Some customers and community people have sometimes the question of how to create a specific role in AX2012 where people have just “read-only” rights. In the past, I used a specific trick to establish such a role in just 10 minutes. (This besides finetuning. see details below).

Recently this question came across on the Dynamics Community again, so I decided to write a blog about creating this role.

The approach is simple. All Duties and Privileges in AX do have a pattern. All read-only duties end with the word “Inquire”. Setup forms can also have read-only rights and end with “Review”. The privileges do end with “View” for forms. Reports normally end with “Generate”.

When you create an AOT project and used the filter for selecting the duties ending with “*Inquire” and “*Review” you have a list of all “read-only” duties. Then create a new role. Drag and drop all duties from your project to the new role and you have created your “Read-only” role.


  1. Open the Ax Development Workspace (AOT)
  2. Create a new development project and give it a name for your reference.
  3. Click the Advanced Filter/Sort button or use the shortcut combination Ctrl+F3

  4. Click the button Select for making the selection.

    Enter the value “*Inquire,*Review” for table SysModelElement field Name.
    Enter the value “SecurityDuty” for table SysModelElementType field Element Type Name.
    Click OK for this form and the Project filter form.
  5. All elements are added to your new project like the image below illustrates.

  6. Navigate within the AOT to the node Security, Roles.  Create a new role and give it the appropriate name and description.
  7. Select the Project form.
  8. Select all Duties by using the shortcut Crtl+A.
  9. Drag and drop the selected Duties to your new role (Duties node) and save your new role.

    The baseline for the role is ready. You can already assign a user to this role. But….
    Some tables have too high privileges caused by some out-of-the-box Duties, Privileges and/or Form permissions.
    E.g. the Vendor table (VendTable) has Full control permissions.
  10. Open the form Security Roles from the System administration, Setup, Security menu.
  11. Select the new “Read only user” role.
  12. Click the button Override permissions.
  13. Walk through the list of tables and see which tables do have too high access levels.

    To correct the access level:
    Untick the field Do not override.
    Set the value of the field Override access level to “View”.

    Note that temporary tables need “Full access” for processing the reports.
  14. Click Close to close the form.

You can now use the role and eventually test it by using the Security Development Tool which is available on Informationsource.

I do hope you liked this post and will add value for you in your daily work as a professional. If you have related questions or feedback, don’t hesitate to use the Comment feature below.

That’s all for now. Till next time!

20 replies
  1. simon
    simon says:

    I tried the approach in my testing environment. I created the readonly role and assign to the user.
    when I use that user login, in system admin part, I cannot see all the menu item, just very few item I can see.

    another question for “temporary tables need “Full access””, Can you please tell me how to tell which table is temporary table?


    • André Arnaud de Calavon
      André Arnaud de Calavon says:

      Hi Simon,

      Thanks for your comment.

      The included duties contains only menu items (by use of privileges) with read access rights. Some menu items in AX do only have privileges with Full control rights. As these are not included in the role, it is indeed possible that you will not see all menu items. In this case you could create new privileges and duties for these menu items giving read only rights.

      There are many temporary tables in AX. Most of them start with a prefix ‘Tmp’. There is no complete list with temporary tables. The table definition in the AOT has a property which dertermines if a table is permanent or temporary.

  2. Praveen
    Praveen says:

    Hi, Thanks for a great post on security. It really helped me.
    I have a different requirement where in I have to create a role to Hide System administration module & all parameters forms from all modules.
    I managed to hide System Admin module for that particular role and I have assigned all the duties to the role.But to hide all the Parameter forms is what concerning me. One approach in my mind is to find all the duties which include the parameter forms privileges and duplicate and then remove the parameter form privileges and assign these duties to the role. But this is very tedious job. Is there any other approach which you can suggest ?

    Any help would be highly appreciated. TIA

    • André Arnaud de Calavon
      André Arnaud de Calavon says:

      Hi Praveen,

      Hide all the setup sections only is a bitt cumbersome. You can start with excluding the duties with a naming pattern …Enable and …ProcessInquire. These are mostly related to the setup areas. But then you might miss some functionality on e.g. inquiries or still have some menu items left. You can gain some help from the Security development tool which can be downloaded from Lifecycle services.

  3. André Arnaud de Calavon
    André Arnaud de Calavon says:

    Hi Fiaz,
    I would like to redirect you to the Microsoft Dynamics community to ask your question. When you create your question you have to specify more details like which roles were granted and which privileges were created or other security artifacts were modified.

  4. Syed
    Syed says:

    Hi, for Excel add-in the functionality of “Add data” is only available for system admin users. Which makes sense as it is exposing AOT tables. However, what if i need for other users with out giving system admin rights. Only to allow excel add-in. Client will continue to use limitted rights as per role assigned. Do you have any suggestion for this requirement?

    • André Arnaud de Calavon
      André Arnaud de Calavon says:

      Hi Syed,

      The “Add data” is available for all users and the contents can be managed using the option “Document data sources”. Here you can add queries or services which will be made available for users.
      Probably you were referring to “Add tables” which is indeed only available for system administrators. There is no option to grant direct table access to non system administrators.

  5. Krishna
    Krishna says:

    Hi Andre,
    I’ve done similar way to get all duties readonly. Unfortunately My customized duty (newly created with readonly previlige) not found in
    the project.
    1, I’ve created a created display menu item for the form.
    2. Created a new privilege, dragged the menu item, set the access read only.
    3, Created a new duty dragged the privilege.

    When I’ve filtered as you said, (“*Inquire,*Review” , SecurityDuty). I didn’t find my newly created duty.
    Could you please assist?

    • André Arnaud de Calavon
      André Arnaud de Calavon says:

      Hi Krishna,

      You have to check the name you used for the new created privilege and duty. Is it ending with “Inquire” or “Review”?

      • Krishna
        Krishna says:

        Hi Andre,
        You are correct. I’ve not created privilege,duty with “Inquire” or “Review”?.
        BTW thanks for directing in right direction.

  6. syed
    syed says:

    Hi All,

    Nice explanation.
    I am a newbie in AX.
    I want to give one user CFO role on country-A and same user I need to give CFO role on country-B but READ ONLY.
    Any idea

    • André Arnaud de Calavon
      André Arnaud de Calavon says:

      Hi Syed,

      Excuses for a bit late reply. A security role does contain duties and privileges which will manage the access permissions. In this case you need to have two roles:
      – “CFO” role with edit permissions
      – “CFO read only” with only inquire duties/privileges
      There is no option to have a single role behaving different in another company.

  7. Pratik
    Pratik says:

    Hi Team

    I have followed the same steps, but till step 9 is fine, but for step 10 at AOS i am unable to see list of duties where at AOT i can see.

    • André Arnaud de Calavon
      André Arnaud de Calavon says:

      HI Pratik,
      Step 10 is a form which should be started using the AX normal client menu. The menu path is provided in the step. If you are missing data, check if you have a version control system active. If not, check if you are on the correct security role.

  8. Sunitha
    Sunitha says:

    Hi,i am using ax 2012 R2 CU6, I need read only access for functional and development areas.How can i achieve that ? can you please explain.

    • André Arnaud de Calavon
      André Arnaud de Calavon says:

      Hi Sunitha,

      Thanks for reading the blog. What exactly do you mean with functional and development? In fact functional + development is the System administrator role. So, please elaborate.

  9. Mazher
    Mazher says:


    In case I want to create a read only role similar to Accountant. How can I achieve this.

    Pls. guide.

    • André Arnaud de Calavon
      André Arnaud de Calavon says:

      Hi Mazher,

      To be able to achieve this, you need to see which duties and privileges will have only read access in these areas. I don’t know all of them by heart. Like mentioned in the blog there is a pattern to be able to find out which duties and privileges will have maintain or read access.

  10. Muhammad Yasir
    Muhammad Yasir says:

    Hi ,
    I followed the same steps and able to achieve what you describe here but faced one issue.When i go to Purchase orders list page –> Receive (Tab) –> Posting receipts lists (button) remains enabled and we can post receipts even we have the read only the user. The reason i found is that this button is an action menutiem which has full access rights in the associated Privilege. so my question is that how can we find all duties which contains such menutiems with full access rights and how can we alter them to readonly access to achieve full read only access to AX.


    • André Arnaud de Calavon
      André Arnaud de Calavon says:

      Hi Muhammad,

      Thanks for reading the blog. As mentioned, there might be some objects with still full access. It could be related to buttons with x++ coding or indeed privileges set on standard security objects. Possibly, you can use the Security Development Tool to find out about the menu items with full access. Also ensure, that the user does not have other roles where higher access is provided.


Leave a Reply

Want to join the discussion?
Feel free to contribute!

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.