ASP .NET 5 MVC 6 Identity 3 Roles Claims Groups

Question

I'm currently looking for a solution to use an advanced Roles/Group Permission management in ASP .NET 5 MVC 6 with Identity 3. I started a new Preview Starter Web Project with a integrated easy login system.

Now I need a complex "users permission management" with following functions:

1. users can be in multiple groups/roles
2. a group/role have many access objects (e.g. CanAccessUser, CanEditUser...)
3. these access objects (maybe claims?) of each group/roles complement each other
4. (optional for the ultimate solution): additionally => access objects(maybe claims) can be assigned independently by a group to a user

I have seen that identity already broadly provides a fitting for me table structure . (e.g. AspNetUsers, AspNetUserRoles, AspNetRoles, AspNetRoleClaims),

But I'm missing a good example / documentation to use them.

For MVC 5, I used this example: Users have many groups, a group can have many roles (Roles are the Access Objects in source code for classes / functions) ASP.NET Identity 2.0: Implementing Group-Based Permissions Management

Exists for these requirements already a working example that you do not have to reinvent the wheel.

Answer 1

We were in the same boat here, without much in terms of reading apart from the source of course...

We ended up implementing Policies. Policies being a group of Claims that are required for authorization to be satisfied. these Policies can then be applied to Controllers.

You can define your Policies in Startup.cs, ConfigureServices:

services.AddAuthorization(options =>
{
    options.AddPolicy("SalesSenior", policy =>
    {
        policy.RequireClaim("department", "sales");
        policy.RequireClaim("status", "senior");
    });
});

We defined Roles, assigned 1 or more Claims to them and assigned Roles to Users allowing them to be checked against the appropriate Policy on hitting a Controller.

You can inject the IAuthorizationService into a Controller or Attribute as so:

public class SalesDashboardController: Controller
{
    private readonly IAuthorizationService _authz;

    public VarianceOverviewController(IAuthorizationService authz)
    {
        _authz = authz;
    }
    ...
}

You can then use the IAuthorizationService to check the validity of a users claims...

if (await _authz.AuthorizeAsync(User, "SalesSenior"))
{
    // User is authorized            
}

This article was my main source for this stuff and was a great primer for me. Good luck!

Answer 2

If you are looking for a sample project there are not that many out there at the moment. The first place to look is on the aspnet GitHub project pages.

Luckily, the ASP.NET Identity sub-project has a sample project that you can take a look at here, however it may not cover all your requirements. Note that this is using the latest beta.

Answer 3

This thread helped me get something working, but it's sad that this is not better documented.

Here are my attempts at improving that. Asp.net.Identity (3.0.0.0-rc1-final)

in Startup.cs --> ConfigurationServices

        //Define your policies here, they are strings associated with claims types, that have claim strings... 
        //they need to be in AspNetUserClaims table, user id, department, Dev to be allowed access to the Dev policy
        //add the auth option, below that makes it work, and in the api controller, add the        
        //[Authorize("Dev")] attribute
        services.AddAuthorization(
            options =>
            {
                options.AddPolicy("Dev", policy => { policy.RequireClaim("department", "Dev"); });
            });
        services.AddMvc();