ABP best practices for permission management #6907 | Support

auxo-devsu created 8 months ago

ABP Framework version: v8.0.0
UI Type: Angular / MVC / Blazor WASM / Blazor Server
Database System: EF Core (SQL Server)

I'm struggling to get around how to manage permissions, permissions no longer used and permissions per role.

I would like to delete the permission groups above. What are the options I have for doing that?
I would like to define the permissions of a given role. What are the options I have for doing that?
How do I ensure that new tenants being created always get the latest set of default permissions for the application?
Can I disable the out-of-the-box admin role?

Thanks!

7 Answer(s)

0
maliming created 8 months ago
Support Team Fullstack Developer
hi

I would like to delete the permission groups above. What are the options I have for doing that?

See https://docs.abp.io/en/abp/latest/Authorization#changing-permission-definitions-of-a-depended-module

I would like to define the permissions of a given role. What are the options I have for doing that?

group.AddPermission("MyPermission6").WithProviders(RolePermissionValueProvider.ProviderName);

https://github.com/abpframework/abp/blob/dev/framework/src/Volo.Abp.Authorization.Abstractions/Volo/Abp/Authorization/Permissions/PermissionDefinition.cs#L140-L148

https://github.com/abpframework/abp/blob/dev/framework/src/Volo.Abp.Authorization.Abstractions/Volo/Abp/Authorization/Permissions/PermissionDefinition.cs#L31-L35

How do I ensure that new tenants being created always get the latest set of default permissions for the application?

The template project already did this.

See MyProjectNameTenantDatabaseMigrationHandler

https://github.com/abpframework/abp/blob/dev/modules/permission-management/src/Volo.Abp.PermissionManagement.Domain/Volo/Abp/PermissionManagement/PermissionDataSeeder.cs#L28-L52

Can I disable the out-of-the-box admin role?

Yes.
0

auxo-devsu created 8 months ago

Sorry, maybe I'm missing something here.

1. I would like to delete the permission groups above. What are the options I have for doing that?

How does this help deleting the groups I posted in my question? I would like to have permissions that I no longer define deleted from the application.

2. I would like to define the permissions of a given role. What are the options I have for doing that? Currently, I create my roles using IdentityRoleManager.CreateAsync and then the permissions are loaded into the system through the class inheriting from PermissionDefinitionProvider. If I am to create my roles and associate the default permissions for my role, are you saying that I create group.AddPermission("MyPermissionName").WithProviders("IdentityRoleName); ?

3. How do I ensure that new tenants being created always get the latest set of default permissions for the application? I'm on ABP commercial and would like to ensure that new tenants have the roles and also the permissions associated with the role created by default. If I do what is explained in step 2, do I achieve what I would like to?

4. Can I disable the out-of-the-box admin role? How do I do that?

Thanks
0

maliming created 8 months ago
Support Team Fullstack Developer

hi

You can check out these two documents to learn how to define permissions and initialize some permissions for tenants.

https://docs.abp.io/en/abp/latest/Authorization https://docs.abp.io/en/abp/latest/Data-Seeding

Can I disable the out-of-the-box admin role?

You can override the IdentityDataSeeder to disable the admin role.
0

auxo-devsu created 8 months ago

I'm sorry, but I checked both documents before coming here; otherwise, I wouldn't have created a ticket.

If you refuse to give me an answer, that's OK. I have a fully functional system, but I can't see how I can remove the permission groups in either document you have suggested so far. If that's as simple as you suggested, I would really appreciate if you could copy something from the actual page that indicates how to do what I am asking.

maliming created 8 months ago

Support Team Fullstack Developer

I'd be happy to provide an answer. :)

how I can remove the permission groups in either document you have suggested so far.

You can try to remove the permission group from your PermissionDefinitionProvider.

public class MyProjectNamePermissionDefinitionProvider : PermissionDefinitionProvider
{
    public override void Define(IPermissionDefinitionContext context)
    {
        var myGroup = context.AddGroup(MyProjectNamePermissions.GroupName);
        //Define your own permissions here. Example:
        //myGroup.AddPermission(MyProjectNamePermissions.MyPermission1, L("Permission:MyPermission1"));

        // var identityGroup = context.GetGroupOrNull(IdentityPermissions.GroupName);
        // if (identityGroup != null)
        // {
        //    context.RemoveGroup(identityGroup.Name);
        // }
    }

    private static LocalizableString L(string name)
    {
        return LocalizableString.Create<MyProjectNameResource>(name);
    }
}

0

auxo-devsu created 8 months ago

Thanks!

Regarding Item 1, I will try to work with that but so far no luck.

Regarding Item 2, this is what I've done but no luck too:

What am I missing?
0
maliming created 8 months ago
Support Team Fullstack Developer
hi

2.

You can use RolePermissionValueProvider.ProviderName as the Provider of a permission definition. You can't use Roles.Admin and Roles.Workshop.Owner.

group.AddPermission("MyPermission6").WithProviders(RolePermissionValueProvider.ProviderName);

If you want to grant permissions to a role, you don't need to do this.

You can use:

await permissionManager.SetForRoleAsync("your_role_name", TestPermissionNames.MyPermission1, true);

Have an answer to this question? Log in and write your answer.