Using Windows Identity Foundation (WIF) in tandem with a Security Token Service (STS), is it possible to create complex claims that could satisfy a question such as:

For a user with a claim to a role "Support", that user:

• Can only view and use resource1
• CAN NOT update, create, or delete resource2
• CAN NOT create, or delete resource3
• Can only use and update resources with a "resource" tag.

It's a necessarily contrived example but is this possible? I'm thinking I want to authorize the authenticated user with basic claims and then add the relevant complex claims in the application (where those claims will be stored in a database and under control of application users).

Thanks, Richard

You can definitely model it like that - they are just strings - whatever you can do to strings you can do to claims ;)

But it would be definitely an anti-pattern. Claims describe the identity of a user - which might include coarse grained authorization information. There's a fine line here.

But for your use case you would rather implement your authorization policy in a ClaimsAuthorizationManager and use the identity claims as input to "calculate" your fine grained authorization decisions.