Configuring Access Groups

Access Groups

Access Groups allow you to define a set of users to which an application policy can be applied. You can reuse Access Groups to quickly create policies that apply to the same set of users.

For example, suppose you have an internal application secured behind Access. You want to restrict permissions to that application to only the engineering team. You can configure an Access Group to only include members of your engineering team by individually adding their email addresses or adding groups from your IdP. You can also create a group based on IP ranges, which is an effective way to manage IP whitelisting in one place.

Access Groups also enable quick policy reuse by allowing you to create new policies that apply to groups you define once.

Group Membership Rules

Access Group Membership Rules are the criteria to determine whether a user is a member of a particular group.

Membership Rule Types

Membership Rule Types define the criteria to include or exclude a team member from an Access Group.

  • Email - ex: [email protected]
  • Email Ending in -
  • IP Address - Supports IPv4 and IPv6 addresses. ex:
  • Everyone - Applies to everyone. Use the Everyone filter if you want to allow, deny or bypass access for everyone.
  • Identity Provider Groups - You can use user groups configured with your Identity Provider or LDAP with Access.
    • You will see the IdP group option only if you use an identity provider that passes groups via SAML or OAuth Scope.

Configure Membership Rules

Rules for Access Groups follow the same logic as rules for Access Policies.

Using Groups for IP-based Rules

We recommend using Access Groups to define any IP address-based rules that you configure in any policies. Keeping IP addresses in one place allows you to modify or remove addresses once, rather than in each policy, reducing the potential for something to be missed.

If you are adding more than one IP address or range to an Access Group, be sure to use an Include rule. Otherwise, the policy that uses that Access Group will attempt to require traffic to originate from all ranges.
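The difference between Include and Require for a list of IP ranges, as an added example that is not part of the original page and is not Cloudflare's code or API schema. It is a simplified model in which Include means "any range matches" and Require means "every range matches"; the group dictionary layout, function names and sample ranges are assumptions made for illustration.

```python
import ipaddress
from itertools import combinations

def _nets(ranges):
    return [ipaddress.ip_network(r) for r in ranges]

def include_match(source_ip, ranges):
    """Include: the source address must fall in at least one range (OR)."""
    ip = ipaddress.ip_address(source_ip)
    return any(ip in n for n in _nets(ranges))

def require_match(source_ip, ranges):
    """Require: the source address must fall in every listed range (AND)."""
    ip = ipaddress.ip_address(source_ip)
    return all(ip in n for n in _nets(ranges))

def disjoint_pairs(ranges):
    """Pairs of ranges sharing no address; under Require no client satisfies both."""
    return [(str(a), str(b)) for a, b in combinations(_nets(ranges), 2)
            if not a.overlaps(b)]

def audit(groups):
    """Return {group name: disjoint pairs} for groups whose Require list can never match."""
    findings = {}
    for name, rules in groups.items():
        pairs = disjoint_pairs(rules.get("require", []))
        if pairs:
            findings[name] = pairs
    return findings

# Constructed sample definitions using documentation-only address ranges.
# The "include"/"require" keys are a hypothetical layout, not an export format.
GROUPS = {
    "office-ips-wrong": {"require": ["192.0.2.0/24", "198.51.100.0/24", "2001:db8::/32"]},
    "office-ips-right": {"include": ["192.0.2.0/24", "198.51.100.0/24", "2001:db8::/32"]},
}

if __name__ == "__main__":
    ranges = GROUPS["office-ips-right"]["include"]
    for ip in ("192.0.2.10", "2001:db8::1", "203.0.113.5"):
        print(ip, "include:", include_match(ip, ranges),
              "require:", require_match(ip, ranges))
    print(audit(GROUPS))
```

Running the audit over a group inventory before a policy change flags Require lists that would lock every user out, because no single source address can sit in two non-overlapping ranges.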