XAF - Permissions for UI Actions and Security System for non-XAF Apps Powered by Entity Framework Core 3 (v20.1)

XAF Team Blog
04 May 2020

Security Permissions for Actions

This new XAF security layer allows developers to prohibit execution of both custom and XAF system Actions within WinForms and ASP.NET applications.
First, a word or two about Actions – XAF Actions represent UI commands within an application. These cover a broad range of UI commands, from menu items and Ribbon commands to navigation links. To demonstrate how XAF developers can institute fine-grained control over user roles and hide or deactivate UI Actions as needed, we recently published the following YouTube video:

To enable this feature, set the static EnableSecurityForActions property to True. To add custom Actions to, or remove system Actions from, the list offered on the Denied Actions tab, handle the NonSecureActionsInitializing event.

Note that Action permissions hide Actions unconditionally: they do not interact with Conditional Appearance, State Machine, TargetObjectsCriteria, or any custom rules driven by criteria or object/UI changes within Controllers. If you require dynamic behaviour for Actions, use those mechanisms together with built-in criteria functions such as IsCurrentUserInRole and CurrentUserId.

Security System for Entity Framework Core

Our goal is to help DevExpress and non-DevExpress customers benefit from XAF's Security System and Entity Framework Core. In v20.1, we've added a secured Object Space (a DbContext wrapper) for EF Core 3.1+ and demonstrated its use for basic CRUD operations in Console and WinForms applications. This functionality mirrors our XPO ORM implementation. This feature is currently available as a community tech preview, so we welcome your feedback.

If you are not familiar with XAF's security system, the following GitHub repo offers an overview of its architecture and key features: Role-based Authorization & User Authentication .NET API. For more information, please review this FAQ KB Article.

Three main steps to integrate XAF's Role-based Access Control & User Authentication API using EF Core data access are shown below:

Similar code will work in any client or server .NET Core app (including Blazor Server). Note that primary protection takes place at the data store level: when role permissions deny access, secured record fields are returned as null or whole records are filtered out inside the secured Object Space, so UI-level checks sit on top of that boundary rather than replacing it.

You can also use CanRead and the other CanXXX methods to mask secured fields or adjust the UI further (in the following image, the Department field is masked with 'Protected Content' when the employee's title does not contain the word 'Development').
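The three steps described above (create the security strategy and authentication, wrap the DbContext in a secured Object Space provider, log on and query through it) and the CanRead masking, as one added console example. This is not code from the page or from the DevExpress repository: the Department/Employee model, ApplicationDbContext, the connection string and the user name "User" with an empty password are constructed for illustration, and the SecuredEFCoreObjectSpaceProvider constructor signature follows the pattern of the DevExpress EF Core security samples and should be verified against the v20.1 tech preview assembly you reference.

```csharp
using System;
using Microsoft.EntityFrameworkCore;
using DevExpress.ExpressApp;
using DevExpress.ExpressApp.EFCore;
using DevExpress.ExpressApp.Security;
using DevExpress.Persistent.BaseImpl.EFCore.PermissionPolicy;

// Constructed domain model (assumption, not from the page).
public class Department {
    public int ID { get; set; }
    public string Title { get; set; }
}

public class Employee {
    public int ID { get; set; }
    public string FullName { get; set; }
    public string Title { get; set; }
    public virtual Department Department { get; set; }
}

// The DbContext must expose the user and role sets the security strategy stores its data in,
// plus the business entities the secured Object Space will serve.
public class ApplicationDbContext : DbContext {
    public ApplicationDbContext(DbContextOptions<ApplicationDbContext> options) : base(options) { }
    public DbSet<PermissionPolicyUser> Users { get; set; }
    public DbSet<PermissionPolicyRole> Roles { get; set; }
    public DbSet<Department> Departments { get; set; }
    public DbSet<Employee> Employees { get; set; }
}

class Program {
    static void Main() {
        // Assumed connection string; point it at a database that already holds the users and roles.
        string connectionString =
            "Server=(localdb)\\mssqllocaldb;Database=XafEfCoreSecurityDemo;Integrated Security=True";

        // Step 1: role-based strategy with standard (user name + password) authentication.
        AuthenticationStandard authentication = new AuthenticationStandard();
        SecurityStrategyComplex security = new SecurityStrategyComplex(
            typeof(PermissionPolicyUser), typeof(PermissionPolicyRole), authentication);

        // Step 2: the secured Object Space provider wraps the DbContext; every Object Space it
        // creates applies the logged-on user's permissions when it reads or writes data.
        SecuredEFCoreObjectSpaceProvider objectSpaceProvider = new SecuredEFCoreObjectSpaceProvider(
            security, typeof(ApplicationDbContext), XafTypesInfo.Instance, connectionString,
            (builder, cs) => builder.UseSqlServer(cs));

        // Step 3: log on. Credentials here are constructed for the example.
        authentication.SetLogonParameters(new AuthenticationStandardLogonParameters("User", string.Empty));
        using (IObjectSpace logonObjectSpace = objectSpaceProvider.CreateObjectSpace()) {
            security.Logon(logonObjectSpace);
        }

        // Read through a secured Object Space: records the role may not see never arrive,
        // and denied members come back as null. CanRead is used only to pick a UI placeholder.
        using (IObjectSpace securedObjectSpace = objectSpaceProvider.CreateObjectSpace()) {
            foreach (Employee employee in securedObjectSpace.GetObjects<Employee>()) {
                string department = security.CanRead(employee, nameof(Employee.Department))
                    ? employee.Department?.Title
                    : "Protected Content";
                Console.WriteLine($"{employee.FullName} ({employee.Title}): {department}");
            }
        }

        security.Logoff();
    }
}
```

The masking rule itself (for example, Department readable only when Title contains 'Development') is not in this code: it lives in the role's member-level permission criteria stored in the database, which is why the same call to CanRead gives different answers for different users without any change to the client.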

Security System - New Learning Materials
