Open Closed

Prevent Tenant From Creating New Tenants #4713


User avatar
0
mateworkx@gmail.com created

I greatly apologize if this is documented somewhere. I tried to search for answers and either I'm not understanding or I didn't find the answer. When I create a new tenant, this tenant should NOT have the ability to create new tenants or modify permissions of tenants. When a tenant admin is created as the default user I've noticed that they have ALL the permissions that the host does, well except host feature management. I don't known if I'm explaining this correctly or not. Hopefully I am. Also, when do I use the "Default & Public" checkboxes when creating a new role?

If you're creating a bug/problem report, please include followings:

  • ABP Framework version: v7.0.0
  • UI type: Blazor
  • DB provider: EF Core
  • Tiered (MVC) or Identity Server Separated (Angular): no
  • Exception message and stack trace: N/A
  • Steps to reproduce the issue:" N/A

9 Answer(s)
  • User Avatar
    1
    maliming created
    Support Team Fullstack Developer

    hi

    . When a tenant admin is created as the default user I've noticed that they have ALL the permissions that the host does,

    This is the default behavior, but you can change it by removing PermissionDataSeedContributor from the DI.

    https://github.com/abpframework/abp/blob/dev/modules/permission-management/src/Volo.Abp.PermissionManagement.Domain/Volo/Abp/PermissionManagement/PermissionDataSeedContributor.cs#L35

    when do I use the "Default & Public" checkboxes when creating a new role?

    /// <summary>
    /// A default role is automatically assigned to a new user
    /// </summary>
    public virtual bool IsDefault { get; set; }
    
    /// <summary>
    /// A static role can not be deleted/renamed
    /// </summary>
    public virtual bool IsStatic { get; set; }
    
    /// <summary>
    /// A user can see other user's public roles
    /// </summary>
    public virtual bool IsPublic { get; set; }
    
  • User Avatar
    0
    mateworkx@gmail.com created

    hi

    . When a tenant admin is created as the default user I've noticed that they have ALL the permissions that the host does,

    This is the default behavior, but you can change it by removing PermissionDataSeedContributor from the DI.

    https://github.com/abpframework/abp/blob/dev/modules/permission-management/src/Volo.Abp.PermissionManagement.Domain/Volo/Abp/PermissionManagement/PermissionDataSeedContributor.cs#L35

    when do I use the "Default & Public" checkboxes when creating a new role?

    /// <summary> 
    /// A default role is automatically assigned to a new user 
    /// </summary> 
    public virtual bool IsDefault { get; set; } 
     
    /// <summary> 
    /// A static role can not be deleted/renamed 
    /// </summary> 
    public virtual bool IsStatic { get; set; } 
     
    /// <summary> 
    /// A user can see other user's public roles 
    /// </summary> 
    public virtual bool IsPublic { get; set; } 
    

    So am I able to change the default await PermissionDataSeeder.SeedAsync( RolePermissionValueProvider.ProviderName, "admin", permissionNames, context?.TenantId );

    to another role that I setup such as orgadmin? await PermissionDataSeeder.SeedAsync( RolePermissionValueProvider.ProviderName, "orgadmin", permissionNames, context?.TenantId );

  • User Avatar
    0
    maliming created
    Support Team Fullstack Developer

    Yes

    https://github.com/abpframework/abp/blob/dev/modules/permission-management/src/Volo.Abp.PermissionManagement.Domain/Volo/Abp/PermissionManagement/PermissionDataSeeder.cs#L28

  • User Avatar
    0
    mateworkx@gmail.com created

    I appreciate the links. What is the best way to implement this in my Blazor Server project so that I may modify as needed?

  • User Avatar
    1
    maliming created
    Support Team Fullstack Developer

    hi

    
    Configure<AbpDataSeedOptions>(options =>
    {
        options.Contributors.RemoveAll(x => x == typeof(PermissionDataSeedContributor))
    });```
    
  • User Avatar
    0
    mateworkx@gmail.com created

    So this helps to remove the default behavior of creating a tenant admin with the default permissions?

  • User Avatar
    0
    maliming created
    Support Team Fullstack Developer

    Yes, You can give it a try.

  • User Avatar
    0
    mateworkx@gmail.com created

    Thank you much. I will try this tomorrow (EST) and possibly close ticket. As always, thanks for your help.

  • User Avatar
    0
    maliming created
    Support Team Fullstack Developer

    You're welcome.

Made with ❤️ on ABP v9.1.0-preview. Updated on December 10, 2024, 06:38