We have a requirement to filter some information (e.g. Purchase Orders) visible to certain users by an internal attribute - Depots. A user may have access to multiple depots, so I have created a custom table, UserDepot, which contains fields UserId and Depot, and have populated this via a Data Entity using a Logic App. I have checked the contents using the .../Data/UserDepots URL.
Ignoring for the moment the issues of selecting Depots by Userid (I am thinking of creating a 'temp' table MyDepots in the same way MyLegalEntities and MyDepartments are created at login) and the current requirement that a user with no Depots listed should have access to all Depots, as an initial test I created a query to link PurchTable to UserDepot and then created a Security Policy to apply this query to constrain both PurchTable and PurchLines.
The query looks like this:
And the security policy is:
The DepotAccess model references ApplicationFoundation, ApplicationPlatform and ApplicationSuite.
To test, I'm using the workspace Purchase Order Preparation (mi=PurchOrderMaintainWorkspace) which, I believe, uses view PurchOrderApprovedView, which is based on table PurchTable and hence, I believe, should be constrained as a result of the constraint on PurchTable.
The problem is that it doesn't work. With only 1 valid Depot in the UserDepot table a user with limited access (i.e. not System Admin) can still see all Purchase Orders.
I've tried linking the Security Policy to Role SystemUser (change Context Type to RoleName and insert SystemUser in the Role Name on the security policy properties) and also tried synchronising the database, all to no effect.
Unless I've seriously misunderstood how XDS works, I can't see why this shouldn't work, but can't see what I've failed to configure or where my test doesn't work.
What am I missing?