Skip to main content
BuyLog In
XAF: Cross-Platform .NET App UI & Web API
Search in…
Docs > Application Security and Data Safety > Security (Access Control & Authentication) > ORM Object Model, Policy Configuration and Storage > Roles and Permission Policy > Manually Configure Permissions for Associated Collections and Reference Properties
All docs
V23.2
.NET 6.0+
XAF: Cross-Platform .NET App UI & Web API
Getting Started
Installation, Upgrade, Version History
Backend Web API Service
UI Shell and Base Infrastructure
Storage, ORM, and Business Model Design
Data Manipulation and Business Logic
User Interface and Behavior Customization
Data Filtering
Application Security and Data Safety
Security (Access Control & Authentication)
Security Tiers
User Logon and Authentication
ORM Object Model, Policy Configuration and Storage
Type, Object and Member Permissions
Create Predefined Users, Roles and Permissions in the Database
Change the Current User Role in Code
Roles and Permission Policy
Merging of Permissions Defined in Different Roles
Permissions for Associated Objects
Manually Configure Permissions for Associated Collections and Reference Properties
Security Permissions Caching
Assign the Same Permissions for All Users of an Active Directory Group
Implement Custom User, Role and Permission Objects
Authorization and Data Protection
Non-XAF UI Scenarios
Security Considerations
Audit Trail (History of Data Changes)
Multi-Tenancy (Data per Tenant)
Validation (Prevent Data Errors)
Conditional Appearance (Manage State of UI Elements)
Reporting (Shape, Export & Print Data)
Analytics (Extract Data Insights)
Document Management
Business Process Management
Event Planning
Localization
Accessibility Support
Debugging, Testing and Error Handling
Deployment
Support, QA & Troubleshooting
API Reference
Download CHM

Manually Configure Permissions for Associated Collections and Reference Properties

  • 2 minutes to read

The Security System automatically configures permissions for one side of an association if the other side is specified. The Permissions for Associated Objects topic describes this behavior. You can also specify permissions for both sides of an association. This topic describes how to manually allow linking and unlinking of objects from a collection when a user has read-only access to objects in this collection. Here, it is assumed that you have:

The key concept is that you should grant Write access to the collection properties on both sides of the association to allow linking and unlinking operations. These operations always lead to modifying both collections. That is why granting Write on one side is insufficient.

Note

In this example, the many-to-many association is demonstrated. However, you can use the same approach with the one-to-many association.

Follow the steps below to set up a security role that has read-only access to Projects, but can modify the Employee.Projects collection.

  1. In the overridden ModuleUpdater.UpdateDatabaseAfterUpdateSchema method (located in the Updater.cs (Updater.vb) file of the module project), create a user role. For this role, grant full access to the Employee object, and read-only access to the Project object.

    PermissionPolicyRole role = ObjectSpace.CreateObject<PermissionPolicyRole>();
role.Name = "User role";
role.AddTypePermission<Person>(SecurityOperations.CRUDAccess, SecurityPermissionState.Allow);
role.AddNavigationPermission("Application/NavigationItems/Items/Default/Items/Employee_ListView", SecurityPermissionState.Allow);
role.AddTypePermission<Project>(SecurityOperations.ReadOnlyAccess, SecurityPermissionState.Allow);

  2. Currently, a user whose role is User role cannot link or unlink Project objects. Linking or unlinking Project objects causes a modification of the Employees property, which is read-only, because the Project object is read-only. The solution is to grant Write access to this property.

    role.AddMemberPermission<Project>(SecurityOperations.Write, "Employees", "", SecurityPermissionState.Allow);

  3. Add a user associated with the role that was configured in the previous steps.

    ApplicationUser user = ObjectSpace.CreateObject<ApplicationUser>();
user.UserName = "User";
user.SetPassword("");
user.Roles.Add(role);

  4. Run the application, log in as “User”, and ensure that the Project objects can be linked to the Employee.Projects collection.

    Associations_ManyToMany_LinkUnlinkReadonlyObjects

See Also