The World’s Largest Online Community for Developers
In ASP.NET Boilerplate, why does it has roles and permissions to control authorization? Which is the difference between both?
Having both roles and permissions allows flexibility and ease for admins to control authorization.
The difference is that authorization only depends on permissions, not roles.
Roles are used to group permissions. When a user has a role, then he/she will have all the permissions of that role. A user can have multiple roles. The permissions of this user will be a merge of all the permissions of all assigned roles.
For example, a site moderator can be allowed to add, edit and delete any posts, including the ones written by others. A site moderator can add, edit and delete comments as well. If there are several site moderators, then a role can be easily assigned instead of individual permissions to each user.
No, a permission can be assigned directly to a user.
No, a role does not need permissions. A role with no permissions is like a position (e.g. employee).
If we grant a permission to a role, all the users that have this role are authorized for the permission (unless explicitly prohibited for a specific user).
While the role-based permission management can be enough for most applications, we may need to control the permissions per user. When we define a permission setting for a user, it overrides the permission setting defined for the roles of the user.
In addition, there are also Organization Unit Roles (not documented yet). That is, a role can be assigned to an organization unit and users in that organization unit are considered to have that role.
Role: a group of permissions.