---
title: Control access to applications through roles and groups
description: The applications data model includes optional accessControl properties that, when set, specify the conditions that must be met by an authenticating actor to access the application. The application properties that control application access are:
component: pingone-api
page_id: pingone-api:foundations:pingone-roles-scopes-and-permissions/control-access-to-applications-through-roles-and-groups
canonical_url: https://developer.pingidentity.com/pingone-api/foundations/pingone-roles-scopes-and-permissions/control-access-to-applications-through-roles-and-groups.html
section_ids:
  application-access-control-for-openid-connect-applications: Application access control for OpenID Connect applications
  application-access-control-for-saml-applications: Application access control for SAML applications
---

# Control access to applications through roles and groups

The applications data model includes optional `accessControl` properties that, when set, specify the conditions that must be met by an authenticating actor to access the application. The application properties that control application access are:

* `accessControl.role.type`

  This property specifies that an administrator role is required to access the application. When set, the only option for this property is `ADMIN_USERS_ONLY`, which means that the actor must be assigned at least one of the following administrator roles: Organization Admin, Environment Admin, Identity Data Admin, or Client Application Developer. For more information about roles, refer to [Roles](../../platform/roles.html) in the *PingOne Platform APIs*. If this property is not set, access to the application is not restricted by administrator roles.

* `accessControl.group.type`

  This property specifies that the actor must be associated with a particular group (or groups) to access the application. When set, this property can be set to `ANY_GROUP`, which means that the actor must be a member of at least one group specified in the `accessControl.group.groups` property. This property can also be set to `ALL_GROUPS`, which means that the actor must belong to all groups specified in the `accessControl.group.groups` property. If this property is not set, access to the application is not restricted by groups.

* `accessControl.group.groups`

  This property specifies a list of one or more groups that control access to the application. If there is more than one group, then the actor must belong to at least one group (if `ANY_GROUP` is the value of `accessControl.group.type`) or all groups (if `ALL_GROUPS` is the value of `accessControl.group.type`). If this property is not set, access to the application is not restricted by groups.

## Application access control for OpenID Connect applications

When `accessControl` properties are set for an application, the authenticating actor must meet the requirements specified in the application's `accessControl` properties to get a token.

To implement role-based application access control:

1. Set the `accessControl.role.type` property value to `ADMIN_USERS_ONLY`.

2. Ensure that the authenticating actor has at least one assigned administrator role.

If the actor has an assigned administrator role, a token is issued that allows access to the application.

To implement group-based application access control:

1. Set the `accessControl.group.type` and `accessControl.group.groups` properties. (If you set one of the application's access control group properties, you must set the other.)

2. Set the property value for the `accessControl.group.type`. The options are `ANY_GROUP` and `ALL_GROUPS`.

3. Set the `accessControl.group.groups` property value to list the group IDs to which an actor must belong. For information about obtaining group IDs, refer to [Groups](../../platform/groups.html) in the *PingOne Platform APIs*.

If the actor belongs to at least one group (for the `ANY_GROUP` type), or all groups (for the `ALL_GROUPS` type), a token is issued that allows access to the application.

> For OIDC applications, if the `grant_type` is either `authorization_code` or `implicit`, then the application's `accessControl` conditions are evaluated to determine whether the user can be issued a token. If the user already has an access token, application access conditions are not evaluated for refresh token or token introspection operations.
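The following added example (not PingOne's own code) builds the `accessControl` fragment for an application create or update body and models how the role and group conditions described above are evaluated against an actor. The `groups` element shape (`[{"id": ...}]`) and all role and group identifiers are assumptions or constructed sample values.

```python
"""Model of the PingOne application accessControl rules described on this page.

Added example, not PingOne's own code. Role names are the ones the page lists;
group IDs used in tests are constructed sample values.
"""
from typing import Iterable, Optional

# Administrator roles the page lists as satisfying ADMIN_USERS_ONLY.
ADMIN_ROLES = frozenset({
    "Organization Admin", "Environment Admin",
    "Identity Data Admin", "Client Application Developer",
})

# Grant types for which the page says accessControl is evaluated at token issuance.
CHECKED_GRANT_TYPES = frozenset({"authorization_code", "implicit"})


def build_access_control(admin_only: bool = False,
                         group_type: Optional[str] = None,
                         group_ids: Iterable[str] = ()) -> dict:
    """Return the accessControl object for an application request body."""
    access_control: dict = {}
    if admin_only:
        access_control["role"] = {"type": "ADMIN_USERS_ONLY"}
    group_ids = list(group_ids)
    if group_type is not None or group_ids:
        # The page requires group.type and group.groups to be set together.
        if group_type not in ("ANY_GROUP", "ALL_GROUPS") or not group_ids:
            raise ValueError("accessControl.group.type and .groups must both be set")
        access_control["group"] = {
            "type": group_type,
            "groups": [{"id": gid} for gid in group_ids],  # ASSUMED element shape
        }
    return access_control


def actor_allowed(access_control: dict, actor_roles: set,
                  actor_groups: set) -> bool:
    """Apply the page's rules: unset properties do not restrict access."""
    role = access_control.get("role")
    if role and role["type"] == "ADMIN_USERS_ONLY":
        if not (actor_roles & ADMIN_ROLES):
            return False  # no qualifying administrator role
    group = access_control.get("group")
    if group:
        required = {g["id"] for g in group["groups"]}
        if group["type"] == "ANY_GROUP" and not (required & actor_groups):
            return False  # member of none of the listed groups
        if group["type"] == "ALL_GROUPS" and not required <= actor_groups:
            return False  # missing at least one listed group
    return True
```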

## Application access control for SAML applications

When `accessControl` properties are set for a SAML application, the authenticating actor must meet the requirements specified in the application's `accessControl` properties to get an assertion. The steps to define the `accessControl` properties for role-based and group-based conditions are the same as for OIDC applications. If the authenticating actor meets the application's access control conditions, an assertion is created. If the conditions are not met, a sign-on attempt returns an authorization failed error.
