# Role-based Access


**Since 4.2.0**

In many cases, you might want to restrict access to your application, or parts of your application, to specific groups of users. To enable this option, you must add the file `conf/security/access.conf` to your application’s configuration tree.

Use the following configuration parameters:

```yaml wrap  theme={"dark"}
allow: role-with-access-1,role-with-access-2
deny: role-without-access-1,role-without-access-2
pattern: regex-of-uris-to-intercept
```

These configuration parameters are:

* `allow`: A comma-separated list of roles that should be granted access. When not specified, or set to the wildcard `*`, Appkit defaults to allowing access to all roles.
* `deny`: A comma-separated list of roles that should be denied access.
* `pattern`: A regular expression defining which request URIs are intercepted for the access check. This defaults to `.*` (all paths are checked).

## Example

Let us assume you have a user directory containing two users, `user` and `admin`, where only the latter has the `ADMIN` role. For example, you can define this with a simple `spring-security.xml` configuration that uses a static list of users:

```xml wrap  theme={"dark"}
<authentication-manager>
    <authentication-provider>
        <user-service>
            <user name="user" password="user" authorities="USER"/>
            <user name="admin" password="admin" authorities="USER,ADMIN"/>
        </user-service>
    </authentication-provider>
</authentication-manager>
```

To configure role-based access, you add `conf/security/access.conf` to the application with this configuration:

```yaml wrap  theme={"dark"}
allow: ADMIN
pattern: (/)|(/twigkit/api/.*)
```

This applies the role-based authorization rules to all requests to `/` (the root page) and to the API service. Intercepting `/` is not strictly necessary; it just gives users who are denied access a clearer experience.

To validate this setup, first log in as `user`; access is denied, as shown in the application logs:

```text theme={"dark"}
TRACE t.s.SecurityFilterExecutionModule - Filtering with [twigkit.security.filter.RoleBasedAuthorizationFilter]
TRACE t.s.f.InterceptAuthorizationFilter - Filtering request to / - comparing against access pattern (/)|(/twigkit/api/.*)
TRACE t.s.f.RoleBasedAuthorizationFilter - User 'user' is DENIED access to protected resource
ERROR t.s.SecurityFilterExecutionModule - Authorization chain failed - returning 403
```

Then log in as `admin`; access to the app is granted, as shown in the logs:

```text theme={"dark"}
TRACE t.s.SecurityFilterExecutionModule - Filtering with [twigkit.security.filter.RoleBasedAuthorizationFilter]
TRACE t.s.f.InterceptAuthorizationFilter - Filtering request to / - comparing against access pattern (/)|(/twigkit/api/.*)
TRACE t.s.f.RoleBasedAuthorizationFilter - User 'admin' is GRANTED access to protected resource
```
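The `allow`/`deny`/`pattern` semantics described above, and the walkthrough in this example, modelled in Python as an added example (this is not Appkit's own code). It parses the `access.conf` lines, checks whether a request URI is intercepted by the regex, and then decides access from the user's roles. It assumes the pattern must match the whole URI (as the example implies, since `(/)` is described as covering only the root page) and that a role listed in `deny` overrides one listed in `allow`; neither precedence rule is stated on this page.

```python
import re

# Constructed access.conf content, mirroring the example on this page.
ACCESS_CONF = """\
allow: ADMIN
pattern: (/)|(/twigkit/api/.*)
"""

# Constructed users, mirroring the spring-security.xml example on this page.
USERS = {"user": {"USER"}, "admin": {"USER", "ADMIN"}}


def parse_access_conf(text):
    """Parse 'key: value' lines into a dict; allow/deny become role sets.

    Defaults follow the documented behaviour: allow everything ('*'),
    deny nothing, intercept every path ('.*').
    """
    conf = {"allow": {"*"}, "deny": set(), "pattern": ".*"}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(":")
        key, value = key.strip().lower(), value.strip().strip("'\"")
        if key in ("allow", "deny"):
            conf[key] = {r.strip() for r in value.split(",") if r.strip()}
        elif key == "pattern":
            conf[key] = value
    return conf


def decide(conf, uri, roles):
    """Return 'SKIPPED' if the URI is not intercepted, else 'GRANTED' or 'DENIED'."""
    # Assumption: the pattern must match the whole URI, not just a prefix.
    if re.fullmatch(conf["pattern"], uri) is None:
        return "SKIPPED"
    roles = set(roles)
    if roles & conf["deny"]:  # assumption: an explicit deny wins over allow
        return "DENIED"
    if "*" in conf["allow"] or roles & conf["allow"]:
        return "GRANTED"
    return "DENIED"


if __name__ == "__main__":
    conf = parse_access_conf(ACCESS_CONF)
    for name, roles in USERS.items():
        for uri in ("/", "/twigkit/api/search", "/search"):
            print(f"{name:6} {uri:22} {decide(conf, uri, roles)}")
```

Running it reports `/search` as SKIPPED for both users: only URIs matched by `pattern` are checked, so any page outside the pattern is served without a role check.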
