
ASP.NET Core authorization not working for nested roles

I have implemented role-based access control (RBAC) in an ASP.NET Core project. I require a user to belong to at least one Active Directory role, depending on which environment the code is deployed to (DEV, STAGING, PROD). The code below works. However, rather than using multiple roles per environment, I am now required to use a single "nested"/grouped/hierarchical role, i.e. the new role groups the other roles together. Using the new AD role no longer works. I have confirmed that I am a member of the new role, but I get an Authorization error. I cannot find anything online discussing whether it's possible to use grouped roles in ASP.NET Core.

public void ConfigureServices(IServiceCollection services)
{
    try
    {
        services.AddAuthentication(IISDefaults.AuthenticationScheme);
        services.AddMvc().AddApplicationPart(typeof(ProcessController).Assembly).SetCompatibilityVersion(CompatibilityVersion.Version_2_2);
        services.AddSingleton<IHttpContextAccessor, HttpContextAccessor>();
        services.AddRequestScopingMiddleware(() => _scopeProvider.Value = new Scope());
        services.AddCustomControllerActivation(Resolve);
        services.AddCustomViewComponentActivation(Resolve);

        services.AddAuthorization(options =>
        {
            var policyBuilder = new AuthorizationPolicyBuilder().RequireAuthenticatedUser();
            switch (HostingEnvironment.EnvironmentName)
            {
                case "Development":
                    policyBuilder.RequireRole("roleA", "roleB");
                    //policyBuilder.RequireRole("roleAandB");//this doesn't work
                    break;
                case "Staging":
                    policyBuilder.RequireRole("roleC", "roleD");
                    break;
                case "Production":
                    policyBuilder.RequireRole("roleE", "roleF");
                    break;
                default:
                    policyBuilder.RequireRole("roleG");
                    break;
            }

            options.AddPolicy("Environment", policyBuilder.Build());
        });

    }
    catch (Exception e)
    {
        _logger.Error(e, "Unhandled exception");
        throw;
    }
}

[Authorize(Policy = "Environment")]
public class ProcessController : ControllerBase
{
    ...
}

How do I use nested roles in ASP.NET Core authorization?

What are called "roles" in ASP.NET correspond to groups in Active Directory. So checking if an AD user has a role is really checking if the user is in a group.

Let's say you want to give "power users" access to a certain part of the website. You would create a group in AD called MyAppPowerUsers, and use that as the role in your application:

policyBuilder.RequireRole("MyAppPowerUsers");

Then you add whoever you consider "power users" to that group in AD. For example, if you want to give all managers and team leads access to that "power users" part of your site, then you create groups called Managers and TeamLeads and add them to MyAppPowerUsers.

In that case, any user that is a member of either Managers or TeamLeads will be considered to be a member of MyAppPowerUsers.

So the idea is that, for the most part, you:

  • Create a group named after the role in your application
  • Create groups for job descriptions. You might even already have these, for example, as distribution lists (as long as those DLs have a "Group type" of "Security")
  • Add the job description groups to the roles

There, of course, can be exceptions to that, if you want to add one person to a role and not all people with their job description.
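The role requirement that RequireRole adds is evaluated by calling ClaimsPrincipal.IsInRole, and under IIS Windows authentication that principal is a WindowsPrincipal whose answer comes from the group SIDs in the user's logon token. A quick way to see exactly what the "Environment" policy will evaluate is to dump those token groups and run the same IsInRole check. This is an added diagnostic, not code from the question or the answer; the group names are the placeholders used in the answer, and it assumes a domain-joined Windows host, run as the account whose access is being checked.

```csharp
using System;
using System.Linq;
using System.Security.Principal;

// Added diagnostic: lists the group memberships that WindowsPrincipal.IsInRole
// (and therefore policyBuilder.RequireRole) sees for the current logon token.
// Windows-only; a nested (group-in-group) membership only satisfies RequireRole
// if the nested group's SID is present in this token.
static class TokenGroupCheck
{
    // Translate each group SID in the token to DOMAIN\Name where possible.
    public static string[] TokenGroupNames(WindowsIdentity identity)
    {
        return identity.Groups
            .Select(sid =>
            {
                try { return sid.Translate(typeof(NTAccount)).Value; }
                catch (IdentityNotMappedException) { return sid.Value; } // orphaned or foreign SID
            })
            .OrderBy(name => name, StringComparer.OrdinalIgnoreCase)
            .ToArray();
    }

    // The same membership test the role authorization handler performs for RequireRole(role).
    public static bool HasRole(WindowsIdentity identity, string role)
        => new WindowsPrincipal(identity).IsInRole(role);

    static void Main(string[] args)
    {
        // Placeholder role names taken from the answer; pass your own groups as arguments.
        var roles = args.Length > 0 ? args : new[] { "MyAppPowerUsers", "Managers", "TeamLeads" };

        using var identity = WindowsIdentity.GetCurrent();
        Console.WriteLine($"User: {identity.Name}");
        Console.WriteLine("Groups in logon token (what RequireRole evaluates):");
        foreach (var group in TokenGroupNames(identity))
            Console.WriteLine($"  {group}");

        foreach (var role in roles)
            Console.WriteLine($"IsInRole(\"{role}\") = {HasRole(identity, role)}");
    }
}
```

If the grouped role is missing from the token listing while the nested groups are present, the policy cannot pass for that logon, which is the first thing to confirm before looking at the application code.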
