
In a C# Web API project I need to define and check granular permissions, such as "CanEditOrder" / "CanViewOrder", etc. Currently I'm using claims authorization, so if I want to stay within the ASP.NET standard I need to set those permissions as "mini-roles" in order to check them via the Authorize attribute on an ApiController.

Is this really the recommended best practice for handling granular permissions, or does claims authorization offer another (more lightweight) approach to set and check granular permissions aside from the more general "role"?

Marco
  • Guys, could you please reconsider and take my question off hold? I don't see how asking for best practices is opinion-based. And BTW, other questions of this character have been asked not long ago, and they were not rejected: https://stackoverflow.com/questions/30960315/best-practices-for-roles-vs-claims-in-asp-net-identity – Marco Jun 16 '17 at 08:34

1 Answer


On the whole project, I'm setting Roles as a [Flags] enum, then I can use it in authorization filters as [Authorization(Roles.Admin, Roles.CanEdit, Roles.AnotherRolesFromAnotherProcess, ...)]

Here is a Roles example from my current project:

[Flags]
public enum Roles
{
    None = 0,
    ReadOnly = 1 << 0,
    ManageUsers = 1 << 1,
    // user restricted to seeing only their own databases.
    RestrictedBases = 1 << 2,
    // user allowed to see all databases.
    FullBases = 1 << 3,

    Prepaye = 1 << 4,
    AnalyseRSH = 1 << 5,

    // Admin has every non-restrictive role (a bitwise union of the flags above).
    Admin = ManageUsers | FullBases | Prepaye | AnalyseRSH
}

You can see that the roles mix technical roles (user can see all or restricted) and functional roles (user is HR, billing manager, ...). This is very easy to use, and you can quickly adapt it for every request from the customer.

And Admin obviously has all the roles, except the restrictive ones.

For your needs, you can create something like this:

    [Flags]
    public enum Roles
    {
        None = 0,
        HR = 1 << 0,
        Recruiter = 1 << 1,
        CanWrite = 1 << 2,
        CanRead = 1 << 3,

        // composite role: union of the individual flags
        HRFull = HR | CanWrite | CanRead
    }
User.Anonymous
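As an added example that is not part of User.Anonymous's answer nor code from any project on this page: the [Flags] approach carried end to end, with the permission set stored in a single claim, read back with undefined bits masked off, and enforced by a custom ASP.NET Web API 2 authorization filter (the built-in [Authorize] attribute only accepts role names as strings, so an enum needs its own filter). The enum members are the HR/Recruiter/CanWrite/CanRead ones sketched above; the claim type name "urn:app:permissions", the attribute name RequirePermissions, and the dependency on the Microsoft.AspNet.WebApi.Core NuGet package are assumptions made for this example.

```csharp
// Added example (not from the answer above). Assumes ASP.NET Web API 2
// (NuGet: Microsoft.AspNet.WebApi.Core) for the filter attribute; the claim
// type "urn:app:permissions" and the attribute name are chosen for this example.
using System;
using System.Linq;
using System.Net;
using System.Net.Http;
using System.Security.Claims;
using System.Security.Principal;
using System.Web.Http.Controllers;
using System.Web.Http.Filters;

[Flags]
public enum Permissions
{
    None = 0,
    HR = 1 << 0,
    Recruiter = 1 << 1,
    CanWrite = 1 << 2,
    CanRead = 1 << 3,

    // A composite is just a union of bits: a user granted HRFull automatically
    // satisfies any check for HR, CanWrite or CanRead.
    HRFull = HR | CanWrite | CanRead
}

public static class PermissionClaims
{
    // One claim carries the whole flag set as an integer string.
    public const string ClaimType = "urn:app:permissions";

    // Mask of every bit the application actually defines.
    private static readonly Permissions Defined =
        Enum.GetValues(typeof(Permissions)).Cast<Permissions>()
            .Aggregate(Permissions.None, (acc, p) => acc | p);

    // Issued server side when the identity is built (sign-in / token generation).
    public static Claim Create(Permissions granted) =>
        new Claim(ClaimType, ((int)granted).ToString());

    // Reads the granted set back from the principal; fails closed to None.
    public static Permissions Granted(IPrincipal principal)
    {
        var identity = principal?.Identity as ClaimsIdentity;
        var claim = identity?.FindFirst(ClaimType);
        if (claim == null) return Permissions.None;

        // Enum.TryParse would also accept member names and undefined bits, so
        // parse a plain integer and mask to the defined bits: a malformed claim
        // cannot smuggle in flags the application never issued.
        if (!int.TryParse(claim.Value, out var raw)) return Permissions.None;
        return (Permissions)raw & Defined;
    }

    // "All of": every required bit must be present. Requiring Permissions.None
    // is always satisfied, so callers must never use it as a requirement.
    public static bool HasAll(this Permissions granted, Permissions required) =>
        (granted & required) == required;

    // "Any of": at least one required bit is present.
    public static bool HasAny(this Permissions granted, Permissions required) =>
        (granted & required) != Permissions.None;
}

// Usage on an ApiController or action:
//   [RequirePermissions(Permissions.HR | Permissions.CanWrite)]
[AttributeUsage(AttributeTargets.Class | AttributeTargets.Method, AllowMultiple = true)]
public sealed class RequirePermissionsAttribute : AuthorizationFilterAttribute
{
    private readonly Permissions _required;

    public RequirePermissionsAttribute(Permissions required) { _required = required; }

    public override void OnAuthorization(HttpActionContext actionContext)
    {
        // The principal comes from the authentication pipeline (e.g. a validated
        // bearer token), never from a header or body the caller controls.
        var principal = actionContext.RequestContext.Principal;
        if (principal?.Identity == null || !principal.Identity.IsAuthenticated)
        {
            actionContext.Response = actionContext.Request.CreateResponse(HttpStatusCode.Unauthorized);
            return;
        }

        if (!PermissionClaims.Granted(principal).HasAll(_required))
        {
            actionContext.Response = actionContext.Request.CreateResponse(HttpStatusCode.Forbidden);
        }
    }
}

public static class Program
{
    public static void Main()
    {
        // Constructed identity for the demonstration: granted the HRFull composite.
        var identity = new ClaimsIdentity(new[] { PermissionClaims.Create(Permissions.HRFull) }, "Demo");
        var granted = PermissionClaims.Granted(new ClaimsPrincipal(identity));

        if (!granted.HasAll(Permissions.HR | Permissions.CanWrite)) throw new Exception("HR+CanWrite expected");
        if (granted.HasAll(Permissions.Recruiter)) throw new Exception("Recruiter must not be granted");
        if (!granted.HasAny(Permissions.Recruiter | Permissions.CanRead)) throw new Exception("CanRead expected");

        // A tampered or malformed claim value fails closed rather than open.
        var bad = new ClaimsIdentity(new[] { new Claim(PermissionClaims.ClaimType, "not-a-number") }, "Demo");
        if (PermissionClaims.Granted(new ClaimsPrincipal(bad)) != Permissions.None) throw new Exception("must fail closed");

        Console.WriteLine("permission checks passed");
    }
}
```

Two design points worth keeping in mind with this pattern: decide explicitly whether an attribute means "all of these bits" or "any of these bits" (the filter above is all-of, which is the safer default for write operations), and remember that an enum stored as a number in a claim is only as trustworthy as the mechanism that produced the principal, so the permission set must be computed server side at sign-in or token issuance and never accepted from the request itself.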