An authorization system determines whether an agent has access to perform a given action on a particular resource.
ESS uses Access Control Policy (ACP)  to define the policies that determine access to Pod’s resources.
- < allOf | anyOf > (Matcher(s)) evaluates to true, AND< allOf | anyOf | noneOf > (Matcher(s)) evaluates to true, AND…
<allow (AccessMode(s)) | deny (AccessMode(s)) | allow (AccessMode(s)) AND deny (AccessMode(s)) >
For more information, see Access Control Policy (ACP).
Access Control Mechanisms#
Identity-Based Access, where access to Pod resources is based on agents’ identity, and optionally, the identity of their clients.
To use identity based access, the resource must have ACPs that specify the Agents’ WebIDs (and, optionally, Client IDs). For details, see Identity-Based ACPs.
Access Grants, where access to Pod resources can be requested and granted.
To use access grants, the resource must have ACP that enables the use of access grants. For details, see Access Grants ACPs.
To support authorization, ESS provides the following services:
Authorization and Clients#
ESS supports the the use of Client IDs in client allow lists and access policies. 
Client Allow Lists#
Operators can use Client IDs in the following allow lists:
INRUPT_AUTHORIZATION_DEFAULT_ACR_CLIENT_ID_ALLOW_LIST(New in version 2.1).
INRUPT_AUTHORIZATION_DEFAULT_ACR_CLIENT_ID_ALLOW_LISTis used to initialize a Pod’s default access policies, specifically the policies’ client matcher. To configure this option, see Set Initial Pod Clients Allow List for an example.
INRUPT_AUTHORIZATION_CLIENT_ID_ALLOW_LISTdetermines which applications can modify the Access Control Resource (i.e., which applications can modify the Access Control Policies for Pod resources). To configure this option, see Set Authorization Client Allow List for an example.
This list may also used to initialize a Pod’s access policies if
INRUPT_VC_CLIENT_ID_ALLOW_LISTdetermines which applications can access the /issue Endpoint and the /status Endpoint.
Client IDs can be used in Client Matcher statements in Access Control Policy (ACP) policies.
For example, if client allow list configuration for the initial policy is set, ESS creates default ACP policies of the form:
If allOf(AgentMatcher and ClientMatcher) evaluates to true, Then allow (Read and Write).