Group rules vs Group policy for application

I tried configuring group rules in my application. I only see option to add Groups to applications via Identity > “User Group Names” or “User Group IDs”. I’m not sure why but the dropdown is not populated with existing “User Group Names” to choose from to prevent miss-typing.

The docs state the following:

I also get pre-populated list based on my existing group names if i try to make a rule within a group, but not if i try to make a rule from the application side.

Notice the pre-populated group selection options based on groups that are already setup. Is it intentional that this pre-population doesn’t work in Policies for applications?

The inconsistency is a little confusing to me and makes me wounder if I’m setting things up properly.

User group names and group IDs are for groups from your IDP. Based on your first screenshot you appear to be configuring a gateway rule.

The only Groups I’m aware of in Zero Trust are Access groups. Access groups are used in Access policies (which is what your second screenshot appears to show).

These 2 places point to the same rules for me:

  • Access > Applications > [Application Name] > Configure > Add a policy
  • Gateway > Firewall policies > Network > Add a policy > (but shows all app policies)

If “Groups” in these 2 places are based on Identity Provider, how do i configure Groups when I’m using One-TIme pin for authentication? Can “Access groups” be used to control access to applications?

Also, why doesn’t it throw any errors if I type a group name that doesn’t exist?

In an Access policy the groups are displayed at the top:

Gateway is not Access. The applications and access methods in Gateway don’t use Cloudflare Access, they use Gateway (and the Warp client) for allow/deny decisions.

You don’t.

Because Group Name or Group ID from an IdP is evaluated at authentication time based on the display name or ID of the group being used. Cloudflare has no knowledge of the groups in the IdP, it’s data provided by the IdP at the time of authentication.

In an Access policy the groups are displayed at the top

This is only true with SaaS apps Access policy. Assign a group prompt doesn’t show up for self-hosted apps. That is where some of my confusion is.

That makes sense.

The applications and access methods in Gateway don’t use Cloudflare Access, they use Gateway (and the Warp client)

This is confusing. The applications in gateway doesn’t use Cloudflare Access, but they use Gateway, which includes Network policies that after being created can be found in Access > Applications > [Self-Hosted App Name] > Configure > [Policy].

The warp client is aware of the user (email) trying to authenticate to use the Self-Hosted app. But I don’t see a way to create a Group that includes all emails and then apply that Group to a Policy for Self-Hosted apps. This is strange considering Gateway and Warp are aware of the authenticated user Id and email via My Team > Users.

I need to be able to control access using the Cloudflare configured user data instead of giving all users access to all self-hosted apps. Currently I only see one way to control access (by user email for example) to applications (Self-Hosted) that depend on the warp client : Manually enter the email address of each user in each apps policy.

via Access > Applications > [Self-Hosted App Name] > Configure
via Gateway > Firewall policies > Network > Add a policy > [Self-Hosted App Policy Name] > Configure.

If I already have Groups configured that have all those email addresses, it seems like it would be more logical to simply assign an existing group to an apps policy. What am I missing in available configuration?

Not in my dashboard. They show up in Gateway | Firewall Policies | Network.

Access Groups are available when creating an Access policy. Go to an existing Access application and click add policy, select the Access Groups you want to use and add them.

Access groups aren’t available for network policies. There are multiple reasons for that from an architecture perspective, but the simplest is explanation is the internet isn’t the World Wide Web.