I'm designing a permissioning system for a new set of services that my team is creating. It is the first time that I'm doing this with a client who is using Entra ID for their authorization management. In the past I have dealt with clients where this was managed using hand-rolled UIs.
I want the system to be Permission Based Access Control rather than Role Based Access Control.
Consider a scenario where I have the `trader.senior` and `trader.junior` roles. I have already created these as App Roles against my application in Entra ID, and assigned them to my test users. However, this requires me to secure my `/executeTrade` endpoint with an `[Authorize(Roles = "trader.senior, trader.junior")]`.
I want to be able to do `[MyCustomAuthorization(permission = "trade.execute")]`. This means I need to create a permission called `trade.execute` and assign that permission to both the `trader.senior` and `trader.junior` role.
However, I have not been able to figure out how to set this up on Entra ID. Is it not possible, or am I simply looking in the wrong place? Should I be taking a different approach entirely?
Alternate approaches I have considered: `Senior Trader` and `Junior Trader` groups, and a `trade.execute` role. Then I can assign the `trade.execute` role to the aforementioned groups, and assign users to the groups.

Note that Microsoft Entra ID does not support permission-based access control in the way you described, where permissions are directly assigned to roles. You will need to implement a custom solution to achieve this functionality.
Otherwise, as you mentioned, you can make use of Entra groups to manage permissions: `Senior Trader` and `Junior Trader`.
Create a group:
Create the app roles in the Microsoft Entra ID application based on your requirement:
And assign the roles to the groups in the Enterprise application:
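The custom solution the answer refers to, as an added example that is not code from the question or the answer: an ASP.NET Core policy-based authorization layer that maps a permission such as `trade.execute` onto the Entra app roles that grant it, so the endpoint is decorated with a permission rather than a role list. It assumes an ASP.NET Core project with implicit usings and `Microsoft.AspNetCore.Authorization`, and that the Entra ID `roles` claim reaches the principal; the permission-to-role table and the `HasPermission` attribute name are constructed here.

```csharp
using System.Security.Claims;
using Microsoft.AspNetCore.Authorization;

public sealed class PermissionRequirement : IAuthorizationRequirement
{
    public string Permission { get; }
    public PermissionRequirement(string permission) => Permission = permission;
}

// Permission -> Entra app roles that grant it (table constructed for this example).
public static class PermissionMap
{
    public static readonly IReadOnlyDictionary<string, string[]> RolesFor =
        new Dictionary<string, string[]>(StringComparer.OrdinalIgnoreCase)
        {
            ["trade.execute"] = new[] { "trader.senior", "trader.junior" },
        };
}

public sealed class PermissionHandler : AuthorizationHandler<PermissionRequirement>
{
    protected override Task HandleRequirementAsync(
        AuthorizationHandlerContext context, PermissionRequirement requirement)
    {
        // App roles may surface as ClaimTypes.Role (after mapping) or as the raw "roles" claim.
        var userRoles = context.User.Claims
            .Where(c => c.Type == ClaimTypes.Role || c.Type == "roles")
            .Select(c => c.Value)
            .ToHashSet(StringComparer.OrdinalIgnoreCase);

        if (PermissionMap.RolesFor.TryGetValue(requirement.Permission, out var granting)
            && granting.Any(userRoles.Contains))
            context.Succeed(requirement);
        // Otherwise the requirement stays unmet (unknown permission or no granting role) -> 403.
        return Task.CompletedTask;
    }
}

// Usage: [HasPermission("trade.execute")] on the /executeTrade action.
public sealed class HasPermissionAttribute : AuthorizeAttribute
{
    public HasPermissionAttribute(string permission) => Policy = "permission:" + permission;
}

// Program.cs: register the handler and one policy per permission in the map.
// builder.Services.AddSingleton<IAuthorizationHandler, PermissionHandler>();
// builder.Services.AddAuthorization(o => {
//     foreach (var p in PermissionMap.RolesFor.Keys)
//         o.AddPolicy("permission:" + p, b => b.AddRequirements(new PermissionRequirement(p)));
// });
```

Adding a new permission, or changing which app roles grant it, then touches only the table, while Entra continues to own role assignment to users and groups.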