How to: Restrict Access Based on User Role
This content is outdated and is no longer being maintained. It is provided as a courtesy for individuals who are still using these technologies.
ClickOnce installs an application on the client computer by making a series of individual file requests. The following is the sequence of the requests:
- Deployment manifest
- Application manifest
- Each application file listed in the application manifest
The file requests made by ClickOnce will pass the identity of the logged-on user to the server if the requests are made on a Windows network. Using Windows access control lists, you can restrict access to the manifests and application files to prevent unauthorized users from deploying your applications. However, there is no practical way to restrict access to ClickOnce applications if they are exposed through the Internet to users who do not have Windows accounts on your domain.
To secure a ClickOnce publication to a specific set of users who have Windows accounts on your domain, you just need to define a Windows group, associate those users with the group, and then restrict access to the ClickOnce manifests and application files to that group.
For more information about managing access control and logging application usage, see Administering ClickOnce Deployments on MSDN.
For detailed steps to restrict access to a ClickOnce application, see Manual: Restrict Access Based on User Role.