<authorization> Element

Article
10/23/2006

Configures ASP.NET authorization support. The <authorization> tag controls client access to URL resources. This element can be declared at any level (machine, site, application, subdirectory, or page).

<configuration>
<system.web>
** <authorization>**

<authorization>
   <allow users="comma-separated list of users"
          roles="comma-separated list of roles"
          verbs="comma-separated list of verbs"/>

   <deny users="comma-separated list of users"
         roles="comma-separated list of roles"
         verbs="comma-separated list of verbs"/>
</authorization>

Subtags

Subtag	Description
<allow>	Allows access to a resource based on the following: users: A comma-separated list of user names that are granted access to the resource. A question mark (?) allows anonymous users; an asterisk () allows all users. roles: A comma-separated list of roles that are granted access to the resource. verbs*: A comma-separated list of HTTP transmission methods that are granted access to the resource. Verbs registered to ASP.NET are GET, HEAD, POST, and DEBUG.
<deny>	Denies access to a resource based on the following: users: A comma-separated list of user names that are denied access to the resource. A question mark (?) indicates that anonymous users are denied access; an asterisk () indicates that all users are denied access. roles: A comma-separated list of roles that are denied access to the resource. verbs*: A comma-separated list of HTTP transmission methods that are denied access to the resource. Verbs registered to ASP.NET are GET, HEAD, POST, and DEBUG.

<allow>

Allows access to a resource based on the following:

users: A comma-separated list of user names that are granted access to the resource. A question mark (?) allows anonymous users; an asterisk (*) allows all users.

roles: A comma-separated list of roles that are granted access to the resource.

verbs: A comma-separated list of HTTP transmission methods that are granted access to the resource. Verbs registered to ASP.NET are GET, HEAD, POST, and DEBUG.

<deny>

Denies access to a resource based on the following:

users: A comma-separated list of user names that are denied access to the resource. A question mark (?) indicates that anonymous users are denied access; an asterisk (*) indicates that all users are denied access.

roles: A comma-separated list of roles that are denied access to the resource.

verbs: A comma-separated list of HTTP transmission methods that are denied access to the resource. Verbs registered to ASP.NET are GET, HEAD, POST, and DEBUG.

Remarks

At run time, the authorization module iterates through the <allow> and <deny> tags until it finds the first access rule that fits a particular user. It then grants or denies access to a URL resource depending on whether the first access rule found is an <allow> or a <deny> rule. The default authorization rule in the Machine.config file is <allow users="*"/> so, by default, access is allowed unless configured otherwise.

Example

The following example allows access to all members of the Admins role and denies access to all users.

<configuration>
   <system.web>
      <authorization>
         <allow roles="Admins"/>
         <deny users="*"/>
      </authorization>
   </system.web>
</configuration>

Requirements

Contained Within: <system.web>

Web Platform: IIS 5.0, IIS 5.1, IIS 6.0

Configuration File: Machine.config, Web.config

Configuration Section Handler: System.Web.Configuration.AuthorizationConfigHandler

<authorization> Element

Subtags

Remarks

Example

Requirements

See Also

Additional resources