Authorizing live site actions via roles

After you integrate Kentico membership into your MVC live site project and set up authentication, you can use roles to restrict access to your site's functionality or content.

Add the Authorize attribute from the System.Web.Mvc namespace to your controller classes or action methods. Set the attribute's Roles property and identify the required Kentico roles using their Role name (the code name, not the display name). To accept several roles, separate their names with commas; the user must belong to at least one of the listed roles. The attribute is evaluated on the server for every request, so it protects the action even when a user types the URL directly instead of following a link.

Example
        // The Authorize attribute lives in System.Web.Mvc
        using System.Web.Mvc;

        // Inside a class derived from System.Web.Mvc.Controller:
        // Allows the "RestrictedPage" action only for signed in users who belong to the "KenticoRole" role
        [Authorize(Roles = "KenticoRole")]
        public ActionResult RestrictedPage()
        {
            return View();
        }

The standard MVC framework behavior applies if an unauthorized user tries to access an action or controller: the application returns a 401 Unauthorized HTTP status code, causing a redirect to your site's sign-in page if one is configured. Note that the framework does not distinguish between a visitor who is not signed in and a signed-in user who simply lacks the required role; both receive the 401 and are sent to the sign-in page.
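The following is an added example (not code from the Kentico documentation or the Kentico.Membership package) that shows how the Authorize attribute composes in practice: a controller-level requirement with comma-separated roles, an action opened to anonymous users with AllowAnonymous, an action that stacks a stricter requirement on top of the class-level one, and a small subclass of AuthorizeAttribute that returns 403 Forbidden to signed-in users who lack the role instead of the default 401, so they are not bounced back to the sign-in page they already passed. It assumes ASP.NET MVC 5 with forms authentication; the controller name, the action names and the role names "Editors" and "Managers" are placeholders and must be replaced with Role names that exist in your Kentico instance.

```csharp
using System.Net;
using System.Web.Mvc;

// Same role check as the built-in AuthorizeAttribute (which uses IPrincipal.IsInRole,
// backed by Kentico membership), but with a different failure response for users who
// are already signed in: a 403 instead of the 401 that forms authentication turns into
// a redirect to the sign-in page.
public class KenticoRoleAuthorizeAttribute : AuthorizeAttribute
{
    protected override void HandleUnauthorizedRequest(AuthorizationContext filterContext)
    {
        var user = filterContext.HttpContext.User;
        if (user != null && user.Identity != null && user.Identity.IsAuthenticated)
        {
            // Signed in, but not a member of any of the required roles: deny outright.
            filterContext.Result = new HttpStatusCodeResult(HttpStatusCode.Forbidden);
            return;
        }

        // Not signed in: keep the default behavior (401, redirect to the sign-in page).
        base.HandleUnauthorizedRequest(filterContext);
    }
}

// Class-level attribute: every action requires membership in at least one of the listed
// roles (comma-separated role names are OR-ed). "Editors" and "Managers" are assumed
// Kentico Role names for this example.
[KenticoRoleAuthorize(Roles = "Editors,Managers")]
public class ReportsController : Controller
{
    // AllowAnonymous overrides the class-level requirement for this single action.
    [AllowAnonymous]
    public ActionResult Index()
    {
        return View();
    }

    // Inherits the Editors-or-Managers requirement from the class.
    public ActionResult Dashboard()
    {
        return View();
    }

    // Authorize attributes stack: the request must pass the class-level check and this
    // one, so only members of "Managers" reach this action.
    [KenticoRoleAuthorize(Roles = "Managers")]
    public ActionResult Export()
    {
        // Role membership can also be checked imperatively for finer-grained branching
        // inside an action or view; this is the same check the attribute performs.
        ViewBag.CanPurgeReports = User.IsInRole("Managers");
        return View();
    }
}
```

Keep the custom attribute's role semantics identical to the built-in one (it only changes the failure response), and remember that the 403 path applies to any signed-in user regardless of Kentico privilege level, matching the note below that administrators get no bypass on MVC sites.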

When determining whether a user is a member of a Kentico role on an MVC site, the following conditions apply:

  • The role must be assigned to the user for the given MVC site or as a global role. Roles assigned for other sites in the Kentico system are not recognized.

    Kentico matches sites to MVC applications based on the Presentation URL or Domain name set for sites in the Sites application.

  • Roles limited by the Valid to setting are not recognized by MVC applications after their expiration date.
  • Roles assigned indirectly through memberships are also valid and recognized by MVC applications.

Note

  • When a user's roles are modified in Kentico, the changes apply only after the user signs out and in again on the MVC site. Removing a user from a role therefore does not revoke that user's access on the MVC site until their current sign-in ends.
  • The Authorize attribute does NOT reflect Kentico permission settings for roles (for example page-level permissions). The only relevant factor is whether a user belongs to the specified roles.
  • The Privilege level set for users in Kentico does NOT affect the Authorize attribute on MVC sites. This means administrators cannot bypass role requirements like they do in the Kentico administration interface and on Portal Engine sites.
