Our app is almost completely non-persistent. All customers and their associated entities are retrieved by REST calls to a back-end. Only Photos are stored in the Mendix app. Photos that belong to equipment of the customer. We know which Photo belongs to what equipment because of the EquipmentID that we store as Photo attribute. Two questions: How do I implement an access rule on the Photo to ensure that Users can only access Photos belonging to the Customer that they have access to? How do I constrain the synchronization of Photos in the native profile to only those Photos belonging to the Location in question? For issue 1, I wanted to implement an access rule that the CustomerID attribute of the Photo should be the same as the CustomerID attribute of the CustomerAccess object that I store to remember which customer a User has access to, but Mendix does not allow starting from CurrentUser in an Access rule. For issue 2, I implemented an Access rule that there should be an association to Account, but that results in other users with the same role not being able to see the Photos in the web profile.
You need to create an association path between your persisted objects: Photo and Account. Once you have a path, you can create an XPath access rule. Since you already store the Customer ID two ways (CustomerAccess and as a foreign key on Photo), I’d recommend that you create a persisted Customer entity and an association path like this:
Create a persistable entity that represents the Customer. It can just store the customerID and the rest of our customer data can still be fed from APIs.
Create an association from Photo to Customer. This association from Account to Photo replaces the CustomerAccess object that you store today (so it keeps track of which Customer(s) the Account has access to.
Create an association from (user) Account to Customer . This association replaces the need to keep CustomerID as a foreign key on the Photo entity itself.