/// <summary>
/// Returns the "Users" role, creating it on first run. The role is limited to reading
/// and partially editing data of the caller's own department: no business type gets
/// Create or Delete here (the EmployeeTask, Invoice and Customer grants are
/// ReadWriteAccess only).
/// </summary>
/// <returns>The existing or newly created "Users" PermissionPolicyRole.</returns>
private PermissionPolicyRole GetUserRole() {
    var users = ObjectSpace.FindObject<PermissionPolicyRole>(new BinaryOperator("Name", "Users"));
    if (users != null) {
        // Already provisioned by an earlier update run; permissions are never re-applied.
        return users;
    }

    users = ObjectSpace.CreateObject<PermissionPolicyRole>();
    users.Name = "Users";

    // Navigation permissions only unhide menu items; data access is decided by the
    // type/object/member permissions further down.
    var navigationItems = new[] {
        "Application/NavigationItems/Items/Default/Items/MyDetails",
        "Application/NavigationItems/Items/Default/Items/Employee_ListView",
        "Application/NavigationItems/Items/Default/Items/EmployeeTask_ListView",
        "Application/NavigationItems/Items/Default/Items/Customer_ListView",
        "Application/NavigationItems/Items/Default/Items/Invoice_ListView",
    };
    foreach (var item in navigationItems) {
        users.AddNavigationPermission(item, SecurityPermissionState.Allow);
    }

    // Employees: read colleagues of the same department; write only the caller's own
    // name and credential fields.
    // NOTE(review): StoredPassword is directly writable on the caller's own record, so any
    // channel that can write the object (not only the Change Password action) can replace
    // the stored credential — confirm this matches the intended password-change flow.
    users.AddObjectPermission<Employee>(SecurityOperations.Read, "Department.Employees[Oid = CurrentUserId()]", SecurityPermissionState.Allow);
    users.AddMemberPermission<Employee>(SecurityOperations.Write, "ChangePasswordOnFirstLogon;StoredPassword;FirstName;LastName", "Oid=CurrentUserId()", SecurityPermissionState.Allow);
    // The Tasks collection of any departmental colleague is writable (task reassignment).
    users.AddMemberPermission<Employee>(SecurityOperations.Write, "Tasks", "Department.Employees[Oid = CurrentUserId()]", SecurityPermissionState.Allow);

    // NOTE(review): an unconditional type-level Read on PermissionPolicyRole exposes every
    // role and its permission set to ordinary users. Convenient for a demo, but it
    // discloses the whole authorisation model; add a criterion if that matters.
    users.SetTypePermission<PermissionPolicyRole>(SecurityOperations.Read, SecurityPermissionState.Allow);

    // Tasks assigned within the caller's department: read/write, no create or delete.
    // The separate Write grant on AssignedTo is presumably already covered by
    // ReadWriteAccess; it is kept as-is.
    users.AddObjectPermission<EmployeeTask>(SecurityOperations.ReadWriteAccess, "AssignedTo.Department.Employees[Oid = CurrentUserId()]", SecurityPermissionState.Allow);
    users.AddMemberPermission<EmployeeTask>(SecurityOperations.Write, "AssignedTo", "AssignedTo.Department.Employees[Oid = CurrentUserId()]", SecurityPermissionState.Allow);

    // Own department by criterion. The unconditional type-level Read on Department below
    // makes all departments readable anyway — presumably so lookups are populated; confirm.
    users.AddObjectPermission<Department>(SecurityOperations.Read, "Employees[Oid=CurrentUserId()]", SecurityPermissionState.Allow);

    // Customers and invoices where the caller is the consultant: read/write only.
    // NOTE(review): ReadWriteAccess is not member-restricted, so the Consultant reference
    // itself is presumably writable — a user can hand a customer (and, through the same
    // reference, its invoices) to another consultant. Deny Write on that member if the
    // assignment is meant to be controlled by managers.
    users.AddObjectPermission<Invoice>(SecurityOperations.ReadWriteAccess, "[Klient] Is Not Null And [Klient.Consultant.Oid] = CurrentUserId()", SecurityPermissionState.Allow);
    users.AddObjectPermission<Customer>(SecurityOperations.ReadWriteAccess, "[Consultant.Oid] = CurrentUserId()", SecurityPermissionState.Allow);

    // Reference data: unrestricted read. Note that InvoiceItem is readable type-wide,
    // i.e. also the lines of invoices the object rule above does not expose.
    users.SetTypePermission<Department>(SecurityOperations.Read, SecurityPermissionState.Allow);
    users.SetTypePermission<InvoiceItem>(SecurityOperations.Read, SecurityPermissionState.Allow);
    users.SetTypePermission<Product>(SecurityOperations.Read, SecurityPermissionState.Allow);

    return users;
}
/// <summary>
/// Returns the "Department administrator" role, creating it on first run. The role
/// administers the employees of the caller's own department (create, edit, delete),
/// has full access to that department record, and can read/write — but not create or
/// delete — the customers and invoices handled by the department's consultants.
/// </summary>
/// <returns>The existing or newly created "Department administrator" PermissionPolicyRole.</returns>
private PermissionPolicyRole GetDepartmentAdminRole() {
    var deptAdmin = ObjectSpace.FindObject<PermissionPolicyRole>(new BinaryOperator("Name", "Department administrator"));
    if (deptAdmin != null) {
        return deptAdmin;
    }

    deptAdmin = ObjectSpace.CreateObject<PermissionPolicyRole>();
    deptAdmin.Name = "Department administrator";

    // Menu entries only; data access is decided by the permissions below.
    var navigationItems = new[] {
        "Application/NavigationItems/Items/Default/Items/MyDetails",
        "Application/NavigationItems/Items/Default/Items/Department_ListView",
        "Application/NavigationItems/Items/Default/Items/Employee_ListView",
    };
    foreach (var item in navigationItems) {
        deptAdmin.AddNavigationPermission(item, SecurityPermissionState.Allow);
    }

    // Own department: full object access (write and delete included). Other departments
    // are readable through the type-level grant further down.
    deptAdmin.AddObjectPermission<Department>(SecurityOperations.FullObjectAccess, "Employees[Oid=CurrentUserId()]", SecurityPermissionState.Allow);

    // Employees: may create, and has full access to colleagues of the same department.
    // The IsNull(Department) branch also matches every employee without a department
    // (so a freshly created one can be placed) — such records are editable and
    // deletable by the administrators of *all* departments.
    deptAdmin.SetTypePermission<Employee>(SecurityOperations.Create, SecurityPermissionState.Allow);
    deptAdmin.AddObjectPermission<Employee>(SecurityOperations.FullObjectAccess, "IsNull(Department) || Department.Employees[Oid=CurrentUserId()]", SecurityPermissionState.Allow);

    // Roles visible to a department administrator are chosen by a name substring.
    // NOTE(review): Employee looks like the user type (GetUserRole writes StoredPassword
    // on it) and the FullObjectAccess grant above is not member-restricted, so this
    // 'dept.' filter is presumably what keeps higher-privileged roles out of the role
    // lookup when an administrator edits an employee. That is a naming convention, not an
    // enforced boundary: any privileged role whose name happens to contain "dept."
    // becomes assignable. Confirm, and consider an explicit Deny on the role-assignment
    // member instead of relying on the name.
    deptAdmin.AddObjectPermission<PermissionPolicyRole>(SecurityOperations.Read, "Contains([Name], 'dept.')", SecurityPermissionState.Allow);
    // Department member readable with a null criterion — presumably so the Department
    // column is available for employees outside the object-level filter; confirm.
    deptAdmin.AddMemberPermission<Employee>(SecurityOperations.Read, "Department", null, SecurityPermissionState.Allow);

    // Reference data: unrestricted read.
    deptAdmin.SetTypePermission<Department>(SecurityOperations.Read, SecurityPermissionState.Allow);
    deptAdmin.SetTypePermission<InvoiceItem>(SecurityOperations.Read, SecurityPermissionState.Allow);
    deptAdmin.SetTypePermission<Product>(SecurityOperations.Read, SecurityPermissionState.Allow);

    // Invoices and customers of the department's consultants: read/write, no create or
    // delete. Both criteria also match orphaned records (no customer, or a customer with
    // no consultant), which are therefore shared by the administrators of every department.
    deptAdmin.AddObjectPermission<Invoice>(SecurityOperations.ReadWriteAccess, "[Klient] Is Null Or [Klient.Consultant] Is Null Or [Klient.Consultant.Department.Employees][[Oid] = CurrentUserId()]", SecurityPermissionState.Allow);
    deptAdmin.AddObjectPermission<Customer>(SecurityOperations.ReadWriteAccess, "[Consultant] Is Null Or [Consultant.Department.Employees][[Oid] = CurrentUserId()]", SecurityPermissionState.Allow);

    return deptAdmin;
}
/// <summary>
/// Returns the "Managers" role, creating it on first run. Managers fully edit
/// (create and delete included) the employees, tasks and department record of their
/// own department. They do not see other departments' employees or tasks, with one
/// exception: records that have no department / no assignee match the IsNull branches
/// below and are shared by all managers. No customer or invoice access is granted.
/// </summary>
/// <returns>The existing or newly created "Managers" PermissionPolicyRole.</returns>
private PermissionPolicyRole GetManagerRole() {
    var managers = ObjectSpace.FindObject<PermissionPolicyRole>(new BinaryOperator("Name", "Managers"));
    if (managers != null) {
        return managers;
    }

    managers = ObjectSpace.CreateObject<PermissionPolicyRole>();
    managers.Name = "Managers";

    // Menu entries only; data access is decided by the permissions below.
    var navigationItems = new[] {
        "Application/NavigationItems/Items/Default/Items/MyDetails",
        "Application/NavigationItems/Items/Default/Items/Department_ListView",
        "Application/NavigationItems/Items/Default/Items/Employee_ListView",
        "Application/NavigationItems/Items/Default/Items/EmployeeTask_ListView",
    };
    foreach (var item in navigationItems) {
        managers.AddNavigationPermission(item, SecurityPermissionState.Allow);
    }

    // Own department: full object access, including write and delete of the department.
    managers.AddObjectPermission<Department>(SecurityOperations.FullObjectAccess, "Employees[Oid=CurrentUserId()]", SecurityPermissionState.Allow);

    // Employees: create anywhere; full access to colleagues and to departmentless records.
    managers.SetTypePermission<Employee>(SecurityOperations.Create, SecurityPermissionState.Allow);
    managers.AddObjectPermission<Employee>(SecurityOperations.FullObjectAccess, "IsNull(Department) || Department.Employees[Oid=CurrentUserId()]", SecurityPermissionState.Allow);

    // Tasks: create anywhere; full access to tasks of the department, to unassigned
    // tasks, and to tasks whose assignee has no department.
    managers.SetTypePermission<EmployeeTask>(SecurityOperations.Create, SecurityPermissionState.Allow);
    managers.AddObjectPermission<EmployeeTask>(SecurityOperations.FullObjectAccess, "IsNull(AssignedTo) || IsNull(AssignedTo.Department) || AssignedTo.Department.Employees[Oid=CurrentUserId()]", SecurityPermissionState.Allow);

    // NOTE(review): every role is readable here, unlike the 'dept.' name filter used for
    // department administrators. Employee looks like the user type (GetUserRole writes
    // StoredPassword on it) and the FullObjectAccess grant above is not member-restricted,
    // so if Employee exposes a role-assignment collection a manager could attach any
    // role — an administrator role included — to an employee they can write or create.
    // Confirm, and consider a criterion here or a Deny on that member.
    managers.SetTypePermission<PermissionPolicyRole>(SecurityOperations.Read, SecurityPermissionState.Allow);

    return managers;
}
/// <summary>
/// Returns the "Demo" role, creating it on first run. This role exists to showcase each
/// permission kind (type-, member-, object- and member-by-criteria-level, Allow as well
/// as Deny) on the *SecurityObject sample types; it is not a production access profile.
/// </summary>
/// <returns>The existing or newly created "Demo" PermissionPolicyRole.</returns>
private PermissionPolicyRole CreateSecurityDemoRole() {
    var demo = ObjectSpace.FindObject<PermissionPolicyRole>(new BinaryOperator("Name", "Demo"));
    if (demo != null) {
        return demo;
    }

    demo = ObjectSpace.CreateObject<PermissionPolicyRole>();
    demo.Name = "Demo";

    // ---- System types ---------------------------------------------------------------
    // A demo user reads only its own user record and only the "Demo" role.
    demo.AddObjectPermission<PermissionPolicyUser>(SecurityOperations.ReadOnlyAccess, "[Oid] = CurrentUserId()", SecurityPermissionState.Allow);
    // NOTE(review): this member-level write has a null criterion, i.e. it is not scoped
    // to the current user's record the way the object-level Read above is. Reading other
    // users is not granted, which is presumably what stops their StoredPassword from
    // being written, but the grant is broader than it needs to be; "[Oid] = CurrentUserId()"
    // as the criterion would close that gap explicitly.
    demo.AddMemberPermission<PermissionPolicyUser>(SecurityOperations.ReadWriteAccess, "ChangePasswordOnFirstLogon; StoredPassword", null, SecurityPermissionState.Allow);
    demo.AddObjectPermission<PermissionPolicyRole>(SecurityOperations.ReadOnlyAccess, "[Name] = 'Demo'", SecurityPermissionState.Allow);
    demo.AddTypePermission<PermissionPolicyTypePermissionObject>(SecurityOperations.Read, SecurityPermissionState.Allow);

    // ---- Type-level operations ------------------------------------------------------
    // Each sample type is named after the access it demonstrates.
    demo.SetTypePermission<FullAccessObject>(SecurityOperations.FullAccess, SecurityPermissionState.Allow);
    demo.SetTypePermission<ProtectedContentObject>(SecurityOperations.Navigate, SecurityPermissionState.Allow);
    demo.SetTypePermission<ReadOnlyObject>(SecurityOperations.ReadOnlyAccess, SecurityPermissionState.Allow);
    // Navigate + Create + read/write, with Delete left out.
    demo.SetTypePermission<IrremovableObject>(SecurityOperations.Navigate + ";" + SecurityOperations.Create + ";" + SecurityOperations.ReadWriteAccess, SecurityPermissionState.Allow);
    // FullObjectAccess — per the sample's naming, everything except Create.
    demo.SetTypePermission<UncreatableObject>(SecurityOperations.FullObjectAccess, SecurityPermissionState.Allow);

    // ---- Member-level operations ----------------------------------------------------
    // The type grant deliberately omits Read/Write; those are handed out per member.
    demo.SetTypePermission<MemberLevelSecurityObject>(SecurityOperations.Navigate + ";" + SecurityOperations.Create + ";" + SecurityOperations.Delete, SecurityPermissionState.Allow);
    demo.AddMemberPermission<MemberLevelSecurityObject>(SecurityOperations.ReadWriteAccess, "ReadWriteProperty;Name;oid;Oid;OptimisticLockField", null, SecurityPermissionState.Allow);
    demo.AddMemberPermission<MemberLevelSecurityObject>(SecurityOperations.Read, "ReadOnlyProperty;ReadOnlyCollection", null, SecurityPermissionState.Allow);
    // Explicit Deny entries. In the permission-policy model a Deny is expected to win over
    // an overlapping Allow, which is what makes these members read-only / hidden.
    demo.AddMemberPermission<MemberLevelSecurityObject>(SecurityOperations.Write, "ReadOnlyCollection;ReadOnlyProperty", null, SecurityPermissionState.Deny);
    demo.AddMemberPermission<MemberLevelSecurityObject>(SecurityOperations.ReadWriteAccess, "ProtectedContentProperty;ProtectedContentCollection", null, SecurityPermissionState.Deny);
    demo.SetTypePermission<MemberLevelReferencedObject1>(SecurityOperations.CRUDAccess, SecurityPermissionState.Allow);
    demo.SetTypePermission<MemberLevelReferencedObject2>(SecurityOperations.CRUDAccess, SecurityPermissionState.Allow);

    // ---- Object-level operations (criteria on Name) ---------------------------------
    // NOTE(review): access is keyed on a substring of a user-editable field. An object
    // matching 'Protected Deletion' is read/write, so presumably its Name can be changed
    // to contain 'Fully Accessible', after which the FullObjectAccess rule matches and
    // the "protected" object becomes deletable. Acceptable for a demo; do not copy this
    // pattern into real criteria — key them on fields the user cannot write.
    demo.SetTypePermission<ObjectLevelSecurityObject>(SecurityOperations.Navigate, SecurityPermissionState.Allow);
    demo.AddObjectPermission<ObjectLevelSecurityObject>(SecurityOperations.FullObjectAccess, "Contains([Name], 'Fully Accessible')", SecurityPermissionState.Allow);
    demo.AddObjectPermission<ObjectLevelSecurityObject>(SecurityOperations.Read, "Contains([Name], 'Read-Only')", SecurityPermissionState.Allow);
    demo.AddObjectPermission<ObjectLevelSecurityObject>(SecurityOperations.ReadWriteAccess, "Contains([Name], 'Protected Deletion')", SecurityPermissionState.Allow);

    // ---- Member-level operations gated by object criteria ---------------------------
    demo.SetTypePermission<MemberByCriteriaSecurityObject>(SecurityOperations.Navigate, SecurityPermissionState.Allow);
    demo.AddMemberPermission<MemberByCriteriaSecurityObject>(SecurityOperations.ReadWriteAccess, "Name", "[Name] <> 'No Read Access Object'", SecurityPermissionState.Allow);
    demo.AddMemberPermission<MemberByCriteriaSecurityObject>(SecurityOperations.ReadWriteAccess, "Property1;ReferenceProperty;Oid;oid", "[Name] = 'Fully Accessible Property Object'", SecurityPermissionState.Allow);
    demo.AddMemberPermission<MemberByCriteriaSecurityObject>(SecurityOperations.Read, "Property1;ReferenceProperty;Oid;oid", "[Name] = 'Read-Only Property Object'", SecurityPermissionState.Allow);

    return demo;
}
/// <summary>
/// Returns the "Accountants" role, creating it on first run. Accountants receive the
/// same departmental HR powers as Managers (create employees and tasks, full access to
/// those of the caller's department) plus full access to the department's customers
/// and invoices and, type-wide, to all invoice items.
/// </summary>
/// <returns>The existing or newly created "Accountants" PermissionPolicyRole.</returns>
private PermissionPolicyRole GetAccountantRole() {
    var accountants = ObjectSpace.FindObject<PermissionPolicyRole>(new BinaryOperator("Name", "Accountants"));
    if (accountants != null) {
        return accountants;
    }

    accountants = ObjectSpace.CreateObject<PermissionPolicyRole>();
    accountants.Name = "Accountants";

    // Menu entries. There is no EmployeeTask_ListView entry although the role has full
    // task access below — navigation permissions hide the menu item, they do not
    // restrict the data.
    var navigationItems = new[] {
        "Application/NavigationItems/Items/Default/Items/MyDetails",
        "Application/NavigationItems/Items/Default/Items/Department_ListView",
        "Application/NavigationItems/Items/Default/Items/Employee_ListView",
        "Application/NavigationItems/Items/Default/Items/Customer_ListView",
        "Application/NavigationItems/Items/Default/Items/Invoice_ListView",
    };
    foreach (var item in navigationItems) {
        accountants.AddNavigationPermission(item, SecurityPermissionState.Allow);
    }

    // Own department by criterion; the unconditional type-level Read below makes every
    // department readable anyway.
    accountants.AddObjectPermission<Department>(SecurityOperations.Read, "Employees[Oid=CurrentUserId()]", SecurityPermissionState.Allow);

    // Employees and tasks: the same grants as the Managers role.
    // NOTE(review): an accountant can therefore create employees and fully edit/delete
    // colleagues and departmentless employees. Employee looks like the user type
    // (GetUserRole writes StoredPassword on it), so confirm accountants are meant to
    // administer user accounts at all.
    accountants.SetTypePermission<Employee>(SecurityOperations.Create, SecurityPermissionState.Allow);
    accountants.AddObjectPermission<Employee>(SecurityOperations.FullObjectAccess, "IsNull(Department) || Department.Employees[Oid=CurrentUserId()]", SecurityPermissionState.Allow);
    accountants.SetTypePermission<EmployeeTask>(SecurityOperations.Create, SecurityPermissionState.Allow);
    accountants.AddObjectPermission<EmployeeTask>(SecurityOperations.FullObjectAccess, "IsNull(AssignedTo) || IsNull(AssignedTo.Department) || AssignedTo.Department.Employees[Oid=CurrentUserId()]", SecurityPermissionState.Allow);

    // Every role (and its permission set) is readable — the whole authorisation model is
    // disclosed to this role; add a criterion if that matters.
    accountants.SetTypePermission<PermissionPolicyRole>(SecurityOperations.Read, SecurityPermissionState.Allow);
    accountants.SetTypePermission<Department>(SecurityOperations.Read, SecurityPermissionState.Allow);

    // Invoice Create is not granted (a disabled grant for it was left in the original
    // source), so accountants can edit and delete invoices but not raise new ones —
    // confirm that is intended.
    // NOTE(review): InvoiceItem gets FullObjectAccess at type level, i.e. unconditional
    // write/delete on every invoice line, while the invoice itself is scoped to the
    // caller's department below. At least through the API an accountant can alter the
    // lines of invoices the object rule does not expose; scope this with a criterion on
    // the owning invoice if that is not intended.
    accountants.SetTypePermission<InvoiceItem>(SecurityOperations.FullObjectAccess, SecurityPermissionState.Allow);
    accountants.SetTypePermission<Product>(SecurityOperations.Read, SecurityPermissionState.Allow);
    // Every customer is readable; write/delete is department-scoped by the object rule below.
    accountants.SetTypePermission<Customer>(SecurityOperations.Read, SecurityPermissionState.Allow);

    // Invoices and customers of the department's consultants, plus orphaned records (no
    // customer, or a customer without a consultant), which are shared by all departments.
    accountants.AddObjectPermission<Invoice>(SecurityOperations.FullObjectAccess, "[Klient] Is Null Or [Klient.Consultant] Is Null Or [Klient.Consultant.Department.Employees][[Oid] = CurrentUserId()]", SecurityPermissionState.Allow);
    accountants.AddObjectPermission<Customer>(SecurityOperations.FullObjectAccess, "[Consultant] Is Null Or [Consultant.Department.Employees][[Oid] = CurrentUserId()]", SecurityPermissionState.Allow);

    return accountants;
}