[ASP.NET Membership] Role-Based Security

After a user is authenticated, you can determine what the user can do in your web application. This is called authorization. You can set the rules for each user, but managing permissions per user becomes unmanageable when the number of users grows. The solution is roles. Roles are similar to groups in the Windows system. You define roles, set the rules for the roles, and map one or more roles to each user.

1. Creating and Assigning Roles using WSAT

The WSAT (Web Site Administration Tool) provides the feature to manage roles. In most development environments, this tool will meet your needs.

2. Managing Roles Programmatically

In professional web applications, you might want to provide admin pages for web site administrators. To manage roles and users programmatically, you need to use the “System.Web.Security.Roles” class.

The “Roles” class provides static methods to create and manage roles.

– Static Methods: Manage Roles –

  • CreateRole(string roleName): adds a new role to the data source
  • DeleteRole(string roleName): removes a role from the data source
  • GetAllRoles(): gets a list of all the roles for the application
  • RoleExists(string roleName): gets a value indicating whether the specified role name already exists

– Static Methods: Add Users to Roles –

  • AddUserToRole(string username, string roleName)
  • AddUserToRoles(string username, string[] roleNames)
  • AddUsersToRole(string[] usernames, string roleName)
  • AddUsersToRoles(string[] usernames, string[] roleNames)

– Static Methods: Remove Users from Roles –

  • RemoveUserFromRole(string username, string roleName)
  • RemoveUserFromRoles(string username, string[] roleNames)
  • RemoveUsersFromRole(string[] usernames, string roleName)
  • RemoveUsersFromRoles(string[] usernames, string[] roleNames)

– Static Methods: Check whether Users are in Roles –

  • FindUsersInRole(string roleName, string usernameToMatch): gets a list of users in a specified role where the user name contains the specified user name to match
  • GetRolesForUser(), GetRolesForUser(string username): gets a list of the roles that the currently logged-on user or the specified user is in
  • GetUsersInRole(string roleName): gets a list of users in the specified role
  • IsUserInRole(string roleName), IsUserInRole(string userName, string roleName): gets a value indicating whether the currently logged-on user or the specified user is in the specified role

3. Restricting Access Based on Roles

When you check a user’s roles in a web page, you do not need to use the “Roles” class. “Page.User.IsInRole(roleName)” tests whether the authenticated user is in the specified role.

protected void Page_Load(object sender, EventArgs e)
{
    if (User.Identity.IsAuthenticated)
    {
        // User.Identity.Name is written into HTML; encode it (HttpUtility.HtmlEncode)
        // if user names may contain markup.
        lblInfo.Text = "Hello, " + User.Identity.Name;
        if (User.IsInRole("Customers"))
            lblInfo.Text += "<br /> You are a customer.";
        if (User.IsInRole("Managers"))
            lblInfo.Text += "<br /> You are a manager.";
    }
    else
    {
        lblInfo.Text = "You are not logged in yet.";
    }
}
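The admin pages mentioned in section 2 combine the “Roles” methods above with the role check from section 3: the caller must be a manager before any role is changed. The helper below is an added example, not code from the original post; the class name RoleAdmin and the “Managers” role are assumptions, and the guards exist because CreateRole, AddUserToRoles and RemoveUserFromRoles throw when the role or membership state is not what they expect.

```csharp
using System;
using System.Linq;
using System.Security;
using System.Web;
using System.Web.Security;

// Hypothetical admin helper (not part of ASP.NET) built on System.Web.Security.Roles.
public static class RoleAdmin
{
    // Server-side authorization check: every mutating method calls this first,
    // so a user who is not in the "Managers" role (assumed name) cannot change roles
    // even if the admin page's UI is reached some other way.
    private static void RequireManager()
    {
        var user = HttpContext.Current.User;
        if (user == null || !user.Identity.IsAuthenticated || !user.IsInRole("Managers"))
            throw new SecurityException("Role management requires the Managers role.");
    }

    // Create the named roles that do not exist yet; CreateRole throws on duplicates.
    public static void EnsureRoles(params string[] roleNames)
    {
        RequireManager();
        foreach (string role in roleNames)
            if (!Roles.RoleExists(role))
                Roles.CreateRole(role);
    }

    // Make the user's role set exactly 'desired'. AddUserToRoles throws if the user
    // is already a member and RemoveUserFromRoles throws if not, so diff first.
    public static void SetRolesForUser(string userName, params string[] desired)
    {
        RequireManager();
        string[] current = Roles.GetRolesForUser(userName);
        string[] toAdd = desired.Except(current, StringComparer.OrdinalIgnoreCase).ToArray();
        string[] toRemove = current.Except(desired, StringComparer.OrdinalIgnoreCase).ToArray();
        if (toAdd.Length > 0) Roles.AddUserToRoles(userName, toAdd);
        if (toRemove.Length > 0) Roles.RemoveUserFromRoles(userName, toRemove);
    }

    // Delete a role only when no user still holds it; returns false otherwise.
    public static bool DeleteRoleIfEmpty(string roleName)
    {
        RequireManager();
        if (!Roles.RoleExists(roleName) || Roles.GetUsersInRole(roleName).Length > 0)
            return false;
        return Roles.DeleteRole(roleName, throwOnPopulatedRole: true);
    }
}
```

Usage from an admin page, for example RoleAdmin.SetRolesForUser(txtUser.Text, "Customers"), leaves the user in exactly that role whatever roles they held before.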

4. LoginView Control

The “LoginView” control is like the MultiView control, but the user does not choose which view is displayed. The “LoginView” control can have two templates:

  • AnonymousTemplate: for anonymous users
  • LoggedInTemplate: for authenticated users

But the real power of this control comes from another element, “RoleGroups”. You can show different content depending on the user’s roles.

Note that a user can belong to multiple roles but only one template can be shown at a time. When a user matches multiple RoleGroups, the first matched template will be displayed.

<asp:LoginView ID="LoginView1" runat="server">
    <AnonymousTemplate>You are not logged in yet. Please log in.</AnonymousTemplate>
    <RoleGroups>
        <asp:RoleGroup Roles="Managers">
            <ContentTemplate>You are a manager.</ContentTemplate>
        </asp:RoleGroup>
        <asp:RoleGroup Roles="Customers">
            <ContentTemplate>You are a customer.</ContentTemplate>
        </asp:RoleGroup>
    </RoleGroups>
</asp:LoginView>
