The Permission Policy determines Security System behavior when there are no explicitly specified permissions for a specific type, object or member. The default permission policy can be selected when creating a new XAF application using the Solution Wizard.
Deny
This policy type is required for providing compatibility to an older versions of XAF. The Deny policy implies that access is always denied when there are no explicitly specified permissions. In new applications, using the Allow/Deny policy instead of Deny is recommended. The Allow/Deny policy allows you to create more complex and flexible security configurations.
Navigation Permissions are not supported for individual navigation items when the Deny Permission Policy is selected. The Navigation Permissions tab is not available in this mode. However, you can specify nevigation permissions for each type in the Type Permissions tab.
Allow/Deny
With the Allow/Deny permission policy, your application administrators can allow access to all data within the application for a specific role and simultaneously deny access to a few data types or members. Alternatively, it is possible to deny access to all data for a role and only allow access to a strict list of objects or members. Both approaches make it easy to allow/deny data access across a broad range of use-case scenarios. To use this feature, choose Allow/Deny Permission Policy on the Choose Security page of the Solution Wizard.
If your application is created in earlier XAF versions, you need to upgrade an existing project to the Allow/Deny permissions policy. If you use Entity Framework as the ORM system, you may also need to perform a migration to switch from Deny to the Allow/Deny policy.
The following types of security users and roles are used with the Allow/Deny permission policy.
| Built-in XPO classes | Built-in Entity Framework classes | Common interfaces to support in custom classes | |
|---|---|---|---|
| User Type | PermissionPolicyUser | PermissionPolicyUser | IPermissionPolicyUser |
| Role Type | PermissionPolicyRole | PermissionPolicyRole | IPermissionPolicyRole |
The Entity Framework and XPO versions of these classes are declared in the Business Class Library. The primary difference with classes used for the Deny policy (SecuritySystemUser/User and SecuritySystemRole/Role) is that the role object exposes the IPermissionPolicyRole.PermissionPolicy property (declared in the IPermissionPolicyRole interface).
With this property, you can assign "deny all", "read only all" or "allow all" default permission policies for each role. For each operation, you can explicitly specify the Allow or Deny modifier or leave it blank.
If the modifier is not specified, the permission is determined by the role's policy type. Note that the role's policy has the lowest priority and is in play only when permissions are not explicitly specified.