Edit a Local URL Authorization Rule (IIS 7)

Applies To: Windows 7, Windows Server 2008, Windows Server 2008 R2, Windows Vista

You can edit local URL authorization rules. When you change a URL authorization rule, you can change the users, roles, or verbs.

You cannot change the mode of the rule. For example, to change a Deny rule to an Allow rule, you must delete the Deny rule and create a new Allow rule with the same users, roles, and verbs. You also cannot edit inherited rules.


Editing a configuration setting changes the setting at the local level and for any child levels that inherit the setting.


For information about the levels at which you can perform this procedure, and the modules, handlers, and permissions that are required to perform this procedure, see URL Authorization Feature Requirements (IIS 7).

Exceptions to Feature Requirements

  • None

To edit a local URL authorization rule

You can perform this procedure by using the user interface (UI), by running Appcmd.exe commands in a command-line window, by editing configuration files directly, or by writing WMI scripts.

User Interface

To use the UI

  1. Open IIS Manager and navigate to the level you want to manage. For information about opening IIS Manager, see Open IIS Manager (IIS 7). For information about navigating to locations in the UI, see Navigation in IIS Manager (IIS 7).

  2. In Features View, double-click Authorization Rules.

  3. On the Authorization Rules page, select the URL authorization rule you want to change, and then click Edit in the Actions pane.

  4. In the Edit AllowAuthorization Rule or Edit Deny Authorization Rule dialog box, change one or more of the following settings:

    • All users.

    • All anonymous users.

    • Specified roles or user groups. Type the name of the role or user group in the text box.

    • Specified users. Type the user ID in the text box.

  5. Check Apply this rule to specific verbs, or change the list of HTTP verbs for this content, or clear Apply this rule to specific verbs if you do not want to specify verbs.

  6. Click OK.

Command Line

To change an authorization rule, use the following syntax:

appcmd set config /section:authorization /[accessType='Deny',roles='string',users='string',verbs='string'].accessType | roles | users | verbs:string

The variable .accessType | roles | users | verbs string is any single attribute you want to change followed by the new value. You can add multiple strings by using a comma to separate each unique value. For example, to change a Deny rule for all users to an Allow rule for all users, type the following at the command prompt, and then press ENTER:

appcmd set config /section:authorization /[accessType='Deny',users='*'].accessType:Allow

To change a Deny rule for anonymous users to Deny only to User1 and User2, type the following at the command prompt, and then press ENTER:

appcmd set config /section:authorization /[accessType='Deny',users='?'].users:User1,User2

For more information about Appcmd.exe, see Appcmd.exe (IIS 7).


The procedure in this topic affects the following configuration elements:

<add> under <authorization>

For more information about IIS 7 configuration, see IIS 7.0: IIS Settings Schema on MSDN.


Use the following WMI classes, methods, or properties to perform this procedure:

  • AuthorizationSection class

  • AuthorizationRule class

For more information about WMI and IIS, see Windows Management Instrumentation (WMI) in IIS 7. For more information about the classes, methods, or properties associated with this procedure, see the IIS WMI Provider Reference on the MSDN site.

See Also


Configuring URL Authorization Rules in IIS 7