//Users can access and partially edit data (no create and delete capabilities) from their own department.
private PermissionPolicyRole GetUserRole()
{
PermissionPolicyRole userRole = ObjectSpace.FindObject <PermissionPolicyRole>(new BinaryOperator("Name", "Users"));
if (userRole == null)
{
userRole = ObjectSpace.CreateObject <PermissionPolicyRole>();
userRole.Name = "Users";
userRole.AddNavigationPermission("Application/NavigationItems/Items/Default/Items/MyDetails", SecurityPermissionState.Allow);
userRole.AddNavigationPermission("Application/NavigationItems/Items/Default/Items/Employee_ListView", SecurityPermissionState.Allow);
userRole.AddNavigationPermission("Application/NavigationItems/Items/Default/Items/EmployeeTask_ListView", SecurityPermissionState.Allow);
userRole.AddNavigationPermission("Application/NavigationItems/Items/Default/Items/Customer_ListView", SecurityPermissionState.Allow);
userRole.AddNavigationPermission("Application/NavigationItems/Items/Default/Items/Invoice_ListView", SecurityPermissionState.Allow);
userRole.AddObjectPermission <Employee>(SecurityOperations.Read, "Department.Employees[Oid = CurrentUserId()]", SecurityPermissionState.Allow);
userRole.AddMemberPermission <Employee>(SecurityOperations.Write, "ChangePasswordOnFirstLogon;StoredPassword;FirstName;LastName", "Oid=CurrentUserId()", SecurityPermissionState.Allow);
userRole.AddMemberPermission <Employee>(SecurityOperations.Write, "Tasks", "Department.Employees[Oid = CurrentUserId()]", SecurityPermissionState.Allow);
userRole.SetTypePermission <PermissionPolicyRole>(SecurityOperations.Read, SecurityPermissionState.Allow);
userRole.AddObjectPermission <EmployeeTask>(SecurityOperations.ReadWriteAccess, "AssignedTo.Department.Employees[Oid = CurrentUserId()]", SecurityPermissionState.Allow);
userRole.AddMemberPermission <EmployeeTask>(SecurityOperations.Write, "AssignedTo", "AssignedTo.Department.Employees[Oid = CurrentUserId()]", SecurityPermissionState.Allow);
userRole.AddObjectPermission <Department>(SecurityOperations.Read, "Employees[Oid=CurrentUserId()]", SecurityPermissionState.Allow);
userRole.AddObjectPermission <Invoice>(SecurityOperations.ReadWriteAccess, "[Klient] Is Not Null And [Klient.Consultant.Oid] = CurrentUserId()", SecurityPermissionState.Allow);
userRole.AddObjectPermission <Customer>(SecurityOperations.ReadWriteAccess, "[Consultant.Oid] = CurrentUserId()", SecurityPermissionState.Allow);
userRole.SetTypePermission <Department>(SecurityOperations.Read, SecurityPermissionState.Allow);
userRole.SetTypePermission <InvoiceItem>(SecurityOperations.Read, SecurityPermissionState.Allow);
userRole.SetTypePermission <Product>(SecurityOperations.Read, SecurityPermissionState.Allow);
}
return(userRole);
}
private PermissionPolicyRole GetDepartmentAdminRole()
{
PermissionPolicyRole deptAdminRole = ObjectSpace.FindObject <PermissionPolicyRole>(new BinaryOperator("Name", "Department administrator"));
if (deptAdminRole == null)
{
deptAdminRole = ObjectSpace.CreateObject <PermissionPolicyRole>();
deptAdminRole.Name = "Department administrator";
deptAdminRole.AddNavigationPermission("Application/NavigationItems/Items/Default/Items/MyDetails", SecurityPermissionState.Allow);
deptAdminRole.AddNavigationPermission("Application/NavigationItems/Items/Default/Items/Department_ListView", SecurityPermissionState.Allow);
deptAdminRole.AddNavigationPermission("Application/NavigationItems/Items/Default/Items/Employee_ListView", SecurityPermissionState.Allow);
deptAdminRole.AddObjectPermission <Department>(SecurityOperations.FullObjectAccess, "Employees[Oid=CurrentUserId()]", SecurityPermissionState.Allow);
deptAdminRole.SetTypePermission <Employee>(SecurityOperations.Create, SecurityPermissionState.Allow);
deptAdminRole.AddObjectPermission <Employee>(SecurityOperations.FullObjectAccess, "IsNull(Department) || Department.Employees[Oid=CurrentUserId()]", SecurityPermissionState.Allow);
deptAdminRole.AddObjectPermission <PermissionPolicyRole>(SecurityOperations.Read, "Contains([Name], 'dept.')", SecurityPermissionState.Allow);
deptAdminRole.AddMemberPermission <Employee>(SecurityOperations.Read, "Department", null, SecurityPermissionState.Allow);
deptAdminRole.SetTypePermission <Department>(SecurityOperations.Read, SecurityPermissionState.Allow);
deptAdminRole.SetTypePermission <InvoiceItem>(SecurityOperations.Read, SecurityPermissionState.Allow);
deptAdminRole.SetTypePermission <Product>(SecurityOperations.Read, SecurityPermissionState.Allow);
deptAdminRole.AddObjectPermission <Invoice>(SecurityOperations.ReadWriteAccess, "[Klient] Is Null Or [Klient.Consultant] Is Null Or [Klient.Consultant.Department.Employees][[Oid] = CurrentUserId()]", SecurityPermissionState.Allow);
deptAdminRole.AddObjectPermission <Customer>(SecurityOperations.ReadWriteAccess, "[Consultant] Is Null Or [Consultant.Department.Employees][[Oid] = CurrentUserId()]", SecurityPermissionState.Allow);
}
return(deptAdminRole);
}
//Managers can access and fully edit (including create and delete capabilities) data from their own department. However, they cannot access data from other departments.
private PermissionPolicyRole GetManagerRole()
{
PermissionPolicyRole managerRole = ObjectSpace.FindObject <PermissionPolicyRole>(new BinaryOperator("Name", "Managers"));
if (managerRole == null)
{
managerRole = ObjectSpace.CreateObject <PermissionPolicyRole>();
managerRole.Name = "Managers";
managerRole.AddNavigationPermission("Application/NavigationItems/Items/Default/Items/MyDetails", SecurityPermissionState.Allow);
managerRole.AddNavigationPermission("Application/NavigationItems/Items/Default/Items/Department_ListView", SecurityPermissionState.Allow);
managerRole.AddNavigationPermission("Application/NavigationItems/Items/Default/Items/Employee_ListView", SecurityPermissionState.Allow);
managerRole.AddNavigationPermission("Application/NavigationItems/Items/Default/Items/EmployeeTask_ListView", SecurityPermissionState.Allow);
managerRole.AddObjectPermission <Department>(SecurityOperations.FullObjectAccess, "Employees[Oid=CurrentUserId()]", SecurityPermissionState.Allow);
managerRole.SetTypePermission <Employee>(SecurityOperations.Create, SecurityPermissionState.Allow);
managerRole.AddObjectPermission <Employee>(SecurityOperations.FullObjectAccess, "IsNull(Department) || Department.Employees[Oid=CurrentUserId()]", SecurityPermissionState.Allow);
managerRole.SetTypePermission <EmployeeTask>(SecurityOperations.Create, SecurityPermissionState.Allow);
managerRole.AddObjectPermission <EmployeeTask>(SecurityOperations.FullObjectAccess,
"IsNull(AssignedTo) || IsNull(AssignedTo.Department) || AssignedTo.Department.Employees[Oid=CurrentUserId()]", SecurityPermissionState.Allow);
managerRole.SetTypePermission <PermissionPolicyRole>(SecurityOperations.Read, SecurityPermissionState.Allow);
}
return(managerRole);
}
private PermissionPolicyRole CreateSecurityDemoRole()
{
PermissionPolicyRole securityDemoRole = ObjectSpace.FindObject <PermissionPolicyRole>(new BinaryOperator("Name", "Demo"));
if (securityDemoRole == null)
{
securityDemoRole = ObjectSpace.CreateObject <PermissionPolicyRole>();
securityDemoRole.Name = "Demo";
// System Permissions
securityDemoRole.AddObjectPermission <PermissionPolicyUser>(SecurityOperations.ReadOnlyAccess, "[Oid] = CurrentUserId()", SecurityPermissionState.Allow);
securityDemoRole.AddMemberPermission <PermissionPolicyUser>(SecurityOperations.ReadWriteAccess, "ChangePasswordOnFirstLogon; StoredPassword", null, SecurityPermissionState.Allow);
securityDemoRole.AddObjectPermission <PermissionPolicyRole>(SecurityOperations.ReadOnlyAccess, "[Name] = 'Demo'", SecurityPermissionState.Allow);
securityDemoRole.AddTypePermission <PermissionPolicyTypePermissionObject>(SecurityOperations.Read, SecurityPermissionState.Allow);
// Type Operation Permissions
securityDemoRole.SetTypePermission <FullAccessObject>(SecurityOperations.FullAccess, SecurityPermissionState.Allow);
securityDemoRole.SetTypePermission <ProtectedContentObject>(SecurityOperations.Navigate, SecurityPermissionState.Allow);
securityDemoRole.SetTypePermission <ReadOnlyObject>(SecurityOperations.ReadOnlyAccess, SecurityPermissionState.Allow);
securityDemoRole.SetTypePermission <IrremovableObject>(SecurityOperations.Navigate + ";" + SecurityOperations.Create + ";" + SecurityOperations.ReadWriteAccess, SecurityPermissionState.Allow);
securityDemoRole.SetTypePermission <UncreatableObject>(SecurityOperations.FullObjectAccess, SecurityPermissionState.Allow);
// Member Operation Permissions
securityDemoRole.SetTypePermission <MemberLevelSecurityObject>(SecurityOperations.Navigate + ";" + SecurityOperations.Create + ";" + SecurityOperations.Delete, SecurityPermissionState.Allow);
securityDemoRole.AddMemberPermission <MemberLevelSecurityObject>(SecurityOperations.ReadWriteAccess, "ReadWriteProperty;Name;oid;Oid;OptimisticLockField", null, SecurityPermissionState.Allow);
securityDemoRole.AddMemberPermission <MemberLevelSecurityObject>(SecurityOperations.Read, "ReadOnlyProperty;ReadOnlyCollection", null, SecurityPermissionState.Allow);
securityDemoRole.AddMemberPermission <MemberLevelSecurityObject>(SecurityOperations.Write, "ReadOnlyCollection;ReadOnlyProperty", null, SecurityPermissionState.Deny);
securityDemoRole.AddMemberPermission <MemberLevelSecurityObject>(SecurityOperations.ReadWriteAccess, "ProtectedContentProperty;ProtectedContentCollection", null, SecurityPermissionState.Deny);
securityDemoRole.SetTypePermission <MemberLevelReferencedObject1>(SecurityOperations.CRUDAccess, SecurityPermissionState.Allow);
securityDemoRole.SetTypePermission <MemberLevelReferencedObject2>(SecurityOperations.CRUDAccess, SecurityPermissionState.Allow);
// Object Operation Permissions
securityDemoRole.SetTypePermission <ObjectLevelSecurityObject>(SecurityOperations.Navigate, SecurityPermissionState.Allow);
securityDemoRole.AddObjectPermission <ObjectLevelSecurityObject>(SecurityOperations.FullObjectAccess, "Contains([Name], 'Fully Accessible')", SecurityPermissionState.Allow);
securityDemoRole.AddObjectPermission <ObjectLevelSecurityObject>(SecurityOperations.Read, "Contains([Name], 'Read-Only')", SecurityPermissionState.Allow);
securityDemoRole.AddObjectPermission <ObjectLevelSecurityObject>(SecurityOperations.ReadWriteAccess, "Contains([Name], 'Protected Deletion')", SecurityPermissionState.Allow);
// Member By Criteria Operation Permissions
securityDemoRole.SetTypePermission <MemberByCriteriaSecurityObject>(SecurityOperations.Navigate, SecurityPermissionState.Allow);
securityDemoRole.AddMemberPermission <MemberByCriteriaSecurityObject>(SecurityOperations.ReadWriteAccess, "Name", "[Name] <> 'No Read Access Object'", SecurityPermissionState.Allow);
securityDemoRole.AddMemberPermission <MemberByCriteriaSecurityObject>(SecurityOperations.ReadWriteAccess, "Property1;ReferenceProperty;Oid;oid", "[Name] = 'Fully Accessible Property Object'", SecurityPermissionState.Allow);
securityDemoRole.AddMemberPermission <MemberByCriteriaSecurityObject>(SecurityOperations.Read, "Property1;ReferenceProperty;Oid;oid", "[Name] = 'Read-Only Property Object'", SecurityPermissionState.Allow);
}
return(securityDemoRole);
}
private PermissionPolicyRole GetAccountantRole()
{
PermissionPolicyRole role = ObjectSpace.FindObject <PermissionPolicyRole>(new BinaryOperator("Name", "Accountants"));
if (role == null)
{
role = ObjectSpace.CreateObject <PermissionPolicyRole>();
role.Name = "Accountants";
role.AddNavigationPermission("Application/NavigationItems/Items/Default/Items/MyDetails", SecurityPermissionState.Allow);
role.AddNavigationPermission("Application/NavigationItems/Items/Default/Items/Department_ListView", SecurityPermissionState.Allow);
role.AddNavigationPermission("Application/NavigationItems/Items/Default/Items/Employee_ListView", SecurityPermissionState.Allow);
role.AddNavigationPermission("Application/NavigationItems/Items/Default/Items/Customer_ListView", SecurityPermissionState.Allow);
role.AddNavigationPermission("Application/NavigationItems/Items/Default/Items/Invoice_ListView", SecurityPermissionState.Allow);
role.AddObjectPermission <Department>(SecurityOperations.Read, "Employees[Oid=CurrentUserId()]", SecurityPermissionState.Allow);
role.SetTypePermission <Employee>(SecurityOperations.Create, SecurityPermissionState.Allow);
role.AddObjectPermission <Employee>(SecurityOperations.FullObjectAccess, "IsNull(Department) || Department.Employees[Oid=CurrentUserId()]", SecurityPermissionState.Allow);
role.SetTypePermission <EmployeeTask>(SecurityOperations.Create, SecurityPermissionState.Allow);
role.AddObjectPermission <EmployeeTask>(SecurityOperations.FullObjectAccess,
"IsNull(AssignedTo) || IsNull(AssignedTo.Department) || AssignedTo.Department.Employees[Oid=CurrentUserId()]", SecurityPermissionState.Allow);
role.SetTypePermission <PermissionPolicyRole>(SecurityOperations.Read, SecurityPermissionState.Allow);
role.SetTypePermission <Department>(SecurityOperations.Read, SecurityPermissionState.Allow);
// role.SetTypePermission<Invoice>(SecurityOperations.Create, SecurityPermissionState.Allow);
role.SetTypePermission <InvoiceItem>(SecurityOperations.FullObjectAccess, SecurityPermissionState.Allow);
role.SetTypePermission <Product>(SecurityOperations.Read, SecurityPermissionState.Allow);
role.SetTypePermission <Customer>(SecurityOperations.Read, SecurityPermissionState.Allow);
role.AddObjectPermission <Invoice>(SecurityOperations.FullObjectAccess, "[Klient] Is Null Or [Klient.Consultant] Is Null Or [Klient.Consultant.Department.Employees][[Oid] = CurrentUserId()]", SecurityPermissionState.Allow);
role.AddObjectPermission <Customer>(SecurityOperations.FullObjectAccess, "[Consultant] Is Null Or [Consultant.Department.Employees][[Oid] = CurrentUserId()]", SecurityPermissionState.Allow);
// role.AddObjectPermission<Empl>(SecurityOperations.FullObjectAccess, "[Consultant] Is Null Or [Consultant.Department.Employees][[Oid] = CurrentUserId()]", SecurityPermissionState.Allow);
}
return(role);
}