# Restrict Access to your website using ASP.Net Membership Provider

VBForums CodeBank - ASP / ASP.NET / MVC / Web API

## gep13

*NOTE:* The attached sample application was written in Visual Studio 2008 Team System Edition
*NOTE:* Due to the size of the database that was created, I have scripted the database as an SQL File, which you should be able to restore from.

When you use the built in ASP.Net Providers (i.e. Membership, Roles and Profile) you have the ability to make use of the built in controls within the Framework, such as Login, LoginView, CreateUserWizards etc.  

If you use the Menu control, in conjunction with the Roles allocated to a user, then you can limit access to particular areas of your site.

For instance, within the web.config file, you could put the following entries within the configuration node:



```
  <location path="Entry">
    <system.web>
      <authorization>
        <allow roles="Operator,StoreKeeper"/>
        <deny users="*"/>
      </authorization>
    </system.web>
  </location>
  <location path="Update">
    <system.web>
      <authorization>
        <allow roles="Operator"/>
        <deny users="*"/>
      </authorization>
    </system.web>
  </location>
  <location path="View">
    <system.web>
      <authorization>
        <allow roles="Operator,Manager,StoreKeeper"/>
        <deny users="*"/>
      </authorization>
    </system.web>
  </location>
```

The above means that access to a folder named Entry in the root of the website is restricted to all users apart from members of the Operator and StoreKeeper roles.

Access to a folder called Update in the root of the website is restricted to all users apart from members of the Operator Role.

Access to a folder called View in the root of the website is restricted to all users apart from members of the Operator, Manager and StoreKeeper roles.

In addition to the above, it is also possible to restrict access to a particular page of the website, not just pages within a directory.  This can be achieved as follows:



```
  <location path="AddEditPost.aspx">
      <system.web>
        <authorization>
            <allow roles="Administrators,Editors,Moderators,Posters" /> 
            <deny users="*"/>
        </authorization>
      </system.web>
  </location>
```

Here, access to the AddEditPost.aspx page is restricted to everyone except members of the Administrators, Editors, Moderators and Posters roles.

It is possible to place individual web.config files into each of the above folders and restrict the access in each of these configuration files, or you can place all your location nodes in the main web.config file of your application (this is the approach that I have taken in the attached sample).

In order to complete this technique, entries need to be made in the web.sitemap as follows:



```
<siteMap xmlns="http://schemas.microsoft.com/AspNet/SiteMap-File-1.0">
  <siteMapNode url="Default.aspx" title="Home">
    <siteMapNode title="Entry" url="Entry/Entry.aspx" description="Entry">
      <siteMapNode url="Entry/EntryMaterialMaster.aspx" title="Material Master" description="Material Master" />
      <siteMapNode url="Entry/EntryVendorMaster.aspx" title="Vendor Master" description="Vendor Master" />
      <siteMapNode url="Entry/EntryLocationMaster.aspx" title="Location Master" description="Location Master" />
      <siteMapNode url="Entry/EntryStoreMaster.aspx" title="Store Master" description="Store Master" />
      <siteMapNode url="Entry/EntryRackMaster.aspx" title="Rack Master" description="Rack Master" />
      <siteMapNode url="Entry/EntryTransactions.aspx" title="Transactions" description="Transactions" />
    </siteMapNode>
    <siteMapNode title="Update" url="Update/Update.aspx" description="Update">
      <siteMapNode url="Update/UpdateMaterialMaster.aspx" title="Material Master" description="Material Master" />
      <siteMapNode url="Update/UpdateVendorMaster.aspx" title="Vendor Master" description="Vendor Master" />
      <siteMapNode url="Update/UpdatePriceMaster.aspx" title="Price Master" description="Price Master" />
      <siteMapNode url="Update/UpdateLocationMaster.aspx" title="Location Master" description="Location Master" />
      <siteMapNode url="Update/UpdateStoreMaster.aspx" title="Store Master" description="Store Master" />
      <siteMapNode url="Update/UpdateRackMaster.aspx" title="Rack Master" description="Rack Master" />
      <siteMapNode url="Update/UpdateTransactions.aspx" title="Transactions" description="Transactions" />
    </siteMapNode>
    <siteMapNode title="View" url="View/View.aspx" description="View">
      <siteMapNode url="View/ViewMaterialMaster.aspx" title="Material Master" description="Material Master" />
      <siteMapNode url="View/ViewVendorMaster.aspx" title="Vendor Master" description="Vendor Master" />
      <siteMapNode url="View/ViewPriceMaster.aspx" title="Price Master" description="Price Master" />
      <siteMapNode url="View/ViewLocationMaster.aspx" title="Location Master" description="Location Master" />
      <siteMapNode url="View/ViewStoreMaster.aspx" title="Store Master" description="Store Master" />
      <siteMapNode url="View/ViewRackMaster.aspx" title="Rack Master" description="Rack Master" />
      <siteMapNode url="View/ViewReports.aspx" title="Reports" description="Reports" />
    </siteMapNode>
  </siteMapNode>
</siteMap>
```

With this in place, any menu on your website which uses the web.sitemap as its data source will dynamically change which nodes are visible based on the roles of the currently logged-in user.

Attached to this thread is a complete (basic) sample which shows this in operation.  You should be able to log into the website using the following credentials:

| UserName | Password |
|----------|----------|
| manage   | manage1# |
| operate  | operate1# |
| store    | store1#  |

The "manage" user is a member of the Manager Role, the "operate" user a member of the Operator Role, and the "store" user a member of the StoreKeeper Role.

One thing to watch out for in the sample application is the configuration element in the web.config for the XmlSiteMapProvider, namely:



```
    <siteMap defaultProvider="XmlSiteMapProvider" enabled="true">
      <providers>
        <add name="XmlSiteMapProvider" description="SiteMap provider which reads in .sitemap XML files." type="System.Web.XmlSiteMapProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" siteMapFile="web.sitemap" securityTrimmingEnabled="true"/>
      </providers>
    </siteMap>
```

Here I have enabled the securityTrimmingEnabled property.  Basically, what this does is tell the siteMapProvider not to show any nodes that the currently logged-in user does not have access to.  If this property were left as false, then the user would be able to see all nodes; it is just that when they clicked on them they would be redirected to the login page.  To me, this isn't very intuitive.  If the user doesn't have access to a page, then they shouldn't see a link to it.

Let me know if you have any question about the above.

Gary
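The two mechanisms in the post, the `<location>` authorization rules and security trimming of the sitemap, modelled as an added example (this is not code from the attached sample, and it is written in Python rather than C# so it runs stand-alone). It parses the three `<location>` blocks quoted above, evaluates them the way ASP.NET's UrlAuthorizationModule does (rules in document order, first match wins, no match falls through to the framework's default `<allow users="*"/>`), and then filters a list of sitemap URLs the way `securityTrimmingEnabled="true"` does for nodes that carry no `roles` attribute. `WEB_CONFIG`, `USER_ROLES` and the URL lists are constructed from the post's own configuration and sample users.

```python
import xml.etree.ElementTree as ET

# Constructed: the three <location> blocks from the post, wrapped in a root element.
WEB_CONFIG = """<configuration>
  <location path="Entry"><system.web><authorization>
    <allow roles="Operator,StoreKeeper"/><deny users="*"/>
  </authorization></system.web></location>
  <location path="Update"><system.web><authorization>
    <allow roles="Operator"/><deny users="*"/>
  </authorization></system.web></location>
  <location path="View"><system.web><authorization>
    <allow roles="Operator,Manager,StoreKeeper"/><deny users="*"/>
  </authorization></system.web></location>
</configuration>"""

# The sample users from the post and the role each one holds.
USER_ROLES = {"manage": {"Manager"}, "operate": {"Operator"}, "store": {"StoreKeeper"}}


def load_rules(config_xml):
    """Map each <location path> to its allow/deny rules, kept in document order."""
    rules = {}
    for loc in ET.fromstring(config_xml).iter("location"):
        rules[loc.get("path")] = [(r.tag, r) for r in loc.iter() if r.tag in ("allow", "deny")]
    return rules


def rule_matches(rule, user, roles):
    """users="*" is everyone, users="?" is anonymous only, roles matches any listed role."""
    users = [u.strip() for u in rule.get("users", "").split(",") if u.strip()]
    wanted = [r.strip() for r in rule.get("roles", "").split(",") if r.strip()]
    if "*" in users or user in users or (user is None and "?" in users):
        return True
    return any(r in roles for r in wanted)


def is_authorized(rules, url, user, roles):
    """First matching rule decides; no match falls through to the root <allow users="*"/>."""
    first_segment = url.split("/")[0]  # "Entry/Entry.aspx" -> "Entry", "Default.aspx" -> itself
    for verb, rule in rules.get(first_segment, []):
        if rule_matches(rule, user, roles):
            return verb == "allow"
    return True


def trimmed_menu(rules, sitemap_urls, user, roles):
    """What security trimming leaves visible: only URLs the user may actually request."""
    return [u for u in sitemap_urls if is_authorized(rules, u, user, roles)]
```

Swap the two rules inside a location so that `<deny users="*"/>` comes first and even an Operator is refused, because the first matching rule wins; the trimmed menu and the authorization check agree precisely because the menu is derived from the same rules, not the other way round.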

----------


## blakemckenna

Gary,

I'm assuming the Username/Password values you provided are what is to be used in your application. If so, I tried all 3 of them and they didn't seem to work. Am I missing anything?

Thanks,

----------


## gep13

Hey Blake,

Yes, the usernames and passwords in the post are the ones that I used in the sample project that was attached.

In order to use those though, you are going to have to restore the database from the backup of the SQL that I added to the project, since I wasn't able to upload the whole database (see the second note).

If you don't want to do that, you will be able to recreate these users in your own database using the Web Administration section.

Let me know if you are having problems.

Gary

----------


## nikam_007

Hi.
I have created a GUI using radio buttons like
read      write      deny
I want to update the sitemap's roles according to it, as I use ASP/C#.
C# code:

```csharp
// Posted code, re-indented. It lives in the page's code-behind and relies on members
// defined elsewhere in that class: RoleName (the role being granted), LoadSiteMapXml
// (returns the .sitemap as an XmlDocument) and the rptHOMainManu GridView.
// Needs: using System.Xml; using System.Xml.Linq; using System.Web.UI.WebControls;
public void UpdateSiteMapXML(string SiteMapFileName)
{
    XNamespace siteNM = "http://schemas.microsoft.com/AspNet/SiteMap-File-1.0";
    XElement[] XE = new XElement[20];
    XmlDocument xdoc = LoadSiteMapXml(SiteMapFileName);
    if (xdoc.DocumentElement.ChildNodes[0].HasChildNodes)
    {
        int i = 0;
        // Top-level menu nodes: copy each one, appending RoleName to its roles if it is not already listed.
        foreach (XmlElement childNodesEnumerator in xdoc.DocumentElement.ChildNodes[0].ChildNodes)
        {
            if (childNodesEnumerator.Attributes["roles"].Value.Contains(RoleName) || childNodesEnumerator.Attributes["roles"].Value.Contains("*"))
            {
                XE[i] = new XElement(siteNM + "siteMapNode", new XAttribute("title", childNodesEnumerator.Attributes["title"].Value), new XAttribute("url", childNodesEnumerator.Attributes["url"].Value), new XAttribute("roles", childNodesEnumerator.Attributes["roles"].Value));
            }
            else
            {
                XE[i] = new XElement(siteNM + "siteMapNode", new XAttribute("title", childNodesEnumerator.Attributes["title"].Value), new XAttribute("url", childNodesEnumerator.Attributes["url"].Value), new XAttribute("roles", childNodesEnumerator.Attributes["roles"].Value + "," + RoleName));
            }
            int j = 0;
            XElement[] XE1 = new XElement[50];
            // Sub-menu nodes: a node is copied only when the grid row with the same title has the Delete radio button checked.
            foreach (XmlElement childNodesEnumerator1 in childNodesEnumerator.ChildNodes)
            {
                foreach (GridViewRow objRI in rptHOMainManu.Rows)
                {
                    GridView objRepeater = (GridView)objRI.FindControl("rptHOSubManu");
                    if (objRepeater != null)
                    {
                        foreach (GridViewRow objRI1 in objRepeater.Rows)
                        {
                            Label hypTitle = (Label)objRI1.FindControl("hypTitle");
                            //RadioButtonList BtnOptions = (RadioButtonList)objRI1.FindControl("BtnOptions");
                            RadioButton RadioBtnAllow = (RadioButton)objRI1.FindControl("RadioBtnAllow");
                            RadioButton RadioBtnDeny = (RadioButton)objRI1.FindControl("RadioBtnDeny");
                            RadioButton RadioBtnWrite = (RadioButton)objRI1.FindControl("RadioBtnWrite");
                            RadioButton RadioBtnDelete = (RadioButton)objRI1.FindControl("RadioBtnDelete");
                            RadioButton RadioBtnRead = (RadioButton)objRI1.FindControl("RadioBtnRead");
                            //HiddenField HFOption = (HiddenField)objRI1.FindControl("HFOption");
                            if (hypTitle != null)
                            {
                                if (RadioBtnDelete.Checked)
                                {
                                    if (childNodesEnumerator1.Attributes["title"].Value == hypTitle.Text)
                                    {
                                        if (childNodesEnumerator1.Attributes["roles"].Value.Contains(RoleName) || childNodesEnumerator1.Attributes["roles"].Value.Contains("*"))
                                        {
                                            XE1[j] = new XElement(siteNM + "siteMapNode", new XAttribute("title", childNodesEnumerator1.Attributes["title"].Value), new XAttribute("url", childNodesEnumerator1.Attributes["url"].Value), new XAttribute("roles", childNodesEnumerator1.Attributes["roles"].Value));
                                        }
                                        else
                                        {
                                            XE1[j] = new XElement(siteNM + "siteMapNode", new XAttribute("title", childNodesEnumerator1.Attributes["title"].Value), new XAttribute("url", childNodesEnumerator1.Attributes["url"].Value), new XAttribute("roles", childNodesEnumerator1.Attributes["roles"].Value + "," + RoleName));
                                        }
                                        j++;
                                    }
                                }
                            }
                        }
                    }
                }
            }
            XE[i].Add(XE1);  // unused (null) slots of XE1 are skipped by LINQ to XML
            i++;
        }
    }
    // Rebuild the whole file under a root node every role can see, then overwrite it.
    XDocument xDoc = new XDocument(
        new XDeclaration("1.0", "UTF-8", null),
        new XElement(siteNM + "siteMap",
            new XElement(siteNM + "siteMapNode", new XAttribute("title", SiteMapFileName), new XAttribute("url", ""), new XAttribute("roles", "*"),
                XE)));
    xDoc.Save(Server.MapPath(SiteMapFileName));
}
```
The code above is what I have to update the .sitemap nodes: I used a grid for the radio buttons, checking every radio button and updating the node according to it.
Please help...
I have wasted so much time on it.........

Thanks in advance......

----------


## gep13

Hello,

For this type of request, you might want to think about storing the sitemap nodes in a database, rather than in the web.config file, as I have done.

You can find information about this here:

http://weblogs.asp.net/scottgu/archi...11/435108.aspx

I hope that helps!!

Gary

----------

