Bojensen Blogs

Tips on AX 2012 Security Development Tool – Part 1

This entry is part 2 of 6 in the series AX 2012 Security

Andre from Kaya Consulting has written a series of excellent articles on AX 2012 Security Development: here is Part 1:

The Security Development Tool is created by Microsoft and provides additional functionality helping you creating and maintaining security artifact like Roles, Duties and Privileges. I have used the tool since the release and noticed some very good features and also some features which could cause unwanted scenarios. To help you getting the most out of this tool and use it in a proper way, I decided to write a series of blogs on this feature. This first post will tell you about the configuration of the menu-items which will start the Security Development Tool and also how to fix the view on User License Type to show the correct CAL type.

What is it?

As mentioned in the introduction this tool provides additional features to support you on:

  • Simplify the creation and maintenance of security artifacts such as Roles, Duties and Privileges
  • Creation of new security artifacts on the basis of access through various entry points
  • Ability to test newly created or modified security Role without using a different test account
  • Ability to record business process flows and identify the entry points used, to speed up development of security artifacts
  • Ability to view effective named user license values at different security artifact levels

The full description and also useful links to downloads and user manual can be found on a blog from the Dynamics AX Server Team. Note that the tool is available as beta only. There is no official release as of today.

Tip: Complete setup by creating menu items

Initially when you have downloaded and installed the tool, you don’t see any changes and it looks like nothing is installed. If you look in the Development workspace (AOT), you can find new objects. There is a project called “SecurityDevelopmentTool” containing all related objects.


If you browse all objects, you also will find two menu items. These are not linked in any menu. As mentioned in the user guide, you can run the class SysSecEntryPointManagerSetup to link the menu items to standard AX menus. Right click on the class and select the menu option Open to perform this task. As a result these can be found in the System administration menu and also the context menu in the AOT.

SDT1-03 SDT1-02

Tip: How to view the correct CAL license type for menu items and roles

When you have opened the Security Development Tool form, there is a button called Load additional metadata. If you click this button, new properties are added on the grid. One of the columns is called Effective user license type. Within this field it is possible to analyze which menu items are causing a certain CAL license type for the particular role. You can sort or filter on this field to find the data you are looking for. If you change an existing role, it might be possible that a Functional role will become an Enterprise role due to menu items exists in a certain privilege. This might affect your current license and probably unwanted license upgrade costs are involved. For this purpose also a field called Current user license type is added above the tree.


Note that in AX 2012 R2 and R3 the Current user license type is showing incorrect values. The license type Server Users is a type added since the R2 release. It is introduced to have an indication which menu items are part of the Server license and does not have impact on the license types. This field should show only the values Enterprise, Functional, Task and Self-serve. These are taking care of the number of CAL counts. Due to a new value in an enumeration this Server Users value has priority over the needed values. To fix this, you have to change the x++ logic in two methods on the form SysSecEntryPoinManager:


The line with the next code should be changed from:

if(SysSecEntryPointTmp.EffectiveUserLicense > maxLicenseType)


if(SysSecEntryPointTmp.EffectiveUserLicense > maxLicenseType && SysSecEntryPointTmp.EffectiveUserLicense != UserLicenseType::Server)

You have to do this is both methods UpdateLicenseTypes and LoadAdditionalMetadata. Then the system will show the correct CAL license type after this change:


Tip: Test combination of multiple roles

If you want to grant more than one role to a single person, you can test it using the Security Development Tool. A while ago I wrote already a blog to explain this. Read the tip in this post: AX2012 – Testing combination of multiple roles.

Tips on AX 2012 Security Development Tool – Part 1 |

Series Navigation<< AX 2012 – Security for DevelopersTips on AX 2012 Security Development Tool – Part 2 >>

Comments are closed.