Attribute-driven role based access

Hi Mendix, I am interested in an enhanced role-based access control that provides the ability to set user access (role/privilege/right/etc.) for a limited set of objects, specified by access attributes that are set together with the access setting. If and how can such an access control be implemented in Mendix?

For example: a warehouse manager role giving access to warehouse management functions not for all warehouses, but for specific ones, which are determined when this role is mapped to a user. Actually this attribute belongs to the role mapping and not to the role, as different warehouse managers are mapped to different warehouses. (Either the attribute can have 1..* multiplicity, or several different warehouse manager role mapping instances should be supported, each set with a different warehouse value.)

Considerations why this information is not a user attribute: this value has no meaning for all users of the company (e.g. finance staff), and the warehouse value used for the warehouse manager role mapping cannot be the same for all warehouse-specific roles, e.g. a manager can also be supervisor for additional warehouses (not managed by him/her).

Best Regards, Istvan
2 answers

Add an association from Warehouse to Account. Then, in Warehouse's access rules, add a rule for the role Warehousemanager with the XPath constraint:


Then, in the microflow properties, in the Security block, set 'Apply entity access' to Yes and set 'Allowed roles' to Warehousemanager.

Does that get you what you need?


You have associations Warehouse - AccessObject - User.

You could set up an XPath constraint on your Warehouse access rule saying:

[module.warehouse_accessobject/module.accessobject/module.accessobject_user = '[%CurrentUser%]']

Now you can create access objects and map them to warehouses and users. The users now only have access to the warehouses they are mapped to.
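As an added illustration that is not part of either answer and is not Mendix code, here is a small Python model of the Warehouse - AccessObject - Account design from the second answer. It evaluates, in plain Python, what the XPath constraint on the Warehouse access rule resolves to for each current user: a warehouse is visible when at least one path Warehouse_AccessObject -> AccessObject -> AccessObject_User ends at that user. The module, entity, association and role names, and the sample accounts and warehouses, are constructed assumptions; the point it demonstrates is the one Istvan asked for, namely that the same person can be manager of one warehouse and supervisor of another because the role lives on the mapping row, not on the user.

```python
# Constructed model (not Mendix code) of the Warehouse -> AccessObject -> Account
# pattern from the answers above. It evaluates in plain Python what the access-rule
# constraint
#   [Module.Warehouse_AccessObject/Module.AccessObject/Module.AccessObject_User = '[%CurrentUser%]']
# lets each user retrieve. Module, entity, association and role names are assumptions.
from dataclasses import dataclass


@dataclass(frozen=True)
class Account:
    name: str


@dataclass(frozen=True)
class Warehouse:
    code: str


@dataclass(frozen=True)
class AccessObject:
    """One row per (user, warehouse, role) mapping.

    Several rows per user are allowed, which is what lets one person be
    manager of one warehouse and supervisor of another.
    """
    user: Account
    warehouse: Warehouse
    role: str


def visible_warehouses(current_user, access_objects, role=None):
    """Warehouses the constraint resolves to for current_user.

    Walks Warehouse_AccessObject -> AccessObject -> AccessObject_User and keeps a
    warehouse when at least one path ends at current_user. `role` narrows the
    AccessObject rows considered, as an extra constraint on the role attribute would.
    """
    return {
        ao.warehouse
        for ao in access_objects
        if ao.user == current_user and (role is None or ao.role == role)
    }


def can_perform(current_user, warehouse, required_role, access_objects):
    """Mirrors a microflow with 'Apply entity access' set to Yes: the action is
    allowed only if the Warehouse object is retrievable under the constraint for
    the required role. With entity access not applied, this check would not run."""
    return warehouse in visible_warehouses(current_user, access_objects, role=required_role)


# Constructed sample data (assumed names).
ALICE, BOB, CAROL = Account("alice"), Account("bob"), Account("carol")  # carol is finance staff
W1, W2 = Warehouse("WH-1"), Warehouse("WH-2")
ACCESS_OBJECTS = [
    AccessObject(ALICE, W1, "WarehouseManager"),
    AccessObject(ALICE, W2, "WarehouseSupervisor"),
    AccessObject(BOB, W2, "WarehouseManager"),
]

if __name__ == "__main__":
    for user in (ALICE, BOB, CAROL):
        print(user.name, sorted(w.code for w in visible_warehouses(user, ACCESS_OBJECTS)))
```

Two practical notes when carrying this over to the real constraint: the `[%CurrentUser%]` token in a Mendix XPath constraint is written inside single quotes, and, as the first answer points out, the access rule only filters retrieves in a microflow when 'Apply entity access' is set to Yes; otherwise the microflow runs with full access and the AccessObject mapping is not consulted.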