Class Actor
Namespace: Trellis.Authorization
Assembly: Trellis.Authorization.dll
Represents the current authenticated user making the request. Contains identity, permissions, forbidden permissions, and contextual attributes used by authorization behaviors.
public sealed record Actor : IEquatable<Actor>
Inheritance
- Actor
Implements
- IEquatable<Actor>
Remarks
Hydrated during authentication/middleware. Permissions should be pre-flattened from all sources (JWT roles, database groups, organizational hierarchies) before constructing the Actor so that all permission checks remain O(1).
Scoped permissions use the "Permission:Scope" convention (e.g., "Document.Edit:Tenant_A"). Add scoped entries to Permissions and check them with HasPermission(string, string).
All permission and attribute lookups use ordinal (case-sensitive) comparison. Ensure consistent casing when hydrating permissions, forbidden permissions, and attributes.
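The remarks above ask for permissions to be flattened from every source before the Actor is built, and for all sets to agree on ordinal casing. The following is an added example, not code from Trellis: a hydration helper as an authentication middleware might use it. The role map, the group map, the subject id, the deny list and the "mfa" attribute key are constructed sample data; the Actor type is used exactly as documented on this page.

```csharp
using System;
using System.Collections.Frozen;
using System.Collections.Generic;
using System.Linq;
using Trellis.Authorization;

// Hypothetical hydration helper for an authentication middleware (not part of Trellis).
public static class ActorHydration
{
    // Constructed sample: role names as they appear in a JWT "roles" claim, mapped to permissions.
    private static readonly Dictionary<string, string[]> RolePermissions =
        new(StringComparer.Ordinal)
        {
            ["Editor"] = new[] { "Document.Read", "Document.Edit" },
            ["Viewer"] = new[] { "Document.Read" },
        };

    // Constructed sample: database group grants, already in "Permission:Scope" form.
    private static readonly Dictionary<string, string[]> GroupPermissions =
        new(StringComparer.Ordinal)
        {
            ["TenantA-Admins"] = new[] { "Document.Edit:Tenant_A", "Document.Delete:Tenant_A" },
        };

    public static Actor Hydrate(
        string subject,
        IEnumerable<string> jwtRoles,
        IEnumerable<string> dbGroups,
        IEnumerable<string> explicitDenies,
        IReadOnlyDictionary<string, string> attributes)
    {
        // Flatten every source once, up front, so each Actor lookup stays a single set probe.
        var granted = new HashSet<string>(StringComparer.Ordinal);
        foreach (var role in jwtRoles)
            if (RolePermissions.TryGetValue(role, out var perms)) granted.UnionWith(perms);
        foreach (var group in dbGroups)
            if (GroupPermissions.TryGetValue(group, out var perms)) granted.UnionWith(perms);

        // Build both sets with an ordinal comparer so their Contains semantics match the
        // Actor's documented case-sensitive lookups; a case-insensitive set here would
        // silently widen what the Actor grants.
        return new Actor(
            subject,
            granted.ToFrozenSet(StringComparer.Ordinal),
            explicitDenies.ToFrozenSet(StringComparer.Ordinal),
            attributes);
    }

    public static void Main()
    {
        // Constructed attribute; real code should use the ActorAttributes constant for MFA status.
        var attributes = new Dictionary<string, string>(StringComparer.Ordinal) { ["mfa"] = "true" };

        var actor = Hydrate(
            subject: "user-42",
            jwtRoles: new[] { "Editor" },
            dbGroups: new[] { "TenantA-Admins" },
            explicitDenies: new[] { "Document.Delete:Tenant_A" },   // e.g. a deny from a legal hold
            attributes: attributes);

        Console.WriteLine(actor.HasPermission("Document.Edit"));               // granted via the Editor role
        Console.WriteLine(actor.HasPermission("Document.Edit", "Tenant_A"));   // granted via the group entry
        Console.WriteLine(actor.HasPermission("Document.Delete", "Tenant_A")); // granted, but the explicit deny overrides it
        Console.WriteLine(actor.HasPermission("document.edit"));               // different casing, so a different permission
        Console.WriteLine(actor.GetAttribute("mfa"));
    }
}
```

The comparer passed to ToFrozenSet is the security-relevant detail: the Actor's documented lookups are ordinal, so every set and dictionary handed to the constructor should be built with StringComparer.Ordinal. A set created with a case-insensitive comparer would answer Contains differently from what the remarks promise, and a deny entry with mismatched casing would not override its allow.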
Constructors
Actor(string, IReadOnlySet<string>, IReadOnlySet<string>, IReadOnlyDictionary<string, string>)
Initializes a new Actor and snapshots the supplied authorization state.
public Actor(string id, IReadOnlySet<string> permissions, IReadOnlySet<string> forbiddenPermissions, IReadOnlyDictionary<string, string> attributes)
Parameters
- id (string): The unique identifier of the actor (e.g., user ID from JWT sub claim).
- permissions (IReadOnlySet<string>): The set of permissions granted to the actor. Implementations such as HashSet<T> and FrozenSet<T> provide O(1) lookups.
- forbiddenPermissions (IReadOnlySet<string>): Permissions that are explicitly denied for this actor. A permission present in both permissions and forbiddenPermissions is treated as denied (deny always overrides allow).
- attributes (IReadOnlyDictionary<string, string>): Contextual attributes for attribute-based access control (ABAC). Stores environmental metadata such as IP address, MFA status, risk score, or VPN status. Use ActorAttributes constants for well-known keys.
Fields
PermissionScopeSeparator
The separator used between permission name and scope in scoped permission strings.
public const char PermissionScopeSeparator = ':'
Field Value
- char
Properties
Attributes
Contextual attributes for attribute-based access control (ABAC).
public IReadOnlyDictionary<string, string> Attributes { get; init; }
Property Value
- IReadOnlyDictionary<string, string>
ForbiddenPermissions
Permissions that are explicitly denied for this actor.
public IReadOnlySet<string> ForbiddenPermissions { get; init; }
Property Value
- IReadOnlySet<string>
Id
The unique identifier of the actor (e.g., user ID from JWT sub claim).
public string Id { get; init; }
Property Value
- string
Permissions
The set of permissions granted to the actor.
public IReadOnlySet<string> Permissions { get; init; }
Property Value
- IReadOnlySet<string>
Methods
Create(string, IReadOnlySet<string>)
Creates an Actor with no forbidden permissions and no ABAC attributes. Convenience factory for the common case where only identity and permissions are needed.
public static Actor Create(string id, IReadOnlySet<string> permissions)
Parameters
- id (string): The unique identifier of the actor.
- permissions (IReadOnlySet<string>): The set of permissions granted to the actor.
Returns
- Actor
A new Actor with empty ForbiddenPermissions and Attributes.
GetAttribute(string)
Returns the value of the specified attribute, or null if the attribute does not exist.
public string? GetAttribute(string key)
Parameters
- key (string): The attribute key. Use ActorAttributes constants for well-known keys.
Returns
- string
The attribute value if found; otherwise null.
HasAllPermissions(IEnumerable<string>)
Returns true if this actor has ALL of the specified permissions. Each permission is checked against ForbiddenPermissions (deny-aware).
public bool HasAllPermissions(IEnumerable<string> permissions)
Parameters
- permissions (IEnumerable<string>): The permissions to check.
Returns
- bool
True if the actor has every specified permission and none are forbidden; otherwise false.
HasAnyPermission(IEnumerable<string>)
Returns true if this actor has ANY of the specified permissions. Each permission is checked against ForbiddenPermissions (deny-aware).
public bool HasAnyPermission(IEnumerable<string> permissions)
Parameters
- permissions (IEnumerable<string>): The permissions to check.
Returns
- bool
True if the actor has at least one non-forbidden specified permission; otherwise false.
HasAttribute(string)
Returns true if this actor has the specified attribute.
public bool HasAttribute(string key)
Parameters
- key (string): The attribute key. Use ActorAttributes constants for well-known keys.
Returns
- bool
True if the attribute exists; otherwise false.
HasPermission(string)
Returns true if this actor has the specified permission and it is not forbidden. If the permission exists in both Permissions and ForbiddenPermissions, deny wins and this returns false.
public bool HasPermission(string permission)
Parameters
- permission (string): The permission to check (case-sensitive, ordinal comparison).
Returns
- bool
True if the permission is granted and not explicitly denied; otherwise false.
HasPermission(string, string)
Returns true if this actor has the specified permission within the given scope and it is not forbidden. Uses the "Permission:Scope" convention with PermissionScopeSeparator.
public bool HasPermission(string permission, string scope)
Parameters
- permission (string): The base permission (e.g., "Document.Edit").
- scope (string): The scope qualifier (e.g., "Tenant_A" or a resource ID). Case-sensitive.
Returns
- bool
True if the scoped permission is granted and not explicitly denied; otherwise false.
IsOwner(string)
Returns true if this actor is the owner of the specified resource. Compares the actor's Id against the resource owner ID using ordinal comparison.
public bool IsOwner(string resourceOwnerId)
Parameters
- resourceOwnerId (string): The identifier of the resource owner (e.g., creator ID).
Returns
- bool
True if the actor's ID matches the resource owner ID; otherwise false.
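As an added example, not code from Trellis, the following policy combines the methods documented above: a deny-aware scoped check with an ownership fallback (HasPermission(string, string) and IsOwner), an all-of check whose scoped entry is composed with PermissionScopeSeparator (HasAllPermissions), an any-of check (HasAnyPermission) and an ABAC attribute gate (GetAttribute). The Document record, the DocumentPolicy class, the "mfa" key and the sample actor are constructed; the Actor type is used as documented on this page.

```csharp
using System;
using System.Collections.Generic;
using Trellis.Authorization;

// Hypothetical resource type; not part of Trellis.
public sealed record Document(string Id, string TenantId, string OwnerId);

// Hypothetical policy built on the Actor checks documented above.
public static class DocumentPolicy
{
    // Constructed attribute key; real code should use the ActorAttributes constant for MFA status.
    private const string MfaAttributeKey = "mfa";

    // Edit: either Document.Edit scoped to the document's tenant, or ownership plus the
    // unscoped Document.Edit permission. Both paths stay deny-aware inside the Actor.
    public static bool CanEdit(Actor actor, Document doc) =>
        actor.HasPermission("Document.Edit", doc.TenantId)
        || (actor.IsOwner(doc.OwnerId) && actor.HasPermission("Document.Edit"));

    // Delete: needs Document.Read and a tenant-scoped Document.Delete together, plus a
    // verified MFA attribute. The scoped entry is composed with PermissionScopeSeparator
    // so it is the same string HasPermission(string, string) would look up.
    public static bool CanDelete(Actor actor, Document doc)
    {
        var scopedDelete = "Document.Delete" + Actor.PermissionScopeSeparator + doc.TenantId;
        return actor.HasAllPermissions(new[] { "Document.Read", scopedDelete })
            && actor.GetAttribute(MfaAttributeKey) == "true";
    }

    // Export: any one of several permissions suffices.
    public static bool CanExport(Actor actor) =>
        actor.HasAnyPermission(new[] { "Document.Export", "Document.Admin" });

    public static void Main()
    {
        // Constructed actor: owns one document and holds a scoped delete that is also forbidden.
        var actor = new Actor(
            "user-42",
            new HashSet<string>(StringComparer.Ordinal)
            {
                "Document.Read", "Document.Edit", "Document.Delete:Tenant_A", "Document.Admin"
            },
            new HashSet<string>(StringComparer.Ordinal) { "Document.Delete:Tenant_A" },
            new Dictionary<string, string>(StringComparer.Ordinal) { [MfaAttributeKey] = "true" });

        var owned = new Document("d1", "Tenant_A", OwnerId: "user-42");
        var foreign = new Document("d2", "Tenant_B", OwnerId: "user-7");

        Console.WriteLine(CanEdit(actor, owned));    // no scoped grant for Tenant_A, so the ownership path decides
        Console.WriteLine(CanEdit(actor, foreign));  // neither a scoped grant for Tenant_B nor ownership
        Console.WriteLine(CanDelete(actor, owned));  // Document.Delete:Tenant_A is granted but forbidden, so deny wins
        Console.WriteLine(CanExport(actor));         // Document.Admin satisfies the any-of check
    }
}
```

Keeping every decision inside the Actor's own methods is the point of the example: the policy never reads Permissions or ForbiddenPermissions directly, so the deny-overrides-allow rule and the ordinal comparison apply uniformly to the scoped, all-of and any-of paths alike.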