# Rule Evaluation for the Tenant Access Control List

> Learn how the Tenant ACL's deterministic engine evaluates rule matches and execution.

Tenant ACL uses a deterministic engine to evaluate incoming requests. To determine if an action (allow, block, or redirect) should be taken, the engine follows these evaluation steps:

1. Evaluation order (priority)

2. Condition matching (signal)

3. Match termination with monitoring mode exception

## Evaluation Order

The Tenant ACL evaluates rules in ascending order based on their priority number. Evaluation starts at the lowest number, priority 0, and proceeds sequentially.

If two rules could both match a request, the one with the lower priority number will trigger first.

## Condition Matching

For a single rule to trigger its action, it must satisfy the matching logic. This logic determines how the engine treats multiple values and multiple signal types:

| Logic Type       | Behavior | Description                                                                                                                                                                                                  | Example                                                                      |
| ---------------- | -------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | ---------------------------------------------------------------------------- |
| Signal Matching  | OR       | Within a specific signal, a request must match at least one entry in the list to satisfy that signal requirement.                                                                                            | If `ipv4_cidrs` contains multiple IP CIDRs, at least one of them must match. |
| Multiple Signals | AND      | If a rule contains multiple different signal types, the request must match all provided signal types. As an exception, if a rule contains both `ipv4_cidrs` and `ipv6_cidrs`, only one is required to match. | If a rule has both `ipv4_cidrs` and `asn`, both must match.                  |

Any signal types not provided in a rule are ignored and do not impact the rule's evaluation logic.

## Match Termination

Tenant ACL applies the first match. Once a rule's conditions are fully met, the behavior depends on whether the rule is in [monitoring mode](./enable-monitoring-mode) or not.

| Behavior       | Monitoring mode disabled                                                               | Monitoring mode enabled                                     |
| -------------- | -------------------------------------------------------------------------------------- | ----------------------------------------------------------- |
| **Logging**    | An `acls_summary` log event is triggered.                                              | An `acls_summary` log event is triggered.                   |
| **Execution**  | The rule's defined action is executed immediately.                                     | The rule's defined action is not executed.                  |
| **Evaluation** | Evaluation terminates. No subsequent or lower priority Tenant ACL rules are evaluated. | Evaluation continues to the next rule in the priority list. |
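
The three steps can be modeled in a few lines to check how a draft rule set will behave, for example whether an allow rule shadows a later block or whether a monitoring-mode rule lets evaluation fall through. This is an added sketch, not the product's own code: the rule dictionary layout, the `monitoring` flag, the request keys `ip` and `asn`, and the sample values are assumptions.

```python
import ipaddress

# Constructed sample rules. The "monitoring" flag, the list-of-ints form of
# `asn` and the request keys "ip"/"asn" are assumptions for this sketch.
RULES = [
    {"priority": 20, "action": "block", "ipv4_cidrs": ["203.0.113.0/24"]},
    {"priority": 0, "action": "block", "monitoring": True,
     "ipv4_cidrs": ["203.0.113.0/24"]},
    {"priority": 10, "action": "allow", "asn": [64500],
     "ipv4_cidrs": ["198.51.100.0/24", "203.0.113.0/24"],
     "ipv6_cidrs": ["2001:db8::/32"]},
]

def rule_matches(rule, request):
    """AND across signal types, OR within each signal's list."""
    checks = []
    # ipv4_cidrs and ipv6_cidrs together form one requirement: either may match.
    cidrs = rule.get("ipv4_cidrs", []) + rule.get("ipv6_cidrs", [])
    if cidrs:
        ip = ipaddress.ip_address(request["ip"])
        # A v4 address is never "in" a v6 network (and vice versa): returns False.
        checks.append(any(ip in ipaddress.ip_network(c) for c in cidrs))
    if "asn" in rule:
        checks.append(request["asn"] in rule["asn"])
    # Signals absent from the rule add no check. Assumption: a rule with no
    # signals at all matches nothing (the page does not cover that case).
    return bool(checks) and all(checks)

def evaluate(rules, request):
    """Return (enforced_action_or_None, priorities that logged acls_summary)."""
    logged = []
    for rule in sorted(rules, key=lambda r: r["priority"]):  # ascending, 0 first
        if not rule_matches(rule, request):
            continue
        logged.append(rule["priority"])  # logged in both modes
        if rule.get("monitoring"):
            continue  # monitoring mode: action not executed, keep evaluating
        return rule["action"], logged  # first enforcing match terminates
    return None, logged  # no enforcing rule matched

if __name__ == "__main__":
    for req in ({"ip": "203.0.113.7", "asn": 64500},
                {"ip": "203.0.113.7", "asn": 64501},
                {"ip": "2001:db8::1", "asn": 64500}):
        print(req, evaluate(RULES, req))
```

In the sample set, the priority 10 allow rule shadows the priority 20 block for any request that also matches its `asn` list, while the priority 0 monitoring rule only logs.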
