Authorize using roles
Xperience by Kentico integrates with ASP.NET Identity role management to provide member role functionality. Member roles allow you to categorize registered members and restrict access, assign benefits, or run any custom logic based on role membership.
Roles are represented by the ApplicationRole class, which maps to the MemberRoleInfo object in the Xperience database. The system supports creating, assigning, and querying roles through standard ASP.NET Identity APIs.
Enable role management
To use member roles, register the role store and role manager when configuring ASP.NET Identity in Program.cs:
// Adds and configures ASP.NET Identity for the application
builder.Services.AddIdentity<ApplicationUser, ApplicationRole>(options =>
{
})
.AddUserStore<ApplicationUserStore<ApplicationUser>>()
.AddRoleStore<ApplicationRoleStore<ApplicationRole>>()
.AddUserManager<UserManager<ApplicationUser>>()
.AddRoleManager<RoleManager<ApplicationRole>>()
.AddSignInManager<SignInManager<ApplicationUser>>();
The key additions for role management are:
ApplicationRole– the Xperience implementation ofIdentityRole<int>, representing a member role withName,DisplayName, andDescriptionproperties.ApplicationRoleStore<ApplicationRole>– the Xperience role store that persists role data to the CMS_MemberRole database table.RoleManager<ApplicationRole>– the standard ASP.NET Identity role manager for CRUD operations on roles.
For more details on the overall Identity configuration, see Registration and authentication.
Manage roles
You can manage member roles using either the ASP.NET Identity RoleManager or the Xperience IInfoProvider<MemberRoleInfo> API.
Manage roles with RoleManager
Use RoleManager<ApplicationRole> for standard Identity-based role operations:
// Creates, finds, updates, and deletes roles using RoleManager
public async Task ManageRolesWithRoleManager()
{
// Creates a new role
ApplicationRole role = new ApplicationRole
{
Name = "Premium",
DisplayName = "Premium Member",
Description = "Members with premium access"
};
IdentityResult createResult = await roleManager.CreateAsync(role);
// Finds a role by name
ApplicationRole? foundRole = await roleManager.FindByNameAsync("Premium");
if (foundRole != null)
{
// Updates the role
foundRole.Description = "Updated premium member description";
IdentityResult updateResult = await roleManager.UpdateAsync(foundRole);
// Deletes the role
IdentityResult deleteResult = await roleManager.DeleteAsync(foundRole);
}
}
Manage roles with IInfoProvider
For more direct database-level access, use IInfoProvider<MemberRoleInfo>:
// Creates, retrieves, and deletes roles using IInfoProvider<MemberRoleInfo>
public void ManageRolesWithProvider()
{
// Creates a new role
MemberRoleInfo roleInfo = new MemberRoleInfo
{
MemberRoleName = "Premium",
MemberRoleDisplayName = "Premium Member",
MemberRoleDescription = "Members with premium access"
};
memberRoleProvider.Set(roleInfo);
// Retrieves a role by code name
MemberRoleInfo? retrievedRole = memberRoleProvider.Get("Premium");
// Retrieves all roles
IEnumerable<MemberRoleInfo> allRoles = memberRoleProvider.Get()
.GetEnumerableTypedResult();
// Deletes a role
if (retrievedRole != null)
{
memberRoleProvider.Delete(retrievedRole);
}
}
You can also manage roles through the administration in the Members application under the Member Roles tab.
Assign roles to members
Use the UserManager<ApplicationUser> methods to assign and manage role membership:
// Assigns and removes roles from members using UserManager
public async Task ManageUserRoles(ApplicationUser user)
{
// Assigns the "Premium" role to the member
IdentityResult addResult = await userManager.AddToRoleAsync(user, "Premium");
// Gets all roles assigned to the member
IList<string> roles = await userManager.GetRolesAsync(user);
// Checks if the member has a specific role
bool isPremium = await userManager.IsInRoleAsync(user, "Premium");
// Removes the "Premium" role from the member
IdentityResult removeResult = await userManager.RemoveFromRoleAsync(user, "Premium");
}
Role assignments are stored as binding objects (MemberRoleMemberInfo) in the CMS_MemberRoleMember database table.
Extend ApplicationRole
You can extend ApplicationRole with custom properties, following the same pattern as extending ApplicationUser (see Add fields to member objects).
ApplicationRole extends IdentityRole<int> and maps to CMS.Membership.MemberRoleInfo objects stored in the Xperience database. When saving or retrieving role data through ASP.NET Identity’s RoleManager, Xperience transfers data between ApplicationRole and MemberRoleInfo using the MapFromMemberRoleInfo and MapToMemberRoleInfo methods. This lets you expose custom role fields as strongly-typed properties on your extended role class.
ApplicationRoleStore<TRole> implements IRoleStore<TRole> and provides the CRUD operations that RoleManager uses to create, update, delete, and look up member roles in the Xperience database.
Override the MapFromMemberRoleInfo and MapToMemberRoleInfo methods to map custom fields:
// Extends the default Kentico.Membership.ApplicationRole object
public class ExtendedApplicationRole : ApplicationRole
{
// Custom property that corresponds to a custom field added to MemberRoleInfo
public int MaxDownloads { get; set; }
// Maps data from MemberRoleInfo to the extended role object
// Called when retrieving roles via RoleManager<ExtendedApplicationRole>
public override void MapFromMemberRoleInfo(MemberRoleInfo source)
{
// Calls the base class implementation
base.MapFromMemberRoleInfo(source);
// Maps the custom 'MaxDownloads' property
MaxDownloads = source.GetValue("MemberRoleMaxDownloads", 0);
}
// Maps data from the extended role object back to MemberRoleInfo
// Called when creating or updating roles via RoleManager<ExtendedApplicationRole>
public override void MapToMemberRoleInfo(MemberRoleInfo target)
{
// Calls the base class implementation
base.MapToMemberRoleInfo(target);
// Sets the value of the custom field in MemberRoleInfo
target.SetValue("MemberRoleMaxDownloads", MaxDownloads);
}
}
To use the extended role class, substitute ApplicationRole with your extended class in the Identity configuration:
builder.Services.AddIdentity<ApplicationUser, ExtendedApplicationRole>(options =>
{
// ...
})
.AddUserStore<ApplicationUserStore<ApplicationUser>>()
.AddRoleStore<ApplicationRoleStore<ExtendedApplicationRole>>()
.AddUserManager<UserManager<ApplicationUser>>()
.AddRoleManager<RoleManager<ExtendedApplicationRole>>()
.AddSignInManager<SignInManager<ApplicationUser>>();
Authorize with roles
Use the standard ASP.NET [Authorize] attribute with the Roles parameter to restrict access to controllers or actions based on member roles:
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;
// Only members with the "Premium" role can access this controller
[Authorize(Roles = "Premium")]
public class PremiumContentController : Controller
{
public IActionResult Index()
{
return View();
}
}
For more advanced authorization scenarios, see ASP.NET Core role-based authorization and Secure custom endpoints.
Integrate custom authorization logic
Xperience’s built-in content security pipeline — the HasAccess method, ContentItemIsSecured property, and the secured-item filtering in ContentRetriever — evaluates only the three-tier access model (public, authenticated, role-restricted) described on Secure content items. The pipeline does not expose extension points for injecting additional authorization rules.
If your application requires authorization logic beyond the built-in model, apply those checks after Xperience’s content security evaluation resolves. In practice this means working at the controller or business-service layer:
- Retrieve content and let the built-in pipeline handle the standard access evaluation (e.g., via
HasAccess). - Apply your own authorization rules on the already-evaluated results.
Remarks
Changing role assignments for signed-in members
When you add or remove roles for a member who is already signed in, the change is not reflected immediately. The member can continue using the role information stored in their current authentication cookie until the next revalidation event. This means role-based access can remain granted or unavailable for up to 30 minutes by default.
If you need role changes to take effect immediately, configure SecurityStampValidatorOptions as described in Registration and authentication.
Page preview mode
Role-restricted content is accessible when previewing pages in the administration or through Page Builder. Preview mode bypasses role checks, allowing editors to view content regardless of role assignments.