This documentation is archived and is not being maintained.

Role-Based Security Checks

Once you have defined identity and principal objects, you can perform security checks against them in one of the following ways:

  • Using imperative security checks.

  • Using declarative security checks.

  • Directly accessing the Principal object.

Managed code can use imperative or declarative security checks to determine whether a particular principal object is a member of a known role, has a known identity, or represents a known identity acting in a role. To cause the security check to occur using imperative or declarative security, a security demand for an appropriately constructed PrincipalPermission object must be made. During the security check, the common language runtime examines the caller's principal object to determine whether its identity and role match those represented by the PrincipalPermission being demanded. If the principal object does not match, a SecurityException is thrown. (Only the principal object of the current thread is examined; the PrincipalPermission class does not cause a stack walk as with code access permission.)

Additionally, you can access the values of the principal object directly and perform checks without a PrincipalPermission object. In this case, you simply read the values of the current thread's principal or use the IsInRole method perform authorization.