Merged
Changes from 1 commit
15 changes: 13 additions & 2 deletions src/content/docs/cloudflare-one/policies/access/index.mdx
Expand Up @@ -59,7 +59,7 @@ For example, this configuration blocks every request to the application, except

Bypass does not enforce any Access security controls and requests are not logged. Bypass policies should be tested before deploying to production. Consider using [Service Auth](/cloudflare-one/policies/access/#service-auth) if you would like to enforce policies and maintain logging without requiring user authentication.

As Bypass does not enforce Access security controls, Bypass policies do not support identity-based [rule types](/cloudflare-one/policies/access/#rule-types). When making Bypass policies, you will not be able to apply certain identity-based [selectors](/cloudflare-one/policies/access/#selectors) (such as email, or IP).
As Bypass does not enforce Access security controls, Bypass policies do not support identity-based [rule types](/cloudflare-one/policies/access/#rule-types). When making Bypass policies, you will not be able to apply certain identity-based [selectors](/cloudflare-one/policies/access/#selectors) (such as email).

:::
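Review bot: Dropping "IP" from the parenthetical is the substantive fix in this hunk, since the sentence is about identity-based selectors and Bypass is described as incompatible only with identity-based rule types; with a single example left, "(such as email)" reads as though email were the only such selector, so consider "such as Emails or Identity provider group", or point the reader at the "Checked at login" column of the selector table for the full set.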

Expand Down Expand Up @@ -133,7 +133,18 @@ To require only one country and one email ending:

When you add a rule to your policy, you will be asked to specify the criteria/attributes you want users to meet. These attributes are available for all Access application types, including [SaaS](/cloudflare-one/applications/configure-apps/saas-apps/), [self-hosted](/cloudflare-one/applications/configure-apps/self-hosted-public-app/), and [non-HTTP](/cloudflare-one/applications/non-http/) applications.

Identity-based attributes are only checked when a user authenticates to Access. Non-identity attributes are polled continuously, meaning they are-evaluated with each new HTTP request for changes during the [user session](/cloudflare-one/identity/users/session-management/). If you have configured [SCIM provisioning](/cloudflare-one/identity/users/scim/), you can force a user to re-attest all attributes with Access whenever you revoke the user in the IdP or update their IdP group membership.
Identity-based attributes are only checked when a user authenticates to Access. The following selectors are identity-based:
Contributor:
I'd maybe add a comment about this being an example list of identity based rules. Just because we occasionally add rules and I can almost guarantee we are going to forget to come update this list.

Contributor:
Does this list add anything that is not answered in the table below?

Contributor Author:
@jroyal it is implied that if you read 'checked at login' in the table you can deduce that these items are identity-based selectors, but we do not explicitly call out our identity-based selectors. Also, 'Everyone' is checked at login but I do not think that is an identity-based selector?

I can:

  1. delete the list
  2. leave the PR as just deleting the 'IP' bit above

if you think we are good as is. But I would change the word 'attributes' to 'selectors' explicitly because we use 'selectors' language in docs and dash and only say attributes here somewhat randomly

Contributor:
Everyone is a weird one because it's basically just a true. It always passes. To your point I guess this is clearer, but we will just need to make sure we update it if it changes.


- Emails
- Emails ending in
- Login Methods
- Authentication Method
- Identity provider group
- SAML Group
- OIDC Claim
- External Evaluation

Non-identity attributes are polled continuously, meaning they are-evaluated with each new HTTP request for changes during the [user session](/cloudflare-one/identity/users/session-management/). If you have configured [SCIM provisioning](/cloudflare-one/identity/users/scim/), you can force a user to re-attest all attributes with Access whenever you revoke the user in the IdP or update their IdP group membership.

| Selector | Description | Checked at login | Checked continuously<sup>1</sup> |
| ------------------------ | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ---------------- | -------------------------------- |
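Review bot: The added line "Non-identity attributes are polled continuously, meaning they are-evaluated with each new HTTP request" carries the typo over from the removed line; since the sentence is being rewritten anyway, make it "they are re-evaluated". On the new list, introduce it as non-exhaustive ("Identity-based selectors include:") so it does not silently go stale when selectors are added, and use "selectors" rather than "attributes" in both surrounding sentences to match the table header below and the rest of the docs. "Everyone" is checked at login but deliberately absent from the list; a short parenthetical saying it is not identity-based would pre-empt the question raised in the thread.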