Authorization
Authorization determines what authenticated users can do in your Endatix application. While authentication verifies who a user is, authorization controls what resources and actions they can access.
Authentication vs. Authorization
- Authentication: Verifies user identity (who you are)
- Authorization: Controls access to resources (what you can do)
Endatix supports both default authorization (with Endatix JWT) and external authorization providers (like Keycloak) for more advanced scenarios.
Authorization Providers
Default Authorization
The built-in Endatix JWT provider stores all required info such as roles, permissions and assigned roles in the database. The authorization pipelines provides the following authorization capabilities:
- Role-based access control
- Permission-based authorization
- Policy-based authorization
- Tenant-based isolation
This is suitable for most applications and requires no additional configuration. Endatix can be extended to support more advanced authorization scenarios such as custom permissions, temp permissions or even support for external authorization providers.
External Authorization
For advanced scenarios, Endatix can use external identity providers (like Keycloak) for role-based access control in your Endatix application. This enables use cases such as enterprise-wide authentication and authorization with single sign-on (SSO) and centralized role management, where Endatix is acting as a relying party for the external identity provider and authorization policies are managed in the external authorization provider.
Endatix maps external authroization data such as permissions, roles and claims to the built-in Endatix authorization system giving you maximum flexibility and control over your authorization logic.
For a comprehensive guide on external authorization concepts and benefits, see the External Authorization guide.
Default Authorization System
Endatix includes a built-in authorization system with predefined roles and permissions that you can use out of the box. Additionally, you can define your own custom roles and permissions to suit your specific needs.
System Roles
| Role | Description | Hub Access |
|---|---|---|
| Admin | Tenant administrator with full access to all features and settings of their tenant | ✅ |
| PlatformAdmin | Platform administrator with full access to all features and settings of the platform. Platform administrators can manage and administer tenants, settings, integrations, users, metrics, logs and usage statistics. | ✅ |
| Creator | Form creator user who can create, edit, and manage forms and templates. They are given access for the tenant they are assigned to. | ✅ |
| Authenticated | This is pseudo role, which is given to every authenticated user and gives the "access.authenticated" permission to every signed in user. | No |
| Public | This is pseudo role, which is given to every anonymous user and gives no permissions to anonymous users. | No |
Granular Permissions
Endatix comes with a set of predefined permissions that are organized into categories for easy management and organization. There are action based permissions (verbs)and as well as access level permissions (resources).
Permission names follow the pattern: {category}.{action}.{scope}
List of built-in permissions
Access-Level Permissions
These are access-level permissions (not action-based):
access.authenticated- User is authenticated (signed in). Basic authentication level authorizationaccess.apps.hub- User has access to the Endatix Hub application.
Platform-Level Permissions
Platform-wide management permissions:
platform.tenants.manage- Manage tenantsplatform.settings.manage- Manage platform settingsplatform.integrations.manage- Manage platform integrationsplatform.users.impersonate- Impersonate usersplatform.metrics.view- View platform metricsplatform.logs.view- View platform logsplatform.usage.view- View platform usage statistics
Tenant-Level Permissions
Tenant-specific management permissions:
tenant.users.invite- Invite users to the tenanttenant.users.view- View tenant userstenant.users.manage- Manage tenant userstenant.roles.view- View tenant rolestenant.roles.manage- Manage tenant rolestenant.settings.view- View tenant settingstenant.settings.manage- Manage tenant settingstenant.usage.view- View tenant usage statistics
Form Management Permissions
forms.view- View formsforms.create- Create formsforms.edit- Edit formsforms.delete- Delete forms
Template Management Permissions
templates.view- View templatestemplates.create- Create templatestemplates.edit- Edit templatestemplates.delete- Delete templates
Theme Management Permissions
themes.view- View themesthemes.create- Create themesthemes.edit- Edit themesthemes.delete- Delete themes
Submission Management Permissions
submissions.view- View submissionssubmissions.create- Create submissionssubmissions.edit- Edit submissionssubmissions.delete- Delete submissionssubmissions.export- Export submissionssubmissions.delete.owned- Delete own submissions (ownership-based)
Question Management Permissions
questions.view- View questionsquestions.create- Create questionsquestions.edit- Edit questionsquestions.delete- Delete questions
Quick Start
Basic Authorization Setup
Built-in default authorization is automatically configured when you set up Endatix application. This also includes the system roles and permissions mentioned above.
Using Roles in Your Code
Once authorization is configured, you can use roles in your Fast endpoints using the Permissions() method (Claims, Roles, Policies, etc work as well).
Use simple permission e.g. "forms.create". Note that it's accessed via convenient Actions class.
public class CreateForm(IMediator mediator) : Endpoint<CreateFormRequest, Results<Created<FormModel>, BadRequest>>
{
public override void Configure()
{
Post("forms");
Permissions(Actions.Forms.Create);
Summary(s =>
{
s.Summary = "Create a new form";
s.Description = "Creates a new form with the provided data";
});
}
public override async Task<Results<Created<FormModel>, BadRequest>> ExecuteAsync(
CreateFormRequest request, CancellationToken cancellationToken)
{
// Only users with forms.create permission will reach this endpoint. Note that Admins will also pass this permission check
var command = new CreateFormCommand(/* map from request */);
var result = await mediator.Send(command, cancellationToken);
return TypedResultsBuilder
.MapResult(result, Mapper.Map<FormModel>)
.SetTypedResults<Created<FormModel>, BadRequest>();
}
}
You can also require multiple permissions (user needs at least one):
public override void Configure()
{
Delete("submissions/{submissionId}");
Permissions(Actions.Submissions.Delete, Actions.Submissions.DeleteOwned);
// User needs either Delete or DeleteOwned permission
}
Or check permissions programmatically in use cases:
public class MyUseCase(ICurrentUserAuthorizationService authService)
{
public async Task<Result> ExecuteAsync(CancellationToken cancellationToken)
{
var accessResult = await authService.authorizationService.ValidateAccessAsync(
Actions.Forms.Edit,
cancellationToken);
if (!accessResult.IsSuccess)
{
return Result.Forbidden("Permission required");
}
// User has permission, proceed with operation
return Result.Success();
}
}
Admins and PlatformAdmins will always pass any permission check.
To restrict access to Platform-level features and settings to PlatformAdmins only, you can use the PlatformAdmin policy on your endpoints e.g. Policy("PlatformAdmin", () => { ... });
Advanced Authorization Scenarios
External Authorization with Keycloak
For role-based access control with Keycloak using token introspection, see the Keycloak RBAC Setup guide.
Next Steps
- Learn about External Authorization concepts
- Set up Keycloak RBAC for advanced authorization
- Explore Authentication providers for your application