        //Users can access and partially edit data (no create and delete capabilities) from their own department.
        /// <summary>
        /// Returns the persisted "Users" role, creating and populating it the first time it is
        /// requested. Subsequent calls return the existing role without touching its permissions.
        /// </summary>
        /// <returns>The "Users" <see cref="PermissionPolicyRole"/> found in, or added to, <c>ObjectSpace</c>.</returns>
        private PermissionPolicyRole GetUserRole()
        {
            const string RoleName = "Users";
            const string NavRoot = "Application/NavigationItems/Items/Default/Items/";

            var role = ObjectSpace.FindObject<PermissionPolicyRole>(new BinaryOperator("Name", RoleName));
            if (role != null)
            {
                // Already seeded: the stored permission set is authoritative, do not re-add anything.
                return role;
            }

            role = ObjectSpace.CreateObject<PermissionPolicyRole>();
            role.Name = RoleName;

            // Navigation items visible to an ordinary user.
            role.AddNavigationPermission(NavRoot + "MyDetails", SecurityPermissionState.Allow);
            role.AddNavigationPermission(NavRoot + "Employee_ListView", SecurityPermissionState.Allow);
            role.AddNavigationPermission(NavRoot + "EmployeeTask_ListView", SecurityPermissionState.Allow);
            role.AddNavigationPermission(NavRoot + "Customer_ListView", SecurityPermissionState.Allow);
            role.AddNavigationPermission(NavRoot + "Invoice_ListView", SecurityPermissionState.Allow);

            // Employees: read colleagues in the same department; write is limited to the listed
            // members of the user's own record (self-service password change) and to the Tasks
            // collection of departmental colleagues.
            role.AddObjectPermission<Employee>(SecurityOperations.Read, "Department.Employees[Oid = CurrentUserId()]", SecurityPermissionState.Allow);
            role.AddMemberPermission<Employee>(SecurityOperations.Write, "ChangePasswordOnFirstLogon;StoredPassword;FirstName;LastName", "Oid=CurrentUserId()", SecurityPermissionState.Allow);
            role.AddMemberPermission<Employee>(SecurityOperations.Write, "Tasks", "Department.Employees[Oid = CurrentUserId()]", SecurityPermissionState.Allow);

            // NOTE(review): type-level Read on PermissionPolicyRole makes every role definition,
            // including the permissions of privileged roles, readable by ordinary users. Confirm
            // that is intended; an object-level criterion on the user's own roles would be narrower.
            role.SetTypePermission<PermissionPolicyRole>(SecurityOperations.Read, SecurityPermissionState.Allow);

            // Tasks assigned to someone in the user's department: read/write, and reassignable
            // within that same scope.
            role.AddObjectPermission<EmployeeTask>(SecurityOperations.ReadWriteAccess, "AssignedTo.Department.Employees[Oid = CurrentUserId()]", SecurityPermissionState.Allow);
            role.AddMemberPermission<EmployeeTask>(SecurityOperations.Write, "AssignedTo", "AssignedTo.Department.Employees[Oid = CurrentUserId()]", SecurityPermissionState.Allow);

            // The user's own department. The type-level Department Read further down already
            // covers all departments, so this object permission is a narrower duplicate; kept
            // so the persisted permission set is unchanged.
            role.AddObjectPermission<Department>(SecurityOperations.Read, "Employees[Oid=CurrentUserId()]", SecurityPermissionState.Allow);

            // Invoices and customers the user consults for.
            role.AddObjectPermission<Invoice>(SecurityOperations.ReadWriteAccess, "[Klient] Is Not Null And [Klient.Consultant.Oid] = CurrentUserId()", SecurityPermissionState.Allow);
            role.AddObjectPermission<Customer>(SecurityOperations.ReadWriteAccess, "[Consultant.Oid] = CurrentUserId()", SecurityPermissionState.Allow);

            // Reference data: read-only across the whole type.
            role.SetTypePermission<Department>(SecurityOperations.Read, SecurityPermissionState.Allow);
            role.SetTypePermission<InvoiceItem>(SecurityOperations.Read, SecurityPermissionState.Allow);
            role.SetTypePermission<Product>(SecurityOperations.Read, SecurityPermissionState.Allow);

            return role;
        }
        /// <summary>
        /// Returns the persisted "Department administrator" role, seeding it on first use.
        /// The role has full access to its own department and its employees, and read/write
        /// access to customers and invoices handled by consultants of that department.
        /// </summary>
        /// <returns>The existing or newly created "Department administrator" role.</returns>
        private PermissionPolicyRole GetDepartmentAdminRole()
        {
            const string RoleName = "Department administrator";
            const string NavRoot = "Application/NavigationItems/Items/Default/Items/";

            var role = ObjectSpace.FindObject<PermissionPolicyRole>(new BinaryOperator("Name", RoleName));
            if (role != null)
            {
                return role;
            }

            role = ObjectSpace.CreateObject<PermissionPolicyRole>();
            role.Name = RoleName;

            role.AddNavigationPermission(NavRoot + "MyDetails", SecurityPermissionState.Allow);
            role.AddNavigationPermission(NavRoot + "Department_ListView", SecurityPermissionState.Allow);
            role.AddNavigationPermission(NavRoot + "Employee_ListView", SecurityPermissionState.Allow);

            // Own department: full object access (read, write, delete).
            role.AddObjectPermission<Department>(SecurityOperations.FullObjectAccess, "Employees[Oid=CurrentUserId()]", SecurityPermissionState.Allow);

            // Employees: may create, and has full access to employees of the own department.
            // NOTE(review): the IsNull(Department) clause is what lets a freshly created (not yet
            // assigned) employee be edited, but it equally grants full access to *every* existing
            // employee that has no department — including any privileged account left without one.
            // If Employee derives from PermissionPolicyUser (the Users role writes its StoredPassword
            // member, which suggests it does), full object access also covers password and role
            // membership members; an explicit Deny on those members for this role would contain that.
            role.SetTypePermission<Employee>(SecurityOperations.Create, SecurityPermissionState.Allow);
            role.AddObjectPermission<Employee>(SecurityOperations.FullObjectAccess, "IsNull(Department) || Department.Employees[Oid=CurrentUserId()]", SecurityPermissionState.Allow);

            // Only roles whose name contains 'dept.' are visible; the Department member is readable
            // on every Employee regardless of department (criteria is null).
            role.AddObjectPermission<PermissionPolicyRole>(SecurityOperations.Read, "Contains([Name], 'dept.')", SecurityPermissionState.Allow);
            role.AddMemberPermission<Employee>(SecurityOperations.Read, "Department", null, SecurityPermissionState.Allow);

            // Reference data, read-only.
            role.SetTypePermission<Department>(SecurityOperations.Read, SecurityPermissionState.Allow);
            role.SetTypePermission<InvoiceItem>(SecurityOperations.Read, SecurityPermissionState.Allow);
            role.SetTypePermission<Product>(SecurityOperations.Read, SecurityPermissionState.Allow);

            // Invoices/customers: read/write when unassigned or when the consultant is in the own department.
            role.AddObjectPermission<Invoice>(SecurityOperations.ReadWriteAccess, "[Klient] Is Null Or [Klient.Consultant] Is Null Or [Klient.Consultant.Department.Employees][[Oid] = CurrentUserId()]", SecurityPermissionState.Allow);
            role.AddObjectPermission<Customer>(SecurityOperations.ReadWriteAccess, "[Consultant] Is Null Or [Consultant.Department.Employees][[Oid] = CurrentUserId()]", SecurityPermissionState.Allow);

            return role;
        }
        //Managers can access and fully edit (including create and delete capabilities) data from their own department. However, they cannot access data from other departments.
        /// <summary>
        /// Returns the persisted "Managers" role, seeding it on first use. Managers get full
        /// access (including create and delete) to their own department, its employees and
        /// the tasks assigned within it.
        /// </summary>
        /// <returns>The existing or newly created "Managers" role.</returns>
        private PermissionPolicyRole GetManagerRole()
        {
            const string RoleName = "Managers";
            const string NavRoot = "Application/NavigationItems/Items/Default/Items/";

            var role = ObjectSpace.FindObject<PermissionPolicyRole>(new BinaryOperator("Name", RoleName));
            if (role != null)
            {
                return role;
            }

            role = ObjectSpace.CreateObject<PermissionPolicyRole>();
            role.Name = RoleName;

            role.AddNavigationPermission(NavRoot + "MyDetails", SecurityPermissionState.Allow);
            role.AddNavigationPermission(NavRoot + "Department_ListView", SecurityPermissionState.Allow);
            role.AddNavigationPermission(NavRoot + "Employee_ListView", SecurityPermissionState.Allow);
            role.AddNavigationPermission(NavRoot + "EmployeeTask_ListView", SecurityPermissionState.Allow);

            // Own department: full object access.
            role.AddObjectPermission<Department>(SecurityOperations.FullObjectAccess, "Employees[Oid=CurrentUserId()]", SecurityPermissionState.Allow);

            // Employees: create, plus full access to departmentless employees and to the own department.
            // NOTE(review): "IsNull(Department)" matches every employee without a department, not only
            // newly created ones; and the departmental criterion includes the manager's own record,
            // so every member of it is writable. If Employee carries PermissionPolicyUser members
            // (StoredPassword, Roles), consider an explicit member-level Deny on those for this role
            // so a manager cannot change role membership through their own Employee record.
            role.SetTypePermission<Employee>(SecurityOperations.Create, SecurityPermissionState.Allow);
            role.AddObjectPermission<Employee>(SecurityOperations.FullObjectAccess, "IsNull(Department) || Department.Employees[Oid=CurrentUserId()]", SecurityPermissionState.Allow);

            // Tasks: create, plus full access to unassigned tasks and tasks assigned within the department.
            role.SetTypePermission<EmployeeTask>(SecurityOperations.Create, SecurityPermissionState.Allow);
            role.AddObjectPermission<EmployeeTask>(
                SecurityOperations.FullObjectAccess,
                "IsNull(AssignedTo) || IsNull(AssignedTo.Department) || AssignedTo.Department.Employees[Oid=CurrentUserId()]",
                SecurityPermissionState.Allow);

            // NOTE(review): every role definition is readable by managers; confirm that is intended.
            role.SetTypePermission<PermissionPolicyRole>(SecurityOperations.Read, SecurityPermissionState.Allow);

            return role;
        }
        /// <summary>
        /// Returns the persisted "Demo" role, seeding it on first use. The role exercises each
        /// permission kind (type, object, member, member-by-criteria) against the demo object
        /// types so that every access level has a visible example.
        /// </summary>
        /// <returns>The existing or newly created "Demo" role.</returns>
        private PermissionPolicyRole CreateSecurityDemoRole()
        {
            const string RoleName = "Demo";

            var role = ObjectSpace.FindObject<PermissionPolicyRole>(new BinaryOperator("Name", RoleName));
            if (role != null)
            {
                return role;
            }

            role = ObjectSpace.CreateObject<PermissionPolicyRole>();
            role.Name = RoleName;

            // System objects: the user sees only their own account and only the "Demo" role;
            // password members are writable on any readable user (member criteria is null).
            role.AddObjectPermission<PermissionPolicyUser>(SecurityOperations.ReadOnlyAccess, "[Oid] = CurrentUserId()", SecurityPermissionState.Allow);
            role.AddMemberPermission<PermissionPolicyUser>(SecurityOperations.ReadWriteAccess, "ChangePasswordOnFirstLogon; StoredPassword", null, SecurityPermissionState.Allow);
            role.AddObjectPermission<PermissionPolicyRole>(SecurityOperations.ReadOnlyAccess, "[Name] = 'Demo'", SecurityPermissionState.Allow);
            role.AddTypePermission<PermissionPolicyTypePermissionObject>(SecurityOperations.Read, SecurityPermissionState.Allow);

            // Type-level operations, one demo type per access level.
            role.SetTypePermission<FullAccessObject>(SecurityOperations.FullAccess, SecurityPermissionState.Allow);
            role.SetTypePermission<ProtectedContentObject>(SecurityOperations.Navigate, SecurityPermissionState.Allow);
            role.SetTypePermission<ReadOnlyObject>(SecurityOperations.ReadOnlyAccess, SecurityPermissionState.Allow);
            role.SetTypePermission<IrremovableObject>(SecurityOperations.Navigate + ";" + SecurityOperations.Create + ";" + SecurityOperations.ReadWriteAccess, SecurityPermissionState.Allow);
            role.SetTypePermission<UncreatableObject>(SecurityOperations.FullObjectAccess, SecurityPermissionState.Allow);

            // Member-level operations: explicit Deny entries mark the read-only and protected members.
            role.SetTypePermission<MemberLevelSecurityObject>(SecurityOperations.Navigate + ";" + SecurityOperations.Create + ";" + SecurityOperations.Delete, SecurityPermissionState.Allow);
            role.AddMemberPermission<MemberLevelSecurityObject>(SecurityOperations.ReadWriteAccess, "ReadWriteProperty;Name;oid;Oid;OptimisticLockField", null, SecurityPermissionState.Allow);
            role.AddMemberPermission<MemberLevelSecurityObject>(SecurityOperations.Read, "ReadOnlyProperty;ReadOnlyCollection", null, SecurityPermissionState.Allow);
            role.AddMemberPermission<MemberLevelSecurityObject>(SecurityOperations.Write, "ReadOnlyCollection;ReadOnlyProperty", null, SecurityPermissionState.Deny);
            role.AddMemberPermission<MemberLevelSecurityObject>(SecurityOperations.ReadWriteAccess, "ProtectedContentProperty;ProtectedContentCollection", null, SecurityPermissionState.Deny);

            role.SetTypePermission<MemberLevelReferencedObject1>(SecurityOperations.CRUDAccess, SecurityPermissionState.Allow);
            role.SetTypePermission<MemberLevelReferencedObject2>(SecurityOperations.CRUDAccess, SecurityPermissionState.Allow);

            // Object-level operations: access level selected by a substring of Name.
            role.SetTypePermission<ObjectLevelSecurityObject>(SecurityOperations.Navigate, SecurityPermissionState.Allow);
            role.AddObjectPermission<ObjectLevelSecurityObject>(SecurityOperations.FullObjectAccess, "Contains([Name], 'Fully Accessible')", SecurityPermissionState.Allow);
            role.AddObjectPermission<ObjectLevelSecurityObject>(SecurityOperations.Read, "Contains([Name], 'Read-Only')", SecurityPermissionState.Allow);
            role.AddObjectPermission<ObjectLevelSecurityObject>(SecurityOperations.ReadWriteAccess, "Contains([Name], 'Protected Deletion')", SecurityPermissionState.Allow);

            // Member-by-criteria operations: member access depends on the object's Name.
            role.SetTypePermission<MemberByCriteriaSecurityObject>(SecurityOperations.Navigate, SecurityPermissionState.Allow);
            role.AddMemberPermission<MemberByCriteriaSecurityObject>(SecurityOperations.ReadWriteAccess, "Name", "[Name] <> 'No Read Access Object'", SecurityPermissionState.Allow);
            role.AddMemberPermission<MemberByCriteriaSecurityObject>(SecurityOperations.ReadWriteAccess, "Property1;ReferenceProperty;Oid;oid", "[Name] = 'Fully Accessible Property Object'", SecurityPermissionState.Allow);
            role.AddMemberPermission<MemberByCriteriaSecurityObject>(SecurityOperations.Read, "Property1;ReferenceProperty;Oid;oid", "[Name] = 'Read-Only Property Object'", SecurityPermissionState.Allow);

            return role;
        }
        /// <summary>
        /// Returns the persisted "Accountants" role, seeding it on first use. Accountants combine
        /// the manager-style department/employee/task access with full access to invoice items and
        /// to invoices and customers handled by consultants of their own department.
        /// </summary>
        /// <returns>The existing or newly created "Accountants" role.</returns>
        private PermissionPolicyRole GetAccountantRole()
        {
            const string RoleName = "Accountants";
            const string NavRoot = "Application/NavigationItems/Items/Default/Items/";

            var role = ObjectSpace.FindObject<PermissionPolicyRole>(new BinaryOperator("Name", RoleName));
            if (role != null)
            {
                return role;
            }

            role = ObjectSpace.CreateObject<PermissionPolicyRole>();
            role.Name = RoleName;

            role.AddNavigationPermission(NavRoot + "MyDetails", SecurityPermissionState.Allow);
            role.AddNavigationPermission(NavRoot + "Department_ListView", SecurityPermissionState.Allow);
            role.AddNavigationPermission(NavRoot + "Employee_ListView", SecurityPermissionState.Allow);
            role.AddNavigationPermission(NavRoot + "Customer_ListView", SecurityPermissionState.Allow);
            role.AddNavigationPermission(NavRoot + "Invoice_ListView", SecurityPermissionState.Allow);

            // Own department, read-only at object level (type-level Read further down covers all departments).
            role.AddObjectPermission<Department>(SecurityOperations.Read, "Employees[Oid=CurrentUserId()]", SecurityPermissionState.Allow);

            // Employees: create, plus full access to departmentless employees and to the own department.
            // NOTE(review): same caveat as the manager role — "IsNull(Department)" covers every
            // departmentless employee, and the departmental criterion includes the accountant's own record.
            role.SetTypePermission<Employee>(SecurityOperations.Create, SecurityPermissionState.Allow);
            role.AddObjectPermission<Employee>(SecurityOperations.FullObjectAccess, "IsNull(Department) || Department.Employees[Oid=CurrentUserId()]", SecurityPermissionState.Allow);

            // Tasks: create, plus full access to unassigned tasks and tasks assigned within the department.
            role.SetTypePermission<EmployeeTask>(SecurityOperations.Create, SecurityPermissionState.Allow);
            role.AddObjectPermission<EmployeeTask>(
                SecurityOperations.FullObjectAccess,
                "IsNull(AssignedTo) || IsNull(AssignedTo.Department) || AssignedTo.Department.Employees[Oid=CurrentUserId()]",
                SecurityPermissionState.Allow);

            role.SetTypePermission<PermissionPolicyRole>(SecurityOperations.Read, SecurityPermissionState.Allow);

            // Reference data. InvoiceItem is fully editable at type level; Department and Product are read-only.
            role.SetTypePermission<Department>(SecurityOperations.Read, SecurityPermissionState.Allow);
            role.SetTypePermission<InvoiceItem>(SecurityOperations.FullObjectAccess, SecurityPermissionState.Allow);
            role.SetTypePermission<Product>(SecurityOperations.Read, SecurityPermissionState.Allow);

            // Customers are readable across the type; full access to invoices/customers that are
            // unassigned or handled by a consultant of the own department. No type-level Create is
            // granted for Invoice or Customer in this block.
            role.SetTypePermission<Customer>(SecurityOperations.Read, SecurityPermissionState.Allow);
            role.AddObjectPermission<Invoice>(SecurityOperations.FullObjectAccess, "[Klient] Is Null Or [Klient.Consultant] Is Null Or [Klient.Consultant.Department.Employees][[Oid] = CurrentUserId()]", SecurityPermissionState.Allow);
            role.AddObjectPermission<Customer>(SecurityOperations.FullObjectAccess, "[Consultant] Is Null Or [Consultant.Department.Employees][[Oid] = CurrentUserId()]", SecurityPermissionState.Allow);

            return role;
        }