Skip to content
Cloudflare Docs

Manage Access policies

Access policies define the users who can log in to your Access applications. You can create, edit, or delete policies at any time and reuse policies across multiple applications.

Create a policy

To create a reusable Access policy:

  1. In Zero Trust, go to Access > Policies.
  2. Select Add a policy.
  3. Enter a Policy name.
  4. Choose an Action for the policy.
  5. Choose a Session duration for the policy.
  6. Configure as many Rules as needed.
  7. (Optional) Configure additional settings for users who match this policy:
  8. Select Save.

You can now add this policy to an Access application.

Edit a policy

To make changes to an existing Access policy:

  1. In Zero Trust, go to Access > Policies.
  2. Locate the policy you want to update and select Configure.
  3. Once you have made the necessary changes, select Save.

The updated policy is now in effect for all associated Access applications.

Delete a policy

To delete a reusable Access policy:

  1. In Zero Trust, go to Access > Policies and locate the policy you want to delete.
  2. If the policy is used by an application, remove the policy from all associated applications.
  3. Select Delete.
  4. A pop-up message will ask you to confirm your decision to delete the policy. Select Delete.

Test your policies

You can test your policies against an existing user identity to see if they would be granted access. For the policy tester to work, the user must have logged into the App Launcher or any other Access application at some point in time.

To check if a user has access to an application:

  1. In Zero Trust, go to Access > Applications.
  2. Locate the application you want to test and select Configure.
  3. Go to the Policies tab and select Test policies.
  4. Enter the user's email address and select Test policies.

The policy tester reports the following information:

  • Whether the user is allowed or denied access to the application based on all configured policies.
  • The user's identity from their most recent Access login attempt.
  • Whether the user matches individual Allow, Block, or Bypass policies.

Legacy policies

Legacy policies are scoped to a specific application and cannot be added to newly created Access applications.

Migrate to reusable policies

To migrate legacy policies to reusable policies:

  1. Create a reusable policy that will replace the legacy policy.
  2. Go to the Access application associated with the legacy policy.
  3. Add the reusable policy to the application and remove the legacy policy.
  4. Repeat these steps for each legacy policy. If you have duplicate legacy policies, you can replace them with a single reuseable policy.

Convert a legacy policy

You can use the API to convert a legacy policy into a reusable policy. To convert a legacy policy, make a PUT request with an empty request body:

Terminal window
curl --request PUT \
https://api.cloudflare.com/client/v4/accounts/{account_id}/access/apps/{app_id}/policies/{policy_id}/make_reusable \
--header "Authorization: Bearer <API_TOKEN>"

The policy is now removed from the applications endpoint (/access/apps/{app_id}/policies) and managed using the reusable policies endpoints(/access/policies/{policy_id}).