Skip to main content
BuyLog In
XAF: Cross-Platform .NET App UI & Web API
Search in…
Docs > Application Security and Data Safety > Security (Access Control & Authentication) > ORM Object Model, Policy Configuration and Storage > Roles and Permission Policy > Assign the Same Permissions for All Users of an Active Directory Group
All docs
V23.2
.NET 6.0+
XAF: Cross-Platform .NET App UI & Web API
Getting Started
Installation, Upgrade, Version History
Backend Web API Service
UI Shell and Base Infrastructure
Storage, ORM, and Business Model Design
Data Manipulation and Business Logic
User Interface and Behavior Customization
Data Filtering
Application Security and Data Safety
Security (Access Control & Authentication)
Security Tiers
User Logon and Authentication
ORM Object Model, Policy Configuration and Storage
Type, Object and Member Permissions
Create Predefined Users, Roles and Permissions in the Database
Change the Current User Role in Code
Roles and Permission Policy
Merging of Permissions Defined in Different Roles
Permissions for Associated Objects
Manually Configure Permissions for Associated Collections and Reference Properties
Security Permissions Caching
Assign the Same Permissions for All Users of an Active Directory Group
Implement Custom User, Role and Permission Objects
Authorization and Data Protection
Non-XAF UI Scenarios
Security Considerations
Audit Trail (History of Data Changes)
Multi-Tenancy (Data per Tenant)
Validation (Prevent Data Errors)
Conditional Appearance (Manage State of UI Elements)
Reporting (Shape, Export & Print Data)
Analytics (Extract Data Insights)
Document Management
Business Process Management
Event Planning
Localization
Accessibility Support
Debugging, Testing and Error Handling
Deployment
Support, QA & Troubleshooting
API Reference
Download CHM

Assign the Same Permissions for All Users of an Active Directory Group

  • 3 minutes to read

The AuthenticationActiveDirectory authentication type does not support Active Directory Security Groups out of the box. This topic demonstrates how to map XAF security roles to AD groups. When a user logs on for the first time, existing roles with names matching the user’s AD group names are automatically assigned. If the user membership in AD groups was modified, the associated roles collection will be updated accordingly on the next logon.

Note

ASP.NET Core Blazor applications do not support the Active Directory authentication.

  • In the module project, reference the System.DirectoryServices.AccountManagement.dll assembly, which provides the UserPrincipal class.

  • Inherit AuthenticationActiveDirectory and override the AuthenticationActiveDirectory.Authenticate method:

    using System.DirectoryServices.AccountManagement;
using DevExpress.Data.Filtering;
using DevExpress.ExpressApp;
using DevExpress.ExpressApp.Security;
using DevExpress.Persistent.BaseImpl.PermissionPolicy;
// ...
public class CustomAuthenticationActiveDirectory : AuthenticationActiveDirectory { 
    public override object Authenticate(IObjectSpace objectSpace) { 
        string userName = GetUserName(); 
        PermissionPolicyUser user = objectSpace.FirstOrDefault<PermissionPolicyUser>(u => u.UserName == userName); 
        if(user == null) { 
            if(CreateUserAutomatically) { 
                user = objectSpace.CreateObject<PermissionPolicyUser>(); 
                user.UserName = userName; 
            }                 
        } 
        if(user != null) { 
            foreach(PermissionPolicyRole role in user.Roles.ToArray()) { 
                if(!UserPrincipal.Current.GetGroups().Any(p => p.Name == role.Name)) { 
                    user.Roles.Remove(role); 
                } 
            } 
            foreach(string groupName in UserPrincipal.Current.GetGroups().Select(x => x.Name)) { 
                if(!user.Roles.Any(p => p.Name == groupName)) { 
                    PermissionPolicyRole role = objectSpace.FirstOrDefault<PermissionPolicyRole>(r => r.Name == groupName); 
                    if(role != null) { 
                        user.Roles.Add(role); 
                    } 
                } 
            } 
        } 
        if(user == null || user.Roles.Count == 0) { 
            throw new AuthenticationException(userName); 
        } 
        objectSpace.CommitChanges(); 
        return user; 
    } 
}
  • Rebuild the solution.

  • Run the Application Designer and replace the AuthenticationActiveDirectory component with the CustomAuthenticationActiveDirectory component from the toolbox (as it is demonstrated in the Pass the Custom Classes to the Security System section of the How to: Use Custom Logon Parameters and Authentication topic).

    CustomAuthenticationActiveDirectory