Hi @chen liao ,
Thanks for your question! You can create custom roles for accessing applications, or use built in roles depending on the sort of access that you want to assign. You can follow this guide for assigning users and roles directly to an app. If you have more general criteria that can apply broadly to users, you can also apply conditional access policies to grant or deny access to particular apps and resources. (Note that the use of custom roles and Conditional Access require at least a Premium P1 license.)
Let me know if this helps!