How to determine a users' top-most role

Topics: General Topic, NetSqlAzMan Core
Oct 27, 2011 at 8:46 AM

In our application we have a number of defined 'core' roles in a hierarchy and also the ability for end users to descend their own roles from cores roles. This could be described as looking like this where the first 3 levels are the core role levels and the 4th level below Finance is a custom role level:

SuperUser --

                 |-- Administrator--




                                          |               |--Finance extended

                                          |               |--Finance custom



What can be seen from this is that if a user is for example in the Administrator role, they are also hierarchically in the sub roles too (Sales, Support etc). 

I'm trying to develop a method that will enable me to determine a users top most / highest security access role. The NetSqlAzmanRoleProvider doesn't quite provide this functionality and I've tried to traverse the IazManItem role items for a user but I can't seem to correctly work out how to go up the hierarchy tree to the top most role. Any pointers / sample code would be very much appreciated.

Many thanks,




Oct 27, 2011 at 9:45 AM


you can use this workaround.


If you have two Roles with the following authorizations:

= Parent Role (AllowWithDelegation)

=== Child Role 1

=== Child Role 2

And you Check the access on:

= Parent Role => result will be AllowWithDelegation

=== Child Role 1 => result will be Allow

=== Child Role 2 => result will be Allow

This … because the AllowWithDelegation permission when is inherited … becomes just Allow


Give the AllowWithDelegation permission to core roles only. When CheckAccess … consider as Core role only … roles that have AllowWithDelegation as CheckAccess result



Andrea Ferendeles
NetSqlAzMan Project Coordinator
E-mail Web

Oct 27, 2011 at 11:28 AM

Hi Andrea - thank you very much, that sounds pretty good.

I think this means I won't be able to use the NetSqlAzmanRoleProvider.AddUsersToRoles method to assign users to roles and I'll need to use the IAzManItem.CreateAuthorization method instead. Do you agree?

Oct 27, 2011 at 11:31 AM

Yup. J

Nov 2, 2011 at 5:42 PM

That approach worked very well thank you