Difference between Roles and Claims


Solution 1

Roles-based authorization is used to group users into groups (roles) and then set permissions on the role rather than on individual users.

E.g., in your case you can create an Admin role and grant it permission to perform the "AddCompany, ViewCompany, DeleteCompany, EditCompany" tasks.

In this case it is easier to manage a large set of users through a small set of roles. This is the most commonly used model for authentication.

Claims-based authorization provides additional layers of abstraction on your authorization strategy. Further, claims are a method of providing information about a user rather than a group of users. You create authorization policies that are used to generate a claim set based on the authentication evidence presented by the user. Then the user presents claims to the application in order to access resources.

A claim is a statement that one subject makes about itself or another subject. The statement can be about a name, identity, key, group, privilege, or capability, for example. Claims are issued by a provider, and they are given one or more values and then packaged in security tokens that are issued by an issuer, commonly known as a security token service (STS).

Resources : http://msdn.microsoft.com/en-gb/library/ff649821.aspx

http://msdn.microsoft.com/en-gb/library/ff359101.aspx

Hope this helps.

Solution 2

Roles are claims, but not all claims are roles.

In a claims-based authorization system, you may use roles as permissions, but you may use something else as well. On my current project, we have a many to many mapping from roles to permissions.
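As an added example (not code from either answer), here is a small Python model of Solution 2's point: a role is one kind of claim, a role expands to a set of permissions through a many-to-many mapping, and an authorization check can ask for a permission rather than a role. The Admin role and the four Company permissions come from the question; the Auditor role, the "permission" claim type and the sample users are assumed for illustration.

```python
from dataclasses import dataclass, field

# Constructed sample mapping modelled on the question: "Admin" grants the
# four Company permissions. Many-to-many: a role grants several permissions
# and a permission may be granted by several roles ("Auditor" is assumed).
ROLE_PERMISSIONS = {
    "Admin": {"AddCompany", "ViewCompany", "DeleteCompany", "EditCompany"},
    "Auditor": {"ViewCompany"},
}


@dataclass
class Claim:
    type: str    # e.g. "role" or "permission" (claim types are assumed)
    value: str


@dataclass
class Principal:
    name: str
    claims: list = field(default_factory=list)

    def has_claim(self, ctype, value):
        return any(c.type == ctype and c.value == value for c in self.claims)


def permissions_of(principal):
    """Expand role claims into the permissions they grant, and add any
    permission claims issued directly to the user (no role involved)."""
    perms = set()
    for c in principal.claims:
        if c.type == "role":
            perms |= ROLE_PERMISSIONS.get(c.value, set())
        elif c.type == "permission":
            perms.add(c.value)
    return perms


def is_in_role(principal, role):
    # Role-based check: group membership decides the outcome.
    return principal.has_claim("role", role)


def can(principal, permission):
    # Claims-based check: the policy names a permission and does not care
    # whether a role or a direct claim supplied it.
    return permission in permissions_of(principal)


if __name__ == "__main__":
    admin = Principal("alice", [Claim("role", "Admin")])
    viewer = Principal("bob", [Claim("permission", "ViewCompany")])
    print(is_in_role(admin, "Admin"), can(admin, "DeleteCompany"))   # True True
    print(is_in_role(viewer, "Admin"), can(viewer, "ViewCompany"))   # False True
```

The second user holds a permission claim without any role, which is exactly the "not all claims are roles" case.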

Author: Gillardo

Updated on June 14, 2022

Comments

  • Gillardo, almost 2 years

    In our system we have a way to set up users with permissions. They create a group name, for example, Admin, and then assign all the permissions for the tasks they would like to do.

    For example, they can add AddCompany, ViewCompany, DeleteCompany, EditCompany

    This makes it very easy to make different permissions groups and we can control security very easily.

    Am I right in thinking that in this instance the group name = Role and each permission is a claim?