How to: Assign the Same Permissions for All Users of an Active Directory Group

  • 3 min to read

The AuthenticationActiveDirectory authentication type does not support Active Directory Security Groups out of the box. This topic demonstrates how to map XAF security roles to AD groups. When a user logs on for the first time, existing roles with names matching the user's AD group names are automatically assigned. If the user membership in AD groups was modified, the associated roles collection will be updated accordingly on the next logon.

Note

The approach described in this topic is not supported by the Mobile platform.

  • In the module project, reference the System.DirectoryServices.AccountManagement.dll assembly, which provides the UserPrincipal class.
  • Inherit AuthenticationActiveDirectory and override the AuthenticationActiveDirectory.Authenticate method:

    using System.DirectoryServices.AccountManagement;
    using DevExpress.Data.Filtering;
    using DevExpress.ExpressApp;
    using DevExpress.ExpressApp.Security;
    using DevExpress.Persistent.BaseImpl.PermissionPolicy;
    // ...
    public class CustomAuthenticationActiveDirectory : AuthenticationActiveDirectory { 
        public override object Authenticate(IObjectSpace objectSpace) { 
            string userName = GetUserName(); 
            PermissionPolicyUser user = objectSpace.FindObject<PermissionPolicyUser>(new BinaryOperator("UserName", userName)); 
            if(user == null) { 
                if(CreateUserAutomatically) { 
                    user = objectSpace.CreateObject<PermissionPolicyUser>(); 
                    user.UserName = userName; 
                }                 
            } 
            if(user != null) { 
                foreach(PermissionPolicyRole role in user.Roles.ToArray()) { 
                    if(!UserPrincipal.Current.GetGroups().Any(p => p.Name == role.Name)) { 
                        user.Roles.Remove(role); 
                    } 
                } 
                foreach(string groupName in UserPrincipal.Current.GetGroups().Select(x => x.Name)) { 
                    if(!user.Roles.Any(p => p.Name == groupName)) { 
                        PermissionPolicyRole role = objectSpace.FindObject<PermissionPolicyRole>(new BinaryOperator("Name", groupName)); 
                        if(role != null) { 
                            user.Roles.Add(role); 
                        } 
                    } 
                } 
            } 
            if(user == null || user.Roles.Count == 0) { 
                throw new AuthenticationException(userName); 
            } 
            objectSpace.CommitChanges(); 
            return user; 
        } 
    }
    
  • Rebuild the solution.
  • Run the Application Designer and replace the AuthenticationActiveDirectory component with the CustomAuthenticationActiveDirectory component from the toolbox (as it is demonstrated in the Pass the Custom Classes to the Security System section of the How to: Use Custom Logon Parameters and Authentication topic).

    CustomAuthenticationActiveDirectory