I'd like to write a custom role provider for my application, which has existing users and roles tables. I'm looking for a reference on that, which:

  • doesn't require machine.config changes (I see this a lot in custom role architectures),
  • supports master pages that may be applied to child pages that require different rights.
+2  A: 

The configuration of rights and the provider itself can be defined in web.config. To apply the rights to different child pages, you simply lock down the content pages via the `<location>` / `<system.web>` / `<authorization>` nodes in web.config (more info here).

To create a custom provider, you simply inherit from the System.Web.Security.RoleProvider abstract class and implement the methods you need (typically IsUserInRole, GetUsersInRole, and GetRolesForUser, though my memory's a bit foggy at the moment as to what Asp.Net calls out of the box to do role-based authorization, so you might want to implement them all). More info here.

Once that's done, you register which provider to use in web.config:

    <!-- inside <system.web> -->
    <roleManager enabled="true" defaultProvider="YourRoleProviderHere">
      <providers>
        <clear />
        <add name="YourRoleProviderHere"
             type="YourRoleProviderHere, YourRoleProviderAssembly"
             description="Your totally awesome role provider" />
      </providers>
    </roleManager>

That will set your app up to use your role provider, and with virtually no work, you're up and running. All the standard authorization methods still work (User.IsInRole) and you're integrated with Asp.Net.

Rob Rodi
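A worked version of the answer above, added here as an example (it is not code from the answer or from any project): a read-only RoleProvider that resolves roles from the Users / UserRole / Roles tables posted later on this page. The column meanings (DomainName as the login name, RoleName as the role), the class name, and the `connectionStringName="AppDb"` attribute are assumptions for the example.

```csharp
// Added example, not from the original answer. Assumes the Users / UserRole / Roles
// tables posted further down the page, with Users.DomainName as the login name.
using System;
using System.Collections.Generic;
using System.Collections.Specialized;
using System.Configuration;
using System.Configuration.Provider;
using System.Data.SqlClient;
using System.Linq;
using System.Web.Security;

public class ExistingTablesRoleProvider : RoleProvider
{
    private string _connectionString;

    public override string ApplicationName { get; set; }

    public override void Initialize(string name, NameValueCollection config)
    {
        if (config == null) throw new ArgumentNullException("config");
        if (string.IsNullOrEmpty(name)) name = "ExistingTablesRoleProvider";
        base.Initialize(name, config);

        // connectionStringName is an attribute on the provider's <add .../> element in web.config (assumed name).
        string csName = config["connectionStringName"];
        var cs = string.IsNullOrEmpty(csName) ? null : ConfigurationManager.ConnectionStrings[csName];
        if (cs == null) throw new ProviderException("connectionStringName must name an entry in <connectionStrings>");
        _connectionString = cs.ConnectionString;
        ApplicationName = config["applicationName"] ?? "/";
    }

    // RoleManagerModule wraps the authenticated identity in a RolePrincipal; User.IsInRole ends up here.
    public override string[] GetRolesForUser(string username)
    {
        if (string.IsNullOrEmpty(username)) return new string[0];
        const string sql = @"SELECT r.RoleName FROM dbo.Roles r
            JOIN dbo.UserRole ur ON ur.RoleId = r.RoleId
            JOIN dbo.Users u ON u.UserId = ur.UserId
            WHERE u.DomainName = @user";
        return Query(sql, new SqlParameter("@user", username)).ToArray();
    }

    public override bool IsUserInRole(string username, string roleName)
    {
        // Case-insensitive comparison, like the built-in SqlRoleProvider.
        return GetRolesForUser(username).Contains(roleName, StringComparer.OrdinalIgnoreCase);
    }

    public override bool RoleExists(string roleName)
    {
        return Query("SELECT RoleName FROM dbo.Roles WHERE RoleName = @role",
                     new SqlParameter("@role", roleName)).Any();
    }

    public override string[] GetAllRoles()
    {
        return Query("SELECT RoleName FROM dbo.Roles").ToArray();
    }

    public override string[] GetUsersInRole(string roleName)
    {
        return FindUsersInRole(roleName, "%");
    }

    public override string[] FindUsersInRole(string roleName, string usernameToMatch)
    {
        // usernameToMatch may carry LIKE wildcards (the built-in provider allows that too);
        // it still travels as a parameter and is never concatenated into the SQL text.
        const string sql = @"SELECT u.DomainName FROM dbo.Users u
            JOIN dbo.UserRole ur ON ur.UserId = u.UserId
            JOIN dbo.Roles r ON r.RoleId = ur.RoleId
            WHERE r.RoleName = @role AND u.DomainName LIKE @match";
        return Query(sql, new SqlParameter("@role", roleName), new SqlParameter("@match", usernameToMatch)).ToArray();
    }

    // Membership is administered elsewhere in this application; refuse writes loudly
    // rather than returning as if they had succeeded.
    public override void CreateRole(string roleName) { throw new NotSupportedException(); }
    public override bool DeleteRole(string roleName, bool throwOnPopulatedRole) { throw new NotSupportedException(); }
    public override void AddUsersToRoles(string[] usernames, string[] roleNames) { throw new NotSupportedException(); }
    public override void RemoveUsersFromRoles(string[] usernames, string[] roleNames) { throw new NotSupportedException(); }

    // Runs a single-column query with parameters and returns the strings in that column.
    private List<string> Query(string sql, params SqlParameter[] parameters)
    {
        var results = new List<string>();
        using (var conn = new SqlConnection(_connectionString))
        using (var cmd = new SqlCommand(sql, conn))
        {
            cmd.Parameters.AddRange(parameters);
            conn.Open();
            using (var reader = cmd.ExecuteReader())
                while (reader.Read()) results.Add(reader.GetString(0));
        }
        return results;
    }
}
```

To wire it up, the `<add>` element under `<roleManager>` gets `type="ExistingTablesRoleProvider, YourAssembly"` plus `connectionStringName="AppDb"`, and `AppDb` must exist under `<connectionStrings>`. Nothing here depends on the login controls: RoleManagerModule only needs an authenticated identity name on HttpContext.User (a forms ticket, Windows auth, whatever your existing code sets), and it calls GetRolesForUser with that name. If you turn on `cacheRolesInCookie`, the role list is stored client-side, so make sure the cookie is marked protected (`cookieProtection="All"`, the default) and that the machineKey is not auto-generated on a web farm.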
Do I have to use the built-in login controls on my site or can I shim the roles stuff into existing code?

You could also try to use an HttpModule:

  • Modify the code in the example app so that the request would know which page is being requested
  • Obviously you would need the following DbTables structure
  • This link will give you a good start

Now these rough CREATE TABLE statements would give you the following set:

  • each user will have one or more UserRoles
  • each Page will be configurable to be accessed per UserRole

Some DDL SQL around the idea:

    -- Users: the CREATE TABLE header was missing from the post; the table name is assumed.
    CREATE TABLE [dbo].[Users](
        [UserId] [int] IDENTITY(1,1) NOT NULL PRIMARY KEY,
        [FirstName] [varchar](100) NOT NULL,
        [SecondName] [varchar](100) NULL,
        [LastName] [varchar](100) NOT NULL,
        [DomainName] [varchar](100) NOT NULL UNIQUE,   -- login name the provider looks users up by
        [UserRoleId] [int] NOT NULL,                    -- overlaps with the UserRole junction table below; keep one of the two
        [Password] [nvarchar](100) NOT NULL             -- store a salted hash here, never the clear-text password
    );

    -- Roles was posted as [ga].[Roles]; moved to dbo so the script runs as one batch,
    -- and created before UserRole so the foreign keys resolve.
    CREATE TABLE [dbo].[Roles](
        [RoleId] [int] IDENTITY(1,1) NOT NULL PRIMARY KEY,
        [RoleName] [varchar](50) NOT NULL UNIQUE,
        [RoleDefinition] [varchar](1000) NULL
    );

    CREATE TABLE [dbo].[UserRole](
        [UsersRoleId] [int] IDENTITY(1,1) NOT NULL PRIMARY KEY,
        [RoleId] [int] NOT NULL FOREIGN KEY REFERENCES [dbo].[Roles]([RoleId]),
        [UserId] [int] NOT NULL FOREIGN KEY REFERENCES [dbo].[Users]([UserId])
    );

    CREATE TABLE [dbo].[Page](
        [PageId] [int] IDENTITY(1,1) NOT NULL PRIMARY KEY,
        [PageName] [varchar](200) NOT NULL UNIQUE,      -- e.g. the app-relative path "~/Admin/Users.aspx"
        [PageDescription] [varchar](max) NOT NULL,
        [PageTitle] [varchar](50) NOT NULL
    );

    CREATE TABLE [dbo].[PagePerUserRole](
        [PageForRoleId] [int] IDENTITY(1,1) NOT NULL PRIMARY KEY,
        [UserRoleId] [int] NOT NULL FOREIGN KEY REFERENCES [dbo].[Roles]([RoleId]),   -- read as a Roles.RoleId (assumption)
        [PageId] [int] NOT NULL FOREIGN KEY REFERENCES [dbo].[Page]([PageId])
    );


OR a CustomBaseClass

Basically the same, but it would check whether the user has access in some very early event of the page life cycle, such as OnInit.

The latter is a more unorthodox way, yet I have written an app using a complicated authentication mechanism (using a third-party software system) and it seems to have worked in production for a while ; )
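The HttpModule variant of this answer, written out as an added example (not code from the answer or from any project). It enforces the Page / PagePerUserRole / Roles tables on every request and fails closed for pages that have no rows. Assumptions: PagePerUserRole.UserRoleId is a Roles.RoleId, Page.PageName holds the app-relative path, the connection string is named `AppDb`, and the roleManager from the first answer is enabled so `Roles.GetRolesForUser` works.

```csharp
// Added example, not from the original answer. Assumes the Page / PagePerUserRole / Roles
// tables above, PageName = app-relative path, and a connection string named "AppDb".
using System;
using System.Collections.Generic;
using System.Configuration;
using System.Data.SqlClient;
using System.Linq;
using System.Web;
using System.Web.Security;

public class PagePermissionModule : IHttpModule
{
    public void Init(HttpApplication app)
    {
        // AuthorizeRequest fires after AuthenticateRequest, so HttpContext.User is already set
        // (and, with roleManager enabled, is a RolePrincipal backed by the RoleProvider).
        app.AuthorizeRequest += OnAuthorizeRequest;
    }

    public void Dispose() { }

    private static void OnAuthorizeRequest(object sender, EventArgs e)
    {
        var ctx = ((HttpApplication)sender).Context;
        string page = ctx.Request.AppRelativeCurrentExecutionFilePath;   // e.g. "~/Admin/Users.aspx"

        // Only .aspx pages are governed by the table; everything else stays with <authorization> in web.config.
        if (!page.EndsWith(".aspx", StringComparison.OrdinalIgnoreCase)) return;

        // The login page must stay reachable, or anonymous users loop on the 401 redirect.
        if (string.Equals(ctx.Request.Path, FormsAuthentication.LoginUrl, StringComparison.OrdinalIgnoreCase)) return;

        if (!ctx.User.Identity.IsAuthenticated)
        {
            ctx.Response.StatusCode = 401;   // FormsAuthenticationModule turns this into the login redirect
            ctx.ApplicationInstance.CompleteRequest();
            return;
        }

        string[] userRoles = Roles.GetRolesForUser(ctx.User.Identity.Name);
        if (!IsAllowed(userRoles, RolesAllowedForPage(page)))
        {
            ctx.Response.StatusCode = 403;
            ctx.ApplicationInstance.CompleteRequest();
        }
    }

    // Pure decision, kept apart from HttpContext so it can be unit-tested.
    // Fails closed: a page with no PagePerUserRole rows is denied to everyone.
    public static bool IsAllowed(IEnumerable<string> userRoles, IEnumerable<string> allowedRoles)
    {
        return allowedRoles.Intersect(userRoles, StringComparer.OrdinalIgnoreCase).Any();
    }

    private static List<string> RolesAllowedForPage(string page)
    {
        // Join assumed: PagePerUserRole.UserRoleId -> Roles.RoleId.
        const string sql = @"SELECT r.RoleName FROM dbo.Page p
            JOIN dbo.PagePerUserRole ppr ON ppr.PageId = p.PageId
            JOIN dbo.Roles r ON r.RoleId = ppr.UserRoleId
            WHERE p.PageName = @page";
        var result = new List<string>();
        using (var conn = new SqlConnection(ConfigurationManager.ConnectionStrings["AppDb"].ConnectionString))
        using (var cmd = new SqlCommand(sql, conn))
        {
            cmd.Parameters.AddWithValue("@page", page);
            conn.Open();
            using (var reader = cmd.ExecuteReader())
                while (reader.Read()) result.Add(reader.GetString(0));
        }
        return result;
    }
}
```

Register it under `<system.web><httpModules>` (classic pipeline) or `<system.webServer><modules>` (IIS 7 integrated) with `type="PagePermissionModule, YourAssembly"`. The reason to prefer the module over the base-page OnInit check is coverage: a base class only protects pages that remember to inherit from it, while the module sees every request in the pipeline, including handlers that are not Pages at all.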