.NET 6 Web API - Windows Authentication & Authorization At Application Level

I have implemented the below scenario successfully using .NET Framework, Windows Authentication, ASP.NET Impersonation, and SQL Server Row-Level Security. My goal with this question is to determine how to migrate this to .NET 6.

The current flow has the application initiating a query on behalf of the Windows user. The application impersonates the Windows user and sends the request to SQL Server. SQL Server then filters the data based on an underlying access predicate, and returns only the relative data for that user.

Example as follows:

UserAccess Table

username         name           country
domain\TJones    Tom Jones      Mexico
domain\TJones    Tom Jones      Canada
domain\RMartin   Robert Martin  China
domain\RMartin   Robert Martin  Japan
domain\SBrown    Sue Brown      Canada

Money Table

country   month   total
Mexico    1        220.00
Mexico    2       1500.00
Canada    1       1800.00
Canada    2        920.00
China     1        120.00
China     2       2210.00
Japan     1       4230.00
Japan     2        306.00

The results for a SELECT * FROM Money statement will vary based on the user who is accessing the application:

Tom Jones

country   month   total
Mexico    1        220.00
Mexico    2       1500.00
Canada    1       1800.00
Canada    2        920.00

Robert Martin

country   month   total
China     1        120.00
China     2       2210.00
Japan     1       4230.00
Japan     2        306.00

Sue Brown

country   month   total
Canada    1       1800.00
Canada    2        920.00

At this point we intend to migrate to .NET 6, so I am reassessing our methodology for implementing security, since ASP.NET does not implement impersonation:

https://learn.microsoft.com/en-us/aspnet/core/security/authentication/windowsauth?view=aspnetcore-6.0&tabs=visual-studio#impersonation

ASP.NET Core doesn't implement impersonation. Apps run with the app's identity for all requests, using app pool or process identity.

What is the best way to implement Authorization for a .NET 6 API project where a user is authenticated with Windows Authentication, and then authorized based on what roles (country in this example) their username is assigned to? Now, rather than using RLS, the application would receive all the data but filter based on a user's authorization by matching their Windows Authentication to an authorization table.

A few quick points to highlight:

  • This is an intranet application only. Ironclad security is not the primary concern.
  • Windows Authentication is important. Users are not going to want to login each time they enter.
  • Ease of use for employees is top priority.

Thank you for the suggestions.

Tags: sql-server, asp.net-core-webapi, impersonation, asp.net-authorization, asp.net-authentication
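One way to do what the question asks in .NET 6, as an added example rather than the asker's code: Negotiate (Windows) authentication, an IClaimsTransformation that turns the caller's UserAccess rows into country claims, and a minimal-API endpoint that filters Money by those claims instead of relying on SQL Server RLS. It assumes a .NET 6 web project with implicit usings and the Microsoft.AspNetCore.Authentication.Negotiate package; the in-memory tables, the claim type and the endpoint name are constructed for the example.

```csharp
using System.Security.Claims;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.Negotiate;
var builder = WebApplication.CreateBuilder(args);
// Windows Authentication via Negotiate (Kerberos/NTLM). The process still reaches
// SQL Server as the app pool identity; the caller's identity is used only to authorize.
builder.Services.AddAuthentication(NegotiateDefaults.AuthenticationScheme).AddNegotiate();
builder.Services.AddAuthorization(o => o.FallbackPolicy = o.DefaultPolicy); // reject anonymous
builder.Services.AddTransient<IClaimsTransformation, CountryClaimsTransformation>();
var app = builder.Build();
app.UseAuthentication(); app.UseAuthorization();
// Application-level stand-in for the RLS predicate: read Money, then keep only the
// countries the UserAccess table grants to the authenticated caller.
app.MapGet("/money", (ClaimsPrincipal user) =>
{
    var allowed = user.FindAll(CountryClaimsTransformation.ClaimType)
        .Select(c => c.Value).ToHashSet(StringComparer.OrdinalIgnoreCase);
    return Data.Money.Where(m => allowed.Contains(m.Country)).ToList();
});
app.Run();

// Maps the Windows user's UserAccess rows to country claims once per request. In a real
// app the lookup is a parameterized query (WHERE username = @name) against that table.
sealed class CountryClaimsTransformation : IClaimsTransformation
{
    public const string ClaimType = "urn:example:country"; // constructed claim type
    public Task<ClaimsPrincipal> TransformAsync(ClaimsPrincipal principal)
    {
        var name = principal.Identity?.Name; // e.g. domain\TJones
        if (name is null || principal.HasClaim(c => c.Type == ClaimType))
            return Task.FromResult(principal); // anonymous, or already transformed
        var countries = new ClaimsIdentity();
        foreach (var row in Data.UserAccess.Where(u => u.UserName.Equals(name, StringComparison.OrdinalIgnoreCase)))
            countries.AddClaim(new Claim(ClaimType, row.Country));
        principal.AddIdentity(countries);
        return Task.FromResult(principal);
    }
}

static class Data // constructed in-memory copies of the question's two tables
{
    public record Access(string UserName, string Name, string Country);
    public record Row(string Country, int Month, decimal Total);
    public static readonly Access[] UserAccess = {
        new(@"domain\TJones", "Tom Jones", "Mexico"), new(@"domain\TJones", "Tom Jones", "Canada"),
        new(@"domain\RMartin", "Robert Martin", "China"), new(@"domain\RMartin", "Robert Martin", "Japan"),
        new(@"domain\SBrown", "Sue Brown", "Canada") };
    public static readonly Row[] Money = {
        new("Mexico", 1, 220m), new("Mexico", 2, 1500m), new("Canada", 1, 1800m), new("Canada", 2, 920m),
        new("China", 1, 120m), new("China", 2, 2210m), new("Japan", 1, 4230m), new("Japan", 2, 306m) };
}
```

With the sample data, a request from domain\SBrown returns only the two Canada rows, matching the RLS result shown above; because the filter is applied in the application rather than by SQL Server, every endpoint that reads Money must apply it.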
