Open Closed

How to limit roles in identity management #1036


User avatar
0
RonaldR created

Check the docs before asking a question: https://docs.abp.io/en/commercial/latest/ Check the samples, to see the basic tasks: https://docs.abp.io/en/commercial/latest/samples/index The exact solution to your question may have been answered before, please use the search on the homepage.

  • ABP Framework version: v4.2.2
  • UI type: MVC
  • DB provider: EF Core
  • Tiered (MVC) or Identity Server Separated (Angular): no
  • Exception message and stack trace:
  • Steps to reproduce the issue:
  • We have a role that is higher than admin. we use admin as an onsite administrator and they can do just about everything. however, we create a system role above that manager for our staff when needing to configure things that we do not want onsite managers to be able to do. what we have seen though is that admins have, and should have, access to the administrator -> identity management section. when they go to a user, though, they have the abiltiy to make someone system, even though that role is above theirs. where can i put my business logic to say system and assign system, admin, and user, but an admin can only assign admin and user?

3 Answer(s)
  • User Avatar
    0
    gterdem created
    Senior .NET Developer

    where can i put my business logic to say system and assign system, admin, and user, but an admin can only assign admin and user?

    IdentityPro Module handles the user and role relations. You can check and override IdentityUserAppService and IdentityRoleAppService necessery methods as you desire.

    PermissionManagement Module contains the UI for permission list and the related application service.

    Identity Module contains extension for RolePermissionManager and UserPermissionManager where the role and user based permissions are set.

  • User Avatar
    0
    RonaldR created

    not sure this is the answer i am looking for, i might have been ambiguous. let me explain further. we have 3 roles: user, admin, and system. an admin has permissions to the identity management tools, they can create users and assign them user or admin roles. the system role is above the admin role, and they should not have access to that role to assign it to anyone, although at the moment they can, but this is what we are trying to fix. a system user is the only one who can assign system to another user.

    so what i am wondering is whereever you select role from, is there a way i can modify that to only return valid roles? if the user is an admin they can see user and admin, if the user is system they can see user, admin, and system.

    i hope this is more clear

  • User Avatar
    0
    cotur created

    Hi @RonaldR

    In ABP, we use permissions based authorization. So that means, there is no any role that higher then other role. If any role or user has permission about something, it will authorized.

    For example, you can give the Role Management permission to a role, but you can revoke the permission name Permission Management from that role.

    Role name: admin Permissions: Role Management (all) Permission Management -

    Role name: sub-admin Permissions: Role Management (only see) Permission Management +

    At that scenario, the admin can create, update & delete roles. but it can't manage the role's permissions. The sub-admin can only see the roles, can't delete or update or add a new role. But the sub-admin can manage all permissions for any role.

    As you see, there is no permission for user role management, but there is a permission to manage user permissions.

    The base authorization element is permission, roles and organization units are permission collection relations for a user.

Made with ❤️ on ABP v9.1.0-preview. Updated on December 26, 2024, 06:07