Most .NET developers are familiar with using the `[Authorize]` attribute on their controller actions to specify access requirements for certain operations. It's often combined with the `Roles` property to require the current user to belong to a certain role. Recent versions of .NET and .NET Core (ASP.NET Core) introduced a policy-based authorization mechanism as well. Instead of specifying a role you can specify a required `Policy`. This is an improvement because we can get a little more precise: an operation requires the `Read` permission policy, not simply that the user belongs to the `Admin` role.

Flexibility! We can easily change which permissions are granted by each role, and have very little code to change.
This all works pretty well for coarse permissions like “can this user read
things in general?” but it is insufficient for the more complicated case of
evaluating access to particular resources and entities in the system. Just
because the user is in the right role or group to grant them the ReadRecipe
permission doesn’t mean they have access to “this particular recipe”. Handling
rules like that requires a bit of custom code, but ASP.NET Core provides some
hooks that can help us make our business logic clear, without being too muddled
with authorization concerns.
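The two styles side by side, as an added example written against ASP.NET Core's built-in hooks (`IAuthorizationService`, `AuthorizationHandler<TRequirement, TResource>`, `OperationAuthorizationRequirement`); it is not the author's sketch and not code from the original post. The `Recipe` entity, the `IRecipeRepository` interface and the `"permission"` claim are assumptions made for illustration. The `List` action is gated by a coarse policy; `Get` loads the entity first and then asks the authorization service about this particular recipe.

```csharp
using System.Collections.Generic;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Authorization.Infrastructure;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.DependencyInjection;

// Hypothetical domain entity and repository, not from the original post.
public class Recipe
{
    public int Id { get; set; }
    public string OwnerId { get; set; } = "";
    public bool IsPublished { get; set; }
}

public interface IRecipeRepository
{
    IEnumerable<Recipe> All();
    Recipe? Find(int id);
}

// Operations expressed as requirements. OperationAuthorizationRequirement
// ships with ASP.NET Core; the operation names are ours.
public static class RecipeOperations
{
    public static readonly OperationAuthorizationRequirement Read =
        new OperationAuthorizationRequirement { Name = "Read" };
    public static readonly OperationAuthorizationRequirement Update =
        new OperationAuthorizationRequirement { Name = "Update" };
}

// Resource-based handler: evaluated per (user, requirement, *this* recipe).
public class RecipeAuthorizationHandler
    : AuthorizationHandler<OperationAuthorizationRequirement, Recipe>
{
    protected override Task HandleRequirementAsync(
        AuthorizationHandlerContext context,
        OperationAuthorizationRequirement requirement,
        Recipe recipe)
    {
        var userId = context.User.FindFirst(ClaimTypes.NameIdentifier)?.Value;
        var isOwner = userId != null && userId == recipe.OwnerId;
        var isAdmin = context.User.IsInRole("Admin");

        var allowed = requirement.Name switch
        {
            "Read"   => isOwner || isAdmin || recipe.IsPublished,
            "Update" => isOwner || isAdmin,
            _        => false,
        };

        // Only call Succeed(); leaving the requirement unmet is a deny,
        // and not calling Fail() lets another handler grant it if one exists.
        if (allowed)
            context.Succeed(requirement);

        return Task.CompletedTask;
    }
}

public static class AuthorizationSetup
{
    // Call from Program.cs / Startup.ConfigureServices.
    public static void Configure(IServiceCollection services)
    {
        services.AddAuthorization(options =>
        {
            // Coarse policy: "can this user read recipes in general?"
            // Assumes a "permission" claim is issued at sign-in.
            options.AddPolicy("ReadRecipe",
                p => p.RequireClaim("permission", "ReadRecipe"));
        });

        // The handler is stateless, so a singleton is fine.
        services.AddSingleton<IAuthorizationHandler, RecipeAuthorizationHandler>();
    }
}

[ApiController]
[Route("recipes")]
public class RecipesController : ControllerBase
{
    private readonly IAuthorizationService _authz;
    private readonly IRecipeRepository _repo;

    public RecipesController(IAuthorizationService authz, IRecipeRepository repo)
    {
        _authz = authz;
        _repo = repo;
    }

    // Policy-based: the attribute answers the coarse question before the action runs.
    [HttpGet]
    [Authorize(Policy = "ReadRecipe")]
    public IActionResult List() => Ok(_repo.All());

    // Resource-based: load the entity, then ask about this particular recipe.
    [HttpGet("{id:int}")]
    [Authorize]
    public async Task<IActionResult> Get(int id)
    {
        var recipe = _repo.Find(id);
        if (recipe == null)
            return NotFound();

        var result = await _authz.AuthorizeAsync(User, recipe, RecipeOperations.Read);
        if (!result.Succeeded)
            return Forbid(); // authenticated but not allowed on this resource

        return Ok(recipe);
    }
}
```

Note that the resource check necessarily happens after the entity has been loaded, so the controller, not an attribute, has to call `AuthorizeAsync`; returning `NotFound()` instead of `Forbid()` for a denied resource is a reasonable choice if you do not want to confirm that the recipe exists.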
What follows is a sketch of my approach to resource-based authorization.