How to: Enable Access to the Data Service (WCF Data Services)


WCF Data Services has been deprecated and will no longer be available for download from the Microsoft Download Center. WCF Data Services supported earlier versions of the Microsoft OData (V1-V3) protocol only and has not been under active development. OData V1-V3 has been superseded by OData V4, which is an industry standard published by OASIS and ratified by ISO. OData V4 is supported through the OData V4 compliant core libraries available at Microsoft.OData.Core. Support documentation is available at OData.Net, and the OData V4 service libraries are available at Microsoft.AspNetCore.OData.

RESTier is the successor to WCF Data Services. RESTier helps you bootstrap a standardized, queryable, HTTP-based REST interface in minutes. Like WCF Data Services before it, Restier provides simple and straightforward ways to shape queries and intercept submissions before and after they hit the database. And like Web API + OData, you still have the flexibility to add your own custom queries and actions with techniques you're already familiar with.

In WCF Data Services, you must explicitly grant access to the resources that are exposed by a data service. This means that after you create a new data service, you must still explicitly provide access to individual resources as entity sets. This topic shows how to enable read and write access to five of the entity sets in the Northwind data service that is created when you complete the quickstart. Because the EntitySetRights enumeration is defined by using the FlagsAttribute, you can use a logical OR operator to specify multiple permissions for a single entity set.


Any client that can access the ASP.NET application can also access the resources exposed by the data service. In a production data service, to prevent unauthorized access to resources, you should also secure the application itself. For more information, see Securing ASP.NET Web Sites.

To enable access to the data service

  • In the code for the data service, replace the placeholder code in the InitializeService function with the following:

     // Grant only the rights needed to support the client application.
    config.SetEntitySetAccessRule("Orders", EntitySetRights.AllRead
         | EntitySetRights.WriteMerge
         | EntitySetRights.WriteReplace );
     config.SetEntitySetAccessRule("Order_Details", EntitySetRights.AllRead
         | EntitySetRights.AllWrite);
     config.SetEntitySetAccessRule("Customers", EntitySetRights.AllRead);
    ' Grant only the rights needed to support the client application.
    config.SetEntitySetAccessRule("Orders", EntitySetRights.AllRead _
         Or EntitySetRights.WriteMerge _
         Or EntitySetRights.WriteReplace)
    config.SetEntitySetAccessRule("Order_Details", EntitySetRights.AllRead _
        Or EntitySetRights.AllWrite)
    config.SetEntitySetAccessRule("Customers", EntitySetRights.AllRead)

    This enables clients to have read and write access to the Orders and Order_Details entity sets and read-only access to the Customers entity sets.

See also