Allow or deny users access to web resources

Current version: 9.3

You can set up access privileges for web resources with the location tag in the Web.config file. This example configuration denies access to the /sitecore path for all users except admin and webmaster:

<location path="sitecore">
      <deny users="*"/>
      <allow users="admin, webmaster"/>

Read more on the deny and allow tags in Microsoft's documentation on How To Restrict Specific Users from Gaining Access to Specified Web Resources.

You can also configure the Web.config file to use Windows ASP.NET groups and users. This is specified in Microsoft's documentation on How to implement Windows authentication and authorization in ASP.NET.


Only Core roles use the location tag by default, and each Core role is configured differently. We recommend that you audit your location tags as part of your security review process.

Do you have some feedback for us?

If you have suggestions for improving this article,