Allowing or denying users access to web resources

Abstract

How to deny or allow users access to resources in the Sitecore web root folder.

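You can set up access privileges for web resources with the location tag in the Web.config file. ASP.NET evaluates the rules inside the authorization tag from top to bottom and applies the first rule that matches the user, so the allow rule must come before the deny rule. This example configuration denies access to the /sitecore path for all users except admin and webmaster:

<location path="sitecore">
  <system.web>
    <authorization>
      <!-- Rules are checked in order and the first match wins:
           list the allowed users first, then deny everyone else. -->
      <allow users="admin, webmaster"/>
      <deny users="*"/>
    </authorization>
  </system.web>
</location>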

Read more on the deny and allow tags in Microsoft's documentation on How To Restrict Specific Users from Gaining Access to Specified Web Resources.

You can also configure the Web.config file to use Windows ASP.NET groups and users. This is specified in Microsoft's documentation on How to implement Windows authentication and authorization in ASP.NET.

Note

Only Core roles use the location tag by default, and each Core role is configured differently. We recommend that you audit your location tags as part of your security review process.
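An audit of the kind recommended above could start from a script like the following, which is an added example and not Sitecore's or Microsoft's code. For each location tag it reports rules that can never be reached, because ASP.NET applies the first matching rule, and blocks that have no users="*" rule. The sample configuration and the names audit_locations and names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample Web.config content for illustration (not a real site).
SAMPLE = """<configuration>
  <location path="sitecore">
    <system.web><authorization>
      <deny users="*"/>
      <allow users="admin, webmaster"/>
    </authorization></system.web>
  </location>
  <location path="sitecore/admin">
    <system.web><authorization>
      <allow users="admin"/>
      <deny users="*"/>
    </authorization></system.web>
  </location>
  <location path="temp">
    <system.web><authorization><allow users="webmaster"/></authorization></system.web>
  </location>
</configuration>"""

def names(rule, attr):
    """Split a comma-separated users/roles/verbs attribute into trimmed names."""
    return [n.strip() for n in rule.get(attr, "").split(",") if n.strip()]

def audit_locations(config_xml):
    """Return (path, finding) pairs for the <location> authorization blocks."""
    findings = []
    for loc in ET.fromstring(config_xml).iter("location"):
        path = loc.get("path", "")
        rules = [r for r in loc.findall("system.web/authorization/*")
                 if r.tag in ("allow", "deny")]
        catch_all = None  # first rule that matches every user on every verb
        for number, rule in enumerate(rules, start=1):
            if catch_all is not None:
                # First match wins, so nothing after a catch-all is evaluated.
                findings.append((path, f"rule {number} <{rule.tag}> is never "
                                       f'reached: <{catch_all} users="*"> precedes it'))
            elif "*" in names(rule, "users") and rule.get("verbs") is None:
                catch_all = rule.tag
        if rules and catch_all is None:
            findings.append((path, 'no users="*" rule: unmatched users fall '
                                   "through to the parent configuration"))
    return findings

if __name__ == "__main__":
    for path, finding in audit_locations(SAMPLE):
        print(f"{path}: {finding}")
```

To check a real site, pass the text of its Web.config to audit_locations instead of SAMPLE.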