ACR Rules


Microflow called from the client should apply entity access rules

For multi-tenant apps, it is important that users can only see their own data. The rule ‘Access rules leading to a user’ requires proper domain model access rules configuration.

This rule requires that all microflows callable by tenant user roles have "Apply entity access" turned on. This makes sure there is no accidental data leakage via strings, messages or non-persistent entities built from data the user is not allowed to read.

A list of tenant user roles can be configured for which this rule should be applied, e.g. “TenantUser,TenantAdministrator”.

This rule contradicts the rule ‘Microflow should not apply entity access’. When developing multi-tenant apps, our advice is to apply entity access: the performance hit is preferable to a potential data breach.

Noncompliant example:

Compliant example:

Configuration:

If you want to enable this rule, go to its Rule Settings, enable the rule and add the role(s) that need entity access if used from the client.
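As an added illustration of what this rule checks (not ACR's own implementation), the following stand-alone TypeScript models the relevant Mendix security metadata in simplified form: user roles map to module roles, and each microflow lists the module roles allowed to call it plus its "Apply entity access" setting. The type names, role names and microflow names are constructed for the example and are not the Mendix Model SDK.

```typescript
// Simplified, constructed model of Mendix security metadata (not the Model SDK).
interface UserRole { name: string; moduleRoles: string[] }
interface Microflow {
  qualifiedName: string;
  allowedModuleRoles: string[];  // module roles allowed to call it from the client
  applyEntityAccess: boolean;    // the "Apply entity access" microflow property
}

// Parse the rule setting in the format the page shows: "TenantUser,TenantAdministrator"
function parseTenantRoles(setting: string): string[] {
  return setting.split(",").map(s => s.trim()).filter(s => s.length > 0);
}

// Microflows are exposed per module role, while the rule is configured per user
// role, so expand the configured user roles to the module roles they include.
function tenantModuleRoles(tenantRoles: string[], userRoles: UserRole[]): Set<string> {
  const out = new Set<string>();
  for (const ur of userRoles) {
    if (tenantRoles.includes(ur.name)) ur.moduleRoles.forEach(mr => out.add(mr));
  }
  return out;
}

// Qualified names of microflows that violate the rule: callable by a tenant
// module role, but with entity access switched off.
function findViolations(setting: string, userRoles: UserRole[], microflows: Microflow[]): string[] {
  const tenant = tenantModuleRoles(parseTenantRoles(setting), userRoles);
  return microflows
    .filter(mf => !mf.applyEntityAccess && mf.allowedModuleRoles.some(r => tenant.has(r)))
    .map(mf => mf.qualifiedName);
}

// Constructed sample data: "Administration.Admin" is reachable only by the
// non-tenant Administrator role, so its microflow is out of scope for the rule.
const sampleUserRoles: UserRole[] = [
  { name: "TenantUser", moduleRoles: ["Orders.User"] },
  { name: "TenantAdministrator", moduleRoles: ["Orders.User", "Orders.Admin"] },
  { name: "Administrator", moduleRoles: ["Administration.Admin"] },
];
const sampleMicroflows: Microflow[] = [
  { qualifiedName: "Orders.ACT_ExportOrders", allowedModuleRoles: ["Orders.User"], applyEntityAccess: false },
  { qualifiedName: "Orders.ACT_PlaceOrder", allowedModuleRoles: ["Orders.User"], applyEntityAccess: true },
  { qualifiedName: "Orders.ACT_BulkInvoice", allowedModuleRoles: ["Orders.Admin"], applyEntityAccess: false },
  { qualifiedName: "Administration.SUB_Cleanup", allowedModuleRoles: ["Administration.Admin"], applyEntityAccess: false },
];

console.log(findViolations("TenantUser,TenantAdministrator", sampleUserRoles, sampleMicroflows));
```

Note that a microflow reachable only through a role outside the configured list (here `Administration.SUB_Cleanup`) is not flagged, which is why the role list in Rule Settings must cover every tenant-facing user role.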