Xafari Security. Extra Permissions Types
The Xafari framework provides a Complex Security Strategy to secure business application data. According to this strategy, there are several user groups (Roles) in the system. Each role is characterized by its unique Permission Set. Standard XAF Permissions allow or deny access to various operations with the objects (see the Complex Security Strategy: Permission Types topic). The Xafari Security System complements Permissions by two further types: Action Access Permissions and Navigation Item Access Permissions. These extra Permissions are supported by both Xafari DC Security and Xafari XPO Security.
To see Xafari Extra Permissions in action, refer to the Northwind or Northwind.DC demos installed with Xafari.
Navigation Item Access Permissions
Navigation Item Access Permissions restrict the users access to any particular items in the XAF Navigation System.
In general, XAF allows to control the visibility of the corresponding navigational element via the Navigation option and its Type Permissions tab (see the image below). However, this strategy assumes that there is only one navigation element designed to interact with the fixed type objects. And the Navigation option disables or enables all the menu items corresponding to a certain type. However, in real practice there are situations when one type is represented via several Views designed for the users of different types. One solution is to create an individual Navigation Item for each specialized View, and manage access to these items when configuring roles.
This feature is declared by the INavigationItemAccessSettings interface; therefore, the Role Type used in the application should implement this interface. Xafari DC Security provides the Xafari.Security.DC.IDCSecuritySystemRole type to support the INavigationItemAccessSettings interface; to support this interface, Xafari XPO Security also provides the Xafari.Security.Xpo.XafariSecuritySystemRole type. To learn how to use Role Types in the application, examine the corresponding topics.
If the INavigationItemAccessSettings interface is implemented in a custom Role Type, a special Property Editor should be set up for the Role's Navigation property. Invoke the Model Editor and navigate to the BOMOdel|...|RoleType|OwnMembers|Navigation node, then set the PropertyEditorType property to the "NavigationItemAccessPropertyEditor" value.
The image below demonstrates the Permission Sets for two different roles: Manager and Clerk. See the First Objects and the Second Objects records that grant the Navigate permissions to these roles.
In addition to the default one, there are 2 custom List Views: Fast Registration and Management. They differ in the provided functionality. Each List View is presented via the corresponding item in the navigation system. The image below shows these Views and Navigation Items.
To configure the navigation system according to the user role, invoke the Role Detail View and activate the Navigation Item Access Permissions tab. Check the items that should be hidden, as the below images demonstrate.
In case the user belongs to multiple roles, the following rule applies: if the item is prohibited in at least one of the roles, it does not appear at all.
After these changes, the application will show only the permitted Navigation Items.