From the blog of Alex Meyer, D365FO and Fastpath product expert:
Have you ever wondered how to give limited access to a user? Perhaps you'd like then to have read access for a certain form, but not write access. In this blog Alex shares how to leverage the deny permissions, with a detailed look into how and when to use the deny permissions in Microsoft Dynamics 365 for Finance and Operations.
A new piece of security functionality that did not exist in AX 2012 but now exists in D365FO is the idea of having an explicit deny access level available to assign. But how do you utilize the deny permissions when setting up security?
It isn’t always straight forward when to use the deny permission. Even if you are using task recordings to help set up security, this process will not identify when to use the deny permission to achieve your end goal as it is only looking for menu items consumed during a recording and you cannot designate certain functionality to be denied. Read Alex's full blog post here.