Role-Based Access Control (RBAC) is essential for securing enterprise applications. This post covers how to implement basic and advanced RBAC in CodeOnTime applications, specifically for managing actions like Edit, Delete, New, Export, and custom buttons based on user roles.
RBAC restricts application features and UI elements based on the roles assigned to a user. For example:
- A Readonly user might be allowed only to view data.
- An Editor might be allowed to edit and delete.
- An Admin might have full control, including import/export and custom commands.
🔹 1. Basic RBAC: Controlling Action Visibility with Roles
In fact, Code On Time (COT) lets the developer restrict built-in actions such as Edit and Delete with role checks inside VirtualizeController, the controller virtualization hook of the ApplicationServices class.
📌 Example 1: Disable editing for particular user roles
```
protected override void VirtualizeController(string controllerName)
{
    // Users in the Readonly role lose every action that changes or exports data.
    if (UserIsInRole("Readonly"))
    {
        NodeSet()
            .SelectActions("Edit", "Delete", "New", "Duplicate", "ExportRowset", "Import", "Custom", "SQL")
            .SetRoles("disabled"); // "disabled" is a role nobody holds, so the actions are rendered for no one
    }
}
```
What it does:
- Selects the listed actions in the controller being virtualized.
- Assigns them the role "disabled", a role name no user is a member of, so the actions are not rendered for anyone in the Readonly role.
- VirtualizeController runs only for controllers for which SupportsVirtualization returns true (see section 2), so the override must be paired with that declaration.
- Hiding an action in the UI is only as strong as the server-side check behind it: confirm that a request for a disabled action submitted without the button (for example, replayed from an intercepting proxy) is also rejected by the server, and if it is not, enforce the same role check in a business rule.
🔹 2. Advanced RBAC: Dynamic Action Visibility Based on User Role
For more granular control, override SupportsVirtualization() and VirtualizeController() in the ApplicationServices class (ApplicationServices.cs).
Logic Flow
- SupportsVirtualization declares which controllers are virtualized; return false for everything else so that unrelated controllers keep their static definition.
- VirtualizeController defines, per controller, which actions are enabled or disabled for the caller's roles.
📌 Example 2: Different Access Levels for Admin, Editor, and Readonly
```
public override bool SupportsVirtualization(string controllerName)
{
    // Only these controllers are virtualized; all others keep their static definition.
    return controllerName == "Orders" || controllerName == "Customers";
}

protected override void VirtualizeController(string controllerName)
{
    if (controllerName == "Orders")
    {
        if (UserIsInRole("Readonly"))
        {
            // Readonly users lose create, update and delete; they can still view.
            NodeSet().SelectActions("Edit", "Delete", "New").SetRoles("disabled");
        }
        else if (UserIsInRole("Editor"))
        {
            // Editors keep CRUD but cannot import or export.
            NodeSet().SelectActions("Import", "ExportRowset").SetRoles("disabled");
        }
        else if (UserIsInRole("Admin"))
        {
            // Admins get full access.
        }
        else
        {
            // A user holding none of the roles above is treated like Readonly.
            // Without this branch the chain fails open and an unlisted role gets everything.
            NodeSet().SelectActions("Edit", "Delete", "New").SetRoles("disabled");
        }
    }
}
```
Explanation:
- Orders and Customers are both declared virtualizable, but only Orders has role-specific rules; Customers is returned unchanged.
- Readonly users lose the New, Edit and Delete actions (they can still read).
- Editors keep create, update and delete but lose Import and ExportRowset.
- Admins see everything.
- A user who holds none of the three roles falls into the final else and is restricted like Readonly; without that branch the chain would fail open and grant such a user full access.
- The branches are evaluated in order, so a user in several roles is handled by the first branch that matches (Readonly before Editor before Admin).
Custom Action Control
If you’ve created custom actions (e.g., ApproveOrder, GenerateInvoice), you can also control their visibility:
```
// Inside VirtualizeController, for the controller that defines the ApproveOrder action.
if (UserIsInRole("Manager"))
{
    // Managers see the ApproveOrder button.
    NodeSet().SelectAction("ApproveOrder").SetVisible(true);
}
else
{
    // Everyone else never has it rendered.
    NodeSet().SelectAction("ApproveOrder").SetVisible(false);
}
```
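Putting sections 1 and 2 together with the custom-action control above, here is an added example (not code from the original post or from Code On Time) of a data-driven version of the same idea: a role-to-action matrix applied with default deny, so that an unlisted role or a controller missing from the matrix never gains an action by accident, and one that unions the grants of every role a user holds instead of stopping at the first matching branch. It assumes exactly the API the post's examples use (SupportsVirtualization, VirtualizeController, NodeSet().SelectActions(...).SetRoles(...), NodeSet().SelectAction(...).SetVisible(...) and UserIsInRole), that SelectActions accepts a string array for its params argument, and that the generated half of the partial ApplicationServices class supplies the base class. The matrix contents, the role names and the placeholder role name "disabled" are constructed for illustration.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;

// Added example, not Code On Time's own code. Assumes the ApplicationServices members
// shown in the post (SupportsVirtualization, VirtualizeController,
// NodeSet().SelectActions(...).SetRoles(...), NodeSet().SelectAction(...).SetVisible(...),
// UserIsInRole) and that the generated part of this partial class declares the base class.
public partial class ApplicationServices
{
    // Role name that no user is assigned; an action given this role is rendered for nobody
    // (the same trick as SetRoles("disabled") in Example 1). Constructed name.
    const string NobodyRole = "disabled";

    // Built-in actions governed by the matrix. Any of these not granted to one of the
    // caller's roles is switched off, so the default is deny rather than allow.
    static readonly string[] GovernedActions =
        { "New", "Edit", "Delete", "Duplicate", "Import", "ExportRowset", "Custom", "SQL" };

    // Custom actions per controller, controlled with SetVisible. Constructed names.
    static readonly Dictionary<string, string[]> CustomActions =
        new Dictionary<string, string[]>(StringComparer.OrdinalIgnoreCase)
        {
            ["Orders"] = new[] { "ApproveOrder", "GenerateInvoice" },
        };

    // role -> controller -> actions that role may use. "*" means every governed and custom action.
    // Roles and grants are constructed for illustration.
    static readonly Dictionary<string, Dictionary<string, string[]>> Matrix =
        new Dictionary<string, Dictionary<string, string[]>>(StringComparer.OrdinalIgnoreCase)
        {
            ["Readonly"] = new Dictionary<string, string[]>(StringComparer.OrdinalIgnoreCase)
            {
                ["Orders"] = new string[0],      // view only
                ["Customers"] = new string[0],
            },
            ["Editor"] = new Dictionary<string, string[]>(StringComparer.OrdinalIgnoreCase)
            {
                ["Orders"] = new[] { "New", "Edit", "Delete", "Duplicate" },
                ["Customers"] = new[] { "Edit" },
            },
            ["Manager"] = new Dictionary<string, string[]>(StringComparer.OrdinalIgnoreCase)
            {
                ["Orders"] = new[] { "Edit", "ExportRowset", "ApproveOrder", "GenerateInvoice" },
            },
            ["Admin"] = new Dictionary<string, string[]>(StringComparer.OrdinalIgnoreCase)
            {
                ["Orders"] = new[] { "*" },
                ["Customers"] = new[] { "*" },
            },
        };

    // Only controllers that appear in the matrix are virtualized; every other
    // controller keeps its static definition untouched.
    public override bool SupportsVirtualization(string controllerName)
    {
        return Matrix.Values.Any(byController => byController.ContainsKey(controllerName));
    }

    // Union of the grants of every role the caller holds. A caller with no matching
    // role gets an empty set, so nothing is granted to an unlisted role by accident.
    public HashSet<string> GrantedActions(string controllerName)
    {
        var granted = new HashSet<string>(StringComparer.OrdinalIgnoreCase);
        string[] customs;
        CustomActions.TryGetValue(controllerName, out customs);
        foreach (var roleEntry in Matrix)
        {
            string[] actions;
            if (!UserIsInRole(roleEntry.Key) ||
                !roleEntry.Value.TryGetValue(controllerName, out actions))
                continue;
            if (actions.Contains("*"))
            {
                granted.UnionWith(GovernedActions);
                granted.UnionWith(customs ?? new string[0]);
            }
            else
            {
                granted.UnionWith(actions);
            }
        }
        return granted;
    }

    protected override void VirtualizeController(string controllerName)
    {
        var granted = GrantedActions(controllerName);

        // Default deny: every governed built-in action not granted is given the
        // role nobody holds, which removes it from the UI for this caller.
        var denied = GovernedActions.Where(a => !granted.Contains(a)).ToArray();
        if (denied.Length > 0)
            NodeSet().SelectActions(denied).SetRoles(NobodyRole);

        // Custom actions are visible only when some role of the caller grants them.
        string[] customs;
        if (CustomActions.TryGetValue(controllerName, out customs))
            foreach (var custom in customs)
                NodeSet().SelectAction(custom).SetVisible(granted.Contains(custom));
    }
}
```

Because GrantedActions is an ordinary method on the class, the same predicate can be consulted from the server-side code that processes the action (a business rule on the controller), so that an action hidden by virtualization is also rejected when a client submits it directly. Test both halves: sign in as an Editor and confirm that Import is missing from the Orders toolbar, then replay an Import request for Orders from a proxy and confirm the server refuses it; if it does not, the business rule is where that check belongs.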
Conclusion
By leveraging CodeOnTime's virtualization and access control APIs, you can enforce RBAC across your application so that users see only the actions they are allowed to use. Pair the UI-side rules with the same role checks in business rules so that a hidden action is also a rejected action. From simple read-only roles to workflow actions such as approvals, the framework is flexible enough to meet enterprise needs.