Tenant ACL uses a deterministic engine to evaluate incoming requests. To determine if an action (allow, block, or redirect) should be taken, the engine follows these evaluation steps:
  1. Evaluation order (priority)
  2. Condition matching (signal)
  3. Match termination with monitoring mode exception

Evaluation order

The Tenant ACL evaluates rules in ascending order based on their priority number. Evaluation starts at the lowest number, priority 0, and proceeds sequentially. If two rules could both match a request, the one with the lower priority number will trigger first.

Condition Matching

For a single rule to trigger its action, it must satisfy the matching logic. This logic determines how the engine treats multiple values and multiple signal types:
| Logic Type | Behavior | Description | Example |
| --- | --- | --- | --- |
| Signal Matching | OR | Within a specific signal, a request must match at least one entry in the list to satisfy that signal requirement. | If ipv4_cidrs contains multiple IP CIDRs, at least one of them must match. |
| Multiple Signals | AND | If a rule contains multiple different signal types, the request must match all provided signal types. As an exception, if a rule contains both ipv4_cidrs and ipv6_cidrs, only one is required to match. | If a rule has both ipv4_cidrs and asn, both must match. |

Any signal types not provided in a rule are ignored and do not impact the rule’s evaluation logic.

Match Termination

Tenant ACL applies the first match. Once a rule’s conditions are fully met, the behavior depends on whether the rule is in monitoring mode or not.
| Behavior | Monitoring mode disabled | Monitoring mode enabled |
| --- | --- | --- |
| Logging | An acls_summary log event is triggered. | An acls_summary log event is triggered. |
| Execution | The rule’s defined action is executed immediately. | The rule’s defined action is not executed. |
| Evaluation | Evaluation terminates. No subsequent or lower priority Tenant ACL rules are evaluated. | Evaluation continues to the next rule in the priority list. |
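
The three evaluation steps can be modeled in a short script. This is an added illustration, not Auth0's implementation: the rule dictionary layout, the sample rules and the `None` result when no enforcing rule matches are assumptions, and only the signal names `ipv4_cidrs`, `ipv6_cidrs`, `asn` and the `acls_summary` event name come from this page.

```python
import ipaddress

# Constructed sample rules. The dict layout is hypothetical; signal names are the page's.
RULES = [
    {"priority": 2, "action": "block", "monitoring": False,
     "signals": {"ipv4_cidrs": ["203.0.113.0/24"], "asn": [64500]}},
    {"priority": 0, "action": "block", "monitoring": True,
     "signals": {"ipv4_cidrs": ["198.51.100.0/24", "203.0.113.0/24"]}},
    {"priority": 1, "action": "allow", "monitoring": False,
     "signals": {"ipv4_cidrs": ["192.0.2.0/24"], "ipv6_cidrs": ["2001:db8::/32"]}},
]
CIDR_SIGNALS = ("ipv4_cidrs", "ipv6_cidrs")


def rule_matches(rule, request):
    """AND across signal types, OR within one; the two CIDR signals count as one."""
    addr = ipaddress.ip_address(request["ip"])
    results = {}
    for name, values in rule["signals"].items():
        if name in CIDR_SIGNALS:
            nets = [ipaddress.ip_network(v) for v in values]
            results[name] = any(n.version == addr.version and addr in n for n in nets)
        else:
            results[name] = request.get(name) in values
    # Exception from the page: with both CIDR signals present, one match is enough.
    cidr = [results.pop(n) for n in CIDR_SIGNALS if n in results]
    checks = list(results.values()) + ([any(cidr)] if cidr else [])
    # Assumption: a rule with no signals never matches (the page does not cover it).
    return bool(checks) and all(checks)


def evaluate(rules, request):
    """Return (action, log); action is None when no enforcing rule matched."""
    log = []
    for rule in sorted(rules, key=lambda r: r["priority"]):  # priority 0 first
        if not rule_matches(rule, request):
            continue
        log.append(("acls_summary", rule["priority"], rule["monitoring"]))
        if not rule["monitoring"]:
            return rule["action"], log  # first enforcing match ends evaluation
        # Monitoring mode: logged, action not executed, keep evaluating.
    return None, log


if __name__ == "__main__":
    print(evaluate(RULES, {"ip": "203.0.113.7", "asn": 64500}))
```

In the sample run the priority 0 rule only logs because it is in monitoring mode, so the request falls through to the priority 2 rule; with monitoring mode disabled on priority 0, evaluation would stop there and the priority 2 rule would never be reached.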