Role based security in .NET

Role based security needs authenticated information about the user in order to make some decisions about whether the user is authorized.

The 2 most important classes when dealing with Role based security are

  1. Identity class that represents the individual user like the individual user name
  2. Principal class that represents the roles associated with the user.

In windows, the Roles are much similar to the Windows Groups.

There are 3 types of identity

1. Windows Identity – This is the Commonly used identity class .The windows identity encapsulates the identity of the windows user .This will provide the information like name of the user, is the user authenticated etc.

We could also create our own identities and roles with Generic and Custom identity that are not tied with the windows identity and groups.

2. Generic Identity – accesses user information based on custom methods of authentication that we define and are independent of windows User / windows user groups .

3. Custom Identity – This can be defined by the application as per the needs.

The identity classes must implement IIdentity interface

In both of the above cases, correctly authenticating is left to the developers.

Remember windows user is authenticated by the windows OS. So the users with Windows Identity already come authenticated or trusted

The Principal represents the identity of the user .It represents the identity object and also the roles of the user.

There are 3 types of Principal .

1. Windows Principal represents the windows users and their roles.

2. Generic principal represents the users and roles that are not part of the windows user groups.

3. Custom principal represents the custom / application specific roles.

The Principal classes should implement IPrincipal Interface.

To get the current windows identity

WindowsIdentity objIdentity = WindowsIdentity.GetCurrent();

WindowsPrincipal objPrincipal=new WindowsPrincipal(objIdentity);


GetCurrent is a static method . It returns the current windows user.

Name will return the user name(windows user name )

We can do the same thing with the windows principal with Identity.Name.



IsInRole will return true if the user is in the specified role.

Note : The following namespace shoule be used too

using System.Security.Principal;

The Role based security can be implemented in 2 ways

1. Imperative

2. Declarative

We can perform the imperative security checks using the permission objects, we use the PrincipalPermission to achieve this .

This is used to compare the currect principal with the list of identities roles that already exists.

There are many methods of the principal permissions . Here are few frequently used one’s .

1. Demand

This will actually do the comparing .

PrincipalPermission objPermission = new PrincipalPermission("Senthil", "Developer");


Note : Namespace to be used : using System.Security.Permissions;

The Demand() method checks to see if the current user is Senthil and the role is Developer. If it doesnot match , the security exception is thrown.

The PrincipalPermission class allows security checks to be made programatically.

2. Union creates a permission from other individual permissions objects

3. Intersect creates a permission from the intersection of 2 principalpermission objects.

Declarative Role-based security is implemented using attributes .Attributes are declative tags that are attached to an element like a method etc.

The attributes are stored as metadata in the .NET Assemblies and can be extracted at the design time or at the runtime.

The attributes here specify some kind of access levels.

Here’s a sample method that has a declarative based RBS.

public void Method1()




The user of the assembly, class or member must have the permissions specified in the attribute tag.

In Rolebased security , most of the time , the security action is the Demand which does the comparision again.

PrincipalPermission and the PrincipalPermissionAttribute perform the security demands when appropriate.

Commonly used Properties / Methods

1. Identity Classes

AuthenticationType (Property)- Indicates the type of authentication used Eg: Basic, NTLM, Kerberos .

IsAuthenticated ( Property ) –  Indicates if the user is authenticated.

Name ( Property ) Stores the username

2.Principal Classes

Identity (Property) – Refers the IIdentity object associated with the IPrincipal object.

IsInRole() Method Returns true if the associated IIdentity object is in the specified role

There are other security actions like Assert , Demand , Deny , LinkDemand etc.

If you enjoyed this post, please consider leaving a comment or subscribing to the RSS feed to have future articles delivered to your feed reader.

Leave a Reply