Security and Authorization

Radzen provides security support out of the box. It relies on ASP.NET Core Identity and needs an MS SQL Server, MySQL or PostgreSQL data source to be configured in order to persist the users and roles.

The built-in security support provides the following features:

  • Login and registration of new users.
  • Optional email confirmation during user registration.
  • Ability to define custom user roles.
  • Specify the level of access for pages - everybody, authenticated users or members of a role.
  • Adding custom properties to the user entity.


Enable security

To enable security in Radzen follow these steps.

  1. Click the security link at the top right corner (next to data).
  2. Select Default from the providers dropdown.
  3. Check the Auto generate pages for user and role management if you want Radzen to create login, register, user and role management pages.
  4. Pick an existing MS SQL Server, MySQL or PostgreSQL data source from the available list. You will have to add at least one in order to use the security feature of Radzen.
  5. Click the Save button.

Specify the access of a page

When security is enabled Radzen lets you specify which users can access a page. A page the current user cannot access does not appear in the application navigation, and if the user enters its URL manually in the browser they see a generated unauthorized page. This setting governs what the Angular client renders; the data a page loads still comes from the server-side API, which should be authorized for the same users (see Server-side API below).

  1. Click the edit button of any page.
  2. Pick the access level from the Access dropdown. The available options are:
    • Everybody - everyone can access this page - anonymous and authenticated users.
    • Authenticated - only users that have logged in can access that page.
    • Roles defined in the application - only members of the specified role(s) can access that page. If the application hasn’t been run or there are no roles defined yet you will only see Everybody and Authenticated.
  3. Click Save

Access rules are combined so that the least restrictive selected option wins: a user is granted access if any of the selected options applies to them. For example, a page configured to be accessible to Everybody and to the Marketing role ends up accessible to all users, including anonymous ones, because the Everybody option already matches them.
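The combination rule above is easy to get wrong when several options are ticked, so here is the rule written out as a pure function over a ClaimsPrincipal. This is an added example, not Radzen's own code: the option names mirror the Access dropdown, and the assumption that the Administrator role is implicitly a member of every role mirrors the client-side security.isInRole() described later on this page.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Claims;

// Added example (not Radzen code): the page access rules as a pure function,
// so the "least restrictive option wins" behaviour can be checked outside the designer.
public static class PageAccessRules
{
    // Assumption: Administrator is implicitly a member of every role,
    // mirroring the client-side security.isInRole() documented on this page.
    public const string AdministratorRole = "Administrator";

    public static bool IsInRole(ClaimsPrincipal user, string role) =>
        user.IsInRole(role) || user.IsInRole(AdministratorRole);

    // everybody / authenticated / roles are the options selected in the Access dropdown.
    // Any satisfied option grants access, so selecting Everybody makes the page public
    // regardless of which roles are also selected.
    public static bool CanAccess(ClaimsPrincipal user, bool everybody, bool authenticated,
                                 IEnumerable<string> roles)
    {
        if (everybody) return true;

        bool isAuthenticated = user.Identity?.IsAuthenticated == true;
        if (!isAuthenticated) return false;      // anonymous users only get Everybody pages

        if (authenticated) return true;
        return roles.Any(role => IsInRole(user, role));
    }

    // Constructed test principals. A non-empty authentication type makes IsAuthenticated true.
    public static ClaimsPrincipal SignedIn(string name, params string[] roles)
    {
        var identity = new ClaimsIdentity("Cookies");
        identity.AddClaim(new Claim(ClaimTypes.Name, name));
        foreach (var role in roles)
            identity.AddClaim(new Claim(ClaimTypes.Role, role));
        return new ClaimsPrincipal(identity);
    }

    public static ClaimsPrincipal Anonymous() => new ClaimsPrincipal(new ClaimsIdentity());

    public static void Main()
    {
        var anonymous = Anonymous();
        var sales = SignedIn("alice", "Sales");
        var admin = SignedIn("bob", AdministratorRole);
        var marketing = new[] { "Marketing" };

        // Everybody + Marketing: the Everybody option wins, even for anonymous users.
        Console.WriteLine($"anonymous, Everybody+Marketing: {CanAccess(anonymous, true, false, marketing)}");

        // Marketing only: Sales is denied, Administrator passes via the implicit membership.
        Console.WriteLine($"sales, Marketing:             {CanAccess(sales, false, false, marketing)}");
        Console.WriteLine($"admin, Marketing:             {CanAccess(admin, false, false, marketing)}");

        // Authenticated + Marketing: any signed-in user, anonymous still denied.
        Console.WriteLine($"sales, Authenticated:         {CanAccess(sales, false, true, marketing)}");
        Console.WriteLine($"anonymous, Authenticated:     {CanAccess(anonymous, false, true, marketing)}");
    }
}
```

The practical consequence is that Everybody should never be left ticked on a page that also lists roles; if the intent is "members of Marketing only", select only that role.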

In-Development security

During development you can use a special account for testing. Log in with admin as both username and password. This account is only available when the ASPNETCORE_ENVIRONMENT environment variable is set to Development. It belongs to all roles defined by the application and therefore has full access. Because availability is tied solely to that variable, never run a deployed instance with ASPNETCORE_ENVIRONMENT set to Development, as that would expose this well-known credential.

After deployment the account is no longer available. Make sure you either allow user registration (enabled by default if you let Radzen generate the security pages) or create at least one user account during development; otherwise nobody will be able to log in to the deployed application.

Adding roles

An authorized user can add roles from the Roles page accessible from the top right-hand application menu.

By default all authenticated (logged-in) users have access to the role management pages. Make sure you restrict access to those pages in production applications: create an Administrator role and allow only members of this role to access the role management pages.

Adding users

A Radzen application starts with no users apart from the development-only special admin account.

By default all authenticated (logged-in) users have access to the user management pages. Make sure you restrict access to those pages in production applications: create an Administrator role and allow only members of this role to access the user management pages.

There are two ways to add users to an application:

  1. By allowing user registration (enabled by default).
  2. Manually adding users from the Users page accessible from the top right-hand menu.

API

Client-side API

When security is enabled Radzen injects the Security Angular service into all pages, where it is available as security in page templates.

Security methods

isAuthenticated(): boolean

Returns true if the user is authenticated; otherwise false.

Example
<div *ngIf="security.isAuthenticated()">
  Only authenticated users will see this.
</div>

isInRole(role: string): boolean

Returns true if the user is a member of the specified role or of the Administrator role; otherwise false.

Example
<div *ngIf="security.isInRole('Sales')">
  Only sales people or administrators will see this.
</div>

Security properties

get name(): string

Returns the name of the authenticated user.

Example
<div *ngIf="security.isAuthenticated()">
  {{ security.name }}
</div>

get profile(): any

Returns the profile object of the authenticated user. Contains all claims associated with the user - name, role and custom ones.

Example
<div *ngIf="security.isAuthenticated()">
  {{ security.profile | json }}
</div>

get roles(): string[]

Returns the roles of the authenticated user.

Example
<div *ngIf="security.isAuthenticated()">
  {{ security.roles | json }}
</div>

Server-side API

Extensibility

See the Extend application user article for details on how to extend the application user.

Access current user server-side

See the Get current user article for details on how to access the current user on the server.

Custom password policy

By default, ASP.NET Core Identity requires that passwords contain an uppercase character, a lowercase character, a digit and a non-alphanumeric character, and be at least six characters long. See the Custom security password policy article for details on how to customize this.
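As an added example (not Radzen's generated code and not the linked article), the following shows how such a policy is changed from the OnConfigureServices partial method that the Startup class exposes, as mentioned under Custom UserStore/RoleStore below. The namespace and the exact partial method signature are assumptions; the IdentityOptions members are standard ASP.NET Core Identity. It replaces the character-class defaults with a length-first policy and adds lockout, which the defaults do not enable for password guessing against the login page.

```csharp
using System;
using Microsoft.AspNetCore.Identity;
using Microsoft.Extensions.DependencyInjection;

// Added example. Assumed: Radzen's generated Startup is a partial class that declares
// partial void OnConfigureServices(IServiceCollection services); the namespace is made up.
namespace MyRadzenApp
{
    public partial class Startup
    {
        partial void OnConfigureServices(IServiceCollection services)
        {
            // IdentityOptions are resolved when UserManager/SignInManager are created,
            // so this Configure call applies to the Identity registration Radzen already made.
            services.Configure<IdentityOptions>(options =>
            {
                // Password rules: the Identity defaults (6 characters, all four character
                // classes) are replaced by a longer minimum; length adds more entropy than
                // forced character classes and is easier for users to satisfy.
                options.Password.RequiredLength = 12;
                options.Password.RequiredUniqueChars = 4;
                options.Password.RequireDigit = false;
                options.Password.RequireLowercase = false;
                options.Password.RequireUppercase = false;
                options.Password.RequireNonAlphanumeric = false;

                // Lockout slows online guessing; it only takes effect when the sign-in
                // code passes lockoutOnFailure: true to PasswordSignInAsync.
                options.Lockout.AllowedForNewUsers = true;
                options.Lockout.MaxFailedAccessAttempts = 5;
                options.Lockout.DefaultLockoutTimeSpan = TimeSpan.FromMinutes(15);

                // One account per e-mail address, so the registration page cannot be used
                // to create duplicates; pair with the email confirmation option when the
                // address is used for password reset.
                options.User.RequireUniqueEmail = true;
            });
        }
    }
}
```

After changing the policy, verify it against the generated register and change-password pages rather than only the login page: a policy that is enforced by UserManager applies to every path that sets a password, but the client-side validation messages on those pages may still describe the old rules.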

Custom UserStore/RoleStore and UserManager

You can write your own custom user store (IUserStore) or role store (IRoleStore) and register them in the OnConfigureServices partial method of the Startup class. See the sample app.

Services authorization

Radzen can connect to external services using the following authorization schemes:

  • OData: HTTP Basic, OAuth, API Key and Azure AD

  • Swagger and Rest: OAuth, API Key

Custom query parameters are supported for both OAuth and Azure AD authorizations.
