ASP.NET Core provides a simple declarative role and policy-based model where authorization can be defined using different criteria and gets evaluated based on the user claims.

Declarative authorization can be defined using attributes. Attributes such as AuthorizeAttribute and AllowAnonymous can be annotated on controllers and actions and validated when they are accessed by the security framework.