Authorization in WCF
There are three types of authorization in WCF:
--> Role-Based
--> Resource-Based
--> Claims-Based
Role-based authorization groups users into roles and then sets permissions
on the role rather than on individual users. This eases management by
letting you administer a small set of roles instead of a large set of
users; in WCF the roles can be Windows groups, ASP.NET role-provider roles,
or roles you compute yourself.
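As an added example (not code from the original page), the two forms a role check usually takes in a WCF service: a declarative PrincipalPermission demand that WCF evaluates before the operation body runs, and an imperative IsInRole check for rules that also depend on the arguments. The contract, the group names under CONTOSO\ and the amount threshold are assumptions made for illustration.

```csharp
using System;
using System.Security.Permissions;
using System.Security.Principal;
using System.ServiceModel;
using System.Threading;

// Hypothetical contract used only for this illustration.
[ServiceContract]
public interface IPayrollService
{
    [OperationContract]
    decimal GetSalary(string employeeId);

    [OperationContract]
    void SetSalary(string employeeId, decimal amount);
}

public class PayrollService : IPayrollService
{
    // Declarative check. With principalPermissionMode="UseWindowsGroups" (the
    // default) the Role is a Windows group; the demand fails with a
    // SecurityException, surfaced to the caller as an access-denied fault,
    // before the body runs. The group name is an assumption.
    [PrincipalPermission(SecurityAction.Demand, Role = @"CONTOSO\HR-Readers")]
    public decimal GetSalary(string employeeId)
    {
        return 1000m; // placeholder for the real lookup
    }

    // Imperative check for a rule an attribute cannot express: the amount
    // decides which role is sufficient. WCF sets Thread.CurrentPrincipal from
    // the authenticated caller before the operation is invoked.
    public void SetSalary(string employeeId, decimal amount)
    {
        IPrincipal caller = Thread.CurrentPrincipal;
        if (caller == null || caller.Identity == null || !caller.Identity.IsAuthenticated)
            throw new FaultException("Authentication required.");

        bool isPayrollAdmin = caller.IsInRole(@"CONTOSO\HR-Admins");
        bool isManagerWithinLimit = caller.IsInRole(@"CONTOSO\Managers") && amount <= 5000m; // threshold assumed

        // Deny by default and keep the fault generic so the caller learns
        // nothing about which role would have succeeded.
        if (!(isPayrollAdmin || isManagerWithinLimit))
            throw new FaultException("Access denied.");

        // ... persist the change ...
    }
}
```

The declarative form relies on the service behavior's serviceAuthorization element (principalPermissionMode="UseWindowsGroups" for Windows groups, "UseAspNetRoles" with a role provider, or "Custom" with your own IAuthorizationPolicy supplying the principal); if the mode is set to "None", PrincipalPermission demands always fail, which is a safe default but easy to misread as a configuration bug.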
Resource-based authorization sets permissions on the resource itself. For
instance, you set an access control list (ACL) on a Windows resource such
as a file and then let Windows evaluate the identity of the original caller
against that ACL to determine access rights.
If you use resource-based authorization in WCF, you must impersonate the
original caller at every hop: through the application layer (e.g., an
ASP.NET application), through the WCF service layer, and down to the
business logic code that accesses the file resource. Two caveats apply.
Impersonation carries the caller's identity only on the local machine;
reaching a resource on another server under the caller's identity requires
delegation (for example Kerberos constrained delegation), and the client
must allow that impersonation level. And while impersonating, any bug in
the service runs with the caller's full privileges, so scope the
impersonation to the code that actually needs it.
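As an added example (not from the original page), a service operation that lets the NTFS ACL make the decision by impersonating the Windows caller for the duration of the call. The contract, the report directory and the file naming are assumptions for illustration; the one thing the ACL cannot do for you, rejecting a path the caller controls, is checked before the file is opened.

```csharp
using System;
using System.IO;
using System.ServiceModel;

// Hypothetical contract used only for this illustration.
[ServiceContract]
public interface IReportService
{
    [OperationContract]
    string ReadReport(string reportName);
}

public class ReportService : IReportService
{
    // Assumed location; the NTFS ACLs on these files are the authorization policy.
    private const string ReportRoot = @"C:\Reports";

    // ImpersonationOption.Required makes WCF impersonate the Windows caller
    // for exactly this operation, so File.ReadAllText below runs under the
    // caller's token and Windows evaluates the ACL against that identity.
    // WCF refuses the call if the caller did not present a Windows identity
    // that can be impersonated.
    [OperationBehavior(Impersonation = ImpersonationOption.Required)]
    public string ReadReport(string reportName)
    {
        // The ACL protects the file, not the path walk: insist on a bare
        // file name so "..\secrets.txt" never reaches Path.Combine.
        if (string.IsNullOrEmpty(reportName)
            || reportName.IndexOfAny(Path.GetInvalidFileNameChars()) >= 0
            || reportName != Path.GetFileName(reportName))
            throw new FaultException("Invalid report name.");

        string path = Path.Combine(ReportRoot, reportName);
        try
        {
            return File.ReadAllText(path);
        }
        catch (UnauthorizedAccessException)
        {
            // The ACL denied the caller; return a generic fault.
            throw new FaultException("Access denied.");
        }
        catch (FileNotFoundException)
        {
            // Use the same fault as the denial so callers cannot probe for names.
            throw new FaultException("Access denied.");
        }
    }
}
```

The client has to opt in: on the proxy, set ClientCredentials.Windows.AllowedImpersonationLevel to TokenImpersonationLevel.Impersonation (or Delegation if the service must reach a file share on another machine). If the service is hosted behind an ASP.NET application that calls it, that application must itself impersonate its caller when it invokes the proxy, otherwise the identity that reaches the file is the application pool's, not the user's.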
Claims-based authorization adds a layer of abstraction to your authorization
strategy so that the authorization rules are separated from the mechanisms
used for authentication and for evaluating those rules.
For instance, a user may authenticate with a certificate or with
username/password credentials; WCF turns that evidence into a claim set and
passes it to the service, which decides access from the claims rather than
from the credential type. You write authorization policies that generate
(or add to) the claim set based on the authentication evidence presented by
the user (e.g., username and password, certificate, Kerberos). The
resulting claim set is then used by your service, or by a custom
ServiceAuthorizationManager, to determine which operations and resources
the original caller can access.
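As an added example (not code from the original page), the two pieces WCF gives you for this: an IAuthorizationPolicy that maps the evidence claims WCF already produced (a certificate thumbprint, a Windows or username identity) to application claims, and a ServiceAuthorizationManager that decides from those claims alone, without knowing how the caller authenticated. The claim type URI, the thumbprint, the user name and the operation action are constructed assumptions; a real service would read the mapping from a store.

```csharp
using System;
using System.Collections.Generic;
using System.IdentityModel.Claims;
using System.IdentityModel.Policy;
using System.ServiceModel;

// Shared constants for this illustration (assumed values).
public static class ReportClaims
{
    // Claim type meaning "may invoke this SOAP action".
    public const string MayInvoke = "http://example.com/claims/may-invoke";
    public const string ReadReportAction = "http://example.com/IReportService/ReadReport";
    // Constructed thumbprint of an authorized client certificate (hex, upper case).
    public const string TrustedThumbprint = "0123456789ABCDEF0123456789ABCDEF01234567";
    public const string TrustedUser = @"CONTOSO\alice";
}

// Step 1: turn authentication evidence into application claims.
public class ReportAccessPolicy : IAuthorizationPolicy
{
    private readonly string id = Guid.NewGuid().ToString();
    public string Id { get { return id; } }
    public ClaimSet Issuer { get { return ClaimSet.System; } }

    public bool Evaluate(EvaluationContext evaluationContext, ref object state)
    {
        var granted = new List<Claim>();

        foreach (ClaimSet cs in evaluationContext.ClaimSets)
        {
            // Certificate callers: WCF's X509 claim set carries a Thumbprint
            // claim whose Resource is the raw byte[] thumbprint.
            foreach (Claim c in cs.FindClaims(ClaimTypes.Thumbprint, Rights.PossessProperty))
            {
                string hex = BitConverter.ToString((byte[])c.Resource).Replace("-", "");
                if (string.Equals(hex, ReportClaims.TrustedThumbprint, StringComparison.OrdinalIgnoreCase))
                    granted.Add(new Claim(ReportClaims.MayInvoke, ReportClaims.ReadReportAction, Rights.PossessProperty));
            }

            // Windows or username callers: a Name claim with the account name.
            foreach (Claim c in cs.FindClaims(ClaimTypes.Name, Rights.PossessProperty))
            {
                if (string.Equals((string)c.Resource, ReportClaims.TrustedUser, StringComparison.OrdinalIgnoreCase))
                    granted.Add(new Claim(ReportClaims.MayInvoke, ReportClaims.ReadReportAction, Rights.PossessProperty));
            }
        }

        // Only add a claim set when something was granted; an empty set is noise.
        if (granted.Count > 0)
            evaluationContext.AddClaimSet(this, new DefaultClaimSet(Issuer, granted));

        return true; // evaluation is complete; false would ask WCF to call again
    }
}

// Step 2: decide from the claims, independent of the credential type.
public class ReportAuthorizationManager : ServiceAuthorizationManager
{
    protected override bool CheckAccessCore(OperationContext operationContext)
    {
        string action = operationContext.RequestContext.RequestMessage.Headers.Action;
        AuthorizationContext auth = operationContext.ServiceSecurityContext.AuthorizationContext;

        foreach (ClaimSet cs in auth.ClaimSets)
        {
            foreach (Claim c in cs.FindClaims(ReportClaims.MayInvoke, Rights.PossessProperty))
            {
                if (string.Equals((string)c.Resource, action, StringComparison.Ordinal))
                    return true;
            }
        }
        return false; // deny by default: no claim, no call
    }
}
```

Both classes are wired up in the service behavior: serviceAuthorization's serviceAuthorizationManagerType names ReportAuthorizationManager, and its authorizationPolicies element lists ReportAccessPolicy. The policy runs once per request after authentication, and the manager runs before the operation; because the manager only looks at the MayInvoke claim, switching clients from certificates to Windows authentication changes the policy, not the access rule.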