# Access Requests and Grants

Inrupt’s Enterprise Solid Server (ESS) provides support for Access Request and Grants. With Access Requests and Grants:

* An [agent](https://docs.inrupt.com/reference/glossary#agent) can request access to [Resources](https://docs.inrupt.com/reference/glossary#resource) hosted on a [Pod](https://docs.inrupt.com/reference/glossary#pods). This Access Request includes the specific [access mode](https://docs.inrupt.com/reference/glossary#access-modes) (e.g., read, write, append) being requested, the Resources to access, the Purpose for which the data will be used, and other optional fields.
* The owner of the requested Resources (i.e., individuals with Control access to the requested Resources) can review the Access Request and either approve the Access Request, resulting in an Access Grant, or deny the Access Request, resulting in an Access Denial.
* If the requesting agent has an Access Grant, the requesting agent can exchange the Access Grant for an access token in order to access the Resources.

## Enable Use of Access Grants

ESS uses [Access Control Policy (ACP)](https://docs.inrupt.com/security/authorization/acp) to define policies that determine access to Pod resources. To be able to use Access Grants for a Resource, the Resource must have a policy that enables the use of Access Grants.

{% hint style="warning" %}
The policy only *enables* the use of Access Grants on the Resource for the access modes specified in the policy. To determine the access for an agent who is using an Access Grant, ESS uses the *intersection* of:

* The allowed access specified by the resource’s ACP, and
* The granted access specified in the Access Grant for that Resource.

For example:

* A Resource has a policy that enables the use of Access Grants for **`Read`** access.
* A requesting agent has received an Access Grant for that resource that allows **`Read`** and **`Write`** access.

Then:

* The requesting agent can use the Access Grant to **`Read`** the resource **only**.
* The requesting agent **cannot** use the Access Grant to **`Write`** the resource, even though the Access Grant specifies both **`Read`** and **`Write`** access.
  {% endhint %}

ESS enables the use of Access Grants by default. Specifically, when ESS creates a **new** Pod, ESS creates default policies that enable the use of Access Grants for that Pod.

## **`inrupt-client-accessgrant`**

To handle Access Requests and Grants, Inrupt’s Java Client Library provides the **`inrupt-client-accessgrant`** module. See [installation](https://docs.inrupt.com/sdk/java-sdk/installation "mention").

The **`inrupt-client-accessgrant`** provides:

<table data-header-hidden><thead><tr><th width="193.1484375"></th><th></th></tr></thead><tbody><tr><td><a href="https://api.docs.inrupt.com/docs/developer-tools/api/java/inrupt-client/latest/com/inrupt/client/accessgrant/AccessGrantClient.html">AccessGrantClient</a></td><td><a href="https://api.docs.inrupt.com/docs/developer-tools/api/java/inrupt-client/latest/com/inrupt/client/accessgrant/AccessGrantClient.html">AccessGrantClient</a> can interact with the <a href="https://docs.inrupt.com/ess/latest/services/service-access-grant/">ESS Access Grant Service</a>; specifically, <a href="https://api.docs.inrupt.com/docs/developer-tools/api/java/inrupt-client/latest/com/inrupt/client/accessgrant/AccessGrantClient.html">AccessGrantClient</a> can be used to create/verify/query/fetch Access Requests and Grants.</td></tr><tr><td><a href="https://api.docs.inrupt.com/docs/developer-tools/api/java/inrupt-client/latest/com/inrupt/client/accessgrant/AccessGrantSession.html">AccessGrantSession</a></td><td><a href="https://api.docs.inrupt.com/docs/developer-tools/api/java/inrupt-client/latest/com/inrupt/client/accessgrant/AccessGrantSession.html">AccessGrantSession</a> allows for the use of Access Grants to interact with Resources; specifically, using an <a href="https://api.docs.inrupt.com/docs/developer-tools/api/java/inrupt-client/latest/com/inrupt/client/accessgrant/AccessGrantSession.html">AccessGrantSession</a>, <a href="https://api.docs.inrupt.com/docs/developer-tools/api/java/inrupt-client/latest/com/inrupt/client/solid/SolidClient.html">SolidClient</a>/<a href="https://api.docs.inrupt.com/docs/developer-tools/api/java/inrupt-client/latest/com/inrupt/client/solid/SolidSyncClient.html">SolidSyncClient</a> can access Resources using the Access Grants.</td></tr></tbody></table>