Securing User Interface Controls

All MM .NET WPF, Windows Forms,and Web Form controls have a ControlID property that can contain a Globally Unique Identifier (GUID). If this property is empty, it indicates the control is not secure. If you assign a GUID to this property, it uniquely identifies the control as being secure.


Note: Before following the steps in this topic, you must first enable security in your application as described in the Help topic Enabling user Security in a Windows Forms Application or Enabling User Security in a Web Forms Application.

To assign GUIDs to user interface controls, follow these steps:

  1. If working with WPF, if you haven't already done so, copy your app.config file to the project's bin\Debug folder. This is required because Expression Blend see this as the default folder and uses the app.config file to read the security database settings.

  2. Open the Window or Web Form in design mode, and select the control you want to secure.


    Note: When working with WPF controls, you MUST use Expression Blend to set the Control ID. Unfortunately, a bug in Visual Studio prevents a custom editor from being launched on an attached property.



    Note: As shown in the above figure, if the control has an associated label, you should select both the label and the control so they have the same security control ID. This is important because user interface controls for which a user has "No Access" are not visible at run time. Giving both the control and its associated label the same ControlID value ensures they are both invisible at run time.


  3. Go to the Properties Window and select the ControlID property. If the control is not currently specified as a secure control, the property value looks like this in Expression Blend:

    And like this in Visual Studio:

  4. If using Expression Blend for WPF, to make the control secure, click the small down arrow to the right of the Control ID text box (if using Visual Studio for Windows Forms or ASP.NET, click the ellipses button [...]. This launches the Security Control ID dialog:

  5. To generate a new security control ID, click the Generate button. This generates a new Globally Unique Identifier (GUID) which is displayed in the Control ID text box:

  6. Enter a description of the secure control in the Description text box. It's usually best to specify the name of the form as well as a description of the control. For example:

    This description is displayed in the Security Setup Form when end-users specify security on the control at run time. See the Help topic End-User Security Setup for Controls for details.

  7. Click the Save button to save changes. The security information entered in this dialog is stored in your application's Security table. For details, see the Help topic Security Tables.

  8. When working in ASP.NET, if you have not already done so, set the form's RequiresSecurity property to True (if you are using MM .NET authentication).


Note: If you set the ControlID property of a UI control but have not set up user authentication (for example, by setting the form's RequiresSecurity property), then you will see the following exception at run time: "Security error: User has not been authenticated. Make sure the form's RequiresSecurity property is True".

Deleting Security Control IDs

To delete an existing security control id, click the Delete button in the Security Control ID dialog:

When you click the Delete button, the following message box appears. Click Yes to delete the control ID from the Security table and all related tables:

Click the Save button to save the empty ID to the ControlID property of the user interface control:

See also:
Securing Windows Forms Menus

© (c) 2026 Oak Leaf Enterprises, Inc., 1996-2026 • Updated: 04/26/18
Comment or report problem with topic