Tenant Access Control List (ACL) Use Case Examples
This article provides examples demonstrating how Tenant Access Control List (ACL) rules can provide granular control over network-level access to an Auth0 tenant.
A Tenant ACL rule evaluates incoming requests based on a conditional property and can be applied to requests targeting different scopes. The decision logic for these rules relies on a range of signals provided by Auth0, which allows for precise and flexible access control based on the origin and characteristics of incoming requests:
- Conditional Property: the rule is evaluated based on a `match` or `not_match` condition.
  - The `match` property applies the rule when the specified condition is true for the request.
  - The `not_match` property applies the rule only when the condition does not match.
- Scope: rules can be applied to requests targeting different scopes, including:
  - `management`
  - `authentication`
  - `tenant`
- Action: when a condition is met, the rule triggers an action, such as:
  - `block`
  - `allow`
  - `redirect`
  - `redirect_uri`
  - `log`
For more comprehensive examples, please refer to the Use Cases.
Block Management API Access from Known Malicious IPs
- Block IP addresses (up to 10) with one rule:

```json
{
  "description": "Block Management API Access from Known Malicious IPs",
  "active": true,
  "priority": 1,
  "rule": {
    "match": {
      "ipv4_cidrs": ["111.111.111.111/32", "222.222.222.222/32"]
    },
    "scope": "management",
    "action": { "block": true }
  }
}
```

- Allow multiple IP addresses and block any others with multiple rules:

```json
[
  {
    "description": "Allow known IP addresses",
    "active": true,
    "priority": 1,
    "rule": {
      "match": {
        "ipv4_cidrs": ["111.111.111.111/32", "111.111.111.222/32"]
      },
      "scope": "management",
      "action": { "allow": true }
    }
  },
  {
    "description": "Allow known IP addresses",
    "active": true,
    "priority": 2,
    "rule": {
      "match": {
        "ipv4_cidrs": ["111.111.222.111/32", "111.111.222.222/32"]
      },
      "scope": "management",
      "action": { "allow": true }
    }
  },
  ...,
  {
    "description": "Allow known IP addresses and block any others",
    "active": true,
    "priority": 10,
    "rule": {
      "not_match": {
        "ipv4_cidrs": ["111.111.000.111/32", "111.111.000.222/32"]
      },
      "scope": "management",
      "action": { "block": true }
    }
  }
]
```

  Note that the last rule has `block` and `not_match`.
Redirect Traffic Based on Country Location
- Redirect users from Germany to a policy page:

```json
{
  "description": "Redirect German users to policy page",
  "active": true,
  "priority": 20,
  "rule": {
    "action": {
      "redirect": true,
      "redirect_uri": "https://example.com/restrictions"
    },
    "match": { "geo_country_codes": ["DE"] },
    "scope": "tenant"
  }
}
```
Rules Based on Scope
- Allow Canadian VPN access to the Management API:

```json
{
  "description": "Allow Canadian VPN access to management API",
  "active": true,
  "priority": 10,
  "rule": {
    "action": { "allow": true },
    "match": { "ipv6_cidrs": ["2002:7bcd::/32"] },
    "scope": "management"
  }
}
```

- Allow traffic from a country (e.g., France) to access the Authentication API:

```json
{
  "description": "Allow access to authentication API from France",
  "active": true,
  "priority": 10,
  "rule": {
    "action": { "allow": true },
    "match": { "geo_country_codes": ["FR"] },
    "scope": "authentication"
  }
}
```

- Redirect US traffic to a US-based Auth0 tenant:

```json
{
  "description": "Redirect US users to US tenant",
  "active": true,
  "priority": 5,
  "rule": {
    "action": {
      "redirect": true,
      "redirect_uri": "https://us.example-tenant.com/login"
    },
    "match": { "geo_country_codes": ["US"] },
    "scope": "authentication"
  }
}
```
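To see how the `match` / `not_match`, scope, priority and action fields above combine into a decision, here is an added example (not Auth0's code or a description of its internal evaluator) that walks a constructed rule set, modelled on the allowlist-then-block and country-redirect examples on this page, over a few constructed requests. It assumes that active rules are tried in ascending priority order, that the first rule whose scope equals the request's scope and whose condition holds decides, and that a request no rule decides is allowed; the `evaluate` and `condition_matches` helpers are hypothetical names.

```python
import ipaddress

# Constructed rule set (not from a real tenant): allow two known /32s on the
# management scope, block every other management request via not_match, and
# redirect German traffic on the tenant scope.
RULES = [
    {"description": "Allow known IP addresses", "active": True, "priority": 1,
     "rule": {"match": {"ipv4_cidrs": ["111.111.111.111/32", "111.111.111.222/32"]},
              "scope": "management", "action": {"allow": True}}},
    {"description": "Block any other management access", "active": True, "priority": 10,
     "rule": {"not_match": {"ipv4_cidrs": ["111.111.111.111/32", "111.111.111.222/32"]},
              "scope": "management", "action": {"block": True}}},
    {"description": "Redirect German users to policy page", "active": True, "priority": 20,
     "rule": {"match": {"geo_country_codes": ["DE"]}, "scope": "tenant",
              "action": {"redirect": True, "redirect_uri": "https://example.com/restrictions"}}},
]


def condition_matches(cond, request):
    """True when every signal listed in the condition matches the request.
    ipaddress handles the v4/v6 mismatch: a v6 address is never inside a v4 CIDR."""
    ip = ipaddress.ip_address(request["ip"])
    checks = []
    for key in ("ipv4_cidrs", "ipv6_cidrs"):
        if key in cond:
            checks.append(any(ip in ipaddress.ip_network(c) for c in cond[key]))
    if "geo_country_codes" in cond:
        checks.append(request.get("country") in cond["geo_country_codes"])
    return bool(checks) and all(checks)


def evaluate(rules, request):
    """Assumed semantics: first matching active rule in priority order decides.
    Returns (decision, redirect_uri) where decision is allow, block or redirect."""
    for entry in sorted((r for r in rules if r["active"]), key=lambda r: r["priority"]):
        rule = entry["rule"]
        if rule["scope"] != request["scope"]:
            continue
        if "match" in rule:
            hit = condition_matches(rule["match"], request)
        else:  # not_match: the rule fires when the condition does NOT hold
            hit = not condition_matches(rule["not_match"], request)
        if not hit:
            continue
        action = rule["action"]
        if action.get("block"):
            return "block", None
        if action.get("redirect"):
            return "redirect", action.get("redirect_uri")
        if action.get("allow"):
            return "allow", None
    return "allow", None  # assumed default when no rule decides
```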