Topics

All topics

Define the Access permissions

To define the access permission for the service, perform the following:

Choose who can access the service

Under Who can access the content by this service?, select one of the following:

Everyone
By selecting this option, you set the Access property to Anonymous.
This option gives permissions to anonymous and authenticated users to read the content defined by the web service and also gives permissions to authenticated users to modify the content (perform CRUD operations), based on their roles and permissions, defined in Sitefinity.
Authenticated users
This is the default value. By selecting this option, you set the Access property to Authenticated.
This option restricts anonymous users from either reading or modifying the content provided by the web service. Anonymous users will receive a 401 Unauthorized status code. Only authenticated users are allowed to view and modify the content (perform CRUD operations), based on their roles and permissions, defined in Sitefinity CMS. Authenticated users who do not have permission to manipulate data will receive a 403 Forbidden status code.
Administrators only
By selecting this option, you set the Access property to Admin.
This option allows only admin users to access the service and perform CRUD operations with the data. Authenticated users will receive a 403 Forbidden status code and anonymous users will receive a 401 Unauthorized status code.

Restrict access by domain

To restrict the user access by the domain, which the users belong to, enter their domains in the Allow users from other domains listbox.
This listbox sets the AccessControlAllowOrigin (CORS) property, also known as the CORS policy.
Enter one of the following:

Enter the comma separated list of allowed domains, one per line.
Enter *
Every request from every domain will be allowed. We do not recommend this, because there may be malicious users who would try to exploit the service. We recommend to specify only domains that are trusted.
Leave the box empty.
If you leave the list empty, then the CORS policy will fallback to the AccessControlAllowOrigin setting in the SecurityConfig.config file. If that setting in the SecurityConfig.config file is empty, then requests only from the same domain are allowed.
IMPORTANT: In case there is a setting in the web.config file that adds a custom value for the Access-Control-Allow-Origin Header to the custom headers section, then the SecurityConfig.config file setting will conflict with the web.config setting. Thus, to avoid conflict, you need to use only one of the settings and omit the other.
For more information about custom headers, see the IIS documentation.

Increase your Sitefinity skills by signing up for our free trainings. Get Sitefinity-certified at Progress Education Community to boost your credentials.

Web Security for Sitefinity Administrators

The free standalone Web Security lesson teaches administrators how to protect your websites and Sitefinity instance from external threats. Learn to configure HTTPS, SSL, allow lists for trusted sites, and cookie security, among others.

Foundations of Sitefinity ASP.NET Core Development

The free on-demand video course teaches developers how to use Sitefinity .NET Core and leverage its decoupled architecture and new way of coding against the platform.

Was this article helpful?

Yes No

Would you like to submit additional feedback?

Your feedback about this content is important

How helpful is this article?

Very helpful Somewhat helpful Not helpful

How can we improve this article?(Optional)

Fix typos or links

Fix incorrect information

Add or update code samples

Add or update illustrations

Add information about...

Send feedback Cancel

Configure the Types of a service