4
Tags: .NET , Frameworks (XAF & XPO) , eXpressApp Framework Open in popup window using System; using DevExpress.ExpressApp; using DevExpress.Data.Filtering; using DevExpress.ExpressApp.Security; using MainDemo.Module.BusinessObjects; using DevExpress.ExpressApp.SystemModule; using DevExpress.Persistent.Base.General; using DevExpress.ExpressApp.Security.Strategy; namespace MainDemo.Module.DatabaseUpdate { public class Updater : DevExpress.ExpressApp.Updating.ModuleUpdater { public Updater(IObjectSpace objectSpace, Version currentDBVersion) : base(objectSpace, currentDBVersion) { } public override void UpdateDatabaseAfterUpdateSchema() { base.UpdateDatabaseAfterUpdateSchema(); //Create departments. Department devDepartment = ObjectSpace.FindObject<Department>(CriteriaOperator.Parse("Title == 'R&D'")); if(devDepartment == null) { devDepartment = ObjectSpace.CreateObject<Department>(); devDepartment.Title = "R&D"; devDepartment.Office = "1"; devDepartment.Save(); } Department supDepartment = ObjectSpace.FindObject<Department>(CriteriaOperator.Parse("Title == 'Technical if(supDepartment == null) { supDepartment = ObjectSpace.CreateObject<Department>(); supDepartment.Title = "Technical Support"; supDepartment.Office = "2"; supDepartment.Save(); } Department mngDepartment = ObjectSpace.FindObject<Department>(CriteriaOperator.Parse("Title == 'Management if(mngDepartment == null) { mngDepartment = ObjectSpace.CreateObject<Department>(); mngDepartment.Title = "Management"; mngDepartment.Office = "3"; mngDepartment.Save(); } //Create employees. //Admin is a god that can do everything. 
Employee administrator = ObjectSpace.FindObject<Employee>(CriteriaOperator.Parse("UserName == 'Admin'")); if(administrator == null) { administrator = ObjectSpace.CreateObject<Employee>(); administrator.UserName = "Admin"; administrator.FirstName = "Admin"; administrator.LastName = "Admin"; administrator.Department = mngDepartment; administrator.IsActive = true; administrator.SetPassword(""); administrator.Roles.Add(GetAdministratorRole()); administrator.Save(); ID: E4045 Modified On: 10/9/2013 1:33:16 PM Technology: .NET Platform: Frameworks (XAF & XPO) Product: eXpressApp Framework Downloads Example Example Runner SUPPORT CENTER FAQ Training Events Localization Examples Tickets Submit a Support Ticket Submit a Support Ticket Type search string and press Enter E How to separate data between employees and managers of different departments using security permissions 1 Scenario This example demonstrates how to use the new security system to implement the subject: - Users ( Joe, John) can view and edit their own tasks, but cannot delete them or create new ones. They also have readonly access to tasks, employees and other data of their own department. - Managers ( Sam, Mary) can fully manage (CRUD) their own department, its employees and tasks. However, they cannot access data from other departments. - Administrators ( Admin) can do everything within the application. All users have empty passwords by default. You can see how it works in action at http://www.screencast.com/t/TBKEiCEfxc (or you can run functional tests in the MainDemo.EasyTests folder). Steps to implement 1. Permissions at the type and object level (with a criteria) are configured in the MainDemo.Module/DatabaseUpdate/Updater file. Take special note that for building a complex criteria against associated objects, the JoinOperand together with the built-in CurrentUserId and IsCurrentUserInRole criteria functions. 
For greater convenience, strongly typed criteria for permissions are accompanied with their string representation. 2. The SecuredObjectSpaceProvider is used in the CreateDefaultObjectSpaceProvider method of the XafApplication descendants located in the WinForms and ASP.NET projects. 3. The Department, Employee and EmployeeTask classes are implemented in the MainDemo.Module/BusinessObjects folder. To quickly understand relationships between involved business classes, their class diagram is attached. IMPORTANT NOTES 1. Be aware of the issue described in the Security - The "Entering state 'GetObjectsNonReenterant'" error may occur while saving data if a permission criteria involves a collection property thread. 2. The State of the New Security System Show all comments Leave a Comment Updater.cs C# v2013 vol 1.4 - v2014 vol 2.7 Products Free Trials & Demos Buy Support My Account About Us Log In E4045 - How to separate data between employees and managers of different departments using security permissions | DevExpress Support Center 25-May-15 https://www.devexpress.com/Support/Center/Example/Details/E4045 1 / 4

E4045 - How to Separate Data Between Employees and Managers


  • Tags: .NET, Frameworks (XAF & XPO), eXpressApp Framework


    using System;using DevExpress.ExpressApp;using DevExpress.Data.Filtering;using DevExpress.ExpressApp.Security;using MainDemo.Module.BusinessObjects;using DevExpress.ExpressApp.SystemModule;using DevExpress.Persistent.Base.General;using DevExpress.ExpressApp.Security.Strategy;

    // Database updater of the MainDemo module. This part of the listing seeds the demo
    // departments and the administrator account; the method continues further down the page.
    // NOTE(review): this copy of the listing has lost its generic type arguments. The copy at
    // the top of the page reads ObjectSpace.FindObject<Department>(...) and
    // ObjectSpace.CreateObject<Department>(); the calls below are kept exactly as printed here.
    namespace MainDemo.Module.DatabaseUpdate {
        public class Updater : DevExpress.ExpressApp.Updating.ModuleUpdater {
            // Forwards both arguments unchanged to the ModuleUpdater base constructor.
            public Updater(IObjectSpace objectSpace, Version currentDBVersion) : base(objectSpace, currentDBVersion) { }

            // Seeds departments, employees and tasks. Every record is looked up first and
            // created only when the lookup returns null, so an existing row is left untouched.
            // NOTE(review): presumably invoked by the framework after a schema update (going by
            // the name) - confirm against the ModuleUpdater documentation.
            public override void UpdateDatabaseAfterUpdateSchema() {
                base.UpdateDatabaseAfterUpdateSchema();

                // Create departments.
                Department devDepartment = ObjectSpace.FindObject(CriteriaOperator.Parse("Title == 'R&D'"));
                if(devDepartment == null) {
                    devDepartment = ObjectSpace.CreateObject();
                    devDepartment.Title = "R&D";
                    devDepartment.Office = "1";
                    devDepartment.Save();
                }
                Department supDepartment = ObjectSpace.FindObject(CriteriaOperator.Parse("Title == 'Technical Support'"));
                if(supDepartment == null) {
                    supDepartment = ObjectSpace.CreateObject();
                    supDepartment.Title = "Technical Support";
                    supDepartment.Office = "2";
                    supDepartment.Save();
                }
                Department mngDepartment = ObjectSpace.FindObject(CriteriaOperator.Parse("Title == 'Management'"));
                if(mngDepartment == null) {
                    mngDepartment = ObjectSpace.CreateObject();
                    mngDepartment.Title = "Management";
                    mngDepartment.Office = "3";
                    mngDepartment.Save();
                }

                // Create employees.
                // Admin belongs to the Management department and receives the role returned by
                // GetAdministratorRole(), i.e. it can do everything within the application.
                Employee administrator = ObjectSpace.FindObject(CriteriaOperator.Parse("UserName == 'Admin'"));
                if(administrator == null) {
                    administrator = ObjectSpace.CreateObject();
                    administrator.UserName = "Admin";
                    administrator.FirstName = "Admin";
                    administrator.LastName = "Admin";
                    administrator.Department = mngDepartment;
                    administrator.IsActive = true;
                    // NOTE(review): the active administrative account is created with an empty
                    // password (the page states that all demo users have empty passwords).
                    // Acceptable for the sample only; set a real password or force a change at
                    // first logon before this updater runs against a non-demo database.
                    administrator.SetPassword("");
                    administrator.Roles.Add(GetAdministratorRole());
                    administrator.Save();
                    // The closing brace of this if block follows in the next part of the listing.

    ID: E4045

    Modified On: 10/9/2013 1:33:16 PM

    Technology: .NET

    Platform: Frameworks (XAF & XPO)

    Product: eXpressApp Framework


    How to separate data between employees and managers of different departments using security permissions

    Scenario

    This example demonstrates how to use the new security system to implement the subject:

    - Users (Joe, John) can view and edit their own tasks, but cannot delete them or create new ones. They also have read-only access to tasks, employees and other data of their own department.

    - Managers (Sam, Mary) can fully manage (CRUD) their own department, its employees and tasks. However, they cannot access data from other departments.

    - Administrators (Admin) can do everything within the application.

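    All users have empty passwords by default. This covers every account the Updater seeds, including Admin, so assign passwords before reusing the seeding code outside the demo. You can see how it works in action at http://www.screencast.com/t/TBKEiCEfxc (or you can run functional tests in the MainDemo.EasyTests folder).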

    Steps to implement

    1. Permissions at the type and object level (with a criteria) are configured in the MainDemo.Module/DatabaseUpdate/Updater file.

    Take special note that complex criteria against associated objects are built with the JoinOperand together with the built-in CurrentUserId and IsCurrentUserInRole criteria functions. For greater convenience, strongly typed criteria for permissions are accompanied by their string representation.

    2. The SecuredObjectSpaceProvider is used in the CreateDefaultObjectSpaceProvider method of the XafApplication descendants located in the WinForms and ASP.NET projects.

    3. The Department, Employee and EmployeeTask classes are implemented in the MainDemo.Module/BusinessObjects folder.

    To quickly understand relationships between involved business classes, their class diagram is attached.

    IMPORTANT NOTES

    1. Be aware of the issue described in the Security - The "Entering state 'GetObjectsNonReenterant'" error may occur while saving data if a permission criteria involves a collection property thread.

    2. The State of the New Security System


    Updater.cs C# v2013 vol 1.4 - v2014 vol 2.7


  • } // closes the if block that the preceding part of the listing left open
                // Continuation of UpdateDatabaseAfterUpdateSchema(): seeds the remaining demo
                // employees and their tasks, then commits.
                // NOTE(review): generic type arguments are missing from this copy of the listing
                // (FindObject / CreateObject are printed without them); code is kept as printed.
                // NOTE(review): every account below is active and created with an empty password
                // (the page states this is the demo default). Do not carry that into a real
                // deployment; set passwords or force a change at first logon.

                // Sam is a manager (role from GetManagerRole()) in the R&D department.
                Employee managerSam = ObjectSpace.FindObject(CriteriaOperator.Parse("UserName == 'Sam'"));
                if(managerSam == null) {
                    managerSam = ObjectSpace.CreateObject();
                    managerSam.UserName = "Sam";
                    managerSam.FirstName = "Sam";
                    managerSam.LastName = "Jackson";
                    managerSam.IsActive = true;
                    managerSam.SetPassword("");
                    managerSam.Department = devDepartment;
                    managerSam.Roles.Add(GetManagerRole());
                    managerSam.Save();
                }
                // John is an ordinary user (role from GetUserRole()) within Sam's department.
                Employee userJohn = ObjectSpace.FindObject(CriteriaOperator.Parse("UserName == 'John'"));
                if(userJohn == null) {
                    userJohn = ObjectSpace.CreateObject();
                    userJohn.UserName = "John";
                    userJohn.FirstName = "John";
                    userJohn.LastName = "Doe";
                    userJohn.IsActive = true;
                    userJohn.SetPassword("");
                    userJohn.Department = devDepartment;
                    userJohn.Roles.Add(GetUserRole());
                    userJohn.Save();
                }
                // Mary is a manager of another department (Technical Support).
                Employee managerMary = ObjectSpace.FindObject(CriteriaOperator.Parse("UserName == 'Mary'"));
                if(managerMary == null) {
                    managerMary = ObjectSpace.CreateObject();
                    managerMary.UserName = "Mary";
                    managerMary.FirstName = "Mary";
                    managerMary.LastName = "Tellinson";
                    managerMary.IsActive = true;
                    managerMary.SetPassword("");
                    managerMary.Department = supDepartment;
                    managerMary.Roles.Add(GetManagerRole());
                    managerMary.Save();
                }
                // Joe is an ordinary user within Mary's department.
                Employee userJoe = ObjectSpace.FindObject(CriteriaOperator.Parse("UserName == 'Joe'"));
                if(userJoe == null) {
                    userJoe = ObjectSpace.CreateObject();
                    userJoe.UserName = "Joe";
                    userJoe.FirstName = "Joe";
                    userJoe.LastName = "Pitt";
                    userJoe.IsActive = true;
                    userJoe.SetPassword("");
                    userJoe.Department = supDepartment;
                    userJoe.Roles.Add(GetUserRole());
                    userJoe.Save();
                }

                // Create tasks for employees: one per seeded user, each created only when no
                // object with the same Subject is found.
                if(ObjectSpace.FindObject(CriteriaOperator.Parse("Subject == 'Do homework'")) == null) {
                    EmployeeTask task = ObjectSpace.CreateObject();
                    task.Subject = "Do homework";
                    task.AssignedTo = managerSam;
                    task.DueDate = DateTime.Now;
                    task.Status = TaskStatus.NotStarted;
                    task.Description = "This is a task for Sam";
                    task.Save();
                }
                if(ObjectSpace.FindObject(CriteriaOperator.Parse("Subject == 'Prepare coffee for everyone'")) == null) {
                    EmployeeTask task = ObjectSpace.CreateObject();
                    task.Subject = "Prepare coffee for everyone";
                    task.AssignedTo = userJohn;
                    task.DueDate = DateTime.Now;
                    task.Status = TaskStatus.InProgress;
                    task.Description = "This is a task for John";
                    task.Save();
                }
                if(ObjectSpace.FindObject(CriteriaOperator.Parse("Subject == 'Read latest news'")) == null) {
                    EmployeeTask task = ObjectSpace.CreateObject();
                    task.Subject = "Read latest news";
                    task.AssignedTo = managerMary;
                    task.DueDate = DateTime.Now;
                    task.Status = TaskStatus.Completed;
                    task.Description = "This is a task for Mary";
                    task.Save();
                }
                if(ObjectSpace.FindObject(CriteriaOperator.Parse("Subject == 'Book tickets'")) == null) {
                    EmployeeTask task = ObjectSpace.CreateObject();
                    task.Subject = "Book tickets";
                    task.AssignedTo = userJoe;
                    task.DueDate = DateTime.Now;
                    task.Status = TaskStatus.Deferred;
                    task.Description = "This is a task for Joe";
                    task.Save();
                }
                // Persist everything created above.
                ObjectSpace.CommitChanges();
            }

            // Join criteria reused by the object permissions of the roles. Its string form is
            // [][Oid = CurrentUserId()].Single(Department.Oid)
            // which, read literally, selects the Department.Oid of the Employee whose Oid equals
            // the current user's id.
            // NOTE(review): the declaration is cut off by the page extraction after OperatorName;
            // the remaining constructor arguments are not visible here.
            JoinOperand joinEmployeesToAccessOwnDepartmemnt = new JoinOperand("Employee", new OperandProperty("Oid") == new FunctionOperator(CurrentUserIdOperator.OperatorName

    // NOTE(review): generic type arguments are missing from this copy of the listing
    // (FindObject / CreateObject are printed without them); code is kept as printed.

            // Administrators can do everything within the application.
            // Returns the role named "Administrators", creating it when the lookup finds none.
            // NOTE(review): a newly created role is not saved explicitly here; presumably it is
            // persisted by the caller's CommitChanges() - confirm.
            private SecuritySystemRole GetAdministratorRole() {
                SecuritySystemRole administratorRole = ObjectSpace.FindObject(new BinaryOperator("Name", "Administrators"));
                if(administratorRole == null) {
                    administratorRole = ObjectSpace.CreateObject();
                    administratorRole.Name = "Administrators";
                    // Can access everything: the administrative flag is set instead of
                    // listing individual type or object permissions.
                    administratorRole.IsAdministrative = true;
                }
                return administratorRole;
            }

            // Users can work with their own tasks and can also view data of their own department.
            // Returns the role named "Users", creating and configuring it when it does not exist.
            // The method body continues in the following parts of the listing.
            private SecuritySystemRole GetUserRole() {
                SecuritySystemRole userRole = ObjectSpace.FindObject(new BinaryOperator("Name", "Users"));
                if(userRole == null) {
                    userRole = ObjectSpace.CreateObject();
                    userRole.Name = "Users";

                    // Type-level permission for Employee: users cannot navigate to employees
                    // (AllowNavigate is switched off in the next part of the listing).
                    SecuritySystemTypePermissionObject userPermissions = ObjectSpace.CreateObject();
                    userPermissions.TargetType = typeof(Employee);


  • userPermissions.AllowNavigate = false; // type level: no navigation to Employee for the Users role
                    // Continuation of GetUserRole(), inside the block that configures a newly
                    // created "Users" role.
                    // NOTE(review): several statements below are cut off by the page extraction
                    // and generic type arguments are missing; code is kept exactly as printed.
                    // Each Criteria is assigned twice: first the string form, then the strongly
                    // typed form, which overwrites it (the page says the typed criteria are
                    // accompanied by their string representation).
                    userRole.TypePermissions.Add(userPermissions);

                    // Can view employees only from own department.
                    SecuritySystemObjectPermissionsObject canViewEmployeesFromOwnDepartmentPermission = ObjectSpace.CreateObject // statement cut off in the listing
                    canViewEmployeesFromOwnDepartmentPermission.Criteria = "Department.Oid = [][Oid = CurrentUserId()].Single(Department.Oid)";
                    canViewEmployeesFromOwnDepartmentPermission.Criteria = new BinaryOperator(new OperandProperty("Department.Oid"), joinEmployeesToAccessOwnDepartmemnt // statement cut off in the listing
                    canViewEmployeesFromOwnDepartmentPermission.AllowNavigate = true;
                    canViewEmployeesFromOwnDepartmentPermission.AllowRead = true;
                    userPermissions.ObjectPermissions.Add(canViewEmployeesFromOwnDepartmentPermission);

                    // Can change a few properties of own user only: the criteria restricts the
                    // write permission to the Employee whose Oid is the current user's id.
                    // NOTE(review): StoredPassword is among the writable members; keep the
                    // Oid=CurrentUserId() criteria in place so that this write access never
                    // extends to other users' records.
                    SecuritySystemMemberPermissionsObject canEditOwnUserPermission = ObjectSpace.CreateObject();
                    canEditOwnUserPermission.Members = "ChangePasswordOnFirstLogon; StoredPassword; FirstName; LastName";
                    canEditOwnUserPermission.Criteria = "Oid=CurrentUserId()";
                    canEditOwnUserPermission.Criteria = (new OperandProperty("Oid") == new FunctionOperator(CurrentUserIdOperator.OperatorName)).ToString();
                    canEditOwnUserPermission.AllowWrite = true;
                    userPermissions.MemberPermissions.Add(canEditOwnUserPermission);

                    // Cannot access roles: a type permission for SecuritySystemRole is added
                    // with no Allow* flag set in this code.
                    SecuritySystemTypePermissionObject rolePermissions = ObjectSpace.CreateObject();
                    rolePermissions.TargetType = typeof(SecuritySystemRole);
                    userRole.TypePermissions.Add(rolePermissions);

                    // Can navigate to tasks, but cannot create them.
                    SecuritySystemTypePermissionObject employeeTaskPermissions = ObjectSpace.CreateObject();
                    employeeTaskPermissions.TargetType = typeof(EmployeeTask);
                    employeeTaskPermissions.AllowNavigate = true;
                    employeeTaskPermissions.AllowCreate = false;
                    userRole.TypePermissions.Add(employeeTaskPermissions);

                    // Can view and edit own tasks (AssignedTo is the current user), but cannot
                    // delete them.
                    SecuritySystemObjectPermissionsObject canManageOwnTasksObjectPermission = ObjectSpace.CreateObject();
                    canManageOwnTasksObjectPermission.Criteria = "AssignedTo.Oid=CurrentUserId()";
                    canManageOwnTasksObjectPermission.Criteria = (new OperandProperty("AssignedTo.Oid") == new FunctionOperator(CurrentUserIdOperator.OperatorName)).ToString // statement cut off in the listing
                    canManageOwnTasksObjectPermission.AllowNavigate = true;
                    canManageOwnTasksObjectPermission.AllowRead = true;
                    canManageOwnTasksObjectPermission.AllowWrite = true;
                    canManageOwnTasksObjectPermission.AllowDelete = false;
                    canManageOwnTasksObjectPermission.Save();
                    employeeTaskPermissions.ObjectPermissions.Add(canManageOwnTasksObjectPermission);

                    // Can view, but cannot edit tasks from other users within own department.
                    // NOTE(review): the listing breaks off right after this declaration; the
                    // flags that enforce "view only" for the Users role are not visible here.
                    SecuritySystemObjectPermissionsObject canSeeTasksOnlyFromOwnDepartmentObjectPermission = ObjectSpace.CreateObject

  • canSeeTasksOnlyFromOwnDepartmentObjectPermission.Criteria = "AssignedTo.Department.Oid=[][Oid=CurrentUserId()].Single(Department.Oid)"; // string form, overwritten by the typed form below
                    // NOTE(review): this fragment ends with "return managerRole", so it presumably
                    // is the tail of GetManagerRole(), whose beginning is not part of this listing.
                    // It grants write and delete on tasks of the current user's own department.
                    // Do not read it as the Users role, even though a variable of the same name
                    // is declared in GetUserRole() for its view-only task permission.
                    // NOTE(review): the typed Criteria statement is cut off by the page extraction.
                    canSeeTasksOnlyFromOwnDepartmentObjectPermission.Criteria = new BinaryOperator(new OperandProperty("AssignedTo.Department.Oid"), joinEmployeesToAccessOwnDepartmemnt // statement cut off in the listing
                    canSeeTasksOnlyFromOwnDepartmentObjectPermission.AllowNavigate = true;
                    canSeeTasksOnlyFromOwnDepartmentObjectPermission.AllowRead = true;
                    canSeeTasksOnlyFromOwnDepartmentObjectPermission.AllowWrite = true;
                    canSeeTasksOnlyFromOwnDepartmentObjectPermission.AllowDelete = true;
                    canSeeTasksOnlyFromOwnDepartmentObjectPermission.Save();
                    employeeTaskPermissions.ObjectPermissions.Add(canSeeTasksOnlyFromOwnDepartmentObjectPermission);
                } // end of the block that configures a newly created role
                return managerRole;
            } // end of the method
        } // end of class Updater
    } // end of namespace MainDemo.Module.DatabaseUpdate
