PathixDataverse Forensics
Your data · Customer-hosted in your subscription

Your data is yours.
Queryable, exportable, auditor-ready.

Pathix runs in your Azure subscription and stores its analysis in a SQL database you own. Connect SSMS, run queries, build dashboards, hand the connection to your auditor. Everything Pathix knows about your environment is queryable directly, on your terms, not gated behind an export request or a vendor approval process.

Book a demoRead the schema reference
Where Pathix lives

Your subscription, your resource group, your SQL Server.

A snapshot of the database connection a customer sees in their own Azure portal. Pathix is a tenant on top of infrastructure you control, not the other way around.

Subscription
Contoso Production
Yours. Pathix has no visibility into other subscriptions in your tenant.
Resource group
rg-pathix-prod-eastus2
Created by your Bicep deployment. You own it.
SQL server
sql-pathix-prod-eastus2.database.windows.net
Database
Pathix
Connect from SSMS, Azure Data Studio, Power BI, or any tool that speaks SQL.
Authentication
Entra ID, your existing identity
No Pathix-specific credential to manage. Your DBA group already has access.
Backup retention
Your policy
Pathix doesn't set this. Your SQL Server config governs.
What's in the database

The tables you'll query most. Every row is metadata about your environment.

Pathix's database has around thirty tables in total; the ones below are where the vast majority of customer queries live. Definitions, configurations, security posture, surfaced findings. Row counts shown are illustrative, sampled from a mid-size customer environment.

TableRowsWhat it holds
Tables1,247Every entity Pathix scanned, with logical name and metadata.
Columns38,914Every column on every scanned entity. Source type, audit flag, formula-column flag. The formula body itself is parsed in memory and never stored.
LogicComponents8,392Plugin steps, workflows, dialogs, business rules, actions, modern flows, dataflows, form scripts, PCFs, canvas apps, formula columns.
LogicActions21,408Every detected write. One row per (component, target field, action type) tuple.
LogicReferences47,193Every detected read. Workflow conditions, modern-flow filters, canvas-app Filter / LookUp expressions, formula-column derivations, form-script getValue calls.
Findings127Surfaced anomalies. Orphaned plugin steps, shared roles, uncovered privileges. Severity-ranked.
SecurityRoles94Every role in your environment, with IsCustom flag.
Privileges3,841Catalog of privileges with target-table resolution and access type.
Principals612Users, application users, and teams unified into one shape for shared-role analysis.
Solutions47Solution catalog with publisher uniquename. Drives the IsSystem classification across components.
OptionSets1,043Global and local option sets with per-value attribution, so each Choice value traces to the components that read and write it.
What you can ask of it

Three example queries, end-to-end.

Each shows a question, the SQL that answers it, and a sample result. Run any of these yourself against your own Pathix database. They aren't features you need to wait for, they're already there.

#01

What writes to account.creditlimit?

The same answer the field-writers page in Pathix shows you, expressed as a SQL query you can embed in monitoring, schedule via cron, hand to your auditor, or wrap in your own dashboard. You aren't locked into the Pathix UI.

-- The same answer as the field-writers page in the UI.
SELECT
    c.Name              AS Component,
    c.ComponentType,    -- 'PluginStep', 'ClassicWorkflow', 'ModernFlow', etc.
    a.ActionType,       -- 'Update', 'Create', 'Delete'
    a.IsConditional,
    a.Confidence,       -- 'Declared', 'Parsed', 'AiDerived'
    a.ExtractedFrom     AS DetectedBy
FROM LogicActions a
JOIN LogicComponents c ON c.Id = a.LogicComponentId
WHERE a.TargetTable = 'account'
  AND a.TargetColumn = 'creditlimit'
  AND a.ActionType = 'Update'
ORDER BY c.ComponentType, c.Name;
Results
ComponentComponentTypeActionTypeIsConditionalConfidenceDetectedBy
Cap credit limit at tierBusinessRuleUpdatetrueParsedWorkflowXamlParser
Annual review credit limitClassicWorkflowUpdatetrueParsedWorkflowXamlParser
Account form (credit override)FormScriptUpdatetrueParsedFormScriptParser
Sync from finance systemModernFlowUpdatefalseParsedFlowJsonParser
Acme.CreditCheck.PreUpdatePluginStepUpdatefalseDeclaredPluginRegistration
5 rows. Query returned in 8ms.
#02

Which fields can ONLY be written by an integration user?

A query the Pathix UI doesn't expose. Useful for credentials review. Flag fields whose only writer is an application user, then check whether the runtime credential rotation matches that field's sensitivity.

-- Fields where every writer is an application user.
-- Indicator for credentials review.
SELECT
    a.TargetTable,
    a.TargetColumn,
    COUNT(DISTINCT c.Id) AS WriterCount,
    STRING_AGG(c.Name, ', ') AS Writers
FROM LogicActions a
JOIN LogicComponents c ON c.Id = a.LogicComponentId
WHERE a.ActionType = 'Update'
  AND c.IsSystem = 0    -- customer-authored only
  AND c.ComponentType = 'ModernFlow'
  AND a.TargetTable IS NOT NULL
GROUP BY a.TargetTable, a.TargetColumn
HAVING COUNT(DISTINCT c.Id) = 1
ORDER BY a.TargetTable, a.TargetColumn;
Results
TargetTableTargetColumnWriterCountWriters
accountacme_externalsyncstatus1ERP nightly sync
accountacme_lastsyncedat1ERP nightly sync
contactacme_marketingscore1Marketing platform integration
opportunityacme_pricingapproved1Pricing engine webhook
4 rows. Each row is a candidate for credentials review: only one app-user-driven flow ever writes that field.
#03

Show me everything that depends on contact.emailaddress1.

Read-side dependency answer. If this field gets renamed or deleted, every row below breaks: workflow conditions, formula columns that derive from it, canvas-app Filter expressions, modern-flow trigger filters. The Touchpoints view in Pathix shows the same answer; the SQL works for any custom report you want to build.

-- Everything that READS contact.emailaddress1.
-- Rename / remove this field and every row below breaks.
SELECT
    c.Name                AS Component,
    c.ComponentType,
    r.ReferenceKind,      -- 'Filter', 'Display', 'Computation', 'PreImage'
    r.IsConditional,
    r.ExtractedFrom
FROM LogicReferences r
JOIN LogicComponents c ON c.Id = r.LogicComponentId
WHERE r.TargetTable = 'contact'
  AND r.TargetColumn = 'emailaddress1'
ORDER BY r.ReferenceKind, c.ComponentType, c.Name;
Results
ComponentComponentTypeReferenceKindIsConditionalDetectedBy
Welcome email (new contacts)ModernFlowFilterfalseFlowJsonParser
Lead-to-opportunity sync (BR)BusinessRuleFiltertrueWorkflowXamlParser
contact_main.js (email validation)FormScriptComputationtrueFormScriptParser
contact.emailcomposite (formula)FormulaColumnComputationfalseFormulaColumnReader
Contact lookup canvas appCanvasAppFilterfalseCanvasAppPowerFxWalker
5 rows across 4 component types. Every row carries Confidence and provenance, so you can tell at a glance how Pathix knows this dependency exists.
Agent-ready

Ships with an MCP server.

Pathix exposes a Pathix MCP server alongside the database: 18 typed tools any MCP-aware agent (Claude Desktop, Copilot, Cursor, custom orchestrations) calls natively. find_writers, find_readers, find_component, component_footprint, table_logic_footprint, cascade_fanout, search_columns, describe_table, describe_component, list_components, list_environments, list_scans, list_solutions, list_findings, effective_permissions, shared_role_principals, describe_plugin, plan_table_migration. Each returns a result with structured confidence labels and the scan it ran against. Point an agent at the connection and it answers dependency questions on day one, no SQL knowledge required.

Try this on your favorite AI agent. We'll wait.

“Find every read and write to account.creditlimit. Include reads and writes inside Power Automate flow steps, canvas-app formulas, plugin IL you'll need to decompile (skip Microsoft-shipped), dataflow connections, and ribbon code.”

Pathix returns the answer in a second. AI is faster, cheaper, and more accurate with a parsed graph behind it. The Pathix MCP server is how your agent gets at ours.

What you can build with it

The Pathix database is a consumption surface, not internal storage.

Customers connect their existing tools to it directly. No vendor approval needed.

  • Embed Pathix queries in your existing monitoring stack: Grafana, Power BI, Azure Monitor, anything that speaks SQL.
  • Schedule weekly governance reports via SQL Server Agent or Azure Logic Apps. Standard with every Pathix install.
  • Hand the database connection to your internal auditor. They run their own queries against your data, in your subscription, on their schedule.
  • Build custom dashboards your team wants that Pathix's UI doesn't ship. Your environment, your priorities.
  • Compare two scans yourself. Diff the LogicActions tables across ScanIds. Pathix retains immutable history for exactly this purpose.
  • Export to whatever format your compliance program needs. Pathix's PDF export is one option, your own CSV / Parquet / Power BI dataflow is another.
What's deliberately not here

Pathix is metadata-only by architectural commitment.

The list below is enforced at three layers: the SDK wrapper that intermediates every Dataverse call, the database schema (no value / payload / content columns anywhere), and code review on every change touching ingestion. You can audit this claim by reading the schema yourself.

  • Customer record values from any business table. Pathix never ingests them.
  • Audit log payloads. Before / after values are stripped at the ingestion boundary. Pathix stores the event tuple (who, what, when), not the values.
  • File or image attachments. Pathix never pulls them.
  • Anything returned by Retrieve / RetrieveMultiple against business data. The SDK wrapper makes this physically impossible.
  • Customer-tenant-identifying telemetry. The license validation call carries license key, version, and a hash. Nothing else.
Versus the alternatives

The same question, very different answers about who controls the data.

Three categories of D365 governance tools, compared on the dimensions that determine who gets the answer to 'what writes to this field?' and what they can do with it.

DimensionPathixthis productSaaS governance toolsCommunity plugins
Where the data livesYour Azure subscription. Your SQL Server. Your DBA controls.Vendor's infrastructure. Subject to their compliance, retention, and breach posture.Nowhere persistent. Each plugin run is ad-hoc; nothing accumulates.
Direct SQL accessYes. Connect from any tool that speaks T-SQL: SSMS, ADS, Power BI, custom apps.Vendor API only. Rate-limited. Schema is the vendor's, not yours.No persistent schema. No SQL surface.
Historical stateEvery scan retained as immutable history. Diff between scans is a SQL query.Whatever the vendor's retention tier offers. Often paywalled.Lost when you close the plugin. Every run starts from zero.
Custom queries Pathix didn't shipWrite your own SQL. Build your own dashboards. Nothing gated, nothing paywalled.Limited to vendor-provided queries and exports. Custom asks become professional services engagements.Limited to what each individual plugin author thought to build.
Auditor accessHand them a read-only SQL login on your subscription. They audit on their schedule, against your data, with zero vendor involvement.Vendor portal access. Vendor sees the audit happening. Vendor controls what the auditor can see.No durable artefact for an auditor to inspect.
Vendor lock-inYour data in your DB. If you stop using Pathix, your historical scans stay accessible via SQL.Stop paying, lose access. Data export depends on the vendor's terms.Nothing to lock in, and nothing to retain.

Want to point a SQL tool at it?

After your Pathix deployment, the connection string lives in your Key Vault. Pull it down, point SSMS or Azure Data Studio at it, run the queries above. No Pathix login required for read access. It's your SQL Server.

Book a demoSee how it works
Pathix

Forensics for Dynamics 365 and the Dataverse.

See it on sample data →
USE CASES
PRODUCT
COMPANY
© 2026 Pathix · self-hosted · metadata-onlyNot affiliated with Microsoft. Dynamics 365, Dataverse, and Power Platform are trademarks of Microsoft Corporation.