Hi,
We need to implement group level permissions. The current permissions that we have on ANZ are role based and user based. In our multi-tenant application, we would like to have permissions set up as explained below.
- Roles - E.g. Local Administrator is tenant wide.
- Groups - For example, each tenant can have multiple groups: GroupA, GroupB and so on.
- Users - Each user belongs to a role and a group.
Permissions
Local Administrator role is allowed to view MenuA and MenuB. Group A is allowed to view MenuA but not MenuB. Group B is allowed to view MenuB but not MenuA.
UserA belongs to Local Administrator role and Group A, if User A logs in then we would like User A to see Group A menu only even though his/her role has access to both Menu items but his Group is not allowed to access MenuB. This way we don't have to assign permissions for each user, we can assign UserA to Group A and all permissions should be set up like that. Also, we do not want to create multiple role variations such as Local Administrator A, Local Administrator B.
UserB belongs to Local Administrator role and Group B, if User B logs in then we would like User B to see Group B menu only even though his/her role has access to both Menu items but his Group is not allowed to access MenuA.
What is the best way to implement the above? Do we need to create new tables/views to handle permissions for Groups? If yes, is there any guidance on how to implement it?
Product Details Product version is 8.0.0. ABP Framework is the one which came with version 8.0.0. ASP.NET Core MVC & jQuery Project
9 Answer(s)
-
0
Hi, you can try configuring your permissions group using the organization unit provided by ANZ.
By default, a user that has the role Local Administrator and Group A will be able to view both Menu A and Menu B. To achieve the case you mentioned, you can configure prohibited permission at user level.
However, if you wish to have prohibited permission at group/organization level, you will need to implement it yourself.
-
0
Hi,
Thanks for your reply, I think I need to implement it myself at group level because it will be prohibitive to do so at user level due to the number of users, and the same user can be part of more than one group.
Can you provide any guidance on how to go about it?
Thanks
-
0
Hi, to implement custom permission grouping like organization unit, you will need to do something like this:
- create PermissionGroup table
- create PermissionGroupRole table
- create PermissionGroupRoleRemover event handler when role is deleted
- modify AbpUserManager.IsGranted method to check for your permission group logic
-
0
You can take a look at how role for organization unit was implemented: https://github.com/aspnetboilerplate/aspnetboilerplate/pull/4242
Note that role for organization reuses the existing role permission and therefore did not modify the permission logic in AbpUserManager.
-
0
Thank you @ryancyq, I am learning ANZ so please bear with me.
I have created both tables, where should I create PermissionGroupRoleRemover event handler? I have created GroupID instead of UserId in PermissionGroup table.
I can't find AbpUserManager in my solution, do I need to extend any class?
Thanks
-
0
Hi @learner29
In your project it is UserManager which is derived from AbpUserManager.
-
0
Hi @ismcagdas,
I have found the UserManager class, but it does not have an IsGranted method? Where shall I find the IsGranted method, because as per @ryancyq's suggestion I would need to change it so that I set it to true if the User's current primary group has permission for a menu and false if he/she has not? I am assuming simply setting IsGranted to false will hide the menu.
-
0
Hi @learner29, does the UserManager you found inherit from AbpUserManager? If so, the IsGranted method was implemented in AbpUserManager by default. You will need to override the IsGranted method in the UserManager.
You can reference the original implementation at https://github.com/aspnetboilerplate/aspnetboilerplate/blob/a613dd920ef6df74cdcdd642052bc2b8a8b129d0/src/Abp.ZeroCore/Authorization/Users/AbpUserManager.cs#L248
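The rule this thread is working towards (a permission is effective only when one of the user's roles grants it and the user's group allows it), as an added example that is not part of the original posts or of ABP/ANZ. GroupPermissionEvaluator, its dictionaries and the single active group per user are assumptions standing in for the PermissionGroup tables and the IsGranted override discussed above.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;

// Added example. GroupPermissionEvaluator and its inputs are hypothetical names, not ABP/ANZ
// types; the dictionaries stand in for role permissions and PermissionGroup-style table rows.
public sealed class GroupPermissionEvaluator
{
    private readonly IReadOnlyDictionary<string, HashSet<string>> _roleGrants;
    private readonly IReadOnlyDictionary<int, HashSet<string>> _groupAllowed;

    public GroupPermissionEvaluator(IReadOnlyDictionary<string, HashSet<string>> roleGrants,
                                    IReadOnlyDictionary<int, HashSet<string>> groupAllowed)
    { _roleGrants = roleGrants; _groupAllowed = groupAllowed; }

    // Effective permission = granted by at least one role AND allowed by the
    // user's active group. Assumption: fail closed, so a user with no active
    // group, or a group that does not list the permission, is denied.
    public bool IsGranted(IEnumerable<string> roles, int? activeGroupId, string permission)
    {
        if (activeGroupId is null) return false;
        if (!_groupAllowed.TryGetValue(activeGroupId.Value, out var allowed)
            || !allowed.Contains(permission)) return false;
        return roles.Any(r => _roleGrants.TryGetValue(r, out var g) && g.Contains(permission));
    }
}

public static class Demo
{
    public static void Main()
    {
        // Constructed sample data matching the scenario in the question.
        var roleGrants = new Dictionary<string, HashSet<string>>
            { ["Local Administrator"] = new HashSet<string> { "MenuA", "MenuB" } };
        var groupAllowed = new Dictionary<int, HashSet<string>>
        {
            [1] = new HashSet<string> { "MenuA" }, // Group A
            [2] = new HashSet<string> { "MenuB" }  // Group B
        };
        var eval = new GroupPermissionEvaluator(roleGrants, groupAllowed);
        var admin = new[] { "Local Administrator" };

        foreach (var (user, group) in new[] { ("UserA", (int?)1), ("UserB", (int?)2), ("NoGroup", (int?)null) })
            foreach (var menu in new[] { "MenuA", "MenuB" })
                Console.WriteLine($"{user} {menu}: {eval.IsGranted(admin, group, menu)}");
    }
}
```

Placed in the IsGranted override described above, the rule applies wherever that check is called rather than only where the menu is built.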
-
0
This issue is closed because of no recent activity. Please create a new issue if you are still having this problem.