Setting up security for web application with ASP.Net Web Site Administration Tool

Using ASP.Net Web Site Administration Tool for Security Setup

Microsoft Visual Studio has a built-in ASP.Net Website Administration Tool that helps you set up and edit users, roles, and permissions for your web site or application with minimal code writing. Assuming that you already have a website and now need to implement security for it, this article will show you how you can use the ASP.Net Website Administration Tool to implement this task.

We used this tool for our social media marketing product development, but for the purpose of this article, I created another test application called WebApplication1 that has all the default folders and files and just added one extra folder called “Admin.” See below.

The first step is to identify which database to use and which application services (membership, roles, etc.) to add to your application. By default, the Web Site Administration Tool configures and uses a local Microsoft SQL Server Standard Edition database in the App_Data folder for the Web site. If, however, you do not have a database defined in the App_Data folder, one easy way to add it is discussed in this article:

Adding Membership and Roles to your MVC or ASP.Net Web Site – Application Services,

http://computerscribe.com/blogs/BlogPost?id=11

Note that if you use Visual Studio 2010 and .Net framework 4.0, the membership configuration is automatically added to your web.config and you just need to modify the database connection string.

To fire up the Website Administration Tool, go to Visual Studio, select your project and click on Project -> ASP.Net Configuration. The page that opens up looks like this:

Figure 1 – ASP.Net Web Site Administration Tool

The first step that I recommend is to test your database connection. Click on Provider Configuration and either select a single provider (first link) or different providers (second link). In my case, I need only one provider, so I click the first link. This takes me to the second page, where I can click on “Test” to validate my database connection. Once you have successfully established a database connection, you’re ready for security setup.

If you want to work with roles (recommended), you first need to enable and create new roles. The steps to create new roles are straightforward so I will not discuss them here. For my test, I created two roles: Admin and User.

Once the roles are created, you are ready to create users. Note: to create users, you do not need to have roles. However, I find that setting up access rules is easier with roles than with users. Again, the steps for creating users are self-explanatory, so I just went ahead and created two users, Admin1 and User1, without showing you how it’s done.

The final step in the Security tab is to set up access rules. This is the place where you set permissions to the whole site or individual folders for roles and users. For example, if I want to give everyone access to the Account folder, I can select the folder, and make sure “All users” and “Allow” are selected as shown below.

Figure 2 – Setting up Access Rules for the Account folder

For the Admin folder, I want to give access only to the Admin role. To do this, I select the folder, choose the “Admin” role, select “Allow” and click “OK”. See Figure 3 below. Note: every time you click “OK”, you are taken back to the previous page, and to add a new rule you have to click on “Create access rules” again. I found this annoying and confusing at first, so I wanted to point it out.

Figure 3 – Allowing Access to the Admin folder for Admin Role

What I also need to do is to deny access to everyone else, so I choose “All users” and “Deny” and click “OK”.

Figure 4 – Denying Access to the Admin folder for all other users
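
The two rules created above are stored in a Web.config file that the tool writes into the Admin folder. The fragment below is an added illustration, not taken from the original article; it assumes the role name Admin used in this walkthrough. ASP.NET evaluates authorization rules from top to bottom and stops at the first match, so the order of the two rules matters.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- Admin/Web.config: illustrative result of the two access rules above -->
<configuration>
  <system.web>
    <authorization>
      <!-- Rule 1: members of the Admin role match here and are let in. -->
      <allow roles="Admin" />
      <!-- Rule 2: everyone who did not match rule 1 (other roles and
           anonymous visitors) is denied. With forms authentication the
           browser is then redirected to the login page. -->
      <deny users="*" />
    </authorization>
  </system.web>
</configuration>
<!--
  Failure modes to check for in this file:
  1. Only the allow rule and no deny rule: the folder inherits the
     default <allow users="*" /> from the parent configuration, so
     User1 can still open the Admin folder.
  2. The deny rule listed above the allow rule: <deny users="*" />
     matches first, so Admin1 is locked out as well.
-->
```

After changing rules in the tool, open this file and confirm that the `allow` line sits above the `deny` line.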

Now we’re ready for testing. Press F5 to start the debugger. You can log in as either the user or admin role and see that you have no problem accessing the Account folder. If, however, you log in as “User1” and try to go to the Admin folder (by typing http://localhost/WebApplication1/Admin in the address bar), you’d be kicked back to the login page because you don’t have permission for this folder. Now if you switch to “Admin1”, you are not redirected to the login page and can access the folder. See Figure 5 below.

Figure 5 – Admin Role can access the Admin page in the Admin folder

Setting up access rules for individual pages in the application or for controls (e.g. links, textboxes, dropdown list, gridview, etc.) on the pages cannot be done via this tool and is beyond the scope of this article, so I’ll leave it to you for your own exploration.