Documented in App descriptor.

We allow controlling access to apps by configuring the roles that are permitted to use it.

You can configure multiple roles, the user needs to have at least one of them. If no roles are configured the user has access.