Role-based authorization
It is quite common for certain areas of your application to be available to only certain users. Instead of granting access at the user level, a general practice is to group users into roles and grant access to roles. Let's consider a typical e-commerce application, in which users can place orders, support staff can view, update, or cancel orders and resolve user queries, and the admin role approves or rejects orders, manages inventory, and so on.
Role-based authorization can address such requirements. When you create a user, you can assign it to one or more roles, and when you apply the [Authorize] attribute, you can pass one or more role names to its Roles property.
The following code restricts access to all action methods under the Admin controller to users who belong to the Admin role:
    [Authorize(Roles = "Admin")]
    public class AdminController : Controller
    {
        public IActionResult Index()
        {
            // ... (action body elided in the original)
        }
    }
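The following is an added example, not code from the original text, that puts the e-commerce scenario above into a minimal, runnable ASP.NET Core app. It uses cookie authentication with a constructed in-memory user list (alice, bob, carol and their roles are assumptions made for the demo) rather than ASP.NET Core Identity, so that the relationship between the role claims placed in the ClaimsPrincipal and the Roles property of [Authorize] is visible in one file. It also shows two points the single snippet above does not: a comma-separated Roles value grants access to any of the listed roles, while stacking a second [Authorize] attribute on an action requires the caller to satisfy both.

```csharp
// Added example (not from the original text): role claims issued by cookie
// authentication and enforced by [Authorize(Roles = ...)] on controllers.
// Assumed: DemoUsers is constructed demo data with no password check; a real
// application would use ASP.NET Core Identity or another verified user store.
using System.Security.Claims;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;

var builder = WebApplication.CreateBuilder(args);
builder.Services.AddControllers();
builder.Services.AddAuthentication(CookieAuthenticationDefaults.AuthenticationScheme)
    .AddCookie(options =>
    {
        options.LoginPath = "/account/login";        // unauthenticated -> 302 here
        options.AccessDeniedPath = "/account/denied"; // authenticated but wrong role -> here
    });
builder.Services.AddAuthorization();

var app = builder.Build();
app.UseAuthentication();   // builds HttpContext.User from the auth cookie
app.UseAuthorization();    // evaluates [Authorize] against that principal
app.MapControllers();
app.Run();

// Constructed demo user store: user name -> roles (assumption for this example).
static class DemoUsers
{
    public static readonly Dictionary<string, string[]> Roles = new()
    {
        ["alice"] = new[] { "Admin" },
        ["bob"]   = new[] { "Support" },
        ["carol"] = new[] { "Customer" },
    };
}

[Route("account")]
public class AccountController : Controller
{
    // POST /account/login?user=alice  (demo only: no credential check)
    [HttpPost("login")]
    public async Task<IActionResult> Login(string user)
    {
        if (!DemoUsers.Roles.TryGetValue(user, out var roles)) return Unauthorized();

        var identity = new ClaimsIdentity(CookieAuthenticationDefaults.AuthenticationScheme);
        identity.AddClaim(new Claim(ClaimTypes.Name, user));
        // [Authorize(Roles = ...)] calls User.IsInRole, which by default reads
        // claims of type ClaimTypes.Role, so each role becomes one such claim.
        foreach (var role in roles) identity.AddClaim(new Claim(ClaimTypes.Role, role));

        await HttpContext.SignInAsync(CookieAuthenticationDefaults.AuthenticationScheme,
                                      new ClaimsPrincipal(identity));
        return Ok($"signed in as {user} with roles: {string.Join(",", roles)}");
    }

    [HttpGet("denied")]
    public IActionResult Denied() => StatusCode(403, "forbidden: missing required role");
}

// Every action in this controller requires the Admin role.
[Authorize(Roles = "Admin")]
[Route("admin")]
public class AdminController : Controller
{
    [HttpGet("inventory")]
    public IActionResult Inventory() => Ok("inventory management");
}

// A comma-separated list means ANY listed role is sufficient: Admin OR Support.
[Authorize(Roles = "Admin,Support")]
[Route("orders")]
public class OrdersController : Controller
{
    [HttpGet]
    public IActionResult List() => Ok("all orders");

    // A second [Authorize] on the action must ALSO be satisfied, so approving
    // an order requires (Admin OR Support) AND Admin, i.e. Admin only.
    [HttpPost("{id}/approve")]
    [Authorize(Roles = "Admin")]
    public IActionResult Approve(int id) => Ok($"order {id} approved");
}
```

Running the app and signing in as bob (Support) lets GET /orders succeed while POST /orders/1/approve and GET /admin/inventory are redirected to /account/denied; signing in as alice (Admin) allows all three. Because the check is driven entirely by the role claims in the principal, the security of this scheme rests on where those claims come from: they must be issued by the server from a trusted user store after authentication, never taken from client-supplied input.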