Hello @Nathan_Cousins
Before Backendless 6.4.6 we do not check permissions when loading realations during the find operation (find, find by id, find first, find last). Now we check it, but we check it without counting object acl and owner policy. The security system is still multi-layered. For any load relations during find operation the system goes through several layers where each can trim the scope of the operations. The layered order of the decision making is consists of the following points of validation:
- Table permissions for the User account
- Table permissions for the user-defined roles
- Table permissions for system-level roles
- Global user-defined roles
- Global system roles
DENY has a higher priority than GRANT on the same layer.
Also, we have created an internal ticket to account owner policy BKNDLSS-26121. It will be implemented probably in a month. So the layered order of the decision making will probably consists of the following points of validation:
- Table permissions for the User account
- Table permissions for the user-defined roles
- Owner Policy
- Table permissions for system-level roles
- Global user-defined roles
- Global system roles