ABP Platform 10.2
Released: Mar 31, 2026
Updates in 10.2
Features
- Multi-Tenant Account Usage: Shared User Accounts:
- Introduced Shared User Accounts: a single user account can belong to multiple tenants, and the user can choose or switch the active tenant when signing in. This enables a "one account, multiple tenants" experience - for example, inviting the same email address into multiple tenants.
- When you use Shared User Accounts:
- Username/email uniqueness becomes global (Host + all tenants).
- Users are prompted to select the tenant at login if they belong to multiple tenants.
- Users can switch between tenants using the tenant switcher in the user menu.
- Tenant administrators can invite existing or new users to join a tenant.
- Prevent Privilege Escalation: Assignment Restrictions for Roles and Permissions:
- Implemented a unified privilege escalation prevention model to address security vulnerabilities where users could assign themselves or others roles or permissions they do not possess:
- Role Assignment Restriction: Users can only assign or remove roles they currently have. Users cannot add new roles to themselves (removal only) and cannot assign or remove roles they do not possess.
- Permission Grant/Revoke Authorization: Users can only grant or revoke permissions they currently have. Validation applies to both grant and revoke operations.
- Incremental Permission Protection: When updating user or role permissions, permissions the current user does not have are treated as non-editable and are preserved as-is during updates.
- Users with the admin role can assign any role and grant/revoke any permission. All validations are enforced on the backend — the UI is not a security boundary.
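The three rules above, modelled as backend checks in an added example (not ABP's own code; `EscalationGuard` and its method names are hypothetical). It assumes that an update naming permissions the caller lacks leaves those permissions in their stored state instead of failing, which is how this sketch reads "preserved as-is".

```csharp
using System;
using System.Collections.Generic;
using System.Linq;

// Added illustration of the rules above; names are hypothetical, not ABP APIs.
public static class EscalationGuard
{
    // Role rule: a non-admin may add or remove only roles they hold,
    // and may only remove (never add) roles on their own account.
    public static HashSet<string> UpdateRoles(ISet<string> actorRoles, bool isAdmin,
        bool targetIsSelf, ISet<string> current, ISet<string> requested)
    {
        if (isAdmin) return new HashSet<string>(requested);
        var added = requested.Except(current).ToList();
        var removed = current.Except(requested).ToList();
        if (targetIsSelf && added.Count > 0)
            throw new UnauthorizedAccessException("Cannot add roles to yourself.");
        var notHeld = added.Concat(removed).Where(r => !actorRoles.Contains(r)).ToList();
        if (notHeld.Count > 0)
            throw new UnauthorizedAccessException("Roles not held: " + string.Join(", ", notHeld));
        return new HashSet<string>(requested);
    }

    // Incremental protection: permissions the actor lacks are non-editable,
    // so their stored state survives whatever the request contains.
    public static HashSet<string> UpdatePermissions(ISet<string> actorPerms, bool isAdmin,
        ISet<string> current, ISet<string> requested)
    {
        if (isAdmin) return new HashSet<string>(requested);
        var preserved = current.Where(p => !actorPerms.Contains(p));
        var editable = requested.Where(p => actorPerms.Contains(p));
        return new HashSet<string>(preserved.Concat(editable));
    }

    public static void Main()
    {
        // Constructed sample data.
        var actorPerms = new HashSet<string> { "Orders.View", "Orders.Edit" };
        var current = new HashSet<string> { "Orders.View", "Billing.Refund" };
        // Request tries to grant Users.Delete and revoke Billing.Refund; the actor holds neither.
        var requested = new HashSet<string> { "Orders.Edit", "Users.Delete" };
        var result = UpdatePermissions(actorPerms, false, current, requested);
        Console.WriteLine(string.Join(", ", result.OrderBy(p => p)));

        var actorRoles = new HashSet<string> { "manager" };
        try { UpdateRoles(actorRoles, false, false, new HashSet<string>(), new HashSet<string> { "auditor" }); }
        catch (UnauthorizedAccessException e) { Console.WriteLine(e.Message); }
    }
}
```

In the permission case the result keeps `Billing.Refund`, drops `Users.Delete`, and applies only the changes to permissions the caller holds; the role call is rejected because the caller does not hold `auditor`.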
- ClientResourcePermissionValueProvider for OAuth/OpenIddict:
- Added ClientResourcePermissionValueProvider, extending resource-based authorization to OAuth clients. When using IdentityServer or OpenIddict, clients can now have resource permissions aligned with the standard user and role permission model.
- This allows you to control which OAuth clients can access which resources, providing fine-grained authorization for API consumers. The implementation integrates with ABP's existing resource permission infrastructure.
- Angular: Hybrid Localization Support:
- Introduced Hybrid Localization for Angular applications, combining server-side and client-side localization strategies. This gives you flexibility in how translations are loaded and resolved — you can use server-provided localization, client-side fallbacks, or a mix of both.
- This feature is useful when you want to reduce initial load time, support offline scenarios, or have environment-specific localization behavior. The Angular packages have been updated to support the hybrid approach seamlessly.
- Angular: Extensible Table Row Detail:
- Added the ExtensibleTableRowDetailComponent for expandable row details in extensible tables. You can now display additional information for each row in a collapsible detail section.
- The feature supports row detail templates via both direct input and content child component. It adds toggle logic and emits rowDetailToggle events, making it easy to customize the behavior and appearance of expandable rows in your data tables.
- Angular: CMS Kit Module Features:
- Brought CMS Kit features to Angular, completing the cross-platform UI coverage for the CMS Kit module. The Angular implementation includes: Blogs, Blog Posts, Comments, Menus, Pages, Tags, Global Resources, and CMS Settings.
- Together with the CMS Kit Pro Angular implementation (FAQ, Newsletters, Page Feedbacks, Polls, Url forwarding), ABP now provides full Angular UI coverage for both the open-source CMS Kit and CMS Kit Pro modules.
- Blazor: Upgraded to Blazorise 2.0:
- Upgraded the Blazorise library to version 2.0 for Blazor UI. If you are upgrading your project to v10.2 RC, please ensure that all Blazorise-related packages are updated to v2.0 in your application.
- Blazorise 2.0 includes various improvements and changes. Please refer to the Blazorise 2.0 Release Notes and the ABP Blazorise 2.0 Migration Guide for upgrade instructions.
- Identity: Single Active Token Providers:
- Introduced a single active token policy for password reset, email confirmation, and change-email flows. Three new token providers are available: AbpPasswordResetTokenProvider, AbpEmailConfirmationTokenProvider, and AbpChangeEmailTokenProvider.
- When a new token is generated, it invalidates any previously issued tokens for that purpose. This improves security by ensuring that only the most recently issued token is valid. Token lifespan can be customized via the respective options classes for each provider.
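A minimal model of the single active token policy described above, as an added example (not the code of the ABP token providers; `SingleActiveTokenStore` and the in-memory dictionary are assumptions made for illustration). Issuing a token replaces the stored hash for that user and purpose, so an older reset link stops validating as soon as a newer one is sent.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Text;

// Added sketch of a single active token policy; not ABP's provider code.
// SingleActiveTokenStore and its members are hypothetical names.
public sealed class SingleActiveTokenStore
{
    private readonly Dictionary<(string User, string Purpose), (byte[] Hash, DateTimeOffset Expires)> _active = new();
    private readonly TimeSpan _lifespan;

    public SingleActiveTokenStore(TimeSpan lifespan) => _lifespan = lifespan;

    // Issuing overwrites the stored hash, so every earlier token for the
    // same user and purpose stops validating immediately.
    public string Issue(string user, string purpose, DateTimeOffset now)
    {
        var token = Convert.ToBase64String(RandomNumberGenerator.GetBytes(32));
        _active[(user, purpose)] = (Hash(token), now + _lifespan);
        return token;
    }

    public bool Validate(string user, string purpose, string token, DateTimeOffset now)
    {
        if (!_active.TryGetValue((user, purpose), out var entry)) return false;
        if (now > entry.Expires) return false;
        // Only the hash is stored; compare in constant time.
        return CryptographicOperations.FixedTimeEquals(entry.Hash, Hash(token));
    }

    private static byte[] Hash(string token) => SHA256.HashData(Encoding.UTF8.GetBytes(token));

    public static void Main()
    {
        var store = new SingleActiveTokenStore(TimeSpan.FromHours(1));
        var t0 = DateTimeOffset.UtcNow;
        var first = store.Issue("alice", "PasswordReset", t0);   // constructed sample values
        var second = store.Issue("alice", "PasswordReset", t0.AddMinutes(5));
        Console.WriteLine(store.Validate("alice", "PasswordReset", first, t0.AddMinutes(6)));
        Console.WriteLine(store.Validate("alice", "PasswordReset", second, t0.AddMinutes(6)));
        Console.WriteLine(store.Validate("alice", "PasswordReset", second, t0.AddHours(2)));
    }
}
```

The first token fails once the second is issued, the second validates inside its lifespan, and it fails again after the one-hour lifespan has passed.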
- TickerQ Package Upgrade to 10.1.1:
- If you are using the TickerQ integration packages (Volo.Abp.TickerQ, Volo.Abp.BackgroundJobs.TickerQ, or Volo.Abp.BackgroundWorkers.TickerQ), you need to apply breaking changes when upgrading to ABP 10.2. TickerQ has been upgraded from 2.5.3 to 10.1.1, which only targets .NET 10.0 and contains several API changes.
- Key changes include:
- UseAbpTickerQ moved from IApplicationBuilder to IHost — use context.GetHost().UseAbpTickerQ() in your module
- Entity types renamed: TimeTicker → TimeTickerEntity, CronTicker → CronTickerEntity
- Scheduler and dashboard configuration APIs have changed
- New helpers: context.GetHost(), GetWebApplication(), GetEndpointRouteBuilder()
- AI Management: MCP (Model Context Protocol) Support:
- The AI Management Module now supports MCP (Model Context Protocol), enabling AI workspaces to use external MCP servers as tools. MCP allows AI models to interact with external services, databases, APIs, and more through a standardized protocol.
- You can create and manage MCP servers via the AI Management UI. Each MCP server supports one of the following transport types: Stdio (runs a local command), SSE (Server-Sent Events), or StreamableHttp. For HTTP-based transports, you can configure authentication (API Key, Bearer token, or custom headers). Once MCP servers are defined, you can associate them with workspaces. When a workspace has MCP servers associated, the AI model can invoke tools from those servers during chat conversations — tool calls and results are displayed in the chat interface.
- You can test the connection to an MCP server after creating it to verify connectivity and list available tools before use.
- AI Management: RAG with File Upload:
- The AI Management module supports RAG (Retrieval-Augmented Generation) with file upload, which enables workspaces to answer questions based on the content of uploaded documents. When RAG is configured, the AI model searches the uploaded documents for relevant information before generating a response.
- To enable RAG, configure an embedder (e.g., OpenAI, Ollama) and a vector store (e.g., PgVector) on the workspace.
- You can then upload documents (PDF, Markdown, or text files, max 10 MB) through the workspace management UI. Uploaded documents are automatically processed: their content is chunked, embedded, and stored in the configured vector store.
- When you ask questions in the chat interface, the AI model uses the uploaded documents as context for accurate, grounded responses.
- AI Management: OpenAI-Compatible Chat Endpoint:
- The AI Management module exposes an OpenAI-compatible REST API at the /v1 path. This allows any application or tool that supports the OpenAI API format — such as AnythingLLM, Open WebUI, Dify, or custom scripts using the OpenAI SDK — to connect directly to your AI Management instance.
- Each AI Management workspace appears as a selectable model in the client application. The workspace's configured AI provider handles the actual inference transparently. Available endpoints include /v1/chat/completions, /v1/models, /v1/embeddings, /v1/files, and more. All endpoints require authentication via a Bearer token in the Authorization header.
- File Management: Resource-Based Authorization:
- The File Management Module now supports resource-based authorization. You can control access to individual files and folders per user, role, or client. Permissions can be granted at the resource level via the UI, and the feature integrates with ABP's resource permission infrastructure.
- This feature is implemented for all three supported UIs: MVC/Razor Pages, Blazor, and Angular, providing a consistent experience across your application regardless of the UI framework you use.
- Other Improvements and Enhancements:
- Angular signal APIs: ABP Angular packages migrated to signal queries, output functions, and signal input functions for alignment with Angular 21.
- Angular Vitest: ABP Angular templates now use Vitest as the default testing framework instead of Karma/Jasmine.
- Ambient auditing: Programmatic disable/enable of auditing via IAuditingHelper.DisableAuditing() and IsAuditingEnabled().
- Complex property auditing: Entity History and ModifierId now support EF Core complex properties.
- RabbitMQ correlation ID: Correlation ID support added to RabbitMQ JobQueue for distributed tracing.
- Concurrent config retrieval: MvcCachedApplicationConfigurationClient now fetches configuration and localization concurrently for faster startup.
- Environment localization fallback: Angular can use environment.defaultResourceName when the backend does not provide it.
- JS proxy namespace fix: Resolved namespace mismatch for multi-segment company names in generated proxies.
- Audit Logging max length: Entity/property type full names increased to 512 characters to reduce truncation.
- AI guidelines: Cursor and Copilot AI guideline documents added for ABP development.