Allow or deny users access to web resources
You can set up access privileges for web resources with the location tag in the Web.config file. This example configuration denies access to the /sitecore path for all users except admin and webmaster. ASP.NET evaluates the rules in the order they appear and applies the first one that matches, so the allow rule must come before the deny rule:
<location path="sitecore">
  <system.web>
    <authorization>
      <allow users="admin, webmaster"/>
      <deny users="*"/>
    </authorization>
  </system.web>
</location>
Read more on the deny and allow tags in Microsoft's documentation on How To Restrict Specific Users from Gaining Access to Specified Web Resources.
You can also configure the Web.config file to use Windows ASP.NET groups and users. This is specified in Microsoft's documentation on How to implement Windows authentication and authorization in ASP.NET.
Only Core roles use the location tag by default, and each Core role is configured differently. We recommend that you audit your location tags as part of your security review process.
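A minimal sketch of such an audit, added here as an example and not part of Sitecore's or Microsoft's code: it lists the allow and deny rules under each location tag and reports rules that can never take effect, because ASP.NET applies the first matching rule from top to bottom. The sample configuration, the example/reports path and the auditor user are constructed; only the users attribute is handled, not roles or verbs.

```python
import xml.etree.ElementTree as ET

# Constructed sample Web.config fragment (not taken from a real site).
SAMPLE = """<configuration>
  <location path="sitecore">
    <system.web><authorization>
      <allow users="admin, webmaster"/>
      <deny users="*"/>
    </authorization></system.web>
  </location>
  <location path="example/reports">
    <system.web><authorization>
      <deny users="*"/>
      <allow users="auditor"/>
    </authorization></system.web>
  </location>
</configuration>"""

def location_rules(config_xml):
    """Map each location path to its ordered (action, users) rules."""
    result = {}
    for loc in ET.fromstring(config_xml).iter("location"):
        rules = []
        for auth in loc.iter("authorization"):
            for rule in auth:
                if rule.tag in ("allow", "deny"):  # skips IIS <add>/<remove>
                    names = rule.get("users", "").split(",")
                    rules.append((rule.tag, [n.strip().lower() for n in names if n.strip()]))
        result[loc.get("path", "")] = rules
    return result

def decide(rules, user):
    """First matching rule wins; user=None is anonymous; None = no rule matched."""
    for action, users in rules:
        named = user is not None and user.lower() in users
        if "*" in users or (user is None and "?" in users) or named:
            return action
    return None  # the parent configuration decides

def shadowed(rules):
    """Rules listed after a users="*" rule can never be reached."""
    for i, (_, users) in enumerate(rules):
        if "*" in users:
            return rules[i + 1:]
    return []

if __name__ == "__main__":
    for path, rules in location_rules(SAMPLE).items():
        print(path, "unreachable:", shadowed(rules))
```

Run it against a copy of each Web.config in the deployment; any location that reports unreachable rules grants or denies something other than what its author intended.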