Additional security config needs and use of constraint

I want to add additional access control for users for some selection of Entities at record level across the application suite. For example, An user has access to all products but only to a specific warehouse. in order to maintain this access control at the record level, I have a table in the database where the access to a list of the warehouse is maintained. When the user logs-in the application he will only see those warehouse which is authorized for him.

Is it something we can use through constraint? If so, I could appreciate sharing how to use it.

Yes you can do it with security constraints.
Provided that you have app_Warehouse entity, and app_WarehouseAccess which contains wharehouse and user attributes, the constraint should be as follows:

Entity: app_Warehouse
Join clause: join app_WarehouseAccess a on a.warehouse = {E}
Where clause: = :session$userId

Hi Konstantin
Thank you for your help. Here is what I did following your code-snippet…


and the result I get when click the test button :

        An error occurred while running resulting query.

    com.haulmont.cuba.core.sys.jpql.JpqlSyntaxException: Errors found for input JPQL:[select e from erp$Plant e join erp_PlantAccess a on a.plant = e join erp_PlantAccess a on a.plant = e where (( = :session_userId and a.accessGranted = true) and ( = :session$userId and a.accessGranted = true)) and (e.tenantId = 'assurance')] The identification variable 'a' cannot be declared more than once

Looks like the constraint is applied twice. Ensure it is present only once in the groups tree.

That’s what I am wondering of, where is the error as it seems there is no such duplicate constraint used here as you see.

Note that I am trying to use it in multi tenant environment. When I test it in Admin access (not a tenant admin) then test passes. It doesn’t pass when I test as a tenant user where the tenant. Is it a bug?

Can you replicate it on a test project?

Hi @mortozakhan

I saw in another topic that the suggested syntax for the join clause in the form (your picture) should NOT have the word ‘join’ included in the text field.

@knstvk maybe you can correct me if I’m wrong.


No, the syntax is correct (see context help button “?” next to the field):

A value of this field is added to the “from” query clause. It should begin with a comma, “join” or “left join”.
The {E} placeholder should be used as an alias of the entity being extracted. On execution of the query, it will be replaced with a real alias, specified in the query.
For example:
join {E}.seller s

Hi Konstantin
Sorry for the delayed reply as I was on a business trip.

I have attached a demo app where you will find Warehouse and WarehouseAccess used for this test. (137.8 KB)
Here is the exception:

Syntax errors found while parsing 'where' and 'join' clauses:
CommonErrorNode [,1:6], resync=where = :session$userId>]

Here is the constraint used:


Looking forward to your further help.


In the “Where Clause” field you should not add the where keyword. It is mentioned in the docs and in the context help.