ASP.NET role management enables you to manage authorization for your application based on groups of users, referred to as roles. By assigning users to roles, you can control access to different parts or features of your Web application based on role instead of, or in addition to, specifying authorization based on user name. For example, an employee application might have roles such as Managers, Employees, Directors, and so on, where different privileges are specified for each role.

Users can belong to more than one role. For example, if your site is a discussion forum, some users might be in the role of both Members and Moderators. You might define each role to have different privileges on the site, and a user who is in both roles would then have both sets of privileges.

To enable role management for your ASP.NET application, use the roleManager element of the system.web section in the Web.config file for your application, as shown in the following example.

<configuration>
  <connectionStrings>
    <add name="SqlServices" connectionString="Data Source=localhost;Initial Catalog=aspnetdb;Integrated Security=SSPI;" />
  </connectionStrings>

  <system.web>
    <authentication mode="Forms" >
      <forms loginUrl="login.aspx"
      name=".ASPXFORMSAUTH" />
    </authentication>

  <roleManager defaultProvider="SqlProvider" 
    enabled="true"
    cacheRolesInCookie="true"
    cookieName=".ASPROLES"
    cookieTimeout="30"
    cookiePath="/"
    cookieRequireSSL="false"
    cookieSlidingExpiration="true"
    cookieProtection="All" >
    <providers>
      <add
        name="SqlProvider"
        type="System.Web.Security.SqlRoleProvider"
        connectionStringName="SqlServices"
        applicationName="SampleApplication" />
      </providers>
    </roleManager>
  </system.web>
</configuration>

You can specify authorization rules in the configuration file for your Web application or programmatically in your code. For example, the following authorization section from a Web.config file requires users to log on (by denying anonymous users), and then allows only users in the Administrators role to have access.

<authorization>
  <deny users="?" />
  <allow roles="Administrators" />
  <deny users="*" />
</authorization>

If you use the authorization section in your application's Web.config file to specify authorization based on roles, users of your application must supply an authenticated user identity. You can authenticate users by using either Windows or Forms authentication. Anonymous users cannot be assigned to a role. Roles can be used independently of, or in conjunction with, the ASP.NET System.Web.Security.Membership classes.

To verify role membership programmatically, you can use the System.Web.Security.Roles class or the System.Web.UI.Page.User property with the Roles.IsUserInRole(string) method, or you can use the System.Web.UI.Page.User property with the System.Security.Principal.IPrincipal.IsInRole(string) method. For sample code that programmatically checks role membership, see the Example section in this topic.

The System.Web.Security.Roles class also enables you to create and delete roles and to add users to or remove users from roles.

You can store role information in several data sources.

• You can use the System.Web.Security.WindowsTokenRoleProvider class to retrieve role information based on membership in Windows groups.

• You can store role information in a SQL Server database by using the System.Web.Security.SqlRoleProvider class.

• If you have existing role information, or want to store role information in and retrieve role information from a data source other than Windows, an Authorization Store, or SQL Server, you can implement a custom role provider by creating a class that inherits the System.Web.Security.RoleProvider abstract class. For more information, see Implementing a Role Provider.

If a user's browser accepts cookies, you can store role information for that user in a cookie on the user's computer. On each page request, ASP.NET reads the role information for that user from the cookie. This can improve application performance by reducing the amount of communication required with the data source to retrieve role information. If the role information for a user is too long to store in a cookie, ASP.NET stores just the most recently used role information in the cookie and then looks up additional role information in the data source as required. If the user's browser does not support cookies or cookies are disabled, role information is not cached in a cookie.

You can improve the reliability of the role names cached in a cookie by specifying a Roles.CookieProtectionValue property when you configure ASP.NET roles. The default Roles.CookieProtectionValue is All, which encrypts role names in the cookie and validates that the cookie contents have not been altered.