Access Control Rules
Configure IP, CIDR, and FQDN rules with precedence-based resolution for fine-grained access control.
How Access Rules Work
Access rules determine whether a license check is allowed or denied based on the client's network identity. Rules can be applied at three scopes:
- Global — applies to all licenses across your organization
- Product — applies to all licenses of a specific product
- License — applies to a single license
Rule Types
- IP Address — a single IPv4 or IPv6 address (e.g.,
192.168.1.100) - CIDR Block — a subnet range (e.g.,
10.0.0.0/8) - FQDN — a fully qualified domain name (e.g.,
app.example.com)
Each rule can be set to either allow (whitelist) or block (blacklist).
Precedence Order
Rules are resolved in strict precedence order. The first matching rule wins:
- License-level rules (highest priority)
- Product-level rules
- Global rules (lowest priority)
Within each scope, block rules take precedence over allow rules. This means a license-level block will override a product-level allow.
Default Behavior
If no rules match, the system applies the default policy. By default, all access is denied unless an allow rule explicitly permits it. You can change the default policy in organization settings if you prefer an allow-by-default approach.
Examples
Scenario: You want to allow access only from your corporate VPN subnet and block a specific IP.
- Global rule: Block
203.0.113.50 - Global rule: Allow
10.99.0.0/16
All license checks from within the VPN subnet will pass. The blocked IP will be denied even if it falls within the allowed subnet (block wins at same scope).