This can be solved by not letting Employee inherit from System.User. Then you can create your own entity with custom access for the admins, and handle all System.User changes in microflows.
Hi Rene,
You can have a look at the multi tenant administration module in the Mendix AppStore. I think this will help you with your project.
You can find it here: https://appstore.home.mendix.com/link/app/80498/
Please let me know if you have any questions.
My colleague entered a support ticket and got the following answer from Mendix that I'd like to share:
"The correct answer has already been given by Jelle in the forum post.
Management around the System.User entity is configured through project security and overrides xpath constraints.
So for a multi-tenant solution, you typically don't want this level of security. Therefore, the solution lies in disabling this project-level user management and using entities that do not inherit from System.User. E.g. an Employee will have a 1-1 to System.User. Changes on the Employee can have an effect on the System.User entity (through microflows)."
From this I conclude that there is a security issue when using inheritance on System.User in a multi-tenant situation as described in this post. Fixing this issue in our case will be a time-consuming challenge. :-(