Skip to main content
BuyLog In
XAF: Cross-Platform .NET App UI & Web API
Search in…
Docs > Task-Based Help > Security > How to: Assign the Same Permissions for All Users of an Active Directory Group
A newer version of this page is available. .
All docs
V19.2
.NET Framework 4.5.2+
eXpressApp Framework
Fundamentals
Getting Started
Concepts
Design-Time Features
Deployment
Task-Based Help
Business Model Design
Application Model
Actions
Navigation
Views
List Editors
Property Editors
Templates
Filtering
Reporting
Dashboards
Office
Scheduler and Notifications
Maps Module
Security
How to: Assign the Same Permissions for All Users of an Active Directory Group
How to: Call Direct SQL Queries in Integrated Mode or through the Middle Tier Application Server
How to: Change the Client-Side Security Mode from UI Level to Integrated in XPO applications
How to: Connect to the WCF Application Server from Non-XAF Applications
How to: Get the Current User in Code
How to: Hide the 'Protected Content' Columns in a List View and Property Editors in a Detail View
How to: Implement a Custom Security Operation that Can be Permitted at the Type Level
How to: Implement a Custom Security System User Based on an Existing Business Class
How to: Implement Custom Security Objects (Users, Roles, Operation Permissions)
How to: Manually Configure Permissions for Associated Collections and Reference Properties
How to: Show a List of Users Allowed to Read an Object
How to: Use Custom Logon Parameters and Authentication
How to: Use the Integrated Mode of the Security System in Non-XAF Applications
Workflow
Localization
Testing
Miscellaneous UI Customizations
Frequently Asked Questions (FAQ)
API Reference
Download CHM

How to: Assign the Same Permissions for All Users of an Active Directory Group

  • 3 minutes to read

The AuthenticationActiveDirectory authentication type does not support Active Directory Security Groups out of the box. This topic demonstrates how to map XAF security roles to AD groups. When a user logs on for the first time, existing roles with names matching the user’s AD group names are automatically assigned. If the user membership in AD groups was modified, the associated roles collection will be updated accordingly on the next logon.

Note

The approach described in this topic is not supported by the Mobile platform.

  • In the module project, reference the System.DirectoryServices.AccountManagement.dll assembly, which provides the UserPrincipal class.

  • Inherit AuthenticationActiveDirectory and override the AuthenticationActiveDirectory.Authenticate method:

    using System.DirectoryServices.AccountManagement;
using DevExpress.Data.Filtering;
using DevExpress.ExpressApp;
using DevExpress.ExpressApp.Security;
using DevExpress.Persistent.BaseImpl.PermissionPolicy;
// ...
public class CustomAuthenticationActiveDirectory : AuthenticationActiveDirectory { 
    public override object Authenticate(IObjectSpace objectSpace) { 
        string userName = GetUserName(); 
        PermissionPolicyUser user = objectSpace.FindObject<PermissionPolicyUser>(new BinaryOperator("UserName", userName)); 
        if(user == null) { 
            if(CreateUserAutomatically) { 
                user = objectSpace.CreateObject<PermissionPolicyUser>(); 
                user.UserName = userName; 
            }                 
        } 
        if(user != null) { 
            foreach(PermissionPolicyRole role in user.Roles.ToArray()) { 
                if(!UserPrincipal.Current.GetGroups().Any(p => p.Name == role.Name)) { 
                    user.Roles.Remove(role); 
                } 
            } 
            foreach(string groupName in UserPrincipal.Current.GetGroups().Select(x => x.Name)) { 
                if(!user.Roles.Any(p => p.Name == groupName)) { 
                    PermissionPolicyRole role = objectSpace.FindObject<PermissionPolicyRole>(new BinaryOperator("Name", groupName)); 
                    if(role != null) { 
                        user.Roles.Add(role); 
                    } 
                } 
            } 
        } 
        if(user == null || user.Roles.Count == 0) { 
            throw new AuthenticationException(userName); 
        } 
        objectSpace.CommitChanges(); 
        return user; 
    } 
}
  • Rebuild the solution.

  • Run the Application Designer and replace the AuthenticationActiveDirectory component with the CustomAuthenticationActiveDirectory component from the toolbox (as it is demonstrated in the Pass the Custom Classes to the Security System section of the How to: Use Custom Logon Parameters and Authentication topic).

    CustomAuthenticationActiveDirectory