The Project Security determines which user roles you can manage, as in assign to or remove from Accounts.
The Xpath's determine your read/write rights to the Account entity. So, if we look at your data:
A. No XPath constraint at all: not as entity access, not on the page.
No restrictions on Account so you can see everything from the Account entity, but not from the User entity. So this explains why you are seeing all records, but not all attributes. The accounts associated to a userrole which you can't manage won't display User attributes.
B. Entity access XPath [not(System.UserRoles = '[%UserRole_TechnicalAdmin%]')] on the Account entity.
Same as A, except not the Accounts who have an association with TechnicalAdmin UserRole
C. Entity access XPath [System.UserRoles != '[%UserRole_TechnicalAdmin%]'] on the Account entity.
Your own description already explains it. The other account which has an asoc. to TechnicalAdmin and other UserRoles is shown here, which is correct.
D. Page XPath [not(System.UserRoles = '[%UserRole_TechnicalAdmin%]')]
Is this correct? I would expect the same results as B, but here they are the other way around...
E. Page XPath [System.UserRoles != '[%UserRole_TechnicalAdmin%]']
This is a bit of a surprise to me because apparently the page xpath gives you different results compared to the entity access xpath. Apparently all Account objects without any userroles are not shown here.
After contacting Mendix Support I got the following answer:
“From the forum thread we see that points D and E are unclear. Important is that 'entity access XPath constraints' are always applied, regardless the role of the user. They are applied based on the role of the user. 'Page XPath constraints' are applied on rows if you have access to the members in your XPath constraints.
Item D : you are not allowed to access the System.UserRoles member on the Users/Accounts with the technical administrator role. Therefore, it cannot check this, so you will see all 102 accounts. Otherwise you could know which account has the 'technical administrator' role, based on the results on this page. A better example why this is important: show me all employees with a salary > 'some value'. If I don't have rights to see the salary attribute of some employees (my boss for example), based on the results on a page, I can find out what the salary is of my boss. For that reason, this constraint is not applied on the employees where I don't have access to the salary attribute.
Item E: the XPath says: give me all Accounts with at least one UserRole which is not 'technical administrator'. There are 6 accounts which has a role other than 'technical administrator'. One of them still has the 'technical administrator' role too, so the functional administrator is not allowed to see if this account has another role. For that reason, he only sees 5 accounts.”