Microflows - Apply Entity Access - When to use

Hi All,   Came across this setting today and wondering in which situations should I give consideration to applying entity access during microflow runtime execution.    If my understanding is correct, entity access is applied to a widget on a page that uses that object. For the user, what they see is only what they have access to as defined in their security rules. However, it was mentioned in a learning path that is possible for the javascript query xpath to be manipulated. Potentially creating an opportunity for someone to access data they should not.   In your experience, when has it been a good use case to enforce apply entity access at the microflow level.     Thanks, Byron
1 answers

- to ensure users don’t get to see data they don’t have access to. For example if you have a button calling a microflow retrieving all orders without entity access and export them to an excel/csv/pdf, customers will see all orders instead of only their own.

- to ensure users can’t manipulate data they don’t have access to. If you provide a button calling a microflow that retrieves all orders and changes an attribute / association without entity access, Mendix won’t complain.

- to prevent errors. If you retrieve an object without entity access and a user doesn’t have access rights, the user will end up with an empty context object if you pass that object to a page with a dataview, while the microflow does retrieve an object so you can’t show an error message depending on an object being found or not.

- performance maybe: if you retrieve without entity access you could end up with large lists slowing a process down, while with entity access you retrieve the subset a user has access to.


There’s probably more, but this should already demonstrate the valid use of entity access in a microflow. In microflows behind buttons that retrieve and manipulate data, and in data source microflows, the question should be when it’s valid not to enable entity access.