LukasNeubauer-7238 asked Bruce-SqlWork commented

How can I do authorization in my scenario

Hey,

My first project with ASP.NET Core Blazor had the authorization managed by roles.
This was all fine, because one person had access to one "company".
In my rework of the app I tried to make it so that a user can switch between "companies".
So the problem would be that if a page requires the balance role, the user would get the balance role and then would be able to access this page in another "company" as well, even though in that company he shouldn't have access to the page.

I don't know if it would be a practical solution to create this role for every company created.
This would mean the "company" with ID 1 would get the balance_1 role name.
I would create these roles as the "company" gets created, so they can then be assigned to the users.

For example, I'm working on this for a fun project server, and around 40 "companies" with about 20 users each would use this. This would make 800 DB entries for the roles alone. I haven't built anything that "big", so I really can't tell if this is ok or too much.

On the other hand I had a peek into the policy-based authorization, and as far as I could tell there would not be a way to create a policy with a variable parameter to pass to the AuthorizationHandler expansion method.

The "company" currently used by the employee is a URL parameter and is stored in a session-based class, if you need this information.

Thanks ahead for your ideas.

DaNeubi

Tags: dotnet-aspnet-core-blazor, dotnet-aspnet-core-security, dotnet-aspnet-core-auth

Hi LukasNeubauer-7238,

If you have a specific requirement for role management, we could only create a new SQL record for each specific policy. In my opinion, there is no better way to achieve your requirement now.

0 Votes 0 ·

If this would also be manageable by policies or in another way, I'm not bound to roles.

0 Votes 0 ·

1 Answer

Bruce-SqlWork answered Bruce-SqlWork commented

I’d dynamically load the roles on each request, to match the user/company combo for the request. Easy with middleware.


So you would create a role for every "company"?
And how would you load the roles dynamically?

0 Votes 0 ·
Bruce-SqlWork (replying to LukasNeubauer-7238):

4 tables: users, roles, companies and user company roles.

The request needs to identify the user name via authentication, and also the companyid (url parameter or cookie value). With this info you can load the roles.

Another option is that at login the user specifies the company, and the company is added as a claim value. Then you validate the company claim against the request company Id.

1 Vote 1 ·

I tried your suggestion, but the thing I struggle with is that I don't know how to tell the middleware which role is required for the current request.
Could you give me a hint with that?

0 Votes 0 ·
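One way to implement the per-request role loading Bruce describes, as an added example that is not from this thread: the middleware reads the companyId from the URL, looks up that user's roles for that company only (ICompanyRoleStore and its method are assumed, standing in for the "user company roles" table), and adds them as role claims that live for this request only. The page itself then just needs an ordinary [Authorize(Roles = "balance")], because ClaimsPrincipal.IsInRole checks every identity on the principal; that is how the middleware learns which role the page requires without a role per company.

```csharp
using System.Security.Claims;
using Microsoft.AspNetCore.Http;

// Hypothetical abstraction over the "user company roles" table from the answer above.
public interface ICompanyRoleStore
{
    // Role names the user holds in this company only, e.g. "balance" for company 1.
    Task<IReadOnlyList<string>> GetRolesAsync(string userName, int companyId);
}

// Register after UseAuthentication() and before UseAuthorization():
//   app.UseAuthentication();
//   app.UseMiddleware<CompanyRoleMiddleware>();
//   app.UseAuthorization();
public class CompanyRoleMiddleware
{
    private readonly RequestDelegate _next;
    public CompanyRoleMiddleware(RequestDelegate next) => _next = next;

    public async Task InvokeAsync(HttpContext context, ICompanyRoleStore store)
    {
        var user = context.User;
        // Anonymous requests get no company roles; authorization rejects them as usual.
        if (user.Identity?.IsAuthenticated == true
            && TryGetCompanyId(context.Request, out var companyId))
        {
            var roles = await store.GetRolesAsync(user.Identity.Name!, companyId);
            // Put the roles in a separate identity: the sign-in cookie is not modified,
            // so the roles exist only for this request and only for this company.
            var scoped = new ClaimsIdentity();
            scoped.AddClaim(new Claim("company_id", companyId.ToString()));
            foreach (var role in roles)
                scoped.AddClaim(new Claim(ClaimTypes.Role, role));
            user.AddIdentity(scoped);
        }
        await _next(context);
    }

    // The company comes from the URL: a route value (/company/{companyId}/...) or ?companyId=.
    private static bool TryGetCompanyId(HttpRequest request, out int companyId)
    {
        var raw = request.RouteValues.TryGetValue("companyId", out var rv)
            ? rv?.ToString()
            : request.Query["companyId"].ToString();
        return int.TryParse(raw, out companyId);
    }
}
```

Note that in Blazor Server the middleware only sees the initial HTTP request of a circuit, not navigation inside it, so there the same lookup belongs in a custom AuthenticationStateProvider that re-reads the current companyId.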