Request for advise on multi-tenancy security issue

There is an multi-tenancy issue with security that's already exists for a couple of years. Last week this issue was classified as a potential security risk/leak during a security audit on one of our apps. In the app we have several different organizations of the same type that can login and maintain their own users/employees (employee inherits from system.user). We created an organization admin role that when assigned to an enduser has access to only it's own employees (entity acces xpath: [UsageManagement.Employee_Organization/UsageManagement.Organization/UsageManagement.Employee_Organization='[%CurrentUser%]']). Next to that it is authorized to manage only roles applicable for this type of organization. Now, when I log in as orginization admin of such an organization, I can see all data of my own employees but also the login data (system.user) from the employees of all other organization of the same type. Worse, I can also edit the login data of those employees. I can solve this by putting an extra xpath contraint on the grid itself, the same one as in the entity access ([UsageManagement.Employee_Organization/UsageManagement.Organization/UsageManagement.Employee_Organization='[%CurrentUser%]']) But this is easily hackable by changing/removing the grid specific xpath in the browser. I already found a forum entry from 5 years ago describing exactly the same problem (  I did not find any information or best practises on how to solve this issue. Please advice !!! In this post I only talk about the employee entity, but it also effects a number of other mulit-tenant entities that are shared by organizations of the same type. 
3 answers

This can be solved by not letting Employee inherit from System.User. Then you can create your own entity with custom access for the admins, and handle all System.User changes in microflows. 


Hi Rene,

You can have a look at the multi tenant administration module in the Mendix AppStore. I think this will help you with your project.

You can find it here:

Please let me know if you have any questions


My colleque entered a support ticket and got the following answer from Mendix that I'd like to share:

"The correct answer has already been given by Jelle in the forumpost. 
Management around the System.User entity is configured through project security and overrides xpath constraints.
So for a multi-tenant solution, you typically don't want this level of security. Therefore, the solution lies in disabling this project level user management and use entities that do not inherit from System.User. E.g. an Employee will have a 1-1 to System.User. Changes on the Employee can have an effect on the System.User entity (through microflows)."

From this I conclude that there is a security issue when using inheretence on system.user in a multi-tenant situation as described in this post. Fixing this issue in our case will be a time-consuming challenge. :-(