## Restricting domain and IP addresses for individual user accounts

User account admins can control access to login and signup by specifying which IP addresses are permitted or blocked.

After [embedding the self-service portal](/ciam/guides/admin-portal/intro), your users can enable an allowlist to permit only specific IPs or a denylist to block certain IPs while allowing all others.

### Restricting IPs via the Self-Service Portal

You can restrict access to your application based on IP addresses. IP restrictions apply to sign-up and logging in, meaning users accessing from a blocked IP will be denied access.

1. Log in to your application and in the Admin Portal navigate to the **Security** tab.
![restrict-ip-self-service-1](/assets/restrict-ip-self-service-1.a5204ba70e172506a56391eacea9429f7168788b96e8d51d8120d013597445b3.8d25b62c.png)
2. Scroll down to the **Restriction** section and click **Manage**.
![restrict-ip-self-service-2](/assets/restrict-ip-self-service-2.f72dd72e4817282e8caf4c43c6844d5d2cae1826fcd0dc9236d6b3b777dcd0f3.8d25b62c.png)
3. Enable **IP Address Restriction** by toggling the switch.
![restrict-ip-self-service-3](/assets/restrict-ip-self-service-3.519d7c5aa102eaec48ed934a9f4572cedd1caf2921b84e594becbe713e9a895c.8d25b62c.png)
4. Click **Add my IP** to add your own IP address to the list.
![restrict-ip-self-service-4](/assets/restrict-ip-self-service-4.bf752f894467e2389eec5113ff89f2cd5a8fba6429eaadc52f925e80308a0161.8d25b62c.png)
5. Select a restriction method from the dropdown menu: **Allow only** or **Deny only**.
![restrict-ip-self-service-5](/assets/restrict-ip-self-service-5.847c33fc17ea437f2d4d05fbc2aa980af493533705dde1d09e5362733b3a6af9.8d25b62c.png)
6. Enter a description for the IP address in the **IP Description** field.
![restrict-ip-self-service-6](/assets/restrict-ip-self-service-6.a0e51bdea4b8ff37387c0dae6783c3b3319798a54d1b13e33f6178eb33e07416.8d25b62c.png)
7. Enter the IP address in the **IP Address** field.
![restrict-ip-self-service-7](/assets/restrict-ip-self-service-7.e0569cb8381baaf1e7343762ce88e655333e42f1ce5e9cd2d6b7a8322de9c783.8d25b62c.png)
8. Click **Add**.
![restrict-ip-self-service-8](/assets/restrict-ip-self-service-8.4efc09efda622099f8b579929f9d285fccae80fd7b1f04caf40904e536b2902e.8d25b62c.png)
9. To delete an IP address from the list, click the three dots next to the IP address you want to remove.
![restrict-ip-self-service-9](/assets/restrict-ip-self-service-9.37b364daeb0eb80af50a8a84496e8a2d340ffb4f27f2654b4bac40a64736eb1d.8d25b62c.png)
10. Click **Delete**.
11. Confirm the deletion by clicking **Delete** again.


![restrict-ip-self-service-10](/assets/restrict-ip-self-service-10.a3f177333f944b44b4a0f22d97756093a4b737a4046f64bf33a780aff3fc0962.8d25b62c.png)

### Restricting Domains via the Self-Service Portal

To enhance security, you can restrict access based on domains. Domain restrictions apply to sign-up and invitation, meaning users with a blocked domain cannot register or be invited, but already activated users remain unaffected.

1. Log in to your application and in the Admin Portal navigate to the **Security** tab.
![restrict-ip-self-service-1](/assets/restrict-ip-self-service-1.a5204ba70e172506a56391eacea9429f7168788b96e8d51d8120d013597445b3.8d25b62c.png)
2. Scroll down to the **Restriction** section and click **Manage**.
![restrict-ip-self-service-2](/assets/restrict-ip-self-service-2.f72dd72e4817282e8caf4c43c6844d5d2cae1826fcd0dc9236d6b3b777dcd0f3.8d25b62c.png)
3. Click the **Domain** tab and enable **Domain restriction** by toggling the switch.
![restrict-domain-self-service-1](/assets/restrict-domain-self-service-1.3f04b2b4462b87c7ef2eb3c567fc70355a6254ea86d564dc82b05126e31e4d85.8d25b62c.png)
4. Select a restriction method from the dropdown menu: **Allow only** or **Deny only**.
![restrict-domain-self-service-2](/assets/restrict-domain-self-service-2.0df6804d2087feb6a74b179fc8f2b8d7c2d04819ecbd065a62bf47723a21dea8.8d25b62c.png)
5. Enter the domain you want to restrict in the list.
![restrict-domain-self-service-3](/assets/restrict-domain-self-service-3.8969a5c92a460c234a7d47c49ab67f67827ca47ccd0da11e3b66e7321e7c1db4.8d25b62c.png)
6. Click the **green plus button** to add the domain.
![restrict-domain-self-service-4](/assets/restrict-domain-self-service-4.8245f8abb2a9e779f861589ff0b8b4ddc4124862d7796e49e17915b64728e906.8d25b62c.png)
7. To delete a domain from the list, click the **X** icon next to the domain you want to remove.
8. To block all public domain emails, toggle the **Block all public domain emails** switch on.
![restrict-domain-self-service-5](/assets/restrict-domain-self-service-5.5a22d2ec8bba6143be00b656b815602cdd01a03f0238b868010770b32c2dc493.8d25b62c.png)