Skip to main content
BuyLog In
XAF: Cross-Platform .NET App UI & Web API
Search in…
Docs > Application Security and Data Safety > Security (Access Control & Authentication) > ORM Object Model, Policy Configuration and Storage > Roles and Permission Policy
All docs
V23.2
.NET 6.0+
XAF: Cross-Platform .NET App UI & Web API
Getting Started
Installation, Upgrade, Version History
Backend Web API Service
UI Shell and Base Infrastructure
Storage, ORM, and Business Model Design
Data Manipulation and Business Logic
User Interface and Behavior Customization
Data Filtering
Application Security and Data Safety
Security (Access Control & Authentication)
Security Tiers
User Logon and Authentication
ORM Object Model, Policy Configuration and Storage
Type, Object and Member Permissions
Create Predefined Users, Roles and Permissions in the Database
Change the Current User Role in Code
Roles and Permission Policy
Merging of Permissions Defined in Different Roles
Permissions for Associated Objects
Manually Configure Permissions for Associated Collections and Reference Properties
Security Permissions Caching
Assign the Same Permissions for All Users of an Active Directory Group
Implement Custom User, Role and Permission Objects
Authorization and Data Protection
Non-XAF UI Scenarios
Security Considerations
Audit Trail (History of Data Changes)
Multi-Tenancy (Data per Tenant)
Validation (Prevent Data Errors)
Conditional Appearance (Manage State of UI Elements)
Reporting (Shape, Export & Print Data)
Analytics (Extract Data Insights)
Document Management
Business Process Management
Event Planning
Localization
Accessibility Support
Debugging, Testing and Error Handling
Deployment
Support, QA & Troubleshooting
API Reference
Download CHM

Roles and Permission Policy

  • 2 minutes to read

The Allow/Deny Permission Policy determines Security System’s behavior when there are no explicitly specified permissions for a specific type, object or member.

The application’s administrators can allow access to all data within the application for a specific role and simultaneously deny access to certain data types or members. They can also deny access to all data for a role and only allow access to a specific list of objects or members.

Note

You should upgrade an existing project to the Allow/Deny Permissions Policy if you created an application in XAF v16.1 or earlier. If you use the Entity Framework as the ORM system, you may also need to perform a migration to switch from the obsolete Deny to the Allow/Deny policy.

The Permission Policy uses the following security users and roles types:

  Built-in XPO classes Built-in EF Core classes Common interfaces to support in custom classes
User Type PermissionPolicyUser PermissionPolicyUser IPermissionPolicyUser
Role Type PermissionPolicyRole PermissionPolicyRole IPermissionPolicyRole

The PermissionPolicyRole classes provide the IPermissionPolicyRole.PermissionPolicy property:

PermissionPolicy

You can use this property to assign “deny all”, “read-only all” or “allow all” default Permission Policies to each role, and explicitly specify the Allow or Deny modifier or leave it blank for each operation.

The Security System checks whether an access to an object’s property is allowed on several levels. The following image shows the levels in priority order:

PermissionsPriority

“Member Permission by Criteria” has the highest priority and the Security System processes it first. The Security System uses explicit permissions at this level to determine whether access is allowed. If the role has not any explicit permissions on this level, the Security System processes permissions at the next level according to the scheme above.

The “Role’s Permission Policy” has the lowest priority and is used only when type, object, and member permissions are not explicitly specified.

See Also