How to restrict access to an application

[dandanthedev]

Describe your question/
A clear and concise description of what you're trying to do.
The title basically explains it. I want to only allow access to a specific web app for me, not other people. I saw somewhere that you can do that in authentik, but i cant seem to find it.
Relevant infos
i.e. Version of other software you're using, specifics of your setup
Latest version virtualized in Portainer with NPM infront.
Screenshots
If applicable, add screenshots to help explain your problem.
Cant find it so cant send screenshots :P
Logs
Output of docker-compose logs or kubectl logs respectively

Logs shouldnt be necessairy.

Version and Deployment (please complete the following information):

• authentik version: [e.g. 2021.8.5]
• latest
• Deployment: [e.g. docker-compose, helm]
• virtualized proxmox vm with NPM infront

Additional context
Add any other context about the problem here.
I dont have anything to add

[BeryJu]

You can click on the application in the application list, then select the Policy / Group / User Bindings tab, where you can bind a user/group/policy to grant access

[Lx]

You can click on the application in the application list, then select the Policy / Group / User Bindings tab, where you can bind a user/group/policy to grant access

Sorry, but either I'm a total moron or there is no clear, intuitive way to proceed from this screen:

Do I create a binding or a policy?

The only option here that seems even remotely relevant to "permitting or denying app access to a user" is the top one, so I'll try that...well, I got asked for a name so I put "Something" and now I've apparently created a policy called "Something" and now I apparently finish after choosing a numeric order and timeout. (?????)

Please, can someone provide clear instructions for restricting access to an application as initially requested.

[BeryJu]

@Lx I agree that the UX for this specifically can be confusing; to grant access to a specific user/group you'd click on Bind existing policy where you can select a group/user to grant access

We'll improve this UX in a future release to at least make it clear that one has to click on "Bind" to bind a user/group (something like this)

[dojoca]

I think I must also be really slow on this but I just can't figure it out.

I have applications A and B.
I have and admin user and a Bob user.

Bob logs in, can see A and B.

How do I make it so Bob can only see/use B?

[nwithan8]

I think I must also be really slow on this but I just can't figure it out.

I have applications A and B. I have and admin user and a Bob user.

Bob logs in, can see A and B.

How do I make it so Bob can only see/use B?

"Applications" in the sidebar, select your application A. Click the "Policy / Group / User Bindings" tab at the top -> "Bind existing Policy / Group / User" button -> Select "User" at the top of the pop-up and select the admin user from the User dropdown, then the "Create" button.

Because there is now an explicit user added to A, any other users NOT explicitly added will not have access to A. Repeat for each app and user accordingly.

You can also do this in the reverse order, by clicking on the appropriate user in the "Users" sidebar, and editing their application access under the "Applications" tab at the top.

[bballdavis]

To tag onto this, I'm having a similar issue. I have Authentik setup behind Traefik with a middleware passing through all the major header requests and responses. The issue I'm having is very similar to OP. Once they authenticate, the have access to everything tied to traefik. With the group policy binding the apps won't show up on the authentik page which is great, but if you type in the address they now have access.

Since these are OIDC providers i was concerned that maybe that was the issue, so i setup a "ghost" app/provider as a forwardauth to see if maybe that was the problem and bound the same groups, but still the same behavoir.

Do i need to setup specific expression policies? I"m really at a loss and that I must be missing something simple.

[Zordians]

Same Problem.
And I can't select between user, group or policy, there is no pop-up or anything to choose from.

[kevinruffus]

As @Zordians mentioned, there is no option to select user or group in the most recent release, running in Docker anyway. That could be playing a part in this if something is off in the build process.

Going off what @nwithan8 mentioned, there is also no option to add or remove applications per user from the User's "page". It currently only displays what they have access to, with the only options being to edit the application or provider by following their links.

[obscenevaccine]

I just recently moved over to Authentik, and I thought I was taking crazy pills until reading this thread. Every article I've read just says "select the Group option from the binding"...which doesn't exist.

Like @Zordians, there is no option to select between policy/user/group and just defaults to the image they shared. If this needs to be opened in a new issue, I'm glad to do so.

Thanks in advance.

Edit: as an update, I have opened #19915 for this issue.