How to find all D365 Security ROLES inheritance relations?

 

Is just a starting point

How can we catch all security relations OnPrem/Cloud environment? (also considering changes made by Security Configuration in Security Module)

It can be useful to know all the objects that have a relationship to the security role.

• First a quicky recap:

The security AX2012/D365 consists of in three main elements:

The security inheritance – relations is like belog

The common security role tree is like below

A common issue or request is to find all relations about objects, to better understand how role work

-         which are the related duties?

-         which are the related privileges?

-        I need to know all security role dependency

....and others...

By SQL script we can find all security object references.

Table SECURITYOBJECTCHILDREREFERENCES can help us.

The main tables:

SECURITYPRIVILEGE

SECURITYDUTY

SECURITYROLES

SECURITYOBJECTCHILDREREFERENCES

Also the table SECURITYOBJECTCHILDREREFERENCES can be used for others query/relations

Run SQL scripts:

 -- All Privileges

select * from SECURITYPRIVILEGE

-- All Duty

select * from SECURITYDUTY

-- All Roles

select * from SECURITYROLES

---

HOW TO GET ALL SECURITY REFERENCES

1. Get the list of all security roles with its duties

SELECT T2.Name as SecurityRole, T3.NAME as Duty
FROM SECURITYOBJECTCHILDREREFERENCES T1
JOIN SECURITYROLE T2 ON T1.IDENTIFIER = T2.AOTNAME
JOIN SECURITYDUTY T3 ON T1.CHILDIDENTIFIER = T3.IDENTIFIER
WHERE T1.OBJECTTYPE = 0 AND T1.CHILDOBJECTTYPE = 1

2. Get the list of all security roles with its privileges

SELECT T2.Name as SecurityRole, T3.NAME as Privilege
FROM SECURITYOBJECTCHILDREREFERENCES T1
JOIN SECURITYROLE T2 ON T1.IDENTIFIER = T2.AOTNAME
JOIN SECURITYPRIVILEGE T3 ON T1.CHILDIDENTIFIER = T3.IDENTIFIER
HERE T1.OBJECTTYPE = 0 AND T1.CHILDOBJECTTYPE = 2 

3. Get the list of all role-duty combination with privilege 

SELECT T2.Name as SecurityRole, T2.AOTNAME as RoleSystemName,  T3.NAME AS Duty, T3.IDENTIFIER as DutySystemName, T5.NAME as Privilege, T5.IDENTIFIER as PrivilegeSystemNam
FROM SECURITYOBJECTCHILDREREFERENCES T1
JOIN SECURITYROLE T2 ON T1.IDENTIFIER = T2.AOTNAME
JOIN SECURITYDUTY T3 ON T1.CHILDIDENTIFIER = T3.IDENTIFIER
JOIN SECURITYOBJECTCHILDREREFERENCES T4 on T4.IDENTIFIER = T3.IDENTIFIER
JOIN SECURITYPRIVILEGE T5 on T4.CHILDIDENTIFIER = T5.IDENTIFIER
WHERE T1.OBJECTTYPE = 0 AND T1.CHILDOBJECTTYPE = 1
AND T4.OBJECTTYPE = 1 AND T4.CHILDOBJECTTYPE = 2

Examples:

Duties related to role "SystemUser"

Privileges related to role "SystemUser" (by direct relation)

Privileges related to Role through Duties

enjoy