Usage of Roles API to Perform Authorization in .NET

Authentication and Authorization are two major dimensions of Security. Authentication is used to identify if the person logging in is a valid user. Authorization determines which all modules and actions are accessible to a particular User. Authorization has the following classifications:

• User Based Authorization determines if a module is accessible to a particular user.
• Role Based Authorization determines if a module is accessible to a particular role.

This article will focus on Role Based Authorization and how it can be achieved using Roles API.

What is a Role?

Users can be grouped together into a common category called Roles. Few examples to roles are: administrators, supervisors, managers. Administrators will have different authorization permissions when compared to supervisors. But all administrators will have the same permissions.

In this case, instead of configuring the same permission set across all administrator users, you can group such Users into a role called administrator and define permissions to the role instead of individual Users. You can add new users or remove users from this role, based on which the corresponding permission set mapped to the User will be modified.

How to Enable Role Based Authorization in Your .NET Application?

If you want to use Role Based Authorization in your application, make the following entry in web.config file:

<roleManager enabled="true"/>

The above example contains only the property “enabled” of roleManager. In addition, roleManager includes many other properties which are mentioned below:

• ApplicationName: Name of the application which maintains the role information.
• CacheRolesInCookie: If this property is set to true, then User’s roles will be cached in cookie and fetched from the cookie during every page request.
• CookieName: Name of the Cookie in which roles of the User are cached.
• CookiePath: Path where the above mentioned cookie is placed.
• CookieProtectionValue: Indicates the value ensuring protection of the Cookie.
• CookieRequireSSL: This property is assigned with the value true if and only if the Cookie is used on an SSL Channel.
• CookieSlidingExpiration: Used to determine if the expiration date and time of the cookie will be reset in periodical intervals.
• CookieTimeout: Specifies the time limit after which the cookie will be expired.
• CreatePersistentCookie: Determines if the cookie is persistent or it is session-based.
• Domain: Indicates the domain associated with the cookie.
• Enabled: Enables role based authorization for your application when this property is set to true.
• MaxCachedResults: Indicates how many role names can be cached for the User.
• Provider: Indicates role provider associated with the application, by default.
• Providers: All the role providers supported by your application are mentioned in this property.

Here is an example which uses most of the properties of RoleManager Tag in web.config file:

<roleManager enabled ="true"
defaultProvider=" AspNetSqlRoleProvider"

How to Authorize Module for a Particular Role?

Role manager is now enabled in your application. Assume that you have created a role called Supervisor. How do you define permission for Supervisor to access files in a particular folder? You can do it by using <allow roles = “(role names comma separated)”> inside your web.config file. Here’s an example:

<location path="superviseStocks">
<allow roles="Supervisor" />
<allow users=”John”/>
<deny users="*" />

As per this example, only users with supervisor role and user named John can access files from this location.

How to Manage Roles in Your Coding?

You have to create roles, assign users to roles and manage all role based activities. How do you do that? You can perform role management in your coding using methods of System.Web.Security.Roles class which represents the Roles API. Given below are the methods provided by this class:

• CreateRole: To create a new role.
• AddUserToRole: To associate single user to single role.
• AddUsersToRole: To add multiple users to a specified role.
• AddUsersToRoles: To add multiple users to multiple roles.
• AddUserToRoles: To add a single user to multiple roles.
• DeleteCookie: To delete the cookie containing the role names cached.
• DeleteRole: To remove an existing role.
• FindUsersInRole: To list down the Users associated with a role.
• GetAllRoles: To list down all roles defined for your application.
• GetRolesForUser: To list down all the roles associated with a particular user.
• GetUsersInRole: To list down the Users associated with a role.
• IsUserInRole: To determine if the User belongs to the specified role.
• RemoveUserFromRole: To remove the user from a particular role.
• RemoveUserFromRoles: To remove the user from multiple roles that is specified.
• RemoveUsersFromRole: To remove multiple users from a particular role.
• RemoveUsersFromRoles: To remove multiple users from multiple roles specified.
• RoleExists: To check if the role exists already.

Here’s an example covering few of these methods:

public void manageRoles() {
if (!Roles.RoleExists("SupervisorRole")){
Roles.AddUserToRole("TestUser1", "SupervisorRole");
Roles.AddUserToRoles("TestUser2", new string[] { "SupervisorRole", "ManagerRole" });
Roles.AddUsersToRole( new string[] { " TestUser3", " TestUser4" }, "ManagerRole");
Roles.AddUsersFromRoles(new string[] { " TestUser4", " TestUser5" },
new string[] { "Role1", "Role2" });
Roles.RemoveUserFromRole("TestUser1", " SupervisorRole ");
new string[] { "SupervisorRole", "ManagerRole" });
Roles.RemoveUsersFromRole( new string[] { " TestUser3", " TestUser4" },
Roles.RemoveUsersFromRoles(new string[] { " TestUser4", " TestUser5" },
new string[] { "Role1", "Role2" });

if (Roles.IsUserInRole("SupervisorRole")) { /*do corresponding code*/}


Add to My Yahoo!

FREE Subscription

Subscribe to our mailing list and receive new articles
through email. Keep yourself updated with latest
developments in the industry.


Note : We never rent, trade, or sell my email lists to
anyone. We assure that your privacy is respected
and protected.

Visit .NET Programming Tutorial Homepage


Recommended Resource

|How and Why to Use Trace Option for Debugging in ASP.NET Application | How to Display Tool Tip in Your ASP.NET Web Application | How to Use “const” Class Member Modifier in C# | How to Use HTML Help Viewer in Your ASP.NET Web Application | List of Preprocessor Directives Available in C# | More about #define, #undef and Conditional Compilation Directives in C# |Understanding Different Class Member Modifiers in C# | Understanding of Diagnostic Directives and #pragma, #line, #region, #endregion Directives in C# | Usage of Roles API to Perform Authorization in .NET| What are the Different Compiler Engineering Techniques|Writing Unsafe Code in C#|

| Privacy Policy for | Disclosure | Contact |

Copyright - © 2004 - 2017 - All Rights Reserved.