
Group Level Permissions #8383


fawad29 created

Hi,

We need to implement group level permissions. The current permissions that we have on ANZ are role based and user based. In our multi tenant application, we would like to have permissions setup as explained below.

Roles - E.g. Local Administrator is tenant wide.
Groups - For example, each tenant can have multiple Groups: GroupA, GroupB and so on.
Users - Each User belongs to a role and a group.

Permissions

Local Administrator role is allowed to view MenuA and MenuB. Group A is allowed to view MenuA but not MenuB. Group B is allowed to view MenuB but not MenuA.

UserA belongs to Local Administrator role and Group A, if User A logs in then we would like User A to see Group A menu only even though his/her role has access to both Menu items but his Group is not allowed to access MenuB. This way we don't have to assign permissions for each user, we can assign UserA to Group A and all permissions should be set up like that. Also, we do not want to create multiple role variations such as Local Administrator A, Local Administrator B.

UserB belongs to Local Administrator role and Group B, if User B logs in then we would like User B to see Group B menu only even though his/her role has access to both Menu items but his Group is not allowed to access MenuA.

What is the best way to implement above? Do we need to create new tables/views to handle permissions for Groups, if yes, is there any guidance on how to implement it?

Product Details Product version is 8.0.0. ABP Framework is the one which came with version 8.0.0. ASP.NET Core MVC & jQuery Project


9 Answer(s)
  • ryancyq created
    Support Team

    Hi, you can try configuring your permissions group using the organization unit provided by ANZ.

    By default, a user that has the role Local Administrator and Group A will be able to view both Menu A and Menu B. To achieve the case you mentioned, you can configure a prohibited permission at user level.

    However, if you wish to have prohibited permissions at group/organization level, you will need to implement it yourself.

  • fawad29 created

    Hi,

    Thanks for your reply, I think I need to implement it myself at group level because it will be prohibitive to do so at user level due to the number of users, and the same user can be part of more than one group.

    Can you provide any guidance on how to go about it?

    Thanks

  • ryancyq created
    Support Team

    Hi, to implement custom permission grouping like organization unit, you will need to do something like this:

    • create PermissionGroup table
    • create PermissionGroupRole table
    • create PermissionGroupRoleRemover event handler when role is deleted
    • modify AbpUserManager.IsGranted method to check for your permission group logic
  • ryancyq created
    Support Team

    You can take a look at how role for organization unit was implemented: https://github.com/aspnetboilerplate/aspnetboilerplate/pull/4242

    Note that role for organization reuses the existing role permission and therefore did not modify the permission logic in AbpUserManager.

  • fawad29 created

    Thank you @ryancyq, I am learning ANZ so please bear with me.

    I have created both tables, where should I create PermissionGroupRoleRemover event handler? I have created GroupID instead of UserId in PermissionGroup table.

    I can't find AbpUserManager in my solution, do I need to extend any class?

    Thanks

  • ismcagdas created
    Support Team

    Hi @learner29

    In your project it is UserManager which is derived from AbpUserManager.

  • fawad29 created

    Hi @ismcagdas,

    I have found UserManager class, but it does not have IsGranted method? Where shall I find IsGranted method because as per @ryancyq suggestion I would need to change it so that I set it to true if User's current primary group has permission for a menu and false if he/she has not? I am assuming simply setting IsGranted to false will hide the menu.

  • ryancyq created
    Support Team

    Hi @learner29, does the UserManager you found inherit from AbpUserManager?

    If so, the IsGranted method was implemented in AbpUserManager by default. You will need to override the IsGranted method in the UserManager.

    You can reference the original implementation at https://github.com/aspnetboilerplate/aspnetboilerplate/blob/a613dd920ef6df74cdcdd642052bc2b8a8b129d0/src/Abp.ZeroCore/Authorization/Users/AbpUserManager.cs#L248
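
The rule discussed in this thread (a permission is effective only when the user's role grants it and the user's current group allows it) as a stand-alone C# example added here; it is not ABP or ASP.NET Zero code. `UserContext`, `GroupPermissionChecker`, the `(tenant, name)` group key and the deny-by-default handling of a missing, unknown or non-member group are assumptions; in an ANZ project the same decision would sit behind the `IsGranted` override in `UserManager` described above.

```csharp
using System;
using System.Collections.Generic;

// Hypothetical, framework-free model; none of these types are ABP or ASP.NET Zero classes.
public sealed class UserContext
{
    public int TenantId { get; set; }
    public ISet<string> RolePermissions { get; set; } = new HashSet<string>(); // union over the user's roles
    public ISet<string> Groups { get; set; } = new HashSet<string>();          // group memberships
    public string ActiveGroup { get; set; }                                    // "current primary group"; may be null
}

public static class GroupPermissionChecker
{
    // Effective grant = role grants the permission AND the active group allows it.
    // Groups are keyed by (tenant, name), so another tenant's group is never matched.
    public static bool IsGranted(
        UserContext user,
        IDictionary<(int TenantId, string Name), ISet<string>> groupAllow,
        string permission)
    {
        if (!user.RolePermissions.Contains(permission)) return false;  // role never granted it
        if (user.ActiveGroup == null) return false;                    // no group selected: deny
        if (!user.Groups.Contains(user.ActiveGroup)) return false;     // not a member: deny
        return groupAllow.TryGetValue((user.TenantId, user.ActiveGroup), out var allowed)
            && allowed.Contains(permission);                           // unknown group: deny
    }
}

public static class Demo
{
    public static void Main()
    {
        // Constructed sample data matching the scenario in the question.
        var admin = new HashSet<string> { "MenuA", "MenuB" };          // Local Administrator
        var groupAllow = new Dictionary<(int TenantId, string Name), ISet<string>>
        {
            [(1, "GroupA")] = new HashSet<string> { "MenuA" },
            [(1, "GroupB")] = new HashSet<string> { "MenuB" },
        };
        var userA = new UserContext { TenantId = 1, RolePermissions = admin,
            Groups = new HashSet<string> { "GroupA" }, ActiveGroup = "GroupA" };
        var nonMember = new UserContext { TenantId = 1, RolePermissions = admin,
            Groups = new HashSet<string> { "GroupA" }, ActiveGroup = "GroupB" };
        foreach (var menu in new[] { "MenuA", "MenuB" })
            Console.WriteLine($"UserA {menu}: {GroupPermissionChecker.IsGranted(userA, groupAllow, menu)}; "
                + $"GroupA member selecting GroupB, {menu}: {GroupPermissionChecker.IsGranted(nonMember, groupAllow, menu)}");
    }
}
```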

  • ismcagdas created
    Support Team

    This issue is closed because of no recent activity. Please create a new issue if you are still having this problem.