# Authorization

These sections show you how to configure the authorization of AxoConsole with different authentication backends.

You can configure authorization in the `spec.pomerium.policy` section of the AxoConsole manifest. In on-premise deployments, the manifest is in the `/var/lib/rancher/k3s/server/manifests/axoflow.yaml` file.

You can grant individual email addresses and user groups read and write access (using the keys under `spec.pomerium.policy`) or read-only access (using the keys under `spec.pomerium.policy.readOnly`) to AxoConsole. Which key to use depends on the authentication backend configured for AxoConsole:

  * `emails`: Email addresses used with static passwords and [GitHub](../../../docs/axoflow/deploy/onprem/authentication/github/index.md) authentication.

    With GitHub authentication, use the primary GitHub email addresses of your users; otherwise, authorization fails.

  * `claim/groups`: LDAP groups used with [LDAP](../../../docs/axoflow/deploy/onprem/authentication/ldap/index.md) authentication. For example:
```yaml
# Under spec.pomerium in the AxoConsole manifest
policy:
  # Read and write access
  emails: []
  domains: []
  groups: []
  claim/groups:
    - managers
  # Read-only access
  readOnly:
    emails: []
    domains: []
    groups: []
    claim/groups:
      - employee
```