Channel: Mendix Forum Questions

Request for advice on multi-tenancy security issue


There is a multi-tenancy issue with security that has already existed for a couple of years.
Last week this issue was classified as a potential security risk/leak during a security audit on one of our apps.

In the app we have several different organizations of the same type that can log in and maintain their own users/employees (employee inherits from system.user).
We created an organization admin role that, when assigned to an end user, has access to only its own employees (entity access XPath: [UsageManagement.Employee_Organization/UsageManagement.Organization/UsageManagement.Employee_Organization='[%CurrentUser%]']).
Next to that it is authorized to manage only roles applicable for this type of organization.

Now, when I log in as organization admin of such an organization, I can see all data of my own employees but also the login data (system.user) from the employees of all other organizations of the same type.
Worse, I can also edit the login data of those employees.
I can solve this by putting an extra XPath constraint on the grid itself, the same one as in the entity access ([UsageManagement.Employee_Organization/UsageManagement.Organization/UsageManagement.Employee_Organization='[%CurrentUser%]']).
But this is easily hackable by changing/removing the grid specific xpath in the browser.

I already found a forum entry from 5 years ago describing exactly the same problem (https://forum.mendixcloud.com/link/questions/3725).
I did not find any information or best practices on how to solve this issue.

Please advise!!!

In this post I only talk about the employee entity, but it also affects a number of other multi-tenant entities that are shared by organizations of the same type.
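
The concern raised in the post, that a constraint placed only on the grid disappears when the client drops it while a constraint derived from the session on the server does not, as an added sketch that is not part of the original post and is not Mendix code. The data model, function names and sample accounts are constructed for illustration.

```python
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Account:
    name: str
    organization: str  # tenant that owns this login
    password_hash: str

# Constructed sample accounts: two organizations of the same type.
STORE = {a.name: a for a in (
    Account("alice", "org-a", "hash-1"),  # organization admin of org-a
    Account("bob", "org-a", "hash-2"),
    Account("carol", "org-b", "hash-3"),
)}

def list_grid_only(client_filter=None):
    """Weak: the only tenant filter is the one the request carries."""
    return sorted(a.name for a in STORE.values()
                  if client_filter is None or client_filter(a))

def list_enforced(session_user, client_filter=None):
    """Tenant scope comes from the session and is ANDed with any client filter."""
    org = STORE[session_user].organization
    return sorted(a.name for a in STORE.values()
                  if a.organization == org
                  and (client_filter is None or client_filter(a)))

def update_login_enforced(session_user, target, new_hash):
    """Writes re-check the tenant; a foreign target is refused, not filtered."""
    org = STORE[session_user].organization
    account = STORE.get(target)
    if account is None or account.organization != org:
        return False
    STORE[target] = replace(account, password_hash=new_hash)
    return True

def own_org(a):
    """The filter the grid would normally send for an org-a admin."""
    return a.organization == "org-a"

if __name__ == "__main__":
    print(list_grid_only(own_org))        # grid filter present
    print(list_grid_only(None))           # grid filter removed by the client
    print(list_enforced("alice", None))   # server scope still applies
    print(update_login_enforced("alice", "carol", "x"))
```

The same session-derived check has to sit on every read and write path that reaches the login data, including queries against the base user entity, for the tenant boundary to hold.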

