One of the questions I get quite often is now that I know that security created/modified from the AOT is stored differently than security created/modified from the user interface, what is the best way to move security between environments effectively and ensure the validity of the tested security in each environment?

Treating Security as Code

What I mean by this is that your security should go through all of the same testing, deployment, and version control processes you have for code… because it is code. Just like you wouldn’t let a developer make code changes directly in production, you should not allow your security to be modified directly in production and instead should use the same promotion process you already have set up for your code. This concept is called Application Lifecycle Management, to learn more about this there is a great free course offered by Microsoft available here.

Joris de Gruyter has a great blog that consolidates all of the Microsoft posts surrounding this idea for various versions of Dynamics AX/365FO.

The basic idea is to use version control and code promotion to move security. So instead of doing something like this, where the user would go to each environment and make the security change:

You instead do something like this, where the user makes the changes in a development environment, that change then gets promoted to a test environment and finally it gets promoted once again to a production environment.

One thing to note here, this setup is a very basic setup and there can be multiple more layers between development and production.

Utilize Tools To Help Automate Process

Fastpath Security Designer Security Migration Tool – as part of the Fastpath Security Designer module, there is a Security Migration functionality to convert the SecurityDatabaseCustomization.xml output file a user gets from exporting security from the user interface in D365FO to the XML needed to either:

  • Create security elements in code via the AOT
  • Generate security XML to import via D365FO user interface into another D365FO environment

You have the ability to select which security layers you would like to export and to be able to rename the Name, Label, and Description properties of the security layers.

D365FO Security Converter – a free tool I developed to mimic the functionality of the Security Migration Tool as a standalone tool