Roles explained
An AuthP Role represents a set of features in your application that a user (human or machine) can access. Roles are normally named after the user's job, say "Sales Person", "Sales Manager", and so on. These Roles manage what pages/WebAPIs a logged-in user can access.
The idea of using Roles started in ASP.NET MVC and carried over into ASP.NET Core. In ASP.NET, Roles are hard-coded into your application via an attribute such as `[Authorize(Roles = "Sales Person,Sales Manager")]`. The downsides of the ASP.NET Roles approach are:
- If you want to change what a Role can access you need to edit your application and redeploy it.
- In larger applications the authorize attributes get pretty long (e.g. `[Authorize(Roles = "Staff, SalesManager, DevManage, Admin, SuperAdmin")]`) and hard to manage.
The AuthP library keeps the Roles concept for users, but adds a lower-level concept called Permissions that controls which pages/WebAPIs can be accessed. The mapping from a user to Permissions is held in a database, so you can use AuthP's admin features to:
- Change what Permissions (i.e. what pages/WebAPIs can be accessed) are in an AuthP Role.
- Change what AuthP Roles a user has.
The end result is a cleaner implementation of the Roles concept and a more manageable pages/WebAPI access scheme: your code names the feature it protects, and the database decides which Roles grant that feature.
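The following C# is an added example (not code from the AuthP wiki or the library's own samples) showing the two approaches side by side: a controller locked down with hard-coded ASP.NET Roles, and the same controller protected by AuthP Permissions. The `ShopPermissions` enum, the controllers and the permission names are hypothetical; `HasPermission` is AuthP's attribute/extension from the `AuthPermissions.AspNetCore` namespace, and the `Display` attribute usage follows the convention described on the "Permissions explained" page (check that page for the version you use).

```csharp
// Added example, not part of the AuthP wiki. Assumes the AuthPermissions.AspNetCore
// package is installed and registered in Program.cs with this enum as its permission type.
using System.ComponentModel.DataAnnotations;
using AuthPermissions.AspNetCore;          // [HasPermission] and User.HasPermission(...)
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;

// AuthP Permissions are members of a ushort-backed enum. Each member names one
// feature; the Display attribute supplies the group/description shown in the admin UI.
// AutoGenerateFilter = true marks an "advanced" permission: any Role that contains it
// is forced to RoleType HiddenFromTenant, so tenant admins can never hand it out.
public enum ShopPermissions : ushort
{
    NotSet = 0,   // value 0 is reserved and never assigned (AuthP's samples call it NotSet)

    [Display(GroupName = "Sales", Description = "Can view sales orders")]
    SalesRead = 10,

    [Display(GroupName = "Sales", Description = "Can approve customer discounts")]
    SalesApproveDiscount = 11,

    [Display(GroupName = "Admin", Description = "Can create and edit tenants",
             AutoGenerateFilter = true)]            // advanced permission
    TenantAdmin = 100,
}

// Before: hard-coded ASP.NET Roles. Letting a new job title approve discounts
// means editing this string and redeploying the application.
public class LegacySalesController : Controller
{
    [Authorize(Roles = "Sales Manager,Admin")]
    public IActionResult ApproveDiscount(int orderId) => Ok();
}

// After: AuthP Permissions. The attribute names the feature, not a job title.
// Which Roles grant SalesApproveDiscount is data in the AuthP database, so an
// admin changes it at runtime without touching this code.
public class SalesController : Controller
{
    [HasPermission(ShopPermissions.SalesRead)]
    public IActionResult Index() => View();

    [HasPermission(ShopPermissions.SalesApproveDiscount)]
    public IActionResult ApproveDiscount(int orderId)
    {
        // The same check is available in code and in Razor views for finer-grained
        // decisions, e.g. hiding an admin-only link from users without the permission.
        ViewBag.ShowTenantAdminLink = User.HasPermission(ShopPermissions.TenantAdmin);
        return Ok();
    }
}
```

Note that the permission check fails closed: a user whose Roles grant no `SalesApproveDiscount` permission gets the normal ASP.NET Core forbidden response, and an unauthenticated user is challenged first. Keep the numeric enum values stable once deployed, because AuthP stores permissions as those numbers in the user's claims.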
If you are using AuthP's multi-tenant features, then there are different Role types. Here is a list of the types and what they do:
NOTES:
- app-users means users not linked to a tenant.
- tenant-users means users linked to a tenant.
- Assignable means the Role can be added to that user type.
- Visible means the admin user can see the Role, but it is not suitable for assigning to app-users.
Role Type | app-users | tenant-users | Description |
---|---|---|---|
Normal | Assignable | Assignable | Normal Roles that can be used by anyone |
HiddenFromTenant | Assignable | NOT visible | Role contains advanced permissions, so it is neither seen by nor assignable to tenant users |
TenantAutoAdd | Visible | Assigned always | Role can be linked to Tenants, and every user in the tenant automatically gains that Role |
TenantAdminAdd | Visible | Assignable | Role can be linked to Tenants, and can be added to a tenant user by an admin user |
A Role's `RoleType` is set manually, but if the permissions in a Role contain any advanced permissions the `RoleType` will be forced to `HiddenFromTenant`. This is a safety check: a tenant admin should never be able to grant an admin-only feature to one of their users simply because someone created a Role with the wrong type.
The Roles with a `RoleType` of `TenantAutoAdd` or `TenantAdminAdd` are referred to as tenant roles, because they are only used in multi-tenant applications. These tenant roles are linked to AuthP's `Tenant` class via a many-to-many relationship.
The different types of Roles allow you to use two features in a multi-tenant application:
- Because the Roles containing advanced permissions (that is, permissions that control features only your admin staff should be allowed to use) are hidden from tenant users, you can safely allow a tenant admin to manage what their own tenant's users are allowed to access.
- The Roles with a `RoleType` of `TenantAutoAdd` or `TenantAdminAdd` let you add extra Roles to a tenant. This means you can offer different versions of your application, e.g. Free, Pro, Enterprise, with different prices for each.
NOTE: See articles Part 2 and 3 in the "Building ASP.NET Core and EF Core multi-tenant apps" series, which explain the extra tenant-user features such as inviting a user to join a tenant, and setting up a new tenant using versioning.
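The following C# is an added example (not code from the AuthP wiki or the library) that seeds one Role of each `RoleType` through AuthP's admin services and links the tenant roles to a tenant. The Role and tenant names, the `ShopPermissions` enum (with `TenantAdmin` as its advanced permission) and the `using` namespaces are assumptions to be checked against the package version you have installed; `CreateRoleToPermissionsAsync`, `AddSingleTenantAsync` and `UpdateUserAsync` are the admin-service methods this example assumes.

```csharp
// Added example, not part of the AuthP wiki. Namespaces below are assumptions;
// confirm them against your installed AuthPermissions.AspNetCore version.
using AuthPermissions.AdminCode;                                 // IAuthRolesAdminService, IAuthTenantAdminService, IAuthUsersAdminService
using AuthPermissions.BaseCode.DataLayer.Classes.SupportTypes;   // RoleTypes
using StatusGeneric;                                             // IStatusGeneric

public static class RoleSeeding
{
    // Helper: AuthP admin methods return a status object rather than throwing.
    private static void ThrowIfErrors(IStatusGeneric status)
    {
        if (status.HasErrors)
            throw new InvalidOperationException(status.GetAllErrors());
    }

    public static async Task SeedAsync(
        IAuthRolesAdminService roles,
        IAuthTenantAdminService tenants,
        IAuthUsersAdminService users)
    {
        // Normal: assignable to both app-users and tenant-users.
        ThrowIfErrors(await roles.CreateRoleToPermissionsAsync(
            "Sales Person",
            new[] { nameof(ShopPermissions.SalesRead) },
            "Can read sales orders",
            RoleTypes.Normal));

        // Contains the advanced permission TenantAdmin. We ask for Normal, but AuthP
        // forces the stored RoleType to HiddenFromTenant, so a tenant admin will
        // never see "App Admin" in the Roles they can assign.
        ThrowIfErrors(await roles.CreateRoleToPermissionsAsync(
            "App Admin",
            new[] { nameof(ShopPermissions.TenantAdmin), nameof(ShopPermissions.SalesRead) },
            "Global administrator (advanced permissions)",
            RoleTypes.Normal));

        // TenantAutoAdd: every user in a tenant linked to this Role gains it
        // automatically. This is how a "Pro" tier is switched on for a whole tenant.
        ThrowIfErrors(await roles.CreateRoleToPermissionsAsync(
            "Pro Tier",
            new[] { nameof(ShopPermissions.SalesApproveDiscount) },
            "Pro features for every user of a Pro tenant",
            RoleTypes.TenantAutoAdd));

        // TenantAdminAdd: linked to a tenant, but only given to the tenant users
        // an admin chooses. Nothing in it is an advanced permission.
        ThrowIfErrors(await roles.CreateRoleToPermissionsAsync(
            "Tenant Manager",
            new[] { nameof(ShopPermissions.SalesRead) },
            "Tenant admin may give this to selected users",
            RoleTypes.TenantAdminAdd));

        // Link the two tenant roles to a tenant (the many-to-many relationship).
        // Users of "Acme Ltd" now get Pro Tier automatically; Tenant Manager becomes
        // available for the tenant admin to assign.
        ThrowIfErrors(await tenants.AddSingleTenantAsync(
            "Acme Ltd",
            new List<string> { "Pro Tier", "Tenant Manager" }));

        // Give an existing tenant user the assignable tenant role. Asking for
        // "App Admin" here would be rejected for a tenant user because that Role is
        // HiddenFromTenant. (The user must already exist; the id is hypothetical.)
        ThrowIfErrors(await users.UpdateUserAsync(
            userId: "user-id-of-alice",
            roleNames: new List<string> { "Tenant Manager" }));
    }
}
```

When reviewing a deployment, the check worth making is the one this example relies on: read the stored `RoleType` of any Role that contains an advanced permission and confirm it is `HiddenFromTenant`, regardless of what the creator requested.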