Steve,
Make sure that the microflow has the apply entity access (in the properties) set to yes (background of the microflow will turn yellow(ish), then the microflow will obey the xpath constraint when run.
In addition to what Erwin said about the 'apply entity access' setting in microflows, note that even without this setting being on, the data still cannot escape to the web/mobile client if the user doesn't have access to a certain entity/attribute. The same goes for things such as generated documents.
It is useful to do operations/calculations without security applied, especially when security rules are heavy on the database. Which is why this setting is the default.
As both Erwin and Bas are saying, entity access is the way to go here.
However I just did a quick test case, what Bas is saying isn't completely true. My expecting would be that if I don't have instance access I don't get the identifier either. But the microflow still returns the guid of the objects that I'm not allowed to see.
In other words, the total nr of rows in the grid also includes the objects that I'm not supposed to see. These rows are blank, so I don't see the data, but I would still expect the platform the exclude the records completely.
This is something I'll file a ticket for.
Part of the microflow response that I received is added below:
{
"actionResult" : [{
"objectType" : "MyFirstModule.Order",
"guid" : "281474976710657",
"attributes" : {}
}, {
"objectType" : "MyFirstModule.Order",
"guid" : "281474976710658",
"attributes" : {
"Attribute_4" : {
"value" : "My test text",
"readonly" : true
},
"Attribute_3" : {
"value" : "My test text",
"readonly" : true
},