I am trying to create a user management module. But i am quite confuse between user role and Authorization (<a class="postlink" href="http://www.aspnetboilerplate.com/Pages/Documents/Authorization">http://www.aspnetboilerplate.com/Pages/ ... horization</a>).
I can't see how to assign "Authorization" to a user, but i can see how to create a role and assign a role to user while creating a user. But i don't think it is the same one.
May need your suggestion.
3 Answer(s)
-
0
Abp user permission to authorize the users. If you are using the attribute [AbpAuthorize("name of permission")] in your controller or action, Abp will authorize the user based on that. You can think of a role as a way to group a number of permissions together. For instance, an Admin role can do CRUD on all users. This can be done with [Authorize(Role="admin)"] from asp.net mvc. The problem is when you need to prevent a particular admin user from doing it all. Let's say you want John to Create, Update but not Delete.
Basically, they serve the "same purpose", but permission give you more granular control. Hope that helps
-
0
Thank for your clarification. But i have a bit more question.
From my understanding now, it seems that permissions are the subset of a a role. So we create a role (role name) and assign permissions (permission name) to its, and then we assign the role to a user. If so, then i can understand this code
var adminRoleForDefaultTenant = context.Roles.FirstOrDefault(r => r.TenantId == defaultTenant.Id && r.Name == "Admin"); if (adminRoleForDefaultTenant == null) { adminRoleForDefaultTenant = context.Roles.Add(new Role(defaultTenant.Id, "Admin", "Admin")); context.SaveChanges(); //Permission definitions for Admin of 'Default' tenant context.Permissions.Add(new RolePermissionSetting { RoleId = adminRoleForDefaultTenant.Id, Name = "CanDeleteAnswers", IsGranted = true }); context.Permissions.Add(new RolePermissionSetting { RoleId = adminRoleForDefaultTenant.Id, Name = "CanDeleteQuestions", IsGranted = true }); context.SaveChanges(); }
However, I still don't understand why we have to declare this code :
public class MyAuthorizationProvider : AuthorizationProvider { public override void SetPermissions(IPermissionDefinitionContext context) { var administration = context.CreatePermission("Administration"); var userManagement = administration.CreateChildPermission("Administration.UserManagement"); userManagement.CreateChildPermission("Administration.UserManagement.CreateUser"); var roleManagement = administration.CreateChildPermission("Administration.RoleManagement"); } }
And if so, why do i have to declare Administration.UserManagement, not only Administration.CreateUser.
Your suggestion may help a lot.
-
0
Hi,
You are using module-zero. So, you should also read also Permission Management, Role Management and User Management documents under Module Zero section in the documents (<a class="postlink" href="http://www.aspnetboilerplate.com/Pages/Documents">http://www.aspnetboilerplate.com/Pages/Documents</a>).
You truly understood relations of permissions and roles. Note that a permission can also be assigned directly to a specific user.
So, why you define a permission? Because, in the [AbpAuthorize("MyPermissionName")] property you are setting a permission name. Defining a permission helps ABP to know what is "MyPermissionName". So, permissions are explicit in ABP.
For the last question:
"why do i have to declare Administration.UserManagement, not only Administration.CreateUser"
You don't have to. You can directly define a 'Administration.CreateUser' permission. Also "." is a convention here and has no effect on authorization or permission definition.
Note: You can create a demo on <a class="postlink" href="http://www.aspnetzero.com/">http://www.aspnetzero.com/</a> to see authorization in action. Create demo, go to roles or users and open permissions modal.