//Managers can access and fully edit (including create and delete capabilities) data from their own department. However, they cannot access data from other departments.
        private SecuritySystemRole GetManagerRole()
        {
            SecuritySystemRole managerRole = ObjectSpace.FindObject <SecuritySystemRole>(new BinaryOperator("Name", "Managers"));

            if (managerRole == null)
            {
                managerRole      = ObjectSpace.CreateObject <SecuritySystemRole>();
                managerRole.Name = "Managers";
                managerRole.ChildRoles.Add(GetUserRole());


                SecuritySystemTypePermissionObject departmentTypePermission = ObjectSpace.CreateObject <SecuritySystemTypePermissionObject>();
                departmentTypePermission.TargetType    = typeof(Department);
                departmentTypePermission.AllowNavigate = true;
                managerRole.TypePermissions.Add(departmentTypePermission);

                SecuritySystemObjectPermissionsObject canEditOwnDepartmentObjectPermission = ObjectSpace.CreateObject <SecuritySystemObjectPermissionsObject>();
                canEditOwnDepartmentObjectPermission.Criteria = "Oid=[<Employee>][Oid=CurrentUserId()].Single(Department.Oid)";
                canEditOwnDepartmentObjectPermission.Criteria = "Employees[Oid=CurrentUserId()]";
                //canEditOwnDepartmentObjectPermission.Criteria = new BinaryOperator(new OperandProperty("Oid"), currentlyLoggedEmployeeDepartmemntOid, BinaryOperatorType.Equal).ToString();
                canEditOwnDepartmentObjectPermission.AllowNavigate = true;
                canEditOwnDepartmentObjectPermission.AllowRead     = true;
                canEditOwnDepartmentObjectPermission.AllowWrite    = true;
                canEditOwnDepartmentObjectPermission.AllowDelete   = true;
                canEditOwnDepartmentObjectPermission.Save();
                departmentTypePermission.ObjectPermissions.Add(canEditOwnDepartmentObjectPermission);

                SecuritySystemTypePermissionObject employeeTypePermission = ObjectSpace.CreateObject <SecuritySystemTypePermissionObject>();
                employeeTypePermission.TargetType    = typeof(Employee);
                employeeTypePermission.AllowNavigate = true;
                employeeTypePermission.AllowCreate   = true;
                managerRole.TypePermissions.Add(employeeTypePermission);
                SecuritySystemObjectPermissionsObject canEditEmployeesFromOwnDepartmentObjectPermission = ObjectSpace.CreateObject <SecuritySystemObjectPermissionsObject>();
                canEditEmployeesFromOwnDepartmentObjectPermission.Criteria = "IsNull(Department) || Department.Oid=[<Employee>][Oid=CurrentUserId()].Single(Department.Oid)";
                canEditEmployeesFromOwnDepartmentObjectPermission.Criteria = "IsNull(Department) || Department.Employees[Oid=CurrentUserId()]";
                //canEditEmployeesFromOwnDepartmentObjectPermission.Criteria = (new NullOperator(new OperandProperty("Department")) | new BinaryOperator(new OperandProperty("Department.Oid"), currentlyLoggedEmployeeDepartmemntOid, BinaryOperatorType.Equal)).ToString();
                canEditEmployeesFromOwnDepartmentObjectPermission.AllowWrite    = true;
                canEditEmployeesFromOwnDepartmentObjectPermission.AllowDelete   = true;
                canEditEmployeesFromOwnDepartmentObjectPermission.AllowNavigate = true;
                canEditEmployeesFromOwnDepartmentObjectPermission.AllowRead     = true;
                canEditEmployeesFromOwnDepartmentObjectPermission.Save();
                employeeTypePermission.ObjectPermissions.Add(canEditEmployeesFromOwnDepartmentObjectPermission);

                SecuritySystemTypePermissionObject taskTypePermission = ObjectSpace.CreateObject <SecuritySystemTypePermissionObject>();
                taskTypePermission.TargetType    = typeof(EmployeeTask);
                taskTypePermission.AllowNavigate = true;
                taskTypePermission.AllowCreate   = true;
                managerRole.TypePermissions.Add(taskTypePermission);
                SecuritySystemObjectPermissionsObject canEditTasksOnlyFromOwnDepartmentObjectPermission = ObjectSpace.CreateObject <SecuritySystemObjectPermissionsObject>();
                canEditTasksOnlyFromOwnDepartmentObjectPermission.Criteria = "IsNull(AssignedTo) || IsNull(AssignedTo.Department) || AssignedTo.Department.Oid=[<Employee>][Oid=CurrentUserId()].Single(Department.Oid)";
                canEditTasksOnlyFromOwnDepartmentObjectPermission.Criteria = "IsNull(AssignedTo) || IsNull(AssignedTo.Department) || AssignedTo.Department.Employees[Oid=CurrentUserId()]";
                //canEditTasksOnlyFromOwnDepartmentObjectPermission.Criteria = (new NullOperator(new OperandProperty("AssignedTo")) | new NullOperator(new OperandProperty("AssignedTo.Department")) | new BinaryOperator(new OperandProperty("AssignedTo.Department.Oid"), currentlyLoggedEmployeeDepartmemntOid, BinaryOperatorType.Equal)).ToString();
                canEditTasksOnlyFromOwnDepartmentObjectPermission.AllowNavigate = true;
                canEditTasksOnlyFromOwnDepartmentObjectPermission.AllowRead     = true;
                canEditTasksOnlyFromOwnDepartmentObjectPermission.AllowWrite    = true;
                canEditTasksOnlyFromOwnDepartmentObjectPermission.AllowDelete   = true;
                canEditTasksOnlyFromOwnDepartmentObjectPermission.Save();
                taskTypePermission.ObjectPermissions.Add(canEditTasksOnlyFromOwnDepartmentObjectPermission);
            }
            return(managerRole);
        }
Ejemplo n.º 2
0
        private DevExpress.ExpressApp.Security.Strategy.SecuritySystemRole CreateSecurityDemoRole()
        {
            DevExpress.ExpressApp.Security.Strategy.SecuritySystemRole securityDemoRole = ObjectSpace.FindObject <DevExpress.ExpressApp.Security.Strategy.SecuritySystemRole>(new BinaryOperator("Name", "Demo"));
            if (securityDemoRole == null)
            {
                securityDemoRole      = ObjectSpace.CreateObject <DevExpress.ExpressApp.Security.Strategy.SecuritySystemRole>();
                securityDemoRole.Name = "Demo";

                // Type Operation Permissions
                SecuritySystemTypePermissionObject fullAccessPermission = ObjectSpace.CreateObject <SecuritySystemTypePermissionObject>();
                fullAccessPermission.TargetType    = typeof(FullAccessObject);
                fullAccessPermission.AllowCreate   = true;
                fullAccessPermission.AllowDelete   = true;
                fullAccessPermission.AllowNavigate = true;
                fullAccessPermission.AllowRead     = true;
                fullAccessPermission.AllowWrite    = true;
                fullAccessPermission.Save();
                securityDemoRole.TypePermissions.Add(fullAccessPermission);
                SecuritySystemTypePermissionObject protectedContentPermission = ObjectSpace.CreateObject <SecuritySystemTypePermissionObject>();
                protectedContentPermission.TargetType    = typeof(ProtectedContentObject);
                protectedContentPermission.AllowNavigate = true;
                protectedContentPermission.Save();
                securityDemoRole.TypePermissions.Add(protectedContentPermission);
                SecuritySystemTypePermissionObject readOnlyPermission = ObjectSpace.CreateObject <SecuritySystemTypePermissionObject>();
                readOnlyPermission.TargetType    = typeof(ReadOnlyObject);
                readOnlyPermission.AllowNavigate = true;
                readOnlyPermission.AllowRead     = true;
                readOnlyPermission.Save();
                securityDemoRole.TypePermissions.Add(readOnlyPermission);

                SecuritySystemTypePermissionObject irremovablePermission = ObjectSpace.CreateObject <SecuritySystemTypePermissionObject>();
                irremovablePermission.TargetType    = typeof(IrremovableObject);
                irremovablePermission.AllowCreate   = true;
                irremovablePermission.AllowNavigate = true;
                irremovablePermission.AllowRead     = true;
                irremovablePermission.AllowWrite    = true;
                irremovablePermission.Save();
                securityDemoRole.TypePermissions.Add(irremovablePermission);
                SecuritySystemTypePermissionObject uncreatablePermission = ObjectSpace.CreateObject <SecuritySystemTypePermissionObject>();
                uncreatablePermission.TargetType    = typeof(UncreatableObject);
                uncreatablePermission.AllowDelete   = true;
                uncreatablePermission.AllowNavigate = true;
                uncreatablePermission.AllowRead     = true;
                uncreatablePermission.AllowWrite    = true;
                uncreatablePermission.Save();
                securityDemoRole.TypePermissions.Add(uncreatablePermission);

                // Member Operation Permissions
                SecuritySystemTypePermissionObject navigateMemberLevelOperationObjectPermission = ObjectSpace.CreateObject <SecuritySystemTypePermissionObject>();
                navigateMemberLevelOperationObjectPermission.TargetType    = typeof(MemberLevelSecurityObject);
                navigateMemberLevelOperationObjectPermission.AllowCreate   = true;
                navigateMemberLevelOperationObjectPermission.AllowDelete   = true;
                navigateMemberLevelOperationObjectPermission.AllowNavigate = true;
                navigateMemberLevelOperationObjectPermission.Save();
                securityDemoRole.TypePermissions.Add(navigateMemberLevelOperationObjectPermission);

                SecuritySystemMemberPermissionsObject readWriteMemberPermission = ObjectSpace.CreateObject <SecuritySystemMemberPermissionsObject>();
                //readWriteMemberPermission.TargetType = typeof(MemberLevelSecurityObject);
                readWriteMemberPermission.Members    = "ReadWriteProperty; Name; oid; Oid; OptimisticLockField"; // TODO - Slava D - service fields - XPO responsibility
                readWriteMemberPermission.AllowRead  = true;
                readWriteMemberPermission.AllowWrite = true;
                readWriteMemberPermission.Save();
                navigateMemberLevelOperationObjectPermission.MemberPermissions.Add(readWriteMemberPermission);
                //securityDemoRole.TypePermissions.Add(readWriteMemberPermission);

                SecuritySystemMemberPermissionsObject protectedContentMemberPermission = ObjectSpace.CreateObject <SecuritySystemMemberPermissionsObject>();
                //protectedContentMemberPermission.TargetType = typeof(MemberLevelSecurityObject);
                protectedContentMemberPermission.Members = "ProtectedContentProperty; ProtectedContentCollection";
                protectedContentMemberPermission.Save();
                navigateMemberLevelOperationObjectPermission.MemberPermissions.Add(protectedContentMemberPermission);
                //securityDemoRole.TypePermissions.Add(protectedContentMemberPermission);

                SecuritySystemMemberPermissionsObject readOnlyMemberPermission = ObjectSpace.CreateObject <SecuritySystemMemberPermissionsObject>();
                //readOnlyMemberPermission.TargetType = typeof(MemberLevelSecurityObject);
                readOnlyMemberPermission.Members   = "ReadOnlyProperty; ReadOnlyCollection";
                readOnlyMemberPermission.AllowRead = true;
                readOnlyMemberPermission.Save();
                navigateMemberLevelOperationObjectPermission.MemberPermissions.Add(readOnlyMemberPermission);
                //securityDemoRole.TypePermissions.Add(readOnlyMemberPermission);

                SecuritySystemTypePermissionObject memberLevelReferencedObject1Permission = ObjectSpace.CreateObject <SecuritySystemTypePermissionObject>();
                memberLevelReferencedObject1Permission.TargetType  = typeof(MemberLevelReferencedObject1);
                memberLevelReferencedObject1Permission.AllowRead   = true;
                memberLevelReferencedObject1Permission.AllowWrite  = true;
                memberLevelReferencedObject1Permission.AllowCreate = true;
                memberLevelReferencedObject1Permission.AllowDelete = true;
                memberLevelReferencedObject1Permission.Save();
                securityDemoRole.TypePermissions.Add(memberLevelReferencedObject1Permission);

                SecuritySystemTypePermissionObject memberLevelReferencedObject2Permission = ObjectSpace.CreateObject <SecuritySystemTypePermissionObject>();
                memberLevelReferencedObject2Permission.TargetType  = typeof(MemberLevelReferencedObject2);
                memberLevelReferencedObject2Permission.AllowRead   = true;
                memberLevelReferencedObject2Permission.AllowWrite  = true;
                memberLevelReferencedObject2Permission.AllowCreate = true;
                memberLevelReferencedObject2Permission.AllowDelete = true;
                memberLevelReferencedObject2Permission.Save();
                securityDemoRole.TypePermissions.Add(memberLevelReferencedObject2Permission);



                // Object Operation Permissions
                SecuritySystemTypePermissionObject navigateObjectLevelSecurityObjectPermission = ObjectSpace.CreateObject <SecuritySystemTypePermissionObject>();
                navigateObjectLevelSecurityObjectPermission.TargetType    = typeof(ObjectLevelSecurityObject);
                navigateObjectLevelSecurityObjectPermission.AllowNavigate = true;
                navigateObjectLevelSecurityObjectPermission.Save();
                securityDemoRole.TypePermissions.Add(navigateObjectLevelSecurityObjectPermission);

                SecuritySystemObjectPermissionsObject fullAccessObjectPermission = ObjectSpace.CreateObject <SecuritySystemObjectPermissionsObject>();
                //fullAccessObjectPermission.TargetType = typeof(ObjectLevelSecurityObject);
                fullAccessObjectPermission.Criteria = "[Name] Like '%Fully Accessible%'";
                //fullAccessObjectPermission.AllowCreate = true;
                fullAccessObjectPermission.AllowDelete   = true;
                fullAccessObjectPermission.AllowNavigate = true;
                fullAccessObjectPermission.AllowRead     = true;
                fullAccessObjectPermission.AllowWrite    = true;
                fullAccessObjectPermission.Save();
                navigateObjectLevelSecurityObjectPermission.ObjectPermissions.Add(fullAccessObjectPermission);
                //securityDemoRole.TypePermissions.Add(fullAccessObjectPermission);

                SecuritySystemObjectPermissionsObject protectedContentObjectPermission = ObjectSpace.CreateObject <SecuritySystemObjectPermissionsObject>();
                //protectedContentObjectPermission.TargetType = typeof(ObjectLevelSecurityObject);
                protectedContentObjectPermission.Criteria      = "[Name] Like '%Protected%'";
                protectedContentObjectPermission.AllowNavigate = true;
                protectedContentObjectPermission.Save();
                navigateObjectLevelSecurityObjectPermission.ObjectPermissions.Add(protectedContentObjectPermission);
                //securityDemoRole.TypePermissions.Add(protectedContentObjectPermission);

                SecuritySystemObjectPermissionsObject readOnlyObjectPermission = ObjectSpace.CreateObject <SecuritySystemObjectPermissionsObject>();
                //readOnlyObjectPermission.TargetType = typeof(ObjectLevelSecurityObject);
                readOnlyObjectPermission.Criteria      = "[Name] Like '%Read-Only%'";
                readOnlyObjectPermission.AllowNavigate = true;
                readOnlyObjectPermission.AllowRead     = true;
                readOnlyObjectPermission.Save();
                navigateObjectLevelSecurityObjectPermission.ObjectPermissions.Add(readOnlyObjectPermission);
                //securityDemoRole.TypePermissions.Add(readOnlyObjectPermission);

                SecuritySystemObjectPermissionsObject irremovableObjectPermission = ObjectSpace.CreateObject <SecuritySystemObjectPermissionsObject>();
                //irremovableObjectPermission.TargetType = typeof(ObjectLevelSecurityObject);
                irremovableObjectPermission.Criteria = "[Name] Like '%Protected Deletion%'";
                //irremovableObjectPermission.AllowCreate = true;
                irremovableObjectPermission.AllowNavigate = true;
                irremovableObjectPermission.AllowRead     = true;
                irremovableObjectPermission.AllowWrite    = true;
                irremovableObjectPermission.Save();
                navigateObjectLevelSecurityObjectPermission.ObjectPermissions.Add(irremovableObjectPermission);
                //securityDemoRole.TypePermissions.Add(irremovableObjectPermission);

                securityDemoRole.Save();
            }
            return(securityDemoRole);
        }
        //Users can access and partially edit data (no create and delete capabilities) from their own department.
        private SecuritySystemRole GetUserRole()
        {
            SecuritySystemRole userRole = ObjectSpace.FindObject <SecuritySystemRole>(new BinaryOperator("Name", "Users"));

            if (userRole == null)
            {
                userRole      = ObjectSpace.CreateObject <SecuritySystemRole>();
                userRole.Name = "Users";

                SecuritySystemTypePermissionObject userTypePermission = ObjectSpace.CreateObject <SecuritySystemTypePermissionObject>();
                userTypePermission.TargetType = typeof(Employee);
                userRole.TypePermissions.Add(userTypePermission);

                SecuritySystemObjectPermissionsObject canViewEmployeesFromOwnDepartmentObjectPermission = ObjectSpace.CreateObject <SecuritySystemObjectPermissionsObject>();
                canViewEmployeesFromOwnDepartmentObjectPermission.Criteria = "Department.Employees[Oid = CurrentUserId()]";
                //canViewEmployeesFromOwnDepartmentObjectPermission.Criteria = new BinaryOperator(new OperandProperty("Department.Oid"), currentlyLoggedEmployeeDepartmemntOid, BinaryOperatorType.Equal).ToString();
                canViewEmployeesFromOwnDepartmentObjectPermission.AllowNavigate = true;
                canViewEmployeesFromOwnDepartmentObjectPermission.AllowRead     = true;
                userTypePermission.ObjectPermissions.Add(canViewEmployeesFromOwnDepartmentObjectPermission);

                SecuritySystemMemberPermissionsObject canEditOwnUserMemberPermission = ObjectSpace.CreateObject <SecuritySystemMemberPermissionsObject>();
                canEditOwnUserMemberPermission.Members    = "ChangePasswordOnFirstLogon; StoredPassword; FirstName; LastName;";
                canEditOwnUserMemberPermission.Criteria   = "Oid=CurrentUserId()";
                canEditOwnUserMemberPermission.Criteria   = (new OperandProperty("Oid") == new FunctionOperator(CurrentUserIdOperator.OperatorName)).ToString();
                canEditOwnUserMemberPermission.AllowWrite = true;
                userTypePermission.MemberPermissions.Add(canEditOwnUserMemberPermission);

                SecuritySystemMemberPermissionsObject canEditUserAssociationsFromOwnDepartmentMemberPermission = ObjectSpace.CreateObject <SecuritySystemMemberPermissionsObject>();
                canEditUserAssociationsFromOwnDepartmentMemberPermission.Members  = "Tasks; Department;";
                canEditUserAssociationsFromOwnDepartmentMemberPermission.Criteria = "Department.Employees[Oid = CurrentUserId()]";
                //canEditUserAssociationsFromOwnDepartmentMemberPermission.Criteria = new BinaryOperator(new OperandProperty("Department.Oid"), currentlyLoggedEmployeeDepartmemntOid, BinaryOperatorType.Equal).ToString();
                canEditUserAssociationsFromOwnDepartmentMemberPermission.AllowWrite = true;
                userTypePermission.MemberPermissions.Add(canEditUserAssociationsFromOwnDepartmentMemberPermission);


                SecuritySystemTypePermissionObject roleTypePermission = ObjectSpace.CreateObject <SecuritySystemTypePermissionObject>();
                roleTypePermission.TargetType = typeof(SecuritySystemRole);
                roleTypePermission.AllowRead  = true;
                userRole.TypePermissions.Add(roleTypePermission);


                SecuritySystemTypePermissionObject taskTypePermission = ObjectSpace.CreateObject <SecuritySystemTypePermissionObject>();
                taskTypePermission.TargetType    = typeof(EmployeeTask);
                taskTypePermission.AllowNavigate = true;
                userRole.TypePermissions.Add(taskTypePermission);

                SecuritySystemMemberPermissionsObject canEditTaskAssociationsMemberPermission = ObjectSpace.CreateObject <SecuritySystemMemberPermissionsObject>();
                canEditTaskAssociationsMemberPermission.Members  = "AssignedTo;";
                canEditTaskAssociationsMemberPermission.Criteria = "AssignedTo.Department.Oid=[<Employee>][Oid=CurrentUserId()].Single(Department.Oid)";
                canEditTaskAssociationsMemberPermission.Criteria = "AssignedTo.Department.Employees[Oid = CurrentUserId()]";
                //canEditTaskAssociationsMemberPermission.Criteria = new BinaryOperator(new OperandProperty("AssignedTo.Department.Oid"), currentlyLoggedEmployeeDepartmemntOid, BinaryOperatorType.Equal).ToString();
                canEditTaskAssociationsMemberPermission.AllowWrite = true;
                taskTypePermission.MemberPermissions.Add(canEditTaskAssociationsMemberPermission);

                SecuritySystemObjectPermissionsObject canyEditTasksFromOwnDepartmentObjectPermission = ObjectSpace.CreateObject <SecuritySystemObjectPermissionsObject>();
                canyEditTasksFromOwnDepartmentObjectPermission.Criteria = "AssignedTo.Department.Oid=[<Employee>][Oid=CurrentUserId()].Single(Department.Oid)";
                canyEditTasksFromOwnDepartmentObjectPermission.Criteria = "AssignedTo.Department.Employees[Oid = CurrentUserId()]";
                //canyEditTasksFromOwnDepartmentObjectPermission.Criteria = new BinaryOperator(new OperandProperty("AssignedTo.Department.Oid"), currentlyLoggedEmployeeDepartmemntOid, BinaryOperatorType.Equal).ToString();
                canyEditTasksFromOwnDepartmentObjectPermission.AllowNavigate = true;
                canyEditTasksFromOwnDepartmentObjectPermission.AllowWrite    = true;
                canyEditTasksFromOwnDepartmentObjectPermission.AllowRead     = true;
                taskTypePermission.ObjectPermissions.Add(canyEditTasksFromOwnDepartmentObjectPermission);

                SecuritySystemTypePermissionObject departmentTypePermission = ObjectSpace.CreateObject <SecuritySystemTypePermissionObject>();
                departmentTypePermission.TargetType = typeof(Department);
                userRole.TypePermissions.Add(departmentTypePermission);

                SecuritySystemObjectPermissionsObject canViewOwnDepartmentObjectPermission = ObjectSpace.CreateObject <SecuritySystemObjectPermissionsObject>();
                canViewOwnDepartmentObjectPermission.Criteria = "Oid=[<Employee>][Oid=CurrentUserId()].Single(Department.Oid)";
                canViewOwnDepartmentObjectPermission.Criteria = "Employees[Oid=CurrentUserId()]";
                //canViewOwnDepartmentObjectPermission.Criteria = new BinaryOperator(new OperandProperty("Oid"), currentlyLoggedEmployeeDepartmemntOid, BinaryOperatorType.Equal).ToString();
                canViewOwnDepartmentObjectPermission.AllowNavigate = true;
                canViewOwnDepartmentObjectPermission.AllowRead     = true;
                canViewOwnDepartmentObjectPermission.Save();
                departmentTypePermission.ObjectPermissions.Add(canViewOwnDepartmentObjectPermission);

                SecuritySystemMemberPermissionsObject canEditAssociationsMemberPermission = ObjectSpace.CreateObject <SecuritySystemMemberPermissionsObject>();
                canEditAssociationsMemberPermission.Members  = "Employees;";
                canEditAssociationsMemberPermission.Criteria = "Oid=[<Employee>][Oid=CurrentUserId()].Single(Department.Oid)";
                canEditAssociationsMemberPermission.Criteria = "Employees[Oid=CurrentUserId()]";
                //canEditAssociationsMemberPermission.Criteria = new BinaryOperator(new OperandProperty("Oid"), currentlyLoggedEmployeeDepartmemntOid, BinaryOperatorType.Equal).ToString();
                canEditAssociationsMemberPermission.AllowWrite = true;
                departmentTypePermission.MemberPermissions.Add(canEditAssociationsMemberPermission);
            }
            return(userRole);
        }