At the top of theAccess Context Managerpage, clickNew.
In theNew Access Levelpane:
In theAccess level titlebox, enter a title for the access level.
The title must be at most 50 characters, start with a letter, and can
contain only numbers, letters, underscores, and spaces.
FollowingCreate Conditions in, selectAdvanced Mode.
In theConditionssection, enter the expressions for your custom
access level. The condition must resolve to a single boolean value.
For examples and more information about Common Expression Language
(CEL) support and custom access levels, see theCustom access level
specification.
LEVEL_NAMEis a unique name for the access level. It must
begin with a letter and include only letters, numbers, and
underscores. The name can be a maximum of 50 characters.
TITLEis the short, human-readable title for the access
level.
FILEis a .yaml file that contains your CEL expression
formatted as a single key-value pair:expression: "CEL_EXPRESSION".
For examples and more information about Common Expression Language (CEL)
support and custom access levels, see theCustom access level specification.
DESCRIPTION(optional) is a human-readable description of the
access level.
POLICY_NAMEis the numeric name of your organization's
access policy.
When you use thegcloudcommand-line tool to create a custom access level, you must provide
a .yaml file for thecustom-level-specoption. The .yaml file defines
a CEL expression that resolves to a single boolean value. The .yaml file
must contain a single key-value pair formatted asexpression: "CEL_EXPRESSION". The value forexpressionmust
be a string.
Example YAML file
expression:"device.encryption_status == DeviceEncryptionStatus.ENCRYPTED && (origin.region_code in ['US'] || device.is_admin_approved_device)"
Example command
gcloudaccess-context-managerlevelscreateCustom_Trust\--custom-level-spec=customspec.yaml\--description="Custom access level for corp."\--title="Custom Trust Level"\--policy=1521580097614100
For thecustomfield, create an object that includes the CEL expressions
for your custom access level. The complete expression must resolve to a
boolean value. Thetitleanddescriptionfields are optional.
Example
{"name":"example_custom_level","title":"Example custom level","description":"An example custom access level.","custom":{"expr":{"expression":"device.is_corp_owned == true || (device.os_type != OsType.OS_UNSPECIFIED && device.is_admin_approved_device == true)","title":"Check for known devices","description":"Permits requests from corp-owned devices and admin-approved devices with a known OS."}}}
For theaccess_levelfield, include an instance ofAccessLevel.
Fields
name
Type
string
Description
Required.
The resource name for the access level. ThePOLICY_IDis the numeric name of your
Organization's access policy. TheSHORT_NAMEmust begin with a letter, and
include only letters, numbers, and underscores.
Format:
accessPolicies/policy_id/accessLevels/short_name
title
Type
string
Description
A human-readable label for the access level. Access levels
must have unique names.
description
Type
string
Description
A description of the access level.
custom
Type
string
Description
The CEL expressions for your custom access level. The
complete expression must resolve to a boolean value.
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Hard to understand","hardToUnderstand","thumb-down"],["Incorrect information or sample code","incorrectInformationOrSampleCode","thumb-down"],["Missing the information/samples I need","missingTheInformationSamplesINeed","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-09-04 UTC."],[[["\u003cp\u003eThis feature to create custom access levels is only available with a paid enterprise security subscription, which you can sign up for if interested.\u003c/p\u003e\n"],["\u003cp\u003eCustom access levels are created using Common Expression Language (CEL) expressions, and after they are created can be managed like basic access levels.\u003c/p\u003e\n"],["\u003cp\u003eCustom access levels can be created in the Google Cloud console by entering a title, selecting Advanced Mode, and entering CEL expressions.\u003c/p\u003e\n"],["\u003cp\u003eThe \u003ccode\u003egcloud\u003c/code\u003e command-line tool allows for the creation of custom access levels using a \u003ccode\u003e.yaml\u003c/code\u003e file containing a single CEL expression.\u003c/p\u003e\n"],["\u003cp\u003eCustom access levels can also be created using REST and RPC methods by including an instance of the \u003ccode\u003eAccessLevel\u003c/code\u003e object, with the CEL expression, in the request.\u003c/p\u003e\n"]]],[],null,["# Creating a custom access level\n\n| **Note:** This feature is available only as part of a paid enterprise security subscription. You can [sign up](https://go.chronicle.security/beyondcorp-upgrade) if interested.\n\nAfter a custom access level is created, it can\nbe [managed in the same manner as basic access levels](/access-context-manager/docs/manage-access-levels).\n\nFor details about building Common Expression Language (CEL) expressions for\ncustom access levels, refer to the\n[custom access level specification](/access-context-manager/docs/custom-access-level-spec). \n\n### Console\n\nTo create a custom access level:\n\n1. Open the **Access Context Manager** page in the Google Cloud console.\n\n [Open the Access Context Manager page](https://console.cloud.google.com/security/access-level)\n2. If you are prompted, select your organization.\n\n3. At the top of the **Access Context Manager** page, click **New**.\n\n4. In the **New Access Level** pane:\n\n 1. In the **Access level title** box, enter a title for the access level.\n The title must be at most 50 characters, start with a letter, and can\n contain only numbers, letters, underscores, and spaces.\n\n 2. Following **Create Conditions in** , select **Advanced Mode**.\n\n 3. In the **Conditions** section, enter the expressions for your custom\n access level. The condition must resolve to a single boolean value.\n\n For examples and more information about Common Expression Language\n (CEL) support and custom access levels, see the [Custom access level\n specification](/access-context-manager/docs/custom-access-level-spec).\n 4. Click **Save**.\n\n### gcloud\n\n### Before you begin\n\n- If it doesn't exist yet, [create an access policy](/access-context-manager/docs/create-access-policy) for your organization.\n\nTo create a custom access level using the `gcloud` command-line tool, use the\n[`gcloud access-context-manager levels create`](/sdk/gcloud/reference/access-context-manager/levels/create) command. \n\n```bash\ngcloud access-context-manager levels create LEVEL_NAME \\\n --title=TITLE \\\n --custom-level-spec=FILE \\\n --description=DESCRIPTION \\\n --policy=POLICY_NAME\n```\n\nWhere:\n\n- \u003cvar translate=\"no\"\u003eLEVEL_NAME\u003c/var\u003e is a unique name for the access level. It must\n begin with a letter and include only letters, numbers, and\n underscores. The name can be a maximum of 50 characters.\n\n- \u003cvar translate=\"no\"\u003eTITLE\u003c/var\u003e is the short, human-readable title for the access\n level.\n\n- \u003cvar translate=\"no\"\u003eFILE\u003c/var\u003e is a .yaml file that contains your CEL expression\n formatted as a single key-value pair:\n `expression: \"`\u003cvar translate=\"no\"\u003eCEL_EXPRESSION\u003c/var\u003e`\"`.\n\n For examples and more information about Common Expression Language (CEL)\n support and custom access levels, see the\n [Custom access level specification](/access-context-manager/docs/custom-access-level-spec).\n- \u003cvar translate=\"no\"\u003eDESCRIPTION\u003c/var\u003e (optional) is a human-readable description of the\n access level.\n\n- \u003cvar translate=\"no\"\u003ePOLICY_NAME\u003c/var\u003e is the numeric name of your organization's\n access policy.\n\nOptionally, you can include any of the\n[`gcloud`-wide flags](/sdk/gcloud/reference).\n\n### `custom-level-spec` YAML file\n\nWhen you use the `gcloud` command-line tool to create a custom access level, you must provide\na .yaml file for the `custom-level-spec` option. The .yaml file defines\na CEL expression that resolves to a single boolean value. The .yaml file\nmust contain a single key-value pair formatted as\n`expression: \"`\u003cvar translate=\"no\"\u003eCEL_EXPRESSION\u003c/var\u003e`\"`. The value for `expression` must\nbe a string.\n\n#### Example YAML file\n\n expression: \"device.encryption_status == DeviceEncryptionStatus.ENCRYPTED && (origin.region_code in ['US'] || device.is_admin_approved_device)\"\n\n### Example command\n\n gcloud access-context-manager levels create Custom_Trust \\\n --custom-level-spec=customspec.yaml \\\n --description=\"Custom access level for corp.\" \\\n --title=\"Custom Trust Level\" \\\n --policy=1521580097614100\n\n### REST\n\n### Before you begin\n\n- If it doesn't exist yet, [create an access policy](/access-context-manager/docs/create-access-policy) for your organization.\n\nTo create a custom access level, use the\n[`accessPolicies.accessLevels.create`](/access-context-manager/docs/reference/rest/v1/accessPolicies.accessLevels/create)\nmethod.\n\nRequest body\n------------\n\nIn the request body for the call, include an instance of the `AccessLevel`\nobject. \n\n {\n \"name\": string,\n \"title\": string,\n \"description\": string,\n \"custom\": {\n \"expr\": {\n \"expression\": string,\n \"title\": string,\n \"description\": string\n }\n }\n }\n\nFor the `custom` field, create an object that includes the CEL expressions\nfor your custom access level. The complete expression must resolve to a\nboolean value. The `title` and `description` fields are optional.\n\n### Example\n\n {\n \"name\": \"example_custom_level\",\n \"title\": \"Example custom level\",\n \"description\": \"An example custom access level.\",\n \"custom\": {\n \"expr\": {\n \"expression\": \"device.is_corp_owned == true || (device.os_type != OsType.OS_UNSPECIFIED && device.is_admin_approved_device == true)\",\n \"title\": \"Check for known devices\",\n \"description\": \"Permits requests from corp-owned devices and admin-approved devices with a known OS.\"\n }\n }\n }\n\n### RPC\n\n### Before you begin\n\n- If it doesn't exist yet, [create an access policy](/access-context-manager/docs/create-access-policy) for your organization.\n\nTo create a custom access level, call\n[`CreateAccessLevel`](/access-context-manager/docs/reference/rpc/google.identity.accesscontextmanager.v1#accesscontextmanager).\n\nFor the `access_level` field, include an instance of `AccessLevel`."]]
