Form Authorization not working as expected. How does it works?

Question

I have set <allow Roles="Admin" />but not set <Deny /> tag under system.web and authorization tag but it allow all user to access Admin page. I don't want to allow admin page except admin role user. Can anyone help me this regards.

Answer 1

You must check all possibilities.

1. everyone can access the site and pages by default.
2. you allow Admin.
3. everyone else is still allowed.

Set allow, then set deny.

<allow roles="Admin"/> // allow users in Admin role.
<deny users="*"/>      // deny everyone else.

See here.