Access Policies

With an authorization mechanism based on access policies, you can define access policies that determine access to Pod resources. For example:

  • Define access for specific agents using their WebIDs; e.g., WebIDagentX and WebIDagentY have Read access to a Pod resource.

  • Define access for all agents using a Public agent identifier.

  • Define access for all authenticated (or all unauthenticated) agents using an Authenticated agent identifier.

Additionally, you can include client identifiers in the agents’ access policy definitions. This feature lets you decide not only who has access to your data but also which applications the agent can use to access your data. To include the client identifier in the agents’ access policy definition:

  • Use the clients’ identifiers to include specific clients in the agents’ access definition.

  • Use the Public client identifier to include all clients in the agents’ access definition.


ESS uses Access Control Policy (ACP) to define the policies that determine access to a Pod’s resources.

< allOf | anyOf > (Matcher(s)) evaluates to true, AND
< allOf | anyOf | noneOf > (Matcher(s)) evaluates to true, AND

<allow (AccessMode(s)) | deny (AccessMode(s)) | allow (AccessMode(s)) AND deny (AccessMode(s)) >

For details, see Access Control Policy (ACP).
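
The policy form above can be read as an evaluation procedure. The following is an added example, not Inrupt or ESS code: a simplified JavaScript model of that evaluation in which the identifier strings, WebIDs, client ID and function names are assumptions, and in which a deny from any applicable policy overrides an allow.

```javascript
// Added illustration, not Inrupt or ESS code: a simplified model of ACP evaluation.
// Identifier strings, WebIDs and the client ID are constructed placeholders.
const PUBLIC_AGENT = "PublicAgent";
const AUTHENTICATED_AGENT = "AuthenticatedAgent";
const PUBLIC_CLIENT = "PublicClient";

// A matcher is satisfied when every attribute it defines matches the request.
function matcherSatisfied(matcher, ctx) {
  if (!matcher.agents && !matcher.clients) return false; // empty matcher: fail closed
  const agentOk = !matcher.agents || matcher.agents.some((a) =>
    a === PUBLIC_AGENT || (a === AUTHENTICATED_AGENT && ctx.agent != null) || a === ctx.agent);
  const clientOk = !matcher.clients || matcher.clients.some((c) =>
    c === PUBLIC_CLIENT || c === ctx.client);
  return agentOk && clientOk;
}

// A policy applies when every allOf matcher is satisfied, at least one anyOf
// matcher is satisfied (if any are listed), and no noneOf matcher is satisfied.
function policyApplies({ allOf = [], anyOf = [], noneOf = [] }, ctx) {
  if (allOf.length + anyOf.length === 0) return false; // nothing positive to match
  return allOf.every((m) => matcherSatisfied(m, ctx)) &&
    (anyOf.length === 0 || anyOf.some((m) => matcherSatisfied(m, ctx))) &&
    !noneOf.some((m) => matcherSatisfied(m, ctx));
}

// Granted modes: allowed by some applicable policy and denied by none.
function grantedModes(policies, ctx) {
  const allowed = new Set(), denied = new Set();
  for (const p of policies.filter((q) => policyApplies(q, ctx))) {
    (p.allow || []).forEach((m) => allowed.add(m));
    (p.deny || []).forEach((m) => denied.add(m));
  }
  return [...allowed].filter((m) => !denied.has(m)).sort();
}

const agentX = "https://id.example/agentX#me";
const agentY = "https://id.example/agentY#me";
const blocked = "https://id.example/blocked#me";
const trustedApp = "https://app.example/client-id";
const policies = [
  // agentX and agentY get Read and Write, but only through trustedApp.
  { allOf: [{ agents: [agentX, agentY], clients: [trustedApp] }], allow: ["Read", "Write"] },
  // Any authenticated agent except `blocked` gets Read through any client.
  { anyOf: [{ agents: [AUTHENTICATED_AGENT], clients: [PUBLIC_CLIENT] }],
    noneOf: [{ agents: [blocked] }], allow: ["Read"] },
  // agentY is denied Write everywhere; deny overrides the allow above.
  { allOf: [{ agents: [agentY] }], deny: ["Write"] },
];
console.log(grantedModes(policies, { agent: agentX, client: trustedApp }));
```

The model covers only agent and client attributes; the same agent receives different modes depending on the client it uses, which is the effect of adding client identifiers to a policy.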

Inrupt does not provide support for ESS servers running Web Access Control (WAC) in Production. [1]

Identity-Based Access Services

To support access policy based authorization, ESS provides the following services:


The Access Control Policy (ACP) and Web Access Control (WAC) specifications are in Draft status. Features based on draft specifications are subject to change.