Tracking Permission Changes for a Role in AbpAuditLogs - AbpEntityChanges #22313

Open
1 task done
alihdev opened this issue Mar 9, 2025 · 1 comment

Comments

@alihdev
Contributor

alihdev commented Mar 9, 2025

Is there an existing issue for this?

  • I have searched the existing issues

Description

Each time a permission is modified, the AbpPermissionGrants table is affected.

  • If we assign a new permission (e.g., permission X) to the VisitorRole, a new row is added to the AbpPermissionGrants table with Id: X.
  • This change is logged in AbpEntityChanges with EntityId: X.
  • If we later revoke permission X, the corresponding entry (Id: X) is removed from AbpPermissionGrants.
  • A new log entry is added to AbpEntityChanges, recording that EntityId: X was removed from AbpPermissionGrants.

Everything works correctly. However, the issue arises when we try to retrieve all permission changes for the VisitorRole.

❌ Problem

Since EntityId: X is removed from AbpPermissionGrants, it only exists in the AbpEntityChanges table.
We need a way to track all permission changes, including removals, for a specific role.

Reproduction Steps

🔄 Steps to Reproduce

  1. ✅ Assign a permission to VisitorRole.
  2. 📌 Observe the new entry in AbpPermissionGrants and its corresponding log in AbpEntityChanges.
  3. ❌ Remove the same permission.
  4. 🗑️ The entry is deleted from AbpPermissionGrants, but a new log is recorded in AbpEntityChanges.
  5. ❓ Attempt to retrieve all permission changes for VisitorRole.

Expected Behavior

Retrieve the ID of the removed permissions so we can track their changes in the audit log.

Actual Behavior

The ID of the removed permission is not retrievable because it is hard deleted.

Regression?

This issue occurs because permissions are hard deleted from the AbpPermissionGrants table when removed.
If permissions were soft deleted, we could still retrieve their IDs and track changes in the audit log.

Known Workarounds

💡 How We Think to Resolve This Issue

Instead of hard deleting the removed permissions from AbpPermissionGrants, we can mark them as soft deleted.

  • This will allow us to keep a record of the removed permission while still tracking active permissions.
  • When retrieving permission changes for a role, we can query both active and soft-deleted records.
  • The Audit Log can then be used to get the exact history of when and how a permission was granted or revoked.

or

One possible workaround is to save all IDs of granted permissions on each update.
You could store these IDs in a separate property of the role or as extra properties within the role itself.
This way, you could retrieve these IDs later to get the corresponding logs, even after permissions have been removed from AbpPermissionGrants.
This approach may result in a large extra properties field if the number of permissions is substantial.

Version

8

User Interface

MVC

Database Provider

EF Core (Default)

Tiered or separate authentication server

Separate Auth Server

Operation System

Windows (Default)

Other information

We are using (api/permission-management/permissions) to change permissions for roles

@alihdev alihdev added the bug label Mar 9, 2025
@alihdev alihdev changed the title from "Tracking Permission Changes for a Role in ABP Framework - AuditLog" to "Tracking Permission Changes for a Role in AbpAuditLogs - AbpEntityChanges" Mar 9, 2025
@maliming
Member

Hi

Based on the data below, I think you can know what permissions of a role are changed.

Image
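
An added example (not part of the original thread and not ABP's own code): it rebuilds a role's grant and revoke history from the audit tables alone, matching on the audited ProviderKey instead of the deleted grant Id. The column subset, the entity type name, the ChangeType values, the "R" role provider code, JSON-quoted property values and the presence of property rows on deletes are assumptions to check against your own database; the sample rows and the Demo.Reports.View permission name are constructed.

```python
import json
import sqlite3

# Assumed subset of the ABP audit tables; property values assumed JSON-serialized.
SCHEMA = """
CREATE TABLE AbpEntityChanges (Id TEXT PRIMARY KEY, ChangeTime TEXT,
    ChangeType INTEGER, EntityId TEXT, EntityTypeFullName TEXT);
CREATE TABLE AbpEntityPropertyChanges (EntityChangeId TEXT, PropertyName TEXT,
    OriginalValue TEXT, NewValue TEXT);
"""
GRANT_TYPE = "Volo.Abp.PermissionManagement.PermissionGrant"  # assumed type name
CHANGE_TYPES = {0: "Created", 1: "Updated", 2: "Deleted"}  # assumed enum values

def prop(name):  # creates carry the value in NewValue, deletes in OriginalValue (assumed)
    return f"MAX(CASE WHEN p.PropertyName='{name}' THEN COALESCE(p.NewValue, p.OriginalValue) END)"

# Match on the audited ProviderName/ProviderKey instead of the grant Id, so a
# revoked grant is still found after its AbpPermissionGrants row is deleted.
QUERY = f"""
SELECT c.ChangeTime, c.ChangeType, c.EntityId, {prop('Name')}
FROM AbpEntityChanges c
JOIN AbpEntityPropertyChanges p ON p.EntityChangeId = c.Id
WHERE c.EntityTypeFullName = :grant_type
GROUP BY c.Id, c.ChangeTime, c.ChangeType, c.EntityId
HAVING {prop('ProviderName')} = :provider AND {prop('ProviderKey')} = :role
ORDER BY c.ChangeTime, c.Id
"""

def role_permission_history(db, role, provider="R"):
    args = {"grant_type": GRANT_TYPE, "provider": json.dumps(provider), "role": json.dumps(role)}
    return [(when, CHANGE_TYPES[kind], grant_id, json.loads(perm) if perm else None)
            for when, kind, grant_id, perm in db.execute(QUERY, args)]

def build_sample_db():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    events = [  # constructed rows: change id, time, type, grant id, permission, role
        ("c1", "2025-03-09T10:00:00", 0, "g1", "Demo.Reports.View", "VisitorRole"),
        ("c2", "2025-03-09T10:05:00", 0, "g2", "Demo.Reports.View", "admin"),
        ("c3", "2025-03-09T11:00:00", 2, "g1", "Demo.Reports.View", "VisitorRole"),
    ]
    for cid, when, kind, gid, perm, role in events:
        db.execute("INSERT INTO AbpEntityChanges VALUES (?,?,?,?,?)",
                   (cid, when, kind, gid, GRANT_TYPE))
        for name, val in (("Name", perm), ("ProviderName", "R"), ("ProviderKey", role)):
            old, new = (json.dumps(val), None) if kind == 2 else (None, json.dumps(val))
            db.execute("INSERT INTO AbpEntityPropertyChanges VALUES (?,?,?,?)",
                       (cid, name, old, new))
    return db
```
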
