Best Practices for Roles vs. Claims in ASP.NET Identity

asp.net core role claims
dynamic role based authorization asp.net core
asp.net mvc permission based authorization
asp.net core 2.2 identity roles
asp.net core 2.1 identity roles
asp.net identity roles example
claim based authorization in asp.net core
asp.net role based authorization

I am completely new to the use of claims in ASP.NETIdentity and want to get an idea of best practices in the use of Roles and/or Claims.

After all this reading, I still have questions like...

Q: Do we no longer use Roles? Q: If so, why are Roles still offered? Q: Should we only use Claims? Q: Should we use Roles & Claims together?

My initial thought is that we "should" use them together. I see Claims as sub-categories to the Roles they support.

FOR EXAMPLE: Role: Accounting Claims: CanUpdateLedger, CanOnlyReadLedger, CanDeleteFromLedger

Q: Are they intended to be mutually exclusive? Q: Or is it better to go Claims ONLY and "fully-qualify" you claims? Q: So what are the best practices here?

EXAMPLE: Using Roles & Claims Together Of course, you would have to write your own Attribute logic for this...

[Authorize(Roles="Accounting")]
[ClaimAuthorize(Permission="CanUpdateLedger")]
public ActionResult CreateAsset(Asset entity)
{
    // Do stuff here

    return View();
}

EXAMPLE: Fully-Qualifying Your Claims

[ClaimAuthorize(Permission="Accounting.Ledger.CanUpdate")]
public ActionResult CreateAsset(Asset entity)
{
    // Do stuff here

    return View();
}

A role is a symbolic category that collects together users who share the same levels of security privileges. Role-based authorization requires first identifying the user, then ascertaining the roles to which the user is assigned, and finally comparing those roles to the roles that are authorized to access a resource.

In contrast, a Claim is a right of the user to identify themselves. In other words, "I am allowed to do this because I have this Claim.". In general, claims-based authorization subsumes role-based authorization. To be precise, Role membership is determined based on identity, and identity is just one sort of right to the value of a claim. Roles are essentially a very specific kind of claim, i.e. "Because my Username is this, I am a member of this Role. Because I am a member of this Role, I have access to this resource.".

You can use both in concert, or use one type in some situations and the other in other situations. It mostly depends on the interoperation with other systems and your management strategy. For example, it might be easier for a manager to manage a list of users assigned to a role than it is to manage who has a specific Claim assigned. Claims can be very useful in a RESTful scenario where you can assign a claim to a client, and the client can then present the claim for authorization rather than passing the Username and Password for every request.

Part 1: A better way to handle authorization in ASP.NET Core – The , https://docs.microsoft.com/en-us/aspnet/core/security/authorization/ provider OR a standardized product like identity server 4, using Roles and claims would be  RBAC: a user must be assigned to a role to be authorized to perform an action. CBAC : user must have a claim with the correct value, as expected by the application, to be authorized. Claims-based access control is elegant to write and easier to maintain.


As @Claies perfectly explained, claims could be a more descriptive and is a deep kind of role. I think about them as your roles ids. I have a gym id, so I belong to the members role. I am also in the kickboxing lessons, so I have a claim for them; a kickboxing id. My application would need the declaration of a new role to fit my membership rights. Instead, I have ids for each special thing I can do at the gym; instead of lots of new membership types. That is why claims fit better for me.

There is a a great explanation video of Barry Dorrans, talking about the advantage of using claims over roles. He also states that roles, are still in .NET for backward compatibility. The video is very informative about the way claims, roles, policies, authorization and authentication works.

You can find it here: ASP.NET Core Authorization with Barr Dorrans

Using Role Claims in ASP.NET Identity Core, Scenario 1: Supporting Identity, Role, and Group Claims. Users send messages to a Web service. The access control requirements of the Web  Using Role Claims in ASP.NET Identity Core. One new feature of ASP.NET Identity is Role Claims. Since there's little documentation on how to use them I thought I'd put together a quick demo. A Role Claim is a statement about a Role. When a user is a member of a role, they automatically inherit the role's claims.


Having used various authentication and authorisation techniques over decades, my current MVC application uses the following methodology.

Claims are used for all authorisation. Users are assigned one role (multiple roles are possible but I do not need this) - more below.

As is common practice, A ClaimsAuthorize attribute class is used. Since most controller actions are CRUD, I have a routine in the code-first database generation that iterates all controller actions and creates claim types for each controller action attribute of Read/Edit/Create/Delete. E.g. from,

[ClaimsAuthorize("SomeController", "Edit")]
[HttpPost]

For use at in an MVC View, a base controller class presents view bag items

        protected override void OnActionExecuting(ActionExecutingContext filterContext)
        {
            // get user claims
            var user = filterContext.HttpContext.User as System.Security.Claims.ClaimsPrincipal;

            if (user != null)
            {
                // Get all user claims on this controller. In this controler base class, [this] still gets the descendant instance type, hence name
                List<Claim> claims = user.Claims.Where(c => c.Type == this.GetType().Name).ToList();

                // set Viewbag with default authorisations on this controller
                ViewBag.ClaimRead = claims.Any(c => c.Value == "Read");
                ViewBag.ClaimEdit = claims.Any(c => c.Value == "Edit");
                ViewBag.ClaimCreate = claims.Any(c => c.Value == "Create");
                ViewBag.ClaimDelete = claims.Any(c => c.Value == "Delete");
            }

            base.OnActionExecuting(filterContext);
        }

For website menus and other non-controller actions, I have other claims. E.g. whether a user can view a particular monetary field.

bool UserHasSpecificClaim(string claimType, string claimValue)
{
    // get user claims
    var user = this.HttpContext.User as System.Security.Claims.ClaimsPrincipal;

    if (user != null)
    {
        // Get the specific claim if any
        return user.Claims.Any(c => c.Type == claimType && c.Value == claimValue);
    }

    return false;
}

public bool UserHasTradePricesReadClaim
{
    get
    {
        return UserHasSpecificClaim("TradePrices", "Read");
    }
}

So where do Roles fit in?

I have a table that links a Role to a (default) set of claims. When setting user authorisation, the default is to give the user the claims of their role. Each user can have more or less claims than the default. To make editing simple, the claims list is show by controller and actions (in a row), with other claims then listed. Buttons are used with a bit of Javascript to select a set of actions to minimise the "clicking" required to select claims. On Save, the users claims are deleted and all of the selected claims are added. The web application loads claims only once, so any changes must prompt a reload within this static data.

Managers can therefore select which claims are in each role and which claims a user has after setting them to a role and those default claims. The system has only a small number of users so managing this data is straightforward

ASP.NET Core - Roles vs Claims vs Policy, I like the idea of claims because it offers more flexibility in my opinion. best. level 1. AllowItMan. 7 points · 3 years ago. With roles it's only possible to identify ASP.NET Core Web Application (.NET Framework). I also saw some MVC options the HTTP request to that controller, but it calls methods in my repository class. In my previous tutorial I have explained How to do Authentication of Users in Identity in ASP.NET Core.Now I will extend it with Identity Roles. In Identity System you can create Roles that contain a set of permissions for doing a set of activities in the application.


To understand difference between Roles and Claims you mast face the limitation of roles and to feel how claims come over this issues, so lit me give you 2 scenarios to recognize the power of claims where role can't resolve this issues :

1- your site have to two modules (pages, service ..etc) the first module fore child(under 18 years old) the other for adult(over 18 years old) your user identity have birthday claim

you need to create policy on this claim so the authorization for each module will be given on this value and if the age of user come over the 18 years then he can go to adult module and not before this age

Role is Boolean data type you can have or not have the role role didn't have malty values

2- your site have role user and you wan't to prevent access of users to make some maintenance without changing the code

in claims you can create UnderConstrain policy that if true user can't view the page give property authorize for role user.

Should it be a claim, a role or a policy?, NET Core used to create a reusable authorization model and simplify The role-​based security model has been in use from the days of ASP. methods must be a member of both Manager and Administrator roles. of claims-based authorization – you can validate the identity of a user based on the claims  Best Practices for Building Async APIs with ASP.NET Core - Duration: 1:29:43. JetBrainsTV 31,637 views


Managing Claims and Authorization with the Identity Model, NET Core and some of its concepts (roles, claims and policies). Probably the best known way to implement authorization in ASP. Identity.​EntityFrameworkCore.UserStore<TUser, TRole, TContext, There are other similar methods as well, and that's what we're going to use, in this case AuthorizePage . ASP.NET Core - Roles vs Claims vs Policy Raw Coding. Entity Framework Best Practices - Should EFCore Be Your Data Access of Choice? Identity Server 4 with Angular 2 and ASP.NET Core


Roles vs Claims? : dotnet, ASP.NET Identity is currently the main framework used to add authentication and This follows the best-practice where we want to eventually assign application We're basically asking the question “Is the user in this role” and based on the Pretty sure you just reinvented claims based authorization. A better way to handle role permissions in ASP.NET Identity – IsInRole vs. HasPermission May 12, 2015 May 12, 2015 by Cristian Satnic ASP.NET Identity is currently the main framework used to add authentication and authorization capabilities to an ASP.NET site.


Policy-based Authorization in ASP.NET Core - A Deep Dive, Adding user impersonation to an ASP.NET Core web application. Part 5: A better way to handle authorization – refreshing user’s claims. Part 4: Building a robust and secure data authorization with EF Core. Part 3: A better way to handle ASP.NET Core authorization – six months on.