> ## Documentation Index
> Fetch the complete documentation index at: https://docs-staging-docs-event-stream-action-templates.mintlify.site/llms.txt
> Use this file to discover all available pages before exploring further.

# Management API Parameter Reference for Tenant Access Control List Rules

> View descriptions of all parameters for Tenant ACL endpoints in the Management API.

When you manage the Tenant Access Control List (ACL) with the [Management API](/docs/api/management/v2), the following rule parameters define the behavior of its rules.

## Signals

<ParamField path="asns" type="string[]">
  List of Autonomous System Numbers (ASNs)
</ParamField>

<ParamField path="connecting_ipv4_cidrs" type="string[]">
  List of IPv4 addresses or CIDR ranges of the infrastructure connecting directly to the Auth0 edge. Use this to match against the IP of a your reverse proxy or VPN rather than the end user IP.
</ParamField>

<ParamField path="connecting_ipv6_cidrs" type="string[]">
  List of IPv6 addresses or CIDR ranges of the infrastructure connecting directly to the Auth0 edge. Use this to match against the IP of a your reverse proxy or VPN rather than the end user IP.
</ParamField>

<ParamField path="hostnames" type="string[]">
  List of hostnames relevant to the tenant. This is matched against the Server Name Indication (SNI) of the request. Supported values include:

  , Canonical hostnames (for example, `t1.us.auth0.com`

  * Auth0 managed custom domains (for example, `auth.acmetest.org`
  * Self-managed custom domains (for example, `cd-t1…edge.tenants.us.auth0.com`

  You can use this signal to disable or restrict access to your canonical domain while allowing traffic via custom domains.
</ParamField>

<ParamField path="ipv4_cidrs" type="string[]">
  List of IPv4 addresses or CIDR ranges.
</ParamField>

<ParamField path="ipv6_cidrs" type="string[]">
  List of IPv6 addresses or CIDR ranges.
</ParamField>

<ParamField path="geo_country_codes" type="string[]">
  List of ISO 3166-1 alpha-2 country code.
</ParamField>

<ParamField path="geo_subdivision_codes" type="string[]">
  List of ISO 3166-2 subdivision code.
</ParamField>

<ParamField path="ja3_fingerprints" type="string[]">
  List of JA3 TLS Fingerprints.
</ParamField>

<ParamField path="ja4_fingerprints" type="string[]">
  List of JA4 TLS Fingerprints.
</ParamField>

<ParamField path="user_agents" type="string[]">
  List of client device or browser.
</ParamField>

## Conditions

<ParamField path="match" type="object">
  Returns successful if the provided signal and any of the provided values are equivalent.
</ParamField>

<ParamField path="not_match" type="object">
  Returns successful if the provided signal and none of the provided values are equivalent.
</ParamField>

## Actions

<ParamField path="allow" type="boolean">
  Allows traffic to pass through unaffected.
</ParamField>

<ParamField path="block" type="boolean">
  Blocks traffic from accessing specified scopes.
</ParamField>

<ParamField path="redirect" type="boolean">
  Redirects traffic to a provided location.
</ParamField>

<ParamField path="redirect_uri" type="string">
  URI to redirect traffic to.
</ParamField>

<ParamField path="log" type="boolean">
  Monitoring mode. No action is taken, but results are included in the Tenant ACL log event.
</ParamField>

## Scopes

<ParamField path="tenant">
  Enforces Tenant ACL for both `management` and `authentication` scopes.
</ParamField>

<ParamField path="management">
  Enforces Tenant ACL for requests sent to `{yourDomain}/api/v2/\*}` and `{yourDomain}/scim/\*}`.
</ParamField>

<ParamField path="dcr">
  Controls access to Dynamic Client Registration endpoint `/oidc/register`.
</ParamField>

<ParamField path="authentication">
  Enforces Tenant ACL for requests sent to anywhere not covered in `management` scope.
</ParamField>