FBA users have full control to the EP site. They can modify your EP site.
This is working as design and is documented here –
” The Add-AXEnterprisePortalClaimsAuthenticationProvider cmdlet associates an existing Microsoft SharePoint Server claims authentication provider with an Enterprise Portal site. All users of the authentication provider are added as users to the Enterprise Portal web application and are granted full control of the web application”
This has been entered as a Design Change Request for the next release for AX 2012.
To prevent your FBA users from making changes to your EP site, you will need to change their SharePoint rights to Read from Full control. Here is the workaround to prevent your FBA users from being able to modify the EP site.
In SharePoint Central Administration, go to Application Management> Manage web applications,
Click on the DynamicsEP – sps2010-5000 (the name here may be a little different. But this is your EP site with claims auth) then click on User Policy icon.
Noticed the user name “…fbaprovider” has the “Full Control” permission.
Click on the Display Name for the “…fbaprovider” user name, change the Permission Policy Levels from Full Control to Full Read. Save your change.