Skip to main content
BuyLog In
XAF: Cross-Platform .NET App UI & Web API
Search in…
Docs > Data Security and Safety > Security (Access Control & Authentication) > Task-Based Help > Prevent Users from Deleting and Updating Administrative User and Role Objects
A newer version of this page is available. .
All docs
V21.2
.NET Framework 4.5.2+
Cross-Platform .NET App UI (XAF)
Getting Started
Installation, Upgrade, Version History
Application Shell and Base Infrastructure
Storage, ORM, and Business Model Design
Data Manipulation and Business Logic
User Interface and Behavior Customization
Data Filtering
Data Security and Safety
Security (Access Control & Authentication)
Passwords in the Security System
Client-Side Security (2-Tier Architecture)
Authentication
Predefined Users, Roles and Permissions
Middle Tier Security (XPO Only)
Security Permissions Caching
Permissions for Associated Objects
Merging of Permissions Defined in Different Roles
Permission Policy
Customize the Logon Window
Use the Security (Access Control & Authentication) API in Non-XAF Applications - Free Offer
Task-Based Help
Assign the Same Permissions for All Users of an Active Directory Group
Assign an Image to a User
Change the Current User Role in Code
Change the Client-Side Security Mode from UI Level to Integrated in XPO applications
Determine if the Current User Has Specific Permissions
Get the Current User in Code
Hide the Protected Content Columns in a List View and Property Editors in a Detail View
Implement a Custom Security Operation that Can be Permitted at the Type Level
Implement a Custom Security System User Based on an Existing Business Class
Implement Custom Security Objects (Users, Roles, Operation Permissions)
Manually Configure Permissions for Associated Collections and Reference Properties
Prevent Users from Deleting and Updating Administrative User and Role Objects
Show a List of Users Allowed to Read an Object
Use Custom Logon Parameters and Authentication
Audit Trail (History of Data Changes)
Backend Web API Service (CTP)
Validation (Prevent Data Errors)
Conditional Appearance (Manage State of UI Elements)
Reporting (Shape, Export & Print Data)
Analytics (Extract Data Insights)
Document Management
Business Process Management
Event Planning
Localization
Debugging, Testing and Error Handling
Deployment
Support, QA & Troubleshooting
API Reference
Download CHM

Prevent Users from Deleting and Updating Administrative User and Role Objects

  • 3 minutes to read

This topic explains how to create Validation and Conditional Appearance Rules to prevent users from deleting and updating administrative user and role objects. These rules affect all users including administrative users.

This help topic uses the XPO-based PermissionPolicyUser and PermissionPolicyRole classes. In applications based on EF 6 and EF Core, use the PermissionPolicyUser and PermissionPolicyRole classes from the DevExpress.Persistent.BaseImpl.EF.PermissionPolicy namespace.

Prevent Deletion of Administrative Users and Roles

  1. Add the Validation Module to the platform-agnostic Module.

  2. Open the Model Editor and navigate to the Application | Validation | Rules node. Right-click this node and add the following RuleCriteria that prevent deletion of the “Admin“ User and “Administrators“ Role:

    Rule ID

    TargetContextIDs

    Criteria[1]

    TargetType

    CustomMessageTemplate

    PreventDeleteAdminUser

    Delete

    [UserName] != ‘Admin’

    PermissionPolicyUser
    (or a custom user type)

    Cannot remove this user.

    PreventDeleteAdminRole

    Delete

    [Name] != ‘Administrators’

    PermissionPolicyRole
    (or a custom role type)

    Cannot remove this role.

    admin_user_validation_rule

    Alternatively, you can open the Model.DesignedDiffs.xafml file as an XML file and add the following elements:

    <?xml version="1.0" encoding="utf-8"?>
<Application>
  <!-- ... -->
  <Validation>
    <Rules>
      <!-- ... -->
      <RuleCriteria 
        Id="PreventDeleteAdminUser" 
        TargetContextIDs="Delete" 
        Criteria="[UserName] != 'Admin'" 
        TargetType="DevExpress.Persistent.BaseImpl.PermissionPolicy.PermissionPolicyUser" 
        CustomMessageTemplate="Cannot remove this user." 
        IsNewNode="True" />
      <RuleCriteria 
        Id="PreventDeleteAdminRole" 
        TargetContextIDs="Delete" 
        Criteria="[Name] != 'Administrators'" 
        TargetType="DevExpress.Persistent.BaseImpl.PermissionPolicy.PermissionPolicyRole" 
        CustomMessageTemplate="Cannot remove this role." 
        IsNewNode="True" />
    </Rules>
  </Validation>
</Application>

The following image shows the result:

Prevent Update of Administrative Users and Roles

  1. Add the Conditional Appearance Module to the platform-agnostic Module.

  2. Open the Model Editor and navigate to the Application | BOModel | DevExpress.Persistent.BaseImpl.PermissionPolicy | PermissionPolicyUser | AppearanceRules node. Right-click this node and add the following rule that disables editors on the Detail View of the “Admin“ User:

    ID

    Enabled

    Context

    Criteria[1]

    Target Items

    DisableAdminUserEditors

    False

    DetailView

    [UserName] == ‘Admin’

    IsActive; Roles; UserName

    Alternatively, you can open the Model.DesignedDiffs.xafml file as an XML file and add the following element:

    <?xml version="1.0" encoding="utf-8"?>
<Application>
  <!-- ... -->
  <BOModel>
    <!-- ... -->
    <Class Name="DevExpress.Persistent.BaseImpl.PermissionPolicy.PermissionPolicyUser">
      <AppearanceRules>
        <AppearanceRule 
          Id="DisableAdminUserEditors" 
          Enabled="False" 
          Context="DetailView" 
          Criteria="[UserName] == 'Admin'" 
          TargetItems="IsActive; Roles; UserName" 
          IsNewNode="True" />
      </AppearanceRules>
    </Class>
  </BOModel>
</Application>

  3. Open the Model Editor and navigate to the Application | BOModel | DevExpress.Persistent.BaseImpl.PermissionPolicy | PermissionPolicyRole | AppearanceRules node. Right-click this node and add the following rule that disables editors on the Detail View of the “Administrators“ Role:

    ID

    Enabled

    Context

    Criteria

    Target Items

    DisableAdminRoleEditors

    False

    DetailView

    [Name] == ‘Administrators’

    Name; Users; IsAdministrative

    Alternatively, you can open the Model.DesignedDiffs.xafml file as an XML file and add the following element:

    <?xml version="1.0" encoding="utf-8"?>
<Application>
  <!-- ... -->
  <BOModel>
    <!-- ... -->
    <Class Name="DevExpress.Persistent.BaseImpl.PermissionPolicy.PermissionPolicyRole">
      <AppearanceRules>
        <AppearanceRule 
          Id="DisableAdminRoleEditors" 
          Enabled="False" 
          Context="DetailView" 
          TargetItems="Name; Users; IsAdministrative" 
          Criteria="[Name] == 'Administrators'" 
          IsNewNode="True" />
      </AppearanceRules>
    </Class>
  </BOModel>
</Application>

The following image shows the result:

Footnotes

  1. Note that users should have permission to read the PermissionPolicyUser.UserName and PermissionPolicyRole.Name properties. Otherwise, their values are replaced with the “*******“ placeholder and no object matches the specified criteria. Grant permission to read the UserName and Name properties or use Oid/Id instead in criteria (all users have permission to read this property).