When you use Record Level Security (RLS) in Dynamics AX and have users who are members of more than one Dynamics AX user group, you might notice that Dynamics AX 2009 behaves differently from Dynamics AX 4.0 SP2 (earlier builds might behave differently again).

Consider the following scenario:

  • You have a Dynamics AX user, User1
  • You have two Dynamics AX user groups, GroupA and GroupB
  • User1 is a member of GroupA and GroupB
  • GroupA and GroupB both have Full Access to the InventTable
  • The InventTable contains three records: A, B and C

 

You now have the following RLS setup:

|                              | Example 1 | Example 2 | Example 3 |
|------------------------------|-----------|-----------|-----------|
| RLS Query on GroupA          | not B (=A, C) | no RLS Query | no RLS Query |
| RLS Query on GroupB          | not C (=A, B) | no RLS Query | not C (=A, B) |
| Result in Dynamics AX 4.0 SP2 | All items can be seen | All items can be seen | not C (=A, B) |
| Result in Dynamics AX 2009   | All items can be seen [Same as in Dynamics AX 4.0 SP2] | All items can be seen [Same as in Dynamics AX 4.0 SP2] | All items can be seen [Different from Dynamics AX 4.0 SP2] |

So typically, if you upgrade from Dynamics AX 4.0 SP2 to Dynamics AX 2009 with a setup as shown in Example 3, users will end up with more permissions than before.

The RLS design was changed because security in Dynamics AX is, in general, additive. So if Group1 grants read access to TableA and Group2 grants full access to TableA, a user who is a member of both groups has full access to TableA.

In Example 3 above, GroupA and GroupB grant access to the same table, InventTable. GroupB restricts access to certain records using RLS, but GroupA does not restrict access (as no RLS Query is set up). You can view it this way: GroupA allows full access to all records of this table because no RLS Query was defined. So in sum, a user who is a member of both groups will be able to see all data in the table, because GroupA allows access to all records.
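The two behaviors in the table can be modeled as set operations to find, before an upgrade, which users would see more records in Dynamics AX 2009. This is an added example, not code from Dynamics AX or from the original post; the set-based model, the function names and the sample memberships (including User2) are assumptions chosen to reproduce the three examples.

```python
# Model of the RLS results in the table above (added example, not Dynamics AX code).
# An RLS query is modelled as the set of records it lets through; None means the
# group has access to the table but no RLS query (assumed for any unlisted group).

RECORDS = frozenset({"A", "B", "C"})  # the three InventTable records of the scenario


def visible_ax40sp2(group_filters):
    """AX 4.0 SP2 per the table: only groups that define an RLS query count."""
    defined = [f for f in group_filters.values() if f is not None]
    if not defined:
        return set(RECORDS)           # no RLS query anywhere: all records visible
    return set().union(*defined)      # union of the filtered record sets


def visible_ax2009(group_filters):
    """AX 2009: a group without an RLS query grants every record (additive)."""
    result = set()
    for f in group_filters.values():
        result |= RECORDS if f is None else f
    return result


def upgrade_exposure(memberships, rls):
    """Return {user: records that become visible only after the upgrade}."""
    exposure = {}
    for user, groups in memberships.items():
        filters = {g: rls.get(g) for g in groups}
        gained = visible_ax2009(filters) - visible_ax40sp2(filters)
        if gained:
            exposure[user] = gained
    return exposure


# Constructed sample data mirroring Example 1, 2 and 3 from the table.
EXAMPLES = {
    "Example 1": {"GroupA": {"A", "C"}, "GroupB": {"A", "B"}},
    "Example 2": {"GroupA": None, "GroupB": None},
    "Example 3": {"GroupA": None, "GroupB": {"A", "B"}},
}

if __name__ == "__main__":
    for name, filters in EXAMPLES.items():
        print(name, sorted(visible_ax40sp2(filters)), sorted(visible_ax2009(filters)))
    members = {"User1": ["GroupA", "GroupB"], "User2": ["GroupB"]}  # User2 is hypothetical
    print(upgrade_exposure(members, EXAMPLES["Example 3"]))
```

Any user reported by `upgrade_exposure` is a member of at least one group with an RLS query and at least one group with unrestricted access to the same table, which is the Example 3 pattern.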

--author: Anders Madsen
--editor: Alexander Lachner
--date: 16/06/2009