[CF1] identity-based selectors #24154

Merged
merged 2 commits into from
Aug 7, 2025
deadlypants1973
Contributor

Summary

PCX-18417

Screenshots (optional)

Documentation checklist

  • The documentation style guide has been adhered to.
  • If a larger change - such as adding a new page- an issue has been opened in relation to any incorrect or out of date information that this PR fixes.
  • Files which have changed name or location have been allocated redirects.

Contributor

github-actions bot commented Aug 4, 2025

This pull request requires reviews from CODEOWNERS as it changes files that match the following patterns:

Pattern Owners
/src/content/docs/cloudflare-one/policies/access/ @kennyj42, @ranbel, @cloudflare/pcx-technical-writing

Contributor

github-actions bot commented Aug 4, 2025

@@ -133,7 +133,18 @@ To require only one country and one email ending:

When you add a rule to your policy, you will be asked to specify the criteria/attributes you want users to meet. These attributes are available for all Access application types, including [SaaS](/cloudflare-one/applications/configure-apps/saas-apps/), [self-hosted](/cloudflare-one/applications/configure-apps/self-hosted-public-app/), and [non-HTTP](/cloudflare-one/applications/non-http/) applications.

Identity-based attributes are only checked when a user authenticates to Access. Non-identity attributes are polled continuously, meaning they are-evaluated with each new HTTP request for changes during the [user session](/cloudflare-one/identity/users/session-management/). If you have configured [SCIM provisioning](/cloudflare-one/identity/users/scim/), you can force a user to re-attest all attributes with Access whenever you revoke the user in the IdP or update their IdP group membership.
Identity-based attributes are only checked when a user authenticates to Access. The following selectors are identity-based:
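
Review bot: The rewritten paragraph no longer carries, in the visible replacement line, the two statements from the line it replaces: that non-identity attributes are re-evaluated with each new HTTP request during the user session, and that SCIM provisioning can force a user to re-attest when they are revoked in the IdP or their group membership changes. Those sentences tell an administrator when an identity change actually takes effect for a session that is already open, so keep them after the selector list unless the rest of the added lines already restates them. The replacement also says "Identity-based attributes" in its first sentence and "selectors" in its second, while the unchanged context line above still says "criteria/attributes"; use one term in all three places.
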
Contributor

I'd maybe add a comment about this being an example list of identity based rules. Just because we occasionally add rules and I can almost guarantee we are going to forget to come update this list.

Contributor

Does this list add anything that is not answered in the table below?

Contributor Author

@jroyal it is implied that if you read 'checked at login' in the table you can deduce that these items are identity-based selectors but we do not explicitly call out our identity based selectors. also 'Everyone' is also checked at login but I do not think that is an identity-based selector?

I can:

  1. delete the list
  2. leave the PR as just deleting the 'IP' bit above

if you think we are good as is. But I would change the word 'attributes' to 'selectors' explicitly because we use 'selectors' language in docs and dash and only say attributes here somewhat randomly

Contributor

Everyone is a weird one because it's basically just a true. It always passes. To your point I guess this is clearer, but we will just need to make sure we update it if it changes.

@deadlypants1973 deadlypants1973 merged commit 1fcea74 into production Aug 7, 2025
8 checks passed
@deadlypants1973 deadlypants1973 deleted the kate/fixes-bypasscallout branch August 7, 2025 10:55