Implement user roles

Issue #57 resolved
Brian Lewis (repo owner) created an issue

Follows from #52

ASP.NET Identity includes a concept of "Roles", which are in effect a specific type of "claim" in the claim-based security model.

For users authenticated by Identity (i.e. those defined in AspNetUsers in IdentitiesP) these roles are defined in the IdentitiesP database.

For users authenticated against the domain the Roles collected are the Domain groups that the user belongs to.

Being Claims, the Roles are embedded into the Bearer token, so that every request made to the server has access to the Role membership of the user.

Web Api lets you decorate methods with a Role attribute to determine which role(s) can access that method - so you can implement server side security this way.

On the client, we send the Role memberships to the client with the Bearer Token, so they are accessible in the client-side code. This is the package that comes down in response to api/token (see screenshot Capture.PNG).

In particular, the module angular-permission gives a simple way to tie an authorization condition to a state in ui-router - so you cannot navigate to that state if the condition is not met. So the intention is to set up conditions matched to Role membership, and assign these on the states on the client, just as we do to the corresponding functions on the server.

So I think we can use these structures to give us quite fine-grained control over authorization for various functions. What we need are

  • abstract definitions of rights represented as Roles (e.g. can save a school, can read teacher info) and

  • a mechanism to map into such Roles from domain groups
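As an added illustration (not code from this repository), here is one way the two pieces above could fit together on the server side: a table mapping domain groups to abstract Role claims that get embedded in the bearer token, and a Web API method guarded by the Role attribute. The role names are derived from the examples in this issue and the domain group names are placeholders.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Claims;
using System.Web.Http;

// Abstract rights represented as Roles (names chosen for this example).
public static class AppRoles
{
    public const string SaveSchool = "CanSaveSchool";
    public const string ReadTeacherInfo = "CanReadTeacherInfo";
}

public static class DomainGroupRoleMapper
{
    // Domain group -> abstract Roles. Group names are placeholders.
    private static readonly Dictionary<string, string[]> GroupToRoles =
        new Dictionary<string, string[]>(StringComparer.OrdinalIgnoreCase)
        {
            { @"EXAMPLE\SchoolAdmins", new[] { AppRoles.SaveSchool, AppRoles.ReadTeacherInfo } },
            { @"EXAMPLE\TeacherStaff", new[] { AppRoles.ReadTeacherInfo } },
        };

    // Add one Role claim per mapped right to the identity that will be
    // serialized into the bearer token. Groups without a mapping grant
    // nothing (fail closed), and duplicate rights collapse to one claim.
    public static void AddRoleClaims(ClaimsIdentity identity, IEnumerable<string> domainGroups)
    {
        var roles = domainGroups
            .Where(g => GroupToRoles.ContainsKey(g))
            .SelectMany(g => GroupToRoles[g])
            .Distinct(StringComparer.Ordinal);

        foreach (var role in roles)
            identity.AddClaim(new Claim(ClaimTypes.Role, role));
    }
}

// Server-side enforcement: ClaimsIdentity uses ClaimTypes.Role as its
// RoleClaimType by default, so the Authorize filter matches these claims.
public class SchoolsController : ApiController
{
    [Authorize(Roles = AppRoles.SaveSchool)]
    public IHttpActionResult Post()
    {
        return Ok();
    }
}
```

The client-side condition on the ui-router state only hides navigation; the Authorize attribute is what actually refuses the request.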

Comments (1)

  1. Ghislain Hachey

    This was implemented and useful information from this issue was cleaned up and included into the developer guide. Further work should be on fixes/improvements in their own issues.