Data Permission

Overview

The Data Permission module implements data isolation based on organizational structure. By marking an entity with the IDataPermission interface, the system automatically appends a filter condition for the current user's department during queries, ensuring that users can only view data from their own department and its sub-departments. Administrator roles are exempt from data permission restrictions and can view all data.

Implementation

Interface Definition

Entities implement the IDataPermission interface:

public interface IDataPermission
{
    long OrgId { get; set; }
}

Automatic Filtering

After enabling UseDataPermission on AdminTable, the OrgId filter condition is automatically appended during queries:

<AdminTable TItem="SysOrder" UseDataPermission="true" ... />

Automatic Assignment

When creating new records, the system automatically writes the current user's OrgId to the entity's OrgId field via RepositoryOptions.AuditValue.

Permission Scope

  • Non-admin users: Can only view data from their own department and all sub-departments
  • Admin roles (IsAdministrator = true): Unrestricted, can view all data

Usage

Enabling Data Permission for an Entity

  1. Have the entity class implement the IDataPermission interface and add the OrgId property.
  2. Set UseDataPermission="true" on the AdminTable component.

Verifying Data Permission

  • Log in with a non-admin account and verify that only data from the user's department and sub-departments is visible.
  • After switching departments, the data scope adjusts automatically.
  • IDataPermission — Data permission interface
  • RepositoryOptions.AuditValue — Automatic value assignment mechanism
  • AdminTable.UseDataPermission — Table enable toggle