> Contains Tenant Access Control List reference materials, such as signals, conditions, actions, and scopes.

# Reference

<Callout icon="file-lines" color="#0EA5E9" iconType="regular">
  Tenant Access Control List (ACL) is an Early Access Service and is currently available only to customers on an Enterprise plan with the [Attack Protection add-on](https://www.auth0.com/pricing).

  By using this feature, you agree to the applicable Free Trial Service terms described in [Okta’s Master Subscription Agreement](https://www.okta.com/agreements/) and to [Okta’s Privacy Policy](https://www.okta.com/privacy-policy/).

  To learn more about Auth0 releases, review [Product Release Stages](/docs/troubleshoot/product-lifecycle/product-release-stages).
</Callout>

<Callout icon="file-lines" color="#0EA5E9" iconType="regular">
  **Tenant ACL Early Access Restrictions and Limitations**

  Restrictions

  * Customers on an Enterprise plan with the Attack Protection add-on can create up to 10 Tenant ACLs.
  * Each Tenant ACL can include up to 10 entries per source identifier (such as IPv4, CIDR, and more).

  Limitations

  * The **User Agent** identifier is not supported when using self-managed custom domains.
  * The `auth0-forwarded-for` header is not supported.

  Coming soon

  * Customers on any Enterprise plan can create up to one (1) Tenant ACL.
</Callout>

Tenant Access Control List (ACL) supports advanced customization through configuration of various settings. Refer to the tables below to learn more about the available options.

## Signals

The following table contains all the supported signals:

<table class="table">
  <thead>
    <tr>
      <th><strong>Signal</strong></th>
      <th><strong>Property</strong></th>
      <th><strong>Data type</strong></th>
      <th><strong>Description</strong></th>
    </tr>
  </thead>

  <tbody>
    <tr>
      <td>IPv4 / CIDR</td>
      <td><code>ipv4\_cidrs</code></td>
      <td>array of string</td>
      <td>List of IPv4 addresses or CIDR ranges.</td>
    </tr>

    <tr>
      <td>IPv6 / CIDR</td>
      <td><code>ipv6\_cidrs</code></td>
      <td>array of string</td>
      <td>List of IPv6 addresses or CIDR ranges.</td>
    </tr>

    <tr>
      <td>Geographic country code</td>
      <td><code>geo\_country\_code</code></td>
      <td>string</td>
      <td>ISO 3166-1 alpha-2 country code.</td>
    </tr>

    <tr>
      <td>Geographic subdivision code</td>
      <td><code>geo\_subdivision\_code</code></td>
      <td>string</td>
      <td>ISO 3166-2 subdivision code.</td>
    </tr>

    <tr>
      <td>JA3/JA4 fingerprint</td>
      <td><code>ja\_fingerprint</code></td>
      <td>string</td>
      <td>TLS client fingerprint.</td>
    </tr>

    <tr>
      <td>User agent</td>
      <td><code>user\_agent</code></td>
      <td>string</td>
      <td>Client device or browser.</td>
    </tr>
  </tbody>
</table>

## Conditions

The following table contains all the supported conditions:

<table class="table">
  <thead>
    <tr>
      <th><strong>Condition</strong></th>
      <th><strong>Property</strong></th>
      <th><strong>Data type</strong></th>
      <th><strong>Description</strong></th>
    </tr>
  </thead>

  <tbody>
    <tr>
      <td>Match</td>
      <td><code>match</code></td>
      <td>object</td>
      <td>Succeeds if the provided signal is equivalent to any of the provided values.</td>
    </tr>

    <tr>
      <td>Does not match</td>
      <td><code>not\_match</code></td>
      <td>object</td>
      <td>Succeeds if the provided signal is equivalent to none of the provided values.</td>
    </tr>
  </tbody>
</table>

## Actions

The following table contains all the supported actions:

<table class="table">
  <thead>
    <tr>
      <th><strong>Action</strong></th>
      <th><strong>Property</strong></th>
      <th><strong>Data type</strong></th>
      <th><strong>Description</strong></th>
    </tr>
  </thead>

  <tbody>
    <tr>
      <td>Allow</td>
      <td><code>allow</code></td>
      <td>boolean</td>
      <td>Allows traffic to pass through unaffected.</td>
    </tr>

    <tr>
      <td>Block</td>
      <td><code>block</code></td>
      <td>boolean</td>
      <td>Blocks traffic from accessing specified scopes.</td>
    </tr>

    <tr>
      <td>Redirect</td>
      <td><code>redirect</code></td>
      <td>boolean</td>
      <td>Redirects traffic to a provided location.</td>
    </tr>

    <tr>
      <td>Redirect URI</td>
      <td><code>redirect\_uri</code></td>
      <td>string</td>
      <td>URI to redirect traffic to.</td>
    </tr>

    <tr>
      <td>Log</td>
      <td><code>log</code></td>
      <td>boolean</td>
      <td>Monitoring mode. No action is taken, but results are included in the Tenant ACL log event.</td>
    </tr>
  </tbody>
</table>

## Scopes

The following table contains all the supported scopes:

<table class="table">
  <thead>
    <tr>
      <th><strong>Scope</strong></th>
      <th><strong>Value</strong></th>
      <th><strong>Description</strong></th>
    </tr>
  </thead>

  <tbody>
    <tr>
      <td>Tenant</td>
      <td><code>tenant</code></td>
      <td>Enforces Tenant ACL for both Management API and Authentication scopes.</td>
    </tr>

    <tr>
      <td>Management API</td>
      <td><code>management</code></td>
      <td>Enforces Tenant ACL for requests sent to `{yourDomain}/api/v2/*` and `{yourDomain}/scim/*`.</td>
    </tr>

    <tr>
      <td>Authentication</td>
      <td><code>authentication</code></td>
      <td>Enforces Tenant ACL for requests sent to any endpoint not covered by the Management API scope.</td>
    </tr>
  </tbody>
</table>
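
The following is an added example, not Auth0 code and not the Tenant ACL API schema: a local Python model of how the conditions and scopes above combine, useful for reasoning about a rule before enabling it. The rule and request dictionary layouts, the `REQUEST_FIELD` mapping, and all function names are assumptions made for illustration; the addresses are constructed documentation-range values.

```python
import ipaddress

# Path prefixes the page lists for the Management API scope.
MANAGEMENT_PREFIXES = ("/api/v2/", "/scim/")
# Assumption: which request field each signal property is compared against.
REQUEST_FIELD = {"ipv4_cidrs": "ip", "ipv6_cidrs": "ip"}

def request_scope(path):
    """Classify a path: Management API prefixes, otherwise Authentication."""
    return "management" if path.startswith(MANAGEMENT_PREFIXES) else "authentication"

def scope_applies(rule_scope, path):
    """`tenant` covers both scopes; any other scope must equal the path's scope."""
    return rule_scope == "tenant" or rule_scope == request_scope(path)

def equivalent(signal, value, candidates):
    """True if the request value is equivalent to any of the provided values."""
    if signal in ("ipv4_cidrs", "ipv6_cidrs"):
        addr = ipaddress.ip_address(value)
        # A bare address parses as a /32 (or /128) network, so both forms work.
        nets = [ipaddress.ip_network(c, strict=False) for c in candidates]
        return any(addr.version == n.version and addr in n for n in nets)
    return value in candidates

def evaluate(rule, request):
    """Return the rule's action if it fires for this request, else None."""
    if not scope_applies(rule["scope"], request["path"]):
        return None
    field = REQUEST_FIELD.get(rule["signal"], rule["signal"])
    hit = equivalent(rule["signal"], request[field], rule["values"])
    # match fires on any equivalent value; not_match fires when none is.
    fires = hit if rule["condition"] == "match" else not hit
    return rule["action"] if fires else None

# Constructed sample rules (hypothetical layout).
# Block Management API traffic that does not come from the admin range.
MGMT_ALLOWLIST = {"scope": "management", "condition": "not_match",
                  "signal": "ipv4_cidrs", "values": ["198.51.100.0/24"],
                  "action": "block"}
# Monitoring mode for two countries across the whole tenant.
GEO_MONITOR = {"scope": "tenant", "condition": "match",
               "signal": "geo_country_code", "values": ["CA", "MX"],
               "action": "log"}
```

In this model a `not_match` rule with a `block` action behaves as an allowlist, so it is worth running it in `log` mode first to confirm that legitimate sources fall inside the listed ranges.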
