20

I'm interested in knowing what the best practices are for using role-based security in MVC:
how to secure your actions and make them accessible only to specific roles?

1 Answer

24

If you set up your ASP.Net membership provider correctly, you can easily use the [Authorize] attribute to specify access for different roles or users.

To require users to login, use:

[Authorize]
public class SomeController : Controller

// Or
[Authorize]
public ActionResult SomeAction()

To restrict access for specific roles, use:

[Authorize(Roles = "Admin, User")]
public class SomeController : Controller

// Or
[Authorize(Roles = "Admin, User")]
public ActionResult SomeAction()

And to restrict access for specific users, use:

[Authorize(Users = "Charles, Linus")]
public class SomeController : Controller

// Or
[Authorize(Users = "Charles, Linus")]
public ActionResult SomeAction()

3 Comments

What if you wish your roles/permissions to be dynamic in the DB?
@JoePhilllips Create a custom attribute, and onAuthorize handler.
I like the Authorize method decoration. Here's a follow up question: if we have an active directory group created to deal with exceptions to the rule.. e.g. a group named "MyApp_AccessDenied" .. is there a way to use that.. i.e. a negative version of the Authorize decoration... like a DenyAuthorize decoration?
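The following is an added example (not code from the answer above or from ASP.NET MVC itself) that puts the attribute usage from the answer into one controller and then follows the comment suggesting a custom attribute for the two follow-up questions: permissions kept in a database, and a "negative" authorize for a deny group. It targets ASP.NET MVC 5 (System.Web.Mvc). `IPermissionStore`, `RequirePermissionAttribute`, `DenyRolesAttribute` and the controller are assumed names invented for the example; `AuthorizeAttribute`, `AuthorizeCore`, `HandleUnauthorizedRequest`, `AllowAnonymous` and `DependencyResolver` are the framework's own.

```csharp
using System;
using System.Linq;
using System.Net;
using System.Web;
using System.Web.Mvc;

// Class-level [Authorize] makes "authenticated" the default; actions then narrow
// (Roles) or explicitly open ([AllowAnonymous]) access. Denying by default means a
// newly added action is never accidentally public.
[Authorize]
public class ReportsController : Controller
{
    // Any authenticated user.
    public ActionResult Index() { return View(); }

    // Only members of Admin or Auditor; IsInRole is answered by the configured RoleProvider.
    [Authorize(Roles = "Admin, Auditor")]
    public ActionResult Export() { return View(); }

    // Database-backed permission check via the custom attribute defined below (assumed name).
    [RequirePermission("reports.delete")]
    public ActionResult Delete(int id) { return RedirectToAction("Index"); }

    // "Negative" authorize for an exception group, e.g. an AD group of blocked users (assumed name).
    [DenyRoles("MyApp_AccessDenied")]
    public ActionResult Dashboard() { return View(); }

    // Explicitly public, overriding the class-level requirement.
    [AllowAnonymous]
    public ActionResult Status() { return Content("ok"); }
}

// Hypothetical abstraction over a permissions table; the real lookup lives in the application.
public interface IPermissionStore
{
    bool UserHasPermission(string userName, string permission);
}

// Permission name is resolved against the store at request time, so changing the
// database changes access without a redeploy.
[AttributeUsage(AttributeTargets.Class | AttributeTargets.Method, AllowMultiple = true)]
public sealed class RequirePermissionAttribute : AuthorizeAttribute
{
    private readonly string _permission;

    public RequirePermissionAttribute(string permission) { _permission = permission; }

    protected override bool AuthorizeCore(HttpContextBase httpContext)
    {
        // Keep the base checks (authenticated, plus Users/Roles if they were set),
        // then add the database lookup. Overriding AuthorizeCore rather than
        // OnAuthorization keeps the framework's output-cache validation in place.
        if (!base.AuthorizeCore(httpContext)) return false;

        var store = DependencyResolver.Current.GetService<IPermissionStore>();
        return store != null
            && store.UserHasPermission(httpContext.User.Identity.Name, _permission);
    }

    protected override void HandleUnauthorizedRequest(AuthorizationContext filterContext)
    {
        // An authenticated user who lacks the permission gets 403; redirecting them to the
        // login page (the default) would loop. Anonymous users still get the login redirect.
        if (filterContext.HttpContext.User.Identity.IsAuthenticated)
            filterContext.Result = new HttpStatusCodeResult(HttpStatusCode.Forbidden);
        else
            base.HandleUnauthorizedRequest(filterContext);
    }
}

// Refuses members of any listed role. Combined with [Authorize] on the class, both
// filters must pass, so the deny list is applied on top of the normal requirements.
[AttributeUsage(AttributeTargets.Class | AttributeTargets.Method, AllowMultiple = true)]
public sealed class DenyRolesAttribute : AuthorizeAttribute
{
    private readonly string[] _deniedRoles;

    public DenyRolesAttribute(string roles)
    {
        // Same comma-separated convention as Authorize(Roles = "...").
        _deniedRoles = roles.Split(',')
            .Select(r => r.Trim())
            .Where(r => r.Length > 0)
            .ToArray();
    }

    protected override bool AuthorizeCore(HttpContextBase httpContext)
    {
        var user = httpContext.User;
        if (user == null || !user.Identity.IsAuthenticated) return false;
        return !_deniedRoles.Any(user.IsInRole);
    }

    protected override void HandleUnauthorizedRequest(AuthorizationContext filterContext)
    {
        if (filterContext.HttpContext.User.Identity.IsAuthenticated)
            filterContext.Result = new HttpStatusCodeResult(HttpStatusCode.Forbidden);
        else
            base.HandleUnauthorizedRequest(filterContext);
    }
}
```

Two points worth checking in a real application: register the `IPermissionStore` implementation with `DependencyResolver` (or construct it directly inside the attribute) so the lookup is never silently skipped, and keep the class-level `[Authorize]` in place when adding `[DenyRoles]`, since the deny attribute on its own only refuses listed roles and does not grant anything.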
