Access Control Rules

Configure IP, CIDR, and FQDN rules with precedence-based resolution for fine-grained access control.

How Access Rules Work

Access rules determine whether a license check is allowed or denied based on the client's network identity. Rules can be applied at three scopes:

  1. Global — applies to all licenses across your organization
  2. Product — applies to all licenses of a specific product
  3. License — applies to a single license

Rule Types

  • IP Address — a single IPv4 or IPv6 address (e.g., 192.168.1.100)
  • CIDR Block — a subnet range (e.g., 10.0.0.0/8)
  • FQDN — a fully qualified domain name (e.g., app.example.com)

Each rule can be set to either allow (whitelist) or block (blacklist).

Precedence Order

Rules are resolved in strict precedence order. The first matching rule wins:

  1. License-level rules (highest priority)
  2. Product-level rules
  3. Global rules (lowest priority)

Within each scope, block rules take precedence over allow rules. This means a license-level block will override a product-level allow.

Default Behavior

If no rules match, the system applies the default policy. By default, all access is denied unless an allow rule explicitly permits it. You can change the default policy in organization settings if you prefer an allow-by-default approach.

Examples

Scenario: You want to allow access only from your corporate VPN subnet and block a specific IP.

  • Global rule: Block 203.0.113.50
  • Global rule: Allow 10.99.0.0/16

All license checks from within the VPN subnet will pass. The blocked IP will be denied even if it falls within the allowed subnet (block wins at same scope).