Access groups
An Access group is a set of rules that can be configured once and then quickly applied across many Access applications. You can assign an Access group to any Access policy, and all the criteria from the selected group will apply to that application.
Create a group
To create an Access group:
- In Zero Trust, go to Access > Access Groups.
- Select Add a Group.
- Enter a name for the group (for example, Lisbon-team).
- Specify as many rules as needed to define your user group. For example, the following rules define a team based in Lisbon, Portugal:

| Rule type | Selector | Value |
| --- | --- | --- |
| Include | Country | Portugal |
| Require | Emails Ending In | @team.com |
- Select Save.
Send a POST request to the /access/groups endpoint:
curl https://api.cloudflare.com/client/v4/accounts/{account_id}/access/groups \
--header "X-Auth-Email: <EMAIL>" \
--header "X-Auth-Key: <API_KEY>" \
--header "Content-Type: application/json" \
--data '{ "name": "Lisbon-team", "include": [ { "geo": { "country_code": "PT" } } ], "exclude": [], "require": [ { "email_domain": { "domain": "team.com" } } ], "is_default": false}'
You can now select this group in the Access policy builder.
Group criteria
Group criteria determine whether or not a user is a member of a particular group. Since groups are simply a collection of Access rules, they use the same rule types and selectors shown in the Access policy builder.
Groups for IP-based rules
We recommend using groups to define any IP address-based rules you configure in policies. Keeping IP addresses in one place allows you to modify or remove addresses once, rather than in each policy, and reduces the potential for mistakes.
Groups for country requirements
You can create an Access group that consists of countries to allow or block. Access will treat the countries in the Include rule with an OR logical operator. When building policies for an Access application, you can assign this Access group to a Require policy to require at least one of the countries inside of the group.
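The following added example (not Cloudflare's code, and not part of the original page) is a simplified local model of how group criteria combine: Include rules are ORed, Require rules are ANDed, and Exclude rules act as NOT. It reuses the Lisbon-team JSON shape from the API request above; the second country, the "ip" and "email" rule shapes, the user dictionaries and the function names are assumptions made for illustration.

```python
import ipaddress

# Constructed group in the JSON shape of the API request above, extended with a
# second country, an IP range and an exclude rule (the "ip" and "email" rule
# shapes are assumptions for this example).
GROUP = {
    "name": "Lisbon-team",
    "include": [
        {"geo": {"country_code": "PT"}},
        {"geo": {"country_code": "ES"}},
        {"ip": {"ip": "192.0.2.0/24"}},
    ],
    "exclude": [{"email": {"email": "contractor@team.com"}}],
    "require": [{"email_domain": {"domain": "team.com"}}],
}

def rule_matches(rule, user):
    """Check one rule against a user's attributes (hypothetical user dict)."""
    if "geo" in rule:
        return user["country"] == rule["geo"]["country_code"]
    if "ip" in rule:
        net = ipaddress.ip_network(rule["ip"]["ip"])
        return ipaddress.ip_address(user["ip"]) in net
    if "email_domain" in rule:
        suffix = "@" + rule["email_domain"]["domain"].lower()
        return user["email"].lower().endswith(suffix)
    if "email" in rule:
        return user["email"].lower() == rule["email"]["email"].lower()
    # Unknown selector: refuse to evaluate rather than silently allow.
    raise ValueError(f"unsupported selector: {sorted(rule)}")

def is_member(group, user):
    """Exclude acts as NOT, Require as AND, Include as OR."""
    if any(rule_matches(r, user) for r in group.get("exclude", [])):
        return False
    if not all(rule_matches(r, user) for r in group.get("require", [])):
        return False
    return any(rule_matches(r, user) for r in group.get("include", []))

if __name__ == "__main__":
    # Constructed sample users.
    for email, country, ip in [
        ("alice@team.com", "PT", "203.0.113.5"),
        ("carol@team.com", "DE", "192.0.2.10"),
        ("dave@other.com", "PT", "203.0.113.9"),
    ]:
        user = {"email": email, "country": country, "ip": ip}
        print(email, country, ip, is_member(GROUP, user))
```

Running a planned group definition through a model like this before saving it helps catch a rule placed under Include that was meant to be a Require.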