
Security Roles

A Security Role (AxSecurityRole) is the top-level unit of the D365 F&O security model. Users are assigned to roles, and each role aggregates duties, privileges, sub-roles, and direct-access permissions to define what the user can see and do.

Roles map to business responsibilities. Standard examples include System Administrator, Accounts Payable Clerk, Purchasing Agent, and Sales Manager. Custom roles can be created for any business function.


Structure

A security role contains four child collections:

| Collection | Child Type | Purpose |
|---|---|---|
| Duties | AxSecurityDutyReference | References to duties that group related privileges. This is the primary mechanism for granting access. |
| Privileges | AxSecurityPrivilegeReference | Direct privilege references that bypass the duty layer. Use sparingly. |
| Sub-Roles | AxSecurityRoleReference | References to other roles whose access is inherited. Useful for building composite roles. |
| DirectAccessPermissions | AxSecurityDataEntityReference | Direct table/data entity access grants outside the entry-point model (rare). |
Tip: Prefer assigning duties to roles rather than individual privileges. Duties provide a meaningful business grouping that is easier to audit and manage as the number of privileges grows.


Standard Roles

| Role | AOT Name | Description |
|---|---|---|
| System Administrator | SystemAdministrator | Full access to all application functionality. |
| Accounts Payable Clerk | VendAccountsPayableClerk | Processes vendor invoices and payments. |
| Purchasing Agent | PurchasingAgent | Creates and manages purchase orders. |
| Accounts Receivable Clerk | CustAccountsReceivableClerk | Manages customer invoices and collections. |
| Sales Manager | TradeSalesManager | Oversees sales order operations. |
| Human Resources Manager | HcmHumanResourcesManager | Manages employee records and HR processes. |

Creating a Security Role

  1. In Visual Studio, right-click your project and select Add → New Item → Security Role.
  2. Set the Name, Label, and Description properties.
  3. Add duty references under the Duties node.
  4. Optionally add privilege references or sub-role references.
  5. Build and deploy.

Code Example — Checking Role Assignment

Code Example — Enumerating Role Duties


Extensions

Use a Security Role Extension (AxSecurityRoleExtension) to modify standard Microsoft roles without overlaying them. Role extensions are the recommended approach for adding custom access to standard roles.

What Can Be Extended

| Collection | Description |
|---|---|
| Duties | Add new duty references to the extended role. |
| Privileges | Add new privilege references to the extended role. |
| DirectAccessPermissions | Add direct table/entity access grants to the extended role. |
| PropertyModifications | Modify scalar properties (e.g., Label, Description, Enabled) of the base role. |
Warning: You cannot remove duties or privileges from a standard role via extension; you can only add new ones. To disable an inherited duty, create a custom role that excludes it, or use database-level security configuration to override the role definition at runtime.

Extension Example

To add a custom duty to the standard Purchasing Agent role:

  1. Right-click the PurchasingAgent security role in Application Explorer.
  2. Select Create Extension.
  3. In the new extension object, add your custom duty reference under the Duties node.
  4. Build and deploy.

Child Object Properties

Duty Reference

Each entry in the Duties collection is an AxSecurityDutyReference:

| Property | Description |
|---|---|
| Name | The AOT name of the referenced duty. |
| Enabled | Whether this duty reference is active. Set to No to disable without removing. |
| Tags | Tags for this element separated by semicolon. |

Privilege Reference

Each entry in the Privileges collection is an AxSecurityPrivilegeReference:

| Property | Description |
|---|---|
| Name | The AOT name of the referenced privilege. |
| Enabled | Whether this privilege reference is active. Set to No to disable without removing. |
| Tags | Tags for this element separated by semicolon. |

Sub-Role Reference

Each entry in the SubRoles collection is an AxSecurityRoleReference:

| Property | Description |
|---|---|
| Name | The AOT name of the referenced role whose access is inherited. |
| Enabled | Whether this sub-role reference is active. |
| Tags | Tags for this element separated by semicolon. |

Direct Access Permission

Each entry in the DirectAccessPermissions collection is an AxSecurityDataEntityReference:

| Property | Description |
|---|---|
| Name | The AOT name of the referenced table or data entity. |
| Grant | Access level granted to data (AccessGrant). |
| GrantCurrentData | Access level granted to current-period data. |
| GrantFutureData | Access level granted to future-period data. |
| GrantPastData | Access level granted to past-period data. |
| Tags | Tags for this element separated by semicolon. |
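
An added example (not from the original page or from Microsoft) of auditing role metadata built from the four child collections above: it resolves duties inherited through sub-roles, lists the direct privilege and direct-access grants that sit outside the duty layer, and skips references whose Enabled property is No. The XML nesting is an assumed layout derived from the type names on this page, and all Contoso* names are hypothetical.

```python
import xml.etree.ElementTree as ET

COLLECTIONS = ("Duties", "Privileges", "SubRoles", "DirectAccessPermissions")

# Constructed sample metadata; Contoso* names are hypothetical and the element
# nesting is an assumed layout built from the type names on this page.
SAMPLE_ROLES = {
    "ContosoPurchAuditor": """<AxSecurityRole><Name>ContosoPurchAuditor</Name>
 <Duties>
  <AxSecurityDutyReference><Name>ContosoPurchOrderInquire</Name></AxSecurityDutyReference>
  <AxSecurityDutyReference><Name>ContosoVendMaintain</Name><Enabled>No</Enabled></AxSecurityDutyReference>
 </Duties>
 <Privileges>
  <AxSecurityPrivilegeReference><Name>ContosoVendBankView</Name></AxSecurityPrivilegeReference>
 </Privileges>
 <SubRoles>
  <AxSecurityRoleReference><Name>ContosoBaseUser</Name></AxSecurityRoleReference>
 </SubRoles>
 <DirectAccessPermissions>
  <AxSecurityDataEntityReference><Name>ContosoVendTable</Name></AxSecurityDataEntityReference>
 </DirectAccessPermissions>
</AxSecurityRole>""",
    "ContosoBaseUser": """<AxSecurityRole><Name>ContosoBaseUser</Name><Duties>
  <AxSecurityDutyReference><Name>ContosoClientAccess</Name></AxSecurityDutyReference>
 </Duties></AxSecurityRole>""",
}

def parse_role(xml_text):
    """Map each child collection to the names of its enabled references."""
    root = ET.fromstring(xml_text)
    return {c: [r.findtext("Name") for r in root.findall(f"{c}/*")
                if r.findtext("Enabled", "Yes") != "No"]
            for c in COLLECTIONS}

def audit(role, roles, seen=None):
    """Effective duties plus duty-layer bypasses, following sub-roles."""
    seen = set() if seen is None else seen
    out = {"duties": set(), "direct_privileges": set(), "direct_access": set()}
    if role in seen or role not in roles:  # cycle guard / role not in the set
        return out
    seen.add(role)
    refs = parse_role(roles[role])
    out["duties"] |= set(refs["Duties"])
    out["direct_privileges"] |= set(refs["Privileges"])
    out["direct_access"] |= set(refs["DirectAccessPermissions"])
    for sub in refs["SubRoles"]:
        for key, names in audit(sub, roles, seen).items():
            out[key] |= names
    return out
```

Non-empty `direct_privileges` or `direct_access` sets are the entries to review first, since they grant access that no duty documents.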

Properties

Security Role (AxSecurityRole)

| Property | Display Name | Type | Description |
|---|---|---|---|
| Name | Name | String | The name of the element. |
| IsObsolete | Is Obsolete | NoYes | Determines whether the element is deprecated or not. Values: No (0), Yes (1) |
| Visibility | Visibility | CompilerVisibility | The visibility of the element. Values: Private (0), Protected (1), Public (2), Internal (3), InternalProtected (4) |
| Tags | Tags | String | Tags for this element separated by semicolon. |
| Label | Label | String | Role name that is displayed. |
| Description | Description | String | Role description that is displayed. |
| Enabled | Enabled | NoYes | Set to false to hide the node from the security framework. Values: No (0), Yes (1) |
| ContextString | Context String | String | If the context type is ContextString, this property displays the string. |
| CanBeDeletedFromUI | Can Be Deleted From UI | NoYes | Set to No to block users from deleting critical security roles. Values: No (0), Yes (1) |

Role Extension (AxSecurityRoleExtension)

| Property | Display Name | Type | Description |
|---|---|---|---|
| Name | Name | String | The name of the extension element. |
| IsObsolete | Is Obsolete | NoYes | Determines whether the element is deprecated or not. Values: No (0), Yes (1) |
| Visibility | Visibility | CompilerVisibility | The visibility of the element. Values: Private (0), Protected (1), Public (2), Internal (3), InternalProtected (4) |
| Tags | Tags | String | Tags for this element separated by semicolon. |