Overview
Use RBAC when your application needs runtime-managed roles, permissions, and tenant-scoped access checks. PrimusSaaS RBAC evaluates access with deny-first rules, optional attribute conditions, and scoped assignments.
Maturity: Stable
Current workspace validation supports a stable release posture for the RBAC core and shipped adapters. Consumers still need to validate their own storage, hosting, and compliance integrations before production rollout.
Use this module when
- You need permissions that can change without redeploying the app.
- You need tenant-scoped authorization decisions.
- You need more than static claim checks or one-off policies.
- You need an API-first RBAC surface that frontend admin screens can call.
Do not start here if
- Simple framework policies already solve your authorization problem.
- You do not yet have authentication in place. Start with Identity Validator.
- You need a full browser login and membership flow first. Use the combined composition guide instead of starting from RBAC in isolation.
Start here
| Goal | Start with | What it proves |
|---|---|---|
| Fastest first success | Verified .NET Quickstart | A fresh net9.0 app built with 0 Warning(s), 0 Error(s) and returned one allow plus one deny decision. |
| Exact five-role, two-tenant matrix | Verified Multi-Tenant Role Matrix | 31/31 focused tests passed on net9.0, and the blind verifier path defines 50 live HTTP cases. |
| Production-style auth plus tenant-scoped admin API | Verified Production-Style Role Matrix | 63/63 focused tests passed on net9.0, and the production-style verifier path defines 72 live HTTP cases. |
| SQL-backed path without EF Core | Verified Dapper Quickstart | Current-run validation passed 16/16 focused infrastructure tests plus 6 live SQLite quickstart checks. |
| Wire RBAC into your host | Integration Guide | Service registration, seeding, and API surface for In-Memory and EF Core adapters. |
| Compose Identity Validator + Multi-Tenancy + RBAC | Combined .NET Integration | Cross-module startup order and the recommended combined learning path. |
What this module does
- Scoped roles and permissions across application and tenant boundaries.
- Deny-first evaluation with wildcard support such as
*andresource:*. - Attribute-based conditions for decisions such as status, region, or amount.
- Role hierarchy, group hierarchy, and dynamic assignments with optional expiry.
- Store abstraction for In-Memory, EF Core, and Dapper-backed usage.
- Optional audit, diagnostics, and decision caching hooks.
Core concepts
- Role: a named collection of permissions.
- Permission: an action and resource pair with an allow or deny effect.
- Assignment: links a principal to a role in a scope.
- Group: a hierarchical container for principals.
- Attribute: contextual key/value data used in permission conditions.
- Scope: application, tenant, and environment identifiers.
Packages
PrimusSaaS.RbacPrimusSaaS.Rbac.InMemoryPrimusSaaS.Rbac.EFCorePrimusSaaS.Rbac.Dapper
Current validated evidence
dotnet test sdk/dotnet/tests/PrimusSaaS.Rbac.Tests/PrimusSaaS.Rbac.Tests.csproj --no-restore --nologoCurrent run:385/385passed acrossnet8.0,net9.0, andnet10.0.dotnet test sdk/dotnet/tests/PrimusSaaS.Rbac.Tests/PrimusSaaS.Rbac.Tests.csproj --framework net9.0 --filter FullyQualifiedName~BlindUserRbacDocsValidationTests /p:CollectCoverage=false --nologoCurrent run:31/31passed.dotnet test sdk/dotnet/tests/PrimusSaaS.Rbac.Tests/PrimusSaaS.Rbac.Tests.csproj --framework net9.0 --filter FullyQualifiedName~ProductionStyleRbac /p:CollectCoverage=false --nologoCurrent run:63/63passed.- The blind-docs and production-style verifier flows are also represented in
.github/workflows/rbac-docs-blind-validation.ymland.github/workflows/rbac-production-style-validation.yml.
Admin UI
Reusable admin UI packages are available in the frontend SDKs:
- React:
PrimusRbacAdmininprimus-react-ui(React docs) - Angular:
<primus-rbac-admin>inprimus-angular-ui(Angular docs)
Related modules
- Identity Validator for authentication.
- Multi-Tenancy for tenant isolation.
- Combined .NET Integration for the recommended cross-module path.
- Audit Logging for authorization trails.