Permissions
In any application that handles more than one user, you’ll inevitably need a way to control who can do what. Can any user delete another user’s account? Can a regular user access administrative settings? Answering these questions is the job of a permissions system, a critical component both for security and for a well-structured application.
SliceFlow is built with security in mind, and it includes a flexible and powerful permissions system right out of the box. It’s designed to be easy for developers to use, yet robust enough to handle complex access control scenarios.
A Single Source of Truth for Permissions
The foundation of SliceFlow’s permission system is a single, centralized file where you define every possible action a user can take in your application. This “single source of truth” approach makes it incredibly easy to see and manage all permissions at a glance.
This central hub is a file called Allow.cs, and it looks something like this:

public static class Allow
{
    public static class User
    {
        public const string ListAll = "User.ListAll";
        public const string GetById = "User.GetById";
        public const string AssignPermissions = "User.AssignPermissions";
    }

    public static class Product
    {
        public const string Create = "Product.Create";
        public const string Update = "Product.Update";
        public const string Delete = "Product.Delete";
    }
}
By organizing permissions into logical groups (like User and Product), you create a clear and maintainable structure that can easily grow with your application.
Keeping Everything in Sync, Automatically
Defining permissions in your code is great, but they also need to exist in your database so you can assign them to users. Manually keeping these two in sync would be tedious and error-prone. That’s why SliceFlow does it for you, automatically.
Every time your application starts, a special service scans your Allow.cs file and compares it to the permissions in the database.
- If it finds a new permission in your code, it adds it to the database.
- If you’ve removed a permission from your code, it cleans it up from the database.
This means your permissions are always up-to-date, with zero manual effort required. You can add, remove, or rename permissions in one place, and the rest of the system just adapts.
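The startup sync described above, as an added example that is not SliceFlow's own code: it discovers every constant in an Allow class by reflection and computes which rows the database is missing and which are stale. The Allow class and the database contents below are constructed stand-ins; the store that would apply the plan is left out.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Reflection;

// Constructed stand-in for the page's Allow.cs (two groups, three permissions).
public static class Allow
{
    public static class User { public const string ListAll = "User.ListAll"; }
    public static class Product
    {
        public const string Create = "Product.Create";
        public const string Delete = "Product.Delete";
    }
}
// Which rows the startup sync must add and which it must remove.
public sealed record SyncPlan(List<string> ToAdd, List<string> ToRemove);

public static class PermissionSync
{
    // Walks Allow -> nested groups -> public const string fields, the same shape
    // as the page's Allow.cs, so a permission cannot be missed or mistyped.
    public static HashSet<string> FromAllow(Type allowType)
    {
        var found = new HashSet<string>(StringComparer.Ordinal);
        foreach (var group in allowType.GetNestedTypes(BindingFlags.Public))
            foreach (var f in group.GetFields(BindingFlags.Public | BindingFlags.Static))
                if (f.IsLiteral && f.FieldType == typeof(string))
                    found.Add((string)f.GetRawConstantValue()!);
        return found;
    }

    // Set difference in both directions: new in code -> add; gone from code -> remove.
    public static SyncPlan Plan(IEnumerable<string> inCode, IEnumerable<string> inDatabase)
    {
        var code = new HashSet<string>(inCode, StringComparer.Ordinal);
        var db = new HashSet<string>(inDatabase, StringComparer.Ordinal);
        return new SyncPlan(code.Except(db).OrderBy(p => p).ToList(),
                            db.Except(code).OrderBy(p => p).ToList());
    }
    public static void Main()
    {
        // Constructed database state: "Product.Update" is stale, "Product.Delete" is missing.
        var inDb = new[] { "User.ListAll", "Product.Create", "Product.Update" };
        var plan = Plan(FromAllow(typeof(Allow)), inDb);
        Console.WriteLine("add: " + string.Join(", ", plan.ToAdd));
        Console.WriteLine("remove: " + string.Join(", ", plan.ToRemove));
    }
}
```

Logging plan.ToRemove before applying it gives an audit trail of exactly which permissions each deployment drops from the database.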
Putting Permissions to Work
Once your permissions are defined and synced, you can start using them to secure your application.
1. Protecting Your API Endpoints
The most common use for permissions is to restrict access to your API endpoints. With SliceFlow, this is as simple as adding a single line of code.
// Only users with the "Product.Delete" permission can access this endpoint
public override void Configure()
{
    Delete("/products/{productId}");
    Version(1);
    Group<EndpointGroup.Product>();
    Permissions(Allow.Product.Delete);
}
You can even require a user to have multiple permissions to access a particularly sensitive endpoint.
2. Assigning Permissions to Users
Of course, a permissions system isn’t very useful if you can’t give those permissions to your users. SliceFlow provides simple API endpoints to grant or revoke permissions for any user.
For example, to give a user the ability to list all other users and to look a user up by id, you would make a single API call:

POST /api/v1/users/{userId}/permissions
Content-Type: application/json

{
  "permissions": ["User.ListAll", "User.GetById"]
}
The system is smart enough to only add the permissions the user doesn’t already have, and it immediately updates the user’s session so the changes take effect instantly.
Seamlessly Integrated with Authentication
The beauty of SliceFlow’s permissions system is how seamlessly it works with the rest of the framework. When a user logs in, all of their assigned permissions are bundled up and included in their authentication token (a JWT, or JSON Web Token).
This token is sent with every subsequent request the user makes. When a request comes in to a protected endpoint, the system simply checks the token to see if the required permission is present. It’s a fast, secure, and stateless way to handle authorization.
Smart Defaults for a Better User Experience
To make life even easier, you can define a set of default permissions that are automatically granted to every new user who signs up. This is perfect for giving users basic access, like the ability to view their own profile, without any manual setup.
With SliceFlow, you get a complete, end-to-end solution for managing permissions that is deeply integrated, easy to manage, and built to scale.