This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(73.60000000000001, 48%, 17%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ECM%3C/text%3E%3C/svg%3E)
How do I design a few applications access based on the following fields?
Can i create Custom security Attributes or Group base permission?
Application ------> App1, App2
Role ------> Contractor , engineer, PM, SalesRep
RoleID --->Con , ENG, SRP
Group --> Contractor, Engineer, Manager
Type ---> External User /Internal User
will this help to give access to App1
Only users in the engineer group only do Task2
Only users in the contractor group only do Task
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(166.4, 27%, 26%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ERP%3C/text%3E%3C/svg%3E)
Hello @cosy M,
Thank you for posting your query on Microsoft Q&A.
Based on your description, I understand that you have two applications, App1 and App2, and you want to design access control for these applications based on specified fields, such as groups to which users belong.
Please correct me if I am wrong, you want UserA in the "Engineer" group to have access to perform Task2 inside the application, and UserB in the "Contractor" group to have access to perform Task1.
You can achieve this by passing the group claims in the token. You can follow the document below to add group claims to tokens for SAML applications using SSO configuration:
Once the group claim is passed in the token, you can provide access to the user based on the group to which the user belongs.
If your application is integrated in app registration, you can refer to the document below to add groups as optional claims:
https://learn.microsoft.com/en-us/entra/identity-platform/optional-claims?tabs=appui
I hope this information is helpful. Please feel free to reach out if you have any further questions.
Please "Accept the answer" if the information helped you. This will help us and others in the community as well.
Thanks,
Raja Pothuraju.
Hello @cosy M,
I just wanted to check in and see if you had any other questions or if you were able to resolve this issue?
If you have any other questions, please let me know. Thank you for your time and patience throughout this issue.
Please remember to "Accept Answer" if any answer/reply helped, so that others in the community facing similar issues can easily find the solution.
Hello @cosy M,
Following up to see if the above suggestion was helpful. And, if you have any further query do let us know.