ASP.NET Identity Architecture Getting Started Setting up ASP.NET Identity Customizing ASP.NET Identity models Add user Update user Delete user Change / Reset a user's password Password policy Username and email policy Login Remember me Get current logged in user id Logout Lockout a user account Lockout a user account after several failed login attempts Authorization Roles management Add role Update role Delete role Assign a user to a role Get a user's roles Role-based authorization
Role-based authorization in ASP.NET Identity

Introduction


We've seen in the Authorization section, how to restrict access to resources for non-authenticated users.

In this section, i'm going to show you how to restrict access to resources for authenticated users based on their roles.

Authorization


Let's suppose we have the following account controller : 

[Authorize]
public class AccountController : Controller
{
    public ActionResult EnableAccount(string userId)
    {
        // Implementation ...
        return View();
    }

    public ActionResult DisableAccount(string userId)
    {
        // Implementation ...
        return View();
    }
}

We've used the Authorize attribute on the controller to specify that access is restricted to authenticated users. This limitation is not enough in this use case because we don't want any user to be able to disable or enable user accounts. For example, only users that have an Admin role should have the right to access these features.

In order to do that, we can use the Roles property of the Authorize attribute : 

[Authorize(Roles = "Admin")]
public class AccountController : Controller
{
    public ActionResult EnableAccount(string userId)
    {
        // Implementation ...
        return View();
    }

    public ActionResult DisableAccount(string userId)
    {
        // Implementation ...
        return View();
    }
}

This way, only users who are members of the Admin role can have access to the account controller.

We can also specify multiple roles as a comma seperated list : 

[Authorize(Roles = "Admin, Manager")]
public class AccountController : Controller
{
    public ActionResult EnableAccount(string userId)
    {
        // Implementation ...
        return View();
    }

    public ActionResult DisableAccount(string userId)
    {
        // Implementation ...
        return View();
    }
}

This way, the account controller will only be accessible to users who are members of either the Admin role or the Manager role.

If you apply multiple Authorize attributes instead of the comma seperated list, then the users must be members of all roles in order to access the controller. 

[Authorize(Roles = "Admin")]
[Authorize(Roles = "Manager")]
public class AccountController : Controller
{
    public ActionResult EnableAccount(string userId)
    {
        // Implementation ...
        return View();
    }

    public ActionResult DisableAccount(string userId)
    {
        // Implementation ...
        return View();
    }
}

This way, the account controller will require users to be members of both the Admin role and the Manager role.



About

DotNet tutorials is a website for beginners and professionals of the .NET framework. This website contains articles and solutions for different technical problems.

Contacts

Phone: +33 675572397
Email: abdrahmanbayan@gmail.com
2020 © DotNet Tutorials By Abderrahmane BAYANE