XPath security constraint on two relations

Hi all, I’m just stuck at setting an XPATH security constraint on the following domain model. I want to constrain “Thing” such that the User can only read it, if there is a “Role” for “Division” and “Region” for the “Division” and “Region” of the “Thing”. Doing it like this: [Thing_Region/Region/Role_Region/Role/Role_User=CurrentUser] [Thing_Division/Division/Role_Division/Role/Role_User=CurrentUser] will not work, because in the case of two roles (Division 1, Region A) and  (Division 2, Region B) you would also get access to a thing in Division 1, Region B. An ideas how to solve that? Am I just missing some feature in XPATH that I could use or do I really need to completely remodel that just for security? regards, Fabian
2 answers

Or you go with this:

[Module.Thing_Region/Module.Region/Module.Role_Region/Module.Role[Module.Role_User = '[%CurrentUser%]']
/Module.Role_Division/Module.Division/Module.Thing_Division = id]



I would try with

[Things_Region/Region/Role_Region/Role[Role_User = '[%CurrentUser%]']/id 
 Things_Division/Division/Role_Division/Role[Role_User= '[%CurrentUser%]']/id]