Permission Management Module

This module implements the IPermissionStore to store and manage permissions values in a database.

This document covers only the permission management module which persists permission values to a database. See the Authorization document to understand the authorization and permission systems.

How to Install

This module comes as pre-installed (as NuGet/NPM packages) when you create a new solution with the ABP Framework. You can continue to use it as package and get updates easily, or you can include its source code into your solution (see get-source CLI command) to develop your custom module.

The Source Code

The source code of this module can be accessed here. The source code is licensed with MIT, so you can freely use and customize it.

User Interface

Permission Management Dialog

Permission management module provides a reusable dialog to manage permissions related to an object. For example, the Identity Module uses it to manage permissions of users and roles. The following image shows Identity Module's Role Management page:

permissions-module-open-dialog

When you click Actions -> Permissions for a role, the permission management dialog is opened. An example screenshot from this dialog:

permissions-module-dialog

In this dialog, you can grant permissions for the selected role. The tabs in the left side represents main permission groups and the right side contains the permissions defined in the selected group.

IPermissionManager

IPermissionManager is the main service provided by this module. It is used to read and change the permission values. IPermissionManager is typically used by the Feature Management Dialog. However, you can inject it if you need to set a permission value.

If you just want to read/check permission values for the current user, use the IAuthorizationService or the [Authorize] attribute as explained in the Authorization document.

Example: Grant permissions to roles and users using the IPermissionManager service

public class MyService : ITransientDependency
{
    private readonly IPermissionManager _permissionManager;

    public MyService(IPermissionManager permissionManager)
    {
        _permissionManager = permissionManager;
    }

    public async Task GrantRolePermissionDemoAsync(
        string roleName, string permission)
    {
        await _permissionManager
            .SetForRoleAsync(roleName, permission, true);
    }

    public async Task GrantUserPermissionDemoAsync(
        Guid userId, string roleName, string permission)
    {
        await _permissionManager
            .SetForUserAsync(userId, permission, true);
    }
}

Permission Management Providers

Permission Management Module is extensible, just like the permission system. You can extend it by defining permission management providers.

Identity Module defines the following permission management providers:

  • UserPermissionManagementProvider: Manages user-based permissions.
  • RolePermissionManagementProvider: Manages role-based permissions.

IPermissionManager uses these providers when you get/set permissions. You can define your own provider by implementing the IPermissionManagementProvider or inheriting from the PermissionManagementProvider base class.

Example:

public class CustomPermissionManagementProvider : PermissionManagementProvider
{
    public override string Name => "Custom";

    public CustomPermissionManagementProvider(
        IPermissionGrantRepository permissionGrantRepository,
        IGuidGenerator guidGenerator,
        ICurrentTenant currentTenant)
        : base(
            permissionGrantRepository,
            guidGenerator,
            currentTenant)
    {
    }
}

PermissionManagementProvider base class makes the default implementation (using the IPermissionGrantRepository) for you. You can override base methods as you need. Every provider must have a unique name, which is Custom in this example (keep it short since it is saved to database for each feature value record).

Once you create your provider class, you should register it using the FeatureManagementOptions options class:

Configure<PermissionManagementOptions>(options =>
{
    options.ManagementProviders.Add<CustomPermissionManagementProvider>();
});

The order of the providers are important. Providers are executed in the reverse order. That means the CustomPermissionManagementProvider is executed first for this example. You can insert your provider in any order in the Providers list.

See Also

In this document