This documentation is archived and is not being maintained.

ClaimsPrincipalPermission Class

Windows Identity Foundation
[Starting with the .NET Framework 4.5, Windows Identity Foundation (WIF) has been fully integrated into the .NET Framework. The version of WIF addressed by this topic, WIF 3.5, is deprecated and should only be used when developing against the .NET Framework 3.5 SP1 or the .NET Framework 4. For more information about WIF in the .NET Framework 4.5, also known as WIF 4.5, see the Windows Identity Foundation documentation in the .NET Framework 4.5 Development Guide.]

Represents the permission required to access a resource.

Namespace: Microsoft.IdentityModel.Claims
Assembly: Microsoft.IdentityModel (in Microsoft.IdentityModel.dll)

Dim instance As ClaimsPrincipalPermission

public sealed class ClaimsPrincipalPermission : IPermission, ISecurityEncodable, IUnrestrictedPermission
/** @attribute SerializableAttribute() */ 
public final class ClaimsPrincipalPermission implements IPermission, ISecurityEncodable, 

The following example demonstrates how to use the ClaimsPrincipalPermission class to perform access checks. It also demonstrates the use of the ClaimsPrincipalPermissionAttribute class. For a more complete example, see the Claims based Authorization sample in the Windows® Identity Foundation (WIF) SDK.

using System;
using System.Security.Permissions;
using System.Security.Principal;
using System.Threading;
using Microsoft.IdentityModel.Claims;

namespace ClaimsBasedAuthorization
{
    /// <summary>
    /// Program illustrates using Claims-based authorization
    /// </summary>
    class Program
    {
        static void Main( string[] args )
        {
            // Configure .NET Framework to use Windows Claims Principals
            // Emulates the authentication phase supported by the Windows Identity Foundation.
            AppDomain.CurrentDomain.SetPrincipalPolicy( PrincipalPolicy.WindowsPrincipal );
            Thread.CurrentPrincipal = ClaimsPrincipal.CreateFromPrincipal( Thread.CurrentPrincipal );

            // Method 1. Simple access check using static method. 
            // Expect this to be most common method.
            // Throws SecurityException if the current principal is not authorized.
            ClaimsPrincipalPermission.CheckAccess( "resource", "action" );

            // Method 2. Programmatic check using the permission class
            // Follows model found at
            ClaimsPrincipalPermission cpp = new ClaimsPrincipalPermission( "resource", "action" );
            // Demand performs the check and throws SecurityException on failure.
            cpp.Demand();

            // Method 3. Access check interacting directly with the authorization manager.
            // Unlike Methods 1 and 2, this call reports its decision as a bool and does not throw;
            // production code must test the return value.
            ClaimsAuthorizationManager am = new ClaimsAuthorizationManager();
            am.CheckAccess( new AuthorizationContext( (IClaimsPrincipal) Thread.CurrentPrincipal, "resource", "action" ) );

            // Method 4. Call a method that is protected using the permission attribute class
            ProtectedMethod();

            Console.WriteLine( "Press [Enter] to continue." );
            Console.ReadLine();
        }

        // Declarative access check using the permission class
        // Both demands must succeed before the method body runs.
        [ClaimsPrincipalPermission( SecurityAction.Demand, Resource = "resource", Operation = "action")]
        [ClaimsPrincipalPermission( SecurityAction.Demand, Resource = "resource1", Operation = "action1" )]
        static void ProtectedMethod()
        {
        }
    }
}

The ClaimsPrincipalPermission class provides programmatic access to the claims authorization manager (ClaimsAuthorizationManager) that is configured for an application. You can use the methods provided by the ClaimsPrincipalPermission class to perform access checks in your code with the claims authorization manager.

The ClaimsPrincipalPermission class checks access for the current principal for a specified action on a specified resource. The resource and action are both strings and are typically URIs. You can either initialize the ClaimsPrincipalPermission with an action and a resource when you create it and call the Demand method, or you can pass the action and resource to the CheckAccess method. Both methods throw a System.Security.SecurityException exception if the current principal is not authorized to perform the action on the resource; otherwise, execution proceeds.

For a full sample that demonstrates the use of the ClaimsPrincipalPermission class as well as a claims authorization manager that uses a configuration-based policy engine, see the Claims based Authorization sample in the <Installation Directory>\Windows Identity Foundation SDK\<Version>\Samples\Extensions directory.
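As an added illustration (not part of the original topic or of the WIF SDK sample), the following shows a deny-by-default claims authorization manager and a caller that throws SecurityException on refusal, the same contract the Demand and CheckAccess methods follow. The base ClaimsAuthorizationManager.CheckAccess returns true, so access checks only restrict anything once a derived manager such as this one is the manager configured for the application. The class names, the resource urn:example:reports, the action read and the role value Auditors are hypothetical.

```csharp
using System;
using System.Linq;
using System.Security;
using System.Security.Principal;
using System.Threading;
using Microsoft.IdentityModel.Claims;

namespace ClaimsBasedAuthorization
{
    // Hypothetical deny-by-default policy: only a principal holding the role
    // claim "Auditors" may perform "read" on "urn:example:reports".
    class ReportAuthorizationManager : ClaimsAuthorizationManager
    {
        public override bool CheckAccess( AuthorizationContext context )
        {
            // The string constructor of AuthorizationContext stores resource and action as one claim each.
            string resource = context.Resource.Select( c => c.Value ).FirstOrDefault();
            string action = context.Action.Select( c => c.Value ).FirstOrDefault();
            // Refuse anything the policy does not name, and any missing principal.
            if ( resource != "urn:example:reports" || action != "read" || context.Principal == null )
                return false;
            return context.Principal.Identities
                .SelectMany( identity => identity.Claims )
                .Any( c => c.ClaimType == ClaimTypes.Role && c.Value == "Auditors" );
        }
    }

    class PolicyDemo
    {
        // Same contract as Demand and CheckAccess on the page: throw on refusal.
        static void Demand( ClaimsAuthorizationManager manager, string resource, string action )
        {
            AuthorizationContext context = new AuthorizationContext(
                (IClaimsPrincipal) Thread.CurrentPrincipal, resource, action );
            if ( !manager.CheckAccess( context ) )
                throw new SecurityException( "Denied: " + action + " on " + resource );
        }

        static void Main()
        {
            // Principal setup taken from the sample on this page.
            AppDomain.CurrentDomain.SetPrincipalPolicy( PrincipalPolicy.WindowsPrincipal );
            Thread.CurrentPrincipal = ClaimsPrincipal.CreateFromPrincipal( Thread.CurrentPrincipal );
            try { Demand( new ReportAuthorizationManager(), "urn:example:reports", "read" ); }
            catch ( SecurityException e ) { Console.WriteLine( e.Message ); return; }
            Console.WriteLine( "Access granted." );
        }
    }
}
```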

This class cannot be inherited.


Any public static (Shared in Visual Basic) members of this type are thread safe. Any instance members are not guaranteed to be thread safe.


Target Platforms

Windows 7, Windows Server 2008 R2, Windows Vista SP2, Windows Server 2008 SP2, Windows Server 2003 SP2 (32-bit or 64-bit)

Copyright © 2008 by Microsoft Corporation. All rights reserved.