I am wondering if someone has implemented Data Access Permission (row level permission/filtering of data) based on the authenticated user. I know that in this (Meeting) application there is a HasPermission attribute that checks the Permission on API level. But what I am looking for is a little different. Just to give you a background, imagine that there is a Company that works on different Projects. There are many Employees who work for that Company. There are different roles of Employees, SysAdmin who can edit/view projects... and SysUsers who only have Read access to the projects. Now till here things are quite simple. I am using the same approach of HasPermission on the API level to fetch the Role from the logged-in User's JWT and based on that allow or disallow the execution of the Action.
Just to give the design idea, I have some of the following modules in the system (not all the modules are displayed):
Projects
Employees
Billing
UserAccess
Now one of the requirements of this system is that only certain Employees will have access to certain Projects. So imagine that in the system you have 3 users (User1, User2, User3) and 5 projects (Project1, Project2... Project5). In the system User1 is SysAdmin so he should be able to edit/view projects... But User1 only has access to Project1 and Project5... So inside the Projects module, when User1 tries to fetch the list of Projects, he should only see Project1 and Project5. Similarly in the Billing Module, User1 should only be able to view/edit Billing data related to Project1 and Project5. Also, in the above example, I have only talked about permission on Projects, but there are other Entities in the system (in different modules) which need similar data level permissions...
I have been thinking about different solutions to address this problem...
Solution # 1) Put all the Project ids that a User has access to in the Authentication token, and in each module, get those project ids from ExecutionContextAccessor and filter the data accordingly... but then Projects isn't the only thing that has user permission, there are other Entities that have similar data level permission, and putting all those entities in the token doesn't feel like a good solution to me...
Solution # 2 a) Put all the permissions in the UserAccess module... and each module makes a query to the UserAccess module to fetch the permissions before executing any Command or Query and filters the data accordingly... that creates a coupling between UserAccess and other modules...
Solution # 2 b) Put all the permissions in the UserAccess module... in the IExecutionContextAccessor create a property called UserPermissions and load all the Authenticated User's permissions on API level in a middleware and populate the UserPermissions field...
Next, all the modules would have access to IExecutionContextAccessor so they can check the permission in every Command/Query...
Solution # 3) Each module should have its own permissions defined... for example, on the Projects module, there is something called ProjectPermissions which consists of UserId and ProjectId... similarly in the Billing module there is going to be a BillingPermissions entity/table that would be used to filter the data... in other modules, there will be similar {Entity}Permissions that would be used... This way, all the Modules in the system need to know about the UserId of the user... so anytime a new user is created, an integration event will fire and all modules will have that UserId.
Solution # 4) Combination of solution#2 and solution#3... All the permissions will be maintained in the UserAccess module but anytime a new permission is created/modified an integration event will fire and other modules (Projects, Billing etc) will take those permissions and keep a copy of them... that way each module will do the filtering on the Module level without communicating with the UserAccess module...
Or if there is any other solution that someone has used in the system for handling similar Permissions in modular or microservice architecture and would like to share...
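A sketch of Solution 4 as it would look inside the Billing module, added here as an example and not code from the post or from the project: the module keeps a local copy of project grants fed by integration events, and both the list query and the fetch-by-id query apply it. `ProjectAccessChanged`, `BillingProjectAccess`, `InvoiceQueries`, `FixedContext` and the one-property shape of `IExecutionContextAccessor` are assumptions made for the illustration.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;

// Hypothetical event published by UserAccess whenever a grant changes (Solution 4).
public record ProjectAccessChanged(Guid UserId, Guid ProjectId, bool Granted);
public record Invoice(Guid Id, Guid ProjectId, decimal Amount);
// Named in the post; this one-property shape is an assumption.
public interface IExecutionContextAccessor { Guid UserId { get; } }
public record FixedContext(Guid UserId) : IExecutionContextAccessor;

// Billing's local copy of project grants, so queries never call into UserAccess.
public class BillingProjectAccess
{
    private readonly HashSet<(Guid, Guid)> _grants = new();
    public void Handle(ProjectAccessChanged e)
    {
        if (e.Granted) _grants.Add((e.UserId, e.ProjectId));
        else _grants.Remove((e.UserId, e.ProjectId)); // revocation takes effect on delivery
    }
    public bool Allows(Guid userId, Guid projectId) => _grants.Contains((userId, projectId));
}

public class InvoiceQueries
{
    private readonly List<Invoice> _invoices;
    private readonly BillingProjectAccess _access;
    private readonly IExecutionContextAccessor _context;
    public InvoiceQueries(List<Invoice> invoices, BillingProjectAccess access, IExecutionContextAccessor context)
        => (_invoices, _access, _context) = (invoices, access, context);
    // List: rows are filtered by grant; a user with no grants gets an empty list.
    public List<Invoice> List() =>
        _invoices.Where(i => _access.Allows(_context.UserId, i.ProjectId)).ToList();
    // Fetch by id applies the same check and returns null when not granted.
    public Invoice Get(Guid id) =>
        _invoices.SingleOrDefault(i => i.Id == id && _access.Allows(_context.UserId, i.ProjectId));
}

public static class Demo
{
    public static void Main()
    {
        Guid user1 = Guid.NewGuid(), project1 = Guid.NewGuid(), project2 = Guid.NewGuid(); // constructed ids
        var access = new BillingProjectAccess();
        access.Handle(new ProjectAccessChanged(user1, project1, true));
        var invoices = new List<Invoice> { new(Guid.NewGuid(), project1, 100m), new(Guid.NewGuid(), project2, 250m) };
        var queries = new InvoiceQueries(invoices, access, new FixedContext(user1));
        Console.WriteLine($"visible={queries.List().Count}, hidden={queries.Get(invoices[1].Id) is null}");
    }
}
```

The role check done by HasPermission and this row-level check are independent, so a request has to pass both; a revoked grant stays effective in the module until the corresponding event has been handled.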