|Important||This document may not represent best practices for current development, links to downloads and other resources may no longer be valid. Current recommended version can be found here.|
Understanding Role Management
Role management helps you to manage authorization, allowing you to specify the resources users in your application are allowed to access. Role management lets you treat groups of users as a unit by assigning users to roles such as manager, sales, member, and so on. In Windows, you create roles by assigning users to groups such as Administrators, Power Users, and so on.
After you have established roles, you can create access rules in your application. For example, your site might include a set of pages that you want to display only to members. Similarly, you might want to show or hide a part of a page based on whether the current user is a manager. With roles, you can establish these types of rules independent from individual application users. For example, you do not have to grant individual members of your site access to member-only pages; instead, you can grant access to the role of member and then simply add and remove users from that role as people sign up or allow their memberships to lapse.
Users can belong to more than one role. For example, if your site is a discussion forum, some users might be in the roles of both member and moderator. You might define each role to have different privileges on the site, and a user who is in both roles would then have both sets of privileges.
Even if your application has only a few users, you might still find it convenient to create roles. Roles give you flexibility to change permissions and add and remove users without having to make changes throughout the site. As you define more access rules for your application, roles become a more convenient way to apply the changes to groups of users.
Roles and Access Rules
The primary purpose of establishing roles is to provide you with an easy way to manage access rules for groups of users. You create users and then assign the users to roles (in Windows, to groups). A typical use is to then create a set of pages that you want to restrict to certain users. Often you isolate these restricted pages in a folder by themselves. Then you can use the Web Site Administration Tool to define rules that grant and deny access to restricted folders. For example, you can configure the site so that members or managers have access to the pages in the restricted folder and all other users are denied access. If an unauthorized user tries to view a restricted page, the user either sees an error or is redirected to a page that you specify.
Role Management, User Identity, and Membership
To work with roles, you must be able to identify users in your application so that you can determine whether the user is in a specific role. You can configure your application to establish user identity in two ways: Windows authentication and Forms authentication. If your application runs in a local area network (that is, in a domain-based intranet application), you can identify users using their Windows domain account name. In that case, a user's roles are the Windows groups that the user belongs to.
In Internet applications or other scenarios where it is impractical to use Windows accounts, you can use Forms authentication to establish user identity. For this task, you typically create a page where users can enter a user name and password and then you validate the user's credentials. The ASP.NET Login controls can perform much of this work for you, or you can create a login page and use theclass to establish a user identity.
Roles do not work with users who have not established an identity in your application (anonymous users).
If you use Login controls or Forms authentication to establish user identity, you can also use role management in conjunction with membership. In this scenario, you use membership to define users and passwords. You can then use role management to define roles and assign membership user IDs to those roles. However, role management does not depend on membership. As long as you have a way in your application to set user identity, you can still use role management for authorization.
Role Management API
Role management is not limited to restricting rights to pages or folders. Role management provides an API that you can use to determine programmatically whether a user is in a role. This allows you to write code to take advantage of roles and perform any application tasks based not only on who the user is but also on what roles the user is in.
If you establish user identity in your application, you can use the role-management API methods for creating roles, adding users to roles, and getting information about which users are in which roles. These methods enable you to create your own interface for managing roles.
If your application uses Windows authentication, the role management API offers fewer facilities for role management. For example, you cannot use role management to create new roles. Instead, you use Windows user and group management to create user accounts and groups and assign users to groups. Role management can then read Windows user and group information so that you can use the information for authentication.
How ASP.NET Role Management Works
To work with role management, you first enable it and optionally configure access rules that can take advantage of roles. You can then use role management functions at run time to work with the roles.
The easiest way to configure role management, define roles, add users to roles, and create access rules is to use the Web Site Administration Tool.
Role Management Configuration
To use ASP.NET role management, you enable it in your application's Web.config file using a setting such as the following:
<roleManager enabled="true" cacheRolesInCookie="true" > </roleManager>
A typical use for roles is to establish rules that allow or deny access to pages or folders. You can set up such access rules in thesection of the Web.config file. The following example allows users in the role of members to view pages in the folder called memberPages and denies access to anyone else:
<configuration> <location path="memberPages"> <system.web> <authorization> <allow roles="members" /> <deny users="*" /> </authorization> </system.web> </location> <!-- other configuration settings here --> <configuration>
For more information about setting up access rules, see ASP.NET Authorization.
You must also create roles such as manager or member and assign user IDs to the roles. If your application uses Windows authentication, you use the Windows Computer Management tool to create users and groups.
If you are using Forms authentication, the easiest way to set up users and roles is with the ASP.NET Web Site Administration Tool. If you prefer, you can perform this task programmatically by calling various role-manager methods. The following code example demonstrates how you can create the role
The following code example demonstrates how you can add the user JoeWorden individually to the role
manager, and how you can add the users JillShrader and ShaiBassli to the role
members all at once:
Working with Roles at Run Time
At run time, when users visit your site, they establish an identity, either as a Windows account name or by logging into your application. (In an Internet site, if users visit your site without logging in — that is, anonymously — they will have no user identity and therefore will not be in any role.) Information about the logged-in user is available to your application from theproperty. When roles are enabled, ASP.NET looks up the roles for the current user and adds them to the User object so that you can check them. The following code example demonstrates how you can determine whether the current user is in the role of member, and if so, it displays a button for members:
ASP.NET also creates an instance of theclass and adds it to the current request context so that you can perform role management tasks programmatically, such as determining what users are in a specific role. . The following code example demonstrates how you can get a list of the roles for the current logged-in user.
If you are using thecontrol in your application, the control will check the user's roles and can dynamically create a user interface based on the user's roles.
Caching Role Information
If a user's browser allows cookies, ASP.NET can optionally store role information in an encrypted cookie on the user's computer. On each page request, ASP.NET reads the cookie and populates the role information for that user from the cookie. This strategy minimizes the need to read role information from the database. If the user's browser does not support cookies or if cookies are disabled, role information is instead cached only for the duration of each page request.