Exposing System.owner in OData

We have built xpath security around an Entity that will show the rows the User is “System.owner” of. However when we expose the OData feed we are unable to pass the System.owner info to receiving party even if I leave out the sensitive info like password etc. from “System.User”. I just want the OData recipient to be able to filter rows by “System.owner”
1 answers

With this much information it is hard to pinpoint but my gut feeling is that this is a security issue. I would create a shadow table where you store the owner ID’s and create the fields you want to expose and copy all the data over to this entity instead of using System.User. Then you can expose this table in OData and can the receiving party use this table to do the filtering.