I recently wrote about what features allow you to restrict user role assignments to a specific company/legal entity within D365FO, and a great developer from the AX community Nathan Clouse commented and said ‘What if someone made an open source project to change this behavior?’. After some back and forth we decided we were the people to start this project, I recently got our first feature completely so I wanted to show what we had so far and kind of give a glimpse of where this is headed.

AAXSecurityTools GitHub Link

We currently have two features:

Auto Assignment of Company Restrictions based on user

Create a page where you can set company restrictions for a user

Setting Up Automatic User Role Company Restrictions

I will be addressing the first one in this post, the use case for this is that when you assign a role to a user by default that user gets that access across all companies. You can then restrict this access down to specific legal entities manually, but what if you could pull the company restrictions for a this user role assignment from the user who is doing the role assignment? So if a user only has access to companies A, B, and C then anytime they perform a user role assignment it is automatically restricted to companies A, B, and C. This ensures that a user can not unintentionally grant role access to a user to all companies and will restrict company access automatically based on the access of the user performing the user role assignment.

I started by adding a toggle on the user screen call User Role Company Restrictions to, this will enable the automatic company restrictions for this user.

I assigned this fastpath user the Security Administrator role and then went and then restricted this access to only the Contoso Consulting and Contoso Entertainment System legal entities.

So now if I log in as this user and perform a user role assignment for a different user they will automatically be restricted to the Contoso Consulting and Contoso Entertainment System legal entities. In the example below I added the Accountant and Accounting Manager roles to the Wayne user and it was restricted to the GLSI and GLSI legal entities.

If we go into each role -> Assign Organizations we can confirm that the role company restrictions have been successfully applied automatically.

What if the assigning user’s company restriction is from a organizational hierarchy?

Now let’s look at the process if the user role company restrictions is done via organizational hierarchy. In a previous post, I went through the process of setting up a security organizational hierarchy like the one below. This hierarchy includes the following companies: GLSI, FRSI, USSI, GBSI

Once created, you can use this organizational hierarchy to limit the company access to a user role.

Now if we go to a user and assign roles to that user, those roles will automatically be restricted to the legal entities within the organizational hierarchy. In the example below, on the Wayne user I assigned the Cost Accountant and Cost Accountant Clerk roles.

Now if we go to Assign Organizations for each of these roles we can see that each of these have automatically been assigned the security organizational hierarchy as the restriction correctly.


Hopefully this feature will help with D365FO administrators when assigning security. Nate has been working hard on the 2nd feature and I will let him post when that becomes available.

As always, feel free to reach out with any questions you might have.


Nate Clouse’s Blog

Nate’s Twitter Profile

AAXSecurity Tools GitHub Link