In my setup the web.config in the managnment folder does not seem to overide the main web.config - I created an Admin role but any user of the site can get into the folder

Any ideas where I can troubleshoot?

Thanks in Advance

This makes no sense.

By design, a web.config in a specific directory will override the root web.config

http://www.codeproject.com/aspnet/multipleWebConfig.asp

How is your secondary web.config setup? Do you have your authorization setup correctly in the second file?

        <authorization>
            <allow roles="administrators" />
            <allow users="Admin"/>
            <deny users="?" />
        </authorization>

================================================== =========
Read this if you want to know how to get a correct reply for your question:
http://www.catb.org/~esr/faqs/smart-questions.html
================================================== =========
Technical Editor for: Professional Search Engine Optimization with ASP.NET
http://www.wiley.com/WileyCDA/WileyT...470131470.html
================================================== =========
Why can't Programmers, program??
http://www.codinghorror.com/blog/archives/000781.html
================================================== =========

I created a user 'cf' which is assigned to no role - so this user should not be able to properly login - right? Well this user can actually do everything the admin can.

My web.config looks like

<?xml version="1.0" encoding="utf-8"?>
<configuration xmlns="http://schemas.microsoft.com/.NetConfiguration/v2.0">
    <system.web>
        <authorization>
            <allow roles="admin" />
            <deny users="?" />
        </authorization>
    </system.web>
</configuration>

Using the application admin tool Under "manage access rules"
Permission-- Users and Roles --- Delete
Allow------- admin --- Delete
Deny-------- [anonymous] --- Delete

To me it looks like the " <deny users="?" />" in the web.config is being interpreted as anonymous - which should not be part of the problem since my user is not a

Or..
Perhaps it has something to do with the fact that This is a real sql server- not sql express? At first roles were not enabled in the MS membership settings - at that time any user could get in the folder - now I enalbed roles and created the admin role - nd still same problem

Ok so If I create a role called "regular" and assign a user this sole role - then in the mangment folder's web.config set

            <allow roles="admin" />
            <deny roles="regular" />

The login will come up again when I enter the correct credentials - this makes sense since its setup to explicitly deny the 'regular' role - but if I remove the deny roles line - I would expect the same behavior though it would be implicit, since the only allowed role is 'admin' - am I wrong? It apparently seems so - it looks like the 'allow roles' does not really have an effect since my user is in the 'regular' role and can still access the pages in the folder - unless I specifically deny the 'regular' role

sorry for repeating myself I'm just trying to get my point across

Just trying to get an idea of how this works,thanks for your input

The role mechanism reads from top to bottom and exits on the first role or user that matches. If you don't explicitly block things, users can still access the pages. So, you need to change it to this:

<allow roles="admin" />
<deny users="*" />

Although it seems you're blocking *all* users (due to the *), the admin role can still log in....

Imar

Thanks for the explanation - I'm happy to find out this is the way it works vs the way ntfs permissions work