The Authorization tab of the ASP.NET Configuration Settings dialog box lets you manage authorization rules for the current Web site directory based on user accounts and roles. You can create user accounts and roles by using Microsoft Windows authentication or ASP.NET Forms authentication (ASP.NET membership). You can add, edit, or remove rules for the current Web site directory. Rules are applied to the current subdirectory and all child subdirectories of the current URL unless they are overridden by a configuration file setting in the child subdirectory.

Inherited rules from the Machine.config configuration file and any parent virtual directory also appear, but cannot be edited. To change the effect of inherited rules, you can create new settings at the Web site level. Application settings are always stored as strings.

The settings that you make on the Authorization tab apply to the Web site that you selected before displaying the Properties dialog box.

Note

Configuration settings can be inherited. Settings can be defined in the Machine.config file, which acts as the base configuration for all Web sites on the server. For more information about ASP.NET configuration files, see ASP.NET Configuration File Hierarchy and Inheritance.

To open the Authorization dialog box
  1. In Windows, open Administrative Tools, and then click Internet Information Services (IIS) Manager.

    IIS Manager appears.

  2. Under Internet Information Services, expand Servername (local computer), expand Web Sites, right-click either Websitename or Default Website, and then click Properties.

    The Web Site Properties dialog box appears.

  3. Click the ASP.NET tab, and then click Edit Configuration.

    The ASP.NET Configuration Settings dialog box appears.

  4. Click the Authorization tab.

Tasks

Using the Authorization tab, you can do the following:

  • View authorization rules that are defined in all inherited configuration files, including the Machine.config file.

  • Add, edit, and remove authorization rules for the current Web site directory.

Rule Precedence

Authorization rules are applied in order, from top to bottom. In some cases, you might have to create multiple rules for the same folder in order to establish the correct permissions. For example, you might create a rule that denies access to anonymous user accounts and a second rule that denies access to user accounts in the role of Guest. That way, only users who are logged on (users who are not anonymous) and in another group (not Guest) can gain access to the folder.

Web.config Settings

The Web.config settings that are managed through the Security tab are the <authorization>, <roleManager>, and <authentication> sections.

The following excerpt from a Web.config file restricts access to a subdirectory of the Web site. Access to the restricted subdirectory is allowed for administrators and for the user named John, and is denied for anonymous users.

<?xml version="1.0" encoding="utf-8"?>
<configuration>
    <system.web>
        <authorization>
            <allow roles="administrators" />
            <allow users="John"/>
            <deny users="?" />
        </authorization>
    </system.web>
</configuration>
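The following added example (not part of the original documentation) is a simplified Python model of top-to-bottom rule evaluation, run against the excerpt above. It assumes the inherited root configuration ends with `<allow users="*"/>`, which is why an authenticated user who matches no local rule is still allowed unless a final `<deny users="*"/>` rule is present; the `STRICT_RULES` variant is constructed for comparison.

```python
import xml.etree.ElementTree as ET

# The page's Web.config excerpt (local rules for the restricted subdirectory).
PAGE_RULES = """<configuration><system.web><authorization>
    <allow roles="administrators" />
    <allow users="John"/>
    <deny users="?" />
</authorization></system.web></configuration>"""

# Constructed variant: the last rule denies every user not allowed above it.
STRICT_RULES = PAGE_RULES.replace('<deny users="?" />', '<deny users="*" />')

# Assumption: the inherited (parent) configuration ends with <allow users="*"/>.
INHERITED = [("allow", {"*"}, set())]


def _names(value):
    """Split a comma-separated users/roles attribute into a lowercase set."""
    return {s.strip().lower() for s in value.split(",") if s.strip()}


def parse_rules(xml_text):
    """Return [(action, users, roles)] in document order."""
    section = next(ET.fromstring(xml_text).iter("authorization"))
    return [(el.tag, _names(el.get("users", "")), _names(el.get("roles", "")))
            for el in section]


def is_allowed(local_rules, user=None, roles=()):
    """First matching rule wins; local rules are checked before inherited ones.

    user=None models an anonymous request. Returns None if no rule matches.
    """
    held = {r.lower() for r in roles}
    for action, users, rule_roles in local_rules + INHERITED:
        matched = (
            "*" in users                                    # every user
            or ("?" in users and user is None)              # anonymous only
            or (user is not None and user.lower() in users)
            or bool(held & rule_roles)
        )
        if matched:
            return action == "allow"
    return None
```

With the page's rules, `is_allowed(parse_rules(PAGE_RULES), "Mary")` is `True` because the request falls through to the inherited rule; with `STRICT_RULES` the same call is `False`.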

UI Elements

Inherited authorization rules

Lists the inherited authorization rules that are defined in the Machine.config file or any parent virtual directory, as defined in ASP.NET Configuration File Hierarchy and Inheritance. Inherited settings are italic and inherited settings that you have overridden are bold.

Local authorization rules

Lists the authorization rules that are applied to the current Web site directory and to all its child directories.

Add

Click to open the Edit Rule Dialog Box to create a new rule.

Edit

Click to open the Edit Rule Dialog Box to edit the selected rule.

Remove

Click to delete the selected row from Local authorization rules.
