Martin Helgesen
Nov 30, 2010
(3 votes)

Virtual Roles and access control in EPiServer

In some scenarios in EPiServer you may need to create your own logic for accessing specific pages.
This can be done in several ways, but one of them is to implement your own Virtual Role. EPiServer default includes a set of virtual roles which are being used frequently.

Let’s say you have an open webportal in your company, no need to log in. And one department in the company, located in another part of the world, should see a set of pages (and its children), while the rest of the company should not. This department has specific IP addresses so we can recognize a request from this specific department from the IP address.

One solution would be to create a virtual role that compares the request IP to a set of pre-defined IP ranges (e.g from a config file). Let’s call this role “Employee”. you have to register it in web.config like this (added to the bottom after the default roles):

<virtualRoles replacePrincipal="true">
<add name="Administrators" type="EPiServer.Security.WindowsAdministratorsRole, EPiServer" />
<add name="Everyone" type="EPiServer.Security.EveryoneRole, EPiServer" />
<add name="Authenticated" type="EPiServer.Security.AuthenticatedRole, EPiServer" />
<add name="Anonymous" type="EPiServer.Security.AnonymousRole, EPiServer" />
<add name="Creator" type="EPiServer.Security.CreatorRole, EPiServer" />
<add name="Employee" type="YourType, YourAssembly" />

Then you have to create the implementation of the class. Inherit from the EPiServer.Security.VirtualRoleProviderBaseclass. Here is a class that compares the requests IP address:

public class EmployeeRole : EPiServer.Security.VirtualRoleProviderBase
        public override bool IsInVirtualRole(IPrincipal principal, object context)
            var clientIpAddress = HttpContext.Current.Request.UserHostAddress;
            var validAddresses = new System.Xml.XmlDocument();
            var isequal = validAddresses.SelectNodes("//IPSet/ip").Cast().Any(node =&gt; IsInRange(clientIpAddress, node));
            return isequal;
        }   private static bool IsInRange(string clientIpAddress, XmlNode node)
            byte[] clientIP = IPAddress.Parse(clientIpAddress).GetAddressBytes();
            byte[] mask = IPAddress.Parse(node.Attributes["mask"].Value).GetAddressBytes();
            byte[] ip = IPAddress.Parse(node.Attributes["address"].Value).GetAddressBytes();
            bool isequal = true;
            for (int i = 0; i &lt; ip.Length; i++)
                if ((clientIP[i] &amp; mask[i]) != ip[i])
                    isequal = false;
            return isequal;

There you are finished creating your role!
But how do you assign this role read-rights to a specific page and its subpages? Do it in edit mode. But first, you have to create a new group with the same name as the role you just created. EPi will then automatically associate this group with your created Virtual Role.
After this, you can just add access rights for the group “Employee” to the pages in EPi you want.

Nov 30, 2010


Arild Henrichsen
Arild Henrichsen Jan 3, 2011 09:33 AM

Just used the same technique in a Norwegian government agency project I was working on, quick and easy to implement.
Allan Thraen previously blogged about this:
(source code for sample Virtual Roles can be found at

Please login to comment.
Latest blogs
Zombie Properties want to Eat Your Brains

It’s a story as old as time. You work hard to build a great site. You have all the right properties – with descriptive names – that the content...

Joe Mayberry | Mar 29, 2023 | Syndicated blog

Optimizely finally releases new and improved list properties!

For years, the Generic PropertyList has been widely used, despite it being unsupported. Today a better option is released!

Tomas Hensrud Gulla | Mar 28, 2023 | Syndicated blog

Official List property support

Introduction Until now users were able to store list properties in three ways: Store simple types (int, string, DateTime, double) as native...

Bartosz Sekula | Mar 28, 2023

New dashboard implemented in CMS UI 12.18.0

As part of the CMS UI 12.18.0 release , a new dashboard has been added as a ‘one stop shop’ to enable editors to access all of their content items,...

Matthew Slim | Mar 28, 2023