Permissions

WebCorporativa uses a role-based access control (RBAC) model where permissions are granted at the module + action level, attached to a user profile, and embedded directly in the JWT. The API checks permissions on every protected endpoint without a separate authorization server call.

How permissions work

Assign permissions to a profile

Use the POST /api/PermisoPerfil/guardar-permisos endpoint to grant specific module actions to a profile. Each permission is a combination of a module key and an action name.

Assign the profile to a user

Every user has exactly one profile (perfilId). When the user logs in, the API reads the profile’s permission set.

Permissions are embedded in the JWT

Each granted permission becomes a permiso claim in the issued token. The API never queries the database again to check permissions during a request — everything is in the token.

Endpoint enforces the permission

Protected endpoints call user.TienePermiso("modulo.accion"). If the claim is not present, the endpoint returns 403 Forbidden.

Permission format

Every permission string follows the pattern:

{moduleKey}.{action}

For example:

usuario.agregar — create users
perfil.editar — edit profiles
modulo.eliminar — delete modules

Actions

Five actions are defined for every module:

Action	Meaning
`agregar`	Create a new record
`editar`	Modify an existing record
`eliminar`	Delete a record
`consultar`	List or search records
`detalle`	Retrieve a single record by ID

Administrator bypass

If a user’s profile has BitAdministrador = true, the API injects permission claims for all actions on all modules into the JWT at login time. The esAdmin claim is also set to "true". The permission check short-circuits for admins:

public static bool TienePermiso(this ClaimsPrincipal user, string permiso)
{
    if (user.Claims.Any(c => c.Type == "esAdmin" && c.Value.Equals("true", StringComparison.OrdinalIgnoreCase)))
        return true;

    return user.Claims
        .Where(c => c.Type == "permiso")
        .Any(c => c.Value == permiso);
}

An administrator’s JWT will contain every permiso claim for every registered module. If new modules are added to the system, the administrator must log out and back in to receive updated permissions in a new token.

HTTP responses for authorization failures

Scenario	HTTP status
No token or invalid token	`401 Unauthorized`
Valid token but missing required permission	`403 Forbidden`

A 403 Forbidden response means the user is authenticated but their profile does not grant the required permission. Re-authenticating will not help — the profile itself must be updated via POST /api/PermisoPerfil/guardar-permisos.

Built-in module permissions

The following table lists every permission string for all built-in modules. Custom modules you create follow the same pattern using the Clave field you set when creating them.

Module	agregar	editar	eliminar	consultar	detalle
`modulo`	`modulo.agregar`	`modulo.editar`	`modulo.eliminar`	`modulo.consultar`	`modulo.detalle`
`perfil`	`perfil.agregar`	`perfil.editar`	`perfil.eliminar`	`perfil.consultar`	`perfil.detalle`
`permisosperfil`	`permisosperfil.agregar`	`permisosperfil.editar`	`permisosperfil.eliminar`	`permisosperfil.consultar`	`permisosperfil.detalle`
`usuario`	`usuario.agregar`	`usuario.editar`	`usuario.eliminar`	`usuario.consultar`	`usuario.detalle`
`principal11`	`principal11.agregar`	`principal11.editar`	`principal11.eliminar`	`principal11.consultar`	`principal11.detalle`
`principal12`	`principal12.agregar`	`principal12.editar`	`principal12.eliminar`	`principal12.consultar`	`principal12.detalle`
`principal21`	`principal21.agregar`	`principal21.editar`	`principal21.eliminar`	`principal21.consultar`	`principal21.detalle`
`principal22`	`principal22.agregar`	`principal22.editar`	`principal22.eliminar`	`principal22.consultar`	`principal22.detalle`

Checking permissions in the JWT

You can verify which permissions a token carries by decoding it. A non-admin user token with profile-level access might include:

{
  "esAdmin": "false",
  "permiso": [
    "usuario.consultar",
    "usuario.detalle",
    "perfil.consultar"
  ]
}

An admin token for a system with two modules would include:

{
  "esAdmin": "true",
  "permiso": [
    "modulo.agregar",
    "modulo.editar",
    "modulo.eliminar",
    "modulo.consultar",
    "modulo.detalle",
    "usuario.agregar",
    "usuario.editar"
  ]
}

Use the decoded JWT to debug 403 errors during development. Confirm the required permission string is present in the permiso claims before assuming the endpoint is broken.

JWT structure

How claims are structured and how to decode the token.

Authentication overview

The full login flow, token lifetime, and 401 handling.

Get Started

Authentication

Core Concepts

How permissions work

Permission format

Actions

Administrator bypass

HTTP responses for authorization failures

Built-in module permissions

Checking permissions in the JWT

JWT structure

Authentication overview

Build docs developers (and LLMs) love

Get Started

Authentication

Core Concepts

​How permissions work

​Permission format

​Actions

​Administrator bypass

​HTTP responses for authorization failures

​Built-in module permissions

​Checking permissions in the JWT

​Related pages

JWT structure

Authentication overview

Build docs developers (and LLMs) love

How permissions work

Permission format

Actions

Administrator bypass

HTTP responses for authorization failures

Built-in module permissions

Checking permissions in the JWT

Related pages