dotnet-api-docs/xml/System.Security.Claims/ClaimsAuthorizationManager.xml at inline-code-security-threading-runtime-reflection · gewarren/dotnet-api-docs · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
<Type Name="ClaimsAuthorizationManager" FullName="System.Security.Claims.ClaimsAuthorizationManager">
  <TypeSignature Language="C#" Value="public class ClaimsAuthorizationManager : System.IdentityModel.Configuration.ICustomIdentityConfiguration" />
  <TypeSignature Language="ILAsm" Value=".class public auto ansi beforefieldinit ClaimsAuthorizationManager extends System.Object implements class System.IdentityModel.Configuration.ICustomIdentityConfiguration" />
  <TypeSignature Language="DocId" Value="T:System.Security.Claims.ClaimsAuthorizationManager" />
  <TypeSignature Language="VB.NET" Value="Public Class ClaimsAuthorizationManager&#xA;Implements ICustomIdentityConfiguration" />
  <TypeSignature Language="F#" Value="type ClaimsAuthorizationManager = class&#xA;    interface ICustomIdentityConfiguration" />
  <TypeSignature Language="C++ CLI" Value="public ref class ClaimsAuthorizationManager : System::IdentityModel::Configuration::ICustomIdentityConfiguration" />
  <AssemblyInfo>
    <AssemblyName>System.IdentityModel</AssemblyName>
    <AssemblyVersion>4.0.0.0</AssemblyVersion>
  </AssemblyInfo>
  <Base>
    <BaseTypeName>System.Object</BaseTypeName>
  </Base>
  <Interfaces>
    <Interface>
      <InterfaceName>System.IdentityModel.Configuration.ICustomIdentityConfiguration</InterfaceName>
    </Interface>
  </Interfaces>
  <Docs>
    <summary>Defines the base implementation for a claims authorization manager.</summary>
    <remarks>
      <format type="text/markdown"><![CDATA[

## Remarks
 The <xref:System.Security.Claims.ClaimsAuthorizationManager> class provides the base implementation for a claims authorization manager. A claims authorization manager can be used in the following two scenarios:

-   In web-based applications and services, a claims authorization manager  can be added to the processing pipeline to provide an extensibility point from which you can authorize access to a resource according to the value of incoming claims before the application code that actually implements the requested resource is called.

-   When you use the <xref:System.IdentityModel.Services.ClaimsPrincipalPermission> class or the <xref:System.IdentityModel.Services.ClaimsPrincipalPermissionAttribute> class to perform either imperative or declarative claims-based access checks in your code, the claims authorization manager that is configured for your application is called by the system to perform the check. Claims-based access checks can be performed in both web-based applications and desktop applications.

 The default implementation provided by the <xref:System.Security.Claims.ClaimsAuthorizationManager> class authorizes access for each claim presented; however, you can derive from this class and override the <xref:System.Security.Claims.ClaimsAuthorizationManager.CheckAccess%2A> method to provide your own authorization logic.

 The use of a claims authorization manager is optional. You can configure your application to use a claims authorization manager either programmatically by using the <xref:System.IdentityModel.Configuration.IdentityConfiguration> class or declaratively, by specifying the [&lt;claimsAuthorizationManager&gt;](/dotnet/framework/configure-apps/file-schema/windows-identity-foundation/claimsauthorizationmanager) element, which is a child element of the [&lt;identityConfiguration&gt;](/dotnet/framework/configure-apps/file-schema/windows-identity-foundation/identityconfiguration) element in your application configuration file. If your application is a web site or a web application hosted in Internet Information Services (IIS), you must also add the <xref:System.IdentityModel.Services.ClaimsAuthorizationModule> in the ASP.NET HTTP Modules collection.

> [!IMPORTANT]
>  When you use the <xref:System.IdentityModel.Services.ClaimsPrincipalPermission> class or the <xref:System.IdentityModel.Services.ClaimsPrincipalPermissionAttribute> class, the claims authorization manager that is used to perform the access check is the one that is specified in the identity configuration under the <xref:System.IdentityModel.Services.FederatedAuthentication.FederationConfiguration%2A?displayProperty=nameWithType> property. In a configuration file, it is the `<identityConfiguration>` section that is referenced from the default `<federationConfiguration>` element. This is true even for Windows Communication Foundation (WCF) services and desktop applications.

 The <xref:System.Security.Claims.ClaimsAuthorizationManager> base class does not take any additional configuration; however, you can override the <xref:System.Security.Claims.ClaimsAuthorizationManager.LoadCustomConfiguration%2A> in derived classes to provide initialization of your claims authorization manager from child elements of the `<claimsAuthorizationElement>`. The typical scenario is to use these child elements to specify authorization policies which determine which claim types and values are required in order to gain access to which resource. This is not a hard requirement, though you are free to define whatever usage and syntax make sense for your implementation.


## Examples
 The code examples that are used in the <xref:System.Security.Claims.ClaimsAuthorizationManager> topics are taken from the `Claims Based Authorization` sample. This sample provides a custom claims authorization manager that can authorize subjects based on a policy that is specified in configuration. The custom claims authorization manager consists of three basic components: a class derived from <xref:System.Security.Claims.ClaimsAuthorizationManager> that implements the manager, the `ResourceAction` class that pairs a resource and an action, and a policy reader that reads and compiles policy that is specified in the configuration file. This compiled policy can then be used by the claims authorization manager to evaluate a principal in order to authorize access to resources. Not all elements are shown for the sake of brevity. For information about this sample and other samples available for WIF and about where to download them, see [WIF Code Sample Index](/previous-versions/dotnet/framework/windows-identity-foundation/wif-code-sample-index).

 The following code shows the implementation of the custom claims authorization manager. The <xref:System.Security.Claims.ClaimsAuthorizationManager.LoadCustomConfiguration%2A> method reads and compiles the policy from configuration by using the policy reader helper class (not shown) and the <xref:System.Security.Claims.ClaimsAuthorizationManager.CheckAccess%2A> method grants or denies access based on this policy.

 :::code language="csharp" source="~/snippets/csharp/System.Security.Claims/AuthorizationContext/Overview/myclaimsauthorizationmanager.cs" id="Snippet2":::

 The following code shows the `ResourceAction` class used by the custom claims manager.

 :::code language="csharp" source="~/snippets/csharp/System.Security.Claims/AuthorizationContext/Overview/resourceaction.cs" id="Snippet1":::

 The following XML shows how to configure the claims authorization manager shown above for a web application hosted in IIS 7.5. Only the elements specific to the configuration of the claims authorization manager are shown. Note that a reference to the <xref:System.IdentityModel.Services.ClaimsAuthorizationModule> class must be added to the pipeline under the `<system.Webserver>` element. For sites and applications hosted in versions of IIS prior to IIS 7 the modules can be added to the pipeline under the `<system.Web>` element. This configuration is shown but commented out.

 The policy used by the claims authorization manager is specified by custom `<policy>` elements under the [&lt;claimsAuthorizationManager&gt;](/dotnet/framework/configure-apps/file-schema/windows-identity-foundation/claimsauthorizationmanager) element. In the first policy, the principal must possess one of the specified claims in order to perform the specified action on the specified resource. In the second policy, the principal must possess both claims to be able to perform the specified action on the specified resource. In all others, the principal is automatically granted access regardless of the claims it possesses.

```xml
<configuration>
  <configSections>
    <!--WIF 4.5 sections -->
    <section name="system.identityModel" type="System.IdentityModel.Configuration.SystemIdentityModelSection, System.IdentityModel, Version=4.0.0.0, Culture=neutral, PublicKeyToken=B77A5C561934E089"/>
    ...

  </configSections>

  ...

  <system.web>
    <httpModules>
      <!--WIF 4.5 modules -->
      <!--Not needed here for IIS >= 7 -->
      <!--<add name="ClaimsAuthorizationModule" type="System.IdentityModel.Services.ClaimsAuthorizationModule, System.IdentityModel.Services, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"/>-->
    </httpModules>
  </system.web>

  ...

  <system.webServer>
    <modules>
      <!--WIF 4.5 modules -->
      <add name="ClaimsAuthorizationModule" type="System.IdentityModel.Services.ClaimsAuthorizationModule, System.IdentityModel.Services, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"/>
    </modules>
  </system.webServer>

  ...

  <!-- WIF 4.5 s.im section-->
  <system.identityModel>
    <identityConfiguration>
      <claimsAuthorizationManager type="ClaimsAuthorizationLibrary.MyClaimsAuthorizationManager, ClaimsAuthorizationLibrary">
        <policy resource="http://localhost:28491/Developers.aspx" action="GET">
          <or>
            <claim claimType="http://schemas.microsoft.com/ws/2008/06/identity/claims/role" claimValue="developer" />
            <claim claimType="http://schemas.xmlsoap.org/claims/Group" claimValue="Administrator" />
          </or>
        </policy>
        <policy resource="http://localhost:28491/Administrators.aspx" action="GET">
          <and>
            <claim claimType="http://schemas.xmlsoap.org/claims/Group" claimValue="Administrator" />
            <claim claimType="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/country" claimValue="USA" />
          </and>
        </policy>
        <policy resource="http://localhost:28491/Default.aspx" action="GET">
        </policy>
        <policy resource="http://localhost:28491/" action="GET">
        </policy>
        <policy resource="http://localhost:28491/Claims.aspx" action="GET">
        </policy>
      </claimsAuthorizationManager>

      ...

    </identityConfiguration>
  </system.identityModel>
  ...

</configuration><configuration>
  <configSections>
    <!--WIF 4.5 sections -->
    <section name="system.identityModel" type="System.IdentityModel.Configuration.SystemIdentityModelSection, System.IdentityModel, Version=4.0.0.0, Culture=neutral, PublicKeyToken=B77A5C561934E089"/>
    ...

  </configSections>

  ...

  <system.web>
    <httpModules>
      <!--WIF 4.5 modules -->
      <!--Not needed here for IIS >= 7 -->
      <!--<add name="ClaimsAuthorizationModule" type="System.IdentityModel.Services.ClaimsAuthorizationModule, System.IdentityModel.Services, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"/>-->
    </httpModules>
  </system.web>

  ...

  <system.webServer>
    <modules>
      <!--WIF 4.5 modules -->
      <add name="ClaimsAuthorizationModule" type="System.IdentityModel.Services.ClaimsAuthorizationModule, System.IdentityModel.Services, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"/>
    </modules>
  </system.webServer>

  ...

  <!-- WIF 4.5 s.im section-->
  <system.identityModel>
    <identityConfiguration>
      <claimsAuthorizationManager type="MyClaimsAuthorizationManager.SimpleClaimsAuthorizationManager, MyClaimsAuthorizationManager" />
      ...

  </system.identityModel>
  ...

</configuration>
```

 ]]></format>
    </remarks>
  </Docs>
  <Members>
    <Member MemberName=".ctor">
      <MemberSignature Language="C#" Value="public ClaimsAuthorizationManager ();" />
      <MemberSignature Language="ILAsm" Value=".method public hidebysig specialname rtspecialname instance void .ctor() cil managed" />
      <MemberSignature Language="DocId" Value="M:System.Security.Claims.ClaimsAuthorizationManager.#ctor" />
      <MemberSignature Language="VB.NET" Value="Public Sub New ()" />
      <MemberSignature Language="C++ CLI" Value="public:&#xA; ClaimsAuthorizationManager();" />
      <MemberType>Constructor</MemberType>
      <AssemblyInfo>
        <AssemblyName>System.IdentityModel</AssemblyName>
        <AssemblyVersion>4.0.0.0</AssemblyVersion>
      </AssemblyInfo>
      <Parameters />
      <Docs>
        <summary>Initializes a new instance of the <see cref="T:System.Security.Claims.ClaimsAuthorizationManager" /> class.</summary>
        <remarks>To be added.</remarks>
      </Docs>
    </Member>
    <Member MemberName="CheckAccess">
      <MemberSignature Language="C#" Value="public virtual bool CheckAccess (System.Security.Claims.AuthorizationContext context);" />
      <MemberSignature Language="ILAsm" Value=".method public hidebysig newslot virtual instance bool CheckAccess(class System.Security.Claims.AuthorizationContext context) cil managed" />
      <MemberSignature Language="DocId" Value="M:System.Security.Claims.ClaimsAuthorizationManager.CheckAccess(System.Security.Claims.AuthorizationContext)" />
      <MemberSignature Language="VB.NET" Value="Public Overridable Function CheckAccess (context As AuthorizationContext) As Boolean" />
      <MemberSignature Language="F#" Value="abstract member CheckAccess : System.Security.Claims.AuthorizationContext -&gt; bool&#xA;override this.CheckAccess : System.Security.Claims.AuthorizationContext -&gt; bool" Usage="claimsAuthorizationManager.CheckAccess context" />
      <MemberSignature Language="C++ CLI" Value="public:&#xA; virtual bool CheckAccess(System::Security::Claims::AuthorizationContext ^ context);" />
      <MemberType>Method</MemberType>
      <AssemblyInfo>
        <AssemblyName>System.IdentityModel</AssemblyName>
        <AssemblyVersion>4.0.0.0</AssemblyVersion>
      </AssemblyInfo>
      <ReturnValue>
        <ReturnType>System.Boolean</ReturnType>
      </ReturnValue>
      <Parameters>
        <Parameter Name="context" Type="System.Security.Claims.AuthorizationContext" />
      </Parameters>
      <Docs>
        <param name="context">The authorization context that contains the subject, resource, and action for which authorization is to be checked.</param>
        <summary>When implemented in a derived class, checks authorization for the subject in the specified context to perform the specified action on the specified resource.</summary>
        <returns>
          <see langword="true" /> if the subject is authorized to perform the specified action on the specified resource; otherwise, <see langword="false" />.</returns>
        <remarks>
          <format type="text/markdown"><![CDATA[

## Remarks
 The base implementation always returns `true`, which authorizes access. You can override this method in a derived class to authorize access based on the requirements of your RP application. If this method returns `false`, Windows Identity Foundation (WIF) returns an unauthorized error to the caller; otherwise, execution is passed to the RP application.


## Examples
 The code examples that are used in the <xref:System.Security.Claims.ClaimsAuthorizationManager> topics are taken from the `Claims Based Authorization` sample. This sample provides a custom claims authorization manager that can authorize subjects based on a policy that is specified in configuration. The custom claims authorization manager consists of three basic components: a class derived from <xref:System.Security.Claims.ClaimsAuthorizationManager> that implements the manager, the `ResourceAction` class that pairs a resource and an action, and a policy reader that reads and compiles policy that is specified in the configuration file. This compiled policy can then be used by the claims authorization manager to evaluate a principal in order to authorize access to resources. Not all elements are shown for the sake of brevity. For information about this sample and other samples available for WIF and about where to download them, see [WIF Code Sample Index](/previous-versions/dotnet/framework/windows-identity-foundation/wif-code-sample-index).

 The following code shows the override of the <xref:System.Security.Claims.ClaimsAuthorizationManager.CheckAccess%2A> method. This method grants or denies access based on a policy read and compiled from the configuration file.

 :::code language="csharp" source="~/snippets/csharp/System.Security.Claims/AuthorizationContext/Overview/myclaimsauthorizationmanager.cs" id="Snippet3":::
:::code language="csharp" source="~/snippets/csharp/System.Security.Claims/AuthorizationContext/Overview/myclaimsauthorizationmanager.cs" id="Snippet5":::

 The following code shows the `ResourceAction` class used by the custom claims manager.

 :::code language="csharp" source="~/snippets/csharp/System.Security.Claims/AuthorizationContext/Overview/resourceaction.cs" id="Snippet1":::

 The policy used by the claims authorization manager is specified by custom `<policy>` elements under the [&lt;claimsAuthorizationManager&gt;](/dotnet/framework/configure-apps/file-schema/windows-identity-foundation/claimsauthorizationmanager) element. This policy is read and compiled by the <xref:System.Security.Claims.ClaimsAuthorizationManager.LoadCustomConfiguration%2A> method. In the first policy, the principal must possess one of the specified claims in order to perform the specified action on the specified resource. In the second policy, the principal must possess both claims to be able to perform the specified action on the specified resource. In all others, the principal is automatically granted access regardless of the claims it possesses.

```xml
<system.identityModel>
  <identityConfiguration>
    <claimsAuthorizationManager type="ClaimsAuthorizationLibrary.MyClaimsAuthorizationManager, ClaimsAuthorizationLibrary">
      <policy resource="http://localhost:28491/Developers.aspx" action="GET">
        <or>
          <claim claimType="http://schemas.microsoft.com/ws/2008/06/identity/claims/role" claimValue="developer" />
          <claim claimType="http://schemas.xmlsoap.org/claims/Group" claimValue="Administrator" />
        </or>
      </policy>
      <policy resource="http://localhost:28491/Administrators.aspx" action="GET">
        <and>
          <claim claimType="http://schemas.xmlsoap.org/claims/Group" claimValue="Administrator" />
          <claim claimType="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/country" claimValue="USA" />
        </and>
      </policy>
      <policy resource="http://localhost:28491/Default.aspx" action="GET">
      </policy>
      <policy resource="http://localhost:28491/" action="GET">
      </policy>
      <policy resource="http://localhost:28491/Claims.aspx" action="GET">
      </policy>
    </claimsAuthorizationManager>

    ...

  </identityConfiguration>
</system.identityModel>
```

 ]]></format>
        </remarks>
      </Docs>
    </Member>
    <Member MemberName="LoadCustomConfiguration">
      <MemberSignature Language="C#" Value="public virtual void LoadCustomConfiguration (System.Xml.XmlNodeList nodelist);" />
      <MemberSignature Language="ILAsm" Value=".method public hidebysig newslot virtual instance void LoadCustomConfiguration(class System.Xml.XmlNodeList nodelist) cil managed" />
      <MemberSignature Language="DocId" Value="M:System.Security.Claims.ClaimsAuthorizationManager.LoadCustomConfiguration(System.Xml.XmlNodeList)" />
      <MemberSignature Language="VB.NET" Value="Public Overridable Sub LoadCustomConfiguration (nodelist As XmlNodeList)" />
      <MemberSignature Language="F#" Value="abstract member LoadCustomConfiguration : System.Xml.XmlNodeList -&gt; unit&#xA;override this.LoadCustomConfiguration : System.Xml.XmlNodeList -&gt; unit" Usage="claimsAuthorizationManager.LoadCustomConfiguration nodelist" />
      <MemberSignature Language="C++ CLI" Value="public:&#xA; virtual void LoadCustomConfiguration(System::Xml::XmlNodeList ^ nodelist);" />
      <MemberType>Method</MemberType>
      <Implements>
        <InterfaceMember>M:System.IdentityModel.Configuration.ICustomIdentityConfiguration.LoadCustomConfiguration(System.Xml.XmlNodeList)</InterfaceMember>
      </Implements>
      <AssemblyInfo>
        <AssemblyName>System.IdentityModel</AssemblyName>
        <AssemblyVersion>4.0.0.0</AssemblyVersion>
      </AssemblyInfo>
      <ReturnValue>
        <ReturnType>System.Void</ReturnType>
      </ReturnValue>
      <Parameters>
        <Parameter Name="nodelist" Type="System.Xml.XmlNodeList" />
      </Parameters>
      <Docs>
        <param name="nodelist">The custom configuration elements. Each node in the list is of type <see cref="T:System.Xml.XmlElement" />.</param>
        <summary>When overridden in a derived class, loads custom configuration from XML.</summary>
        <remarks>
          <format type="text/markdown"><![CDATA[

## Remarks
 The <xref:System.Security.Claims.ClaimsAuthenticationManager.LoadCustomConfiguration%2A> method is called by the configuration infrastructure. When this method is called, the `nodelist` will contain the top-level child elements of the [&lt;claimsAuthorizationManager&gt;](/dotnet/framework/configure-apps/file-schema/windows-identity-foundation/claimsauthorizationmanager) element from the configuration file. Each of these elements may, in turn, contain attributes or child elements depending on the configuration schema you define for your derived class. If no child elements appear under the `<claimsAuthorizationManager>` element in the configuration file, this method is not called.

 The default implementation throws a <xref:System.NotImplementedException>. Override this method in your derived class to enable initialization of your claims authorization manager from a configuration file. Typically, the configuration elements are used to express an authorization policy; however, you can define elements and use them in any way that makes sense based on the requirements of your application.


## Examples
 The code examples that are used in the <xref:System.Security.Claims.ClaimsAuthorizationManager> topics are taken from the `Claims Based Authorization` sample. This sample provides a custom claims authorization manager that can authorize subjects based on a policy that is specified in configuration. The custom claims authorization manager consists of three basic components: a class derived from <xref:System.Security.Claims.ClaimsAuthorizationManager> that implements the manager, the `ResourceAction` class that pairs a resource and an action, and a policy reader that reads and compiles policy that is specified in the configuration file. This compiled policy can then be used by the claims authorization manager to evaluate a principal in order to authorize access to resources. Not all elements are shown for the sake of brevity. For information about this sample and other samples available for WIF and about where to download them, see [WIF Code Sample Index](/previous-versions/dotnet/framework/windows-identity-foundation/wif-code-sample-index).

 The following code shows the override of the <xref:System.Security.Claims.ClaimsAuthorizationManager.LoadCustomConfiguration%2A> method. This method uses a helper policy reader class (not shown) to read and compile authorization policies specified in the configuration file. Policies are added to a dictionary and are accessed by a `ResourceAction` key object that is created from the resource and action for which they are intended.

 :::code language="csharp" source="~/snippets/csharp/System.Security.Claims/AuthorizationContext/Overview/myclaimsauthorizationmanager.cs" id="Snippet3":::
:::code language="csharp" source="~/snippets/csharp/System.Security.Claims/AuthorizationContext/Overview/myclaimsauthorizationmanager.cs" id="Snippet4":::

 The following code shows the `ResourceAction` class used by the custom claims manager.

 :::code language="csharp" source="~/snippets/csharp/System.Security.Claims/AuthorizationContext/Overview/resourceaction.cs" id="Snippet1":::

 The policy used by the claims authorization manager is specified by custom `<policy>` elements under the [&lt;claimsAuthorizationManager&gt;](/dotnet/framework/configure-apps/file-schema/windows-identity-foundation/claimsauthorizationmanager) element. This policy is read and compiled by the <xref:System.Security.Claims.ClaimsAuthorizationManager.LoadCustomConfiguration%2A> method. In the first policy, the principal must possess one of the specified claims in order to perform the specified action on the specified resource. In the second policy, the principal must possess both claims to be able to perform the specified action on the specified resource. In all others, the principal is automatically granted access regardless of the claims it possesses.

```xml
<system.identityModel>
  <identityConfiguration>
    <claimsAuthorizationManager type="ClaimsAuthorizationLibrary.MyClaimsAuthorizationManager, ClaimsAuthorizationLibrary">
      <policy resource="http://localhost:28491/Developers.aspx" action="GET">
        <or>
          <claim claimType="http://schemas.microsoft.com/ws/2008/06/identity/claims/role" claimValue="developer" />
          <claim claimType="http://schemas.xmlsoap.org/claims/Group" claimValue="Administrator" />
        </or>
      </policy>
      <policy resource="http://localhost:28491/Administrators.aspx" action="GET">
        <and>
          <claim claimType="http://schemas.xmlsoap.org/claims/Group" claimValue="Administrator" />
          <claim claimType="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/country" claimValue="USA" />
        </and>
      </policy>
      <policy resource="http://localhost:28491/Default.aspx" action="GET">
      </policy>
      <policy resource="http://localhost:28491/" action="GET">
      </policy>
      <policy resource="http://localhost:28491/Claims.aspx" action="GET">
      </policy>
    </claimsAuthorizationManager>

    ...

  </identityConfiguration>
</system.identityModel>
```

 ]]></format>
        </remarks>
      </Docs>
    </Member>
  </Members>
</Type>