System.Web.Security.Roles Class

Manages user membership in roles for authorization checking in an ASP.NET application. This class cannot be inherited.

See Also: Roles Members


public static class Roles


ASP.NET role management enables you to manage authorization for your application based on groups of users, referred to as roles. By assigning users to roles, you can control access to different parts or features of your Web application based on role instead of, or in addition to, specifying authorization based on user name. For example, an employee application might have roles such as Managers, Employees, Directors, and so on, where different privileges are specified for each role.

Users can belong to more than one role. For example, if your site is a discussion forum, some users might be in the role of both Members and Moderators. You might define each role to have different privileges on the site, and a user who is in both roles would then have both sets of privileges.

To enable role management for your ASP.NET application, use the roleManager element of the system.web section in the Web.config file for your application, as shown in the following example.


    <add name="SqlServices" connectionString="Data Source=localhost;Initial Catalog=aspnetdb;Integrated Security=SSPI;" />

    <authentication mode="Forms" >
      <forms loginUrl="login.aspx"
      name=".ASPXFORMSAUTH" />

  <roleManager defaultProvider="SqlProvider" 
    cookieProtection="All" >
        applicationName="SampleApplication" />

You can specify authorization rules in the configuration file for your Web application or programmatically in your code. For example, the following authorization section from a Web.config file requires users to log on (by denying anonymous users), and then allows only users in the Administrators role to have access.


  <deny users="?" />
  <allow roles="Administrators" />
  <deny users="*" />

If you use the authorization section in your application's Web.config file to specify authorization based on roles, users of your application must supply an authenticated user identity. You can authenticate users by using either Windows or Forms authentication. Anonymous users cannot be assigned to a role. Roles can be used independently of, or in conjunction with, the ASP.NET System.Web.Security.Membership classes.

To verify role membership programmatically, you can use the System.Web.Security.Roles class or the System.Web.UI.Page.User property with the Roles.IsUserInRole(string) method, or you can use the System.Web.UI.Page.User property with the System.Security.Principal.IPrincipal.IsInRole(string) method. For sample code that programmatically checks role membership, see the Example section in this topic.

The System.Web.Security.Roles class also enables you to create and delete roles and to add users to or remove users from roles.


If you have configured your application to use the System.Web.Security.WindowsTokenRoleProvider class, you cannot modify roles or role membership. The System.Web.Security.WindowsTokenRoleProvider class verifies membership in Windows security groups only. In this case, you must use Windows user account management rather than ASP.NET roles to create and delete groups and manage group membership.

You can store role information in several data sources.

If a user's browser accepts cookies, you can store role information for that user in a cookie on the user's computer. On each page request, ASP.NET reads the role information for that user from the cookie. This can improve application performance by reducing the amount of communication required with the data source to retrieve role information. If the role information for a user is too long to store in a cookie, ASP.NET stores just the most recently used role information in the cookie and then looks up additional role information in the data source as required. If the user's browser does not support cookies or cookies are disabled, role information is not cached in a cookie.

You can improve the reliability of the role names cached in a cookie by specifying a Roles.CookieProtectionValue property when you configure ASP.NET roles. The default Roles.CookieProtectionValue is All, which encrypts role names in the cookie and validates that the cookie contents have not been altered.


Namespace: System.Web.Security
Assembly: System.Web (in System.Web.dll)
Assembly Versions:
Since: .NET 2.0