PrimusSaaS.Rbac
2.0.1
dotnet add package PrimusSaaS.Rbac --version 2.0.1
Release status: stable.
Core RBAC engine for Primus SaaS. Includes the data model, evaluation logic, and service interfaces. Storage adapters are shipped separately.
Validation
- Current workspace validation: 385/385 tests passed on net9.0
- Current workspace validation: 385/385 tests passed on net10.0
- Current workspace validation: total coverage 95.9% line / 86.34% branch / 98.09% method
- Scope boundary: core evaluator first; seeded/sample data is optional and not required for production usage
Telemetry
- Emits ActivitySource spans for decisions, snapshots, what-if checks, cleanup, and mutations.
- Emits exporter-agnostic metrics counters for decisions, mutations, and cleanup events.
- Consumers still need to wire their own exporter or MeterListener if they want the telemetry exported.
- The module intentionally keeps telemetry generic and backend-neutral.
Combined ASP.NET Core Host
If you are wiring RBAC together with PrimusSaaS.Identity.Validator and PrimusSaaS.MultiTenancy, use the verified combined onboarding guide at /docs/modules/combined-dotnet-integration.
Start here
- First-time package overview: /docs/modules/rbac
- Exact five-role, two-tenant access-control walkthrough: /docs/modules/rbac/verified-multi-tenant-role-matrix
- Same walkthrough under JWT authentication and membership-validated tenant selection, including tenant-scoped admin-role lifecycle validation: /docs/modules/rbac/verified-production-style-role-matrix
- First runnable SQL-backed path without EF Core: /docs/modules/rbac/verified-dapper-quickstart
- Initial host setup: /docs/modules/rbac/integration-guide
- Advanced topics such as caching, what-if evaluation, and telemetry: /docs/modules/rbac/advanced
Quick Start
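```csharp
using Microsoft.Extensions.DependencyInjection; // ServiceCollection
using PrimusSaaS.Rbac;
using PrimusSaaS.Rbac.InMemory;

var services = new ServiceCollection();

// Register the in-memory adapter without seeding any roles or permissions.
services.AddPrimusRbacInMemory(options =>
{
    options.SeedMode = "none";
});
```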
What it includes
- Scoped roles/permissions (application, tenant, qualifier)
- Deny-first evaluation with wildcard support
- Role hierarchy (single parent by default) and group hierarchy
- Attribute conditions (attributes on access requests)
- Role-based permission resolution (permissions only apply via roles)
- Optional audit sink for access checks and changes
- Snapshot, export/import, and what-if evaluation helpers
- Exporter-agnostic traces and metrics for decision flows
Storage adapters
- PrimusSaaS.Rbac.InMemory — in-process, no database required (dev/test)
- PrimusSaaS.Rbac.EFCore — Entity Framework Core (SQL Server, PostgreSQL, SQLite, ...)
- PrimusSaaS.Rbac.Dapper — Dapper micro-ORM (same databases, no EF dependency)
- PrimusSaaS.Rbac.Redis — Redis pub/sub distributed cache invalidation bus for multi-instance deployments
Distributed Cache Invalidation
When running multiple API replicas, each instance has its own IRbacDecisionCache. The IDistributedRbacInvalidationBus interface allows mutations on one instance to flush caches across all instances. Install PrimusSaaS.Rbac.Redis for a production-ready Redis pub/sub implementation:
```csharp
builder.Services.AddPrimusRbacCore(opts => { /* ... */ });
builder.Services.AddPrimusRbacRedisInvalidation("redis:6379");
```
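Why the bus matters for revocation, as an added example that is not code from the package: a standalone model in which two replicas keep their own decision cache over one shared store. `Replica`, `InvalidationBus` and their members are hypothetical names, and the bus is a plain in-process event standing in for Redis pub/sub.

```csharp
// Added illustration: standalone model, NOT the PrimusSaaS.Rbac or Redis adapter API.
// Replica, InvalidationBus and all member names are hypothetical.
using System;
using System.Collections.Generic;

var grants = new HashSet<string>();  // shared store (constructed sample data)

bool StaleAfterRevoke(InvalidationBus? bus)
{
    grants.Add("alice|documents:read");
    var a = new Replica(grants, bus);
    var b = new Replica(grants, bus);
    b.Check("alice", "documents:read");         // replica B caches the allow
    a.Revoke("alice", "documents:read");        // the mutation lands on replica A
    return b.Check("alice", "documents:read");  // true = B still serves the stale allow
}

Console.WriteLine($"no bus:   stale allow = {StaleAfterRevoke(null)}");
Console.WriteLine($"with bus: stale allow = {StaleAfterRevoke(new InvalidationBus())}");

class InvalidationBus
{
    public event Action? Invalidated;
    public void Publish() => Invalidated?.Invoke();
}

class Replica
{
    private readonly HashSet<string> _store;
    private readonly InvalidationBus? _bus;
    private readonly Dictionary<string, bool> _cache = new();  // per-instance decision cache

    public Replica(HashSet<string> store, InvalidationBus? bus)
    {
        _store = store; _bus = bus;
        if (bus is not null) bus.Invalidated += _cache.Clear;  // flush on any published mutation
    }

    public bool Check(string user, string permission)
    {
        var key = $"{user}|{permission}";
        if (!_cache.TryGetValue(key, out var allowed))
            _cache[key] = allowed = _store.Contains(key);
        return allowed;
    }

    public void Revoke(string user, string permission)
    {
        _store.Remove($"{user}|{permission}");
        _cache.Clear();   // the mutating instance flushes itself
        _bus?.Publish();  // other replicas only learn of it through the bus
    }
}
```

Without a bus, the revoked permission keeps being granted by the replica that cached it until that cache entry is dropped some other way.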
Ownership Policy
IRbacOwnershipPolicy enables resource-level ownership checks. After RBAC grants access, the ownership policy verifies the caller owns the specific resource instance:
```csharp
services.AddSingleton<IRbacOwnershipPolicy, MyOwnershipPolicy>();
```
When a request includes a ResourceInstanceId, the policy's IsOwnerAsync is called. If it returns false, the decision is downgraded to deny with reason "ownership_check_failed".
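The decision order described here and under "What it includes" (role-only permission resolution, deny-first with wildcards, then the ownership downgrade), as an added standalone model that is not the package's API. `Rule`, `Decision`, `Evaluate`, `Matches` and every reason string other than "ownership_check_failed" are hypothetical, and trailing-`*` matching is an assumption about what wildcard support means.

```csharp
// Added illustration: a standalone model, NOT the PrimusSaaS.Rbac API.
// Rule, Decision, Evaluate, Matches and every reason string except
// "ownership_check_failed" are hypothetical. Sample data is constructed.
using System;
using System.Collections.Generic;
using System.Linq;

var rolePermissions = new Dictionary<string, Rule[]>
{
    ["editor"]     = new[] { new Rule("documents:*", Allow: true) },
    ["restricted"] = new[] { new Rule("documents:delete", Allow: false) },
};
var owners = new Dictionary<string, string> { ["doc-1"] = "alice", ["doc-2"] = "bob" };

Decision Evaluate(string user, string[] roles, string permission, string? resourceInstanceId)
{
    // Permissions apply only via roles; an unknown role contributes nothing.
    var matches = roles
        .SelectMany(r => rolePermissions.TryGetValue(r, out var rules) ? rules : Array.Empty<Rule>())
        .Where(rule => Matches(rule.Pattern, permission))
        .ToList();

    // Deny-first: one matching deny beats any number of allows.
    if (matches.Any(m => !m.Allow)) return new Decision(false, "explicit_deny");
    if (!matches.Any()) return new Decision(false, "no_matching_permission");

    // Ownership runs only after RBAC has granted, and only for instance-level requests.
    if (resourceInstanceId is not null &&
        !(owners.TryGetValue(resourceInstanceId, out var owner) && owner == user))
        return new Decision(false, "ownership_check_failed");

    return new Decision(true, "granted");
}

// Assumed wildcard form: a trailing '*' matches any suffix ("documents:*" covers "documents:read").
static bool Matches(string pattern, string permission) =>
    pattern.EndsWith('*')
        ? permission.StartsWith(pattern[..^1], StringComparison.Ordinal)
        : string.Equals(pattern, permission, StringComparison.Ordinal);

Console.WriteLine(Evaluate("alice", new[] { "editor" }, "documents:read", "doc-1"));
Console.WriteLine(Evaluate("alice", new[] { "editor" }, "documents:read", "doc-2"));
Console.WriteLine(Evaluate("alice", new[] { "editor", "restricted" }, "documents:delete", "doc-1"));
Console.WriteLine(Evaluate("alice", new[] { "viewer" }, "documents:read", null));

record Rule(string Pattern, bool Allow);
record Decision(bool Allowed, string Reason);
```

The second call shows the case the ownership policy exists for: the role grants `documents:read`, but the caller does not own `doc-2`, so the result is a deny with reason "ownership_check_failed".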
Configuration
- SeedMode: none, minimal, or sample. minimal seeds only a generic permission placeholder; it does not create built-in roles. sample seeds demo roles and groups for local experimentation only.
- AllowMultipleInheritance: set true to allow more than one parent role.
Compliance note
This package is designed to support common enterprise access-control requirements. It does not provide certification. Align it with your organization's compliance program.
| Product | Versions Compatible and additional computed target framework versions. |
|---|---|
| .NET | net8.0 is compatible. net8.0-android was computed. net8.0-browser was computed. net8.0-ios was computed. net8.0-maccatalyst was computed. net8.0-macos was computed. net8.0-tvos was computed. net8.0-windows was computed. net9.0 is compatible. net9.0-android was computed. net9.0-browser was computed. net9.0-ios was computed. net9.0-maccatalyst was computed. net9.0-macos was computed. net9.0-tvos was computed. net9.0-windows was computed. net10.0 is compatible. net10.0-android was computed. net10.0-browser was computed. net10.0-ios was computed. net10.0-maccatalyst was computed. net10.0-macos was computed. net10.0-tvos was computed. net10.0-windows was computed. |
- net10.0
  - Microsoft.Extensions.DependencyInjection.Abstractions (>= 10.0.5)
  - Microsoft.Extensions.Hosting.Abstractions (>= 10.0.5)
  - Microsoft.Extensions.Logging.Abstractions (>= 10.0.5)
  - Microsoft.Extensions.Options (>= 10.0.5)
- net8.0
  - Microsoft.Extensions.DependencyInjection.Abstractions (>= 10.0.5)
  - Microsoft.Extensions.Hosting.Abstractions (>= 10.0.5)
  - Microsoft.Extensions.Logging.Abstractions (>= 10.0.5)
  - Microsoft.Extensions.Options (>= 10.0.5)
- net9.0
  - Microsoft.Extensions.DependencyInjection.Abstractions (>= 10.0.5)
  - Microsoft.Extensions.Hosting.Abstractions (>= 10.0.5)
  - Microsoft.Extensions.Logging.Abstractions (>= 10.0.5)
  - Microsoft.Extensions.Options (>= 10.0.5)
NuGet packages (9)
Showing the top 5 NuGet packages that depend on PrimusSaaS.Rbac:
- PrimusSaaS.MultiTenancy: Core multi-tenancy abstractions and runtime for tenant context resolution, isolation, and membership modeling.
- PrimusSaaS.Security: Offline, zero-infrastructure .NET SAST scanner embedded directly in your SDK. Unlike SonarQube (Java 17 + PostgreSQL + 2 GB RAM), Primus Security activates with one NuGet package and one line of code. v2.1.0 ships 60 Roslyn-based SAST analyzers, 100 secret-detection patterns, SARIF 2.1.0 export, OWASP Top 10 2021 compliance report, configurable quality gates, A–E security ratings, persistent suppression store, baseline delta, and a 40-rule catalog with before/after code patches — all offline, air-gap safe. Beats SonarQube Community Edition for .NET on: SARIF export, OWASP report, CWE/PCI-DSS compliance, AI-agent MCP tools, and zero server infrastructure.
- PrimusSaaS.Rbac.InMemory: In-memory storage adapter for PrimusSaaS.Rbac. Intended for development, tests, and demos.
- PrimusSaaS.Rbac.Dapper: Dapper storage adapter for PrimusSaaS.Rbac. A lightweight alternative to the EF Core adapter with full control over SQL.
- PrimusSaaS.Memberships.Rbac: Optional bridge that provisions RBAC assignments from Memberships lifecycle events.
GitHub repositories
This package is not used by any popular GitHub repositories.