Reference
Tenant Access Control List (ACL) is an Early Access Service and currently available only to customers on an Enterprise plan with the Attack Protection add-on.
By using this feature, you agree to the applicable Free Trial Service terms described in Okta’s Master Subscription Agreement and to Okta’s Privacy Policy.
To learn more about Auth0 releases, review Product Release Stages.
Tenant ACL Early Access Restrictions and Limitations
Restrictions
Customers on an Enterprise plan with the Attack Protection add-on can create up to 10 Tenant ACLs.
Each Tenant ACL can include up to 10 entries per source identifier (such as IPv4, CIDR, and more).
Limitations
The User Agent identifier is not supported when using self-managed custom domains.
The
auth0-forwarded-forheader is not supported.
Coming soon
Customers on any Enterprise plan can create up to one (1) Tenant ACL.
Tenant Access Control List (ACL) supports advanced customization through configuration of various settings. Refer to the tables below to learn more about the available options.
Signals
The following table contains all the supported signals:
| Signal | Property | Data type | Description |
|---|---|---|---|
| IPv4 / CIDR | ipv4_cidr |
string | Individual IPv4 address or CIDR range. |
| IPv6 / CIDR | ipv6_cidr |
string | Individual IPv6 address or CIDR range. |
| Geographic country code | geo_country_code |
string | ISO 3166-1 alpha-2 country code. |
| Geographic subdivision code | geo_subdivision_code |
string | ISO 3166-2 subdivision code. |
| Anonymous proxy | anonymous_proxy |
string | Proxy server that hides the user's IP address. |
| JA3/JA4 fingerprint | ja_fingerprint |
string | TSL client fingerprint. |
| User agent | user_agent |
string | Client device or browser. |
Conditions
The following table contains all the supported conditions:
| Condition | Property | Data type | Description |
|---|---|---|---|
| Match | match |
object | Returns successful if the provided signal and any of the provided values are equivalent. |
| Does not match | not_match |
object | Returns successful if the provided signal and none of the provided values are equivalent. |
Actions
The following table contains all the supported actions:
| Action | Property | Data type | Description |
|---|---|---|---|
| Allow | allow |
boolean | Allows traffic to pass through unaffected. |
| Block | block |
boolean | Blocks traffic from accessing specified scopes. |
| Redirect | redirect |
boolean | Redirects traffic to a provided location. |
| Redirect URI | redirect_uri |
string | URI to redirect traffic to. |
| Log | log |
boolean | Monitoring mode. No action is taken, but results are included in the Tenant ACL log event. |
Scopes
The following table contains all the supported scopes:
| Scope | Value | Description |
|---|---|---|
| Tenant | tenant |
Enforces Tenant ACL for both Management API and Authentication scopes. |
| Management API | management |
Enforces Tenant ACL for requests sent to {yourDomain}/api/v2/* and {yourDomain}/scim/*. |
| Authentication | authentication |
Enforces Tenant ACL for requests sent to anywhere not covered in Management API scope. |