In the past, with ASP.NET MVC on .NET Framework, I always implemented a Rights-based authorization layer on top of the Roles-based authorization that was built-in. By "Rights-based", what I mean is that a list of enumerated Rights is assigned to each Role, and at runtime, each call checked for a Right, not a Role.
e.g. say the Post method on the OrdersController required the AddOrEditOrder Right. That would look like [MyAuthorize(MyRights.AddOrEditOrder)] on the Post action. Then somewhere else you'd be able to configure that only the Manager and CustomerRep Roles had that Right.
I always thought this little abstraction layer was easy to implement and greatly improved maintainability, even if the rights-to-roles mapping was only updated from a config file and not a UI. Coming from a Windows-based IT setting, this is just "how it's done right", IMO.
However, moving to ASP.NET Core Identity, we have all this newfangled fanciness with Claims. Now, I realized Claims and Rights are not at all the same thing. However, can you use Claims, assign them to Roles, and effectively accomplish what I described above?
It appears based on the database schema that you can assign Claims to Roles, and you can assign Roles to Users. So, in theory, adding the Claim "AddOrEditOrder" to both the "Manager" and "CustomerRep" Roles would do what I'm thinking. Then I'd just put [Authorize("AddOrEditOrder")] on the Post action of the OrdersController, and voilà, it would work!... right?
Can I use Claims & Roles this way without serious snafus?
As the helpful answer from @Ruard-van-Elburg suggests, I mistakenly wrote "Claims" where I meant "Policies". Substitute one for the other, and everything I said works. Another word for "Rights" is "Permissions", and there are some very useful suggestions in this related question and its top answer: How to implement Permission Based Access Control with Asp.Net Core
This is not the way claims should be used. Claims are supposed to model the identity of a user, not permissions. Please read the article Identity vs Permissions for some explanation.
In your case you can use policies.
public void ConfigureServices(IServiceCollection services)
{
    services.AddAuthorization(options =>
    {
        // Named policy "AddOrEditOrder": satisfied when the user holds
        // either the Manager or the CustomerRep role.
        options.AddPolicy("AddOrEditOrder", policy =>
            policy.RequireRole("Manager", "CustomerRep"));
    });
}
And use the same attribute:
[Authorize("AddOrEditOrder")]
There are many other options to add authorization. You can also take a look at the PolicyServer.
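As an added example (not part of the question or the answer above), here is the permission-to-role mapping the question describes, registered as named policies in one loop so that controller actions name a permission and never a role. The permission names, role names, Startup class and OrdersController are hypothetical, and it assumes ASP.NET Core Identity (or another authentication scheme) is already configured so that role claims are present on the user.

```csharp
// Added example: permission names map to the roles that hold them, and each
// permission becomes a named authorization policy. Names are hypothetical.
using System.Collections.Generic;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.DependencyInjection;

public static class Permissions
{
    // Constants keep policy names in one place; a typo in a string literal
    // would only surface as a runtime error on the first request.
    public const string AddOrEditOrder = "AddOrEditOrder";
    public const string CancelOrder    = "CancelOrder";
    public const string ViewReports    = "ViewReports";
}

public static class PermissionPolicies
{
    // Hypothetical mapping of permission -> roles that hold it. In practice
    // load this from configuration so role assignments change without a rebuild.
    private static readonly Dictionary<string, string[]> PermissionRoles = new()
    {
        [Permissions.AddOrEditOrder] = new[] { "Manager", "CustomerRep" },
        [Permissions.CancelOrder]    = new[] { "Manager" },
        [Permissions.ViewReports]    = new[] { "Manager", "Auditor" },
    };

    public static void Register(AuthorizationOptions options)
    {
        foreach (var (permission, roles) in PermissionRoles)
        {
            // RequireRole succeeds when the user is in ANY of the listed roles.
            options.AddPolicy(permission, policy => policy.RequireRole(roles));
        }

        // Deny by default: endpoints with no [Authorize] or [AllowAnonymous]
        // still require an authenticated user.
        options.FallbackPolicy = new AuthorizationPolicyBuilder()
            .RequireAuthenticatedUser()
            .Build();
    }
}

public class Startup
{
    public void ConfigureServices(IServiceCollection services)
    {
        services.AddControllers();
        services.AddAuthorization(PermissionPolicies.Register);
    }

    public void Configure(IApplicationBuilder app)
    {
        app.UseRouting();
        app.UseAuthentication();   // must run before UseAuthorization
        app.UseAuthorization();
        app.UseEndpoints(endpoints => endpoints.MapControllers());
    }
}

[ApiController]
[Route("api/[controller]")]
public class OrdersController : ControllerBase
{
    // The action names the permission; which roles hold it lives in the mapping.
    [HttpPost]
    [Authorize(Policy = Permissions.AddOrEditOrder)]
    public IActionResult Post() => Ok();

    [HttpDelete("{id}")]
    [Authorize(Policy = Permissions.CancelOrder)]
    public IActionResult Cancel(int id) => NoContent();
}
```

Two caveats worth knowing before relying on this. First, a policy name that was never registered is not a compile error: the default policy provider throws an InvalidOperationException when the first request reaches that action, so keep the names in constants and cover each action with a test. Second, ASP.NET Core Identity copies a user's role names into role claims when the cookie is issued, so RequireRole evaluates the roles as of sign-in; a user removed from Manager keeps that permission until the cookie principal is refreshed (Identity's security stamp validation does this on an interval) or they sign in again.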