Tips on AX 2012 Security Development Tool – Part 1

The AX 2012 Security Development Tool is created by Microsoft and provides additional functionality helping you to create and maintain security artifact like Roles, Duties and Privileges. I have used the tool since the release and noticed some very good features and also some features which could cause unwanted scenarios. To help you get the most out of this tool and use it in a proper way, I decided to write a series of blogs on this feature. This first post will tell you about the configuration of the menu-items which will start the Security Development Tool and also how to fix the view on User License Type to show the correct CAL type.

What is AX 2012 Security Development Tool?

As mentioned in the introduction AX 2012 Security Development Tool provides additional features to support you on:

  • Simplify the creation and maintenance of security artifacts such as Roles, Duties and Privileges
  • Creation of new security artifacts on the basis of access through various entry points
  • Ability to test newly created or modified security Role without using a different test account
  • Ability to record business process flows and identify the entry points used, to speed up development of security artifacts
  • Ability to view effective named user license values at different security artifact levels

The full description and also useful links to downloads and user manual can be found on a blog from the Dynamics AX Server Team.


Tip: Complete setup by creating menu items

Initially when you have downloaded and installed the tool, you don’t see any changes and it looks like nothing is installed. If you look in the Development workspace (AOT), you can find new objects. There is a project called “SecurityDevelopmentTool” containing all related objects.


If you browse all objects, you also will find two menu items. These are not linked in any menu. As mentioned in the user guide, you can run the class SysSecEntryPointManagerSetup to link the menu items to standard AX menus. Right click on the class and select the menu option Open to perform this task. As a result these can be found in the System administration menu and also the context menu in the AOT.

SDT1-03    SDT1-02


Tip: How to view the correct CAL license type for menu items and roles

When you have opened the Security Development Tool form, there is a button called Load additional metadata. If you click this button, new properties are added on the grid. One of the columns is called Effective user license type. Within this field it is possible to analyze which menu items are causing a certain CAL license type for the particular role. You can sort or filter on this field to find the data you are looking for. If you change an existing role, it might be possible that a Functional role will become an Enterprise role due to menu items exists in a certain privilege. This might affect your current license and probably unwanted license upgrade costs are involved. For this purpose also a field called Current user license type is added above the tree.


Note that in AX 2012 R2 and R3 the Current user license type is showing incorrect values. The license type Server Users is a type added since the R2 release. It is introduced to have an indication which menu items are part of the Server license and does not have impact on the license types. This field should show only the values Enterprise, Functional, Task and Self-serve. These are taking care of the number of CAL counts. Due to a new value in an enumeration this Server Users value has priority over the needed values. To fix this, you have to change the x++ logic in two methods on the form SysSecEntryPoinManager:


The line with the next code should be changed from:

if(SysSecEntryPointTmp.EffectiveUserLicense > maxLicenseType)


if(SysSecEntryPointTmp.EffectiveUserLicense > maxLicenseType && SysSecEntryPointTmp.EffectiveUserLicense != UserLicenseType::Server)

You have to do this is both methods UpdateLicenseTypes and LoadAdditionalMetadata. Then the system will show the correct CAL license type after this change:



Tip: Test combination of multiple roles

If you want to grant more than one role to a single person, you can test it using the Security Development Tool. A while ago I wrote already a blog to explain this. Read the tip in this post: AX2012 – Testing combination of multiple roles.

If you have any questions leave a comment bellow or contact us. Also if you found this blog useful please share it and don`t forget to subscribe to our newsletter,  so you can read my future blogs.

That’s all for now. Till next time!

[contact-form-7 404 "Not Found"]

Microsoft Dynamics AX CommunitySubscribe to this blogger RSS Feed

  1. KrishnaOctober 20, 2016   

    The link was broken for “AX2012 – Testing combination of multiple roles”.
    So update the latest one.

    • André Arnaud de CalavonOctober 24, 2016   

      Hi Krishna,

      Thanks for reporting the broken link. It has been corrected.

  2. SofiaOctober 24, 2016   

    Hi Andre,
    I changed the code on both methods and I still get None as the Licence
    I’m using AX 2012 R3 Kernel 6.3.4000.127

    • André Arnaud de CalavonOctober 24, 2016   

      Hi Sofia,

      Can you check if the CIL compilation completed without issues? The code suggestion was to solve an issue related to showing ‘Server users’. You are mentioning ‘None’ as license type. What role or menu item are you referring to?

      • SofiaOctober 24, 2016   

        Thanks Andre, I ran the CIL again and it worked this time
        Kind Regards,

  3. Guillermo AlvarengaJanuary 19, 2017   

    Can I create a role that causes a user to not be able to view a record according to the value of a field?

    For example, for my specific case, I want a user not to see the vendors but depending on their vendor group, that they can see the vendors of the vendor group “X1” but can not access the vendor group “X2”. Can this be done?

    • André Arnaud de CalavonJanuary 23, 2017   

      Hi Guillermo,

      This is possible using eXtensible Data Security. The Security Development Tool is not helping you for this requirement. You can visit the Dynamics Community site (link provided in my blog) and search for similar questions and answers how to achieve it.

      kind regards,


  4. rahulApril 01, 2017   

    I installed the tool but not able to get Project “SecurityDevelopmentTool” under project area. I checked Objects also not presented in AOT.

    I am using AX 2012 R3 CU11.

    • André Arnaud de CalavonApril 01, 2017   

      Hi Rahul,

      When you cannot see any object related to the tool, the installation of the objects failed or you imported another model with objects. Please review if the correct model was imported and if the import was successful or stopped with an error.

  5. AdriaanJuly 11, 2017   

    Hi André, Thanks for your documentation and tips — superb!

  6. syedDecember 20, 2017   

    Any way to know which user is considered as Enterprise and which one as Functional.

Leave a Comment!

Your email address will not be published. Required fields are marked *