I’ve covered the topic of the Table Permission Framework previously but wanted to give an example of how it can be used for protecting columns within grids in D365FO.
Scenario
There is a form within D365FO that contains a grid that has a sensitive data within a particular column that you would like to hide from certain users and only allow users explicitly assigned access to see/interact with it.
How to Use TPF To Meet Requirements
In my example, I created a custom table named FpTPF and used it as a data source for a custom form that uses it as a datasource. This table contains two columns: Name and TpfValue
As you can probably guess, the Name column is just a regular string column with no TPF applied.
The TpfValue column is also a string column but does have TPF applied by enabling the ‘Aos Authorization’ value on the table field set to ‘Yes’.
I then created a form and used this table as the datasource for the grid:
I then created a custom role/privilege combination that granted Delete/Full Control access to this menu item:
When I then assigned this role to a user and tested it out, you can see that even though this user has full control to the form itself, it cannot access the TpfValue field on the grid.
So how do we make that column visible? We need to grant explicit access to the table field. One thing to note here is that to add this table field value you do have to add in the table itself but you do not need to grant any access to the table directly as this is still getting the derived access from the menu item (this is a change from AX 2012).
Once this security change has been applied the user can then see both columns as now their security meets the TPF requirements.
Conclusion
The scenario above is a common example of utilizing TPF to protect sensitive data.
For security management purposes I recommend creating a separate XDS role for situations like this and designating it as such with some sort of naming convention (ex: <RoleName>_XDS). This way you can immediately recognize if a user is assigned this additional role and can access this sensitive information and keep it separate from the ‘base’ role that only has access to the form itself.
Resources
Table Permission Framework in D365FO
Advanced Security Features in D365FO
Hi Alex,
Observation about saving data, e.g. BankAccountTable, where field AccountNum uses TPF.
I created a new role with the single built-in privilege, “Maintain bank accounts”
I give myself this role only. I am able to access the Cash / Bank Account screen.
The BankAccount field is not shown, as expected.
When I try to update a record, it gives an error “Access denied to field”.
In order to get past the error, I had to explicitly grant the user read access to BankAccountTable.AccountNum.
It seems as though without granting read-access, writing will fail. In order to allow writing to the field, I need to grant field-level read access.
Hi Alex, I commented too quickly.. I see in your older article that someone else had the same issue.
https://alexdmeyer.com/2019/01/24/table-permission-framework-in-d365fo
Perhaps disregard my previous comment 🙂