Rule groups
A rule group is a collection of Access rules that can be configured once and then quickly applied across many Access policies. Rule groups use the same rule types and selectors shown in the Access policy builder.
To create an Access rule group:
-
In Zero Trust ↗, go to Access > Rule groups.
-
Select Add a group.
-
Enter a name for the group (for example,
Lisbon-team). -
Specify as many rules as needed to define your user group. For example, the following rules define a team based in Lisbon, Portugal:
Rule type Selector Value Include Country PortugalRequire Emails Ending In @team.com -
Select Save.
Send a POST request to the /access/groups endpoint:
curl https://api.cloudflare.com/client/v4/accounts/{account_id}/access/groups \--header "X-Auth-Email: <EMAIL>" \--header "X-Auth-Key: <API_KEY>" \--header "Content-Type: application/json" \--data '{ "name": "Lisbon-team", "include": [ { "geo": { "country_code": "PT" } } ], "exclude": [], "require": [ { "email_domain": { "domain": "team.com" } } ], "is_default": false}'You can now add this group to an Access policy using the Rule groups selector.
We recommend using rule groups to define any IP address-based rules you configure in policies. Keeping IP addresses in one place allows you to modify or remove addresses once, rather than in each policy, and reduces the potential for mistakes.
You can create a rule group that consists of countries to allow or block. Access will treat the countries in the Include rule with an OR logical operator. When building policies for an Access application, you can assign this rule group to a Require policy to require at least one of the countries inside of the group. For an example policy, refer to Require rules with OR operators.