Access levels define various attributes that are used to filter requests made to certain resources. The following table lists the attributes supported by access levels and provides additional details about each attribute.
When you create or modify an access level using the gcloud command-line tool, you must format the attributes in YAML. This table includes the YAML syntax for each attribute, and the valid values. Links to the REST and RPC reference information for each attribute are also included.
For more information about access levels and YAML, refer to the example YAML for an access level.
You can include the following attributes in your access level:
Attributes
IP subnetworks
Description | Checks whether a request is coming from one or more IPv4 and/or IPv6 CIDR blocks that you specify. When you specify more than one IP subnetwork, the values you enter are combined using an OR operator when the condition is evaluated: the request has to match any one of the values that you specify for the condition to evaluate to true. |
YAML | ipSubnetworks |
Valid values | A list of one or more IPv4 or IPv6 CIDR blocks. |
Regions
Description | Checks whether a request originated from a specific region. Regions are identified by the corresponding ISO 3166-1 alpha-2 codes. When you specify more than one region, the values you enter are ORed when the condition is evaluated. Users are granted access if they are in one of the regions that you specify. |
YAML | regions |
Valid values | A list of one or more ISO 3166-1 alpha-2 codes. |
API reference | None |
Access level dependency
Description | Checks whether a request meets the criteria of one or more access levels. |
YAML | requiredAccessLevels |
Valid values | A list of one or more existing access levels, each formatted as accessPolicies/POLICY-NAME/accessLevels/LEVEL-NAME, where POLICY-NAME is the numeric name of your organization's access policy and LEVEL-NAME is the name of the access level that you want to add as a dependency. |
Principals
Description | Checks whether a request is coming from a specific user or service account. This attribute can only be included in conditions when creating or modifying an access level using the gcloud command-line tool or the Access Context Manager API. If you created an access level using the Google Cloud console, either of the methods previously mentioned can be used to add principals to that access level. |
YAML | members |
Valid values | A list of one or more user or service accounts, each entry formatted as `- user: EMAIL` or `- serviceAccount: EMAIL`, where EMAIL is the email that corresponds to the user or service account that you want to include in the access level. Groups are not supported. |
Device policy
To use the device policy attributes with mobile devices, you must configure MDM for your organization. To use the device policy attributes with other devices, Endpoint Verification must be enabled.
Description | A device policy is a collection of attributes that are used to filter requests based on information about the device where the request originated. For example, device policy attributes are used in conjunction with Identity-Aware Proxy to support Context-Aware Access. |
YAML | devicePolicy |
Valid values | devicePolicy is a list of one or more device policy attributes. The attributes listed below are supported. |
Only certain device policy attributes can be used with mobile devices. The Supports mobile devices row identifies whether an attribute can be used with mobile devices.
requireAdminApproval
YAML | requireAdminApproval |
Valid values | true or false. If omitted, defaults to false. |
requireCorpOwned
YAML | requireCorpOwned |
Valid values | true or false. If omitted, defaults to false. |
osConstraints
Description | Checks whether a device is using a specified operating system. Additionally, you can specify a minimum version of an OS that a device must be using. If you create a Chrome OS policy, you can also specify that it must be a verified Chrome OS. When you select more than one operating system, the values you select are ORed when the condition is evaluated. Users are granted access if they have one of the operating systems that you specify. |
YAML | osConstraints |
Valid values | osConstraints is a list that must include one or more instances of osType. osType can be paired with an instance of minimumVersion, but minimumVersion is not required. |
- osType must include one or more of the following values: DESKTOP_MAC, DESKTOP_WINDOWS, DESKTOP_CHROME_OS, DESKTOP_LINUX, IOS, ANDROID.
- minimumVersion is optional. If used, it must be included with osType. minimumVersion must include a minimum version formatted as MAJOR.MINOR.PATCH. For example: 10.5.301.
- If you specify DESKTOP_CHROME_OS for osType, you can optionally include requireVerifiedChromeOs. Valid values for requireVerifiedChromeOs are true and false.
- If you specify IOS or ANDROID for osType, you can optionally include any device policy attribute that supports mobile devices.