Hi, in One Identity 8.2.1, is it possible to grant access to the IT Shop to only a subset of users based on membership of an Active Directory group?
Thanks,
Roberto
To gain access to the IT Shop, all the user has to be is active; if they are inactive, it will not allow them to authenticate.
This can be changed: there is a dynamic role on the IT Shop "Identity & Access Lifecycle". This dynamic rule determines who gets access to this shop. You could create a second IT Shop for just the set of users you want, or change the dynamic rule for the default IT Shop to only allow users based on ADSGroup membership.
Sorry, I haven't been clear enough. What I would like to do is to prevent some users from logging in to the web portal itself.
I achieved it (since I'm using a role-based auth module) by removing all the memberships to the default AERoles, but I do not like this way.
My suggestion would still work. You would have to update the dynamic rule to exclude those users. It sounds as if it is based on ADSGroup membership?
Hi,
There is a control in the web.config called: authorization > allow users / deny users.
I haven't done it myself but I do recall being told a long time ago that you can use these controls to restrict access by AD group membership.
I'll see if I can find the syntax but no promises.
HTH, Barry.
I found this, but it's from 2015, so it might be out of date:
<authorization>
  <remove users="*" roles="" verbs="" />
  <add accessType="Allow" users="" roles="TheDomain\TheGroup" />
</authorization>
This might be more syntactically correct:
<authorization>
  <allow roles="BUILTIN\Administrators" />
  <deny users="*" />
</authorization>
Great! Thanks Barry!
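The two snippets from the thread, placed in the web.config sections where each syntax is valid, as an added example that is not part of the original posts or One Identity's own configuration. It assumes the portal's IIS application authenticates users with Windows authentication, so that role names resolve to AD groups; TheDomain\TheGroup is the placeholder group name used in the thread.

```xml
<!-- Added illustration. The two forms are shown side by side for comparison;
     a site normally needs only the one whose module is active. -->
<configuration>

  <!-- ASP.NET URL authorization (UrlAuthorizationModule): <allow>/<deny>.
       Rules are read top to bottom and the first match wins, so the
       <allow> for the group must come before <deny users="*">.
       Without the final deny, the inherited allow-all rule still applies. -->
  <system.web>
    <authorization>
      <allow roles="TheDomain\TheGroup" />
      <deny users="*" />
    </authorization>
  </system.web>

  <!-- IIS 7+ URL Authorization: <add accessType="..."> / <remove>.
       The <remove> entry drops the inherited "allow all users" rule,
       then a single Allow rule is added for the group.
       Requires the URL Authorization role service to be installed. -->
  <system.webServer>
    <security>
      <authorization>
        <remove users="*" roles="" verbs="" />
        <add accessType="Allow" users="" roles="TheDomain\TheGroup" />
      </authorization>
    </security>
  </system.webServer>

</configuration>
```

With either form, a user outside the group receives an HTTP 401 from IIS before the portal's own login logic runs, so test with one account inside the group and one outside it.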