# Role-based Access

In many cases, you might want to restrict access to your application, or to parts of it, to specific groups of users. To enable this, add the file `conf/security/access.conf` to your application's configuration tree.

Use the following configuration parameters:

```yml wrap  theme={"dark"}
allow: role-with-access-1,role-with-access-2
deny: role-without-access-1,role-without-access-2
pattern: regex-of-uris-to-intercept
```

These configuration parameters are:

* `allow`: A comma-separated list of roles that should be granted access. When not specified or set to the wildcard `*`, Appkit defaults to allowing access to all roles.
* `deny`: A comma-separated list of roles that should be denied access.
* `pattern`: A regular expression defining the URIs that should be intercepted for an access check. This defaults to `.*`, so all paths are checked.

## Example

Let us assume you have a user directory containing two users, `user` and `admin`, where only the latter has the `ADMIN` role. For example, you can define this using a simple `spring-security.xml` configuration with a static list of users like so:

```xml wrap  theme={"dark"}
<authentication-manager>
    <authentication-provider>
        <user-service>
            <user name="user" password="user" authorities="USER"/>
            <user name="admin" password="admin" authorities="USER,ADMIN"/>
        </user-service>
    </authentication-provider>
</authentication-manager>
```

To configure role-based access, you add `conf/security/access.conf` to the application with this configuration:

```yml wrap  theme={"dark"}
allow: ADMIN
pattern: (/)|(/twigkit/api/.*)
```

This says that role-based authorization rules are applied to all requests to `/` (the root page) and to the API service. Intercepting the root page is not strictly necessary for protecting the API; it simply gives users who are denied access a clearer experience, because they are refused at the front door rather than on the first API call.

To validate this setup, first log in as `user`, who is denied access, as shown in the application logs:

```bash wrap  theme={"dark"}
TRACE t.s.SecurityFilterExecutionModule - Filtering with [twigkit.security.filter.RoleBasedAuthorisationFilter]
TRACE t.s.f.InterceptAuthorisationFilter - Filtering request to / - comparing against access pattern (/)|(/twigkit/api/.*)
TRACE t.s.f.RoleBasedAuthorisationFilter - User 'user' is DENIED access to protected resource
ERROR t.s.SecurityFilterExecutionModule - Authorization chain failed - returning 403
```

Subsequently, log in as `admin`, who is granted access to the app, as shown in the logs:

```bash wrap  theme={"dark"}
TRACE t.s.SecurityFilterExecutionModule - Filtering with [twigkit.security.filter.RoleBasedAuthorisationFilter]
TRACE t.s.f.InterceptAuthorisationFilter - Filtering request to / - comparing against access pattern (/)|(/twigkit/api/.*)
TRACE t.s.f.RoleBasedAuthorisationFilter - User 'admin' is GRANTED access to protected resource
```
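The following is an added reference model of the `allow`/`deny`/`pattern` decision described above, not Appkit's own code. It assumes the pattern must match the whole request URI (consistent with the text treating `(/)` as the root page only; a prefix match would make `(/)` intercept every path) and that a role listed in `deny` overrides one listed in `allow`, which the page does not state.

```python
import re

# Constructed access.conf content mirroring the page's example (not a real deployment file).
ACCESS_CONF = """
allow: ADMIN
pattern: (/)|(/twigkit/api/.*)
"""

def parse_access_conf(text):
    """Parse the three-key access.conf format described on the page.

    Returns a dict with 'allow' and 'deny' as sets of roles (an empty set means
    'unspecified') and 'pattern' as a compiled regex, defaulting to '.*'.
    """
    cfg = {"allow": set(), "deny": set(), "pattern": ".*"}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if key in ("allow", "deny"):
            roles = {r.strip() for r in value.split(",") if r.strip()}
            cfg[key] = set() if roles == {"*"} else roles  # '*' behaves like unspecified
        elif key == "pattern":
            cfg[key] = value
    cfg["pattern"] = re.compile(cfg["pattern"])
    return cfg

def decide(cfg, uri, roles):
    """Return 'NOT_INTERCEPTED', 'GRANTED' or 'DENIED' for one request.

    Assumptions (not stated on the page): the pattern must match the whole URI,
    and a role present in `deny` overrides one present in `allow`.
    """
    if cfg["pattern"].fullmatch(uri) is None:
        return "NOT_INTERCEPTED"
    roles = set(roles)
    if roles & cfg["deny"]:
        return "DENIED"
    if not cfg["allow"] or roles & cfg["allow"]:
        return "GRANTED"
    return "DENIED"

if __name__ == "__main__":
    cfg = parse_access_conf(ACCESS_CONF)
    for user, roles in (("user", ["USER"]), ("admin", ["USER", "ADMIN"])):
        print(f"User '{user}' is {decide(cfg, '/', roles)} access to /")
```

Paths outside the pattern, such as static assets, are reported as `NOT_INTERCEPTED` so you can confirm which URIs the filter actually protects before relying on it.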
