Custom Role Provider for MVC

In previous article I explain how to create Custom Membership Provider to authorize user and protect controls and pages. But what if you want to show or protect some area, controller or page for specific group of users? For example allow access to Admin Panel only for admins.

In .Net Framework for this purpose is Role Provider. But again, it uses own DB for store user roles. So let's create and configure Custom Role Provider which will use our DB or any other storage. As before we should overwrite class from .NET:

For the minimum functionality we need implement and overwrite two functions GetRolesForUser and IsUserInRole. First one is used to gel list of all user roles (or groups):

public override string[] GetRolesForUser(string username)
        {
            using (DatabaseEntities db = new DatabaseEntities())
            {
                User user = db.Users.FirstOrDefault(u => u.UserName.Equals(username, StringComparison.CurrentCultureIgnoreCase) || u.Email.Equals(username, StringComparison.CurrentCultureIgnoreCase));

                var roles = from ur in user.UserRoles
                            from r in db.Roles
                            where ur.RoleId == r.Id
                            select r.Name;
                if (roles != null)
                    return roles.ToArray();
                else
                    return new string[] {}; ;
            }
        }

As you can see I locate user in my DB by username parameter of the function (in my case it’s can be user name or email) and create the string list of user roles.

Second function is to check if user in the role (or group):

public override bool IsUserInRole(string username, string roleName)
        {
            using (DatabaseEntities db = new DatabaseEntities())
            {
                User user = db.Users.FirstOrDefault(u => u.UserName.Equals(username, StringComparison.CurrentCultureIgnoreCase) || u.Email.Equals(username, StringComparison.CurrentCultureIgnoreCase));

                var roles = from ur in user.UserRoles
                            from r in db.Roles
                            where ur.RoleId == r.Id
                            select r.Name;
                if (user != null)
                    return roles.Any(r => r.Equals(roleName, StringComparison.CurrentCultureIgnoreCase));
                else
                    return false;
            }
        }

Then we need to configure in web.config file solution to use created role provider:

<system.web>
    ...
    <rolemanager cacherolesincookie="true" defaultprovider="KitsulaRoleProvider" enabled="true">
        <providers>
            <clear />
            <add name="KitsulaRoleProvider" type="Kitsula.Security.KitsulaRoleProvider" />
        </providers>
    </rolemanager>
    ...
   </system.web>

Now you can protect controllers, actions, pages for specific group of user which are in specified roles by set Authorize attribute:

using System;
using System.Web.Mvc;

namespace Kitsula.Areas.Admin.Controllers
{
    [Authorize(Roles = "Administrators")]
    public class HomeController : Controller
    {
        //
        // GET: /Admin/Home/

        public ActionResult Index()
        {
            return View();
        }

    }
}

Tags: ASP .NET, MVC, web.config, .Net Authorization

Nov 7, 2010

Comments

Rich

01 April 2012 | 22:56 -05:00

I've done a lot of searching for a great simple example of a custom role provider. This is perfect. Thanks!

Scorpion

17 April 2012 | 08:45 +07:00

Thank for your share!

greg

25 April 2012 | 22:23 -04:00

For IsUserInRole(), since you've implemented GetRolesForUser() already, you can simply use the one line:

return this.GetRolesForUser(username).Contains(roleName);

Igor

25 April 2012 | 22:40 -04:00

Good advice, Greg.

Thank you.

Jeff

28 June 2012 | 18:58 -05:00

This was really helpful for me in a recent project. Thanks for posting!

ripu

16 August 2012 | 17:46 +05:45

could you please send this solution in zip file

David

24 August 2012 | 15:29 -04:00

Why implement this yourself? Why not use NetSqlAzMan? I hear it is really good.

fgfgf

21 December 2013 | 13:08 +05:30

Thanks

Kay

29 January 2014 | 14:16 -06:00

I get the configuration error with <add name = "Kitsularoleprovider" type

<rolemanager cacherolesincookie="true" defaultprovider="KitsulaRoleProvider" enabled="true">

<providers>

<clear />

<add name="KitsulaRoleProvider" type="Kitsula.Security.KitsulaRoleProvider" />

</providers>

</rolemanager>

Brandon

06 February 2014 | 09:46 -06:00

Kay, try camel-casing the values (they're pasted here all lower-case)

Mehdi

07 February 2014 | 01:28 +05:00

Thanks, but please can you tell how do I implement dynamic custom roles instead of hardcoding them on the controller?

You have hardcoded the role "Administrator". But in my case the roles are defined in the database and accessibility level is also defined in the database.

For example, in your case the HomeController : Controller has the role defined Administrator. If tomorrow I have another role Manager and it also needs the access to HomeController : Controller , how could this be achieved without modifying the code??

I know I can implement customer Authorize Attribute and overload the AuthorizeCore. But can this be achieved with custom role provider??

Thanks!

Igor Kitsula

06 February 2014 | 16:04 -05:00

Mehdi,

Authorize attribute parameters/values has to be compile ready. You can override behavior of this attribute, but it will not resolve your problem. Standard .NET authorization supports only 2 layers authorization: users and roles. What you are asking is third layer - group of roles or group of actions. This behavior supported by NetSqlAzMan out of the box, or you can implement it by yourself. I can give you an idea: assign for every action its own name (by this every action will have its own role name), then link all desired "action roles" into "user role" and finally assign(link) "user roles" to users (or vice versa)

andy

17 August 2014 | 16:39 +01:00

Great turorial, but how do you popluated these tables now? I have a view where i create a user and his/her role but not sure how to entery intop database? Ihave three tables, user, userInRole and userRoles.... Any help would be appriciated

maddy

18 March 2015 | 12:15 +05:30

there are other exmaples on mvc4all.com

Prashant J

09 June 2015 | 15:21 +05:30

Great example help me a lottttttt

Thanx 4 sharing......

Deepthi G

27 August 2015 | 15:18 -05:00

It is very Clear. Thanks!

Can i use it for windows authentication too?

Igor

29 August 2015 | 21:55 -04:00

I'm sure you can.

imi Khan

03 October 2015 | 02:14 +05:00

this is great.. and simple.. thanx man!

luis

20 January 2016 | 13:22 +00:00

How I can use Active Directory Authentication and SQL Role Manager?

Bhanu

27 January 2016 | 14:39 -06:00

Thank you for your post. Precisely what i was looking for.

Iman Sobhaniyan

31 January 2015 | 13:57 +03:30

Thank you for your Post. It is perfect.

09 March 2016 | 15:09 -05:00

A lifesaver!

Mehdi

18 April 2016 | 21:46 +04:30

How to show and hide part of view pages

Rich

20 May 2016 | 09:50 -04:00

This was really helpfu.

Nas

30 November 2016 | 12:06 +00:00

Its an awesome article.

Madhava

23 December 2016 | 19:38 +05:30

Dear Igor,

Kindly clear my issue. I have an actionmethod with authorized role say "Administartor". Now I want to call IsUserInRole(). This method takes userId and role name. I'll able to get userId but how can i get Role to pass to IsUserInRole.

Regards

Madhava Reddy

Igor

23 December 2016 | 12:23 -05:00

Hi Madhava,

Role(s) will be taken from Authorize attribute. In you case, please try [Authorize(Roles = "Administrator")]

If you want to get user's roles in code use Roles.GetRolesForUser() (System.Web.Security namespace) - for current user, or Roles.GetRolesForUser(String) if not targeting the currently logged in user.

Regards,
Igor

Ronny

01 March 2017 | 14:19 +02:00

Hi, I tried using this code but I am getting an error that reads "Could not load type 'Kitsula.Security.KitsulaRoleProvider'." when trying to rebuild my project

Igor

01 March 2017 | 09:09 -05:00

Make sure that namespace in config file and in your class with role provider implementation is the same.

Peter

10 August 2018 | 10:19 +10:00

Thank you very much for the excellent article Igor. Very very helpful.

I notice when I implemented in Visual Studio 2015 i got a message 'The element System.Web has invalid child element rolemanager'. It needs capitalisation:

Dwayne B

16 October 2018 | 08:35 -05:00

Awesome, it would be cool if you would have links to the "previous" and "next" articles in the chain. Great job.

mno

22 January 2019 | 10:23 +08:00

Thanks for sharing! It is still useful after NINE years.

Zaf

13 January 2020 | 09:51 +03:00

thnk u save my life after 5 hours

hamedsa

06 February 2022 | 15:38 +03:30

I have done All the work u said in this article right. but in my case after annotating a controller to athorize a defined role that is in my user dafiend database i get access denied . in my case i have a table for roles and role name is defined as roleName and my roles are defrent from administrator.

Igor Kitsula - Developer

A Programmer Reference

Custom Role Provider for MVC

Comments

Join the discussion