Workflow Security

Dynamics AX 2009

Security in Microsoft Dynamics AX workflow is handled directly by the MorphX security system. This topic describes general security considerations for an application and specific workflow security considerations.

Administrators use security and configuration keys to determine what application functionality is available and to apply access permissions for different users. For more information, see Using the MorphX Security System.

Although security and configuration keys control access to functionality within the application, this security access is limited to menu items. To help protect your system at a more granular level, it is important to set up security for table and field access. For more information, see Restrict Access to Tables and Fields.

Record level security (RLS) is automatically handled by the kernel when a form or report is opened. However, record level security can be bypassed in certain situations. For more information, see Record Level Security.

Workflow menu item security access is controlled by security keys. Security keys are required for all Display and Action menu items in workflow templates, tasks, and approvals. When you set up security key permissions, you can select the Workflow view in the View drop-down list to display only workflow objects.

Access to workflow functionality is controlled by configuration keys.

Security for data flow in workflow uses Internet Information Services (IIS), which is controlled by Active Directory authentication.

The workflow infrastructure uses security accounts to access tables, application data, and other application objects to run a workflow. To set up the workflow security accounts, in the Setup pane in the Administration module, expand the Security node, and then click System service accounts.


You must update the workflow system and workflow execution account security settings for new objects. For example, if you add a new table, you must grant access to that table to the workflow system and workflow execution accounts.

The Workflow System Account (WorkflowSys) provides table access to the workflow infrastructure and is used for data communication between Internet Information Services (IIS) and the Application Object Server (AOS).

The Workflow Execution Account (WorkflowExec) is used by the workflow runtime to execute application business logic. This security account is used by the application to define permissions to manipulate application data and execute business logic.

For more information, see "Configure system accounts" and "System service accounts" in the System and Application Setup Help.
