Open ptsneves opened 4 years ago
What kind of information would you want to get here? We can provide the names and a list of the IAuthorizationRequirement instances but those have no descriptive metadata associated with them.
Can you provide an example of what you'd want to do with this information? A code sample would be best, or a description of a specific use case (more detailed than just "administration dashboards", for example: what would those dashboards show?)
Hello @anurse
What I want is to take a user and check all the policies that he/she complies with. Imagine I only have a policy called "IsAdmin" registered. Also consider that I have 2 users, User1 and User2.
My dashboard would be
| Name | Complied Policies |
| --- | --- |
| User1 | IsAdmin |
| User2 | |
| UserN | .... |
That's not really something you can do with the Auth system though. @Tratcher and @HaoK can correct me if I'm wrong but in order to evaluate a requirement you have to have an authenticated user. You can't just take a list of users from a database or other source and test policies against them. You need a fully-authenticated ClaimsPrincipal.
AuthZ is pretty decoupled, it should be possible to run specific policies against users enumerated from the database. Enumerating those users in a form that AuthZ would recognize might take a bit of work, but the information is all there in the Identity database. @HaoK would know better how to go about it.
We don't have any built-in way to enumerate all the policies, but that is something you could probably add yourself. You could use UserManager.Users to iterate over all the users and call IUserClaimsPrincipalFactory.CreateAsync(user) to get the ClaimsPrincipal and then call IAuthorizationService.AuthorizeAsync against every policy.
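The loop described in the comment above, written out as an added example (not code from this thread or from ASP.NET Core itself). The class name `PolicyComplianceReport` and the `policyNames` list are hypothetical; the list is assumed to be kept by the application, since the thread notes that registered policies cannot be enumerated.

```csharp
using System.Collections.Generic;
using System.Linq;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Identity;

// Hypothetical service: reports which named policies each Identity user satisfies.
public class PolicyComplianceReport<TUser> where TUser : class
{
    private readonly UserManager<TUser> _users;
    private readonly IUserClaimsPrincipalFactory<TUser> _principalFactory;
    private readonly IAuthorizationService _authorization;
    // Assumption: the same names the app passes to AddPolicy, kept in its own list.
    private readonly IReadOnlyList<string> _policyNames;

    public PolicyComplianceReport(
        UserManager<TUser> users,
        IUserClaimsPrincipalFactory<TUser> principalFactory,
        IAuthorizationService authorization,
        IReadOnlyList<string> policyNames)
    {
        _users = users;
        _principalFactory = principalFactory;
        _authorization = authorization;
        _policyNames = policyNames;
    }

    public async Task<Dictionary<string, List<string>>> BuildAsync()
    {
        var report = new Dictionary<string, List<string>>();
        // Materialize the user list first so the query is finished
        // before the per-user store calls below.
        foreach (var user in _users.Users.ToList())
        {
            // Builds the principal from stored claims and roles, without a sign-in.
            ClaimsPrincipal principal = await _principalFactory.CreateAsync(user);
            var satisfied = new List<string>();
            foreach (var policy in _policyNames)
            {
                // This overload passes a null resource, so handlers that expect
                // a resource or request data have nothing to inspect here.
                var result = await _authorization.AuthorizeAsync(principal, policy);
                if (result.Succeeded) satisfied.Add(policy);
            }
            report[await _users.GetUserIdAsync(user)] = satisfied;
        }
        return report;
    }
}
```

The result maps each user id to the policies that succeeded, which is the shape of the dashboard table above. Policies whose handlers depend on the current request or a specific resource cannot be judged reliably this way.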
@HaoK So I still need a way to enumerate/query the list of all available policies. Am I correct in this analysis? If so, @anurse, does this mean my issue got a bit more legitimate, and the removal of the private or the addition of an accessor seems a viable way?
Grateful for the support ptsneves
The request was certainly always legitimate :). Just trying to understand prioritization. Making any API public is costly (as it has a high support burden for the future because we can't break/change it) so it's important to understand the specific usefulness of the change so we can use that to evaluate the priority.
Due to the dictionary of policies being private there is currently no way to get all the available policies. Getting all the available policies is very useful when building Administration dashboards where you want to control and check what permissions a given user has.
Multiple users seem to have the same requirement.