I have a requirement to configure the user's authorization per module per screen per action. For example, one user should be able to Create/Save WorkOrders in WorkOrder Module, but another user should only able to View/Delete WorkOrders. Similarly, a third user should only be able to View WorkOrders. This is an example of one screen. Now there are many screens in the application. Let's keep the actions same for all i.e. View, New, Update, Delete.
There is a reports module also, in which the user will create reports on the fly and add it into the application. So authorization is required here too. For example, a user can View/Print WorkOrder reports. But another user can only view reports. Let's keep the actions in reports only View & Print.
I am not sure Asp.Net Core built-in authorization is capable of this or not. What I have looked so far, it is not possible. Please correct me if I am wrong.
Now question is, how should I do this? I had a similar kind of requirement in a previously built application where I used database tables to store rights against each user and each screen. And upon log-in, I used to fetch that data, and then while loading the web page; I used to show or hide the relevant buttons & menus based on user's rights. But here in Asp.Net Razor Pages, the action method matters (If I'm not wrong), and certain functionality can be accessed via route. I am looking for some attribute-based solution.
I found this link with more or less above mentioned implementation using database tables and route URL to determine action name. So the URLs are saved in the database and on runtime they are checked and matched with the current URL and the user is authenticated.
Another link here, where the developer has used attribute-based filtering on action methods. But URL Routes are not being saved in the database or anywhere.
Are these the only & best solution to my problem? I have no problem implementing them, they look logical. But I just want to use the best available approach. Can anyone assist me with any other more suitable approach?