---
title: Configure an application authorization policy
description: Configure Advanced Identity Cloud authorization policies for custom or SSO applications to control who can authenticate to the application
component: pingoneaic
page_id: pingoneaic:app-management:configure-app-authorization-policy
canonical_url: https://docs.pingidentity.com/pingoneaic/app-management/configure-app-authorization-policy.html
llms_txt: https://docs.pingidentity.com/pingoneaic/llms.txt
docs_for_agents: https://developer.pingidentity.com/build-with-ai/docs-for-agents.md
keywords: ["Application Management", "Setup & Configuration"]
section_ids:
  benefits-authorization-policy: Benefits of application authorization policies
  use-cases-authorization-policy: Example use cases
  add-authorization-policy: Add an authorization policy to an application
  manage-authorization-policy: Manage an authorization policy
  policy-condition-builder: Policy condition builder
  policy_condition_builder_elements: Policy condition builder elements
  example_policy: Example policy
  next_steps: Next steps
---

# Configure an application authorization policy

Use application authorization policies to control who can sign on to OpenID Connect (OIDC) and SAML applications in Advanced Identity Cloud. When you add a policy to an application, only users who meet the policy's conditions can authenticate. During sign-on, the [App Policy Decision node](https://docs.pingidentity.com/auth-node-ref/latest/app-policy-decision.html) in the authentication journey evaluates the policy to determine whether to grant access.

> **Note:** The application policy builder supports a simplified set of policy conditions. If you need conditions or constructs that aren't available in the application UI, use the [AM native admin console](../am-authorization/policy-sets-ui.html). When using the AM native admin console, you must add custom policies to the `Customer Application Policy Set`.

## Benefits of application authorization policies

Configuring an application authorization policy provides the following benefits:

* **Stronger security**: Enforce granular access control by restricting access based on user, group, application, and environmental conditions.

* **Simplified maintenance**: Add, edit, activate, and deactivate policies directly from the application UI without modifying the authentication journey for routine policy changes.

* **Reusable journeys**: Use a single authentication journey for multiple applications, where each application has its own distinct authorization policy to control access.

* **Separation of duties**: Allow a tenant administrator to build a reusable authentication journey, while an application owner manages access to their specific application by configuring the application's authorization policy.

### Example use cases

* **Group-scoped HR portal**: An OIDC application for payroll is restricted to members of the `HR-Staff` group. If an employee is removed from the group, they lose access automatically with no need to update the journey or the application's SSO configuration.

* **High-risk app**: An application containing sensitive data is restricted to users who have authenticated with multi-factor authentication (MFA) and are using a trusted device.

* **Contractor access**: Contractors are allowed to authenticate, but only during working hours and only from an approved IP address.

## Add an authorization policy to an application

1. In the Advanced Identity Cloud admin console, go to Applications and select the application.

2. Click the Sign On tab.

3. In the Access Policy section, click Create a Policy.

4. In the Add Access Policy modal, choose the policy type:

   * User-based Access: Restrict access to the application based on user attributes and application membership.

   * Group-based Access: Restrict access to the application based on group membership.

   * Environmental: Restrict access to the application based on environmental conditions, such as IP address or a date range.

   * Custom: Build a policy using the supported conditions, groups, and comparators to restrict access.

5. Click Next.

6. [Build the policy](#policy-condition-builder) and click Save.

## Manage an authorization policy

After you save a policy, you can manage it from the Access Policy section of the application's Sign On tab. Click the Ellipsis (...) icon to the right of the policy to:

* Edit the policy's conditions.

* Activate or Deactivate the policy. When a policy is deactivated, it isn't evaluated during sign-on.

* Delete the policy.

## Policy condition builder

The policy condition builder lets you construct policies based on user, group, and environmental conditions.

You can use the policy condition builder to:

* Add one or more conditions.

* Group conditions together.

* Choose how values are compared.

* Combine conditions into a policy that is evaluated when the authentication journey runs.

### Policy condition builder elements

| Element    | Purpose                                                                                                                                                                            |
| ---------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| Condition  | A single rule to evaluate, such as group membership, role value, application assignment, IP range, or another supported user or environment attribute.                             |
| Group      | A logical grouping of conditions that are evaluated together.                                                                                                                      |
| Comparator | Defines how the selected value is checked, for example equals, contains, starts with, or ends with. The available comparators depend on the condition type.                        |
| Value      | The user, group, attribute value, IP range, date, or other input that the condition evaluates against. The available value field depends on the selected condition and comparator. |

### Example policy

This example shows how to create a policy that grants access to the application only if the user is in the `Finance` group and has application membership. The example assumes that you have a `Finance` [group set up in Advanced Identity Cloud](../idm-objects/manage-groups.html#create-a-group).

1. In the Advanced Identity Cloud admin console, go to Applications and select the application.

2. Click the Sign On tab.

3. In the Access Policy section, click Create a Policy.

4. In the Add Access Policy modal, select Custom and click Next.

5. Select All to restrict access to users who meet all the criteria.

6. For the first condition, select User Group Membership as the condition type, equals as the comparator, and your finance group (for example, `Finance`) as the value.

7. Click the Add (+) icon, then click Add Condition.

8. For the second condition, select User Application Membership.

   ![Add access policy modal with the first condition added and the user application membership condition being added.](_images/add-access-policy.png)

9. Click Save to save the policy. The policy is automatically activated and added to the application.

Only users who are in the `Finance` group and have access to the application can sign on to the application. Users who don't meet both criteria are denied access.
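To make the builder's elements concrete, the following added example (not code from the Ping Identity docs or from Advanced Identity Cloud itself) models how a Condition, Group, Comparator, and Value combine into the decision the journey receives for the `Finance` example above. The subject attribute keys (`groups`, `applications`), the application identifier `payroll-app`, and the subjects are constructed for illustration; in the product the evaluation is performed by the App Policy Decision node, not by this code.

```python
"""Toy model of the policy condition builder (illustration only, not AM's engine)."""
from __future__ import annotations
from dataclasses import dataclass, field
from typing import Callable

# Comparators listed in the builder table; each receives (actual, expected).
COMPARATORS: dict[str, Callable[[str, str], bool]] = {
    "equals": lambda actual, expected: actual == expected,
    "contains": lambda actual, expected: expected in actual,
    "starts with": lambda actual, expected: actual.startswith(expected),
    "ends with": lambda actual, expected: actual.endswith(expected),
}

@dataclass
class Condition:
    attribute: str      # subject key, e.g. "groups" or "applications" (assumed names)
    comparator: str     # one of COMPARATORS
    value: str          # the Value element the condition evaluates against

    def holds(self, subject: dict) -> bool:
        check = COMPARATORS[self.comparator]
        # Membership attributes are multi-valued: the condition holds if any member matches.
        values = subject.get(self.attribute, [])
        if isinstance(values, str):
            values = [values]
        return any(check(v, self.value) for v in values)

@dataclass
class Group:
    match: str          # "all": every condition must hold; "any": at least one must hold
    conditions: list[Condition] = field(default_factory=list)

    def holds(self, subject: dict) -> bool:
        results = [c.holds(subject) for c in self.conditions]
        return all(results) if self.match == "all" else any(results)

# The example policy from this page: "All" of Finance group membership
# AND membership of the application (app id "payroll-app" is constructed).
FINANCE_POLICY = Group("all", [
    Condition("groups", "equals", "Finance"),
    Condition("applications", "equals", "payroll-app"),
])

def decide(policy: Group, subject: dict) -> str:
    """Return the access decision for a subject; unmet conditions deny access."""
    return "GRANT" if policy.holds(subject) else "DENY"

if __name__ == "__main__":
    alice = {"groups": ["Finance"], "applications": ["payroll-app"]}  # constructed
    print(decide(FINANCE_POLICY, alice))
```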

## Next steps

* [Application management](applications.html)

* [App catalog](app-catalog.html)

* [Register an application](register-an-application.html) or [Register a custom or SSO application](register-a-custom-application.html)

* [Configure an application authorization policy](configure-app-authorization-policy.html)

* *[Manage end users and roles](manage-users-and-roles.html)*

* [Manage application registrations](manage-app-status.html)
