I would absolutely love to see a new mode of data presentation or security model options which would satisfy a most basic business rule: limit your access to records to only those that you created. This would follow to all descendants of course. My first thought was to have an attribute like [OwnerEditMode] and would require the audit module or the presence of a specific field to track the user that created the record.
This would so easily enable us to present systems that limit access to records in a logical fashion within a multi-user environment.
- "User based data access security" at http://community.devexpress.com/forums/p/62661/212429.aspx#212429
- Steve Sharkey's post at http://community.devexpress.com//forums/p/62543/212905.aspx#212905
- Evgeniy Meyke's post at http://community.devexpress.com//forums/p/62543/212986.aspx#212986
- "Security: permissions at the level of records" at http://www.devexpress.com/issue=CS51298
- "Allow injection of a new and independent functionality into the load business class process and into the 'get/set' methods of a certain property" at http://www.devexpress.com/issue=S30538
- XCRM.Security - Add the capability to protect information depending on the current user's company or department
- Security.MemberLevel - Add an ability to protect separate object properties rather than an entire object (Field-level security)
XAF v2011 vol 2 introduces a new security model that includes the following ready-to-use permission types:
- Type Permission - Grants access to a particular object type
- Member Permission - Grants access to specific members of a type
- Object Permission - Grants access to objects satisfying a particular criterion
You can introduce the business object's Owner property that refers to a user and create an Object Permission with the "[Owner.Oid] = CurrentUserId()" criterion.
See Also: Permission Types in the Complex Security Strategy (this link will be available shortly after the v2011 vol 2 release).
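
The Owner property and Object Permission described in the answer above, as an added sketch that is not DevExpress's or the original poster's code. The `Note` class and the `OwnerOnlyPermissions` helper are hypothetical. The permission classes are the ones found in the `DevExpress.ExpressApp.Security.Strategy` namespace of later XAF releases, so their use here is an assumption and the v2011 vol 2 names may differ.

```csharp
using DevExpress.ExpressApp;
using DevExpress.ExpressApp.Security.Strategy;
using DevExpress.Persistent.Base;
using DevExpress.Persistent.BaseImpl;
using DevExpress.Xpo;

// Hypothetical business class; only the Owner property comes from the answer.
[DefaultClassOptions]
public class Note : BaseObject {
    public Note(Session session) : base(session) { }

    private SecuritySystemUser owner;
    public SecuritySystemUser Owner {
        get { return owner; }
        set { SetPropertyValue("Owner", ref owner, value); }
    }

    private string text;
    public string Text {
        get { return text; }
        set { SetPropertyValue("Text", ref text, value); }
    }

    // Stamp the creator when the object is constructed, so the owner is not
    // taken from a value the user typed into a form.
    public override void AfterConstruction() {
        base.AfterConstruction();
        object userId = SecuritySystem.CurrentUserId;
        if (userId != null)
            Owner = Session.GetObjectByKey<SecuritySystemUser>(userId);
    }
}

// Hypothetical helper, called from the module's database updater.
public static class OwnerOnlyPermissions {
    public static void Grant(IObjectSpace objectSpace, SecuritySystemRole role) {
        // Type level: creation only. No blanket read/write/delete on Note.
        var typePermission = objectSpace.CreateObject<SecuritySystemTypePermissionObject>();
        typePermission.TargetType = typeof(Note);
        typePermission.AllowCreate = true;

        // Object level: everything else is limited to records the user owns.
        var ownRecords = objectSpace.CreateObject<SecuritySystemObjectPermissionsObject>();
        ownRecords.Criteria = "[Owner.Oid] = CurrentUserId()";
        ownRecords.AllowNavigate = true;
        ownRecords.AllowRead = true;
        ownRecords.AllowWrite = true;
        ownRecords.AllowDelete = true;
        typePermission.ObjectPermissions.Add(ownRecords);
        role.TypePermissions.Add(typePermission);
    }
}
```

Because the object permission allows writing the whole object, it also covers the Owner property itself, so a user could hand a record to someone else unless that property is kept read-only. Records created before the Owner property existed have no owner and match nobody's criterion until they are backfilled.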