Security Privileges
A Security Privilege (AxSecurityPrivilege) is the atomic permission unit in the D365 F&O security model. Each privilege grants a specific access level to one or more entry points (menu items or service operations), and optionally specifies data entity permissions, direct table access, and form control overrides.
Privileges do not exist in isolation — they are referenced by duties (recommended) or directly by roles.
Access Levels
Entry points within a privilege use the AccessGrant type to specify the level of access:
| Level | Description |
|---|---|
| No Access | No access granted (default). |
| Read | Can read records. |
| Update | Can read and modify records. |
| Create | Can read, modify, and create records. |
| Correct | Can modify posted/historical records (date-effective access). |
| Delete | Full access including delete. |
For date-effective tables, privileges support period-specific grants:
- Grant — the base access level.
- GrantCurrentData — access to current-period records.
- GrantFutureData — access to future-dated records.
- GrantPastData — access to historical records.
Child Collections
A privilege contains four child collections:
| Collection | Child Type | Purpose |
|---|---|---|
| EntryPoints | AxSecurityEntryPointReference | Menu item and service operation references — the primary way to grant access. |
| DataEntityPermissions | AxSecurityDataEntityPermission | Permissions for OData/data management access to data entities. |
| DirectAccessPermissions | AxSecurityDataEntityReference | Direct table/view access grants outside the entry-point model. |
| FormControlOverrides | AxSecurityFormControlReferenceCollection | Overrides that hide or disable specific form controls for this privilege level. |
Entry Points
The EntryPoints collection is the most commonly used child. Each AxSecurityEntryPointReference maps to a menu item (Display, Output, or Action) or a service operation:
| Property | Type | Description |
|---|---|---|
| Name | String | Identifier for this entry-point reference. |
| ObjectName | String | The AOT name of the menu item or service operation. |
| ObjectType | EntryPointType | The type of entry point. Values: None (0), MenuItemDisplay (1), MenuItemOutput (2), MenuItemAction (3), ServiceOperation (76) |
| ObjectChildName | String | The method name (for service operations). |
| Grant | AccessGrant | Base access level granted. |
| GrantCurrentData | AccessGrant | Access level for current-period data. |
| GrantFutureData | AccessGrant | Access level for future-period data. |
| GrantPastData | AccessGrant | Access level for past-period data. |
| Tags | String | Tags for this element separated by semicolon. |
Each entry-point reference can further contain Forms children (AxSecurityEntryPointReferenceForm) that define form-level control and data source overrides for that specific entry point.
Data Entity Permissions
The DataEntityPermissions collection grants access to data entities through OData and the data management framework. Each AxSecurityDataEntityPermission has:
| Property | Type | Description |
|---|---|---|
| Name | String | The AOT name of the data entity. |
| IntegrationMode | IntegrationMode | Which integration channels the permission applies to. Values: All (0), DataServices (1), DataManagement (2) |
| Grant | AccessGrant | Access level granted to the data entity. |
Data entity permissions also support Fields and Methods child collections for field-level and method-level security.
Direct Access Permissions
DirectAccessPermissions grant direct table or data entity access outside the entry-point model. Each AxSecurityDataEntityReference specifies:
| Property | Type | Description |
|---|---|---|
| Name | String | The AOT name of the table or data entity. |
| Grant | AccessGrant | Base access level. |
| GrantCurrentData | AccessGrant | Current-period access. |
| GrantFutureData | AccessGrant | Future-period access. |
| GrantPastData | AccessGrant | Past-period access. |
| Tags | String | Tags for this element separated by semicolon. |
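An added example (not from the original page or from Microsoft's tooling): a least-privilege review of one privilege definition that flags grants above Read across the EntryPoints, DataEntityPermissions, and DirectAccessPermissions collections described above. The XML is a constructed, simplified layout that reuses this page's property names rather than the exact AOT file format; the sample names and the rule that a privilege whose name ends in `View` should stay at Read are assumptions.

```python
import xml.etree.ElementTree as ET
# AccessGrant levels in the order the Access Levels table lists them, lowest first.
LEVELS = ["No Access", "Read", "Update", "Create", "Correct", "Delete"]
GRANTS = ("Grant", "GrantCurrentData", "GrantFutureData", "GrantPastData")
# Constructed sample: simplified layout and hypothetical names, not a real AOT file.
SAMPLE = """<AxSecurityPrivilege>
  <Name>SampleVendorView</Name>
  <EntryPoints>
    <AxSecurityEntryPointReference>
      <Name>SampleVendorList</Name><ObjectType>MenuItemDisplay</ObjectType>
      <Grant>Read</Grant><GrantPastData>Correct</GrantPastData>
    </AxSecurityEntryPointReference>
  </EntryPoints>
  <DataEntityPermissions>
    <AxSecurityDataEntityPermission>
      <Name>SampleVendorEntity</Name><IntegrationMode>All</IntegrationMode><Grant>Delete</Grant>
    </AxSecurityDataEntityPermission>
  </DataEntityPermissions>
  <DirectAccessPermissions>
    <AxSecurityDataEntityReference>
      <Name>SampleVendorTable</Name><Grant>Update</Grant>
    </AxSecurityDataEntityReference>
  </DirectAccessPermissions>
</AxSecurityPrivilege>"""

def rank(level):
    """Position in LEVELS; an unrecognised value ranks highest so it is never missed."""
    return LEVELS.index(level) if level in LEVELS else len(LEVELS)

def highest_grant(node):
    """Highest level across the base and period grants; a missing grant is No Access."""
    return max((node.findtext(g, "No Access").strip() for g in GRANTS), key=rank)

def review(xml_text):
    """Return (collection, name, level, reason) findings for one privilege definition."""
    root, findings = ET.fromstring(xml_text), []
    view_only = root.findtext("Name", "").strip().endswith("View")  # assumed naming rule
    for coll in ("EntryPoints", "DataEntityPermissions", "DirectAccessPermissions"):
        for node in root.findall(f"{coll}/*"):
            name, level = node.findtext("Name", "?"), highest_grant(node)
            if rank(level) <= rank("Read"):
                continue
            if view_only:
                findings.append((coll, name, level, "view privilege exceeds Read"))
            if coll == "DirectAccessPermissions":
                findings.append((coll, name, level, "write access outside entry points"))
            if coll == "DataEntityPermissions" and node.findtext("IntegrationMode") == "All":
                findings.append((coll, name, level, "write access on all integration channels"))
    return findings
```

The entry point in the sample is flagged only because of its GrantPastData value, which shows why a review has to read the period-specific grants and not just the base Grant.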
Form Control Overrides
FormControlOverrides (AxSecurityFormControlReferenceCollection) allow a privilege to hide or disable specific form controls. This is useful when a form is accessible but certain fields or buttons should not be visible at this access level.
Each collection entry identifies a form by name and contains Controls children that specify the individual controls to override.
Standard Privileges
| Privilege | AOT Name | Description |
|---|---|---|
| View vendors | VendTableView | Read access to the vendor master list. |
| Maintain vendors | VendTableMaintain | Full CRUD access to vendor records. |
| Post vendor invoices | VendInvoicePost | Post vendor invoices to the ledger. |
| View purchase orders | PurchTableView | Read access to purchase orders. |
| Maintain sales orders | SalesTableMaintain | Full CRUD access to sales orders. |
Creating a Security Privilege
- In Visual Studio, right-click your project and select Add → New Item → Security Privilege.
- Set the Name, Label, and Description properties.
- Add entry-point references under the Entry Points node — specify the menu item, object type, and access level.
- Optionally add data entity permissions or form control overrides.
- Build and deploy.
Code Example — Checking Privilege Access Programmatically
Properties
| Property | Display Name | Type | Description |
|---|---|---|---|
| Security Privilege (AxSecurityPrivilege) | | | |
| Name | Name | String | The name of the element. |
| IsObsolete | Is Obsolete | NoYes | Determines whether the element is deprecated or not. Values: No (0), Yes (1) |
| Visibility | Visibility | CompilerVisibility | The visibility of the element. Values: Private (0), Protected (1), Public (2), Internal (3), InternalProtected (4) |
| Tags | Tags | String | Tags for this element separated by semicolon. |
| Label | Label | String | Privilege name that is displayed. |
| Description | Description | String | Privilege description that is displayed. |
| Enabled | Enabled | NoYes | Set to false to hide the node from the security framework. Values: No (0), Yes (1) |
| Entry Point Reference (AxSecurityEntryPointReference) | | | |
| Name | Name | String | The name of the element. |
| ObjectName | Object Name | String | The name of the referenced entry point (menu item or service operation). |
| ObjectType | Object Type | EntryPointType | The type of entry point. Values: None (0), MenuItemDisplay (1), MenuItemOutput (2), MenuItemAction (3), ServiceOperation (76) |
| ObjectChildName | Method Name | String | The child method name (for service operations). |
| Grant | Access Level | AccessGrant | Base access level granted to data. |
| GrantCurrentData | Current Access Level | AccessGrant | Access level granted to current-period data. |
| GrantFutureData | Future Access Level | AccessGrant | Access level granted to future-period data. |
| GrantPastData | Past Access Level | AccessGrant | Access level granted to past-period data. |
| Tags | Tags | String | Tags for this element separated by semicolon. |
| Data Entity Permission (AxSecurityDataEntityPermission) | | | |
| Name | Name | String | The AOT name of the data entity. |
| IntegrationMode | Integration Mode | IntegrationMode | Which integration channels the permission applies to. Values: All (0), DataServices (1), DataManagement (2) |
| Grant | Grant | AccessGrant | Access level granted to the data entity. |
| Direct Access Permission (AxSecurityDataEntityReference) | | | |
| Name | Name | String | The AOT name of the table or data entity. |
| Grant | Access Level | AccessGrant | Base access level granted to data. |
| GrantCurrentData | Current Access Level | AccessGrant | Access level granted to current-period data. |
| GrantFutureData | Future Access Level | AccessGrant | Access level granted to future-period data. |
| GrantPastData | Past Access Level | AccessGrant | Access level granted to past-period data. |
| Tags | Tags | String | Tags for this element separated by semicolon. |