--- title: Application access control description: Use application access control to define access to PingOne applications through roles and groups. component: pingone page_id: pingone:applications:p1_application_access_control canonical_url: https://docs.pingidentity.com/pingone/applications/p1_application_access_control.html revdate: April 28, 2025 page_aliases: ["p1_config_app_access_control.adoc", "p1_audit_access_events.adoc"] section_ids: configure_app_access: Configuring application access control steps: Steps auditing-access-events: Auditing access events steps-2: Steps next-steps: Next steps --- # Application access control Use application access control to define access to applications through roles and groups. For each application, specify the conditions that must be met by an authenticating user to access an application. You can use application access control with all types of applications. | | | | - | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | | You can define application permissions to control access to custom-developed application features after users authenticate. Learn more in [Application permissions](p1_application_permissions.html). | * Role type Specifies that a user with an administrator role is required to access the application. The user must have one of the following roles: * Organization Admin * Environment Admin * Identity Data Admin * Client Application Developer Learn more in [Administrator Roles](../directory/p1_roles.html). If no option is selected, an administrator role is not required to access the application. * Group type Specifies that a user must be a member of a particular group or groups to access the application. If you have two or more groups, you can specify how group access is applied: * **Any**: The user must be a member of at least one of the specified groups. * **All**: The user must be a member of all specified groups. If no option is selected, group membership is not required to access the application. If an existing group is removed from the environment, then any members of the group might no longer have access to the application, depending on their other group memberships and how group evaluation is configured. * Application portal Determines whether an application icon appears in the application portal, even if the user would see the application in the application portal based on the group membership policy. For example, you could use this option if the SSO flow is being triggered through means other than on the application portal or because you're [creating multiple application deep links](p1_adding_resource_links_to_application_portal.html) that will be shown in the application portal rather than the actual application. Learn more in [Application portal](../introduction_to_pingone/p1_introduction.html#p1-app-portal). ## Configuring application access control Use application access control to define access to applications through roles and groups. For each application, specify the conditions that must be met by an authenticating user to access an application. You can use application access control with all types of applications. ## Steps 1. In the PingOne admin console, go to **Applications > Applications** and browse or search for the application you want to configure. 2. Click the application entry to open the details panel for the application. 3. On the **Access** tab, click the **Pencil** icon. 4. For **Admin Only Access**, to specify whether an administrator role is required to access the application, select the **Must have admin role** checkbox. Available roles are: * **Organization Admin** * **Environment Admin** * **Identity Data Admin** * **Client Application Developer** Learn more in [Administrator Roles](../directory/p1_roles.html). 5. For **Group Membership Policy**, specify the groups that can access the application by searching or browsing for the group. The list is updated as you enter the search criteria. Do one or more of the following: | Option | Description | | ----------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | Add a group to the access list | On the **Groups** tab, select the checkbox for a group name to add it to the **Applied Groups** list. | | Remove a group from the access list | On the **Applied Groups** tab, clear the checkbox for the group name you want to remove. | | Require any group membership | If you apply two or more groups, select **User is a member of any applied group** to require the user to be a member of any of the applied groups to access the application. | | Require all group membership | If you apply two or more groups, select **User must be a member of all applied groups** to require the user to be a member of all applied groups to access the application. | | | | | - | ------------------------------------------------------------------------------------------------------------------------------ | | | If you remove an existing group from the environment, then any members of the group lose access to the configured application. | 6. Click **Save**. ## Auditing access events You can use the **Audit** page to see a summary of user access events related to application access control. ## Steps 1. In the PingOne admin console, go to **Monitoring > Audit**. 2. For **Time Range**, select the desired time span. 3. For **Filter Type**, select **Event Type**. 4. For **Filter**, select one of the following: * **User Access Allowed**: The user accessed the resource successfully. * **User Access Denied**: The user was denied access to the resource. 5. Click **Run**. ## Next steps * In the **Activities** list, see the **Description** column for specific events. * In the **Details** column, click **View** to see more detailed information about the event.