Permissions on Dynamic Attributes

I am having an issue getting security to work on my Dynamic Attribute fields. I have added read only rules to both core fields and a few dynamic attributes on my entity for a certain role. When editing a record as a user with this role the core fields are presented as read only as expected but the dynamic attributes are still editable and I can save the record after having changed the values. I am loading the dynamic attributes in my screen using the loadDynamicAttributes=“true” setting in my datasource and then displaying the attributes within a group box using:

 <groupBox id="gbDynamicAttributes"
           caption="mainMsg://screens.dynamicAttributes"
           collapsable="true"
           spacing="true">
                 <runtimeProperties categoriesDs="categoriesDs"
                                                 runtimeDs="runtimePropsDs"/>
      </groupBox>

Is there something else I need to do to make sure the permissions on the role are being applied?

I have performed some more testing and have found that when the dynamic attributes are added to a screen using the Visibility settings from the Attribute Editor, permissions are applied correctly. It is just when adding the attributes via the runtimeProperties that this issue occurs.

Hi,
Thank you for reporting the problem.
We have created a YouTrack issue.

:ticket: See the following issue in our bug tracker:

https://youtrack.cuba-platform.com/issue/PL-9888