> ## Documentation Index
> Fetch the complete documentation index at: https://auth0.com/llms.txt
> Use this file to discover all available pages before exploring further.

> Learn how to exclude resources from being managed when using the Auth0 Deploy CLI.

# Exclude Resources From Management

In some cases, you may find it useful to exclude resources from being managed. This could be because your tenant has a large number of a particular resource and it’s operationally burdensome to manage them, or your development workflow only pertains to a specific subset of resources and you’d like to omit all other resources for performance. Regardless, there are several options available for excluding resources when using the Deploy CLI.

## Exclude entire resources by type

For more complex tenants, you may find yourself wanting to omit entire resource types. For example:

* Enterprise tenant with thousands of organizations, where managing all would be operationally burdensome.
* CI/CD process only focuses on managing roles, and you want to exclude all others.
* Feature development pertains to hook, and you want to temporarily exclude all others to optimize performance.

This type of exclusion is expressed by passing an array of resource names into either the `AUTH0_EXCLUDED` or `AUTH0_INCLUDED_ONLY` configuration properties. The `AUTH0_EXCLUDED` configuration property excludes only the resource types provided to it. Inversely, the `AUTH0_INCLUDED_ONLY` property excludes all properties except the ones defined. Exclusion works bi-directionally, that is, both when export from Auth0 and importing to Auth0, regardless if resource configuration files exist or not.

All supported resource values for exclusion: `actions`, `attackProtection`, `branding`, `clientGrants`, `clients`, `connections`, `customDomains`, `databases`, `emailProvider`, `emailTemplates`, `guardianFactorProviders`, `guardianFactorTemplates`, `guardianFactors`, `guardianPhoneFactorMessageTypes`, `guardianPhoneFactorSelectedProvider`, `guardianPolicies`, `logStreams`, `migrations`, `organizations`, `pages`, `prompts`, `resourceServers`, `roles`, `tenant`, `triggers`.

### Exclusion example

The following example shows how to exclude `clients`, `connections`, `databases`, and `organizations` from being managed by the Deploy CLI.

```json lines theme={null}
{
  "AUTH0_DOMAIN": "example-site.us.auth0.com",
  "AUTH0_CLIENT_ID": "<YOUR_AUTH0_CLIENT_ID>",
  "AUTH0_EXCLUDED": ["clients", "connections", "databases", "organizations"]
}
```

### Inclusion example

The following example shows how to specify to only manage `actions`, `clients` and `connections` by the Deploy CLI.

```json lines theme={null}
{
  "AUTH0_DOMAIN": "example-site.us.auth0.com",
  "AUTH0_CLIENT_ID": "<YOUR_AUTH0_CLIENT_ID>",
  "AUTH0_INCLUDED_ONLY": ["actions", "clients", "connections"]
}
```

## Exclude single resources by ID

Some resource types support exclusions of the individual resource by ID. This is useful if you work in a multi-environment context and wish to omit a production-specific resource from your lower-level environments.

This method is supported for rules, clients, databases, connections and <Tooltip tip="Resource Server: Server hosting protected resources. Resource servers accept and respond to protected resource requests." cta="View Glossary" href="/docs/glossary?term=resource+servers">resource servers</Tooltip> with the `AUTH0_EXCLUDED_RULES`, `AUTH0_EXCLUDED_CLIENTS`, `AUTH0_EXCLUDED_DATABASES`, `AUTH0_EXCLUDED_CONNECTIONS`, `AUTH0_EXCLUDED_RESOURCE_SERVERS` configuration values respectively.

### Example

```json lines theme={null}
{
  "AUTH0_DOMAIN": "example-site.us.auth0.com",
  "AUTH0_CLIENT_ID": "<YOUR_AUTH0_CLIENT_ID>",
  "AUTH0_EXCLUDED_CLIENTS": ["Your Application Name"],
  "AUTH0_EXCLUDED_CONNECTIONS": ["con_O1H3KyRMFP1IWRq3", "con_9avEYuj19ihqKBOs"]
}
```

<Callout icon="file-lines" color="#0EA5E9" iconType="regular">
  Excluding resources by ID is being considered for deprecation in future major versions. See the [resource exclusion proposal](https://github.com/auth0/auth0-deploy-cli/blob/6381ce6efa8cd59e7a5c8d37e8915b0989d677b9/docs/excluding-from-management.md?plain=1#L51) for more details.
</Callout>

## Omission and empty states

In addition to excluding resources, which forcefully ignore configurations bi-directionally, the Auth0 Deploy  CLI supports two similar concepts: omission and empty states.

### Omission

Resource configuration that is absent, either intentionally or unintentionally, will be skipped during import. For example, if your resource configuration were deleted, it would be skipped during import and would not alter the state of the remote tenant.

There is no concept of omission for exporting. Unless specifically excluded, all your tenant configurations will be written to resource configuration files.

#### Example

```yaml lines theme={null}
roles: # roles configuration is not omitted
  - name: Admin
    description: Can read and write things
    permissions: []
  - name: Reader
    description: Can only read things
    permissions: []
# The omission of all other configurations means they'll be skipped over
```

### Empty

Resource configuration that is explicitly defined as empty. For set-based configurations like hooks, organizations, and actions, setting these configurations to an empty set expresses an intentional emptying of those resources. This would signal a deletion, so long as the AUTH0\_ALLOW\_DELETE deletion configuration property is enabled. To learn more about this property, read [Configure the Deploy CLI](/docs/deploy-monitor/deploy-cli-tool/configure-the-deploy-cli).

For non-set-based resource configuration like tenant and branding, the concept of emptiness does not apply, and will not trigger any deletions or removals.

#### Example of emptiness

```yaml lines theme={null}
hooks: [] # Empty hooks
connections: [] # Empty connections
tenant: {} # Effectively a no-op, emptiness does not apply to non-set resource config
```