XPath - Association Equals Current User - How Does This Make Sense?

0
This Crash Course part: https://academy.mendix.com/link/modules/325/lectures/2498/9.7.1-Set-Up-Entity-Security-Basics

As I understand it: KeyUser (a manager) should have access only to employees (Employee) that belong to departments that he manages. To do that, we use this XPath:

So, we go through: Employee_Department association > Department entity > Employee_Department_Security association > Employee entity > Employee_Account association.

Now I do not understand the last part. I would think, well, to see the Employee entity is enough. But why is there the last line and how does it even make sense? How can the Employee_Account association be equal to Current user? Does an association (which is probably a link table with 2 columns) have a value that can be compared to something? And if we accept only a value equal to current user (KeyUser or the hospital manager), the user should see only himself and not other users?

Can somebody knowledgeable explain this, please?
asked
3 answers
1

If you're leaving out the last part, so just employee > department > employee, you would constrain the access to employees belonging to departments that have employees, which would be true for all employees (if all of them are assigned to a department), since there wouldn't even be a constraint on employees other than themselves.

 

The last part is needed to constrain access for the user to employees belonging to his/her own department. The association is enough, although it can be confusing at first and actually I think I read somewhere that Mendix accepts the "extended" expression too in recent versions, but if you write it out all the way to account it will make no difference. An association is just another table, with two columns: the IDs from both ends of the association.

answered
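An added illustration, not Mendix's generated SQL and not code from the course: it models each association as the two-column ID table described in the answer above and evaluates the path as a join that must end at the current user's account ID. The table layout, the IDs and the `visible` helper are assumptions made for the example.

```python
import sqlite3

# Constructed data and an assumed model (not Mendix's real schema or SQL):
# each association named in the question is a two-column link table of IDs.
SCHEMA = """
CREATE TABLE Employee_Department(employee_id, department_id);
CREATE TABLE Employee_Department_Security(department_id, employee_id);
CREATE TABLE Employee_Account(employee_id, account_id);
INSERT INTO Employee_Department VALUES (1,10),(2,10),(3,20),(4,20);
INSERT INTO Employee_Department_Security VALUES (10,1),(20,3);
INSERT INTO Employee_Account VALUES (1,101),(2,102),(3,103),(4,104);
"""

# Full path: some chain of rows must end at the current user's account ID.
FULL = """
SELECT DISTINCT ed.employee_id
FROM Employee_Department ed
JOIN Employee_Department_Security eds ON eds.department_id = ed.department_id
JOIN Employee_Account ea ON ea.employee_id = eds.employee_id
WHERE ea.account_id = :user
ORDER BY ed.employee_id
"""

# Path cut off at the managing Employee: nothing ties the result to the user.
TRUNCATED = """
SELECT DISTINCT ed.employee_id
FROM Employee_Department ed
JOIN Employee_Department_Security eds ON eds.department_id = ed.department_id
ORDER BY ed.employee_id
"""

# Single-step constraint: the employee's own account row must hold the user's ID.
OWN = """
SELECT employee_id FROM Employee_Account
WHERE account_id = :user ORDER BY employee_id
"""

def visible(query, current_user):
    """Return the employee IDs the modelled constraint lets current_user read."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    rows = db.execute(query, {"user": current_user}).fetchall()
    db.close()
    return [r[0] for r in rows]

if __name__ == "__main__":
    for name, q in (("full", FULL), ("truncated", TRUNCATED), ("own", OWN)):
        print(name, {u: visible(q, u) for u in (101, 102, 103)})
```

In this model the comparison applies to the account ID at the far end of the path, so the starting employee does not have to be the current user; the truncated path grants every account read access to all four employees.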
0

The first paragraph of your comment showed me something, thank you. Still, I do not really understand the last line /UserManager.Employee_Account='[%CurrentUser%]']. Since we do visual programming, I tried to express this XPath visually:

image.png

Is this image OK? Maybe let's imagine another, very simple example of an XPath constraint, such as [UserManager.Employee_Account='[%CurrentUser%]'], which we use for Employee so he/she can edit only his/her account. Still, even this simple example looks weird. How can an association (which is a link table with 2 columns with account id and employee id, 1-to-1 because every employee has 1 account) be equal to the Current User GUID (which is probably a string like "123456789")? List table object = string? That can never be equal.

If it was something like UserManager.Employee_Account.Employee.getGUID()='[%CurrentUser%]'], I would believe that it can be equal.

Back to our former example with KeyUser from the course. Even if in a sense we "identify that employee's account is equal to current user", how does this allow us to see accounts of employees who are not equal to current user? Or if the meaning of this line is actually different, for example, "employee's account is equal to one of the accounts in a certain set of accounts" (=accounts of users that belong to my managed departments), why is the line not /UserManager.Employee_Account='(some code here listing the needed accounts)']?

Because all of this is generated by clicking on "Path to user..." and it is an XPath, it is a question of what code this is actually translated into. It would help to understand better the underlying implementation.

Maybe the authors had the idea that let's traverse it like: "employee > department > employee" where the starting point is not all employees, but only me (current user?). So the XPath code is like "employee > department > employee > current user" but more understandable would be "current user > employee > department > employee"? So, the image would look different, like this:

image.png

Well probably not, it seems somehow off :-)

answered
0

Thank you very much. My colleague also found this, which explains how association can be equal to something: https://academy.mendix.com/link/modules/385/lectures/3111/5.1-Different-Ways-to-Optimize-XPath-Queries

answered