Configure Rules
Before you start
Tenant Access Control List (ACL) is an Early Access Service and currently available only to customers on an Enterprise plan with the Attack Protection add-on.
By using this feature, you agree to the applicable Free Trial Service terms described in Okta’s Master Subscription Agreement and to Okta’s Privacy Policy.
To learn more about Auth0 releases, review Product Release Stages.
Tenant ACL Early Access Restrictions and Limitations
Restrictions
Customers on an Enterprise plan with the Attack Protection add-on can create up to 10 Tenant ACLs.
Each Tenant ACL can include up to 10 entries per source identifier (such as IPv4, CIDR, and more).
Limitations
The User Agent identifier is not supported when using self-managed custom domains.
The
auth0-forwarded-forheader is not supported.
Coming soon
Customers on any Enterprise plan can create up to one (1) Tenant ACL.
You can configure Tenant Access Control List (ACL) rules with the Auth0 Management API.
Create a rule
You can create a Tenant ACL rule with the Management API Create access control list endpoint.
Parameters
| Parameter | Data type | Description |
|---|---|---|
description |
string | Describes the purpose or functionality of the rule. |
active |
boolean | Enables or disables the rule. |
priority |
number | Numerical vaalue that determines the order in which the rule is evaluated. Lower values indicate higher priority. |
rule |
object | Contains the conditions and actions of the rule. |
action |
object | Contains the action the rule performs. |
match |
object | Defines the conditions that the incoming reuqest must fulfill. |
not_match |
object | Defines the conditions that the incoming request must not fulfill. |
scope |
string | Service or context in which the rule is enforced. |
Example
Here’s an example of a Tenant ACL rule that blocks all incoming traffic from the United States.
{
"description": "Block all traffic from the United States",
"active": true,
"priority": 1,
"rule": {
"action": {
"block": true,
},
"match": {
"geo_country_codes": ["US"]
},
"scope": "authentication"
}
}Was this helpful?
/
Enable monitoring mode for a rule
You can enable monitoring mode for a Tenant ACL rule with the Management API Update access control list endpoint.
Add the log property to the rule.action object and set its value to true.
curl --request PUT \
--url 'https://{yourDomain}/api/v2/network-acls/ACL_ID' \
--header 'authorization: Bearer MANAGEMENT_API_TOKEN' \
--header 'content-type: application/json' \
--data '{
"description": "Logging mode enabled",
"active": true,
“priority”: 1,
"rule": {
"action": { "log": true },
"match": { "geo_country_codes": ["GEO_COUNTRY_CODE"] },
"scope": "tenant"
}
}'Was this helpful?
/
var client = new RestClient("https://{yourDomain}/api/v2/network-acls/ACL_ID");
var request = new RestRequest(Method.PUT);
request.AddHeader("content-type", "application/json");
request.AddHeader("authorization", "Bearer MANAGEMENT_API_TOKEN");
request.AddParameter("application/json", "{\n \"description\": \"Logging mode enabled\",\n \"active\": true,\n “priority”: 1,\n \"rule\": {\n \"action\": { \"log\": true },\n \"match\": { \"geo_country_codes\": [\"GEO_COUNTRY_CODE\"] },\n \"scope\": \"tenant\"\n }\n}", ParameterType.RequestBody);
IRestResponse response = client.Execute(request);Was this helpful?
/
package main
import (
"fmt"
"strings"
"net/http"
"io/ioutil"
)
func main() {
url := "https://{yourDomain}/api/v2/network-acls/ACL_ID"
payload := strings.NewReader("{\n \"description\": \"Logging mode enabled\",\n \"active\": true,\n “priority”: 1,\n \"rule\": {\n \"action\": { \"log\": true },\n \"match\": { \"geo_country_codes\": [\"GEO_COUNTRY_CODE\"] },\n \"scope\": \"tenant\"\n }\n}")
req, _ := http.NewRequest("PUT", url, payload)
req.Header.Add("content-type", "application/json")
req.Header.Add("authorization", "Bearer MANAGEMENT_API_TOKEN")
res, _ := http.DefaultClient.Do(req)
defer res.Body.Close()
body, _ := ioutil.ReadAll(res.Body)
fmt.Println(res)
fmt.Println(string(body))
}Was this helpful?
/
HttpResponse<String> response = Unirest.put("https://{yourDomain}/api/v2/network-acls/ACL_ID")
.header("content-type", "application/json")
.header("authorization", "Bearer MANAGEMENT_API_TOKEN")
.body("{\n \"description\": \"Logging mode enabled\",\n \"active\": true,\n “priority”: 1,\n \"rule\": {\n \"action\": { \"log\": true },\n \"match\": { \"geo_country_codes\": [\"GEO_COUNTRY_CODE\"] },\n \"scope\": \"tenant\"\n }\n}")
.asString();Was this helpful?
/
var axios = require("axios").default;
var options = {
method: 'PUT',
url: 'https://{yourDomain}/api/v2/network-acls/ACL_ID',
headers: {
'content-type': 'application/json',
authorization: 'Bearer MANAGEMENT_API_TOKEN'
},
data: '{\n "description": "Logging mode enabled",\n "active": true,\n “priority”: 1,\n "rule": {\n "action": { "log": true },\n "match": { "geo_country_codes": ["GEO_COUNTRY_CODE"] },\n "scope": "tenant"\n }\n}'
};
axios.request(options).then(function (response) {
console.log(response.data);
}).catch(function (error) {
console.error(error);
});Was this helpful?
/
#import <Foundation/Foundation.h>
NSDictionary *headers = @{ @"content-type": @"application/json",
@"authorization": @"Bearer MANAGEMENT_API_TOKEN" };
NSData *postData = [[NSData alloc] initWithData:[@"{
"description": "Logging mode enabled",
"active": true,
“priority”: 1,
"rule": {
"action": { "log": true },
"match": { "geo_country_codes": ["GEO_COUNTRY_CODE"] },
"scope": "tenant"
}
}" dataUsingEncoding:NSUTF8StringEncoding]];
NSMutableURLRequest *request = [NSMutableURLRequest requestWithURL:[NSURL URLWithString:@"https://{yourDomain}/api/v2/network-acls/ACL_ID"]
cachePolicy:NSURLRequestUseProtocolCachePolicy
timeoutInterval:10.0];
[request setHTTPMethod:@"PUT"];
[request setAllHTTPHeaderFields:headers];
[request setHTTPBody:postData];
NSURLSession *session = [NSURLSession sharedSession];
NSURLSessionDataTask *dataTask = [session dataTaskWithRequest:request
completionHandler:^(NSData *data, NSURLResponse *response, NSError *error) {
if (error) {
NSLog(@"%@", error);
} else {
NSHTTPURLResponse *httpResponse = (NSHTTPURLResponse *) response;
NSLog(@"%@", httpResponse);
}
}];
[dataTask resume];Was this helpful?
/
$curl = curl_init();
curl_setopt_array($curl, [
CURLOPT_URL => "https://{yourDomain}/api/v2/network-acls/ACL_ID",
CURLOPT_RETURNTRANSFER => true,
CURLOPT_ENCODING => "",
CURLOPT_MAXREDIRS => 10,
CURLOPT_TIMEOUT => 30,
CURLOPT_HTTP_VERSION => CURL_HTTP_VERSION_1_1,
CURLOPT_CUSTOMREQUEST => "PUT",
CURLOPT_POSTFIELDS => "{\n \"description\": \"Logging mode enabled\",\n \"active\": true,\n “priority”: 1,\n \"rule\": {\n \"action\": { \"log\": true },\n \"match\": { \"geo_country_codes\": [\"GEO_COUNTRY_CODE\"] },\n \"scope\": \"tenant\"\n }\n}",
CURLOPT_HTTPHEADER => [
"authorization: Bearer MANAGEMENT_API_TOKEN",
"content-type: application/json"
],
]);
$response = curl_exec($curl);
$err = curl_error($curl);
curl_close($curl);
if ($err) {
echo "cURL Error #:" . $err;
} else {
echo $response;
}Was this helpful?
/
import http.client
conn = http.client.HTTPSConnection("")
payload = "{\n \"description\": \"Logging mode enabled\",\n \"active\": true,\n “priority”: 1,\n \"rule\": {\n \"action\": { \"log\": true },\n \"match\": { \"geo_country_codes\": [\"GEO_COUNTRY_CODE\"] },\n \"scope\": \"tenant\"\n }\n}"
headers = {
'content-type': "application/json",
'authorization': "Bearer MANAGEMENT_API_TOKEN"
}
conn.request("PUT", "/{yourDomain}/api/v2/network-acls/ACL_ID", payload, headers)
res = conn.getresponse()
data = res.read()
print(data.decode("utf-8"))Was this helpful?
/
require 'uri'
require 'net/http'
require 'openssl'
url = URI("https://{yourDomain}/api/v2/network-acls/ACL_ID")
http = Net::HTTP.new(url.host, url.port)
http.use_ssl = true
http.verify_mode = OpenSSL::SSL::VERIFY_NONE
request = Net::HTTP::Put.new(url)
request["content-type"] = 'application/json'
request["authorization"] = 'Bearer MANAGEMENT_API_TOKEN'
request.body = "{\n \"description\": \"Logging mode enabled\",\n \"active\": true,\n “priority”: 1,\n \"rule\": {\n \"action\": { \"log\": true },\n \"match\": { \"geo_country_codes\": [\"GEO_COUNTRY_CODE\"] },\n \"scope\": \"tenant\"\n }\n}"
response = http.request(request)
puts response.read_bodyWas this helpful?
/
import Foundation
let headers = [
"content-type": "application/json",
"authorization": "Bearer MANAGEMENT_API_TOKEN"
]
let postData = NSData(data: "{
"description": "Logging mode enabled",
"active": true,
“priority”: 1,
"rule": {
"action": { "log": true },
"match": { "geo_country_codes": ["GEO_COUNTRY_CODE"] },
"scope": "tenant"
}
}".data(using: String.Encoding.utf8)!)
let request = NSMutableURLRequest(url: NSURL(string: "https://{yourDomain}/api/v2/network-acls/ACL_ID")! as URL,
cachePolicy: .useProtocolCachePolicy,
timeoutInterval: 10.0)
request.httpMethod = "PUT"
request.allHTTPHeaderFields = headers
request.httpBody = postData as Data
let session = URLSession.shared
let dataTask = session.dataTask(with: request as URLRequest, completionHandler: { (data, response, error) -> Void in
if (error != nil) {
print(error)
} else {
let httpResponse = response as? HTTPURLResponse
print(httpResponse)
}
})
dataTask.resume()Was this helpful?
/