Can we restrict create/edit roles to Host only? #5581


cpadmin created

Hi,

We are using ASP.NET Core & Angular (v5.3.0). We have the requirements below for a multi-tenant application:

  1. Tenant users are not able to create Roles.
  2. Only the Host user is able to create Roles, along with permissions, to be used in tenants. The roles to be used for the host area will be differentiated with a flag in the current role entity.
  3. While creating/updating an Edition, a few roles are associated/attached to the edition from the roles created by the host user for tenants.
  4. When a Tenant is created, an Edition is attached, so the Roles in that Edition are applied to the Tenant (not copied but linked).
  5. The Tenant admin cannot change Roles and their permissions (as permissions are fetched from roles that are in the host area).
  6. While creating a user in a tenant, roles can be chosen only from the Roles linked from the edition. Permissions are taken from these assigned Roles (i.e. from the host area).
  7. When a new entity is added for the tenant area and related permissions are created, only the host can change Roles to have these new permissions. These permissions should be propagated among the roles in all the tenants.

In short, only the host can add/edit Roles and their permissions. A tenant can only inherit these Roles and permissions, and tenant users will behave as per these permissions.

We need to know whether this is a possibility in the current architecture (both the Single-DB and the DB-per-tenant approach). Guide us on where the changes need to be made if this is a possibility.

Thanks


4 Answer(s)
  • alper created
    Support Team

    By default, when creating a tenant, the tenant admin is granted all permissions. You can customize this behaviour!

    When assigning the admin user to the admin role, it assigns the role called "StaticRoleNames.Tenants.Admin" to the admin, and grants all permissions to the admin role. Customize this line with the selected permissions you want to assign to the tenant admin role.

    Here you can see that all permissions are granted to the tenant admin role as well! Customize here as well.

    When creating a new static role, you can provide a list of selected permissions for that role: https://github.com/aspnetboilerplate/aspnetboilerplate/blob/dev/src/Abp.Zero.Common/Zero/Configuration/StaticRoleDefinition.cs

  • cpadmin created

    Thanks alper for the feedback. But as per the requirements, we did not mean to create Static Roles.

    We meant that the host user will create Roles and assign them to a tenant. These roles are the options to be chosen in the Roles section while creating/editing a tenant user. The tenant admin user does not create/update roles/permissions; he just assigns a role to a tenant user.

    The main thing is to grab roles from the host area in such a way that point 7 above is fulfilled (to propagate the Role's permissions changed by the host user to all the tenant users who are assigned that role).

    Please guide us on this, if possible, in the single-DB approach as well as in the DB-per-tenant approach.

    Thanks

  • ismcagdas created
    Support Team

    Hi @cpadmin,

    This is not supported in AspNet Zero and we don't suggest such a usage in the current design because it will affect many parts of the project.

  • cpadmin created

    Hi @ismcagdas,

    Thanks for the information. We will try to find out how many changes are involved and how that affects us when we upgrade AspNet Zero.

    We will let you know if any specific code flow information is required.

    Thanks