Class TenantSuperAdminController

Namespace
KadicAuth.Api.Controllers
Assembly
KadicAuth.Api.dll

Tenant-super-admin membership administration.

  • Gated by AUTH_MANAGE_TENANT_SUPER_ADMINS permission policy at the class level — only existing tenant super admins (or platform admins) can call these endpoints.
  • Does not use the normal role assignment flow. Tenant super admins are a parallel, first-class concept — on purpose.
  • Grants and revokes are audited inside ITenantSuperAdminService.
[ApiController]
[Authorize]
[Route("api/TenantSuperAdmins")]
[Produces("application/json", new string[] { })]
[Authorize(Policy = "AUTH_MANAGE_TENANT_SUPER_ADMINS")]
public sealed class TenantSuperAdminController : ControllerBase
Inheritance
object
ControllerBase
TenantSuperAdminController

Constructors

TenantSuperAdminController(ITenantSuperAdminService, ICurrentUser, ILogger<TenantSuperAdminController>)

public TenantSuperAdminController(ITenantSuperAdminService service, ICurrentUser currentUser, ILogger<TenantSuperAdminController> logger)

Parameters

service ITenantSuperAdminService
currentUser ICurrentUser
logger ILogger<TenantSuperAdminController>

Methods

Grant(GrantTenantSuperAdminRequest, CancellationToken)

Grants tenant-super-admin status to a target user within the caller's tenant. Idempotent: calling twice on an already-active user is a no-op. Calling on a previously-revoked user re-activates them and writes a ReGranted audit entry.

[HttpPost("grant")]
public Task<IActionResult> Grant(GrantTenantSuperAdminRequest request, CancellationToken cancellationToken)

Parameters

request GrantTenantSuperAdminRequest
cancellationToken CancellationToken

Returns

Task<IActionResult>

List(CancellationToken)

Returns all tenant super admins for the caller's tenant, active first, most recent grants first.

[HttpGet]
public Task<ActionResult<IReadOnlyList<TenantSuperAdminDto>>> List(CancellationToken cancellationToken)

Parameters

cancellationToken CancellationToken

Returns

Task<ActionResult<IReadOnlyList<TenantSuperAdminDto>>>

Revoke(RevokeTenantSuperAdminRequest, CancellationToken)

Revokes tenant-super-admin status. Fails with 409 Conflict if the target is the last active super admin in the tenant (lockout guard).

[HttpPost("revoke")]
public Task<IActionResult> Revoke(RevokeTenantSuperAdminRequest request, CancellationToken cancellationToken)

Parameters

request RevokeTenantSuperAdminRequest
cancellationToken CancellationToken

Returns

Task<IActionResult>
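
The Grant and Revoke rules described above (idempotent grant, ReGranted audit entry on re-activation, 409 lockout guard), as an added in-memory sketch that is not KadicAuth's own code. Every type and member name in it is hypothetical, the NotFound outcome for a non-active target is an assumption, and the single lock stands in for whatever transaction the real service uses to keep the "last active admin" check and the write atomic.

```csharp
// Added illustration: in-memory model of the documented grant/revoke rules.
// All names are hypothetical; this is not the ITenantSuperAdminService implementation.
using System;
using System.Collections.Generic;
using System.Linq;

var m = new TenantSuperAdminModel();
Console.WriteLine(string.Join(", ", new[] {
    m.Grant("t1", "root", "alice"), m.Grant("t1", "root", "alice"), m.Revoke("t1", "root", "alice"),
    m.Grant("t1", "alice", "bob"), m.Revoke("t1", "bob", "alice"), m.Grant("t1", "bob", "alice") }));
m.Audit.ForEach(Console.WriteLine);

public enum Outcome { Granted, ReGranted, NoOp, Revoked, NotFound, Conflict }

public sealed class TenantSuperAdminModel
{
    private readonly object _gate = new();
    // (tenant, user) -> true when active, false when revoked
    private readonly Dictionary<(string Tenant, string User), bool> _members = new();
    public List<string> Audit { get; } = new();

    public Outcome Grant(string tenant, string actor, string target)
    {
        lock (_gate)
        {
            var known = _members.TryGetValue((tenant, target), out var active);
            if (known && active) return Outcome.NoOp;           // already active: no-op
            _members[(tenant, target)] = true;
            var outcome = known ? Outcome.ReGranted : Outcome.Granted;
            Audit.Add($"{outcome} tenant={tenant} actor={actor} target={target}");
            return outcome;
        }
    }

    public Outcome Revoke(string tenant, string actor, string target)
    {
        lock (_gate) // count and write together so two concurrent revokes cannot both pass the guard
        {
            if (!_members.TryGetValue((tenant, target), out var active) || !active)
                return Outcome.NotFound;                        // assumption: page does not specify this case
            var activeCount = _members.Count(e => e.Key.Tenant == tenant && e.Value);
            if (activeCount <= 1) return Outcome.Conflict;      // lockout guard, surfaced as 409 Conflict
            _members[(tenant, target)] = false;
            Audit.Add($"Revoked tenant={tenant} actor={actor} target={target}");
            return Outcome.Revoked;
        }
    }
}
```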