Applying Security to State Machine module

In this blog entry will discuss how to restrict transition to certain states for specific system roles. Do not be put off by the title, by the end of the post you will surely agree that this is not as complicated as it sounds!

In the following example, control over transition to the Completed state is to be restricted to administrators. To make this happen we need to create a custom function criteria operator that will enumerate all user roles and check their name against this function’s argument. This is demonstrated below,

public class IsAllowedToRoleOperator : ICustomFunctionOperator {

    public const string OperatorName = "IsAllowedToRole";

    #region ICustomFunctionOperator Members

    public object Evaluate(params object[] operands) {

        if (!(operands != null && operands.Length == 1 && operands[0] is string)) {

            throw new ArgumentException("IsAllowedToRole operator should have one paraneter - string roleName.");


        var roleName = (string)operands[0];

        bool result = false;

        var userWithRoles = SecuritySystem.CurrentUser as IUserWithRoles;

        if (userWithRoles != null) {

            foreach (IRole role in userWithRoles.Roles) {

                if (role.Name == roleName) {

                    result = true;





        return result;



    public string Name {

        get { return OperatorName; }



    public Type ResultType(params Type[] operands) {

        return typeof(bool);





After implementing the operator we still need to register it, for example in a custom module.

public override void CustomizeTypesInfo(DevExpress.ExpressApp.DC.ITypesInfo typesInfo) {


    if (CriteriaOperator.GetCustomFunction(IsAllowedToRoleOperator.OperatorName) == null) {

        CriteriaOperator.RegisterCustomFunction(new IsAllowedToRoleOperator());




Note: In future versions these custom operators will be registered to the core. Thus they will appear in all relevant UIs - this sure sounds like the DX way!

The next step is to set the TargetObjectCriteria of the Completed state to,


When a non administrator tries to perform the transition as shown,


then a validation exception will be raised,


Using this approach the state machine designer is capable at runtime of restricting transition to certain states. Moreover applying different types of Security schemas is as easy as providing different versions of our custom function criteria operator.

We would appreciate your feedback on this post. Has it been useful to you? Feel free to contact us with any further questions

Related Links
Online documentation
Blog posts

9 comment(s)
christy pirumova

Tolis, i've searched the documentation for the IsAllowedToRole operator after your webinar about state machine module :)

you have mentioned it there and i've got an impression that it's a built in one

i liked the idea of such operator and am glad you have posted its definition here


22 July, 2011
Defacto Software

Very good Tolis, thank you. Would it also be possible to not even show the state transition to Completed if the user has no rights?

23 July, 2011
Apostolis Bekiaris (DevExpress)

Thanks for your comments!.

@M. Brekhof Of course it is, I already included the solution in my next post. Stay tuned!

26 July, 2011

is this still current for State Machine? It would seem practical to have a level of abstraction whereas we throw a userfriendly error message as this kind of message is not acceptable in a real-life app..

13 April, 2013
Łukasz Polak

i agree with @drew... could you do something with it?

18 June, 2013
Łukasz Polak

in current version (13.1) is primitive exception message

18 June, 2013

please provide a sample project  to get the above result

14 July, 2014
Apostolis Bekiaris (DevExpress)

A ready to use StateMachine module is inlcuded in our community project in the Xpand.ExpressApp.StateMachine.dll.

related posts

14 July, 2014
Dennis (DevExpress Support)

You can use the built-in IsCurrentUserInRole criteria function ( in the latest XAF versions.

4 February, 2015

Please login or register to post comments.