In Microsoft Dynamics AX, permissions and user rights are granted to user groups. By adding a user to a user group, you grant the user all the permissions and user rights assigned to that user group. Before a user can access the product, he or she must be added to the list of product users and added to at least one Microsoft Dynamics AX user group.
By creating users and user groups, you establish who can access Microsoft Dynamics AX and what permissions users have when they are working in the application. Microsoft Dynamics AX requires that all users be listed in Active Directory directory services on your domain controller before they can be enabled on the form. If a user is not enabled on this form, they cannot access Microsoft Dynamics AX. For more information, see Working with users from Active Directory.
An administrator user and an administrator user group are created the first time Microsoft Dynamics AX is run. The user who opens the first client to connect to an Application Object Server (AOS) instance after installation is set to the Administrator user. The Administrator user is added to the Administrators user group. Administrators have complete access to all forms, menus, tables, reports, the Application Object Tree (AOT), and all security keys.
By default, also creates a Guest user account. The guest user does not have any permissions in the system, and is designed to give access to a public Enterprise Portal site. For detailed information, see Give users access to an Enterprise Portal Internet sitein the Enterprise Portal Administration Guide.
Restrict the number of users who are members of the Administrators user group, which has access to all fields, tables, reports, and modules in Microsoft Dynamics AX by default. If users are made members of the Administrators user group, they can potentially view reports or data that they should not be able to see or change configurations and business logic in the system. Ideally, only those individuals who will configure and administer Microsoft Dynamics AX should be members of the Administrators user group. To further limit this vulnerability, you can create domain administrators, who have administrator rights only to their respective domains. For more information about domain administrators, see Create domain administrators.
Deciding on the structure of your user groups
The groups you create and the permissions you assign to user groups should reflect the structure of your organization. For example, you may want to create groups for Human Resources, Finance, Sales, and Production to name a few, and then set the appropriate permissions for these groups. Create user group names that describe the permissions granted for that group, such as Finance - Full, General ledger - Read Only, Accounts payable - Edit. In this manner you avoid confusion if you have to create additional groups.
When a user is a member of more than one group and the group permissions overlap (for example, a user is a member of two groups that have access to the General Ledger module), the user inherits the highest permission level between the two groups.
When you are setting permissions for each group, work with business decision makers in each department to determine what permissions each group needs and who should be included in each group.
We recommend that as a security best practice, you create a Developers user group to help minimize the number of users in the Administrators user group. By default, only members of the Administrators user group can make changes in Application Object Tree (AOT), the central repository for classes, tables, and other development elements in Microsoft Dynamics AX. Give the Developers user group access permission to make changes in AOT. Restrict the number of users in the Developers group.
To create a group and add users to that group
The following procedure describes how to add users to a group at the time that the group is created. You do not have to add users to a group when it is created. You can add users to a group later on the form (see Create new users).
From a Microsoft Dynamics AX client, click > > .
On the tab, create a new group.
Enter an identification in the Groupcolumn (required). For example, Finfor Finance or HRfor Human Resources.
Enter a name in the User group namecolumn (required). For example, Finance Departmentor Human Resources Department.
Click the tab.
Select users in the list and then click the left-arrow button ( <) to move the selected users into the list. All users moved into the list are added to the current group.
Press CTRL+S to save changes.
Now that you have created one or more groups, you are ready to assign permissions. For information about how to assign permissions, see Manage security permissions for user groups and domain combinations.