Role based access control with ASP.NET identity

0
votes

In the old days when we use asp.net membership, we can use web.config to control the access based on role like

<configuration>
      <system.web>
         <authorization>
            <deny users="*"/>
            <allow roles="RoleA"/>
         </authorization>
      </system.web>
</configuration>

or use the "security trimming" to limit the menu items in asp:Menu control (with a sitemap datasource).

now we have the ASP.NET identity, what is the best practice to achieve the similar effect? Thank you.

2
asp.netasp.net-identity

2 Answers

1
votes

Add attribute to your controller class i.e

  [Authorize(Roles = "Admin")]
   public class SettingsController : Controller
    {

    }
1
votes

You can still use the authorization section in web.config to protect parts of your application using roles. ASP.NET Identity can be used to add roles to users and once a user is added to the role you can protect using the authorization section as you did before.