Role-based security in Dynamics 365 for Operations. What changed and what stayed the same.

New version of AX has a couple of changes in the security architecture. Process cycles are removed (no one really used them in AX 2012) and record level security is finally obsolete.

However, because of new code architecture and restrictions that came with it, there are some changes in the way how we create new security artifacts.  Previously, in AX 2012, all security objects were stored in AOT as a metadata, even if you did security setup from UI new objects were created or changed in AOT. Now, because of .Net platform, we cannot generate assemblies on the go, so there are two ways how to create security objects:

  1. Create security objects in Visual Studio.

Nothing has changed here, developer can create or edit new roles, duties and privileges in AOT. Then they can be deployed via deployable packages.  For today’s blog I created simple role, duty and couple of privileges.

  1. Create security object from UI.

In current version experience is similar to AX 2012, where user can create and edit security objects from UI, but under the hood AX does not create any objects! All changes are stored as a data. On screenshot below you can see new role created by me for this article.


New role has one duty and this duty has only one privilege. Now I’m going to add one more privilege “My PrivilegeTwo” to my duty. To do this you need to select a duty you want to modify, click “Add references” and select a privilege you want to add.


After that, you may notice “unpublished objects” and you can either publish them or undo.


Let’s add one more privilege in AOT.


As you can see, in AOT my duty consists only from two privileges, however, in UI AX shows three:


Two of them were created by developer in AOT and one was done in UI and is stored as data.

In next blog post I will show how to deploy security data changes across environments and how to use Security diagnostics tool.


8 thoughts on “Role-based security in Dynamics 365 for Operations. What changed and what stayed the same.

  1. Alejandro January 26, 2017 / 6:53 pm

    Do you know if there is any tool to create all the artifacts into code by reading a exported file from AX?

    • ievgensaxblog January 26, 2017 / 7:05 pm

      Hi Alejandro,
      As far as I’m aware, there is no tool. However, I heard that this feature is in the road map.

  2. Tim January 24, 2018 / 6:13 am

    How do we ‘undo’ the unpublished objects. I have a couple that I would like to delete but I’m not sure how.

    • Ievgen Miroshnikov January 24, 2018 / 7:18 am

      You may simply close the form and it will delete all unpublished changes.

  3. Henry March 2, 2018 / 9:49 pm

    Are their any disadvantages to creating security objects through the UI. While the security is saved in tables in the database would there be conflicts having security both in the AOT and now in the database? All documentation directs users to make changes through the UI.

    • Ievgen Miroshnikov March 3, 2018 / 3:43 am

      I don’t see any disadvantages. UI takes priority over code and end users would not have any access to the code, so will use UI all the time. You don’t want to go though development and deployment every time you need a security change 🙂

  4. Joakim Tokvam March 16, 2018 / 12:49 pm

    Thanks for this. It is interesting that the security artifacts now are stored as data and not code.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s