An administrator user and an administrator user group are created the first time Microsoft Dynamics AX is run. The user who opens the first client to connect to an Application Object Server (AOS) instance after installation is set to the Administrator user. The Administrator user is added to the Administrators user group. Administrators have complete access to all forms, menus, tables, reports, the Application Object Tree (AOT), and all security keys.

By default, also creates a Guest user account. The guest user does not have any permissions in the system, and is designed to give access to a public Enterprise Portal site. For detailed information, see Give users access to an Enterprise Portal Internet sitein the Enterprise Portal Administration Guide.

Important

Restrict the number of users who are members of the Administrators user group, which has access to all fields, tables, reports, and modules in Microsoft Dynamics AX by default. If users are made members of the Administrators user group, they can potentially view reports or data that they should not be able to see or change configurations and business logic in the system. Ideally, only those individuals who will configure and administer Microsoft Dynamics AX should be members of the Administrators user group. To further limit this vulnerability, you can create domain administrators, who have administrator rights only to their respective domains. For more information about domain administrators, see Create domain administrators.

The groups you create and the permissions you assign to user groups should reflect the structure of your organization. For example, you may want to create groups for Human Resources, Finance, Sales, and Production to name a few, and then set the appropriate permissions for these groups. Create user group names that describe the permissions granted for that group, such as Finance - Full, General ledger - Read Only, Accounts payable - Edit. In this manner you avoid confusion if you have to create additional groups.

Important
When a user is a member of more than one group and the group permissions overlap (for example, a user is a member of two groups that have access to the General Ledger module), the user inherits the highest permission level between the two groups.

When you are setting permissions for each group, work with business decision makers in each department to determine what permissions each group needs and who should be included in each group.

We recommend that as a security best practice, you create a Developers user group to help minimize the number of users in the Administrators user group. By default, only members of the Administrators user group can make changes in Application Object Tree (AOT), the central repository for classes, tables, and other development elements in Microsoft Dynamics AX. Give the Developers user group access permission to make changes in AOT. Restrict the number of users in the Developers group.

The following procedure describes how to add users to a group at the time that the group is created. You do not have to add users to a group when it is created. You can add users to a group later on the Userform (see Create new users).

1. From a Microsoft Dynamics AX client, click Administration> Setup> User groups.

2. On the Groupstab, create a new group.

3. Enter an identification in the Groupcolumn (required). For example, Finfor Finance or HRfor Human Resources.

4. Enter a name in the User group namecolumn (required). For example, Finance Departmentor Human Resources Department.

5. Click the Userstab.

6. Select users in the Remaining userslist and then click the left-arrow button ( <) to move the selected users into the Selected userslist. All users moved into the Selected userslist are added to the current group.

7. Press CTRL+S to save changes.

Now that you have created one or more groups, you are ready to assign permissions. For information about how to assign permissions, see Manage security permissions for user groups and domain combinations.