I get confused about the difference between AspNetRoleClaims and AspNetUserClaims. Do I just use AspNetUserClaims or do I use everything?
AspNetRoleClaims map Roles to Claims. This can be helpful if you are migrating from an older membership framework that uses roles.
chobo2
I have a company that has many branches. In each branch there will be an administrator of that branch; they have full power over the branch and can do anything, but nothing at another branch. At the company level there will be an administrator who can do anything at the company level and any branch. Finally I have a person in the branch who can just add new employees.
What does this all look like? Do I make 3 roles?
CompanyAdmin
BranchAdmin
AddUsersAtBranchLevel (or is this some sort of claim??)
What do the tables look like? Is there anything going to be in AspNetRoleClaims? AspNetUserClaims?
Sure... You would add the roles to dbo.AspNetRoles: CompanyAdmin, BranchAdmin, User. Then assign the role to the user in dbo.AspNetUserRoles. If those roles have claims, then add those claims to dbo.AspNetRoleClaims. This is a good approach if you have an existing system with defined roles.
Otherwise, you could skip the Roles altogether and just add User Claims.
chobo2
Now I can make a policy to check if the user is a branch admin and if they are trying to edit their branch? Or would it just be a claim I am checking?
It depends... policies are for dealing with complex behaviors like the Branch manager can only make edits during business hours. Policies are centralized so I create policies for everything even simple access just in case something changes in the future.
I am starting a new database, so your recommendation would be just to use AspNetUserClaims then and forget basically all the role stuff?
like in terms of my claims in the "AspNetUserClaims" it would be
User1 CanAddUserToBranch true
User1 CanDeleteUserBranch true
User1 CanAddUserToCompany true
I guess then in my code I am going to have to make some custom claim types called "CanAddUserToBranch", "CanDeleteUserBranch", "CanAddUserToCompany".
But how about locking them down to only their branch? Would this also be a claim or a policy? As I would not want to store their branch number, for instance, in a claim, as what happens if they move branches and now are at a new branch? Would it not be better to have a secondary look to see if A) they have permission to do something to a branch B) they are in the right branch
Re: Need Help Understanding Identity on Asp.net Core
May 17, 2018 09:55 PM | chobo2
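The two-step check raised in the last post (A: a permission claim, B: a lookup of the user's current branch) can be written as an ASP.NET Core resource-based authorization handler. This is an added example, not code from the thread; `Branch`, `IBranchMembership` and `BranchPermissionRequirement` are hypothetical names, and the claim value `"true"` follows the rows listed in the post.

```csharp
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authorization;

// Hypothetical resource type: the branch being acted on.
public sealed class Branch { public int Id { get; set; } }

// Hypothetical lookup against the application's own user-to-branch table.
public interface IBranchMembership
{
    Task<int?> GetCurrentBranchIdAsync(string userId);
}

// Carries the permission claim type to check, e.g. "CanAddUserToBranch".
public sealed class BranchPermissionRequirement : IAuthorizationRequirement
{
    public BranchPermissionRequirement(string claimType) => ClaimType = claimType;
    public string ClaimType { get; }
}

public sealed class BranchPermissionHandler
    : AuthorizationHandler<BranchPermissionRequirement, Branch>
{
    private readonly IBranchMembership _membership;
    public BranchPermissionHandler(IBranchMembership membership) => _membership = membership;

    protected override async Task HandleRequirementAsync(
        AuthorizationHandlerContext context,
        BranchPermissionRequirement requirement,
        Branch resource)
    {
        // A) Permission claim from AspNetUserClaims. The value match is exact ("true").
        if (!context.User.HasClaim(requirement.ClaimType, "true"))
            return; // never calling Succeed leaves the request denied

        // B) Branch membership is read per request, not from a claim, so a
        //    transfer takes effect without reissuing the user's cookie or token.
        var userId = context.User.FindFirst(ClaimTypes.NameIdentifier)?.Value;
        if (userId == null)
            return;

        var currentBranchId = await _membership.GetCurrentBranchIdAsync(userId);
        if (currentBranchId == resource.Id)
            context.Succeed(requirement);
    }
}
// ConfigureServices: services.AddScoped<IAuthorizationHandler, BranchPermissionHandler>();
// Controller action (with an injected IAuthorizationService named _auth):
//   var result = await _auth.AuthorizeAsync(User, branch,
//       new BranchPermissionRequirement("CanAddUserToBranch"));
//   if (!result.Succeeded) return Forbid();
```

The handler denies by default: any missing claim, missing user id or branch mismatch falls through without calling `Succeed`.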