Use Cases
Tenant Access Control List (ACL) provides the power and flexibility needed to handle a large variety of scenarios.
Block a request
Here is an example of a Tenant ACL rule that blocks incoming traffic from a specific geolocation country code.
To create this Tenant ACL rule with the Management API:
Get a Management API access token with the
create:network_aclsscope.Call the Management API Create access control list endpoint with the following body:
{ "description": "Example of blocking a request", "active": true, "priority": 2, "rule": { "action": { "block": true }, "match": { "geo_country_codes": [ "GEO_COUNTRY_CODE" ] }, "scope": "authentication" } }Was this helpful?
/
package main
import (
"context"
"log"
"github.com/auth0/go-auth0"
"github.com/auth0/go-auth0/management"
)
func main() {
mgmt, err := management.New("{yourDomain}", management.WithClientCredentials("{yourClientId}", "{yourClientSecret}"))
if err != nil {
log.Fatal(err)
}
networkACL := &management.NetworkACL{
Description: auth0.String("Example of blocking a request"),
Active: auth0.Bool(true),
Priority: auth0.Int(2),
Rule: &management.NetworkACLRule{
Action: &management.NetworkACLRuleAction{
Block: auth0.Bool(true),
},
Match: &management.NetworkACLRuleMatch{
GeoCountryCodes: &[]string{"GEO_COUNTRY_CODE"},
},
Scope: auth0.String("authentication"),
},
}
err = mgmt.NetworkACL.Create(context.Background(), networkACL)
if err != nil {
log.Fatal(err)
}
log.Println("Network ACL has been created")
}Was this helpful?
/
const createNetworkAclPayload: Management.CreateNetworkAclRequestContent = {
description: "Example of blocking a request",
active: true,
priority: 2,
rule: {
action: {
block: true,
},
match: {
geo_country_codes: ["GEO_COUNTRY_CODE"],
},
scope: "authentication",
},
};
const createNetworkAcl = await client.networkAcls.create(createNetworkAclPayload);Was this helpful?
/
resource "auth0_network_acl" "example_blocking_request_acl" {
description = "Example of blocking a request"
active = true
priority = 2
rule {
action {
block = true
}
match {
geo_country_codes = ["GEO_COUNTRY_CODE"]
}
scope = "authentication"
}
}Was this helpful?
/
networkACLs:
- description: Example of blocking a request
active: true
priority: 2
rule:
action:
block: true
match:
geo_country_codes:
- GEO_COUNTRY_CODE
scope: authenticationWas this helpful?
/
auth0 network-acl create \
--description "Example of blocking a request" \
--active true \
--priority 2 \
--rule '{"action":{"block":true},"match":{"geo_country_codes":["GEO_COUNTRY_CODE"]},"scope":"authentication"}'Was this helpful?
/
Example of a block page
Allow a request
Here is an example of a Tenant ACL rule that allows traffic only from a specific geolocation country code.
To create this Tenant ACL rule with the Management API:
Get a Management API access token with the
create:network_aclsscope.Call the Management API Create access control list endpoint with the following body:
{ "description": "Example of allowing a request", "active": true, "priority": 2, "rule": { "action": { "allow": true }, "match": { "geo_country_codes": [ "GEO_COUNTRY_CODE" ] }, "scope": "authentication" } }Was this helpful?
/
package main
import (
"context"
"log"
"github.com/auth0/go-auth0"
"github.com/auth0/go-auth0/management"
)
func main() {
mgmt, err := management.New("{yourDomain}", management.WithClientCredentials("{yourClientId}", "{yourClientSecret}"))
if err != nil {
log.Fatal(err)
}
networkACL := &management.NetworkACL{
Description: auth0.String("Example of allowing a request"),
Active: auth0.Bool(true),
Priority: auth0.Int(2),
Rule: &management.NetworkACLRule{
Action: &management.NetworkACLRuleAction{
Allow: auth0.Bool(true),
},
Match: &management.NetworkACLRuleMatch{
GeoCountryCodes: &[]string{"GEO_COUNTRY_CODE"},
},
Scope: auth0.String("authentication"),
},
}
err = mgmt.NetworkACL.Create(context.Background(), networkACL)
if err != nil {
log.Fatal(err)
}
log.Println("Network ACL has been created")
}Was this helpful?
/
const createNetworkAclPayload: Management.CreateNetworkAclRequestContent = {
description: "Example of allowing a request",
active: true,
priority: 2,
rule: {
action: {
allow: true,
},
match: {
geo_country_codes: ["GEO_COUNTRY_CODE"],
},
scope: "authentication",
},
};
const createNetworkAcl = await client.networkAcls.create(createNetworkAclPayload);Was this helpful?
/
resource "auth0_network_acl" "example_allowing_request_acl" {
description = "Example of allowing a request"
active = true
priority = 2
rule {
action {
allow = true
}
match {
geo_country_codes = ["GEO_COUNTRY_CODE"]
}
scope = "authentication"
}
}Was this helpful?
/
networkACLs:
- description: Example of allowing a request
active: true
priority: 2
rule:
action:
allow: true
match:
geo_country_codes:
- GEO_COUNTRY_CODE
scope: authenticationWas this helpful?
/
auth0 network-acl create \
--description "Example of allowing a request" \
--active true \
--priority 2 \
--rule '{"action":{"allow":true},"match":{"geo_country_codes":["GEO_COUNTRY_CODE"]},"scope":"authentication"}'Was this helpful?
/
Redirect a request
Here is an example of a Tenant ACL rule that redirects all traffic from a specific geolocation country code.
To create this Tenant ACL rule with the Management API:
Get a Management API access token with the
create:network_aclsscope.Call the Management API Create access control list endpoint with the following body:
{ "description": "Example of redirecting a request", "active": true, "priority": 2, "rule": { "action": { "redirect": true, "redirect_uri": "REDIRECT_URI" }, "match": { "geo_country_codes": [ "GEO_COUNTRY_CODE" ] }, "scope": "authentication" } }Was this helpful?
/
package main
import (
"context"
"log"
"github.com/auth0/go-auth0"
"github.com/auth0/go-auth0/management"
)
func main() {
mgmt, err := management.New("{yourDomain}", management.WithClientCredentials("{yourClientId}", "{yourClientSecret}"))
if err != nil {
log.Fatal(err)
}
networkACL := &management.NetworkACL{
Description: auth0.String("Example of redirecting a request"),
Active: auth0.Bool(true),
Priority: auth0.Int(2),
Rule: &management.NetworkACLRule{
Action: &management.NetworkACLRuleAction{
Redirect: auth0.Bool(true),
RedirectURI: auth0.String("REDIRECT_URI"),
},
Match: &management.NetworkACLRuleMatch{
GeoCountryCodes: &[]string{"GEO_COUNTRY_CODE"},
},
Scope: auth0.String("authentication"),
},
}
err = mgmt.NetworkACL.Create(context.Background(), networkACL)
if err != nil {
log.Fatal(err)
}
log.Println("Network ACL has been created")
}Was this helpful?
/
const createNetworkAclPayload: Management.CreateNetworkAclRequestContent = {
description: "Example of redirecting a request",
active: true,
priority: 2,
rule: {
action: {
redirect: true,
redirect_uri: "REDIRECT_URI",
},
match: {
geo_country_codes: ["GEO_COUNTRY_CODE"],
},
scope: "authentication",
},
};
const createNetworkAcl = await client.networkAcls.create(createNetworkAclPayload);Was this helpful?
/
resource "auth0_network_acl" "example_redirecting_request_acl" {
description = "Example of redirecting a request"
active = true
priority = 2
rule {
action {
redirect = true
redirect_uri = "REDIRECT_URI"
}
match {
geo_country_codes = ["GEO_COUNTRY_CODE"]
}
scope = "authentication"
}
}Was this helpful?
/
networkACLs:
- description: Example of redirecting a request
active: true
priority: 2
rule:
action:
redirect: true
redirect_uri: REDIRECT_URI
match:
geo_country_codes:
- GEO_COUNTRY_CODE
scope: authenticationWas this helpful?
/
auth0 network-acl create \
--description "Example of redirecting a request" \
--active true \
--priority 2 \
--rule '{"action":{"redirect":true,"redirect_uri":"REDIRECT_URI"},"match":{"geo_country_codes":["GEO_COUNTRY_CODE"]},"scope":"authentication"}'Was this helpful?
/
Complex comparisons
You can combine the match and not_match operators in a single Tenant ACL rule to enforce fine-grained access policies.
Here is an example of a Tenant ACL rule that evaluates the geo_country_code and geo_subdivision_code signals to block all traffic from a given country except for a specific state, region, or province within that country.
To create this Tenant ACL rule with the Management API:
Get a Management API access token with the
create:network_aclsscope.Call the Management API Create access control list endpoint with the following body:
{ "description": "Example of a complex comparison", "active": true, "priority": 1, "rule": { "action": { "block": true }, "match": { "geo_country_codes": [ "GEO_COUNTRY_CODE" ] }, "not_match": { "geo_subdivision_codes": [ "GEO_SUBDIVISION_CODE" ] }, "scope": "authentication" } }Was this helpful?
/
package main
import (
"context"
"log"
"github.com/auth0/go-auth0"
"github.com/auth0/go-auth0/management"
)
func main() {
mgmt, err := management.New("{yourDomain}", management.WithClientCredentials("{yourClientId}", "{yourClientSecret}"))
if err != nil {
log.Fatal(err)
}
networkACL := &management.NetworkACL{
Description: auth0.String("Example of a complex comparison"),
Active: auth0.Bool(true),
Priority: auth0.Int(1),
Rule: &management.NetworkACLRule{
Action: &management.NetworkACLRuleAction{
Block: auth0.Bool(true),
},
Match: &management.NetworkACLRuleMatch{
GeoCountryCodes: &[]string{"GEO_COUNTRY_CODE"},
},
NotMatch: &management.NetworkACLRuleMatch{
GeoSubdivisionCodes: &[]string{"GEO_SUBDIVISION_CODE"},
},
Scope: auth0.String("authentication"),
},
}
err = mgmt.NetworkACL.Create(context.Background(), networkACL)
if err != nil {
log.Fatal(err)
}
log.Println("Network ACL has been created")
}Was this helpful?
/
const createNetworkAclPayload: Management.CreateNetworkAclRequestContent = {
description: "Example of a complex comparison",
active: true,
priority: 1,
rule: {
action: {
block: true,
},
match: {
geo_country_codes: ["GEO_COUNTRY_CODE"],
},
not_match: {
geo_subdivision_codes: ["GEO_SUBDIVISION_CODE"],
},
scope: "authentication",
},
};
const createNetworkAcl = await client.networkAcls.create(createNetworkAclPayload);Was this helpful?
/
resource "auth0_network_acl" "example_complex_comparison_acl" {
description = "Example of a complex comparison"
active = true
priority = 1
rule {
action {
block = true
}
match {
geo_country_codes = ["GEO_COUNTRY_CODE"]
}
not_match {
geo_subdivision_codes = ["GEO_SUBDIVISION_CODE"]
}
scope = "authentication"
}
}Was this helpful?
/
networkACLs:
- description: Example of a complex comparison
active: true
priority: 1
rule:
action:
block: true
match:
geo_country_codes:
- GEO_COUNTRY_CODE
not_match:
geo_subdivision_codes:
- GEO_SUBDIVISION_CODE
scope: authenticationWas this helpful?
/
auth0 network-acl create \
--description "Example of a complex comparison" \
--active true \
--priority 1 \
--rule '{"action":{"block":true},"match":{"geo_country_codes":["GEO_COUNTRY_CODE"]},"not_match":{"geo_subdivision_codes":["GEO_SUBDIVISION_CODE"]},"scope":"authentication"}'Was this helpful?
/