Reputation: 38527
Scope/Role/Group Based Access Control
I am using Azure Active Directory and am trying to understand the three types of access control described here. What are the advantages and disadvantages of each approach and when would you use them:
Scope based access control using
oauth2Permissionssection of my manifest where I can add read and write permissions like so:{ "adminConsentDescription": "Allow the application read access to MyApi on behalf of the signed-in user.", "adminConsentDisplayName": "Read access to MyApi", "id": "56d944c0-f3aa-4f80-9472-9c1414383abf", "isEnabled": true, "type": "User", "userConsentDescription": "Allow the application read access to MyApi on your behalf.", "userConsentDisplayName": "Read access to MyApi", "value": "read_my_api" }, { "adminConsentDescription": "Allow the application write access to MyApi on behalf of the signed-in user.", "adminConsentDisplayName": "Write access to MyApi", "id": "6d66a2bd-c8c7-4ee0-aef4-9424b51b4967", "isEnabled": true, "type": "User", "userConsentDescription": "Allow the application write access to MyApi on your behalf.", "userConsentDisplayName": "Write access to MyApi", "value": "write_my_api" }Role Based Access Control (RBAC) - Using
appRolessection of my manifest.- Group based access control using the
groupMembershipClaimssection of my manifest.
Upvotes: 13
Views: 6864
Answers (2)
Reputation: 23494
I think the most significant difference between scopes and roles/groups is who determines what the client is allowed to do.
- Resource scopes are granted by the resource owner (the user) to an application through the consent screen. For example, the client application can post to my timeline or see my friends list.
- User roles and groups are assigned by an administrator of the Azure AD directory. For example, the user can submit expense reports or the user can approve expense reports.
Scopes are typically used when an external application wants to gain access to the user's data via an exposed API. They determine what the client application can do.
Role- or group based access is typically used within an application to determine what a user can do.
Upvotes: 32
Reputation: 2756
Two most popular one:
- Role Based Access Control - you are assigning roles to the users or groups in the your application configuration (inside Azure Portal). Then in code you can use those roles authorize users to certain parts of your application. You can do something line that:
if (User.IsInRole("SuperAdmin")) {...} - Group based access control using the groupMembershipClaims - it's similar but you are checking if user belongs to specific group
Upvotes: 3
Related Questions
- Permission Based instead of Role Based
- Need some conceptual guidance of scope vs roles
- Microsoft OAuth authorization for specific user roles
- Azure Active Directory Group - controlling user access
- custom OAuth scopes in azure
- How to do Authorization based on Azure AD groups?
- Azure AD OAuth2.0 Application Permissions
- Azure Access Control for Resource Groups
- How to configure users access to an API protected with Azure AD oAuth2
- Implementing Azure Active Directory Access Control