Adding Roles to the API - A TimCo Retail Manager Video 

Glad it was helpful!

I am glad it was helpful.

Glad it was helpful!

Glad it helped!

Glad you enjoyed it!

Thank you!

I can add that to the suggestion list. Thanks!

Thanks for the input.

@@IAmTimCorey I agree, would love to see a better solution without all the magic strings, I see loads of typos happening...

Also would really like it, if we would use blazor for that.

That suggestion is on the list. I'm considering where to put it. Thanks!

You are welcome.

You can remove these strings but I typically find that it isn't necessary if you are doing your permissions correctly. Roles should be rather big categories, not really specific. For those you want to take what you already know and dial it in even further (so identify which users can write and then do a check for that rather than creating a role for that).

The RoleID, UserID, and other items in the security database come from the Microsoft Identity system. That is how they are designed. Changing from a GUID to an int would require overriding how that entire system works, and I don't want to get into that.

Thanks for the vote. As for creating a reusable component, it already is. The part that isn't reusable is what changes per project.

@@IAmTimCorey Thank you for your reply. Oh, I didn't know that. Always learning something new from you (^_^)v

I haven't covered the differences but I will add that to the suggestion list.

Nice work catching up.

Two reasons - first, I like separating my security from my data. That allows me to be more granular with my database permissions. Second, I prefer not to use EF, especially not in production. It takes a lot to get right. I prefer to dial things in more closely with Dapper/SSDT so that I have the best possible performance.

Thanks!

Thank you!

Probably. I shortcut these a lot because of being on video.

Claims can be more granular but I don't think we need that complexity here. Roles are a great way to go to keep things simple and easy to manage.

You will see an update for that this week in the .NET Core upgrade. We will clean it up a bit but it is the start of what you are asking for.

That comes from ASP.NET. There might be a way to add something for authorization into WinForms directly, but I've not done it. Your best bet would be to do like we are doing and add an API in the middle and handle the authorization there.

@@IAmTimCorey ok. Thanks

The new .NET Core templates allow you to choose SQLite as your database as an alternative to SQL Server so yes, you can do that. However, I would caution you on the pricing issue. If a company does not have $5/month to spend on data, they don't really have the money to have data. Just because SQLite is free doesn't mean it is truly free. You now need to make sure you are doing regular backups and maintenance on it. You also need to make sure you update the SQLite version whenever a security fix comes out. Basically, you should be doing a few hours of "extra" work each month in exchange for using the "free" SQLite. Using SQL hosted by Microsoft offloads a lot of that work onto Microsoft. You are paying $5/month for better redundancy, better server security, and better maintenance. Just ignoring all of that work with your SQLite database is an option but then you are risking your company's data. That's a pretty big factor in data breaches and in catastrophic issues at companies - they ignored the regular maintenance of their data.

There is also Still SQL Server on Premise, but you pay a yearly license Fee I think. MS May be trying to Phase this out Soon though.

It is in the WebApiConfig.cs file (actually MapHttpAttributeRoutes).

I assume you mean Entity Framework. That is what the Identity server uses Entity Framework and that is what I am using. We do more Entity Framework specific work later on in the series.

@@IAmTimCorey Oh I am sorry! I meant " if we are NOT using Entity Framework?" I love the way asp.net identity lets you neatly manage role based authorizations by just adding an annotation at the top of your controller method. But what if you are not using entity framework? What if you are using ADO.NET with ASP.NET Core API? How do you manage Role Based Authorization? I am thinking may be a CustomActionFilter could do the trick?

Sure, I have a few. Start with this one though: ru-vid.com/video/%D0%B2%D0%B8%D0%B4%D0%B5%D0%BE-Et2khGnrIqc.html

I don't have a total in mind. I plan on continuing to grow and morph this project. There may be a time when we start over but I doubt it. The goal here is to create a real-world simulation of a business application. When you get hired into a job, you usually start working on an existing, complex system. That's hard to find tutorials on. This application is that tutorial. You can practice starting in the middle and getting up to speed.

Authorize is built into C#. It isn't something I built.

@@IAmTimCorey ok. Thank you

You can't use the Microsoft authentication system with MongoDB.

@@IAmTimCorey Q) Is the MS Authentication system only available in EF? If not what else?

In theory, you can rip out the EF and use your own data access. In practice, it is a paid to do and not worth the effort.