Logging changes in security setup

Posted on by 40

In D365, is there a way to track who assigned a security role or changed a security role for other users?

Database logging is not turned on. So what are my options to trace these changes?

Need your expert advice, team!

Thanks

  • AlP 75 on at
    Logging changes in security setup
    Thanks for the response @NikolajSorensen 
     
    We are totally new to this application (one month since we went live). Does it require another tool to customize it to show the name of the security role instead of the role number?
     
    Appreciate if you can share ideas here.
     
    Thank you.
  • Suggested answer
    NikolajSorensen 1,690 on at
    Logging changes in security setup
    The database logging setup will only show the security role number. To show the name of the security role, you will need to customize it.
     
    There is a standard report on the database log, which allows you to extract the log entries. 
     
  • AlP 75 on at
    Logging changes in security setup
    Hello,
    We have a similar requirement where we need to get the security logs, e.g. user creation, deletion, role assignment/deletion.
    We have enabled the following tables, but it does not capture the name of the security role that was assigned/deleted.
     
    UserInfo
    SecurityRole
    SecurityUserRole
     
    Ours is D365 F&O. Are there missing tables that need to be included above, and is there a way to retrieve the logs easily, e.g. via a report?
     
    Thanks,
  • Jie G on at
    RE: Logging changes in security setup

    Hi Bhav,

    You can also do it by turning on database logging on the table "SecurityUserRole" (System administration -> setup -> Database log setup -> New -> SecurityUserRole under System Node).

    Then you can track changes in System administration -> Inquiries -> Database -> Database log.

  • udaY-ch 4,624 on at
    RE: Logging changes in security setup

    Hi, Bhav

    You can also have a report to view the changes done to the user by duplicating the menu item EePermissionChangesLog to support all legal entities (country region to be removed).

    /Uday.

  • Jie G on at
    RE: Logging changes in security setup

    Hi Bhav,

    You can use CoC on the class "EePersonalDataAccessLogging", like the following code.

    [ExtensionOf(classStr(EePersonalDataAccessLogging))]
    final class EePersonalDataAccessLogging_extension
    {
        [SubscribesTo(formStr(SysSecRoleAssignOM), delegateStr(SysSecRoleAssignOM, userRoleChange))]
        public static void logUserRoleChange(
            RefRecId _securityRole,
            RefRecId _omInternalOrganization,
            UserId _userId,
            AddRemove _addRemove)
        {
            next logUserRoleChange(_securityRole,_omInternalOrganization,_userId, _addRemove);
            
            unchecked(Uncheck::TableSecurityPermission)
            {
                CompanyInfo companyInfo;
                EeUserRoleChangeLog log;
                boolean doInsert;
                int addCount;
                int removeCount;
    
                doInsert = true;
    
                if (doInsert)
                {
                    // When we grant organizations, we have to turn off access to all
                    // organizations. The application does this implicitly, but the
                    // log will do it explicitly.
                    if (_omInternalOrganization && _addRemove == AddRemove::Add)
                    {
                        select firstOnly AddRemove, RecId
                            from log
                            order by log.recId desc
                            where log.SecurityRole == _securityRole
                            && log.OMInternalOrganization == 0
                            && log.UserId == _userId;
    
                        if (log.recid && log.AddRemove == AddRemove::Add)
                        {
                            log.clear();
                            log.SecurityRole = _securityRole;
                            log.omInternalOrganization = 0;
                            log.UserId = _userId;
                            log.AddRemove = AddRemove::Remove;
                            log.ChangedBy = curUserId();
                            log.insert();
                        }
                    }
    
                    log.clear();
                    log.SecurityRole = _securityRole;
                    log.omInternalOrganization = _omInternalOrganization;
                    log.UserId = _userId;
                    log.AddRemove = _addRemove;
                    log.ChangedBy = curUserId();
                    log.insert();
    
                    // When we revoke access to the last organization, they have implicit
                    // access to all organizations. The log will do this explicitly.
                    if (_omInternalOrganization && _addRemove == AddRemove::Remove)
                    {
                        while select AddRemove, RecId
                            from log
                            order by log.recId desc
                            where log.SecurityRole == _securityRole
                            && log.OMInternalOrganization != 0
                            && log.UserId == _userId
                        {
                            if (log.AddRemove == AddRemove::Add)
                            {
                                addCount++;
                            }
                            else
                            {
                                removeCount++;
                            }
                        }
    
                        if (addCount == removeCount)
                        {
                            log.clear();
                            log.SecurityRole = _securityRole;
                            log.omInternalOrganization = 0;
                            log.UserId = _userId;
                            log.AddRemove = AddRemove::Add;
                            log.ChangedBy = curUserId();
                            log.insert();
                        }
                    }
    
                    EePersonalDataAccessLogging::logSecurityRightsChange(_securityRole, _userId, _addRemove, _omInternalOrganization);
                }
            }
        }
    
    }



    After building and modifying roles on a user, we can see that the changes are tracked in the table "EeUserRoleChangeLog".
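
An added example, not part of the original posts: a runnable class that reads the "EeUserRoleChangeLog" table mentioned above and resolves each role RecId to its name through SecurityRole, which is the gap raised earlier in the thread. The class name UserRoleChangeLogViewer is hypothetical; the log fields are the ones used in the code above, and the example assumes it is run by a user with read access to both tables (e.g. a System administrator).

```xpp
// Added example: list role-assignment audit entries with readable role names.
// UserRoleChangeLogViewer is a hypothetical name, not a standard class.
internal final class UserRoleChangeLogViewer
{
    public static void main(Args _args)
    {
        EeUserRoleChangeLog log;
        SecurityRole        role;
        str                 roleLabel;

        // Newest entries first. The outer join keeps log rows whose role has
        // since been deleted, so changes to retired roles stay visible.
        while select RecId, SecurityRole, OMInternalOrganization, UserId, AddRemove, ChangedBy
            from log
            order by log.RecId desc
            outer join RecId, Name from role
                where role.RecId == log.SecurityRole
        {
            // Fall back to the raw RecId when the role record no longer exists.
            roleLabel = (role.RecId != 0)
                ? role.Name
                : strFmt('<deleted role %1>', log.SecurityRole);

            // OMInternalOrganization == 0 means "all organizations",
            // as in the logging code above.
            info(strFmt('Changed by %1: role "%2" %3 for user %4 (organization RecId %5)',
                log.ChangedBy,
                roleLabel,
                log.AddRemove == AddRemove::Add ? 'added' : 'removed',
                log.UserId,
                log.OMInternalOrganization));
        }
    }
}
```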

  • udaY-ch 4,624 on at
    RE: Security

    Hi, Bhav

    It is possible in AX 2012 to review the changes being made to the security roles, and similarly this works in Dynamics 365 FO as well.

    blogs.msdn.microsoft.com/.../dynamics-ax-2012-audit-of-security-role-membership-changes

    /Uday.
