Feature Delegation

 

Applies To: Windows Server 2012 R2, Windows Server 2012

Use the Feature Delegation feature page to configure the delegation state of IIS Manager features for sites and applications on your Web server.

Related scenarios

In this document

Feature Delegation Overview

When you configure the delegation state of a feature from IIS Manager, you specify whether the feature's related configuration section is locked or unlocked in the server-level configuration files (ApplicationHost.config and root Web.config) for IIS 8. When you lock a feature, configuration can only be read from and written to the server-level configuration file for that feature. However, you can unlock a feature when you want to read from or write to lower-level configuration files, such as a Web.config file in your site or application.

Note

When you configure delegation state for features in IIS Manager, you control only the configuration sections and the corresponding levels at which settings can be set in the configuration files.

You can use Web.config files to read and save configuration settings for any or all features in your sites and applications. You can then easily copy configuration from one computer to another. For example, you might develop an application on a development or test computer and specify application features to write to Web.config. This lets you package all the application's content easily, including its configuration file, and transfer it to another computer.

Important

If you develop a site or an application for a production environment, ask someone who is an administrator on the production computer whether the features that you configure in the site's or application's Web.config can be unlocked in the production environment. If the feature you configure in Web.config is locked in the production environment, it will cause run-time errors because your chosen configuration is invalid.

Feature Delegation pairs with the IIS Manager Users and IIS Manager Permissions features to enable non-administrative users to view and configure delegated features in their sites or applications by using IIS Manager. The delegation state of a feature determines whether users can configure the feature in their sites and applications. For example, if you want to let users configure data connection strings, select Connection Strings from the list on the Feature Delegation page, and then click Read/Write from the Actions pane or the right-click menu.

The Feature Delegation page affects all sites and applications on the Web server. The Feature Delegation settings that you configure at the server level are for all sites on the server; the settings that you configure at the site level are for all applications in that site. If you want to configure delegation states for features in a specific site or application, use the Custom Site Delegation and Custom Application Delegation pages.

Warning

If you have configured delegation states for features and you want to change those states later, review how the features have been delegated at lower levels in the configuration. Make sure that you understand how the changes affect those features at the lower levels. For example, suppose that you configure a feature to be Read Only for sites, and a user at the site level configured a more restrictive setting by removing delegation for that feature. If you reconfigure the feature to be Read/Write at the parent level, you might inadvertently change the state that the user set. As a best practice, use a test computer to test how changes to the delegation states affect your environment before you change the production environment.

UI Elements for Feature Delegation

The following tables describe the UI elements that are available on the feature page and in the Actions pane.

Feature Page Elements

Element Name

Description

Name

Displays the name of the UI feature in IIS Manager. Select a feature and then click the delegation state that you want from the Actions pane or from the right-click menu.

Delegation

Displays the delegation state of the UI feature at lower levels.

Actions Pane Elements

The following table describes the delegation options available for IIS 8 features in IIS Manager and how the delegation options affect the configuration files and user interface (UI). These features are configuration-based features. If you extend IIS Manager to include third-party features, your delegation states might differ from this table if they are user-specified delegation states. Additionally, individual features that you configure on the Feature Delegation page might be protocol-specific and not applicable to all sites and applications.

Delegation Option

Description for Windows Vista operating systems

Description for Windows Server 2008 operating systems

Read/Write

When you select Read/Write for a feature, you unlock the feature's related configuration sections in the server-level configuration file. Configuration changes for that feature will then be read from and written to Web.config files in sites or applications.

When you select Read/Write for a feature, you unlock the feature's related configuration sections in the server-level configuration file. Configuration changes for that feature will then be read from and written to Web.config files in sites or applications.

Additionally, configuring a feature to be Read/Write enables nonadministrative users to see and configure the feature in IIS Manager for sites or applications to which they are allowed to connect.

Read Only

When you select Read Only for a feature, you lock the feature's related configuration sections in the server-level configuration file. Configuration cannot be written to Web.config files in sites or applications.

Note

If you set configuration settings for a feature in a Web.config file, but the feature is Read Only, you will receive an error if you try to configure the feature at the site or application level, and you will receive runtime errors in your sites and applications.

When you select Read Only for a feature, you lock the feature's related configuration sections in the server-level configuration file. Configuration cannot be written to Web.config files in sites or applications.

Additionally, nonadministrative users cannot configure the feature in IIS Manager for their sites or applications, but they can see the feature as Read Only in IIS Manager to see how the feature is configured in the server-level configuration file.

Note

If you set configuration settings for a feature in a Web.config file, but the feature is Read Only, you will receive an error if you try to configure the feature at the site or application level, and you will receive run-time errors in your sites and applications.

Not Delegated

When you select Not Delegated for a feature, you lock the feature's related configuration sections in the server-level configuration file. Configuration cannot be read from and written to Web.config files in sites or applications.

When you select Not Delegated for a feature, you lock the feature's related configuration sections in the server-level configuration file. Configuration cannot be read from and written to Web.config files in sites or applications.

Additionally, nonadministrative users will not see the feature in IIS Manager and they will not be able to configure the feature at the site and application levels.

Reset to Inherited

When you select Reset to Inherited for a feature, the feature inherits the delegation state that is set at the parent level.

When you select Reset to Inherited for a feature, the feature inherits the delegation state that is set at the parent level.

Configuration Read/Write

When you select Configuration Read/Write for a feature, you unlock the feature's configuration sections in the server-level configuration file. Configuration changes for that feature will then be read from and written to Web.config files in sites or applications. This option is available only for features, such as .NET Users and .NET Roles, that have configuration in both a configuration file and a database.

Note

This setting does not affect the database permissions.

When you select Configuration Read/Write for a feature, you unlock the feature's configuration sections in the server-level configuration file. Configuration changes for that feature will then be read from and written to Web.config files in sites or applications. This option is available only for features, such as .NET Users and .NET Roles, that have configuration in both a configuration file and a database.

Note

This setting does not affect the database permissions.

Configuration Read Only

When you select Configuration Read Only for a feature, you lock the feature's configuration sections in the server-level configuration file. Configuration cannot be written to Web.config files in sites or applications; however, the application can continue to write to the database. This option is available only for features, such as .NET Users and .NET Roles, that have configuration in both a configuration file and a database.

Note

This setting does not affect the database permissions.

When you select Configuration Read Only for a feature, you lock the feature's configuration sections in the server-level configuration file. Configuration cannot be written to Web.config files in sites or applications; however, the application can continue to write to the database. This option is available only for features, such as .NET Users and .NET Roles, that have configuration in both a configuration file and a database.

Note

This setting does not affect the database permissions.

Reset All Delegation

Resets the delegation states of all the features to states set at the parent level. At the server level, this sets the delegation states to the states as specified in the overrideModeDefault settings in the server-level configuration file.

Resets the delegation states of all the features to states set at the parent level. At the server level, this sets the delegation states to the states as specified in the overrideModeDefault settings in the server-level configuration file.

Custom Site Delegation or Custom Application Delegation

Not available.

Opens the Custom Site Delegation feature page or the Custom Application Delegation feature page in which you can configure custom delegation states for an individual site or application.

Custom Site or Application Delegation

Use the Custom Site Delegation and Custom Application Delegation feature pages to configure the default delegation state of IIS Manager features for a specific site or application on your web server. The delegation state of a feature determines whether nonadministrative users who have been granted permission to a site or application can configure the feature in that site or application. For example, you can configure the delegation state of a feature, such as Connection Strings, as Read/Write when you want to allow users to configure that feature in their site or application.

The features that you configure on this page affect only the site or application that you select from the Sites or Applications drop-down lists. You can use Copy Delegation to open the dialog box and select additional sites or applications, or both, if you want to apply the same delegation states of features to other sites and applications. You can also configure the default delegation state of features for all sites and applications on the Web server by using the Feature Delegation page.

Warning

If you have configured delegation states for features and you want to change those states later, review how the features have been delegated at lower levels in your configuration to make sure that you understand how the changes affect those features at the lower levels. For example, if you originally configured a feature to be Read Only for sites, and a user at the site level configured a more restrictive setting by removing delegation for that feature, you might inadvertently change the state that was set by the user if you configure the feature to be Read/Write at the parent level. As a best practice, use a test computer to test how changes to the delegation states affect your environment before you make changes to a production environment.

Sort the list by clicking one of the feature page column headings or select a value from the Group by drop-down list to group similar items.

Feature Page Elements

Element Name

Description

Sites or Applications

Select the site or application for which you want to configure the delegation state of UI features.

Note

To configure custom delegation for a site, you must be connected to a server in IIS Manager. To configure custom delegation for an application, you must be connected to a site in IIS Manager.

Copy Delegation

Click Copy Delegation to open the Copy Delegation dialog box and copy the custom delegation states to other sites or applications.

Name

Displays the name of the UI feature in IIS Manager. Select a feature and then click the delegation state that you want from the Actions pane or from the right-click menu.

Delegation

Displays the delegation state of the UI feature at lower levels.

Actions Pane Elements

The following table describes the delegation options available for IIS 8 features in IIS Manager and how the delegation options affect the configuration files and user interface (UI). These features are configuration-based features. If you extend IIS Manager to include third-party features, your delegation states might differ from this table if they are user-specified delegation states.

Element Name

Description

Read/Write

Enables nonadministrative users for a site or application to see and configure the selected feature at the site and application levels by using IIS Manager.

Read Only

Enables nonadministrative users for a site or application to see, but not configure, the selected feature at the site and application levels by using IIS Manager.

Configuration Read/Write

Enables nonadministrative users for a site or application to see and configure the selected feature at the site and application levels by using IIS Manager. This option is available only for features, such as .NET Users and .NET Roles, that have configuration in both a configuration file and a database.

Note

This setting does not affect the database permissions.

Configuration Read Only

Enables nonadministrative users for a site or application to see, but not configure, the selected feature at the site and application levels by using IIS Manager. This option is available only for features, such as .NET Users and .NET Roles, that have configuration in both a configuration file and a database.

Note

This setting does not affect the database permissions.

Not Delegated

Removes the selected feature from being delegated. This feature is not displayed in IIS Manager and cannot be configured by nonadministrative users at the site and application levels.

Reset to Inherited

Resets the selected feature to the delegation state specified at the parent level.

Reset All Delegation

Resets the delegation states of all the features to the delegation states specified at the parent level.

Default Delegation

Opens the Feature Delegation page in which you can configure default delegation states for sites or applications.

Copy Delegation Dialog Box

Use the Copy Delegation dialog box to select sites and applications to which you want to copy custom delegation states for features in IIS Manager. You can copy custom delegation states from one site to another when you are connected to a server in IIS Manager, and copy custom delegation states from one application to another when you are connected to a site in IIS Manager.

Element Name

Description

Site_name or application_name

Select the check box next to the sites or applications to which you want to apply the custom delegation state that you have configured on the Custom Site Delegation or Custom Application Delegation page.