# Identity-Based Access Policies

With identity-based access policies, you can:

* Define access for specific agents using their [WebIDs](https://docs.inrupt.com/reference/glossary#webid); e.g., WebID<sub>agentX</sub> and WebID<sub>agentY</sub> have **`Read`** access to a Pod resource.
* Define access for all agents using a Public agent identifier **`http://www.w3.org/ns/solid/acp#PublicAgent`**.
* Define access for all authenticated (or all unauthenticated) agents using an Authenticated agent identifier.

Additionally, you can add [Client IDs](https://docs.inrupt.com/reference/glossary#client-identifier) (in the [Client Matcher](https://docs.inrupt.com/security/acp#matchers)) to the agents’ access policy definitions. This feature lets you decide not only **who** has access to your data but also **which applications** the agent can use to access it. To include the Client ID in the agents’ access policy definition:

* Use the Client ID of specific clients to include them in the agents’ access definition.
* Use the Public Client ID **`http://www.w3.org/ns/solid/acp#PublicClient`** to include all clients in the agents’ access definition.

### ACP

ESS uses [Access Control Policy (ACP)](https://docs.inrupt.com/security/authorization/acp) to define the policies that determine access to a Pod’s resources. For identity-based access, the resource must have an ACP that specifies:

* [Agent Matcher](https://docs.inrupt.com/security/acp#matchers) identifying the agents, and optionally, the [Client Matcher](https://docs.inrupt.com/security/acp#matchers) identifying the clients.
* The access mode(s) (**`Read`**, **`Write`**, **`Append`**) to allow/deny.

For more information on ACP, see [Access Control Policy (ACP)](https://docs.inrupt.com/security/authorization/acp).
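
How an Agent Matcher and a Client Matcher combine to decide access can be seen in a small model. This is an added example, not ESS or Inrupt code: a simplified evaluator that assumes the ACP rules that a matcher must match every attribute it defines and that a denied mode overrides an allowed one. It models only `allOf`, uses short mode names instead of IRIs, takes `http://www.w3.org/ns/solid/acp#AuthenticatedAgent` as the Authenticated agent identifier, and its `example` WebIDs and Client ID are placeholders.

```javascript
// Simplified model of ACP matcher evaluation (added example, not ESS code).
const ACP = "http://www.w3.org/ns/solid/acp#";
const PUBLIC_AGENT = ACP + "PublicAgent";
const AUTHENTICATED_AGENT = ACP + "AuthenticatedAgent";
const PUBLIC_CLIENT = ACP + "PublicClient";

// ctx = { agent?: WebID, client?: Client ID } describes one request.
// An attribute the matcher omits adds no constraint; a defined one needs a hit.
function agentMatches(agents, ctx) {
  if (!agents) return true;
  return agents.some((a) => a === PUBLIC_AGENT || a === ctx.agent ||
    (a === AUTHENTICATED_AGENT && ctx.agent !== undefined));
}
function clientMatches(clients, ctx) {
  if (!clients) return true;
  return clients.some((c) => c === PUBLIC_CLIENT || c === ctx.client);
}

// A matcher with no attributes never matches; otherwise all must match.
function matcherSatisfied(m, ctx) {
  if (!m.agent && !m.client) return false;
  return agentMatches(m.agent, ctx) && clientMatches(m.client, ctx);
}

// Assumption: only allOf is modelled; a policy without matchers never applies.
function policySatisfied(p, ctx) {
  const allOf = p.allOf || [];
  return allOf.length > 0 && allOf.every((m) => matcherSatisfied(m, ctx));
}

// Modes allowed by satisfied policies, minus modes any satisfied policy denies.
function grantedModes(policies, ctx) {
  const allow = new Set(), deny = new Set();
  for (const p of policies.filter((q) => policySatisfied(q, ctx))) {
    (p.allow || []).forEach((m) => allow.add(m));
    (p.deny || []).forEach((m) => deny.add(m));
  }
  return [...allow].filter((m) => !deny.has(m)).sort();
}

// Constructed policies; WebIDs and the Client ID are placeholders.
const X = "https://id.example/agentX", Y = "https://id.example/agentY";
const NOTES_APP = "https://notes.example/client-id";
const policies = [
  { allow: ["Read"], allOf: [{ agent: [X, Y], client: [PUBLIC_CLIENT] }] },
  { allow: ["Write"], allOf: [{ agent: [X], client: [NOTES_APP] }] },
];
console.log(grantedModes(policies, { agent: X, client: NOTES_APP }));
console.log(grantedModes(policies, { agent: X, client: "https://other.example/id" }));
```

In this model the same agent gets `Write` only when the request comes through the listed Client ID, which is the "which applications" control the Client Matcher provides.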

### Identity-Based Access Services

To support identity-based access, ESS provides the following services:

* [Authorization Service](https://docs.inrupt.com/ess/latest/services/service-authorization)
* [UMA Service](https://docs.inrupt.com/ess/latest/services/service-uma)
