This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(70.4, 70%, 16%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ELN%3C/text%3E%3C/svg%3E)
Hey,
my first project with ASP.NET Core Blazor had the authorization managed by roles.
This was all fine, because one person had access to one "company".
In my rework of the app I tried to do, that a user can switch between "companies".
So the problem would be, if a page requires the balance role the user would get the role balance and then would be able to access this site on another "company" as well, even though in this company he shouldn't have access to the page.
I don't know if it would be a practical solution to create this role for every company created.
This would mean the "company" with ID 1 would get the balance_1 role name.
I would create these roles as the "company" gets created, so they can then be assigned to the users.
For example, I'm working on this for a fun project server, and around 40 "companies" with about 20 users each would use this. This would make 800 DB entries for the roles alone. I haven't built anything that "big", so I really can't tell if this is ok or too much.
On the other hand I had a peek into the policy-based authorization, and as far as I could tell there would not be a way to create a policy with a variable parameter to pass to the AuthorizationHandler expansion method.
The currently used "company" by the employee is a URL parameter, and stored in a session based class. If you need this information.
Thanks ahead for your ideas.
DaNeubi
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(288, 78%, 37%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EBZ%3C/text%3E%3C/svg%3E)
Hi LukasNeubauer-7238,
If you are specific requirement for role management, we could only create the new sql record for each specific policy. In my opinion, there is no better way to achieve your requirement now.
If this would also be managable by policies or in another way, I'm not bound to roles.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(211.20000000000002, 61%, 30%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EBS%3C/text%3E%3C/svg%3E)
I’d dynamically load the roles on each request, to match the user/company combo for the request. Easy with middleware.
So you would create a role for every "company"?
And how would you load the roles dynamically?
4 tables, users, roles, companies and user company roles.
The request needs to identify the user name via authentication, and also the companyid (url parameter or cookie value). With this info you can load the roles.
Another option is at login the user specifies the company, and the company is added as a claim value. Then you validate the company claim against the request company Id
I tried your suggestion, but the thing I struggle with is, that I don't know how to tell the middleware which role is required for the current request.
Could you give me a hint with that?
the middleware needs to know from the request the company and user. it then loads all roles for that combo. after that you just use standard authorization restringing an action to a role(s).