If you don’t want to hard code this in web.config(s) you will need to implement a ‘Base Page’ type control.

Your base page class should inherit from System.Web.UI.Page, and would need to have a method you could call to say ‘User must be logged in’ or ‘User must be in role x’, and if the user isn’t in that role, redirect to the login page (you can get this by calling FormsAuthentication.LoginUrl).

Your actual pages should inherit from this class rather than from System.Web.UI.Page directly. Then, in something like Init, or at the top of Page_Load, call

base.UserMustBeLoggedIn(); 

or

// Replace 'AccessRole' with the name of your role base.UserMustBeInRole('AccessRole'); 

And let the base page handle this.

If you would rather have the access rights stored in a database, then you could move all the processing to the base page, and in a suitable place in the page lifecycle, check the current URL against your database table, check the users role/authentication against the requirements and redirect as required.

Note that you can create page level security in the web config like so:

<configuration>   <location path='LockedPage.aspx'>     <system.web>       <authorization>         <!-- Deny access to anonymous users -->         <deny users='?'/>       </authorization>     </system.web>   </location> </configuration> 

More information is available on MSDN: The Location Element and The Authorization Element.