Small and medium business | Business Central, N...

User Setup remains if User gets deleted from User table

(2) Share

Report

Posted on by peturelvar

If i remove a user from the User table (2000000120) the related record doesn't get deleted from User Setup.

Then if i create a new user with the same User name he'll get all the same User Setup as the previously deleted user through the record in User Setup table? f.e. "Time Sheet Admin" + some partners are using this table for access policy setup

I want to believe i'm missing something here? If not this is a concerning security issue right?

I would believe this is probably by design so related records in the database don't get deleted but a table controlling user access shouldn't have "User Name" as PK it should have "User Security Id.". But hopefully i'm missing something :)

And i know by guideline users shouldn't be deleted from user table they should be deactivated but still it's possible to delete them and then add a new User with the same name or rename existing user as the previously deleted user. You see where i'm going...

Categories:

Dynamics 365 Business Central

Microsoft Dynamics NAV

I have the same question (0)

All responses (7)

Answers (0)

Alex A 2,870 on at

Like (1)

Report

I see what you're saying, and it's a good observation. However, the thing is.. that once a User has made transactions in the system you can't really ever remove their User card. This would break the historical ledger entries. You disable the User card instead. But you can remove their User Setup record. Sound good?

Regards,

If this helps resolve your inquiry please mark the answer.

Was this reply helpful? Yes No
peturelvar 18 on at

Like (1)

Report

Yeah and i see what you're saying. But let's say a user gets added and maybe he quits the same day and never makes any transactions. Then he can be deleted and a new user added with the same name that gets all his permissions that were set up for the previous user.

I now it's a longshot but it's a possibility and a matter of security...My point being that user tables that control access shouldn't have "User Id" as a primary key. They should have "User security Id" instead which is always unique.

1 people found this reply helpful.

Was this reply helpful? Yes No
Suggested answer

Khushbu Rajvi. 20,275 Super User 2025 Season 2 on at

Like (2)

Report

When a user is deleted, Business Central does not automatically clear the User Setup entry. This is because the system is designed for users to be disabled rather than deleted, so that historical transactions aren’t affected. The User Setup record can be removed manually if needed, but the User card itself should normally remain disabled. So the behavior you are seeing is expected.

https://learn.microsoft.com/en-us/dynamics365/business-central/admin-users-profiles-roles

https://community.dynamics.com/forums/thread/details/?threadid=c2e6b625-f19a-4db1-8f78-849e9e8db352

Was this reply helpful? Yes No
peturelvar 18 on at

Like (1)

Report

Yes i knew it was most probably by design but still i don't think it's secure since it can be broken like i've described.

I think Microsoft should create a new User Setup table with primary key as the "user security id" to prevent this from happening 100%.

Entra applications can also be added to User Setup and given certain permissions without ever making any transactions. Then they can be removed and another one added later for a different 3rd party but with same permissions from "User Setup". Keep in mind that maybe some extensions are extending User Setup with access control fields. So it's not just standard fields we're talking about.

The system is not designed for Entra Applications to be disabled like Users, most companies probably just remove them.

1 people found this reply helpful.

Was this reply helpful? Yes No
Suggested answer

Alex A 2,870 on at

Like (1)

Report

I like how you're looking out. It's good. But here is another way of looking at it:

You should always delete the User Setup when a User card is deactivated. You want to keep the User Setup table as light as possible. This table gets looked at during every posting process because it holds the user posting dates. This is why I say, always remove the User Setup record when a User becomes Inactive, then you're scenario will not come to pass while you're making suggestions to Microsoft.

Regards,

If this helps resolve your inquiry please mark the answer.

Was this reply helpful? Yes No
peturelvar 18 on at

Like (1)

Report

I agree that user setup should always be deleted when a customer is deactivated or an Entra Application is deleted.

However from a developer standpoint it's the customers responsibility to do so and i can't be sure he'll do it, in my experience it's very unlikely he'll do it.

As a developer i want the system to be as secure as possible rather then assume that the customer will clean up after himself when disabling a User.

Microsoft doesn't even suggest to delete user setup when deactivating a user. So i don't know how the customer is supposed to know he should do it.

I really appreciate your answers! :)

1 people found this reply helpful.

Was this reply helpful? Yes No
Suggested answer

RockwithNav 8,600 Super User 2025 Season 2 on at

Like (0)

Report

I would believe this is probably by design so related records in the database don't get deleted but a table controlling user access shouldn't have "User Name" as PK it should have "User Security Id.". But hopefully i'm missing something :)

This is correct - That's how system is designed and it will have no impact, User setup is just a setup table.

Was this reply helpful? Yes No