Hello! I’ve come across a curious issue. I have defined an XPath constraint for roles on the entity level in Domain Model. However, these constraints don’t seem to be applied when Retrieve action is used in Microflows. For example, I have restricted access to entity E for role R using an XPath constraint. If I create a DataGrid and set Data source to “Database” and select entity E, I will get a list of only those objects that satisfy the XPath constraint. However, if I use “Retrieve E from Database” in a Microflow without any constraints, I will receive all objects of entity E, regardless of whether the XPath constraint is satisfied or not. Is this how it’s supposed to work? Do I really need to duplicate constraints in all retrieval actions in microflows?
I believe this is down to the Microflow not being setup to use entity security.
If you open the Microflow, right-click and select Properties you should see the following:
You will need to set “Apply entity access” to yes to make the actions work with the entity level access.
Sounds like you might want to look at this? Without knowing where your Flow is being called from, it sounds like it’s being executed by a user who has overriding permissions, or at a level where the access rules aren’t enforced.
I can only claim to vaguely understand the intricacies of Entity Access, I’m sure there are more qualified devs here who can provide a more detailed explanation, but I hope this helps!
Thank you Josh! I had no idea that option exists, I thought it’s “always on”.