Defining access rules using associated entities - Mendix Forum

Defining access rules using associated entities



Today access rules are defined per entity, which can become quite complex when the amount of entities grows.

Many times entities are linked through a “composition” relation (for example a User may have a 1-many relation with entity Message). Access rules have to be defined on entity Message, usually repeating the rules already defined on User entity.

→ what if it was possible to define on entity Message something like “[canRead(User_Message, firstname) and ...]”?
Some functions would be really helpful:

→ it would be possible to centralize access rules, and reduce complexity

2 answers

hi Erik, sorry for the late reply, I thought I answered this one.

It’s currently not possible to define relative rules using the functions I suggested (“canRead”, “canWrite”, etc.). We have to redefine the complete XPath in each associated entity; it’s pure duplication.


As far as I understand from what you propose this is already possible.

Setting reading and writing permissions on an association is already possible. You could even configure one module role multiple times, with different XPath conditions (not unlike how it is set on the Account entity).
The latter two options are more securely handled on the microflow level and configure access through the microflow (and have the microflow handle whatever you desire), although there are widgets that might force you to set the create and delete rights on the entity as a whole.


There are many scenarios possible on how to relate project roles to module roles to entities and documents. This flexibility comes at the cost of a bit of complexity, unfortunately.
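To make the duplication concrete, here is an added illustration (not from either poster) of what the association-based XPath constraints look like for the User 1-many Message case discussed above. It assumes a module named MyModule, that User is a specialization of System.User, that the association is MyModule.User_Message, and a constructed boolean attribute IsPublic on Message.

```xpath
// Entity User, module role Member, read access: a user sees only their own record
[id = '[%CurrentUser%]']

// Entity Message, module role Member, read access rule 1:
// the same ownership condition, re-expressed through the association
// (this is the repetition the question points out)
[MyModule.User_Message = '[%CurrentUser%]']

// Entity Message, module role Member, read access rule 2:
// a second rule for the same module role with a different condition,
// as the answer describes; the rules are combined with OR at runtime
[IsPublic = true()]
```

Each constraint is entered as a separate access rule on the entity, so when the User rule changes, every entity that mirrors it through an association has to be updated by hand.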