https://www.devexpress.com/Support/Center/Question/Details/T418166
Clear [C#] using DevExpress.Persistent.BaseImpl.PermissionPolicy; using DevExpress.ExpressApp.Security.Strategy; using System.Collections.Generic; //.. public override void UpdateDatabaseAfterUpdateSchema() { base.UpdateDatabaseAfterUpdateSchema(); foreach (SecuritySystemUser securitySystemUser in ObjectSpace.GetObjects<SecuritySystemUser>()) { CopyUser(securitySystemUser); } foreach (SecuritySystemRole securitySystemRole in ObjectSpace.GetObjects<SecuritySystemRole>()) { CopyRole(securitySystemRole, null); } ObjectSpace.CommitChanges(); } private void CopyUser(SecuritySystemUser securitySystemUser) { PermissionPolicyUser permissionPolicyUser = ObjectSpace.FindObject<PermissionPolicyUser>(new BinaryOperator("UserName", securitySystemUser.UserName)); if (permissionPolicyUser == null) { permissionPolicyUser = ObjectSpace.CreateObject<PermissionPolicyUser>(); permissionPolicyUser.UserName = securitySystemUser.UserName; permissionPolicyUser.IsActive = securitySystemUser.IsActive; permissionPolicyUser.ChangePasswordOnFirstLogon = securitySystemUser.ChangePasswordOnFirstLogon; foreach (SecuritySystemRole securitySystemRole in securitySystemUser.Roles) { CopyRole(securitySystemRole, permissionPolicyUser); } } } private void CopyRole(SecuritySystemRole securitySystemRole, PermissionPolicyUser permissionPolicyUser) { PermissionPolicyRole permissionPolicyRole = ObjectSpace.FindObject<PermissionPolicyRole>(new BinaryOperator("Name", securitySystemRole.Name)); if (permissionPolicyRole == null) { permissionPolicyRole = ObjectSpace.CreateObject<PermissionPolicyRole>(); permissionPolicyRole.Name = securitySystemRole.Name; permissionPolicyRole.PermissionPolicy = SecurityPermissionPolicy.DenyAllByDefault; permissionPolicyRole.IsAdministrative = securitySystemRole.IsAdministrative; permissionPolicyRole.CanEditModel = securitySystemRole.CanEditModel; foreach (SecuritySystemTypePermissionObject securitySystemTypePermissionObject in securitySystemRole.TypePermissions) { CopyTypePermissions(securitySystemTypePermissionObject, securitySystemRole, permissionPolicyRole); } foreach (SecuritySystemRole parentRole in securitySystemRole.ParentRoles) { CopyParentRole(parentRole, permissionPolicyRole); } if (permissionPolicyUser != null) { permissionPolicyUser.Roles.Add(permissionPolicyRole); } } } private void CopyParentRole(SecuritySystemRole parentRole, PermissionPolicyRole permissionPolicyRole) { if (parentRole.IsAdministrative) { permissionPolicyRole.IsAdministrative = true; } if (parentRole.CanEditModel) { permissionPolicyRole.IsAdministrative = true; } foreach (SecuritySystemTypePermissionObject securitySystemTypePermissionObject in parentRole.TypePermissions) { CopyTypePermissions(securitySystemTypePermissionObject, parentRole, permissionPolicyRole); } foreach (SecuritySystemRole subParentRole in parentRole.ParentRoles) { CopyParentRole(subParentRole, permissionPolicyRole); } } private void CopyTypePermissions(SecuritySystemTypePermissionObject securitySystemTypePermissionObject, SecuritySystemRole securitySystemRole, PermissionPolicyRole permissionPolicyRole) { PermissionPolicyTypePermissionObject permissionPolicyTypePermissionObject = ObjectSpace.FindObject<PermissionPolicyTypePermissionObject>(new BinaryOperator("TargetType", securitySystemTypePermissionObject.TargetType)); permissionPolicyTypePermissionObject = ObjectSpace.CreateObject<PermissionPolicyTypePermissionObject>(); permissionPolicyTypePermissionObject.TargetType = GetTargetType(securitySystemTypePermissionObject.TargetType); permissionPolicyTypePermissionObject.Role = permissionPolicyRole; if (securitySystemTypePermissionObject.AllowRead) { permissionPolicyTypePermissionObject.ReadState = SecurityPermissionState.Allow; } if (securitySystemTypePermissionObject.AllowWrite) { permissionPolicyTypePermissionObject.WriteState = SecurityPermissionState.Allow; } if (securitySystemTypePermissionObject.AllowCreate) { permissionPolicyTypePermissionObject.CreateState = SecurityPermissionState.Allow; } if (securitySystemTypePermissionObject.AllowDelete) { permissionPolicyTypePermissionObject.DeleteState = SecurityPermissionState.Allow; } if (securitySystemTypePermissionObject.AllowNavigate) { permissionPolicyTypePermissionObject.NavigateState = SecurityPermissionState.Allow; } foreach (SecuritySystemObjectPermissionsObject securitySystemObjectPermissionsObject in securitySystemTypePermissionObject.ObjectPermissions) { CopyObjectPermissions(securitySystemObjectPermissionsObject, permissionPolicyTypePermissionObject); } foreach (SecuritySystemMemberPermissionsObject securitySystemMemberPermissionsObject in securitySystemTypePermissionObject.MemberPermissions) { CopyMemberPermission(securitySystemMemberPermissionsObject, permissionPolicyTypePermissionObject); } permissionPolicyRole.TypePermissions.Add(permissionPolicyTypePermissionObject); } private void CopyMemberPermission(SecuritySystemMemberPermissionsObject securitySystemMemberPermissionsObject, PermissionPolicyTypePermissionObject permissionPolicyTypePermissionObject) { PermissionPolicyMemberPermissionsObject permissionPolicyMemberPermissionsObject = ObjectSpace.CreateObject<PermissionPolicyMemberPermissionsObject>(); permissionPolicyMemberPermissionsObject.TypePermissionObject = permissionPolicyTypePermissionObject; if (securitySystemMemberPermissionsObject.AllowRead) { permissionPolicyMemberPermissionsObject.ReadState = SecurityPermissionState.Allow; } if (securitySystemMemberPermissionsObject.AllowWrite) { permissionPolicyMemberPermissionsObject.WriteState = SecurityPermissionState.Allow; } permissionPolicyMemberPermissionsObject.Members = securitySystemMemberPermissionsObject.Members; permissionPolicyMemberPermissionsObject.Criteria = securitySystemMemberPermissionsObject.Criteria; permissionPolicyTypePermissionObject.MemberPermissions.Add(permissionPolicyMemberPermissionsObject); } private void CopyObjectPermissions(SecuritySystemObjectPermissionsObject securitySystemObjectPermissionsObject, PermissionPolicyTypePermissionObject permissionPolicyTypePermissionObject) { PermissionPolicyObjectPermissionsObject permissionPolicyObjectPermissionsObject = ObjectSpace.CreateObject<PermissionPolicyObjectPermissionsObject>(); permissionPolicyObjectPermissionsObject.TypePermissionObject = permissionPolicyTypePermissionObject; if (securitySystemObjectPermissionsObject.AllowRead) { permissionPolicyObjectPermissionsObject.ReadState = SecurityPermissionState.Allow; } if (securitySystemObjectPermissionsObject.AllowWrite) { permissionPolicyObjectPermissionsObject.WriteState = SecurityPermissionState.Allow; } if (securitySystemObjectPermissionsObject.AllowDelete) { permissionPolicyObjectPermissionsObject.DeleteState = SecurityPermissionState.Allow; } if (securitySystemObjectPermissionsObject.AllowNavigate) { permissionPolicyObjectPermissionsObject.NavigateState = SecurityPermissionState.Allow; } permissionPolicyObjectPermissionsObject.Criteria = securitySystemObjectPermissionsObject.Criteria; permissionPolicyTypePermissionObject.ObjectPermissions.Add(permissionPolicyObjectPermissionsObject); } private Type GetTargetType(Type currentType) { Type outType; if (!SecurityAssociationClassDictionary.TryGetValue(currentType, out outType)) { outType = currentType; } return outType; } private static Dictionary<Type, Type> SecurityAssociationClassDictionary = new Dictionary<Type, Type>(){ { typeof(SecuritySystemUser),typeof(PermissionPolicyUser) }, { typeof(SecuritySystemRole),typeof(PermissionPolicyRole) }, { typeof(SecuritySystemTypePermissionObject ),typeof(PermissionPolicyTypePermissionObject ) }, { typeof(SecuritySystemObjectPermissionsObject ),typeof(PermissionPolicyObjectPermissionsObject ) }, { typeof(SecuritySystemMemberPermissionsObject ),typeof(PermissionPolicyMemberPermissionsObject ) } }; //... Close Your email address tq.y@qq.com appears to be unreachable. Please Update Now Welcome, ytq 2080 (A807018) Download Your Products Log Out Products Free Trials & Demos Buy Support My Account About Us SUPPORT CENTER FAQ Training Events Localization Examples Tickets Submit a Support Ticket Type search string and press Enter Add to Favorites Kb How to use the Allow/Deny permissions policy in the existing project Tags: .NET, Frameworks (XAF & XPO), eXpressApp Framework 0 Alexey (DevExpress Support)2 weeks ago Starting with version 16.1, application administrators can allow accessing all data within the application for a specific role and simultaneously prevent the access to a few data types or members. Alternatively, an end-user can deny access to all data for a role and only allow access to a strict list of objects or members. See Security - Introduce the 'Allow' and 'Deny' modifiers for permissions. Prior to version 16.1, the SecuritySystemUser and SecuritySystemRole classes were used to create and process permissions. By default, the DenyAll policy was used, and it was necessary to add the Allow permission for objects and types. These classes are not compatible with the Allow/Deny permissions model. This topic describes how to migrate to Allow/Deny security model in the existing application. Leave a Comment 1 Solution 0 Alexey (DevExpress Support)2 weeks ago If you do not need to transfer existing permissions to the new permissions policy, invoke the Application Designer for the YourSolutionName.Wxx/WxxApplication.xx file and set the UserType and RoleType properties of the SecurityStrategyComplex component to the PermissionPolicyUser and PermissionPolicyRole values respectively. After that, update your code that creates predefined users, roles and the required permissions as per the Using the Security System help article. If your database already contains permissions configured by end-users, you can use the example below in the YourSolutionName.Module/DatabaseUpdate/Updater.cs file to copy them to new security classes. NOTE: we cannot guarantee that all permissions will be converted correctly, because these classes use different permissions mechanisms. [C#]Open in popup window using DevExpress.Persistent.BaseImpl.PermissionPolicy; using DevExpress.ExpressApp.Security.Strategy; using System.Collections.Generic; //.. public override void UpdateDatabaseAfterUpdateSchema() { base.UpdateDatabaseAfterUpdateSchema(); foreach (SecuritySystemUser securitySystemUser in ObjectSpace.GetObjects<SecuritySystemUser>()) { CopyUser(securitySystemUser); } foreach (SecuritySystemRole securitySystemRole in ObjectSpace.GetObjects<SecuritySystemRole>()) { CopyRole(securitySystemRole, null); } ObjectSpace.CommitChanges(); } private void CopyUser(SecuritySystemUser securitySystemUser) { PermissionPolicyUser permissionPolicyUser = ObjectSpace.FindObject<PermissionPolicyUser>(new BinaryOperator("UserName", securitySystemUser.UserName)); if (permissionPolicyUser == null) { permissionPolicyUser = ObjectSpace.CreateObject<PermissionPolicyUser>(); permissionPolicyUser.UserName = securitySystemUser.UserName; permissionPolicyUser.IsActive = securitySystemUser.IsActive; permissionPolicyUser.ChangePasswordOnFirstLogon = securitySystemUser.ChangePasswordOnFirstLogon; foreach (SecuritySystemRole securitySystemRole in securitySystemUser.Roles) { CopyRole(securitySystemRole, permissionPolicyUser); } } } private void CopyRole(SecuritySystemRole securitySystemRole, PermissionPolicyUser permissionPolicyUser) { PermissionPolicyRole permissionPolicyRole = ObjectSpace.FindObject<PermissionPolicyRole>(new BinaryOperator("Name", securitySystemRole.Name)); if (permissionPolicyRole == null) { permissionPolicyRole = ObjectSpace.CreateObject<PermissionPolicyRole>(); permissionPolicyRole.Name = securitySystemRole.Name; permissionPolicyRole.PermissionPolicy = SecurityPermissionPolicy.DenyAllByDefault; permissionPolicyRole.IsAdministrative = securitySystemRole.IsAdministrative; permissionPolicyRole.CanEditModel = securitySystemRole.CanEditModel; foreach (SecuritySystemTypePermissionObject securitySystemTypePermissionObject in securitySystemRole.TypePermissions) { CopyTypePermissions(securitySystemTypePermissionObject, securitySystemRole, permissionPolicyRole); } foreach (SecuritySystemRole parentRole in securitySystemRole.ParentRoles) { CopyParentRole(parentRole, permissionPolicyRole); } if (permissionPolicyUser != null) { permissionPolicyUser.Roles.Add(permissionPolicyRole); } } } private void CopyParentRole(SecuritySystemRole parentRole, PermissionPolicyRole permissionPolicyRole) { if (parentRole.IsAdministrative) { permissionPolicyRole.IsAdministrative = true; } if (parentRole.CanEditModel) { permissionPolicyRole.IsAdministrative = true; } foreach (SecuritySystemTypePermissionObject securitySystemTypePermissionObject in parentRole.TypePermissions) { CopyTypePermissions(securitySystemTypePermissionObject, parentRole, permissionPolicyRole); } foreach (SecuritySystemRole subParentRole in parentRole.ParentRoles) { CopyParentRole(subParentRole, permissionPolicyRole); } } private void CopyTypePermissions(SecuritySystemTypePermissionObject securitySystemTypePermissionObject, SecuritySystemRole securitySystemRole, PermissionPolicyRole permissionPolicyRole) { PermissionPolicyTypePermissionObject permissionPolicyTypePermissionObject = ObjectSpace.FindObject<PermissionPolicyTypePermissionObject>(new BinaryOperator("TargetType", securitySystemTypePermissionObject.TargetType)); permissionPolicyTypePermissionObject = ObjectSpace.CreateObject<PermissionPolicyTypePermissionObject>(); permissionPolicyTypePermissionObject.TargetType = GetTargetType(securitySystemTypePermissionObject.TargetType); permissionPolicyTypePermissionObject.Role = permissionPolicyRole; if (securitySystemTypePermissionObject.AllowRead) { permissionPolicyTypePermissionObject.ReadState = SecurityPermissionState.Allow; } if (securitySystemTypePermissionObject.AllowWrite) { permissionPolicyTypePermissionObject.WriteState = SecurityPermissionState.Allow; } if (securitySystemTypePermissionObject.AllowCreate) { permissionPolicyTypePermissionObject.CreateState = SecurityPermissionState.Allow; } if (securitySystemTypePermissionObject.AllowDelete) { permissionPolicyTypePermissionObject.DeleteState = SecurityPermissionState.Allow; } if (securitySystemTypePermissionObject.AllowNavigate) { permissionPolicyTypePermissionObject.NavigateState = SecurityPermissionState.Allow; } foreach (SecuritySystemObjectPermissionsObject securitySystemObjectPermissionsObject in securitySystemTypePermissionObject.ObjectPermissions) { CopyObjectPermissions(securitySystemObjectPermissionsObject, permissionPolicyTypePermissionObject); } foreach (SecuritySystemMemberPermissionsObject securitySystemMemberPermissionsObject in securitySystemTypePermissionObject.MemberPermissions) { CopyMemberPermission(securitySystemMemberPermissionsObject, permissionPolicyTypePermissionObject); } permissionPolicyRole.TypePermissions.Add(permissionPolicyTypePermissionObject); } private void CopyMemberPermission(SecuritySystemMemberPermissionsObject securitySystemMemberPermissionsObject, PermissionPolicyTypePermissionObject permissionPolicyTypePermissionObject) { PermissionPolicyMemberPermissionsObject permissionPolicyMemberPermissionsObject = ObjectSpace.CreateObject<PermissionPolicyMemberPermissionsObject>(); permissionPolicyMemberPermissionsObject.TypePermissionObject = permissionPolicyTypePermissionObject; if (securitySystemMemberPermissionsObject.AllowRead) { permissionPolicyMemberPermissionsObject.ReadState = SecurityPermissionState.Allow; } if (securitySystemMemberPermissionsObject.AllowWrite) { permissionPolicyMemberPermissionsObject.WriteState = SecurityPermissionState.Allow; } permissionPolicyMemberPermissionsObject.Members = securitySystemMemberPermissionsObject.Members; permissionPolicyMemberPermissionsObject.Criteria = securitySystemMemberPermissionsObject.Criteria; permissionPolicyTypePermissionObject.MemberPermissions.Add(permissionPolicyMemberPermissionsObject); } private void CopyObjectPermissions(SecuritySystemObjectPermissionsObject securitySystemObjectPermissionsObject, PermissionPolicyTypePermissionObject permissionPolicyTypePermissionObject) { PermissionPolicyObjectPermissionsObject permissionPolicyObjectPermissionsObject = ObjectSpace.CreateObject<PermissionPolicyObjectPermissionsObject>(); permissionPolicyObjectPermissionsObject.TypePermissionObject = permissionPolicyTypePermissionObject; if (securitySystemObjectPermissionsObject.AllowRead) { permissionPolicyObjectPermissionsObject.ReadState = SecurityPermissionState.Allow; } if (securitySystemObjectPermissionsObject.AllowWrite) { permissionPolicyObjectPermissionsObject.WriteState = SecurityPermissionState.Allow; } if (securitySystemObjectPermissionsObject.AllowDelete) { permissionPolicyObjectPermissionsObject.DeleteState = SecurityPermissionState.Allow; } if (securitySystemObjectPermissionsObject.AllowNavigate) { permissionPolicyObjectPermissionsObject.NavigateState = SecurityPermissionState.Allow; } permissionPolicyObjectPermissionsObject.Criteria = securitySystemObjectPermissionsObject.Criteria; permissionPolicyTypePermissionObject.ObjectPermissions.Add(permissionPolicyObjectPermissionsObject); } private Type GetTargetType(Type currentType) { Type outType; if (!SecurityAssociationClassDictionary.TryGetValue(currentType, out outType)) { outType = currentType; } return outType; } private static Dictionary<Type, Type> SecurityAssociationClassDictionary = new Dictionary<Type, Type>(){ { typeof(SecuritySystemUser),typeof(PermissionPolicyUser) }, { typeof(SecuritySystemRole),typeof(PermissionPolicyRole) }, { typeof(SecuritySystemTypePermissionObject ),typeof(PermissionPolicyTypePermissionObject ) }, { typeof(SecuritySystemObjectPermissionsObject ),typeof(PermissionPolicyObjectPermissionsObject ) }, { typeof(SecuritySystemMemberPermissionsObject ),typeof(PermissionPolicyMemberPermissionsObject ) } }; //... As a result, new permissions will be created in the database. After the database is updated, manually check if all permissions are converted correctly. Please pay attention to the following: - A key value will not be copied to new objects. - Existing references to SecuritySystemUser and SecuritySystemRole in your business objects will not be redirected to corresponding PermissionPolicyUser and PermissionPolicyRole objects. - In some cases, it is better to rework permissions so that they will match the new Security System. For example: Allow all objects except some using a complex criterion -> Deny some objects using a simple criterion. Please do not hesitate to contact us if you encounter any issue. Leave a Comment Add to Favorites ID: T418166 Created On: 2016/8/23 下午7:46:13 Modified On: 2016/9/1 上午7:36:21 Related Questions Security - Introduce the 'Allow' and 'Deny' modifiers for permissions How do I implement 'Permission Policy' (new feature of 16.1) to older version 15.2 How to automatically grant security permissions to change associated reference or collection members Disclaimer: The information provided on DevExpress.com and its affiliated web properties is provided "as is" without warranty of any kind. Developer Express Inc disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. Please refer to the DevExpress.com Website Terms of Use for more information. DEVEXPRESS About Us News Our Awards Upcoming Events User Comments Case Studies Reviews and Publications Licensing Purchasing MVP Program Contact Us Logos .NET CONTROLS WinForms ASP.NET MVC WPF Windows 10 Apps CROSS PLATFORM Reporting Document Automation MOBILE DevExtreme Mobile ENTERPRISE TOOLS Report Server Analytics Dashboard FRAMEWORKS eXpressApp Framework CODE-DEBUG-REFACTOR CodeRush for Visual Studio HTML5 JS WIDGETS DevExtreme Web iOS DataExplorer FUNCTIONAL WEB TESTING TestCafe DELPHI C++BUILDER VCL SUPPORT Search the Knowledge Base My Questions Code Examples Getting Started Demos Documentation Blogs Training Webinars Current Version/Build Version History If you need additional product information, write to us at info@devexpress.com or call us at +1 (818) 844-3383 FOLLOW US DevExpress engineers feature-complete Presentation Controls, IDE Productivity Tools, Business Application Frameworks, and Reporting Systems for Visual Studio, along with high-performance HTML JS Mobile Frameworks for developers targeting iOS, Android and Windows Phone. Whether using WPF, ASP.NET, WinForms, HTML5 or Windows 10, DevExpress tools help you build and deliver your best in the shortest time possible. Your Privacy - Legal Statements Copyright © 1998-2015 Developer Express Inc. All trademarks or registered trademarks are property of their respective owners