ASP.NET MVC Authorize user with many roles


I need to authorize a Controller in my ASP.NET MVC application to users which have two roles. I am using Authorize attribute like this:

[Authorize(Roles = "Producer, Editor")]

But this allows Producers and Editors to the controller. I want only to allow users having both roles, not just one of them.

How could i achive this?


As the question states, when multiple roles are given in a single Authorize() call they are applied such that if the user belongs to any of the roles listed they will be granted access; like a logical OR operator.

Alternatively, to achieve the effect of a logical AND operator you can apply the Authorize attribute multiple times. Eg..

[Authorize(Roles = "Producer")]
[Authorize(Roles = "Editor")]
public ActionResult Details(int id) {
    // Only available to users who are Producers AND Editors

For the example above, the action body is accessible only to users who belong to the Producer and the Editor roles.

Rudi points out in the comments this lets you create some reasonably complex access rules without needing to implement a custom AuthorizeAttribute. For example, in the code below users can execute the action if they are both: a) in the Enabled role and b) in either the Editor or Admin roles.

[Authorize(Roles = "Enabled")]
[Authorize(Roles = "Editor,Admin")]
public ActionResult Details(int id) {
    // Only available to users who are Enabled AND either an Admin OR an Editor

I'm not sure which version brought this in but it works in at least MVC 4 and 5.

Collected from the Internet

Please contact [email protected] to delete if infringement.

edited at


Login to comment


ASP.NET MVC 4 Custom Authorize Attribute with Permission Codes (without roles)

Custom user authorization based with roles in mvc

How to add a simple user roles - ASP.NET MVC C#

user roles and permission in mvc MVC - Authorize controller for one user/role but all users for one action

Adding custom roles to windows roles in ASP.NET MVC 5

Dynamically add roles to authorize attribute for controller in ASP.NET 5

How to create a Custom Authorize Attribute by comparing User Id stored in table with Current User Id in MVC 5?

How to authorize user who logged in using external login in Asp.Net MVC

ASP.Net MVC List of User and their Roles

`[Authorize(Roles = "admin")]` Infinite loop ASP.NET MVC and Azure Active Directory B2C

How [Authorize] attribute get to know that the user is authenticate in ASP.NET MVC, is it by using authentication token?

Asp.Net Core Identity - Authorize attribute with roles and caching?

How to structure a .NET Core MVC project for multiple user roles?

ASP.Net MVC SimpleMembershipProvider and using Roles

ASP .Net MVC 4 Authorize and AllowAnonymous

How to check user is in many roles in identity

Adding roles in the create user view ASP Identity MVC

Multiple User Roles in Authorize

ASP.NET (MVC) Users, Roles and Users in Roles

Custom Authorize Attribute on mvc

ASP.NET MVC Blacklist for Roles/Users

ASP.Net MVC 5 how to use Authorize Attribute with multiple login (Multiple user table)

Asp.Net MVC authorize a custom user which extends ApplicationUser

ASP.NET MVC Displaying a user's roles as comma separated string

Many to many relation MVC ASP.NET

How to handle many to many same table (User) in ASP.Net MVC 5 - Fluent API

Generic Authorize Attribute multiple Roles ASP.NET Core Core MVC Roles and Authorization

TOP Ranking