
Role Claims in ASP.NET Core Identity compared to Role Permissions in custom auth

Let's step away from ASP.NET Identity for a sec and let's say we are building a custom authentication/authorization system for our application.

It will contain the following tables for full flexibility:
Users
Roles
Permissions
UserRoles
RolePermissions

With the above we can have a full-fledged User Management section of an application where an Administrator can say User A has Role B which has Permissions C, D, F.

The above has always worked for me in the past, but let's switch gears now to an ASP.NET Core MVC Application using ASP.NET Identity.

Attempting to utilize everything Microsoft gives you with ASP.NET Core Identity in the UserManager I would like to be able to still achieve the above, but the ASP.NET Core Identity MVC way.

What I know:
That I can easily use the UserManager to implement CRUD pages for Users and Roles and User Roles.

What I am trying to figure out:
How can I replicate the same behavior of the "which permissions/actions does a role have?" concept.

My initial guess at this is that you would use Claims in combination with Roles. Claims get assigned to Roles i.e. RoleClaims and then Roles get assigned to Users.

This way I would be able to simply check for Roles above Controllers/Action methods with Authorize tags, and additionally go even further at the page level, saying hide/show the delete button if the user's Role does not have Claim "DeleteProduct". Kind of like what this view-based authorization documentation is saying.

--

I am trying to figure out if I am on the right path with this stuff. Any advice or corrections would be helpful.

Blake Rivell asked Oct 30 '17 19:10



1 Answer

This person seems to have a potential solution for your particular problem.

Users Roles Permissions using ASP.NET Core Identity 3

More information on Claims and Policies

https://docs.microsoft.com/en-us/aspnet/core/security/authorization/claims

Basically

  1. Make a new user
  2. Make a new role
  3. Make a new Claim
  4. Add Claim to Role
  5. Add User to Role
  6. Make a new Policy with claim (during configure services)
  7. Check for user being authorized for policy

Note: Not entirely sure if that works with ASP.NET Core 2 or not, or which version you were using.

George McKibbin answered Oct 18 '22 19:10
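
The seven steps in the answer above, written out as an added C# example (not code from the answer or the article it links to). The role name `ProductAdmin`, claim type `Permission`, policy name `CanDeleteProduct` and the controller are assumptions, and it presumes Identity is registered with role support, for example `AddIdentity<IdentityUser, IdentityRole>()`.

```csharp
using System;
using System.Linq;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Identity;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.DependencyInjection;

public static class PermissionSetup
{
    // Assumed names, not from the page: role, claim type and policy.
    public const string Role = "ProductAdmin", ClaimType = "Permission", Policy = "CanDeleteProduct";

    // Step 6: call from ConfigureServices, after Identity has been registered.
    public static void AddPermissionPolicies(IServiceCollection services) =>
        services.AddAuthorization(o =>
            o.AddPolicy(Policy, p => p.RequireClaim(ClaimType, "DeleteProduct")));

    // Steps 1-5, written to be idempotent so it can run at every startup.
    public static async Task SeedAsync(UserManager<IdentityUser> users,
        RoleManager<IdentityRole> roles, string email, string password)
    {
        var role = await roles.FindByNameAsync(Role);
        if (role == null) Check(await roles.CreateAsync(role = new IdentityRole(Role)));
        var granted = await roles.GetClaimsAsync(role);
        if (!granted.Any(c => c.Type == ClaimType && c.Value == "DeleteProduct"))
            Check(await roles.AddClaimAsync(role, new Claim(ClaimType, "DeleteProduct")));

        var user = await users.FindByEmailAsync(email);
        if (user == null)
            Check(await users.CreateAsync(user = new IdentityUser { UserName = email, Email = email }, password));
        if (!await users.IsInRoleAsync(user, Role))
            Check(await users.AddToRoleAsync(user, Role));
    }

    // Identity reports failures through IdentityResult instead of throwing; surface them.
    static void Check(IdentityResult r)
    {
        if (!r.Succeeded)
            throw new InvalidOperationException(string.Join("; ", r.Errors.Select(e => e.Description)));
    }
}

public class ProductsController : Controller
{
    // Step 7: the policy passes only if the signed-in principal carries the role's claim.
    [HttpPost, ValidateAntiForgeryToken, Authorize(Policy = PermissionSetup.Policy)]
    public IActionResult Delete(int id) => NoContent(); // placeholder body
}
```

Hiding the delete button in a view is cosmetic; the `[Authorize]` policy on the action is the enforcement point. Role claims are copied into the authentication cookie at sign-in, so a permission change does not reach an existing session until its principal is refreshed.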