# Set Initial Pod Clients Allow List

The [default ACP policies for a new Pod](https://docs.inrupt.com/security/authorization/acp#initial-acp-policies) state that an agent whose WebID matches the Pod owner and who is using an application whose ClientID matches a value listed in the policy is allowed Read and Write access.

[Authorization Service](https://docs.inrupt.com/ess/2.5/services/service-authorization) uses its [**`INRUPT_AUTHORIZATION_DEFAULT_ACR_CLIENT_ID_ALLOW_LIST`**](https://docs.inrupt.com/ess/services/service-authorization#inrupt_authorization_default_acr_client_id_allow_list) configuration to initialize the client matcher portion of the initial policies.

{% hint style="info" %}
**Note** [**`INRUPT_AUTHORIZATION_DEFAULT_ACR_CLIENT_ID_ALLOW_LIST`**](https://docs.inrupt.com/ess/services/service-authorization#inrupt_authorization_default_acr_client_id_allow_list) only affects the initial policies during Pod creation. Once the initial policies have been created, any change to the list has no effect on existing policies.
{% endhint %}

If [**`INRUPT_AUTHORIZATION_DEFAULT_ACR_CLIENT_ID_ALLOW_LIST`**](https://docs.inrupt.com/ess/services/service-authorization#inrupt_authorization_default_acr_client_id_allow_list) is unset, ESS uses the **Authorization service’s** [**`INRUPT_AUTHORIZATION_CLIENT_ID_ALLOW_LIST`**](https://docs.inrupt.com/ess/services/service-authorization#inrupt_authorization_client_id_allow_list) instead. See [Set Authorization Client Allow List](https://docs.inrupt.com/ess/2.5/installation/customize-configurations/customization-security/modify-authz-client-list) for details on configuring.

## Example Customization

The following customization updates [**`INRUPT_AUTHORIZATION_DEFAULT_ACR_CLIENT_ID_ALLOW_LIST`**](https://docs.inrupt.com/ess/services/service-authorization#inrupt_authorization_default_acr_client_id_allow_list).

1. Go to your ESS installation directory:

   ```sh
   cd ${HOME}/ess
   ```
2. Create an **`authz-default-acr-client-id-allow-list.yaml`** file with the following content:

   ```yaml
   apiVersion: apps/v1
   kind: Deployment
   metadata:
     name: ess-authorization-acp
   spec:
     template:
       spec:
         containers:
         - env:
           - name: INRUPT_AUTHORIZATION_DEFAULT_ACR_CLIENT_ID_ALLOW_LIST
             value: https://myPodApp.example.com/appid
           name: ess-authorization-acp
   ```
3. Modify the **`kustomization.yaml`** (i.e., step 3 of the [Applying Your Customizations](https://docs.inrupt.com/ess/2.5/installation/customize-configurations) procedure) to use **`authz-default-acr-client-id-allow-list`**.\
   Specifically, add the highlighted content to the **`patches`** section of the **`kustomization.yaml`** file:

{% hint style="info" %}
**Tip**

If the **`patches`** key does not exist in **`kustomization.yaml`**, add the key **`patches`** as well.
{% endhint %}

<pre class="language-yaml"><code class="lang-yaml"># kustomization.yaml in your ESS installation directory

# ...  Preceding content omitted for brevity 
# ...

patches:
<strong>  - path: authz-default-acr-client-id-allow-list.yaml
</strong></code></pre>

4\. Continue with the rest of the [Applying Your Customizations](https://docs.inrupt.com/ess/2.5/installation/customize-configurations) procedure.
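
Once the customization is deployed, the check below (an added example, not part of the ESS documentation or Inrupt's code) reads the `ess-authorization-acp` Deployment as JSON and reports which variable seeds the client matcher of the initial policies, applying the fallback described above. The function name and the sample Deployment are constructed for illustration; only literal `env` entries are inspected, which is how the patch on this page sets the variable.

```python
import json
import sys

DEFAULT_ACR = "INRUPT_AUTHORIZATION_DEFAULT_ACR_CLIENT_ID_ALLOW_LIST"
FALLBACK = "INRUPT_AUTHORIZATION_CLIENT_ID_ALLOW_LIST"
CONTAINER = "ess-authorization-acp"


def effective_initial_allow_list(deployment):
    """Return (variable_name, value) that seeds the client matcher of the
    initial policies: the default-ACR list if set, else the fallback list.
    Returns (None, None) when neither variable appears in the container env."""
    containers = deployment["spec"]["template"]["spec"]["containers"]
    container = next((c for c in containers if c.get("name") == CONTAINER), None)
    if container is None:
        raise ValueError(f"container {CONTAINER!r} not found in Deployment")
    # Only `env` is inspected; variables injected through `envFrom` are not seen.
    env = {entry["name"]: entry for entry in container.get("env", [])}
    for name in (DEFAULT_ACR, FALLBACK):
        if name in env:
            entry = env[name]
            if "valueFrom" in entry:
                # Sourced from a ConfigMap/Secret: no literal value to report.
                return name, "<set via valueFrom>"
            return name, entry.get("value", "")
    return None, None


# Constructed sample mirroring the patch on this page, not real cluster output.
SAMPLE = {
    "kind": "Deployment",
    "metadata": {"name": "ess-authorization-acp"},
    "spec": {"template": {"spec": {"containers": [{
        "name": "ess-authorization-acp",
        "env": [
            {"name": FALLBACK, "value": "https://other.example.com/appid"},
            {"name": DEFAULT_ACR, "value": "https://myPodApp.example.com/appid"},
        ],
    }]}}},
}

if __name__ == "__main__":
    # Read a Deployment from a pipe if one is given, else use the sample.
    doc = SAMPLE if sys.stdin.isatty() else json.load(sys.stdin)
    source, value = effective_initial_allow_list(doc)
    print(f"initial policy client matcher seeded from {source}: {value}")
```

To check a live cluster, pipe the output of `kubectl get deployment ess-authorization-acp -o json` (in the namespace of your ESS installation) into the script; with no piped input it runs against the constructed sample.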
