Dynamics AX in the Field

Microsoft Dynamics AX from the Premier Field Engineering team at Microsoft.

Permission Comparision Examples between User Groups and Domains in AX 2009

Permission Comparision Examples between User Groups and Domains in AX 2009

  • Comments 1

When working with customers I have encountered many scenarios where the User in which they are trying to setup security permissions belonged to multiple User groups or had different permission sets in different Domains.    Permissions are compared between User groups and Domains using the least restricive principle.  This caused confusion when testing this situation.    Thus, I am providing a few examples of how AX compares the permissions in mulitple User groups and/or Domains that you can refer to when setting up permissions.

Example One:

See the illustration below.  Arnie is a User that is assigned to the SalesPerson User group which has  FULL, VIEW, and CREATE permissions to a table called CUSTGROUP in three different Domains.    The Salesperson group is the only User group that Arnie belongs to.    

 

 Below I explain the rights that Arnie will have in each of the Company's:

  • What rights will Arnie have to the CUSTGROUP table in CompanyA?
    • FULL - Because CompanyA belongs to Domain1 and the Admin Domain, the permissions need to be compared between the Domains. Since the Salesperson User group has FULL in Domain1 and CREATE in the Admin Domain, FULL is less restrictive than CREATE.
  • What rights will Arnie have to the CUSTGROUP table in CompanyB?
    • FULL - Because CompanyB belongs in Domain1 and the Admin Domain, the permissions need to be compared between the Domains. Since the Saleperson group has FULL in Domain1 and CREATE in the Admin Domain, FULL is less restrictive than CREATE.
  • What rights will Arnie have to the CUSTGROUP table in CompanyC?
    • CREATE - Because CompanyC belongs in Domain2 and the Admin Domain, the permissions need to be compared between the Domains. Since the Salesperson group has VIEW in Domain2 and CREATE in the Admin Domain, CREATE is less restrictive than VIEW

 

Example Two:

See the illustration below.   Arnie is a User that is assigned to the SalesPerson and InsideSales User groups.    The SalesPerson User group has FULL, VIEW, and CREATE permissions to the CUSTGROUP table in three different Domains while the InsideSales group has FULL to only one Domain.

  • What rights will Arnie have to the CUSTGROUP table in CompanyC?   FULL  - Because CompanyC belongs in Domain2 and the Admin Domain, the permissions need to be compared between the Domains.   Since the SalesPerson User group has VIEW rights in Domain2, CREATE rights in the Admin Domain, and FULL rights in Domain2 for the InsideSales group, FULL is less restrictive than CREATE or VIEW. 

 

Example Three:

See the illustration below.   Arnie is assigned to the SalesPerson User group has FULL and VIEW permissions to the CUSTGROUP table in two different Domains.   The Salesperson group is the only User group that Arnie belongs to.

 

  • What rights will Arnie have to the CUSTGROUP table in CompanyC?   VIEW - Because CompanyC does not belong to any other Domains, the permissions do not need to be compared between the Domains but they will be compared by User groups..   Since the SalesPerson group is the only group that Arnie belongs to and it has VIEW rights in Domain2 Arnie will VIEW rights in CompanyC.

 

Page 1 of 1 (1 items)