Scenario
This example demonstrates how to use the new security system to implement the following security roles:
- Users (Joe, John) can view and edit tasks from their own department, but cannot delete them or create new ones. They also have readonly access to employees and other data of their own department.
- Managers (Sam, Mary) can fully manage (CRUD) their own department, its employees and tasks. However, they cannot access data from other departments.
- Administrators (Admin) can do everything within the application.
All users have empty passwords by default.
Steps to implement
1. Permissions at the type, object and member level (with criteria) are configured in the MainDemo.Module/DatabaseUpdate/Updater file. Note that complex criteria against associated objects are built with the JoinOperand together with the built-in CurrentUserId and IsCurrentUserInRole criteria functions. For convenience, the strongly typed criteria for permissions are accompanied by their string representation.
2. The SecuredObjectSpaceProvider is used in the CreateDefaultObjectSpaceProvider method of the XafApplication descendants located in the WinForms and ASP.NET projects.
3. Permission request caching is enabled via the IsGrantedAdapter.Enable method in the MainDemo.Module\MainDemoModule.xx file (see the T241873 ticket for more details).
4. The Department, Employee and EmployeeTask classes are implemented in the MainDemo.Module/BusinessObjects folder. To quickly understand relationships between involved business classes, their class diagram is attached.
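The following is an added example, not the Updater code shipped with this demo, showing how the "Users" role from the scenario could be built with the object-level criteria described in step 1: tasks of the user's own department are readable and writable but cannot be created or deleted, and the own Department record is read-only. It assumes the SecuritySystemRole/SecuritySystemTypePermissionsObject/SecuritySystemObjectPermissionsObject classes from DevExpress.Persistent.BaseImpl, an Employee user class with a Department reference, and an EmployeeTask.AssignedTo property pointing to Employee.

```csharp
using DevExpress.Data.Filtering;
using DevExpress.ExpressApp;
using DevExpress.Persistent.BaseImpl;

// Builds the "Users" role described in the scenario. Intended to be called from the
// Updater's UpdateDatabaseAfterUpdateSchema override (assumed helper, not demo code).
public static SecuritySystemRole CreateUsersRole(IObjectSpace objectSpace) {
    SecuritySystemRole usersRole = objectSpace.FindObject<SecuritySystemRole>(
        new BinaryOperator("Name", "Users"));
    if (usersRole != null) return usersRole;
    usersRole = objectSpace.CreateObject<SecuritySystemRole>();
    usersRole.Name = "Users";

    // Subquery for the current user's department; string form:
    // [<Employee>][Oid=CurrentUserId()].Single(Department.Oid)
    CriteriaOperator currentUserDepartment = new JoinOperand("Employee",
        new BinaryOperator(new OperandProperty("Oid"), new FunctionOperator("CurrentUserId"), BinaryOperatorType.Equal),
        Aggregate.Single, new OperandProperty("Department.Oid"));

    // Type level: navigation only; no create/delete at all. Read/write is granted
    // solely by the object-level rule below, so tasks of other departments stay hidden.
    SecuritySystemTypePermissionsObject taskPermissions = objectSpace.CreateObject<SecuritySystemTypePermissionsObject>();
    taskPermissions.TargetType = typeof(EmployeeTask);
    taskPermissions.AllowNavigate = true;
    taskPermissions.AllowCreate = false;
    taskPermissions.AllowDelete = false;

    SecuritySystemObjectPermissionsObject ownDepartmentTasks = objectSpace.CreateObject<SecuritySystemObjectPermissionsObject>();
    ownDepartmentTasks.Criteria = new BinaryOperator(new OperandProperty("AssignedTo.Department.Oid"),
        currentUserDepartment, BinaryOperatorType.Equal).ToString();
    ownDepartmentTasks.AllowRead = true;
    ownDepartmentTasks.AllowWrite = true;
    taskPermissions.ObjectPermissions.Add(ownDepartmentTasks);
    usersRole.TypePermissions.Add(taskPermissions);

    // Read-only access to the user's own Department record only.
    SecuritySystemTypePermissionsObject departmentPermissions = objectSpace.CreateObject<SecuritySystemTypePermissionsObject>();
    departmentPermissions.TargetType = typeof(Department);
    departmentPermissions.AllowNavigate = true;
    SecuritySystemObjectPermissionsObject ownDepartment = objectSpace.CreateObject<SecuritySystemObjectPermissionsObject>();
    ownDepartment.Criteria = new BinaryOperator(new OperandProperty("Oid"),
        currentUserDepartment, BinaryOperatorType.Equal).ToString();
    ownDepartment.AllowRead = true;
    departmentPermissions.ObjectPermissions.Add(ownDepartment);
    usersRole.TypePermissions.Add(departmentPermissions);

    return usersRole;
}
```

The caller is expected to commit the object space afterwards; the Employee type permission for read-only access to colleagues follows the same pattern as the Department one.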
IMPORTANT NOTES
1. See also the functional tests in the MainDemo.EasyTests folder for more details on the tested scenarios.
2. For versions older than v15.2.5, be aware of the issue described in the thread titled: Security - The "Entering state 'GetObjectsNonReenterant'" error may occur while saving data if a permission criteria involves a collection property.
3. The State of the New Security System
Question Comments
Added By: Raoulw at: 2/11/2013 2:02:04 PM
This is a great sample. There is one error, or it is not clear in the description. 'Users (Joe, John) can do everything with their own tasks and can also view data of their own department;' implies that Joe has read only access to Mary's tasks, which is not true. The code below fixes that.
Raoul.
// Needs DevExpress.Data.Filtering and DevExpress.Persistent.BaseImpl; runs inside the Updater.
// Assumed context from the Updater (not part of the snippet): the EmployeeTask type-permission
// object and the JoinOperand selecting the current user's department (matches the string criteria below).
// SecuritySystemTypePermissionsObject employeeTaskPermissions = ...;
// CriteriaOperator joinEmployees = new JoinOperand("Employee",
//     new BinaryOperator(new OperandProperty("Oid"), new FunctionOperator("CurrentUserId"), BinaryOperatorType.Equal),
//     Aggregate.Single, new OperandProperty("Department.Oid"));
SecuritySystemObjectPermissionsObject canSeeTasksOnlyFromOwnDepartmentObjectPermission = ObjectSpace.CreateObject<SecuritySystemObjectPermissionsObject>();
// Equivalent string form: "AssignedTo.Department.Oid=[<Employee>][Oid=CurrentUserId()].Single(Department.Oid)"
canSeeTasksOnlyFromOwnDepartmentObjectPermission.Criteria = new BinaryOperator(new OperandProperty("AssignedTo.Department.Oid"), joinEmployees, BinaryOperatorType.Equal).ToString();
// Read-only: tasks of the user's own department can be navigated to and viewed, but not modified or deleted.
canSeeTasksOnlyFromOwnDepartmentObjectPermission.AllowNavigate = true;
canSeeTasksOnlyFromOwnDepartmentObjectPermission.AllowRead = true;
canSeeTasksOnlyFromOwnDepartmentObjectPermission.AllowWrite = false;
canSeeTasksOnlyFromOwnDepartmentObjectPermission.AllowDelete = false;
canSeeTasksOnlyFromOwnDepartmentObjectPermission.Save();
employeeTaskPermissions.ObjectPermissions.Add(canSeeTasksOnlyFromOwnDepartmentObjectPermission);
Thanks for your update, Raoul!
Added By: Konstantin B at: 10/17/2013 4:47:01 AM
I tried to apply the solution for the bug fix "Security - The "Entering state 'GetObjectsNonReenterant error may occur while saving data if a permission criteria involves a collection property" to this example, but unsuccessfully; I always get the GetObjectsNonReenterant exception.
Could you please supply a project showing how to fix it for the current example?
Thanks
Added By: Dennis (DevExpress Support) at: 10/21/2013 6:32:14 AM
Please track https://www.devexpress.com/Support/Center/Question/Details/Q287727 for any updates on this problem. Thanks!