This article covers the permission that controls which apps and integrations a user may access — that is, which registered clients (e.g. linked apps or integrations) the user can log in to and use.
You assign these permissions in Financial under Security → Groups → select a group → Permissions (set Allow/Deny per permission).
Determines whether the user may access a given app or integration. The permission is set per registered client — that is, per app/integration linked to the installation.
If the permission is denied, that app/integration is omitted from the user's list of available clients, and the user is not issued an access token for it. In practice the user therefore cannot log in to or use that app.
If it is allowed, the app appears among the user's available apps.
Use the permission to control which employees may use which apps and integrations — for example so that only selected roles get access to a particular integration.
Per app/integration. You allow or deny access for each registered client individually.
Blocking happens when access is issued (token), so a denied user is effectively kept out of the app.
Allow vs. Deny: An explicit Deny wins over an inherited Allow.