Fine-grained permissions support across multiple components #122

Open
emilvberglind opened this issue Dec 29, 2024 · 3 comments

Comments

@emilvberglind

emilvberglind commented Dec 29, 2024

First, thank you for the great work on this project!

I have been reading through the examples and trying to piece together a solution for the problem I'm trying to solve, but I'm coming up a little short.

Background: We have a back-end written using Minimal API and a front-end that is Blazor WASM, and we're adding multi-tenant support via sharding. Authentication and authorization is handled via Entra ID with JWT tokens, like so:

```csharp
// Blazor WASM client: MSAL authentication against Entra ID.
// The "AzureAd" configuration section supplies ClientId, Authority, etc.
builder.Services.AddMsalAuthentication(options =>
{
    builder.Configuration.Bind("AzureAd", options.ProviderOptions.Authentication);
    // Scope of the back-end API requested in the access token (redacted in the issue).
    options.ProviderOptions.DefaultAccessTokenScopes.Add("........");
});
```

So, the authentication happens in the Blazor app and then upon authentication, we'll fetch the additional permissions the user has.

For our initial version we were just using a couple of super coarse groups/roles, but we now have a need for a much more robust authorization system. We'll have some different roles, but then within each role we also need the ability to set more fine-grained permissions at the user level - these could be either explicit allows or explicit denies. I started down the path of building this myself, but then came across this library, which looks like it ticks a lot of the boxes for what I'm trying to do, but I was curious if you've come across any similar applications and had some pointers on how to use AuthP in this manner?

What I'm trying to do is to set up a separate "Auth Service" project that would leverage AuthP to manage user permissions.

Rather than using the database directly for the Blazor and Minimal API apps, I would want to host all of the permissions in this "Auth Service" component, and the Blazor WASM and back-end API would both access this via an API to pull back the permissions the user has access to.

Note: We also have some mobile app stuff (MAUI) coming down the pipe which would also wind up leveraging this same "Auth Service" to retrieve user permissions.

So, a couple of questions:

  1. Would AuthP fit in a scenario where I need to be able to support fine-grained user-level permissions on top of the roles?
  2. Would AuthP fit in a scenario where I need to manage permissions in a centralized component that all other components/apps will access via API?
@JonPSmith
Owner

Hi @emilvberglind,

I understand the need for fine-grained permissions. In fact, AuthP's permissions come from a company which engaged me to build a new ASP.NET Core version of their large multi-tenant application, which was running on Windows computers at that time. They thought they would have thousands of options, so I created a fine-grained permission, e.g. Something(read), Something(add), Something(update), .... This turned out to be a Bad Idea. It was very hard to understand and hard to update the permissions. Also, there weren't thousands of options, more like hundreds (I can't remember).

So, when I built the AuthP library I used one Enum per permission, e.g., SomethingRead, SomethingAdd, etc. The only limitation is the number of permissions that a user can have to fit into ASP.NET Core's cookie, which has a limit of 4096 bytes (each permission Enum is stored in a Unicode character). But in your case you are using an API token, so there is no limit for you.

The other thing I learnt is to make it easy for the developer and the admin users to understand what each permission does. Have a look at Example7Permissions and you will see I add a GroupName and Description.

Have a look at the article "Finally, a library that improves role authorization in ASP.NET Core", which shows the basics.

@emilvberglind
Author

Hi @JonPSmith,

Thanks for the response! I have been reading through the documentation and many of the articles, but what I was unable to find was how to best store individual permissions "overrides" at the user level.

Say, for example, that I had a role called SalesAdmin that included several permission enum values, like: AddOrder, UpdateOrder. But, then there is one user out of the 100 or so that needs to have a DeleteOrder permission. So, I want to effectively be able to add that permission to just that user. What I was digging around in the articles/codebase for was some way to store individual UserPermissions at the user/tenant level so I could add just this one permission. Does that exist, or would I effectively need to create a new role for just that user and assign the set of permissions to this role? And, conversely, if I need just one user to have an explicit deny on a permission, is there a way to accomplish that, or would I need to just create a new role where that permission does not exist?

These are just simplified examples for illustration, but they do represent real scenarios that we need to solve for.

Thanks!

@JonPSmith
Owner

JonPSmith commented Jan 2, 2025

Hi @emilvberglind,

First, for your question about whether there is "some way to store individual UserPermissions at the user/tenant level": the answer is no. Permissions are held in the user's cookie/token. Each tenant's capabilities are controlled by the Permissions.

I think what you need is some code to add the right permissions to a new user - I call these adapters. AuthP has two versions of adapters:

These adapters, especially the first one, decides what permissions the new user should have.

So you could create an adapter that provides the normal set of permissions for the user's role, e.g. buyer, seller, manager, with the permissions for each role, PLUS other tick boxes to add those rare features. If you know all the roles / rare features then you code it, or if the roles / rare features could change, then you could save the roles / rare features permissions in a database (but that's harder).
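The following is an added illustration, not code from AuthP or from either participant, of the "role permissions PLUS per-user tick boxes" approach suggested in the answer above, applied to the SalesAdmin / DeleteOrder scenario and the explicit-deny case from the earlier question. The permission enum, role table, `UserOverride` record and all names are assumptions chosen for the example; it mirrors only the two facts stated in the thread (one enum value per permission; the effective set is computed when the token or cookie is built and stored one character per permission).

```csharp
using System;
using System.Collections.Generic;
using System.Linq;

// Illustrative model only (not AuthP's own code or API): one enum value per
// permission, roles that map to sets of permissions, and a per-user override
// list that can allow or deny single permissions. Deny always wins.
// Enum values are kept in the printable range so that packing one permission
// per char (below) never produces control characters or surrogates.
public enum Permissions : ushort
{
    NotSet = 0,
    OrderRead = 100,
    OrderAdd = 101,
    OrderUpdate = 102,
    OrderDelete = 103,
}

public enum OverrideKind { Allow, Deny }

public record UserOverride(Permissions Permission, OverrideKind Kind);

public static class PermissionCalculator
{
    // Hypothetical role table; a real deployment would load this from a database.
    public static readonly IReadOnlyDictionary<string, Permissions[]> Roles =
        new Dictionary<string, Permissions[]>(StringComparer.Ordinal)
        {
            ["SalesAdmin"] = new[] { Permissions.OrderRead, Permissions.OrderAdd, Permissions.OrderUpdate },
            ["SalesViewer"] = new[] { Permissions.OrderRead },
        };

    // Effective permissions = union of the user's roles, plus per-user allows,
    // minus per-user denies. Computed once, when the token/claims are issued.
    public static HashSet<Permissions> Effective(IEnumerable<string> roleNames,
                                                 IEnumerable<UserOverride> overrides)
    {
        var result = new HashSet<Permissions>();
        foreach (var role in roleNames)
        {
            // Fail closed: an unknown role name is a configuration error, not "no permissions".
            if (!Roles.TryGetValue(role, out var perms))
                throw new InvalidOperationException($"Unknown role '{role}'");
            result.UnionWith(perms);
        }

        var list = overrides.ToList();
        foreach (var o in list.Where(o => o.Kind == OverrideKind.Allow))
            result.Add(o.Permission);
        // Apply denies last so a deny beats both the role and any conflicting allow.
        foreach (var o in list.Where(o => o.Kind == OverrideKind.Deny))
            result.Remove(o.Permission);

        result.Remove(Permissions.NotSet);
        return result;
    }

    // Pack the set as one UTF-16 char per enum value, the compact form the
    // answer describes for the cookie claim. Sorting makes the claim canonical.
    public static string Pack(IEnumerable<Permissions> perms) =>
        new string(perms.Distinct().OrderBy(p => p).Select(p => (char)(ushort)p).ToArray());

    public static HashSet<Permissions> Unpack(string packed) =>
        packed.Select(c => (Permissions)(ushort)c).ToHashSet();

    // What the Minimal API / Blazor side would evaluate against the packed claim value.
    public static bool HasPermission(string packedClaim, Permissions needed) =>
        packedClaim.Contains((char)(ushort)needed);
}

public static class Program
{
    public static void Main()
    {
        var noOverrides = Array.Empty<UserOverride>();

        // The ordinary SalesAdmin users: role permissions only.
        var normal = PermissionCalculator.Effective(new[] { "SalesAdmin" }, noOverrides);

        // The one SalesAdmin who also needs OrderDelete: an allow override, no extra role.
        var special = PermissionCalculator.Effective(new[] { "SalesAdmin" },
            new[] { new UserOverride(Permissions.OrderDelete, OverrideKind.Allow) });

        // A SalesAdmin with an explicit deny on OrderUpdate; a conflicting allow does not rescue it.
        var restricted = PermissionCalculator.Effective(new[] { "SalesAdmin" },
            new[] { new UserOverride(Permissions.OrderUpdate, OverrideKind.Deny),
                    new UserOverride(Permissions.OrderUpdate, OverrideKind.Allow) });

        foreach (var (name, set) in new[] { ("normal", normal), ("special", special), ("restricted", restricted) })
        {
            var claim = PermissionCalculator.Pack(set);
            Console.WriteLine($"{name,-10} claim=\"{claim}\" ({claim.Length} chars) " +
                              $"canDelete={PermissionCalculator.HasPermission(claim, Permissions.OrderDelete)} " +
                              $"canUpdate={PermissionCalculator.HasPermission(claim, Permissions.OrderUpdate)}");
        }
    }
}
```

Because, as the answer states, the permissions travel inside the cookie or token, the override table is only consulted when the claims are built; removing a permission from a user therefore takes effect when that user's token is reissued, so a short token lifetime (or a refresh on permission change) is part of the design, not an afterthought.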
