Authorizing live site actions via roles

After you integrate Kentico membership into your MVC live site project and set up authentication, you can use roles to restrict access to your site’s functionality or content.

Restricting access to site content using roles

Add the Authorize attribute from the System.Web.Mvc namespace to your controller classes or action methods. Set the attribute’s Roles property and identify the required Kentico roles using their Role name(not the display name).


        // Allows the "RestrictedPage" action only for signed in users who belong to the "KenticoRole" role
        [Authorize(Roles = "KenticoRole")]
        public ActionResult RestrictedPage()
            return View();

The standard MVC framework behavior applies if an unauthorized user tries to access an action or controller – the application returns a 401 Unauthorized HTTP status code, causing a redirect to your site’s sign-in page if one is configured.

When determining whether a user is a member of a Kentico role on an MVC site, the following conditions apply:

  • The role must be assigned to the user for the given MVC site or as a global role. Roles assigned for other sites in the Kentico system are not recognized.

    Kentico matches sites to MVC applications based on the Presentation URL or Domain name set for sites in the Sites application.

  • Roles limited by the Valid to setting are not recognized by MVC applications after their expiration date.

  • Roles assigned indirectly through memberships are also valid and recognized by MVC applications.


  • When a user’s roles are modified in Kentico, the changes apply only after the user signs out and in again on the MVC site.
  • The Authorize attribute does NOT reflect Kentico permission settings for roles (for example page-level permissions). The only relevant factor is whether a user belongs to the specified roles.
  • The Privilege level set for users in Kentico does NOT affect the Authorize attribute on MVC sites. This means administrators cannot bypass role requirements like they do in the Kentico administration interface and on Portal Engine sites.

Restricting access to entire sites using authorization

If you wish to enforce authorization over the entire MVC site (e.g., for Intranet purposes), you need to implement the authorization pipeline in a way that does not conflict with internal system logic. Otherwise, you may encounter issues with both page and form builder functionality and other Kentico features.

Use the following approach:

  1. Create a base controller class that inherits from System.Web.Mvc.Controller and decorate it with the Authorize attribute. In the attribute’s Roles parameter, specify the roles that should have access to the restricted content.

     using System.Web.Mvc;
     [Authorize(Roles = "IntranetUser")]
     public class BaseController : Controller
  2. Derive all custom controllers used on your site from this base controller. This secures your website and ensures no internal Kentico logic gets disrupted.

     using System.Web.Mvc;
     public class HomeController : BaseController

    You can allow access for users in different roles by placing additional Authorize attributes over the derived controllers. Authorize attributes placed over the derived controllers override the one inherited from the base controller. Use this approach to, for example, open sections of the site only to users in certain roles.

     [Authorize(Roles = "IntranetAdministrator")]
     public class AccountsOverviewController : BaseController

Visiting any portion of the site now prompts users for their authentication credentials. If they do not meet the authorization criteria, the are prevented from accessing the secured content.

To allow anonymous users access to sections of the site (landing pages, etc.), decorate the corresponding controller or action with the AllowAnonymous attribute.