Prevent Users from Deleting and Updating Administrative User and Role Objects
- 3 minutes to read
This topic explains how to create Validation and Conditional Appearance Rules to prevent users from deleting and updating administrative user and role objects. These rules affect all users including administrative users.
This help topic uses the ApplicationUser
class generated by the XAF Solution Wizard as well as the EF Core-based PermissionPolicyRole class. In applications based on XPO, use the PermissionPolicyRole class from the DevExpress.Persistent.BaseImpl.PermissionPolicy namespace.
Prevent Deletion of Administrative Users and Roles
- Add the Validation Module to the platform-agnostic Module (MySolution.Module).
Open the Model Editor and navigate to the Application | Validation | Rules node. Right-click this node and add the following RuleCriteria that prevents deletion of the “Admin“ user and “Administrators“ role:
Rule ID
TargetContextIDs
Criteria[1]
TargetType
CustomMessageTemplate
PreventDeleteAdminUser
Delete
[UserName] != ‘Admin’
ApplicationUser
(or a custom user type)Cannot remove this user.
PreventDeleteAdminRole
Delete
[Name] != ‘Administrators’
PermissionPolicyRole
(or a custom role type)Cannot remove this role.
Alternatively, you can open the Model.DesignedDiffs.xafml file as an XML file and add the following elements:
<?xml version="1.0" encoding="utf-8"?> <Application> <!-- ... --> <Validation> <Rules> <!-- ... --> <RuleCriteria Id="PreventDeleteAdminUser" TargetContextIDs="Delete" Criteria="[UserName] != 'Admin'" TargetType="MySolution.Module.BusinessObjects.ApplicationUser" CustomMessageTemplate="Cannot remove this user." IsNewNode="True" /> <RuleCriteria Id="PreventDeleteAdminRole" TargetContextIDs="Delete" Criteria="[Name] != 'Administrators'" TargetType="DevExpress.Persistent.BaseImpl.EF.PermissionPolicy.PermissionPolicyRole" CustomMessageTemplate="Cannot remove this role." IsNewNode="True" /> </Rules> </Validation> </Application>
The following image shows the result:
Prevent Update of Administrative Users and Roles
- Add the Conditional Appearance Module to the platform-agnostic Module (MySolution.Module).
Open the Model Editor and navigate to the Application | BOModel | MySolution.Module.BusinessObjects | ApplicationUser | AppearanceRules node. Right-click this node and add the following rule that disables editors in the Detail View of the “Admin“ User:
ID
Enabled
Context
Criteria[1]
Target Items
DisableAdminUserEditors
False
DetailView
[UserName] == ‘Admin’
IsActive; Roles; UserName
Alternatively, you can open the Model.DesignedDiffs.xafml file as an XML file and add the following element:
<?xml version="1.0" encoding="utf-8"?> <Application> <!-- ... --> <BOModel> <!-- ... --> <Class Name="MySolution.Module.BusinessObjects.ApplicationUser"> <AppearanceRules> <AppearanceRule Id="DisableAdminUserEditors" Enabled="False" Context="DetailView" Criteria="[UserName] == 'Admin'" TargetItems="IsActive; Roles; UserName" IsNewNode="True" /> </AppearanceRules> </Class> </BOModel> </Application>
Open the Model Editor and navigate to the Application | BOModel | DevExpress.Persistent.BaseImpl.EF.PermissionPolicy | PermissionPolicyRole | AppearanceRules node. Right-click this node and add the following rule that disables editors in the Detail View of the “Administrators“ Role:
ID
Enabled
Context
Criteria
Target Items
DisableAdminRoleEditors
False
DetailView
[Name] == ‘Administrators’
Name; Users; IsAdministrative
Alternatively, you can open the Model.DesignedDiffs.xafml file as an XML file and add the following element:
<?xml version="1.0" encoding="utf-8"?> <Application> <!-- ... --> <BOModel> <!-- ... --> <Class Name="DevExpress.Persistent.BaseImpl.EF.PermissionPolicy.PermissionPolicyUser"> <AppearanceRules> <AppearanceRule Id="DisableAdminRoleEditors" Enabled="False" Context="DetailView" TargetItems="Name; Users; IsAdministrative" Criteria="[Name] == 'Administrators'" IsNewNode="True" /> </AppearanceRules> </Class> </BOModel> </Application>
The following image shows the result:
-
Note that users should have permission to read the PermissionPolicyUser.UserName and PermissionPolicyRole.Name properties. Otherwise, their values are replaced with the “*******“ placeholder and no object matches the specified criteria. Grant permission to read the UserName and Name properties or use Oid/Id instead in criteria (all users have permission to read this property).