PathixDataverse Forensics
Everyday · D365 admin & security analyst

See what changed.
Even what you didn't change.

Pathix diffs every scan against the last, so the privilege that appeared overnight, the writer that showed up on a field, the role the platform quietly widened, all surface before they become an incident. And the questions you field all day, who can write this, what touches that, are thirty-second answers off the same scan.

Book a demoSee the whole picture
Change tracking

Your role editor shows you the state. Pathix shows you the delta.

Every scan is compared against the one before it: new and removed writers, source changes, and security deltas down to a single privilege grant or a role that moved from Local to Global. The most valuable part is the part you can't get anywhere else. It catches the changes you didn't make. When Microsoft auto-grants a new custom role a stack of SharePoint privileges you never set, Pathix shows you. The role editor won't, because it only shows the current state, never how it got there.

It is a deterministic diff of one scan against the next, no AI and no inference. The highest-confidence thing Pathix can tell you: this exists now, and it didn't before.

Pathix change log: 413 changes in 30 days across the Dev-Clean environment, scan #1 to scan #2. Rows show a privilege scope widened from Local to Global, a field-security grant flipped on, a privilege granted and another revoked, a plugin source modified from 412 to 418 IL, and a principal disabled, each with its target, transition, and detail.
Dependency search

Every touchpoint on a field, ranked by salience.

Search a column and Pathix opens its Touchpoints: one list of everything that writes it (plugins, workflows, flows, form scripts, canvas apps) and everything that reads it, ranked by salience so the most graph-prominent edges sit on top. Every edge carries a confidence tier and names the component it came from, so you click straight through instead of opening assemblies one at a time. The classic writers-and-dependents split is still one tab over, as Split view.

This maps what canwrite a field, and what changed between scans. It does not read the audit log to name who wrote a specific value at runtime; that stays Dataverse auditing's job. What it does is narrow the suspects from everything to the few components that could have.

Pathix Touchpoints view of account.creditlimit, salience 48, 88th percentile within the environment. One list of 18 write and read edges ranked by focus-local salience: an AI-derived plugin step at 35, an orphaned reader a finding implicates at 26, a conditional approval workflow at 8, and lower-salience canvas apps, web resources, business rules and workflows at 0. Columns show salience, direction, kind, component, and confidence tier: Declared, Parsed, or AI-derived. A side panel shows field metadata and the field's own finding and hotspot.

With AI on: AI-derived edges surface the dynamic and late-bound writes static parsing can't prove on its own, each one labeled and coupled to its evidence.

Hotspots

Not just what's prominent. A queue you can work.

Salience ranks the fields and components that stand out in the graph, noisiest first, never a risk ranking. Each hotspot opens as something you can act on: see why it surfaced (fan-in, sensitivity, an adjacent finding, unresolved edges), then mark it noted, dig in, or set it not relevant, assign it, and leave a reason. Every step lands in an activity log. There is no fix to close, because a hotspot is awareness, not a verdict.

Pathix hotspot triage for the creditlimit field, salience 48, 88th percentile. A why-this-is-surfaced panel breaks the score into factors: fan-in 1.0, sensitive .85, near a finding .70, unresolved edges .26, with confidence shown separately from the score. Awareness controls mark it Noted, Investigating, or Not relevant, add a reason, and assign it to a person. An activity log records each step: first seen, marked Noted ('money field with heavy fan-in, worth a periodic eyeball'), assigned, then set to Investigating ('AI-derived shadow writer needs confirming before we trust the number').
Effective permissions

Resolve access from either end.

Ask it from the user: who is this person, and what can they actually reach, resolved across every role and team they belong to. Or ask it from the field: who can write this, across all the principals that can, and the path each one takes to get there. The catch usually hides in the path, the user who still has write access through a team nobody thought to audit.

FROM THE USER · WHAT CAN THEY TOUCH
Pathix user access view: one user with their direct roles, team memberships, and every table they can touch, showing write access to the account table granted both directly and through a team.
FROM THE FIELD · WHO CAN TOUCH IT
Pathix table access view: the 60 principals that can write the account table, each with its type (user, team, application user), its access path, and the privileges it confers.

With AI on: hand the incident to an agent over the Pathix MCP and it traces who can reach the field and how, while you read the answer.

Field-level security

The field that's secured, and unreadable by everyone.

Pathix surfaces which columns are field-secured and which profiles actually grant access to them, including the gap that quietly breaks things: a field secured with no profile granting read, so it's invisible to the people who are supposed to see it. It accounts for the System Administrator bypass correctly, so what you see is real exposure, not a false alarm.

Pathix field-level security view: secured columns and the profiles that grant access, flagging a field secured with no profile grants.
Security audit

An audit on every scan, not a project.

Every scan runs a security audit against the real customization graph: a privileged role shared between a human and an integration account, a disabled user that still holds its roles, an application user that can write to the security model. Each finding is ranked, assigned, and tracked from open to mitigated, with a decision log that is audit-grade by the time anyone asks.

The full security workbench: the console, every finding, and the trend →

See what Pathix finds in a real environment.

A 30-minute walkthrough on a pre-scanned demo environment. No access to your tenant, nothing to install.

Book a demo
Pathix

Forensics for Dynamics 365 and the Dataverse.

See it on sample data →
USE CASES
PRODUCT
COMPANY
© 2026 Pathix · self-hosted · metadata-onlyNot affiliated with Microsoft. Dynamics 365, Dataverse, and Power Platform are trademarks of Microsoft Corporation.