
I am using the latest and greatest Identity 3.x that comes stock with MVC6 Core 1.0 when selecting 'Individual User Accounts'.

The requirements of my user auth is the following:

Users -> AspNetUsers  
Roles -> AspNetRoles  
UserRoles -> AspNetUserRoles   
RoleFunctions -> I don't see a table for this in the Identity db structure

RoleFunctions are any kind of system function such as DeleteCustomers, AccessToCustomerPage, etc.

I am going to assume ASP.NET Identity doesn't support this extra step with Roles-Based authentication so I am going to have to create the table and functions involved myself. Is this true or is it all there for me and I'm just not seeing it?

Blake Rivell
  • I think you are referring to **policies**. I guess you will have a known number of role functions and they will be known in your code (unless you are targeting some dynamism) ? You may consider hardcoding them and creating policies, e.g. "In order to delete customer, the user must have this, this, and/or this role". Check out here: https://docs.asp.net/en/latest/security/authorization/roles.html#policy-based-role-checks – regnauld Apr 15 '16 at 14:00
  • Ok so you're saying if I have a bunch of global constants for all of the role functions and use policies that I shouldn't need the RoleFunctions table? The thing is that I need to do all of my checks at the function level not the role level. So for example: If current logged in user is part of a role that includes DeleteCustomer then show trashbin in view model. – Blake Rivell Apr 15 '16 at 16:44

1 Answer


Identity allows you to determine authorization based on a controller, or a specific action in the controller.

[Authorize]
public IActionResult ControllerMethod(int param) { /* ... */ }

[Authorize] will require authentication before this action or controller can be visited.

So, if you wanted to create an action that only the admin could perform (or any user role group you have created), above the controller method you would put

[Authorize(Roles = "admin")]
public IActionResult ControllerMethod(int param) { /* ... */ }

Roles can accept a list of strings, like (Roles = "Admin,Manager"), so you can put multiple roles in a single authorization claim.

You can also do this on the controller level, forcing every action in the controller to adhere to your authorization claims. Basically if you put it above the controller declaration every action will be affected, but you can whitelist a particular action with

[AllowAnonymous]
public IActionResult NoSecurityControllerAction() { /* ... */ }

I hope this is what you are looking for, and you can find better guides here: http://www.asp.net/identity

UPDATE 1 For the DeleteCustomer example, I'm assuming you have some methods in a controller that handle the deletion of a customer object. Above those methods, put [Authorize(Roles = "CustomerAdmin")] and then only the users with the CustomerAdmin role in UserRoles can use that action.

like:

[Authorize(Roles = "CustomerAdmin")]
public ActionResult DeleteCustomer(int id) { /* ... */ }
Kyle Bachmann
  • This is close to what I am looking for. Can you update your post to accommodate this example: There is a role called CustomerAdmin. Where do I specify what functions a CustomerAdmin can do? Let's say they can View and Delete customers. Let's say in the ViewModel I want to only display a trash bin icon for Users who have the role CustomerAdmin. I would much rather do a check saying if whatever role the User is has the function Delete customer then show the trash bin. Which is where my RoleFunctions part comes into play. – Blake Rivell Apr 15 '16 at 16:40
  • What I am trying to say above is that I prefer doing all of my checks at the function level rather than the role level. So for example: If the current logged in user is part of a role that includes the hard-coded function DeleteCustomer then show the trash bin in the view model. How would you go about setting up a system that does this? – Blake Rivell Apr 15 '16 at 16:46
  • For the DeleteCustomer example, I'm assuming you have some methods in a controller that handle the deletion of a customer object. Above those methods, put [Authorize(Roles="CustomerAdmin")] and then only the users with the CustomerAdmin role in UserRoles can use that action. – Kyle Bachmann Apr 15 '16 at 19:17
  • For the front end aspect, I'm not sure what you want to do; you could check the role in the controller and return a different view based on what role you have. Basically make a copy of your view w/o the trash bin for users not in the role you want. Alternatively you could maybe accomplish that with JavaScript, and hide it if they are not in the role, but I wouldn't suggest that. – Kyle Bachmann Apr 15 '16 at 19:20
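
The following is an added example, not code from the question or the answer above, showing the policy-based approach regnauld's comment points at: each "role function" (ViewCustomers, DeleteCustomers) becomes a named policy that maps onto one or more Identity roles, the controller actions are protected by `[Authorize(Policy = ...)]`, and the view model's `CanDelete` flag for the trash-bin icon is computed with `IAuthorizationService` against the same policy, so the UI hint and the server-side check can never disagree. Two details worth noting: the `Roles` property on `[Authorize]` is a single comma-separated string (`Roles = "Admin,Manager"`), not a list of string arguments; and in ASP.NET Core 1.x `IAuthorizationService.AuthorizeAsync(user, policyName)` returns `Task<bool>`, while from 2.0 onward it returns `Task<AuthorizationResult>` and you check `.Succeeded`. The role names (`CustomerAdmin`, `CustomerViewer`), the `Functions`/`AppRoles` constant classes, the controller and the view model are all assumed names for the example.

```csharp
// Added example (not from the original page). Targets ASP.NET Core 1.x
// (Microsoft.AspNetCore.Authorization / Microsoft.AspNetCore.Mvc).
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.DependencyInjection;

// The "RoleFunctions" from the question, hard-coded as policy names.
// Assumed names for the example.
public static class Functions
{
    public const string ViewCustomers   = "ViewCustomers";
    public const string DeleteCustomers = "DeleteCustomers";
}

// Identity roles stored in AspNetRoles. Assumed names for the example.
public static class AppRoles
{
    public const string CustomerAdmin  = "CustomerAdmin";
    public const string CustomerViewer = "CustomerViewer";
}

public class Startup
{
    public void ConfigureServices(IServiceCollection services)
    {
        services.AddMvc();

        // Function -> roles mapping lives here instead of in a RoleFunctions table.
        // Adding a role to a function is a one-line change in one place.
        services.AddAuthorization(options =>
        {
            options.AddPolicy(Functions.ViewCustomers,
                p => p.RequireRole(AppRoles.CustomerAdmin, AppRoles.CustomerViewer));

            options.AddPolicy(Functions.DeleteCustomers,
                p => p.RequireRole(AppRoles.CustomerAdmin));
        });
    }
}

public class CustomerListViewModel
{
    // Drives whether the Razor view renders the trash-bin icon.
    public bool CanDelete { get; set; }
}

[Authorize] // every action requires an authenticated user
public class CustomersController : Controller
{
    private readonly IAuthorizationService _authz;

    public CustomersController(IAuthorizationService authz)
    {
        _authz = authz;
    }

    // Anyone who may view customers can load the list.
    [Authorize(Policy = Functions.ViewCustomers)]
    public async Task<IActionResult> Index()
    {
        var vm = new CustomerListViewModel
        {
            // Ask the same policy the Delete action enforces; the icon is
            // only a hint, the real control is the attribute on Delete.
            // (ASP.NET Core 1.x: Task<bool>. 2.0+: use (await ...).Succeeded)
            CanDelete = await _authz.AuthorizeAsync(User, Functions.DeleteCustomers)
        };
        return View(vm);
    }

    // Only roles granted the DeleteCustomers function reach this action,
    // regardless of whether the icon was hidden in the view.
    [HttpPost]
    [ValidateAntiForgeryToken]
    [Authorize(Policy = Functions.DeleteCustomers)]
    public IActionResult Delete(int id)
    {
        // ... remove the customer with the given id ...
        return RedirectToAction(nameof(Index));
    }
}
```

In the Razor view the icon is then `@if (Model.CanDelete) { <span class="glyphicon glyphicon-trash"></span> }`; hiding it is purely cosmetic, and a user who crafts the POST by hand still hits the `[Authorize(Policy = ...)]` check on `Delete`. If the function-to-role mapping genuinely has to be editable at runtime, the same policy names can be kept and backed by a custom `IAuthorizationRequirement` and `AuthorizationHandler<T>` that consult a RoleFunctions table, so the controllers and views stay exactly as above.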