Asp.net Core Identity Use AspNetUserClaims or AspNetRoleClaims?

+------------------+------------------+
|      Table       |   Description    |
+------------------+------------------+
| AspNetUsers      | The users.       |
| AspNetRoles      | The roles.       |
| AspNetUserRoles  | Roles of users.  |
| AspNetUserClaims | Claims by users. |
| AspNetRoleClaims | Claims by roles. |
+------------------+------------------+
  • A role is something assigned to a user.
    • Eg. Jane is an admin.
  • A claim is something claimed by a user.
    • Eg. Jane’s date of birth is 1990-10-1.
  • A role-claim is a claim claimed by a role.
    • Eg. Admins have access to the dashboard.

If you find roles and claims confusing, it’s probably because roles are a special case of claims, i.e. roles are claims. When a user signs in, Identity materialises each of the user’s roles as a claim of type ClaimTypes.Role on the ClaimsPrincipal, which is what User.IsInRole reads.

Role vs Policy

  • For role based authorization, the authorization system checks if the user has been assigned the roles required to access the given resource.
    • Eg: only users with the Admin role can access the dashboard.
  • For policy based authorization, some business logic is executed to decide if the resource access should be authorized.
    • Eg: only Admins with an age above 40 can access financial data.

Say I have this scenario

I have a company that has many branches. In each branch there will be an administrator of that branch; they have full power over the branch and can do anything there, but nothing at another branch. At the company level there will be an administrator who can do anything at the company level and at any branch. Finally, I have a person in the branch who can just add new employees.

Here’s one way of doing it:

  • 2 roles: Admin, TheRoleThatCanAddUsers
  • A claim called Branch that can take a branch id (or anything else to identify the branch). Company admins can use a value like "CompanyWide" or 0 or -1.

Now create a policy that checks the Role and the Branch claim and decides if the user should be authorized.
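One way to write that policy as a requirement plus handler, added here as an example rather than code from the original post. The class names, the `int` branch id used as the resource, the "Branch" claim type and the "CompanyWide" sentinel are assumptions; the roles are the two named above.

```csharp
using System.Linq;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authorization;

// Hypothetical requirement: the caller must hold one of the allowed roles AND
// carry a Branch claim that names the target branch (or the company-wide value).
public sealed class BranchAccessRequirement : IAuthorizationRequirement
{
    public const string BranchClaimType = "Branch";      // assumed claim type
    public const string CompanyWide = "CompanyWide";     // sentinel for company admins
    public string[] AllowedRoles { get; }
    public BranchAccessRequirement(params string[] allowedRoles) => AllowedRoles = allowedRoles;
}

// The resource is the id of the branch the request targets (assumed to be an int).
public sealed class BranchAccessHandler : AuthorizationHandler<BranchAccessRequirement, int>
{
    protected override Task HandleRequirementAsync(
        AuthorizationHandlerContext context, BranchAccessRequirement requirement, int branchId)
    {
        // Role check: IsInRole reads the ClaimTypes.Role claims Identity put on the principal.
        if (!requirement.AllowedRoles.Any(context.User.IsInRole))
            return Task.CompletedTask;               // do not Succeed; other handlers may still apply

        // Scope check: company-wide admins match every branch, others only their own.
        bool inScope = context.User.FindAll(BranchAccessRequirement.BranchClaimType)
            .Any(c => c.Value == BranchAccessRequirement.CompanyWide
                   || c.Value == branchId.ToString());
        if (inScope)
            context.Succeed(requirement);
        return Task.CompletedTask;
    }
}

// Registration (Program.cs), one policy per capability:
//   builder.Services.AddAuthorization(o =>
//   {
//       o.AddPolicy("ManageBranch", p => p.AddRequirements(new BranchAccessRequirement("Admin")));
//       o.AddPolicy("AddBranchUsers", p => p.AddRequirements(
//           new BranchAccessRequirement("Admin", "TheRoleThatCanAddUsers")));
//   });
//   builder.Services.AddSingleton<IAuthorizationHandler, BranchAccessHandler>();
//
// Resource-based check inside a controller action (IAuthorizationService injected as _authz):
//   var result = await _authz.AuthorizeAsync(User, branchId, "AddBranchUsers");
//   if (!result.Succeeded) return Forbid();
```

Because the branch id is passed as the resource, the branch in the URL is compared against the claim on the signed-in principal, so a branch admin cannot reach another branch simply by changing the id in the request. Keep the "CompanyWide" sentinel distinct from any real branch id so the two can never collide.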
