Stay organized with collectionsSave and categorize content based on your preferences.
This document shows how administrators can assign the device-based access levels
to control access to applications. These applications includeGoogle Workspaceresources and the
applications that are protected byIdentity-Aware Proxyon
Google Cloud (also known as IAP-secured resources).
Before you begin
To complete the tasks on this page, you must have one of the following roles:
The way you assign device-based access levels depends on whether you are
using Google Workspace or Google Cloud resources:
Google Workspace
As an administrator, you can assign one or more access levels for the apps
by using Context-Aware Access from the Google Admin console. If you select
multiple access levels, devices must satisfy the conditions only inoneof the access levels to be granted access to the app.
Assign access levels for Google Workspace applications
from the Google Workspace Admin console:
From the Admin console Home page, go toSecurity>Context-Aware Access.
In theOrganizational unitssection, select your organizational unit
or group.
Select the app for which you want to assign an access level, and clickAssign.
You see a list of all access levels. Access levels are a shared resource
between Google Workspace, Cloud Identity, and Google Cloud so you
might see access levels that you didn't create in the list.
Select one or more access levels for the app.
To apply the access levels to users on desktop and mobile apps (and
on the browser), selectApply to Google desktop and mobile apps.
This checkbox applies to built-in apps only.
ClickSave.
The access level name displays in the assigned access levels list next to
the app.
Google Cloud
You assign an access level to an IAP-secured resource by
updating its IAM policy.
For instructions, seeApply an access level for IAP-secured resourcesin the Chrome Enterprise Premium documentation.
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Hard to understand","hardToUnderstand","thumb-down"],["Incorrect information or sample code","incorrectInformationOrSampleCode","thumb-down"],["Missing the information/samples I need","missingTheInformationSamplesINeed","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-09-04 UTC."],[[["\u003cp\u003eAdministrators can assign device-based access levels to control access to Google Workspace resources and IAP-secured applications on Google Cloud.\u003c/p\u003e\n"],["\u003cp\u003eAccess levels for Google Workspace apps are assigned via the Context-Aware Access feature in the Google Admin console, where multiple access levels can be selected.\u003c/p\u003e\n"],["\u003cp\u003eTo access Google Workspace apps, a device only needs to meet the conditions of one of the assigned access levels, unless a combined access level with multiple required conditions is created.\u003c/p\u003e\n"],["\u003cp\u003eAccess levels for IAP-secured resources on Google Cloud are assigned by updating the resource's IAM policy, as detailed in the Chrome Enterprise Premium documentation.\u003c/p\u003e\n"],["\u003cp\u003eTo complete the tasks described in this content, you need to be an "Access Context Manager Admin" or "Access Context Manager Editor".\u003c/p\u003e\n"]]],[],null,["# Assign device-based access levels\n\nThis document shows how administrators can assign the device-based access levels\nto control access to applications. These applications include\n[Google Workspace](https://workspace.google.com/) resources and the\napplications that are protected by\n[Identity-Aware Proxy](/iap/docs/concepts-overview) on\nGoogle Cloud (also known as IAP-secured resources).\n\nBefore you begin\n----------------\n\nTo complete the tasks on this page, you must have one of the following roles:\n\n- Access Context Manager Admin (`roles/accesscontextmanager.policyAdmin`)\n- Access Context Manager Editor (`roles/accesscontextmanager.policyEditor`)\n\nAssign device-based access levels on resources\n----------------------------------------------\n\nThe way you assign device-based access levels depends on whether you are\nusing Google Workspace or Google Cloud resources: \n\n### Google Workspace\n\nAs an administrator, you can assign one or more access levels for the apps\nby using Context-Aware Access from the Google Admin console. If you select\nmultiple access levels, devices must satisfy the conditions only in\n**one** of the access levels to be granted access to the app.\n| **Note:** If you want user devices to satisfy conditions in more than one access level (a logical AND of access levels), create an access level with all the required conditions.\n\n\nAssign access levels for Google Workspace applications\nfrom the Google Workspace Admin console:\n\n1. From the Admin console Home page, go to **Security \\\u003e Context-Aware Access**.\n\n [Go to Context-Aware Access](https://admin.google.com/u/1/ac/security/context-aware)\n2. Click **Assign access levels**.\n\n You see a list of apps.\n3. In the **Organizational units** section, select your organizational unit or group.\n4. Select the app for which you want to assign an access level, and click **Assign**.\n\n You see a list of all access levels. Access levels are a shared resource\n between Google Workspace, Cloud Identity, and Google Cloud so you\n might see access levels that you didn't create in the list.\n5. Select one or more access levels for the app.\n6. To apply the access levels to users on desktop and mobile apps (and on the browser), select **Apply to Google desktop and mobile apps**. This checkbox applies to built-in apps only.\n7. Click **Save**. The access level name displays in the assigned access levels list next to the app.\n\n\u003cbr /\u003e\n\n### Google Cloud\n\nYou assign an access level to an IAP-secured resource by\nupdating its IAM policy.\nFor instructions, see\n[Apply an access level for IAP-secured resources](/chrome-enterprise-premium/docs/access-levels#applying_an_access_level)\nin the Chrome Enterprise Premium documentation.\n\nWhat's next\n-----------\n\n- [Manage access levels](/access-context-manager/docs/manage-access-levels)"]]
