Limiting access to specific urls

I’m using pomerium with keycloak to restrict access to some apps, as of today every account in keycloack had the right to access any app behind pomerium so I use the routes like this :

But now I need to filter the access to a list of apps for a restricted list of users, and I’m not able to use the domain part because every account use it’s own mail domain.
Any idea how I can archive this ? can somebody provide me a full example ? I’m new to pomerium and keycloack …


You may use PPL to just enumerate the email addresses of persons who should have access to each individual route.

from: https://drawio.xx
to: http://docker:3402
      - user: 
      - user:

that seem’s to be a nice solution, but I need it in the other way:
by default every authenticated user and for email1, email2 restrict the access.

If I can do that via keycloak group or roles it will be even better.

You probably may achieve that by combination of allow and deny PPL rules.

a user will have access to a route if at least one allow rule matches and no deny rules match.

if Keycloack propagates groups to the identity token, then you should be able to build rules using claim/ criteria in PPL.