ASP.NET provides a useful “Role Management” capability, which allows developers to map users into logical “Roles” that can then be used to control what end users may do and which parts of an application they may access. For example, as a developer I could create a role called “managers” for my web application, and then limit access to portions of the site to only those users within the “managers” role (note: I will be posting additional recipes in the future that discuss how to use the Role Management and authorization features more fully).
When using Windows Authentication, ASP.NET allows developers to create and populate roles from multiple sources. For example, a developer could set up the built-in ASP.NET 2.0 SqlRoleProvider to map Windows users to custom application roles that are stored within a database. This approach is very useful for scenarios where there are application-specific role mappings that don’t make sense to push into a centralized Active Directory tree/store.
ASP.NET also makes it easy to access central Windows and Active Directory group mappings from within an application. For example, if there is a Windows group on the Active Directory network called “DOMAIN\managers”, an ASP.NET application could look up whether the current Windows-authenticated user visiting the site belongs to this group by writing code like this:
    ' User.Identity.Name is the Windows account name, e.g. DOMAIN\alice
    ' (in VB the backslash in the group name needs no escaping)
    If User.IsInRole("DOMAIN\managers") Then
        Label1.Text = User.Identity.Name & " is a manager"
    Else
        Label1.Text = User.Identity.Name & " is not a manager"
    End If
Note that the role/group look-up is done via the “User.IsInRole(rolename)” method, a peer of the User.Identity.Name property. With Windows Authentication and no role provider configured, User is a WindowsPrincipal, so IsInRole is answered from the group SIDs in the caller’s Windows logon token (nested group membership included), and the group must be named in the DOMAIN\group form. One caveat: once the Role Manager is enabled (for example to use the SqlRoleProvider described above), ASP.NET replaces User with a RolePrincipal and User.IsInRole is answered by the configured role provider instead. A Windows group check that worked before can then quietly start returning False for everyone, so in that configuration check the Windows token explicitly rather than relying on User.IsInRole.
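Putting the two approaches together, as an added example that is not from the original post or part of the ASP.NET framework itself: a Web Forms code-behind in VB that checks an application-specific role stored by the SqlRoleProvider and, separately, a central Active Directory group read directly from the Windows token, so the group check keeps working after the Role Manager is enabled. It assumes (all of these are assumptions, not something the post specifies) that web.config has authentication mode="Windows" with anonymous access disabled in IIS, that roleManager is enabled with a SqlRoleProvider as the default provider and its database schema already created, that the page contains a Label control named Label1, and that “DOMAIN\managers” is the AD group and “AppManagers” the database role.

```vbnet
Imports System
Imports System.Security.Principal
Imports System.Web
Imports System.Web.Security

' Code-behind for a page that should only be useful to managers.
Partial Class ManagerPage
    Inherits System.Web.UI.Page

    ' Assumed names: the central Active Directory group and the
    ' application-specific role stored by the SqlRoleProvider.
    Private Const WindowsManagersGroup As String = "DOMAIN\managers"
    Private Const AppManagersRole As String = "AppManagers"

    ' Checks an Active Directory group against the caller's Windows logon token.
    ' This works whether or not the Role Manager has replaced User with a
    ' RolePrincipal, because it goes to the WindowsIdentity underneath.
    Private Function IsInWindowsGroup(ByVal groupName As String) As Boolean
        Dim winIdentity As WindowsIdentity = TryCast(User.Identity, WindowsIdentity)
        If winIdentity Is Nothing Then
            ' Not a Windows-authenticated request: fail closed, never assume membership.
            Return False
        End If
        Dim winPrincipal As New WindowsPrincipal(winIdentity)
        Return winPrincipal.IsInRole(groupName)
    End Function

    Protected Sub Page_Load(ByVal sender As Object, ByVal e As EventArgs) Handles Me.Load
        If Not User.Identity.IsAuthenticated Then
            ' Should not happen with Windows auth and anonymous access disabled,
            ' but refuse explicitly rather than continue with an empty identity.
            Response.StatusCode = 401
            Response.End()
            Return
        End If

        Dim userName As String = User.Identity.Name   ' e.g. DOMAIN\alice

        ' 1. Application-specific role kept in the database.
        '    Roles.IsUserInRole asks the configured role provider (SqlRoleProvider),
        '    not the Windows token.
        Dim isAppManager As Boolean = Roles.IsUserInRole(userName, AppManagersRole)

        ' 2. Central Active Directory group, read from the Windows token.
        Dim isDomainManager As Boolean = IsInWindowsGroup(WindowsManagersGroup)

        If isAppManager OrElse isDomainManager Then
            Label1.Text = userName & " is a manager"
        Else
            Label1.Text = userName & " is not a manager"
        End If
    End Sub
End Class
```

For protecting whole pages or directories, prefer the declarative authorization element in web.config (allow roles="DOMAIN\managers" followed by deny users="*") over checks in page code, since a per-page check is easy to forget on the next page you add; just remember that UrlAuthorizationModule also calls User.IsInRole, so the same Role Manager caveat applies to those rules.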