Security Trimming and Site Navigation Service in ASP.Net 2.0

The new Site Navigation Service and Navigation Controls in ASP.Net 2.0 can easily save at least a hundred lines of code when building a menu-driven Web Application.  However, one useful feature of the new Site Navigation Service is often overlooked: Security Trimming.



When Security Trimming is enabled, the standard SiteMapProvider class invokes the “IsAccessibleToUser” method to determine whether the current user is authorized to view the Web Page defined by each node in the Site Map.  If the authenticated user has the required authorization, the menu item appears in the Menu or Tree View Control; if the user is anonymous or is not authorized, the menu item is omitted from the Menu or Tree View Control.



For this to work with the default SiteMap Provider, three things must be configured:

  • the securityTrimmingEnabled attribute of the provider must be set to true

  • the roles attribute must be defined on the siteMapNode elements within the Site Map

  • an <authorization> section must be present in the web.config


Security Trimming Enabled


Below is an example of how to enable Security Trimming in the web.config:


<!-- inside <system.web> -->
<siteMap defaultProvider="XmlSiteMapProvider" enabled="true">
    <providers>
        <add name="XmlSiteMapProvider"
            description="Default SiteMap provider."
            type="System.Web.XmlSiteMapProvider"
            siteMapFile="web.sitemap"
            securityTrimmingEnabled="true" />
    </providers>
</siteMap>


Roles defined in SiteMap:

Next you will need to modify your Site Map and add, on each siteMapNode, the role that is allowed to view that Web URL, as indicated below:

<siteMap xmlns="http://schemas.microsoft.com/AspNet/SiteMap-File-1.0">
    <siteMapNode url="~/default.aspx" title="Home" description="Home Page">
        <siteMapNode url="~/reports/" title="Reports" description="Reports">
            <!-- role names must match the roles used in the <authorization> section -->
            <siteMapNode url="~/reports/setup/report.aspx" title="Setup" description="Setup Report" roles="ReportManager" />
            <siteMapNode url="~/reports/show/default.aspx" title="View Reports" description="View Reports" roles="Users" />
        </siteMapNode>
    </siteMapNode>
</siteMap>


For the scenario defined above, I suggest creating a separate folder named “reports” in your Web Application and adding a web.config file to it that contains an <authorization> section.  Under <authorization>, define the roles or users that are allowed or denied access to the Web Pages in this folder.



      <authorization>
          <allow roles="ReportManager" />
          <allow roles="Users" />
          <deny users="*" />
      </authorization>



This can be created manually or established with the ASP.Net Web Configuration tool under the Security tab by clicking on the “create access rules” link.
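As an added illustration (not code from the original post), the Python script below models the decision the provider makes for the scenario above: a siteMapNode's roles attribute grants visibility to the listed roles, and every other node is checked against the reports folder's <authorization> rules in order. The sitemap and the rule list embedded in the script are constructed copies of the ones configured in this article.

```python
import xml.etree.ElementTree as ET

NS = "{http://schemas.microsoft.com/AspNet/SiteMap-File-1.0}"

# Constructed web.sitemap mirroring the article's nodes (not the author's file).
SITEMAP = """<siteMap xmlns="http://schemas.microsoft.com/AspNet/SiteMap-File-1.0">
  <siteMapNode url="~/default.aspx" title="Home">
    <siteMapNode url="~/reports/" title="Reports">
      <siteMapNode url="~/reports/setup/report.aspx" title="Setup" roles="ReportManager" />
      <siteMapNode url="~/reports/show/default.aspx" title="View Reports" roles="Users" />
    </siteMapNode>
  </siteMapNode>
</siteMap>"""

# Constructed ~/reports/web.config <authorization> rules, in document order; first match wins.
REPORTS_RULES = [("allow", "roles", "ReportManager"), ("allow", "roles", "Users"), ("deny", "users", "*")]

def url_authorized(url, user, roles):
    """UrlAuthorizationModule check: the first matching rule wins; URLs outside
    the reports folder fall back to the root default, which allows everyone."""
    if not url.startswith("~/reports/"):
        return True
    for action, kind, value in REPORTS_RULES:
        if kind == "users":
            matched = value == "*" or value == user or (value == "?" and user is None)
        else:
            matched = value in roles
        if matched:
            return action == "allow"
    return True

def is_accessible(node, user, roles):
    """SiteMapProvider.IsAccessibleToUser: a matching roles attribute (or "*")
    grants visibility outright; otherwise the node's url goes through URL
    authorization. The roles attribute therefore only widens visibility."""
    node_roles = [r.strip() for r in node.get("roles", "").split(",") if r.strip()]
    return any(r == "*" or r in roles for r in node_roles) or url_authorized(node.get("url", ""), user, roles)

def trimmed_menu(user, roles):
    """Titles a Menu control renders for this user; children of a hidden node
    are never reached, as in the provider's GetChildNodes filtering."""
    def walk(node):
        if not is_accessible(node, user, roles):
            return []
        titles = [node.get("title")]
        for child in node.findall(NS + "siteMapNode"):
            titles += walk(child)
        return titles
    return walk(ET.fromstring(SITEMAP).find(NS + "siteMapNode"))
```

Running it shows that a member of Users still sees the Setup item: the roles attribute only widens visibility, and the folder's rules allow Users, so hiding a single page requires a narrower <authorization> rule for that page. A user whose role is misspelled (for example "User" instead of "Users") gets nothing under Reports, which is why the role names in the sitemap and web.config must match.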