Views: 8417
Number of votes: 3
Average rating:

Virtual Roles and access control in EPiServer

In some scenarios in EPiServer you may need to create your own logic for accessing specific pages.
This can be done in several ways, but one of them is to implement your own Virtual Role. EPiServer default includes a set of virtual roles which are being used frequently.

Let’s say you have an open webportal in your company, no need to log in. And one department in the company, located in another part of the world, should see a set of pages (and its children), while the rest of the company should not. This department has specific IP addresses so we can recognize a request from this specific department from the IP address.

One solution would be to create a virtual role that compares the request IP to a set of pre-defined IP ranges (e.g from a config file). Let’s call this role “Employee”. you have to register it in web.config like this (added to the bottom after the default roles):

<virtualRoles replacePrincipal="true">
<add name="Administrators" type="EPiServer.Security.WindowsAdministratorsRole, EPiServer" />
<add name="Everyone" type="EPiServer.Security.EveryoneRole, EPiServer" />
<add name="Authenticated" type="EPiServer.Security.AuthenticatedRole, EPiServer" />
<add name="Anonymous" type="EPiServer.Security.AnonymousRole, EPiServer" />
<add name="Creator" type="EPiServer.Security.CreatorRole, EPiServer" />
<add name="Employee" type="YourType, YourAssembly" />

Then you have to create the implementation of the class. Inherit from the EPiServer.Security.VirtualRoleProviderBaseclass. Here is a class that compares the requests IP address:

public class EmployeeRole : EPiServer.Security.VirtualRoleProviderBase
        public override bool IsInVirtualRole(IPrincipal principal, object context)
            var clientIpAddress = HttpContext.Current.Request.UserHostAddress;
            var validAddresses = new System.Xml.XmlDocument();
            var isequal = validAddresses.SelectNodes("//IPSet/ip").Cast().Any(node =&gt; IsInRange(clientIpAddress, node));
            return isequal;
        }   private static bool IsInRange(string clientIpAddress, XmlNode node)
            byte[] clientIP = IPAddress.Parse(clientIpAddress).GetAddressBytes();
            byte[] mask = IPAddress.Parse(node.Attributes["mask"].Value).GetAddressBytes();
            byte[] ip = IPAddress.Parse(node.Attributes["address"].Value).GetAddressBytes();
            bool isequal = true;
            for (int i = 0; i &lt; ip.Length; i++)
                if ((clientIP[i] &amp; mask[i]) != ip[i])
                    isequal = false;
            return isequal;

There you are finished creating your role!
But how do you assign this role read-rights to a specific page and its subpages? Do it in edit mode. But first, you have to create a new group with the same name as the role you just created. EPi will then automatically associate this group with your created Virtual Role.
After this, you can just add access rights for the group “Employee” to the pages in EPi you want.

Nov 30, 2010

Arild Henrichsen
( By Arild Henrichsen, 1/3/2011 9:33:28 AM)

Just used the same technique in a Norwegian government agency project I was working on, quick and easy to implement.
Allan Thraen previously blogged about this:
(source code for sample Virtual Roles can be found at

Please login to comment.