QSM (Sigrid) finding: Access rule with empty XPath Constraint found on Entity that is used in microflows that have Apply Entity Access enabled

0
We've encountered the following finding in several Mendix QSM assessments: "Access rule with empty XPath Constraint found on Entity that is used in microflows with Apply Entity Access enabled." I'd like to gather more information from the Mendix community regarding this issue. Are there other Mendix users experiencing this finding? How have you addressed it in your projects? Our current perspective is that the XPath constraint is necessary for anonymous access scenarios. However, when users have an application & module role, they often have access to all data in an entity. Do you share this view, or do you have alternative solutions to suggest? Your insights are greatly appreciated.
asked
1 answer
0

Hi Rob,

I fully agree with you, there are plenty of examples of entities where any user may at least read all records. For example a Country table listing all countries.

I think QSM doesn't necessarily tell you this is wrong, it's a finding telling you: possibly this is a security risk. If this isn't the case, you can accept this finding (at least: that's how Omnext works). And in general I agree with this rule of QSM leading to this finding: if you have entity access enabled, you do care about security, but it seems incomplete when there is no XPath constraint defined.

Regards,

Johan

answered
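To make the distinction in this thread concrete, the following constructed access-rule constraints are added here as an illustration; they are not part of the question or the answer, and the module, entity and association names (Shop.Order, Shop.Customer, Shop.Customer_Account) are assumed. The `(: ... :)` lines are reader annotations only and are not part of a Mendix XPath constraint.

```xpath
(: Case 1: an Order is readable only by the customer it belongs to.
   Shop.Customer is assumed to be a specialization of System.User, so the
   association path ends in the logged-in user. :)
[Shop.Order_Customer/Shop.Customer/Shop.Customer_Account = '[%CurrentUser%]']

(: Case 2: an anonymous visitor (anonymous user role enabled) may only
   read objects created in its own session, i.e. objects it owns. :)
[System.owner = '[%CurrentUser%]']

(: Case 3: a public reference entity such as Country, readable by every
   role. The constraint is intentionally left empty; this is the situation
   where the QSM finding is reviewed and then accepted rather than fixed. :)
```

Cases 1 and 2 are the situations the finding is meant to catch when the constraint is missing: entity access is on, the microflow runs with Apply Entity Access, yet nothing limits the rows a user can retrieve. Case 3 shows that an empty constraint is not a defect in itself; it is a decision that should be recorded when the finding is accepted.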