Once a requesting client has been authenticated,
the server must then determine whether this user is allowed to access
the resources it is requesting. This process is known as
authorization. You have already seen an example
of authorization in Example 19-4 and Example 19-5, in the
<authorization> sections in
web.config. The details of authorization will
now be explained. There are two ways of authorizing users: file
authorization and URL authorization.
Any Windows operating system that supports NTFS (this includes Windows 2000, Windows XP, and Windows 2003) uses a security system based on Access Control Lists (ACLs). ACLs control access to any specific file or directory based on the requesting user’s membership in a Windows Domain or Active Directory and the group(s) to which that user belongs. You have seen users and groups in Figure 19-3.
You will only be able to use file authorization if the hard drive(s) containing the resources are formatted using NTFS.
If all the legitimate users of a web application are known to have Windows user accounts, then you can use file authorization to authorize a user’s access to a resource. Each user is assigned to an appropriate group and that group is given the necessary permissions, using the Computer Management console, to use the application.
For further information on the minimum file access rights required by a web application, see the Microsoft Knowledge Base Article Q187506, “List of NTFS Permissions ...