ASP.NET Core Identity Role Based Authorization

Back to: ASP.NET Core Identity Tutorials

ASP.NET Core Identity Role-Based Authorization

In this article, I will discuss ASP.NET Core Identity Role-Based Authorization. Please read our previous article discussing How to Add or Remove Users from Roles in ASP.NET Core Identity. Authentication is the process of identifying who the user is. Authorization is the process of identifying what the user can and cannot do. Authentication and Authorization in ASP.NET Core is controlled through the Authorize Attribute.

Role-Based Authorization in ASP.NET Core

Role-based Authorization in ASP.NET Core Identity allows us to control access to different parts of our application based on the roles assigned to a user. It is useful for restricting access to certain functionalities only to users who have been granted specific roles. The following are the key concepts to implement Role-Based Authorization in ASP.NET Core Application:

Creating Roles:

In ASP.NET Core Identity, roles are typically defined as a set of named roles, such as Admin, User, Sales, Moderator, etc. These roles represent different levels of access or permissions within the application.

Roles can be defined in your application in various ways, such as through the database seeding process or an admin panel. We have already discussed creating roles using the Admin Panel using the RoleManager service. In our Roles Management article, we have also discussed how to Create, Update, and Delete Roles in ASP.NET Core Identity.

Assigning Roles to Users:

Users can be assigned to one or more roles. This assignment determines what resources, pages, or action methods the user can access. For example, an Admin might have access to all resources, pages, or action methods, whereas a User might have limited access.

Once roles are created, we can assign them to users. This is usually done when a user is created or through some form of user management or role management interface. We have already discussed assigning roles to users using the Admin Panel using the UserManager and RoleManager services. In our Role Membership article, we discussed how to add or Remove users from a given role using the ASP.NET Core Identity.

Using Role-Based Authorization in ASP.NET Core Web Application:

When a user tries to access a resource, ASP.NET Core Identity performs a role check. This is done using the Role-Based Authorization attributes. For example, the [Authorize(Roles = “Admin”)] attribute on a controller or action method ensures that only users with the Admin role can access that part of the application. You can specify multiple roles as a comma-separated list or apply multiple Authorize attributes to your controllers or action methods.

Example to Understand Role-Based Authorization in ASP.NET Core Identity:

Please make sure to have the following three roles in the AspNetRoles table.

Role-Based Authorization in ASP.NET Core

Our requirement is that users of the Admin role can access the actions in the AdministrationController. In that case, we need to decorate the AdministrationController with the Authorize attribute by specifying the Roles as Admin as follows:

[Authorize(Roles = "Admin")]
public class AdministrationController : Controller
{
}

Multiple Roles Example

Multiple roles can also be specified by separating them with a comma as follows. Here, you can see we have specified the Admin or Moderator roles using the Authorize Attribute. Now, the action methods of the Administration Controller are accessible only to those users who are members of either the Admin or Moderator role.

[Authorize(Roles = "Admin,Moderator")]
public class AdministrationController : Controller
{
}

Multiple Instances of Authorize Attribute

It is also possible to use the Authorize Attribute multiple times to specify different roles, as shown in the example below. In this case, users must be members of both the Admin and Moderator roles to access the actions in this controller.

[Authorize(Roles = "Admin")]
[Authorize(Roles = "Moderator")]
public class AdministrationController : Controller
{
}

Let us decorate the AdministrationController with the following attribute: We want it to be accessed by users with an Admin role. With the following Attribute in AdministrationController, only the users with Admin roles can access the action methods of the Administration Controller.

[Authorize(Roles = “Admin”)]

Role-Based Authorization Check on a Controller Action

For a better understanding, please modify the Home Controller as follows. Now, members of the Admin or Moderator roles can access the Privacy action method, but only members of the Admin role can access the SecureMethod. Anyone, including anonymous users, can access the action Index and NonSecureMethod, as these two methods are decorated with the AllowAnonymous attribute.

using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;

namespace ASPNETCoreIdentityDemo.Controllers
{
    [Authorize(Roles = "Admin,Moderator")]
    public class HomeController : Controller
    {
        [AllowAnonymous]
        public IActionResult Index()
        {
            return View();
        }

        [Authorize(Roles = "Admin")]
        public IActionResult SecureMethod()
        {
            return View();
        }

        public IActionResult Privacy()
        {
            return View();
        }

        [AllowAnonymous]
        public IActionResult NonSecureMethod()
        {
            return View();
        }
    }
}

With the above changes, run the application and test the functionality, and it should work as expected.

When Would We Use ASP.NET Core Identity Role-Based Authorization?

The following are some scenarios where role-based authorization is useful:

Access Control Management: When your application has distinct user roles (like Admin, User, Editor, Moderator, etc.), and each role has specific permissions or access levels. For example, Admins can access and modify all data, Editors can only modify content, and Users can only view content.
Simplifying Code for Permission Checks: Role-based authorization simplifies the code by allowing you to annotate controllers or actions with roles. This is easier to manage compared to having complex if-else statements throughout your code to check for permissions.
Security Compliance: To comply with security standards and regulations that require strict access control measures. Role-based authorization helps ensure that only authorized personnel can access sensitive information or perform critical operations.
Complex Business Logic: When different user roles are associated with distinct permissions and responsibilities. For example, in an e-commerce application, you might have roles like Admin, Seller, and Buyer, each with specific permissions and access requirements.

In the next article, I will discuss How to Show or Hide Navigation Menus Based on User Roles in ASP.NET Core Identity. In this article, I explain ASP.NET Core Identity Role-Based Authorization. I hope you enjoy this article, ASP.NET Core Identity Role Based Authorization.

Dot Net Tutorials

About the Author: Pranaya Rout

Pranaya Rout has published more than 3,000 articles in his 11-year career. Pranaya Rout has very good experience with Microsoft Technologies, Including C#, VB, ASP.NET MVC, ASP.NET Web API, EF, EF Core, ADO.NET, LINQ, SQL Server, MYSQL, Oracle, ASP.NET Core, Cloud Computing, Microservices, Design Patterns and still learning new technologies.