Hi everyone!
We are trying to create a role that should only be allowed to authenticate via the API, not via the Directus App (Studio). We configured the following:
Only the Administrator role has a policy where app_access = true
All other roles (including the “FO” role) have policies with app_access = false
No individual user policies override this
Verified directly in the database (directus_policies table and role-policy relations)
Tested with new users who only belong to the “FO” role
However, despite all policies having app_access = false for that role, users assigned to that role can still successfully log into the Directus App interface.
We also cleared active sessions (directus_sessions) and tested in private/incognito browser windows. Still the same behavior.
Expected Behavior
Users in roles where app_access = false should be restricted to API access only, and should not be able to log into the Studio UI.
Actual Behavior
Users with app_access = false can still access the Studio UI.
Environment Details
- Directus version: (latest)
- Database: PostgreSQL
- Setup: On-prem deployment
- We confirmed via pgAdmin that access control configuration is correct on DB level
Question(s)
- Is there any other configuration besides app_access (in policies) that can still allow login to the App UI?
- Is there a known bug where app_access: false does not block Studio access?
- Is there something additional required in the role configuration or server restart/cache clearing?
Any help or clarification would be greatly appreciated!
Thanks in advance!
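As an added example (not part of the original post, and not Directus project code): a query you can run in pgAdmin that lists, for one user, every policy that reaches that user and the path it arrives by. Directus merges policies additively, so the user's effective Studio access is the OR of app_access across every policy attached to the user directly, to the user's role, and to any parent of that role. The query assumes the Directus 11 table and column names directus_users(id, email, role), directus_roles(id, name, parent), directus_access("user", role, policy) and directus_policies(id, name, app_access); the e-mail address is a constructed placeholder.

```sql
-- Added example, not from the original post. Assumes the Directus 11 schema:
--   directus_users(id, email, role)      directus_roles(id, name, parent)
--   directus_access("user", role, policy) directus_policies(id, name, app_access)
-- Verify the names against your database before running.
WITH RECURSIVE role_chain AS (
    -- start from each user's directly assigned role ...
    SELECT u.id AS user_id, u.role AS role_id, 0 AS depth
    FROM directus_users u
    WHERE u.role IS NOT NULL
    UNION ALL
    -- ... and walk up through parent roles, which pass their policies down
    SELECT rc.user_id, r.parent, rc.depth + 1
    FROM role_chain rc
    JOIN directus_roles r ON r.id = rc.role_id
    WHERE r.parent IS NOT NULL
      AND rc.depth < 32            -- guard against an accidental parent cycle
),
reachable AS (
    -- policies attached to any role in the chain
    SELECT rc.user_id, a.policy, 'role:' || r.name AS via
    FROM role_chain rc
    JOIN directus_access a ON a.role = rc.role_id
    JOIN directus_roles r ON r.id = rc.role_id
    UNION ALL
    -- policies attached directly to the user ("user" is reserved in PostgreSQL)
    SELECT a."user", a.policy, 'user' AS via
    FROM directus_access a
    WHERE a."user" IS NOT NULL
)
SELECT u.email,
       p.name       AS policy,
       rp.via,
       p.app_access
FROM reachable rp
JOIN directus_users    u ON u.id = rp.user_id
JOIN directus_policies p ON p.id = rp.policy
WHERE u.email = 'fo-user@example.com'   -- constructed placeholder; use a real FO user
ORDER BY p.app_access DESC, rp.via, p.name;
```

If any returned row has app_access = true, that row's policy (and the via column, whether it came through the role, a parent role, or a direct user assignment) is what is admitting the account to the Studio; if every row is false and the login still succeeds, the grant is coming from somewhere outside the role/policy tables captured here.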