Access API examples
Access users can create policies, including individual rule blocks inside of group or policy bodies. For example, this policy allows all Cloudflare email account users to reach the application with the exception of one account:
{ "name": "allow cloudflare employees", "decision": "allow", "include": [ { "email_domain": { "domain": "cloudflare.com" } } ], "exclude": [ { "email": { "email": "notthisperson@cloudflare.com" } } ], "require": []
}
Example rule configurations
These are commonly used rule configurations.
Use a pre-existing Access group.
The request will need to present the headers for any service token created for this account.
Allow access based on the "amr" identifier.
Allow members of an Azure Group. The ID is the group UUID (`id`) in Azure.
The request will need to present a valid certificate with an expected common name.
Allow a specific country.
Allow a specific email address.
Allow an entire email domain.
Allow anyone to log in.
Allow members of a specific G Suite group.
Allow members of a specific GitHub organization.
Allow an IP range.
The request will need to present a valid certificate.
Allow members of an Okta Group.
Allow users with specific SAML attributes.
The request will need to present the correct service token headers.