Overview
This article provides examples demonstrating how Tenant Access Control List (ACL) rules can provide granular control over network-level access to an Auth0 tenant.
A Tenant Access Control List (ACL) rule evaluates incoming requests based on a conditional property and can be applied to requests targeting different scopes. The decision logic for these rules relies on a range of signals provided by Auth0, which allows for precise and flexible access control based on the origin and characteristics of incoming requests:
- Conditional Property: The rule is evaluated based on a match or not_match condition.
  - The match property applies the rule when the specified condition is true for the request.
  - The not_match property applies the rule only when the condition does not match.
- Scope: Rules can be applied to requests targeting different scopes, including:
  - management
  - authentication
  - tenant
- Action: When a condition is met, the rule triggers an action, such as:
  - block
  - allow
  - redirect
  - log
Applies To
- Tenant Access Control List (ACL)
Solution
These examples are intended to demonstrate how Tenant Access Control List (ACL) rules can provide granular control over network-level access to an Auth0 tenant.
1. Block Management API Access from a Known Malicious IP
This rule blocks only traffic from the specified IP range targeting the Management API.
2. Redirect Traffic Based on Country Location
a. Redirect users from Germany to a policy page:
{
  "description": "Redirect German users to policy page",
  "active": true,
  "priority": 20,
  "rule": {
    "action": {
      "redirect": true,
      "redirect_uri": "https://example.com/restrictions"
    },
    "match": {
      "geo_country_codes": ["DE"]
    },
    "scope": "tenant"
  }
}
3. Rules Based on Scope
a. Allow Canadian VPN access to the Management API:
{
  "description": "Allow Canadian VPN access to management API",
  "active": true,
  "priority": 10,
  "rule": {
    "action": { "allow": true },
    "match": {
      "ipv6_cidrs": ["2002:7bcd::/32"]
    },
    "scope": "management"
  }
}
b. Allow traffic from a country (e.g., France) access to the Authentication API:
{
  "description": "Allow access to authentication API from France",
  "active": true,
  "priority": 10,
  "rule": {
    "action": { "allow": true },
    "match": {
      "geo_country_codes": ["FR"]
    },
    "scope": "authentication"
  }
}
c. Redirect US traffic to a US-based Auth0 tenant:
{
  "description": "Redirect US users to US tenant",
  "active": true,
  "priority": 5,
  "rule": {
    "action": {
      "redirect": true,
      "redirect_uri": "https://us.example-tenant.com/login"
    },
    "match": {
      "geo_country_codes": ["US"]
    },
    "scope": "authentication"
  }
}
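To see how priority, scope, match and not_match combine before deploying a rule set, the following added example (not Auth0's own evaluation code) walks a request through a constructed list of rules in the shape shown above. It assumes lower priority values are evaluated first with first match winning, and that "ipv4_cidrs", "block" and "log" take the same shape as the documented keys.

```python
import ipaddress

# Constructed rules in the shape the article shows (not Auth0's own code).
# "ipv4_cidrs", "block" and "log" are assumed to mirror the documented keys.
RULES = [
    {"description": "Block management API from a bad range", "active": True, "priority": 1,
     "rule": {"action": {"block": True}, "match": {"ipv4_cidrs": ["203.0.113.0/24"]},
              "scope": "management"}},
    {"description": "Redirect US users to US tenant", "active": True, "priority": 5,
     "rule": {"action": {"redirect": True, "redirect_uri": "https://us.example-tenant.com/login"},
              "match": {"geo_country_codes": ["US"]}, "scope": "authentication"}},
    {"description": "Allow Canadian VPN access to management API", "active": True, "priority": 10,
     "rule": {"action": {"allow": True}, "match": {"ipv6_cidrs": ["2002:7bcd::/32"]},
              "scope": "management"}},
    {"description": "Log authentication traffic from outside France", "active": True, "priority": 50,
     "rule": {"action": {"log": True}, "not_match": {"geo_country_codes": ["FR"]},
              "scope": "authentication"}},
]

def condition_holds(cond, request):
    """True when every signal listed in the condition matches the request."""
    ip = ipaddress.ip_address(request["ip"])
    if "geo_country_codes" in cond and request.get("country") not in cond["geo_country_codes"]:
        return False
    for key in ("ipv4_cidrs", "ipv6_cidrs"):
        # An IPv4 address is never inside an IPv6 network (and vice versa).
        if key in cond and not any(ip in ipaddress.ip_network(c) for c in cond[key]):
            return False
    return True

def evaluate(rules, request):
    """Return the action of the first applicable rule, or None if no rule applies.

    Assumed ordering (not stated on the page): lower priority value is tried
    first, and the first active rule whose scope and condition apply wins.
    """
    for entry in sorted(rules, key=lambda r: r["priority"]):
        rule = entry["rule"]
        if not entry["active"] or rule["scope"] != request["scope"]:
            continue
        if "match" in rule and not condition_holds(rule["match"], request):
            continue
        if "not_match" in rule and condition_holds(rule["not_match"], request):
            continue
        return rule["action"]
    return None
```

Note that the Management API request from the Canadian VPN range is allowed only because the higher-priority block rule uses an IPv4 range; an IPv6 client can never fall inside it.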