per-tenant roles?

[Deenayd]

Hello,

Is this poosible to allow a tenant admin (or another user, like tenant role admin) to create / edit / delete roles created internally for the tenant?

Each tenant user could be assigned those roles and anybody in another tenants wouldn't see them.

[JonPSmith]

Already implemented. See:

• The concept of an "Tenant Admin" user in the admin.
• Tenant Admin – taking over some admin of users in their tenant in the Part2: Administration article.

The Tenant Admin features are quite sophisticated and works for single-level and hierarchical multi-tenant apps.

[Deenayd]

Thanks for you reply.

Unfortunatelly I still can't fidn what I'm searching for ;)

What I'd like to implement is something like TenantAdmin ability to create roles with type TenantAdminAdd and link those roles (created by tenant admin) automatically to their tenant (or any sub tenants).

At the moment if inside example3 application I try to edit Tenant Admin role and add a permission RoleChange to it, than an error is reported. Looks like it tries to upgrade Tenant Admin to HiddenFromTenant, so this role would not be assignable to tenant users anymore.

If tenant admins were able to configure their own tenant's roles, than app admin should be able to configure what permissions they are able to give to those roles (per tenant, to support app versioning).

[JonPSmith]

Hi @Deenayd,

The TenantAdminAdd type for a Role is designed to only be applied by an admin user. It is there to make sure powerful features, like deleting a tenant, can't be used by tenant users. One of the powerful features that the TenantAdminAdd Role type stops is tenants creating / editing Roles, as if tenant user could create a new role they could overcome of the TenantAdminAdd security features.

The aim is to create various Normal roles and the tenant admin can edit a user's Roles, or invite a new user with certain roles.

Of course you can bypass this security feature by either:

• Changing permission in the [HasPermission(...)] that has the Normal type
• Removing AutoGenerateFilter = true from the current permission (see this section that explains the AutoGenerateFilter = true on a permission).

But you need to be very careful that your tenants users can't delete users, tenants (including one they aren't in), etc.

[Deenayd]

Thanks for your reply,

I have chosen another way of achieving what I need.

I'm using a 1:1 (well, almost) relationship beetween permissions and roles so that ability to assign roles to tenants (n to n) can be effectively applied to permissions (from authp perspective it's roles to tenant assignment, but from application point of of view it's permission to tenant assignment).

Than I have wrote a custom (application level) implementation of something like 'role groups'. Tenant admin can create any 'role groups' and assign as set of roles to each of 'role groups' (n to n).
Than tenant admin can assign any set of 'role groups' to each of users in the tenant (n to n again).
And I have added some custom code that after each change of assignments of roles to 'role groups' or 'role groups' to users is intercepted and transparently recalculated as assignment of roles to users so that it mirrors the effect of setting of roles to 'role groups' and 'role groups' to users.

Net effect is the same (allow tenant admins to create roles and assign roles to users, just I'm now calling it 'role groups' instead of roles) but I didn't need to change any AuthP code.

[Deenayd]

Update: had to implement custom invite new user option as well. It offers selecting set of role groups for the new user, instead of set of roles. Now it looks like it works.