I'm designing a web-based application. I don't have much experience with security, but with a bunch of research I'm getting closer to what I need. The next challenge is as follows:
Users can create a group of users and will be the admin of this group; the same user will be able to join another group as a normal user. So the authorization is context dependent. I called it group-based roles, I don't know if that's the official name or not, but I'm having trouble with the implementation of the idea.
I like the idea of using the ClaimsPrincipalPermission attribute to separate business logic and the authentication logic. So something like this. The required permission will probably stay the same, but I might define extra users or roles that can execute this action.
```csharp
[ClaimsPrincipalPermission(SecurityAction.Demand, Resource = "Group", Operation = "Edit")]
void EditGroup(int GroupID)
{
    // business logic only; the access decision is made by the ClaimsAuthorizationManager
}
```
But the problem is that, from what I understand, the ClaimsAuthorizationManager that authenticates the user will only see the Resource and the Operation parameter, but not the GroupID. Is there some other way to get this to work, or am I completely on the wrong track?
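One way to get the group id in front of the ClaimsAuthorizationManager, shown here as an added example that is not code from the question: for group-scoped operations, skip the attribute and build the AuthorizationContext yourself, carrying the group id as an extra resource claim. The string overload the attribute relies on stores the resource and operation as claims of type ClaimTypes.Name; the example keeps that shape and adds a second resource claim, so the custom manager can look up the caller's role inside that particular group. The claim type URI, the GroupAuthorization.CheckAccess helper, the in-memory membership table and the users alice and bob are all constructed for this example.

```csharp
using System;
using System.Collections.Generic;
using System.Collections.ObjectModel;
using System.Linq;
using System.Security.Claims;

// Hypothetical claim type used to carry the group id alongside the "Group" resource claim.
public static class GroupClaimTypes
{
    public const string GroupId = "http://example.com/claims/groupid";
}

// All group-role logic lives here, so EditGroup and friends stay free of it.
public class GroupClaimsAuthorizationManager : ClaimsAuthorizationManager
{
    // Constructed membership table: "groupId:user" -> role inside that group (stands in for a database).
    // alice runs group 1; bob is a plain member of group 1 but runs group 2.
    private static readonly Dictionary<string, string> Membership = new Dictionary<string, string>
    {
        { "1:alice", "Admin" }, { "1:bob", "Member" }, { "2:bob", "Admin" }
    };

    public override bool CheckAccess(AuthorizationContext context)
    {
        var identity = context.Principal == null ? null : context.Principal.Identity;
        if (identity == null || !identity.IsAuthenticated) return false;
        // Resource and action names arrive as ClaimTypes.Name claims, the same shape the
        // ClaimsPrincipalPermission attribute produces, so one manager can serve both call styles.
        string resource = ValueOf(context.Resource, ClaimTypes.Name);
        string action   = ValueOf(context.Action, ClaimTypes.Name);
        if (resource != "Group") return false;
        // The group id is an extra resource claim rather than a method parameter.
        int groupId;
        if (!int.TryParse(ValueOf(context.Resource, GroupClaimTypes.GroupId), out groupId)) return false;
        string role;
        if (!Membership.TryGetValue(groupId + ":" + identity.Name, out role)) return false; // not a member
        switch (action)
        {
            case "View": return true;              // any member of this group
            case "Edit": return role == "Admin";   // admin of this group only
            default:     return false;             // deny unknown operations
        }
    }

    private static string ValueOf(Collection<Claim> claims, string type)
    {
        Claim c = claims.FirstOrDefault(x => x.Type == type);
        return c == null ? null : c.Value;
    }
}

public static class GroupAuthorization
{
    // Created directly so the sample runs as a console program. In a web application you would
    // resolve it from FederatedAuthentication.FederationConfiguration.IdentityConfiguration.ClaimsAuthorizationManager.
    private static readonly ClaimsAuthorizationManager Manager = new GroupClaimsAuthorizationManager();

    public static bool CheckAccess(ClaimsPrincipal principal, string resource, string action, int groupId)
    {
        var resourceClaims = new Collection<Claim>
        {
            new Claim(ClaimTypes.Name, resource),
            new Claim(GroupClaimTypes.GroupId, groupId.ToString())
        };
        var actionClaims = new Collection<Claim> { new Claim(ClaimTypes.Name, action) };
        return Manager.CheckAccess(new AuthorizationContext(principal, resourceClaims, actionClaims));
    }
}

public class GroupService
{
    // Business method: one explicit check replaces the attribute, which cannot see the group id.
    public void EditGroup(ClaimsPrincipal caller, int groupId)
    {
        if (!GroupAuthorization.CheckAccess(caller, "Group", "Edit", groupId))
            throw new UnauthorizedAccessException("Not an admin of group " + groupId);
        // ... edit the group here
    }
}

public static class Program
{
    static ClaimsPrincipal Login(string name)
    {
        // A non-null authentication type makes IsAuthenticated true; the Name claim becomes Identity.Name.
        return new ClaimsPrincipal(new ClaimsIdentity(new[] { new Claim(ClaimTypes.Name, name) }, "Demo"));
    }

    public static void Main()
    {
        Console.WriteLine("alice edits group 1 (admin there):   " + GroupAuthorization.CheckAccess(Login("alice"), "Group", "Edit", 1));
        Console.WriteLine("bob edits group 1 (member only):     " + GroupAuthorization.CheckAccess(Login("bob"), "Group", "Edit", 1));
        Console.WriteLine("bob edits group 2 (admin there):     " + GroupAuthorization.CheckAccess(Login("bob"), "Group", "Edit", 2));
        Console.WriteLine("alice edits group 2 (not a member):  " + GroupAuthorization.CheckAccess(Login("alice"), "Group", "Edit", 2));
    }
}
```

Two points worth keeping in mind with this pattern. The attribute can stay on methods whose permission does not depend on a specific group, and the same manager class handles those calls because it reads the resource and operation from the ClaimTypes.Name claims either way; in a WIF-based site it is registered under the claimsAuthorizationManager element of the system.identityModel configuration section. The role is always looked up server-side from the membership store using the authenticated identity and the group id of the request; never accept a role or admin flag supplied by the client.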