Role-Based Authorization in ASP.NET Identity


In this article, I am going to discuss Role-Based Authorization in ASP.NET Identity with Examples. Kindly take a look at our previous article, where we discussed How to Get User Roles in ASP.NET Identity.

Role-Based Authorization in ASP.NET Identity

We have seen in the Authorization Article how to restrict access to resources for non-authenticated users using the Authorize Attribute. In this article, I am going to discuss how to restrict access to resources for authenticated users based on their roles.

Let us understand the need for Role-Based Authorization in ASP.NET MVC applications with an example. Suppose we have the following User Controller with three action methods, and we have decorated the controller with the Authorize attribute. That means only authenticated users can access these action methods (resources); nothing yet distinguishes one authenticated user from another.

using System.Web.Mvc;
namespace AspNetIdentityWithNewProject.Controllers
{
    //Only Authenticated Users Can Access the Action Methods
    [Authorize]
    public class UserController : Controller
    {
        public ActionResult SomeActionMethod1()
        {
            // Implementation ... 
            return View();
        }
        
        public ActionResult EnableUserAccount(string userId)
        {
            // Implementation ... 
            return View();
        }
        
        public ActionResult DisableUserAccount(string userId)
        {
            // Implementation ... 
            return View();
        }
    }
}

We have used the Authorize attribute on the controller to specify that access is restricted to authenticated users. This limitation is not enough in this use case because we don't want every signed-in user to be able to enable or disable user accounts. For example, only users in the Admin role should have the right to access the EnableUserAccount and DisableUserAccount action methods. To do that, we can use the Roles property of the Authorize attribute as follows.

using System.Web.Mvc;
namespace AspNetIdentityWithNewProject.Controllers
{
    public class UserController : Controller
    {
        [Authorize]
        public ActionResult SomeActionMethod1()
        {
            // Implementation ... 
            return View();
        }

        [Authorize(Roles = "Admin")]
        public ActionResult EnableUserAccount(string userId)
        {
            // Implementation ... 
            return View();
        }

        [Authorize(Roles = "Admin")]
        public ActionResult DisableUserAccount(string userId)
        {
            // Implementation ... 
            return View();
        }
    }
}

With the above changes in place, only authenticated users in the Admin role can access the EnableUserAccount and DisableUserAccount action methods, while any authenticated user can still access SomeActionMethod1. If you want only users in the Admin role to access the whole User Controller, apply the Roles property of the Authorize attribute at the controller level as follows.
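One practical caveat when applying Roles this way: the stock Authorize attribute answers every failure with a 401, and with cookie authentication a 401 is turned into a redirect to the login page. A user who is signed in but simply not in the Admin role is therefore sent back to the login form, which hides the real reason from the user and from whoever reads the logs. The following attribute is an added example (not part of the article's own code) that keeps the standard role check but returns 403 Forbidden for an authenticated user who lacks the role, and writes a trace entry so the denial is visible. The RoleAuthorizeAttribute and Filters namespace names are assumptions made for this illustration.

```csharp
using System.Diagnostics;
using System.Net;
using System.Web.Mvc;

namespace AspNetIdentityWithNewProject.Filters
{
    // Hypothetical attribute: same authorization logic as [Authorize(Roles = "...")],
    // only the handling of a failed check differs.
    public class RoleAuthorizeAttribute : AuthorizeAttribute
    {
        protected override void HandleUnauthorizedRequest(AuthorizationContext filterContext)
        {
            var user = filterContext.HttpContext.User;
            bool signedIn = user != null && user.Identity != null && user.Identity.IsAuthenticated;

            if (!signedIn)
            {
                // Not authenticated: keep the default 401 so the login redirect still happens.
                base.HandleUnauthorizedRequest(filterContext);
                return;
            }

            // Authenticated but not in a required role: this is a genuine authorization
            // failure, so answer 403 instead of bouncing the user to the login page.
            Trace.TraceWarning(
                "Role check failed: user '{0}' requested {1}/{2} (required roles: '{3}')",
                user.Identity.Name,
                filterContext.ActionDescriptor.ControllerDescriptor.ControllerName,
                filterContext.ActionDescriptor.ActionName,
                Roles);

            filterContext.Result = new HttpStatusCodeResult(
                HttpStatusCode.Forbidden,
                "You do not have the required role to access this resource.");
        }
    }
}

namespace AspNetIdentityWithNewProject.Controllers
{
    using AspNetIdentityWithNewProject.Filters;

    // Usage: a drop-in replacement for [Authorize(Roles = "Admin")] on the
    // account-management actions from the article.
    public class UserController : Controller
    {
        [Authorize]
        public ActionResult SomeActionMethod1()
        {
            return View();
        }

        [RoleAuthorize(Roles = "Admin")]
        public ActionResult EnableUserAccount(string userId)
        {
            return View();
        }

        [RoleAuthorize(Roles = "Admin")]
        public ActionResult DisableUserAccount(string userId)
        {
            return View();
        }
    }
}
```

The role check itself is unchanged because AuthorizeCore is inherited as-is; only HandleUnauthorizedRequest is overridden. A 403 for a signed-in user is also the status a reviewer of the logs would expect for a privilege boundary, whereas a string of 401s from an already logged-in account looks like a broken session rather than an access-control decision.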

using System.Web.Mvc;
namespace AspNetIdentityWithNewProject.Controllers
{
    [Authorize(Roles = "Admin")]
    public class UserController : Controller
    {
        public ActionResult SomeActionMethod1()
        {
            // Implementation ... 
            return View();
        }
        
        public ActionResult EnableUserAccount(string userId)
        {
            // Implementation ... 
            return View();
        }
        
        public ActionResult DisableUserAccount(string userId)
        {
            // Implementation ... 
            return View();
        }
    }
}

It is also possible to specify multiple roles as a comma-separated list. For example, if users in either the Admin role or the SuperAdmin role should be able to access the User Controller, we specify both roles separated by a comma as follows.

using System.Web.Mvc;
namespace AspNetIdentityWithNewProject.Controllers
{
    [Authorize(Roles = "Admin, SuperAdmin")]
    public class UserController : Controller
    {
        public ActionResult SomeActionMethod1()
        {
            // Implementation ... 
            return View();
        }
        
        public ActionResult EnableUserAccount(string userId)
        {
            // Implementation ... 
            return View();
        }
        
        public ActionResult DisableUserAccount(string userId)
        {
            // Implementation ... 
            return View();
        }
    }
}

So, in this way, the User controller will only be accessible to users who are members of either the Admin role or the SuperAdmin role.

If you apply multiple Authorize attributes instead of the comma-separated list, the user must be a member of all of the roles to access the controller, because each attribute is evaluated independently and every one of them must succeed. For example, the user must be assigned both the Admin and SuperAdmin roles to access the following User Controller methods.

using System.Web.Mvc;
namespace AspNetIdentityWithNewProject.Controllers
{
    [Authorize(Roles = "Admin")]
    [Authorize(Roles = "SuperAdmin")]
    public class UserController : Controller
    {
        public ActionResult SomeActionMethod1()
        {
            // Implementation ... 
            return View();
        }
        
        public ActionResult EnableUserAccount(string userId)
        {
            // Implementation ... 
            return View();
        }
        
        public ActionResult DisableUserAccount(string userId)
        {
            // Implementation ... 
            return View();
        }
    }
}

In this way, the User controller will require users to be members of both the Admin and SuperAdmin roles. In this article, I have tried to explain Role-Based Authorization in ASP.NET Identity with examples. I hope you enjoy this Role-Based Authorization in ASP.NET Identity article.
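The difference between the comma-separated list (any listed role passes) and stacked attributes (every attribute must pass) is easy to get backwards, and getting it backwards widens access rather than narrowing it. The following console program is an added example, not code from the article, that evaluates the real System.Web.Mvc.AuthorizeAttribute against a handful of constructed principals so the two semantics can be checked directly. It subclasses the attribute only to expose the protected AuthorizeCore method, and uses a minimal HttpContextBase stub because AuthorizeCore reads nothing but the User property; the TestableAuthorize, StubHttpContext and RoleSemanticsDemo names and the sample users are assumptions made for this illustration.

```csharp
using System;
using System.Security.Principal;
using System.Web;
using System.Web.Mvc;

namespace AspNetIdentityWithNewProject.Tests
{
    // Exposes AuthorizeCore so the attribute's user/role logic can be run
    // outside of a request pipeline. No behaviour is changed.
    class TestableAuthorize : AuthorizeAttribute
    {
        public bool Evaluate(HttpContextBase ctx)
        {
            return AuthorizeCore(ctx);
        }
    }

    // Minimal stub: AuthorizeCore only touches httpContext.User.
    class StubHttpContext : HttpContextBase
    {
        private IPrincipal _user;

        public StubHttpContext(IPrincipal user)
        {
            _user = user;
        }

        public override IPrincipal User
        {
            get { return _user; }
            set { _user = value; }
        }
    }

    static class RoleSemanticsDemo
    {
        // Constructed sample principal with the given role memberships.
        static HttpContextBase UserWithRoles(string name, params string[] roles)
        {
            return new StubHttpContext(new GenericPrincipal(new GenericIdentity(name), roles));
        }

        // GenericIdentity with an empty name reports IsAuthenticated == false.
        static HttpContextBase Anonymous()
        {
            return new StubHttpContext(new GenericPrincipal(new GenericIdentity(string.Empty), new string[0]));
        }

        public static void Main()
        {
            // Comma-separated list: membership in ANY listed role is sufficient.
            var eitherRole = new TestableAuthorize { Roles = "Admin, SuperAdmin" };

            // Stacked attributes: each is evaluated on its own, so BOTH must pass.
            var adminOnly = new TestableAuthorize { Roles = "Admin" };
            var superAdminOnly = new TestableAuthorize { Roles = "SuperAdmin" };

            var cases = new[]
            {
                new { Label = "anonymous",                Ctx = Anonymous() },
                new { Label = "alice (Admin)",            Ctx = UserWithRoles("alice", "Admin") },
                new { Label = "bob (SuperAdmin)",         Ctx = UserWithRoles("bob", "SuperAdmin") },
                new { Label = "carol (Admin, SuperAdmin)", Ctx = UserWithRoles("carol", "Admin", "SuperAdmin") },
                new { Label = "dave (User)",              Ctx = UserWithRoles("dave", "User") },
            };

            Console.WriteLine("{0,-28} {1,-12} {2}", "principal", "comma-list", "stacked");
            foreach (var c in cases)
            {
                bool anyRole = eitherRole.Evaluate(c.Ctx);
                bool allRoles = adminOnly.Evaluate(c.Ctx) && superAdminOnly.Evaluate(c.Ctx);
                Console.WriteLine("{0,-28} {1,-12} {2}", c.Label, anyRole, allRoles);
            }
        }
    }
}
```

Running this against the constructed users shows that the comma-separated form admits anyone holding at least one of the two roles, while the stacked form admits only the user who holds both; the anonymous and User-only principals are rejected by both. With ASP.NET Identity in a real application the principal is a ClaimsPrincipal built from the authentication cookie, so IsInRole consults the role claims issued at sign-in rather than the database on every request; the evaluation logic above is the same either way.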
