Is it possible to prepare such a scenario and is it a good direction:
User logged in as the host:
- creates roles for Tenants,
- assigns permissions to roles,
- can see all roles for all tenants, edit, delete, etc.,
User logged in within a particular tenant:
- can see only roles
- (admin of tenant) can assign a user to roles (roles should work additively - if the user has 2 roles, it is enough that some permission is granted in only one of them)
5 Answer(s)
-
0
Hi @flaskone
If I understand correctly, AspNet Zero supports this scenario out of the box.
> is it a good direction
This depends on your needs.
-
0
Can this be done in the settings or does it need to be programmed? If coding, how do you approach it? Are there any tips?
-
0
Hi,
Maybe I couldn't understand the question properly. If I understand correctly, these can be done via the UI by opening the roles page, granting specific permissions to roles and assigning these roles to specific users.
-
0
We would like to give tenants only a limited option to manage permissions / roles. As part of the process, we have very granular permissions created in the solution, while only a very limited part should be available for tenants to manage.
That is why we considered denying tenants access to manage permissions and letting them manage only some selected set of roles (whose configuration would remain on host level), but as far as we understand, assigning permissions to roles for particular tenants cannot be managed centrally on host level? (Could you please confirm?)
So the scenario would be as follows:
- Host user can predefine and configure roles that could be used on the tenant level
- Tenant user can assign a role to particular users but cannot see / edit granular permissions
Or alternatively, can we somehow filter the list of permissions available for the tenant to configure, to avoid confusion?
-
0
Hi,
Thanks, got it now. So, when a host user uses impersonation and logs in as a tenant user, then this user will have no limitation. But, if a tenant user logs in directly, there will be limitations.
I think you can check AbpSession.ImpersonatorTenantId and adjust your logic depending on this value on the roles page and roles permissions modal. You also need to modify the user permissions modal as well.
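
One way to apply the rule from the last answer on the server as well as in the UI, as an added example that is not part of the thread or of AspNet Zero's own code. `SessionInfo` is a hypothetical stand-in for the `TenantId`, `ImpersonatorTenantId` and `ImpersonatorUserId` values read from `AbpSession`, the permission names are constructed, and the code assumes a host impersonator carries no tenant id (impersonator user set, impersonator tenant null).

```csharp
using System;
using System.Collections.Generic;
using System.Linq;

// Hypothetical stand-in for the three values read from AbpSession.
public record SessionInfo(int? TenantId, int? ImpersonatorTenantId, long? ImpersonatorUserId);

public static class TenantPermissionGuard
{
    // Constructed allow-list: the only permissions a tenant user may see or change.
    static readonly HashSet<string> TenantManageable = new() { "Sample.Orders.View", "Sample.Orders.Edit" };

    // Assumption: the host has no tenant id, so a host impersonator appears as
    // "impersonator user set, impersonator tenant null". A tenant admin who
    // impersonates a colleague has both values set and stays restricted.
    public static bool IsUnrestricted(SessionInfo s) =>
        !s.TenantId.HasValue || (s.ImpersonatorUserId.HasValue && !s.ImpersonatorTenantId.HasValue);

    // Roles page and permission modals: list only what this caller may manage.
    public static List<string> Visible(IEnumerable<string> all, SessionInfo s) =>
        all.Where(p => IsUnrestricted(s) || TenantManageable.Contains(p)).ToList();

    // Save path: a hidden checkbox does not stop a hand-built request, so reject
    // any change (grant or revoke) outside the allow-list on the server.
    public static void EnsureCanChange(IEnumerable<string> current, IEnumerable<string> requested, SessionInfo s)
    {
        if (IsUnrestricted(s)) return;
        var diff = current.ToHashSet();
        diff.SymmetricExceptWith(requested);   // diff now holds only the permissions that changed
        var denied = diff.Where(p => !TenantManageable.Contains(p)).ToList();
        if (denied.Count > 0)
            throw new UnauthorizedAccessException("Not tenant-manageable: " + string.Join(", ", denied));
    }
}

public static class Demo
{
    public static void Main()
    {
        var all = new[] { "Sample.Orders.View", "Sample.Orders.Edit", "Sample.Admin.Roles" };
        var direct = new SessionInfo(5, null, null);    // tenant user logged in directly
        var hostImp = new SessionInfo(5, null, 1);      // host user impersonating a tenant user
        var tenantImp = new SessionInfo(5, 5, 7);       // tenant admin impersonating a colleague
        foreach (var s in new[] { direct, hostImp, tenantImp })
            Console.WriteLine(string.Join(", ", TenantPermissionGuard.Visible(all, s)));
        try { TenantPermissionGuard.EnsureCanChange(new[] { "Sample.Orders.View" }, all, direct); }
        catch (UnauthorizedAccessException e) { Console.WriteLine(e.Message); }
    }
}
```

In an application service, `Visible` would feed the permission tree returned to the roles and user permission modals, and `EnsureCanChange` would run before the role or user permissions are saved.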