Implementing Security in Role-based LightSwitch Applications

[Infragistics] Mihail Mateev / Monday, October 11, 2010

Security is a very important feature for business applications.
Visual Studio LightSwitch supports security, build in screens, queries and entities that allow you easily check defined permissions.

Security is implemented in role based LightSwitch applications.

Role based applications could implement different roles, permissions to the roles and assign roles to the users.
To be possible to have security implementation you need to have authentication for you application (either Forms authentication or Windows authentication).

Demo Application:

Demo application is based on the application used for article: “Introduction to Visual Studio LightSwitch”


  • SQL Server 2008 Express or higher license

Steps to reproduce:

  • Download a sample application from the article: “Introduction to Visual Studio LightSwitch”
  • Change the access control (define Forms authentication) of the application.
  • Define a permissions.
  • Write Security Methods to check the permissions.
  • Publish the Application
  • Setting Up LightSwitch Authorization

Demo application will be deployed like a 2-tier client desktop LightSwitch application

Download a sample application from the article: “Introduction to Visual Studio LightSwitch”

Change the access control (define Forms authentication) of the application.

Check default option: probably it is “Do not enable authentication”.

Change the access control to “Use Forms authentication”. In the sample will be used this option. When application is used from users that are not in the same organization (not in the one domain) it is better to set “Forms authentication” Otherwise, if all users are in one domain probably “Windows authentication” will be more appropriate option.

Define a permissions.

Add a permissions that could be used in the LightSwitch application.

  • CanAccessInitialScreen – allow access to the initial screen.
  • CanAddProduct – allow users to add new product entities.
  • CanDeleteProduct – allow users to delete product entities.
  • CanEditProduct – allow users to update product entities.

Write Security Methods to check the permissions.

Select EditableIGProductsGrid screen and open designer.

Open WriteCode drop-down list and select under SecurityMethods CanRunEditableIGProductsGrid method.
Implementation of this method will control user access to the initial screen.

Implement CanRunEditableIGProductsGrid  method with a condition for CanAccessInitialScreen permission.

   1: partial void CanRunEditableIGProductsGrid(ref bool result)
   2: {
   3:     // Set result to the desired field value
   4:     result = this.User.HasPermission(Permissions.CanAccsessInitialScreen);
   6: }

From Solution Explorer select from Data Sources IGProducsSet and implement security methods:

  • IGProducsSet_CanDelete using  CanDeleteProduct to allow users to delete product entities.
  • IGProducsSet_CanUnsert using CanAddProduct permission to allow users to add new product entities.
  • IGProducsSet_CanUpdate using CanEditProduct to allow users to update product entities.
   1: public partial class ApplicationDataService
   2:     {
   3:         partial void IGProductsSet_CanDelete(ref bool result)
   4:         {
   5:             result = this.Application.User.HasPermission(Permissions.CanDeleteProduct);
   6:         }
   8:         partial void IGProductsSet_CanInsert(ref bool result)
   9:         {
  10:             result = this.Application.User.HasPermission(Permissions.CanAddProduct);
  11:         }
  13:         partial void IGProductsSet_CanUpdate(ref bool result)
  14:         {
  15:             result = this.Application.User.HasPermission(Permissions.CanEditProduct);
  16:         }
  17:     }


Run the LightSwitch application in debug mode.
The initial screen is not accessible. The reason is because in development stage when application is not published there are still no set roles and users.

Stop the application.
In InfraProducs project –> Properties –> Access Control for permission CanAccessInitialScreen check “Granted for debug”.
This will allow in debug mode to grant permissions for all users.

Run the application again in debug mode. Now initial screen is accessible.

Try to edit the first product entity named “Net Advantage for .NET”.
Save option is nor available because we didn’t granted CanEditProduct permission in debug mode.

Publish the Application

LightSwitch demo application type is 2-tier, desktop client (default option).

Publishing is described in the article Deploying Visual Studio LightSwitch Beta 1 2-Tier Desktop Applications.

When application has access control with Forms authentication there is screen when deploying demo
to set an administrator for the LightSwitch application.
You need to set an administrator user and password.


Setting Up LightSwitch Authorization

 Login like an administrator (user that you set when the LightSwitch application is published)

The initial screen is not visible because of permissions. By default administrator has no permission CanAccessInitialScreen.

Select “Administration” and for role Administrator add all new created permissions.

Add a role “Visitor” and create a user “demouser” . Fir “Visitor” role users add demouser.
Set only permission CanAccessInitialScreen  for this role.

Save all changes in administration and restart the application.

Log in as user with Administrator role

Select “Add..” button above the grid and add a new product, named “NetAdvantage for .Net”.

Save changes and refresh the current screen.
In the grid there must be displayed a new added product.

Test with Visitor role

Login like a demouser (user that has a visitor role)

Initial page is visible (delete button is disabled)

Add a new product, named “NedAdvantage for Silverlight LoB” and fill the required properties.

Try to save the product entity. There is an error message that current user doesn’t have permissions to insert entities into the “IGProductsSet”.