Security Duties
A Security Duty (AxSecurityDuty) represents a business responsibility that maps to a collection of related privileges. Duties sit between roles and privileges in the security hierarchy, providing a meaningful grouping layer.
For example, the duty Maintain vendor invoices groups all privileges needed to create, edit, post, and view vendor invoice records. A role like Accounts Payable Clerk then references this duty to grant all of those permissions in one assignment.
Why Use Duties?
Without duties, administrators would need to assign potentially dozens of individual privileges to every role. Duties provide:
- Business-level granularity — each duty maps to a recognizable business activity described in the Label and Description.
- Reusability — the same duty can be assigned to multiple roles.
- Manageability — when a new form or operation is added to a business process, only the duty needs to be updated, not every role that references it.
- Auditability — security reviews can focus on the duty level rather than individual privileges.
Naming Convention
Standard Microsoft duties follow a consistent naming pattern:
| Pattern | Meaning | Example |
|---|---|---|
| <Module><Entity>Maintain | Full CRUD access to an entity | VendInvoiceMaintain |
| <Module><Entity>View | Read-only access to an entity | VendInvoiceView |
| <Module><Entity>Approve | Approval access for workflow | PurchOrderApprove |
| <Module><Process>Process | Execute a business process | VendPaymentProcess |
| <Module><Entity>Enable | Configure or enable features | VendInvoiceEnable |
Standard Duties
| Duty | AOT Name | Description |
|---|---|---|
| Maintain vendor invoices | VendInvoiceVendorInvoiceMaintain | Create, edit, and delete vendor invoices. |
| Approve purchase orders | PurchOrderApprovePurchOrders | Approve purchase order workflow items. |
| View customer invoices | CustInvoiceCustomerInvoiceView | View customer invoice records (read-only). |
| Maintain sales orders | SalesOrderMaintain | Create, edit, and process sales orders. |
| Maintain employee records | HcmWorkerMaintain | Manage human resources worker records. |
Creating a Security Duty
- In Visual Studio, right-click your project and select Add → New Item → Security Duty.
- Set the Name, Label, and Description properties.
- Add privilege references under the Privileges node — each reference points to an AxSecurityPrivilege that grants access to specific entry points.
- Build and deploy.
Code Example — Checking if a Duty is Assigned
Extensions
Use a Security Duty Extension (AxSecurityDutyExtension) to modify standard Microsoft duties without overlaying them. Extensions can add privileges or modify properties.
What Can Be Extended
| Collection | Description |
|---|---|
| Privileges | Add new privilege references to the extended duty. |
| PropertyModifications | Modify scalar properties (e.g., Label, Description, Enabled) of the base duty. |
You cannot remove privileges from a standard duty via extension — you can only add new ones. If a standard duty grants too much access, create a custom duty with only the privileges you need.
Extension Example
To add a custom privilege to a standard duty:
- Right-click the duty in Application Explorer.
- Select Create Extension.
- In the new extension object, add your custom privilege reference under the Privileges node.
- Build and deploy.
Child Object Properties
Privilege Reference
Each entry in the Privileges collection is an AxSecurityPrivilegeReference:
| Property | Description |
|---|---|
| Name | The AOT name of the referenced privilege. |
| Enabled | Whether this privilege reference is active. Set to No to disable without removing. |
| Tags | Tags for this element separated by semicolon. |
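
Because a duty is shared by every role that references it, a privilege added through a duty extension reaches all of those roles at once. The following added example (not part of the original documentation and not Microsoft code) computes that reach from constructed metadata, skipping privilege references whose Enabled property is No. The XML layout, the privilege names, the role names and the `<Duty>.<Suffix>` extension naming are assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed sample metadata. Element names follow the object and property
# names on this page; the XML layout itself is an assumption.
DUTY_XML = """<AxSecurityDuty>
  <Name>VendInvoiceMaintain</Name>
  <Privileges>
    <AxSecurityPrivilegeReference><Name>VendInvoiceEdit</Name></AxSecurityPrivilegeReference>
    <AxSecurityPrivilegeReference><Name>VendInvoicePost</Name><Enabled>No</Enabled></AxSecurityPrivilegeReference>
  </Privileges>
</AxSecurityDuty>"""

EXT_XML = """<AxSecurityDutyExtension>
  <Name>VendInvoiceMaintain.ContosoExt</Name>
  <Privileges>
    <AxSecurityPrivilegeReference><Name>ContosoVendBankEdit</Name></AxSecurityPrivilegeReference>
  </Privileges>
</AxSecurityDutyExtension>"""

# Hypothetical role-to-duty assignments (role names are made up).
ROLES = {"APClerk": ["VendInvoiceMaintain"], "APManager": ["VendInvoiceMaintain"]}


def enabled_privileges(xml_text):
    """Return (element name, set of privilege names whose Enabled is not No)."""
    root = ET.fromstring(xml_text)
    privs = set()
    for ref in root.iterfind("./Privileges/AxSecurityPrivilegeReference"):
        if (ref.findtext("Enabled") or "Yes").strip().lower() != "no":
            privs.add(ref.findtext("Name").strip())
    return root.findtext("Name").strip(), privs


def extension_impact(duty_xml, extension_xmls, roles):
    """Map each privilege an extension adds to the roles that inherit it."""
    duty, base = enabled_privileges(duty_xml)
    impact = {}
    for ext_xml in extension_xmls:
        ext_name, added = enabled_privileges(ext_xml)
        if ext_name.split(".", 1)[0] != duty:  # assumed "<Duty>.<Suffix>" naming
            continue
        holders = sorted(r for r, duties in roles.items() if duty in duties)
        for priv in sorted(added - base):
            impact[priv] = holders
    return impact


if __name__ == "__main__":
    print(extension_impact(DUTY_XML, [EXT_XML], ROLES))
```

Running the same comparison over real exported metadata during a security review shows which roles gained access from each extension, which is the set to re-check for segregation-of-duties conflicts.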
Properties
| Property | Display Name | Type | Description |
|---|---|---|---|
| Security Duty (AxSecurityDuty) | | | |
| Name | Name | String | The name of the element. |
| IsObsolete | Is Obsolete | NoYes | Determines whether the element is deprecated or not. Values: No (0), Yes (1) |
| Visibility | Visibility | CompilerVisibility | The visibility of the element. Values: Private (0), Protected (1), Public (2), Internal (3), InternalProtected (4) |
| Tags | Tags | String | Tags for this element separated by semicolon. |
| Label | Label | String | Duty name that is displayed. |
| Description | Description | String | Duty description that is displayed. |
| Enabled | Enabled | NoYes | Set to false to hide the node from the security framework. Values: No (0), Yes (1) |
| ContextString | Context String | String | If the context type is ContextString, this property displays the string. |
| Duty Extension (AxSecurityDutyExtension) | | | |
| Name | Name | String | The name of the extension element. |
| IsObsolete | Is Obsolete | NoYes | Determines whether the element is deprecated or not. Values: No (0), Yes (1) |
| Visibility | Visibility | CompilerVisibility | The visibility of the element. Values: Private (0), Protected (1), Public (2), Internal (3), InternalProtected (4) |
| Tags | Tags | String | Tags for this element separated by semicolon. |