
B137191 : Security Strategy into web application isn't secure!

Last post 10/24/2009 10:41 AM by James Smyth. 35 replies.
Support Center Article: B137191
  • Jascha

    B137191 : Security Strategy into web application isn't secure!

    6/12/2009 7:01 AM
    • Top 50 Contributor
    • Joined on 5/4/2007
    • Posts 935

    I think it is about time the security system in XAF is thoroughly overhauled. Perhaps it needs to be integrated into the data layer instead? Add the fact that security does not get applied to reporting at all and you have a pretty useless module (particularly in win apps where users can create reports themselves and see everything they are supposedly not allowed to see).

    DX?

    Jascha

  • Chloe Anfield

    Re: B137191 : Security Strategy into web application isn't secure!

    6/12/2009 7:10 AM
    • Top 150 Contributor
    • Joined on 10/22/2008
    • Herts, UK
    • Posts 144
  • Martin Praxmarer [DX-Squad]

    Re: B137191 : Security Strategy into web application isn't secure!

    6/12/2009 7:25 AM
    • Top 50 Contributor
    • Joined on 3/16/2009
    • Tirol, Austria
    • Posts 534
  • E3i Tecnologia Ltda

    Re: B137191 : Security Strategy into web application isn't secure!

    6/12/2009 9:43 AM
    • Top 500 Contributor
    • Joined on 6/21/2007
    • Posts 55

    +1

    And I have more suggestions...

    - Permission by user
    - Recursive Roles
    - Expiration Date for these permissions
    - Security by Web Service

    I already implemented these suggestions, but it would be good to see these features as default...

    Edited: Security by WebService only returns the connection string if user/pass is correct...

  • Marcello

    Re: B137191 : Security Strategy into web application isn't secure!

    6/12/2009 11:49 AM
    • Top 75 Contributor
    • Joined on 11/10/2008
    • Posts 274

    Of course I aggregate to you Jascha! I hope that the bug I reported is resolved quickly because it's very serious!

    Marcello

  • Manel Fernandez

    Re: B137191 : Security Strategy into web application isn't secure!

    6/12/2009 12:50 PM
    • Not Ranked
    • Joined on 5/4/2008
    • Posts 27
  • Robert Fuchs

    RE: B137191 : Security Strategy into web application isn't secure!

    6/12/2009 4:38 PM
    • Top 25 Contributor
    • Joined on 5/4/2007
    • Tirol, Austria
    • Posts 2,454

    +1, tracked!

    Further, please finally add security on property level !!!!!!!!!!!!!!!!!!!!!!!!!!

    Robert

     

  • Gary L Cox Jr [DX-Squad]

    Re: RE: B137191 : Security Strategy into web application isn't secure!

    6/16/2009 11:49 AM
    • Top 50 Contributor
    • Joined on 9/9/2007
    • Austin, Tx
    • Posts 811

    I agree, it would also be nice if one could restrict access to an object such as Reports. Some clients may not want a group of users to print a full client list with all their customers' data that an employee could steal. An administrator might want to allow a User Role to see reports, but not report (A, B, and C).

  • Jascha

    RE: B137191 : Security Strategy into web application isn't secure!

    7/2/2009 4:17 AM
    • Top 50 Contributor
    • Joined on 5/4/2007
    • Posts 935

    Marcello's latest comment: "If you don't guarantee security then XAF is tool only for small projects without user account protection! Our client are very worried for this problem of security."

    Precisely - DX please take this seriously and as a high priority. The security system in its current state is not strong enough for any scenario where security beyond logging in is a requirement (of which there are many) and consequently XAF is very limited in its reach while this remains the case. If you intend XAF to be a serious tool in the business application marketplace then this cannot be ignored or left as TBD because it is not easy to do.

    Jascha

  • Ralph Rutschmann

    Re: RE: B137191 : Security Strategy into web application isn't secure!

    7/2/2009 5:09 AM
    • Top 100 Contributor
    • Joined on 12/14/2007
    • Posts 263

     ++1!

    Ralph

  • Tolis Bekiaris [DX-Squad]

    Re: RE: B137191 : Security Strategy into web application isn't secure!

    7/2/2009 5:44 AM
    • Top 50 Contributor
    • Joined on 6/21/2007
    • Posts 592
  • Robert Fuchs

    RE: Re: RE: B137191 : Security Strategy into web application isn't secure!

    7/2/2009 9:39 AM
    • Top 25 Contributor
    • Joined on 5/4/2007
    • Tirol, Austria
    • Posts 2,454

    Dan,

    if you are saying - and these are your own words - that you "cannot guarantee that data is totally secured and there is no way to read protected content" then please immediately take this down from your website because it is a blatant lie and a deception of your customers:
    http://www.devexpress.com/Xaf/Security.aspx : "Designed with security in mind. XAF is secure by design."

    Thank you.

     

  • Julian Bucknall (DevExpress)

    Re: B137191 : Security Strategy into web application isn't secure!

    7/2/2009 7:36 PM
    • Top 25 Contributor
    • Joined on 4/5/2006
    • Colorado
    • Posts 1,842
    Jascha

    On Fri, 12 Jun 2009 11:01:09 +0000 (UTC), "Jascha" <> wrote:

    >I think it is about time the security system in XAF is thoroughly
    >overhauled. Perhaps it needs to be integrated into the data layer
    >instead?

    As stated in the issue, we recognize this and are working on it. I'm
    going to guess that it'll be a breaking change, but I'm by no means
    the expert on what needs to be done.

    --
    Cheers, Julian

    -----------------------------------------------------------
    Julian M Bucknall
    CTO, Developer Express, www.devexpress.com
    julianb@devexpress.com

    Personal blog at http://www.boyet.com
    Company blog at http://community.devexpress.com/blogs/ctodx
    Author of "Tomes of Delphi: Algorithms and Data Structures"
    Read my articles in PCPlus every month
    -----------------------------------------------------------
  • Julian Bucknall (DevExpress)

    Re: B137191 : Security Strategy into web application isn't secure!

    7/2/2009 7:40 PM
    • Top 25 Contributor
    • Joined on 4/5/2006
    • Colorado
    • Posts 1,842
    Jascha

    On Thu, 2 Jul 2009 08:17:21 +0000 (UTC), "Jascha" <> wrote:

    >DX please take this seriously and as a high priority.

    Of course we are. In fact, nowhere that I can see have we said that we
    are not taking it seriously or have decided not to prioritize it. I
    would imagine that it's a lot of work, but then again I argue from a
    theoretical viewpoint.

    --
    Cheers, Julian

    -----------------------------------------------------------
    Julian M Bucknall
    CTO, Developer Express, www.devexpress.com
    julianb@devexpress.com

    Personal blog at http://www.boyet.com
    Company blog at http://community.devexpress.com/blogs/ctodx
    Author of "Tomes of Delphi: Algorithms and Data Structures"
    Read my articles in PCPlus every month
    -----------------------------------------------------------
  • Julian Bucknall (DevExpress)

    Re: B137191 : Security Strategy into web application isn't secure!

    7/2/2009 7:45 PM
    • Top 25 Contributor
    • Joined on 4/5/2006
    • Colorado
    • Posts 1,842
    Robert

    As has been said in the support center issue thread, we are working on
    solving for this particular scenario. This would presumably involve
    moving the security down into the business layer rather than the UI,
    or even into the data layer/database. Please give us some time to make
    sure that we get this new design right and minimize the breaking of
    code.

    Thanks for your patience.

    --
    Cheers, Julian

    -----------------------------------------------------------
    Julian M Bucknall
    CTO, Developer Express, www.devexpress.com
    julianb@devexpress.com

    Personal blog at http://www.boyet.com
    Company blog at http://community.devexpress.com/blogs/ctodx
    Author of "Tomes of Delphi: Algorithms and Data Structures"
    Read my articles in PCPlus every month
    -----------------------------------------------------------