
Cloudflare Access — Identity-Based Policies

DodaTech 4 min read

Cloudflare Access policies define who can reach your applications based on identity, device posture, location, and authentication method, enforcing Zero Trust access at the edge.

What You Will Learn

You will learn how to build Access policy building blocks using include, exclude, and require selectors, understand policy evaluation order, and create practical policies for common team structures.

Why It Matters

Traditional IP-based allowlists are brittle and insecure. Identity-based policies let you grant access based on who the user is rather than where they connect from, enabling secure remote access without a VPN.

Real-World Use Case

A 300-person product company uses Access policies to segment internal tools: engineering gets GitHub and Jenkins, marketing gets HubSpot and Canva, finance gets QuickBooks. Each policy checks Okta group membership and WARP device posture, and requires MFA.

Policy Architecture

Access policies use a three-part selector system: include (who is allowed), exclude (who is denied), and require (what conditions must be met). A request is allowed only when at least one include rule matches, every require rule is satisfied, and no exclude rule matches. The order in which the diagram checks the three is conceptual: the result is the same whichever selector is evaluated first, because the three conditions are combined with AND.

flowchart TD
    A[User Request] --> B{Include Rules}
    B -->|Matches| C{Require Rules}
    B -->|No Match| D[Deny]
    C -->|All Met| E{Exclude Rules}
    C -->|Any Missing| D
    E -->|Not Excluded| F[Allow]
    E -->|Excluded| D

Policy Building Blocks

Every Access policy consists of three selector types that work together:

Selector | Purpose | Example
Include | Who is allowed | Email domain, group, everyone
Require | Conditions that must be met | MFA, device posture, country
Exclude | Who is explicitly denied | Blocked users, contractors

Creating a Basic Policy via API

Create a policy that allows anyone from your company domain with MFA. This endpoint creates a reusable policy; it enforces nothing until it is attached to an Access application.

curl -s -X POST "https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/access/policies" \
  -H "Authorization: Bearer $API_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "name": "Company Access",
    "decision": "allow",
    "include": [{"email_domain": {"domain": "company.com"}}],
    "require": [{"auth_method": {"auth_method": "mfa"}}],
    "exclude": []
  }' | jq '.result.name, .result.id'

Expected output (the id is a UUID in practice; the value below is a placeholder):

"Company Access"
"abc-123-def-456"

Group-Based Policy for Team Access

Use Access groups to manage team-level permissions centrally.

# Create an Access group for engineering.
# The okta rule names the Okta group and the Cloudflare ID of your Okta
# identity provider integration (not the Okta group ID); okta-idp-id below
# is a placeholder to replace with that ID.
curl -s -X POST "https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/access/groups" \
  -H "Authorization: Bearer $API_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "name": "Engineering Team",
    "include": [
      {"okta": {"identity_provider_id": "okta-idp-id", "name": "Engineering"}},
      {"email_domain": {"domain": "engineering.company.com"}}
    ],
    "require": [{"auth_method": {"auth_method": "mfa"}}]
  }' | jq '.success'

Expected output:

true

Now reference this group in policies with the group selector (the group's id, returned as result.id when it is created) instead of repeating the individual rules in every policy. A change to the group then applies to every policy that references it.

Device Posture Policy

Require specific device posture checks before granting access. A device_posture rule references a posture check you have already configured in Zero Trust (for example a Disk Encryption check) by its UID; the check itself is not described inside the policy.

# int-abc is a placeholder for the UID of an existing posture check
curl -s -X POST "https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/access/policies" \
  -H "Authorization: Bearer $API_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "name": "Device Compliant Access",
    "decision": "allow",
    "include": [{"email_domain": {"domain": "company.com"}}],
    "require": [
      {"auth_method": {"auth_method": "mfa"}},
      {"device_posture": {"integration_uid": "int-abc"}}
    ],
    "exclude": []
  }' | jq '.success'

Expected output:

true

Common Mistakes

Mistake | Consequence
Using include instead of require for MFA | MFA becomes one of several OR-ed ways in; users who match any other include rule get access without MFA
Not setting exclude rules for former employees | Terminated users retain access until their IdP account is disabled
Overly permissive include rules | Everyone with a company email address gets access
Forgetting session duration limits | Sessions fall back to the default duration instead of one sized to the application's sensitivity, so a stolen session stays usable longer than it should
Mixing AND and OR logic incorrectly | Policies do not behave as intended

Practice Questions

  1. What is the difference between include and require selectors in an Access policy?
  2. How do Access groups simplify policy management across multiple applications?
  3. Why should exclude rules be used alongside include rules rather than as a replacement?

Challenge

Create three Access policies for a company with engineering, sales, and admin teams. Engineering and sales each have their own Okta group. Admins need access to everything. Each policy must require MFA and device posture compliance. Verify each policy with a test API call.

Real-World Task

Your organisation has five internal applications: a CRM, a source code repository, a documentation wiki, a monitoring dashboard, and an HR portal. Create Access policies that grant access based on department membership using Azure AD groups. Engineering gets the repository and monitoring. Sales gets the CRM. Everyone gets the wiki and HR portal. Require MFA for all applications and device posture for the source code repository.

FAQ

What happens if a user matches both include and exclude rules?

Exclude rules take priority over include rules. If a user matches any exclude rule, they are denied access even if they match all include and require rules. This ensures that explicit denials always override grants, which is useful for blocking specific contractors or terminated users without removing them from their IdP group.

Can I create a policy that denies access without an explicit deny rule?

Yes. Access policies use a default-deny model. If a user does not match any policy's include rules, they are denied by default. You do not need to create a catch-all deny rule. This is different from firewall rules where you often need an explicit deny-all at the end.

How are multiple include selectors evaluated?

Multiple include selectors are evaluated with OR logic — matching any single selector is sufficient. Multiple require selectors are evaluated with AND logic — all selectors must match. Multiple exclude selectors are evaluated with OR logic — matching any single selector triggers the exclusion. This combination gives you fine-grained control over policy behaviour.
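The following Python model, added here as an illustration and not Cloudflare's own code, runs the include/require/exclude logic described in the Policy Architecture section and in these FAQ answers offline, so you can see which stage denies a given user before you push a policy to the API. The policy and group dictionaries use the same selector shapes as the curl bodies in this article plus the group selector; the user context fields (email, idp_groups, amr, posture_passed, country) and every sample user, group id and posture UID are constructed for the example.

```python
# Added illustration (not Cloudflare code): an offline model of how one
# Access policy combines include (OR), require (AND) and exclude (OR, wins),
# including the group selector that references a reusable Access group.
# The identity-context keys and all sample data below are constructed.
from __future__ import annotations

from typing import Any

Rule = dict[str, Any]


def rule_matches(rule: Rule, ctx: dict[str, Any], groups: dict[str, dict]) -> bool:
    """True if a single selector matches the authenticated user's context."""
    (kind, spec), = rule.items()
    if kind == "everyone":
        return True
    if kind == "email":
        return ctx["email"].lower() == spec["email"].lower()
    if kind == "email_domain":
        # Exact domain match: a@eng.company.com does not satisfy company.com.
        return ctx["email"].lower().endswith("@" + spec["domain"].lower())
    if kind == "okta":
        return spec["name"] in ctx.get("idp_groups", ())
    if kind == "auth_method":
        # AMR values the IdP asserted for this login, e.g. ["pwd", "mfa"].
        return spec["auth_method"] in ctx.get("amr", ())
    if kind == "device_posture":
        return spec["integration_uid"] in ctx.get("posture_passed", ())
    if kind == "geo":
        return ctx.get("country") == spec["country_code"]
    if kind == "group":
        # A referenced group is its own include/exclude/require bundle; it has
        # no decision field, so evaluate() reports "allow" when it is satisfied.
        return evaluate(groups[spec["id"]], ctx, groups)[0] == "allow"
    raise ValueError(f"unsupported selector: {kind}")


def evaluate(policy: dict, ctx: dict[str, Any], groups: dict | None = None) -> tuple[str, str]:
    """Return (decision, reason) for one policy against one user context.

    A user who matches no include rule is denied, which is the default-deny
    behaviour the FAQ describes; an empty require list is vacuously satisfied.
    """
    groups = groups or {}

    def match(rule: Rule) -> bool:
        return rule_matches(rule, ctx, groups)

    if not any(match(r) for r in policy.get("include", [])):      # OR
        return "deny", "no include rule matched"
    if not all(match(r) for r in policy.get("require", [])):      # AND
        return "deny", "a require rule was not satisfied"
    if any(match(r) for r in policy.get("exclude", [])):          # OR, overrides
        return "deny", "an exclude rule matched"
    return policy.get("decision", "allow"), "all selectors satisfied"


# Constructed sample data mirroring this article's policies and group.
GROUPS = {
    "grp-engineering": {  # placeholder for the result.id of the created group
        "name": "Engineering Team",
        "include": [
            {"okta": {"identity_provider_id": "okta-idp-id", "name": "Engineering"}},
            {"email_domain": {"domain": "engineering.company.com"}},
        ],
        "require": [{"auth_method": {"auth_method": "mfa"}}],
    }
}

COMPANY_ACCESS = {
    "name": "Company Access", "decision": "allow",
    "include": [{"email_domain": {"domain": "company.com"}}],
    "require": [{"auth_method": {"auth_method": "mfa"}}],
    "exclude": [{"email": {"email": "offboarded@company.com"}}],
}

REPO_ACCESS = {
    "name": "Source Repository", "decision": "allow",
    "include": [{"group": {"id": "grp-engineering"}}],
    "require": [{"device_posture": {"integration_uid": "int-abc"}}],  # placeholder UID
}

USERS = {
    "alice": {"email": "alice@company.com", "amr": ["pwd", "mfa"]},
    "bob": {"email": "bob@company.com", "amr": ["pwd"]},
    "offboarded": {"email": "offboarded@company.com", "amr": ["pwd", "mfa"]},
    "carol": {"email": "carol@company.com", "amr": ["pwd", "mfa"],
              "idp_groups": ["Engineering"], "posture_passed": ["int-abc"]},
    "dave": {"email": "dave@company.com", "amr": ["pwd", "mfa"],
             "idp_groups": ["Engineering"]},  # in the group, posture check failed
    "mallory": {"email": "mallory@evil.example", "amr": ["pwd", "mfa"]},
}

if __name__ == "__main__":
    for name, ctx in USERS.items():
        for policy in (COMPANY_ACCESS, REPO_ACCESS):
            print(f"{name:10} {policy['name']:18} {evaluate(policy, ctx, GROUPS)}")
```

Running it shows the three ways a request is denied: bob matches the include but fails the MFA require, the offboarded account satisfies include and require but is caught by the exclude, and mallory never matches an include at all. The repository policy shows group expansion: carol satisfies the group's own include and require rules and the policy's posture require, while dave is in the Okta group but is denied because the posture check did not pass.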


Built by the developers of Doda Browser, DodaZIP, and Durga Antivirus Pro — security-first tools for the modern web.
