Jack

Reputation: 1

Extending Role / Role Group in ASP.NET Identity

I have an MVC application where ASP.NET Identity 2 is used, and I can properly manage the Laboratory parts by giving permission to the corresponding role group, e.g. giving read permission to Lab1 students via Lab1Group. However, I want the application to be flexible so that the admin can create new laboratory lessons, e.g. Lab2, and add them to the corresponding role group, e.g. Lab2Group, which will be created after the new laboratory is created. As far as I know, creating a new Laboratory role group requires creating a new Controller with CRUD operations, but I want to use the same Controller with the newly created lab lessons. Is it possible? Normally we need to define the access permission to a Controller by using the `[Authorize]` attribute, and I am not sure if it is possible to add the newly created role(s) to this attribute. Any ideas?

Upvotes: 0

Views: 814

Answers (1)

Rahul Garg

Reputation: 4339

If you want to put dynamic behaviour in role authorization, you can create a route and role mapping in your database, which you can also cache in your application if required. Second, you have to create a custom authorize attribute, which can get the required roles for the current route (controller or controller + action) and can access the current user's roles from the current context. You have both pieces of information, and now you can authorize/unauthorize the user by overriding the `OnAuthorization` method in your new attribute as per your application logic.

Let's divide the problem statement and then try to solve it.

  1. You have to create a new role/role group and you need to assign it to the appropriate users, which should be straightforward, and the app admin can do that. Identity 2.0 is good for this.

  2. As per your question, the routes for Lab1 and Lab2 could be something like labcontroller/lab1, labcontroller/lab2. I was trying to say that if you want to make the authorization process dynamic, you can have a mapping of route and role in the db.

  3. When any user accesses labcontroller/lab1, your custom authorization attribute's `OnAuthorization` method will read the current route from the context and get its required role from the above-mentioned mapping.

  4. If the current user also has the required role, permission will be granted.

Upvotes: 2
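
The approach in the answer above could look like the following for MVC 5. This is an added example, not code from the original answer. `IRouteRoleStore`, `DynamicRoleAuthorizeAttribute` and the `lab` route value are hypothetical names, and the check is placed in `AuthorizeCore` (which the base `OnAuthorization` calls) so the framework's output-cache handling stays intact.

```csharp
using System.Collections.Generic;
using System.Linq;
using System.Net;
using System.Web;
using System.Web.Mvc;

// Hypothetical lookup: a real app reads the route-to-role table from the
// database (optionally cached), as the answer describes.
public interface IRouteRoleStore
{
    // Roles allowed for controller/lab; empty when no mapping exists.
    IReadOnlyCollection<string> GetRequiredRoles(string controller, string lab);
}

public class DynamicRoleAuthorizeAttribute : AuthorizeAttribute
{
    // Filter instances can be reused across requests, so keep no per-request
    // state in fields. Assumption: the store is registered with MVC's resolver.
    private static IRouteRoleStore Store
    {
        get { return DependencyResolver.Current.GetService<IRouteRoleStore>(); }
    }

    protected override bool AuthorizeCore(HttpContextBase httpContext)
    {
        var user = httpContext.User;
        if (user == null || !user.Identity.IsAuthenticated) return false;

        var route = httpContext.Request.RequestContext.RouteData;
        var controller = route.GetRequiredString("controller");
        // Assumption: the route template exposes the lab as {lab}.
        var lab = route.Values["lab"] as string;
        if (string.IsNullOrEmpty(lab)) return false;

        var required = Store.GetRequiredRoles(controller, lab);
        // Fail closed: a lab without a mapping is denied, not open to everyone.
        return required != null && required.Count > 0 && required.Any(user.IsInRole);
    }

    protected override void HandleUnauthorizedRequest(AuthorizationContext filterContext)
    {
        // Signed in but missing the role: return 403 instead of a login redirect.
        if (filterContext.HttpContext.User.Identity.IsAuthenticated)
            filterContext.Result = new HttpStatusCodeResult(HttpStatusCode.Forbidden);
        else
            base.HandleUnauthorizedRequest(filterContext);
    }
}
```

Decorating the single lab controller with `[DynamicRoleAuthorize]` then covers labs created later, provided the admin workflow writes the new lab's mapping before the lab is published.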
