Identity-Based Access Policies#

With identity-based access policies, you can:

  • Define access for specific agents using their WebIDs; e.g., WebIDagentX and WebIDagentY have Read access to a Pod resource.

  • Define access for all agents using a Public agent identifier

  • Define access for all authenticated (or all unauthenticated) agents using an Authenticated agent identifier.

Additionally, you can include Client IDs (in the Client Matcher) to the agents’ access policy definitions. This feature allows you to decide not only who has access to your data but also which applications the agent can use to access your data. To include the Client ID in the agents’ access policy definition:

  • Use the Client ID of specific clients to include them in the agents’ access definition.

  • Use the Public Client ID to include all clients in the agents’ access definition.


ESS uses Access Control Policy (ACP) to define the policies that determine access to Pod’s resources. For identity-based access, the resource must have an Access Control Policy (ACP) that specifies:

  • Agent Matcher identifying the agents, and optionally, the Client Matcher identifying the clients.

  • The access mode(s) (Read, Write, Append) to allow/deny.

For more information on ACP, see Access Control Policy (ACP).

Identity-Based Access Services#

To support identity-based access, ESS provides the following services: