I am still confused about all this Identity stuff.
First I am still confused the difference between Roles, Policies/Claims. From what I read roles is the old way of doing stuff and was kept for backward compatibility, so does that mean AspNetRoleClaims is part of this backward compatibility?
I think I understand Claims and Policies when thinking of them individual, like policy is basically a set of rules that must pass and gives the ability to change rules without having to go through out all the code and change roles.
Were a claim, is basically a trusted source is vouching for about that user(ie this is their age, which might come from a government source ).
Now what confuses me is putting it all together.
I generated the Identity tables and see
AspNetUsers AspNetUserRoles AspNetRoles AspNetRoleClaims AspNetUserClaims AspNetUserLogins
I get what the AspNetUsers table does and AspNetUserLogins(seems to be if they use like external login providers).
I get confused on what the difference between AspNetRoleClaims and AspNetUserClaims. Do I just use AspNetUserClaims or do I use everything?
Say I have this secenario
I have a company that has many branches, in each branch their will be an administrator of that branch, they got full power over the branch and can do anything but nothing at another branch. At the company level there will an administrator who can do anything at the company level and any branch. Finally I have a person in the branch who can just add new employees.
What does this all look like? Do I make 3 roles?
CompanyAdmin BranchAdmin AddUsersAtBranchLevel (or is this some sort of claim??) What do the tables look like? Is there anything going to be in AspNetRoleClaims? AspNetUserClaims?
Now I can make a policy to check if the user is a branch admin and if they are trying to edit their branch?
Or do I just forget all the role stuff and have in the AspNetUserClaims
User1 CanAddUserToBranch true User1 CanDeleteUserBranch true User1 CanAddUserToCompany true
Then in my code make those all different "ClaimTypes" and create a polciy that sees if they have say "CanAddUserToBranch" and then another claim or policy to check what branch they are in to make sure they are trying to add something to the right branch?
Edit
Do you think I Need to use Resource-based authorization?
A claim is a statement that an entity (a user or another application) makes about itself, it's just a claim. For example a claim list can have the user's name, user's e-mail, user's age, user's authorization for an action. In role-based Security, a user presents the credentials directly to the application.
ASP.NET Core Identity: Is an API that supports user interface (UI) login functionality. Manages users, passwords, profile data, roles, claims, tokens, email confirmation, and more.
The claims-based authorization works by checking if the user has a claim to access an URL. In ASP.NET Core we create policies to implement the Claims-Based Authorization. The policy defines what claims that user must process to satisfy the policy. We apply the policy on the Controller, action method, razor page, etc.
+------------------+------------------+ | Table | Description | +------------------+------------------+ | AspNetUsers | The users. | | AspNetRoles | The roles. | | AspNetUserRoles | Roles of users. | | AspNetUserClaims | Claims by users. | | AspNetRoleClaims | Claims by roles. | +------------------+------------------+
If you find roles and claims confusing, it's probably because roles are a special case of claims i.e. roles are claims.
Role vs Policy
For role based authorization, the authorization system checks if the user has been assigned the roles required to access the given resource.
For policy based authorization, some business logic is executed to decide if the resource access should be authorized.
Say I have this scenario
I have a company that has many branches, in each branch their will be an administrator of that branch, they got full power over the branch and can do anything but nothing at another branch. At the company level there will an administrator who can do anything at the company level and any branch. Finally I have a person in the branch who can just add new employees.
Here's one way of doing it:
2 roles: Admin
, TheRoleThatCanAddUsers
A claim called Branch
that can take a branch id (or anything else to identify the branch). Company admins can use a value like "CompanyWide"
or 0
or -1
.
Now create a policy that checks the Role and the Branch claim and decides if the user should be authorized.
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With