For each application, specify the conditions that must be met by an authenticating user to access an application. You can use application access control with all types of applications.

Role type

Specifies that a user with an administrator role is required to access the application. The user must have one of the following roles:

  • Organization Admin
  • Environment Admin
  • Identity Data Admin
  • Client Application Developer

For more information, see Roles. If no option is selected, an administrator role is not required to access the application.

Group type

Specifies that a user must be a member of a particular group or groups to access the application. If you have two or more groups, you can specify how group access is applied:
  • Any: The user must be a member of at least one of the specified groups.
  • All: The user must be a member of all specified groups.

If no option is selected, group membership is not required to access the application. If an existing group is removed from the environment, then any members of the group might no longer have access to the application, depending on their other group memberships and how group evaluation is configured.
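The role and group rules above, as an added example (not PingOne code or its API): a small Python model of the access check, plus a helper that lists which users would lose access if a group were removed. The class and function names are hypothetical, the users are constructed, and the helper assumes that removing a group drops its memberships while the application still lists that group.

```python
from dataclasses import dataclass

# Administrator roles listed on this page.
ADMIN_ROLES = frozenset({"Organization Admin", "Environment Admin",
                         "Identity Data Admin", "Client Application Developer"})

@dataclass(frozen=True)
class AccessPolicy:                      # hypothetical model, not a PingOne schema
    require_admin_role: bool = False     # "Role type" option selected
    groups: frozenset = frozenset()      # empty = group membership not required
    group_mode: str = "Any"              # "Any" or "All"

@dataclass(frozen=True)
class User:
    name: str
    roles: frozenset = frozenset()
    groups: frozenset = frozenset()

def can_access(policy, user):
    """Apply the role condition, then the group condition."""
    if policy.group_mode not in ("Any", "All"):
        raise ValueError("group_mode must be 'Any' or 'All'")
    if policy.require_admin_role and not (user.roles & ADMIN_ROLES):
        return False
    if not policy.groups:
        return True
    if policy.group_mode == "All":
        return policy.groups <= user.groups      # member of every listed group
    return bool(policy.groups & user.groups)     # member of at least one

def lose_access_if_removed(policy, users, group):
    """Names of users who have access now but not once `group` is removed.
    Assumption: memberships vanish, the policy still references the group."""
    lost = []
    for u in users:
        after = User(u.name, u.roles, u.groups - {group})
        if can_access(policy, u) and not can_access(policy, after):
            lost.append(u.name)
    return lost

# Constructed sample data.
USERS = [
    User("ana", frozenset({"Environment Admin"}), frozenset({"ops", "finance"})),
    User("ben", frozenset(), frozenset({"ops"})),
    User("cy", frozenset(), frozenset({"ops", "finance"})),
]
ANY_POLICY = AccessPolicy(groups=frozenset({"ops", "finance"}), group_mode="Any")
ALL_POLICY = AccessPolicy(groups=frozenset({"ops", "finance"}), group_mode="All")
```

Running `lose_access_if_removed` against each application's policy before deleting a group shows the difference between the two modes: under Any only users with no other listed group are cut off, while under All every current user is.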

Application portal

Determines whether the application icon appears in the application portal for a user who would see the application there based on the group membership policy.

For example, you could use this option if the SSO flow is triggered through means other than the application portal, or if you are creating multiple application deep links (see resource links) that will be shown in the application portal rather than the actual application. For more information, see PingOne application portal.