Bug Report
Summary
The GRANT syntax does not support member-level attribute access control.
When attempting to grant READ or WRITE permissions on specific attributes
using quoted identifiers (e.g. READ "Attr1", "Attr2"), MxCLI throws a parse
error and the operation fails.
Context
Discovered during AI-assisted security configuration, where Claude attempted
to apply attribute-level access rules on an entity using the following syntax:
GRANT Mod.Role ON Mod.Entity (CREATE, DELETE, READ "Attr1" "Attr2", WRITE "Attr1")
The command failed with a parse error indicating that only the CREATE, DELETE,
READ, and WRITE keywords are expected, not quoted attribute identifiers.
Steps to Reproduce
- Define an entity with multiple attributes (e.g. Name, Email, Salary)
- Attempt to grant read access on specific attributes only:
GRANT Mod.Role ON Mod.Entity (READ "Name" "Email", WRITE "Name")
- MxCLI throws a parse/syntax error.
Observed vs Expected

| Syntax | Observed | Expected |
|---|---|---|
| READ "Attr1", "Attr2" | Parse error: unexpected quoted identifier | Grant read access on the specified attributes only |
| READ * | Works | Works |
| WRITE * | Works | Works |
Current Workaround
Use READ * and WRITE * to grant access on all attributes.
This works but does not support fine-grained, attribute-level security rules.
GRANT Mod.Role ON Mod.Entity (CREATE, DELETE, READ *, WRITE *)
Impact
- Attribute-level access control cannot be configured via MxCLI
- AI agents silently default to READ * / WRITE * (full access) as a workaround, which may violate security requirements in production or government-grade applications
- No way to enforce column-level data restrictions through automation
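As an added example (not part of this report and not MxCLI's own parser), the following Python lint checks GRANT statements before they are handed to MxCLI. The grammar it accepts is inferred only from the statements quoted in this report and is an assumption; the policy mapping (which attributes a role may read or write) is constructed for the example. It rejects the quoted-attribute form that MxCLI v0.6.0 fails on, and it flags the READ * / WRITE * workaround whenever a policy names the attributes a role is allowed to touch, so an automated pipeline fails loudly instead of silently granting full access.

```python
"""Hypothetical lint for MxCLI GRANT statements (added example, not MxCLI code).

The grammar below is inferred from the statements quoted in the report, e.g.
    GRANT Mod.Role ON Mod.Entity (CREATE, DELETE, READ *, WRITE *)
It is an assumption about the real syntax, not MxCLI's grammar.
"""
import re

GRANT_RE = re.compile(
    r"^\s*GRANT\s+(?P<role>[\w.]+)\s+ON\s+(?P<entity>[\w.]+)\s*\((?P<body>.*)\)\s*$",
    re.IGNORECASE | re.DOTALL,
)
# Tokens: quoted attribute, wildcard, separator, bare word, or any stray char.
TOKEN_RE = re.compile(r'"[^"]*"|\*|,|[A-Za-z_]\w*|\S')
KEYWORDS = {"CREATE", "DELETE", "READ", "WRITE"}
SCOPED = {"READ", "WRITE"}  # only these take an attribute scope


def parse_grant(stmt):
    """Return (role, entity, perms); perms maps keyword -> None | '*' | [attrs]."""
    m = GRANT_RE.match(stmt)
    if not m:
        raise ValueError("not a GRANT ... ON ... (...) statement")
    perms, current = {}, None
    for tok in TOKEN_RE.findall(m.group("body")):
        if tok == ",":
            continue  # separator between permissions or attributes
        if tok.upper() in KEYWORDS:
            current = tok.upper()
            perms[current] = None
        elif tok == "*":
            if current not in SCOPED:
                raise ValueError(f"'*' must follow READ or WRITE, got {current}")
            perms[current] = "*"
        elif tok.startswith('"'):
            if current not in SCOPED:
                raise ValueError(f"attribute {tok} must follow READ or WRITE")
            if perms[current] == "*":
                raise ValueError(f"{current} mixes '*' with attribute {tok}")
            if perms[current] is None:
                perms[current] = []
            perms[current].append(tok.strip('"'))
        else:
            raise ValueError(f"unexpected token {tok!r}")
    return m.group("role"), m.group("entity"), perms


def audit_grant(stmt, policy=None):
    """Return findings for one statement.

    policy maps READ/WRITE to the set of attributes the role may touch;
    a missing key means the policy places no restriction on that permission.
    """
    role, entity, perms = parse_grant(stmt)
    policy = policy or {}
    findings = []
    for kw in ("READ", "WRITE"):  # fixed order keeps findings deterministic
        scope, allowed = perms.get(kw), policy.get(kw)
        if isinstance(scope, list):
            # The form the report describes: MxCLI v0.6.0 rejects it at parse time.
            findings.append(
                f"{kw} {scope}: attribute-level scoping is not accepted by "
                f"MxCLI v0.6.0 (parse error); the statement will fail"
            )
            if allowed is not None and set(scope) - allowed:
                findings.append(
                    f"{kw} names attributes outside policy: "
                    f"{sorted(set(scope) - allowed)}"
                )
        elif scope == "*" and allowed is not None:
            # The workaround: wildcard widens access beyond the policy.
            findings.append(
                f"{kw} *: grants every attribute of {entity} to {role}, "
                f"but policy permits only {sorted(allowed)}"
            )
    return findings


if __name__ == "__main__":
    # Constructed policy: this role may read Name/Email and write Name only.
    policy = {"READ": {"Name", "Email"}, "WRITE": {"Name"}}
    for stmt in (
        'GRANT Mod.Role ON Mod.Entity (READ "Name" "Email", WRITE "Name")',
        "GRANT Mod.Role ON Mod.Entity (CREATE, DELETE, READ *, WRITE *)",
    ):
        print(stmt)
        for finding in audit_grant(stmt, policy):
            print("  -", finding)
```

Running the script on the two statements from this report prints one finding per scoped permission for the quoted form (it will not parse in MxCLI) and one per wildcard for the workaround (it exceeds the constructed policy); a pipeline that treats any finding as a hard failure cannot fall back to full access unnoticed.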
Suggested Fix / Enhancement
Either:
- Add support for the READ "Attr1", "Attr2" syntax in the GRANT command to allow attribute-level permission scoping
- Or clearly document in CLAUDE.md and the GRANT reference that attribute-level access is not supported, so AI agents and developers don't attempt invalid syntax
Environment
- Tool: MxCLI v0.6.0
- Mendix Studio Pro Version: [11.9.0]