
Thursday, March 8, 2018

Diagnostic tool for Security System - YOUR FEEDBACK IS NEEDED!!!

Earlier we described a prototype of the diagnostic tool. We created it to help developers understand why access to a certain object and its members is allowed or denied.

We analyzed the feedback we got on this matter and provided the following improvements in v17.2.6:
 - To enable the security diagnostic tool, use the familiar EnableDiagnosticActions option.
 - You can select a type and a member you wish to analyze.
 - Results are presented in the XML format.
 - We provide more details on how the diagnostic tool calculates results.
 - There is a way to visualize criteria for easier analysis.

You can get more info about the tool from the KB article below:

https://www.devexpress.com/kb=T589182

Your feedback is needed
Please test the tool and let us know whether it is useful in your development process and how you would change it. For instance, the more specific use cases you share where it was difficult to configure permissions for a user, the more likely we are to arrive at technical solutions that address them.


Friday, December 22, 2017

How to diagnose effective access rights for a specific user or get full information about inner security permissions calculations


Security permissions calculation is quite a complex process, and sometimes it is difficult to diagnose why access to a certain object and its members is allowed or denied. This is more common for application administrators or regular XAF developers who may not want to study documentation guides or may not be able to debug the XAF source code as described in "How can I debug DevExpress .NET source code using PDB files or using other approaches". So, in addition to documenting security rules, we are researching the usefulness of a tool that would show in the UI how effective permissions are calculated for each user, very similar to our Diagnostic Action. This may be helpful even to us, to reduce support time spent on diagnosing related client problems.

Learn more about a possible solution (a diagnostic tool) from the KB article below and let us know what you think:






As for other wish-list items and scenarios, you can help us by filling out the following survey, if you haven't done so already:

Tuesday, June 20, 2017

Linking XAF security roles and Active Directory Security Groups by name

We have recently created a new help topic devoted to one of the popular scenarios our users described: "How to: Assign the Same Permissions for All Users of an Active Directory Group". This topic demonstrates how to map XAF security roles to AD groups. When a user logs on for the first time, existing roles with names matching the user's AD group names are automatically assigned. If the user's membership in AD groups has been modified, the associated roles collection will be updated accordingly on the next logon. Take special note that the corresponding XAF security roles, with the required permissions and with names matching the AD groups, must be created first!

This article was also required to avoid confusion with the AuthenticationActiveDirectory component name, because the component does not support Active Directory Security Groups out of the box. All this component does is allow the currently logged-on Windows user to log on automatically, without the logon form. To initialize the created XAF security user record, the AuthenticationActiveDirectory authentication uses the WindowsIdentity.Name property of an object obtained via the static WindowsIdentity.GetCurrent method to get a user name in the DOMAIN\USERNAME format.
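
An added example (not code from the help topic or from XAF itself) of the name-based mapping described above: it reads the current Windows user's group names through WindowsIdentity and computes which roles to add and remove at logon. The AdRoleSync class and its method names are hypothetical, and stripping the DOMAIN\ prefix, case-insensitive matching and removing roles that have no matching group are assumptions.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Principal;

// Hypothetical helper, not an XAF type. Windows-only (uses WindowsIdentity).
static class AdRoleSync
{
    // Group names of the current Windows identity, "DOMAIN\" prefix stripped.
    // Assumption: roles are named after the bare group name. Keep the prefix
    // instead if the same group name can exist in more than one domain.
    public static ISet<string> CurrentUserGroupNames()
    {
        var names = new HashSet<string>(StringComparer.OrdinalIgnoreCase);
        var groups = WindowsIdentity.GetCurrent().Groups;
        if (groups == null) return names;
        foreach (IdentityReference sid in groups)
        {
            try
            {
                string account = sid.Translate(typeof(NTAccount)).Value; // "DOMAIN\Group"
                names.Add(account.Substring(account.LastIndexOf('\\') + 1));
            }
            catch (IdentityNotMappedException) { /* SID has no resolvable name: skip */ }
        }
        return names;
    }

    // Target set = roles that already exist AND match a group name. A group with
    // no pre-created role grants nothing. Assumption: AD membership is the only
    // source of roles, so assigned roles outside the target set are removed.
    public static (List<string> Add, List<string> Remove) Diff(
        IEnumerable<string> groupNames, IEnumerable<string> existingRoles, IEnumerable<string> assignedRoles)
    {
        var cmp = StringComparer.OrdinalIgnoreCase;
        var target = new HashSet<string>(existingRoles, cmp);
        target.IntersectWith(groupNames);
        var assigned = new HashSet<string>(assignedRoles, cmp);
        return (target.Where(r => !assigned.Contains(r)).OrderBy(r => r, cmp).ToList(),
                assigned.Where(r => !target.Contains(r)).OrderBy(r => r, cmp).ToList());
    }

    static void Main()
    {
        // Constructed sample: the role store holds three roles, the user holds two.
        var (add, remove) = Diff(CurrentUserGroupNames(),
            new[] { "Sales", "Auditors", "Administrators" }, new[] { "Administrators", "Sales" });
        Console.WriteLine("add: " + string.Join(", ", add) + "; remove: " + string.Join(", ", remove));
    }
}
```

Running the diff on every logon is what keeps a user who was removed from an AD group from retaining the matching role.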

I want to point out one implementation aspect that might be unclear: why did we create an AuthenticationActiveDirectory descendant instead of handling the CustomCreateUser event, which looks simpler? The main reason for using the descendant is that with it, the synchronization of XAF security roles is easier to implement when AD groups are updated.

I hope you find this example helpful. Please let us know in comments if you experienced a similar scenario and describe how you are currently handling it. Thanks in advance!