
Stack Overflow: Alternatives for Roles/Claims Access Control Systems

The Axiomatics technical teams across sales engineering, development and customer relations often engage with the Stack Overflow community to get insights and answers. They also contribute knowledge on access control and dynamic authorization.

This question on Alternatives for Roles/Claims Access Control Systems was asked by Yaroslav Veremenko:

I am developing a REST API for the growing system. And in general Role/Claims Access Control works perfectly like this.

[HttpGet]
[Route("settings")]
[Authorization(Type = AuthorizationType.Admin, Permission = Permission.StoreSettings)]
public IHttpActionResult GetSettings() { /*...*/ }

Problem occurs when I have users who can for example control access deeper like in the figure below. This is an abstract example of the system.

[Figure: User Types]

And if I need to query something in one of the areas, it is quite simple, but when I need to get all Items from Departments I have to write the same ugly code I can’t really reuse. Not real code, but it looks like this.

Db.Items.Where(i =>
    i.Stores.Any(s => s.CityId == User.CityId) &&
    Db.UserDepartmentRights.Any(udr => udr.UserId == User.UserId && i.DepartmentId == udr.DepartmentId));

It is obviously ugly and very hard to maintain, especially if I need to bring another level into the system.

Is there any framework which can handle this, or a formalized architecture I can implement?

You can find the rest of the detailed discussion on this topic and guidance from David Brossard here on Stack Overflow.
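As an added illustration (not code from the question, the Stack Overflow answer, or Axiomatics), here is one way to centralize the city/department scoping from the question so the rule is written once and reused by both the single-item check and the list filter. It is in Python rather than C#, and the User/Item model, the rule names and the sample data are all constructed assumptions:

```python
from dataclasses import dataclass
from typing import Callable

# Constructed model mirroring the question: users belong to a city and hold
# rights on departments; items belong to a department and are sold in stores
# located in cities (store_city_ids stands in for the Stores join).
@dataclass(frozen=True)
class User:
    user_id: int
    city_id: int
    department_ids: frozenset

@dataclass(frozen=True)
class Item:
    item_id: int
    department_id: int
    store_city_ids: frozenset

Rule = Callable[[User, Item], bool]

# Each scoping level is one named rule. Bringing "another level into the
# system" means appending one entry here, not editing every query.
ITEM_VIEW_RULES: list[tuple[str, Rule]] = [
    ("sold_in_users_city", lambda u, i: u.city_id in i.store_city_ids),
    ("has_department_right", lambda u, i: i.department_id in u.department_ids),
]

def denied_by(user: User, item: Item) -> list[str]:
    """Names of the rules that fail; an empty list means access is granted.
    Handy for logging why an item was hidden from a user."""
    return [name for name, rule in ITEM_VIEW_RULES if not rule(user, item)]

def can_view_item(user: User, item: Item) -> bool:
    return not denied_by(user, item)

def visible_items(user: User, items: list[Item]) -> list[Item]:
    """The list filter is derived from the same rules as the single-item
    check, so the two cannot drift apart."""
    return [i for i in items if can_view_item(user, i)]

# Constructed sample data
ITEMS = [
    Item(1, department_id=10, store_city_ids=frozenset({1, 2})),
    Item(2, department_id=20, store_city_ids=frozenset({1})),
    Item(3, department_id=10, store_city_ids=frozenset({3})),
]
ALICE = User(1, city_id=1, department_ids=frozenset({10}))

if __name__ == "__main__":
    print([i.item_id for i in visible_items(ALICE, ITEMS)])  # [1]
```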

About the author

The world’s largest enterprises and government agencies continually depend on Axiomatics’ award-winning authorization platform to share sensitive, valuable and regulated digital assets – but only to authorized users and in the right context.