Cloudflare Docs
Cloudflare Zero Trust
Edit this page
Give us feedback
Set theme to dark (⇧+D)

Access groups

An Access group is a set of rules that can be configured once and then quickly applied across many Access applications. You can assign an Access group to any Access policy, and all the criteria from the selected group will apply to that application.

​​ Create a group

To create an Access group:

  1. In Zero Trust, go to Access > Access Groups.
  2. Select Add a Group.
  3. Enter a name for the group (for example, Lisbon-team).
  4. Specify as many rules as needed to define your user group. For example, the following rules define a team based in Lisbon, Portugal:
    Rule typeSelectorValue
    IncludeCountryPortugal
    RequireEmails Ending In@team.com
  5. Select Save.

Send a POST request to the /access/groups endpoint:

curl https://api.cloudflare.com/client/v4/accounts/{account_id}/access/groups \
--header 'Content-Type: application/json' \
--header 'X-Auth-Email: <EMAIL>' \
--header 'X-Auth-Key: <API_KEY>' \
--data '{
"name": "Lisbon-team",
"include": [
{
"geo": {
"country_code": "PT"
}
}
],
"exclude": [],
"require": [
{
"email_domain": {
"domain": "team.com"
}
}
],
"is_default": false
}'

You can now select this group in the Access policy builder.

​​ Group criteria

Group criteria determine whether or not a user is a member of a particular group. Since groups are simply a collection of Access rules, they use the same rule types and selectors shown in the Access policy builder.

​​ Groups for IP-based rules

We recommend using groups to define any IP address-based rules you configure in policies. Keeping IP addresses in one place allows you to modify or remove addresses once, rather than in each policy, and reduces the potential for mistakes.

​​ Groups for country requirements

You can create an Access group that consists of countries to allow or block. Access will treat the countries in the Include rule with an OR logical operator. When building policies for an Access application, you can assign this Access group to a Require policy to require at least one of the countries inside of the group.