Just gonna have a go here as well ;] Luis, what Bas means is that you should set the XPath on your domain/security level instead of on your forms. E.g. if Customer employees are only allowed to see their own orders, you should set an XPath on the entity access rules for orders for your CustomerEmployee module role. Something like:
[General.OrderCustomer/General.Customer/General.CustomerEmployeeOrder = '[%CurrentUser%]']
On another note, I think your original XPath should also be a little different.
As a rule of thumb, we use that whenever you duplicate part of your XPath, you need to combine these lines (keep in mind that this is not always true ;])
[AuditTrail.AuditTransaction_AuditEntry/AuditTrail.AuditEntry/AuditTrail.AuditEntry_Site='[%CurrentObject%]']
[AuditTrail.AuditTransaction_AuditEntry/AuditTrail.AuditEntry/CategoryLabel='Sales']
should be
[AuditTrail.AuditTransaction_AuditEntry/AuditTrail.AuditEntry[CategoryLabel='Sales']/AuditTrail.AuditEntry_Site='[%CurrentObject%]']
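
Why the two forms can return different objects, as an added example that is not part of the original post: a small Python simulation, not Mendix code, assuming each bracketed constraint is evaluated on its own so that two constraints may be satisfied by two different AuditEntry objects. The class names, field names and sample data are constructed for illustration.

```python
from typing import List, NamedTuple


class AuditEntry(NamedTuple):
    site: str            # stands in for the AuditEntry_Site association
    category_label: str  # stands in for the CategoryLabel attribute


class AuditTransaction(NamedTuple):
    name: str
    entries: List[AuditEntry]  # stands in for AuditTransaction_AuditEntry


def separate_constraints(txn: AuditTransaction, current_site: str) -> bool:
    """Two stacked constraints: each one only needs SOME entry to match."""
    has_site = any(e.site == current_site for e in txn.entries)
    has_sales = any(e.category_label == "Sales" for e in txn.entries)
    return has_site and has_sales


def combined_constraint(txn: AuditTransaction, current_site: str) -> bool:
    """Nested constraint: the SAME entry must be 'Sales' and at the site."""
    return any(
        e.category_label == "Sales" and e.site == current_site
        for e in txn.entries
    )


# Constructed sample data.
TRANSACTIONS = [
    AuditTransaction("T1", [AuditEntry("SiteA", "Sales")]),
    # Site and category are matched by two different entries.
    AuditTransaction("T2", [AuditEntry("SiteA", "Purchasing"),
                            AuditEntry("SiteB", "Sales")]),
    AuditTransaction("T3", [AuditEntry("SiteB", "Sales")]),
]


def select(predicate, current_site: str) -> List[str]:
    """Return the names of the transactions the constraint lets through."""
    return [t.name for t in TRANSACTIONS if predicate(t, current_site)]


if __name__ == "__main__":
    print("separate:", select(separate_constraints, "SiteA"))
    print("combined:", select(combined_constraint, "SiteA"))
```

When such a constraint is used in an entity access rule, the stacked form exposes T2 to a user of SiteA even though that site has no Sales entry in it.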