
Authorization the next frontier

The authentication problem is now solved: application developers no longer build login screens; they delegate authentication to a Single Sign-On solution. So what about authorization (what a user can do)? Can we delegate that behaviour, too?

During this talk, we will look at various ways of delivering authorization to your .NET application: Access Control Lists, Role-Based Access Control (RBAC) and Attribute-Based Access Control (ABAC). We will discuss the pros and cons of not embedding authorization decisions inside your application logic, how to reduce administration overhead by making security decisions on ambient business data, and how dynamic policies remove the risk of birth rights. Finally, we will look at how easy it is to prove to all stakeholders, both technical and not, that the application implements the expected authorization decisions.

Andrew Clymer

Co-Founder, Managing Director at Rock Solid Knowledge

Bristol, United Kingdom
