Security in Axd<Document> and Ax<Table> Classes

Applies To: Microsoft Dynamics AX 2012 R2, Microsoft Dynamics AX 2012 Feature Pack, Microsoft Dynamics AX 2012

By default, Application Integration Framework (AIF) uses the standard table, field, and record level security when you read data from Microsoft Dynamics AX that is sent to an external system.

Record level security (RLS) is implemented at the Axd<Document> class level where the specific document defines whether RLS should be upheld for that document only. AIF uses the property to implement RLS. This property returns a boolean that specifies whether the current document class (which inherits from the AxdBase class) uses RLS. By default, this property returns true.

By default, RLS is enabled for all Axd<Document> classes that are included with Microsoft Dynamics AX except for the following:

  • Sales Invoice - AxdSalesInvoice

  • Advance Ship Notice - AxdASN

  • Purchase Requisition - AxdPurchaseRequisition

In these document classes, RLS is bypassed in the unpackPropertyBag method as shown in the following code.

protected void unpackPropertyBag(AifPropertyBag _aifPropertyBag)
        AxdSendContext  axdSendContext = 
        // Get send context properties.
        // Bypass RLS.;

When reading data that will be sent, the AxdBase class passes the request to the AxdBaseRead class. The AxdBaseRead.serializeQuery method checks whether the document implements RLS and passes that information to the query in the following code.


RLS does not apply when the AIF deserializes data from XML and writes to the database. This is the case for inbound documents that create data in Microsoft Dynamics AX.

Security Consequences

RLS affects the Axd<Document> and Ax<Table> classes as shown in the following table.




Schema generation

When generating XML schemas (XSDs), security is not verified. The schema is shared across all recipients and submitters, regardless of data access permissions.

When data is serialized from the Microsoft Dynamics AX database into XML, the following rules apply:

  • If the calling code is not authorized to read data from the data source table, that data source and all child data sources are not serialized.

  • If the calling code is not authorized to read a specific field, that field is not serialized.

  • When data is read from the database and RLS is enabled, only those records that the calling code is authorized to view are returned.

  • If the calling code is not authorized to read one of the fields that is marked as mandatory in the XML Schema (for example, the XSD generated by the getSchema method), an error is thrown.


When AIF deserializes data from XML and writes it to the database, RLS is not used. Instead, AIF checks that the user has access to the tables and fields in which data is being created or updated. If the calling code is not authorized to write data to the data source table or to a specific field, the incoming XML document is rejected. The AxdBaseCreate base class in the XML document framework checks for access in the AxdBaseCreate.hasTableAccess and AxdBaseCreate.hasFieldAccess methods.


All AIF exceptions are logged to the SysExceptionTable and can be viewed in the Exceptions form. For more information, see View the exceptions log.

Required Fields

A field is considered required when:

  • The field is marked as mandatory in the data model and the field is not included in the list of mandatory field exemptions returned by the Ax<TableName>.getMandatoryFieldsExemptions method.

- or -

  • The field is in the list of mandatory fields returned by the Axd<Document>.getMandatoryFieldsMap method.
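
The serialization rules and the required-field definition above, modeled in Python as an added example (not code from the original page or from Microsoft Dynamics AX). All class, function, table and field names are hypothetical, and the model assumes that a field marked mandatory in the XSD is one that meets the required-field definition.

```python
# Added illustration: a simplified model of the outbound serialization rules.
# Every name below is hypothetical; this is not AIF or X++ code.
from dataclasses import dataclass, field

class MandatoryFieldDenied(Exception):
    """The caller cannot read a field that is required in the document."""

@dataclass
class DataSource:
    table: str
    records: list                                    # dicts: field name -> value
    model_mandatory: set = field(default_factory=set)
    exemptions: set = field(default_factory=set)     # mandatory-field exemptions
    doc_mandatory: set = field(default_factory=set)  # document's mandatory-fields map
    children: list = field(default_factory=list)

    def required(self):
        # Required = (mandatory in the data model and not exempt) or listed by the document.
        return (self.model_mandatory - self.exemptions) | self.doc_mandatory

@dataclass
class Caller:
    tables: set        # tables the caller may read
    fields: set        # readable (table, field) pairs
    may_view: object   # callable(table, record) -> bool, the record-level policy

def serialize(ds, caller, use_rls=True):
    if ds.table not in caller.tables:
        return None    # no table access: this data source and all children are dropped
    denied = sorted(f for f in ds.required() if (ds.table, f) not in caller.fields)
    if denied:         # an unreadable mandatory field is an error, not an omission
        raise MandatoryFieldDenied(f"{ds.table}: {denied}")
    rows = [{k: v for k, v in rec.items() if (ds.table, k) in caller.fields}
            for rec in ds.records
            if not use_rls or caller.may_view(ds.table, rec)]  # RLS filters records
    kids = [n for n in (serialize(c, caller, use_rls) for c in ds.children)
            if n is not None]
    return {"table": ds.table, "rows": rows, "children": kids}

# Constructed sample data: an order header with one child data source.
LINES = DataSource("OrderLine", [{"ItemId": "A1", "Price": 10}], model_mandatory={"ItemId"})
ORDER = DataSource("OrderHeader",
                   [{"OrderId": "SO-1", "Region": "EU", "Margin": 0.3},
                    {"OrderId": "SO-2", "Region": "US", "Margin": 0.2}],
                   model_mandatory={"OrderId", "Margin"}, exemptions={"Margin"},
                   children=[LINES])
EU_CLERK = Caller({"OrderHeader"}, {("OrderHeader", "OrderId"), ("OrderHeader", "Region")},
                  lambda table, rec: rec.get("Region") == "EU")
```

Calling serialize(ORDER, EU_CLERK, use_rls=False) models a document class that bypasses RLS: both header records come back, while the table and field checks still apply.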

See also

Record Level Security and Outbound Documents

How to: Bypass Record Level Security in Outbound Documents