Tuesday, February 28, 2012

Override permissions in a role

I recently came across a trick on setting up security in AX 2012. We wanted to create a new role by copying an existing role and removing a few duties from the role. I managed copying the role through some coding and that went well. However, when I tested the new role, it doesn't behave exactly the same as the original role. After poking around a bit, I found this nice new function in AX 2012 "Override Permissions" on the role form. As Microsoft noted, "Overrides for securable objects are not associated with specific duties or privileges. If you apply an override, the access level for the object is set for the role, regardless of access levels specified by the duties and privileges assigned to that role." I found this is better and easier than changing the duties or privilege itself.

You can also go to the AOT and look up in the table SecurityRolePermissionOverride and see what permissions are overridden.

One last note, you don't want to override too many permissions as it'll slow down your system performance.

Updated on 2/29/2012
Today had two discoveries on AX 2012 security settings.

  1. Unlike AX 2009, any change from the Security Role/Privileges form (e.g. adding a new role, adding/removing a duty from a role) auto triggers a change on the AOT under the Security section! If you're working from a usr layer (as a regular functional consultant would do), the changes will be on the USR layer!! I learned this in a hard way as I found all my security settings gone after a recent code deployment. So, if you don't want to keep redo your security settings in AX 2012, log onto the CUS layer and do the configuration, or merge the code after you're done on the USR layer. 
  2. Another way to duplicate an existing role is to go to AOT>Security>Roles and duplicate the role. Then all duties and permissions will get copied to the new role. Much better.


  1. Note: as of Ax2012R2 and above, the SecurityRolePermissionOverride table is held in the _MODEL database. As such, to find this table through the AOT navigate: AOT > System Documentation > Tables SecurityRolePermissionOverride.

    1. ps. to see data; right click the table name, then select Add-Ins, Table Browser.

  2. Is there any situation where it's justified to use the override feature over copying the role to a new one, and then amending that new role's permissions? i.e. What's the benefit of overriding a role vs replacing with a bespoke copy?

  3. Hello :)I've just searching some information about Override permissions in a role in microsoft dynamic AX and found your blog. Thank you for sharing!