An account is either a "normal" user (can login to the Mendix web client) or a web service user (can call web services) but not both, so you'll have to create separate accounts for web service users.
And yes, actions started by web service users need to pass through the exact same security layer as used for "normal" users, so you should provide security settings for these user roles as well. Because web service users can't use the "normal" Mendix client, a lot of modeler security checks (like the homepage settings) don't make any sense, that's why you should deselect the "check security" check box for user roles intended only for web service users.
In practice, a web service user role only needs permissions for the microflows that are exposed as the web services they are allowed to access, and nothing else (no entity access **, no form access and no data set access).
** unless the microflow that is the web service has "apply entity access" set to
true (default is
In my app I have a MainObject with multiple SubObjects. There is a webservice returning the MainObject with underlying SubObjects. Normal users are allowed to retrieve all SubObjects, WebserviceUsers not. I tried applying entity access for the WSuser and this works inside the Microflow (a retrieve action for the WSuser doesn't return any SubObjects) but all SubObjects are returned in the XML output.
Is there a way to restrict this (i.e. the output of the webservice)?