in contrast to Authentication implies, "What resources are accessible to the users". This means that once the user logs in (or hasn't logged in), we need to restrict users to access resources on our website according to his/her roles that we'd provide him/her.
Authentication:
on the other hands confirms the identity of the user on the basis of a pair of Username and Password.
Example of how to implement Authorization:
Authorization logic is defined in the web.config file under <System.Web> tag:
1. <authorization>
2. <allow roles="Administrators" />
3. <deny users="*" />
4. </authorization>
The above code would mean that just allow the users whose role in the database is defined to be "Administrators" and deny access to any other user.
1. <authorization>
2.
3. <allow roles="Administrators"/>
4. <deny roles="Supervisors"/>
5. <deny roles="Employees"/>
6. <deny users="*"/>
7. <deny users="?"/>
8.
9. </authorization>
The above code would mean that just allow the users who's role in the database is defined to be "Administrators, Supervisors , Employees " and deny access to any other users and anonymous users as well. ‘?’ refers to Anonymous users.
NOTE: Remember that permissions are validated from top to bottom, and if ASP.NET doesn't find any explicit denial, then it will grant access by default.