Permission-Based Authorization Setup
Overview
This skill implements fine-grained permission-based authorization:
- Custom [HasPermission] attribute - Declarative permission requirements
- Policy provider - Dynamically creates policies from permissions
- Authorization handler - Validates user permissions
- Claims transformation - Converts roles to permissions
Quick Reference
| Component | Purpose |
|---|---|
| Permissions | Static permission constants |
| Roles | Static role constants |
| RolePermissions | Static role-to-permission grant table |
| HasPermissionAttribute | Custom authorize attribute |
| PermissionAuthorizationHandler | Validates permissions |
| PermissionAuthorizationPolicyProvider | Creates policies dynamically |
| RoleToPermissionClaimsTransformation | Maps roles to permissions |
Authorization Structure
/Infrastructure/Authorization/
├── Permissions.cs
├── Roles.cs
├── RolePermissions.cs
├── HasPermissionAttribute.cs
├── PermissionRequirement.cs
├── PermissionAuthorizationHandler.cs
├── PermissionAuthorizationPolicyProvider.cs
├── RoleToPermissionClaimsTransformation.cs
└── AuthorizationExtensions.cs
Template: Permissions Definition
// src/{name}.infrastructure/Authorization/Permissions.cs
namespace {name}.infrastructure.authorization;
/// <summary>
/// Catalogue of every permission the application knows about, each expressed as a
/// <c>{resource}:{action}</c> string.
/// </summary>
/// <remarks>
/// The string values, not the constant names, are the contract: they are what the
/// role-to-permission table grants and what the policy provider and authorization
/// handler are intended to match on. Renaming a constant is a harmless refactor, but
/// changing a value changes what is authorized, so any place that stores or emits the
/// old string (role mappings, persisted claims, tests) has to move with it.
/// NOTE(review): nothing here enforces the <c>{resource}:{action}</c> shape; it is a
/// convention kept by hand, so new entries should be reviewed for it.
/// </remarks>
public static class Permissions
{
    #region Organizations
    public const string OrganizationsRead = "organizations:read";
    public const string OrganizationsWrite = "organizations:write";
    public const string OrganizationsDelete = "organizations:delete";
    public const string OrganizationsManageSettings = "organizations:manage_settings";
    #endregion

    #region Users
    public const string UsersRead = "users:read";
    public const string UsersWrite = "users:write";
    public const string UsersDelete = "users:delete";
    // Deliberately separate from UsersWrite: editing a user and changing what a user
    // is allowed to do are different privileges and are granted separately below.
    public const string UsersManageRoles = "users:manage_roles";
    #endregion

    #region Departments
    public const string DepartmentsRead = "departments:read";
    public const string DepartmentsWrite = "departments:write";
    public const string DepartmentsDelete = "departments:delete";
    #endregion

    #region Assessments
    public const string AssessmentsRead = "assessments:read";
    public const string AssessmentsWrite = "assessments:write";
    public const string AssessmentsSubmit = "assessments:submit";
    public const string AssessmentsReview = "assessments:review";
    #endregion

    #region Reports
    public const string ReportsRead = "reports:read";
    public const string ReportsExport = "reports:export";
    // Distinct from ReportsRead so that sensitive report content can be withheld
    // from roles that may otherwise read and export reports.
    public const string ReportsViewSensitive = "reports:view_sensitive";
    #endregion

    #region Admin
    public const string AdminAccess = "admin:access";
    public const string AdminManageSystem = "admin:manage_system";
    #endregion
}
Template: Roles Definition
// src/{name}.infrastructure/Authorization/Roles.cs
namespace {name}.infrastructure.authorization;
/// <summary>
/// Names of every role the application recognises.
/// </summary>
/// <remarks>
/// A role is only a label here; it carries no permissions of its own. What each role
/// is allowed to do is defined by the role-to-permission mapping, which keys on these
/// exact string values, so the values are a contract shared with wherever role claims
/// originate (assumed to be the identity store or token issuer — confirm). Changing a
/// value without changing the issued claims silently strips that role of every
/// permission. Ordering in this list implies no hierarchy.
/// </remarks>
public static class Roles
{
    public const string SuperAdmin = "SuperAdmin";
    public const string Admin = "Admin";
    public const string Consultant = "Consultant";
    public const string Manager = "Manager";
    public const string Associate = "Associate";
    public const string Viewer = "Viewer";
}
Template: Role-Permission Mapping
// src/{name}.infrastructure/Authorization/RolePermissions.cs
namespace {name}.infrastructure.authorization;
/// <summary>
/// Maps roles to their granted permissions
/// </summary>
public static class RolePermissions
{
private static readonly Dictionary<string, HashSet<string>> RolePermissionMap = new()
{
// ═══════════════════════════════════════════════════════════════
// SUPER ADMIN - Full system access
// ═══════════════════════════════════════════════════════════════
[Roles.SuperAdmin] = new HashSet<string>
{
Permissions.OrganizationsRead,
Permissions.OrganizationsWrite,
Permissions.OrganizationsDelete,
Permissions.OrganizationsManageSettings,
Permissions.UsersRead,
Permissions.UsersWrite,
Permissions.UsersDelete,
Permissions.UsersManageRoles,
Permissions.DepartmentsRead,
Permissions.DepartmentsWrite,
Permissions.DepartmentsDelete,
Permissions.AssessmentsRead,
Permissions.AssessmentsWrite,
Permissions.AssessmentsSubmit,
Permissions.AssessmentsReview,
Permissions.ReportsRead,
Permissions.ReportsExport,
Permissions.ReportsViewSensitive,
Permissions.AdminAccess,
Permissions.AdminManageSystem
},
// ═══════════════════════════════════════════════════════════════
// ADMIN - Organization-level admin
// ═══════════════════════════════════════════════════════════════
[Roles.Admin] = new HashSet<string>
{
Permissions.OrganizationsRead,
Permissions.OrganizationsWrite,
Permissions.OrganizationsManageSettings,
Permissions.UsersRead,
Permissions.UsersWrite,
Permissions.UsersManageRoles,
Permissions.DepartmentsRead,
Permissions.DepartmentsWrite,
Permissions.DepartmentsDelete,
Permissions.AssessmentsRead,
Permissions.AssessmentsWrite,
Permissions.AssessmentsReview,
Permissions.ReportsRead,
Permissions.ReportsExport,
Permissions.ReportsViewSensitive,
Permissions.AdminAccess
},
// ═══════════════════════════════════════════════════════════════
// CONSULTANT - External consultants
// ═══════════════════════════════════════════════════════════════
[Roles.Consultant] = new HashSet<string>
{
Permissions.OrganizationsRead,
Permissions.UsersRead,
Permissions.DepartmentsRead,
Permissions.AssessmentsRead,
Permissions.AssessmentsReview,
Permissions.ReportsRead,
Permissions.ReportsExport
},
// ═══════════════════════════════════════════════════════════════
// MANAGER - Department managers
// ═══════════════════════════════════════════════════════════════
[Roles.Manager] = new HashSet<string>
{
Permissions.OrganizationsRead,
Permissions.UsersRead,
Permissions.DepartmentsRead,
Permissions.DepartmentsWrite,
Permissions.AssessmentsRead,
Permissions.AssessmentsWrite,
Permissions.AssessmentsSubmit,
Permissions.AssessmentsReview,
Permissions.ReportsRead
},
// ═══════════════════════════════════════════════════════════════
// ASSOCIATE - Regular employees
// ═══════════════════════════════════════════════════════════════