The Problem: In our ERP system, we have entities* called Company and Branch that have a one-to-many relationship and a two-level, non-nested structure. The overall structure of these two entities is as follows:
All other entities (such as AccountingDocument, Account, Order, Proforma, Invoice, etc.) are linked to a Branch either through a junction table or a direct field within the entity itself. When a Role is assigned to a User, we need to specify in which Company**/Branch the User has been given this Role to restrict CRUD access accordingly. Similarly, when a Permission is granted directly to a User, the Company/Branch must be specified.
For example, when a request (which also includes the desired Branch’s Id) is sent to AccountingDocument creation API, it must be checked during Authorization whether the User has access to create an AccountingDocument in the requested Branch or not.
The Question: Does the OrganizationUnit built-in feature fulfill this requirement? Or we have to create a new module, or customize the Identity and/or Administration modules (or any other modules)?
These entities are supposed to be created for access control purposes only. If we can use entities like OrganizationUnit instead, there would be no need to create them. ** Granting a Permission at the Company level means access to all Branches within that Company.
3 Answer(s)
-
0
Hi,
I think you can use the
OrganizationUnitwithout a problem.OrganizationUnitis a tree structure.You can use the first-level node as the company and the sub-level nodes as branches.
-
0
Hi,
I think you can use the
OrganizationUnitwithout a problem.OrganizationUnitis a tree structure.You can use the first-level node as the company and the sub-level nodes as branches.
I appreciate you taking the time to consider my question. However, your answer essentially restates my question! While you suggest that
OrganizationUnitcould work, I was hoping for a more definitive answer regarding whether they fully satisfy the requirements I outlined. My question wasn't simply whetherOrganizationUnitcould be used as a hierarchical structure; it was whether it provides the necessary functionality for granular access control at the Company/Branch level or not. To clarify, my goal is to assign a role to a user within the context of a specific Company and Branch. NOTE that I am not looking to assign roles directly to Companies or Branches themselves(like what is done in ABP where the role or user itself is linked to anOrganizationUnit). The ability to control access to entities likeAccountingDocumentbased on the user's role within a specific Branch is crucial. Could you please confirm whether theOrganizationUnitfeature provides this level of fine-grained access control, or if a custom solution would be necessary? -
0
Hi,
Okay, it seems you also need to filter with the current branch.
I don't recommend that you use the organization unit, It is very different.
you need to implement it yourself to control any details,
Here are some documents for your reference
- https://abp.io/docs/latest/framework/fundamentals/authorization
- https://abp.io/docs/latest/framework/infrastructure/data-filtering
