Before you start

To configure a Tenant ACL rule, you need a Management API access token with the following scopes:
  • create:network_acls
  • update:network_acls
  • read:network_acls
  • delete:network_acls
Tenant Access Control List (ACL) is an Early Access Service and currently available only to customers on an Enterprise plan with the Attack Protection add-on. By using this feature, you agree to the applicable Free Trial Service terms described in Okta’s Master Subscription Agreement and to Okta’s Privacy Policy. To learn more about Auth0 releases, review Product Release Stages.

Tenant ACL Early Access Restrictions and Limitations

Restrictions
  • Customers on an Enterprise plan with the Attack Protection add-on can create up to 10 Tenant ACLs.
  • Each Tenant ACL can include up to 10 entries per source identifier (such as IPv4, CIDR, and more).
Limitations
  • The User Agent identifier is not supported when using self-managed custom domains.
  • The auth0-forwarded-for header is not supported.
Coming soon
  • Customers on any Enterprise plan can create up to one (1) Tenant ACL.
You can configure Tenant Access Control List (ACL) rules with the Auth0 .

Create a rule

You can create a Tenant ACL rule with the Management API Create access control list endpoint.

Parameters

Parameter    Data type  Description
description  string     Describes the purpose or functionality of the rule.
active       boolean    Enables or disables the rule.
priority     number     Numerical value that determines the order in which the rule is evaluated. Lower values indicate higher priority.
rule         object     Contains the conditions and actions of the rule.
action       object     Contains the action the rule performs.
match        object     Defines the conditions that the incoming request must fulfill.
not_match    object     Defines the conditions that the incoming request must not fulfill.
scope        string     Service or context in which the rule is enforced.

Example

Here’s an example of a Tenant ACL rule that blocks all incoming traffic from the United States.
{
  "description": "Block all traffic from the United States",
  "active": true,
  "priority": 1,
  "rule": {
    "action": {
      "block": true
    },
    "match": {
      "geo_country_codes": ["US"]
    },
    "scope": "authentication"
  }
}

Enable monitoring mode for a rule

You can enable monitoring mode for a Tenant ACL rule with the Management API Update access control list endpoint. Add the log property to the rule.action object and set its value to true.
curl --request PUT \
  --url 'https://{yourDomain}/api/v2/network-acls/ACL_ID' \
  --header 'authorization: Bearer MANAGEMENT_API_TOKEN' \
  --header 'content-type: application/json' \
  --data '{
  "description": "Logging mode enabled",
  "active": true,
  "priority": 1,
  "rule": {
    "action": { "log": true },
    "match": { "geo_country_codes": ["GEO_COUNTRY_CODE"] },
    "scope": "tenant"
  }
}'
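The following Python helper, added here as an illustration and not part of Auth0's documentation or SDKs, ties together the create-rule and monitoring-mode steps above: it checks a rule payload against the constraints this page states (numeric priority, a block and/or log action, at most 10 entries per source identifier), derives the monitoring-mode variant of a blocking rule, and builds the Management API request without sending it. The PUT update URL is the one shown on this page; the POST create path, the tenant domain and the token value are assumptions.

```python
import json
from urllib.request import Request

MAX_ENTRIES_PER_IDENTIFIER = 10  # Early Access restriction stated on this page


def validate_acl_rule(payload):
    """Return a list of problems found in a Tenant ACL rule payload (empty means OK)."""
    problems = []
    priority = payload.get("priority")
    if isinstance(priority, bool) or not isinstance(priority, (int, float)):
        problems.append("priority must be a number (lower value = higher priority)")
    if not isinstance(payload.get("active"), bool):
        problems.append("active must be a boolean")
    rule = payload.get("rule") or {}
    action = rule.get("action") or {}
    if not action or set(action) - {"block", "log"}:
        problems.append("rule.action must contain 'block' and/or 'log'")
    for key in ("match", "not_match"):
        for identifier, entries in (rule.get(key) or {}).items():
            if len(entries) > MAX_ENTRIES_PER_IDENTIFIER:
                problems.append(f"rule.{key}.{identifier} has more than "
                                f"{MAX_ENTRIES_PER_IDENTIFIER} entries")
    if not isinstance(rule.get("scope"), str):
        problems.append("rule.scope must be a string")
    return problems


def block_rule(description, priority, match, scope="authentication"):
    """Rule shaped like the page's 'block all traffic from the United States' example."""
    return {"description": description, "active": True, "priority": priority,
            "rule": {"action": {"block": True}, "match": match, "scope": scope}}


def monitoring_mode(payload):
    """Deep copy of a rule whose action only logs matches instead of blocking them."""
    copy = json.loads(json.dumps(payload))
    copy["rule"]["action"] = {"log": True}
    return copy


def acl_request(domain, token, payload, acl_id=None):
    """Build (but do not send) the Management API request for a rule.
    Update is PUT /api/v2/network-acls/{id} as shown on the page; the create
    endpoint is assumed to be POST /api/v2/network-acls."""
    url, method = f"https://{domain}/api/v2/network-acls", "POST"
    if acl_id is not None:
        url, method = f"{url}/{acl_id}", "PUT"
    return Request(url, method=method, data=json.dumps(payload).encode(),
                   headers={"authorization": f"Bearer {token}",
                            "content-type": "application/json"})
```

Running `validate_acl_rule` before `acl_request` catches the trailing-comma and quote mistakes that a hand-edited JSON body would otherwise send to the API as a malformed request.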