Let's step away from ASP.NET Identity for a sec and let's say we are building a custom authentication/authorization system for our application.
It will contain the following tables for full flexibility:
Users
Roles
Permissions
UserRoles
RolePermissions
With the above we can have a full-fledged User Management section of an application where an Administrator can say User A has Role B which has Permissions C, D, F.
The above has always worked for me in the past, but let's switch gears now to an ASP.NET Core MVC Application using ASP.NET Identity.
Attempting to utilize everything Microsoft gives you with ASP.NET Core Identity in the UserManager, I would like to be able to still achieve the above, but the ASP.NET Core Identity MVC way.
What I know:
That I can easily use the UserManager to implement CRUD pages for Users and Roles and User Roles.
What I am trying to figure out:
How can I replicate the same behavior of the "which permissions/actions does a role have?" concept?
My initial guess at this is that you would use Claims in combination with Roles. Claims get assigned to Roles i.e. RoleClaims and then Roles get assigned to Users.
This way I would be able to simply check for Roles above Controllers/Action methods with Authorize tags. And additionally go even further at the page level, saying hide/show the delete button if the user's Role does not have Claim "DeleteProduct". Kind of like what this view-based authorization documentation is saying.
--
I am trying to figure out if I am on the right path with this stuff. Any advice or corrections would be helpful.
This person seems to have a potential solution for your particular problem.
Users Roles Permissions using ASP.NET Core Identity 3
More information on Claims and Policies
https://docs.microsoft.com/en-us/aspnet/core/security/authorization/claims
Basically
Note: Not entirely sure if that works with ASP.NET Core 2 or not, or which version you were using.
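
An added example, not part of the original question or answer and not code from the linked post: one way to wire the RoleClaims idea from the question into claim-based policies, assuming ASP.NET Core 2.0 or later with `AddIdentity<IdentityUser, IdentityRole>()` and a store that supports role claims. The `"Permission"` claim type, the `EditProduct` permission, and the `Permissions` and `ProductsController` names are hypothetical.

```csharp
// Added example (not from the original posts). Assumes ASP.NET Core 2.0+ with
// AddIdentity<IdentityUser, IdentityRole>() and a store that supports role claims.
using System.Linq;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Identity;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.DependencyInjection;

public static class Permissions
{
    public const string ClaimType = "Permission";         // hypothetical claim type
    public const string DeleteProduct = "DeleteProduct";  // name used in the question
    public const string EditProduct = "EditProduct";      // hypothetical second permission
    public static readonly string[] All = { DeleteProduct, EditProduct };

    // Call from ConfigureServices: one policy per permission, named after it.
    public static void AddPermissionPolicies(this IServiceCollection services) =>
        services.AddAuthorization(options =>
        {
            foreach (var p in All)
                options.AddPolicy(p, policy => policy.RequireClaim(ClaimType, p));
        });

    // Equivalent of a RolePermissions row: grant a permission to a role, idempotently.
    public static async Task GrantAsync(
        RoleManager<IdentityRole> roles, string roleName, string permission)
    {
        var role = await roles.FindByNameAsync(roleName);
        if (role == null)
        {
            role = new IdentityRole(roleName);
            var created = await roles.CreateAsync(role);
            if (!created.Succeeded)
                throw new System.InvalidOperationException("Role creation failed.");
        }
        var existing = await roles.GetClaimsAsync(role);
        if (!existing.Any(c => c.Type == ClaimType && c.Value == permission))
            await roles.AddClaimAsync(role, new Claim(ClaimType, permission));
    }
}

public class ProductsController : Controller
{
    // Enforced on the server whether or not the view rendered a delete button.
    [HttpPost, ValidateAntiForgeryToken, Authorize(Policy = Permissions.DeleteProduct)]
    public IActionResult Delete(int id) => RedirectToAction("Index"); // removal itself is outside this example
}
```

For the hide/show button case, inject `IAuthorizationService` into the view and render the button only when `(await AuthorizationService.AuthorizeAsync(User, "DeleteProduct")).Succeeded`; the attribute on the action stays the actual enforcement point. Role claims reach the user's principal when it is built at sign-in, so a newly granted permission shows up after the user signs in again.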