# Set Authorization Client Allow List

The [Authorization Service](https://docs.inrupt.com/ess/2.5/services/service-authorization) uses its [**`INRUPT_AUTHORIZATION_CLIENT_ID_ALLOW_LIST`**](https://docs.inrupt.com/ess/services/service-authorization#inrupt_authorization_client_id_allow_list) option to specify which applications can access [Access Control Resources (ACRs)](https://docs.inrupt.com/security/authorization/acp#access-to-acrs). Only the clients associated with the [Client IDs](https://docs.inrupt.com/security/authentication#client-identifier-client-id) in the list can modify the ACRs (i.e., modify access policies for resources).

{% hint style="danger" %}
**Disambiguation**\
Both [Authorization Service](https://docs.inrupt.com/ess/2.5/services/service-authorization) and [Pod Storage Service](https://docs.inrupt.com/ess/2.5/services/service-pod-management/service-pod-storage) have an **`INRUPT_AUTHORIZATION_CLIENT_ID_ALLOW_LIST`** setting.

<mark style="color:red;">**Only**</mark> the [Authorization Service](https://docs.inrupt.com/ess/2.5/services/service-authorization) setting affects which clients are allowed.

The [Pod Storage Service](https://docs.inrupt.com/ess/2.5/services/service-pod-management/service-pod-storage) setting is for [Discovery](https://docs.inrupt.com/ess/services/service-pod-management/service-pod-storage#discovery) purposes only. As such, the [setting](https://docs.inrupt.com/ess/services/service-pod-management/service-pod-storage#inrupt_authorization_client_id_allow_list) in [Pod Storage Service](https://docs.inrupt.com/ess/2.5/services/service-pod-management/service-pod-storage) should reflect the values set in the Authorization Service.
{% endhint %}

{% hint style="info" %}
ESS also uses the [Authorization Service](https://docs.inrupt.com/ess/2.5/services/service-authorization)'s [**`INRUPT_AUTHORIZATION_CLIENT_ID_ALLOW_LIST`**](https://docs.inrupt.com/ess/services/service-authorization#inrupt_authorization_client_id_allow_list) to create the [initial ACP policies for a new Pod](https://docs.inrupt.com/security/authorization/acp#initial-acp-policies).

ESS uses the [Authorization Service](https://docs.inrupt.com/ess/2.5/services/service-authorization)'s [**`INRUPT_AUTHORIZATION_DEFAULT_ACR_CLIENT_ID_ALLOW_LIST`**](https://docs.inrupt.com/ess/services/service-authorization#inrupt_authorization_default_acr_client_id_allow_list), if set, for the initial policies. But if [**`INRUPT_AUTHORIZATION_DEFAULT_ACR_CLIENT_ID_ALLOW_LIST`**](https://docs.inrupt.com/ess/services/service-authorization#inrupt_authorization_default_acr_client_id_allow_list) is unset, ESS uses the [Authorization Service](https://docs.inrupt.com/ess/2.5/services/service-authorization)'s [**`INRUPT_AUTHORIZATION_CLIENT_ID_ALLOW_LIST`**](https://docs.inrupt.com/ess/services/service-authorization#inrupt_authorization_client_id_allow_list) instead.

To set [**`INRUPT_AUTHORIZATION_DEFAULT_ACR_CLIENT_ID_ALLOW_LIST`**](https://docs.inrupt.com/ess/services/service-authorization#inrupt_authorization_default_acr_client_id_allow_list), see [Set Initial Pod Clients Allow List](https://docs.inrupt.com/ess/2.5/installation/customize-configurations/customization-security/modify-pod-client-list).
{% endhint %}

## Example Customization

The following customization updates:

* [**`INRUPT_AUTHORIZATION_CLIENT_ID_ALLOW_LIST`**](https://docs.inrupt.com/ess/services/service-authorization#inrupt_authorization_client_id_allow_list) for [Authorization Service](https://docs.inrupt.com/ess/2.5/services/service-authorization) and
* the corresponding [**`INRUPT_AUTHORIZATION_CLIENT_ID_ALLOW_LIST`**](https://docs.inrupt.com/ess/services/service-pod-management/service-pod-storage#inrupt_authorization_client_id_allow_list) for [Pod Storage Service](https://docs.inrupt.com/ess/2.5/services/service-pod-management/service-pod-storage) (for [Discovery](https://docs.inrupt.com/ess/services/service-pod-management/service-pod-storage#discovery) only).

1. Go to your ESS installation directory:

   ```sh
   cd ${HOME}/ess
   ```
2. Create an **`authz-client-id-allow-list.yaml`** file with the following content:

   ```yaml
   apiVersion: apps/v1
   kind: Deployment
   metadata:
     name: ess-authorization-acp
   spec:
     template:
       spec:
         containers:
         - env:
           - name: INRUPT_AUTHORIZATION_CLIENT_ID_ALLOW_LIST
             value: https://myApp.example.com/appid
           name: ess-authorization-acp
   ```
3. Create a **`podconfig-client-id-allow-list.yaml`** file with the following content:

   ```yaml
   apiVersion: apps/v1
   kind: Deployment
   metadata:
     name: ess-pod-storage
   spec:
     template:
       spec:
         containers:
         - env:
           - name: INRUPT_AUTHORIZATION_CLIENT_ID_ALLOW_LIST
             value: https://myApp.example.com/appid
           name: ess-pod-storage
   ```
4. Modify the **`kustomization.yaml`** (i.e., step 3 of the [Applying Your Customizations](https://docs.inrupt.com/ess/2.5/installation/customize-configurations) procedure) to use **`authz-client-id-allow-list.yaml`** and **`podconfig-client-id-allow-list.yaml`**.\
   Specifically, add the two **`path`** entries shown below to the **`patches`** section of the **`kustomization.yaml`** file:

{% hint style="info" %}
**Tip**

If the **`patches`** key does not exist in **`kustomization.yaml`**, add the key **`patches`** as well.
{% endhint %}

```yaml
# kustomization.yaml in your ESS installation directory
# ...  Preceding content omitted for brevity
# ...
patches:
  - path: authz-client-id-allow-list.yaml
  - path: podconfig-client-id-allow-list.yaml
```

5. Continue with the rest of the [Applying Your Customizations](https://docs.inrupt.com/ess/2.5/installation/customize-configurations) procedure.
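
Because the Pod Storage Service value is only advertised for Discovery while the Authorization Service value is the one enforced, the two patch files can drift apart without any visible error. The following shell check is an added example, not part of the ESS documentation or tooling: it extracts the variable from both patch files and fails when the values differ. The helper names `env_value`, `allow_lists_match` and `write_patch` are hypothetical, the sample patches are constructed, and the value is compared as an exact string.

```sh
VAR=INRUPT_AUTHORIZATION_CLIENT_ID_ALLOW_LIST

# Print the value of env var $2 from Kustomize patch file $1. Assumes the
# layout used in steps 2 and 3: "- name: <VAR>" with a plain "value:" line.
env_value() {
  awk -v var="$2" '
    $1 == "-" && $2 == "name:" { hit = ($3 == var); next }
    hit && $1 == "value:" {
      sub(/^[ \t]*value:[ \t]*/, "")   # drop the key
      sub(/[ \t]+$/, "")               # drop trailing whitespace
      gsub(/^["\047]|["\047]$/, "")    # drop surrounding quotes
      print; exit
    }
  ' "$1"
}

# Exit status: 0 = values identical, 1 = drift, 2 = variable missing.
allow_lists_match() {
  authz=$(env_value "$1" "$VAR")
  storage=$(env_value "$2" "$VAR")
  if [ -z "$authz" ] || [ -z "$storage" ]; then
    echo "missing $VAR in one of the patches" >&2; return 2
  fi
  if [ "$authz" != "$storage" ]; then
    echo "drift: authorization=$authz pod-storage=$storage" >&2; return 1
  fi
}

# Constructed sample patch: $1 = output file, $2 = deployment, $3 = value.
write_patch() {
  cat > "$1" <<EOF
apiVersion: apps/v1
kind: Deployment
metadata:
  name: $2
spec:
  template:
    spec:
      containers:
      - env:
        - name: $VAR
          value: $3
        name: $2
EOF
}

demo=$(mktemp -d)
write_patch "$demo/authz.yaml" ess-authorization-acp https://myApp.example.com/appid
write_patch "$demo/podconfig.yaml" ess-pod-storage https://otherApp.example.com/appid
allow_lists_match "$demo/authz.yaml" "$demo/podconfig.yaml" || echo "check exited with status $?"
```

Call `allow_lists_match authz-client-id-allow-list.yaml podconfig-client-id-allow-list.yaml` from the ESS installation directory before applying the kustomization; a non-zero status means the two files no longer agree.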
