Implementing Role-based Extensible Data Security (XDS) policies in Microsoft Dynamics AX 2012


Security policies are used to limited access to data. Extensible Data Security (XDS) is a framework in Microsoft Dynamics AX that allows developers and system administrators to deny access to subsets of data and only share a subset of data with appropriate users.

XDS replaces the Record level security framework in previous Microsoft Dynamics AX versions. The security policies are applied on AOS and hence applied to any data retrieved from any client, whether in Rich, AIF web services or Enterprise portal.

XDS policies are also used in conjunction with Role Base security frameworks to block data access for a particular Role. They provide a powerful mechanism to implement complex data security needs. This is different from security permission, as security permission increases access to data while security policies restrict access to data.


  1. Microsoft Dynamics AX 2012

Important Concepts

Primary Table

A primary table is any table that will be used to restrict data in the constrained table. It is the table that is specified in the policy query.

Constrained Table

A constrained table is a table on which data filtering is applied. It can be a primary table or a table that is related to the primary table.

Policy Query

Policy query helps to secure data in the constrained table defined in the XDS. It is used to fetch data from the primary table, which is then used to restrict data in the constrained table.


Context is the most import part of XDS without which security policy will not be applied. It defines the context on which security policy will be applied. It can have three possible values:

  1. ContextString: Defines a specific application context on which security policy will be enabled. It is also called an application context.
  2. RoleName: Defines that the security policy will only be applied to a particular Role in the application.
  3. RoleProperty: Used to define multiple Roles for a single security policy.


As part of this tutorial, security policy will be applied to the Sales manager role, who can only view customers having Customer group 10


  1. First, create a new Policy query. Open AOT Queries
  1. Right click on Queries and create a new Query XDSCustDemo


  1. Navigate to the Data Sources node and add a new data source by right clicking it and select New Data Source


  1. Set the Table property of the newly added data source so this table will behave as the primary table of the security policy
  1. Navigate to Fields node of the data source and set its Dynamics Property to Yes
  1. Navigate to Ranges node of the data source and create a new range by right clicking it and select New Range
  2. Select CustGroup field in the Fields property and set its value to 10 in the Value property of the range


  1. Save the query
  1. Now next step is to create security policy
  1. Navigate to AOT Security Policies
  1. Right click on Policies and create a new Policy XDSCustDemo
  2. Set the properties as shown in the figure below
  3. Selecting ConstrainedTable property to Yes indicates that the primary table will also behave as the constrained table
  1. Now open AX with a User who has Sales Manager rights
  1. Navigate to Accounts receivable / Common / Customers/ All customers


  1. Verify that only those customers shows are those that have Customer group 10
January 25, 2016


Email [email protected] with any questions you have pertaining to this course.

New CPE Accredited Courses Now Available for Dynamics AX, GP, and NAVEARN CREDITS TODAY