You can use the WindowsPrincipal class to access the WindowsIdentity object through its Identity property. This is relevant when your project uses Windows authentication: the User property in your code then returns an IPrincipal object that is an instance of the WindowsPrincipal class. The class implements four overloads of IsInRole(), all of which check whether the user is in a specified Windows user group:
– IsInRole(string) accepts the name of the Windows user group to check.
– IsInRole(int) expects an integer relative identifier (RID) that refers to a user group.
– IsInRole(WindowsBuiltInRole) expects a member of the WindowsBuiltInRole enumeration (see the table below).
– IsInRole(SecurityIdentifier) expects the security identifier (SID) that belongs to the Windows user group.
You can use the following code to test whether the user is in a predefined Windows role:
using System.Security.Principal;
// ... other code is skipped
if (Request.IsAuthenticated)
{
    lblInfoText.Text = "<b>Name: </b>" + User.Identity.Name;
    if (User is WindowsPrincipal)
    {
        // You must cast the User object to a WindowsPrincipal to access this Windows-specific functionality.
        // This cast will not work with forms authentication enabled and with the roles API enabled.
        WindowsPrincipal principal = (WindowsPrincipal)User;
        lblInfoText.Text += "<br><b>System Operator? </b>";
        lblInfoText.Text += principal.IsInRole(WindowsBuiltInRole.SystemOperator).ToString();
    }
}
The next picture shows the result:
The next table lists possible values for the WindowsBuiltInRole enumeration:
Role | Description |
AccountOperator | Users with the special responsibility of managing the user accounts on a computer or domain. |
Administrator | Users with complete and unrestricted access to the computer or domain. |
BackupOperator | Users who can override certain security restrictions only as part of backing up or restoring operations. |
Guest | Like the User role but even more restrictive. |
PowerUser | Similar to Administrator but with some restrictions. |
PrintOperator | Like a User but with additional privileges for taking control of a printer. |
Replicator | Like a User but with additional privileges to support file replication in a domain. |
SystemOperator | Similar to Administrator but with some restrictions. Generally, system operators manage a particular computer. |
User | Users are restricted accounts that are prevented from making system-wide changes. |
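The four IsInRole() overloads listed at the top of this article can be compared by asking each one the same question. The following is an added example, not code from the original article: it assumes a Windows console program and uses the current process identity (WindowsIdentity.GetCurrent()) in place of the page's User property; the class name is hypothetical.

```csharp
using System;
using System.Security.Principal;

// Added example: each IsInRole overload checks membership in the same group,
// the built-in Administrators group (SID S-1-5-32-544, RID 544).
// Assumption: Windows console program running under the identity to be tested.
static class IsInRoleOverloads
{
    static void Main()
    {
        using (WindowsIdentity identity = WindowsIdentity.GetCurrent())
        {
            var principal = new WindowsPrincipal(identity);

            // 1. WindowsBuiltInRole overload.
            bool byEnum = principal.IsInRole(WindowsBuiltInRole.Administrator);

            // 2. int overload: the enumeration's numeric values are the RIDs,
            //    so the cast yields 544 for Administrator.
            bool byRid = principal.IsInRole((int)WindowsBuiltInRole.Administrator);

            // 3. SecurityIdentifier overload: build the well-known SID directly.
            //    No domain SID is needed for a BUILTIN group, hence null.
            var adminsSid = new SecurityIdentifier(
                WellKnownSidType.BuiltinAdministratorsSid, null);
            bool bySid = principal.IsInRole(adminsSid);

            // 4. string overload: the group name is localized on non-English
            //    Windows, so it is resolved from the SID instead of hard-coded.
            string groupName = adminsSid.Translate(typeof(NTAccount)).Value;
            bool byName = principal.IsInRole(groupName);

            Console.WriteLine("Identity:  " + identity.Name);
            Console.WriteLine("Group:     " + groupName + " (" + adminsSid.Value + ")");
            Console.WriteLine("By enum:   " + byEnum);
            Console.WriteLine("By RID:    " + byRid);
            Console.WriteLine("By SID:    " + bySid);
            Console.WriteLine("By name:   " + byName);

            // With UAC enabled, a non-elevated process holds a filtered token in
            // which Administrators is deny-only, so every check above returns
            // False even when the account is a member of the group.
        }
    }
}
```

For authorization decisions, the enumeration and SID overloads are the more robust choice, because a hard-coded group name breaks on localized or renamed groups.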