Dear,
What is the reason that the parent and child role feature has been removed from the new Allow/Deny security system ?
Is there a custom way of providing such a functionality, because we have almost 400 roles in our system based on roles hierarchy.
Thanks and best regards…
Hello Maen,
>>
What is the reason that the parent and child role feature has been removed from the new Allow/Deny security system ?
<<
Previously (with SecuritySystemRole), permissions could only allow access to objects (initially all access is denied), and the parent-child role hierarchy helped users define permissions by sharing roles that granted access to common objects, instead of creating the same permissions in each role. Currently (with PermissionPolicyRole), you can set the policy to AllowAllByDefault and deny access to specific objects. So, the hierarchy isn't as helpful as before. As a workaround, you can combine PermissionPolicyRole roles by assigning multiple roles to the same user.
>>
Is there a custom way of providing such a functionality, because we have almost 400 roles in our system based on roles hierarchy.
<<
It can be achieved with custom implementation of the user and role classes. You need to inherit your custom role from the PermissionPolicyRoleBase class, implement the IPermissionPolicyRoleWithUsers interface and add the ChildRoles and ParentRoles collections. Then implement a custom user class as described in the How to: Implement a Custom Security System User Based on an Existing Business Class article. I have attached a sample project demonstrating this functionality. Please note that we have not tested this solution and in some scenarios it can work in an unexpected way. Please give us your feedback about such situations and how much this solution meets your requirements.
Hi Guys,
Based on the example posted by Anton, I have extended it with EffectiveFrom and ExpiresOn dates,
not sure if anyone besides me has a Use Case for this but never the less here it is
Planning security in the future of limiting access in time has never seem so easy ;-)
Good luck :-)
Hello Anton,
I have not 400 roles hierarchy, but also in my opinion having back Parent-Child by default would be great.
My personal experience now is the following: we as ISV provides a few predefined roles in our application (actually is a non-XAF application that includes XAF\XPO security layer) and our customers can add their own roles. I need now to add Parent-Child because I must add some common permissions to our predefined roles and I cannot use your suggested approach to AllowAllByDefault and deny access to something because honestly I find an approach even too simplistic and not in line with an enterprise application.
Besides, I have the problem on how to update existing database schema with the two ParentRole and ChildRole properties.
I will open a dedicated ticket on this.
Thanks
David
Hello David,
Thank you for sharing your feedback with us. We will discuss it when planning future updates of our Security System.
Are you able to achieve the required results with the 'ChildRoles and ParentRoles collections' approach that Anton suggested? If not, please describe what exact issues you faced. We will be happy to assist you.
As for updating of the existing database, we are looking forward to your separate ticket.
Thanks,
Andrey
Hi Andrey,
thanks for your suggestion, but for the moment we decide to postpone this item. As soon as I must "sprint" it, I try Anton's solution.
Regards
David
Disclaimer: The information provided on DevExpress.com and affiliated web properties (including the DevExpress Support Center) is provided "as is" without warranty of any kind. Developer Express Inc disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. Please refer to the DevExpress.com Website Terms of Use for more information in this regard.
Confidential Information: Developer Express Inc does not wish to receive, will not act to procure, nor will it solicit, confidential or proprietary materials and information from you through the DevExpress Support Center or its web properties. Any and all materials or information divulged during chats, email communications, online discussions, Support Center tickets, or made available to Developer Express Inc in any manner will be deemed NOT to be confidential by Developer Express Inc. Please refer to the DevExpress.com Website Terms of Use for more information in this regard.