Are claims-based identities a way to implement more granular control of an identity that is part of a role?
My theoretical best guess, since I don't know at this point, is that the answer to my own question is yes.
I am guessing that roles are composed (or made up) of claims that authorize what a user can do. And possibly cannot do. This raises another question: can claims restrict access as well as grant it to certain methods in a web API?
So, for real-world examples: if I create a user role called "Admin", maybe I would add 5 claims to that "Admin" role so that all users that are a part of the "Admin" role can execute those 5 API methods because they have the proper claims. But maybe I want to add a user to the "Admin" role I don't fully trust. So, I could either A) add him to the "Admin" role and take away 2 of the most powerful claims or B) not add him to the "Admin" role at all but instead grant to him 3 of the 5 default claims of the "Admin" role until a more appropriate time period when trust in the user has been fully realized and earned.
Is this the way this new ASP.NET Identity stuff works... am I close at all? If I am, it just immediately occurs to me that this might be very similar to the way the default security system has been implemented in the Windows 7 operating system. Would I be correct in that observation as well?
I think somebody needs to write a book that teaches, from the ground up, how to use and understand this ASP.NET Identity system. Tutorials are all well and good, but being able to follow 7 steps of a tutorial and create a working example is nowhere near equivalent to understanding what the hell you actually just did. And how this whole new Membership system fits into the scheme of things.