SuiteCRM-Core/config/packages/security.yaml

security:
  enable_authenticator_manager: true

  encoders:
    app_encoder:
      id: App\Security\LegacyPasswordEncoder
    App\Module\Users\Entity\User:
      id: App\Security\LegacyPasswordEncoder

  providers:
    app_user_provider:
      entity:
        class: App\Module\Users\Entity\User

  firewalls:
    dev:
      pattern: ^/(_(profiler|wdt)|css|images|js)/
      user_checker: App\Security\UserChecker
      security: false
    main:
      anonymous: true
      lazy: true
      user_checker: App\Security\UserChecker
      guard:
        authenticators:
          - App\Security\LoginFormAuthenticator
      json_login:
        check_path: app_login
      logout:
        path: app_logout

  # Note: Only the *first* access control that matches will be used
  access_control:
    - { path: ^/login$, roles: IS_AUTHENTICATED_ANONYMOUSLY }
    - { path: ^/session-status$, roles: IS_AUTHENTICATED_ANONYMOUSLY }
    - { path: ^/logout$, roles: IS_AUTHENTICATED_ANONYMOUSLY }
    - { path: ^/$, roles: IS_AUTHENTICATED_ANONYMOUSLY }
    - { path: ^/api, roles: IS_AUTHENTICATED_ANONYMOUSLY }
    - { path: ^/api/graphql, roles: IS_AUTHENTICATED_ANONYMOUSLY }
    - { path: ^/api/graphql/graphiql*, roles: IS_AUTHENTICATED_ANONYMOUSLY }
    - { path: ^/, roles: IS_AUTHENTICATED_FULLY }