I’ve covered the topic of the Table Permission Framework previously but wanted to give an example of how it can be used for protecting columns within grids in D365FO.
The scenario: a form within D365FO contains a grid with sensitive data in a particular column. You would like to hide that column from certain users and allow only users who are explicitly assigned access to see or interact with it.
How to Use TPF To Meet Requirements
In my example, I created a custom table named FpTPF and used it as the data source for a custom form. This table contains two columns: Name and TpfValue.
As you can probably guess, the Name column is just a regular string column with no TPF applied.
The TpfValue column is also a string column, but it has TPF applied by setting the ‘Aos Authorization’ value on the table field to ‘Yes’.
I then created a form and used this table as the datasource for the grid:
I then created a custom role/privilege combination that granted Delete/Full Control access to this menu item:
When I assigned this role to a user and tested it, the user could not access the TpfValue field on the grid, even though they have full control of the form itself.
So how do we make that column visible? We need to grant explicit access to the table field. One thing to note here: to add the table field you do have to add the table itself, but you do not need to grant any access to the table directly, as that access is still derived from the menu item (this is a change from AX 2012).
Once this security change has been applied, the user can see both columns, as their security now meets the TPF requirements.
The scenario above is a common example of utilizing TPF to protect sensitive data.
For security management purposes, I recommend creating a separate XDS role for situations like this and designating it as such with some sort of naming convention (ex: <RoleName>_XDS). This way you can immediately recognize whether a user is assigned this additional role and can access this sensitive information, and you keep it separate from the ‘base’ role that only has access to the form itself.
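The naming convention only helps if it is checked, so here is an added example (not part of the original post, and not D365FO code) that audits role assignments for explicit grants on a TPF-protected field and flags grants that come from a role without the _XDS suffix. The role names, users, menu item name and data layout are constructed assumptions; the logic models only the behaviour described above, where menu item access alone does not expose the column.

```python
# Constructed sample data; a real audit would load a security export instead.
TPF_FIELDS = {("FpTPF", "TpfValue")}   # fields with Aos Authorization = Yes
FORM_MENU_ITEM = "FpTPF"               # hypothetical menu item name for the form

ROLES = {
    # role name: (menu items granted, explicit field grants as (table, field))
    "FpTPFForm":     ({"FpTPF"}, set()),
    "FpTPFForm_XDS": (set(), {("FpTPF", "TpfValue")}),
    "FpHelpdesk":    (set(), {("FpTPF", "TpfValue")}),  # grant in an unmarked role
}
USERS = {
    "alice": ["FpTPFForm"],
    "bob":   ["FpTPFForm", "FpTPFForm_XDS"],
    "carol": ["FpTPFForm", "FpHelpdesk"],
    "dave":  ["FpTPFForm_XDS"],
}


def audit(users, roles, tpf_fields, menu_item, suffix="_XDS"):
    """Return one finding per user holding an explicit grant on a TPF field."""
    findings = []
    for user in sorted(users):
        assigned = users[user]
        # Access to the form itself comes from the menu item entry point.
        opens_form = any(menu_item in roles[r][0] for r in assigned)
        # Roles that carry an explicit grant on a protected field.
        granting = sorted(r for r in assigned if roles[r][1] & tpf_fields)
        if not granting:
            continue  # menu item access alone never exposes the protected column
        findings.append({
            "user": user,
            "sees_column": opens_form,  # needs the form and the field grant
            "roles": granting,
            "unmarked_roles": [r for r in granting if not r.endswith(suffix)],
        })
    return findings


if __name__ == "__main__":
    for finding in audit(USERS, ROLES, TPF_FIELDS, FORM_MENU_ITEM):
        print(finding)
```

Any entry with a non-empty `unmarked_roles` list is a sensitive-field grant that the naming convention would not reveal at a glance.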