Overview

The RBAC module provides a dynamic, application-aware authorization layer for .NET. Roles, permissions, and assignments are managed at runtime and evaluated with deny-first rules and attribute conditions. Permissions only apply through roles.

Maturity: Preview

This module is under active development. Validate against published packages and your organization's compliance program before production use.

Key capabilities

  • Scoped roles and permissions (application, tenant, environment).
  • Deny-first evaluation with wildcard support (*, resource:*).
  • Attribute-based conditions for permissions (for example: status, region, amount).
  • Role hierarchy (single parent by default) and multi-role membership.
  • Group hierarchy with inherited access.
  • Dynamic assignments with optional expiry.
  • Store abstraction with In-Memory and EF Core adapters.
  • Optional audit sink for access checks and changes.

Core concepts

  • Role: a named collection of permissions.
  • Permission: an action and resource pair with an allow or deny effect.
  • Assignment: links a principal (user, service, or group) to a role in a scope.
  • Group: a hierarchical container for principals.
  • Attribute: contextual key/value data used in permission conditions.
  • Scope: application, tenant, and environment identifiers.
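How these concepts combine in a deny-first check, as an added example that is not part of the original page and does not use the PrimusSaaS.Rbac API. All types and names are hypothetical. It assumes permission strings of the form resource:action, conditions that fail closed when an attribute is missing, and a single role with no role or group hierarchy.

```csharp
#nullable enable
// Added illustration: hypothetical types, NOT the PrimusSaaS.Rbac API.
using System;
using System.Collections.Generic;
using System.Linq;

// Constructed sample data: one role with a wildcard allow, an explicit deny and a conditional allow.
var clerk = new Role("invoice-clerk", new[]
{
    new Permission("invoice:*", Effect.Allow, null),
    new Permission("invoice:delete", Effect.Deny, null),
    new Permission("payment:approve", Effect.Allow, a => a.TryGetValue("region", out var r) && r == "eu"),
});
var scope = new Scope("billing", "tenant-a", "prod");
var assignments = new[] { new Assignment("user:alice", clerk, scope, DateTimeOffset.UtcNow.AddHours(1)) };
var now = DateTimeOffset.UtcNow;
var eu = new Dictionary<string, string> { ["region"] = "eu" };
var none = new Dictionary<string, string>();
bool Check(string perm, Dictionary<string, string> attrs) =>
    Evaluator.IsAllowed(assignments, "user:alice", scope, perm, attrs, now);

Console.WriteLine(Check("invoice:read", none));    // only the invoice:* allow matches
Console.WriteLine(Check("invoice:delete", none));  // explicit deny and invoice:* both match; deny wins
Console.WriteLine(Check("payment:approve", eu));   // region condition is satisfied
Console.WriteLine(Check("payment:approve", none)); // attribute missing, so the allow does not apply

static class Evaluator
{
    // "*" matches any request; "invoice:*" matches any action on invoice (assumed syntax).
    static bool Matches(string pattern, string requested) =>
        pattern == "*" || pattern == requested ||
        (pattern.EndsWith(":*") && requested.StartsWith(pattern[..^1], StringComparison.Ordinal));

    public static bool IsAllowed(IEnumerable<Assignment> assignments, string principal, Scope scope,
        string requested, IReadOnlyDictionary<string, string> attrs, DateTimeOffset now)
    {
        var matching = assignments
            .Where(a => a.Principal == principal && a.Scope == scope && (a.ExpiresAt is null || a.ExpiresAt > now))
            .SelectMany(a => a.Role.Permissions) // permissions are reached only through roles
            .Where(p => Matches(p.Pattern, requested) && (p.Condition is null || p.Condition(attrs)))
            .ToList();
        // Deny-first: any matching deny wins; otherwise at least one matching allow is required.
        return !matching.Any(p => p.Effect == Effect.Deny) && matching.Any(p => p.Effect == Effect.Allow);
    }
}
enum Effect { Allow, Deny }
record Scope(string Application, string Tenant, string Environment);
record Permission(string Pattern, Effect Effect, Func<IReadOnlyDictionary<string, string>, bool>? Condition);
record Role(string Name, IReadOnlyList<Permission> Permissions);
record Assignment(string Principal, Role Role, Scope Scope, DateTimeOffset? ExpiresAt);
```

An assignment in a different scope or past its expiry contributes no permissions, so the request falls through to the default of no access.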

Packages

  • .NET Core: PrimusSaaS.Rbac
  • .NET In-Memory Adapter: PrimusSaaS.Rbac.InMemory
  • .NET EF Core Adapter: PrimusSaaS.Rbac.EFCore

Admin UI

Reusable admin UI packages are available in the frontend SDKs:

  • React: PrimusRbacAdmin in primus-react-ui (React docs)
  • Angular: <primus-rbac-admin> in primus-angular-ui (Angular docs)