--- title: Simple Authorization author: rick-anderson description: keywords: ASP.NET Core, ms.author: riande manager: wpickett ms.date: 10/14/2016 ms.topic: article ms.assetid: 391bcaad-205f-43e4-badc-fa592d6f79f3 ms.technology: aspnet ms.prod: asp.net-core uid: security/authorization/simple --- # Simple Authorization Authorization in MVC is controlled through the `AuthorizeAttribute` attribute and its various parameters. At its simplest applying the `AuthorizeAttribute` attribute to a controller or action limits access to the controller or action to any authenticated user. For example, the following code limits access to the `AccountController` to any authenticated user. ```csharp [Authorize] public class AccountController : Controller { public ActionResult Login() { } public ActionResult Logout() { } } ``` If you want to apply authorization to an action rather than the controller simply apply the `AuthorizeAttribute` attribute to the action itself; ```csharp public class AccountController : Controller { public ActionResult Login() { } [Authorize] public ActionResult Logout() { } } ``` Now only authenticated users can access the logout function. You can also use the `AllowAnonymousAttribute` attribute to allow access by non-authenticated users to individual actions; for example ```csharp [Authorize] public class AccountController : Controller { [AllowAnonymous] public ActionResult Login() { } public ActionResult Logout() { } } ``` This would allow only authenticated users to the `AccountController`, except for the `Login` action, which is accessible by everyone, regardless of their authenticated or unauthenticated / anonymous status. >[!WARNING] > `[AllowAnonymous]` bypasses all authorization statements. If you apply combine `[AllowAnonymous]` and any `[Authorize]` attribute then the Authorize attributes will always be ignored. For example if you apply `[AllowAnonymous]` at the controller level any `[Authorize]` attributes on the same controller, or on any action within it will be ignored.