Skip to main content
Version: Current

Overview

Use RBAC when your application needs runtime-managed roles, permissions, and tenant-scoped access checks. PrimusSaaS RBAC evaluates access with deny-first rules, optional attribute conditions, and scoped assignments.

Maturity: Stable

Current workspace validation supports a stable release posture for the RBAC core and shipped adapters. Consumers still need to validate their own storage, hosting, and compliance integrations before production rollout.

Use this module when

  • You need permissions that can change without redeploying the app.
  • You need tenant-scoped authorization decisions.
  • You need more than static claim checks or one-off policies.
  • You need an API-first RBAC surface that frontend admin screens can call.

Do not start here if

  • Simple framework policies already solve your authorization problem.
  • You do not yet have authentication in place. Start with Identity Validator.
  • You need a full browser login and membership flow first. Use the combined composition guide instead of starting from RBAC in isolation.

Start here

GoalStart withWhat it proves
Fastest first successVerified .NET QuickstartA fresh net9.0 app built with 0 Warning(s), 0 Error(s) and returned one allow plus one deny decision.
Exact five-role, two-tenant matrixVerified Multi-Tenant Role Matrix31/31 focused tests passed on net9.0, and the blind verifier path defines 50 live HTTP cases.
Production-style auth plus tenant-scoped admin APIVerified Production-Style Role Matrix63/63 focused tests passed on net9.0, and the production-style verifier path defines 72 live HTTP cases.
SQL-backed path without EF CoreVerified Dapper QuickstartCurrent-run validation passed 16/16 focused infrastructure tests plus 6 live SQLite quickstart checks.
Wire RBAC into your hostIntegration GuideService registration, seeding, and API surface for In-Memory and EF Core adapters.
Compose Identity Validator + Multi-Tenancy + RBACCombined .NET IntegrationCross-module startup order and the recommended combined learning path.

What this module does

  • Scoped roles and permissions across application and tenant boundaries.
  • Deny-first evaluation with wildcard support such as * and resource:*.
  • Attribute-based conditions for decisions such as status, region, or amount.
  • Role hierarchy, group hierarchy, and dynamic assignments with optional expiry.
  • Store abstraction for In-Memory, EF Core, and Dapper-backed usage.
  • Optional audit, diagnostics, and decision caching hooks.

Core concepts

  • Role: a named collection of permissions.
  • Permission: an action and resource pair with an allow or deny effect.
  • Assignment: links a principal to a role in a scope.
  • Group: a hierarchical container for principals.
  • Attribute: contextual key/value data used in permission conditions.
  • Scope: application, tenant, and environment identifiers.

Packages

  • PrimusSaaS.Rbac
  • PrimusSaaS.Rbac.InMemory
  • PrimusSaaS.Rbac.EFCore
  • PrimusSaaS.Rbac.Dapper

Current validated evidence

  • dotnet test sdk/dotnet/tests/PrimusSaaS.Rbac.Tests/PrimusSaaS.Rbac.Tests.csproj --no-restore --nologo Current run: 385/385 passed across net8.0, net9.0, and net10.0.
  • dotnet test sdk/dotnet/tests/PrimusSaaS.Rbac.Tests/PrimusSaaS.Rbac.Tests.csproj --framework net9.0 --filter FullyQualifiedName~BlindUserRbacDocsValidationTests /p:CollectCoverage=false --nologo Current run: 31/31 passed.
  • dotnet test sdk/dotnet/tests/PrimusSaaS.Rbac.Tests/PrimusSaaS.Rbac.Tests.csproj --framework net9.0 --filter FullyQualifiedName~ProductionStyleRbac /p:CollectCoverage=false --nologo Current run: 63/63 passed.
  • The blind-docs and production-style verifier flows are also represented in .github/workflows/rbac-docs-blind-validation.yml and .github/workflows/rbac-production-style-validation.yml.

Admin UI

Reusable admin UI packages are available in the frontend SDKs:

  • React: PrimusRbacAdmin in primus-react-ui (React docs)
  • Angular: <primus-rbac-admin> in primus-angular-ui (Angular docs)