Authorization/Access Control

An authorization system determines whether someone has access to perform a given action on a particular resource.

ESS uses Access Control Policies (ACP) to manage authorization to resources stored in Solid Pods.

Access Policy

An Access Policy defines agents’ access to a resource. Specifically, the Access Policy allows or denies the specified Access Modes to agents based on how they match the conditions in the listed Access Rules; i.e.,

If <all | any | none> of the Access Rules are true for an agent, <allow | deny> the specified Access Modes to a resource.

A resource can have one or more Access Policies.

Access Rules

Access Rules specify agent match conditions. Agent match conditions can be any of the following:

  • Agent is in the list of WebIDs.

  • Agent is the creator of the resource.

  • Agent has authenticated.

  • Agent has not authenticated.

  • Agent is a member of one of the listed groups.

Access Modes

Access Modes describe the type of permissions (i.e., access) to a resource. The following Access Modes are available:

  • View data.

  • Add, update, and delete data.

  • Add data.
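The following added example (not ESS code and not from Inrupt) models the evaluation described in the sections above: each Access Rule is matched against an agent, the policy's all/any/none condition is applied, and the resulting Access Modes are collected. The field names, the mode labels `read`, `write` and `append`, the WebIDs and group IRI, and the choice that a deny overrides an allow when several policies apply are assumptions of this example.

```python
# Added illustration, not ESS code. Field names, mode labels, WebIDs and group IRIs are constructed.
EDITORS = "https://example.org/groups/editors"
ALICE, BOB, MALLORY = (f"https://{n}.example/profile#me" for n in ("alice", "bob", "mallory"))
GROUPS = {EDITORS: {ALICE}}

def rule_matches(rule, webid, resource):
    """Evaluate one Access Rule; webid is None for an unauthenticated agent."""
    kind = rule["match"]
    if kind == "webid":
        return webid in rule["webids"]
    if kind == "creator":
        return webid is not None and webid == resource["creator"]
    if kind == "authenticated":
        return webid is not None
    if kind == "unauthenticated":
        return webid is None
    if kind == "group":
        return any(webid in GROUPS.get(g, ()) for g in rule["groups"])
    raise ValueError(f"unknown match condition: {kind}")

def policy_applies(policy, webid, resource):
    """Apply the policy's all/any/none quantifier to its rule results."""
    results = [rule_matches(r, webid, resource) for r in policy["rules"]]
    if not results:  # assumption: a policy without rules never applies
        return False
    return {"all": all(results), "any": any(results), "none": not any(results)}[policy["if"]]

def granted_modes(policies, webid, resource):
    """Assumption: nothing is granted by default and a deny overrides an allow."""
    allowed, denied = set(), set()
    for p in policies:
        if policy_applies(p, webid, resource):
            (allowed if p["effect"] == "allow" else denied).update(p["modes"])
    return allowed - denied

RESOURCE = {"creator": ALICE}
POLICIES = [
    {"if": "any", "effect": "allow", "modes": {"read"},
     "rules": [{"match": "authenticated"}, {"match": "unauthenticated"}]},
    {"if": "none", "effect": "allow", "modes": {"append"},
     "rules": [{"match": "unauthenticated"}]},
    {"if": "all", "effect": "allow", "modes": {"write"},
     "rules": [{"match": "creator"}, {"match": "group", "groups": [EDITORS]}]},
    {"if": "any", "effect": "deny", "modes": {"write", "append"},
     "rules": [{"match": "webid", "webids": [MALLORY]}]},
]

if __name__ == "__main__":
    print({w: sorted(granted_modes(POLICIES, w, RESOURCE)) for w in (ALICE, BOB, MALLORY, None)})
```
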

Pod Owner

The Pod Owner can specify the Access Policies for the resources in the Pod. The Pod Owner can also grant access to others to specify the Access Policies for a resource. Each Pod has a single Pod Owner.

ESS manages the metadata on the Pod Owner. ESS also tracks the agent and the timestamp for resource creations and modifications.

Additional Information

ESS also supports Web Access Control (WAC). However, you cannot use both ACP and WAC on the same Pod.

ESS supports Web Access Control (WAC) for spec compatibility purposes. Inrupt does not provide support for ESS servers running WAC in production.