BitzOrcas implements identity and access management through a role-based access control (RBAC) model backed by CSV seed data. Unlike traditional ASP.NET Identity approaches, BitzOrcas uses a lightweight custom identity system integrated with SqlSugar.

Permission model

PlatformTenant
       │
       ▼
   RoleType (Admin, Operator, EndUser, etc.)
       │
       ▼
   SysRole
       │
       ▼
SysRoleModulePermission (Role + Module + Permission → CRUD matrix)
       │
       ▼
SysModule → SysPermission

Core entities

Entity	Table	Purpose
`PlatformTenantEntity`	`platform_tenant`	Tenant registration (name, status, config)
`SysRoleEntity`	`sys_role`	Role definitions per tenant
`SysRoleTypeEntity`	`sys_role_type`	Role type catalog (Admin, Operator, etc.)
`SysModuleEntity`	`sys_module`	Permission module catalog
`SysPermissionEntity`	`sys_permission`	Individual permission definitions
`SysRoleModulePermissionEntity`	`sys_role_module_permission`	Role-permission mapping

Authorization decision service

BitzOrcas implements a multi-strategy authorization pipeline:

services.AddSingleton<IAuthorizationPolicyEvaluator, RbacPolicyEvaluator>();
services.AddSingleton<IAuthorizationPolicyEvaluator, AppScopePolicyEvaluator>();
services.AddSingleton<IAuthorizationPolicyEvaluator, AbacPolicyEvaluator>();
services.AddSingleton<IAuthorizationPolicyEvaluator, ReBacPolicyEvaluator>();
services.AddScoped<IAuthorizationDecisionService, AuthorizationDecisionService>();

Evaluator	Strategy	Description
`RbacPolicyEvaluator`	Role-Based	Permission checking via role assignments
`AppScopePolicyEvaluator`	Application Scope	Cross-tenant application-level permissions
`AbacPolicyEvaluator`	Attribute-Based	Context-aware policy evaluation
`ReBacPolicyEvaluator`	Relationship-Based	Relationship-graph based access

Seed data

Identity data is seeded from CSV files during --init-schema --seed-demo:

Seeders/Assets/Identity/
├── platform_tenant.csv      → Default tenant registrations
├── sys_role.csv             → Role definitions
├── sys_role_type.csv        → Role type catalog
├── sys_module.csv           → Permission module catalog
├── sys_permission.csv        → Permission definitions
└── sys_role_module_permission.csv → Role-permission mappings

Each CSV uses SqlSugar’s Storageable upsert — safe to re-run.

Authentication schemes

Identity integrates with three authentication schemes (see Authentication):

Scheme	Caller type	Identity source
JWT Bearer	User Caller	`user_id`, `tenant_id`, `roles` claims
HMAC	Application Caller	`client_id` with `TenantId`
API Key	Application Caller	`client_id` with `TenantId`, `Scopes`

Current user

The ICurrentUser interface provides identity information throughout the application:

// Populated from JWT claims by HttpContextCurrentUser
UserId → Guid
TenantId → string
UserName → string
Roles → IEnumerable<string>

Impersonation (Delegation)

BitzOrcas supports operator impersonation through the Delegation subsystem:

DelegationTokenService — generates impersonation tokens
DelegationGrantEntity — stores grant records
DelegationTokenMiddleware — validates delegation tokens in request pipeline
Grants have configurable TTL and scope restrictions

Data scope resolver

public interface IDataScopeResolver
{
    DataScope Resolve(ICurrentUser user, string resourceTenantId);
}

public enum DataScope
{
    Own,        // Own data only
    Tenant,     // All data in tenant
    CrossTenant // Cross-tenant (admin/superuser)
}

Identity module