Cloudflare Access Application Policies

Hi all

I was testing out the applications in Access and wanted to set up OTP to access one of my docker instances on my home server. I wanted access to only myself and partner so set up an access group with had INCLUDE and our two emails. I then assigned the group to the application as INCLUDE.

As a test, I requested a OTP via another email I have not on that list and the code was sent and I was able to login. I changed the group to REQUIRE which is all I want but the policy still needs me to have at least one INCLUDE.

I don’t understand why having only INCLUDES effectively makes the policy null. I would think that you should have at least one REQUIRE rather than INCLUDE?


Can you share what your policy is?

Hi @Cyb3r-Jak3 I think I saw why, cause my group had INCLUDE the emails and INCLUDE country. reading the Access Pages, if AT LEAST ONE of those conditions is met (as INCLUDE acts as an OR operator) then they are good to login.

I have now changed it such that my group is INCLUDES emails and nothing more. and the application has ALLOW for INCLUDES Access Group and no more.

Now I’m having an issue where my email doesn’t receive the notification!