Security.ObjectLevel - Introduce an "Object Owner" feature into the XAF Security system

S90775
Suggestion
drew..
Yes
Processed
Implemented
.NET
eXpressApp Framework
v2011 vol 2.6
11/29/2011 2:07:32 PM
-> Created by drew.. 3/3/2008 3:20:39 AM
Description
Proposed Solution

I would absolutely love to see a new mode of data presentation or security model options which would satisfy a most basic business rule: limit your access to records to only those that you created. This would follow to all descendants of course. My first thought was to have an attribute like [OwnerEditMode] and would require the audit module or the presence of a specific field to track the user that created the record.
This would so easily enable us to present systems that limit access to records in a logical fashion within a multi-user environment.

<- Processed (Accepted - Release TBD) by DevExpress Team 3/3/2008 7:29:59 AM
<- Updated by DevExpress Team 3/6/2008 9:39:30 AM
<- Processed (Planned) by DevExpress Team 10/19/2011 2:41:14 PM
<- Processed (Implemented) by DevExpress Team 11/29/2011 11:22:28 AM

XAF v2011 vol 2 introduces the new security model that includes the following ready-to-use permission types:

- Type Permission - Grants access to a particular object type
- Member Permission - Grants access to specific members of a type
- Object Permission - Grants access to objects satisfying a particular criteria

You can introduce the business object's Owner property that refers to a user and create an Object Permission with "[Owner.Oid] = CurrentUserId()" criteria.

See Also: Permission Types in the Complex Security Strategy (this link will be available shortly after the v2011 vol 2 release).

Thanks,
Konstantin B


Example: How to filter ListView to show only objects owned by the currently logged User

E2039
Microsoft Visual Studio 2008, Microsoft Visual Studio 2010
eXpressApp Framework
List View
12/2/2011

We already have a corresponding suggestion for this functionality: Security.ObjectLevel - Introduce an "Object Owner" feature into the XAF Security system. This example shows how to implement it yourself.

To accomplish this task, do the following:
1. Implement a Complex Security Strategy in your application;

2. Implement a helper class from the How to perform some actions only if the currently logged User belongs to a certain Role KB Article in the platform-agnostic module of your application;

3. Implement a Document class in the platform-agnostic module of your application as shown below.
Take special note of how we initialize the properties of the business class in the AfterConstruction method. Refer to the Initialize a Property After Creating an Object help topic if necessary.

4. Implement a ViewController that filters the ListView by the CreatedBy property as shown below.
Refer to the Filter List Views help topic to learn more about this approach.

5. Run the application and log in first under John and then under Sam. Notice that in the first case, you can see only documents owned by John. This feature is enabled only for the Users role. Administrators (Sam) can view the documents created by all the users.
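
Steps 3 and 4 as an added example (not the code shipped with E2039, which this page does not reproduce). Assumptions: `SecurityUser` stands for your application's user class, whose name and namespace depend on the XAF version, and `SecurityHelper.IsUserInRole` is a hypothetical name for the role-check helper from step 2.

```csharp
using DevExpress.Data.Filtering;
using DevExpress.ExpressApp;
using DevExpress.ExpressApp.Security;
using DevExpress.Persistent.Base;
using DevExpress.Persistent.BaseImpl;
using DevExpress.Xpo;

[DefaultClassOptions]
public class Document : BaseObject {
    public Document(Session session) : base(session) { }

    private string title;
    public string Title {
        get { return title; }
        set { SetPropertyValue("Title", ref title, value); }
    }

    // Assumption: SecurityUser is the application's user class; substitute your own.
    private SecurityUser createdBy;
    public SecurityUser CreatedBy {
        get { return createdBy; }
        set { SetPropertyValue("CreatedBy", ref createdBy, value); }
    }

    // Called only when a new object is created, never when an existing one is
    // loaded, so the owner is stamped once and is not overwritten on later reads.
    public override void AfterConstruction() {
        base.AfterConstruction();
        if (SecuritySystem.CurrentUser != null) {
            // Load the user through this object's own Session so both belong to one unit of work.
            CreatedBy = Session.GetObjectByKey<SecurityUser>(SecuritySystem.CurrentUserId);
        }
    }
}

public class DocumentOwnerFilterController : ViewController {
    public DocumentOwnerFilterController() {
        TargetObjectType = typeof(Document);
        TargetViewType = ViewType.ListView;
    }

    protected override void OnActivated() {
        base.OnActivated();
        // Hypothetical helper name (step 2): administrators keep the unfiltered list.
        if (SecurityHelper.IsUserInRole("Administrators")) return;
        // Parameterized criterion: the user key is passed as a value, not concatenated into the string.
        ((ListView)View).CollectionSource.Criteria["OwnedByCurrentUser"] =
            CriteriaOperator.Parse("CreatedBy.Oid = ?", SecuritySystem.CurrentUserId);
    }
}
```

The controller's criterion restricts only the Document List View it is attached to; other views and data access paths are not filtered by it. The Object Permission with the "[Owner.Oid] = CurrentUserId()" criteria quoted in the reply above is the mechanism the security system itself applies.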
