Skip to content

NGB v1.2.0

Latest
Latest

Choose a tag to compare

View all tags
@ngbplatform ngbplatform released this 20 Jun 05:07
Immutable release. Only release title and notes can be modified.
v1.2.0
This tag was signed with the committer’s verified signature.
ngbplatform NGB Platform
SSH Key Fingerprint: I3zoAX53yjQwyoi3lVCsT5YuOi8uvX5aPdXG5d/NueU
Verified
Learn about vigilant mode.
24471f0
This commit was created on GitHub.com and signed with GitHub’s verified signature.
GPG key ID: B5690EEEBB952194
Verified
Learn about vigilant mode.

NGB v1.2.0 — User Roles, Permissions, and Keycloak-backed Access Management

NGB v1.2.0 introduces production-oriented user roles, permissions, and access management for NGB Platform.

This release adds an application-level authorization layer on top of Keycloak identity. Keycloak continues to own authentication, SSO sessions, and external user identity, while NGB now owns application roles, permissions, effective access, permission-aware metadata, menu/report filtering, and security audit records.

Highlights

  • Added NGB-managed roles and permissions.
  • Added user management UI for creating, updating, deactivating, and reactivating users.
  • Added backend Keycloak Admin integration for user provisioning and lifecycle operations.
  • Added permission-aware main menu, document metadata, catalog metadata, command palette, reports, report exports, report variants, audit access, and admin surfaces.
  • Added effective access snapshots and access-version invalidation for fast permission checks.
  • Added security audit records for user, role, and permission changes.
  • Added Property Management security defaults and seeded PM roles:
    • PM Administrator
    • PM Accountant
    • PM AR Clerk
    • PM AP Clerk
    • PM Property Manager
    • PM Maintenance Coordinator
    • PM Auditor
    • PM Read Only
  • Added Users and Roles & Permissions pages to the shared UI framework.
  • Added permission matrix, effective access panel, access audit panel, and access-denied UI states.
  • Added backend, frontend, browser, and e2e coverage for the new security feature.
  • Added documentation for Security and Permissions and updated local run instructions.

Backend

  • Added core permission model:
    • resource kinds
    • resource codes
    • action codes
    • permission keys
    • system permissions
  • Added RBAC persistence:
    • platform_roles
    • platform_role_permissions
    • platform_user_roles
    • platform_user_access_versions
    • platform_user_provisioning_operations
  • Added permission snapshot provider and in-memory security cache.
  • Added INgbAccessChecker and backend permission enforcement.
  • Added permission-aware wrappers for documents, catalogs, admin services, audit log access, and reports.
  • Added security APIs for:
    • current access
    • permission definitions
    • users
    • roles
    • effective access
    • user role assignment
    • role permission assignment
  • Added Keycloak Admin client for backend-owned user provisioning.
  • Added normalized email uniqueness guard for platform_users.

Frontend

  • Added Users page.
  • Added User Editor page.
  • Added Roles page.
  • Added Role Editor page.
  • Added Permission Matrix.
  • Added Effective Access panel.
  • Added Access Audit panel.
  • Added Access Denied state.
  • Added permission-aware PM landing behavior.
  • Added permission-aware command palette, sidebar, top bar, metadata lists, registers, and entity audit UI.

Property Management

Property Management is the first vertical solution wired with the new authorization model.

It now includes seeded application roles and permission sets for realistic PM operations across receivables, payables, maintenance, portfolio, reports, accounting, admin tools, and read-only/audit use cases.

Seeded roles include:

  • PM Administrator
  • PM Accountant
  • PM AR Clerk
  • PM AP Clerk
  • PM Property Manager
  • PM Maintenance Coordinator
  • PM Auditor
  • PM Read Only

Security Model

NGB now uses a deny-by-default application authorization model.

Keycloak owns:

  • authentication;
  • SSO sessions;
  • external user identity;
  • enabled/disabled identity-provider users.

NGB owns:

  • application roles;
  • permission assignments;
  • effective access snapshots;
  • access-version invalidation;
  • menu filtering;
  • metadata capabilities;
  • report access;
  • security audit records.

The UI hides or disables unavailable actions, but backend permission checks remain the source of truth.

Documentation

  • Added docs/platform/security-and-permissions.md.
  • Updated local run documentation with Keycloak Admin client configuration.
  • Updated the main README with the new role-based authorization capability.

Upgrade Notes

This release adds new platform security tables and indexes. Run database migrations before starting updated workloads.

For local Property Management development, run:

dotnet run --project NGB.PropertyManagement.Migrator -- \
  --connection "$NGB_PM_CONNECTION" \
  --modules pm \
  --repair

Then seed defaults:

dotnet run --project NGB.PropertyManagement.Migrator -- \
  seed-defaults \
  --connection "$NGB_PM_CONNECTION"

To create, update, deactivate, and reactivate users from the NGB UI, configure the API with Keycloak Admin client settings:

KeycloakAdminClientSettings__BaseUrl
KeycloakAdminClientSettings__Realm
KeycloakAdminClientSettings__ClientId
KeycloakAdminClientSettings__ClientSecret

Do not expose Keycloak Admin credentials to the frontend.

Validation

Recommended validation before deployment:

dotnet build NGB.sln
dotnet test NGB.sln

cd ui
npm install
npm run test:all
npm run build:pm-web
npm run build:trade-web
npm run build:ab-web

Full Changelog

v1.1.1...v1.2.0

What's Changed

Other Changes

Full Changelog: v1.1.1...v1.2.0

Contributors

ngbplatform
Assets 3
Loading