The second sounds like an access rule to me, for example – displaying only the projects the current user has been assigned.
If that’s the case you should put that as an XPath on the entity security.
If that’s not the case I would suggest just using the default search functionality, because the alternative would be a set of ifs with filters applied selectively and it can get messy. If you just want to get the simple search going you need to retrieve from database and put the associations in the XPath rather than retrieve via association.
Hope this helps.