Manage permissions

Dynamics AX 4.0

Permissions determine who can access menus, forms, reports, and tables. In Microsoft Dynamics AX, you assign permissions to user groups instead of individual users. Assigning permissions to groups saves time because you do not have to adjust permissions for each user.

When you create a new user group in Microsoft Dynamics AX, the group, by default, is set to No access for all menus, forms, reports, and tables. This means that after you create a new group, you must use the procedure in this topic to enable permissions; otherwise, all members of the group are denied access to all menus, forms, reports, and tables.


  • Higher-level permissions inherit lower-level permissions. For example, a group that has Create permissions for an item like a form also has Edit and View permissions as well.

  • If you grant developer permissions to a user group, the group must have developer permissions across all domains. If the group does not have developer permissions across all domains, members of the group cannot synchronize the Application Object Tree (AOT).

  • A user group can have different permissions within different domains. For more information about domains, see Manage domains.

  • If you assign permission to a parent-node key, for example, you select Absence approver and then select Full control, all child nodes inherit the same permission. If you do not want all child nodes to inherit the same permission, you can change permissions on individual child nodes.

  • Work with managers who oversee the different groups in your business or organization to determine permissions levels. For example, work with a manager in the Finance department to determine permissions levels for the Finance groups. The manager knows which groups should have permissions to items like General ledger and Bank, including permissions on child nodes.

  • If you are uncertain about whether to allow permission to a certain item, leave the permissions level set to No access. It is better to deny permission to an item and force an individual to request permission for their group than to give permission to an area that a group should not be able to access.

  • Restrict the number of users who are members of the Administrators group, which has access to all fields, tables, reports, and modules in Microsoft Dynamics AX by default. If users are made members of the Administrators group, they can potentially view reports or data they should not be allowed to see or change configurations and business logic in the system. Ideally, only those individuals who configure and administer Microsoft Dynamics AX should be members of the Administrators group.


If you change permissions for a user group, especially if you demote permissions, instruct all group members to restart their Microsoft Dynamics AX clients after making the change. If group members do not restart their clients, they might retain their former permissions. As a best practice, ask members of a group to log off Microsoft Dynamics AX before changing permissions and inform all Microsoft Dynamics AX users of the impending client restart. If necessary, select users in the form (> ) and click before changing user group permissions. For more information, see Remove users.

  1. From a Microsoft Dynamics AX client, click ( > > > .

  2. On the tab, select a user group and then select a domain.

  3. Click the tab.

  4. To set security keys for Enterprise Portal components, double-click in the box.

  5. In the list box, select the item(s) for which you want to set permissions, for example, . Press and hold the CTRL button on your keyboard to select multiple items.

  6. Under , select a permissions level. Once you select a permissions level, the selected item shows a check mark to indicate permissions have been set.

  7. Click the button to ensure all dependent keys are set and to inherit this permission level to all child tables, forms, and nodes.

  8. Press CTRL + S to save changes.

  9. Restart the Microsoft Dynamics AX server if you changed the permissions of an existing group, especially if you set more restrictive permissions on that group.


If you need to set permissions for a group in a different domain, repeat this procedure and select the new domain in step 2.

Restrict user group access permissions to Application Object Tree (AOT), the central repository for classes, tables, and other development elements in Microsoft Dynamics AX. By default, only members of the Administrators group have access to AOT. As a security best practice, create a Developers group (see Manage user groups) and give this group access permission to make changes in AOT. The Developers group could have Edit permission if you adhere to a strict security policy of least privilege. However, if developers need to create or delete AOT elements, the group requires Create or Full control permission.

Ideally, you should not give any other group access permission to AOT, especially access permission where members of that group can make changes in AOT. If necessary, you can grant View permission so individuals can look at elements in AOT.

Adjust global types

Developers may require access permission for an additional menu item: adjust global types ( > > > > key > subkey > menu item). Administrators typically adjust global types only during installation. If at all possible, avoid adjusting global types after the initial installation because these changes affect the entire Microsoft Dynamics AX application. If a developer needs to adjust global types for the entire application that person must be granted Full control permission for this menu item.

Microsoft Dynamics AX includes user and user-group permission reports (also called security reports). These reports list the permissions for a selected user or user group. Use these reports to help you create a consistent security policy when creating new users or groups, or when setting up a domain.

  1. From a Microsoft Dynamics AX client, click > > > .

  2. Enter the parameters.

  3. Click OK.

  1. From a Microsoft Dynamics AX client, click > > > .

  2. Enter the parameters.

  3. Click OK.