Define the Access permissions
To define the access permission for the service, perform the following:
Choose who can access the service
Under Who can access the content by this service?, select one of the following:
- Everyone
By selecting this option, you set the Access property to Anonymous.
This option gives permissions to anonymous and authenticated users to read the content defined by the web service and also gives permissions to authenticated users to modify the content (perform CRUD operations), based on their roles and permissions, defined in Sitefinity.
- Authenticated users
This is the default value. By selecting this option, you set the Access property to Authenticated.
This option restricts anonymous users from either reading or modifying the content provided by the web service. Anonymous users will receive a 401 Unauthorized status code. Only authenticated users are allowed to view and modify the content (perform CRUD operations), based on their roles and permissions, defined in Sitefinity CMS. Authenticated users who do not have permission to manipulate data will receive a 403 Forbidden status code.
- Administrators only
By selecting this option, you set the Access property to Admin.
This option allows only admin users to access the service and perform CRUD operations with the data. Authenticated users will receive a 403 Forbidden status code and anonymous users will receive a 401 Unauthorized status code.
Restrict access by domain
To restrict access to users from specific domains only, select Allow users from specific domains only.
This checkbox sets the AccessControlAllowOrigin (CORS) property, also known as the CORS policy. By default, CORS is enabled and uses this setting.
Enter one of the following:
- Enter the comma separated list of allowed domains, one per line.
- Enter *
Every request from every domain will be allowed. We do not recommend this, because malicious users may try to exploit the service. We recommend specifying only domains that you trust.
- Leave the box empty.
If you do not select the checkbox, or you leave the list empty, the CORS policy falls back to the AccessControlAllowOrigin setting in the SecurityConfig.config file. If that setting in the SecurityConfig.config file is also empty, only requests from the same domain are allowed.
IMPORTANT: In case there is a setting in the web.config file that adds a custom value for the Access-Control-Allow-Origin Header to the custom headers section, then the SecurityConfig.config file setting will conflict with the web.config setting. Thus, to avoid conflict, you need to use only one of the settings and omit the other.
For more information about custom headers, see the IIS documentation.
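The following is an added example, not Sitefinity's own code: it models the origin resolution described above (service list, then the SecurityConfig.config setting, then same domain only) and flags the two findings a reviewer would raise, a wildcard origin and an Access-Control-Allow-Origin header set in both web.config and SecurityConfig.config. The function names, the way the settings are passed in as strings, and the sample web.config snippet are constructed assumptions; only the customHeaders element path is the real IIS structure.

```python
import xml.etree.ElementTree as ET

# Constructed web.config fragment with a custom Access-Control-Allow-Origin header.
SAMPLE_WEBCONFIG = """<configuration>
  <system.webServer>
    <httpProtocol>
      <customHeaders>
        <add name="Access-Control-Allow-Origin" value="https://portal.example.test" />
      </customHeaders>
    </httpProtocol>
  </system.webServer>
</configuration>"""

WILDCARD_FINDING = "wildcard origin: every domain may call the service"
CONFLICT_FINDING = "Access-Control-Allow-Origin set in both web.config and SecurityConfig.config"


def _split_origins(raw):
    # Accept both comma-separated and one-per-line lists, ignoring blanks.
    return [e.strip() for e in (raw or "").replace("\n", ",").split(",") if e.strip()]


def effective_origins(service_setting, securityconfig_setting, site_origin):
    """Return the set of allowed origins; '*' in the set means every origin."""
    for raw in (service_setting, securityconfig_setting):
        entries = _split_origins(raw)
        if entries:  # first non-empty level wins, exactly like the fallback order
            return {"*"} if "*" in entries else set(entries)
    return {site_origin}  # both empty: only same-domain requests are allowed


def origin_allowed(request_origin, allowed):
    """True if a cross-origin request from request_origin would pass the policy."""
    return "*" in allowed or request_origin in allowed


def webconfig_cors_header(webconfig_xml):
    """Return the value of a custom Access-Control-Allow-Origin header in web.config, or None."""
    for add in ET.fromstring(webconfig_xml).iter("add"):
        if add.get("name", "").lower() == "access-control-allow-origin":
            return add.get("value")
    return None


def audit(service_setting, securityconfig_setting, webconfig_xml, site_origin):
    """Collect review findings for the combined CORS configuration."""
    findings = []
    if "*" in effective_origins(service_setting, securityconfig_setting, site_origin):
        findings.append(WILDCARD_FINDING)
    if webconfig_cors_header(webconfig_xml) and _split_origins(securityconfig_setting):
        findings.append(CONFLICT_FINDING)
    return findings
```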