A snapshot of the database connection a customer sees in their own Azure portal. Pathix is a tenant on top of infrastructure you control, not the other way around.
Pathix's database has around thirty tables in total; the ones below are where the vast majority of customer queries live. Definitions, configurations, security posture, surfaced findings. Row counts shown are illustrative, sampled from a mid-size customer environment.
| Table | Rows | What it holds |
|---|---|---|
| Tables | 1,247 | Every entity Pathix scanned, with logical name and metadata. |
| Columns | 38,914 | Every column on every scanned entity. Source type, audit flag, formula-column flag. The formula body itself is parsed in memory and never stored. |
| LogicComponents | 8,392 | Plugin steps, workflows, dialogs, business rules, actions, modern flows, dataflows, form scripts, PCFs, canvas apps, formula columns. |
| LogicActions | 21,408 | Every detected write. One row per (component, target field, action type) tuple. |
| LogicReferences | 47,193 | Every detected read. Workflow conditions, modern-flow filters, canvas-app Filter / LookUp expressions, formula-column derivations, form-script getValue calls. |
| Findings | 127 | Surfaced anomalies. Orphaned plugin steps, shared roles, uncovered privileges. Severity-ranked. |
| SecurityRoles | 94 | Every role in your environment, with IsCustom flag. |
| Privileges | 3,841 | Catalog of privileges with target-table resolution and access type. |
| Principals | 612 | Users, application users, and teams unified into one shape for shared-role analysis. |
| Solutions | 47 | Solution catalog with publisher uniquename. Drives the IsSystem classification across components. |
| OptionSets | 1,043 | Global and local option sets with per-value attribution, so each Choice value traces to the components that read and write it. |
Each shows a question, the SQL that answers it, and a sample result. Run any of these yourself against your own Pathix database. They aren't features you need to wait for, they're already there.
The same answer the field-writers page in Pathix shows you, expressed as a SQL query you can embed in monitoring, schedule via cron, hand to your auditor, or wrap in your own dashboard. You aren't locked into the Pathix UI.
-- The same answer as the field-writers page in the UI.
SELECT
c.Name AS Component,
c.ComponentType, -- 'PluginStep', 'ClassicWorkflow', 'ModernFlow', etc.
a.ActionType, -- 'Update', 'Create', 'Delete'
a.IsConditional,
a.Confidence, -- 'Declared', 'Parsed', 'AiDerived'
a.ExtractedFrom AS DetectedBy
FROM LogicActions a
JOIN LogicComponents c ON c.Id = a.LogicComponentId
WHERE a.TargetTable = 'account'
AND a.TargetColumn = 'creditlimit'
AND a.ActionType = 'Update'
ORDER BY c.ComponentType, c.Name;| Component | ComponentType | ActionType | IsConditional | Confidence | DetectedBy |
|---|---|---|---|---|---|
| Cap credit limit at tier | BusinessRule | Update | true | Parsed | WorkflowXamlParser |
| Annual review credit limit | ClassicWorkflow | Update | true | Parsed | WorkflowXamlParser |
| Account form (credit override) | FormScript | Update | true | Parsed | FormScriptParser |
| Sync from finance system | ModernFlow | Update | false | Parsed | FlowJsonParser |
| Acme.CreditCheck.PreUpdate | PluginStep | Update | false | Declared | PluginRegistration |
A query the Pathix UI doesn't expose. Useful for credentials review. Flag fields whose only writer is an application user, then check whether the runtime credential rotation matches that field's sensitivity.
-- Fields where every writer is an application user.
-- Indicator for credentials review.
SELECT
a.TargetTable,
a.TargetColumn,
COUNT(DISTINCT c.Id) AS WriterCount,
STRING_AGG(c.Name, ', ') AS Writers
FROM LogicActions a
JOIN LogicComponents c ON c.Id = a.LogicComponentId
WHERE a.ActionType = 'Update'
AND c.IsSystem = 0 -- customer-authored only
AND c.ComponentType = 'ModernFlow'
AND a.TargetTable IS NOT NULL
GROUP BY a.TargetTable, a.TargetColumn
HAVING COUNT(DISTINCT c.Id) = 1
ORDER BY a.TargetTable, a.TargetColumn;| TargetTable | TargetColumn | WriterCount | Writers |
|---|---|---|---|
| account | acme_externalsyncstatus | 1 | ERP nightly sync |
| account | acme_lastsyncedat | 1 | ERP nightly sync |
| contact | acme_marketingscore | 1 | Marketing platform integration |
| opportunity | acme_pricingapproved | 1 | Pricing engine webhook |
Read-side dependency answer. If this field gets renamed or deleted, every row below breaks: workflow conditions, formula columns that derive from it, canvas-app Filter expressions, modern-flow trigger filters. The Touchpoints view in Pathix shows the same answer; the SQL works for any custom report you want to build.
-- Everything that READS contact.emailaddress1.
-- Rename / remove this field and every row below breaks.
SELECT
c.Name AS Component,
c.ComponentType,
r.ReferenceKind, -- 'Filter', 'Display', 'Computation', 'PreImage'
r.IsConditional,
r.ExtractedFrom
FROM LogicReferences r
JOIN LogicComponents c ON c.Id = r.LogicComponentId
WHERE r.TargetTable = 'contact'
AND r.TargetColumn = 'emailaddress1'
ORDER BY r.ReferenceKind, c.ComponentType, c.Name;| Component | ComponentType | ReferenceKind | IsConditional | DetectedBy |
|---|---|---|---|---|
| Welcome email (new contacts) | ModernFlow | Filter | false | FlowJsonParser |
| Lead-to-opportunity sync (BR) | BusinessRule | Filter | true | WorkflowXamlParser |
| contact_main.js (email validation) | FormScript | Computation | true | FormScriptParser |
| contact.emailcomposite (formula) | FormulaColumn | Computation | false | FormulaColumnReader |
| Contact lookup canvas app | CanvasApp | Filter | false | CanvasAppPowerFxWalker |
Pathix exposes a Pathix MCP server alongside the database: 18 typed tools any MCP-aware agent (Claude Desktop, Copilot, Cursor, custom orchestrations) calls natively. find_writers, find_readers, find_component, component_footprint, table_logic_footprint, cascade_fanout, search_columns, describe_table, describe_component, list_components, list_environments, list_scans, list_solutions, list_findings, effective_permissions, shared_role_principals, describe_plugin, plan_table_migration. Each returns a result with structured confidence labels and the scan it ran against. Point an agent at the connection and it answers dependency questions on day one, no SQL knowledge required.
“Find every read and write to account.creditlimit. Include reads and writes inside Power Automate flow steps, canvas-app formulas, plugin IL you'll need to decompile (skip Microsoft-shipped), dataflow connections, and ribbon code.”
Pathix returns the answer in a second. AI is faster, cheaper, and more accurate with a parsed graph behind it. The Pathix MCP server is how your agent gets at ours.
Customers connect their existing tools to it directly. No vendor approval needed.
The list below is enforced at three layers: the SDK wrapper that intermediates every Dataverse call, the database schema (no value / payload / content columns anywhere), and code review on every change touching ingestion. You can audit this claim by reading the schema yourself.
Three categories of D365 governance tools, compared on the dimensions that determine who gets the answer to 'what writes to this field?' and what they can do with it.
| Dimension | Pathixthis product | SaaS governance tools | Community plugins |
|---|---|---|---|
| Where the data lives | Your Azure subscription. Your SQL Server. Your DBA controls. | Vendor's infrastructure. Subject to their compliance, retention, and breach posture. | Nowhere persistent. Each plugin run is ad-hoc; nothing accumulates. |
| Direct SQL access | Yes. Connect from any tool that speaks T-SQL: SSMS, ADS, Power BI, custom apps. | Vendor API only. Rate-limited. Schema is the vendor's, not yours. | No persistent schema. No SQL surface. |
| Historical state | Every scan retained as immutable history. Diff between scans is a SQL query. | Whatever the vendor's retention tier offers. Often paywalled. | Lost when you close the plugin. Every run starts from zero. |
| Custom queries Pathix didn't ship | Write your own SQL. Build your own dashboards. Nothing gated, nothing paywalled. | Limited to vendor-provided queries and exports. Custom asks become professional services engagements. | Limited to what each individual plugin author thought to build. |
| Auditor access | Hand them a read-only SQL login on your subscription. They audit on their schedule, against your data, with zero vendor involvement. | Vendor portal access. Vendor sees the audit happening. Vendor controls what the auditor can see. | No durable artefact for an auditor to inspect. |
| Vendor lock-in | Your data in your DB. If you stop using Pathix, your historical scans stay accessible via SQL. | Stop paying, lose access. Data export depends on the vendor's terms. | Nothing to lock in, and nothing to retain. |
After your Pathix deployment, the connection string lives in your Key Vault. Pull it down, point SSMS or Azure Data Studio at it, run the queries above. No Pathix login required for read access. It's your SQL Server.