<deny> Element (Policy)
Denies access to a Web service.
<policies> Element
  <policy> Element (Policy)
    <authorization> Element
      <deny user role />
Attributes and Elements
Attributes
Attribute | Description |
---|---|
user | Required attribute. Specifies a user name that is denied access. The format is |
role | Required attribute. Specifies a role that is denied access. The role can be a local or domain group, such as |
Child Elements
None
Parent Elements
Element | Description |
---|---|
<authorization> Element | Specifies the users or roles that are authorized and denied access to a Web service. |
Remarks
For the <deny> element you can use either the user or role attribute, or both.
An <authorization> Element can have zero or more <allow> Element (Policy) and <deny> Element (Policy) child elements. These child elements are an ordered list of authorization rules from top to bottom. The sender is authorized based on the first rule that applies to the sender. If an <authorization> element exists and no rules apply to a sender, access is denied.
Example
The following code example defines a policy assertion named kerberosAuthenticationKerberosProtection that specifies that the user COHOWINERY\Enologist and the users in the WineMaker role are authorized access to the Web services to which this policy is applied. All other users are denied access to the Web service.
<policies>
  <extensions>
    <extension name="kerberosSecurity"
               type="Microsoft.Web.Services3.Design.KerberosAssertion, Microsoft.Web.Services3, Version=3.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" />
    <extension name="kerberos"
               type="Microsoft.Web.Services3.Design.KerberosTokenProvider, Microsoft.Web.Services3, Version=3.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" />
    <extension name="authorization"
               type="Microsoft.Web.Services3.Design.AuthorizationAssertion, Microsoft.Web.Services3, Version=3.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" />
    <extension name="requireActionHeader"
               type="Microsoft.Web.Services3.Design.RequireActionHeaderAssertion, Microsoft.Web.Services3, Version=3.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" />
  </extensions>
  <policy name="kerberosAuthenticationKerberosProtection">
    <authorization>
      <allow user="COHOWINERY\Enologist" />
      <allow role="WineMaker" />
      <deny user="*" />
    </authorization>
    <kerberosSecurity establishSecurityContext="false" signatureConfirmation="false" protectionOrder="SignBeforeEncrypting" deriveKeys="true">
      <token>
        <kerberos targetPrincipal="host/grapes@cohowinery.com" impersonationLevel="Identification" />
      </token>
      <protection>
        <request signatureOptions="IncludeAddressing, IncludeTimestamp, IncludeSoapBody" encryptBody="true" />
        <response signatureOptions="IncludeAddressing, IncludeTimestamp, IncludeSoapBody" encryptBody="true" />
        <fault signatureOptions="IncludeAddressing, IncludeTimestamp, IncludeSoapBody" encryptBody="false" />
      </protection>
    </kerberosSecurity>
    <requireActionHeader />
  </policy>
</policies>
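The first-match ordering described under Remarks can be checked offline before a policy file is deployed. The Python sketch below is an added example, not WSE code or part of the original page: it evaluates an <authorization> rule list top to bottom and reports rules that can never decide because an earlier user="*" rule already applies to everyone. It assumes that "*" matches every sender, that names compare case-insensitively, and that a rule with both attributes applies when either matches; the reordered and catch-all-free fragments are constructed.

```python
import xml.etree.ElementTree as ET

# Constructed fragments: the page's rule list, the same rules with the
# catch-all deny moved first, and a list with no catch-all at all.
PAGE_ORDER = r"""<authorization>
  <allow user="COHOWINERY\Enologist" />
  <allow role="WineMaker" />
  <deny user="*" />
</authorization>"""
DENY_FIRST = r"""<authorization>
  <deny user="*" />
  <allow user="COHOWINERY\Enologist" />
  <allow role="WineMaker" />
</authorization>"""
NO_CATCH_ALL = '<authorization><allow role="WineMaker" /></authorization>'

def rules_of(authorization_xml):
    """Return the <allow>/<deny> children in document order."""
    root = ET.fromstring(authorization_xml)
    return [e for e in root if e.tag in ("allow", "deny")]

def rule_applies(rule, user, roles):
    """Assumptions: '*' matches any sender, names compare case-insensitively,
    and a rule with both attributes applies when either one matches."""
    u, r = rule.get("user"), rule.get("role")
    if u is not None and (u == "*" or u.lower() == user.lower()):
        return True
    return r is not None and r.lower() in {x.lower() for x in roles}

def authorize(authorization_xml, user, roles=()):
    """Return (allowed, index of the deciding rule or None)."""
    for i, rule in enumerate(rules_of(authorization_xml)):
        if rule_applies(rule, user, roles):
            return rule.tag == "allow", i  # first applicable rule decides
    return False, None  # <authorization> exists but no rule applied: denied

def shadowed_rules(authorization_xml):
    """Indexes of rules that can never decide because an earlier user="*"
    rule already applies to every sender."""
    rules = rules_of(authorization_xml)
    for i, rule in enumerate(rules):
        if rule.get("user") == "*":
            return list(range(i + 1, len(rules)))
    return []

if __name__ == "__main__":
    for name, xml in (("page order", PAGE_ORDER), ("deny first", DENY_FIRST)):
        print(name, authorize(xml, r"COHOWINERY\Enologist"), shadowed_rules(xml))
```

With the deny rule moved to the top, both allow rules are reported as shadowed and the named user is refused by rule 0, which is the misordering to look for when reviewing a policy file.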