Section 4 of 6

Policy-Based Authorization

🎯 What You'll Learn

  • What are policies
  • Creating policies
  • Combining requirements
  • Using policies
  • Policy advantages

What are Policies?

Policies are named authorization rules that combine multiple requirements (roles, claims, custom logic) into reusable authorization strategies.

Creating Simple Policies

Program.cs C#
builder.Services.AddAuthorization(options =>
{
    // Require authenticated user
    options.AddPolicy("RequireAuth", policy =>
        policy.RequireAuthenticatedUser());

    // Require specific role
    options.AddPolicy("RequireAdmin", policy =>
        policy.RequireRole("Admin"));

    // Require specific claim
    options.AddPolicy("ITOnly", policy =>
        policy.RequireClaim("Department", "IT"));
});

Combining Requirements

Multiple Requirements (AND) C#
options.AddPolicy("AdminInIT", policy =>
{
    policy.RequireRole("Admin");
    policy.RequireClaim("Department", "IT");
});

Age Requirement C#
options.AddPolicy("Over18", policy =>
    policy.RequireAssertion(context =>
    {
        // Custom logic: read the BirthDate claim and compute the user's age
        var birthDate = context.User.FindFirst("BirthDate")?.Value;
        if (!DateTime.TryParse(birthDate, out var date))
        {
            return false; // missing or unparseable claim: deny
        }

        var today = DateTime.Today;
        var age = today.Year - date.Year;
        if (date.Date > today.AddYears(-age))
        {
            age--; // birthday has not happened yet this year
        }
        return age >= 18;
    }));

Using Policies

[Authorize(Policy)] C#
[Authorize(Policy = "RequireAdmin")]
public class AdminController : Controller
{
    public IActionResult Index()
    {
        return View();
    }
}

// Policies can also be applied to a single action inside a controller:
[Authorize(Policy = "AdminInIT")]
public IActionResult ITAdmin()
{
    return View();
}

InvenTrack Example

Program.cs - InvenTrack Policies C#
builder.Services.AddAuthorization(options =>
{
    options.AddPolicy("CanManageProducts", policy =>
    {
        policy.RequireRole("Admin", "Manager");         // Admin OR Manager ...
        policy.RequireClaim("CanEditProducts", "true"); // ... AND this claim (both must hold)
    });

    options.AddPolicy("CanDeleteProducts", policy =>
        policy.RequireRole("Admin"));
});

ProductsController.cs C#
public class ProductsController : Controller
{
    [Authorize]
    public IActionResult Index()
    {
        return View();
    }

    [Authorize(Policy = "CanManageProducts")]
    public IActionResult Edit(int id)
    {
        return View();
    }

    [Authorize(Policy = "CanDeleteProducts")]
    public IActionResult Delete(int id)
    {
        return View();
    }
}
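As an added example that is not part of the course material: the InvenTrack policies above, registered in a plain ServiceCollection and evaluated through IAuthorizationService, the same service the [Authorize] filter uses. This is how the AND semantics of a combined policy can be checked in a unit test; it assumes a .NET 6+ project with a framework reference to Microsoft.AspNetCore.App, and the test principals are constructed.

```csharp
using System;
using System.Security.Claims;
using Microsoft.AspNetCore.Authorization;
using Microsoft.Extensions.DependencyInjection;

// Added example: register the InvenTrack policies and evaluate them directly,
// without MVC, to see which principals each policy admits.
var services = new ServiceCollection();
services.AddLogging(); // DefaultAuthorizationService takes an ILogger dependency
services.AddAuthorization(options =>
{
    options.AddPolicy("CanManageProducts", policy =>
    {
        policy.RequireRole("Admin", "Manager");         // Admin OR Manager ...
        policy.RequireClaim("CanEditProducts", "true"); // ... AND this exact claim value
    });
    options.AddPolicy("CanDeleteProducts", policy => policy.RequireRole("Admin"));
});

var authz = services.BuildServiceProvider().GetRequiredService<IAuthorizationService>();

// Constructed test principals (not real InvenTrack users).
static ClaimsPrincipal User(params Claim[] claims) =>
    new ClaimsPrincipal(new ClaimsIdentity(claims, authenticationType: "Test"));

var cases = new (string Name, ClaimsPrincipal Principal)[]
{
    // Manager with the edit claim: satisfies both requirements of CanManageProducts
    ("manager+edit",  User(new Claim(ClaimTypes.Role, "Manager"),
                           new Claim("CanEditProducts", "true"))),
    // Admin without the edit claim: role requirement met, claim requirement not (AND)
    ("admin-no-edit", User(new Claim(ClaimTypes.Role, "Admin"))),
    // Claim values are compared ordinally, so "True" is not the same as "true"
    ("manager-True",  User(new Claim(ClaimTypes.Role, "Manager"),
                           new Claim("CanEditProducts", "True"))),
};

foreach (var (name, principal) in cases)
{
    foreach (var policyName in new[] { "CanManageProducts", "CanDeleteProducts" })
    {
        AuthorizationResult result = await authz.AuthorizeAsync(principal, null, policyName);
        Console.WriteLine($"{name,-14} {policyName,-18} {(result.Succeeded ? "allowed" : "denied")}");
    }
}
```

Only the first principal passes CanManageProducts; the admin fails it on the missing claim even though the role matches, and only the admin passes CanDeleteProducts.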

Policy Advantages

  • Reusable: Define once, use everywhere
  • Testable: Easy to unit test
  • Maintainable: Change logic in one place
  • Flexible: Combine multiple requirements
  • Readable: Named policies are self-documenting

Key Takeaways

  • Policies: Named authorization rules
  • AddPolicy(): Define policies
  • RequireRole/RequireClaim: Add requirements
  • RequireAssertion(): Custom logic
  • [Authorize(Policy)]: Apply policy
  • Combine requirements: Multiple conditions (AND)