I want to restrict access to a particular URL unless the user is a member of 2 different roles. In this case I only want to grant access to this URL if the user is in both the Reporting AND Archiving role. Is there a way to do this in ASP.NET?

<location path="testpage.aspx">
<system.web>
  <authorization>
    <allow roles="Reporting, Archiving"/>
    <deny users="*"/>
  </authorization>
</system.web>
</location>

I want something like this:

<location path="testpage.aspx">
<system.web>
  <authorization>
    <allow roles="Reporting & Archiving"/>
    <deny users="*"/>
  </authorization>
</system.web>
</location>

A: 

You could create a SQL function which, given a particular user ID, page URL, and list of allowed roles (XML), returns a bit indicating whether access is granted to that URL, and subsequently use that to set a flag which would determine whether to show that as a valid choice in a JavaScript or DHTML menu or whatever.

Darth Continent
A: 

You can implement a custom Role Provider. Then you can define a new "fake" role, ReportingAndArchiving, and check if the user belongs to the Reporting and Archiving roles inside the IsUserInRole method when the ReportingAndArchiving role is requested.

+1  A: 

It's kind of ugly, but you can inherit from the role provider you're currently using (SqlRoleProvider, WindowsTokenRoleProvider, AuthorizationStoreRoleProvider), override GetRolesForUser, call the base implementation to get the roles, and combine them as necessary there. Then obviously put your custom role provider in your web.config in the <roleManager> configuration section.

You'd only need to override the one method (and maybe GetUsersInRole) and combine them as necessary.

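// Goes inside a class derived from your current role provider
// (List<string> requires "using System.Collections.Generic;").
public override string[] GetRolesForUser( string username ) {
    // Start from the roles reported by the underlying provider.
    List<string> roles = new List<string>( base.GetRolesForUser(username) );
    // Add the composite role only when the user holds both real roles.
    if( roles.Contains("Reporting") && roles.Contains("Archiving") ) {
        roles.Add("ReportingAndArchiving");
    }
    return roles.ToArray();
}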
Adam Sills
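
The web.config wiring that the answers above leave implicit, as an added example that is not part of any answer on this page: it registers a derived role provider and changes the location rule to require the composite role. The class name CompositeRoleProvider, its type string and the connection string name are assumptions to be replaced with your own values; ReportingAndArchiving is the composite role name used in the answers.

```xml
<configuration>
  <system.web>
    <!-- Register the derived provider as the default role provider.
         "MyApp.Security.CompositeRoleProvider, MyApp" and "ApplicationServices"
         are hypothetical placeholders for your type and connection string. -->
    <roleManager enabled="true" defaultProvider="CompositeRoleProvider">
      <providers>
        <clear/>
        <add name="CompositeRoleProvider"
             type="MyApp.Security.CompositeRoleProvider, MyApp"
             connectionStringName="ApplicationServices"
             applicationName="/"/>
      </providers>
    </roleManager>
  </system.web>

  <location path="testpage.aspx">
    <system.web>
      <authorization>
        <!-- Before: <allow roles="Reporting, Archiving"/>
             A comma-separated list matches a user who holds EITHER role,
             so it cannot express "Reporting AND Archiving". -->
        <!-- After: one composite role, which the provider reports only
             when the user holds both underlying roles. -->
        <allow roles="ReportingAndArchiving"/>
        <!-- Rules are evaluated top to bottom and the first match wins,
             so the catch-all deny must stay last. -->
        <deny users="*"/>
      </authorization>
    </system.web>
  </location>
</configuration>
```

The composite role does not need to exist in the role store, because the rule is checked against the role list the provider returns for the user.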