Understand AuthorizationPolicy and AuthorizedRole

Hey all,

OK, so as not to hijack Adminmode based on New-UDAuthorizationPolicy? any more than needed.

Doesn't AuthorizationPolicy assign a role with the name to the person that meets the condition?

Well, I only use the “New-UDAuthorizationPolicy” and control access with “New-UDPage -AuthorizedRole 'AuthorizationPolicyName'”.

If this should not work, how do I assign roles?
I can't use the listed examples here: https://docs.universaldashboard.io/security/authorization/role-based
as they use form login. (I am using ADFS claims.)

How do I assign a role by using New-UDAuthorizationPolicy? Is it just to use that “New-UDAuthenticationResult”?

It just seems conflicting with each other (Policy and Role). Why the confusion and separation?
@adam

EDIT:
Okay, I can see that New-UDPage has both AuthorizedRole and AuthorizationPolicy. I was pretty sure I had tested it :slight_smile: I guess not, or I got it all mixed together just like here :slight_smile:
So I do need to use that AuthorizationPolicy for policies, and the Role if used with form-based.

But I still don't understand why the differences? Why not just have one type?
I would say that a Policy assigns roles, and Roles are then used instead of policies in the code going forward.

I’d be fine deprecating roles since they don’t work for all types of authentication. Roles are only used for forms auth. But yeah, the policies are really just assigning a “role” to the user. Not in the sense that they actually end up with a Role but that you are checking some conditions and then they have this status of “Authorized Policy” on them. That said they aren’t mixing with the existing role stuff. So if you have a user that passes a policy, nothing is happening with their Role and the AuthorizedRole parameter of pages is not evaluating based on that policy.

I’d be curious to hear if anyone is actually using roles.

Effectively the change would be to completely remove all “Role” stuff and you would just use AuthorizationPolicies going forward.

The reason for both is mostly historical. Role-based access came along with Forms authentication when that was the only way to authenticate against UD. When other authentication methods were added, so was claims-based authentication (authorization policies). So now we have 2 ways of doing this and Roles is redundant and not as useful.

New-UDAuthorizationPolicy + AuthorizedPolicy everywhere.

Thanks for clearing that up :slight_smile:
I would also vote for the form-based login to be changed to use the AuthorizationPolicy. :slight_smile:

Cool. I’ll file an issue for this. I’ll start with a warning in the next minor version (2.9) and then we can totally remove it for the next major version (3.0).
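
The policy-versus-role distinction discussed in this thread, as an added example that is not code from any of the posters or from the Universal Dashboard project. It assumes Universal Dashboard 2.x and that `$AuthenticationMethod` already holds your ADFS authentication method; the group claim value, page names and port are constructed for illustration.

```powershell
# Added example (not from the thread). Assumes Universal Dashboard 2.x is imported.
# Assumption: $AuthenticationMethod is your existing ADFS authentication method
# (created with New-UDAuthenticationMethod; its parameters are not shown here).
if (-not $AuthenticationMethod) {
    throw 'Define $AuthenticationMethod for ADFS before building the login page.'
}

# The endpoint receives the signed-in ClaimsPrincipal and must return a boolean.
# Literals are used inside the block because it runs in its own runspace.
# Constructed values: replace the claim type/value with what your ADFS actually issues.
$AdminPolicy = New-UDAuthorizationPolicy -Name 'Admins' -Endpoint {
    param($User)
    # Deny by default: anything that is not an explicit match evaluates to $false.
    [bool]$User.HasClaim('http://schemas.xmlsoap.org/claims/Group', 'CONTOSO\UD-Admins')
}

# Policies are registered on the login page so they are evaluated at sign-in.
$LoginPage = New-UDLoginPage -AuthenticationMethod @($AuthenticationMethod) `
                             -AuthorizationPolicy @($AdminPolicy)

# Open to every authenticated user.
$HomePage = New-UDPage -Name 'Home' -Content {
    New-UDHeading -Text 'Home' -Size 3
}

# Gated by the policy NAME. With claims-based sign-in, use -AuthorizationPolicy.
# -AuthorizedRole 'Admins' would not work here: as explained in the thread,
# passing a policy does not give the user a Role, and AuthorizedRole is not
# evaluated against policies.
$AdminPage = New-UDPage -Name 'Admin' -AuthorizationPolicy 'Admins' -Content {
    New-UDHeading -Text 'Admin area' -Size 3
}

$Dashboard = New-UDDashboard -Title 'Policy demo' -Pages @($HomePage, $AdminPage) `
                             -LoginPage $LoginPage

Start-UDDashboard -Dashboard $Dashboard -Port 10000
```

After deploying, sign in with an account that lacks the group claim and confirm the Admin page is not reachable, both from the navigation and by direct URL.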