The Application access section of Control Panel allows appropriate administrators to control the scope of access for users and groups to specific tools within Foundry.
A common usage pattern for limiting application access is to prevent distraction or confusion for users within Foundry that operate within either custom applications or with a narrow set of curated analyses and other resources. Limiting the scope of applications available to this group of users can streamline their Foundry experience.
Another common pattern is to use application access to give a platform administration team or a group of advanced users early access to Beta applications while restricting their availability to the broader user base.
This can even go as far as removing access to almost all Foundry applications. In this case a user will only have access to consumer-facing applications, such as Slate and Workshop.
Application access is not a security feature; it only simplifies the frontend user experience for users that do not need to view certain applications. Refer to the Security documentation for guidance on how to properly permission off functionality.
To view and configure the Application access section in Control Panel, a user needs the Manage application access workflow, which is granted by the User experience administrator role. Roles are administered in the Organization permissions tab in Control Panel.
Changing an application access configuration will generate a change request in Approvals. These can be viewed in the Approvals inbox in Control Panel with the request type Application access change requests. A historical record of all changes made will be kept. Requested changes will be self-approved and applied automatically.
By default, Foundry users have access to most parts of the Foundry platform. With Application access it's possible to flexibly tailor the Foundry experience for different groups.
The most restrictive configuration is to remove Foundry platform access entirely. There are two options for restricting access to the Foundry Platform: an allowlist or a blocklist. Everyone except members of groups restricts access for users who are in at least one of the groups specified. Only members of groups restricts access for users who are not in any of the groups specified. Users with restricted access to the Foundry platform will only have access to consumer-facing applications built in Slate or Workshop to which they have explicitly been granted resource-level access. For these users the Foundry sidebar will be hidden and they will be prevented from navigating to any other parts of Foundry. Note that application access operates at the application level; these controls do not differentiate between read and write access.
To limit which users are able to access the Foundry platform as a whole:
Note that a user account with the User experience administrator role must remain in at least one group that retains Foundry platform access because otherwise it will lose access to Control Panel and no longer be able to administer these settings.
The scope of the Foundry platform can be restricted on a per-application basis. Users without access to an application will not be able to discover it from the sidebar or Application Portal. Additionally, they will see a 403 "Permission denied" error message when attempting to access an application through a URL to which they do not have access.
All applications are grouped by category and lifecycle stage, and sorted alphabetically.
Select Manage to bring up a dialog for configuring access to one single application. To configure the same access setting for multiple applications, toggle Manage multiple applications at the top of the page and make a selection of applications to update.
In this case, the manage dialog shows all selected applications with their current lifecycle stage and access setting.
Note that Control Panel cannot be disabled completely. At least one group that you are a member of needs to have access because otherwise you would no longer be able to administer these settings.
Applications follow the development lifecycle. When an application transitions from one lifecycle stage to the next, the same set of users maintain access, with the following exceptions:
To highlight significant lifecycle stage updates, some applications are displayed at the top of the page until their settings are confirmed or updated:
Note that all application lifecycle stages will be announced two weeks in advance in the Announcements section of the documentation. Addresses configured in the Platform administration and User support contact information will also be emailed about these changes.