Role-Based Authorization (C#)

Azure RBAC

What is Azure role-based access control (Azure RBAC)? | Microsoft Docs

ASP.NET Core 5.0

Role-based authorization in ASP.NET Core | Microsoft Docs

[Authorize(Roles = "Administrator")]
public class AdministrationController : Controller
{
}

[Authorize(Roles = "HRManager,Finance")]
public class SalaryController : Controller
{
}

[Authorize(Roles = "PowerUser")]
[Authorize(Roles = "ControlPanelUser")]
public class ControlPanelController : Controller
{
}

[Authorize(Roles = "Administrator, PowerUser")]
public class ControlPanelController : Controller
{
public ActionResult SetTime()
{
}

[Authorize(Roles = "Administrator")]
public ActionResult ShutDown()
{
}
}

[Authorize(Roles = "Administrator, PowerUser")]
public class ControlPanelController : Controller
{
public ActionResult SetTime()
{
}

[Authorize(Roles = "Administrator")]
public ActionResult ShutDown()
{
}
}

[Authorize]
public class ControlPanelController : Controller
{
public ActionResult SetTime()
{
}

[AllowAnonymous]
public ActionResult Login()
{
}
}

Policy based role checks

[Authorize(Policy = "RequireAdministratorRole")]
public class UpdateModel : PageModel
{
    public ActionResult OnPost()
    {
    }
}

public void ConfigureServices(IServiceCollection services)
{
    services.AddControllersWithViews();
    services.AddRazorPages();

    services.AddAuthorization(options =>
    {
        options.AddPolicy("RequireAdministratorRole",
            policy => policy.RequireRole("Administrator"));
     });
}

[Authorize(Policy = "RequireAdministratorRole")]
public IActionResult Shutdown()
{
    return View();
}

If you want to specify multiple allowed roles in a requirement then you can specify them as parameters to the RequireRole method:

options.AddPolicy("ElevatedRights", policy =>
    policy.RequireRole("Administrator", "PowerUser", "BackupAdministrator"));

ASP.NET Framework 4.x

Role-Based Authorization (C#) | Microsoft Docs

Security: User roles, accounts, and permissions - IBM Documentation

[PrincipalPermission(SecurityAction.Demand, Role = "Administrators")]
[PrincipalPermission(SecurityAction.Demand, Role = "Supervisors")]
protected void UserGrid_RowUpdating(object sender, GridViewUpdateEventArgs e)
{
     ...
}

[PrincipalPermission(SecurityAction.Demand, Role = "Administrators")]
protected void UserGrid_RowDeleting(object sender, GridViewDeleteEventArgs e)
{
     ...
}

<?xml version="1.0"?>

<configuration>
     <system.web>
          <authorization>
               <allow roles="Administrators" />
               <deny users="*"/>
          </authorization>

     </system.web>

     <!-- Allow all users to visit RoleBasedAuthorization.aspx -->
     <location path="RoleBasedAuthorization.aspx">
          <system.web>
               <authorization>
                    <allow users="*" />

               </authorization>
          </system.web>
     </location>
</configuration>

The ASP.NET Pipeline Events for an Authenticated User When Using Forms Authentication and the Roles Framework

The ASP.NET Pipeline Events for an Authenticated User When Using Forms Authentication and the Roles Framework

Workflow:

The User's Role Information Can Be Stored in a Cookie to Improve Performance

Workflow for Determining What Template to Render

The LoginView Control's Workflow for Determining What Template to Render

Security model

The following figure illustrates the security model in Platform Conductor:Workflow illustrating security in Platform Conductor