I understand Role Based Security. I have read about Policy Based. I have read what others call Activity Based.
I see the difference between Role and Activity based. And my goal is to not have groups hard-coded in a method like Admin, SuperAdmin, SuperSuperAdmin, etc.
I think, but am not sure, that Policy Based does what I want, but I cannot understand how. How are these three different?
If I use the Under21 example for Policy Based I have seen many times on various blogs, I have:
[Authorize(Policy = "AtLeast21")]
How is this different from:
[Authorize(Roles = "SuperAdministrator, ChannelAdministrator")]
public class ChannelAdministrationController : Controller { }
And Activity Based (is this Context Based?) is different but appears more "semantically" accurate. You have an UpdateUser Activity, and it is probably not likely you'd have a SuperUpdateUser Activity. But with policies, it seems you could have the same as multiple roles. I know there can be many Claims used in authentication and authorization, but all I can think of is that there might be a better name than Over21 for my policy, and to create a role that my Claim needs. But somewhere in the back, I have to create those activities and roles and users. Even Role Based has policies I can use in .NET Core Middleware, so I am confused.
Edit: For example, I could just as easily require an additional policy,
[Authorize(Policy = "AtLeast21", "ExceptInTenneseeWithParent", "ExceptInChurch")]
Edit: Is this my answer (from the MS page)?
services.AddAuthorization(options =>
{
    options.AddPolicy("BadgeEntry", policy =>
        policy.RequireAssertion(context =>
            context.User.HasClaim(c =>
                (c.Type == ClaimTypes.BadgeId || c.Type == ClaimTypes.TemporaryBadgeId)
                && c.Issuer == "https://microsoftsecurity")));
});
I am back to hardcoding requirements again.
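As an added example, not code from the question or from Microsoft's documentation: an activity-based setup built on ASP.NET Core's policy pipeline, where each activity is registered as a policy backed by one requirement handler that checks a "permission" claim instead of a role name. The claim type "permission", the activity list and the Register helper are assumptions made for the example.

```csharp
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.DependencyInjection;

// An activity is a requirement: the code names what is being done, not who may do it.
public class ActivityRequirement : IAuthorizationRequirement
{
    public string Activity { get; }
    public ActivityRequirement(string activity) => Activity = activity;
}

// Succeeds when the principal carries a "permission" claim for the activity. Which
// users or roles receive that claim is decided where claims are issued (sign-in,
// claims transformation, a database lookup), so no role names appear in this code.
public class ActivityHandler : AuthorizationHandler<ActivityRequirement>
{
    protected override Task HandleRequirementAsync(
        AuthorizationHandlerContext context, ActivityRequirement requirement)
    {
        if (context.User.HasClaim("permission", requirement.Activity))
            context.Succeed(requirement);
        return Task.CompletedTask;
    }
}

public static class ActivityPolicies
{
    // Constructed activity catalogue; a real app would load it from configuration or a store.
    public static readonly string[] Activities = { "UpdateUser", "DeleteUser", "ViewChannel" };

    // Hypothetical helper: one policy per activity, all backed by the same handler.
    public static void Register(IServiceCollection services)
    {
        services.AddAuthorization(options =>
        {
            foreach (var activity in Activities)
                options.AddPolicy(activity,
                    p => p.Requirements.Add(new ActivityRequirement(activity)));
        });
        services.AddSingleton<IAuthorizationHandler, ActivityHandler>();
    }
}

// The controller asks for the activity only; role membership lives with the claim issuer.
public class UsersController : Controller
{
    [Authorize(Policy = "UpdateUser")]
    public IActionResult Update(int id) => Ok();
}
```

Call ActivityPolicies.Register(services) from ConfigureServices; the remaining "hard-coding" is the activity catalogue itself, which has moved out of controller attributes into data you can manage, while the mapping of users and roles to permission claims stays entirely in the claim-issuing layer.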