During an AX implementation, I’ve noticed that when doing security setup of user groups and permissions, it is important to have the ‘Tables’ node (in AP for example) set to full control for anyone doing AP postings. Starting from there, you can deny access to individual tables belonging to AP, but the parent ‘Tables’ node must be enabled.

It would also seem that the ‘Tables’ node is subtractive, for example, add the following group (see screenshot) to a user of the ‘Admin’ group (other than the ‘Admin’ user itself) and that user will no longer be able to post Packing Slips and Invoices in AP.

A group with everything set to full control except the ‘Tables’ node in AP will effectively deny any AP posting to the user. This has been tested in AX 4 sp1 and sp2. I have no logical explanation for the behavior, but I’ve deduced that any security setup should enable the top nodes first and then remove access to the underlying tables as needed.

Also note that temporary tables do not show up on the security tree and are handled by that root ‘Tables’ node only. So it’s a good idea to enable the root node anyways.