
As Azman is now on its way out of support, we need to find a new way of configuring the access control for our applications.

Currently, in Azman, we have a list of "Operations", e.g. CanReadForm, CanEditForm. These operations can be mapped to one or more roles, so you can build up a set of "things a role can do". Users generally are assigned a single role and so they have a list of operations, or "things a user can do".

This worked well because on logging in, Azman would know what role they had, and pass a list of operations. The code could then be configured for example:

if (currentUser.HasOperation("CanEditForm"))
{
    // allow editing of form
}

For ADFS I'm struggling to understand how we can have a list of operations that we can map to a role. Presumably you could have a list of claims, that could be like Azman operations, but these only map to a user - right? Can you map a list of claims to an Active Directory group for example? If you could, then the Active Directory group would act as the "role". If so, would you need to create a new claim list for each AD group?

Can anyone offer any advice?

Calanus

1 Answer

Azman doesn't really translate to claims-based authentication but here is my take:

Claims: Azman in the new claims-based world.

It works but it's not as "clean".

rbrayb
  • Thanks for that, was useful reading. Can you confirm that only users can have "claims", not roles/AD groups? If this is the case then ADFS is probably not the authorisation mechanism that I am looking for – Calanus Dec 21 '16 at 13:54
  • A claim can contain any attribute in AD. That includes security groups. Normally security groups are mapped to a claim of type "Role". – rbrayb Dec 21 '16 at 17:56
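As an added example (not code from either poster), this is one way to keep the Azman-style operation list on top of ADFS claims: the AD security group arrives as a claim of type Role, as the comment above describes, and a small role-to-operation table inside the application turns that into the old HasOperation check. The class name OperationMap, the group names and the operation names are assumptions made for illustration.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Claims;

// Added example: Azman-style "operations" on top of ADFS claims.
// ADFS is assumed to issue the user's AD security groups as claims of
// type ClaimTypes.Role. The group and operation names are made up.
public static class OperationMap
{
    // Role (AD group) -> operations that role may perform. This table
    // replaces Azman's role/operation definitions and lives in the app.
    private static readonly Dictionary<string, HashSet<string>> RoleOperations =
        new Dictionary<string, HashSet<string>>(StringComparer.OrdinalIgnoreCase)
        {
            ["FormReaders"] = new HashSet<string> { "CanReadForm" },
            ["FormEditors"] = new HashSet<string> { "CanReadForm", "CanEditForm" },
        };

    // Equivalent of the old currentUser.HasOperation(...) check.
    public static bool HasOperation(this ClaimsPrincipal user, string operation)
    {
        if (user == null || string.IsNullOrEmpty(operation)) return false;
        // Only role claims are consulted; a claim of any other type is ignored,
        // so an unrelated attribute cannot be mistaken for a role.
        return user.FindAll(ClaimTypes.Role)
                   .Select(c => c.Value)
                   .Any(role => RoleOperations.TryGetValue(role, out var ops)
                                && ops.Contains(operation));
    }
}

public static class Demo
{
    public static void Main()
    {
        // Constructed principal standing in for what ADFS issues after login.
        var identity = new ClaimsIdentity(new[]
        {
            new Claim(ClaimTypes.Name, "alice"),
            new Claim(ClaimTypes.Role, "FormReaders"),
        }, "Federation");
        var currentUser = new ClaimsPrincipal(identity);

        Console.WriteLine(currentUser.HasOperation("CanReadForm"));
        Console.WriteLine(currentUser.HasOperation("CanEditForm"));
    }
}
```

The mapping table is the part an administrator would audit: every operation a group can perform is visible in one place, and a new AD group only needs a new row, not a new set of claims in ADFS.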