Section 2 of 6
Role-Based Authorization
🎯 What You'll Learn
- What are roles
- Creating roles
- Assigning users to roles
- [Authorize(Roles)] attribute
- Checking roles in code
What are Roles?
Roles group users who need the same permissions, so access rules are written once per role instead of once per user. Common roles include Admin, Manager and User.
Creating Roles
Create Roles with RoleManager
C#
public class SeedData
{
    public static async Task InitializeAsync(RoleManager<IdentityRole> roleManager)
    {
        string[] roles = { "Admin", "Manager", "User" };

        foreach (var role in roles)
        {
            // Create each role only once; seeding runs on every startup
            if (!await roleManager.RoleExistsAsync(role))
            {
                await roleManager.CreateAsync(new IdentityRole(role));
            }
        }
    }
}
Assigning Users to Roles
Add User to Role
C#
// 'user' is an IdentityUser loaded via _userManager (e.g. FindByIdAsync);
// the role must already exist (see SeedData above)
await _userManager.AddToRoleAsync(user, "Admin");

// Add to multiple roles
await _userManager.AddToRolesAsync(user, new[] { "Manager", "User" });

// Role membership is copied into the user's claims at sign-in, so an already
// signed-in user sees the new role only after signing in again (or after the
// security stamp is re-validated)
[Authorize(Roles)] Attribute
Single Role
Require Admin Role
C#
[Authorize(Roles = "Admin")]
public class AdminController : Controller
{
    public IActionResult Index()
    {
        return View();
    }
}
Multiple Roles (OR)
Require Admin OR Manager
C#
[Authorize(Roles = "Admin,Manager")]
public IActionResult Dashboard()
{
    return View();
}
Multiple Roles (AND)
Require Admin AND Manager
Each [Authorize] attribute is evaluated on its own, so stacking two of them means the user must satisfy both.
C#
[Authorize(Roles = "Admin")]
[Authorize(Roles = "Manager")]
public IActionResult SuperAdmin()
{
    return View();
}
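As an added example (not part of the original lesson or the InvenTrack project), the same OR and AND rules expressed as named policies in Program.cs, so the role logic is declared once and referenced by name from controllers. It assumes the Identity setup from the earlier sections is already registered; the policy names, ReportsController and its actions are chosen here for illustration.

```csharp
// Program.cs (added example; assumes AddIdentity<IdentityUser, IdentityRole> is configured)
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;

var builder = WebApplication.CreateBuilder(args);
builder.Services.AddControllersWithViews();

builder.Services.AddAuthorization(options =>
{
    // OR: equivalent to [Authorize(Roles = "Admin,Manager")]
    options.AddPolicy("AdminOrManager", policy =>
        policy.RequireRole("Admin", "Manager"));

    // AND: equivalent to stacking [Authorize(Roles = "Admin")] and [Authorize(Roles = "Manager")].
    // Each RequireRole call adds a separate requirement, and every requirement must pass.
    options.AddPolicy("AdminAndManager", policy =>
        policy.RequireRole("Admin")
              .RequireRole("Manager"));

    // Defence in depth: an action with no [Authorize] or [AllowAnonymous] of its own
    // requires an authenticated user instead of silently being public.
    options.FallbackPolicy = new AuthorizationPolicyBuilder()
        .RequireAuthenticatedUser()
        .Build();
});

var app = builder.Build();
app.UseAuthentication();
app.UseAuthorization();
app.MapDefaultControllerRoute();
app.Run();

// Hypothetical controller using the named policies instead of repeating role strings.
public class ReportsController : Controller
{
    [Authorize(Policy = "AdminOrManager")]
    public IActionResult Dashboard() => View();

    [Authorize(Policy = "AdminAndManager")]
    public IActionResult SuperAdmin() => View();

    [AllowAnonymous] // explicit opt-out from the fallback policy
    public IActionResult Public() => View();
}
```

Renaming a role now means changing one policy definition rather than every attribute that mentions it.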
Checking Roles in Code
Check User Role
C#
if (User.IsInRole("Admin"))
{
    // Admin-specific logic
}
In Views
HTML
@if (User.IsInRole("Admin"))
{
    <a href="/admin">Admin Panel</a>
}
InvenTrack Example
ProductsController.cs
C#
public class ProductsController : Controller
{
    [Authorize]
    public IActionResult Index()
    {
        return View(); // All authenticated users
    }

    [Authorize(Roles = "Admin,Manager")]
    public IActionResult Create()
    {
        return View(); // Admin or Manager only
    }

    [Authorize(Roles = "Admin")]
    [HttpPost]                 // state-changing action: not reachable through a plain GET link
    [ValidateAntiForgeryToken] // reject forged cross-site form posts
    public async Task<IActionResult> Delete(int id)
    {
        // Admin only
        var product = await _context.Products.FindAsync(id);
        if (product == null)
        {
            return NotFound(); // Remove() throws on null, so check instead of using '!'
        }

        _context.Products.Remove(product);
        await _context.SaveChangesAsync();
        return RedirectToAction("Index");
    }
}
Key Takeaways
- Roles: Group users with similar permissions
- RoleManager: Create and manage roles
- AddToRoleAsync(): Assign user to role
- [Authorize(Roles)]: Require specific role(s)
- Comma-separated: OR logic (Admin,Manager)
- Multiple attributes: AND logic
- User.IsInRole(): Check role in code/views