The applications data model includes optional accessControl properties that, when set, specify the conditions that must be met by an authenticating actor to access the application. The application properties that control application access are:

Application access control for OpenID Connect applications

When accessControl properties are set for an application, the authenticating actor must meet the requirements specified in the application’s accessControl properties to get a token.

To implement role-based application access control:

  1. Set the accessControl.role.type property value to ADMIN_USERS_ONLY.

  2. Ensure that the authenticating actor has at least one assigned administrator role.

If the actor has an assigned administrator role, a token is issued that allows access to the application.

To implement group-based application access control:

  1. Set the accessControl.group.type and accessControl.group.groups properties. (If you set one of the application’s access control group properties, you must set the other.)

  2. Set the property value for the accessControl.group.type. The options are ANY_GROUP and ALL_GROUPS.

  3. Set the accessControl.group.groups property value to list the group IDs to which an actor must belong. For information about obtaining group IDs, see Groups.

If the actor belongs to at least one group (for the ANY_GROUP type), or all groups (for the ALL_GROUPS type), a token is issued that allows access to the application.
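The role-based and group-based checks described above, as an added example (not the product's own code): a small evaluator that applies an application's accessControl properties to an authenticating actor and says whether a token would be issued. The dictionary shapes, the function names, and the assumption that role and group conditions are combined with AND are choices made for this example.

```python
# Constructed sample configurations using the accessControl property names
# described above. The nested dict layout is an assumption for this example.
ADMIN_ONLY_APP = {"accessControl": {"role": {"type": "ADMIN_USERS_ONLY"}}}
ANY_GROUP_APP = {"accessControl": {"group": {
    "type": "ANY_GROUP",
    "groups": [{"id": "grp-finance"}, {"id": "grp-audit"}]}}}
ALL_GROUPS_APP = {"accessControl": {"group": {
    "type": "ALL_GROUPS",
    "groups": [{"id": "grp-finance"}, {"id": "grp-audit"}]}}}
OPEN_APP = {}  # no accessControl set: any authenticated actor gets a token


def validate_access_control(app):
    """Reject malformed group conditions before any token decision is made.

    group.type and group.groups must be set together, type must be one of
    the two documented values, and (assumption) groups must not be empty,
    since an empty ALL_GROUPS list would otherwise pass vacuously.
    """
    group = app.get("accessControl", {}).get("group")
    if group is None:
        return
    if ("type" in group) != ("groups" in group):
        raise ValueError("accessControl.group.type and accessControl.group.groups "
                         "must both be set")
    if group["type"] not in ("ANY_GROUP", "ALL_GROUPS"):
        raise ValueError("accessControl.group.type must be ANY_GROUP or ALL_GROUPS")
    if not group["groups"]:
        raise ValueError("accessControl.group.groups must list at least one group")


def actor_meets_access_control(app, actor_admin_roles, actor_group_ids):
    """Return True if a token (or SAML assertion) should be issued to the actor.

    actor_admin_roles: administrator roles assigned to the actor.
    actor_group_ids:   IDs of the groups the actor belongs to.
    Every configured condition must hold (assumption: conditions are ANDed).
    """
    validate_access_control(app)
    ac = app.get("accessControl", {})
    role = ac.get("role")
    if role and role.get("type") == "ADMIN_USERS_ONLY" and not actor_admin_roles:
        return False  # role condition: at least one administrator role required
    group = ac.get("group")
    if group:
        required = {g["id"] for g in group["groups"]}
        member = set(actor_group_ids)
        if group["type"] == "ANY_GROUP" and not (required & member):
            return False  # must belong to at least one listed group
        if group["type"] == "ALL_GROUPS" and not required <= member:
            return False  # must belong to every listed group
    return True
```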

Application access control for SAML applications

When accessControl properties are set for a SAML application, the authenticating actor must meet the requirements specified in the application’s accessControl properties to get an assertion. The steps to define the accessControl properties for role-based and group-based conditions are the same as for OIDC applications. If the authenticating actor meets the application’s access control conditions, an assertion is created. If the conditions are not met, the sign-on attempt returns an authorization failed error.