
Principle:Langgenius Dify Access Control

From Leeroopedia
Knowledge Sources: Dify
Domains: Frontend, Security, Access Control
Last Updated: 2026-02-12 07:00 GMT

Overview

Access Control is the principle of fine-grained access restriction for shared web apps, using mechanisms such as whitelists, user groups, and permission levels to control who can interact with published applications.

Description

While Dify supports publicly shared web applications, many use cases require restricting access to specific audiences. The Access Control principle defines how the platform enforces authorization rules on shared applications, supporting multiple access control mechanisms including email whitelists, SSO group restrictions, password protection, and IP-based filtering. These controls allow application builders to share their AI applications with specific teams, organizations, or user groups without making them fully public.

In the frontend, access control manifests through authentication gates that intercept requests to shared web apps and enforce the configured restrictions. When a user attempts to access a protected web app, the system checks their identity against the access control list and either grants access or presents an appropriate challenge (login form, password prompt, or access denied page). The web app context carries the access control configuration so that the rendering pipeline can make authorization decisions before loading the application interface. Because this gate runs in the browser, it decides what the client renders; the authoritative decision remains the backend authorization check that the frontend gate complements.
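The gate described above, as an added example (not Dify's code; the `AccessConfig`, `RequestContext` and `decide` names are assumptions for illustration): each configured mechanism is evaluated in turn, the network filter fails closed, and the identity checks produce the login challenge only after the earlier layers have passed.

```typescript
// Added illustration, not Dify's own code. A pure decision function for a
// web-app authentication gate: every configured mechanism must pass.
interface AccessConfig {
  allowedCidrs?: string[];   // IPv4 CIDRs for IP-based filtering, e.g. "10.0.0.0/8"
  passwordHash?: string;     // hash of the share password (never the plaintext)
  allowedEmails?: string[];  // email whitelist, compared case-insensitively
  allowedGroups?: string[];  // SSO group restriction: user needs one of these
}

interface RequestContext {
  ip: string;
  submittedPasswordHash?: string; // hash of what the user typed, if anything
  email?: string;                 // set only once the user is authenticated
  groups?: string[];              // group claims supplied by the SSO provider
}

type Decision = "allow" | "denied" | "password_required" | "login_required";

function ipv4ToInt(ip: string): number {
  const p = ip.split(".").map(Number);
  if (p.length !== 4 || p.some((n) => !Number.isInteger(n) || n < 0 || n > 255)) {
    throw new Error(`invalid IPv4 address: ${ip}`);
  }
  return ((p[0] << 24) | (p[1] << 16) | (p[2] << 8) | p[3]) >>> 0;
}

function inCidr(ip: string, cidr: string): boolean {
  const [base, bitsStr] = cidr.split("/");
  const bits = Number(bitsStr ?? "32");
  if (!(bits >= 0 && bits <= 32)) throw new Error(`invalid CIDR: ${cidr}`);
  const mask = bits === 0 ? 0 : (0xffffffff << (32 - bits)) >>> 0; // JS shifts mod 32
  return (ipv4ToInt(ip) & mask) === (ipv4ToInt(base) & mask);
}

// Compare secrets without an early exit, so timing does not reveal the prefix.
function constantTimeEqual(a: string, b: string): boolean {
  if (a.length !== b.length) return false;
  let diff = 0;
  for (let i = 0; i < a.length; i++) diff |= a.charCodeAt(i) ^ b.charCodeAt(i);
  return diff === 0;
}

function decide(cfg: AccessConfig, req: RequestContext): Decision {
  // 1. Network filter: deny outright, revealing no further challenge.
  if (cfg.allowedCidrs && !cfg.allowedCidrs.some((c) => inCidr(req.ip, c))) return "denied";
  // 2. Password gate: challenge when absent, deny when wrong.
  if (cfg.passwordHash) {
    if (!req.submittedPasswordHash) return "password_required";
    if (!constantTimeEqual(req.submittedPasswordHash, cfg.passwordHash)) return "denied";
  }
  // 3. Identity gates: an authenticated user is required before membership is checked.
  if ((cfg.allowedEmails || cfg.allowedGroups) && !req.email) return "login_required";
  const email = (req.email ?? "").toLowerCase();
  if (cfg.allowedEmails && !cfg.allowedEmails.some((e) => e.toLowerCase() === email)) return "denied";
  if (cfg.allowedGroups && !cfg.allowedGroups.some((g) => (req.groups ?? []).includes(g))) return "denied";
  return "allow";
}
```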

This principle is essential for enterprise deployments where AI applications may contain sensitive capabilities or proprietary logic. Without fine-grained access control, organizations cannot safely deploy internal AI tools through the sharing mechanism. The access control layer bridges the gap between the convenience of web-based sharing and the security requirements of enterprise environments.

Usage

Use this principle when:

  • Implementing authentication gates for shared web applications
  • Adding new access control mechanisms such as SAML groups or API key validation
  • Building admin interfaces for managing web app access permissions

Theoretical Basis

This principle is grounded in Role-Based Access Control (RBAC) and Attribute-Based Access Control (ABAC) from information security. It applies the Defense in Depth strategy by layering access control at the application sharing boundary, complementing backend authorization checks. The principle also follows the Principle of Least Privilege, ensuring that shared applications are only accessible to explicitly authorized users.
