This documentation is archived and is not being maintained.

AuthorizationStoreRoleProvider Class

Manages storage of role-membership information for an ASP.NET application in an authorization-manager policy store, either in an XML file, in an Active Directory, or on an Active Directory Application Mode server.


Namespace:  System.Web.Security
Assembly:  System.Web (in System.Web.dll)

public class AuthorizationStoreRoleProvider : RoleProvider

The AuthorizationStoreRoleProvider type exposes the following members.

Public methodAuthorizationStoreRoleProviderInitializes a new instance of the AuthorizationStoreRoleProvider class.

Public propertyApplicationNameGets or sets the name of the authorization store application for which to store and retrieve role information. (Overrides RoleProvider.ApplicationName.)
Public propertyCacheRefreshIntervalGets the number of minutes between refreshes of the cache of the policy-store data.
Public propertyDescriptionGets a brief, friendly description suitable for display in administrative tools or other user interfaces (UIs). (Inherited from ProviderBase.)
Public propertyNameGets the friendly name used to refer to the provider during configuration. (Inherited from ProviderBase.)
Public propertyScopeNameGets or sets the scope name for the authorization store.

Public methodAddUsersToRolesAdds the specified user names to each of the specified roles. (Overrides RoleProvider.AddUsersToRoles(String[], String[]).)
Public methodCreateRoleAdds a new role to the role authorization-manager policy store. (Overrides RoleProvider.CreateRole(String).)
Public methodDeleteRoleRemoves a role from the authorization-manager policy store. (Overrides RoleProvider.DeleteRole(String, Boolean).)
Public methodEquals(Object)Determines whether the specified Object is equal to the current Object. (Inherited from Object.)
Protected methodFinalizeAllows an object to try to free resources and perform other cleanup operations before it is reclaimed by garbage collection. (Inherited from Object.)
Public methodFindUsersInRoleThis method is not supported by the authorization store role provider. (Overrides RoleProvider.FindUsersInRole(String, String).)
Public methodGetAllRolesGets a list of all the roles for the application. (Overrides RoleProvider.GetAllRoles().)
Public methodGetHashCodeServes as a hash function for a particular type. (Inherited from Object.)
Public methodGetRolesForUserGets a list of the roles that a user is in. (Overrides RoleProvider.GetRolesForUser(String).)
Public methodGetTypeGets the Type of the current instance. (Inherited from Object.)
Public methodGetUsersInRoleGets a list of users in the specified role. (Overrides RoleProvider.GetUsersInRole(String).)
Public methodInitializeInitializes the authorization-manager role provider with the property values specified in the ASP.NET application's configuration file. This method is not intended to be used directly from your code. (Overrides ProviderBase.Initialize(String, NameValueCollection).)
Public methodIsUserInRoleGets a value indicating whether the specified user is in the specified role. (Overrides RoleProvider.IsUserInRole(String, String).)
Protected methodMemberwiseCloneCreates a shallow copy of the current Object. (Inherited from Object.)
Public methodRemoveUsersFromRolesRemoves the specified user names from the specified roles. (Overrides RoleProvider.RemoveUsersFromRoles(String[], String[]).)
Public methodRoleExistsGets a value indicating whether the specified role name already exists in the authorization-manager policy store. (Overrides RoleProvider.RoleExists(String).)
Public methodToStringReturns a string that represents the current object. (Inherited from Object.)

This class is used by the Roles and RolePrincipal classes to provide role-management services for an ASP.NET application using an authorization-manager store. You can use role management to specify different levels of authorization for your application. The authorization manager can be accessed using the Microsoft Management Console.

The AuthorizationStoreRoleProvider object works with both Windows authentication and forms authentication modes.

You can configure the AuthorizationStoreRoleProvider object to use either a local XML file or an Active Directory or Active Directory Application Mode (ADAM) server. When using a local file, the connection string should look like the following example.

msxml://<path to xml file>

If the local file is stored in the directory tree of an ASP.NET Web application, you can use the tilde ("~") character to indicate the root directory. For example, to indicate that the local file is stored in the Web application's data directory, you would use a connection string similar to the following example.


Security noteSecurity Note

Storing an XML data file in the Web application directory is a potential security threat. By default, IIS will serve XML data files to the Web. To improve security when using a local data file in an ASP.NET application, you should store the data file in the App_Data directory. Files stored in the App_Data directory will not be served to the Web.

If you are using an Active Directory or ADAM server for the policy store, your connection string should be similar to the following example.


The exceptions listed in the documentation for AuthorizationStoreRoleProvider object methods are the exceptions that are raised by the AuthorizationStoreRoleProvider object. Since the provider relies on the underlying Authentication Manager runtime, a COMException exception may be thrown whenever the AuthorizationStoreRoleProvider object forwards a method call to the Authentication Manager runtime.

Security noteSecurity Note

The AuthorizationStoreRoleProvider object has the following requirements for running in partial-trust environments:

When using a file-based policy store in an ASP.NET application, the file I/O permissions granted by the current trust level determine whether read and write actions are allowed by the provider. The ASP.NET application must have read permission on the file to read data from the policy store, and must have write permission to save new information or update existing information in the policy store. The default Medium-trust policy file gives an ASP.NET application read/write permissions in its application directory. The default Low-trust policy file only gives an ASP.NET application read permission in its application directory. In addition, the process identity under which the ASP.NET application runs must have file-system permissions to read and/or write the policy file.

When using an Active Directory or ADAM server, the ASP.NET application needs unmanaged-code permission because the internal AuthorizationStoreRoleProvider object code uses COM interop.

When using the AuthorizationStoreRoleProvider object outside of ASP.NET, the calling code needs unmanaged-code permission.

The following code example shows a Web.config file set to use the AuthorizationStoreRoleProvider for role management.

    <add name="AuthorizationServices" connectionString="msxml://~\App_Data\SampleStore.xml" />


    <authentication mode="Windows" />
    <identity impersonate="true" />

    <roleManager defaultProvider="AuthorizationStoreRoleProvider" 
      cookieProtection="All" >
        <clear />
            scopeName="" />


.NET Framework

Supported in: 4, 3.5, 3.0, 2.0

Windows 7, Windows Vista SP1 or later, Windows XP SP3, Windows XP SP2 x64 Edition, Windows Server 2008 (Server Core not supported), Windows Server 2008 R2 (Server Core supported with SP1 or later), Windows Server 2003 SP2

The .NET Framework does not support all versions of every platform. For a list of the supported versions, see .NET Framework System Requirements.

Any public static (Shared in Visual Basic) members of this type are thread safe. Any instance members are not guaranteed to be thread safe.