I have an issue with data security in an app that I’m building. I have an entity whose objects are restricted to only being visible to their owners, by having the XPath restriction “[System.owner = '[%CurrentUser%]']”. When viewing the data in a data grid, this works fine, and only objects created by the current user are visible to them. However, I have another page which generates a report based on the data in this entity, and is only supposed to use the data that the user would otherwise have access to. However, the report instead generates using all the data on the system, including data that should otherwise be hidden from the user. Considering that the access rules should not allow this, I’m confused as to why this happens.
As for the specifics, the report itself is generated as a non-persistible ReportData entity via a microflow, which is updated every time the report page loads.
Note that microflows only adhere to security if Apply entity access is set to Yes. So check your microflow that generates the report data.