Authentication – Assigning Permissions to Roles


Now that we’ve assigned roles to our users, we need to assign permissions to the roles.

The easiest way to do this is through the web.config file, which will allow us to control which pages the roles can access.

But how do we control items beyond pages?  For that we’ll need to do a bit of “role your own” coding.

If all you need is to control page access, you just need to put some entries in your web.config file. While you can control access to one page at a time, I find that segmenting the groups of pages that each role will need access to into their own directories is the easiest way of dealing with page access.

If you do this, all you need is a web.config file in the directory that looks something like this:

<?xml version="1.0" encoding="utf-8"?>
<configuration xmlns="http://schemas.microsoft.com/.NetConfiguration/v2.0">
    <system.web>
        <authorization>
          <allow roles="role1,role2" />
          <deny users="*" />
        </authorization>
    </system.web>
</configuration>

If you need to protect the root of your application, you’ll need a section similar to the “authorization” section in the existing web.config file.

You can get more elaborate if you want to, but the above code snippet will handle 99% of the situations you’ll run into where you need role-based authentication. If you just need to control access to a directory so that it can be accessed by any authenticated user, regardless of the role they are in, you would remove the <allow roles…> line and change the <deny users="*" /> line to <deny users="?" />. The * represents ALL users. The ? represents all users who are not authenticated.

If you need finer-grained control and you want it to be dynamic, you’ll need to create a table or a set of tables that define those further permissions. The table might have the following columns:

  • RoleName – Same role name that is registered with .NET authentication
  • PageName – The page they are accessing
  • Columns that represent the various permissions (Add, View, Edit, etc…)

If you need this kind of system, I would recommend that you take a look at DotNetNuke’s code and see how they implemented this. 
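As a sketch of the table-driven check described above (an added example, not code from this post or from DotNetNuke), the C# below denies by default and grants a permission only when a row for one of the user's roles explicitly includes it. The type names, page names and in-memory rows are hypothetical, constructed stand-ins for the database table.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Principal;

// Hypothetical names throughout; the rows are constructed sample data standing
// in for the permissions table described above.
[Flags]
public enum PagePermission { None = 0, View = 1, Add = 2, Edit = 4 }

public sealed class RolePagePermission
{
    public string RoleName;        // same role name registered with .NET authentication
    public string PageName;        // page the rule applies to
    public PagePermission Allowed; // permission columns folded into one flags value
}

public static class PermissionChecker
{
    // In a real application these rows would be loaded from the database.
    private static readonly List<RolePagePermission> Rows = new List<RolePagePermission>
    {
        new RolePagePermission { RoleName = "role1", PageName = "Orders.aspx", Allowed = PagePermission.View },
        new RolePagePermission { RoleName = "role2", PageName = "Orders.aspx", Allowed = PagePermission.View | PagePermission.Edit },
    };

    // Deny by default: access is granted only if some row for a role the user
    // holds explicitly includes the requested permission on this page.
    public static bool IsAllowed(IPrincipal user, string pageName, PagePermission needed)
    {
        if (needed == PagePermission.None || user == null || user.Identity == null
            || !user.Identity.IsAuthenticated)
            return false;
        foreach (RolePagePermission row in Rows)
        {
            if (string.Equals(row.PageName, pageName, StringComparison.OrdinalIgnoreCase)
                && (row.Allowed & needed) == needed
                && user.IsInRole(row.RoleName))
                return true;
        }
        return false;
    }

    public static void Main()
    {
        IPrincipal alice = new GenericPrincipal(new GenericIdentity("alice"), new[] { "role1" });
        Console.WriteLine(IsAllowed(alice, "Orders.aspx", PagePermission.View)); // role1 has a View row
        Console.WriteLine(IsAllowed(alice, "Orders.aspx", PagePermission.Edit)); // role1 has no Edit row
        Console.WriteLine(IsAllowed(alice, "Admin.aspx", PagePermission.View));  // no row for this page
    }
}
```

Call a check like this on the server for every action, in addition to the web.config rules, since hiding a button or link does not stop a direct request.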
