How can I deny authenticated users with “Admin” or “Tenant” roles and allow the rest of the authenticated users with other roles in web.config file. A user can have more than 1 role. For example a user can be “Admin” and “Painter”. In the perfect situation my application should allow this user because he is “Painter” too. If he was only “Admin” or “Tenant” then he should be rejected.

Just curious: why would you want someone to be an Admin and not see stuff?

If you want them to be Admin of certain sections, can't you make them 'Tenant Admin' and then have an 'Admin'?

I mean, you don't want to lock yourself out right?

hmm i dont' think you want to do that. think about another scenario.

A user is a painter and an admin, thus making him a "Painter Admin." Now the same user also becomes a novice electrician. you don't want to make him an Electrician Admin though.

So in summary you want anyone in the 'Painter' role to have access but you want to deny access to all other users, in which case you'd do this:

<authorization>
<allow roles="Painter'"/>
<deny roles="*"/>
</authorization>

hmm i dont' think you want to do that. think about another scenario.

A user is a painter and an admin, thus making him a "Painter Admin." Now the same user also becomes a novice electrician. you don't want to make him an Electrician Admin though.

Can't you just make him an 'Electrician'? (Just learning stuff here myself while I'm at it). I mean, can't a person have more than one role?

Site Owner = Admin
Painter Admin = PaintAdmin
Painter = Painter
Electrician Admin = ElecAdmin
Electrician = Electrician

Tom is the Painter Admin and has picked up learning to be an electrician on the side:
Tom's roles: PaintAdmin, Electrician... ?

I would like to thank each and every one of you. I solved my problem by not having web.config and by coding in Page_Load event by checking Roles.IsUserInRole(userName, roleName)

Thank you