
Securing MarkLogic Server

Limitations

  • Users with QBAC document access cannot read document properties; this is a design limitation. QBAC document access does not include properties access by default, unless the QBAC query explicitly matches document properties through a CTS query. However, QBAC access to document properties gives access to the document itself by default.

  • Queries run unfiltered. If a query has false positives, access may be granted where it is not intended.

  • Expensive QBAC queries (for example, wildcards with lexicon expansion) are not recommended, because they run on every database request.

  • Queries may depend on specific indexes (for example, range queries). If those indexes are deleted, the queries fail, which leads to denial of access.

  • QBAC queries can be configured only through the security APIs and the REST Management APIs (RMAs). See the RMAs for configuring roles and users at /10.0/REST/POST/manage/v2/roles and /10.0/REST/POST/manage/v2/users.