Tenant Access Control List

Tenant Access Control List (ACL) allows you to manage traffic to your Auth0 services with configurable rules. It helps you protect your tenant and conserve your rate limits against potential threats, such as denial-of-service (DoS) attacks, and ensures that only legitimate users access your applications. 

When your tenant or Management API receives a request, Tenant ACL processes that request and then determines how to respond based on the rules you have configured.

For example, you could create a Tenant ACL rule that blocks any traffic coming from a specific IP address from accessing your tenant.

Rules are the building blocks of the Tenant ACL feature. A rule is composed of the following elements:

• Signal: The signal is an identifying piece of information that is provided by the incoming request, such as IP address, geolocation, or user agent.

• Condition: The condition is the combination of an operator (such as match) and a set of values (such as a list of IP addresses).

• Action: The action is the directive that your rule executes if criteria are met, such as allow, block, or redirect.

• Scope: The scope indicates which sets of endpoints that the rule is enforced for, including the Authentication API, Management API, or your entire tenant.

• Priority: The priority defines the order in which the rule runs relative to other rules.

It’s important to determine the correct priority of your rules, because there is strict execution logic you must follow:

• Evaluation order: Tenant ACL evaluates rules in numerical order, with smaller numbers executing first. For example, a rule with priority 1 runs before priority 2, and priority 3 runs before priority 4.

• Match termination: If a rule’s conditions are met, Tenant ACL performs the rule’s action immediately and does not evaluate subsequent rules and lists.​

• Monitoring mode exception: If a rule's conditions are met but it’s in monitoring mode, Tenant ACL performs no action and skips to the next rule.

Careful assignment of priorities allows you to create granular access control policies tailored specific to your needs.

When a rule is in monitoring mode, Tenant ACL evaluates that rule as it normally would and emits a tenant log event, but does not execute the rule’s action and does not terminate evaluation of subsequent rules and lists.

Monitoring mode is the best way to test how your Tenant ACL rule would affect incoming traffic without interfering with your current Tenant ACL configuration.

You can toggle monitoring mode for a rule by updating the action object. To learn more, read Configure Rules.

A log event (acls_summary) is created every 10 minutes for each Tenant ACL rule with details of how that rule is affecting traffic.

The acls_summary log event type contains the following fields:

• Configure Rules
• Use Cases
• Reference