web
You’re offline. This is a read only version of the page.
close
Skip to main content

Notifications

Announcements

No record found.

News and Announcements icon
Community site session details

Community site session details

Session Id :
Dynamics 365 Community / Forums / Microsoft Dynamics AX (Archived) / Help with SQLServer Se...
Microsoft Dynamics AX (Archived)

Help with SQLServer SecurityRole table

(0) ShareShare
ReportReport
Posted on by bankk 6,609

Hello everyone.

I'm in need of some help in explaining how the security roles map to the users. OK, I'm strictly doing this on the SQL server so I'm not really doing anything within AX at the moment except to validate queries I run on the SQLServer. So I have a simple join...

SELECT UINFO.ID,

      SECROLE.SECURITYROLE

FROM dbo.USERINFO AS UINFO JOIN dbo.SECURITYUSERROLE AS SECROLE

    ON (UINFO.ID = SECROLE.USER_)

WHERE UINFO.ID = 'doejohn';

I get back 6 securityrole records (which I validated through AX table browser). I then go to the SecurityRole view and look them in up but can't match them. I feel like there's a reference table missing but that doesn't make sense in my head.

Also, we have customer roles (provided by a vendor) but I don't see them in the SecurityRole view either.

Please enlighten me. Thanks very much!

*This post is locked for comments

I have the same question (0)
  • Verified answer
    Brandon Wiese Profile Picture
    Brandon Wiese 17,788 on at

    As you have discovered, only part of the security structure lives in the business database.

    Basically, there are just a couple of tables.  SECURITYUSERROLE maintains the relationship between USERID and SECURITYROLE, which is an element handle found in the model store's MODELELEMENT table, though there are much easier ways to work with it.  Don't forget to respect the ASSIGNMENTSTATUS field (enabled/disabled).

    SECURITYUSERROLECONDITION contains the relationship between a SECURITYUSERROLE record (field RECID maps back to field SECURITYUSERROLE) and explodes which DATAAREA are assigned to the user/role relationship.  AX considers the absence of any records in this table to indicate FULL access to all DATAAREA, and this is readily seen in the user interface though I find this to be a terrible security design.

    Once you have the SECURITYROLE/element handle, you have to look into the model store database for the rest.

    SECURITYROLEEXPLODEDGRAPH is a view which fully explodes roles into sub-roles.  Even if a role has no sub-roles it is returned anyway as a sub-role to itself, which makes it very usage-friendly.  You can inspect the view's SQL statement to discover that it supports 2 levels of nested sub-roles under the top level role.

    SECURITYROLETASKGRANT explodes roles (or sub-roles) into tasks, which is AX speak for duties and privileges.  Some roles may have directly attached privileges.

    SECURITYTASKEXPLODEDGRAPH is a view which fully explodes tasks into sub-tasks, which generally means duties into privileges.

    Still within the model store are a handful of extremely helpful table-value functions, SECURITYROLE_FUNC, SECURITYROLE_INLINEFUNC, and task equivalents.  The RECID's in these table functions map to element handles, so directly to SECURITYROLE fields in other tables.  Supply these with a language ID and they will return translated text, which is great, but also the ISENABLED flag indicating that a relationship is active.

    Here's a little trick I use to make all these queries much easier to build and transport.  Create synonyms in the business database that point to the model store equivalents and use the same name.  This makes it much easier to combine tables from both without having to constantly database qualify the names.  Unfortunately sometimes the intellisense works across these relationships and sometimes not, which create some pain in that case

    I can post some queries that I use if you think they might be useful.

  • Suggested answer
    Brandon Wiese Profile Picture
    Brandon Wiese 17,788 on at

    So here's one of my favorite queries.  It provides flat data that I consume into an Excel pivot table and let's our team gain visibility on the setup in many useful ways.  Ignore the remark about "consumer" roles, those are custom to my environment and that is a good example of where we do not allow AX's "grant none means grant all" to function as designed.

     -- build replacement for SECURITYUSERROLECONDITION that also contains implicit DATAAREA

     SELECT urc.[PARTITION], urc.SECURITYUSERROLE, urc.DATAAREA

       INTO #urc  -- temporary table

       FROM SECURITYUSERROLECONDITION urc

     UNION ALL

     SELECT ur.[PARTITION], ur.RECID AS SECURITYUSERROLE, d.ID AS DATAAREA

       FROM SECURITYUSERROLE ur

       JOIN MODELSECURITYROLELAYER srl ON srl.ROLEHANDLE = ur.SECURITYROLE AND srl.NAME NOT LIKE N'%Consumer'  -- do not explode *Consumer roles

       JOIN DATAAREA d ON d.ISVIRTUAL = 0  -- 1:n

       WHERE NOT EXISTS (SELECT 1 FROM SECURITYUSERROLECONDITION urc WHERE urc.[PARTITION] = ur.[PARTITION] AND urc.SECURITYUSERROLE = ur.RECID);

     SELECT DISTINCT -- eliminate duplicates caused by SECURITYROLEEXPLODEDGRAPH internal relation error

         p.PARTITIONKEY,

         p.NAME                                  AS PARTITIONNAME,

         u.ID                                    AS USERID,

         u.NAME                                  AS USERNAME,

         u.COMPANY                               AS USERDEFAULTCOMPANY,

         u.NETWORKDOMAIN,

         u.NETWORKALIAS,

         CAST(u.[SID] AS NVARCHAR(80))           AS NETWORKSID,

         rx.AOTNAME                              AS ROLEAOT,

         rx.NAME                                 AS ROLENAME,

         rx.[DESCRIPTION]                        AS ROLEDESC,

         sx.AOTNAME                              AS SUBROLEAOT,

         sx.NAME                                 AS SUBROLENAME,

         sx.[DESCRIPTION]                        AS SUBROLEDESC,

         urc.DATAAREA                            AS DATAAREAID,

         d.NAME                                  AS DATAAREANAME,

         CAST(1 AS NUMERIC(32,16))               AS [GRANT]

       FROM USERINFO u

       JOIN SECURITYUSERROLE ur          ON  ur.[PARTITION] =   u.[PARTITION] AND ur.USER_ = u.ID                  -- 1:n explode user across roles

       JOIN #urc urc                     ON urc.[PARTITION] =  ur.[PARTITION] AND urc.SECURITYUSERROLE = ur.RECID  -- 1:n explode user/role across companies

       JOIN DATAAREA d                   ON   d.[PARTITION] = urc.[PARTITION] AND d.ID = urc.DATAAREA              -- 1:1 translate company into name

       JOIN [PARTITIONS] p               ON   p.RECID       =   d.[PARTITION]                                      -- 1:1 translate partition into name

       JOIN SECURITYROLEEXPLODEDGRAPH re ON re.SECURITYROLE = ur.SECURITYROLE                                      -- 1:n explode role across sub-roles

       JOIN SECURITYROLE_INLINEFUNC(@LanguageId) rx ON rx.RECID = re.SECURITYROLE                                  -- 1:1 translate role handle into name and description

       JOIN SECURITYROLE_INLINEFUNC(@LanguageId) sx ON sx.RECID = re.SECURITYSUBROLE                               -- 1:1 translate sub-role handle into name and description

       WHERE u.[ENABLE]          = 1

         AND ur.ASSIGNMENTSTATUS = 1

         AND rx.ISENABLED        = 1

         AND sx.ISENABLED        = 1;

  • bankk Profile Picture
    bankk 6,609 on at

    Hi Brandon. Thanks so much for the in-depth explanation. Going to have to reread this a few times and dig in to fully understand but you got me to where I needed to go. :D

  • _MGP Profile Picture
    _MGP 506 on at

    Hi Brandon - I'm trying to duplicate the SECURITYROLEEXPLODEDGRAPH view but for another level of nesting because our custom Roles structure has been designed that way.

    The end game for me is that I want to use SQL queries that we can run at any time using this new view to output Roles, Privileges, Entry Points and merge this with License data from running SysUserLicenseMiner (as per this link).

    Really hope you can help.

    thanks

  • _MGP Profile Picture
    _MGP 506 on at

    N/A

Under review

Thank you for your reply! To ensure a great experience for everyone, your content is awaiting approval by our Community Managers. Please check back later.

Helpful resources

Quick Links

Responsible AI policies

As AI tools become more common, we’re introducing a Responsible AI Use…

Neeraj Kumar – Community Spotlight

We are honored to recognize Neeraj Kumar as our Community Spotlight honoree for…

Congratulations to the November Top 10 Community Leaders!

These are the community rock stars!

Leaderboard > 🔒一 Microsoft Dynamics AX (Archived)

#1
Martin Dráb Profile Picture

Martin Dráb 4 Most Valuable Professional

#1
Priya_K Profile Picture

Priya_K 4

#3
MyDynamicsNAV Profile Picture

MyDynamicsNAV 2

Last 30 days Overall leaderboard

Featured topics

Product updates

Dynamics 365 release plans