Table of Contents

Class TenantSuperAdminService

Namespace
KadicAuth.Infrastructure.Services
Assembly
KadicAuth.Infrastructure.dll
public sealed class TenantSuperAdminService : ITenantSuperAdminService
Inheritance
object
TenantSuperAdminService
Implements

Constructors

TenantSuperAdminService(ITenantSuperAdminRepository, IMemoryCache, ILogger<TenantSuperAdminService>)

public TenantSuperAdminService(ITenantSuperAdminRepository repository, IMemoryCache cache, ILogger<TenantSuperAdminService> logger)

Parameters

repository ITenantSuperAdminRepository
cache IMemoryCache
logger ILogger<TenantSuperAdminService>

Methods

GrantAsync(Guid, Guid, Guid, string, CancellationToken)

Grants (or re-grants) tenant-super-admin status to targetUserId within tenantId. Writes an audit log entry in the same unit of work. Invalidates the cache entry for the target user so subsequent IsTenantSuperAdminAsync(Guid, Guid, CancellationToken) calls see the change immediately.

public Task GrantAsync(Guid targetUserId, Guid tenantId, Guid actorUserId, string reason, CancellationToken cancellationToken = default)

Parameters

targetUserId Guid
tenantId Guid
actorUserId Guid
reason string
cancellationToken CancellationToken

Returns

Task

IsTenantSuperAdminAsync(Guid, Guid, CancellationToken)

Short-cached DB check. Hot path for the permission handler — invoked on every request by a user carrying the tenant_super_admin JWT claim. Cache duration is intentionally short (seconds, not minutes) so that a revoked tenant super admin loses their privileges quickly.

public Task<bool> IsTenantSuperAdminAsync(Guid userId, Guid tenantId, CancellationToken cancellationToken = default)

Parameters

userId Guid
tenantId Guid
cancellationToken CancellationToken

Returns

Task<bool>

ListAsync(Guid, CancellationToken)

public Task<IReadOnlyList<TenantSuperAdminDto>> ListAsync(Guid tenantId, CancellationToken cancellationToken = default)

Parameters

tenantId Guid
cancellationToken CancellationToken

Returns

Task<IReadOnlyList<TenantSuperAdminDto>>

RevokeAsync(Guid, Guid, Guid, string, CancellationToken)

Revokes tenant-super-admin status. Fails (business rule) if the target is the last active super admin in the tenant, to prevent lockout.

public Task RevokeAsync(Guid targetUserId, Guid tenantId, Guid actorUserId, string reason, CancellationToken cancellationToken = default)

Parameters

targetUserId Guid
tenantId Guid
actorUserId Guid
reason string
cancellationToken CancellationToken

Returns

Task