285
we are using customized security roles based on Internal Audit requirement. We just noticed that "Not All" customers were available on AR > Common > Customers > All customers.
Is there a specific Security Role/Privilege/Duties that I need to include so they may able to view these accounts?
Hi M P,
In your environment, a Global address book feature might be enabled: docs.microsoft.com/.../about-security-in-the-global-address-book
This can indeed limit the number of customers and it is based on the XDS policies.
So, check if GAB security is enabled. In that case, the user will only see customers which are part of his address book (assigned via teams) and all customers without an address book tag.
In addition, there are some public sector roles which do have a security policy enabled which could also be the case. However, I thought this was only restricting vendors; not sure about the customers.
Yes, if the user is System admin, security is bypassed so that's why you see the difference when the client is opened.
But since you see different results in All customers form, it means that the query for All customers form must be different for these two users. And it would be interesting to see that query. Were you able to collect trace of that process? You say that the only difference that you spotted was the one that you already shared, which is not related to opening of All customers form.
But just in case you missed something when you compared the traces of All customers form, could you share the queries for Admin and non-admin, when they opened All customers form? Perhaps we can spot something that you missed.
the trace log looks the same, just had an additional line pertaining to MyRoles. When I check the XDS method, it is pertaining to checking if the role is SysAdmin
Call stack:
(S)\Classes\xRecord\insert
(S)\Data Dictionary\Tables\MyRoles\Methods\PopulateRolesForNonAdminUser - line 26
(S)\Data Dictionary\Tables\MyRoles\Methods\XDS - line 17
(S)\Classes\SysQueryRangeUtil\currentRoleHasAccessToPrivate - line 28
(S)<runtime compiled code>\anytype wrapper(){ return SysQueryRangeUtil::currentRoleHasAccessToPrivate(); }
So are you saying that when the users open All customers form, the trace is exactly the same for System administrator and non-admin user? If yes, then the query is exactly the same and then they both will see all customers.
Did a trace and perform same steps just to capture the log for both the default System Administrators and Locally Customized Role and found difference. Is there anyway to bypass this part?
SQL statement: SELECT T1.ID,T1.NAME,T1.ENABLE,T1.DEL_STARTUPMENU,T1.STATUSLINEINFO,T1.TOOLBARINFO,T1.DEBUGINFO,T1.AUTOINFO,T1.AUTOUPDATE,T1.GARBAGECOLLECTLIMIT,T1.HISTORYLIMIT,T1.MESSAGELIMIT,T1.GENERALINFO,T1.SHOWSTATUSLINE,T1.SHOWTOOLBAR,T1.DEBUGGERPOPUP,T1.SHOWAOTLAYER,T1.DEL_PASSWORD,T1.DEL_OSACCOUNTNAME,T1.STARTUPPROJECT,T1.CONFIRMDELETE,T1.CONFIRMUPDATE,T1.REPORTFONTNAME,T1.REPORTFONTSIZE,T1.FORMFONTNAME,T1.FORMFONTSIZE,T1.PROPERTYFONTNAME,T1.PROPERTYFONTSIZE,T1.INFOLOGLEVEL,T1.COMPANY,T1.AUTOLOGOFF,T1.QUERYTIMELIMIT,T1.TRACEINFO,T1.REPORTTOPMARGIN,T1.REPORTBOTTOMMARGIN,T1.REPORTLEFTMARGIN,T1.REPORTRIGHTMARGIN,T1.COMPILERWARNINGLEVEL,T1.SID,T1.NETWORKDOMAIN,T1.NETWORKALIAS,T1.ENABLEDONCE,T1.EXTERNALUSER,T1.LANGUAGE,T1.HELPLANGUAGE,T1.PREFERREDTIMEZONE,T1.PREFERREDCALENDAR,T1.HOMEPAGEREFRESHDURATION,T1.NOTIFYTIMEZONEMISMATCH,T1.FILTERBYGRIDONBYDEFAULT,T1.GLOBALFORMOPENMODE,T1.DEL_DEFAULTMODELID,T1.SHOWMODELNAMEINAOT,T1.ACCOUNTTYPE,T1.ISSUERRECID,T1.CREDENTIALRECID,T1.GLOBALLISTPAGELINKMODE,T1.GLOBALEXCELEXPORTMODE,T1.GLOBALEXCELEXPORTLOCATION,T1.CLIENTACCESSLOGLEVEL,T1.DEFAULTPARTITION,T1.GLOBALEXCELEXPORTFILEPATH,T1.RECVERSION,T1.PARTITION,T1.RECID FROM USERINFO T1 WHERE ((PARTITION=xxxxxx) AND (ID=?)) [ID=xxxxx, Reused=Yes]
Call stack:
(S)\Classes\xAxaptaUserManager\GetRolesForUser
(S)\Data Dictionary\Tables\MyRoles\Methods\PopulateRolesForNonAdminUser - line 15
(S)\Data Dictionary\Tables\MyRoles\Methods\XDS - line 17
(S)\Classes\SysQueryRangeUtil\currentRoleHasAccessToPrivate - line 28
(S)<runtime compiled code>\anytype wrapper(){ return SysQueryRangeUtil::currentRoleHasAccessToPrivate(); }
Database: Microsoft SQL Server
SQL statement: SELECT T1.RECID,T1.AOTNAME FROM [XXXX_model].[dbo].SECURITYROLE T1 WHERE (RECID=?) [ID=2, Reused=No]
Call stack:
(S)\Data Dictionary\Tables\MyRoles\Methods\PopulateRolesForNonAdminUser - line 23
(S)\Data Dictionary\Tables\MyRoles\Methods\XDS - line 17
(S)\Classes\SysQueryRangeUtil\currentRoleHasAccessToPrivate - line 28
(S)<runtime compiled code>\anytype wrapper(){ return SysQueryRangeUtil::currentRoleHasAccessToPrivate(); }
You say that there's no data related security setup. I still doubt that, but let's assume that it's correct.
Perhaps you have some customization that hides some customers for non-admins?
One thing that can help you find the explanation is to capture trace when you open All customers form with non-admin role, and see what kind of SQL statement is executed when the form is opened. Tracing is only possible for administrators so you need one admin user capturing the trace and another user opening the Customers form. Once you have the trace, you can analyze it with Trace parser. Before asking more about Trace parser, please try to find the official documentation and many blog that should provide sufficient information to use it :)
#1
André Arnaud de Cal...
292,884
Super User 2025 Season 1
#2
Martin Dráb
231,758
Most Valuable Professional
#3
nmaenpaa
101,156
Moderator
Share
Report
All responses (
Answers (
