Manage access

Access in Firezone is default-deny: a Resource is unreachable until a Policy grants access to it. Granting someone access always follows the same shape:

  1. Put the users in a Group. Groups are synced from your identity provider or managed manually in the admin portal.
  2. Define the Resource you want to expose — a DNS name, IP, or CIDR range, optionally restricted to specific ports and protocols.
  3. Create a Policy linking the Group to the Resource. Go to Policies → New Policy, then select the Group and Resource it applies to.
  4. (Optional) Add conditions to restrict when and from where access is allowed, such as by client location, IP range, or time of day. Conditions are available on Team and Enterprise plans.

To revoke access, remove or disable the Policy that granted it.

Common workflows

The recipes below apply this workflow to common secure-access scenarios. Each assumes you have a Firezone account and at least one Site created. If you haven't done that, go here to sign up for an account and create a Site.

These are just a few ways Firezone can help your organization achieve zero trust access. If you have a use case you'd like to see covered here, please let us know!


Need help? See all support options.

Found a problem with this page? Open an issue
Last updated: July 01, 2026