I'm in the process of evaluating DevForce and have a question regarding security. Is it possible, through the DevForce framework, to implement row-level security? What I'm after is being able to pass the identity down with a query and then filter the data so that only the data that the identity has access to is returned.
Are there hooks in the BOS to customize the query (either the SQL or "object query")?
DevForce provides a QuerySecurityCheck() method which, when overridden on an Entity type (e.g., Customer), acts as an interception point in the submission of a query. It runs server-side and has access to the EntityQuery object that defines the query. It can add a clause to that query before it is ever turned into SQL and submitted to the database.
A similar operation can be performed client-side with a handler for the PersistenceManager.Fetching event.
For situations where the filtering is too complicated to express as a query clause, a handler for the client-side PersistenceManager.Fetched event can iterate through the returned entities and eliminate any it needs to, so that they do not end up in the client-side cache.
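A minimal model of the server-side approach described in the answer above, as an added example that is not DevForce code and not part of the original reply. `RowSecurity.Restrict` is a hypothetical stand-in for the interception point, and the `OwnerRegion` field, the entitlement table and the sample rows are constructed assumptions.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Principal;

// Hypothetical entity; OwnerRegion is an assumed column used for the row filter.
public class Customer { public int Id; public string Name; public string OwnerRegion; }

public static class RowSecurity
{
    // Constructed entitlement table: which region each user may read.
    static readonly Dictionary<string, string> RegionOf =
        new Dictionary<string, string> { { "alice", "EU" } };

    // Stand-in for a server-side interception point: it receives the query before
    // execution and appends a clause derived from the caller's identity.
    public static IQueryable<Customer> Restrict(IQueryable<Customer> query, IPrincipal caller)
    {
        if (caller == null || !caller.Identity.IsAuthenticated)
            return query.Where(c => false);      // fail closed: no identity, no rows
        if (caller.IsInRole("Admin"))
            return query;                        // unrestricted role
        string region;
        if (!RegionOf.TryGetValue(caller.Identity.Name, out region))
            return query.Where(c => false);      // fail closed: no entitlement on record
        return query.Where(c => c.OwnerRegion == region);
    }
}

public static class Demo
{
    public static void Main()
    {
        // Constructed sample rows standing in for the database table.
        var table = new List<Customer> {
            new Customer { Id = 1, Name = "Acme",    OwnerRegion = "EU" },
            new Customer { Id = 2, Name = "Globex",  OwnerRegion = "US" },
            new Customer { Id = 3, Name = "Initech", OwnerRegion = "EU" },
        }.AsQueryable();
        var alice = new GenericPrincipal(new GenericIdentity("alice"), new[] { "Sales" });
        var anon  = new GenericPrincipal(new GenericIdentity(""), new string[0]);

        // The client asked for every customer; the restriction is composed onto
        // that query, so rows outside the caller's region are never returned.
        var clientQuery = table.Where(c => c.Id > 0);
        foreach (var c in RowSecurity.Restrict(clientQuery, alice))
            Console.WriteLine("alice sees " + c.Id + " " + c.Name);
        Console.WriteLine("anonymous sees " + RowSecurity.Restrict(clientQuery, anon).Count() + " rows");
    }
}
```

Because the clause is added on the server before the query executes, the restriction holds regardless of what the client submits; a filter applied only in client-side handlers runs in code the user controls.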