I have "mydomain\myusername" in the database with the role Administrator. I have run a couple of tests with different configurations. The lines commented with "+" are given access, whereas the "-" ones are required to log on. It seems as though a user is given access if it's authorized by itself. But when a role is added in, the role takes priority and it doesn't even look at the single user.

How do I get it to work so that it takes the single user or multiple users into account when a role is specified? I am using a custom [DefaultAuthorize] (from "Asp.net MVC4: Authorize on both controller and action") and OverrideAuthorize so that the controller and the action permissions don't AND together, but that isn't what causes the behavior where Users is ignored in favor of Roles. That behavior seems to be the default behavior of the authentication.

Edited: I just tested it some more, and the solution from the SO question above doesn't really work to create the OR between controller and actions; it still requires a logon if both are specified but the user is only in the controller group. It works if the user is in the action group.

Edited: The only thing I see for sure is that defining Roles in the Actions works as expected. Adding Roles or Users in the controller creates nonsensical behavior.

So there are two issues that boggle the mind:

  1. Can't seem to get rid of the AND condition when roles are specified in both the controller and the actions.
  2. The user is ignored in favor of the role.

I am using MVC5 with windows authentication and roles.

//-[Authorize(Roles = "Publisher,Editor", Users = "mydomain\\myusername")] //this should have worked since myusername is running the test
//-[Authorize(Users = "mydomain\\myusername",Roles = "Publisher,Editor")]  //this should have worked also
//+[Authorize(Users = "mydomain\\myusername", Roles = "Administrator,Publisher,Editor")]  //this works because of Administrator
//+[Authorize(Roles = "Administrator")]
//+[Authorize(Roles = "Administrator", Users = "mydomain\\myusername")]
//+[Authorize(Roles = "Administrator,Editor", Users = "mydomain\\myusername")]
//+[Authorize(Roles = "Publisher,Administrator,Editor", Users = "mydomain\\myusername")]
[DefaultAuthorize(Roles = "Publisher,Editor")]
public class PersonEntitiesController : Controller
{
    //default role and override role work as long as the user is in a group
    //-[Authorize(Roles = "Administrator")] doesn't work as it's ANDed with the controller
    //when a user is grouped with a Role, the role takes priority
    //doesn't work as myusername is ignored and it only looks at Publisher, but the user is not in that group
    //-[OverrideAuthorize(Users = "mydomain\\myusername",Roles="Publisher")]
    //+[OverrideAuthorize(Users = "mydomain\\myusername")] //works as long as myusername is listed by itself
    //+[OverrideAuthorize(Users = "mydomain\\myusername",Roles="Administrator")] //the group works as long as myusername is in that group
    public ActionResult Index(string sortOrder, string currentFilter, string searchString, int? page)
    {
        return View();
    }
}
This is the default behavior of the Authorize attribute. The attribute verifies that all of the following rules pass:

  1. The user is not null, it has an identity, and it's authenticated.
  2. If user names were included, that the identity name is one of them.
  3. If roles were included, that at least one of the included roles is present among the identity's roles.

Doing an inspection of the ASP.NET MVC's AuthorizeAttribute.IsAuthorized code confirms it:

protected virtual bool IsAuthorized(HttpActionContext actionContext)
{
    if (actionContext == null)
    {
        throw Error.ArgumentNull("actionContext");
    }

    IPrincipal user = actionContext.ControllerContext.RequestContext.Principal;
    if (user == null || user.Identity == null || !user.Identity.IsAuthenticated)
    {
        return false;
    }

    if (_usersSplit.Length > 0 && !_usersSplit.Contains(user.Identity.Name, StringComparer.OrdinalIgnoreCase))
    {
        return false;
    }

    if (_rolesSplit.Length > 0 && !_rolesSplit.Any(user.IsInRole))
    {
        return false;
    }

    return true;
}

So, as you suspected, this behavior works as an AND, not an OR. If you want different behavior, I recommend that you create a custom Authorization attribute and put your own logic in it. Just inherit from AuthorizeAttribute and override the IsAuthorized method with your custom logic.
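The following is an added example of the custom attribute the answer recommends; it is not code from the original post. It targets System.Web.Mvc (the MVC 5 stack the question mentions), where the virtual method to override is AuthorizeCore(HttpContextBase) rather than the Web API IsAuthorized(HttpActionContext) shown above. The attribute name UsersOrRolesAuthorize, the helper methods, and the principals in the demo class are assumptions for the example; only the Users and Roles properties and AuthorizeCore are part of the framework.

```csharp
using System;
using System.Linq;
using System.Security.Principal;
using System.Web;
using System.Web.Mvc;

namespace AuthorizeExample
{
    // Grants access when the caller is listed in Users OR belongs to any role in Roles.
    // Only AuthorizeCore is overridden: AllowAnonymous handling, the output-cache
    // validation callback and the 401 on failure are inherited from AuthorizeAttribute.
    public class UsersOrRolesAuthorizeAttribute : AuthorizeAttribute
    {
        protected override bool AuthorizeCore(HttpContextBase httpContext)
        {
            if (httpContext == null)
            {
                throw new ArgumentNullException("httpContext");
            }

            return IsUserOrRoleMatch(httpContext.User, Users, Roles);
        }

        // The decision itself, kept static so it can be exercised without an HttpContext.
        public static bool IsUserOrRoleMatch(IPrincipal user, string users, string roles)
        {
            if (user == null || user.Identity == null || !user.Identity.IsAuthenticated)
            {
                return false;
            }

            string[] userList = SplitList(users);
            string[] roleList = SplitList(roles);

            // Neither list given: same as a bare [Authorize], any authenticated caller passes.
            if (userList.Length == 0 && roleList.Length == 0)
            {
                return true;
            }

            // Windows authentication reports Identity.Name as "DOMAIN\user"; the stock
            // attribute compares it case-insensitively, so do the same here.
            if (userList.Contains(user.Identity.Name, StringComparer.OrdinalIgnoreCase))
            {
                return true;
            }

            // Fall back to the role check; any listed role is enough.
            return roleList.Any(user.IsInRole);
        }

        // Users and Roles are comma-separated strings; tolerate spaces and empty entries.
        private static string[] SplitList(string value)
        {
            if (string.IsNullOrWhiteSpace(value))
            {
                return new string[0];
            }

            return value.Split(',')
                        .Select(s => s.Trim())
                        .Where(s => s.Length > 0)
                        .ToArray();
        }
    }

    // Applied to the controller from the question: mydomain\myusername passes even
    // though it is in neither Publisher nor Editor, because the user match alone suffices.
    [UsersOrRolesAuthorize(Users = "mydomain\\myusername", Roles = "Publisher,Editor")]
    public class PersonEntitiesController : Controller
    {
        public ActionResult Index()
        {
            return View();
        }
    }

    // Exercises the decision logic with GenericPrincipal instances (assumed names/roles):
    // a listed user in an unrelated role, an unlisted user in Editor, and an unlisted
    // user in no role at all.
    public static class UsersOrRolesDemo
    {
        public static void Main()
        {
            const string users = "mydomain\\myusername";
            const string roles = "Publisher,Editor";

            var listedUser = new GenericPrincipal(new GenericIdentity("mydomain\\myusername"), new[] { "Administrator" });
            var editorOnly = new GenericPrincipal(new GenericIdentity("mydomain\\someone"), new[] { "Editor" });
            var outsider = new GenericPrincipal(new GenericIdentity("mydomain\\other"), new string[0]);

            Console.WriteLine("listed user:  " + UsersOrRolesAuthorizeAttribute.IsUserOrRoleMatch(listedUser, users, roles));
            Console.WriteLine("editor only:  " + UsersOrRolesAuthorizeAttribute.IsUserOrRoleMatch(editorOnly, users, roles));
            Console.WriteLine("outsider:     " + UsersOrRolesAuthorizeAttribute.IsUserOrRoleMatch(outsider, users, roles));
        }
    }
}
```

Two caveats when adopting this. With OR semantics the Users list becomes a direct allow-list that bypasses every role check, so keep it short and audited; roles remain the better place to express the policy. And this only changes how Users and Roles combine inside one attribute: separate attribute instances on the controller and on the action still each run their own OnAuthorization and all must pass, so the first issue in the question (controller and action ANDing together) is not affected by it.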

