Hi
I am still confused about all this Identity stuff.
First, I am still confused about the difference between Roles and Policies/Claims. From what I read, roles are the old way of doing things and were kept for backward compatibility (I wish they had an option to omit them; maybe that would clear up some confusion).
I think I understand Claims and Policies when thinking of them individually: a policy is basically a set of rules that must pass, and it gives the ability to change the rules without having to go throughout all the code and change roles.
Whereas a claim is basically something a trusted source is vouching for about that user (i.e. this is their age, which might come from a government source).
Now what confuses me is putting it all together.
I generated the Identity tables and see
- AspNetUsers
- AspNetUserRoles
- AspNetRoles
- AspNetRoleClaims
- AspNetUserClaims
- AspNetUserLogins
I get what the AspNetUsers table does and AspNetUserLogins (seems to be for if they use external login providers).
I get confused about what the difference is between AspNetRoleClaims and AspNetUserClaims. Do I just use AspNetUserClaims, or do I use everything?
Say I have this scenario:
I have a company that has many branches. In each branch there will be an administrator of that branch; they have full power over the branch and can do anything, but nothing at another branch. At the company level there will be an administrator who can do anything at the company level and at any branch. Finally, I have a person in the branch who can just add new employees.
What does this all look like? Do I make 3 roles?
- CompanyAdmin
- BranchAdmin
- AddUsersAtBranchLevel (or is this some sort of claim??)
What do the tables look like? Is there anything going to be in AspNetRoleClaims? AspNetUserClaims?
Now I can make a policy to check if the user is a branch admin and if they are trying to edit their branch? Or would it just be a claim I am checking?
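One way to express the branch scenario above in ASP.NET Core authorization, as an added example that is not part of the original post: the two admin levels are roles, the branch a user belongs to is a claim (the claim type name `branch_id` is an assumption here; Identity would store it as a row in AspNetUserClaims), and a policy with a resource-based requirement handler combines the two so that a BranchAdmin can only edit the branch named in their own claim while a CompanyAdmin can edit any branch. The policy name `EditBranch` and the controller route are likewise assumptions for illustration.

```csharp
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.DependencyInjection;

// Role names mirror the roles named in the question.
public static class RoleNames
{
    public const string CompanyAdmin = "CompanyAdmin";
    public const string BranchAdmin = "BranchAdmin";
}

// Claim type tying a user to a branch. "branch_id" is an assumed name for this
// example; in Identity it is stored as a row in AspNetUserClaims.
public static class BranchClaimTypes
{
    public const string BranchId = "branch_id";
}

// Requirement: the "what must be true" half of a policy. It carries no data
// because the branch being edited is supplied as the resource at check time.
public sealed class BranchAccessRequirement : IAuthorizationRequirement { }

// Handler: evaluates the requirement against the resource (the branch id the
// caller is trying to edit, which the controller passes in).
public sealed class BranchAccessHandler
    : AuthorizationHandler<BranchAccessRequirement, int>
{
    protected override Task HandleRequirementAsync(
        AuthorizationHandlerContext context,
        BranchAccessRequirement requirement,
        int requestedBranchId)
    {
        // Company-level admins may edit any branch.
        if (context.User.IsInRole(RoleNames.CompanyAdmin))
        {
            context.Succeed(requirement);
            return Task.CompletedTask;
        }

        // Branch admins may edit only the branch named in their own claim.
        if (context.User.IsInRole(RoleNames.BranchAdmin))
        {
            Claim? branchClaim = context.User.FindFirst(BranchClaimTypes.BranchId);
            if (branchClaim != null
                && int.TryParse(branchClaim.Value, out var ownBranchId)
                && ownBranchId == requestedBranchId)
            {
                context.Succeed(requirement);
            }
        }

        // Not calling Succeed leaves the requirement unmet, so the check fails.
        return Task.CompletedTask;
    }
}

// Registration (Startup.ConfigureServices or Program.cs).
public static class BranchAuthorizationSetup
{
    public const string EditBranchPolicy = "EditBranch";

    public static IServiceCollection AddBranchAuthorization(this IServiceCollection services)
    {
        services.AddAuthorization(options =>
        {
            options.AddPolicy(EditBranchPolicy,
                policy => policy.Requirements.Add(new BranchAccessRequirement()));
        });
        services.AddSingleton<IAuthorizationHandler, BranchAccessHandler>();
        return services;
    }
}

// Usage in a controller: a resource-based check through IAuthorizationService,
// because the branch id is only known once the request arrives.
public class BranchesController : ControllerBase
{
    private readonly IAuthorizationService _authz;

    public BranchesController(IAuthorizationService authz) => _authz = authz;

    [HttpPost("branches/{branchId:int}/edit")]
    public async Task<IActionResult> Edit(int branchId)
    {
        AuthorizationResult result = await _authz.AuthorizeAsync(
            User, branchId, BranchAuthorizationSetup.EditBranchPolicy);
        if (!result.Succeeded)
        {
            return Forbid();
        }
        // ... apply the branch edit here ...
        return Ok();
    }
}
```

The third ability in the scenario (adding employees at a branch) would get its own policy in the same style; whether its marker lives in AspNetUserRoles or AspNetUserClaims only changes whether the handler calls `IsInRole` or `FindFirst`, since the branch-matching logic is the same.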