Yes, you can just make 2 different rules and they will be considered as an AND statement.
So when Mendix interprets the security rules it will check both conditions and apply the read rule first,
and then based on the condition it will allow for writing.
I'm pretty sure it has an impact on performance of XPath queries though.
Yes, this is possible. You can add multiple access rules per role with different XPath constraints:
It is a good practice to never allow Create or Delete for any entity, ever.
This has 2 reasons:
– The way it works is very confusing anyway
– It makes it much harder to trace the lifecycle of objects in your application if they can magically be summoned or destroyed by users.