I'm currently looking for a solution to use an advanced Roles/Group Permission management in ASP .NET 5 MVC 6 with Identity 3. I started a new Preview Starter Web Project with a integrated easy login system.
Now I need a complex "users permission management" with following functions:
- users can be in multiple groups/roles
- a group/role have many access objects (e.g. CanAccessUser, CanEditUser...)
- these access objects (maybe claims?) of each group/roles complement each other
- (optional for the ultimate solution): additionally => access objects(maybe claims) can be assigned independently by a group to a user
I have seen that identity already broadly provides a fitting for me table structure . (e.g. AspNetUsers, AspNetUserRoles, AspNetRoles, AspNetRoleClaims),
But I'm missing a good example / documentation to use them.
For MVC 5, I used this example: Users have many groups, a group can have many roles (Roles are the Access Objects in source code for classes / functions) ASP.NET Identity 2.0: Implementing Group-Based Permissions Management
Exists for these requirements already a working example that you do not have to reinvent the wheel.
We were in the same boat here, without much in terms of reading apart from the source of course...
We ended up implementing Policies. Policies being a group of Claims that are required for authorization to be satisfied. these Policies can then be applied to Controllers.
You can define your Policies in Startup.cs, ConfigureServices:
services.AddAuthorization(options =>
{
options.AddPolicy("SalesSenior", policy =>
{
policy.RequireClaim("department", "sales");
policy.RequireClaim("status", "senior");
});
});
We defined Roles, assigned 1 or more Claims to them and assigned Roles to Users allowing them to be checked against the appropriate Policy on hitting a Controller.
You can inject the IAuthorizationService
into a Controller or Attribute as so:
public class SalesDashboardController: Controller
{
private readonly IAuthorizationService _authz;
public VarianceOverviewController(IAuthorizationService authz)
{
_authz = authz;
}
...
}
You can then use the IAuthorizationService
to check the validity of a users claims...
if (await _authz.AuthorizeAsync(User, "SalesSenior"))
{
// User is authorized
}
This article was my main source for this stuff and was a great primer for me. Good luck!
If you are looking for a sample project there are not that many out there at the moment. The first place to look is on the aspnet GitHub project pages.
Luckily, the ASP.NET Identity sub-project has a sample project that you can take a look at here, however it may not cover all your requirements. Note that this is using the latest beta.
This thread helped me get something working, but it's sad that this is not better documented.
Here are my attempts at improving that. Asp.net.Identity (3.0.0.0-rc1-final)
in Startup.cs --> ConfigurationServices
//Define your policies here, they are strings associated with claims types, that have claim strings...
//they need to be in AspNetUserClaims table, user id, department, Dev to be allowed access to the Dev policy
//add the auth option, below that makes it work, and in the api controller, add the
//[Authorize("Dev")] attribute
services.AddAuthorization(
options =>
{
options.AddPolicy("Dev", policy => { policy.RequireClaim("department", "Dev"); });
});
services.AddMvc();
来源:https://stackoverflow.com/questions/29966792/asp-net-5-mvc-6-identity-3-roles-claims-groups