web
You’re offline. This is a read only version of the page.
close
Skip to main content

Notifications

Announcements

No record found.

News and Announcements icon
Community site session details

Community site session details

Session Id :
Dynamics 365 Community / Forums / Microsoft Dynamics AX (Archived) / Restrict access to men...
Microsoft Dynamics AX (Archived)
Answered

Restrict access to menu items by privilege

(0) ShareShare
ReportReport
Posted on by Community Member

I am trying to restrict access to certain menu items by using the AOT's roles, duties and privileges.

I have created a new role with a new duty with a new privilege. The privilege contains an Entry Point that specifies the menuitemdisplay as BankAccountTableListPage with NoAccess:

2110.Capture.JPG

2110.Capture.JPG

However, a user given this role is NOT restricted from seeing the menu item:

2110.Capture.JPG

What am I doing wrong?

In case this is the wrong way to approach things should I just install the Security Development Tool?

*This post is locked for comments

I have the same question (0)
  • Shyam Mani Profile Picture
    Shyam Mani 331 on at

    Please test using Security Dev Tool, also make sure you have not given a superior role already.

  • Suggested answer
    André Arnaud de Calavon Profile Picture
    André Arnaud de Cal... 301,030 Super User 2025 Season 2 on at

    Hi AXatak,

    This is not how AX security is designed. By default you don't have any permissions in AX 2012 unless you grant access to entry points using privileges, duties and roles. When a user has a role where the entry point BankAccountTableListPage has maintain rights, another privilege with NoAccess will be ignored as the highest possible access will win.

    So you have to remove the duty/privilege from a role or create a new role without this entry point. The security development tool will provide some insights, but still you need to be aware how the AX2012 security is actually designed and intended to be used.

    I have written some blogs with tips in the past for using the security development tool. You may read them also.

  • Community Member Profile Picture
    Community Member on at

    Thanks André. I will need to set up the Security Development Tool in our test environment to find out what duties/privileges are causing the issue. I have set the tool up in our UAT environment before but test is not showing the menu items at the end of the installation.

  • Verified answer
    RobertCho Profile Picture
    RobertCho 75 on at

    Hi AXatak,

    If you want to see what roles/duties/privileges give access to BankAccountTableListPage menuItem, just right-click on this menu item -> Add-ins -> security tools -> view related security roles.

    Then you can verify if user you want to restrict has got one of those roles.

  • Community Member Profile Picture
    Community Member on at

    Hi Robert,

    824260.Capture.JPG

    I tried that but instead of seeing "View Related Security Roles" I get "Empty".

    Maybe this is because I haven't managed to get the SDT installed correctly.

  • RobertCho Profile Picture
    RobertCho 75 on at

    Hi AxAtak,

    Menu item, not Menu.

    AOT -> Menu Items -> Display -> BankAccountTableListPage

  • Community Member Profile Picture
    Community Member on at

    Excellent thanks Robert that has worked for me and I can tailor as I need now.

  • RobertCho Profile Picture
    RobertCho 75 on at

    You welcome.

  • André Arnaud de Calavon Profile Picture
    André Arnaud de Cal... 301,030 Super User 2025 Season 2 on at

    Hi AXatak,

    Read my blog (and related blogs in this serie) about the security development tool to get the menu-items implemented and the end of the installation as well.

    kaya-consulting.com/ax-2012-security-development-tool-part-1

  • Suggested answer
    TCHWRX Profile Picture
    TCHWRX on at

    I do not have access to an AX2012 but here is how it works in D365FO.

    And btw, what you are trying to do is IMHO the best way of doing it. Create a Privilege that will EXCLUDE access and then assign two roles to a user, one that has everything they need plus extra and a second role that will exclude the access you do NOT want them to have from the first role.

    How to create an “Excluding” role in D365FO and why you need to know this.

    Have you ever been faced with the situation where your client wants to have a role that can do almost everything that one of the standard roles in D365FO, EXCEPT for a few privileges? In my example I have decided to use one Privilege, “LedgerJournalSetup”, which allows a user to create and maintain “Journal names”

    I have had this scenario presented to me several times and searching online provides you with a few options, but they are not really good options IMHO. Why are they no good you may ask? Well, consider this scenario: the way most people go around the issue is to copy an existing role, say Accountant, and give the new role another name, say “ACME Accountant” (“ACME” being the client/project name and a Best Practice to use as a pre-fix to any changes you do to the system). Next you remove the privilege that you do not want the new role to have, in my example the Privilege “LedgerJournalSetup”. Then you test the new role and when it is working, you deploy your changes.

    While this achieves the purpose, it is not a good way of dealing with the issue if you plan to keep your D365 current. By copying a standard role, you create a snapshot of what that role looked like at the time of copy, which is fine short term, but then the next update for D365 is available and you want to deploy it. How do you now account for updates to the original role (and believe me, they do happen)?

    You can deal with this in a couple of different ways:

    1. One option is to delete your own role (“ACME Accountant”), copy the updated standard role into a new “ACME Accountant” role and then remove the privilege you do not want your Accountants to have. Go back and assign the “ACME Accountant” role to all your Accountants and while this approach would work, it does require time and effort.
    2. A second way to do this is to compare the updated role with the old version of the role and apply the changes to your “ACME Accountant” role. This approach would of course also work but it is also time consuming.
    3. A third option is leave your role “as-is” and run the risk that your Accountants are missing out on new cool functionality (yes, this happens too that MS release new cool features) introduced to the standard “Accountant” role.

    But what if there was a fourth way of handling this that would not require a whole lot of re-work of your Role? Wouldn’t that be nice? Well …. There is another, and IMHO, much better way to handle the scenario. What you have to do is to create an “Excluding” role, for lack of a better description.

    So, here is what you do:

    1. Create a new role “ACME Accountant Limited”
    2. Create new and add reference to a new duty “ACME Accountant Limited” (this step can be skipped if you are ok with assigning Privileges directly to a role, but that is not considered a Best Practice so don’t do that!)
    3. Create new and add reference to a new Privilege “ACME LedgerJournalSetup - Deny” that has the Display menu item “LedgerJournalSetup” in it. The trick here is that when you assign the “LedgerJournalSetup” to your new privilege, you specify that you want to DENY access to this entry point.
      “- Deny” is my naming convention to make it easier to know what the Privilege does without having to open it up. You can make your own convention if you prefer.
    4. Now that you have created your “Excluding” Role, all you must do is to grant your Accountants the standard Accountant role AS WELL AS the new Excluding role “ACME Accountant Limited”, which will override the access to “LedgerJournalSetup” and thereby effectively remove this access for your Accountants.
      D365FO-Excluding-Role.png

    With this approach you achieve the following:

    1. You do not have a copy of a standard role.
    2. You do not have to re-create your role when the standard is update (well you actually do in the situation where you do not want your accountants to have access to new functionality introduced in the updated standard role)
    3. If you are OK with having your Accountants gaining access to the new functionality in the updated standard role, then you do not have to do anything.
    4. You have not made any changes to the standard role, which means that updates are easier to deploy.

    I have not experimented with creating a Privilege that has “Grant” set but I would assume that it would do the opposite of “Deny”, namely override an “Exclusion”.

    I hope you will find this little writeup valuable when you plan to setup security in D365FO.

     

Under review

Thank you for your reply! To ensure a great experience for everyone, your content is awaiting approval by our Community Managers. Please check back later.

Helpful resources

Quick Links

Responsible AI policies

As AI tools become more common, we’re introducing a Responsible AI Use…

Neeraj Kumar – Community Spotlight

We are honored to recognize Neeraj Kumar as our Community Spotlight honoree for…

Congratulations to the November Top 10 Community Leaders!

These are the community rock stars!

Leaderboard > 🔒一 Microsoft Dynamics AX (Archived)

#1
Martin Dráb Profile Picture

Martin Dráb 4 Most Valuable Professional

#1
Priya_K Profile Picture

Priya_K 4

#3
MyDynamicsNAV Profile Picture

MyDynamicsNAV 2

Last 30 days Overall leaderboard

Featured topics

Product updates

Dynamics 365 release plans