Table of Contents

Interface ITenantSuperAdminService

Namespace
KadicAuth.Application.TenantSuperAdmins.Abstractions
Assembly
KadicAuth.Application.dll

Application-level entry point for tenant-super-admin membership. Handlers and the controller depend on this, not directly on the repository, so the service can layer caching, audit-log coordination and business rules (e.g. last-admin protection) in one place.

public interface ITenantSuperAdminService

Methods

GrantAsync(Guid, Guid, Guid, string, CancellationToken)

Grants (or re-grants) tenant-super-admin status to targetUserId within tenantId. Writes an audit log entry in the same unit of work. Invalidates the cache entry for the target user so subsequent IsTenantSuperAdminAsync(Guid, Guid, CancellationToken) calls see the change immediately.

Task GrantAsync(Guid targetUserId, Guid tenantId, Guid actorUserId, string reason, CancellationToken cancellationToken = default)

Parameters

targetUserId Guid
tenantId Guid
actorUserId Guid
reason string
cancellationToken CancellationToken

Returns

Task

IsTenantSuperAdminAsync(Guid, Guid, CancellationToken)

Short-cached DB check. Hot path for the permission handler — invoked on every request by a user carrying the tenant_super_admin JWT claim. Cache duration is intentionally short (seconds, not minutes) so that a revoked tenant super admin loses their privileges quickly.

Task<bool> IsTenantSuperAdminAsync(Guid userId, Guid tenantId, CancellationToken cancellationToken = default)

Parameters

userId Guid
tenantId Guid
cancellationToken CancellationToken

Returns

Task<bool>

ListAsync(Guid, CancellationToken)

Task<IReadOnlyList<TenantSuperAdminDto>> ListAsync(Guid tenantId, CancellationToken cancellationToken = default)

Parameters

tenantId Guid
cancellationToken CancellationToken

Returns

Task<IReadOnlyList<TenantSuperAdminDto>>

RevokeAsync(Guid, Guid, Guid, string, CancellationToken)

Revokes tenant-super-admin status. Fails (business rule) if the target is the last active super admin in the tenant, to prevent lockout.

Task RevokeAsync(Guid targetUserId, Guid tenantId, Guid actorUserId, string reason, CancellationToken cancellationToken = default)

Parameters

targetUserId Guid
tenantId Guid
actorUserId Guid
reason string
cancellationToken CancellationToken

Returns

Task