NGB Platform

Posted on Jun 23

User Roles & Permissions for Business

#dotnet #postgres #keycloak #opensource

NGB v1.2.0 is now available.

This release adds user roles, permissions, and application-level access management to NGB Platform.

The core idea is simple:

Keycloak handles identity.
NGB handles application access.

Why this matters

Authentication and authorization are not the same thing.

Authentication answers:

Who is this user?

But a business platform also needs to answer:

What is this user allowed to do inside the application?

For simple apps, this can often be hardcoded.

For serious business applications, that does not scale.

Users have different responsibilities.
Different departments need different access.
Some users should only view data.
Some users can create drafts.
Some can post documents.
Some can run reports.
Some can export data.
Some can manage other users and roles.

That is why NGB v1.2.0 adds application-level access management as a platform capability.

Keycloak for identity, NGB for application access

NGB does not try to replace Keycloak.

Keycloak remains responsible for:

authentication
SSO sessions
external user identity
enabled / disabled identity-provider users

NGB is responsible for:

application roles
permission assignments
effective access
permission-aware metadata
menu and report filtering
backend permission checks
security audit records

This separation is intentional.

Keycloak owns identity.
NGB owns business application access.

What was added in v1.2.0

This release adds:

NGB-managed roles and permissions
user management
role assignment
permission definitions
permission matrix
effective access snapshots
access-version invalidation
permission-aware UI surfaces
backend-enforced access checks
Keycloak Admin integration
security audit foundations

The first vertical wired with this model is the NGB Property Management demo.

It includes seeded roles such as:

PM Administrator
PM Accountant
PM AR Clerk
PM AP Clerk
PM Property Manager
PM Maintenance Coordinator
PM Auditor
PM Read Only

These are not just UI labels.

They map to concrete permissions across documents, catalogs, reports, accounting tools, admin pages, audit access, and other platform surfaces.

Effective access

One important part of this release is effective access.

A user can have multiple roles.

NGB combines those roles and shows what the user can actually access.

That makes administration easier because you can answer questions like:

Can this user execute this report?
Can this user export report data?
Can this user manage roles?
Can this user access audit information?
Can this user post a specific document type?

This is especially important for business software, where permissions are not just technical details. They are part of the operating model of the company.

Permission-aware UI, but backend as the source of truth

The UI is now permission-aware.

Menus, document metadata, catalog metadata, reports, command palette entries, admin pages, and actions can be filtered or disabled based on the current user's access.

But the UI is not the security boundary.

Backend checks are still enforced by the runtime.

Hiding a button improves the user experience, but backend authorization is what actually protects the application.

Why this is a platform feature

NGB is a document-driven business application platform.

That means access control cannot be implemented as a one-off feature for one screen or one demo.

Documents, catalogs, reports, accounting tools, operational registers, reference registers, admin pages, and vertical-specific features all need a consistent authorization model.

That is what this release starts to provide.

NGB v1.2.0 is an important foundation for production-oriented vertical business applications where users do not all have the same access.