diff --git a/common-features/src/extensions/Modules/Authorization/BasePermissionService.cs b/common-features/src/extensions/Modules/Authorization/BasePermissionService.cs
new file mode 100644
index 0000000000..666289aeb7
--- /dev/null
+++ b/common-features/src/extensions/Modules/Authorization/BasePermissionService.cs
@@ -0,0 +1,249 @@
+
+namespace Serenity.Extensions;
+
+using Microsoft.Extensions.Caching.Memory;
+using System.Reflection;
+using System.Security.Claims;
+
+/// <summary>
+/// Base permission service that provides common functionality for permission services.
+/// </summary>
+/// <param name="userAccessor">User accessor</param>
+/// <param name="rolePermissions">Role permission service</param>
+/// <param name="httpContextItemsAccessor">HTTP context items accessor</param>
+public abstract class BasePermissionService(
+    IUserAccessor userAccessor,
+    IRolePermissionService rolePermissions,
+    IHttpContextItemsAccessor httpContextItemsAccessor = null) : IPermissionService, ITransientGrantor
+{
+    private readonly IRolePermissionService rolePermissions = rolePermissions ?? throw new ArgumentNullException(nameof(rolePermissions));
+    private readonly IUserAccessor userAccessor = userAccessor ?? throw new ArgumentNullException(nameof(userAccessor));
+    private readonly TransientGrantingPermissionService transientGrantor = new(permissionService: null, httpContextItemsAccessor);
+
+    /// <summary>
+    /// Gets whether the specified permission is a valid permission key.
+    /// By default, a permission key is valid if it is not null or empty.
+    /// </summary>
+    /// <param name="permission">Permission</param>
+    protected virtual bool IsValidKey(string permission)
+    {
+        return !string.IsNullOrEmpty(permission);
+    }
+
+    /// <summary>
+    /// Gets whether the specified permission is an asterisk, e.g. "*" that
+    /// grants permission to all including anonymous users.
+    /// </summary>
+    /// <param name="permission">Permission</param>
+    protected virtual bool IsAsterisk(string permission)
+    {
+        return permission == "*";
+    }
+
+    /// <summary>
+    /// Gets whether the specified permission is a question mark, e.g. "?" that
+    /// grants permission to logged in users.
+    /// </summary>
+    /// <param name="permission">Permission</param>
+    protected virtual bool IsQuestionMark(string permission)
+    {
+        return permission == "?";
+    }
+
+    /// <summary>
+    /// Checks if the transient grantor has the specified permission.
+    /// </summary>
+    /// <param name="permission">Permission</param>
+    protected virtual bool IsTransientlyGranted(string permission)
+    {
+        return transientGrantor.HasPermission(permission);
+    }
+
+    /// <summary>
+    /// Checks if anonymous users have the specified permission.
+    /// By default, they don't have any permission.
+    /// </summary>
+    /// <param name="permission"></param>
+    /// <returns></returns>
+    protected virtual bool AnonymousUsersHavePermission(string permission)
+    {
+        return false;
+    }
+
+    /// <summary>
+    /// Returns true if the provided user has the permission to impersonate as another user.
+    /// Unless overridden, no user have this permission.
+    /// </summary>
+    /// <param name="user">User</param>
+    /// <param name="permission">Permission</param>
+    protected virtual bool HasImpersonationPermission(ClaimsPrincipal user, string permission)
+    {
+        return IsSuperAdmin(user);
+    }
+
+    /// <summary>
+    /// Gets whether the specified permission is an impersonation permission.
+    /// By default, impersonation permissions are permissions that start with "ImpersonateAs".
+    /// </summary>
+    /// <param name="permission"></param>
+    /// <returns></returns>
+    protected virtual bool IsImpersonationPermission(string permission)
+    {
+        return permission.StartsWith("ImpersonateAs", StringComparison.OrdinalIgnoreCase);
+    }
+
+    /// <summary>
+    /// Gets whether the specified user is a super admin.
+    /// </summary>
+    /// <param name="username">Username</param>
+    protected virtual bool IsSuperAdmin(ClaimsPrincipal user)
+    {
+        return false;
+    }
+
+    /// <summary>
+    /// Checks if the super admin has the specified permission.
+    /// By default, super admin has all permissions.
+    /// </summary>
+    /// <param name="username">Username</param>
+    /// <param name="permission">Permission</param>
+    /// <returns></returns>
+    protected virtual bool SuperAdminHasPermission(ClaimsPrincipal user, string permission)
+    {
+        return true;
+    }
+
+    /// <inheritdoc/>
+    public virtual bool HasPermission(string permission)
+    {
+        if (!IsValidKey(permission))
+            return false;
+
+        if (IsAsterisk(permission) || IsTransientlyGranted(permission))
+            return true;
+
+        var isLoggedIn = userAccessor.IsLoggedIn();
+
+        if (IsQuestionMark(permission))
+            return isLoggedIn;
+
+        if (!isLoggedIn)
+            return AnonymousUsersHavePermission(permission);
+
+        var user = userAccessor.User;
+        if (string.IsNullOrEmpty(user?.Identity?.Name))
+            return AnonymousUsersHavePermission(permission);
+
+        if (IsImpersonationPermission(permission))
+            return HasImpersonationPermission(user, permission);
+
+        if (IsSuperAdmin(user) &&
+            SuperAdminHasPermission(user, permission))
+            return true;
+
+        var userPermission = UserHasPermission(user, permission);
+        if (userPermission != null)
+            return userPermission.Value;
+
+        foreach (var role in GetUserRoles(user))
+        {
+            if (rolePermissions.HasPermission(role, permission))
+                return true;
+        }
+
+        return false;
+    }
+
+
+    /// <summary>
+    /// Gets the roles of the specified user.
+    /// </summary>
+    /// <param name="user">User</param>
+    protected abstract IEnumerable<string> GetUserRoles(ClaimsPrincipal user);
+
+    /// <summary>
+    /// Gets if user has the specified permission directly, not via roles.
+    /// Returns null if permission is not granted or denied directly.
+    /// </summary>
+    /// <param name="user">User</param>
+    /// <param name="permission">Permission</param>
+    protected abstract bool? UserHasPermission(ClaimsPrincipal user, string permission);
+
+    /// <summary>
+    /// Gets implicit permissions defined in the application.
+    /// </summary>
+    /// <param name="memoryCache">Memory cache</param>
+    /// <param name="typeSource">Type source</param>
+    /// <returns></returns>
+    public static IDictionary<string, HashSet<string>> GetImplicitPermissions(IMemoryCache memoryCache,
+        ITypeSource typeSource)
+    {
+        ArgumentNullException.ThrowIfNull(memoryCache);
+
+        ArgumentNullException.ThrowIfNull(typeSource);
+
+        return memoryCache.Get<IDictionary<string, HashSet<string>>>("ImplicitPermissions", TimeSpan.Zero, () =>
+        {
+            var result = new Dictionary<string, HashSet<string>>(StringComparer.OrdinalIgnoreCase);
+
+            void addFrom(Type type)
+            {
+                foreach (var member in type.GetFields(BindingFlags.Static | BindingFlags.DeclaredOnly |
+                    BindingFlags.Public | BindingFlags.NonPublic))
+                {
+                    if (member.FieldType != typeof(string))
+                        continue;
+
+                    if (member.GetValue(null) is not string key)
+                        continue;
+
+                    foreach (var attr in member.GetCustomAttributes<ImplicitPermissionAttribute>())
+                    {
+                        if (!result.TryGetValue(key, out HashSet<string> list))
+                        {
+                            list = new HashSet<string>(StringComparer.OrdinalIgnoreCase);
+                            result[key] = list;
+                        }
+
+                        list.Add(attr.Value);
+                    }
+                }
+
+                foreach (var nested in type.GetNestedTypes(BindingFlags.Public | BindingFlags.DeclaredOnly))
+                    addFrom(nested);
+            }
+
+            foreach (var type in typeSource.GetTypesWithAttribute(
+                typeof(NestedPermissionKeysAttribute)))
+            {
+                addFrom(type);
+            }
+
+            return result;
+        });
+    }
+
+    /// <inheritdoc/>
+    public virtual void Grant(params string[] permissions)
+    {
+        transientGrantor.Grant(permissions);
+    }
+
+    /// <inheritdoc/>
+    public virtual void GrantAll()
+    {
+        transientGrantor.GrantAll();
+    }
+
+    /// <inheritdoc/>
+    public virtual void UndoGrant()
+    {
+        transientGrantor.UndoGrant();
+    }
+
+    /// <inheritdoc/>
+    public virtual bool IsAllGranted() => transientGrantor.IsAllGranted();
+
+    /// <inheritdoc/>
+    public virtual IEnumerable<string> GetGranted() => transientGrantor.GetGranted();
+}
\ No newline at end of file
diff --git a/common-features/src/extensions/Modules/Authorization/BasePermissionServiceT.cs b/common-features/src/extensions/Modules/Authorization/BasePermissionServiceT.cs
new file mode 100644
index 0000000000..fbb73e4109
--- /dev/null
+++ b/common-features/src/extensions/Modules/Authorization/BasePermissionServiceT.cs
@@ -0,0 +1,194 @@
+
+using System.Security.Claims;
+
+namespace Serenity.Extensions;
+
+/// <summary>
+/// Base permission service that provides common functionality for permission services.
+/// </summary>
+/// <typeparam name="TUserPermissionRow">User permission row type</typeparam>
+/// <typeparam name="TUserRoleRow">User role row type</typeparam>
+/// <param name="cache">Cache</param>
+/// <param name="sqlConnections">Sql connections</param>
+/// <param name="typeSource">Type source</param>
+/// <param name="userAccessor">User accessor</param>
+/// <param name="rolePermissions">Role permissions</param>
+/// <param name="httpContextItemsAccessor">HTTP context items accessor</param>
+public abstract class BasePermissionService<TUserPermissionRow, TUserRoleRow>(
+    ITwoLevelCache cache,
+    ISqlConnections sqlConnections,
+    ITypeSource typeSource,
+    IUserAccessor userAccessor,
+    IRolePermissionService rolePermissions,
+    IHttpContextItemsAccessor httpContextItemsAccessor = null) :
+    BasePermissionService(userAccessor, rolePermissions, httpContextItemsAccessor)
+    where TUserPermissionRow : class, IUserPermissionRow, new()
+    where TUserRoleRow : class, IUserRoleRow, new()
+{
+    private readonly ITwoLevelCache cache = cache ?? throw new ArgumentNullException(nameof(cache));
+    private readonly ISqlConnections sqlConnections = sqlConnections ?? throw new ArgumentNullException(nameof(sqlConnections));
+
+    /// <inheritdoc/>
+    protected override bool? UserHasPermission(ClaimsPrincipal user, string permission)
+    {
+        return GetUserPermissions(user)?
+            .TryGetValue(permission, out bool grant) == true ? grant : null;
+    }
+
+    /// <summary>
+    /// Gets directly assigned permissions for the specified user.
+    /// </summary>
+    /// <param name="user">User</param>
+    protected virtual IDictionary<string, bool> GetUserPermissions(ClaimsPrincipal user)
+    {
+        if (user == null)
+            return null;
+
+        return GetCachedUserPermissions(user);
+    }
+
+    /// <summary>
+    /// Gets the cache duration for user permissions.
+    /// Default is zero, meaning it will be cached indefinitely, unless
+    /// expired by using the cache group key.
+    /// </summary>
+    protected virtual TimeSpan GetUserPermissionsCacheDuration()
+    {
+        return TimeSpan.Zero;
+    }
+
+    private TUserPermissionRow userPermissionRow;
+
+    /// <summary>
+    /// Gets the cache group key for user permissions.
+    /// </summary>
+    protected virtual string GetUserPermissionsCacheGroupKey()
+    {
+        return (userPermissionRow ??= new()).Fields.GenerationKey;
+    }
+
+    /// <summary>
+    /// Gets the cache key for user permissions.
+    /// </summary>
+    /// <param name="user">User</param>
+    protected virtual string GetUserPermissionsCacheKey(ClaimsPrincipal user)
+    {
+        return "UserPermissions:" + user.GetIdentifier();
+    }
+
+    /// <summary>
+    /// Gets the cached user permissions.
+    /// </summary>
+    /// <param name="user">User</param>
+    protected virtual IDictionary<string, bool> GetCachedUserPermissions(ClaimsPrincipal user)
+    {
+        return cache.GetLocalStoreOnly(GetUserPermissionsCacheKey(user),
+            GetUserPermissionsCacheDuration(), GetUserPermissionsCacheGroupKey(), 
+            () => LoadUserPermissions(user));
+    }
+
+    /// <summary>
+    /// Loads user permissions from database.
+    /// </summary>
+    /// <param name="user">User</param>
+    protected virtual IDictionary<string, bool> LoadUserPermissions(ClaimsPrincipal user)
+    {
+        using var connection = sqlConnections.NewFor<TUserPermissionRow>();
+        var result = new Dictionary<string, bool>(StringComparer.OrdinalIgnoreCase);
+        userPermissionRow ??= new();
+
+        connection.List<TUserPermissionRow>(query =>
+        {
+            var userId = userPermissionRow.UserIdField.ConvertValue(
+                user.GetIdentifier(), CultureInfo.InvariantCulture);
+
+            query.Select(userPermissionRow.PermissionKeyField)
+                .Where(userPermissionRow.UserIdField == new ValueCriteria(userId));
+
+            if (userPermissionRow.GrantedField is not null)
+                query.Select(userPermissionRow.GrantedField);
+        }).ForEach(x => result[x.PermissionKeyField[x]] = x.GrantedField?[x] ?? true);
+
+        var implicitPermissions = GetImplicitPermissions(cache.Memory, typeSource);
+        foreach (var pair in result.ToArray())
+        {
+            if (pair.Value && implicitPermissions.TryGetValue(pair.Key, out var list))
+                foreach (var x in list)
+                    result[x] = true;
+        }
+
+        return result;
+    }
+
+    /// <summary>
+    /// Gets the cache duration for user roles. Default is zero, 
+    /// meaning it will be cached indefinitely, unless expired by using 
+    /// the cache group key.
+    /// </summary>
+    protected virtual TimeSpan GetUserRolesCacheDuration()
+    {
+        return TimeSpan.Zero;
+    }
+
+    private TUserRoleRow userRoleRow;
+
+    /// <summary>
+    /// Gets the cache group key for user roles.
+    /// </summary>
+    protected virtual string GetUserRolesCacheGroupKey()
+    {
+        return (userRoleRow ??= new()).Fields.GenerationKey;
+    }
+
+    /// <summary>
+    /// Gets the cache key for user roles.
+    /// </summary>
+    /// <param name="user">User</param>
+    protected virtual string GetUserRolesCacheKey(ClaimsPrincipal user)
+    {
+        return "UserRoles:" + user;
+    }
+
+    /// <summary>
+    /// Gets the cached user roles.
+    /// </summary>
+    /// <param name="user">User</param>
+    protected virtual IEnumerable<string> GetCachedUserRoles(ClaimsPrincipal user)
+    {
+        return cache.GetLocalStoreOnly(GetUserRolesCacheKey(user),
+            GetUserRolesCacheDuration(), GetUserRolesCacheGroupKey(),
+            () => LoadUserRoles(user));
+    }
+
+    /// <summary>
+    /// Gets the roles of the specified user.
+    /// </summary>
+    /// <param name="user">User</param>
+    protected override IEnumerable<string> GetUserRoles(ClaimsPrincipal user)
+    {
+        if (user == null)
+            return null;
+
+        return GetCachedUserRoles(user);
+    }
+
+    /// <summary>
+    /// Loads user roles from database.
+    /// </summary>
+    /// <param name="user">User</param>
+    protected virtual IEnumerable<string> LoadUserRoles(ClaimsPrincipal user)
+    { 
+        using var connection = sqlConnections.NewFor<TUserRoleRow>();
+        var result = new HashSet<string>();
+        userRoleRow ??= new();
+        var userId = userRoleRow.UserIdField.ConvertValue(user.GetIdentifier(), 
+            CultureInfo.InvariantCulture);
+
+        connection.List<TUserRoleRow>(q => q
+            .Select(userRoleRow.RoleKeyOrNameField)
+            .Where(userRoleRow.UserIdField == new ValueCriteria(userId)))
+                .ForEach(x => result.Add(x.RoleKeyOrNameField[x]));
+
+        return result;
+    }
+}
\ No newline at end of file
diff --git a/common-features/src/extensions/Modules/Authorization/BaseUserRetrieveService.cs b/common-features/src/extensions/Modules/Authorization/BaseUserRetrieveService.cs
index 813106629c..2cbe3352d0 100644
--- a/common-features/src/extensions/Modules/Authorization/BaseUserRetrieveService.cs
+++ b/common-features/src/extensions/Modules/Authorization/BaseUserRetrieveService.cs
@@ -1,9 +1,14 @@
 namespace Serenity.Extensions;
 
+/// <summary>
+/// Base user retrieve service that provides common functionality for user retrieve services.
+/// </summary>
+/// <param name="cache">Cache</param>
 public abstract class BaseUserRetrieveService(ITwoLevelCache cache) : IUserRetrieveService, IRemoveCachedUser, IRemoveAll
 {
     private readonly ITwoLevelCache cache = cache ?? throw new ArgumentNullException(nameof(cache));
 
+    /// <inheritdoc/>
     public virtual IUserDefinition ById(string id)
     {
         if (!IsValidUserId(id))
@@ -12,6 +17,7 @@ public virtual IUserDefinition ById(string id)
         return GetCachedById(id);
     }
 
+    /// <inheritdoc/>
     public virtual IUserDefinition ByUsername(string username)
     {
         if (!IsValidUsername(username))
@@ -20,36 +26,80 @@ public virtual IUserDefinition ByUsername(string username)
         return GetCachedByUsername(username);
     }
 
+    /// <summary>
+    /// Gets the cache duration for user retrieval. Default is zero, meaning it will be 
+    /// cached indefinitely unless expired by using the cache group key.
+    /// </summary>
     protected virtual TimeSpan GetCacheDuration() => TimeSpan.Zero;
+
+    /// <summary>
+    /// Gets the cache group key for user retrieval.
+    /// </summary>
     protected abstract string GetCacheGroupKey();
 
+    /// <summary>
+    /// Gets the cache key for the specified user ID.
+    /// </summary>
+    /// <param name="id">User ID</param>
     protected virtual string GetIdCacheKey(string id) => "UserByID_" + id;
+
+    /// <summary>
+    /// Gets the cache key for the specified username.
+    /// </summary>
+    /// <param name="username">Username</param>
     protected virtual string GetUsernameCacheKey(string username) => "UserByName_" + username.ToLowerInvariant();
 
+    /// <summary>
+    /// Gets the cached user by the specified ID.
+    /// </summary>
+    /// <param name="id">User ID</param>
     protected virtual IUserDefinition GetCachedById(string id)
     {
         return cache.GetLocalStoreOnly(GetIdCacheKey(id), GetCacheDuration(), GetCacheGroupKey(),
             () => LoadById(id));
     }
 
+    /// <summary>
+    /// Gets the cached user by the specified username.
+    /// </summary>
+    /// <param name="username">Username</param>
     protected virtual IUserDefinition GetCachedByUsername(string username)
     {
         return cache.GetLocalStoreOnly(GetUsernameCacheKey(username), GetCacheDuration(), GetCacheGroupKey(),
             () => LoadByUsername(username));
     }
 
+    /// <summary>
+    /// Checks if the specified user ID is valid. By default, it checks if it is not null or empty.
+    /// </summary>
+    /// <param name="userId">User ID</param>
     protected virtual bool IsValidUserId(string userId) => !string.IsNullOrEmpty(userId);
 
+    /// <summary>
+    /// Checks if the specified username is valid. By default, it checks if it is not null or empty.
+    /// </summary>
+    /// <param name="username">Username</param>
     protected virtual bool IsValidUsername(string username) => !string.IsNullOrEmpty(username);
 
+    /// <summary>
+    /// Loads the user by the specified ID from database.
+    /// </summary>
+    /// <param name="id">User ID</param>
     protected abstract IUserDefinition LoadById(string id);
+
+    /// <summary>
+    /// Loads the user by the specified username from database
+    /// </summary>
+    /// <param name="username">Username</param>
     protected abstract IUserDefinition LoadByUsername(string username);
 
+    /// <inheritdoc/>
     public virtual void RemoveAll()
     {
         cache.ExpireGroupItems(GetCacheGroupKey());
     }
 
+    /// <inheritdoc/>
     public virtual void RemoveCachedUser(string userId, string username)
     {
         if (IsValidUserId(userId))
diff --git a/common-features/src/extensions/Modules/Authorization/BaseUserRetrieveServiceT.cs b/common-features/src/extensions/Modules/Authorization/BaseUserRetrieveServiceT.cs
index 7655df797c..cd6e121ceb 100644
--- a/common-features/src/extensions/Modules/Authorization/BaseUserRetrieveServiceT.cs
+++ b/common-features/src/extensions/Modules/Authorization/BaseUserRetrieveServiceT.cs
@@ -1,13 +1,28 @@
 namespace Serenity.Extensions;
 
+/// <summary>
+/// Base user retrieve service that provides common functionality for user retrieve services.
+/// </summary>
+/// <typeparam name="TRow">User row type</typeparam>
+/// <param name="cache">Cache</param>
+/// <param name="sqlConnections">SQL connections</param>
 public abstract class BaseUserRetrieveService<TRow>(ITwoLevelCache cache, ISqlConnections sqlConnections) 
     : BaseUserRetrieveService(cache)
     where TRow : class, IRow, IIdRow, INameRow, new()
 {
     private readonly ISqlConnections sqlConnections = sqlConnections ?? throw new ArgumentNullException(nameof(sqlConnections));
 
+    /// <summary>
+    /// Converts the specified row to a user definition.
+    /// </summary>
+    /// <param name="row">User row</param>
     protected abstract IUserDefinition ToUserDefinition(TRow row);
 
+    /// <summary>
+    /// Loads a user from the database by the specified criteria.
+    /// </summary>
+    /// <param name="connection">Connection</param>
+    /// <param name="criteria">Criteria</param>
     protected virtual IUserDefinition LoadByCriteria(System.Data.IDbConnection connection, BaseCriteria criteria)
     {
         var user = connection.TrySingle<TRow>(criteria);
@@ -21,11 +36,18 @@ protected virtual IUserDefinition LoadByCriteria(System.Data.IDbConnection conne
     private Field idField;
     private Field nameField;
 
+    /// <summary>
+    /// Gets the cache group key for user retrieval.
+    /// </summary>
     protected override string GetCacheGroupKey()
     {
         return (cacheGroupKey ??= new TRow().Fields.GenerationKey);
     }
 
+    /// <summary>
+    /// Checks if the specified user ID is valid.
+    /// </summary>
+    /// <param name="userId">User ID</param>
     protected override bool IsValidUserId(string userId)
     {
         if (!base.IsValidUserId(userId))
@@ -44,6 +66,10 @@ protected override bool IsValidUserId(string userId)
         return true;
     }
 
+    /// <summary>
+    /// Loads the user by the specified ID from database.
+    /// </summary>
+    /// <param name="id">User ID</param>
     protected override IUserDefinition LoadById(string id)
     {
         idField ??= new TRow().IdField;
@@ -53,6 +79,10 @@ protected override IUserDefinition LoadById(string id)
             new ValueCriteria(idField.ConvertValue(id, CultureInfo.InvariantCulture)));
     }
 
+    /// <summary>
+    /// Loads the user by the specified username from database.
+    /// </summary>
+    /// <param name="username">Username</param>
     protected override IUserDefinition LoadByUsername(string username)
     {
         nameField ??= new TRow().NameField;
diff --git a/common-features/src/extensions/Modules/Authorization/IUserPermissionRow.cs b/common-features/src/extensions/Modules/Authorization/IUserPermissionRow.cs
new file mode 100644
index 0000000000..6a3f3d79b3
--- /dev/null
+++ b/common-features/src/extensions/Modules/Authorization/IUserPermissionRow.cs
@@ -0,0 +1,23 @@
+namespace Serenity.Data;
+
+/// <summary>
+/// User permission row interface
+/// </summary>
+public interface IUserPermissionRow : IRow
+{
+    /// <summary>
+    /// User ID field
+    /// </summary>
+    Field UserIdField { get; }
+
+    /// <summary>
+    /// Permission key field
+    /// </summary>
+    StringField PermissionKeyField { get; }
+
+    /// <summary>
+    /// Granted field, might be null if not available. Used to optionally 
+    /// revoke permissions granted via roles.
+    /// </summary>
+    BooleanField GrantedField { get; }
+}
\ No newline at end of file
diff --git a/common-features/src/extensions/Modules/Authorization/IUserRoleRow.cs b/common-features/src/extensions/Modules/Authorization/IUserRoleRow.cs
new file mode 100644
index 0000000000..82ff49ca76
--- /dev/null
+++ b/common-features/src/extensions/Modules/Authorization/IUserRoleRow.cs
@@ -0,0 +1,17 @@
+namespace Serenity.Data;
+
+/// <summary>
+/// User role row interface
+/// </summary>
+public interface IUserRoleRow : IRow
+{
+    /// <summary>
+    /// User ID field
+    /// </summary>
+    Field UserIdField { get; }
+
+    /// <summary>
+    /// User role key or the role name field
+    /// </summary>
+    StringField RoleKeyOrNameField { get; }
+}
diff --git a/serene/src/Serene.Web/Modules/Administration/UserPermission/ImplicitPermissionsDataScript.cs b/serene/src/Serene.Web/Modules/Administration/UserPermission/ImplicitPermissionsDataScript.cs
index bfc4d545d6..e30d24f3cf 100644
--- a/serene/src/Serene.Web/Modules/Administration/UserPermission/ImplicitPermissionsDataScript.cs
+++ b/serene/src/Serene.Web/Modules/Administration/UserPermission/ImplicitPermissionsDataScript.cs
@@ -1,27 +1,15 @@
+using Microsoft.Extensions.Caching.Memory;
 
 namespace Serene.Administration;
 
-using Microsoft.Extensions.Caching.Memory;
-using Serenity.Abstractions;
-using Serenity.ComponentModel;
-using Serenity.Web;
-using System;
-using System.Collections.Generic;
-
 [DataScript("Administration.ImplicitPermissions", Permission = PermissionKeys.Security)]
-public class ImplicitPermissionsDataScript : DataScript<IDictionary<string, HashSet<string>>>
+public class ImplicitPermissionsDataScript(IMemoryCache cache, ITypeSource typeSource) : DataScript<IDictionary<string, HashSet<string>>>
 {
-    private readonly IMemoryCache cache;
-    private readonly ITypeSource typeSource;
-
-    public ImplicitPermissionsDataScript(IMemoryCache cache, ITypeSource typeSource)
-    {
-        this.cache = cache ?? throw new ArgumentNullException(nameof(cache));
-        this.typeSource = typeSource ?? throw new ArgumentNullException(nameof(typeSource));
-    }
+    private readonly IMemoryCache cache = cache ?? throw new ArgumentNullException(nameof(cache));
+    private readonly ITypeSource typeSource = typeSource ?? throw new ArgumentNullException(nameof(typeSource));
 
     protected override IDictionary<string, HashSet<string>> GetData()
     {
-        return AppServices.PermissionService.GetImplicitPermissions(cache, typeSource);
+        return BasePermissionService.GetImplicitPermissions(cache, typeSource);
     }
 }
\ No newline at end of file
diff --git a/serene/src/Serene.Web/Modules/Administration/UserPermission/UserPermissionRow.cs b/serene/src/Serene.Web/Modules/Administration/UserPermission/UserPermissionRow.cs
index cf7b3561fc..5427455117 100644
--- a/serene/src/Serene.Web/Modules/Administration/UserPermission/UserPermissionRow.cs
+++ b/serene/src/Serene.Web/Modules/Administration/UserPermission/UserPermissionRow.cs
@@ -1,10 +1,10 @@
-namespace Serene.Administration;
+namespace Serene.Administration;
 
 [ConnectionKey("Default"), Module("Administration"), TableName("UserPermissions")]
 [DisplayName("UserPermissions"), InstanceName("UserPermissions")]
 [ReadPermission(PermissionKeys.Security)]
 [ModifyPermission(PermissionKeys.Security)]
-public sealed class UserPermissionRow : Row<UserPermissionRow.RowFields>, IIdRow, INameRow
+public sealed class UserPermissionRow : Row<UserPermissionRow.RowFields>, IIdRow, INameRow, IUserPermissionRow
 {
     [DisplayName("User Permission Id"), Identity, IdProperty]
     public long? UserPermissionId { get => fields.UserPermissionId[this]; set => fields.UserPermissionId[this] = value; }
@@ -24,6 +24,10 @@ public sealed class UserPermissionRow : Row<UserPermissionRow.RowFields>, IIdRow
     [DisplayName("User Display Name"), Expression("jUser.[DisplayName]")]
     public string User { get => fields.User[this]; set => fields.User[this] = value; }
 
+    Field IUserPermissionRow.UserIdField => fields.UserId;
+    StringField IUserPermissionRow.PermissionKeyField => fields.PermissionKey;
+    BooleanField IUserPermissionRow.GrantedField => fields.Granted;
+
     public class RowFields : RowFieldsBase
     {
         public Int64Field UserPermissionId;
diff --git a/serene/src/Serene.Web/Modules/Administration/UserRole/UserRoleRow.cs b/serene/src/Serene.Web/Modules/Administration/UserRole/UserRoleRow.cs
index 20ed363823..426e7959eb 100644
--- a/serene/src/Serene.Web/Modules/Administration/UserRole/UserRoleRow.cs
+++ b/serene/src/Serene.Web/Modules/Administration/UserRole/UserRoleRow.cs
@@ -4,7 +4,7 @@ namespace Serene.Administration;
 [DisplayName("UserRoles"), InstanceName("UserRoles")]
 [ReadPermission(PermissionKeys.Security)]
 [ModifyPermission(PermissionKeys.Security)]
-public sealed class UserRoleRow : Row<UserRoleRow.RowFields>, IIdRow
+public sealed class UserRoleRow : Row<UserRoleRow.RowFields>, IIdRow, IUserRoleRow
 {
     const string jRole = nameof(jRole);
     const string jUser = nameof(jUser);
@@ -27,6 +27,10 @@ public sealed class UserRoleRow : Row<UserRoleRow.RowFields>, IIdRow
     [DisplayName("Role"), Expression($"{jRole}.[RoleName]")]
     public string RoleName { get => fields.RoleName[this]; set => fields.RoleName[this] = value; }
 
+    public Field UserIdField => fields.UserId;
+
+    public StringField RoleKeyOrNameField => fields.RoleName;
+
     public class RowFields : RowFieldsBase
     {
         public Int64Field UserRoleId;
diff --git a/serene/src/Serene.Web/Modules/Common/AppServices/PermissionService.cs b/serene/src/Serene.Web/Modules/Common/AppServices/PermissionService.cs
index 0c0e26294e..5f2f888e1c 100644
--- a/serene/src/Serene.Web/Modules/Common/AppServices/PermissionService.cs
+++ b/serene/src/Serene.Web/Modules/Common/AppServices/PermissionService.cs
@@ -1,7 +1,5 @@
-using Microsoft.Extensions.Caching.Memory;
 using Serene.Administration;
-using System.Globalization;
-using System.Reflection;
+using System.Security.Claims;
 
 namespace Serene.AppServices;
 
@@ -10,168 +8,13 @@ public class PermissionService(ITwoLevelCache cache,
     ITypeSource typeSource,
     IUserAccessor userAccessor,
     IRolePermissionService rolePermissions,
-    IHttpContextItemsAccessor httpContextItemsAccessor = null) : IPermissionService, ITransientGrantor
+    IHttpContextItemsAccessor httpContextItemsAccessor = null) :
+    BasePermissionService<UserPermissionRow, UserRoleRow>(cache, sqlConnections, typeSource,
+        userAccessor, rolePermissions, httpContextItemsAccessor)
 {
-    private readonly ITwoLevelCache cache = cache ?? throw new ArgumentNullException(nameof(cache));
-    private readonly IRolePermissionService rolePermissions = rolePermissions ?? throw new ArgumentNullException(nameof(rolePermissions));
-    private readonly ISqlConnections sqlConnections = sqlConnections ?? throw new ArgumentNullException(nameof(sqlConnections));
-    private readonly ITypeSource typeSource = typeSource ?? throw new ArgumentNullException(nameof(typeSource));
-    private readonly IUserAccessor userAccessor = userAccessor ?? throw new ArgumentNullException(nameof(userAccessor));
-    private readonly TransientGrantingPermissionService transientGrantor = new(permissionService: null, httpContextItemsAccessor);
-
-    public bool HasPermission(string permission)
-    {
-        if (string.IsNullOrEmpty(permission))
-            return false;
-
-        if (permission == "*" || transientGrantor.HasPermission(permission))
-            return true;
-
-        var isLoggedIn = userAccessor.IsLoggedIn();
-
-        if (permission == "?")
-            return isLoggedIn;
-
-        if (!isLoggedIn)
-            return false;
-
-        var username = userAccessor.User?.Identity?.Name;
-        if (username == "admin")
-            return true;
-
-        // only admin has impersonation permission
-        if (string.Compare(permission, "ImpersonateAs", StringComparison.OrdinalIgnoreCase) == 0)
-            return false;
-
-        var userId = Convert.ToInt32(userAccessor.User.GetIdentifier(), CultureInfo.InvariantCulture);
-
-        if (GetUserPermissions(userId).TryGetValue(permission, out bool grant))
-            return grant;
-
-        foreach (var role in GetUserRoles(userId))
-        {
-            if (rolePermissions.HasPermission(role, permission))
-                return true;
-        }
-
-        return false;
-    }
-
-    private Dictionary<string, bool> GetUserPermissions(int userId)
-    {
-        var fld = UserPermissionRow.Fields;
-
-        return cache.GetLocalStoreOnly("UserPermissions:" + userId, TimeSpan.Zero, fld.GenerationKey, () =>
-        {
-            using var connection = sqlConnections.NewByKey("Default");
-            var result = new Dictionary<string, bool>(StringComparer.OrdinalIgnoreCase);
-
-            connection.List<UserPermissionRow>(q => q
-                    .Select(fld.PermissionKey)
-                    .Select(fld.Granted)
-                    .Where(new Criteria(fld.UserId) == userId))
-                .ForEach(x => result[x.PermissionKey] = x.Granted ?? true);
-
-            var implicitPermissions = PermissionService.GetImplicitPermissions(cache.Memory, typeSource);
-            foreach (var pair in result.ToArray())
-            {
-                if (pair.Value && implicitPermissions.TryGetValue(pair.Key, out HashSet<string> list))
-                    foreach (var x in list)
-                        result[x] = true;
-            }
-
-            return result;
-        });
-    }
-
-    private HashSet<string> GetUserRoles(int userId)
-    {
-        var fld = UserRoleRow.Fields;
-
-        return cache.GetLocalStoreOnly("UserRoles:" + userId, TimeSpan.Zero, fld.GenerationKey, () =>
-        {
-            using var connection = sqlConnections.NewByKey("Default");
-            var result = new HashSet<string>();
-
-            connection.List<UserRoleRow>(q => q
-                    .Select(fld.RoleName)
-                    .Where(new Criteria(fld.UserId) == userId))
-                .ForEach(x => result.Add(x.RoleName));
-
-            return result;
-        });
-    }
-
-    public static IDictionary<string, HashSet<string>> GetImplicitPermissions(IMemoryCache memoryCache,
-        ITypeSource typeSource)
-    {
-        ArgumentNullException.ThrowIfNull(memoryCache);
-
-        ArgumentNullException.ThrowIfNull(typeSource);
-
-        return memoryCache.Get<IDictionary<string, HashSet<string>>>("ImplicitPermissions", TimeSpan.Zero, () =>
-        {
-            var result = new Dictionary<string, HashSet<string>>(StringComparer.OrdinalIgnoreCase);
-
-            void addFrom(Type type)
-            {
-                foreach (var member in type.GetFields(BindingFlags.Static | BindingFlags.DeclaredOnly |
-                    BindingFlags.Public | BindingFlags.NonPublic))
-                {
-                    if (member.FieldType != typeof(string))
-                        continue;
-
-                    if (member.GetValue(null) is not string key)
-                        continue;
-
-                    foreach (var attr in member.GetCustomAttributes<ImplicitPermissionAttribute>())
-                    {
-                        if (!result.TryGetValue(key, out HashSet<string> list))
-                        {
-                            list = new HashSet<string>(StringComparer.OrdinalIgnoreCase);
-                            result[key] = list;
-                        }
-
-                        list.Add(attr.Value);
-                    }
-                }
-
-                foreach (var nested in type.GetNestedTypes(BindingFlags.Public | BindingFlags.DeclaredOnly))
-                    addFrom(nested);
-            }
-
-            foreach (var type in typeSource.GetTypesWithAttribute(
-                typeof(NestedPermissionKeysAttribute)))
-            {
-                addFrom(type);
-            }
-
-            return result;
-        });
-    }
-
     /// <inheritdoc/>
-    public void Grant(params string[] permissions)
+    protected override bool IsSuperAdmin(ClaimsPrincipal user)
     {
-        transientGrantor.Grant(permissions);
+        return user.Identity?.Name == "admin";
     }
-
-    /// <inheritdoc/>
-    public void GrantAll()
-    {
-        transientGrantor.GrantAll();
-    }
-
-    /// <inheritdoc/>
-    public void UndoGrant()
-    {
-        transientGrantor.UndoGrant();
-    }
-
-    /// <inheritdoc/>
-    public bool IsAllGranted() => transientGrantor.IsAllGranted();
-
-    /// <inheritdoc/>
-    public IEnumerable<string> GetGranted() => transientGrantor.GetGranted();
-
 }
\ No newline at end of file