How to Perform Role-Based Authorization

- J.D. Meier, Carlos Farre, Jason Taylor, Prashant Bansode, Steve Gregersen, Madhu Sundararajan, Rob Boucher

Role-based authorization groups users into roles and sets permissions on the role rather than on individual users. This eases management by allowing you to administer a smaller set of roles rather than a larger set of users.

The following are the options for role-based authorization, depending on your authentication choice:
  • If you are using Windows or Basic authentication, you can use Windows groups for role-based authorization.
  • If you are using Username authentication, you can use ASP.NET roles for role-based authorization.
  • If you are using certificate authentication, you can map certificates to Windows groups for role-based authorization.

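The following example configures the service to enable the SQL Role provider for using ASP.NET roles.
  1. Configure the SQL Role provider
    <!-- Configure the Sql Role Provider (under <system.web>) -->
    <roleManager enabled="true"
                 defaultProvider="SqlRoleProvider">
      <providers>
        <!-- The connectionStringName value is a placeholder; use your own connection string name -->
        <add name="SqlRoleProvider"
             type="System.Web.Security.SqlRoleProvider"
             connectionStringName="YOUR_CONNECTION_STRING_NAME" />
      </providers>
    </roleManager>
    <!-- Configure role based authorization to use the Role Provider (inside the service <behavior> element) -->
    <serviceAuthorization principalPermissionMode="UseAspNetRoles"
                          roleProviderName="SqlRoleProvider" />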
  1. Include a PrincipalPermission attribute on the service method that specifies the role required to call it.
    // PrincipalPermission and SecurityAction are in System.Security.Permissions
    [PrincipalPermission(SecurityAction.Demand, Role = "Registered Users")]
    public double Multiply(double n1, double n2)
    {
         double result = n1 * n2;
         return result;
    }
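  1. The following code shows how to do the authorization check in code (Roles is in System.Web.Security, SecurityException in System.Security):
    if (!Roles.IsUserInRole(@"accounting"))
    {
        throw new SecurityException("Access is denied."); // authorization failed
    }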

  1. The following client connection supplies a username and password to call the method.
      // Set credentials to Alice
      client.ClientCredentials.UserName.UserName = "Alice";
      client.ClientCredentials.UserName.Password = "ecilA-123";

      // Call the Multiply service operation.
      double value1 = 100.00D;
      double value2 = 15.99D;
      double result = client.Multiply(value1, value2);
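
As an added example (not code from the original guide): a .NET Framework console program that exercises the declarative and imperative checks from the steps above without a WCF host or a SQL role store. It assumes a GenericPrincipal stands in for the principal WCF attaches under UseAspNetRoles; CalculatorService, Divide, Bob and Mallory are hypothetical names.

```csharp
using System;
using System.Security;
using System.Security.Permissions;
using System.Security.Principal;
using System.Threading;

// Hypothetical stand-in for the service class. Under UseAspNetRoles, WCF sets
// Thread.CurrentPrincipal from the role provider before the operation runs.
public class CalculatorService
{
    // Declarative check: the role is demanded before the method body runs.
    [PrincipalPermission(SecurityAction.Demand, Role = "Registered Users")]
    public double Multiply(double n1, double n2)
    {
        return n1 * n2;
    }

    // Imperative check in a hypothetical operation. IsInRole stands in for
    // Roles.IsUserInRole, which needs a configured role provider.
    public double Divide(double n1, double n2)
    {
        if (!Thread.CurrentPrincipal.IsInRole("accounting"))
        {
            throw new SecurityException("Access is denied.");
        }
        return n1 / n2;
    }
}

public static class Program
{
    // Constructed principal: simulates the roles the provider would return.
    static void RunAs(string user, params string[] roles)
    {
        Thread.CurrentPrincipal = new GenericPrincipal(new GenericIdentity(user), roles);
        var svc = new CalculatorService();
        try { Console.WriteLine("{0}: Multiply = {1}", user, svc.Multiply(100.00, 15.99)); }
        catch (SecurityException) { Console.WriteLine("{0}: Multiply denied", user); }
        try { Console.WriteLine("{0}: Divide = {1}", user, svc.Divide(100.00, 4.00)); }
        catch (SecurityException) { Console.WriteLine("{0}: Divide denied", user); }
    }

    public static void Main()
    {
        RunAs("Alice", "Registered Users");             // one role only
        RunAs("Bob", "Registered Users", "accounting"); // both roles
        RunAs("Mallory");                               // no roles
    }
}
```

In a hosted service, the SecurityException raised by a failed demand reaches the client as a SecurityAccessDeniedException, so client code should catch that type around the call.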

Last edited Jun 13, 2008 at 7:13 PM by prashantbansode, version 1
