When you use Record Level Security (RLS) in Dynamics AX and have users that are members of more than one Dynamics AX user group you might notice a different behavior of Dynamics AX 2009 compared to Dynamics AX 4.0 SP2 (earlier builds might behave again differently).
Given is the following scenario:
You now have the following RLS setup:
So typically if you upgrade from Dynamics AX 4.0 SP2 to Dynamics AX 2009 and you have a setup as shown in Example 3, the users will end up with more permission than before.
The reason why the RLS design was changed is that the security in Dynamics AX in general is additive. So if Group1 grants read access to TableA and Group2 grants full access to TableA, a user that is member of both groups has full access to TableA.
In the above Example 3 Group A and GroupB grant access to the same table InventTable. Group B restricts the access to certain records using RLS, but GroupA does not restrict access (as no RLS Query is set up). You can see it that way, that GroupA is allowing full access to all records of this table because no RLS Query was defined. So in the sum a user who is member of both groups will be able to see all data in the table because of GroupA that allows access to all records.