Currently there are quite a few situations where I need to give users access rights that they don't really need, simply because the Entity Access Rule options are too limited. This is an issue because it makes the application less safe. The problem is that it's not possible to give a user access to an entity without giving them access to any of the members/attributes. Also the GUID, createdDate, changedDate, owner and changedBy don't show up in the access rules.
Any comment on whether improvements to the access rules are planned (for 2019)??
Another improvement suggestion, add the option to allow/disallow the committing of objects. When this is unchecked the user should be able to send changes of the object to the server, but the user should not be able to directly commit to the database.
This ensures that users can't bypass validation microflows by sending JSON requests directly to the server.