mendixlabs
diff --git a/‎.claude/skills/mendix/manage-security.md‎
Lines changed: 15 additions & 1 deletion b/‎.claude/skills/mendix/manage-security.md‎
Lines changed: 15 additions & 1 deletion
diff --git a/‎cmd/mxcli/help_topics/security.txt‎
Lines changed: 4 additions & 0 deletions b/‎cmd/mxcli/help_topics/security.txt‎
Lines changed: 4 additions & 0 deletions
diff --git a/‎docs-site/src/examples/security.md‎
Lines changed: 17 additions & 1 deletion b/‎docs-site/src/examples/security.md‎
Lines changed: 17 additions & 1 deletion
diff --git a/‎docs-site/src/language/entity-access.md‎
Lines changed: 31 additions & 3 deletions b/‎docs-site/src/language/entity-access.md‎
Lines changed: 31 additions & 3 deletions
diff --git a/‎docs-site/src/language/grant-revoke.md‎
Lines changed: 23 additions & 2 deletions b/‎docs-site/src/language/grant-revoke.md‎
Lines changed: 23 additions & 2 deletions
diff --git a/‎docs-site/src/reference/security/grant.md‎
Lines changed: 9 additions & 1 deletion b/‎docs-site/src/reference/security/grant.md‎
Lines changed: 9 additions & 1 deletion
diff --git a/‎docs-site/src/reference/security/revoke.md‎
Lines changed: 36 additions & 4 deletions b/‎docs-site/src/reference/security/revoke.md‎
Lines changed: 36 additions & 4 deletions
diff --git a/‎docs/01-project/MDL_QUICK_REFERENCE.md‎
Lines changed: 3 additions & 2 deletions b/‎docs/01-project/MDL_QUICK_REFERENCE.md‎
Lines changed: 3 additions & 2 deletions
diff --git a/‎docs/05-mdl-specification/01-language-reference.md‎
Lines changed: 23 additions & 2 deletions b/‎docs/05-mdl-specification/01-language-reference.md‎
Lines changed: 23 additions & 2 deletions
diff --git a/‎mdl-examples/doctype-tests/08-security-examples.mdl‎
Lines changed: 29 additions & 2 deletions b/‎mdl-examples/doctype-tests/08-security-examples.mdl‎
Lines changed: 29 additions & 2 deletions
@@ -121,6 +121,8 @@ REVOKE VIEW ON PAGE MyModule.Customer_Overview FROM MyModule.User;
 
 ### Entity Access (CRUD)
 
+GRANT is **additive** — it merges with existing access, never removes permissions.
+
 ```sql
 -- Full access (all CRUD + all members)
 GRANT MyModule.Admin ON MyModule.Customer (CREATE, DELETE, READ *, WRITE *);
@@ -131,11 +133,23 @@ GRANT MyModule.Viewer ON MyModule.Customer (READ *);
 -- Selective member access
 GRANT MyModule.User ON MyModule.Customer (READ (Name, Email), WRITE (Email));
 
+-- Additive: adds Phone to existing read access (Name, Email preserved)
+GRANT MyModule.User ON MyModule.Customer (READ (Phone));
+
 -- With XPath constraint
 GRANT MyModule.User ON MyModule.Order (READ *, WRITE *) WHERE '[Status = ''Open'']';
 
--- Revoke entity access for a role
+-- Revoke entity access entirely
 REVOKE MyModule.Viewer ON MyModule.Customer;
+
+-- Partial revoke: remove read on specific attribute
+REVOKE MyModule.User ON MyModule.Customer (READ (Phone));
+
+-- Partial revoke: downgrade write to read-only
+REVOKE MyModule.User ON MyModule.Customer (WRITE (Email));
+
+-- Partial revoke: remove structural permission
+REVOKE MyModule.User ON MyModule.Customer (DELETE);
 ```
 
 ### User Roles
 
@@ -29,9 +29,13 @@ PAGE ACCESS:
 ENTITY ACCESS:
   GRANT <role> ON <module>.<entity> (<rights>) [WHERE '<xpath>'];
   REVOKE <role> ON <module>.<entity>;
+  REVOKE <role> ON <module>.<entity> (<rights>);
 
   Rights: CREATE, DELETE, READ *, READ (<attr>,...), WRITE *, WRITE (<attr>,...)
 
+  GRANT is additive — merges new rights into existing access rules.
+  REVOKE without rights removes the entire rule; with rights, downgrades selectively.
+
 USER ROLES:
   CREATE USER ROLE <name> (<role> [, ...]) [MANAGE ALL ROLES];
   ALTER USER ROLE <name> ADD MODULE ROLES (<role> [, ...]);
 
@@ -73,12 +73,28 @@ CREATE OR MODIFY DEMO USER 'manager' PASSWORD 'Password1!' (SalesManager);
 ALTER PROJECT SECURITY DEMO USERS ON;
 ```
 
+## Additive Grants
+
+GRANT merges with existing access — it never removes permissions:
+
+```sql
+-- Viewer already has READ (Name, Email)
+GRANT Sales.Viewer ON Sales.Customer (READ (Phone));
+-- Result: READ (Name, Email, Phone)
+```
+
 ## Revoking Access
 
 ```sql
--- Remove a specific grant
+-- Remove all access for a role
 REVOKE Sales.Viewer ON Sales.Customer;
 
+-- Partial revoke: remove read on a specific attribute
+REVOKE Sales.User ON Sales.Customer (READ (Phone));
+
+-- Partial revoke: downgrade write to read-only
+REVOKE Sales.User ON Sales.Customer (WRITE (Email));
+
 -- Remove microflow access
 REVOKE EXECUTE ON MICROFLOW Sales.ACT_Order_Delete FROM Sales.User;
 ```
@@ -59,6 +59,23 @@ GRANT Shop.User ON Shop.Order (READ *, WRITE *)
 
 Note that single quotes inside XPath expressions must be doubled (`''`), since the entire expression is wrapped in single quotes.
 
+### Additive Behavior
+
+GRANT is **additive**. If a role already has an access rule on the entity, the new rights are merged in without removing existing permissions:
+
+```sql
+-- Initial grant
+GRANT Shop.User ON Shop.Customer (READ (Name, Email));
+
+-- Add Notes access — Name and Email are preserved
+GRANT Shop.User ON Shop.Customer (READ (Notes));
+-- Result: READ (Name, Email, Notes)
+
+-- Upgrade Email to writable — existing reads preserved
+GRANT Shop.User ON Shop.Customer (WRITE (Email));
+-- Result: READ (Name, Notes), WRITE (Email)
+```
+
 ### Multiple Roles on the Same Entity
 
 Each GRANT creates a separate access rule. An entity can have rules for multiple roles:
@@ -71,19 +88,30 @@ GRANT Shop.Viewer ON Shop.Order (READ *);
 
 ## REVOKE on Entities
 
-Remove an entity access rule for a role:
+Remove an entity access rule entirely or revoke specific rights:
 
 ```sql
+-- Full revoke (removes entire rule)
 REVOKE <Module>.<Role> ON <Module>.<Entity>;
+
+-- Partial revoke (downgrades specific rights)
+REVOKE <Module>.<Role> ON <Module>.<Entity> (<rights>);
 ```
 
-Example:
+Examples:
 
 ```sql
+-- Remove all access for Viewer
 REVOKE Shop.Viewer ON Shop.Customer;
+
+-- Remove read access on a specific attribute
+REVOKE Shop.User ON Shop.Customer (READ (Notes));
+
+-- Downgrade write to read-only on Email
+REVOKE Shop.User ON Shop.Customer (WRITE (Email));
 ```
 
-This removes the entire access rule for that role on that entity.
+A full `REVOKE` (without rights list) removes the entire access rule. A partial `REVOKE` downgrades specific rights: `REVOKE READ (x)` sets member x to no access, `REVOKE WRITE (x)` downgrades from ReadWrite to ReadOnly.
 
 ## Viewing Entity Access
 
 
@@ -21,6 +21,8 @@ Where `<rights>` is a comma-separated list of:
 | `WRITE *` | Write all members |
 | `WRITE (<attr>, ...)` | Write specific members only |
 
+GRANT is **additive**: if the role already has an access rule on the entity, new rights are merged in. Existing permissions are never removed by a GRANT — only upgraded.
+
 Examples:
 
 ```sql
@@ -36,20 +38,39 @@ GRANT Shop.User ON Shop.Customer (READ (Name, Email), WRITE (Email));
 -- With XPath constraint (doubled single quotes for string literals)
 GRANT Shop.User ON Shop.Order (READ *, WRITE *)
   WHERE '[Status = ''Open'']';
+
+-- Additive: adds Notes to existing read access without removing Name, Email
+GRANT Shop.User ON Shop.Customer (READ (Notes));
 ```
 
 ### REVOKE
 
-Remove an entity access rule entirely:
+Remove an entity access rule entirely, or revoke specific rights:
 
 ```sql
+-- Full revoke (removes entire rule)
 REVOKE <Module>.<Role> ON <Module>.<Entity>;
+
+-- Partial revoke (downgrades specific rights)
+REVOKE <Module>.<Role> ON <Module>.<Entity> (<rights>);
 ```
 
-Example:
+For partial revoke, `REVOKE READ (x)` sets member x access to None. `REVOKE WRITE (x)` downgrades member x from ReadWrite to ReadOnly. `REVOKE CREATE` / `REVOKE DELETE` removes the structural permission.
+
+Examples:
 
 ```sql
+-- Remove all access
 REVOKE Shop.Viewer ON Shop.Customer;
+
+-- Remove read access on a specific member
+REVOKE Shop.User ON Shop.Customer (READ (Notes));
+
+-- Downgrade write to read-only
+REVOKE Shop.User ON Shop.Customer (WRITE (Email));
+
+-- Remove delete permission only
+REVOKE Shop.User ON Shop.Customer (DELETE);
 ```
 
 ## Microflow Access
 
@@ -22,7 +22,7 @@ Grants access rights to module roles. There are four forms of the GRANT statemen
 
 ### Entity Access
 
-The entity access form creates an access rule on an entity for a given module role. The rule specifies which CRUD operations are permitted and optionally restricts visibility with an XPath constraint.
+The entity access form creates or updates an access rule on an entity for a given module role. **GRANT is additive**: if the role already has an access rule on the entity, the new rights are merged with existing ones. Existing permissions are never downgraded by a GRANT.
 
 Entity access rules control:
 - **CREATE** -- whether the role can create new instances
@@ -117,6 +117,14 @@ Grant nanoflow execution:
 GRANT EXECUTE ON NANOFLOW Shop.NAV_ValidateInput TO Shop.User;
 ```
 
+Additive grant -- add new attribute access without removing existing:
+
+```sql
+-- Viewer already has READ (Name, Email)
+GRANT Shop.Viewer ON Shop.Customer (READ (Phone));
+-- Result: READ (Name, Email, Phone)
+```
+
 ## See Also
 
 [REVOKE](revoke.md), [CREATE MODULE ROLE](create-module-role.md), [CREATE USER ROLE](create-user-role.md)
@@ -3,9 +3,12 @@
 ## Synopsis
 
 ```sql
--- Entity access
+-- Entity access (full -- removes entire rule)
 REVOKE module.Role ON module.Entity
 
+-- Entity access (partial -- downgrades specific rights)
+REVOKE module.Role ON module.Entity ( rights )
+
 -- Microflow access
 REVOKE EXECUTE ON MICROFLOW module.Name FROM module.Role [, ...]
 
@@ -22,7 +25,9 @@ Removes previously granted access rights from module roles. Each form is the cou
 
 ### Entity Access
 
-Removes the entire entity access rule for the specified module role on the entity. Unlike GRANT, there is no way to partially revoke (e.g., remove only WRITE while keeping READ). The entire rule is removed.
+Without a rights list, removes the entire entity access rule for the specified module role on the entity.
+
+With a rights list, performs a **partial revoke**: `REVOKE READ (x)` sets member x to no access. `REVOKE WRITE (x)` downgrades member x from ReadWrite to ReadOnly. `REVOKE CREATE` and `REVOKE DELETE` remove the structural permission. The access rule itself is preserved.
 
 ### Microflow Access
 
@@ -42,7 +47,16 @@ Removes execute permission on a nanoflow from one or more module roles.
 :   The module role losing access. Must be a qualified name (`Module.RoleName`).
 
 `module.Entity`
-:   The entity whose access rule is removed.
+:   The entity whose access rule is removed or modified.
+
+`rights`
+:   Optional. A comma-separated list of rights to revoke (partial revoke). Same syntax as GRANT rights:
+    - `CREATE` -- revoke create permission
+    - `DELETE` -- revoke delete permission
+    - `READ *` -- revoke all read access
+    - `READ (Attr1, ...)` -- revoke read on specific attributes
+    - `WRITE *` -- downgrade all members from ReadWrite to ReadOnly
+    - `WRITE (Attr1, ...)` -- downgrade specific attributes from ReadWrite to ReadOnly
 
 `module.Name`
 :   The target microflow, nanoflow, or page.
@@ -52,12 +66,30 @@ Removes execute permission on a nanoflow from one or more module roles.
 
 ## Examples
 
-Remove entity access for a role:
+Remove all entity access for a role:
 
 ```sql
 REVOKE Shop.Viewer ON Shop.Customer;
 ```
 
+Partial revoke -- remove read access on a specific attribute:
+
+```sql
+REVOKE Shop.User ON Shop.Customer (READ (Notes));
+```
+
+Partial revoke -- downgrade write to read-only:
+
+```sql
+REVOKE Shop.User ON Shop.Customer (WRITE (Email));
+```
+
+Partial revoke -- remove structural permission:
+
+```sql
+REVOKE Shop.User ON Shop.Customer (DELETE);
+```
+
 Remove microflow execution from multiple roles:
 
 ```sql
 
@@ -220,8 +220,9 @@ Nested folders use `/` separator: `'Parent/Child/Grandchild'`. Missing folders a
 | Revoke microflow access | `REVOKE EXECUTE ON MICROFLOW Mod.MF FROM Mod.Role, ...;` | |
 | Grant page access | `GRANT VIEW ON PAGE Mod.Page TO Mod.Role, ...;` | |
 | Revoke page access | `REVOKE VIEW ON PAGE Mod.Page FROM Mod.Role, ...;` | |
-| Grant entity access | `GRANT Mod.Role ON Mod.Entity (CREATE, DELETE, READ *, WRITE *);` | Supports member lists and WHERE |
-| Revoke entity access | `REVOKE Mod.Role ON Mod.Entity;` | |
+| Grant entity access | `GRANT Mod.Role ON Mod.Entity (CREATE, DELETE, READ *, WRITE *);` | Additive — merges with existing |
+| Revoke entity access | `REVOKE Mod.Role ON Mod.Entity;` | Full revoke — removes entire rule |
+| Revoke entity access (partial) | `REVOKE Mod.Role ON Mod.Entity (READ (Attr));` | Partial — downgrades specific rights |
 | Set security level | `ALTER PROJECT SECURITY LEVEL OFF\|PROTOTYPE\|PRODUCTION;` | |
 | Toggle demo users | `ALTER PROJECT SECURITY DEMO USERS ON\|OFF;` | |
 | Create demo user | `CREATE DEMO USER 'name' PASSWORD 'pass' [ENTITY Module.Entity] (UserRole, ...);` | |
 
@@ -1004,7 +1004,7 @@ REVOKE VIEW ON PAGE <module>.<name> FROM <module>.<role> [, ...]
 
 ### GRANT (Entity Access)
 
-Creates an access rule on an entity for one or more module roles with CRUD permissions.
+Creates or updates an access rule on an entity for one or more module roles with CRUD permissions. **GRANT is additive** — if the role already has an access rule, new rights are merged without removing existing permissions.
 
 **Syntax:**
 ```sql
@@ -1030,15 +1030,36 @@ GRANT Shop.User ON Shop.Customer (READ (Name, Email), WRITE (Email));
 
 -- With XPath constraint
 GRANT Shop.User ON Shop.Order (READ *, WRITE *) WHERE '[Status = ''Open'']';
+
+-- Additive: adds Phone to existing read access (Name, Email preserved)
+GRANT Shop.User ON Shop.Customer (READ (Phone));
 ```
 
 ### REVOKE (Entity Access)
 
-Removes an entity access rule for specified roles.
+Removes an entity access rule entirely, or revokes specific rights.
 
 **Syntax:**
 ```sql
+-- Full revoke (removes entire rule)
 REVOKE <module>.<role> ON <module>.<entity>
+
+-- Partial revoke (downgrades specific rights)
+REVOKE <module>.<role> ON <module>.<entity> (<rights>)
+```
+
+Partial revoke semantics: `REVOKE READ (x)` sets member x to no access. `REVOKE WRITE (x)` downgrades from ReadWrite to ReadOnly. `REVOKE CREATE` / `REVOKE DELETE` removes the structural permission.
+
+**Examples:**
+```sql
+-- Remove all access
+REVOKE Shop.Viewer ON Shop.Customer;
+
+-- Remove read on specific attribute
+REVOKE Shop.User ON Shop.Customer (READ (Phone));
+
+-- Downgrade write to read-only
+REVOKE Shop.User ON Shop.Customer (WRITE (Email));
 ```
 
 ### CREATE USER ROLE
 
@@ -392,11 +392,38 @@ SHOW ACCESS ON SecTest.Customer;
 /
 
 -- ============================================================================
--- Level 5.5: Revoke Entity Access
+-- Level 5.5: Additive GRANT
 -- ============================================================================
 
 /**
- * Remove the Viewer role's access rule from Customer.
+ * GRANT is additive: adding Notes access preserves existing Name and Email.
+ */
+GRANT SecTest.User ON SecTest.Customer (READ (Notes));
+/
+
+-- ============================================================================
+-- Level 5.6: Partial REVOKE
+-- ============================================================================
+
+/**
+ * Remove read access on a specific attribute (Notes).
+ * Other permissions are preserved.
+ */
+REVOKE SecTest.User ON SecTest.Customer (READ (Notes));
+/
+
+/**
+ * Downgrade write to read-only on Email.
+ */
+REVOKE SecTest.User ON SecTest.Customer (WRITE (Email));
+/
+
+-- ============================================================================
+-- Level 5.7: Full Revoke Entity Access
+-- ============================================================================
+
+/**
+ * Remove the Viewer role's access rule from Customer entirely.
  */
 REVOKE SecTest.Viewer ON SecTest.Customer;
 /