App-level access control
App-level access control lets you restrict who can sign in to a specific application. Instead of allowing every registered user in your Logto tenant to access every app, you can create allow rules for each application based on users, user roles, organizations, or organization roles.
Use app-level access control when you want to:
- Make an internal app available only to employees or admins.
- Limit a Protected App to a selected group of users.
- Allow only specific customers or partners to access a third-party OIDC / OAuth application.
- Roll out a new application to a pilot group before opening it to everyone.
How it works
When app-level access control is disabled, all registered users in your Logto tenant can sign in to the application.
When it is enabled, a user can access the application only if they match at least one configured rule. If the user does not match any rule, Logto denies the sign-in attempt and shows an access denied page before the application receives tokens.
App-level access control is evaluated during the authorization flow and token renewal. This means:
- Users without access are blocked before they can complete sign-in for the application.
- Existing app grants are checked again when refresh tokens are used to request new tokens.
- Updating rules affects future authorization and token renewal checks, without changing the user's global Logto session.
App-level access control is separate from Role-based access control (RBAC). RBAC controls what a user can do after authentication by issuing permissions (scopes) in access tokens. App-level access control controls whether a user can access a particular application at all.
Rule types
You can configure the following allow rules:
| Rule type | What it allows |
|---|---|
| Users | Specific users can access the application. |
| User roles | Users assigned to selected user roles can access the application. |
| Organizations | All current and future members of selected organizations can access the application. |
| Organization roles | Members with selected organization roles in selected organizations can access the application. |
Rules are additive. A user only needs to match one rule to access the application.
For example, if an application has both a "Support team" user role rule and a "BigTree - Admin" organization role rule, a user can access the application if they are assigned the Support team role, or if they are an Admin in the BigTree organization.
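The evaluation described above (allow rules combined as an OR, with organization role rules scoped to the selected organizations) is easy to get subtly wrong when reimplemented in your own admission logic, so here is an added example that models it. This is written for this page, not Logto's own implementation; the type names, the `evaluateAppAccess` and `validatePolicy` functions, and the sample IDs are all assumptions.

```typescript
// Added example: a small model of how app-level allow rules combine.
// Written for this page; it is not Logto's own implementation, and the
// names below (Rule, UserContext, evaluateAppAccess, ...) are assumptions.

type Rule =
  | { type: "users"; userIds: string[] }
  | { type: "userRoles"; roleIds: string[] }
  | { type: "organizations"; organizationIds: string[] }
  | { type: "organizationRoles"; organizationIds: string[]; roleIds: string[] };

interface AppAccessPolicy {
  enabled: boolean; // the "Enable access control" toggle
  rules: Rule[];    // custom allow rules; any single match grants access
}

interface UserContext {
  id: string;
  roleIds: string[];                        // global user roles
  organizations: Record<string, string[]>;  // org ID -> org role IDs held there ([] = plain member)
}

type Decision =
  | { allowed: true; matchedRule: Rule | null }
  | { allowed: false; reason: string };

function matchesRule(rule: Rule, user: UserContext): boolean {
  switch (rule.type) {
    case "users":
      return rule.userIds.includes(user.id);
    case "userRoles":
      return rule.roleIds.some((r) => user.roleIds.includes(r));
    case "organizations":
      return rule.organizationIds.some((o) => user.organizations[o] !== undefined);
    case "organizationRoles":
      // The role must be held *in one of the selected organizations*;
      // holding the same role in some other organization does not count.
      return rule.organizationIds.some((o) =>
        (user.organizations[o] ?? []).some((r) => rule.roleIds.includes(r)),
      );
    default:
      return false;
  }
}

// Run at the authorization flow and again on every refresh-token request.
function evaluateAppAccess(policy: AppAccessPolicy, user: UserContext): Decision {
  if (!policy.enabled) {
    return { allowed: true, matchedRule: null }; // every registered user may sign in
  }
  if (policy.rules.length === 0) {
    // The console refuses to save this state; fail closed if it ever appears.
    return { allowed: false, reason: "access control enabled with no allow rules" };
  }
  const matched = policy.rules.find((rule) => matchesRule(rule, user));
  return matched
    ? { allowed: true, matchedRule: matched }
    : { allowed: false, reason: "user matches no allow rule" };
}

// Mirrors the console invariant: access control cannot be enabled without a
// rule, and the last rule cannot be removed while it is enabled.
function validatePolicy(policy: AppAccessPolicy): string[] {
  const errors: string[] = [];
  if (policy.enabled && policy.rules.length === 0) {
    errors.push("at least one allow rule is required while access control is enabled");
  }
  return errors;
}

// Constructed sample data modelling the page's example: a "Support team"
// user role rule plus a "BigTree - Admin" organization role rule.
const examplePolicy: AppAccessPolicy = {
  enabled: true,
  rules: [
    { type: "userRoles", roleIds: ["role_support_team"] },
    { type: "organizationRoles", organizationIds: ["org_bigtree"], roleIds: ["orgrole_admin"] },
  ],
};

const sampleUsers: Record<string, UserContext> = {
  alice: { id: "u_alice", roleIds: ["role_support_team"], organizations: {} },
  bob:   { id: "u_bob",   roleIds: [], organizations: { org_bigtree: ["orgrole_admin"] } },
  carol: { id: "u_carol", roleIds: [], organizations: { org_oak: ["orgrole_admin"] } },
  dave:  { id: "u_dave",  roleIds: [], organizations: { org_bigtree: [] } },
};

function runExample(): Record<string, boolean> {
  const result: Record<string, boolean> = {};
  for (const [name, user] of Object.entries(sampleUsers)) {
    result[name] = evaluateAppAccess(examplePolicy, user).allowed;
  }
  return result;
}

console.log(runExample()); // { alice: true, bob: true, carol: false, dave: false }
```

Note that carol is denied even though she holds the Admin organization role: the rule selects Admins of BigTree specifically, and she is an Admin of a different organization. Dave is a plain BigTree member, which an organization role rule does not cover; an organization rule for BigTree would admit him.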
Configure app-level access control
- Go to Console > Applications.
- Open the application you want to restrict.
- Navigate to the Rules tab.
- In Custom allow rules, click Add rules.
- Choose a rule type:
- Users
- User roles
- Organizations
- Organization roles
- Select the users, roles, organizations, or organization roles that should be allowed to access the application.
- Turn on Enable access control.
- Click Save changes.
You must configure at least one allow rule before enabling access control. This prevents accidentally enabling access control with no users allowed to access the application.
Edit or remove rules
You can update the allow list from the application's Rules tab.
- To add more rules, click Add another below the rules table.
- To remove a rule, click the delete button on the rule row and confirm the action.
- After adding or removing rules, click Save changes to apply the update.
If access control is enabled, Logto requires at least one rule to remain configured. To remove all rules, turn off Enable access control first, then save the changes.
How rule changes affect users
App-level access control does not terminate the user's global Logto session. A user may still be signed in to Logto and other applications.
For the application being restricted:
- A user who no longer matches any allow rule is blocked the next time they go through the application's authorization flow.
- If the user already has app-related grants, Logto checks the rules again when the application uses a refresh token to request new tokens. If the user no longer has access, Logto denies the token request.
- Because the check runs only at authorization and token renewal, an access token that was already issued remains usable until it expires. If you need a rule change to take effect quickly for a sensitive application, keep that application's access token lifetime short so the next renewal, and therefore the next rule check, comes sooner.
This keeps access decisions tied to the application while avoiding unnecessary disruption to unrelated applications.
Relationship with third-party app permissions
For third-party applications, app-level access control and permission management solve different problems:
- App-level access control determines whether a user is allowed to sign in to the third-party application.
- Permission management determines which user profile scopes, API resource scopes, and organization scopes the third-party application may request on the consent screen.
If both are configured, the user must pass app-level access control before they can authorize the third-party application.
Relationship with Protected App
For Protected App, app-level access control restricts who can pass the Logto authentication layer and reach the protected origin server.
Protected App authentication rules still determine which routes require authentication. App-level access control determines which authenticated Logto users are allowed to access the Protected App application.
Best practices
- Start with user role or organization role rules when possible. They are easier to maintain than long lists of individual users.
- Use organization rules when everyone in an organization should access the app.
- Use organization role rules when only specific members of an organization should access the app.
- Review access rules when users change roles, join organizations, or leave organizations.
- Keep RBAC permissions and app-level access control separate in your mental model: app-level access answers "Can this user access this app?", while RBAC answers "What can this user do after accessing APIs or organization features?"