Allow or deny users access to web resources
You can set up access privileges for web resources with the
location tag in the
Web.config file. This example configuration denies access to the
/sitecore path for all users except
<location path="sitecore"> <system.web> <authorization> <deny users="*"/> <allow users="admin, webmaster"/> </authorization> </system.web> </location>
Read more on the
allow tags in Microsoft's documentation on How To Restrict Specific Users from Gaining Access to Specified Web Resources.
You can also configure the
Web.config file to use Windows ASP.NET groups and users. This is specified in Microsoft's documentation on How to implement Windows authentication and authorization in ASP.NET.
Only Core roles use the
location tag by default, and each Core role is configured differently. We recommend that you audit your
location tags as part of your security review process.