...

With the CoreOne Authentication Service, permissions are represented as role_claims. Those role_claims are a simple text representation of something the relying party will understand. A simple example is a role_claim with the content “Administrator”, which indicates to the relying party that the current user is an “Administrator”. Those role_claims can be created within the CoreOne Suite Admin UI and simply follow the requirements of the relying party.

The CoreOne Suite also allows for context-aware resource assignments / permissions. This means that, in addition to simply being in possession of a permission like a role_claim, the possession can have a context. The context itself can be various things, for example: I possess this permission for another user, or in the context of an organization or company.

...

Permissions without a context are simply published in the token's roles claim by default. Permissions with a context can be requested by requesting the roles_with_context scope.

roles_with_context

Whenever you request the roles_with_context scope, the token will be extended with the corresponding data claim. Instead of a simple string array, each entry is a JSON object serialized as a string (the inner quotes are therefore escaped), as shown below:

Code Block
 "roles_with_context": [
      "{ \"Role\": \"Read Tax\", \"Context\": [ { \"ContextObjectType\": \"User\", \"ContextObjectIdentifier\": \"3\" } ] }",
      "{ \"Role\": \"Read Tax\", \"Context\": [ { \"ContextObjectType\": \"Organizational Unit\", \"ContextObjectIdentifier\": \"7\" } ] }"
  ]
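Added example (not part of the original page or the CoreOne product) showing how a relying party could parse the roles_with_context claim and answer "does this token grant role R in context C?" while failing closed on malformed entries. The claim values are constructed samples; token signature, issuer and audience validation are assumed to have happened before this code runs, and the rule that an entry matches only when all of its context objects are present in the requested context is an assumption.

```python
import json
from dataclasses import dataclass

# Constructed sample claims, as a relying party sees them after token validation.
SAMPLE_CLAIMS = {
    "sub": "alice",
    "roles": ["Administrator"],
    "roles_with_context": [
        "{ \"Role\": \"Read Tax\", \"Context\": [ { \"ContextObjectType\": \"User\", \"ContextObjectIdentifier\": \"3\" } ] }",
        "{ \"Role\": \"Read Tax\", \"Context\": [ { \"ContextObjectType\": \"Organizational Unit\", \"ContextObjectIdentifier\": \"7\" } ] }",
    ],
}


@dataclass(frozen=True)
class ContextualRole:
    role: str
    contexts: frozenset  # set of (ContextObjectType, ContextObjectIdentifier) tuples


def parse_roles_with_context(claims):
    """Turn every roles_with_context entry (a JSON document stored as a string)
    into a ContextualRole. Entries that cannot be interpreted are skipped, so a
    malformed value never becomes a permission."""
    parsed = []
    for raw in claims.get("roles_with_context", []):
        try:
            obj = json.loads(raw)
            role = obj["Role"]
            if not isinstance(role, str):
                raise TypeError("Role must be a string")
            contexts = frozenset(
                (c["ContextObjectType"], c["ContextObjectIdentifier"])
                for c in obj["Context"]
            )
        except (ValueError, KeyError, TypeError):
            continue  # fail closed on anything unexpected
        parsed.append(ContextualRole(role, contexts))
    return parsed


def has_contextual_role(claims, role, context):
    """True if some roles_with_context entry grants `role` and all of that
    entry's context objects are contained in `context` (a set of
    (type, identifier) tuples). Assumption: partial context matches do not count."""
    required = frozenset(context)
    return any(
        entry.role == role and entry.contexts <= required
        for entry in parse_roles_with_context(claims)
    )
```

The plain roles claim ("Administrator" above) is deliberately not consulted here; whether a context-free role should also satisfy a contextual check is a policy decision for the relying party.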

...