Need advice for implementing User Role based access to aspx pages.

I am new to ASP.Net and have inherited a large web application that contains many pages and user roles/permissions.

Role1 = Read only access - all pages - deny access to finance & administration
Role2 = Read only access - all pages including finance - deny access to administration.
Role3 = Read/Write access - deny access to finance & admin pages

All pages are in the app's root directory and use the same master page.

The app is menu based and each area of functionality has a main page with links to more detailed pages.

The current setup is that user roles are checked in a main page's Page_Load event.
If the user role is 'access denied' - all controls are hidden and an access denied message is displayed (the message is not consistent).
If the user role is read only access - all input controls are disabled.

The problem is:
A. only the main pages of each functional area are checked to see if the user role denies access; no checks are done on any detail pages.
B. checks for read only access and disabling of controls is performed within each individual page.

What I would like to do is programmatically redirect the user to a custom 'Access Denied' page or
disable controls for read only access based on the user role in VB.Net.

I was planning to write some functions like:

Public Sub SetUserAccess(ByVal wPage As Page)
    Dim userRole As String = GetRole()
    Select Case userRole
        Case "Admin"
            Exit Sub 'admin has access to everything
        Case "Role1"
            If IsFinancePage(wPage) OrElse IsAdminPage(wPage) Then
                'ending the response here stops the rest of the page from running
                wPage.Response.Redirect("~/AccessDenied.aspx", True)
            End If
            DisablePageControls(wPage) 'iterate through the page controls and disable for read only
        Case Else
            wPage.Response.Redirect("~/Login.aspx", True) 'redirect to login page if can't determine user role
    End Select
End Sub

Is this a good approach given that the app's owner doesn't want major changes to the app structure?

where would be the best place to call this function from ?

What's the best way to keep track of Finance or Admin related pages? Most of the files related to Finance include the words 'Finance' or 'Accounts' so is there a way to use this rather than list each aspx file separately?


This will help:

The main benefit is that you will be able to just use the syntax:
If User.IsInRole("SysAdmin") OrElse User.IsInRole("Moderator") Then
	' User is OK
Else
	' Redirect to unauthorized access page
	Response.Redirect("~/AccessDenied.aspx", True)
End If


or even use some declarative security attributes such as PrincipalPermissionAttribute:
Imports System.Security.Permissions

' The demand is checked against the current principal before the method body runs
<PrincipalPermissionAttribute(SecurityAction.Demand, Role:="Accounts")> _
Public Function Hello(ByVal strText As String) As String
	Return strText & " was run under permitted user: " & User.Identity.Name & vbCrLf
End Function


lmgreggAuthor Commented:
Thanks for the link - it did clarify role based security in ASP.Net.   Correct me if I'm wrong but:
Since all the forms reside in the app root directory and there are dozens of forms that are restricted to one or more roles, I think this method of authorization would become a nightmare to maintain when new forms and user roles are added to the app.

Programmatically & Imperatively:
"The downside is that if you are calling a method several times from different parts of the application, you need to repeat this logic all over the place."

Exactly what I'm trying to avoid.

Declaratively - looks like my best choice - I will have to do more research on this.

None of these choices seem to cover the case where a role has read only access, which is why I want to find the most efficient way to:
a) get the user role - I've already implemented this part
b) somehow keep lists of forms that are in a functional area ie Admin or Finance since there are no subdirectories in the app
c) determine whether the user role allows no access, read only access or full access

without repeating the same code in dozens of places.

lmgreggAuthor Commented:
Looks like a custom base class for the pages is what I need.

Thanks for pointing me to 4GuysFromRolla - excellent info on that site.
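The base-page approach mentioned above, written out as an added example (this is not code from the original thread or from 4GuysFromRolla). One class does the role check and the read-only handling, and every page, main or detail, picks it up by inheriting from it. The role names ("Admin", "Role1" to "Role3"), the Login and AccessDenied page names, and the file-name patterns for the Finance and Admin areas are assumptions to be adapted to the app.

```vb
' Added example, not code from the original thread: a base page that performs
' the role check and read-only handling once for every page that inherits it.
' Role names, page names and the Finance/Admin name patterns are assumptions.
Imports System
Imports System.IO
Imports System.Security.Principal
Imports System.Text.RegularExpressions
Imports System.Web.UI
Imports System.Web.UI.WebControls

Public Enum AccessLevel
    NoAccess
    ReadOnlyAccess
    FullAccess
End Enum

Public Class SecurePage
    Inherits Page

    ' Area classification by file name (assumption: finance pages contain
    ' "Finance" or "Accounts", admin pages contain "Admin"). A restricted page
    ' whose name matches neither pattern is treated as a general page, so keep
    ' the naming convention strict or add an explicit list for the exceptions.
    Private Shared ReadOnly FinancePattern As New Regex("Finance|Accounts", RegexOptions.IgnoreCase)
    Private Shared ReadOnly AdminPattern As New Regex("Admin", RegexOptions.IgnoreCase)

    Private _level As AccessLevel = AccessLevel.NoAccess

    ' True when the current user may save changes; check this in every save handler.
    Protected ReadOnly Property CanWrite() As Boolean
        Get
            Return _level = AccessLevel.FullAccess
        End Get
    End Property

    ' Runs before Page_Load on every request, including postbacks, so a detail
    ' page reached by a typed URL or a hand-built postback is still checked.
    Protected Overrides Sub OnInit(ByVal e As EventArgs)
        MyBase.OnInit(e)
        If Not User.Identity.IsAuthenticated Then
            Response.Redirect("~/Login.aspx", True)
        End If
        Dim pageName As String = Path.GetFileName(Request.AppRelativeCurrentExecutionFilePath)
        _level = AccessFor(User, pageName)
        If _level = AccessLevel.NoAccess Then
            ' endResponse:=True stops the request here; Page_Load never runs
            Response.Redirect("~/AccessDenied.aspx", True)
        End If
    End Sub

    ' Disable inputs late, after data binding has created row-level controls.
    Protected Overrides Sub OnPreRender(ByVal e As EventArgs)
        MyBase.OnPreRender(e)
        If _level = AccessLevel.ReadOnlyAccess Then
            DisableInputs(Me)
        End If
    End Sub

    ' Map the user's role and the page name to an access level.
    ' Roles are checked from most to least privileged; unknown roles are denied.
    Public Shared Function AccessFor(ByVal principal As IPrincipal, ByVal pageName As String) As AccessLevel
        Dim isFinance As Boolean = FinancePattern.IsMatch(pageName)
        Dim isAdmin As Boolean = AdminPattern.IsMatch(pageName)
        If principal.IsInRole("Admin") Then
            Return AccessLevel.FullAccess
        ElseIf principal.IsInRole("Role3") Then
            If isFinance OrElse isAdmin Then Return AccessLevel.NoAccess
            Return AccessLevel.FullAccess
        ElseIf principal.IsInRole("Role2") Then
            If isAdmin Then Return AccessLevel.NoAccess
            Return AccessLevel.ReadOnlyAccess
        ElseIf principal.IsInRole("Role1") Then
            If isFinance OrElse isAdmin Then Return AccessLevel.NoAccess
            Return AccessLevel.ReadOnlyAccess
        End If
        Return AccessLevel.NoAccess
    End Function

    ' Recursively disable every input control in the tree. This only changes
    ' what the browser renders: a read-only user can still post a hand-built
    ' request, which is why CanWrite must also be checked before any save.
    Private Shared Sub DisableInputs(ByVal parent As Control)
        For Each child As Control In parent.Controls
            If TypeOf child Is TextBox OrElse TypeOf child Is Button OrElse _
               TypeOf child Is DropDownList OrElse TypeOf child Is CheckBox OrElse _
               TypeOf child Is LinkButton OrElse TypeOf child Is ImageButton Then
                DirectCast(child, WebControl).Enabled = False
            End If
            If child.HasControls() Then DisableInputs(child)
        Next
    End Sub
End Class
```

To wire it in without restructuring the app, change `Inherits System.Web.UI.Page` in each code-behind to `Inherits SecurePage`; nothing else on the page needs to move, and the per-page Page_Load checks can be deleted as each page is converted. The disabled controls are a convenience for the user, not the enforcement: the server-side check is the redirect in OnInit plus the `CanWrite` test in any handler that writes, because a disabled input is only disabled in the HTML the browser was sent.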

lmgreggAuthor Commented:
found the answer myself from info on website provided.