Hi I stumbled across this issue where a deeplink has the setting to NOT allow guest users and only certain user roles were allowed to execute this deeplink. I set these user roles via the allowed roles in the microflow settings. But now I found out that the allowed roles setting is completely ignored and every user that can login, is able to execute the microflow behind the deeplink. I know I can fix this by making custom logic in the microflow behind the deeplink, but I’m curious as to how this is possible.
This is possible because the user roles defined on a Microflow are only used to determine the users that are allowed to trigger that microflow. If the microflow is used as a sub microflow (or triggered from a Java action like in case of a deeplink), the user roles are not taken into account.
You could try and see if it helps if you enable "Apply entity access” on the microflows that are triggered as a deeplink.