.NET Framework 4.5.2+

Manually Configure Permissions for Associated Collections and Reference Properties

The Security System automatically configures permissions for one side of an association if the other side is specified. The Permissions for Associated Objects topic describes this behavior. You can also specify permissions for both sides of an association. This topic describes how to manually allow linking and unlinking of objects from a collection when a user has read-only access to objects in this collection. Here, it is assumed that you have:

The key concept is that you should grant Write access to the collection properties on both sides of the association to allow linking and unlinking operations. These operations always lead to modifying both collections. That is why granting Write on one side is insufficient.

In this example, the many-to-many association is demonstrated. However, you can use the same approach with the one-to-many association.

Follow the steps below to set up a security role that has read-only access to Project objects but can modify the Employee.Projects collection.

  1. In the overridden ModuleUpdater.UpdateDatabaseAfterUpdateSchema method (located in the Updater.cs (Updater.vb) file of the module project), create a user role. For this role, grant full access to the Employee object, and read-only access to the Project object.

    // Create the role and grant full (Create/Read/Update/Delete) access to Employee,
    // but read-only access to Project.
    PermissionPolicyRole role = ObjectSpace.CreateObject<PermissionPolicyRole>();
    role.Name = "User role";
    role.AddTypePermission<Employee>(SecurityOperations.CRUDAccess, SecurityPermissionState.Allow);
    // Make the Employee list view reachable from the navigation control.
    role.AddNavigationPermission("Application/NavigationItems/Items/Default/Items/Employee_ListView", SecurityPermissionState.Allow);
    role.AddTypePermission<Project>(SecurityOperations.ReadOnlyAccess, SecurityPermissionState.Allow);
  2. At this point, a user assigned the "User role" role cannot link or unlink Project objects. Linking or unlinking a Project modifies the Project.Employees collection property, and that property is read-only because the Project type is read-only. The solution is to grant Write access to this specific property while leaving the rest of the type read-only.

    // Allow Write on the Project.Employees collection only (empty criteria = all Project objects).
    // Together with CRUD access to Employee, both sides of the association are now writable.
    role.AddMemberPermission<Project>(SecurityOperations.Write, "Employees", "", SecurityPermissionState.Allow);
  3. Add a user associated with the role that was configured in the previous steps.

    PermissionPolicyUser user = ObjectSpace.CreateObject<PermissionPolicyUser>();
    user.UserName = "User";
    user.SetPassword(""); // empty password for this walkthrough only
    user.Roles.Add(role); // associate the user with the role created above
  4. Run the application, log in as “User”, and ensure that the Project objects can be linked to the Employee.Projects collection.
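The steps above collected into one idempotent ModuleUpdater override, as an added example that is not the page's or DevExpress's own code. It also applies the same rule to a one-to-many association: the Department type and its Department.Employees collection are assumed here for illustration, and the namespaces listed are the ones this configuration is expected to need in XAF.

```csharp
// Added example, not from the original page. Employee, Project and the role/user names
// come from the page; Department (one-to-many: Department.Employees <-> Employee.Department)
// is a hypothetical type added to show the same approach for a one-to-many association.
using System;
using DevExpress.Data.Filtering;
using DevExpress.ExpressApp;
using DevExpress.ExpressApp.Security;
using DevExpress.ExpressApp.Updating;
using DevExpress.Persistent.Base;
using DevExpress.Persistent.BaseImpl.PermissionPolicy;

public class Updater : ModuleUpdater {
    public Updater(IObjectSpace objectSpace, Version currentDBVersion)
        : base(objectSpace, currentDBVersion) { }

    public override void UpdateDatabaseAfterUpdateSchema() {
        base.UpdateDatabaseAfterUpdateSchema();

        // The updater runs on every schema update, so look the role up first
        // instead of creating a duplicate each time.
        PermissionPolicyRole role = ObjectSpace.FindObject<PermissionPolicyRole>(
            new BinaryOperator("Name", "User role"));
        if (role == null) {
            role = ObjectSpace.CreateObject<PermissionPolicyRole>();
            role.Name = "User role";
            role.AddTypePermission<Employee>(SecurityOperations.CRUDAccess, SecurityPermissionState.Allow);
            role.AddNavigationPermission(
                "Application/NavigationItems/Items/Default/Items/Employee_ListView",
                SecurityPermissionState.Allow);
            // Read-only type, plus Write on the collection that a link/unlink of an Employee modifies.
            role.AddTypePermission<Project>(SecurityOperations.ReadOnlyAccess, SecurityPermissionState.Allow);
            role.AddMemberPermission<Project>(SecurityOperations.Write, "Employees", "", SecurityPermissionState.Allow);
            // Same rule for the hypothetical one-to-many side: a read-only Department whose
            // Employees collection must still be writable so Employee.Department can be changed.
            role.AddTypePermission<Department>(SecurityOperations.ReadOnlyAccess, SecurityPermissionState.Allow);
            role.AddMemberPermission<Department>(SecurityOperations.Write, "Employees", "", SecurityPermissionState.Allow);
        }

        PermissionPolicyUser user = ObjectSpace.FindObject<PermissionPolicyUser>(
            new BinaryOperator("UserName", "User"));
        if (user == null) {
            user = ObjectSpace.CreateObject<PermissionPolicyUser>();
            user.UserName = "User";
            user.SetPassword(""); // walkthrough only; use a real password outside a demo
            user.Roles.Add(role);
        }
        ObjectSpace.CommitChanges();
    }
}
```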