Hi all, I’m just stuck at setting an XPATH security constraint on the following domain model. I want to constrain “Thing” such that the User can only read it, if there is a “Role” for “Division” and “Region” for the “Division” and “Region” of the “Thing”. Doing it like this: [Thing_Region/Region/Role_Region/Role/Role_User=CurrentUser] [Thing_Division/Division/Role_Division/Role/Role_User=CurrentUser] will not work, because in the case of two roles (Division 1, Region A) and (Division 2, Region B) you would also get access to a thing in Division 1, Region B. An ideas how to solve that? Am I just missing some feature in XPATH that I could use or do I really need to completely remodel that just for security? regards, Fabian