Perhaps I've misunderstood the concept of Roles in ASP.NET Identity and the database model, but I'm struggling to wrap my head around how to implement the following scenario: With ASP.NET Identity, it seems a User has permissions globally based on a Role, as opposed to permissions on a more granular level. I'm trying to implement a DB Schema in EF6 with Code-First where a User can be a member of several Groups. Instead of having a global Role however, I want the User to have one role in one Group, and a different Role in another.
For example, a User can create a Group, and therefore be the Group Admin, but could also be a Teacher in the Group and therefore be able to contribute Content. The same User could also be a Student in a different Group, and have different permissions in that Group as a result. Users can perform multiple Roles in a given Group, and their permissions should be based on their Role(s) within that Group.
From what I can see this isn't the intended structure for ASP.NET Identity, as I can't see how to limit the scope of a specific Role to a Group. Also, ideally I'd like to be able to assign a User to a Group, and then assign a Group of Users to another group, so for example I have a Group of Users and I assign that Group to a specific Role within another Group.
What I have in mind is a Membership table that has UserId, GroupId and RoleId to deal with mapping the Roles to specific Groups, but how would I extend that to have Roles inherited from Groups, and would I be able to leverage ASP.NET Identity to help me manage these Roles or do I have to cook my own solution up from scratch?
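One way to lay out the Membership table described above, as an added EF6 code-first example that is not from the question or from ASP.NET Identity; the class and member names (Membership, MemberGroupId, GroupRole, HasRoleInGroup) are my own assumptions. The check is scoped to a single group, so holding a role in one group never grants it in another, and a group that is itself a member of another group passes its role on to its users.

```csharp
using System.Collections.Generic;
using System.Data.Entity;
using System.Linq;

// Hypothetical model (added example). Roles are scoped per group via Membership rows.
public class Group { public int Id { get; set; } public string Name { get; set; } }
public class GroupRole { public int Id { get; set; } public string Name { get; set; } } // "Admin", "Teacher", ...

// One row per (member, group, role). The member is either a user (UserId set)
// or another group (MemberGroupId set), so a whole group can hold a role in another group.
public class Membership
{
    public int Id { get; set; }
    public string UserId { get; set; }        // ASP.NET Identity user key, null for group members
    public int? MemberGroupId { get; set; }   // set when the member is a group
    public int GroupId { get; set; }          // the group the role applies in
    public int RoleId { get; set; }
}

public class AppDbContext : DbContext
{
    public DbSet<Group> Groups { get; set; }
    public DbSet<GroupRole> GroupRoles { get; set; }
    public DbSet<Membership> Memberships { get; set; }
}

public static class GroupAuthorization
{
    // Every group the user belongs to, directly or through nested groups; the
    // visited set stops infinite loops if two groups are members of each other.
    static int[] GroupsContaining(AppDbContext db, string userId)
    {
        var seen = new HashSet<int>(db.Memberships.Where(m => m.UserId == userId).Select(m => m.GroupId));
        var frontier = new Queue<int>(seen);
        while (frontier.Count > 0)
        {
            int g = frontier.Dequeue();
            foreach (var parent in db.Memberships.Where(m => m.MemberGroupId == g).Select(m => m.GroupId).ToList())
                if (seen.Add(parent)) frontier.Enqueue(parent);
        }
        return seen.ToArray();
    }

    // True only if the user (or a group containing the user) holds the named role in THIS group.
    public static bool HasRoleInGroup(AppDbContext db, string userId, int groupId, string role)
    {
        int[] roleIds = db.GroupRoles.Where(r => r.Name == role).Select(r => r.Id).ToArray();
        int[] memberGroups = GroupsContaining(db, userId);
        return db.Memberships.Any(m => m.GroupId == groupId && roleIds.Contains(m.RoleId)
            && (m.UserId == userId
                || (m.MemberGroupId.HasValue && memberGroups.Contains(m.MemberGroupId.Value))));
    }
}
```

A controller action would call `HasRoleInGroup(db, User.Identity.GetUserId(), groupId, "Teacher")` instead of the global `[Authorize(Roles = ...)]`, which is what keeps the permission tied to the group rather than the user as a whole.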
Take a look at this if you haven't already found it and you're working with MVC.
I've been working on the same issue as you recently. This covers a lot of the requirements but there is a gap - ASP.NET Identity doesn't differentiate between authorization and authentication. In all cases, a user that does not have the required permission gets sent to the login screen. That's fine if they're not logged in, but not if they are logged in and trying to access something that they have no permission for. That is probably addressed here, but I haven't had time to test it yet.