With the XAF Security System, application administrators
can now allow access to all data within the application for a specific role and simultaneously
deny access to a few data types or members. Alternatively, an end-user can deny access
to all data for a role and only allow access to a strict list of objects or members. Both
approaches make it easy to allow/deny data access across a broad range of use-case scenarios.

To use this feature, I choose Standard or Active Directory authentication and the Allow/Deny
Permission Policy on the Choose Security page of the Solution Wizard.

I log on as the default Admin user. Then I open the Role view and create a new
role named Users. The new role object exposes the PermissionPolicy
property. With this property, I can assign the “allow all”, “read only all” or “deny all”
default permission policy to each role. This makes it possible to create very complex and flexible
security configurations. For example, I choose the “deny all by default” policy.

In the Type Permission tab, I can set permissions for a target type, for example the User type.
For each operation, I can explicitly specify the Allow or Deny modifier, or leave it blank.
If the modifier is not specified, the permission is determined by the role’s policy type. The
policy has the lowest priority and takes effect only when there are no explicitly specified
permissions. In the Member Permissions tab, I specify permissions
for the IsActive member: I allow read, deny write, and finally save the changes.
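
The same Users role can be created in code from a module updater. This is an added example, not code from the original page; the `RoleUpdater` class name, the use of `PermissionPolicyUser` as the User type, and the Read/Allow type permission are assumptions, since the page does not say which type-level operations were set.

```csharp
using System;
using DevExpress.Data.Filtering;
using DevExpress.ExpressApp;
using DevExpress.ExpressApp.Security;
using DevExpress.ExpressApp.Updating;
using DevExpress.Persistent.Base;
using DevExpress.Persistent.BaseImpl.PermissionPolicy;

// Hypothetical updater class (name is an assumption); it belongs in the
// module project next to the updater generated by the Solution Wizard.
public class RoleUpdater : ModuleUpdater {
    public RoleUpdater(IObjectSpace objectSpace, Version currentDBVersion)
        : base(objectSpace, currentDBVersion) { }

    public override void UpdateDatabaseAfterUpdateSchema() {
        base.UpdateDatabaseAfterUpdateSchema();

        // Create the role only once so repeated updates do not stack
        // duplicate permission records on it.
        PermissionPolicyRole role = ObjectSpace.FindObject<PermissionPolicyRole>(
            new BinaryOperator("Name", "Users"));
        if (role != null) return;

        role = ObjectSpace.CreateObject<PermissionPolicyRole>();
        role.Name = "Users";

        // Role policy: lowest priority, used only where no modifier is set.
        role.PermissionPolicy = SecurityPermissionPolicy.DenyAllByDefault;

        // Type permission (assumed choice): explicit Allow for Read.
        // Write, Create and Delete are left blank, so deny-all decides them.
        role.AddTypePermission<PermissionPolicyUser>(
            SecurityOperations.Read, SecurityPermissionState.Allow);

        // Member permissions for IsActive: allow read, deny write.
        // A null criteria string applies them to every object of the type.
        string noCriteria = null;
        role.AddMemberPermission<PermissionPolicyUser>(
            SecurityOperations.Read, "IsActive", noCriteria, SecurityPermissionState.Allow);
        role.AddMemberPermission<PermissionPolicyUser>(
            SecurityOperations.Write, "IsActive", noCriteria, SecurityPermissionState.Deny);

        ObjectSpace.CommitChanges();
    }
}
```

Defining the role in an updater keeps the deny-by-default baseline in source control, where changes to explicit Allow modifiers can be reviewed.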