# Claims

Security Model claims should consist of a singular noun, separated by a space-offset hyphen from a base-form verb. The noun is the entity on which permission is being granted, and the verb is the action being granted on that entity. Both words are capitalized, with no ending punctuation:

Noun - Verb

A simple example is:

Bank - View

This authorizes the caller to retrieve and view bank objects.

# Verbiage

For CRUD operations, the verbs Create, View, Update, and Delete are recommended. More specific operations may necessitate more specific verbs.

A detailed description is encouraged to further clarify and contextualize the meaning of a claim name:

```
claim: "Request - Approve",
description: "Allow approval of pending requests."
```

# Scope

Claims should be scoped to one action on one entity.

A claim that allows multiple actions, such as creating and deleting an entity (Bank - Administrate), is discouraged. Permissions should instead be grouped through roles.

# Examples

Do:

```
Invoice - Create
Employee - Terminate
PTO - Approve
```

Don't:

```
Can Create Invoices
Create - Invoice
Employee Termination
Manage PTO
```
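The conventions above can be enforced mechanically, for instance in a test over a security model's claim list. The following validator is an added example, not part of this guide; the set of broad verbs it rejects and its singular/base-form heuristics are assumptions chosen to match the examples on this page.

```python
import re
from typing import List

# Verbs the guide recommends for CRUD operations. A claim whose first word is
# one of these most likely has noun and verb reversed ("Create - Invoice").
CRUD_VERBS = {"Create", "View", "Update", "Delete"}

# Assumption: verbs that bundle several actions and so violate the one-action
# scope rule ("Bank - Administrate", "Manage PTO"). Extend as needed.
BROAD_VERBS = {"Administrate", "Administer", "Manage"}

# One capitalised word, letters only; all-caps acronyms such as PTO are fine.
WORD = re.compile(r"^[A-Z][A-Za-z]*$")


def validate_claim(claim: str) -> List[str]:
    """Return convention violations for a claim name; an empty list means it is acceptable."""
    issues: List[str] = []
    if claim != claim.strip():
        issues.append("leading or trailing whitespace")
    parts = claim.strip().split(" - ")
    if len(parts) != 2:
        # Covers "Can Create Invoices", "Employee Termination", "Manage PTO".
        issues.append("expected exactly one space-offset hyphen: 'Noun - Verb'")
        return issues
    noun, verb = parts
    for label, token in (("noun", noun), ("verb", verb)):
        if not WORD.match(token):
            issues.append(f"{label} must be one capitalised word with no punctuation: {token!r}")
    if noun in CRUD_VERBS:
        issues.append("noun and verb appear reversed; the entity comes first")
    if verb in BROAD_VERBS:
        issues.append(f"{verb!r} authorizes multiple actions; group permissions through roles instead")
    # Heuristic (assumption): a lowercase trailing 's' suggests a plural noun.
    if re.search(r"[a-z]s$", noun):
        issues.append(f"noun should be singular: {noun!r}")
    # Heuristic (assumption): "-ing"/"-ion" endings are not base-form verbs.
    if verb.endswith(("ing", "ion")):
        issues.append(f"verb should be in base form: {verb!r}")
    return issues
```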

# Motivations

  • Grouping of claims by entity when alphabetical order is applied.
  • Avoidance of redundant verbiage (like starting every claim with "can").
  • Avoidance of claims that authorize multiple actions, which would diminish the ability to set granular permissions.
  • Concise and intuitive naming.