Row-Level Authorization for Data Management

Context and Problem Statement

The GMSS (GridLab Modeling and Simulation Suite) requires fine-grained, row-level authorization for File and Directory entities to support sharing within organization units and with specific users. Currently, the system lacks mechanisms to restrict data access based on organizational boundaries and explicit sharing relationships.

Decision Drivers

  • Security: Ensure users can only access files and directories that they own or that have been explicitly shared with them
  • Multi-tenancy: Support data isolation across different tenants and organizations
  • Collaboration: Enable secure sharing of files and directories within organization units and with specific users
  • Compliance: Meet enterprise security standards for data access control
  • Scalability: Support growing numbers of users, organizations, and sharing relationships

Constraints and Assumptions

  • Must integrate with existing ABP Framework infrastructure
  • Should leverage existing multi-tenancy implementation
  • Performance impact should be minimal for common query patterns
  • Solution should work with Entity Framework Core and repository pattern

Considered Options

  1. Simple Ownership Filter: Basic filter based only on entity ownership
  2. Custom Data Filter with Sharing Table: Comprehensive solution with explicit sharing relationships
  3. Repository-Level Manual Filtering: Application-level filtering in each repository method

Decision Outcome

We will implement Option 2: Custom Data Filter with Sharing Table using ABP Framework's data filtering infrastructure.
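The row predicate such a filter has to enforce, shown as an added example (not GMSS or ABP code) using SQLite from Python so it runs offline. The table names, column names, flat organization-unit membership and the rule that a share of any permission level grants visibility are all assumptions; the sample rows are constructed.

```python
import sqlite3

# Hypothetical schema: every table and column name here is an assumption.
SCHEMA = """
CREATE TABLE files (id INTEGER PRIMARY KEY, tenant_id TEXT, owner_id TEXT, name TEXT);
CREATE TABLE shares (file_id INTEGER, tenant_id TEXT, user_id TEXT,
                     org_unit_id TEXT, permission TEXT);  -- Read / Write / Share
CREATE TABLE user_org_units (user_id TEXT, org_unit_id TEXT);
"""

# Tenant boundary AND (owner OR shared to the user OR shared to one of the user's OUs).
# Assumption: a share row of any permission level makes the file visible.
VISIBLE = """
SELECT f.name FROM files f
WHERE f.tenant_id = :tenant
  AND (f.owner_id = :user
       OR EXISTS (SELECT 1 FROM shares s
                  WHERE s.file_id = f.id
                    AND s.tenant_id = f.tenant_id  -- a share never crosses tenants
                    AND (s.user_id = :user
                         OR s.org_unit_id IN (SELECT org_unit_id FROM user_org_units
                                              WHERE user_id = :user))))
ORDER BY f.name
"""

def build_db():
    """In-memory database with constructed sample rows."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    db.executemany("INSERT INTO files VALUES (?,?,?,?)", [
        (1, "t1", "alice", "load-flow.csv"),
        (2, "t1", "alice", "topology.json"),
        (3, "t1", "alice", "forecast.csv"),
        (4, "t2", "dave", "t2-model.json"),
        (5, "t1", "carol", "private.txt"),
    ])
    db.executemany("INSERT INTO shares VALUES (?,?,?,?,?)", [
        (2, "t1", "bob", None, "Read"),        # direct user share
        (3, "t1", None, "grid-ops", "Write"),  # organization-unit share
        (1, "t2", "dave", None, "Read"),       # malformed cross-tenant row
    ])
    db.execute("INSERT INTO user_org_units VALUES ('bob', 'grid-ops')")
    return db

def visible_files(db, tenant, user):
    """Names of the files the row-level predicate exposes to `user` in `tenant`."""
    rows = db.execute(VISIBLE, {"tenant": tenant, "user": user})
    return [name for (name,) in rows]
```

The malformed share row for `dave` is there to show that the tenant check on the sharing table, not only on the file, keeps a stray grant from exposing another tenant's file.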

Consequences

Benefits:

  • Enhanced Security: Automatic row-level security applied to all queries
  • Collaboration Enablement: Flexible sharing across users and organization units
  • Framework Alignment: Native integration with ABP Framework patterns
  • Performance: Database-level filtering reduces data transfer
  • Auditability: Explicit sharing records provide audit trail

Negative:

  • Complexity: Additional infrastructure and database tables required
  • Performance Overhead: JOIN operations on sharing table may impact query performance

More Information

Trade-offs

  • Complexity vs. Security: Accepted complexity for enterprise-grade security
  • Performance vs. Features: Minimal performance impact for essential sharing features
  • Development Time vs. Long-term Maintainability: Investment in robust infrastructure

Compliance

  • Data Isolation: Users can only access authorized entities
  • Audit Trail: All sharing relationships are recorded and traceable
  • Permission Granularity: Support for different permission levels (Read/Write/Share)

Technical Requirements

  • ABP Framework Compatibility: Integrates with existing ABP infrastructure
  • Entity Framework Core: Works with EF Core query translation
  • Multi-tenancy: Respects tenant boundaries in filtering
  • Performance: Meets performance benchmarks for common operations

Business Requirements

  • Collaboration: Enables secure file and directory sharing
  • Organization Structure: Supports hierarchical organization unit sharing
  • User Experience: Transparent security without complicating user workflows

Notes

Dependencies

  • ABP Framework 8.0+
  • Entity Framework Core 8.0
  • Existing multi-tenancy infrastructure

Testing Strategy

  • Unit tests for sharing logic and filter expressions
  • Integration tests for EF Core query translation
  • Performance tests with large datasets
  • Security penetration testing
