For general information on XAF's Security System API, please review our landing page or watch the overview video.

Please research the information below, because additional prerequisites may apply to certain platforms. If you cannot compile or run any of these demo apps or have questions about our tutorials or supported functionality, please submit questions in the Support Center or the Issues tab above - we will be more than happy to help you.

• DevExtreme + ASP.NET Web API OData App
• WinForms App
• ASP.NET WebForms App
• ASP.NET Core MVC App
• Blazor Server App
• Xamarin Forms App
• Console App

• WinForms App
• Console App

We detailed the main integration steps for any .NET Core application in this video.

Other CRUD UI apps with EF Core, Blazor WebAssembly with XPO. To help us prioritize our future development, please tell us about the platforms and use-case scenarios you are most interested in using this short survey.

• Visual Studio 2017 or 2019 v16.4+ (for .NET Core 3.1 examples) with the following workloads:
  • .NET desktop development | ASP.NET and web development | .NET Core cross-platform development
• Download and run two unified installers for .NET Framework and .NET Core 3.1 Desktop Development
  • We recommend that you select all products when you run the DevExpress installer. It will register local NuGet package sources and item / project templates required for these tutorials. You can uninstall unnecessary components later.
• Before you run any demo apps, run (F5) the XafSolution.Win or XafSolution.Win.NetCore app depending on your target framework and log in under 'User' or 'Admin' with an empty password.
  • This Database Generation and Permision Management App will create initial users, roles, permissions and other data in the database.

Please review this KB Article. Feel free to submit additional questions in the Support Center or the Issues tab above - we will be more than happy to help you.

• XAF developers who create non-XAF .NET apps and want to reuse existing data models and Security System settings (users, roles and permissions) stored in an XAF application database. Based on experience, XAF customers create custom Web and mobile UI clients with ASP.NET MVC, DevExtreme; backend servers with ASP.NET Web API/OData or Console, Windows Service, WCF apps for various administrative tasks (data modifications, report generation, scheduled workflows).

• Non-XAF developers who create standard line-of-business (LOB) apps with login, logout forms and security related functionality for any .NET UI technologies like WinForms, WPF, ASP.NET (WebForms, MVC 5, MVC Core, Razor Pages) and .NET server technologies like ASP.NET Web API/OData, WCF, etc.

• Getting security right (safe, fast, up-to-date, flexible, and database agnostic) is complicated. Pre-built middleware libraries like ASP.NET Core Identity or Identity Server can be difficult to configure or offer unnecessary functionality. Our Role-based Access Control & User Authentication API for .NET allows you to integrate a proven, database agnostic security sub-system in the shortest possible time.

• LOB app developers want to save time and do not want to implement complex security memberships and authentication/authorization algorithms from scratch (for instance, apps that can filter protected data against a user's access rights or check whether the current user is allowed to delete records). Our Role-based Access Control & User Authentication API for .NET allows you to incorporate advanced security-related capabilities with minimal effort.

• While certain platforms like ASP.NET simplify authentication and basic authorization with a built-in design time APIs, it is difficult to build a flexible and customizable security system (allowing users to customize the system once the app is deployed). Our Role-based Access Control & User Authentication API for .NET allows you to incorporate a highly flexible/customizable security system in your next .NET app.

The primary XAF security system features used in line-of-business applications across supported platforms include:

1. Role-based access control with multi-database permission storage.

1.1. Access control permissions linked to roles and users that can be stored in more than a dozen popular data stores powered by the XPO and EF Core ORMs (including popular RDBMS like SQL Server, Oracle, PostgreSQL, MySql, Firebird, XML and "in-memory" stores).

• Type Permissions grant Read, Write, Create, and Delete access to all objects that belong to a particular type.
• Object Permissions work in conjunction with Type Permissions and grant access to object instances that fit a specified criterion.
• Member Permissions grant access to specific members unconditionally or based on a criterion.

1.2. Powerful and easy-to-use APIs to configure users, roles and permissions in code or visually in XAF apps.

1.3. Support for extensions or replacement with fully custom user, role, and permission objects to meet the needs of your business domain or address various integration scenarios.

2. Authentication.

2.1. Built-in authentication types: Forms (with username/password), Active Directory (Windows user) and Mixed (for mixing several authentication providers).

2.2. A modern and secure algorithm for password generation and validation.

2.3. Support for extension or replacement with custom authentication strategies and logon parameters. For instance, our popular example shows how to use OAuth2 with Google, Facebook or Microsoft authentication providers.

3. Authorization.

3.1. Just two code lines to read secure records filtered against a logged user (role and permission based). When you set up a secured Object Space provider, you can create an unlimited number of secure data contexts - your data query and modification APIs will remain unchanged. A bit more code is required to connect a non-XAF client to the Middle-Tier application server (XPO only).

3.2. Fine-grain access control for base and inherited objects, one to many and many to many object relationships, individual columns with or without criteria (example: can read the Full Name field, but cannot see and modify Salary) and specific object instances only.

3.3. Straightforward APIs to check CRUD or custom access rights for UI element customizations. With this, you can hide or mask protected grid columns, editors in detail forms, and disable menu toolbar commands like New, Delete, Edit, etc.

3.4. Security permission caching for the best possible performance. Two built-in Permission Policies determine the security system’s behavior when explicitly specified permissions for a specific type, object, or member do not exist.

3.5. Proven in production environments. DevExpress Support, comprehensive documentation, examples and a diagnostic tool are at your service to troubleshoot complex security permission configurations.