                                  • Problem
                                    Security permissions calculation is quite a complex process, and sometimes it is difficult to diagnose why access to a certain object and its members is allowed or denied. This is especially common for application administrators or regular XAF developers who may not want to study documentation guides or may be unable to debug the XAF source code (see How can I debug DevExpress .NET source code using PDB files, or use other approaches). So, in addition to documenting security rules, we are researching the usefulness of a tool that would show in the UI how effective permissions are calculated for each user, very similar to our Diagnostic Action. This may be helpful even to us, to reduce the time spent on diagnosing related client problems.

                                    Solution

                                    We created the 'Security Diagnostic' action that shows calculation results in the UI:



                                    The Security Diagnostic Tool shows detailed information about request parameters (the RequestInfo element), the Security System settings (the SecurityInfo element), permission processing results and criteria for each role.
                                    As you can see there is one "Demo" role, which does not grant the "Write" access to the "Property1" property.


                                    Getting started
                                    1. Ensure that you have XAF v17.2.6+ installed, open an application project's configuration file (App.config in WinForms and Web.config in ASP.NET) and locate the appSettings section's EnableDiagnosticActions key.
                                    2. Set the EnableDiagnosticActions key's value to True:

                                    [XML]
                                    <add key="EnableDiagnosticActions" value="True" />

                                    This will add the Diagnostic Info Action to the Application Model and the Action will be added to the UI.

                                    3. Run your project, log in as the required user, open the required object's DetailView, click the Security Diagnostic item of the Tools | Diagnostic (Child Window) action, and choose an operation and a member name.

                                    Note
                                    The 'Security Diagnostic' action doesn't work with Middle Tier security mode.

                                    Your feedback is needed
                                    Please test the tool and let us know whether it is useful in your development process and how you would change it. For instance, the more specific use cases you share in which this tool was used and it was difficult to configure permissions for a user, the more likely it is that we can arrive at technical solutions that address them.


                                    See Also
                                    Concepts > Security System > Permissions for Associated Objects
                                    Concepts > Security System > Security Permissions Caching
                                    Concepts > Security System > Permission Policies


                                    Search keywords: security, diagnostic, troubleshoot, configure, setup, permissions, access rights, granted, allow, deny, roles, users, diagnose, effective, debug
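                                    An added deployment check (example code written for this page, not part of the ticket or of DevExpress's product): because the Security Diagnostic action is switched on by one global appSettings flag and then appears in the UI for whoever logs in, this script computes the effective value of EnableDiagnosticActions from an App.config or Web.config (honouring add/remove/clear order) and reports it when it is on outside a development or support environment. The config strings and the environment names "dev", "support" and "prod" are constructed for the example.

```python
"""Audit an XAF App.config / Web.config for the EnableDiagnosticActions key.

Constructed example for this page, not DevExpress code. The Security Diagnostic
action is enabled by one global appSettings flag, so a deployment check should
confirm the flag is off outside development/support environments.
"""
import xml.etree.ElementTree as ET

KEY = "EnableDiagnosticActions"


def app_settings(config_xml: str) -> dict:
    """Build the effective appSettings map, honouring element order.

    <add> overwrites an earlier value for the same key, <remove> deletes it and
    <clear/> drops everything collected so far, so the effective value is the
    one that survives to the end of the section.
    """
    settings = {}
    section = ET.fromstring(config_xml).find("appSettings")
    for element in (section if section is not None else []):
        if element.tag == "add":
            settings[element.get("key")] = element.get("value", "")
        elif element.tag == "remove":
            settings.pop(element.get("key"), None)
        elif element.tag == "clear":
            settings.clear()
    return settings


def diagnostic_actions_enabled(config_xml: str) -> bool:
    """True only when the key is present and its value is 'True' (any case)."""
    return app_settings(config_xml).get(KEY, "").strip().lower() == "true"


def audit(config_xml: str, environment: str) -> list:
    """Return findings; an empty list means the flag matches the environment."""
    if diagnostic_actions_enabled(config_xml) and environment not in ("dev", "support"):
        return [f"{KEY} is True in a '{environment}' config: the diagnostic "
                "actions are added to the UI for every user who logs in"]
    return []


# Constructed sample configs (not taken from any real deployment).
WEB_CONFIG_ENABLED = """<configuration><appSettings>
  <add key="EnableDiagnosticActions" value="True" />
</appSettings></configuration>"""

APP_CONFIG_REMOVED = """<configuration><appSettings>
  <add key="EnableDiagnosticActions" value="True" />
  <remove key="EnableDiagnosticActions" />
</appSettings></configuration>"""

if __name__ == "__main__":
    for name, cfg in (("web", WEB_CONFIG_ENABLED), ("app", APP_CONFIG_REMOVED)):
        print(name, audit(cfg, "prod") or "ok")
```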

                                • Willem de Vries 01.03.2018
                                  Hello DX!

                                  Thanks for this important initiative!

                                  My solution idea would be different: make it available to administrators (and/or members of a certain role) instead of non-administrators, since the administrators will have to answer the question of the non-administrative user: why don't i have ... access to ... ; and have to solve it (when company policies allow so).

                                  Another addition is that i would prefer a solution that enables the administrator to select a user first, and then a class and/or a property to find out the current effective rights for that user on that class and/or property.

                                  Implementing these suggestions will make off-site support easier, because administrators don't have to go to the user's workplace to do the diagnostics on-site. It will also enable diagnosing why certain (persistent) classes don't show up in the navigation panel.

                                  Willem

                                  PS This is also a very nice step to enable administrators to report to management how security is implemented (see my ticket https://www.devexpress.com/Support/Center/Question/Details/T561660/testing-security-permissions-for-different-users).
                                • Dennis (DevExpress Support) 01.04.2018

                                  @Willem: Thanks for your suggestions. Our team will take these UI adjustments into account. Right away, it is possible that a developer or application administrator logs in to the app using a test user belonging to the same problematic role.
                                  Before moving further, we would appreciate your taking the time to see what is already available and whether the diagnostic output really helps diagnose your real life cases. We are looking forward to learning more about your specific use-cases and whether the tool was helpful for them (please contact us separately for each case by submitting new tickets using the https://www.devexpress.com/ask service).

                                • Willem de Vries 01.04.2018
                                  Hi Dennis,

                                  I will check what you made available and report back on it.

                                  Regarding your post:

                                  >> using a test user belonging to the same problematic role.

                                  The role is not always problematic IMO.

                                  My users can be members of a lot of different roles, and some of the roles overlap on certain classes. Which classes overlap is not always clear, since the security module does not provide information on roles per class AFAIK.
                                • Dennis (DevExpress Support) 01.04.2018
                                  Thanks for your update, Willem. We will await your testing results in a separate ticket. Thanks in advance.
                                • Andrey K (DevExpress Support) 03.02.2018

                                  Hello,

                                  With 17.2.6, we have included the diagnostic tool into the standard delivery and made a more useful output. Please enable it using <add key="EnableDiagnosticActions" value="True" /> in the configuration file and let us know what you think.

                                  Thanks,
                                  Andrey

                                • Michael Bogaerts 03.09.2018
                                  @willem,

                                  I have implemented role inheritance and use different Role types (organizational / functional / profile) to manage our security based on the PermissionPolicy approach. This allows us to organise our security in a much more transparent way, while limiting the administrative overhead and limiting overlaps.

                                  It is still in beta but i can prepare a demo solution if you are interested.

                                  Besides this, we have also implemented an impersonation mechanism so we can work in the user's context instead of using the test user approach.
                                  Not yet in a shareable state, but if interested I will keep you informed.


                                  @dx valuable tool, i will test it for sure.

                                  possible solution that pops into my mind is to add EnableDiagnosticActions option to the role in the same way as the EditModel checkbox? 

                                • Dennis (DevExpress Support) 03.12.2018

                                  @Michael:
                                  >>possible solution that pops into my mind is to add EnableDiagnosticActions option to the role in the same way as the EditModel checkbox? 
                                  The option enabling the diagnostic tool (EnableDiagnosticActions) is global, and is usually enabled by an application developer. Would you please clarify your solution idea, because it is not quite clear why it should be available on a per role-basis? Are you also targeting power users or application administrators?

                                • Michael Bogaerts 03.12.2018
                                  Hi Dennis,

                                  It is more the idea to enable it without a need to modify the app.config; if our third-level support guys log in they might be able to research some issues. It would not be enabled in any other context than support / development.

                                  In other words, I would like to have it user dependent instead of installation/system dependent.

                                  Does this clarify it a bit more?
                                • Dennis (DevExpress Support) 03.12.2018
                                  @Michael: Yes, thanks.
                                • Randy Jean 06.04.2019
                                  Just had a situation that called for using this tool on a client's app. Very useful! It helped me to identify that an aggregated association being read-only caused the parent to not allow deletion. Was able to set the reference member on the child to read/write and that did the trick!
                                • Andrey K (DevExpress Support) 06.04.2019
                                  @Randy Jean

                                  Excellent news.  Happy to hear that our tool assisted you. Please remember, we are here to help. Let me know if I can be of further assistance. 

                                  Before I let you go...Since you had to use this tool, it seems that you have a complex and interesting project that would make a great case study. We'd love to highlight your company and project on our website and detail how you're using DevExpress products. We publish case studies online and they do tend to generate traffic for our customers. 
                                  Please let me know if you have a few minutes to fill out a short case study form (attached). Thanks in advance.

                                  Andrey
                                • Randy Jean 06.04.2019
                                  Hi Andrey,
                                  Will take a look at this form and try to get something back to you soon.  Is there a specific email I can submit to?
                                • Dennis (DevExpress Support) 06.04.2019
                                  Thank you in advance, Randy. You can email it at xafteam@devexpress.com or clientservices@devexpress.com.
