CrowdStrike joins the Axiomatics partner community with risk-based authorization for enterprise Learn more  

Stack Overflow: Alternatives for Roles/Claims Access Control Systems

The Axiomatics technical teams across sales engineering, development and customer relations often engage with the Stack Overflow community to get insights and answers. They also contribute knowledge on access control and dynamic authorization.

This question on Alternatives for Roles/Claims Access Control Systems was asked by Yaroslav Veremenko.I am developing REST API for the growing system. And in general Role/Claims Access Control work perfectly like this.

[Authorization(Type = AuthorizationType.Admin, Permission = Permission.StoreSettings)]
public IHttpActionResult GetSettings() { /*...*/ }

Problem occurs when I have users who can for example control access deeper like in the figure below. This is an abstract example of the system.

User Types

And if I need to query something in the one of the area, it is quite simple, but when I need to get all Items from Departments I have to write the same ugly code I can’t really reuse. Not real code, but looks like this.

Db.Items.Where(i =>
    i.Stores.Any(s => s.CityId == User.CityId) &&
    Db.UserDepartmentRights.Any(udr => udr.UserId == User.UserId && i.DepartmentId == udr.DepartmentId));

It is obviously ugly and very hard to maintain, especially if I need to bring another level into the system.

Is there any framework which can handle this or at formalized architecture I can implement?

You can find the rest of the detailed discussion on this topic and guidance from David Brossard here on Stack Overflow.

Archived under:
  Join us on LinkedIn for more insights
About the author

The world’s largest enterprises and government agencies continually depend on Axiomatics’ award-winning authorization platform to share sensitive, valuable and regulated digital assets – but only to authorized users and in the right context.