I have Organization, UserType, AspNetUser, Department, Stock and SIM tables with the following schema.
When the user calls the endpoint api/sims/1 and the user type of the user is not super admin and the organization of the user is not the same as the organization of the SIM, I want to return unauthorized. What is the best practice for doing this in ASP.NET Core Web API 3.1?
You could try to use claims-based authorization or JWT authorization in the ASP.NET Core Web API application.
After the user logs in successfully, you could add claims for the current user based on their organization. Then, according to the claims, add a policy and configure the authorization. You could refer to the following links:
Claim Based And Policy-Based Authorization With ASP.NET Core
Claims-based authorization in ASP.NET Core
Besides, you could also use the claims to generate a JwtSecurityToken, then protect the API application by implementing JWT authentication. Check the following tutorials:
Authentication And Authorization In ASP.NET Core Web API With JSON Web Tokens
JWT Authentication In ASP.NET Core
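As an added example (not code from the question or the answer), one way to enforce the check described in the question with ASP.NET Core 3.1 resource-based authorization: a requirement plus a handler that compares the caller's claims against the requested SIM, invoked from the controller through IAuthorizationService. The Sim shape, the ISimRepository abstraction and the claim names user_type and organization_id are assumptions; Forbid() returns 403 for an authenticated caller that fails the check, while the [Authorize] attribute returns 401 to unauthenticated callers.

```csharp
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;

public class Sim { public int Id { get; set; } public int OrganizationId { get; set; } }
public interface ISimRepository { Task<Sim> FindAsync(int id); } // assumed data-access abstraction

// Requirement: the caller must be a super admin or belong to the SIM's organization.
public class SameOrganizationRequirement : IAuthorizationRequirement { }

// Resource-based handler, evaluated against the specific Sim being requested.
public class SameOrganizationHandler : AuthorizationHandler<SameOrganizationRequirement, Sim>
{
    protected override Task HandleRequirementAsync(
        AuthorizationHandlerContext context, SameOrganizationRequirement requirement, Sim sim)
    {
        // "user_type" and "organization_id" are assumed claim names, issued at login
        // (for example into the JWT) as the answer describes.
        var userType = context.User.FindFirst("user_type")?.Value;
        var orgClaim = context.User.FindFirst("organization_id")?.Value;
        if (userType == "SuperAdmin"
            || (int.TryParse(orgClaim, out var orgId) && orgId == sim.OrganizationId))
            context.Succeed(requirement);
        // Without a Succeed() call the requirement is unmet and AuthorizeAsync reports failure.
        return Task.CompletedTask;
    }
}

[ApiController]
[Route("api/[controller]")]
[Authorize] // unauthenticated callers get 401 before the action runs
public class SimsController : ControllerBase
{
    private readonly IAuthorizationService _authorization;
    private readonly ISimRepository _sims;
    public SimsController(IAuthorizationService authorization, ISimRepository sims)
        => (_authorization, _sims) = (authorization, sims);

    [HttpGet("{id}")]
    public async Task<IActionResult> Get(int id)
    {
        var sim = await _sims.FindAsync(id);
        if (sim == null) return NotFound();
        var result = await _authorization.AuthorizeAsync(User, sim, new SameOrganizationRequirement());
        if (!result.Succeeded) return Forbid(); // 403: authenticated but not allowed
        return Ok(sim);
    }
}
// Startup.ConfigureServices: services.AddSingleton<IAuthorizationHandler, SameOrganizationHandler>();
```

Because the handler receives the loaded Sim, the organization comparison uses the stored value rather than anything supplied by the client, and the same requirement can be reused for update and delete actions on the same resource.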