Creating and enabling a role

ASP.NET version 2.0 provides a new role manager feature that includes a roles management API that allows you to create and delete roles and assign and remove users from roles. The role manager stores its data in an underlying data store that it accesses through an appropriate role provider for that data store.

The main benefits of using role manager are that it allows you to look up users' roles without writing and maintaining code. Additionally, the role providers offer a consistent way for you to check the role membership of your users, regardless of the underlying data store. Therefore, if your role store were to change tomorrow, you would only need to change the configuration settings to make your code work.

Supplied role providers include:

  • SqlRoleProvider. This is used where the role store is kept in SQL Server.
  • WindowsTokenRoleProvider. This is a read-only provider that retrieves role information for a Windows user account based on the account's Windows security group membership. You cannot create, add to, or delete roles with this provider.
  • AuthorizationStoreRoleProvider. This is used if your application uses Authorization Manager (AzMan). It uses an AzMan policy store in an XML file, in Active Directory, or in Active Directory Application Mode (ADAM) as its role store. It is typically used in an intranet or extranet scenario where Windows authentication and Active Directory are used for authentication.

To perform role management, your ASP.NET application must be able to identify and authenticate its users in some way. For example, it might use Windows authentication or Forms authentication.

This How To shows you how to set up and configure a role store and a role provider and use role-based authorization in your ASP.NET applications. Additionally, it demonstrates some of the basic roles API calls available to work with roles programmatically.

Summary of Steps

Step 1. Configure your role store.
Step 2. Configure your role provider in Web.config.
Step 3. Create and assign roles.
Step 4. Perform role-based authorization.

Configure your role store.
Using SqlRoleProvider
If you want to store roles in SQL Server, you use the SqlRoleProvider. By default, roles are stored in a database named Aspnetdb in a SQL Express database instance in the \app_data folder beneath your application's virtual directory root folder. You can also configure the SqlRoleProvider to use a local or remote instance of SQL Server.

To use a SQL Express database role store in the Website \app_data folder

You do not have to create or configure this database. The first time you perform an operation that uses the role management API, ASP.NET automatically creates a database named Aspnetdb, configures it, and sets appropriate permissions on it.

ASP.NET configures the SQL Express database with a database login for the default accounts used to run ASP.NET applications (Network Service on Windows Server 2003 and ASPNET on Windows 2000) and grants them full access to the Aspnetdb database.

If you have configured ASP.NET to run using a custom service account, you must create a SQL login for that account, and add the login to the aspnet_Roles_FullAccess role in the Aspnetdb database.

Configure your role provider in Web.config.
Using SqlRoleProvider
To use the role store in the default SQL Express instance in a database in your Web site's \app_data folder, add the following configuration to your application's Web.config file.


This configuration enables role management and causes your application to use the default provider named AspNetSqlRoleProvider defined in the Machine.config file. This uses the local SQL Express instance.

To use a role store in SQL Server, add a connection string to point to your role database and add a role provider definition in the Web.config file, as shown here.

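    <!-- connectionStrings goes under <configuration>, roleManager under <system.web>; "RoleStoreConnection" and "SqlRoleStore" are placeholder names -->
    <connectionStrings>
      <add name="RoleStoreConnection" connectionString="Data Source=sqlinstance;Initial Catalog=aspnetdb;Integrated Security=SSPI;" />
    </connectionStrings>
    <roleManager enabled="true" defaultProvider="SqlRoleStore">
      <providers>
        <add name="SqlRoleStore" type="System.Web.Security.SqlRoleProvider"
             connectionStringName="RoleStoreConnection" applicationName="MyApplication" />
      </providers>
    </roleManager>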

Create and Assign Roles
In this step, you create roles for your application and assign users to those roles. There are several methods you can use to create and assign roles. Which one you use depends on how your application authenticates its users and which role provider it uses. The methods for creating roles and assigning users to them include:

  • At development time, you can use the ASP.NET configuration tool.
  • If you are using the AuthorizationStoreRoleProvider, you can use the AzMan administrator Microsoft Management Console (MMC) snap-in.
  • You can create roles programmatically by using either the role management APIs or, if you are using the SqlRoleProvider, by executing SQL scripts to add them to the database directly.
  • If you are using the WindowsTokenRoleProvider, you use the Windows Computer Management tool or Active Directory Users and Computers to create Windows groups which are used as roles.
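
The programmatic option, as an added example that is not code from the original page: a helper that creates roles and assigns a user through the role management API, refusing to run against the read-only WindowsTokenRoleProvider. The class name RoleSeeder, the role names and the user name are assumptions, and the code must run inside an ASP.NET application that has role manager enabled in Web.config.

```csharp
using System;
using System.Collections.Generic;
using System.Configuration.Provider;
using System.Web.Security;

// Added example: idempotent role setup through the role management API.
// "RoleSeeder", the role names and the user name are hypothetical.
public static class RoleSeeder
{
    // Creates each missing role and returns the names that were created.
    public static IList<string> EnsureRoles(params string[] roleNames)
    {
        if (!Roles.Enabled)
            throw new InvalidOperationException("Role manager is not enabled in Web.config.");

        // WindowsTokenRoleProvider is read-only: its roles are Windows groups
        // and must be managed with Windows tools, not through this API.
        if (Roles.Provider is WindowsTokenRoleProvider)
            throw new ProviderException("The configured role provider is read-only.");

        List<string> created = new List<string>();
        foreach (string name in roleNames)
        {
            // The API rejects empty names and names containing a comma.
            if (string.IsNullOrEmpty(name) || name.Contains(","))
                throw new ArgumentException("Invalid role name: " + name);

            if (!Roles.RoleExists(name))
            {
                Roles.CreateRole(name);
                created.Add(name);
            }
        }
        return created;
    }

    // Adds the user to the role unless already a member; returns true if added.
    public static bool EnsureUserInRole(string userName, string roleName)
    {
        if (Roles.IsUserInRole(userName, roleName))
            return false;
        Roles.AddUserToRole(userName, roleName);
        return true;
    }
}

// Typical call, for example from Application_Start in Global.asax:
//   RoleSeeder.EnsureRoles("Managers", "Employees");
//   RoleSeeder.EnsureUserInRole("alice", "Managers");
```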

