
Scope/Role/Group Based Access Control


I am using Azure Active Directory and am trying to understand the three types of access control described here. What are the advantages and disadvantages of each approach, and when would you use each of them?

  • Scope based access control using the oauth2Permissions section of my manifest, where I can add read and write permissions like so:

    {
      "adminConsentDescription": "Allow the application read access to MyApi on behalf of the signed-in user.",
      "adminConsentDisplayName": "Read access to MyApi",
      "id": "56d944c0-f3aa-4f80-9472-9c1414383abf",
      "isEnabled": true,
      "type": "User",
      "userConsentDescription": "Allow the application read access to MyApi on your behalf.",
      "userConsentDisplayName": "Read access to MyApi",
      "value": "read_my_api"
    },
    {
      "adminConsentDescription": "Allow the application write access to MyApi on behalf of the signed-in user.",
      "adminConsentDisplayName": "Write access to MyApi",
      "id": "6d66a2bd-c8c7-4ee0-aef4-9424b51b4967",
      "isEnabled": true,
      "type": "User",
      "userConsentDescription": "Allow the application write access to MyApi on your behalf.",
      "userConsentDisplayName": "Write access to MyApi",
      "value": "write_my_api"
    }
    
  • Role Based Access Control (RBAC) - Using appRoles section of my manifest.

  • Group based access control using the groupMembershipClaims section of my manifest.

Solution

  • The two most popular ones:

    • Role Based Access Control - you assign roles to the users or groups in your application configuration (inside the Azure Portal). Then in code you can use those roles to authorize users for certain parts of your application. You can do something like this: if (User.IsInRole("SuperAdmin")) {...}
    • Group based access control using groupMembershipClaims - it's similar, but you are checking whether the user belongs to a specific group.
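Added example (not code from the question or the answer): the three claim checks side by side on a decoded token payload, assuming a JWT library has already validated signature, issuer, audience and expiry. The payloads, object IDs and the "SuperAdmin" role assignment are constructed, and the group-overage case shows why a groups check cannot always be decided from the token alone.

```python
# Added example (not from the original post): authorization decisions on the
# three Azure AD claim types after a JWT library has already validated the
# token's signature, issuer, audience and expiry. Payloads are constructed;
# the object IDs and the "SuperAdmin" role assignment are made up.

DELEGATED_TOKEN = {
    "aud": "api://my-api",
    "scp": "read_my_api write_my_api",   # oauth2Permissions: space-separated string
    "roles": ["SuperAdmin"],             # appRoles assigned to the signed-in user
    "groups": ["11111111-1111-1111-1111-111111111111"],  # groupMembershipClaims
}

OVERAGE_TOKEN = {
    "aud": "api://my-api",
    "scp": "read_my_api",
    "roles": [],
    # The user is in too many groups to list; AAD drops "groups" and leaves
    # an overage marker instead. The endpoint value here is a placeholder.
    "_claim_names": {"groups": "src1"},
    "_claim_sources": {"src1": {"endpoint": "<graph-endpoint-placeholder>"}},
}

def is_delegated(claims):
    # Tokens issued on behalf of a user carry "scp"; app-only tokens do not
    # and instead carry application permissions in "roles".
    return "scp" in claims

def has_scope(claims, required):
    # Delegated permission: the client app was granted this for the user.
    return required in claims.get("scp", "").split()

def has_role(claims, required):
    # App role: the user (or a group they belong to) was assigned this.
    return required in claims.get("roles", [])

def in_group(claims, group_id):
    # True/False from the token, or None on overage: the API must then look
    # the membership up in Microsoft Graph before granting access.
    if "groups" in claims.get("_claim_names", {}):
        return None
    return group_id in claims.get("groups", [])

def may_write(claims):
    # Delegated call: require both the app's consented scope and the user's
    # role, so neither a broadly consented app nor an admin using an
    # unconsented app gets write access on its own.
    return is_delegated(claims) and has_scope(claims, "write_my_api") \
        and has_role(claims, "SuperAdmin")
```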