# Set Authorization Client Allow List

The [Authorization Service](/ess/2.4/services/service-authorization.md) uses its [**`INRUPT_AUTHORIZATION_CLIENT_ID_ALLOW_LIST`**](/ess/2.4/services/service-authorization.md#inrupt_authorization_client_id_allow_list) option to specify which applications can access [Access Control Resources (ACRs)](/security/authorization/acp.md#access-to-acrs). Only the clients associated with the [Client IDs](/security/authentication.md#client-identifier-client-id) in the list can modify the ACRs (i.e., modify access policies for resources).

{% hint style="danger" %}
**Disambiguation**\
Both [Authorization Service](/ess/2.4/services/service-authorization.md) and [Pod Storage Service](/ess/2.4/services/service-pod-management/service-pod-storage.md) have an **`INRUPT_AUTHORIZATION_CLIENT_ID_ALLOW_LIST`** setting.

<mark style="color:red;">**Only**</mark> the [Authorization Service](/ess/2.4/services/service-authorization.md) setting affects which clients are allowed.

The [Pod Storage Service](/ess/2.4/services/service-pod-management/service-pod-storage.md) setting is for [Discovery](/ess/2.4/services/service-pod-management/service-pod-storage.md#discovery) purposes only. As such, the [setting](/ess/2.4/services/service-pod-management/service-pod-storage.md#inrupt_authorization_client_id_allow_list) in [Pod Storage Service](/ess/2.4/services/service-pod-management/service-pod-storage.md) should reflect the values set in the Authorization Service's setting.
{% endhint %}

{% hint style="info" %}
ESS also uses the [Authorization Service](/ess/2.4/services/service-authorization.md)'s [**`INRUPT_AUTHORIZATION_CLIENT_ID_ALLOW_LIST`**](/ess/2.4/services/service-authorization.md#inrupt_authorization_client_id_allow_list) to create the [initial ACP policies for a new Pod](/security/authorization/acp.md#initial-acp-policies).

ESS uses the [Authorization Service](/ess/2.4/services/service-authorization.md)'s [**`INRUPT_AUTHORIZATION_DEFAULT_ACR_CLIENT_ID_ALLOW_LIST`**](/ess/2.4/services/service-authorization.md#inrupt_authorization_default_acr_client_id_allow_list), if set, for the initial policies. But if [**`INRUPT_AUTHORIZATION_DEFAULT_ACR_CLIENT_ID_ALLOW_LIST`**](/ess/2.4/services/service-authorization.md#inrupt_authorization_default_acr_client_id_allow_list) is unset, ESS uses the [Authorization Service](/ess/2.4/services/service-authorization.md)'s [**`INRUPT_AUTHORIZATION_CLIENT_ID_ALLOW_LIST`**](/ess/2.4/services/service-authorization.md#inrupt_authorization_client_id_allow_list) instead.

To set [**`INRUPT_AUTHORIZATION_DEFAULT_ACR_CLIENT_ID_ALLOW_LIST`**](/ess/2.4/services/service-authorization.md#inrupt_authorization_default_acr_client_id_allow_list), see [Set Initial Pod Clients Allow List](/ess/2.4/installation/customize-configurations/customization-security/modify-pod-client-list.md).
{% endhint %}

## Example Customization

The following customization updates:

* [**`INRUPT_AUTHORIZATION_CLIENT_ID_ALLOW_LIST`**](/ess/2.4/services/service-authorization.md#inrupt_authorization_client_id_allow_list) for [Authorization Service](/ess/2.4/services/service-authorization.md) and
* the corresponding [**`INRUPT_AUTHORIZATION_CLIENT_ID_ALLOW_LIST`**](/ess/2.4/services/service-pod-management/service-pod-storage.md#inrupt_authorization_client_id_allow_list) for [Pod Storage Service](/ess/2.4/services/service-pod-management/service-pod-storage.md) (for [Discovery](/ess/2.4/services/service-pod-management/service-pod-storage.md#discovery) only).

1. Go to your ESS installation directory:

   ```sh
   cd ${HOME}/ess
   ```
2. Create an **`authz-client-id-allow-list.yaml`** file with the following content:

   ```yaml
   apiVersion: apps/v1
   kind: Deployment
   metadata:
     name: ess-authorization-acp
   spec:
     template:
       spec:
         containers:
         - env:
           - name: INRUPT_AUTHORIZATION_CLIENT_ID_ALLOW_LIST
             value: https://myApp.example.com/appid
           name: ess-authorization-acp
   ```
3. Create a **`podconfig-client-id-allow-list.yaml`** file with the following content:

   ```yaml
   apiVersion: apps/v1
   kind: Deployment
   metadata:
     name: ess-pod-storage
   spec:
     template:
       spec:
         containers:
         - env:
           - name: INRUPT_AUTHORIZATION_CLIENT_ID_ALLOW_LIST
             value: https://myApp.example.com/appid
           name: ess-pod-storage
   ```
4. Modify the **`kustomization.yaml`** (i.e., step 3 of the [Applying Your Customizations](/ess/2.4/installation/customize-configurations.md) procedure) to use **`authz-client-id-allow-list.yaml`** and **`podconfig-client-id-allow-list.yaml`**.\
   Specifically, add the two **`- path:`** entries shown below to the **`patches`** section of the **`kustomization.yaml`** file:

{% hint style="info" %}
**Tip**

If the **`patches`** key does not exist in **`kustomization.yaml`**, add the key **`patches`** as well.
{% endhint %}

```yaml
# kustomization.yaml in your ESS installation directory
# ...  Preceding content omitted for brevity
# ...
patches:
  - path: authz-client-id-allow-list.yaml
  - path: podconfig-client-id-allow-list.yaml
```

5. Continue with the rest of the [Applying Your Customizations](/ess/2.4/installation/customize-configurations.md) procedure.
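
A pre-apply check for the two patch files from steps 2 and 3, added here as an example (it is not part of the ESS documentation or tooling): it confirms that both set the same non-empty `INRUPT_AUTHORIZATION_CLIENT_ID_ALLOW_LIST` value, so the Pod Storage Service's Discovery setting reflects what the Authorization Service enforces. The function names are hypothetical, the sample files are constructed in a scratch directory, and the parser assumes the `name:` then `value:` layout shown above.

```shell
#!/bin/sh
# Added example: compare the allow-list value in the two kustomize patch files.
VAR=INRUPT_AUTHORIZATION_CLIENT_ID_ALLOW_LIST

# Print the value that follows "- name: $VAR" in a patch file (empty if absent).
allow_list_value() {
  awk -v var="$VAR" -v q="'" '
    $1 == "-" && $2 == "name:" && $3 == var { found = 1; next }
    found && $1 == "value:" {
      sub(/^[ \t]*value:[ \t]*/, "")   # drop the key
      sub(/[ \t]+$/, "")                # drop trailing whitespace
      c = substr($0, 1, 1)              # strip one pair of surrounding quotes
      if ((c == "\"" || c == q) && substr($0, length($0)) == c)
        $0 = substr($0, 2, length($0) - 2)
      print; exit
    }
    found && $1 == "-" { exit }         # next env entry reached: no value set
  ' "$1"
}

# Succeed only when both files set the same non-empty value (exact string match).
allow_lists_match() {
  a=$(allow_list_value "$1")
  b=$(allow_list_value "$2")
  [ -n "$a" ] && [ "$a" = "$b" ]
}

# Constructed sample input: write_patch FILE DEPLOYMENT VALUE
write_patch() {
  printf '%s\n' "apiVersion: apps/v1" "kind: Deployment" "metadata:" \
    "  name: $2" "spec:" "  template:" "    spec:" "      containers:" \
    "      - env:" "        - name: $VAR" "          value: $3" \
    "        name: $2" > "$1"
}

demo=$(mktemp -d)   # scratch directory, not the real ESS installation directory
write_patch "$demo/authz-client-id-allow-list.yaml" ess-authorization-acp https://myApp.example.com/appid
write_patch "$demo/podconfig-client-id-allow-list.yaml" ess-pod-storage https://myApp.example.com/appid
if allow_lists_match "$demo/authz-client-id-allow-list.yaml" "$demo/podconfig-client-id-allow-list.yaml"
then echo "allow lists match"
else echo "MISMATCH: Pod Storage Discovery would not reflect the enforced list"
fi
rm -rf "$demo"
```

To check real files, call `allow_lists_match` with the two paths from your ESS installation directory before continuing with the rest of the procedure.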

