As Azman is now on its way out of support, we need to find a new way of configuring the access control for our applications.
Currently, in Azman, we have a list of "Operations", e.g. CanReadForm, CanEditForm. These operations can be mapped to one or more roles, so you can build up a set of "things a role can do". Users generally are assigned a single role and so they have a list of operations, or "things a user can do".
This worked well because on logging in, Azman would know what role they had, and pass a list of operations. The code could then be configured for example:
if (currentUser.HasOperation("CanEditForm"))
{
    // allow editing of the form
}
For ADFS I'm struggling to understand how we can have a list of operations that we can map to a role. Presumably you could have a list of claims that could be like Azman operations, but these only map to a user - right? Can you map a list of claims to an Active Directory group, for example? If you could, then the Active Directory group would act as the "role". If so, would you need to create a new claim list for each AD group?
Can anyone offer any advice?
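One way to keep the Azman-style operation checks on top of ADFS claims, as an added illustration that is not code from the original post or any reply: ADFS sends AD group membership as role claims, and the application keeps its own role-to-operation table, so the token carries only roles and no per-group "claim list" is needed. The role names, operation names and the constructed principal are assumptions for the example.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Claims;

// Hypothetical role and operation names, mirroring the Azman setup in the question.
public static class OperationMap
{
    // Role -> operations, held by the application (or its config), not in the token.
    private static readonly Dictionary<string, HashSet<string>> RoleOperations =
        new Dictionary<string, HashSet<string>>(StringComparer.OrdinalIgnoreCase)
        {
            ["FormReaders"] = new HashSet<string> { "CanReadForm" },
            ["FormEditors"] = new HashSet<string> { "CanReadForm", "CanEditForm" },
        };

    // Union of the operations granted by every role claim ADFS issued for this user
    // (e.g. AD groups passed through with a "send group membership as role" rule).
    public static ISet<string> OperationsFor(ClaimsPrincipal user)
    {
        var ops = new HashSet<string>(StringComparer.OrdinalIgnoreCase);
        foreach (var role in user.FindAll(ClaimTypes.Role).Select(c => c.Value))
        {
            if (RoleOperations.TryGetValue(role, out var roleOps))
                ops.UnionWith(roleOps);
        }
        return ops;
    }

    // Same call shape as the Azman check in the question.
    public static bool HasOperation(this ClaimsPrincipal user, string operation)
        => OperationsFor(user).Contains(operation);
}

public static class Demo
{
    public static void Main()
    {
        // Constructed principal standing in for one built from an ADFS token.
        var identity = new ClaimsIdentity(new[]
        {
            new Claim(ClaimTypes.Name, "alice"),
            new Claim(ClaimTypes.Role, "FormReaders"),
        }, "Federation");
        var currentUser = new ClaimsPrincipal(identity);

        Console.WriteLine("CanReadForm: " + currentUser.HasOperation("CanReadForm"));
        Console.WriteLine("CanEditForm: " + currentUser.HasOperation("CanEditForm"));
    }
}
```

Because the mapping lives in the application, changing what a role may do does not require touching the ADFS claim rules, only the table.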
Azman doesn't really translate to claims-based authentication but here is my take:
Claims: Azman in the new claims-based world.
It works but it's not as "clean".