|Important||This document may not represent best practices for current development, links to downloads and other resources may no longer be valid. Current recommended version can be found here.|
Role Management Providers
Role management services use the provider model to separate the functionality of role management — the API — from the data store that contains role information. The .NET Framework includes the following providers that maintain role information in different data stores:
SQL Server. Role information is stored in a SQL Server database. The SQL provider is suitable for medium to large Internet applications. This is the default provider.
Windows (WindowsToken). Role information is based on Windows accounts (users and groups). The Windows provider is useful only if your application runs on a network where all users have domain accounts.
Authorization Manager (AzMan). Role information is managed using an Authorization Manager XML file or a directory-based policy store.
You specify a provider by setting the defaultProvider attribute when you configure role management in your application's Web.config file. For example, to specify the role provider instance with the name "SQL," make the following entry in the roleManager Element (ASP.NET Settings Schema) of the configuration file:
<roleManager defaultProvider="SQL" enabled="true" cacheRolesInCookie="true" > </roleManager>
Roles can use the same database that you use for membership services and the user profile. However, you still have the option of specifying a different provider for each of these services. For information on configuring the role-management database, see Creating and Configuring the Application Services Database for SQL Server.
If you specify the WindowsTokenRoleProvider provider, you must also configure the application to use Windows authentication with an entry in the Web.config file like the following:
<authentication mode="Windows" />
The WindowsTokenRoleProvider provider does not support most of the management functions of the role management API. For example, if you use the WindowsTokenRoleProvider provider, you cannot create groups or add users to groups using role management. Instead, you must perform those functions in Windows.
You can also create a custom role-management provider, which allows you to define your own storage for role information or use an existing role-information store. The general strategy is to create a class that inherits the RoleProvider abstract class. The RoleProvider class identifies the methods that your provider defines (which are essentially the same as those in the Roles class).
After you have a custom role provider, you can configure your application to use that provider in the same way that you configure the application to use one of the providers supplied with the .NET Framework. The role management system will then automatically invoke your custom provider and call its methods.
For more information, see Implementing a Role Provider.