Auth Requirements
AuthorizationHub comes with many pre-built authorization requirements that you can use to build your own policies.
Organizations By DisplayName
If you want to restrict access based on membership in an organization (group), you can use the AllowedOrganizationsByDisplayNameRequirement. It looks at the user's claims to see whether there is a claim for an organization that matches a DisplayName defined in the requirement. Let's say you wanted to restrict access to a page to users who were part of the "Accounting", "Administrators", and "SuperUsers" groups.
You'll need to add Authorization to the service collection, and define the policy by adding a requirement. Because we've chosen to use the DisplayName as our method for identifying claims, we'll use the AllowedOrganizationsByDisplayNameRequirement. Just pass in a list of strings that identify which organizations should be used by the requirement.
builder.Services.AddAuthorization(options =>
{
    options.AddPolicy("SalaryInfoDisplay", policyBuilder => policyBuilder.AddRequirements(
        new AllowedOrganizationsByDisplayNameRequirement(["Accounting", "Administrators", "SuperUsers"])
    ));
});
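The claim-matching check described above, as an added example that is not AuthorizationHub's own code: a hypothetical requirement and handler are evaluated against constructed users through ASP.NET Core's IAuthorizationService. The names OrgDisplayNameRequirement and OrgDisplayNameHandler, the claim type, and the case-sensitive comparison are assumptions; the project is assumed to reference the ASP.NET Core shared framework.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authorization;
using Microsoft.Extensions.DependencyInjection;

// Hypothetical stand-in for a display-name requirement; not AuthorizationHub's class.
public sealed class OrgDisplayNameRequirement(IEnumerable<string> allowed) : IAuthorizationRequirement
{
    // Assumption: exact, case-sensitive match on the display name.
    public HashSet<string> Allowed { get; } = new(allowed, StringComparer.Ordinal);
}

public sealed class OrgDisplayNameHandler : AuthorizationHandler<OrgDisplayNameRequirement>
{
    // Assumed claim type; the page does not show which claim type AuthorizationHub issues.
    public const string ClaimType = "example:organization_display_name";
    protected override Task HandleRequirementAsync(
        AuthorizationHandlerContext context, OrgDisplayNameRequirement requirement)
    {
        // Any matching organization claim satisfies the requirement; no match leaves it unmet.
        if (context.User.Claims.Any(c => c.Type == ClaimType && requirement.Allowed.Contains(c.Value)))
            context.Succeed(requirement);
        return Task.CompletedTask;
    }
}

public static class Program
{
    static ClaimsPrincipal UserIn(string org) =>
        new(new ClaimsIdentity(new[] { new Claim(OrgDisplayNameHandler.ClaimType, org) }, "constructed"));
    public static async Task Main()
    {
        var services = new ServiceCollection();
        services.AddLogging(); // the default IAuthorizationService needs an ILogger
        services.AddSingleton<IAuthorizationHandler, OrgDisplayNameHandler>();
        services.AddAuthorizationCore(options => options.AddPolicy("SalaryInfoDisplay",
            p => p.AddRequirements(new OrgDisplayNameRequirement(["Accounting", "Administrators", "SuperUsers"]))));
        var authz = services.BuildServiceProvider().GetRequiredService<IAuthorizationService>();
        // Constructed users: an allowed organization, a different one, and a casing variant.
        foreach (var org in new[] { "Accounting", "Engineering", "accounting" })
        {
            var result = await authz.AuthorizeAsync(UserIn(org), null, "SalaryInfoDisplay");
            Console.WriteLine($"{org}: {(result.Succeeded ? "allowed" : "denied")}");
        }
    }
}
```

Running the same kind of check against your real policy, with users built from the claims your identity provider actually issues, is a quick way to confirm that a renamed or differently cased organization does not silently change who passes.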
Organizations By ExternalId
Sometimes it is preferable to use an organization's ExternalId as the criteria for checking a user's claims. To define which ExternalIds would allow you to pass an authorization check, you can pass them into the constructor of AllowedOrganizationsByExternalIdRequirement.
builder.Services.AddAuthorization(options =>
{
    options.AddPolicy("SalaryInfoDisplay", policyBuilder => policyBuilder.AddRequirements(
        new AllowedOrganizationsByExternalIdRequirement(["90f7989e-c10d-4b86-840b-0be0ecdd8043", "b3d74050-9f12-40a7-a720-94e111c5147c", "c8aee824-a2ca-4e35-9e6d-368c486f8931"])
    ));
});
Organizations By PartyId
If you want to use AuthorizationHub's identifier for organizations to inspect a user's claims, you can use the AllowedOrganizationsByPartyIdRequirement. This will allow you to pass in a list of integers to define which organizations will allow a user to pass an authorization check.
builder.Services.AddAuthorization(options =>
{
    options.AddPolicy("SalaryInfoDisplay", policyBuilder => policyBuilder.AddRequirements(
        new AllowedOrganizationsByPartyIdRequirement(["41", "103", "22"])
    ));
});
Roles By DisplayName
If you want to restrict access based on membership in a Role, you can use the AllowedRolesByDisplayNameRequirement. It looks at the user's claims to see whether there is a claim for a role that matches a DisplayName defined in the requirement. Let's say you wanted to restrict access to a page to users who were part of the "Accounting Manager", "CFO", or "CEO" roles.
You'll need to add Authorization to the service collection, and define the policy by adding a requirement. Because we've chosen to use the DisplayName as our method for identifying claims, we'll use the AllowedRolesByDisplayNameRequirement. Just pass in a list of strings that identify which roles should be used by the requirement.
builder.Services.AddAuthorization(options =>
{
    options.AddPolicy("SalaryInfoDisplay", policyBuilder => policyBuilder.AddRequirements(
        new AllowedRolesByDisplayNameRequirement(["Accounting Manager", "CFO", "CEO"])
    ));
});
Roles By ExternalId
Sometimes it is preferable to use a role's ExternalId as the criteria for checking a user's claims. To define which ExternalIds would allow you to pass an authorization check, you can pass them into the constructor of AllowedRolesByExternalIdRequirement.
builder.Services.AddAuthorization(options =>
{
    options.AddPolicy("SalaryInfoDisplay", policyBuilder => policyBuilder.AddRequirements(
        new AllowedRolesByExternalIdRequirement(["90f7989e-c10d-4b86-840b-0be0ecdd8043", "b3d74050-9f12-40a7-a720-94e111c5147c", "c8aee824-a2ca-4e35-9e6d-368c486f8931"])
    ));
});
Roles By PartyId
If you want to use AuthorizationHub's identifier for roles to inspect a user's claims, you can use the AllowedRolesByPartyIdRequirement. This will allow you to pass in a list of integers to define which roles will allow a user to pass an authorization check.
builder.Services.AddAuthorization(options =>
{
    options.AddPolicy("SalaryInfoDisplay", policyBuilder => policyBuilder.AddRequirements(
        new AllowedRolesByPartyIdRequirement(["42", "104", "23"])
    ));
});