https://www.devexpress.com/Support/Center/Question/Details/T418166
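using DevExpress.Persistent.BaseImpl.PermissionPolicy;
using DevExpress.ExpressApp.Security.Strategy;
using System.Collections.Generic;
//..

/// <summary>
/// Copies every legacy SecuritySystemUser and SecuritySystemRole (with their type,
/// object and member permissions) into the PermissionPolicy* classes, then commits
/// all changes in a single CommitChanges call.
/// </summary>
/// <remarks>
/// Only "Allow" states are ever written and every new role is created with
/// SecurityPermissionPolicy.DenyAllByDefault. Review the resulting roles manually
/// after the update; this routine does not verify the result.
/// </remarks>
public override void UpdateDatabaseAfterUpdateSchema() {
    base.UpdateDatabaseAfterUpdateSchema();
    foreach (SecuritySystemUser legacyUser in ObjectSpace.GetObjects<SecuritySystemUser>()) {
        CopyUser(legacyUser);
    }
    // Second pass picks up roles that are not assigned to any user.
    foreach (SecuritySystemRole legacyRole in ObjectSpace.GetObjects<SecuritySystemRole>()) {
        CopyRole(legacyRole, null);
    }
    ObjectSpace.CommitChanges();
}

/// <summary>
/// Creates a PermissionPolicyUser for the given legacy user unless a user with the
/// same UserName already exists, and attaches the migrated roles to it.
/// </summary>
/// <param name="securitySystemUser">Legacy user to copy.</param>
private void CopyUser(SecuritySystemUser securitySystemUser) {
    PermissionPolicyUser permissionPolicyUser = ObjectSpace.FindObject<PermissionPolicyUser>(new BinaryOperator("UserName", securitySystemUser.UserName));
    if (permissionPolicyUser != null) {
        // A user with this name already exists; it is left untouched.
        return;
    }
    permissionPolicyUser = ObjectSpace.CreateObject<PermissionPolicyUser>();
    permissionPolicyUser.UserName = securitySystemUser.UserName;
    permissionPolicyUser.IsActive = securitySystemUser.IsActive;
    permissionPolicyUser.ChangePasswordOnFirstLogon = securitySystemUser.ChangePasswordOnFirstLogon;
    // NOTE(review): no password is copied here, so the new account does not carry the
    // legacy stored password. Confirm how your authentication treats such accounts
    // (for example whether a blank password is accepted) and plan a password reset
    // before the migrated users are allowed to log on.
    foreach (SecuritySystemRole legacyRole in securitySystemUser.Roles) {
        CopyRole(legacyRole, permissionPolicyUser);
    }
}

/// <summary>
/// Finds or creates the PermissionPolicyRole that corresponds to a legacy role and,
/// when a user is supplied, adds that role to the user.
/// </summary>
/// <param name="securitySystemRole">Legacy role to copy.</param>
/// <param name="permissionPolicyUser">New user to link to the role, or null to copy the role only.</param>
private void CopyRole(SecuritySystemRole securitySystemRole, PermissionPolicyUser permissionPolicyUser) {
    // inTransaction = true: roles created earlier in this uncommitted pass must be found,
    // otherwise a role shared by several users would be created once per user.
    PermissionPolicyRole permissionPolicyRole = ObjectSpace.FindObject<PermissionPolicyRole>(new BinaryOperator("Name", securitySystemRole.Name), true);
    if (permissionPolicyRole == null) {
        permissionPolicyRole = ObjectSpace.CreateObject<PermissionPolicyRole>();
        permissionPolicyRole.Name = securitySystemRole.Name;
        permissionPolicyRole.PermissionPolicy = SecurityPermissionPolicy.DenyAllByDefault;
        permissionPolicyRole.IsAdministrative = securitySystemRole.IsAdministrative;
        permissionPolicyRole.CanEditModel = securitySystemRole.CanEditModel;
        foreach (SecuritySystemTypePermissionObject legacyTypePermission in securitySystemRole.TypePermissions) {
            CopyTypePermissions(legacyTypePermission, securitySystemRole, permissionPolicyRole);
        }
        // Parent-role permissions are flattened into this role. The visited set keeps a
        // parent reachable through several paths (or a cyclic hierarchy) from being
        // copied more than once.
        HashSet<SecuritySystemRole> visitedRoles = new HashSet<SecuritySystemRole>();
        visitedRoles.Add(securitySystemRole);
        foreach (SecuritySystemRole parentRole in securitySystemRole.ParentRoles) {
            CopyParentRole(parentRole, permissionPolicyRole, visitedRoles);
        }
    }
    // Fix: link the user whether the role was just created or already existed.
    // Previously the link was made only for a newly created role, so every further
    // user of the same role ended up without it.
    // NOTE(review): roles are matched by Name only. A PermissionPolicyRole that existed
    // before this update is reused as-is; verify that its permissions really correspond
    // to the legacy role of the same name.
    if (permissionPolicyUser != null) {
        permissionPolicyUser.Roles.Add(permissionPolicyRole);
    }
}

/// <summary>
/// Merges a legacy parent role (and, recursively, its own parents) into the target role.
/// Kept for callers that use the two-argument form.
/// </summary>
/// <param name="parentRole">Legacy parent role whose flags and permissions are merged.</param>
/// <param name="permissionPolicyRole">New role that receives them.</param>
private void CopyParentRole(SecuritySystemRole parentRole, PermissionPolicyRole permissionPolicyRole) {
    CopyParentRole(parentRole, permissionPolicyRole, new HashSet<SecuritySystemRole>());
}

/// <summary>
/// Merges a legacy parent role into the target role, skipping roles already visited.
/// </summary>
/// <param name="parentRole">Legacy parent role whose flags and permissions are merged.</param>
/// <param name="permissionPolicyRole">New role that receives them.</param>
/// <param name="visitedRoles">Legacy roles already merged into <paramref name="permissionPolicyRole"/>.</param>
private void CopyParentRole(SecuritySystemRole parentRole, PermissionPolicyRole permissionPolicyRole, HashSet<SecuritySystemRole> visitedRoles) {
    if (!visitedRoles.Add(parentRole)) {
        return;
    }
    if (parentRole.IsAdministrative) {
        permissionPolicyRole.IsAdministrative = true;
    }
    if (parentRole.CanEditModel) {
        // Fix: this used to set IsAdministrative, which turned every role inheriting
        // from a "can edit model" parent into a full administrator.
        permissionPolicyRole.CanEditModel = true;
    }
    foreach (SecuritySystemTypePermissionObject legacyTypePermission in parentRole.TypePermissions) {
        CopyTypePermissions(legacyTypePermission, parentRole, permissionPolicyRole);
    }
    foreach (SecuritySystemRole subParentRole in parentRole.ParentRoles) {
        CopyParentRole(subParentRole, permissionPolicyRole, visitedRoles);
    }
}

/// <summary>
/// Creates a new type permission on the target role from a legacy type permission,
/// including its object-level and member-level permissions.
/// </summary>
/// <param name="securitySystemTypePermissionObject">Legacy type permission to copy.</param>
/// <param name="securitySystemRole">Legacy role that owns the permission (not read here).</param>
/// <param name="permissionPolicyRole">New role that receives the permission.</param>
private void CopyTypePermissions(SecuritySystemTypePermissionObject securitySystemTypePermissionObject, SecuritySystemRole securitySystemRole, PermissionPolicyRole permissionPolicyRole) {
    // The former FindObject lookup by TargetType was removed: its result was overwritten
    // on the next line, and it was not scoped to a role.
    PermissionPolicyTypePermissionObject permissionPolicyTypePermissionObject = ObjectSpace.CreateObject<PermissionPolicyTypePermissionObject>();
    permissionPolicyTypePermissionObject.TargetType = GetTargetType(securitySystemTypePermissionObject.TargetType);
    permissionPolicyTypePermissionObject.Role = permissionPolicyRole;
    // Only grants are translated; a legacy "false" leaves the new state unset.
    if (securitySystemTypePermissionObject.AllowRead) {
        permissionPolicyTypePermissionObject.ReadState = SecurityPermissionState.Allow;
    }
    if (securitySystemTypePermissionObject.AllowWrite) {
        permissionPolicyTypePermissionObject.WriteState = SecurityPermissionState.Allow;
    }
    if (securitySystemTypePermissionObject.AllowCreate) {
        permissionPolicyTypePermissionObject.CreateState = SecurityPermissionState.Allow;
    }
    if (securitySystemTypePermissionObject.AllowDelete) {
        permissionPolicyTypePermissionObject.DeleteState = SecurityPermissionState.Allow;
    }
    if (securitySystemTypePermissionObject.AllowNavigate) {
        permissionPolicyTypePermissionObject.NavigateState = SecurityPermissionState.Allow;
    }
    foreach (SecuritySystemObjectPermissionsObject legacyObjectPermission in securitySystemTypePermissionObject.ObjectPermissions) {
        CopyObjectPermissions(legacyObjectPermission, permissionPolicyTypePermissionObject);
    }
    foreach (SecuritySystemMemberPermissionsObject legacyMemberPermission in securitySystemTypePermissionObject.MemberPermissions) {
        CopyMemberPermission(legacyMemberPermission, permissionPolicyTypePermissionObject);
    }
    permissionPolicyRole.TypePermissions.Add(permissionPolicyTypePermissionObject);
}

/// <summary>
/// Creates a new member permission under the given type permission from a legacy one.
/// </summary>
/// <param name="securitySystemMemberPermissionsObject">Legacy member permission to copy.</param>
/// <param name="permissionPolicyTypePermissionObject">New type permission that owns the copy.</param>
private void CopyMemberPermission(SecuritySystemMemberPermissionsObject securitySystemMemberPermissionsObject, PermissionPolicyTypePermissionObject permissionPolicyTypePermissionObject) {
    PermissionPolicyMemberPermissionsObject permissionPolicyMemberPermissionsObject = ObjectSpace.CreateObject<PermissionPolicyMemberPermissionsObject>();
    permissionPolicyMemberPermissionsObject.TypePermissionObject = permissionPolicyTypePermissionObject;
    if (securitySystemMemberPermissionsObject.AllowRead) {
        permissionPolicyMemberPermissionsObject.ReadState = SecurityPermissionState.Allow;
    }
    if (securitySystemMemberPermissionsObject.AllowWrite) {
        permissionPolicyMemberPermissionsObject.WriteState = SecurityPermissionState.Allow;
    }
    // Members and Criteria are copied verbatim.
    permissionPolicyMemberPermissionsObject.Members = securitySystemMemberPermissionsObject.Members;
    permissionPolicyMemberPermissionsObject.Criteria = securitySystemMemberPermissionsObject.Criteria;
    permissionPolicyTypePermissionObject.MemberPermissions.Add(permissionPolicyMemberPermissionsObject);
}

/// <summary>
/// Creates a new object permission under the given type permission from a legacy one.
/// </summary>
/// <param name="securitySystemObjectPermissionsObject">Legacy object permission to copy.</param>
/// <param name="permissionPolicyTypePermissionObject">New type permission that owns the copy.</param>
private void CopyObjectPermissions(SecuritySystemObjectPermissionsObject securitySystemObjectPermissionsObject, PermissionPolicyTypePermissionObject permissionPolicyTypePermissionObject) {
    PermissionPolicyObjectPermissionsObject permissionPolicyObjectPermissionsObject = ObjectSpace.CreateObject<PermissionPolicyObjectPermissionsObject>();
    permissionPolicyObjectPermissionsObject.TypePermissionObject = permissionPolicyTypePermissionObject;
    if (securitySystemObjectPermissionsObject.AllowRead) {
        permissionPolicyObjectPermissionsObject.ReadState = SecurityPermissionState.Allow;
    }
    if (securitySystemObjectPermissionsObject.AllowWrite) {
        permissionPolicyObjectPermissionsObject.WriteState = SecurityPermissionState.Allow;
    }
    if (securitySystemObjectPermissionsObject.AllowDelete) {
        permissionPolicyObjectPermissionsObject.DeleteState = SecurityPermissionState.Allow;
    }
    if (securitySystemObjectPermissionsObject.AllowNavigate) {
        permissionPolicyObjectPermissionsObject.NavigateState = SecurityPermissionState.Allow;
    }
    // The criteria string is copied verbatim.
    permissionPolicyObjectPermissionsObject.Criteria = securitySystemObjectPermissionsObject.Criteria;
    permissionPolicyTypePermissionObject.ObjectPermissions.Add(permissionPolicyObjectPermissionsObject);
}

/// <summary>
/// Maps a legacy security class to its PermissionPolicy counterpart so that permissions
/// granted on the old security classes target the new ones.
/// </summary>
/// <param name="currentType">Target type of a legacy type permission.</param>
/// <returns>The mapped type, or <paramref name="currentType"/> itself when no mapping exists.</returns>
private Type GetTargetType(Type currentType) {
    Type outType;
    if (!SecurityAssociationClassDictionary.TryGetValue(currentType, out outType)) {
        outType = currentType;
    }
    return outType;
}

// Legacy security class -> PermissionPolicy class. Read-only after initialization.
private static readonly Dictionary<Type, Type> SecurityAssociationClassDictionary = new Dictionary<Type, Type>() {
    { typeof(SecuritySystemUser), typeof(PermissionPolicyUser) },
    { typeof(SecuritySystemRole), typeof(PermissionPolicyRole) },
    { typeof(SecuritySystemTypePermissionObject), typeof(PermissionPolicyTypePermissionObject) },
    { typeof(SecuritySystemObjectPermissionsObject), typeof(PermissionPolicyObjectPermissionsObject) },
    { typeof(SecuritySystemMemberPermissionsObject), typeof(PermissionPolicyMemberPermissionsObject) }
};
//...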
How to use the Allow/Deny permissions policy in the existing project
Tags: .NET, Frameworks (XAF & XPO), eXpressApp Framework
Alexey (DevExpress Support) 2 weeks ago
Starting with version 16.1, application administrators can allow access to all data within the application for a specific role and simultaneously prevent access to a few data types or members. Alternatively, an end-user can deny access to all data for a role and only allow access to a strict list of objects or members. See Security - Introduce the 'Allow' and 'Deny' modifiers for permissions. Prior to version 16.1, the SecuritySystemUser and SecuritySystemRole classes were used to create and process permissions. By default, the DenyAll policy was used, and it was necessary to add the Allow permission for objects and types. These classes are not compatible with the Allow/Deny permissions model. This topic describes how to migrate to the Allow/Deny security model in an existing application.
1 Solution
Alexey (DevExpress Support) 2 weeks ago
If you do not need to transfer existing permissions to the new permissions policy, invoke the Application Designer for the YourSolutionName.Wxx/WxxApplication.xx file and set the UserType and RoleType properties of the SecurityStrategyComplex component to the PermissionPolicyUser and PermissionPolicyRole values respectively. After that, update your code that creates predefined users, roles and the required permissions as per the Using the Security System help article. If your database already contains permissions configured by end-users, you can use the example below in the YourSolutionName.Module/DatabaseUpdate/Updater.cs file to copy them to the new security classes.
NOTE: we cannot guarantee that all permissions will be converted correctly, because these classes use different permissions mechanisms. [C#]Open in popup window using DevExpress.Persistent.BaseImpl.PermissionPolicy; using DevExpress.ExpressApp.Security.Strategy; using System.Collections.Generic; //.. public override void UpdateDatabaseAfterUpdateSchema() { base.UpdateDatabaseAfterUpdateSchema(); foreach (SecuritySystemUser securitySystemUser in ObjectSpace.GetObjects<SecuritySystemUser>()) { CopyUser(securitySystemUser); } foreach (SecuritySystemRole securitySystemRole in ObjectSpace.GetObjects<SecuritySystemRole>()) { CopyRole(securitySystemRole, null); } ObjectSpace.CommitChanges(); } private void CopyUser(SecuritySystemUser securitySystemUser) { PermissionPolicyUser permissionPolicyUser = ObjectSpace.FindObject<PermissionPolicyUser>(new BinaryOperator("UserName", securitySystemUser.UserName)); if (permissionPolicyUser == null) { permissionPolicyUser = ObjectSpace.CreateObject<PermissionPolicyUser>(); permissionPolicyUser.UserName = securitySystemUser.UserName; permissionPolicyUser.IsActive = securitySystemUser.IsActive; permissionPolicyUser.ChangePasswordOnFirstLogon = securitySystemUser.ChangePasswordOnFirstLogon; foreach (SecuritySystemRole securitySystemRole in securitySystemUser.Roles) { CopyRole(securitySystemRole, permissionPolicyUser); } } } private void CopyRole(SecuritySystemRole securitySystemRole, PermissionPolicyUser permissionPolicyUser) { PermissionPolicyRole permissionPolicyRole = ObjectSpace.FindObject<PermissionPolicyRole>(new BinaryOperator("Name", securitySystemRole.Name)); if (permissionPolicyRole == null) { permissionPolicyRole = ObjectSpace.CreateObject<PermissionPolicyRole>(); permissionPolicyRole.Name = securitySystemRole.Name; permissionPolicyRole.PermissionPolicy = SecurityPermissionPolicy.DenyAllByDefault; permissionPolicyRole.IsAdministrative = securitySystemRole.IsAdministrative; permissionPolicyRole.CanEditModel = 
securitySystemRole.CanEditModel; foreach (SecuritySystemTypePermissionObject securitySystemTypePermissionObject in securitySystemRole.TypePermissions) { CopyTypePermissions(securitySystemTypePermissionObject, securitySystemRole, permissionPolicyRole); } foreach (SecuritySystemRole parentRole in securitySystemRole.ParentRoles) { CopyParentRole(parentRole, permissionPolicyRole); } if (permissionPolicyUser != null) { permissionPolicyUser.Roles.Add(permissionPolicyRole); } } } private void CopyParentRole(SecuritySystemRole parentRole, PermissionPolicyRole permissionPolicyRole) { if (parentRole.IsAdministrative) { permissionPolicyRole.IsAdministrative = true; } if (parentRole.CanEditModel) { permissionPolicyRole.IsAdministrative = true; } foreach (SecuritySystemTypePermissionObject securitySystemTypePermissionObject in parentRole.TypePermissions) { CopyTypePermissions(securitySystemTypePermissionObject, parentRole, permissionPolicyRole); } foreach (SecuritySystemRole subParentRole in parentRole.ParentRoles) { CopyParentRole(subParentRole, permissionPolicyRole); } } private void CopyTypePermissions(SecuritySystemTypePermissionObject securitySystemTypePermissionObject, SecuritySystemRole securitySystemRole, PermissionPolicyRole permissionPolicyRole) { PermissionPolicyTypePermissionObject permissionPolicyTypePermissionObject = ObjectSpace.FindObject<PermissionPolicyTypePermissionObject>(new BinaryOperator("TargetType", securitySystemTypePermissionObject.TargetType)); permissionPolicyTypePermissionObject = ObjectSpace.CreateObject<PermissionPolicyTypePermissionObject>(); permissionPolicyTypePermissionObject.TargetType = GetTargetType(securitySystemTypePermissionObject.TargetType); permissionPolicyTypePermissionObject.Role = permissionPolicyRole; if (securitySystemTypePermissionObject.AllowRead) { permissionPolicyTypePermissionObject.ReadState = SecurityPermissionState.Allow; } if (securitySystemTypePermissionObject.AllowWrite) { 
permissionPolicyTypePermissionObject.WriteState = SecurityPermissionState.Allow; } if (securitySystemTypePermissionObject.AllowCreate) { permissionPolicyTypePermissionObject.CreateState = SecurityPermissionState.Allow; } if (securitySystemTypePermissionObject.AllowDelete) { permissionPolicyTypePermissionObject.DeleteState = SecurityPermissionState.Allow; } if (securitySystemTypePermissionObject.AllowNavigate) { permissionPolicyTypePermissionObject.NavigateState = SecurityPermissionState.Allow; } foreach (SecuritySystemObjectPermissionsObject securitySystemObjectPermissionsObject in securitySystemTypePermissionObject.ObjectPermissions) { CopyObjectPermissions(securitySystemObjectPermissionsObject, permissionPolicyTypePermissionObject); } foreach (SecuritySystemMemberPermissionsObject securitySystemMemberPermissionsObject in securitySystemTypePermissionObject.MemberPermissions) { CopyMemberPermission(securitySystemMemberPermissionsObject, permissionPolicyTypePermissionObject); } permissionPolicyRole.TypePermissions.Add(permissionPolicyTypePermissionObject); } private void CopyMemberPermission(SecuritySystemMemberPermissionsObject securitySystemMemberPermissionsObject, PermissionPolicyTypePermissionObject permissionPolicyTypePermissionObject) { PermissionPolicyMemberPermissionsObject permissionPolicyMemberPermissionsObject = ObjectSpace.CreateObject<PermissionPolicyMemberPermissionsObject>(); permissionPolicyMemberPermissionsObject.TypePermissionObject = permissionPolicyTypePermissionObject; if (securitySystemMemberPermissionsObject.AllowRead) { permissionPolicyMemberPermissionsObject.ReadState = SecurityPermissionState.Allow; } if (securitySystemMemberPermissionsObject.AllowWrite) { permissionPolicyMemberPermissionsObject.WriteState = SecurityPermissionState.Allow; } permissionPolicyMemberPermissionsObject.Members = securitySystemMemberPermissionsObject.Members; permissionPolicyMemberPermissionsObject.Criteria = securitySystemMemberPermissionsObject.Criteria; 
permissionPolicyTypePermissionObject.MemberPermissions.Add(permissionPolicyMemberPermissionsObject); } private void CopyObjectPermissions(SecuritySystemObjectPermissionsObject securitySystemObjectPermissionsObject, PermissionPolicyTypePermissionObject permissionPolicyTypePermissionObject) { PermissionPolicyObjectPermissionsObject permissionPolicyObjectPermissionsObject = ObjectSpace.CreateObject<PermissionPolicyObjectPermissionsObject>(); permissionPolicyObjectPermissionsObject.TypePermissionObject = permissionPolicyTypePermissionObject; if (securitySystemObjectPermissionsObject.AllowRead) { permissionPolicyObjectPermissionsObject.ReadState = SecurityPermissionState.Allow; } if (securitySystemObjectPermissionsObject.AllowWrite) { permissionPolicyObjectPermissionsObject.WriteState = SecurityPermissionState.Allow; } if (securitySystemObjectPermissionsObject.AllowDelete) { permissionPolicyObjectPermissionsObject.DeleteState = SecurityPermissionState.Allow; } if (securitySystemObjectPermissionsObject.AllowNavigate) { permissionPolicyObjectPermissionsObject.NavigateState = SecurityPermissionState.Allow; } permissionPolicyObjectPermissionsObject.Criteria = securitySystemObjectPermissionsObject.Criteria; permissionPolicyTypePermissionObject.ObjectPermissions.Add(permissionPolicyObjectPermissionsObject); } private Type GetTargetType(Type currentType) { Type outType; if (!SecurityAssociationClassDictionary.TryGetValue(currentType, out outType)) { outType = currentType; } return outType; } private static Dictionary<Type, Type> SecurityAssociationClassDictionary = new Dictionary<Type, Type>(){ { typeof(SecuritySystemUser),typeof(PermissionPolicyUser) }, { typeof(SecuritySystemRole),typeof(PermissionPolicyRole) }, { typeof(SecuritySystemTypePermissionObject ),typeof(PermissionPolicyTypePermissionObject ) }, { typeof(SecuritySystemObjectPermissionsObject ),typeof(PermissionPolicyObjectPermissionsObject ) }, { typeof(SecuritySystemMemberPermissionsObject 
),typeof(PermissionPolicyMemberPermissionsObject ) } }; //... As a result, new permissions will be created in the database. After the database is updated, manually check if all permissions are converted correctly. Please pay attention to the following: - A key value will not be copied to new objects. - Existing references to SecuritySystemUser and SecuritySystemRole in your business objects will not be redirected to corresponding PermissionPolicyUser and PermissionPolicyRole objects. - In some cases, it is better to rework permissions so that they will match the new Security System. For example: Allow all objects except some using a complex criterion -> Deny some objects using a simple criterion. Please do not hesitate to contact us if you encounter any issue. Leave a Comment Add to Favorites ID: T418166 Created On: 2016/8/23 下午7:46:13 Modified On: 2016/9/1 上午7:36:21 Related Questions Security - Introduce the 'Allow' and 'Deny' modifiers for permissions How do I implement 'Permission Policy' (new feature of 16.1) to older version 15.2 How to automatically grant security permissions to change associated reference or collection members Disclaimer: The information provided on DevExpress.com and its affiliated web properties is provided "as is" without warranty of any kind. Developer Express Inc disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. Please refer to the DevExpress.com Website Terms of Use for more information. 