So today I was working on a project where I needed to allow for certain users to access a site but no one else. Seems simple enough but logic goes out the window with this.

I had this which made sense to me. Deny everyone first, then add the roles that I wanted to have access:

<system.web>
   <authorization>
      <deny users=”*” />
      <allow roles=”Role 1″ />
      <allow roles=”Role 2″ />
      <allow roles=”Role 3″ />
      <allow roles=”Role 4″ />
      <allow roles=”Role 5″ />
      <allow roles=”Role 6″ />
   </authorization>
</system.web>

Turns out that you have to allow the users first and then deny everyone. So next time I come across this, I will throw logic out the window and get it done faster. This one is the one that works:

<system.web>
   <authorization>
      <allow roles=”Role 1″ />
      <allow roles=”Role 2″ />
      <allow roles=”Role 3″ />
      <allow roles=”Role 4″ />
      <allow roles=”Role 5″ />
      <allow roles=”Role 6″ />
      <deny users=”*” />
   </authorization>
</system.web>