Security Role Extensions
A Security Role Extension (AxSecurityRoleExtension) modifies an existing security role without altering its original definition. Role extensions allow you to assign additional duties, privileges, and direct data entity permissions to standard roles delivered by Microsoft or other ISVs.
Role extensions are created by right-clicking a security role in the AOT and selecting Create extension. This creates an AxSecurityRoleExtension object named <OriginalRoleName>.<YourModelName> in your model.
What Can Be Extended
| Capability | Description |
|---|---|
| Add Duties | Assign additional security duties to the role. |
| Add Privileges | Assign additional security privileges directly to the role. |
| Add Direct Access Permissions | Grant direct data entity access permissions. |
| Modify Properties | Change property values on the role via PropertyModifications. |
Best Practices
- Prefer assigning duties over direct privileges — duties provide a manageable abstraction layer.
- Document the business reason for every duty/privilege added via extension.
- Test with the Security Diagnostics tool to verify the extended role grants the intended access.
- Do not remove standard duties — extensions are additive only.
Properties
| Property | Display Name | Type | Description |
|---|---|---|---|
| Role ExtensionAxSecurityRoleExtension | |||
| Name | Name | String | The name of the extension element (follows BaseRole.Package naming). |
| IsObsolete | Is Obsolete | NoYes | Whether the extension is deprecated. Values: No (0), Yes (1). |
| Visibility | Visibility | CompilerVisibility | Access level visibility. Values: Private (0), Protected (1), Public (2), Internal (3), InternalProtected (4). |
| Tags | Tags | String | Tags for this element separated by semicolon. |