diff --git a/internal/authorization/const.go b/internal/authorization/const.go
index 91947253434b4..56f1272bbba5b 100644
--- a/internal/authorization/const.go
+++ b/internal/authorization/const.go
@@ -19,6 +19,9 @@ const (
 
 	// Denied denied level.
 	Denied
+
+	// System follow system's level
+	System
 )
 
 const (
@@ -32,6 +35,7 @@ const (
 	twoFactor = "two_factor"
 	deny      = "deny"
 	public    = "public"
+	system    = "system"
 )
 
 const (
diff --git a/internal/authorization/ts_app_authorizer.go b/internal/authorization/ts_app_authorizer.go
index 2fc8b15c86028..3cd468f958e42 100644
--- a/internal/authorization/ts_app_authorizer.go
+++ b/internal/authorization/ts_app_authorizer.go
@@ -346,6 +346,9 @@ func (t *TsAuthorizer) addDesktopRules(ctx context.Context, username, domain str
 		userAuth.desktopPolicy = NewLevel(policy)
 	}
 
+	// apps follow system level
+	userAuth.appDefaultPolicy = userAuth.defaultPolicy
+
 	position := len(rules)
 
 	// if !userAuth.userIsIniting {
@@ -513,6 +516,15 @@ func (t *TsAuthorizer) getAppRules(position int, app *application.Application,
 			continue
 		}
 
+		getLevel := func(policy string) Level {
+			switch policy {
+			case system:
+				return userAuth.appDefaultPolicy
+			default:
+				return NewLevel(policy)
+			}
+		}
+
 		if policy.SubPolicies != nil {
 			for _, sp := range policy.SubPolicies {
 				// t.log.Debugf("add app %s rules %s on resource %s", app.Spec.Name, sp.Policy, sp.URI)
@@ -527,7 +539,7 @@ func (t *TsAuthorizer) getAppRules(position int, app *application.Application,
 
 				rule := &AccessControlRule{
 					Position:      position,
-					Policy:        NewLevel(sp.Policy),
+					Policy:        getLevel(sp.Policy),
 					OneTimeValid:  sp.OneTime,
 					ValidDuration: time.Duration(sp.Duration) * time.Second,
 				}
@@ -545,7 +557,7 @@ func (t *TsAuthorizer) getAppRules(position int, app *application.Application,
 				othersResources := []regexp.Regexp{*othersExp}
 
 				if entrance.AuthLevel != "public" {
-					defaulPolicy = NewLevel(policy.DefaultPolicy)
+					defaulPolicy = getLevel(policy.DefaultPolicy)
 				}
 
 				ruleOthers := &AccessControlRule{
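Review bot: The doc comment on the new `System` constant, `// System follow system's level`, does not say that this value is a placeholder rather than an enforceable level like the `Denied` above it, so a reader of any switch or comparison over `Level` has no hint that `System` must be mapped to a concrete level before a rule is evaluated. Suggest `// System is a placeholder meaning "use the configured default level"; it must be resolved to a concrete level before a rule is evaluated.` The second hunk in this file, which adds the `system = "system"` policy name, needs no change.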
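Review bot: `userAuth.appDefaultPolicy = userAuth.defaultPolicy` copies whatever `defaultPolicy` holds, and nothing in this hunk prevents that from being `System` itself now that `NewLevel` accepts the `"system"` string (util.go hunk); in that case the `getLevel` closure in getAppRules would hand `System` back for app policies and the placeholder would never become a concrete level. If `defaultPolicy` is derived from an operator-supplied policy string, guard the copy in the spirit of NewLevel's deny-by-default, e.g. `if userAuth.appDefaultPolicy == System { userAuth.appDefaultPolicy = Denied }`. addDesktopRules begins and ends outside the hunk, so where `defaultPolicy` is assigned is not visible here and this may already be ruled out there.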
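Review bot: The `getLevel` closure is declared inside a loop body (the `continue` two lines above it shows the enclosing scope is a loop), so it is rebuilt on every iteration, and its parameter `policy` shadows the outer `policy` whose `SubPolicies` and `DefaultPolicy` fields are read in the same scope. If `userAuth` is in scope before the loop, hoist the closure above it and rename the parameter, e.g. `getLevel := func(name string) Level {` / `switch name {` / `return NewLevel(name)`. The 527 and 545 hunks only call this closure and need no separate change. getAppRules starts and ends outside the hunk.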
diff --git a/internal/authorization/util.go b/internal/authorization/util.go
index e953887fbffb4..05cec571e9dad 100644
--- a/internal/authorization/util.go
+++ b/internal/authorization/util.go
@@ -24,6 +24,8 @@ func NewLevel(policy string) Level {
 		return TwoFactor
 	case deny:
 		return Denied
+	case system:
+		return System
 	}
 	// By default the deny policy applies.
 	return Denied
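Review bot: With `case system: return System`, `NewLevel` can now return a value that is not an enforceable level, and only the two call sites switched to `getLevel` in ts_app_authorizer.go resolve it; other callers, such as `userAuth.desktopPolicy = NewLevel(policy)` visible as context in the addDesktopRules hunk, will store `System` directly, and how the rule evaluator treats that value is not visible in this diff. Either resolve the placeholder in one place so callers never see it, or document the new contract on NewLevel and audit the remaining callers: `// NewLevel parses a policy name. It may return System, a placeholder that the caller must map to the effective default level before the value is used in a rule.` NewLevel begins outside the hunk.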