Security Issue for Change View of Exposed Entity

[I590232]

Hi Team,

Trying to implement security for Change Tracking of an Entity through navigation but still able to access it by expanding through url.
I have below service with ErrorPricing Entity for which Change Tracking is enabled.
service ErrorPricingService { @(Capabilities: { InsertRestrictions.Insertable: true, UpdateRestrictions.Updatable : true, DeleteRestrictions.Deletable : false }) @odata.draft.enabled: true entity ErrorPricing as projection on errorPricing.ErrorPricing; }

Below is the security service implemented for the entity.
annotate ErrorPricingService.ErrorPricing with @(restrict: [ { grant: ['*'], to : 'PriceAdminInternal' }, { grant: ['READ'], to : 'PriceViewerInternal' }, { grant: ['READ'], to : 'PriceAdminExternal' } ]);

I tried using below approach but it results in internal server error.
annotate ErrorPricingService.ErrorPricing.changes with @(restrict: [ { grant: ['*'], to : 'PriceAdminInternal' }, { grant: ['READ'], to : 'PriceViewerInternal' }, { grant: ['READ'], to : 'PriceAdminExternal' } ]);

Below are the snapshots from the url from where I am able to access changes by expanding the url.

[mvoros-rs]

Hi,

isn't this a standard limitation of SAP documented here?
https://cap.cloud.sap/docs/guides/security/authorization#limitation-deep-authorization