Martin Helgesen
Nov 30, 2010
  9846
(3 votes)

Virtual Roles and access control in EPiServer

In some scenarios in EPiServer you may need to create your own logic for accessing specific pages.
This can be done in several ways, but one of them is to implement your own Virtual Role. EPiServer default includes a set of virtual roles which are being used frequently.

Let’s say you have an open webportal in your company, no need to log in. And one department in the company, located in another part of the world, should see a set of pages (and its children), while the rest of the company should not. This department has specific IP addresses so we can recognize a request from this specific department from the IP address.

One solution would be to create a virtual role that compares the request IP to a set of pre-defined IP ranges (e.g from a config file). Let’s call this role “Employee”. you have to register it in web.config like this (added to the bottom after the default roles):

<virtualRoles replacePrincipal="true">
<providers>
<add name="Administrators" type="EPiServer.Security.WindowsAdministratorsRole, EPiServer" />
<add name="Everyone" type="EPiServer.Security.EveryoneRole, EPiServer" />
<add name="Authenticated" type="EPiServer.Security.AuthenticatedRole, EPiServer" />
<add name="Anonymous" type="EPiServer.Security.AnonymousRole, EPiServer" />
<add name="Creator" type="EPiServer.Security.CreatorRole, EPiServer" />
<add name="Employee" type="YourType, YourAssembly" />
</providers>
</virtualRoles>

Then you have to create the implementation of the class. Inherit from the EPiServer.Security.VirtualRoleProviderBaseclass. Here is a class that compares the requests IP address:

public class EmployeeRole : EPiServer.Security.VirtualRoleProviderBase
    {
        public override bool IsInVirtualRole(IPrincipal principal, object context)
        {
            var clientIpAddress = HttpContext.Current.Request.UserHostAddress;
            var validAddresses = new System.Xml.XmlDocument();
            validAddresses.Load(System.Web.HttpContext.Current.Server.MapPath("/ipaddresses.config"));
            var isequal = validAddresses.SelectNodes("//IPSet/ip").Cast().Any(node =&gt; IsInRange(clientIpAddress, node));
            return isequal;
        }   private static bool IsInRange(string clientIpAddress, XmlNode node)
        {
            byte[] clientIP = IPAddress.Parse(clientIpAddress).GetAddressBytes();
            byte[] mask = IPAddress.Parse(node.Attributes["mask"].Value).GetAddressBytes();
            byte[] ip = IPAddress.Parse(node.Attributes["address"].Value).GetAddressBytes();
            bool isequal = true;
            for (int i = 0; i &lt; ip.Length; i++)
                if ((clientIP[i] &amp; mask[i]) != ip[i])
                {
                    isequal = false;
                    break;
                }
            return isequal;
        }
    }

There you are finished creating your role!
But how do you assign this role read-rights to a specific page and its subpages? Do it in edit mode. But first, you have to create a new group with the same name as the role you just created. EPi will then automatically associate this group with your created Virtual Role.
After this, you can just add access rights for the group “Employee” to the pages in EPi you want.

Nov 30, 2010

Comments

Arild Henrichsen
Arild Henrichsen Jan 3, 2011 09:33 AM

Just used the same technique in a Norwegian government agency project I was working on, quick and easy to implement.
Allan Thraen previously blogged about this:
http://labs.episerver.com/en/Blogs/Allan/Dates/2009/9/I-am-virtually-in-the-role-dude/
http://labs.episerver.com/en/Blogs/Allan/Dates/2010/1/Virtual-Roles-and-Visitor-Segmentation/
(source code for sample Virtual Roles can be found at http://virtualroles.codeplex.com/)

Please login to comment.
Latest blogs
Enhance Your Writing with Suggestions

Are you tired of staring at a blank screen, struggling to find the right words? The Epicweb.Optimizely.AIAssistant Addon is here to revolutionize...

Luc Gosso (MVP) | May 31, 2023 | Syndicated blog

Content Graph - Letting GraphQL do all the hard work for you

Background As we have seen before, setting up Content Graph on the CMS side is pretty easy. However, when it comes to the “head” part of the setup,...

Kunal Shetye | May 26, 2023 | Syndicated blog

Improved headless functionality in Customized Commerce

Did you know that with the release of Content Delivery Commerce API 3.7 we have massively improved the out of the box headless capabilities of...

Marcus Hoffmann | May 25, 2023

Boost Your Productivity with the AI Assistant Addon for Optimizely Content Cloud

In today's fast-paced digital world, efficiency and convenience are paramount. That's why we're excited to introduce the Optimizely AI-Assistant...

Luc Gosso (MVP) | May 25, 2023 | Syndicated blog