Dynamics AX 2012 – Audit of Security Role Membership Changes

It is a common request from customers to be able to audit security changes made for users in Dynamics AX. The most common requirement is to log security role membership changes and be able to identify:

  • The security role which was added or removed
  • The user affected
  • The administrator user who made the change
  • The date/time of the change

Such requirements are often addressed using database logging (which has some significant limitations) and/or with customisations but I would like to draw your attention to a feature which appears in AX 2012 R2 onwards, in the Estonia country localisation:

(EEUR) Permission changes log (report) [AX 2012]

The report functionality is described as follows:

“Generate and print a report that displays changes to an employee’s permissions to access information, security rights, or user role in Microsoft Dynamics AX. You can select to view the permission changes as an overall list for the employee, or as a breakdown of tables and fields.”

I would leave as an exercise for the reader to fully enable this feature for other country localisations, however we can make use of the underlying log table and business logic to meet the basic requirements laid out above, with some very simple customisation.

In standard AX, when modifying the role membership of a user, we already make a call to the class method:


If we review the code in this method, we can see that changes are logged to the table EeUserRoleChangeLog only if the changes will affect access to a legal entity which is in the country Estonia (#ISOEE.) With a change to the code in this method, we can log role membership changes in all cases.

Changes to class method EePersonalDataAccessLogging.logUserRoleChange()

After compiling and generating CIL we can test that changes to role membership are now being logged and the table meets the original data requirements:

Records created in table EeUserRoleChangeLog after changing role memberships for a user

From here, it should be a simple exercise to develop a custom report or a new form, from which to review the historic role membership changes for a given user. In the example below, I have simply added a new tab page to the ‘Log’ form SysUserLog accessed from the users list page:

Highlighting access to the SysUserLog form from Users list page

It displays the change type, the security role, the company affected (if applicable,) the user who made the change and the date/time of the change, in a grid:

New tab added to the SysUserLog form

You can download my sample in the attached xpo however please note this is a ‘proof of concept’ sample only and is not supported by Microsoft, as per our standard disclaimer. I hope that helps a few people to get up and running with a simple audit log for security in Dynamics AX!

Sample Code is provided for the purpose of illustration only and is not intended to be used in a production environment. THIS SAMPLE CODE AND ANY RELATED INFORMATION ARE PROVIDED “AS IS” WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A PARTICULAR PURPOSE. We grant You a nonexclusive, royalty-free right to use and modify the Sample Code and to reproduce and distribute the object code form of the Sample Code, provided that. You agree: (i) to not use Our name, logo, or trademarks to market Your software product in which the Sample Code is embedded; (ii) to include a valid copyright notice on Your software product in which the Sample Code is embedded; and (iii) to indemnify, hold harmless, and defend Us and Our suppliers from and against any claims or lawsuits, including attorneys’ fees, that arise or result from the use or distribution of the Sample Code

Download zipped xpo: SharedProject_UserRoleMembershipChangeLog.zip