Administering a LightSwitch Application
When authentication is enabled for a LightSwitch application, two administrative screens are added to the application. The Users and Roles screens allow an administrator to add and remove users, create groups of users known as roles, and grant permissions to users and roles.
When you publish for the first time, you must provide authentication information for a default administrator. Once published, the default administrator must log in and define users, roles, and permissions before anyone else can access the application.
Note
The Users and Roles screens are Silverlight-based. For an HTML client application you need to add a Silverlight client to the solution – see Administration. LightSwitch apps that have been enabled for SharePoint use SharePoint authentication for access control and don’t use the Users and Roles screens.
Defining a Default Administrator
When you help secure your application, the final step is to publish it. When you publish for the first time, you must provide authentication information for a default administrator. When you publish again, you don’t have to repeat this step.
To provide authentication information when you publish an application
In the LightSwitch Publish Application Wizard, choose the Security Settings page, and then choose the Yes, create an Application Administrator option button.
Note
You must perform the remaining steps only if you’re publishing directly to a server. If you’re creating a package, you will be prompted to add an administrative account when you deploy the package.
In the User Name text box, enter a username.
If you’re using Windows authentication, you must specify a valid Windows logon name that has the form Domain\Username.
Tip
You can also assign a security group in Active Directory as the default administrator.
In the Full Name text box, enter the full name of the user or group that will be the default administrator.
In the Password text box, enter a password.
Note
If you’re using Windows authentication, the Full Name, Password and Confirm Password fields don’t appear.
In the Confirm Password text box, enter the password again.
Remember the username and password because you'll need to specify them the first time that you run the application.
Finish publishing the application.
Defining Roles and Users
If you're the application administrator, you must run the published application the first time. You then use the Roles screen and the Users screen to define roles, assign permissions to the roles, and assign roles to users or groups of users. You can access these screens in the running application at design time or when it’s deployed. At design time, set a debug permission to access the screens. In a deployed application, anyone who has been granted the Security Administration permission can access the screens.
Note
To log on, you must use the username and password that you specified when you published the application.
To define a role and assign permissions
In a published application that’s running under administrator permissions, on the menu bar, choose Roles.
In the Roles pane, choose the +… (Add) button.
In the Add New Role dialog box, enter a name for the role, and then choose the OK button.
In the Permissions pane, choose the +… (Add) button.
A new row appears in the Permissions grid.
In the first column of the grid, choose a permission in the list.
The list contains all of the available permissions for your application. You can add as many permissions as you need, but you must choose the +… (Add) button for each one to add it.
On the application toolbar, choose the Save button to save your changes.
To add a user or group of users
On the menu bar, choose Users to display the Users screen.
In the Users and Groups pane, choose the +… (Add) button.
In the Name text box, enter a username.
If you’re using Windows authentication, you must specify a valid username in the form of an alias (terry), a domain and an alias (example\terry), an alias and a domain (terry@example.com), or a fully qualified domain name and an alias (northamerica.corp.example.com\terry). The entire string must contain fewer than than 256 characters. You can also specify the name of a security group in Active Directory. If you’re using Forms authentication, the username must be unique and contain fewer than 256 characters.
In the Full Name text box, enter the user’s full name.
The information in the Full Name field is used only for display purposes.
Note
For Windows authentication, the Full Name field is automatically populated based on the username and can’t be edited.
In the Password text box, enter a password.
Note
The Password and Confirm Password fields don’t appear if you’re using Windows authentication.
In the Confirm Password text box, enter the same password.
In the Roles pane, choose the Add button, and then choose a role in the Roles list.
You can assign a user to multiple roles by repeating this step for each role.
On the application toolbar, choose the Save button to save the changes.
To remove a user or group of users
On the menu bar, choose Users to display the Users screen.
In the Users and Groups pane, choose the account that you want to remove, and then choose the X (delete) button.
Note
If a user is logged on with an account that’s deleted, the user can no longer save or access data on the server. If the user tries to access data from the server, an Access Denied message appears.
Note
If a group account is deleted, any user whose role was inherited from that group will lose permissions for that role.
On the application toolbar, choose the Save button to save the changes.