Merge pull request #9607 from Dmitri-Kom/ctrl/3329-update-system-module-to-enable-entity-access

Yiyun333 · web-flow · commit c306f51a25a2 · 2025-06-26T16:11:13.000+02:00
Document the secure entity access default in the system module
diff --git a/content/en/docs/refguide/installation/upgrading-from-10-to-11.md b/content/en/docs/refguide/installation/upgrading-from-10-to-11.md
@@ -81,6 +81,16 @@ We recommend you also upgrade Atlas Web Content if it is in your app.
 
 For optimal implementation, ensure all UI modules either use CSS variables or have their variables defined within the module. If an app uses CSS variables inside **theme/web/custom-variables.scss** while some UI modules still rely on old Atlas SASS variables, those usages will fallback to Atlas default values. Therefore, we recommend you to transition to CSS variables only after confirming that all company design modules no longer depend on Atlas SASS variables.
 
+### Using the **ShowHomePage** Microflow in the **System** Module {#apply-entity-access}
+
+In Studio Pro versions prior to 11, the default configuration was insecure: **Apply entity access** was set to `false`. In Studio Pro version 11, the **ShowHomePage** microflow in the **System** module now enforces a secure default for entity access. As a result, after upgrading to version 11, your application may report errors that were previously not detected.
+
+Below is an example of a potential error that may occur after upgrading to version 11, along with recommended approaches for resolving it.
+
+After the upgrade, your app may report the following new error: `A microflow that does not apply entity access can only call microflows that also do not apply entity access`. This error occurs when a microflow that does not apply entity access attempts to call the **ShowHomePage** microflow in the **System** module, which now enforces entity access. In earlier versions, the **ShowHomePage** microflow did not have entity access applied, so this error did not arise before the upgrade.
+
+You can resolve the error by enabling entity access for the microflow that calls the **ShowHomePage** microflow. However, this may not always align with your intended access control strategy. Alternatively, you can create a custom microflow that includes the [Show home page](/refguide/show-home-page/) activity without enabling entity access. You can then call this new microflow instead of the one in the **System** module. Another approach is to call the **Show home page** activity directly within your microflow.
+
 ### Other
 
 * Studio Pro 10.21 and above requires your application to use Java 21. The Java version of an application can be configured in the runtime settings. Java 21 is available in 9.24.23 and above. Please consider the Java Version Migration guide for a list of changes between Java versions. For on-premises deployments, ensure that JDK 21 is installed in the environments where Mendix 10 applications are deployed.
diff --git a/content/en/docs/refguide/modeling/security/_index.md b/content/en/docs/refguide/modeling/security/_index.md
@@ -83,6 +83,12 @@ Mendix applications that are deployed to SAP BTP can have SSO with SAP's IdP. Me
 
 If you want to invite your colleagues to build your app, you can manage the **Team** in [Apps](https://sprintr.home.mendix.com/). Only team members who are invited to your app can access it (as a project to collaborate on). You can assign app roles to them. These team member roles define what they can access and change in the app in the backend while developing the app and are different from end-user roles which define what users can access in a running app. For more information, see [Team](/developerportal/general/team/) in the documentation of **Apps**.
 
+## The System Module
+
+Each Mendix app includes a **System** module that provides essential functionalities that every app needs, such as user and user role entities. This module is automatically included in each app.
+
+One of the documents in this module is the **ShowHomePage** microflow, which can be used when creating an app. Starting from Studio Pro 11, this microflow enforces a secure default for entity access. This means that when using this microflow, such as calling it from another microflow, it is assured that entity access from the **ShowHomePage** microflow is applied and restricted by default. This is a breaking change introduced in Studio Pro 11. For more details, see the [Using the ShowHomePage Microflow in the System Module](/refguide/upgrading-from-10-to-11/#apply-entity-access) section in *Upgrading from Mendix Studio Pro 10 to 11*.
+
 ## The Security Overview
 
 The [Security Overview](/refguide/security-overview/) provides you with an overview of your app's security. To access the overview, open the **App** menu, and then click **Show Security Overview**. 
