Use declarative security to show a Security trimmed navigation Menu along with enforcing role based security for your website

Hi All,

Here is what we are trying to achieve in this article.

  • Provide site-wide security without writing a single line of code
  • Show navigation menus that automatically hide the options the user doesn’t have access to (also called Security Trimming)
  • Use declarative syntax in web.config to tighten your security so that even if the user knows a particular URL, he cannot get to it unless he is explicitly granted access to that URL.

Background :-
I have this hierarchy of folders



|—AdminPage.aspx (Only admins should have access to this page, and the menu control shouldn’t show this option)

I am using an asp:Menu control. I want all logged-in users to see every menu option except the AdminPage link, and I want the administrator to see every single menu option.

Here is a snapshot of the relevant tags from my web.config file:

<!-- In this case my roles are stored in an XML file; your roles can reside in SQL Server or AD or ADAM, it doesn't matter -->
<connectionStrings>
  <add name="AzManPolicyStore" connectionString="msxml://C:/Azman.xml" />
</connectionStrings>

<system.web>

  <!-- Here is how we enable the role manager. In this case the built-in ASP.NET website config tool will automatically read and write roles and their membership info in the file mentioned above, i.e. Azman.xml -->
  <roleManager enabled="true" defaultProvider="RoleManagerProvider">
    <providers>
      <add name="RoleManagerProvider"
           type="System.Web.Security.AuthorizationStoreRoleProvider, System.Web, Version=, Culture=neutral, publicKeyToken=b03f5f7f11d50a3a" />
    </providers>
  </roleManager>

  <!-- To make security trimming and declarative security work, we need to follow the pessimistic approach, i.e. first we deny everyone access to our website -->
  <authorization>
    <deny users="*" />
  </authorization>

</system.web>


<!-- Then we selectively start permitting users and/or roles access to folders/files -->
<location path="UserManagement">
  <system.web>
    <authorization>
      <allow roles="Administrators, Managers, Users" />
    </authorization>
  </system.web>
</location>




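<!-- Deny access to everyone except Admin on the Admin-only page. Rules are evaluated top-down and the first match wins, so the allow has to come before the deny. -->
<location path="UserManagement/AdminPage.aspx">
  <system.web>
    <authorization>
      <allow roles="Administrators" />
      <deny users="*" />
    </authorization>
  </system.web>
</location>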
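ASP.NET URL authorization merges the rules that apply to a URL, most specific location block first, and stops at the first rule that matches, so the order of allow and deny inside a block decides the outcome. The Python sketch below is an added example, not code from the original post: it models that evaluation over a constructed web.config, and the function names (is_allowed, merged_rules, matches) are hypothetical.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the article's rules, with deny listed before allow in
# the AdminPage.aspx block so the effect of rule order is visible.
WEB_CONFIG = """
<configuration>
  <system.web><authorization><deny users="*"/></authorization></system.web>
  <location path="UserManagement">
    <system.web><authorization>
      <allow roles="Administrators, Managers, Users"/>
    </authorization></system.web>
  </location>
  <location path="UserManagement/AdminPage.aspx">
    <system.web><authorization>
      <deny users="*"/><allow roles="Administrators"/>
    </authorization></system.web>
  </location>
</configuration>
"""

def merged_rules(root, url_path):
    """Rules that apply to url_path: most specific <location> first, root last."""
    scopes = [("", root.find("system.web/authorization"))]
    for loc in root.findall("location"):
        prefix = loc.get("path", "").strip("/").lower()
        if url_path == prefix or url_path.startswith(prefix + "/"):
            scopes.append((prefix, loc.find("system.web/authorization")))
    scopes.sort(key=lambda s: len(s[0]), reverse=True)
    return [rule for _, auth in scopes if auth is not None for rule in auth]

def matches(rule, user, roles):
    """users='*' is everyone, '?' is anonymous (user=None); roles match by name."""
    split = lambda v: [x.strip().lower() for x in (v or "").split(",") if x.strip()]
    users, rule_roles = split(rule.get("users")), split(rule.get("roles"))
    if "*" in users or ("?" in users and user is None):
        return True
    if user is not None and user.lower() in users:
        return True
    return any(r.lower() in rule_roles for r in roles)

def is_allowed(config_xml, url_path, user, roles=()):
    """First matching rule decides; with no match the machine default allows."""
    root = ET.fromstring(config_xml)
    for rule in merged_rules(root, url_path.strip("/").lower()):
        if matches(rule, user, roles):
            return rule.tag == "allow"
    return True
```

With the deny-first block even a member of Administrators is refused AdminPage.aspx; swapping the two rules admits Administrators and still refuses everyone else.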




Here is the excerpt from my Default.aspx page, which has the menu control:

<asp:Menu ID="Menu1" runat="server" DataSourceID="SiteMapDataSource1">
</asp:Menu>

<!-- Note that I am explicitly setting the SiteMapProvider attribute, although if I don't mention it, it should pick up the default provider. But this is what made the security trimming work for me. If you don't do this, the security trimming in menus will not work! -->
<asp:SiteMapDataSource ID="SiteMapDataSource1" runat="server" SiteMapProvider="XmlSiteMapProvider" />



Here is my Web.sitemap file:

<?xml version="1.0" encoding="utf-8" ?>
<siteMap xmlns="">
  <siteMapNode url="~/Default.aspx" title="Home" description="">
    <siteMapNode url="~/UserManagement/Default.aspx" title="Manage security settings" description="" />
    <siteMapNode url="~/UserManagement/ChangePass.aspx" title="Change your password" description="" />
    <siteMapNode url="~/UserManagement/AdminPage.aspx" title="Admin Only Functions" description="" />
  </siteMapNode>
</siteMap>






That's it. Just by following these simple steps, you will have rock solid security for your website. And you don’t have to write a single line of code either.


