XAF - Permissions for UI Actions and Security System for non-XAF Apps Powered by Entity Framework Core 3 (v20.1)

XAF Team Blog
04 May 2020

Security Permissions for Actions

This new XAF security layer allows developers to prohibit execution of both custom and XAF system Actions within WinForms and ASP.NET applications.
First, a word or two about Actions – XAF Actions represent UI commands within an application. These cover a broad range of UI commands, from menu items and Ribbon commands to navigation links. To demonstrate how XAF developers can institute fine-grained control over user roles and hide or deactivate UI Actions as needed, we recently published the following YouTube video:

To enable this feature, set the static EnableSecurityForActions property to True. To add custom Actions or remove system Actions available in the Denied Actions tab, handle the NonSecureActionsInitializing event.

Note that Action permissions hide Actions unconditionally: they are not meant to interfere with Conditional Appearance, State Machine, TargetObjectsCriteria, or any custom rules that are driven by criteria or object/UI changes within Controllers. If you require dynamic behavior for Actions, use those specific mechanisms together with built-in criteria functions such as IsCurrentUserInRole and CurrentUserId.

Security System for Entity Framework Core

Our goal is to help DevExpress and non-DevExpress customers benefit from XAF's Security System and Entity Framework Core. In v20.1, we've added a secured Object Space (a DbContext wrapper) for EF Core 3.1+ and demonstrated its use for basic CRUD operations in Console and WinForms applications. This functionality mirrors our XPO ORM implementation. This feature is currently available as a community tech preview, so we welcome your feedback.

If you are not familiar with XAF's security system, the following GitHub repo offers an overview of its architecture and its key features: Role-based Authorization & User Authentication .NET API. For more information, please review this FAQ KB Article.

Three main steps to integrate XAF's Role-based Access Control & User Authentication API using EF Core data access are shown below:

Similar code will work in any client or server .NET Core app (including Blazor Server). Note that primary protection takes place at the data store level: secured record fields get 'null' values, or whole records are filtered out internally, if role permissions deny access.

You can also use CanRead or other CanXXX methods to mask secured fields or modify the UI further (in the following image, Department values are masked with 'Protected Content' when the Title does not contain the word 'Development').
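The two layers described above, as an added example that is not part of this post or the XAF repo: a deny-by-default role that grants Read on Employee but exposes the Department member only when the Title contains 'Development', plus a UI-side helper that asks the security strategy before displaying the value. The Employee class, the DepartmentMasking helper and the EF Core PermissionPolicy namespace are assumptions; the role methods and SecurityStrategy.CanRead are the XAF PermissionPolicy API.

```csharp
using System;
using DevExpress.ExpressApp.Security;               // SecurityStrategy
using DevExpress.Persistent.Base;                   // SecurityOperations, SecurityPermissionState, SecurityPermissionPolicy
using DevExpress.Persistent.BaseImpl.PermissionPolicy; // PermissionPolicyRoleBase (assumption: same type name in the EF Core preview)

// Assumed business class: only Title and Department matter for this scenario.
public class Employee {
    public int ID { get; set; }
    public string Title { get; set; }
    public string Department { get; set; }
}

public static class DepartmentMasking {
    public const string Mask = "Protected Content";

    // Deny-by-default role: Employee records are readable, but the Department
    // member is readable only when the record's Title contains 'Development'.
    // For any other record the secured Object Space returns null for Department,
    // so the data layer protects the value before the UI ever sees it.
    public static void ConfigureRole(PermissionPolicyRoleBase role) {
        role.PermissionPolicy = SecurityPermissionPolicy.DenyAllByDefault;
        role.AddTypePermissionsRecursively<Employee>(SecurityOperations.Read, SecurityPermissionState.Allow);
        role.AddMemberPermission<Employee>(
            SecurityOperations.Read,
            nameof(Employee.Department),
            "Contains([Title], 'Development')",
            SecurityPermissionState.Allow);
    }

    // UI-side check: the per-object CanRead call evaluates the member criteria
    // against this specific record, so a denied Department is shown as a mask
    // string instead of an empty cell. This is display logic only; it does not
    // replace the data-level filtering above.
    public static string DisplayDepartment(SecurityStrategy security, Employee employee) {
        if (security == null) throw new ArgumentNullException(nameof(security));
        if (employee == null) throw new ArgumentNullException(nameof(employee));
        if (security.CanRead(employee, nameof(Employee.Department))) {
            return employee.Department ?? string.Empty;
        }
        return Mask;
    }
}
```

The same CanRead/CanWrite checks can drive the enabled state of UI elements, which complements, rather than replaces, the Denied Actions permissions described earlier.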

Security System - New Learning Materials

Free DevExpress Products – Get Your Copy Today

The following free DevExpress product offers remain available. Should you have any questions about the free offers below, please submit a ticket via the DevExpress Support Center at your convenience. We’ll be happy to follow-up.
Gustavo Marzioni

I'm using a fully custom role, can you point me which interface I have to implement for security actions?

Thanks

4 May 2020
Dennis Garavsky (DevExpress)
@Sure - IActionPermissions. For more information, please review "c:\Program Files (x86)\DevExpress 20.1\Components\Sources\DevExpress.Persistent\DevExpress.Persistent.BaseImpl\PermissionPolicy\PermissionPolicyRoleBase.cs".
5 May 2020
Alex Boston
Why is it named "Denied Actions"? Shouldn't it be "Actions Permissions"?!
5 May 2020
Dennis Garavsky (DevExpress)
@Alex Boston: This tab helps you deny or deactivate UI Actions unconditionally. We follow only the 'Allow all by default' policy regardless of what is specified in the role, because other options do not make much sense for Actions.
6 May 2020
Alex Boston
@Dennis: thanks for the reply, but why do "other options not make much sense for Actions"?
For example, why doesn't "Deny all by default" apply?!
6 May 2020
Dennis Garavsky (DevExpress)
@Alex Boston: We were not aware of apps where all custom Actions would be prohibited by default - most users wanted to deny a few specific Actions and not vice versa. We would appreciate it if you describe your real business scenario in greater detail so that we can consider it for the future. Thanks.

6 May 2020
ADE AAN WIRAMA.

I have a problem when clicking NEW in Denied Actions.

The error message pops up as follows:

Message:    An error with number 1021 has occurred. Error message: The object that has been passed belongs to another ObjectSpace. This error may occur when you manipulate your objects via an ObjectSpace which these objects do not belong to. For instance, you may receive this error when using the XafApplication.CreateDetailView method in case you passed an object that was obtained from a different ObjectSpace than the ObjectSpace used as a parameter in this method. To correct this error, you should ensure that all the objects you manipulate belong to one ObjectSpace. In most cases, to avoid this error it's sufficient to call the ObjectSpace.GetObject/GetObjectByKey methods to get a passed object in the target ObjectSpace. If this doesn't help, please contact our Support Team at http://www.devexpress.com/Support/Center/

What should I do to fix it?

Thanks

24 May 2020
Dennis Garavsky (DevExpress)
@ADE AAN WIRAMA: Thank you for testing our early preview. We'll answer you in your Support Center ticket: https://supportcenter.devexpress.com/ticket/details/t892707/error-when-accessing-denied-actions.
24 May 2020
Ilia Lopatkin

But what about a business object that any role is allowed to read, but only a single role may write? And we have a "modifying" Action that should be available for that specific role only.

With the "Denied Actions" approach, we must not forget to deny this Action for any new role that may be added in the future. I understand that a "disable all by default" policy is really way too prohibitive, but there should be some way to handle such cases.

We, on the other hand, have already solved it for our applications by adding extensions to IModelAction, like "ActiveRequiresAllowEdit", "EnabledRequiresAllowNew" and so on for the most frequent and popular cases. Maybe you can use this idea in some way.

16 June 2020
