В статье
Create and use deep links написано:
Цитата:
Security
Site access
Access to the domain/client is controlled through the existing login and SSL mechanism.
Form access
Access to the form is controlled through the specified Menu Item, and the accompanying Menu Item security system. If a user navigates using a URL which contains a Menu Item that the user does not have access to, then the Menu Item security will prevent the form from opening. The user will receive message which says that they do not have the necessary permissions to open the form.
Data access
Access to data is controlled through the existing form-level queries. When a form is opened with a generated URL, the form will run its existing form-level queries, which restrict the user's access to data. The data context that is specified in the generated URL is consumed after these form-level queries are applied, and results only in further filtering of the data displayed to the user. In short, a generated URL can, at most, open a form and display all of the data that a form would display to the user based on the form-level queries. A generated URL cannot grant a user access to data that is otherwise inaccessible on the form when not using the generated URL.
Говоря по-русски:
Доступ к сайту обеспечивается протоколом HTTPS
Доступ к форме обеспечивается правами доступа к пункту меню, по которому генерится ссылка
Доступ к данным обеспечивается с помощью запросов на уровне формы. Т.е. пользователь не увидит данные, которые не может увидеть с помощью конкретной формы. Ну т.е. по сути фильтр накладывается на queryRun при уже существующем query