Scope/Role/Group Based Access Control

Problem description

I am using Azure Active Directory and am trying to understand the three types of access control described here. What are the advantages and disadvantages of each approach and when would you use them:

  • Scope based access control using oauth2Permissions section of my manifest where I can add read and write permissions like so:

    {
      "adminConsentDescription": "Allow the application read access to MyApi on behalf of the signed-in user.",
      "adminConsentDisplayName": "Read access to MyApi",
      "id": "56d944c0-f3aa-4f80-9472-9c1414383abf",
      "isEnabled": true,
      "type": "User",
      "userConsentDescription": "Allow the application read access to MyApi on your behalf.",
      "userConsentDisplayName": "Read access to MyApi",
      "value": "read_my_api"
    },
    {
      "adminConsentDescription": "Allow the application write access to MyApi on behalf of the signed-in user.",
      "adminConsentDisplayName": "Write access to MyApi",
      "id": "6d66a2bd-c8c7-4ee0-aef4-9424b51b4967",
      "isEnabled": true,
      "type": "User",
      "userConsentDescription": "Allow the application write access to MyApi on your behalf.",
      "userConsentDisplayName": "Write access to MyApi",
      "value": "write_my_api"
    }
    

  • Role Based Access Control (RBAC) - Using appRoles section of my manifest.

  • Group based access control using the groupMembershipClaims section of my manifest.

Solution

The two most popular ones:

  • Role Based Access Control - you are assigning roles to the users or groups in your application configuration (inside Azure Portal). Then in code you can use those roles to authorize users to certain parts of your application. You can do something like that: if (User.IsInRole("SuperAdmin")) {...}
  • Group based access control using the groupMembershipClaims - it's similar, but you are checking if the user belongs to a specific group
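As an added example that is not part of the question or the answer above, the following Python shows how the three approaches surface as claims in a validated Azure AD access token and how an API enforces each one. The claim names `scp`, `roles` and `groups` are the standard ones in Azure AD access tokens; the handling of the group-overage marker (`hasgroups`, `_claim_names`) is my assumption about the token shape, and the GUIDs and claim payloads are constructed samples, not real tokens.

```python
"""Authorization checks over the claims of a validated Azure AD access token.

Added example, not from the question or answer above. It assumes the API's
middleware has already validated the token's signature, issuer, audience and
expiry; these helpers only interpret the decoded claim payload. Claim names
follow Azure AD access tokens:
  scp    - space-separated delegated scopes (from oauth2Permissions)
  roles  - app roles assigned to the user/group or client app (from appRoles)
  groups - group object IDs (from groupMembershipClaims)
"""
from typing import Any, Iterable, Mapping, Optional


class GroupOverage(Exception):
    """Token omits `groups` because the user is in too many groups."""


def has_scope(claims: Mapping[str, Any], required: str) -> bool:
    """Scope check: was this delegated permission consented for the client?

    `scp` is one space-separated string, so split before comparing; a
    substring test would wrongly accept "read_my_api_extended" for
    "read_my_api".
    """
    return required in str(claims.get("scp", "")).split()


def has_role(claims: Mapping[str, Any], required: str) -> bool:
    """Role check: was the caller assigned this app role in the portal?"""
    return required in claims.get("roles", [])


def in_any_group(claims: Mapping[str, Any], allowed: Iterable[str]) -> bool:
    """Group check: is the caller a member of at least one allowed group?

    Azure AD drops the `groups` claim when the membership list exceeds the
    token limit and emits an overage marker instead. Assumption: that marker
    appears as `hasgroups` or as a `groups` entry under `_claim_names`. In
    that case the token alone cannot answer, so refuse rather than silently
    allow or deny; the caller must resolve membership via Microsoft Graph.
    """
    if "groups" not in claims:
        overage = claims.get("hasgroups") or "groups" in claims.get("_claim_names", {})
        if overage:
            raise GroupOverage("group list not in token; resolve membership via Graph")
        return False
    return not set(claims["groups"]).isdisjoint(allowed)


def authorize(
    claims: Mapping[str, Any],
    *,
    scope: Optional[str] = None,
    role: Optional[str] = None,
    groups: Optional[Iterable[str]] = None,
) -> bool:
    """Require every supplied condition; unspecified dimensions are not checked.

    Scopes describe what the client app may do on the user's behalf; roles
    and groups describe who the user is. A delegated API usually needs both,
    e.g. the write scope AND an admin role.
    """
    if scope is not None and not has_scope(claims, scope):
        return False
    if role is not None and not has_role(claims, role):
        return False
    if groups is not None and not in_any_group(claims, groups):
        return False
    return True


# Constructed sample payloads (not real tokens); the GUID is a placeholder.
ADMINS_GROUP = "00000000-0000-0000-0000-000000000001"

ADMIN_CLAIMS = {
    "scp": "read_my_api write_my_api",
    "roles": ["SuperAdmin"],
    "groups": [ADMINS_GROUP],
}
READER_CLAIMS = {"scp": "read_my_api", "groups": []}
OVERAGE_CLAIMS = {"scp": "read_my_api", "_claim_names": {"groups": "src1"}}

if __name__ == "__main__":
    print("admin may write:", authorize(ADMIN_CLAIMS, scope="write_my_api", role="SuperAdmin"))
    print("reader may write:", authorize(READER_CLAIMS, scope="write_my_api"))
    try:
        authorize(OVERAGE_CLAIMS, groups=[ADMINS_GROUP])
    except GroupOverage as exc:
        print("group check deferred:", exc)
```

The split on `scp` and the explicit overage exception are the two places where a naive check goes wrong: a substring match on the scope string accepts a longer scope name, and treating a missing `groups` claim as "no groups" would silently deny (or, with inverted logic, allow) the users with the largest memberships, who are often the administrators.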
