Access Levels

A key feature of any software application is the authentication and authorization control of users. In the Asp.Net Unique Architecture framework, you as a webmaster can plan user activity. This is done by the user management module. You can easily divide their activities by defining the roles and assigning users to these roles. Management of these activities is done by granting access permissions to these users. With these permissions you can specify which user has access to which part of the site. In simpler terms, it can be determined which user has access to which parts and which parts are out of access to him. This module makes users feel secure. Asp.Net Unique Architecture framework has high power and security. Security is the key part of any software. In the AUA framework, the security team of Hilton Software Group has been able to ensure the highest level of security by trying and reviewing similar products, which does not have much overhead in terms of performance. An important and interesting point in the AUA framework is Authentication and Authorization, which can be easily expanded and controlled to the smallest level of actions. There are different models of Authentication and Authorization in the AUA framework, which can help easily specify the access level in the controller and action.

1. WebApiAuthorize: Using this attribute, you can specify access levels for the action and controller.
2. AllowLoggedInAuthorization: The user just needs to log in.
3. OnlyLocalActionAuthorize: This attribute is for actions and controllers that only need to be called locally on the server.
4. AllowAnonymousAuthorize: Any user can have unlimited access to this action and controller.
5. IpWebApiAuthorize: Using the IpWebApiAuthorize attribute, access to a range of IPs can be restricted.
6. OnlyHasAccessTokenAuthorization: The user only needs to have access to the token.


To use the WebApiAuthorize attribute, you must add an item for each control or action in EUserAccess. In the database in the UserAccess table we add the name, access number, description and URL. To use the WebApiAuthorize attribute, just type it on the controller or action. For example, access to the following action is limited to users who have AppUser = 1 access.
The WebApiAuthorize Input can have several access levels such that if the user has one of the accesses, he has access to that resource. The title of the pages is loaded for the page by default according to the description in the UserAccess table.

User Access in youtube More videos

User Access in youtube More videos


There is access for users who have just logged in and have access to their activated or unexpired token.


This is used when an operation should be performed locally and usually for a limited number of times, for example, when sending a series of data to another server.


This is available to all users of the site. In other words, there exists no control over its access, for actions like Login.


When IP access is restricted and does not require the Login, only one IP range can be accessed; for example, servers within a network that can see each other do not need to login and get tokens, and any request from these servers is recognized as valid. This is useful for sending data between subsystems.


This type of access is used when the user only needs to have a token with the correct structure and the expiration time is not considered. For example, the LogOut action is of this type. To release the resources, all you have to do is to send the token and release the resources, and there is no need for other controls on the access token.

The following diagram is the AUA default authentication structure .

How to use WebApiAuthorize

To use WebApiAuthorize, you need to add an item for each control or action in EUserAccess enum. In the database inside the UserAccess table we added the name, access number , description and URL.

public enum EUserAccess
    [Description("User Management")]
    AppUser = 1,

    [Description("Access level management")]
    UserAccess = 2,

    [Description("Role management")]
    UserRole = 3,       

    [Description("Role-level access management")]
    UserRoleAccess = 4,

Then you need to write it for the controller or action. For example, the following action is accessible only for users who have access to AppUser = 1.

public async Task<IActionResult> _Insert(AppUserDto appUserDto)
    await _appUserService.InsertAsync(appUserDto);
    return RedirectToAction("Index");

Also you can use the following structure, which is simpler.

Access Levels in youtube More videos

Access Levels in youtube More videos