Data Permission
Overview
The Data Permission module implements data isolation based on organizational structure. By marking an entity with the IDataPermission interface, the system automatically appends a filter condition for the current user's department during queries, ensuring that users can only view data from their own department and its sub-departments. Administrator roles are exempt from data permission restrictions and can view all data.
Implementation
Interface Definition
Entities implement the IDataPermission interface:
public interface IDataPermission
{
long OrgId { get; set; }
}
Automatic Filtering
After enabling UseDataPermission on AdminTable, the OrgId filter condition is automatically appended during queries:
<AdminTable TItem="SysOrder" UseDataPermission="true" ... />
Automatic Assignment
When creating new records, the system automatically writes the current user's OrgId to the entity's OrgId field via RepositoryOptions.AuditValue.
Permission Scope
- Non-admin users: Can only view data from their own department and all sub-departments
- Admin roles (
IsAdministrator = true): Unrestricted, can view all data
Usage
Enabling Data Permission for an Entity
- Have the entity class implement the
IDataPermissioninterface and add theOrgIdproperty. - Set
UseDataPermission="true"on theAdminTablecomponent.
Verifying Data Permission
- Log in with a non-admin account and verify that only data from the user's department and sub-departments is visible.
- After switching departments, the data scope adjusts automatically.
Related Interfaces/Services
IDataPermission— Data permission interfaceRepositoryOptions.AuditValue— Automatic value assignment mechanismAdminTable.UseDataPermission— Table enable toggle