I'm trying to constrain the read access to a specific object with entity access. My user has an association to a core account entity. Only if this association is not empty should the user gain access to the core object. But in my application, the retrieve succeeds even if my user has no association to core account. In my core account retrieve, I don't have any constraint. I just want to retrieve the first core account. Based on my XPath constraint in my screenshot, this should always return one object. Did I model this right or am I wrong?
I assume that when you talk about a "retrieve" you are talking about a retrieve in a microflow? When you use a microflow to retrieve items, this is done in a system context unless you enable "apply entity access" on this microflow.
Do notice that when you do that, every microflow that calls this microflow also needs to enable entity access. Calling microflows that have entity access disabled from one that has this enabled is allowed, though.