8

In our system we have a way to set up users with permissions. They create a group name, for example, Admin and then assign all the permissions for the tasks they would like to do.

For example, they can add AddCompany, ViewCompany, DeleteCompany, EditCompany

This makes it very easy to make different permissions groups and we can control security very easily.

Am I right in thinking that in this instance the group name = Role and each permission is a claim?

Gillardo

2 Answers

13

Roles-based authorization is used to group users into groups (roles) and then set permissions on the role rather than on individual users.

E.g: In your case you can create Admin role and provide permission to do "AddCompany, ViewCompany, DeleteCompany, EditCompany" tasks.

In this case it is easier to manage a large set of users through a small set of roles. This is the most commonly used model for authentication.

Claims-based authorization provides additional layers of abstraction on your authorization strategy. Further, claims are a method of providing information about a user rather than a group of users. You create authorization policies that are used to generate a claim-set based on the authentication evidence presented by the user. Then the user presents claims to the application in order to access resources.

A claim is a statement that one subject makes about itself or another subject. The statement can be about a name, identity, key, group, privilege, or capability, for example. Claims are issued by a provider, and they are given one or more values and then packaged in security tokens that are issued by an issuer, commonly known as a security token service (STS).

Resources: http://msdn.microsoft.com/en-gb/library/ff649821.aspx

http://msdn.microsoft.com/en-gb/library/ff359101.aspx

Hope this helps.

DSR
  • OK, I understand the difference here, thanks. So I guess roles could be set up using claims, and the claim would be the group they are in? Also in our system we also have another part of security in that if a user is part of a particular company, then they can see certain data. Would this be considered a claim? Since they are claiming to be part of a company? In our current project, we added this as a property against the user.... – Gillardo Sep 27 '14 at 06:55
  • I think this post explains things better and in fact shows u that roles can be used as claims and why http://stackoverflow.com/questions/22814023/role-based-access-control-rbac-vs-claims-based-access-control-cbac-in-asp-n – Gillardo Sep 27 '14 at 08:19
5

Roles are claims, but not all claims are roles.

In a claims-based authorization system, you may use roles as permissions, but you may use something else as well. On my current project, we have a many to many mapping from roles to permissions.

recursive
  • Maybe an example of what u meant? – Gillardo Sep 27 '14 at 08:07
  • I think he meant; role "admin" can be one of a claim. But claim can also be "date of birth", which is not a role. In .net there's claim type class System.Security.Claims.ClaimTypes, and you have ClaimTypes.Role there. – Hrvoje Hudo Jan 26 '17 at 17:43
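An added example (not from either answerer) that puts the two answers and the comments together in .NET: the group name from the question is carried as a `ClaimTypes.Role` claim, the company membership the asker describes is a separate non-role claim, and a many-to-many role-to-permission table (the `Admin`/`Viewer` names, the `urn:example:company` claim type and the `ExampleAuth` authentication type are assumed for illustration) decides whether a permission such as `DeleteCompany` is granted.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Claims;

static class CompanyAuthz
{
    // Many-to-many mapping: a role grants several permissions, and a permission
    // (ViewCompany here) can appear under several roles. Role names are assumed.
    static readonly Dictionary<string, HashSet<string>> RolePermissions =
        new Dictionary<string, HashSet<string>>
        {
            ["Admin"]  = new HashSet<string> { "AddCompany", "ViewCompany", "EditCompany", "DeleteCompany" },
            ["Viewer"] = new HashSet<string> { "ViewCompany" },
        };

    // Assumed custom claim type for the "user belongs to this company" fact from the comments.
    // It is a claim, but not a role: it says something about the user, not which group they are in.
    const string CompanyClaimType = "urn:example:company";

    public static ClaimsPrincipal BuildPrincipal(string user, IEnumerable<string> roles, string companyId)
    {
        var claims = new List<Claim>
        {
            new Claim(ClaimTypes.Name, user),
            new Claim(CompanyClaimType, companyId),
        };
        // Each group membership becomes one ClaimTypes.Role claim, which is what IsInRole() reads.
        claims.AddRange(roles.Select(r => new Claim(ClaimTypes.Role, r)));
        var identity = new ClaimsIdentity(claims, "ExampleAuth", ClaimTypes.Name, ClaimTypes.Role);
        return new ClaimsPrincipal(identity);
    }

    // Permission check: granted if any role claim maps to the requested permission.
    public static bool HasPermission(ClaimsPrincipal p, string permission) =>
        p.FindAll(ClaimTypes.Role)
         .Any(c => RolePermissions.TryGetValue(c.Value, out var perms) && perms.Contains(permission));

    // Data-scoping check: the permission alone is not enough, the company claim must match too.
    public static bool CanAccessCompany(ClaimsPrincipal p, string permission, string companyId) =>
        HasPermission(p, permission) && p.HasClaim(CompanyClaimType, companyId);

    static void Main()
    {
        var viewer = BuildPrincipal("alice", new[] { "Viewer" }, "company-42");
        Console.WriteLine(viewer.IsInRole("Viewer"));                              // role claim present
        Console.WriteLine(CanAccessCompany(viewer, "ViewCompany", "company-42"));   // role grants it, company matches
        Console.WriteLine(CanAccessCompany(viewer, "DeleteCompany", "company-42")); // Viewer role lacks the permission
        Console.WriteLine(CanAccessCompany(viewer, "ViewCompany", "company-7"));    // company claim does not match
    }
}
```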