Authorization in ASP.NET Core is flexible and powerful.
You can secure your applications using multiple techniques based on roles, claims, attributes or even complex logic tied to the current resource.
Here are all the main types of authorization in ASP.NET Core.
🔑 1. Role-Based Authorization (RBAC)
Use this when your application has fixed roles like Admin, Manager or User.
[Authorize(Roles = "Admin")]
public IActionResult AdminOnly()
{
return View();
}
You define roles during authentication and check them declaratively with [Authorize].
✅ Simple to implement
❌ Hard to scale with complex permissions
🧾 2. Claim-Based Authorization
This works on user claims such as "Department", "Region", "SubscriptionLevel".
[Authorize(Policy = "HROnly")]
public IActionResult HRDashboard()
{
return View();
}
Policy is configured in Program.cs or Startup.cs:
builder.Services.AddAuthorization(options =>
{
options.AddPolicy("HROnly", policy =>
policy.RequireClaim("Department", "HR"));
});
✅ More flexible than roles
❌ Still limited for complex logic
⚙️ 3. Policy-Based Authorization
This is a broader system that includes roles, claims and custom requirements.
You can create policies using:
RequireRoleRequireClaimRequireAssertionCustom
IAuthorizationRequirementandAuthorizationHandler
options.AddPolicy("Over18", policy =>
policy.RequireAssertion(context =>
context.User.HasClaim(c =>
c.Type == "Age" && int.Parse(c.Value) >= 18)));
✅ Centralized and composable
❌ Slightly more complex setup
🧩 4. Resource-Based Authorization
Use this when access depends on a specific object or instance.
public class DocumentAuthorizationHandler : AuthorizationHandler<OperationAuthorizationRequirement, Document>
{
protected override Task HandleRequirementAsync(AuthorizationHandlerContext context,
OperationAuthorizationRequirement requirement, Document resource)
{
if (resource.OwnerId == context.User.Identity.Name)
{
context.Succeed(requirement);
}
return Task.CompletedTask;
}
}
Then use in controller:
var authResult = await _authorizationService.AuthorizeAsync(User, document, "EditPolicy");
✅ Good for per-resource access
❌ Requires custom handlers and service injection
🧬 5. Attribute-Based Access Control (ABAC)
ABAC is not a built-in feature but can be implemented using policies and custom handlers.
You evaluate access based on user attributes, resource attributes and context attributes.
Example logic:
User.Age >= Resource.MinimumAge
User.Country == Resource.AvailableInCountry
Request.Time between 9AM and 5PM
This often overlaps with resource-based authorization but with more dynamic inputs.
✅ Most flexible
❌ Most complex to manage
🧠 Summary Table
Type | Use Case | Flexibility | Complexity |
|---|---|---|---|
Role-Based (RBAC) | Simple role access like Admin | Low | Low |
Claim-Based | Checks user properties | Medium | Low |
Policy-Based | Composable roles and claims | High | Medium |
Resource-Based | Object-specific authorization | High | High |
Attribute-Based | Attribute and context-driven logic | Very High | Very High |
🧭 Choose Wisely
Start with Role-Based or Claim-Based if your needs are simple.
Move to Policy-Based or Resource-Based when logic becomes more complex.
Use ABAC when access depends on multiple attributes across user and resource context.
Authorization is not just about blocking access.
It is about designing secure and flexible boundaries that grow with your app.