By default, in Dynamics AX/365FO when assigning a user to a role, this access is granted across all companies/legal entities. What options do you have to restrict this?

Assign Organizations

Under System Administration -> Users you are able to see the roles assigned to a user. When you select a particular role you can then select Assign Organizations to restrict which companies/legal entities the user has this role’s access in.

The first time you visit this page, the ‘Grant access to all organizations’ option will be selected.

If you select ‘Grant access to specific organizations’ you can then select a company/legal entity and then scroll to the bottom of the page and select Grant.

This user now only has this role access in the company/legal entity selected. So in the example above, the Alicia user only has the Accounting Manager role in the Contoso Consulting company.

So what does this look like from a technical perspective?

User to role associations are stored in the SecurityUserRole SQL table. Company/legal entity restrictions to user role associations are stored in the SecurityUserRoleCondition table. If there is no entry in the SecurityUserRoleCondition table for a specific SecurityUserRole entry that means the user has that role access across all companies/legal entities.

In the SQL example above, you can see the Alicia user is assigned a number of different roles. The roles with a value of NULL in the DataArea column mean that there was no entry in the SecurityUserRoleCondition table and therefore the user has that access across all legal entities. The entry for the Accounting Manager role has a value in the DataArea column which means that role is being restricted to that specific legal entity.

The above process is the normal way to restrict user role access to specific companies/legal entities.

Using Organizational Hierarchies to Help With Company Restrictions

If you have a large number of legal entities to restrict a user to you may be asking if there is an easier way to assign these company/legal entity restrictions instead of granting one at a time? The answer is to use organization hierarchies.

In Organization Administration -> Organizations -> Organization Hierarchy Purposes there are a number of our of box hierarchy purposes, one of which is titled Security. This is the ‘organization hierarchy purpose’ that allows us to help with user role company restrictions.

Once created, you will be taken to the hierarchy designer. This is where you can actually set up a hierarchy of companies/legal entities. In the example below, I have the Contoso Consulting legal entity as the parent to Contoso Consulting France, United States, and Great Britain legal entities.

Now if we go back to the user role company restrictions, in the ‘Select Organization Hierarchy’ drop down you can now see the organizational hierarchies with a purpose of security (in our example the organizational hierarchy FPSecurity).

In the ‘Available Organization Nodes’ area, we can see the hierarchy of the legal entities. You still have the ability to select an individual company/legal entity and grant the access, but now you also have the ability to ‘Grant with Children’ which means that the currently selected level and all of child levels will be granted in the company restriction area.

From a technical perspective, the organizational hierarchy information is stored across the OmUserRoleOrganization, OmInternalOrganization, and OmHierarchyRelationship tables.

In the example above, I granted selected the Contoso Consulting legal entity and selected Grant with Children. In the database, we can see in the for the Accounting Manager role there is an entry in the SecurityUserRoleCondition table for each legal entity in our hierarchy. So instead of having to grant each legal entity separately, we can just grant the singular organization hierarchy which will then grant all child legal entities as well.