
A Secure Role-based Windows Form

30 Sep 2009, CPOL
This article describes how to implement Role-based Windows Form security. The solution includes a "SecureBaseForm" which allows/denies access to an inheriting Form and may fire the UserIsAllowed or UserIsDenied events.



This Role-based secure base form allows you to implement security on Windows Forms without the necessity to rewrite the basic security handling for each form within your application or project.


As I needed to restrict access to several forms or to several parts of forms, I was searching for a base form which could deliver this functionality. However, the ones that I came across were limited in their functionality, and therefore I had to look at other ways to achieve this goal. First, I set up the basic requirements that were needed within this base form:

  1. The base form should not conflict when used in design mode (although basic, there are some issues that need to be considered).
  2. The base form should take the required roles for the form and the user principal (IPrincipal) as parameters in order to validate the access to the form.
  3. The base form should:
    1. Open the form when one of the User-roles is in the Form roles.
    2. Not open the form when none of the User-roles is in the Form roles.
    3. Allow an event to be raised when the user is allowed.
    4. Allow an event to be raised when the user is denied (this overrides the second option, as the form needs to be opened in this case).
  4. Give a validated list of roles that are within the User-Roles and the Form-Roles.
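The access decision in requirements 2 to 4, sketched as an added example; this is not the article's SecureBaseForm, whose source is not shown on this page. `RoleGate`, `Evaluate` and `Demo` are hypothetical names, the principal is constructed sample data, and denying a null or unauthenticated principal is an assumption the article does not state.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Principal;

// Hypothetical helper, not the article's SecureBaseForm: it isolates the
// role check so it can be exercised without opening a Form.
public sealed class RoleGate
{
    public event EventHandler UserIsAllowed;
    public event EventHandler UserIsDenied;

    // Roles present in both the form's role list and the user's roles.
    public IList<string> ValidatedUserRoles { get; private set; }

    public RoleGate(string[] formRoles, IPrincipal user)
    {
        var matched = new List<string>();
        // Assumption: fail closed when there is no authenticated principal.
        if (user != null && user.Identity != null && user.Identity.IsAuthenticated)
            foreach (string role in formRoles ?? new string[0])
                if (user.IsInRole(role))
                    matched.Add(role);
        ValidatedUserRoles = matched.AsReadOnly();
    }

    // Returns true when the form may open; a subscribed UserIsDenied
    // handler takes over from the default "do not open" behaviour.
    public bool Evaluate()
    {
        bool allowed = ValidatedUserRoles.Count > 0;
        EventHandler handler = allowed ? UserIsAllowed : UserIsDenied;
        if (handler != null) handler(this, EventArgs.Empty);
        return allowed || handler != null;
    }
}

public static class Demo
{
    public static void Main()
    {
        // Constructed sample principal: holds UserRole2 and an unrelated role.
        var user = new GenericPrincipal(
            new GenericIdentity("alice"), new[] { "UserRole2", "Auditor" });
        var gate = new RoleGate(new[] { "UserRole1", "UserRole2" }, user);
        gate.UserIsAllowed += (s, e) => Console.WriteLine("allowed: "
            + string.Join(",", gate.ValidatedUserRoles));
        Console.WriteLine("open form: " + gate.Evaluate());
    }
}
```

The validated list holds only "UserRole2" here: "Auditor" is dropped because it is not one of the form roles, so a handler can never see a role the form did not ask for.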

In search for the correct approach

During the search over the internet, I came across this article: Simplified implementation without title, which forms the basic idea for this implementation. Although simplified, its author describes the correct approach to take, hence my interest in using the same skeleton. When testing this approach, I came across one issue: when the form is initialized from the Main method (program.cs), the "Show" or "ShowDialog" methods are not called, so another means of initialization is needed. Luckily, I came across this article explaining how to approach the issue: Application Architecture in Windows Forms 2.0. The flaw that I came across with this approach is that it will silently run within the background when the main window is never made visible, but it is a start.

static void Main()
{
    // Create and show the main form modelessly
    MainForm form = new MainForm();
    form.Show();

    // Run the application only when the Form has been created.
    if( form.Created )
        Application.Run();
}
Using the code

Creating the form based on the SecureBaseForm and implementing the security parameters:

public class Form1 : SecureBaseForm
{
    // A constructor has no return type; IPrincipal lives in System.Security.Principal
    public Form1(IPrincipal userPrincipal) :
        base( new string[] { "UserRole1", "UserRole2" }, userPrincipal )
    {
        //    Capture the principal here in case it is needed in a second Form
    }
}

In the above example, the user is allowed when the user principal contains either the "UserRole1" or the "UserRole2" role. The same example can also show what to do when the user has access to the form, but you want to disable certain features based on one of the roles:

// Form1 has the event handling "Form1_UserIsAllowed" defined
private void Form1_UserIsAllowed(object sender, EventArgs e)
{
    // ValidatedUserRoles only holds roles that are both form roles and user roles
    button1.Enabled = this.ValidatedUserRoles.Contains("UserRole1");
    button2.Enabled = this.ValidatedUserRoles.Contains("UserRole2");
}

Depending on whether the user has the role "UserRole1" or "UserRole2" defined, the appropriate button(s) will be enabled. The same event handling is available for "UserIsDenied".

Points of interest

I never was so pleased with implementing security, as there will always be weak spots and you have to follow the various forums and the like to keep up to date. Nevertheless, I think this is a nice approach which will allow my future applications to have one hurdle less.

Should you want to comment, please do so...


  • Version 1.00 (30 September, 2009) - Hopefully, something can be done on UserControls as well (keep your eyes open).


This article, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)


About the Author

Arjo Kalisvaart
Software Developer (Senior)
Netherlands
