
Commit 7ffc1d0

final updates
1 parent 687fee4 commit 7ffc1d0

File tree

  • src/content/docs/cloudflare-one/policies/access

1 file changed, +20 -31 lines changed

src/content/docs/cloudflare-one/policies/access/index.mdx

Lines changed: 20 additions & 31 deletions
@@ -133,39 +133,28 @@ To require only one country and one email ending:
133133

134134
When you add a rule to your policy, you will be asked to specify the criteria/attributes you want users to meet. These attributes are available for all Access application types, including [SaaS](/cloudflare-one/applications/configure-apps/saas-apps/), [self-hosted](/cloudflare-one/applications/configure-apps/self-hosted-public-app/), and [non-HTTP](/cloudflare-one/applications/non-http/) applications.
135135

136-
Identity-based attributes are only checked when a user authenticates to Access. The following selectors are identity-based:
137-
138-
- Emails
139-
- Emails ending in
140-
- Login Methods
141-
- Authentication Method
142-
- Identity provider group
143-
- SAML Group
144-
- OIDC Claim
145-
- External Evaluation
146-
147136
Non-identity attributes are polled continuously, meaning they are-evaluated with each new HTTP request for changes during the [user session](/cloudflare-one/identity/users/session-management/). If you have configured [SCIM provisioning](/cloudflare-one/identity/users/scim/), you can force a user to re-attest all attributes with Access whenever you revoke the user in the IdP or update their IdP group membership.
148137

149-
| Selector | Description | Checked at login | Checked continuously<sup>1</sup> |
150-
| ------------------------ | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ---------------- | -------------------------------- |
151-
| Emails | `[email protected]` |||
152-
| Emails ending in | `@company.com` |||
153-
| External Evaluation | Allows or denies access based on [custom logic](/cloudflare-one/policies/access/external-evaluation/) in an external API. |||
154-
| IP ranges | `192.168.100.1/24` (supports IPv4/IPv6 addresses and CIDR ranges) |||
155-
| Country | Uses the IP address to determine country. |||
156-
| Everyone | Allows, denies, or bypasses access to everyone. |||
157-
| Common Name | The request will need to present a valid certificate with an expected common name. |||
158-
| Valid Certificate | The request will need to present any valid client certificate. |||
159-
| Service Token | The request will need to present the correct service token headers configured for the specific application. |||
160-
| Any Access Service Token | The request will need to present the headers for any [service token](/cloudflare-one/identity/service-tokens/) created for this account. |||
161-
| Login Methods | Checks the identity provider used at the time of login. |||
162-
| Authentication Method | Checks the [multifactor authentication](/cloudflare-one/policies/access/mfa-requirements/) method used by the user, if supported by the identity provider. |||
163-
| Identity provider group | Checks the user groups configured with your identity provider (IdP). This selector only displays if you use Microsoft Entra ID, GitHub, Google, Okta, or an IdP that provisions groups with [SCIM](/cloudflare-one/identity/users/scim/). |||
164-
| SAML Group | Checks a SAML attribute name / value pair. This selector only displays if you use a [generic SAML](/cloudflare-one/identity/idp-integration/generic-saml/) identity provider. |||
165-
| OIDC Claim | Checks an OIDC claim name / value pair. This selector only displays if you use a [generic OIDC](/cloudflare-one/identity/idp-integration/generic-oidc/) identity provider. |||
166-
| Device posture | Checks [device posture signals](/cloudflare-one/identity/devices/) from the WARP client or a third-party service provider. |||
167-
| Warp | Checks that the device is connected to WARP, including the consumer version. |||
168-
| Gateway | Checks that the device is connected to your Zero Trust instance through the [WARP client](/cloudflare-one/connections/connect-devices/warp/). |||
138+
| Selector | Description | Checked at login | Checked continuously<sup>1</sup> | Identity-based selector? |
139+
| ------------------------ | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ---------------- | -------------------------------- | ------------------------ |
140+
| Emails | `[email protected]` ||||
141+
| Emails ending in | `@company.com` ||||
142+
| External Evaluation | Allows or denies access based on [custom logic](/cloudflare-one/policies/access/external-evaluation/) in an external API. ||||
143+
| IP ranges | `192.168.100.1/24` (supports IPv4/IPv6 addresses and CIDR ranges) ||||
144+
| Country | Uses the IP address to determine country. ||||
145+
| Everyone | Allows, denies, or bypasses access to everyone. ||||
146+
| Common Name | The request will need to present a valid certificate with an expected common name. ||||
147+
| Valid Certificate | The request will need to present any valid client certificate. ||||
148+
| Service Token | The request will need to present the correct service token headers configured for the specific application. ||||
149+
| Any Access Service Token | The request will need to present the headers for any [service token](/cloudflare-one/identity/service-tokens/) created for this account. ||||
150+
| Login Methods | Checks the identity provider used at the time of login. ||||
151+
| Authentication Method | Checks the [multifactor authentication](/cloudflare-one/policies/access/mfa-requirements/) method used by the user, if supported by the identity provider. ||||
152+
| Identity provider group | Checks the user groups configured with your identity provider (IdP). This selector only displays if you use Microsoft Entra ID, GitHub, Google, Okta, or an IdP that provisions groups with [SCIM](/cloudflare-one/identity/users/scim/). ||||
153+
| SAML Group | Checks a SAML attribute name / value pair. This selector only displays if you use a [generic SAML](/cloudflare-one/identity/idp-integration/generic-saml/) identity provider. ||||
154+
| OIDC Claim | Checks an OIDC claim name / value pair. This selector only displays if you use a [generic OIDC](/cloudflare-one/identity/idp-integration/generic-oidc/) identity provider. ||||
155+
| Device posture | Checks [device posture signals](/cloudflare-one/identity/devices/) from the WARP client or a third-party service provider. ||||
156+
| Warp | Checks that the device is connected to WARP, including the consumer version. ||||
157+
| Gateway | Checks that the device is connected to your Zero Trust instance through the [WARP client](/cloudflare-one/connections/connect-devices/warp/). ||||
169158

170159
<sup>1</sup> For SaaS applications, Access can only enforce policies at the time
171160
of initial sign on and when reissuing the SaaS session. Once the user has
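Review bot: removing lines 136-146 deletes the only sentence stating that identity-based attributes are checked just once, when the user authenticates to Access, and the new "Identity-based selector?" column does not carry that definition, so the retained paragraph "Non-identity attributes are polled continuously..." now has nothing to contrast against and the reader is left to infer what "identity-based" implies for re-attestation. Suggest keeping one sentence ahead of the table, for example "Identity-based attributes are only checked when a user authenticates to Access." or attaching a second footnote to the new column header that says so. While this paragraph is being edited, the unchanged context line reads "meaning they are-evaluated with each new HTTP request", which should be "meaning they are re-evaluated with each new HTTP request". Minor: the "Warp" row label is inconsistent with "WARP" as written in that row's own description and in the Gateway row.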
