Ax 2012. Automatic role assignment feature and deactivated users

Automatic role assignment feature and deactivated users

There is a brilliant Ax 2012 system feature - Automatic role assignment. Actually, there is the same feature in Dynamics 365 Finance and Operation as well but I have not tested it yet.

The standard Ax 2012 documentation can be found here:

https://docs.microsoft.com/en-us/dynamicsax-2012/appuser-itpro/assign-users-to-security-roles
Also, you may find great posts related to the Automatic role assignment feature here:
https://dynamicspedia.com/2014/01/automatic-role-assignment-in-ax2012-part-1/
https://dynamicspedia.com/2014/01/automatic-role-assignment-in-ax2012-part-2/

The Automatic role assignment feature was used in one of our Ax 2012 projects and it worked perfectly fine. However, once we faced an issue that in some time after deactivating the user account all its roles were removed except standard one – System user. You can see the example of what we had after roles removing below:

It was really unexpected. Actually, we expected to see the same roles of the deactivated users as these users had had before deactivating their user accounts.

We investigated and discovered that the Automatic role assignment batch job (SysSecurityDynamicRoleAssignment class) removed/revoked all roles for deactivated users except the roles that had been assigned manually.

It seems that the Automatic role assignment feature has one special thing that was mentioned in the standard guide but it has not been explained for deactivated users clearly:
The user is either assigned to the role or removed from the role the next time that the rules for automatic role assignment run.

I would say that for deactivated users the following sentences can be added:

When the user is deactivated in the system, the Automatic role assignment feature will remove all automatic roles assignments except ones that have been done manually.

I am glad if this finding can help someone to save their time.