I'm trying to set up my security for the following situation: The security is for the Member object, where their information like name and address is stored. An admin role can see everything. A member can only see Member/Name of other users but can see/edit his own details. He can also see (but not edit) the details of other users in the same Group. How can I best set this up? I've tried adding Member for object access, allowing MxAdmin role and using a XPath constraint to limit it to Group members only. This however was too restricting and did not work the way I want it.