Security Upgrade Advisor Tool for Dynamics AX 2012

The security framework has undergone significant changes between AX 2009 and AX 2012. There is no automatic path for upgrade of security configuration from AX 2009 to AX 2012. In order to assist the upgrade of security settings, we have written a tool called the Security Upgrade Advisor.

Security in AX 2009

Security in AX 2009 for a user starts with his or her membership in a user group. By adding a user to a group, you grant that user all the permissions assigned to that group. Domains let you restrict a user group's permissions to a single company, or set up user groups that have permissions to data across companies.

Furthermore, access of users to system elements (such as forms, menu items, and tables) is controlled using security keys. These settings are set by managing user group and domain combinations. Lastly, the security keys themselves can have child security keys. Ultimately, they control access to a securable object, set with an access level.

Security in AX 2012

Security in AX 2012 for a user starts with his or her being assigned one or more security roles. Security roles themselves contain duties, privileges and permissions. The permission is a combination of a securable object and an access level. Privileges contain a combination of an entry point and an access level. At runtime, the appropriate permission is picked up and given to the user.

Approach to security upgrade

Access to data within the system for an AX user flows through an entry point such as a menu item. The algorithm essentially looks for entry points in the legacy system, looks at their access levels, and finds privileges that map to each entry point and access level. The steps can be iteratively described with the following picture.

Here is a rule of thumb to follow: "If you find a direct mapping between a user group and an 'out of the box' role, that is always better, because the roles have been functionally tested." If you cannot use the out-of-the-box security roles that AX 2012 ships with, you can map user groups to custom security roles that should have security settings equivalent to those of the legacy system.

The match process works on the principle that, for a given entry point in AX 2009, the tool tries to find a privilege in AX 2012 that contains the same entry point. The second level of matching is done on the access level. Depending on whether the access level is exactly the same or varies slightly, the administrator running the tool is asked to review a match or create a new privilege. The following table explains all the cases with illustrative examples.
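The two-level match described above, sketched as an added example; this is not the Security Upgrade Advisor's own code. The access-level ordering, the verdict labels, the nearest-level tie-break and the sample privilege and group data are assumptions made for the illustration.

```python
from enum import IntEnum

class Access(IntEnum):
    # Assumed ordering for this sketch, lowest to highest.
    NO_ACCESS = 0
    VIEW = 1
    EDIT = 2
    CREATE = 3
    DELETE = 4

# Constructed sample: AX 2012 privileges as {privilege: {entry point: access level}}.
PRIVILEGES = {
    "CustTableView": {"CustTable": Access.VIEW},
    "CustTableMaintain": {"CustTable": Access.DELETE},
    "SalesTableEdit": {"SalesTable": Access.EDIT},
}

# Constructed sample: entry points a legacy user group can reach, with access level.
LEGACY_GROUP = {
    "CustTable": Access.VIEW,
    "SalesTable": Access.CREATE,
    "VendTable": Access.EDIT,
}

def match_entry_point(entry_point, legacy_level, privileges):
    """Return (verdict, privilege name, level granted) for one legacy entry point."""
    # First level: privileges that contain the same entry point.
    candidates = [(name, eps[entry_point])
                  for name, eps in privileges.items() if entry_point in eps]
    if not candidates:
        return ("CREATE_NEW", None, None)
    # Second level: compare access levels; nearest wins, ties go to the lower grant.
    name, level = min(candidates, key=lambda c: (abs(c[1] - legacy_level), c[1]))
    if level == legacy_level:
        return ("EXACT", name, level)
    # A mismatch is never auto-accepted; say which way it differs so the
    # administrator can see whether the mapping would widen access.
    verdict = "REVIEW_GRANTS_MORE" if level > legacy_level else "REVIEW_GRANTS_LESS"
    return (verdict, name, level)

def advise(legacy_group, privileges):
    """Classify every entry point of one legacy user group."""
    return {ep: match_entry_point(ep, lvl, privileges)
            for ep, lvl in sorted(legacy_group.items())}

if __name__ == "__main__":
    for ep, result in advise(LEGACY_GROUP, PRIVILEGES).items():
        print(ep, result)
```

Splitting the review verdict by direction keeps a migrated role from silently gaining more access than the legacy user group had.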


The Security Upgrade Advisor Tool is available from the InformationSource services download page. Documentation for the tool can be found at this link:

Note that this tool should work on both AX 4.0 and AX 2009 and also with AX 2012 and AX 2012 R2. Do try this tool out and give us your feedback.