Security Permissions for Actions (CTP)
To enable this feature, set the static EnableSecurityForActions property to true. To add custom Actions to, or remove system Actions from, the list shown in the Denied Actions tab, handle the NonSecureActionsInitializing event.
Note that Action permissions hide Actions unconditionally: they do not interact with Conditional Appearance, State Machine, TargetObjectsCriteriaMode, or any custom Controller logic that reacts to criteria or to object/UI changes. If you need dynamic behavior for Actions, use those mechanisms together with the built-in criteria functions such as IsCurrentUserInRole and CurrentUserId.
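As an added example that is not part of the original release notes, the snippet below shows where the two calls above go in a WinForms startup routine. It assumes both static members live on DevExpress.ExpressApp.Security.SecurityStrategy, that the event args type is named NonSecureActionsInitializingEventArgs and exposes a NonSecureActions collection of Action IDs (Actions excluded from permission checks, and therefore absent from the Denied Actions tab), and that the application class and Action IDs are placeholders; verify the member names against your XAF version.

```csharp
// Added example (not from the original page): enabling Action permissions and adjusting
// which Actions are subject to them. Class, event-args and Action-ID names are assumptions.
using System;
using DevExpress.ExpressApp;
using DevExpress.ExpressApp.Security;
using DevExpress.ExpressApp.Win;

namespace MySolution.Win {
    static class Program {
        [STAThread]
        static void Main() {
            // 1. Turn on Action permissions. Once enabled, the Role detail view gets a
            //    Denied Actions tab and denied Actions are hidden unconditionally.
            SecurityStrategy.EnableSecurityForActions = true;

            // 2. Subscribe before the application is created so the handler runs when the
            //    list of non-secure Actions is built.
            SecurityStrategy.NonSecureActionsInitializing += OnNonSecureActionsInitializing;

            // MySolutionWindowsFormsApplication is the wizard-generated class (placeholder name).
            WinApplication application = new MySolutionWindowsFormsApplication();
            application.ConnectionString = Environment.GetEnvironmentVariable("XAF_CONNECTION_STRING");
            application.Setup();
            application.Start();
        }

        static void OnNonSecureActionsInitializing(object sender, NonSecureActionsInitializingEventArgs e) {
            // Assumed semantics: an ID present in NonSecureActions is never denied and does not
            // appear in the Denied Actions tab. Removing a system Action's ID makes it deniable
            // per role; adding a custom Action's ID keeps it always available.
            e.NonSecureActions.Remove("ResetPassword");        // hypothetical system Action ID
            e.NonSecureActions.Add("ShowHelpPanel");           // hypothetical custom Action ID
        }
    }
}
```

Keep the handler free of per-user logic: as the note above says, Action permissions are static, so anything that must depend on the current user or object state belongs in Conditional Appearance or a Controller using IsCurrentUserInRole/CurrentUserId, not here.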
Security System for Entity Framework Core (CTP)
Our goal is to help DevExpress and non-DevExpress customers benefit from XAF's Security System and Entity Framework Core. In v20.1, we've added a secured Object Space (a DbContext wrapper) for EF Core 3.1+ and demonstrated its use for basic CRUD operations in Console and WinForms applications. This functionality mirrors our XPO ORM implementation. This feature is currently available as a community tech preview, so we welcome your feedback.
Three main steps to integrate XAF's User Authentication and Group Authorization API using EF Core data access are shown below:
Similar code works in any client or server .NET Core app (including Blazor Server). Note that primary protection takes place at the data store level: when role permissions deny access, secured record fields are returned as null and whole records are filtered out internally, so the client never receives the protected data.
You can also use CanRead or the other CanXXX methods to mask secured fields or adjust the UI further (in the image below, Department is displayed as 'Protected Content' for employees whose Title does not contain the word 'Development').
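The console flow described in this section, written out as an added example rather than the page's own sample: build the security strategy, wrap the DbContext in a secured Object Space provider, log a user on, then read data and mask members the role cannot read. Assumptions not stated on the page: the SecuredEFCoreObjectSpaceProvider constructor signature used below, the namespace of the EF Core PermissionPolicy classes, a DbContext named ApplicationDbContext, and an Employee entity with FullName, Title and Department properties. The credentials and connection string come from environment variables because a logon sample should never hard-code them.

```csharp
// Added example (not DevExpress's own demo code): XAF Security System over EF Core.
// Signatures and namespaces marked "assumed" should be checked against your XAF version.
using System;
using DevExpress.ExpressApp;
using DevExpress.ExpressApp.DC;
using DevExpress.ExpressApp.EFCore;
using DevExpress.ExpressApp.Security;
using DevExpress.Persistent.BaseImpl.EF.PermissionPolicy; // assumed namespace for EF Core users/roles
using Microsoft.EntityFrameworkCore;

class Program {
    static void Main() {
        string connectionString = Environment.GetEnvironmentVariable("XAF_CONNECTION_STRING");
        string userName = Environment.GetEnvironmentVariable("XAF_USER") ?? "User";
        string password = Environment.GetEnvironmentVariable("XAF_PASSWORD") ?? string.Empty;

        // Step 1: authentication (user name + password) and group authorization
        // (PermissionPolicy users and roles).
        AuthenticationStandard authentication = new AuthenticationStandard();
        SecurityStrategyComplex security = new SecurityStrategyComplex(
            typeof(PermissionPolicyUser), typeof(PermissionPolicyRole), authentication);

        // Step 2: the secured Object Space provider wraps the DbContext; every Object Space it
        // creates applies the logged-on user's permissions. Constructor signature assumed.
        SecuredEFCoreObjectSpaceProvider objectSpaceProvider = new SecuredEFCoreObjectSpaceProvider(
            security, typeof(ApplicationDbContext), XafTypesInfo.Instance, connectionString,
            (builder, cs) => builder.UseSqlServer(cs));

        // Step 3: log on. A wrong password throws, so nothing below runs unauthenticated.
        authentication.SetLogonParameters(new AuthenticationStandardLogonParameters(userName, password));
        using (IObjectSpace logonObjectSpace = objectSpaceProvider.CreateObjectSpace()) {
            security.Logon(logonObjectSpace);
        }

        try {
            using (IObjectSpace objectSpace = objectSpaceProvider.CreateObjectSpace()) {
                // Records the role may not read are already filtered out here, and denied
                // members arrive as null: the store-level protection the text describes.
                foreach (Employee employee in objectSpace.GetObjects<Employee>()) {
                    // CanRead distinguishes "denied" from "genuinely empty", so the UI can show
                    // a mask instead of a blank value.
                    string department = security.CanRead(employee, nameof(Employee.Department))
                        ? (employee.Department?.Title ?? "(none)")
                        : "Protected Content";
                    Console.WriteLine($"{employee.FullName} | {employee.Title} | {department}");
                }
            }
        }
        finally {
            security.Logoff();
        }
    }
}
```

With a role whose Employee.Department member permission is granted only for objects matching a criterion such as `Contains([Title], 'Development')`, the loop prints the real department for development staff and 'Protected Content' for everyone else, without the application ever seeing the denied values.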
Security System - New Learning Materials
- This GitHub repository demonstrates how to generate database updater code for security roles created via the application UI in a development environment.
- This KB article explains how to prevent deletion of the last active Administrator and the last administrative role with active users.
- We extended the SecurityStrategy class with IsGrantedExtensions, a set of methods you can use to check whether a user can perform CRUD operations on a type, object or member. For supplementary information, please review the following article: How to: Display a List of Users Allowed to Read an Object.