Input-level dataset filters and required field validations in Self-Service Actions are currently UI-side only. Any execution path that bypasses the form UI, JSON mode, direct API calls, or Port's MCP, skips these validations entirely, allowing invalid or unauthorized inputs to be submitted.

The desired behavior is for all execution paths to respect the same validation rules defined in the form UI, with meaningful error messages returned on violation. Current workarounds are insufficient for all cases:

Dynamic permissions: server-side enforcement, but requires manual policy configuration per action.

ownedByTeam: true on blueprint read permissions, restricts entity visibility at the catalog level, but does not cover all use cases.