Assign Permissions (Claims) to a User

New to Okta and trying to figure out how to secure a .NET Core Web API using OIDC and policy based authorization.

I would like to have each endpoint protected by a policy that checks for the appropriate claims.
For example, a ReadTransactions policy would apply to all users with the read-transactions claim, and ManageTransactions would apply to all users with the read-transactions and write-transactions claims.

I am struggling with how to assign a user these claims. I have read through the docs about scopes and claims and have created a “Permissions” scope and have added the claims.

Since different users will have different permissions, how do I associate an individual user with a set of permissions?

Bear in mind that my understanding of how OIDC works could be off (likely is).

For this scenario I would suggest first creating two groups, one for read and one for manage transactions.

Next create two scopes, maybe transaction:read and transaction:manage on the authorization server you plan to use.

On the same authorization server create a new access policy. Assign the policy to your application and then create two rules, one for read and one for manage. Within the rule you can specify the grant types it applies to, groups/users, and scopes. Assign each rule to its corresponding group created earlier. Note: have the most restrictive rule at the top.

On the protected API resource, when the access token is validated, verify that the needed scope is contained within the scope claims.

A detailed description of creating an access policy can be found here.
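As an added example (not part of the answer above or of any Okta sample), here is what the last step, checking the granted scopes on the API side, can look like in an ASP.NET Core Web API using policy-based authorization. The two policies mirror the question: ReadTransactions needs one scope, ManageTransactions needs both. The scope names transaction:read and transaction:manage, the authority URL and the audience api://default are assumed values; replace them with those of your org and authorization server.

```csharp
// Added example, not code from the forum post. Gates endpoints on the scopes
// that Okta places in the access token's "scp" claim. The access policy rules
// described above decide which scopes a user's group may be granted; this
// code only enforces what the token actually carries.
using System.Linq;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Builder;
using Microsoft.Extensions.DependencyInjection;

var builder = WebApplication.CreateBuilder(args);

builder.Services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
    .AddJwtBearer(options =>
    {
        // Assumed values: the authorization server issuing the tokens and the
        // audience configured on it. Issuer, signature, expiry and audience
        // are validated by the JWT bearer handler before any policy runs.
        options.Authority = "https://{yourOktaDomain}/oauth2/default";
        options.Audience = "api://default";
    });

builder.Services.AddAuthorization(options =>
{
    // ReadTransactions: token must carry transaction:read.
    options.AddPolicy("ReadTransactions", p => p
        .RequireAuthenticatedUser()
        .AddRequirements(new ScopeRequirement("transaction:read")));

    // ManageTransactions: token must carry both scopes.
    options.AddPolicy("ManageTransactions", p => p
        .RequireAuthenticatedUser()
        .AddRequirements(new ScopeRequirement("transaction:read", "transaction:manage")));
});
builder.Services.AddSingleton<IAuthorizationHandler, ScopeHandler>();

var app = builder.Build();
app.UseAuthentication();
app.UseAuthorization();

// Each endpoint names the policy it requires; a token missing a scope gets 403.
app.MapGet("/transactions", () => "list of transactions")
   .RequireAuthorization("ReadTransactions");
app.MapPost("/transactions", () => "transaction created")
   .RequireAuthorization("ManageTransactions");

app.Run();

// Requirement: every listed scope must be present in the token.
public class ScopeRequirement : IAuthorizationRequirement
{
    public string[] RequiredScopes { get; }
    public ScopeRequirement(params string[] scopes) => RequiredScopes = scopes;
}

// Okta emits scopes as a JSON array in the "scp" claim; the JWT handler turns
// each element into a separate claim of type "scp" on the principal.
public class ScopeHandler : AuthorizationHandler<ScopeRequirement>
{
    protected override Task HandleRequirementAsync(
        AuthorizationHandlerContext context, ScopeRequirement requirement)
    {
        var granted = context.User.FindAll("scp").Select(c => c.Value).ToHashSet();
        if (requirement.RequiredScopes.All(granted.Contains))
            context.Succeed(requirement);
        return Task.CompletedTask;
    }
}
```

The point of checking scopes rather than group names in the API is that the API never has to know which groups exist: membership in the read or manage group only matters when the access policy rule decides which scopes to grant, and the API trusts the signed token. If a scope is absent from the token, the request is rejected with 403 even though the user is authenticated.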