DEVHIDE
Login Or Sign up

.NET Core 7 and ASP.NET authorization (with identity)

100 Views Asked by At

I am trying to implement a specific security setup using the tables provided by .NET Identity.

We are talking about the tables:

  • Aspnet.Users: one row per user
  • Aspnet.Roles: one row per role
  • Aspnet.UserRole: cross-reference between user and role
  • Aspnet.UserClaims: list of claims assigned directly to a user
  • Aspnet.RoleClaims: list of claims assigned to a role.

I have "rights" that are assigned to my users (either directly or via roles):

CAN_PURCHASE_STUFF
CAN_MANAGE_EMPLOYEE_PROFILE
CAN_MODIFY_PRODUCT
CAN_CREATE_PRODUCT
etc..

A user can receive rights either DIRECTLY or through ROLES.

RoleA (ProductManager) will have the rights:

CAN_PURCHASE_STUFF
CAN_MODIFY_PRODUCT
CAN_CREATE_PRODUCT

RoleB (System_admin) will have the rights:

CAN_CREATE_PRODUCT
CAN_MANAGE_USER
CAN_... (and so on)

Essentially, all possible rights.

In the system, I have "security axes": user, departments, geographic region. The rights must always be applied based on an AXIS (or ALL axes).

A user can have roles but must also be "assigned" to an axis.

  • User001 has the 'ProductManager' role, applied to DEPARTMENT A.
  • User001 has the 'ProductManager' role, applied to DEPARTMENT B.
  • User002 has the RIGHT 'CAN_MANAGE_EMPLOYEE_PROFILE' for ALL departments.
  • ... and so on.

I then have a concept of "effective rights". This "breaks down" the rights by privilege.

For instance:

  • User001 CAN_PURCHASE_STUFF DEPARTMENT=A (via a role)
  • User001 CAN_MODIFY_PRODUCT DEPARTMENT=A (via a role)
  • User001 CAN_CREATE_PRODUCT DEPARTMENT=A (via a role)
  • User001 CAN_PURCHASE_STUFF DEPARTMENT=B (directly)
  • User002 CAN_MANAGE_EMPLOYEE_PROFILE DEPARTMENT=ALL
  • User003 CAN_MODIFY_PRODUCT DEPARTMENT=C (directly assigned)

My challenge lies with UserClaims.

How should I store this?

Currently, the UserClaims table only offers 'TYPE' and 'VALUE'.

If I want to store the concept of "right assigned via a ROLE (and which one), as well as the type of right, and the AXIS of the right, I will lack columns in the Aspnet.UserClaims table!

At the moment, I've created a custom table like this:

UserID: ...the user id...
RoleID: the roleID if assigned via a role
PrivilegeCode: the privilege code if a privilege is assigned directly
DepartmentID: the department ID if we want to limit
CustomerID: the customer ID if we want to restrict user rights.

However, I feel I am not utilizing the ASP.NET security model adequately (in fact, I don't even use the UserClaims table). I feels that storing a "claim-value" with all my data would not be efficient

ClaimType:PRIVILEGE
ClaimValue:CAN_PURCHASE_STUFF|ROLE=ProductManager|DEPARTEMENT=A

But then, my Angular will have some intense pain trying to filter on that

Any advice?

I tried a lot if different approach.

I tried storing everything in my Aspnet.UserClaims, but it is not "clean" nor manageable.

I ended up doing a custom table, but I really don't want to extend the base model if it is already made for my needs.

c# authorization claims-based-identity claims
Original Q&A
0

There are 0 best solutions below

Related Questions in C#

Related Questions in AUTHORIZATION

Related Questions in CLAIMS-BASED-IDENTITY

Related Questions in CLAIMS

Trending Questions

Popular # Hahtags

javascript python java c# php android html jquery c++ css ios sql mysql r reactjs

Popular Questions

.

Copyright © 2021 Jogjafile Inc.