Dynamic Authorization Policies

cloudscribe Dynamic Authorization Policies allow you to manage authorization policy requirements from the UI. cloudscribe Core allows you to manage user roles and claims from the UI, and Dynamic Authorization Policies is the missing piece that makes it possible to manage access. For each policy you can configure which roles are allowed and/or any claim requirements that must be met.

Typically, ASP.NET Core authorization policies are configured in code in Startup.cs. The problem is that if you want to change the policy requirements, you must re-compile and re-deploy your web application. Controller actions are usually decorated with an Authorize attribute with a named policy, like this:

[Authorize(Policy = "SomePolicyName")]
[HttpGet]
public virtual IActionResult SomeAction()
{
    return View();
}

If the policy does not exist then an error would be thrown at application startup time.

When you use Dynamic Authorization Policies, this error will not happen. Instead, a policy will be created automatically and persisted to the database. To keep things secure, the policy is initialized with an "Administrators" role requirement, so if you want to allow other roles you have to edit the generated policy.

Note that you can still put policies in Startup code, and any policies configured there will not be managed from the UI. Not every policy should be managed from the UI. In fact, there is a policy named "PolicyManagementPolicy" which controls who can edit authorization policies, and this one should be registered in Startup code, as you generally want it to be locked down to administrators. There may be other administrative policies that also should not be managed from the UI. The key thing is that it is up to you which policies can be managed from the UI: those that should not be are configured in application startup code, and any policy configured there will not be managed from the UI.
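The precedence described above (Startup policies first, then an automatically created policy locked to "Administrators") can be pictured with the following sketch. It is an added illustration, not cloudscribe's own code: SketchPolicyProvider, AddSketchPolicies and the in-memory store are hypothetical names, and the store stands in for the database.

```csharp
using System.Collections.Concurrent;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authorization;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.Options;

// Illustrative sketch only; not cloudscribe's DynamicAuthorizationPolicyProvider.
public class SketchPolicyProvider : DefaultAuthorizationPolicyProvider
{
    // Assumption: an in-memory map (policy name -> allowed roles) stands in
    // for the database table of UI-managed policies.
    private readonly ConcurrentDictionary<string, string[]> _store =
        new ConcurrentDictionary<string, string[]>();

    public SketchPolicyProvider(IOptions<AuthorizationOptions> options)
        : base(options) { }

    public override async Task<AuthorizationPolicy> GetPolicyAsync(string policyName)
    {
        // 1. Policies registered in Startup code win and never reach the store,
        //    so they cannot be edited from the UI.
        var configured = await base.GetPolicyAsync(policyName);
        if (configured != null) return configured;

        // 2. Unknown policy name: create it on first use, locked to the
        //    "Administrators" role until someone deliberately widens it.
        var roles = _store.GetOrAdd(policyName, _ => new[] { "Administrators" });

        return new AuthorizationPolicyBuilder().RequireRole(roles).Build();
    }
}

public static class SketchRegistration
{
    // Call from Startup.ConfigureServices.
    public static IServiceCollection AddSketchPolicies(this IServiceCollection services)
    {
        // Registered in code, so step 1 above always returns it.
        services.AddAuthorization(o =>
            o.AddPolicy("PolicyManagementPolicy", p => p.RequireRole("Administrators")));
        return services.AddSingleton<IAuthorizationPolicyProvider, SketchPolicyProvider>();
    }
}
```

Because missing policies start out restricted to "Administrators", a mistyped policy name on an action denies access to everyone else rather than leaving the action open.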

Note also that there is a known limitation: the DynamicAuthorizationPolicyProvider subclasses the DefaultAuthorizationPolicyProvider, and if you decorate the controller class with an AuthorizeAttribute it will throw a null reference exception. To use Dynamic Authorization Policies, you should only decorate controller actions with Authorize attributes and not do that at the class level.

Note also that Dynamic Authorization Policies does NOT depend on cloudscribe Core; it can be used with any ASP.NET Core MVC application. We have samples here of using it both with and without cloudscribe Core.

You can easily create new cloudscribe projects that include Dynamic Authorization Policies using our project templates for Visual Studio and the dotnet new command, as discussed in the Introduction. You should see an Authorization Policies item in the administration.

cloudscribe Dynamic Authorization Policies has some configuration options that can be set in appsettings:

"PolicyManagementOptions": {
    "AutoCreateMissingPolicies": true,
    "AutoPolicyAllowedRoleNamesCsv": "Administrators",
    "ShowRequireAuthenticatedUserOption": true,
    "ShowRequiredUserNameOption": true,
    "ShowAuthenticationSchemeOptions": true,
    "ShowClaimRequirementOptions": true,
    "PolicyNamesToConfigureAsAllowAnonymous": [ "BlogViewPolicy", "ForumViewPolicy" ]
},
