AX2012 – How to create a read only security role (Walkthrough)

Some customers and community people have sometimes the question how to create a specific role in AX2012 where people have just “read only” rights. In the past I used a specific trick to establish such a role in just 10 minutes. (This besides finetuning. see details below).

Recently this question came across on the Dynamics Community again, so I decided to write a blog about creating this role.

The approach is simple. All Duties and Privileges in AX do have a pattern. All read only duties end with the word “Inquire”. Setup forms can also have read only rights and end with “Review”. The privileges do end with “View” for forms. Reports normally end with “Generate”.

When you create an AOT project and used the filter for selecting the duties ending with “*Inquire” and “*Review” you have a list of all “read only” duties. Then create a new role. Drag and drop all duties from your project to the new role and you have created your “Read only” role.



  1. Open the Ax Development Workspace (AOT)
  2. Create a new development project and give it a name for your reference.
  3. Click the Advanced Filter/Sort button or use the shortcut combination Ctrl+F3
  4. Click the button Select for making the selection.
    Enter the value “*Inquire,*Review” for table SysModelElement field Name.
    Enter the value “SecurityDuty” for table SysModelElementType field Element Type Name.
    Click OK for this form and the Project filter form.
  5.  All elements are added to your new project like the image below illustrates.
  6. Navigate within the AOT to the node Security, Roles.  Create a new role and give it the appropriate name and description.
  7. Select the Project form.
  8. Select all Duties by using the shortcut Crtl+A.
  9. Drag and drop the selected Duties to your new role (Duties node) and save your new role.
    The baseline for the role is ready. You can already assign user to this role. But….
    Some tables have too high privileges caused by some out of the box Duties, Privileges an/or Form permissions.
    E.g. the Vendor table (VendTable) has Full control permissions.
  10. Open the form Security Roles from the System administration, Setup, Security menu.
  11. Select the new “Read only user” role.
  12. Click the button Override permissions.
  13. Walk through the list of tables and see which tables do have too high access levels.
    To correct the access level:
    Untick the field Do not override.
    Set the value of the field Override access level to “View”.
    Note that temporary tables need “Full access” for processing the reports.
  14. Click Close to close the form.

You can now use the role and eventually test it by using the Security Development Tool which is available on Informationsource.


If you have any questions write a comment bellow and share this blog with friends if you found it useful. Also subscribe to our newsletter to receive news about Dynamics AX straight to your inbox.

That’s all for now. Till next time!

[contact-form-7 404 "Not Found"]

Microsoft Dynamics AX CommunitySubscribe to this blogger RSS Feed

  1. simonJune 25, 2014   

    I tried the approach in my testing environment. I created the readonly role and assign to the user.
    when I use that user login, in system admin part, I cannot see all the menu item, just very few item I can see.

    another question for “temporary tables need “Full access””, Can you please tell me how to tell which table is temporary table?


    • André Arnaud de CalavonJuly 03, 2014   

      Hi Simon,

      Thanks for your comment.

      The included duties contains only menu items (by use of privileges) with read access rights. Some menu items in AX do only have privileges with Full control rights. As these are not included in the role, it is indeed possible that you will not see all menu items. In this case you could create new privileges and duties for these menu items giving read only rights.

      There are many temporary tables in AX. Most of them start with a prefix ‘Tmp’. There is no complete list with temporary tables. The table definition in the AOT has a property which dertermines if a table is permanent or temporary.

  2. PraveenJune 30, 2015   

    Hi, Thanks for a great post on security. It really helped me.
    I have a different requirement where in I have to create a role to Hide System administration module & all parameters forms from all modules.
    I managed to hide System Admin module for that particular role and I have assigned all the duties to the role.But to hide all the Parameter forms is what concerning me. One approach in my mind is to find all the duties which include the parameter forms privileges and duplicate and then remove the parameter form privileges and assign these duties to the role. But this is very tedious job. Is there any other approach which you can suggest ?

    Any help would be highly appreciated. TIA

    • André Arnaud de CalavonJune 30, 2015   

      Hi Praveen,

      Hide all the setup sections only is a bitt cumbersome. You can start with excluding the duties with a naming pattern …Enable and …ProcessInquire. These are mostly related to the setup areas. But then you might miss some functionality on e.g. inquiries or still have some menu items left. You can gain some help from the Security development tool which can be downloaded from Lifecycle services.

  3. André Arnaud de CalavonJune 08, 2016   

    Hi Fiaz,
    I would like to redirect you to the Microsoft Dynamics community to ask your question. When you create your question you have to specify more details like which roles were granted and which privileges were created or other security artifacts were modified.

  4. SyedAugust 07, 2016   

    Hi, for Excel add-in the functionality of “Add data” is only available for system admin users. Which makes sense as it is exposing AOT tables. However, what if i need for other users with out giving system admin rights. Only to allow excel add-in. Client will continue to use limitted rights as per role assigned. Do you have any suggestion for this requirement?

    • André Arnaud de CalavonAugust 08, 2016   

      Hi Syed,

      The “Add data” is available for all users and the contents can be managed using the option “Document data sources”. Here you can add queries or services which will be made available for users.
      Probably you were referring to “Add tables” which is indeed only available for system administrators. There is no option to grant direct table access to non system administrators.

  5. KrishnaOctober 16, 2016   

    Hi Andre,
    I’ve done similar way to get all duties readonly. Unfortunately My customized duty (newly created with readonly previlige) not found in
    the project.
    1, I’ve created a created display menu item for the form.
    2. Created a new privilege, dragged the menu item, set the access read only.
    3, Created a new duty dragged the privilege.

    When I’ve filtered as you said, (“*Inquire,*Review” , SecurityDuty). I didn’t find my newly created duty.
    Could you please assist?

    • André Arnaud de CalavonOctober 18, 2016   

      Hi Krishna,

      You have to check the name you used for the new created privilege and duty. Is it ending with “Inquire” or “Review”?

      • KrishnaOctober 20, 2016   

        Hi Andre,
        You are correct. I’ve not created privilege,duty with “Inquire” or “Review”?.
        BTW thanks for directing in right direction.

  6. syedJuly 11, 2017   

    Hi All,

    Nice explanation.
    I am a newbie in AX.
    I want to give one user CFO role on country-A and same user I need to give CFO role on country-B but READ ONLY.
    Any idea

    • André Arnaud de CalavonJuly 21, 2017   

      Hi Syed,

      Excuses for a bit late reply. A security role does contain duties and privileges which will manage the access permissions. In this case you need to have two roles:
      – “CFO” role with edit permissions
      – “CFO read only” with only inquire duties/privileges
      There is no option to have a single role behaving different in another company.

  7. PratikSeptember 13, 2017   

    Hi Team

    I have followed the same steps, but till step 9 is fine, but for step 10 at AOS i am unable to see list of duties where at AOT i can see.

    • André Arnaud de CalavonSeptember 22, 2017   

      HI Pratik,
      Step 10 is a form which should be started using the AX normal client menu. The menu path is provided in the step. If you are missing data, check if you have a version control system active. If not, check if you are on the correct security role.

Leave a Comment!

Your email address will not be published. Required fields are marked *