# Identity-Based Access Policies

With identity-based access policies, you can:

* Define access for specific agents using their [WebIDs](/reference/glossary.md#webid); e.g., WebID<sub>agentX</sub> and WebID<sub>agentY</sub> have **`Read`** access to a Pod resource.
* Define access for all agents using a Public agent identifier **`http://www.w3.org/ns/solid/acp#PublicAgent`**.
* Define access for all authenticated (or all unauthenticated) agents using an Authenticated agent identifier.

Additionally, you can include [Client IDs](/reference/glossary.md#client-identifier) (in the [Client Matcher](/security/authorization/acp.md#matchers)) in the agents’ access policy definitions. This feature allows you to decide not only **who** has access to your data but also **which applications** the agent can use to access your data. To include the Client ID in the agents’ access policy definition:

* Use the Client ID of specific clients to include them in the agents’ access definition.
* Use the Public Client ID **`http://www.w3.org/ns/solid/acp#PublicClient`** to include all clients in the agents’ access definition.

### ACP

ESS uses [Access Control Policy (ACP)](/security/authorization/acp.md) to define the policies that determine access to a Pod’s resources. For identity-based access, the resource must have an ACP that specifies:

* [Agent Matcher](/security/authorization/acp.md#matchers) identifying the agents, and optionally, the [Client Matcher](/security/authorization/acp.md#matchers) identifying the clients.
* The access mode(s) (**`Read`**, **`Write`**, **`Append`**) to allow/deny.

For more information on ACP, see [Access Control Policy (ACP)](/security/authorization/acp.md).
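The following policy is an added illustration, not taken from the ESS documentation: it grants **`Read`** to two agents, and only when they use one specific application. It uses terms from the Solid ACP vocabulary (`acp:`) and the WAC access-mode vocabulary (`acl:`); every `*.example` IRI is a constructed placeholder.

```turtle
@prefix acp: <http://www.w3.org/ns/solid/acp#> .
@prefix acl: <http://www.w3.org/ns/auth/acl#> .

# Constructed example. <> is the Access Control Resource (ACR) document itself;
# the resource, WebID and Client ID IRIs are placeholders.
<>
    a acp:AccessControlResource ;
    acp:resource <https://storage.example/alice/notes.ttl> ;
    acp:accessControl <#readControl> .

<#readControl>
    a acp:AccessControl ;
    acp:apply <#readViaTrustedApp> .

<#readViaTrustedApp>
    a acp:Policy ;
    acp:allow acl:Read ;
    # allOf: EVERY listed matcher must be satisfied, so the request needs
    # a listed agent AND the listed client. Listing both matchers under
    # acp:anyOf instead would let either one alone satisfy the policy,
    # and the client restriction would no longer constrain anything.
    acp:allOf <#agentsXandY>, <#trustedApp> .

# Agent Matcher: who may access the resource.
<#agentsXandY>
    a acp:Matcher ;
    acp:agent <https://id.example/agentX#me>,
              <https://id.example/agentY#me> .
    # For all agents, use acp:PublicAgent as the acp:agent value.

# Client Matcher: which application the agent may use.
<#trustedApp>
    a acp:Matcher ;
    acp:client <https://app.example/clientid.jsonld> .
    # For any application, use acp:PublicClient as the acp:client value.
```

When reviewing an existing ACR, check which of `acp:allOf`, `acp:anyOf` and `acp:noneOf` each matcher is attached to, because that decides whether the Client ID actually narrows access.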

### Identity-Based Access Services

To support identity-based access, ESS provides the following services:

* [Authorization Service](https://docs.inrupt.com/ess/latest/services/service-authorization)
* [UMA Service](https://docs.inrupt.com/ess/latest/services/service-uma)

