JonPSmith / AuthPermissions.AspNetCore

This library provides extra authorization and multi-tenant features to an ASP.NET Core application.
https://www.thereformedprogrammer.net/finally-a-library-that-improves-role-authorization-in-asp-net-core/
MIT License

Custom rules for each tenant #108

Closed Arazesh closed 7 months ago

Arazesh commented 7 months ago

Thank you for your good project. This project fulfills almost all our needs except for one thing

According to the explanation you gave here

"NOTE: Tenant admin user are not allowed to create or update a Role. Only app admin users are allowed to create / update roles."

So a tenant does not have the possibility to create a role only for their own company. But in our software, we need each tenant to be able to create different roles for their company and assign some permissions to each role. In fact, because the size of the companies is different, it is better to give them this possibility so that they can have different roles based on their needs; for example, maybe in a small company only defining 2 roles is enough, and in a bigger company the number of roles may even reach 20, or they may even have different names for the roles according to their field of activity.

Please advise what is the best way to do this

JonPSmith commented 7 months ago

Hi @Arazesh,

The AuthP's Roles are designed to allow access to various pages / WebAPI in the application. If a tenant user could create a Role, then they could create a Role that allows them to delete other tenants' data. Therefore tenant users aren't allowed to create Roles.

From what you say it sounds like you want each tenant to pick what features are in their Tenant. You can do this using the Sign up for a new tenant, with versioning - see this article for a better overview.

The "Sign up for a new tenant, with versioning" examples have simple differences, but there is no reason you couldn't create a list of features that they pick from instead. You would need to create code to turn the picked features into the format that the ISignInAndCreateTenant needs.

The "Sign up for a new tenant, with versioning" means that the Tenant owner has to decide on signing in, which means they can't change it later. Your two options for changing the tenant's Roles in an existing Tenant are:

Arazesh commented 7 months ago

Hi JonPSmith,

Thanks for the advice

This is exactly what I need "Complex: You create code that allows the tenant admin to change the TenantRoles within their Tenant."

So, I want to do these things

1- Create a new roletype called TenantCustomeRole

2- Add an attribute to the permissions so that tenant admins can only choose from them "TenantCustomeRoleAttribute"

3- Add IDataKeyFilterReadWrite to the RoleToPermissions table so that if the DataKey has a value, it will be applied only to this tenant. (I'm not sure about this, maybe it's better to create a new table)

Do you think this is the right solution or is there a better solution?

JonPSmith commented 7 months ago

Hi @Arazesh,

Here is how I would implement this:

  1. I would create Roles for each of the features you want to turn on or off. These Roles should be TenantAutoAdd type Roles (see this section of the AuthP docs).
  2. I would create some code to add/remove these feature Roles to a Tenant. To do this you need two methods from the IAuthTenantAdminService. NOTE: These methods need the TenantId to define what tenant you are changing.
    • Use GetRoleNamesForTenantsAsync to get the current tenant roles
    • Add/remove the current feature Roles
    • Then use UpdateTenantRolesAsync to update the changed tenant Roles.
  3. I would add a Role so that the code in step 2 can only be used by certain users, i.e. tenant admin users
  4. Finally I would add the Role in step 3 to the tenant admin, either during sign on or by the App admin.

I hope that helps.
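As an added example (not code from the AuthP project or from the replies above), here is what steps 1 and 2 of that plan could look like in C#. The class, the feature Role names and the `AuthPermissions.AdminCode` namespace are assumptions; the two `IAuthTenantAdminService` methods are assumed to take an `int` tenantId and return/accept a `List<string>` of Role names as the AuthP docs describe, and `StatusGenericHandler` is the status type AuthP uses for its results.

```csharp
using System.Collections.Generic;
using System.Linq;
using System.Threading.Tasks;
using AuthPermissions.AdminCode;   // IAuthTenantAdminService (assumed namespace)
using StatusGeneric;               // IStatusGeneric / StatusGenericHandler

// Hypothetical service letting a tenant admin toggle pre-defined feature Roles on
// their own tenant. Not part of AuthP; written for this issue as an illustration.
public class TenantFeatureService
{
    // Step 1: the only Roles a tenant admin may toggle. The app admin creates these
    // as TenantAutoAdd Roles; the names here are constructed examples.
    private static readonly HashSet<string> FeatureRoles = new()
    {
        "Feature.Invoicing", "Feature.Reporting", "Feature.Export"
    };

    private readonly IAuthTenantAdminService _tenantAdmin;

    public TenantFeatureService(IAuthTenantAdminService tenantAdmin)
        => _tenantAdmin = tenantAdmin;

    // Step 2. The endpoint calling this should be guarded by the Role from step 3,
    // and tenantId must be taken from the caller's own authenticated identity,
    // never from the request body, or one tenant admin could edit another tenant.
    public async Task<IStatusGeneric> SetFeaturesAsync(int tenantId, IEnumerable<string> wantedFeatures)
    {
        var status = new StatusGenericHandler();
        var wanted = wantedFeatures.ToHashSet();

        // Allow-list check: any name outside FeatureRoles (e.g. an app-admin Role)
        // is rejected before the tenant is touched, so FeatureRoles bounds what a
        // tenant admin can ever grant themselves.
        var notAllowed = wanted.Except(FeatureRoles).ToList();
        if (notAllowed.Any())
            return status.AddError($"Unknown feature(s): {string.Join(", ", notAllowed)}");

        // Keep every non-feature Role the app admin assigned to the tenant untouched;
        // only the feature subset is replaced by the admin's selection.
        var current = await _tenantAdmin.GetRoleNamesForTenantsAsync(tenantId);
        var newRoles = current.Where(r => !FeatureRoles.Contains(r)).Concat(wanted).ToList();

        // Nothing changed: skip the update rather than rewrite the same Role list.
        if (newRoles.ToHashSet().SetEquals(current))
            return status;

        return await _tenantAdmin.UpdateTenantRolesAsync(tenantId, newRoles);
    }
}
```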