Authorization Tab, ASP.NET Configuration Settings Dialog Box
The Authorization tab of the ASP.NET Configuration Settings dialog box lets you manage authorization rules for the current Web site directory based on user accounts and roles. You can create user accounts and roles by using Microsoft Windows authentication or ASP.NET Forms authentication (ASP.NET membership). You can add, edit, or remove rules for the current Web site directory. Rules apply to the current subdirectory and all child subdirectories of the current URL unless they are overridden by a configuration file setting in the child subdirectory.
Inherited rules from the Machine.config configuration file and any parent virtual directory also appear, but cannot be edited. To change the effect of inherited rules, you can create new settings at the Web site level. Application settings are always stored as strings.
The settings that you make on the Authorization tab apply to the Web site that you selected before displaying the Properties dialog box.
Configuration settings can be inherited. Settings can be defined in the Machine.config file, which acts as the base configuration for all Web sites on the server. For more information about ASP.NET configuration files, see.
In Windows, open Administrative Tools, and then click Internet Information Services (IIS) Manager.
IIS Manager appears.
Under Internet Information Services, expand Servername (local computer), expand Web Sites, right-click either Websitename or Default Website, and then click Properties.
The Web Site Properties dialog box appears.
Click the ASP.NET tab, and then click Edit Configuration.
The ASP.NET Configuration Settings dialog box appears.
Click the Authorization tab.
Using the Authorization tab, you can do the following:
View authorization rules that are defined in all inherited configuration files, including the Machine.config file.
Add, edit, and remove authorization rules for the current Web site directory.
Authorization rules are applied in order, from top to bottom. In some cases, you might have to create multiple rules for the same folder in order to establish the correct permissions. For example, you might create a rule that denies access to anonymous user accounts and a second rule that denies access to user accounts in the role of Guest. That way, only users who are logged on (users who are not anonymous) and in another group (not Guest) can gain access to the folder.
The Web.config settings that are managed through the Security tab are the <authorization>, <roleManager>, and <authentication> sections.
The following excerpt from a Web.config file restricts access to a subdirectory of the Web site. Access to the restricted subdirectory is allowed for administrators and for the user named John, and is denied for anonymous users.
<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <system.web>
    <authorization>
      <allow roles="administrators" />
      <allow users="John" />
      <deny users="?" />
    </authorization>
  </system.web>
</configuration>
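The following Python sketch is an added example, not part of the original documentation. It evaluates the excerpt above in top-to-bottom, first-match order, with local rules checked before inherited ones, and shows that an authenticated user who matches no local rule is decided by the inherited rule. It assumes the parent configuration still carries the ASP.NET default allow-all rule; the HARDENED variant, the user Mary and the helper names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed inputs: LOCAL is the excerpt above; INHERITED assumes the parent
# configuration still carries the ASP.NET default <allow users="*" />.
LOCAL = """<configuration><system.web><authorization>
  <allow roles="administrators" /> <allow users="John" /> <deny users="?" />
</authorization></system.web></configuration>"""
INHERITED = """<configuration><system.web><authorization>
  <allow users="*" />
</authorization></system.web></configuration>"""
# Hardened variant (hypothetical): same rules plus a closing deny-all.
HARDENED = LOCAL.replace('<deny users="?" />', '<deny users="?" /> <deny users="*" />')

def _names(value):
    # Comma-separated list; names compared case-insensitively (assumption).
    return {n.strip().lower() for n in (value or "").split(",") if n.strip()}

def load_rules(xml_text):
    """Return [(action, users, roles)] in document order; verbs are ignored."""
    rules = []
    for auth in ET.fromstring(xml_text).iter("authorization"):
        for el in auth:
            if el.tag in ("allow", "deny"):
                rules.append((el.tag, _names(el.get("users")), _names(el.get("roles"))))
    return rules

def matches(rule, user, roles):
    _, r_users, r_roles = rule
    if "*" in r_users:
        return True                      # rule names everyone
    if user is None:
        return "?" in r_users            # anonymous request
    return user.lower() in r_users or bool(r_roles & {r.lower() for r in roles})

def decide(user, roles=(), local=LOCAL, inherited=INHERITED):
    """First matching rule wins; local rules are checked before inherited ones."""
    for rule in load_rules(local) + load_rules(inherited):
        if matches(rule, user, roles):
            return rule[0]
    return None                          # no rule matched

if __name__ == "__main__":
    cases = [(None, []), ("John", []), ("Mary", ["administrators"]), ("Mary", ["Guest"])]
    for who, roles in cases:
        print(who or "(anonymous)", roles,
              decide(who, roles), decide(who, roles, local=HARDENED))
```

With the excerpt as written, a logged-on user in the Guest role is admitted by the inherited rule; the variant with a closing deny-all rule restricts the folder to administrators and John.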
- Inherited authorization rules
Lists the inherited authorization rules that are defined in the Machine.config file or any parent virtual directory, as defined in. Inherited settings are italic and inherited settings that you have overridden are bold.
- Local authorization rules
Lists the authorization rules that are applied to the current Web site directory and to all its child directories.
Click to open theto create a new rule.
Click to open theto edit the selected rule.
Click to delete the selected row from Local authorization rules.