RbacAuthorization 2.0.0

.NET 6.0

dotnet add package RbacAuthorization --version 2.0.0

NuGet\Install-Package RbacAuthorization -Version 2.0.0

This command is intended to be used within the Package Manager Console in Visual Studio, as it uses the NuGet module's version of Install-Package.

<PackageReference Include="RbacAuthorization" Version="2.0.0" />

For projects that support PackageReference, copy this XML node into the project file to reference the package.

paket add RbacAuthorization --version 2.0.0

The NuGet Team does not provide support for this client. Please contact its maintainers for support.

#r "nuget: RbacAuthorization, 2.0.0"

#r directive can be used in F# Interactive and Polyglot Notebooks. Copy this into the interactive tool or source code of the script to reference the package.

// Install RbacAuthorization as a Cake Addin
#addin nuget:?package=RbacAuthorization&version=2.0.0

// Install RbacAuthorization as a Cake Tool
#tool nuget:?package=RbacAuthorization&version=2.0.0

The NuGet Team does not provide support for this client. Please contact its maintainers for support.

RbacAuthorization

A flexible Role Based Access Control library that's simple to setup and configure.

The library allows you to assign permissions to controller actions and then group these permissions into roles which are then assigned to users.

The default implementation stores the role definitions in memory and retrieves the user's id and roles from their token claims. However these can be retrieved from any location. See Customizing Role Retrieval.

Roles can be scoped to a particular request path to further restrict the assigned permissions. See Scoping Role Permissions.

Basic Configuration

Add the RbacAuthorization Nuget package.

dotnet add package RbacAuthorization

Configure and assign permissions to you controller actions.

public static class Permissions
{
    public const string TasksCreate = "Tasks.Create";
    public const string TasksRead = "Tasks.Read";
}

[HttpPost]
[AuthorizePermission(Permissions.TasksCreate)]
public ActionResult<TaskDto> CreateTask(TaskCreateDto dto)
{
...
}

[HttpGet("{taskId}")]
[AuthorizePermission(Permissions.TasksRead)]
public ActionResult<TaskDto> GetTask(int taskId)
{
...
}

Configure your role definitions.

public static class Roles
{
    public static readonly RoleDefinition Admin = new(
        name: "Admin",
        permissions:
        [
            Permissions.TasksCreate,
            Permissions.TasksRead,
        ]);
}

builder.Services.AddRbacAuthorization(options =>
{
    options.AddClaimsPrincipalUserId(ClaimTypes.NameIdentifier);

    options.AddClaimsPrincipalUserRoles(ClaimTypes.Role);

    options.AddInMemoryRoleDefinitions(
        Roles.Admin);
});

Configure users with roles.

Configure your Identity Provider to include the relevant roles as role claims for your users. This typically involves creating a group with the name of each role and assigning them to your users.

For example: Configuring roles in Active Directory

Scoping Role Permissions

Roles can be scoped to a particular request path to further restrict the assigned permissions. The path scope can also include parameters to avoid having to define multiple similar roles.

In the below example a role called ProjectAdmin has been scoped to the path /projects/{ProjectId} which restricts its permissions to a particular project.

When the role is assigned to a user, it must also include the path scope and any parameters must be replaced with values.

For example a user with the ProjectAdmin:/projects/123 role would have the admin permissions for only project 123.

public static readonly RoleDefinition ProjectAdmin = new(
    name: "ProjectAdmin",
    permissions:
    [
        Permissions.TasksCreate,
        Permissions.TasksDelete,
    ],
    pathScope: "/projects/{ProjectId}");

Customizing Role Retrieval

How role definitions and user roles are retrieved can be customized by implementing a custom locator. The following are available:

IRoleDefinitionsLocator
IUserRolesLocator
IUserIdLocator

A common scenario would be to retrieve the user's roles from a database instead of from the user's token.

The custom locator will be called for each authorization.

The custom implementations should be registered as a singleton. For example:

options.Services.AddSingleton<IUserRolesLocator, MyCustomUserRolesLocator>();

Example WebApi

An example WebApi showing the core functionality is available below:

View Source

Product	Compatible and additional computed target framework versions.
.NET	net6.0 is compatible. net6.0-android was computed. net6.0-ios was computed. net6.0-maccatalyst was computed. net6.0-macos was computed. net6.0-tvos was computed. net6.0-windows was computed. net7.0 was computed. net7.0-android was computed. net7.0-ios was computed. net7.0-maccatalyst was computed. net7.0-macos was computed. net7.0-tvos was computed. net7.0-windows was computed. net8.0 is compatible. net8.0-android was computed. net8.0-browser was computed. net8.0-ios was computed. net8.0-maccatalyst was computed. net8.0-macos was computed. net8.0-tvos was computed. net8.0-windows was computed.

Product

.NET

Compatible target framework(s)

Included target framework(s) (in package)

Learn more about Target Frameworks and .NET Standard.

net6.0
- Microsoft.Identity.Web (>= 2.18.0)
net8.0
- Microsoft.Identity.Web (>= 2.18.0)

NuGet packages

This package is not used by any NuGet packages.

GitHub repositories

This package is not used by any popular GitHub repositories.

Version	Downloads	Last updated
2.0.0	74	4/26/2024
2.0.0-prerelease.1	47	4/23/2024
1.0.1	195	4/30/2023
1.0.0	168	4/30/2023
1.0.0-alpha.4	124	12/28/2022
1.0.0-alpha.3	103	12/25/2022
1.0.0-alpha.2	105	12/22/2022
1.0.0-alpha.1	109	12/22/2022