# Access control

> Configure visibility and access permissions to control who can discover and join your sessions.

By default, the MPS SDK accepts API calls from either an Authenticated Player or a Service Account.
In some cases, you might want more control over how sessions are created or joined.
In those cases you can use [Access Control](/services/access-control.md).

## Service Account controlled sessions

In the following example, sessions can only be created and players can only join via a [Service Account](/multiplay-hosting/concepts/authentication-service-accounts.md).
Service accounts allow you to control the session by restricting write access for Players.

Creating [project policies via CLI](/services/ugs-cli-introduction.md)
with the following JSON definition will `Deny` all write access to session service APIs, except the
[Reconnect](./join-session.md#reconnect-to-a-session) and
[Tokens](./lobby-events.md) endpoints.
Note that any API that requires read access (HTTP GETs) is still accessible.

```json
{
  "statements": [
    {
      "Sid": "DenyPlayerSessionWrites",
      "Resource": "urn:ugs:lobby:/v1/*",
      "Principal": "Player",
      "Action": ["Write"],
      "Effect": "Deny"
    },
    {
      "Sid": "AllowPlayerSessionReconnect",
      "Resource": "urn:ugs:lobby:/v1/*/reconnect",
      "Principal": "Player",
      "Action": ["*"],
      "Effect": "Allow"
    },
    {
      "Sid": "AllowPlayerSessionTokens",
      "Resource": "urn:ugs:lobby:/v1/*/tokens",
      "Principal": "Player",
      "Action": ["*"],
      "Effect": "Allow"
    }
  ]
}
```

Upsert the policies with `ugs access upsert-project-policy -p <project-id> -e <env-name> <file-path>`.
Any API call that violates the policy will be rejected with a `403 - Forbidden` error.
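As an added illustration (not part of the Unity documentation or SDK), the following Python check evaluates constructed requests against the policy above before it is upserted; it assumes that when several statements match, the one with the most specific `Resource` pattern wins (which is the rule the "deny all writes except reconnect and tokens" layout relies on), and that requests no statement covers fall through to the default allow described at the top of the page.

```python
import fnmatch
import json

# Constructed copy of the three-statement policy shown on this page.
POLICY = json.loads("""{
  "statements": [
    {"Sid": "DenyPlayerSessionWrites", "Resource": "urn:ugs:lobby:/v1/*",
     "Principal": "Player", "Action": ["Write"], "Effect": "Deny"},
    {"Sid": "AllowPlayerSessionReconnect", "Resource": "urn:ugs:lobby:/v1/*/reconnect",
     "Principal": "Player", "Action": ["*"], "Effect": "Allow"},
    {"Sid": "AllowPlayerSessionTokens", "Resource": "urn:ugs:lobby:/v1/*/tokens",
     "Principal": "Player", "Action": ["*"], "Effect": "Allow"}
  ]
}""")


def action_for_method(method):
    # The page states that HTTP GETs are read access; anything else is a write.
    return "Read" if method.upper() in ("GET", "HEAD") else "Write"


def specificity(pattern):
    # More literal (non-wildcard) characters means a more specific pattern.
    return sum(1 for ch in pattern if ch not in "*?")


def evaluate(policy, principal, method, resource):
    """Return (effect, sid) for one request.

    ASSUMPTION (local approximation, not the service's engine): the matching
    statement with the most specific Resource pattern wins; on a tie, Deny wins.
    With no matching statement the request falls through to the default Allow.
    """
    action = action_for_method(method)
    matches = [s for s in policy["statements"]
               if s["Principal"] == principal
               and fnmatch.fnmatchcase(resource, s["Resource"])
               and ("*" in s["Action"] or action in s["Action"])]
    if not matches:
        return ("Allow", None)
    best = max(matches, key=lambda s: (specificity(s["Resource"]), s["Effect"] == "Deny"))
    return (best["Effect"], best["Sid"])


if __name__ == "__main__":
    # Constructed sample requests; the lobby id and path shapes are illustrative only.
    for principal, method, resource in [
        ("Player", "POST", "urn:ugs:lobby:/v1/lobby-abc/join"),
        ("Player", "POST", "urn:ugs:lobby:/v1/lobby-abc/reconnect"),
        ("Player", "POST", "urn:ugs:lobby:/v1/lobby-abc/tokens"),
        ("Player", "GET", "urn:ugs:lobby:/v1/lobby-abc"),
    ]:
        print(method, resource, "->", evaluate(POLICY, principal, method, resource))
```

Running it shows the player write to `join` denied by `DenyPlayerSessionWrites`, the `reconnect` and `tokens` writes allowed by their specific statements, and the GET passing through with no statement involved.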
