Recently ran into an interesting scenario where an end user deleted a security layer from the user interface and wanted to restore it. This security layer was an out of box security layer so it existed in the AOT. Here is the process on how to perform this task.

Note: The following process only works in the scenario that the security layer exists in the AOT and you remove it from the user interface. If the security layer was created from the user interface and it is deleted the only recourse is to reapply a previous security XML to the environment or to restore the entire environment to an earlier time period.


In my initial scenario, I am going to delete an out of box role from my environment (in this case the Auditor role) and then restore it. Here is what the Auditor role looks like before we remove it:

Now lets go ahead and click the Delete button, which move the Auditor role to the Unpublished Objects area:

We can see in this case the the ‘Deleting’ column is checked meaning that the change we are performing is going to delete this security layer. Once we publish this change, we can see the role no longer exists:

How Do We Manage Deleted Objects

In the top menu bar, if we go to Data -> Manage Disabled Objects:

We will be taken to a screen where we can see all security that was deleted from the user interface but exists in the AOT:

If we select the Auditor role and click ‘Enable Selected Objects’, the role will be removed from this screen and will appear again in the Unpublished Objects area:

In this case now we can see that the role is being added back as the ‘Deleting’ column is left blank. Once we publish the security here the role is added back to our security list.

Note: If a user was assigned this role before it was deleted, this process does not regrant security to this user that process must be done manually.

What if a Duty or Privilege is Deleted? Does the Process Change?

In the next scenario I deleted a privilege (in this case the ‘Maintain Vendors’ privilege) which is assigned to the ‘Maintain Vendor Master’ duty.

After performing the same process as above, I noticed the privilege itself was brought back but the relationships to other security layers was not reestablished (in this example you can see the association to the duties is missing).

Since these associations still exist on the privilege itself in the AOT, how do we bring those associations back?

If we go back to the Data tab and this time go to the ‘Repair’ option this will build the necessary associations back for the restored security layer.


Hopefully this helps to show how there is a feature within D365FO to help with this process but keep in mind the following:

  • This only works for security that exists as code in the AOT and is deleted from the user interface
  • If you remove a duty or privilege the parent security layer relationships are not rebuilt automatically, that must be done manually through the Repair option