Skip to main content
A newer version of this page is available. .

Permission Policies

  • 3 minutes to read

The Permission Policy determines Security System’s behavior when there are no explicitly specified permissions for a specific type, object or member. You can select the default Permission Policy in the Solution Wizard when creating a new XAF application.



When your application uses the Allow/Deny Permission Policy, the application’s administrators can allow access to all data within the application for a specific role and simultaneously deny access to certain data types or members. They can also deny access to all data for a role and only allow access to a specific list of objects or members. To use this feature, choose the Allow/Deny Permission Policy on the Solution Wizard‘s Choose Security page.


You should upgrade an existing project to the Allow/Deny Permissions Policy if you created an application in XAF v16.1 or earlier. If you use the Entity Framework as the ORM system, you may also need to perform a migration to switch from the Deny to the Allow/Deny policy.

The Allow/Deny Permission Policy uses the following security users and roles types:

  Built-in XPO classes Built-in Entity Framework classes Common interfaces to support in custom classes
User Type PermissionPolicyUser PermissionPolicyUser IPermissionPolicyUser
Role Type PermissionPolicyRole PermissionPolicyRole IPermissionPolicyRole

The PermissionPolicyRole classes provide the IPermissionPolicyRole.PermissionPolicy property:


You can use this property to assign “deny all”, “read-only all” or “allow all” default Permission Policies to each role, and explicitly specify the Allow or Deny modifier or leave it blank for each operation.

The Security System checks whether an access to an object’s property is allowed on several levels. The following image shows the levels in priority order:


“Member Permission by Criteria” has the highest priority and the Security System processes it first. The Security System uses explicit permissions at this level to determine whether access is allowed. If the role has not any explicit permissions on this level, the Security System processes permissions at the next level according to the scheme above.

The “Role’s Permission Policy” has the lowest priority and is used only when type, object, and member permissions are not explicitly specified.


This policy type provides compatibility with older XAF versions. With the Deny policy, access is always denied when there are no explicitly specified permissions. We recommend that you use the Allow/Deny policy instead of Deny in new applications. The Allow/Deny policy allows you to create more complex and flexible security configurations.


Individual navigation items do not support Navigation Permissions when the Deny Permission Policy is selected. The Navigation Permissions tab is not available in this mode. However, you can specify navigation permissions for each type in the Type Permissions tab.

The Deny Permission Policy uses the following security users and roles types:

  Built-in XPO classes Built-in Entity Framework classes
User Type SecuritySystemUser User
Role Type SecuritySystemRole Role

The Deny policy’s role classes do not provide the IPermissionPolicyRole.PermissionPolicy property, unlike the Allow/Deny policy’s role classes.