
ABP best practices for permission management #6907


auxo-devsu created
  • ABP Framework version: v8.0.0
  • UI Type: Angular / MVC / Blazor WASM / Blazor Server
  • Database System: EF Core (SQL Server)

I'm struggling to get around how to manage permissions, permissions no longer used and permissions per role.

  1. I would like to delete the permission groups above. What are the options I have for doing that?
  2. I would like to define the permissions of a given role. What are the options I have for doing that?
  3. How do I ensure that new tenants being created always get the latest set of default permissions for the application?
  4. Can I disable the out-of-the-box admin role?

Thanks!


7 Answer(s)
  • maliming created
    Support Team Fullstack Developer

    hi

    1. I would like to delete the permission groups above. What are the options I have for doing that?

    See https://docs.abp.io/en/abp/latest/Authorization#changing-permission-definitions-of-a-depended-module

    2. I would like to define the permissions of a given role. What are the options I have for doing that?

    group.AddPermission("MyPermission6").WithProviders(RolePermissionValueProvider.ProviderName);

    https://github.com/abpframework/abp/blob/dev/framework/src/Volo.Abp.Authorization.Abstractions/Volo/Abp/Authorization/Permissions/PermissionDefinition.cs#L140-L148

    https://github.com/abpframework/abp/blob/dev/framework/src/Volo.Abp.Authorization.Abstractions/Volo/Abp/Authorization/Permissions/PermissionDefinition.cs#L31-L35

    3. How do I ensure that new tenants being created always get the latest set of default permissions for the application?

    The template project already did this.

    See MyProjectNameTenantDatabaseMigrationHandler

    https://github.com/abpframework/abp/blob/dev/modules/permission-management/src/Volo.Abp.PermissionManagement.Domain/Volo/Abp/PermissionManagement/PermissionDataSeeder.cs#L28-L52

    4. Can I disable the out-of-the-box admin role?

    Yes.

  • auxo-devsu created

    Sorry, maybe I'm missing something here.

    1. I would like to delete the permission groups above. What are the options I have for doing that?

    How does this help deleting the groups I posted in my question? I would like to have permissions that I no longer define deleted from the application.

    2. I would like to define the permissions of a given role. What are the options I have for doing that?

    Currently, I create my roles using IdentityRoleManager.CreateAsync and then the permissions are loaded into the system through the class inheriting from PermissionDefinitionProvider. If I am to create my roles and associate the default permissions for my role, are you saying that I create group.AddPermission("MyPermissionName").WithProviders("IdentityRoleName");?

    3. How do I ensure that new tenants being created always get the latest set of default permissions for the application?

    I'm on ABP commercial and would like to ensure that new tenants have the roles and also the permissions associated with the role created by default. If I do what is explained in step 2, do I achieve what I would like to?

    4. Can I disable the out-of-the-box admin role?

    How do I do that?

    Thanks

  • maliming created
    Support Team Fullstack Developer

    hi

    You can check out these two documents to learn how to define permissions and initialize some permissions for tenants.

    https://docs.abp.io/en/abp/latest/Authorization

    https://docs.abp.io/en/abp/latest/Data-Seeding

    Can I disable the out-of-the-box admin role?

    You can override the IdentityDataSeeder to disable the admin role.

  • auxo-devsu created

    I'm sorry, but I checked both documents before coming here; otherwise, I wouldn't have created a ticket.

    If you refuse to give me an answer, that's OK. I have a fully functional system, but I can't see how I can remove the permission groups in either document you have suggested so far. If that's as simple as you suggested, I would really appreciate if you could copy something from the actual page that indicates how to do what I am asking.

  • maliming created
    Support Team Fullstack Developer

    hi

    I'd be happy to provide an answer. :)

    how I can remove the permission groups in either document you have suggested so far.

    You can try to remove the permission group from your PermissionDefinitionProvider.

    public class MyProjectNamePermissionDefinitionProvider : PermissionDefinitionProvider
    {
        public override void Define(IPermissionDefinitionContext context)
        {
            var myGroup = context.AddGroup(MyProjectNamePermissions.GroupName);
            //Define your own permissions here. Example:
            //myGroup.AddPermission(MyProjectNamePermissions.MyPermission1, L("Permission:MyPermission1"));
    
            // var identityGroup = context.GetGroupOrNull(IdentityPermissions.GroupName);
            // if (identityGroup != null)
            // {
            //    context.RemoveGroup(identityGroup.Name);
            // }
        }
    
        private static LocalizableString L(string name)
        {
            return LocalizableString.Create<MyProjectNameResource>(name);
        }
    }
    
  • auxo-devsu created

    Thanks!

    Regarding Item 1, I will try to work with that but so far no luck.

    Regarding Item 2, this is what I've done but no luck too:

    What am I missing?

  • maliming created
    Support Team Fullstack Developer

    hi

    2.

    You can use RolePermissionValueProvider.ProviderName as the Provider of a permission definition. You can't use Roles.Admin and Roles.Workshop.Owner.

    group.AddPermission("MyPermission6").WithProviders(RolePermissionValueProvider.ProviderName);

    If you want to grant permissions to a role, you don't need to do this.

    You can use:

    await permissionManager.SetForRoleAsync("your_role_name", TestPermissionNames.MyPermission1, true);
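
An added example, not part of the thread and not ABP's own code: a data seed contributor that combines the SetForRoleAsync call from the last answer with the data seeding referred to earlier, so a role receives an explicit allowlist of permissions in every tenant and role grants outside that list are revoked. The class name, role name and permission names are hypothetical, and it assumes the application runs IDataSeeder for each new tenant, as the template's MyProjectNameTenantDatabaseMigrationHandler mentioned above does.

```csharp
using System.Linq;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Identity; // CheckErrors() extension on IdentityResult
using Volo.Abp.Data;
using Volo.Abp.DependencyInjection;
using Volo.Abp.Guids;
using Volo.Abp.Identity;
using Volo.Abp.MultiTenancy;
using Volo.Abp.PermissionManagement;

public class DefaultRolePermissionSeeder : IDataSeedContributor, ITransientDependency
{
    // Hypothetical role and permission names; the permissions must be defined
    // in a PermissionDefinitionProvider of the application.
    private const string RoleName = "workshop-owner";
    private static readonly string[] Allowed = { "MyApp.Orders.View", "MyApp.Orders.Edit" };

    private readonly IdentityRoleManager _roles;
    private readonly IPermissionManager _permissions;
    private readonly ICurrentTenant _currentTenant;
    private readonly IGuidGenerator _guids;

    public DefaultRolePermissionSeeder(IdentityRoleManager roles, IPermissionManager permissions,
        ICurrentTenant currentTenant, IGuidGenerator guids)
    {
        _roles = roles; _permissions = permissions; _currentTenant = currentTenant; _guids = guids;
    }

    public async Task SeedAsync(DataSeedContext context)
    {
        // Scope role lookup and grants to the tenant being seeded (null = host).
        using (_currentTenant.Change(context.TenantId))
        {
            if (await _roles.FindByNameAsync(RoleName) == null)
            {
                var role = new Volo.Abp.Identity.IdentityRole(_guids.Create(), RoleName, context.TenantId);
                (await _roles.CreateAsync(role)).CheckErrors();
            }

            // Grant the allowlist; safe to repeat on every seeding run.
            foreach (var name in Allowed)
                await _permissions.SetForRoleAsync(RoleName, name, true);

            // Least privilege: revoke role grants that are no longer in the allowlist.
            var current = await _permissions.GetAllForRoleAsync(RoleName);
            foreach (var p in current.Where(p => p.IsGranted && !Allowed.Contains(p.Name)))
                await _permissions.SetForRoleAsync(RoleName, p.Name, false);
        }
    }
}
```

The revoke loop overwrites any grant an administrator made for this role through the permission management UI on the next seeding run, so use it only for roles whose permissions are meant to be fixed by code.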
    