Extend Access Control with claims (attributes of accounts) #232

@nichtich

Description

Access Control can be configured for individual accounts listed in identities, but there is no concept of "user groups", "user levels" or similar.

Add an optional configuration field claims holding an array of claims. Authorization is granted if any of the claims is met (additional restrictions with ips and identities may apply on top). A claim is an object of key-value pairs that must be equal to the corresponding account claims. Keys are called claim names or attributes and values are called claim values. Examples:

Every user whose claim "group" is either "group1" or "group2":

{
    "auth": true,
    "claims": [ { "group": "group1" }, { "group": "group2" } ]
}

Only the user with URI https://coli-conc.gbv.de/login/users/c0c1914a-f9d6-4b92-a624-bf44118b6619, and only if their name is "Bob":

{
    "auth": true,
    "identities": ["https://coli-conc.gbv.de/login/users/c0c1914a-f9d6-4b92-a624-bf44118b6619"],
    "claims": [ { "name": "Bob" } ]
}

The existing field identities is equivalent to the special claim name uri, so the field identities may internally be dropped in favour of claims. The last example would then be transformed to

{
    "auth": true,
    "claims": [ {
        "uri": "https://coli-conc.gbv.de/login/users/c0c1914a-f9d6-4b92-a624-bf44118b6619",
        "name": "Bob"
    } ]
}
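The following is an added example, not code from the project or from the issue author: an evaluator in JavaScript (assumed to be the project's language) for the claims rule as proposed above, together with the identities-to-uri transformation. It generalises the transformation to any number of identities and claims by combining every identity with every claim object, which preserves the meaning "any listed identity AND any listed claim". Assumptions not in the issue: a logged-in account is an object whose claims property holds its attributes with uri as the account URI, claim values are primitives, and ips is an exact-match allow list; the sample accounts are constructed, and the account URI is the one quoted in the issue.

```javascript
// Added example, not project code. Assumptions (not from the issue): the logged-in account
// is `{ claims: { uri, ... } }`, claim values are primitives, `ips` is an exact-match list.

const ACCOUNT_URI = "https://coli-conc.gbv.de/login/users/c0c1914a-f9d6-4b92-a624-bf44118b6619";

// Reject configurations that would silently grant access to everyone or never match:
// an empty claim object matches any account, because "all pairs are equal" is vacuously
// true, and object-valued claims can never be equal under strict comparison.
function validateAccess(access) {
  for (const claim of access.claims || []) {
    if (claim === null || typeof claim !== "object" || Array.isArray(claim)) {
      throw new Error("each claim must be an object of name/value pairs");
    }
    const entries = Object.entries(claim);
    if (entries.length === 0) throw new Error("empty claim object would match every account");
    for (const [name, value] of entries) {
      if (value === null || typeof value === "object") {
        throw new Error(`claim "${name}" must have a primitive value`);
      }
    }
  }
  return access;
}

// Fold `identities` into the special `uri` claim: each listed identity is combined with
// each existing claim object, so the result still means "any identity AND any claim".
// A claim that already names a different `uri` can never be satisfied and is dropped.
function normalizeAccess(access) {
  const { identities, claims, ...rest } = access;
  if (!identities) return claims ? { ...rest, claims } : rest;
  if (!claims) return { ...rest, claims: identities.map((uri) => ({ uri })) };
  const merged = [];
  for (const uri of identities) {
    for (const claim of claims) {
      if (Object.prototype.hasOwnProperty.call(claim, "uri") && claim.uri !== uri) continue;
      merged.push({ ...claim, uri });
    }
  }
  return { ...rest, claims: merged };
}

// One claim object matches when every name/value pair equals the account's own claim.
// The own-property check matters: a claim name such as "hasOwnProperty" or "__proto__"
// must not be satisfied by something inherited from Object.prototype.
function claimMatches(claim, accountClaims) {
  return Object.entries(claim).every(
    ([name, value]) =>
      Object.prototype.hasOwnProperty.call(accountClaims, name) && accountClaims[name] === value,
  );
}

// ips and auth apply first; claims (with identities folded in) decide the rest.
function isAuthorized(access, account, ip) {
  if (access.ips && !access.ips.includes(ip)) return false;
  if (!access.auth) return true; // no login required
  if (!account || !account.claims) return false; // login required, none present
  const { claims } = normalizeAccess(validateAccess(access));
  if (!claims) return true; // any logged-in account
  return claims.some((claim) => claimMatches(claim, account.claims));
}

// Constructed sample data: the two configurations from the issue and two fictitious accounts.
const groupAccess = { auth: true, claims: [{ group: "group1" }, { group: "group2" }] };
const bobAccess = { auth: true, identities: [ACCOUNT_URI], claims: [{ name: "Bob" }] };
const bob = { claims: { uri: ACCOUNT_URI, name: "Bob", group: "group2" } };
const alice = { claims: { uri: "urn:example:alice", name: "Alice", group: "group3" } };

console.log("bob   / groupAccess:", isAuthorized(groupAccess, bob));   // true
console.log("alice / groupAccess:", isAuthorized(groupAccess, alice)); // false
console.log("bob   / bobAccess:  ", isAuthorized(bobAccess, bob));     // true
console.log("normalized bobAccess:", JSON.stringify(normalizeAccess(bobAccess)));
```

Two details worth keeping when this lands in a real implementation: validate claim objects at configuration load time rather than per request, so a misconfiguration such as claims: [ {} ] fails loudly instead of opening the endpoint to every account, and compare against the account's own properties only, since claim names come from configuration but account attributes come from the identity provider.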

Labels: NFDI (Required or requested for NFDI)