Allow or deny users access to web resources
You can set up access privileges for web resources with the location tag in the Web.config file. This example configuration denies access to the /sitecore path for all users except admin and webmaster:
When multiple allow and deny rules are defined, Sitecore evaluates them in the order they appear, following standard ASP.NET Core authorization behavior. More specific rules should be defined before more general ones. In particular, allow rules are evaluated before deny rules, and wildcard rules such as deny="*" apply only after earlier allow rules have been processed. This means that an explicit allow rule can grant access even when a later deny rule uses a wildcard.
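The configuration described above, as an added example that is not part of the original page: a Web.config fragment restricting the /sitecore path to the users admin and webmaster, with the explicit allow rules listed ahead of the wildcard deny as the text recommends. The user names and path are taken from the text; the surrounding configuration element is assumed.

```xml
<!-- Added example, not from the original page.
     Rules are evaluated in the order they appear, so the explicit
     allow rules come first and the wildcard deny closes the list. -->
<configuration>
  <location path="sitecore">
    <system.web>
      <authorization>
        <!-- Specific rules first: grant the two named accounts -->
        <allow users="admin,webmaster" />
        <!-- General rule last: deny everyone else, anonymous included -->
        <deny users="*" />
      </authorization>
    </system.web>
  </location>
</configuration>
```

When reviewing location tags, check that no wildcard deny rule precedes the allow rules it is meant to exempt, since that ordering silently locks out the intended accounts.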
Read more about the deny and allow tags in Microsoft's documentation on How To Restrict Specific Users from Gaining Access to Specified Web Resources.
You can also configure the Web.config file to use Windows groups and users for ASP.NET authorization. This is described in Microsoft's documentation on How to implement Windows authentication and authorization in ASP.NET.
Only Core roles use the location tag by default, and each Core role is configured differently. We recommend that you audit your location tags as part of your security review process.