# Set Initial Pod Clients Allow List

The [default ACP policies for a new Pod](/security/authorization/acp.md#initial-acp-policies) state that an agent whose WebID matches the Pod owner, and who is using an application whose ClientID matches a value listed in the policy, is allowed Read and Write access.

[Authorization Service](/ess/2.4/services/service-authorization.md) uses its [**`INRUPT_AUTHORIZATION_DEFAULT_ACR_CLIENT_ID_ALLOW_LIST`**](/ess/2.4/services/service-authorization.md#inrupt_authorization_default_acr_client_id_allow_list) configuration to initialize the client matcher portion of the initial policies.

{% hint style="info" %}
**Note** [**`INRUPT_AUTHORIZATION_DEFAULT_ACR_CLIENT_ID_ALLOW_LIST`**](/ess/2.4/services/service-authorization.md#inrupt_authorization_default_acr_client_id_allow_list) only affects the initial policies during Pod creation. Once the initial policies have been created, any change to the list has no effect on existing policies.
{% endhint %}

If [**`INRUPT_AUTHORIZATION_DEFAULT_ACR_CLIENT_ID_ALLOW_LIST`**](/ess/2.4/services/service-authorization.md#inrupt_authorization_default_acr_client_id_allow_list) is unset, ESS uses the **Authorization service’s** [**`INRUPT_AUTHORIZATION_CLIENT_ID_ALLOW_LIST`**](/ess/2.4/services/service-authorization.md#inrupt_authorization_client_id_allow_list) instead. See [Set Authorization Client Allow List](/ess/2.4/installation/customize-configurations/customization-security/modify-authz-client-list.md) for details on configuring.

## Example Customization

The following customization updates [**`INRUPT_AUTHORIZATION_DEFAULT_ACR_CLIENT_ID_ALLOW_LIST`**](/ess/2.4/services/service-authorization.md#inrupt_authorization_default_acr_client_id_allow_list).

1. Go to your ESS installation directory:

   ```sh
   cd ${HOME}/ess
   ```
2. Create an **`authz-default-acr-client-id-allow-list.yaml`** file with the following content:

   ```yaml
   apiVersion: apps/v1
   kind: Deployment
   metadata:
     name: ess-authorization-acp
   spec:
     template:
       spec:
         containers:
         - env:
           - name: INRUPT_AUTHORIZATION_DEFAULT_ACR_CLIENT_ID_ALLOW_LIST
             value: https://myPodApp.example.com/appid
           name: ess-authorization-acp
   ```
3. Modify the **`kustomization.yaml`** (i.e., step 3 of the [Applying Your Customizations](/ess/2.4/installation/customize-configurations.md) procedure) to use **`authz-default-acr-client-id-allow-list.yaml`**.\
   Specifically, add the highlighted content to the **`patches`** section of the **`kustomization.yaml`** file:

{% hint style="info" %}
**Tip**

If the **`patches`** key does not exist in **`kustomization.yaml`**, add the key **`patches`** as well.
{% endhint %}

<pre class="language-yaml"><code class="lang-yaml"># kustomization.yaml in your ESS installation directory

# ...  Preceding content omitted for brevity 
# ...

patches:
<strong>  - path: authz-default-acr-client-id-allow-list.yaml
</strong></code></pre>

4\. Continue with the rest of the [Applying Your Customizations](/ess/2.4/installation/customize-configurations.md) procedure.
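
Because the list is only read when a Pod's initial policies are created, a mistake in the patch cannot be corrected for existing Pods by editing the variable later. The following pre-apply check is an added example, not part of the ESS documentation or Inrupt's tooling; it assumes the value is a comma-separated list of Client IDs and that your local policy accepts only `https` Client IDs without wildcards or spaces (the function names and the second sample Client ID are hypothetical).

```sh
# Added example, not Inrupt code. Assumptions: comma-separated list; local
# policy wants https Client IDs with no wildcards or spaces.
VAR=INRUPT_AUTHORIZATION_DEFAULT_ACR_CLIENT_ID_ALLOW_LIST

# Print the "value:" that follows "- name: $VAR" (key order as in step 2).
allow_list_value() {
  awk -v var="$VAR" '
    $1 == "-" && $2 == "name:" && $3 == var { found = 1; next }
    found && $1 == "value:" {
      sub(/^[ \t]*value:[ \t]*/, ""); sub(/[ \t]+$/, ""); print; exit
    }
    found && $1 == "-" { exit }  # next env entry reached: no value was set
  ' "$1" | tr -d "\"'"
}

# Return 0 only if every entry passes; print one line per entry or finding.
check_allow_list_patch() {
  value=$(allow_list_value "$1")
  case $value in
    "")          echo "FAIL: $VAR missing or empty in $1"; return 1 ;;
    ,*|*,|*,,*)  echo "FAIL: stray comma leaves an empty entry"; return 1 ;;
  esac
  rc=0; old_ifs=$IFS; IFS=,
  set -f                         # keep "*" in an entry from globbing
  for id in $value; do
    case $id in
      *" "*)      echo "FAIL: space in entry '$id'"; rc=1 ;;
      *"*"*)      echo "FAIL: wildcard in entry '$id'"; rc=1 ;;
      https://?*) echo "ok:   $id" ;;
      *)          echo "FAIL: not an https Client ID: '$id'"; rc=1 ;;
    esac
  done
  set +f; IFS=$old_ifs
  return $rc
}

# Constructed sample: the patch from step 2 plus a hypothetical second entry.
sample=$(mktemp)
cat > "$sample" <<'EOF'
      containers:
      - env:
        - name: INRUPT_AUTHORIZATION_DEFAULT_ACR_CLIENT_ID_ALLOW_LIST
          value: "https://myPodApp.example.com/appid,https://app2.example.com/id"
        name: ess-authorization-acp
EOF
check_allow_list_patch "$sample"
rm -f "$sample"
```

Run `check_allow_list_patch` against your patch file before applying the customizations; a non-zero exit status means at least one entry failed a check.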


