JonPSmith / AuthPermissions.AspNetCore

This library provides extra authorization and multi-tenant features to an ASP.NET Core application.
https://www.thereformedprogrammer.net/finally-a-library-that-improves-role-authorization-in-asp-net-core/
MIT License

Version 2: Multi-tenant roles improvements #9

Closed JonPSmith closed 2 years ago

JonPSmith commented 2 years ago

Version 1 of the AuthP library allowed you to create multi-tenant / SaaS applications and introduced the feature of a Tenant Admin who could manage users within a tenant. That reduces the work on the support people for your application.

In version 1 of the AuthP library the Tenant Admin was limited to managing users in their tenant, BUT the Tenant Admin had access to every AuthP Role (referred to as a Role in this issue). This means the Tenant Admin could add roles to tenant users which gave total control over all its features, which is not a good idea.

In version 2 of AuthP I will restrict what a Tenant Admin can do, plus add a new feature so that you can create different versions of your SaaS application (e.g. Free, Pro, Enterprise).

A Tenant Admin cannot create / update / delete a Role

In version 1 of the AuthP library I allowed a Tenant Admin to create / update / delete a Role, but they couldn't include advanced Permissions, as advanced Permissions are filtered out of the list of Permissions shown to a Tenant Admin user. This stopped a Tenant Admin from creating a Role with an advanced Permission.

But a problem existed in version 1: if a Tenant Admin can create new Roles, then a Tenant Admin in Company1 could create a Role that a Tenant Admin in Company2 would see. This is likely to cause confusion, especially if you have lots of tenants.

Therefore in AuthP version 2 a Tenant Admin should be barred from creating, updating or deleting a Role - only an App Admin (i.e. a user who manages the whole application, not linked to a tenant) can do that. The Tenant Admin's job is to manage tenant users and their Roles.

Restrict the more powerful Role from the Tenant Admin

In version 2 a Role will now have a new RoleType enum property with the following settings:

In AuthP version 2 a Role that contains an advanced Permission will, by default, have the RoleType property set to HiddenFromTenant. A Role can also be set to HiddenFromTenant manually by the App Admin user.

Provide different versions of your application (e.g. Free, Pro, Enterprise).

Many SaaS applications have different versions, which allows you to get a range of income from different levels of users. In AuthP version 2 I introduce the concept of a Tenant Role.

Each Tenant will have a one-to-many link to the TenantRoles allocated to the Tenant. TenantRoles are created and added to a Tenant by the App Admin user, or it could be automated. The Tenant's TenantRoles can be used in two ways:

  1. For applications that provide the same features to all the users, e.g. Visual Studio with its Community, Pro, Enterprise versions, the Tenant's list of TenantRoles is automatically added to the Roles that a user has. In this case the Role's RoleType property is set to TenantAutoAdd.
  2. For applications that have different types of users, e.g. Staff, Manager, CEO, the Tenant's TenantRoles are manually added by a tenant admin user, e.g. an advanced paid-for TenantRole is only added to Managers. In this case the Role's RoleType property is set to TenantAdminAdd.
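As an added illustration (not code from the AuthP library), here is a small C# model of the rules this issue describes: a Tenant Admin never sees a HiddenFromTenant Role, TenantAutoAdd Roles reach a user automatically through their Tenant's TenantRoles, and a TenantAdminAdd Role can only be handed out if the Tenant actually holds that TenantRole. The enum's default value name `Normal`, the record types, the method names and the sample tenants are assumptions made for this example.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;

// Assumed enum: the issue names only the last three values; "Normal" is a placeholder for the default.
public enum RoleType { Normal, HiddenFromTenant, TenantAutoAdd, TenantAdminAdd }
public record Role(string Name, RoleType Type);
public record Tenant(string Name, IReadOnlyList<Role> TenantRoles);
public record TenantUser(string Email, Tenant Tenant, IReadOnlyList<Role> AssignedRoles);

public static class RoleRules
{
    // Roles a Tenant Admin may see and hand out: never HiddenFromTenant, never the auto-added ones, and a TenantAdminAdd Role only when this Tenant holds that TenantRole.
    public static IEnumerable<Role> RolesVisibleToTenantAdmin(IEnumerable<Role> allRoles, Tenant tenant) =>
        allRoles.Where(r => r.Type switch
        {
            RoleType.HiddenFromTenant => false,
            RoleType.TenantAutoAdd => false,
            RoleType.TenantAdminAdd => tenant.TenantRoles.Contains(r),
            _ => true,
        });
    // Effective Roles of a tenant user: their assigned Roles plus every TenantAutoAdd Role in their Tenant's TenantRoles.
    public static IReadOnlySet<string> EffectiveRoles(TenantUser user) =>
        user.AssignedRoles.Concat(user.Tenant.TenantRoles.Where(r => r.Type == RoleType.TenantAutoAdd))
            .Select(r => r.Name).ToHashSet();
    // Guard to run before a Tenant Admin adds a Role to a user in their own Tenant.
    public static bool TenantAdminCanAssign(Role role, Tenant tenant, IEnumerable<Role> allRoles) =>
        RolesVisibleToTenantAdmin(allRoles, tenant).Contains(role);
}

public static class Program
{
    public static void Main()
    {
        // Constructed sample data: one paid-tier tenant, one free-tier tenant.
        var basic = new Role("BasicUser", RoleType.Normal);
        var superAdmin = new Role("SuperAdmin", RoleType.HiddenFromTenant);
        var proFeatures = new Role("ProFeatures", RoleType.TenantAutoAdd);
        var managerExtras = new Role("ManagerExtras", RoleType.TenantAdminAdd);
        var allRoles = new[] { basic, superAdmin, proFeatures, managerExtras };
        var company1 = new Tenant("Company1", new[] { proFeatures, managerExtras });
        var company2 = new Tenant("Company2", Array.Empty<Role>());
        var alice = new TenantUser("alice@company1.example", company1, new[] { basic });
        Console.WriteLine(string.Join(",", RoleRules.EffectiveRoles(alice)));                  // ProFeatures arrives via the Tenant
        Console.WriteLine(RoleRules.TenantAdminCanAssign(superAdmin, company1, allRoles));     // a HiddenFromTenant Role
        Console.WriteLine(RoleRules.TenantAdminCanAssign(managerExtras, company2, allRoles));  // Company2 lacks that TenantRole
        Console.WriteLine(RoleRules.TenantAdminCanAssign(managerExtras, company1, allRoles));  // Company1 holds it
    }
}
```

The same filter should back every Tenant Admin screen and endpoint that lists or assigns Roles, so a hidden Role cannot be reached by name even when it is not shown.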
JonPSmith commented 2 years ago

Documents updated to version 2.1.0, which implements this feature.