Open Closed

Control Tenant Side #6762


User avatar
0
Navneet@aol.com.au created
  • ABP Framework version: v8.0.4
  • UI Type: MVC
  • Database System: MySQL)
  • Tiered (for MVC) or Auth Server Separated (for Angular): no

Hi Abp team,

I am building a license management and Virtual Server Provisioning system. below are few entity I have created Product.cs ProductVersion.cs ProductFeature.cs License.cs ServerDetail.cs ServerFeature.cs Plan.cs Pricing.cs

The challenge, I am facing is that I want my tenant to only ReadOnly Access of entities (not allowing to add / update or delete). and only want them to add an entry in Plan.cs entity, how can i control as the Host user? Also, Is there anyway, I can manage Tenant roles where I as a host create delete and update, however Tenant only able to see pre seeded/created roles?

many thx, Nav


12 Answer(s)
  • User Avatar
    0
    liangshiwei created
    Support Team Fullstack Developer

    Hi,

    ABP supports multi-tenancy as a first class citizen. You can define multi-tenancy side option while defining a new permission. It gets one of the three values defined below:

    Host: The permission is available only for the host side. Tenant: The permission is available only for the tenant side. Both (default): The permission is available both for tenant and host sides.

    https://docs.abp.io/en/abp/latest/Authorization#multi-tenancy

    You can set the create, edit, and delete permission definitions to host, in this way, the tenant will not have permissions

  • User Avatar
    0
    liangshiwei created
    Support Team Fullstack Developer

    Also, Is there anyway, I can manage Tenant roles where I as a host create delete and update, however Tenant only able to see pre seeded/created roles?

    You can set role create, delete, and edit permissions to only apply to the host.

    And create a new manage tenant roles page for the host:

    public class CreateTenantRoleInput
    {
        public string TenantName {get; set;}
        
        ....
    }
    public class ManageTenantRolesAppService:...
    {
         public async Task CreateAsync(CreateTenantRoleInput input)
         {
               var tenant = await _tenantStore.FindAsync(input.Tenant);
               
               using(currentTenant.Change(tenant.Id))
               {
                    _roleRepositpry.InsertAsync(..);
               }
         }
    }
    
  • User Avatar
    0
    Navneet@aol.com.au created

    Hi,

    ABP supports multi-tenancy as a first class citizen. You can define multi-tenancy side option while defining a new permission. It gets one of the three values defined below:

    Host: The permission is available only for the host side. Tenant: The permission is available only for the tenant side. Both (default): The permission is available both for tenant and host sides.

    https://docs.abp.io/en/abp/latest/Authorization#multi-tenancy

    You can set the create, edit, and delete permission definitions to host, in this way, the tenant will not have permissions

    Hi liangshiwei,

    Thanks for your suggestion, that was easy to implement.

    As I have complex query to run, how can i determine if current uses is from Host or Tenant? one idea is to inject ICurrentUser and query as ( _currentUser.TenantId == null ) to determine, Is this correct way or are there any other way?

  • User Avatar
    0
    liangshiwei created
    Support Team Fullstack Developer

    Hi,

    You can inject the ICurrentTenant and ICurrentUser

    
    if(!_currentTenant.IsAvailable)
    {
       ...host
    }
    
    Or
    
    if(_currentTenant.TenantId == null)
    {
       ...host
    }
    
  • User Avatar
    0
    Navneet@aol.com.au created

    Also, Is there anyway, I can manage Tenant roles where I as a host create delete and update, however Tenant only able to see pre seeded/created roles?

    You can set role create, delete, and edit permissions to only apply to the host.

    And create a new manage tenant roles page for the host:

    public class CreateTenantRoleInput 
    { 
        public string TenantName {get; set;} 
         
        .... 
    } 
    public class ManageTenantRolesAppService:... 
    { 
         public async Task CreateAsync(CreateTenantRoleInput input) 
         { 
               var tenant = await _tenantStore.FindAsync(input.Tenant); 
                
               using(currentTenant.Change(tenant.Id)) 
               { 
                    _roleRepositpry.InsertAsync(..); 
               } 
         } 
    } 
    

    Hi liangshiwei,

    I tried to investigate your solution, however, I believe I am may complicating it further while trying to adjust my project. I have below options and may be you can help me with another idea

    1. Remove multi tenancy completely and control Users actions by defining roles permission
    2. Another idea is to remove multi-tenancy and create a "Company Id" and somehow I filter uses of one company who buy license and VPS servers, if I follow this path, any suggestion how can I filter it
    3. Third option is keep it multi-tenant and try to build custom pages for roles and users similar to your suggestions above

    Any other idea??

  • User Avatar
    0
    liangshiwei created
    Support Team Fullstack Developer

    Hi,

    Remove multi tenancy completely and control Users actions by defining roles permission

    I think this is the easiest way

    Another idea is to remove multi-tenancy and create a "Company Id" and somehow I filter uses of one company who buy license and VPS servers, if I follow this path, any suggestion how can I filter it

    You can check the document: https://docs.abp.io/en/abp/latest/Data-Filtering#defining-custom-filters

  • User Avatar
    0
    Navneet@aol.com.au created

    Another idea is to remove multi-tenancy and create a "Company Id" and somehow I filter uses of one company who buy license and VPS servers, if I follow this path, any suggestion how can I filter it

    You can check the document: https://docs.abp.io/en/abp/latest/Data-Filtering#defining-custom-filters

    Many thanks liangshiwei,

    We have decided to use your above suggestion, it is easy to set a global filter, however not sure how to convert bool to a company filter?

    could you please suggest?

    I created an interface as ICompany

    public interface ICompany
    {
     string CompanyName { get; }
    }
    

    what am I missing below? how can I filter as e.CompanyName == _user.CompanyName

    protected bool IsCompanyFilterEnabled => DataFilter?.IsEnabled<ICompany>() ?? false;
    
    protected override bool ShouldFilterEntity<TEntity>(IMutableEntityType entityType)
    {
        if (typeof(ICompany).IsAssignableFrom(typeof(TEntity)))
        {
            return true;
        }
    
        return base.ShouldFilterEntity<TEntity>(entityType);
    }
    
    protected override Expression<Func<TEntity, string>> CreateFilterExpression<TEntity>()
    {
        var expression = base.CreateFilterExpression<TEntity>();
    
        if (typeof(ICompany).IsAssignableFrom(typeof(TEntity)))
        {
            Expression<Func<TEntity, string>> isCompanyFilter = e => !IsCompanyFilterEnabled || 
                 EF.Property<string>(e, "ICompany").where(e.CompanyName == _user.CompanyName);
                 
            expression = expression == null 
                ? isCompanyFilter 
                : QueryFilterExpressionHelper.CombineExpressions(expression, isCompanyFilter);
        }
    
        return expression;
    }
    
    
  • User Avatar
    0
    liangshiwei created
    Support Team Fullstack Developer

    Hi,

    You can add the CompanyName to the user's claims.

    https://docs.abp.io/en/abp/latest/Authorization#claims-principal-factory https://docs.abp.io/en/abp/latest/Modules/OpenIddict#updating-claims-in-access_token-and-id_token

    protected override Expression> CreateFilterExpression()
    {
        var expression = base.CreateFilterExpression();
        
        var companyName = currentUser.FindClaimValue("....")
    
        if (typeof(ICompany).IsAssignableFrom(typeof(TEntity)))
        {
            Expression> isCompanyFilter = e => !IsCompanyFilterEnabled || 
                 EF.Property(e, "ICompany").where(e.CompanyName == companyName);
                 
            expression = expression == null 
                ? isCompanyFilter 
                : QueryFilterExpressionHelper.CombineExpressions(expression, isCompanyFilter);
        }
    
        return expression;
    }
    
  • User Avatar
    0
    Navneet@aol.com.au created

    Hi,

    You can add the CompanyName to the user's claims.

    https://docs.abp.io/en/abp/latest/Authorization#claims-principal-factory https://docs.abp.io/en/abp/latest/Modules/OpenIddict#updating-claims-in-access_token-and-id_token

    protected override Expression> CreateFilterExpression() 
    { 
        var expression = base.CreateFilterExpression(); 
         
        var companyName = currentUser.FindClaimValue("....") 
     
        if (typeof(ICompany).IsAssignableFrom(typeof(TEntity))) 
        { 
            Expression> isCompanyFilter = e => !IsCompanyFilterEnabled ||  
                 EF.Property(e, "ICompany").where(e.CompanyName == companyName); 
                  
            expression = expression == null  
                ? isCompanyFilter  
                : QueryFilterExpressionHelper.CombineExpressions(expression, isCompanyFilter); 
        } 
     
        return expression; 
    } 
    

    Hi liangshiwei,

    We follow ABP modular practice (Instead of Application Template, we develop Module Template), so what is the correct place to put the above Custom Filter, IN Module.EntityFrameworkCore or my Tiered Application.EntityFrameworkCore?

    Also, how can I make sure that when I am creating a Module and Tiered Application via ABP SUITE, it is Host-only and does not have Tenant or Edition?

    By default does the ABP suite include Tenant Management & Edition Management in the application?

    Thanks, Navneet

  • User Avatar
    0
    liangshiwei created
    Support Team Fullstack Developer

    We follow ABP modular practice (Instead of Application Template, we develop Module Template), so what is the correct place to put the above Custom Filter, IN Module.EntityFrameworkCore or my Tiered Application.EntityFrameworkCore?

    You can add a custom filter both in Module.EntityFrameworkCore and Application.EntityFrameworkCore

    Also, how can I make sure that when I am creating a Module and Tiered Application via ABP SUITE, it is Host-only and does not have Tenant or Edition?

    https://docs.abp.io/en/abp/latest/Multi-Tenancy#abpmultitenancyoptions-enable-disable-multi-tenancy

    Multi-Tenancy is disabled in the ABP Framework by default. However, it is enabled by default when you create a new solution using the startup template. MultiTenancyConsts class in the solution has a constant to control it in a single place.

    By default does the ABP suite include Tenant Management & Edition Management in the application?

    Yes, it's

  • User Avatar
    0
    Navneet@aol.com.au created

    Hi liangshiwei,

    Many thx for your help.

    Final question, should I remove Tenant Management and Edition Management module so that my client not able to enable it without my permission

  • User Avatar
    0
    liangshiwei created
    Support Team Fullstack Developer

    Hi,

    You can remove them, but I don't recommend it.

Made with ❤️ on ABP v9.1.0-preview. Updated on November 11, 2024, 11:11