
ASP .NET 5 MVC 6 Identity 3 Roles Claims Groups [closed]

I'm currently looking for a solution to use an advanced Roles/Group Permission management in ASP .NET 5 MVC 6 with Identity 3. I started a new Preview Starter Web Project with an integrated easy login system.

Now I need a complex "users permission management" with the following functions:

  1. users can be in multiple groups/roles
  2. a group/role has many access objects (e.g. CanAccessUser, CanEditUser...)
  3. these access objects (maybe claims?) of each group/role complement each other
  4. (optional for the ultimate solution): additionally => access objects (maybe claims) can be assigned independently by a group to a user

I have seen that Identity already broadly provides a table structure that fits for me (e.g. AspNetUsers, AspNetUserRoles, AspNetRoles, AspNetRoleClaims), but I'm missing a good example / documentation to use them.

For MVC 5, I used this example, where users have many groups and a group can have many roles (roles are the access objects in source code for classes / functions): ASP.NET Identity 2.0: Implementing Group-Based Permissions Management

Is there already a working example for these requirements, so that you do not have to reinvent the wheel?

speedone asked Apr 30 '15 11:04



1 Answer

We were in the same boat here, without much in terms of reading apart from the source of course...

We ended up implementing Policies. Policies being a group of Claims that are required for authorization to be satisfied. These Policies can then be applied to Controllers.

You can define your Policies in Startup.cs, ConfigureServices:

services.AddAuthorization(options =>
{
    options.AddPolicy("SalesSenior", policy =>
    {
        policy.RequireClaim("department", "sales");
        policy.RequireClaim("status", "senior");
    });
});

We defined Roles, assigned 1 or more Claims to them and assigned Roles to Users, allowing them to be checked against the appropriate Policy on hitting a Controller.

You can inject the IAuthorizationService into a Controller or Attribute like so:

public class SalesDashboardController: Controller
{
    private readonly IAuthorizationService _authz;

    // The constructor name must match the class name for injection to compile.
    public SalesDashboardController(IAuthorizationService authz)
    {
        _authz = authz;
    }
    ...
}

You can then use the IAuthorizationService to check the validity of a user's claims...

if (await _authz.AuthorizeAsync(User, "SalesSenior"))
{
    // User is authorized            
}

This article was my main source for this stuff and was a great primer for me. Good luck!

hally9k answered Oct 09 '22 15:10
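How the pieces described in the answer combine, as an added example that is not part of the original answer and not ASP.NET Identity's own code: a plain C# model, using only System.Security.Claims, of a user whose effective claims are the union of role claims plus directly assigned claims, checked against the "SalesSenior" policy. The role names, sample users and the BuildPrincipal/Satisfies helpers are hypothetical, and the case-sensitive ordinal matching is this sketch's choice.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Claims;

static class PolicyModel
{
    // Constructed sample data: role name -> claims granted by that role.
    static readonly Dictionary<string, Claim[]> RoleClaims = new Dictionary<string, Claim[]>
    {
        ["Sales"]  = new[] { new Claim("department", "sales") },
        ["Senior"] = new[] { new Claim("status", "senior") },
    };

    // The page's "SalesSenior" policy: claim type -> allowed values; every entry must match.
    static readonly Dictionary<string, string[]> SalesSenior = new Dictionary<string, string[]>
    {
        ["department"] = new[] { "sales" },
        ["status"]     = new[] { "senior" },
    };

    // Effective claims = union of the claims of all known roles + claims assigned directly.
    // A role name with no entry in RoleClaims grants nothing.
    public static ClaimsPrincipal BuildPrincipal(IEnumerable<string> roles, params Claim[] direct)
    {
        var claims = roles.Where(RoleClaims.ContainsKey)
                          .SelectMany(r => RoleClaims[r])
                          .Concat(direct);
        return new ClaimsPrincipal(new ClaimsIdentity(claims, "ConstructedAuth"));
    }

    // Deny by default: a missing claim type or an unlisted value fails the whole policy.
    public static bool Satisfies(ClaimsPrincipal user, Dictionary<string, string[]> policy) =>
        policy.All(req => user.Claims.Any(c =>
            string.Equals(c.Type, req.Key, StringComparison.Ordinal) &&
            req.Value.Contains(c.Value, StringComparer.Ordinal)));

    static void Main()
    {
        var alice = BuildPrincipal(new[] { "Sales", "Senior" });                    // two roles
        var bob   = BuildPrincipal(new[] { "Sales" });                              // one role only
        var carol = BuildPrincipal(new[] { "Sales" }, new Claim("status", "senior")); // role + direct claim
        var dave  = BuildPrincipal(new[] { "Sales", "Unknown" }, new Claim("status", "Senior")); // wrong case

        Console.WriteLine($"alice: {Satisfies(alice, SalesSenior)}");
        Console.WriteLine($"bob:   {Satisfies(bob, SalesSenior)}");
        Console.WriteLine($"carol: {Satisfies(carol, SalesSenior)}");
        Console.WriteLine($"dave:  {Satisfies(dave, SalesSenior)}");
    }
}
```

Only the two users whose combined claims cover both requirements pass; the single-role user and the user whose claim value differs in case are denied.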