Claimsprincipal la gì

What time i have to use role-based security and when claim-based? Could you please write a few examples?

I’ve had to add more information to this answer, and this is because I didn’t clearly address the separation between Claim-Based and Role-Based Auth models. From experience and the nature of the concept itself as well presented and documented on Microsoft Docs, the two Authorization models are often used together and an example on when they’re often used together is illustrated on example 3 below. Now let’s discuss the topics in detail:

Claim-Based Authorization:

One important thing to note is that Claim-Based authorization is by nature third-party bound as compared to Role-Based one. Claims are pieces of information provided to you (your app) by a third-party application that describes the user. This information can be anything type of data. Let’s make an example:

Example 1:

Imagined you have a software app that is used to mix songs. And this app basically uses songs from Spotify or YouTube Music platform etc., but it’s built in such a way that it has full access to those platform’s music library. But this app doesn’t require you to sign in with your Spotify or google account, you basically just register with email and password. But after you’re online, to use music from either Spotify or YoutTube music, you’re asked to enter an email address you used to create your sportify or YouTube music account. And then the app requests (via web services) your subscription account number from that respective third-party app and stores it as a claim. So, every time you try to access the music when you’re online, the app uses the registered claim’s policy to check if you have a subscription account and then allow access. The nice thing about this is that the claims are stored with information such as the Issuer where you store where the claim came from. And that’s it. You used a claim, subscriotionAccountNumber, provided by a third-party, that describes you on their side. Obviously, this wouldn’t be the best model to go-about this kind of app but it’s good enough as an example. You’re authorizing your user based on some information about them claimed from another third-party application.

Role-Based Authorization:

This one here is clear enough. At its simplest, You grant access to users based on their Role and their role only.

Example 2:

Imagine an organizational app with multiple users from different positions. You can assign roles to users based on their position and grant access to different information based on their role. Managers, Owners, Employees… Basically not all employees have access to everything Managers and Owners have access to. And this applies to Managers and Owners. Managers are not granted access to some information that only belongs to owners. It’s that simple.

Putting it all together:

In applications like ERP systems, Claims and Roles are used together to build up a complex authorization model. I will always say that The current Identity Framework is so complete that often you don’t need unnecessary extensions that disrupt the existing model, Obviously needs may differ and sometimes breaking the model up could be the only option. When Roles and Claims are used together, Claims serve as Permissions. That is why you have the RoleClaim and UserClaim tables within the model. That is to allow you to extend the authorization beyond the roles themselves. When claims are used together with Roles, they merely provide access to perform certain actions.

Example 3:

Consider a case where you have a clocking system where you have a technician and a manager. At the end of every week, the technician must arrange reports with clocking information showing hours of work artisans worked for that week, which is consolidated and used by payroll. Such systems often must be amended or corrected before final reports are submitted, because you don't want to overpay or underpay your employees. You can use a Role-Based approach for the Manager and Technician by creating a Manager Role and Technician Role. But the Manager Role is the one with the ability to access and edit the clocking information of the artisans. On the other hand, you can have the Technician Role without these abilities to access that information. But Here's the interesting part; A manager can make a claim and allow a technician to access the Clocking Systems and make reports. So a claim can be made only for access without edit or can be made with access and edit capabilities. Remember, only your app understands what your claims mean. They can be named anything, GrantWriteAccess, GrantReadAccess etc, there’s nothing limiting you. After having the claims pre-Defined as permissions, all you need to do is to associate that claim with the user. In this case the Technician would have Both GrantWriteAccess and GrantReadAccess added to their UserClaim table.

This is more like saying, well, By default as the manager I can access some information that my technician can't access. But I am not always around the office? what can I do so that he can still do the work even when I am not around? To solve this the system can have the feature for the managers to create claims(permissions) for people without access to some specific information. We often see these everywhere in our ERP systems. A user without access to some modules and when they get promoted, they're given permission to more modules of the ERP system, sometimes keeping the same user role, and only with some permissions being opened.