Only Workspace Owner, Admin, and Editor have the permissions to create and publish applications. For details on each member’s permissions, please refer to Member Permission Management.

After creating an application, by default, the application is not open to any members. The permission option is initially set to Specific groups or members with an empty scope.

This article will introduce how to configure and manage application access permissions.

Add Access Permissions to an Application

  1. In the application editing page, click the Publish in the upper right corner.
  2. On the publishing page, under Who can access web app, select an option to assign access permissions to the application.

Set Application Access Permissions

Dify provides three access permission options. You can choose the appropriate permission according to your application scenario:

Only Members Within the Enterprise

Before selecting this permission option, please ensure that WebApp SSO settings have been enabled. For detailed configuration, please refer to Authentication Method - WebApp Configuration.

This permission allows only team members to access the application, which is usually suitable for applications intended for all internal employees. After selecting this permission, other members will be required to log in to the enterprise’s preset SSO service when accessing the online application link. They can access the application after passing authentication.

If WebApp SSO settings have already been enabled in an older version of Dify EE, after upgrading to the new version, the current web app’s access permission scope will be set to “Only members within the enterprise”.

Specific Groups or Members

Before selecting this permission option, ensure that WebApp SSO settings are enabled. For detailed configuration methods, please refer to Authentication Methods - WebApp Configuration.

This permission restricts application access to members within the team, typically suitable for applications intended for all employees within an enterprise. After selecting this permission, when other members access the online application link, they will be required to log in through the enterprise’s preset SSO service. Upon successful authentication, they can access the application.

Configuration method:

  • Allow specific groups to access

Click Add to add specific groups. All members within the group will automatically obtain access to the application. When new members are added to the group, the system will automatically grant them access; when members are removed from the group, their access will be automatically revoked.

  • Allow specific members to access

Selected members will retain access to the application even if they are later removed from the group. Unselected members in the same group will not have access.

If you select specific groups or members but have not added any groups or members, the application will be inaccessible to anyone, and you will not be able to generate an access link or obtain the embed code for the application.

Workspace Owner, Admin, and Editor have access and editing permissions for all applications within the Workspace. However, please note that if the Owner or Admin is not added to the application’s access list, they still cannot access the application via the online link.

This option allows anyone with the internet link to access the application, which is usually suitable for public demo applications, customer-facing services, or public resources.

Accessing Applications

Team members can view and browse all available applications within the enterprise on the Explorer. Depending on the application’s permission configuration, members may be required to log in via SSO authentication before they can access certain applications.

Other Application Publishing Options

After configuring application permissions, you can also use the following features in the application publishing panel:

Embed in Website

Obtain the embed code to embed the application into other websites.

FAQ

Do I need to republish the application for permission changes to take effect?

No. Permission changes take effect immediately and do not require republishing the application. However, please note that members who have already obtained access may not be immediately affected in their current session; the new permission settings may take effect after the session expires.

How to ensure that only specific members can access my application?

You can select the Specific groups or members and then add the members you want to grant access to.

How to check who has access to my application?

You can view the list of groups and members who currently have access to the application under the Who can access web app on the application’s publishing page.

Will adjusting application access permissions affect API invocation?

No. The application’s API access permissions are independently controlled by the API Key and are unrelated to the web application’s access permissions.

As long as the API Key remains valid and is not leaked, you can continue to invoke the application via API. Changing the web application’s access permission settings will not affect the permissions of existing API Keys.