Authorization Tab, ASP.NET Configuration Settings Dialog Box
The Authorization tab of the ASP.NET Configuration Settings dialog box lets you manage authorization rules for the current Web site directory based on user accounts and roles. You can create user accounts and roles by using Microsoft Windows authentication or ASP.NET Forms authentication (ASP.NET membership). You can add, edit, or remove rules for the current Web site directory. Rules are applied to the current subdirectory and all child subdirectories of the current URL unless they are overridden by a configuration file setting in the child subdirectory.
The MMC snap-in for ASP.NET works with IIS 6.0 or earlier. The IIS 7.0 administration tool includes the functionality of the ASP.NET MMC tool. For more information, see ASP.NET and IIS Configuration.
Inherited rules from the Machine.config configuration file and any parent virtual directory also appear, but cannot be edited. To change the effect of inherited rules, you can create new settings at the Web site level. Application settings are always stored as strings.
The settings that you make on the Authorization tab apply to the Web site that you selected before displaying the Properties dialog box.
Configuration settings can be inherited. Settings can be defined in the Machine.config file, which acts as the base configuration for all Web sites on the server. For more information about ASP.NET configuration files, see ASP.NET Configuration File Hierarchy and Inheritance.
For information about ASP.NET Configuration Settings, see ASP.NET Configuration Overview.
To open the Authorization dialog box
1. In Windows, open Administrative Tools, and then click Internet Information Services (IIS) Manager.
   IIS Manager appears.
2. Under Internet Information Services, expand Servername (local computer), expand Web Sites, right-click either Websitename or Default Website, and then click Properties.
   The Web Site Properties dialog box appears.
3. Click the ASP.NET tab, and then click Edit Configuration.
   The ASP.NET Configuration Settings dialog box appears.
4. Click the Authorization tab.
Authorization rules are applied in order, from top to bottom. In some cases, you might have to create multiple rules for the same folder in order to establish the correct permissions. For example, you might create a rule that denies access to anonymous user accounts and a second rule that denies access to user accounts in the role of Guest. That way, only users who are logged on (users who are not anonymous) and in another group (not Guest) can gain access to the folder.
The Web.config settings that are managed through the Security tab are the authorization, roleManager, and authentication sections.
The following excerpt from a Web.config file restricts access to a subdirectory of the Web site. Access to the restricted subdirectory is allowed for administrators and for the user named John, and is denied for anonymous users.
<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <system.web>
    <authorization>
      <allow roles="administrators" />
      <allow users="John" />
      <deny users="?" />
    </authorization>
  </system.web>
</configuration>
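The following sketch is an added example, not code from the original page or from ASP.NET. It evaluates the excerpt above top to bottom with first-match semantics, then falls through to inherited rules. The function names, the sample users, the HARDENED_CONFIG variant, and the assumption that the only inherited rule is the stock default <allow users="*" /> are all constructed for illustration.

```python
import xml.etree.ElementTree as ET

# The Web.config excerpt from the page.
PAGE_CONFIG = """<configuration><system.web><authorization>
  <allow roles="administrators" />
  <allow users="John" />
  <deny users="?" />
</authorization></system.web></configuration>"""

# Same excerpt with a final catch-all deny (constructed for this example).
HARDENED_CONFIG = PAGE_CONFIG.replace(
    "</authorization>", '  <deny users="*" />\n</authorization>')

# Assumption: the only inherited rule is the stock default <allow users="*" />.
INHERITED = [("allow", {"*"}, set())]

def _names(value):
    """Split a comma-separated users/roles attribute into a lowercase set."""
    return {n.strip().lower() for n in value.split(",") if n.strip()}

def load_rules(xml_text):
    """Return [(action, users, roles)] in document order."""
    section = next(ET.fromstring(xml_text).iter("authorization"))
    return [(el.tag, _names(el.get("users", "")), _names(el.get("roles", "")))
            for el in section]

def matches(rule, user, roles):
    """user=None means an anonymous request; '?' matches it, '*' matches all."""
    _, users, rule_roles = rule
    if "*" in users:
        return True
    if user is None:
        return "?" in users
    return user.lower() in users or bool(rule_roles & _names(",".join(roles)))

def decide(local_rules, user=None, roles=()):
    """Walk local rules top to bottom, then inherited ones; first match wins."""
    for rule in local_rules + INHERITED:
        if matches(rule, user, roles):
            return rule[0]
    return "deny"  # this sketch fails closed; unreachable with INHERITED above

if __name__ == "__main__":
    for name, cfg in (("page", PAGE_CONFIG), ("hardened", HARDENED_CONFIG)):
        rules = load_rules(cfg)
        for user, roles in ((None, ()), ("John", ()), ("mary", ("staff",))):
            print(name, user or "anonymous", decide(rules, user, roles))
```

Under that assumption, an authenticated user who is neither John nor an administrator matches none of the three local rules and is allowed by the inherited rule; ending the list with <deny users="*" /> limits access to the explicitly allowed accounts.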