Skip to main content This browser is no longer supported. Show
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support. ASP.NET Core Blazor authentication and authorization
In this articleThis article describes ASP.NET Core's support for the configuration and management of security in Blazor apps. Security scenarios differ between Blazor Server and Blazor WebAssembly apps. Because Blazor Server apps run on the server, authorization checks are able to determine:
Blazor WebAssembly apps run on the client. Authorization is only used to determine which UI options to show. Since client-side checks can be modified or bypassed by a user, a Blazor WebAssembly app can't enforce authorization access rules. Razor Pages authorization conventions don't apply to routable Razor components. If a non-routable Razor component is embedded in a page, the page's authorization conventions indirectly affect the Razor component along with the rest of the page's content. ASP.NET Core Identity is designed to work in the context of HTTP request and response communication, which generally isn't the Blazor app client-server communication model. ASP.NET Core apps that use ASP.NET Core Identity for user management should use Razor Pages instead of Razor components for Identity-related UI, such as user registration, login, logout, and other user management tasks. ASP.NET Core abstractions, such as SignInManager<TUser> and UserManager<TUser>, aren't supported in Razor components. For more information on using ASP.NET Core Identity with Blazor, see Scaffold ASP.NET Core Identity into a Blazor Server app. AuthenticationBlazor uses the existing ASP.NET Core authentication mechanisms to establish the user's identity. The exact mechanism depends on how the Blazor app is hosted, Blazor WebAssembly or Blazor Server. Blazor WebAssembly authenticationIn Blazor WebAssembly apps, authentication checks can be bypassed because all client-side code can be modified by users. The same is true for all client-side app technologies, including JavaScript SPA frameworks or native apps for any operating system. Add the following:
To handle authentication, use of a built-in or custom AuthenticationStateProvider service is covered in the following sections. For more information on creating apps and configuration, see Secure ASP.NET Core Blazor WebAssembly. Blazor Server authenticationBlazor Server apps operate over a real-time connection that's created using SignalR. Authentication in SignalR-based apps is handled when the connection is established. Authentication can be based on a cookie or some other bearer token. The built-in
AuthenticationStateProvider service for Blazor Server apps obtains authentication state data from ASP.NET Core's For more information on creating apps and configuration, see Secure ASP.NET Core Blazor Server apps. AuthenticationStateProvider serviceAuthenticationStateProvider is the underlying service used by the AuthorizeView component and CascadingAuthenticationState component to get the authentication state. You don't typically use
AuthenticationStateProvider directly. Use the The AuthenticationStateProvider service can provide the current user's ClaimsPrincipal data, as shown in the following example:
If For more information on dependency injection (DI) and services, see ASP.NET Core Blazor dependency injection and Dependency injection in ASP.NET Core. For information on how to implement a custom AuthenticationStateProvider in Blazor Server apps, see Secure ASP.NET Core Blazor Server apps. Expose the authentication state as a cascading parameterIf authentication state data is required for procedural logic, such as when performing an action triggered by the user, obtain the authentication state data by defining a cascading parameter of type
If Set up the
In a Blazor WebAssembly App, add services for options and authorization to
In a Blazor Server app, services for options and authorization are already present, so no further action is required. AuthorizationAfter a user is authenticated, authorization rules are applied to control what the user can do. Access is typically granted or denied based on whether:
Each of these concepts is the same as in an ASP.NET Core MVC or Razor Pages app. For more information on ASP.NET Core security, see the articles under ASP.NET Core Security and Identity. AuthorizeView componentThe AuthorizeView component selectively displays UI content depending on whether the user is authorized. This approach is useful when you only need to display data for the user and don't need to use the user's identity in procedural logic. The component exposes a
You can also supply different content for display if the user isn't authorized:
The content of A default event handler for an authorized element, such as the Authorization conditions, such as roles or policies that control UI options or access, are covered in the Authorization section. If authorization conditions aren't specified, AuthorizeView uses a default policy and treats:
The AuthorizeView component can be used in the Apps created from a Blazor project template that include authentication use a
The following example is from the Blazor Server project template and uses ASP.NET Core Identity endpoints in the
Role-based and policy-based authorizationThe AuthorizeView component supports role-based or policy-based authorization. For role-based authorization, use the Roles parameter:
For more information, including configuration guidance, see Role-based authorization in ASP.NET Core. For policy-based authorization, use the Policy parameter:
Claims-based authorization is a special case of policy-based authorization. For example, you can define a policy that requires users to have a certain claim. For more information, see Policy-based authorization in ASP.NET Core. These APIs can be used in either Blazor Server or Blazor WebAssembly apps. If neither Roles nor Policy is specified, AuthorizeView uses the default policy. Content displayed during asynchronous authenticationBlazor allows for authentication state to be determined asynchronously. The primary scenario for this approach is in Blazor WebAssembly apps that make a request to an external endpoint for authentication. While authentication is in progress, AuthorizeView displays no content by default. To display content while authentication occurs, use the
This approach isn't normally applicable to Blazor Server apps. Blazor Server apps know the authentication state as soon as the state is established. Authorizing content can be provided in a Blazor Server app's AuthorizeView component, but the content is never displayed. [Authorize] attributeThe
Important Only use The
For policy-based authorization, use the Policy parameter:
If neither Roles
nor Policy is specified,
Resource authorizationTo authorize users for resources, pass the request's route data to the Resource parameter of AuthorizeRouteView. In the Router.Found content for a requested route in the
For more information on how authorization state data is passed and used in procedural logic, see the Expose the authentication state as a cascading parameter section. When the AuthorizeRouteView receives the route data for the resource, authorization policies have access to RouteData.PageType and RouteData.RouteValues that permit custom logic to make authorization decisions. In the following example, an
In either
The preceding example is an oversimplified authorization policy, merely used to demonstrate the concept with a working example. For more information on creating and configuring authorization policies, see Policy-based authorization in ASP.NET Core. In the following
Customize unauthorized content with the Router componentThe Router component, in conjunction with the AuthorizeRouteView component, allows the app to specify custom content if:
In the
The content of If the
Procedural logicIf the app is required to check authorization rules as part of procedural logic, use a cascaded parameter of type
Troubleshoot errorsCommon errors:
It's likely that the project wasn't created using a Blazor Server template with authentication enabled. Wrap a
The
CascadingAuthenticationState supplies the Additional resources
Security scenarios differ between Blazor Server and Blazor WebAssembly apps. Because Blazor Server apps run on the server, authorization checks are able to determine:
Blazor WebAssembly apps run on the client. Authorization is only used to determine which UI options to show. Since client-side checks can be modified or bypassed by a user, a Blazor WebAssembly app can't enforce authorization access rules. Razor Pages authorization conventions don't apply to routable Razor components. If a non-routable Razor component is embedded in a page, the page's authorization conventions indirectly affect the Razor component along with the rest of the page's content. ASP.NET Core Identity is designed to work in the context of HTTP request and response communication, which generally isn't the Blazor app client-server communication model. ASP.NET Core apps that use ASP.NET Core Identity for user management should use Razor Pages instead of Razor components for Identity-related UI, such as user registration, login, logout, and other user management tasks. ASP.NET Core abstractions, such as SignInManager<TUser> and UserManager<TUser>, aren't supported in Razor components. For more information on using ASP.NET Core Identity with Blazor, see Scaffold ASP.NET Core Identity into a Blazor Server app. AuthenticationBlazor uses the existing ASP.NET Core authentication mechanisms to establish the user's identity. The exact mechanism depends on how the Blazor app is hosted, Blazor WebAssembly or Blazor Server. Blazor WebAssembly authenticationIn Blazor WebAssembly apps, authentication checks can be bypassed because all client-side code can be modified by users. The same is true for all client-side app technologies, including JavaScript SPA frameworks or native apps for any operating system. Add the following:
To handle authentication, use of a built-in or custom AuthenticationStateProvider service is covered in the following sections. For more information on creating apps and configuration, see Secure ASP.NET Core Blazor WebAssembly. Blazor Server authenticationBlazor Server apps operate over a real-time connection that's created using SignalR. Authentication in SignalR-based apps is handled when the connection is established. Authentication can be based on a cookie or some other bearer token. The built-in
AuthenticationStateProvider service for Blazor Server apps obtains authentication state data from ASP.NET Core's For more information on creating apps and configuration, see Secure ASP.NET Core Blazor Server apps. AuthenticationStateProvider serviceAuthenticationStateProvider is the underlying service used by the AuthorizeView component and CascadingAuthenticationState component to get the authentication state. You don't typically use
AuthenticationStateProvider directly. Use the The AuthenticationStateProvider service can provide the current user's ClaimsPrincipal data, as shown in the following example:
If For more information on dependency injection (DI) and services, see ASP.NET Core Blazor dependency injection and Dependency injection in ASP.NET Core. For information on how to implement a custom AuthenticationStateProvider in Blazor Server apps, see Secure ASP.NET Core Blazor Server apps. Expose the authentication state as a cascading parameterIf authentication state data is required for procedural logic, such as when performing an action triggered by the user, obtain the authentication state data by defining a cascading parameter of type
If Set up the
Note With the release of ASP.NET Core 5.0.1 and for any additional 5.x releases, the In a Blazor WebAssembly App, add services for options and authorization to
In a Blazor Server app, services for options and authorization are already present, so no further action is required. AuthorizationAfter a user is authenticated, authorization rules are applied to control what the user can do. Access is typically granted or denied based on whether:
Each of these concepts is the same as in an ASP.NET Core MVC or Razor Pages app. For more information on ASP.NET Core security, see the articles under ASP.NET Core Security and Identity. AuthorizeView componentThe AuthorizeView component selectively displays UI content depending on whether the user is authorized. This approach is useful when you only need to display data for the user and don't need to use the user's identity in procedural logic. The component exposes a
You can also supply different content for display if the user isn't authorized:
The content of A default event handler for an authorized element, such as the Authorization conditions, such as roles or policies that control UI options or access, are covered in the Authorization section. If authorization conditions aren't specified, AuthorizeView uses a default policy and treats:
The AuthorizeView component can be used in the Apps created from a Blazor project template that include authentication use a
The following example is from the Blazor Server project template and uses ASP.NET Core Identity endpoints in the
Role-based and policy-based authorizationThe AuthorizeView component supports role-based or policy-based authorization. For role-based authorization, use the Roles parameter:
For more information, including configuration guidance, see Role-based authorization in ASP.NET Core. For policy-based authorization, use the Policy parameter:
Claims-based authorization is a special case of policy-based authorization. For example, you can define a policy that requires users to have a certain claim. For more information, see Policy-based authorization in ASP.NET Core. These APIs can be used in either Blazor Server or Blazor WebAssembly apps. If neither Roles nor Policy is specified, AuthorizeView uses the default policy. Content displayed during asynchronous authenticationBlazor allows for authentication state to be determined asynchronously. The primary scenario for this approach is in Blazor WebAssembly apps that make a request to an external endpoint for authentication. While authentication is in progress, AuthorizeView displays no content by default. To display content while authentication occurs, use the
This approach isn't normally applicable to Blazor Server apps. Blazor Server apps know the authentication state as soon as the state is established. Authorizing content can be provided in a Blazor Server app's AuthorizeView component, but the content is never displayed. [Authorize] attributeThe
Important Only use The
For policy-based authorization, use the Policy parameter:
If neither Roles
nor Policy is specified,
Resource authorizationTo authorize users for resources, pass the request's route data to the Resource parameter of AuthorizeRouteView. In the Router.Found content for a requested route in the
For more information on how authorization state data is passed and used in procedural logic, see the Expose the authentication state as a cascading parameter section. When the AuthorizeRouteView receives the route data for the resource, authorization policies have access to RouteData.PageType and RouteData.RouteValues that permit custom logic to make authorization decisions. In the following example, an
In either
The preceding example is an oversimplified authorization policy, merely used to demonstrate the concept with a working example. For more information on creating and configuring authorization policies, see Policy-based authorization in ASP.NET Core. In the following
Customize unauthorized content with the Router componentThe Router component, in conjunction with the AuthorizeRouteView component, allows the app to specify custom content if:
In the
Note With the release of ASP.NET Core 5.0.1 and for any additional 5.x releases, the The content of If the
Procedural logicIf the app is required to check authorization rules as part of procedural logic, use a cascaded parameter of type
Troubleshoot errorsCommon errors:
It's likely that the project wasn't created using a Blazor Server template with authentication enabled. Wrap a
Note With the release of ASP.NET Core 5.0.1 and for any additional 5.x releases, the The
CascadingAuthenticationState supplies the Additional resources
Security scenarios differ between Blazor Server and Blazor WebAssembly apps. Because Blazor Server apps run on the server, authorization checks are able to determine:
Blazor WebAssembly apps run on the client. Authorization is only used to determine which UI options to show. Since client-side checks can be modified or bypassed by a user, a Blazor WebAssembly app can't enforce authorization access rules. Razor Pages authorization conventions don't apply to routable Razor components. If a non-routable Razor component is embedded in a page, the page's authorization conventions indirectly affect the Razor component along with the rest of the page's content. ASP.NET Core Identity is designed to work in the context of HTTP request and response communication, which generally isn't the Blazor app client-server communication model. ASP.NET Core apps that use ASP.NET Core Identity for user management should use Razor Pages instead of Razor components for Identity-related UI, such as user registration, login, logout, and other user management tasks. ASP.NET Core abstractions, such as SignInManager<TUser> and UserManager<TUser>, aren't supported in Razor components. For more information on using ASP.NET Core Identity with Blazor, see Scaffold ASP.NET Core Identity into a Blazor Server app. AuthenticationBlazor uses the existing ASP.NET Core authentication mechanisms to establish the user's identity. The exact mechanism depends on how the Blazor app is hosted, Blazor WebAssembly or Blazor Server. Blazor WebAssembly authenticationIn Blazor WebAssembly apps, authentication checks can be bypassed because all client-side code can be modified by users. The same is true for all client-side app technologies, including JavaScript SPA frameworks or native apps for any operating system. Add the following:
To handle authentication, use of a built-in or custom AuthenticationStateProvider service is covered in the following sections. For more information on creating apps and configuration, see Secure ASP.NET Core Blazor WebAssembly. Blazor Server authenticationBlazor Server apps operate over a real-time connection that's created using SignalR. Authentication in SignalR-based apps is handled when the connection is established. Authentication can be based on a cookie or some other bearer token. The built-in
AuthenticationStateProvider service for Blazor Server apps obtains authentication state data from ASP.NET Core's For more information on creating apps and configuration, see Secure ASP.NET Core Blazor Server apps. AuthenticationStateProvider serviceAuthenticationStateProvider is the underlying service used by the AuthorizeView component and CascadingAuthenticationState component to get the authentication state. You don't typically use
AuthenticationStateProvider directly. Use the The AuthenticationStateProvider service can provide the current user's ClaimsPrincipal data, as shown in the following example:
If For more information on dependency injection (DI) and services, see ASP.NET Core Blazor dependency injection and Dependency injection in ASP.NET Core. For information on how to implement a custom AuthenticationStateProvider in Blazor Server apps, see Secure ASP.NET Core Blazor Server apps. Expose the authentication state as a cascading parameterIf authentication state data is required for procedural logic, such as when performing an action triggered by the user, obtain the authentication state data by defining a cascading parameter of type
If Set up the
In a Blazor WebAssembly App, add services for options and authorization to
In a Blazor Server app, services for options and authorization are already present, so no further action is required. AuthorizationAfter a user is authenticated, authorization rules are applied to control what the user can do. Access is typically granted or denied based on whether:
Each of these concepts is the same as in an ASP.NET Core MVC or Razor Pages app. For more information on ASP.NET Core security, see the articles under ASP.NET Core Security and Identity. AuthorizeView componentThe AuthorizeView component selectively displays UI content depending on whether the user is authorized. This approach is useful when you only need to display data for the user and don't need to use the user's identity in procedural logic. The component exposes a
You can also supply different content for display if the user isn't authorized:
The content of A default event handler for an authorized element, such as the Authorization conditions, such as roles or policies that control UI options or access, are covered in the Authorization section. If authorization conditions aren't specified, AuthorizeView uses a default policy and treats:
The AuthorizeView component can be used in the Apps created from a Blazor project template that include authentication use a
The following example is from the Blazor Server project template and uses ASP.NET Core Identity endpoints in the
Role-based and policy-based authorizationThe AuthorizeView component supports role-based or policy-based authorization. For role-based authorization, use the Roles parameter:
For more information, including configuration guidance, see Role-based authorization in ASP.NET Core. For policy-based authorization, use the Policy parameter:
Claims-based authorization is a special case of policy-based authorization. For example, you can define a policy that requires users to have a certain claim. For more information, see Policy-based authorization in ASP.NET Core. These APIs can be used in either Blazor Server or Blazor WebAssembly apps. If neither Roles nor Policy is specified, AuthorizeView uses the default policy. Content displayed during asynchronous authenticationBlazor allows for authentication state to be determined asynchronously. The primary scenario for this approach is in Blazor WebAssembly apps that make a request to an external endpoint for authentication. While authentication is in progress, AuthorizeView displays no content by default. To display content while authentication occurs, use the
This approach isn't normally applicable to Blazor Server apps. Blazor Server apps know the authentication state as soon as the state is established. Authorizing content can be provided in a Blazor Server app's AuthorizeView component, but the content is never displayed. [Authorize] attributeThe
Important Only use The
For policy-based authorization, use the Policy parameter:
If neither Roles
nor Policy is specified,
Customize unauthorized content with the Router componentThe Router component, in conjunction with the AuthorizeRouteView component, allows the app to specify custom content if:
In the
The content of If the
Procedural logicIf the app is required to check authorization rules as part of procedural logic, use a cascaded parameter of type
Troubleshoot errorsCommon errors:
It's likely that the project wasn't created using a Blazor Server template with authentication enabled. Wrap a
The
CascadingAuthenticationState supplies the Additional resources
Security scenarios differ between Blazor Server and Blazor WebAssembly apps. Because Blazor Server apps run on the server, authorization checks are able to determine:
Blazor WebAssembly apps run on the client. Authorization is only used to determine which UI options to show. Since client-side checks can be modified or bypassed by a user, a Blazor WebAssembly app can't enforce authorization access rules. Razor Pages authorization conventions don't apply to routable Razor components. If a non-routable Razor component is embedded in a page, the page's authorization conventions indirectly affect the Razor component along with the rest of the page's content. ASP.NET Core Identity is designed to work in the context of HTTP request and response communication, which generally isn't the Blazor app client-server communication model. ASP.NET Core apps that use ASP.NET Core Identity for user management should use Razor Pages instead of Razor components for Identity-related UI, such as user registration, login, logout, and other user management tasks. ASP.NET Core abstractions, such as SignInManager<TUser> and UserManager<TUser>, aren't supported in Razor components. For more information on using ASP.NET Core Identity with Blazor, see Scaffold ASP.NET Core Identity into a Blazor Server app. AuthenticationBlazor uses the existing ASP.NET Core authentication mechanisms to establish the user's identity. The exact mechanism depends on how the Blazor app is hosted, Blazor WebAssembly or Blazor Server. Blazor WebAssembly authenticationIn Blazor WebAssembly apps, authentication checks can be bypassed because all client-side code can be modified by users. The same is true for all client-side app technologies, including JavaScript SPA frameworks or native apps for any operating system. Add the following:
To handle authentication, use of a built-in or custom AuthenticationStateProvider service is covered in the following sections. For more information on creating apps and configuration, see Secure ASP.NET Core Blazor WebAssembly. Blazor Server authenticationBlazor Server apps operate over a real-time connection that's created using SignalR. Authentication in SignalR-based apps is handled when the connection is established. Authentication can be based on a cookie or some other bearer token. The built-in
AuthenticationStateProvider service for Blazor Server apps obtains authentication state data from ASP.NET Core's For more information on creating apps and configuration, see Secure ASP.NET Core Blazor Server apps. AuthenticationStateProvider serviceAuthenticationStateProvider is the underlying service used by the AuthorizeView component and CascadingAuthenticationState component to get the authentication state. You don't typically use
AuthenticationStateProvider directly. Use the The AuthenticationStateProvider service can provide the current user's ClaimsPrincipal data, as shown in the following example:
If For more information on dependency injection (DI) and services, see ASP.NET Core Blazor dependency injection and Dependency injection in ASP.NET Core. For information on how to implement a custom AuthenticationStateProvider in Blazor Server apps, see Secure ASP.NET Core Blazor Server apps. Expose the authentication state as a cascading parameterIf authentication state data is required for procedural logic, such as when performing an action triggered by the user, obtain the authentication state data by defining a cascading parameter of type
If Set up the
In a Blazor WebAssembly App, add services for options and authorization to
In a Blazor Server app, services for options and authorization are already present, so no further action is required. AuthorizationAfter a user is authenticated, authorization rules are applied to control what the user can do. Access is typically granted or denied based on whether:
Each of these concepts is the same as in an ASP.NET Core MVC or Razor Pages app. For more information on ASP.NET Core security, see the articles under ASP.NET Core Security and Identity. AuthorizeView componentThe AuthorizeView component selectively displays UI content depending on whether the user is authorized. This approach is useful when you only need to display data for the user and don't need to use the user's identity in procedural logic. The component exposes a
You can also supply different content for display if the user isn't authorized:
The content of A default event handler for an authorized element, such as the Authorization conditions, such as roles or policies that control UI options or access, are covered in the Authorization section. If authorization conditions aren't specified, AuthorizeView uses a default policy and treats:
The AuthorizeView component can be used in the Apps created from a Blazor project template that include authentication use a
The following example is from the Blazor Server project template and uses ASP.NET Core Identity endpoints in the
Role-based and policy-based authorizationThe AuthorizeView component supports role-based or policy-based authorization. For role-based authorization, use the Roles parameter:
For more information, including configuration guidance, see Role-based authorization in ASP.NET Core. For policy-based authorization, use the Policy parameter:
Claims-based authorization is a special case of policy-based authorization. For example, you can define a policy that requires users to have a certain claim. For more information, see Policy-based authorization in ASP.NET Core. These APIs can be used in either Blazor Server or Blazor WebAssembly apps. If neither Roles nor Policy is specified, AuthorizeView uses the default policy. Content displayed during asynchronous authenticationBlazor allows for authentication state to be determined asynchronously. The primary scenario for this approach is in Blazor WebAssembly apps that make a request to an external endpoint for authentication. While authentication is in progress, AuthorizeView displays no content by default. To display content while authentication occurs, use the
This approach isn't normally applicable to Blazor Server apps. Blazor Server apps know the authentication state as soon as the state is established. Authorizing content can be provided in a Blazor Server app's AuthorizeView component, but the content is never displayed. [Authorize] attributeThe
Important Only use The
For policy-based authorization, use the Policy parameter:
If neither Roles
nor Policy is specified,
Resource authorizationTo authorize users for resources, pass the request's route data to the Resource parameter of AuthorizeRouteView. In the Router.Found content for a requested route in the
For more information on how authorization state data is passed and used in procedural logic, see the Expose the authentication state as a cascading parameter section. When the AuthorizeRouteView receives the route data for the resource, authorization policies have access to RouteData.PageType and RouteData.RouteValues that permit custom logic to make authorization decisions. In the following example, an
In either
The preceding example is an oversimplified authorization policy, merely used to demonstrate the concept with a working example. For more information on creating and configuring authorization policies, see Policy-based authorization in ASP.NET Core. In the following
Customize unauthorized content with the Router componentThe Router component, in conjunction with the AuthorizeRouteView component, allows the app to specify custom content if:
In the
The content of If the
Procedural logicIf the app is required to check authorization rules as part of procedural logic, use a cascaded parameter of type
Troubleshoot errorsCommon errors:
It's likely that the project wasn't created using a Blazor Server template with authentication enabled. Wrap a
The
CascadingAuthenticationState supplies the Additional resources
FeedbackSubmit and view feedback for What are the 3 types of access control?There are three core types of IP access control: discretionary, managed, and role-based. Discretionary access control is extremely flexible and nonrestrictive compared to its alternatives. This is because access rights are specified by users.
What access control method is based on an identity?Identity-Based Access Control (IBAC)
IBAC is a simplified security method that dictates whether the person using is permitted or denied to a given electronic resource based on their individual visual or biometric identity.
What is access control and types of access control?Access control is a security technique that regulates who or what can view or use resources in a computing environment. It is a fundamental concept in security that minimizes risk to the business or organization. There are two types of access control: physical and logical.
What are the four 4 main access control model?Currently, there are four primary types of access control models: mandatory access control (MAC), role-based access control (RBAC), discretionary access control (DAC), and rule-based access control (RBAC).
In which type of access control system would access to data be determined by a subject clearance?Mandatory Access Control (MAC) is system-enforced access control based on a subject's clearance and an object's labels.
Which type of access controls can be roleThe answer is non- discretionary. Role-based access control and task-based access control are known Mandatory Access controls (or non-discretionary controls), which match information to roles or tasks, not individual users.
|