# Authorization/Access Control

An authorization system determines whether an agent has access to perform a given action on a particular resource.

### ACP

ESS uses [Access Control Policy (ACP)](/security/authorization/acp.md) to define the policies that determine access to a Pod’s resources.

A policy has the form:

**If**

* `allOf | anyOf` ([Matchers](/security/authorization/acp.md#matcher-statements)) evaluates to true, **AND**
* `allOf | anyOf | noneOf` ([Matchers](/security/authorization/acp.md#matcher-statements)) evaluates to true, **AND**
* ...

**Then**

* **allow** ([AccessModes](/security/authorization/acp.md#access-modes)), or
* **deny** ([AccessModes](/security/authorization/acp.md#access-modes)), or
* **allow** ([AccessModes](/security/authorization/acp.md#access-modes)) **AND deny** ([AccessModes](/security/authorization/acp.md#access-modes))

An `allOf` statement evaluates to true when every listed Matcher matches the request, `anyOf` when at least one does, and `noneOf` when none do; a policy needs at least one `allOf` or `anyOf` statement to ever apply. When a policy that applies to a request denies an access mode, that denial takes precedence over any allow of the same mode by another policy.

For more information, see [Access Control Policy (ACP)](/security/authorization/acp.md)

### Access Control Mechanisms

ESS supports:

* [Identity-Based Access](/security/authorization/identity-based-access-policies.md), where access to Pod resources is based on the agent’s identity and, optionally, the identity of the agent’s client.\
  To use identity-based access, the resource must have ACPs that specify the agents’ WebIDs (and, optionally, Client IDs).
* [Access Grants](/security/authorization/access-requests-grants.md), where access to Pod resources can be requested and granted.\
  To use Access Grants, the resource must have [ACP that enables the use of Access Grants](/security/authorization/access-requests-grants.md#enable-access-grant-usage-acp).

### Authorization Services

To support authorization, ESS provides the following services:

* [Authorization Service](https://docs.inrupt.com/ess/latest/services/service-authorization/)
* [UMA Service](https://docs.inrupt.com/ess/latest/services/service-uma/)
* [Access Grant Service](https://docs.inrupt.com/ess/latest/services/service-access-grant/)

### Authorization and Clients

ESS supports the use of [Client IDs](/reference/glossary.md#client-identifier) in client allow lists and access policies.

#### Client Allow Lists

Operators can use Client IDs in the following allow lists:

* [`INRUPT_AUTHORIZATION_DEFAULT_ACR_CLIENT_ID_ALLOW_LIST`](https://docs.inrupt.com/ess/latest/services/service-authorization/#cmdoption-authzconfig-arg-INRUPT_AUTHORIZATION_DEFAULT_ACR_CLIENT_ID_ALLOW_LIST)
  * Specifies the [Client Matcher](https://docs.inrupt.com/guides/access-control-policies#matcher-statements) statements for a new Pod’s [initial access policies](/ess/latest/services/service-pod-management/service-pod-provision.md) . To configure this option, see [Set Initial Pod Clients Allow List](/ess/latest/installation/customize-configurations/customization-security/modify-pod-client-list.md) for an example.
* [`INRUPT_AUTHORIZATION_CLIENT_ID_ALLOW_LIST`](https://docs.inrupt.com/ess/latest/services/service-authorization/#cmdoption-authzconfig-arg-INRUPT_AUTHORIZATION_CLIENT_ID_ALLOW_LIST)
  * Determines which applications can modify the Access Control Resource (i.e., which applications can modify the Access Control Policies for Pod resources). To configure this option, see [Set Authorization Client Allow List](/ess/latest/installation/customize-configurations/customization-security/modify-authz-client-list.md) for an example.
  * May also be used to initialize a new Pod’s [access policies’ client matcher statements](https://docs.inrupt.com/security/authorization#client-matchers) if [`INRUPT_AUTHORIZATION_DEFAULT_ACR_CLIENT_ID_ALLOW_LIST`](https://docs.inrupt.com/ess/latest/services/service-authorization/#cmdoption-authzconfig-arg-INRUPT_AUTHORIZATION_DEFAULT_ACR_CLIENT_ID_ALLOW_LIST) is unset.
* [`INRUPT_VC_CLIENT_ID_ALLOW_LIST_SOLIDACCESSREQUEST`](https://docs.inrupt.com/ess/latest/services/service-access-grant/#cmdoption-agconfig-arg-INRUPT_VC_CLIENT_ID_ALLOW_LIST_SOLIDACCESSREQUEST)
  * Determines which applications can access the [/issue Endpoint](/ess/latest/services/service-access-grant/issue-endpoint.md) and the [/status Endpoint](/ess/latest/services/service-access-grant/service-access-grant-status.md) for access requests.
* [`INRUPT_VC_CLIENT_ID_ALLOW_LIST_SOLIDACCESSGRANT`](https://docs.inrupt.com/ess/latest/services/service-access-grant/#cmdoption-agconfig-arg-INRUPT_VC_CLIENT_ID_ALLOW_LIST_SOLIDACCESSGRANT)
  * Determines which applications can access the [/issue Endpoint](/ess/latest/services/service-access-grant/issue-endpoint.md) and the [/status Endpoint](/ess/2.5/services/service-access-grant/service-access-grant-status.md) for access grants.

#### Client Matchers

Client IDs can be used in [Client Matcher](https://docs.inrupt.com/security/authorization#client-matchers) statements in [Access Control Policy (ACP)](/security/authorization/acp.md) policies.

For example, if the client allow list for a new Pod’s initial policy is set (`INRUPT_AUTHORIZATION_DEFAULT_ACR_CLIENT_ID_ALLOW_LIST`, or `INRUPT_AUTHORIZATION_CLIENT_ID_ALLOW_LIST` when the former is unset; see [Client Allow Lists](#client-allow-lists)), ESS creates [default ACP policies](/ess/latest/services/service-pod-management/service-pod-provision.md#initial-acp-policies) of the form:

`If allOf(AgentMatcher and ClientMatcher) evaluates to true, Then allow (Read and Write).`
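The following is an added illustrative evaluator, not ESS code and not the ACP library API, that shows how the policy shape from the ACP section above (allOf / anyOf / noneOf matcher statements, allow / deny access modes, deny taking precedence) decides a request, using the default `allOf(AgentMatcher and ClientMatcher)` policy as one of its policies. The WebIDs, Client ID URL, request objects and the simplified matcher/policy object layout are all constructed for the example.

```javascript
// Added illustrative evaluator for the ACP decision shape described above.
// This is NOT ESS's authorization engine; the matcher/policy objects are a
// constructed simplification of ACP's acp:allOf / acp:anyOf / acp:noneOf
// and acp:allow / acp:deny properties (an assumption of this example).

const READ = "Read";
const WRITE = "Write";

// Constructed identifiers (not real WebIDs or Client IDs).
const OWNER = "https://pod.example/owner/profile/card#me";
const CONTRACTOR = "https://id.example/contractor#me";
const TRUSTED_APP = "https://app.example/client-id.jsonld"; // static Client ID URL

// Matcher attributes `agent` and `client` are sets of values. A matcher is
// satisfied when, for every attribute it constrains, at least one value
// matches the request; attributes it does not constrain are ignored.
function matcherMatches(matcher, request) {
  const agentOk =
    !matcher.agent ||
    matcher.agent.some(
      (a) =>
        a === "acp:PublicAgent" ||
        (a === "acp:AuthenticatedAgent" && request.webId != null) ||
        a === request.webId
    );
  const clientOk =
    !matcher.client ||
    matcher.client.some((c) => c === "acp:PublicClient" || c === request.clientId);
  return agentOk && clientOk;
}

// A policy applies when every allOf matcher matches, at least one anyOf
// matcher matches (if any are listed), and no noneOf matcher matches.
// A policy with neither allOf nor anyOf is treated as never applying.
function policyApplies(policy, request) {
  const { allOf = [], anyOf = [], noneOf = [] } = policy;
  if (allOf.length === 0 && anyOf.length === 0) return false;
  return (
    allOf.every((m) => matcherMatches(m, request)) &&
    (anyOf.length === 0 || anyOf.some((m) => matcherMatches(m, request))) &&
    !noneOf.some((m) => matcherMatches(m, request))
  );
}

// Effective access: a mode is granted only if some applying policy allows it
// and no applying policy denies it (deny wins). Result is sorted for stability.
function effectiveModes(acr, request) {
  const allowed = new Set();
  const denied = new Set();
  for (const policy of acr.policies) {
    if (!policyApplies(policy, request)) continue;
    for (const m of policy.allow || []) allowed.add(m);
    for (const m of policy.deny || []) denied.add(m);
  }
  return [...allowed].filter((m) => !denied.has(m)).sort();
}

// Constructed Access Control Resource for one Pod resource.
const ACR = {
  policies: [
    // Default initial policy shape: allOf(AgentMatcher and ClientMatcher) -> allow Read, Write.
    { allOf: [{ agent: [OWNER] }, { client: [TRUSTED_APP] }], allow: [READ, WRITE] },
    // Anyone may read.
    { anyOf: [{ agent: ["acp:PublicAgent"] }], allow: [READ] },
    // The contractor may read and write ...
    { allOf: [{ agent: [CONTRACTOR] }], allow: [READ, WRITE] },
    // ... but a separate policy denies Write; deny overrides the allow above.
    { anyOf: [{ agent: [CONTRACTOR] }], deny: [WRITE] },
  ],
};

// Requests a reader can try:
// owner via the allow-listed app                      -> ["Read", "Write"]
// owner via an opaque, dynamically registered client  -> ["Read"]  (client matcher fails)
// anonymous request                                   -> ["Read"]
// contractor via the allow-listed app                 -> ["Read"]  (Write denied)
```

The second request illustrates the note later on this page: a client matcher compares the presented client identifier against the Client ID URL in the policy, so an opaque, dynamically registered client identifier never satisfies it, and the owner falls back to whatever the public policy grants.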

### Note

* ESS does not support the use of dynamically registered Client ID values in client allow lists and access policies.
* Inrupt does not provide support for ESS servers running [Web Access Control (WAC)](https://solid.github.io/web-access-control-spec/) in Production.

