Skip to content
API reference

Login access policy

Open in ChatGPT Open in Claude

A login access policy controls who can log in to your Coralogix team — on top of, not in place of, password or SSO authentication. It has two tabs, each an independent allow list:

  • IP access — only the IPv4 addresses and ranges you list can log in to the team.
  • Domain access — only users whose email address uses a listed domain can log in to the team.

Each list is opt-in: while a list is empty, that check allows everyone. Add the first entry to start enforcing it. Each team has its own IP access and domain access lists.

When to use a login access policy

Two common scenarios:

  • Lock the team to corporate networks. Only sessions originating from your office network or VPN reach the team.
  • Restrict access to company email domains. Only addresses on the domains you list — for example, acme.com and acme-eng.com — can authenticate, so personal accounts and lookalike domains cannot be added to the team.

The two tabs are independent, so you can roll the controls out one at a time — for example, restrict by email domain first while you collect the IP ranges you want to allow.

Ready to get started?

Open Settings and select Login access policy, then add your first allowed address on the IP access tab.

What you need

  • A role with the TEAM-IP-ACCESS:MANAGE permission to manage IP access, the DOMAIN-RESTRICTIONS:MANAGE permission to manage domain access, or both. The Platform Admin and TeamAdmin roles include these by default.
  • The IP address or range, or the email domain, you want to allow.

IP access

The IP access tab lists the IPv4 addresses and CIDR (Classless Inter-Domain Routing) ranges allowed to log in to the team. While the list is empty, the team allows all connections. Once you add the first entry, the team accepts logins only from a listed address or range.

Add an allowed IP address

  1. Open Settings, select Login access policy, and open the IP access tab.
  2. Select Add IP address to open the Add allowed IP address dialog.
  3. In IP address, enter a single IPv4 address or a CIDR range — for example, 192.168.1.1 or 10.0.0.0/24.
  4. (Optional) In Name, enter a label such as the office or network name.
  5. Leave Active on to enforce the entry as soon as you add it, or turn it off to add the entry without enforcing it yet. When inactive, the IP address is not enforced.
  6. Select Add IP address.

Warning

Adding or activating a range that does not include your current IP address can lock you out of the team. Coralogix warns you before you confirm, and stops you from activating a rule that would cut off your own access.

Manage IP entries

The IP access table shows each entry's IP, Name, and Active state. From the row toolbar you can:

  • Deactivate or Activate — stop or resume enforcing an entry without deleting it. You can also flip the per-row toggle in the Active column.
  • Delete — remove an entry. Removing the last entry allows connections from everywhere again.
  • Download — export the current list as a CSV.

The Coralogix Support Team row controls access for Coralogix Customer Success over its VPN. Turn it off to block that access.

Import IP addresses from a CSV

Select Upload CSV to replace the entire IP allow list from a file.

  • Columns: ip_address (required), name, enabled (true or false — controls the Active toggle). Use one entry per row.
  • Each value can be a single IPv4 address or a CIDR range.
  • Importing replaces all existing entries — review the preview before you apply it.
  • Select Download template to start from the expected format.

Domain access

Limited access

Domain access is currently available to selected teams. Speak to Coralogix Customer Support for access.

The Domain access tab lists the email domains allowed to log in to the team. While the list is empty, the team allows all email domains. Once you add the first domain, only users whose email address uses a listed domain can log in.

The table shows each domain's Domain, Name, Source, Added on, Added By, and Affected users. Domains added through cluster configuration or the API appear as read-only and are tagged accordingly.

Add an allowed domain

  1. Open the Domain access tab.
  2. Select Add domain.
  3. In Domain, enter the domain — for example, acme.com.
  4. (Optional) In Name, enter a label such as the company name.
  5. Select Add domain.

Warning

Removing the domain that matches your own email address blocks your access to the team. Coralogix warns you before you delete your own domain.

Import domains from a CSV

Select Upload CSV to replace the manually configured domain list from a file.

  • Columns: domain (required), name. Use one entry per row.
  • Read-only domains from cluster configuration are not affected by the import.

How the two lists work together

IP access and domain access are evaluated independently. An empty list never blocks anyone — it allows all IP addresses, or all email domains, for that check. When both lists have entries, a user must satisfy both to log in: connect from an allowed IP address and use an allowed email domain.

Limitations

  • IP access supports IPv4 addresses and IPv4 CIDR ranges only. IPv6 is not supported.
  • In CIDR notation, host bits must be zero — for example, use 10.0.0.0/24, not 10.0.0.5/24.
  • Importing a CSV replaces the entire list for that tab. It is not additive.
  • Domains added through cluster configuration are read-only in the UI; you cannot edit or delete them there.
  • A domain name can be at most 255 characters.

Permissions

PermissionDescription
TEAM-IP-ACCESS:MANAGEConfigure and modify the team's IP access list.
TEAM-IP-ACCESS:READCONFIGView the team's IP access list.
DOMAIN-RESTRICTIONS:MANAGEConfigure and modify the team's allowed login domains.
DOMAIN-RESTRICTIONS:READView the team's allowed login domains.

API

You can manage IP access programmatically with the IP Access API, which supports bulk creation and CIDR notation. See the IP Access reference.

Need help? Contact Support.
What's new? Find out here.
LLM? Read llms.txt.
Previous Multi-SAML for SSO
Next SCIM