Hi Robert,
Thank you for your question. Unfortunately, the combination of object and member permissions is not supported. The new security system has additive permissions, so if you grant access to specific objects
by creating an object-level permission (with a criterion), you cannot deny access to specific members by creating a member-level permission.
The SecurityStrategyComplex class allows you to grant an operation to all objects of some type (Type Permission), or to objects that satisfy criteria (Object Permission), or to a member of any object (Member Criteria). At this time, other configurations are not implemented. Adjusted permissions can be declared in any combination: we have implemented the 'additive' approach, so with each added permission an end-user is allowed to perform more operations.
With this functionality, you can grant the 'Write' operation by criteria, so an end-user will be allowed to edit any property of any object that satisfies the criteria.
Alternatively, you can grant the 'Write' operation to the desired members, so an end-user will be allowed to modify these members of any object.
It seems that our documentation doesn't describe this functionality in a clear and precise way, and we will see how to improve it.
-
Thanks Dan, but I still don't know how to make it work.
--> My first Post <--
Try this in your SecurityDemo:
- Enable Read,Navigate for the User-Object to all users
- Users are allowed to modify the members ChangePasswordOnFirstLogon; StoredPassword of their OWN user-Record
thanks
Robert -
I regret to inform you that currently this scenario is not supported. I wrote about available opportunities in my previous reply.
In your case, the implemented functionality doesn't cover the necessary scenario out-of-the-box.
However, you can implement it manually: introduce a controller and set the PropertyEditor.AllowEdit property as necessary depending on the View.CurrentObject property value. -
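The controller-based workaround Dan describes, written out as an added example (not DevExpress code from the thread): a DetailView controller that disables the editors for ChangePasswordOnFirstLogon and StoredPassword unless the displayed record is the logged-in user's own record. The controller name and the "OwnRecordOnly" reason key are assumptions; the user class is left for you to set via TargetObjectType.

```csharp
using System;
using System.Collections.Generic;
using DevExpress.ExpressApp;
using DevExpress.ExpressApp.Editors;

// Hypothetical controller name; the member names come from Robert's post.
// Set TargetObjectType to your user class in the constructor so the controller
// is only active for User detail views.
public class OwnRecordMemberEditController : ViewController<DetailView>
{
    // Members that only the owner of the record may edit.
    static readonly HashSet<string> RestrictedMembers = new HashSet<string>
    {
        "ChangePasswordOnFirstLogon",
        "StoredPassword"
    };

    protected override void OnActivated()
    {
        base.OnActivated();
        View.CurrentObjectChanged += View_CurrentObjectChanged;
        ApplyRestrictions();
    }

    protected override void OnViewControlsCreated()
    {
        base.OnViewControlsCreated();
        // Editors exist only after the controls are created; re-apply here.
        ApplyRestrictions();
    }

    protected override void OnDeactivated()
    {
        View.CurrentObjectChanged -= View_CurrentObjectChanged;
        base.OnDeactivated();
    }

    void View_CurrentObjectChanged(object sender, EventArgs e) { ApplyRestrictions(); }

    void ApplyRestrictions()
    {
        object current = View.CurrentObject;
        if (current == null) return;
        // The record is "own" when its key equals the current user's key.
        bool isOwnRecord = Equals(View.ObjectSpace.GetKeyValue(current), SecuritySystem.CurrentUserId);
        foreach (PropertyEditor editor in View.GetItems<PropertyEditor>())
        {
            if (RestrictedMembers.Contains(editor.PropertyName))
            {
                // AllowEdit is a BoolList: any false entry disables the editor.
                editor.AllowEdit["OwnRecordOnly"] = isOwnRecord;
            }
        }
    }
}
```

This only hides the editing capability in the UI; the additive Member permission granting Write on those members still applies server-side, which is the limitation the thread is about.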
Hi Dan, I don't think that I've time to build my own security strategy for such a simple and very basic request.
This is the job of DevEx. Users can see a list of objects but are only allowed to edit objects that they have created.
Within these objects users are only allowed to edit a set of properties. If a "SecuritySystem" cannot handle such a basic functionality, you should not call it SecuritySystem.
Sorry Dan, but I'm pretty disappointed about that.
Maybe additive permissions is the wrong way:
Additive permissions only is so much work when you come down to the member level.
To add an object permission like "Access all but not the two SystemFields" you have to add all other properties
to the permission. Maybe two new fields in the permission object will help:
bool Revoke => so in the sample above you define the two system fields and set Revoke to true to revoke permission on these fields. And a Sort property to sort the permissions (or maybe groups) to find the right order for the revoke property.
After that it is not an additive permission system any more but much easier to handle, and it is able
to handle my request by simply adding Read/Write permission and revoking permission by criteria and field. I would set the permission like that:
Group Default:
Read: yes
Navigate: yes
Write: yes
Group User:
Write: => Criteria: Oid !=CurrentUserId => REVOKE
Columns: Write: ChangePasswordOnFirstLogon; StoredPassword => REVOKE
thanks
Robert -
. . . and why does the support system remove empty lines from the comments??
The text is not readable any more.... -
Thank you for your valuable feedback. We agree that the behavior you described is often required, and we are planning to support it in the future. Unfortunately, we cannot estimate when this will be done. The current specifics of the SecuritySystemStrategy implementation do not allow implementing this functionality fast. I am afraid that the only solution is to disable the necessary property editors without using the Member Access Permissions. This can be done in a controller, as Dan suggested, or via the Conditional Appearance module. We have a special IsCurrentUserInRole function for this.
-
I just ran into this requirement, too.
I can't set that a user only has permission to read an object if it belongs to them, then turn around and deny specific members. It's one or the other. Starting to wonder what the new security system IS good for at this point :-( Very disheartening. I spent a bunch of time to get it implemented in my solution only to realize how basic it really is.
-
Hello Nate,
Thank you for your feedback.
The security system automatically performs a lot of routine tasks you set. This helps you save your time (implementing all its current features on your own would likely require you to spend an incredible amount of time and resources). Nevertheless, as any software product, it cannot cover every possible need and, of course, can be further improved. Although at the moment this particular scenario cannot be implemented via the security system permissions exactly as you require, XAF still offers solutions to achieve your ultimate goal.
Take special note that XAF offers various possibilities of implementing custom requirements not covered by the default package. Above we already described several ways of implementing your task. Availability of these temporary solutions, however, does not understate the value of the described scenario, which makes sense to us. We already have a corresponding item in our TODO list for this, and we also announced it in our Roadmap for 2013 (although this particular feature is currently being researched by our team, I cannot provide any exact time frame for it, as always). You will be automatically notified of any changes in this regard via email. -
Missed it on the roadmap. Thanks, Dennis.
-
No worries, Nate. You are always welcome!