How to Assign Users, Roles and Permissions to a LightSwitch HTML Mobile Client
I’ve gotten a few questions lately on how to assign user permissions to a LightSwitch HTML mobile app so I thought I’d post a quick How To. The short answer is you need to deploy a desktop client to perform the security administration for your application. Typically an administration console also manages other types of global data that your app may use, like lookup tables and other reference data, and is used by one or a few system administrators. However, if you just need access to the Users and Roles screens so you can grant users access to the system, then the steps are simple.
Let’s take an example. I have a simple HTML client application and I’ve enabled Forms Authentication on the Access Control tab of the project properties.
I’ve already added permission checks in code to perform business rules and control access to application functionality. If you’re not familiar with how to do this, please read: LightSwitch Authentication and Authorization. The basic gist is that you use the access control hooks (_CanInsert, _CanDelete, _CanRead, etc.) on your data service (via the data designer) to perform permission checks in the middle-tier. If you also need to access user permissions on the HTML client in order to enable/disable UI elements then see my post: Using LightSwitch ServerApplicationContext and WebAPI to Get User Permissions.
In order to add a desktop client (our administration console), right-click on the project and select “Add Client”.
Then give it a name and click OK.
Now your solution will contain a desktop client. (Note: Once you add it, the desktop client will be set as the startup client for debug. Right-click on the HTMLClient and select “Set as StartUp Client” to switch it back.)
You actually do not need to add any screens to the desktop client. The Users and Roles admin screens will appear to anyone logged in with the SecurityAdministration permission. In order to get the first administrator into the database, you need to deploy your application, but first there’s a couple options to consider around the desktop client.
Right-click on the DesktopClient and select Properties. This will open the client-specific properties where you can specify a logo, icon, theme, etc. You can also change the screen navigation here. On the Client Type tab you can decide whether you want to deploy the desktop client as in-browser or out-of-browser. The LightSwitch desktop client is a Silverlight 5 client so it will run on a variety of desktop browsers (see system requirements here).
By default, when you add a Desktop client to a LightSwitch application the client type will be set to Web. This is a good choice if you are simply managing administrative data. If you need to automate other programs or devices on the Windows desktop via COM (i.e. Excel, Word, eye scanners, etc.) then you will want to choose “Desktop” option. This option will only run on Windows machines but it runs with higher trust so you can talk to other programs.
For this simple administrative console, leave it as Web. Now right-click on the LightSwitch application in the Solution Explorer and select Publish. The key piece of information that the publish wizard needs is the Application Administrator information on the Security Settings tab. This is the user that will be added to the database the first time the application runs.
For more information on deploying see: How to: Deploy a 3-tier Application
Once we’ve deployed the application navigate to the DesktopClient and provide the same credentials you specified in the Publish Wizard. The application now has two clients so remember to navigate the correct virtual directory to run the associated client. For example, the name of our desktop client is “DesktopClient” so to run this one navigate to: https://www.mydomain.com/**DesktopClient**and to run the mobile client named “HTMLClient’ navigate to: https://www.mydomain.com/**HTMLClient**
When you open the desktop client and log in, you will see the Users and Roles screens under the Administration menu.
Once the administrator sets up the Roles and Users, those users can navigate to the HTMLClient on their mobile devices and log in.