allow Element for authorization (ASP.NET Settings Schema)

Article
12/21/2012

Adds an authorization rule that allows access to a resource to the mapping of authorization rules.

configuration Element (General Settings Schema)
  system.web Element (ASP.NET Settings Schema)
    authorization Element (ASP.NET Settings Schema)
      allow Element for authorization (ASP.NET Settings Schema)

<allow 
   users="comma-separated list of users"
   roles="comma-separated list of roles"
   verbs="comma-separated list of verbs"
/>

Attributes and Elements

The following sections describe attributes, child elements, and parent elements.

Attributes

Attribute	Description
users	Required String attribute. A comma-separated list of user names that are allowed access to the resource. A question mark (?) indicates that anonymous users are granted access to the resource. An asterisk (*) indicates that all users are granted access to the resource.
roles	Required String attribute. A comma-separated list of roles that are granted access to the resource.
verbs	Optional String attribute. A comma-separated list of HTTP transmission methods that are granted access to the resource. Verbs that are registered to ASP.NET are GET, HEAD, POST, and DEBUG.

users

Required String attribute.

A comma-separated list of user names that are allowed access to the resource. A question mark (?) indicates that anonymous users are granted access to the resource. An asterisk (*) indicates that all users are granted access to the resource.

roles

Required String attribute.

A comma-separated list of roles that are granted access to the resource.

verbs

Optional String attribute.

A comma-separated list of HTTP transmission methods that are granted access to the resource.

Verbs that are registered to ASP.NET are GET, HEAD, POST, and DEBUG.

Child Elements

None.

Parent Elements

Element	Description
configuration	Specifies the required root element in every configuration file that is used by the common language runtime and the .NET Framework applications.
system.web	Specifies the root element for the ASP.NET configuration settings in a configuration file and contains configuration elements that configure ASP.NET Web applications and control how the applications behave.
authorization	Configures the authorization for a Web application. The authorization tag controls client access to URL resources. This element can be declared at any level (machine, site, application, subdirectory, or page).

Remarks

The allow element adds an authorization rule that allows access to a resource to the mapping of authorization rules that are stored in the authorization element.

The authorization element configures the authorization for a Web application, by controlling client access to URL resources. For the required attributes, you can use either the users or roles attribute or both.

The default authorization rule is <allow users="*"/>. Thus, by default, access is allowed unless configured otherwise.

In order to facilitate deployment, the period (.) shortcut notation for the current computer is supported. This allows you to prefix each user or role with a period and a backslash (.\) sequence, as shown in the following code example:

At run time the period-backslash sequences are substituted with "localmachinename\" sequences. The substitution is done only if a Windows identity is being used with the request. This is to avoid conflicts when the period-backslash sequences are used in arbitrary roles with custom principals.

Because the authorization element does not represent a collection, there are no clear or remove child elements. To programmatically clear the mappings of authorization rules, use the Clear() or Remove method.

Default Configuration

The following default authorization element is configured in the root Web.config file in the .NET Framework version 2.0 and configured in the Machine.config file in the .NET Framework versions 1.1 and 1.0.

<authorization>
   <allow users="*" />
</authorization>

Example

The following code example demonstrates how to deny access to all user accounts and allows access to all members of the role admins.

<configuration>
  <system.web>
    <authorization>
      <allow roles="admins"/>
      <deny users="*"/>
    </authorization>
  </system.web>
</configuration>

Element Information

Configuration section handler	AuthorizationSection
Configuration member	AuthorizationRuleCollection
Configurable locations	Machine.config Root-level Web.config Application-level Web.config Virtual or physical directory–level Web.config
Requirements	Microsoft Internet Information Services (IIS) version 5.0, 5.1, or 6.0 The .NET Framework version 1.0, 1.1, or 2.0 Microsoft Visual Studio 2003 or Visual Studio 2005

allow Element for authorization (ASP.NET Settings Schema)

Attributes and Elements

Attributes

Child Elements

Parent Elements

Remarks

Default Configuration

Example

Element Information

See Also

Tasks

Reference

Concepts

Other Resources

Additional resources