Base solution for your next web application
Starts in:
01 DAYS
01 HRS
01 MIN
01 SEC
Open Closed

Predefine static roles for a Tenant, and limit the permissions they can assign #9134


User avatar
0
marble68 created

In my solution, when an tenant signs up - I'd like to define 4 roles with predefined permissions.

Level 1 Level 2 (Which has all permissions of level 1 + some) Level 3 (which has all permissiosn of level 2 + some) Level 4 (which is level 3 + some).

So, when a tenant signs up, these roles already exist and permissions already exist and cannot be modified. Then I'd remove the permission to modify roles at the host level.

This way, when users are added, they are, by default, in the Level 1 role.

I've accomplished this to this point.

However, In the event I want to allow a tenant to create new roles so they can name them what they want, how do I hide permissions from them (much like the Editions Features)?

Would I clone the GetUserPermissionsForEdit in UserAppService - and then, based on if the user is a tenant, filter out the permissions I don't want them to be able to see?

Is there a better way?

From a support standpoint, if I did this, if I logged in as host then impersonated the tenant admin, I could check if the host is impersonnating their admin and then show all permissions?

Thanks for suggestions.


5 Answer(s)
  • User Avatar
    0
    ismcagdas created
    Support Team

    Hi,

    The main point for getting list of permissions is here https://github.com/aspnetboilerplate/aspnetboilerplate/blob/dev/src/Abp/Authorization/PermissionManager.cs#L64.

    So, you can override this method by implementing a cutom PermissionManager class and return role list according to your use case.

    After implementing your own PermissionManager (let's say MyPermissionManager), you need to replace default one in the PreInitialize method of your Code module like below;

    Configuration.ReplaceService<IPermissionManager,MyPermissionManager>(DependencyLifeStyle.Singleton);
    
  • User Avatar
    0
    marble68 created

    What I'm trying to do is hide certain permissions from being assignable by a tenant.

    For example, I have several entities the Tenant manages.

    Be default, I have static roles that have permissions assigned for the entities.

    What I'm trying to do is allow the Tenant admin create a new role, and assign permissions for the entities.

    However, when they're assigning roles, I do not want some of the permissions to be visible when the admin is assigning roles. Such as WebHooks.

    I don't want the tenant admin to be able to assign them to any other role, so I do not want them visible when editing / creating roles.

    I do, however, want the tenant admin to be able to see web hooks permission.

    In summary, what I'm trying to do is limit the assignable permissions for the tenant.

    I want the tenant admin to only allow to create roles and apply permissions for entities, but be unable to grant all the permisisons under administration, except for things like audit logs, organization units, Subscription.

    In effect, what I'm thinking is the answer is to use Properties on permissions.

    In the Properties for the permissions, I could assign a custom string that defines a permission I'd create in the AppPermissions (similar to Pages permission structure).

  • User Avatar
    0
    marble68 created

    If I could do this based on edition - that might be the way to go.

  • User Avatar
    0
    marble68 created

    I think I found a way other than making the permission host only in the auth provider, adding a property to every permission "HostOnlyAssignable", true | false.

    Then, I add a permission to host only, for HostOnlyAssign.

    Then, in the common controller, when it builds the tree, I remove any permissions from the list that where that property is set so they don't show up in the tree.

    In this way, the tenant admin can have permissions to DynamicProperties, but cannot assign that permission to another role - or even remove that permission from themselves.

  • User Avatar
    0
    marble68 created

    I figured it out, the documentation has a bug in it.

    In Main Definition section, it says to inert:

    var helloWorld = new WidgetDefinition(
        id:AbpZeroTemplateDashboardCustomizationConsts.Widgets.Tenant.HelloWorld,
        name:"WidgetRecentTenants",//localized string key
        side: MultiTenancySides.Tenant,
        usedWidgetFilters: new List<string>() { helloWorldFilter.Id },// you can use any filter you need
        permissions: tenantWidgetsDefaultPermission);
    

    What is Should say is:

    var helloWorld = new WidgetDefinition(
        id:AbpZeroTemplateDashboardCustomizationConsts.Widgets.Tenant.HelloWorld,
        name:"WidgetHelloWorld",//localized string key
        side: MultiTenancySides.Tenant,
        usedWidgetFilters: new List<string>() { helloWorldFilter.Id },// you can use any filter you need
        permissions: tenantWidgetsDefaultPermission);