<deny> Element

Specifies that access to a resource is denied.


<deny users="comma-separated list of users"
      roles="comma-separated list of roles"/>

Optional Attributes

Attribute Description
Users A comma-separated list of user names that are denied access to the resource. A question mark (?) denies anonymous users and an asterisk (*) indicates that all users are denied access.
Roles A comma-separated list of roles that are denied access.


At run time, the authorization module iterates through the <allow> and <deny> tags until it finds the first access rule that fits a particular user. It then grants or denies access to a URL resource depending on whether the first access rule found is an <allow> or a <deny> rule. The default authorization rule in the Machine.config file is <allow users="*"/> so, by default, access is allowed unless configured otherwise.


The following example allows access to all members of the Admins role and denies access to all users.

         <allow roles="Admins"/>
         <deny users="*"/>


Contained Within: <system.web>

Web Platform: IIS 5.0, IIS 5.1, IIS 6.0

Configuration File: Machine.config, Web.config

Configuration Section Handler: System.Web.Configuration.CustomErrorsConfigHandler

See Also

<authorization> Element | ASP.NET Configuration | ASP.NET Settings Schema