
Groups

List Access groups
client.zeroTrust.access.groups.list(params?: GroupListParams { account_id, zone_id, name, 3 more }, options?: RequestOptions): V4PagePaginationArray<GroupListResponse { id, exclude, include, 3 more }>
GET /{accounts_or_zones}/{account_or_zone_id}/access/groups
Get an Access group
client.zeroTrust.access.groups.get(groupId: string, params?: GroupGetParams { account_id, zone_id }, options?: RequestOptions): GroupGetResponse { id, exclude, include, 3 more }
GET /{accounts_or_zones}/{account_or_zone_id}/access/groups/{group_id}
Create an Access group
client.zeroTrust.access.groups.create(params: GroupCreateParams { include, name, account_id, 4 more }, options?: RequestOptions): GroupCreateResponse { id, exclude, include, 3 more }
POST /{accounts_or_zones}/{account_or_zone_id}/access/groups
Update an Access group
client.zeroTrust.access.groups.update(groupId: string, params: GroupUpdateParams { include, name, account_id, 4 more }, options?: RequestOptions): GroupUpdateResponse { id, exclude, include, 3 more }
PUT /{accounts_or_zones}/{account_or_zone_id}/access/groups/{group_id}
Delete an Access group
client.zeroTrust.access.groups.delete(groupId: string, params?: GroupDeleteParams { account_id, zone_id }, options?: RequestOptions): GroupDeleteResponse { id }
DELETE /{accounts_or_zones}/{account_or_zone_id}/access/groups/{group_id}
Models
ZeroTrustGroup { id, displayName, externalId, 2 more }
id?: string

The unique Cloudflare-generated Id of the SCIM resource.

displayName?: string

The display name of the SCIM Group resource.

externalId?: string

The IdP-generated Id of the SCIM resource.

meta?: Meta { created, lastModified }

The metadata of the SCIM resource.

created?: string

The timestamp of when the SCIM resource was created.

format: date-time
lastModified?: string

The timestamp of when the SCIM resource was last modified.

format: date-time
schemas?: Array<string>

The list of URIs which indicate the attributes contained within a SCIM resource.

GroupListResponse { id, exclude, include, 3 more }
id?: string

UUID.

maxLength: 36
exclude?: Array<AccessRule>

Rules evaluated with a NOT logical operator. To match a policy, a user cannot meet any of the Exclude rules.

One of the following:
GroupRule { group }

Matches an Access group.

group: Group { id }
id: string

The ID of a previously created Access group.

AnyValidServiceTokenRule { any_valid_service_token }

Matches any valid Access Service Token.

any_valid_service_token: AnyValidServiceToken

An empty object which matches on all service tokens.

AccessAuthContextRule { auth_context }

Matches an Azure Authentication Context. Requires an Azure identity provider.

auth_context: AuthContext { id, ac_id, identity_provider_id }
id: string

The ID of an Authentication context.

ac_id: string

The ACID of an Authentication context.

identity_provider_id: string

The ID of your Azure identity provider.

AuthenticationMethodRule { auth_method }

Enforces different MFA options.

auth_method: AuthMethod { auth_method }
auth_method: string
AzureGroupRule { azureAD }

Matches an Azure group. Requires an Azure identity provider.

azureAD: AzureAD { id, identity_provider_id }
id: string

The ID of an Azure group.

identity_provider_id: string

The ID of your Azure identity provider.

CertificateRule { certificate }

Matches any valid client certificate.

certificate: Certificate
AccessCommonNameRule { common_name }

Matches a specific common name.

common_name: CommonName { common_name }
common_name: string

The common name to match.

CountryRule { geo }

Matches a specific country.

geo: Geo { country_code }
country_code: string

The country code that should be matched.

AccessDevicePostureRule { device_posture }

Enforces that a device posture rule has run successfully.

device_posture: DevicePosture { integration_uid }
integration_uid: string

The ID of a device posture integration.

DomainRule { email_domain }

Matches an entire email domain.

email_domain: EmailDomain { domain }
domain: string

The email domain to match.

EmailListRule { email_list }

Matches an email address from a list.

email_list: EmailList { id }
id: string

The ID of a previously created email list.

EmailRule { email }

Matches a specific email.

email: Email { email }
email: string

The email of the user.

format: email
EveryoneRule { everyone }

Matches everyone.

everyone: Everyone

An empty object which matches on all users.

ExternalEvaluationRule { external_evaluation }

Create Allow or Block policies which evaluate the user based on custom criteria.

external_evaluation: ExternalEvaluation { evaluate_url, keys_url }
evaluate_url: string

The API endpoint containing your business logic.

keys_url: string

The API endpoint containing the key that Access uses to verify that the response came from your API.

GitHubOrganizationRule { github-organization }

Matches a GitHub organization. Requires a GitHub identity provider.

"github-organization": GitHubOrganization { identity_provider_id, name, team }
identity_provider_id: string

The ID of your GitHub identity provider.

name: string

The name of the organization.

team?: string

The name of the team.

GSuiteGroupRule { gsuite }

Matches a group in Google Workspace. Requires a Google Workspace identity provider.

gsuite: GSuite { email, identity_provider_id }
email: string

The email of the Google Workspace group.

identity_provider_id: string

The ID of your Google Workspace identity provider.

AccessLoginMethodRule { login_method }

Matches a specific identity provider id.

login_method: LoginMethod { id }
id: string

The ID of an identity provider.

IPListRule { ip_list }

Matches an IP address from a list.

ip_list: IPList { id }
id: string

The ID of a previously created IP list.

IPRule { ip }

Matches an IP address block.

ip: IP { ip }
ip: string

An IPv4 or IPv6 CIDR block.

OktaGroupRule { okta }

Matches an Okta group. Requires an Okta identity provider.

okta: Okta { identity_provider_id, name }
identity_provider_id: string

The ID of your Okta identity provider.

name: string

The name of the Okta group.

SAMLGroupRule { saml }

Matches a SAML group. Requires a SAML identity provider.

saml: SAML { attribute_name, attribute_value, identity_provider_id }
attribute_name: string

The name of the SAML attribute.

attribute_value: string

The SAML attribute value to look for.

identity_provider_id: string

The ID of your SAML identity provider.

AccessOIDCClaimRule { oidc }

Matches an OIDC claim. Requires an OIDC identity provider.

oidc: OIDC { claim_name, claim_value, identity_provider_id }
claim_name: string

The name of the OIDC claim.

claim_value: string

The OIDC claim value to look for.

identity_provider_id: string

The ID of your OIDC identity provider.

ServiceTokenRule { service_token }

Matches a specific Access Service Token.

service_token: ServiceToken { token_id }
token_id: string

The ID of a Service Token.

AccessLinkedAppTokenRule { linked_app_token }

Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.

linked_app_token: LinkedAppToken { app_uid }
app_uid: string

The ID of an Access OIDC SaaS application.

AccessUserRiskScoreRule { user_risk_score }

Matches a user’s risk score.

user_risk_score: UserRiskScore { user_risk_score }
user_risk_score: Array<"low" | "medium" | "high" | "unscored">

A list of risk score levels to match. Values can be low, medium, high, or unscored.

One of the following:
"low"
"medium"
"high"
"unscored"
include?: Array<AccessRule>

Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.

One of the following:
GroupRule { group }

Matches an Access group.

group: Group { id }
id: string

The ID of a previously created Access group.

AnyValidServiceTokenRule { any_valid_service_token }

Matches any valid Access Service Token.

any_valid_service_token: AnyValidServiceToken

An empty object which matches on all service tokens.

AccessAuthContextRule { auth_context }

Matches an Azure Authentication Context. Requires an Azure identity provider.

auth_context: AuthContext { id, ac_id, identity_provider_id }
id: string

The ID of an Authentication context.

ac_id: string

The ACID of an Authentication context.

identity_provider_id: string

The ID of your Azure identity provider.

AuthenticationMethodRule { auth_method }

Enforces different MFA options.

auth_method: AuthMethod { auth_method }
auth_method: string
AzureGroupRule { azureAD }

Matches an Azure group. Requires an Azure identity provider.

azureAD: AzureAD { id, identity_provider_id }
id: string

The ID of an Azure group.

identity_provider_id: string

The ID of your Azure identity provider.

CertificateRule { certificate }

Matches any valid client certificate.

certificate: Certificate
AccessCommonNameRule { common_name }

Matches a specific common name.

common_name: CommonName { common_name }
common_name: string

The common name to match.

CountryRule { geo }

Matches a specific country.

geo: Geo { country_code }
country_code: string

The country code that should be matched.

AccessDevicePostureRule { device_posture }

Enforces that a device posture rule has run successfully.

device_posture: DevicePosture { integration_uid }
integration_uid: string

The ID of a device posture integration.

DomainRule { email_domain }

Matches an entire email domain.

email_domain: EmailDomain { domain }
domain: string

The email domain to match.

EmailListRule { email_list }

Matches an email address from a list.

email_list: EmailList { id }
id: string

The ID of a previously created email list.

EmailRule { email }

Matches a specific email.

email: Email { email }
email: string

The email of the user.

format: email
EveryoneRule { everyone }

Matches everyone.

everyone: Everyone

An empty object which matches on all users.

ExternalEvaluationRule { external_evaluation }

Create Allow or Block policies which evaluate the user based on custom criteria.

external_evaluation: ExternalEvaluation { evaluate_url, keys_url }
evaluate_url: string

The API endpoint containing your business logic.

keys_url: string

The API endpoint containing the key that Access uses to verify that the response came from your API.

GitHubOrganizationRule { github-organization }

Matches a GitHub organization. Requires a GitHub identity provider.

"github-organization": GitHubOrganization { identity_provider_id, name, team }
identity_provider_id: string

The ID of your GitHub identity provider.

name: string

The name of the organization.

team?: string

The name of the team.

GSuiteGroupRule { gsuite }

Matches a group in Google Workspace. Requires a Google Workspace identity provider.

gsuite: GSuite { email, identity_provider_id }
email: string

The email of the Google Workspace group.

identity_provider_id: string

The ID of your Google Workspace identity provider.

AccessLoginMethodRule { login_method }

Matches a specific identity provider id.

login_method: LoginMethod { id }
id: string

The ID of an identity provider.

IPListRule { ip_list }

Matches an IP address from a list.

ip_list: IPList { id }
id: string

The ID of a previously created IP list.

IPRule { ip }

Matches an IP address block.

ip: IP { ip }
ip: string

An IPv4 or IPv6 CIDR block.

OktaGroupRule { okta }

Matches an Okta group. Requires an Okta identity provider.

okta: Okta { identity_provider_id, name }
identity_provider_id: string

The ID of your Okta identity provider.

name: string

The name of the Okta group.

SAMLGroupRule { saml }

Matches a SAML group. Requires a SAML identity provider.

saml: SAML { attribute_name, attribute_value, identity_provider_id }
attribute_name: string

The name of the SAML attribute.

attribute_value: string

The SAML attribute value to look for.

identity_provider_id: string

The ID of your SAML identity provider.

AccessOIDCClaimRule { oidc }

Matches an OIDC claim. Requires an OIDC identity provider.

oidc: OIDC { claim_name, claim_value, identity_provider_id }
claim_name: string

The name of the OIDC claim.

claim_value: string

The OIDC claim value to look for.

identity_provider_id: string

The ID of your OIDC identity provider.

ServiceTokenRule { service_token }

Matches a specific Access Service Token.

service_token: ServiceToken { token_id }
token_id: string

The ID of a Service Token.

AccessLinkedAppTokenRule { linked_app_token }

Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.

linked_app_token: LinkedAppToken { app_uid }
app_uid: string

The ID of an Access OIDC SaaS application.

AccessUserRiskScoreRule { user_risk_score }

Matches a user’s risk score.

user_risk_score: UserRiskScore { user_risk_score }
user_risk_score: Array<"low" | "medium" | "high" | "unscored">

A list of risk score levels to match. Values can be low, medium, high, or unscored.

One of the following:
"low"
"medium"
"high"
"unscored"
is_default?: Array<AccessRule>

Rules evaluated with an AND logical operator. To match a policy, a user must meet all of the Require rules.

One of the following:
GroupRule { group }

Matches an Access group.

group: Group { id }
id: string

The ID of a previously created Access group.

AnyValidServiceTokenRule { any_valid_service_token }

Matches any valid Access Service Token.

any_valid_service_token: AnyValidServiceToken

An empty object which matches on all service tokens.

AccessAuthContextRule { auth_context }

Matches an Azure Authentication Context. Requires an Azure identity provider.

auth_context: AuthContext { id, ac_id, identity_provider_id }
id: string

The ID of an Authentication context.

ac_id: string

The ACID of an Authentication context.

identity_provider_id: string

The ID of your Azure identity provider.

AuthenticationMethodRule { auth_method }

Enforces different MFA options.

auth_method: AuthMethod { auth_method }
auth_method: string
AzureGroupRule { azureAD }

Matches an Azure group. Requires an Azure identity provider.

azureAD: AzureAD { id, identity_provider_id }
id: string

The ID of an Azure group.

identity_provider_id: string

The ID of your Azure identity provider.

CertificateRule { certificate }

Matches any valid client certificate.

certificate: Certificate
AccessCommonNameRule { common_name }

Matches a specific common name.

common_name: CommonName { common_name }
common_name: string

The common name to match.

CountryRule { geo }

Matches a specific country.

geo: Geo { country_code }
country_code: string

The country code that should be matched.

AccessDevicePostureRule { device_posture }

Enforces that a device posture rule has run successfully.

device_posture: DevicePosture { integration_uid }
integration_uid: string

The ID of a device posture integration.

DomainRule { email_domain }

Matches an entire email domain.

email_domain: EmailDomain { domain }
domain: string

The email domain to match.

EmailListRule { email_list }

Matches an email address from a list.

email_list: EmailList { id }
id: string

The ID of a previously created email list.

EmailRule { email }

Matches a specific email.

email: Email { email }
email: string

The email of the user.

format: email
EveryoneRule { everyone }

Matches everyone.

everyone: Everyone

An empty object which matches on all users.

ExternalEvaluationRule { external_evaluation }

Create Allow or Block policies which evaluate the user based on custom criteria.

external_evaluation: ExternalEvaluation { evaluate_url, keys_url }
evaluate_url: string

The API endpoint containing your business logic.

keys_url: string

The API endpoint containing the key that Access uses to verify that the response came from your API.

GitHubOrganizationRule { github-organization }

Matches a GitHub organization. Requires a GitHub identity provider.

"github-organization": GitHubOrganization { identity_provider_id, name, team }
identity_provider_id: string

The ID of your GitHub identity provider.

name: string

The name of the organization.

team?: string

The name of the team.

GSuiteGroupRule { gsuite }

Matches a group in Google Workspace. Requires a Google Workspace identity provider.

gsuite: GSuite { email, identity_provider_id }
email: string

The email of the Google Workspace group.

identity_provider_id: string

The ID of your Google Workspace identity provider.

AccessLoginMethodRule { login_method }

Matches a specific identity provider id.

login_method: LoginMethod { id }
id: string

The ID of an identity provider.

IPListRule { ip_list }

Matches an IP address from a list.

ip_list: IPList { id }
id: string

The ID of a previously created IP list.

IPRule { ip }

Matches an IP address block.

ip: IP { ip }
ip: string

An IPv4 or IPv6 CIDR block.

OktaGroupRule { okta }

Matches an Okta group. Requires an Okta identity provider.

okta: Okta { identity_provider_id, name }
identity_provider_id: string

The ID of your Okta identity provider.

name: string

The name of the Okta group.

SAMLGroupRule { saml }

Matches a SAML group. Requires a SAML identity provider.

saml: SAML { attribute_name, attribute_value, identity_provider_id }
attribute_name: string

The name of the SAML attribute.

attribute_value: string

The SAML attribute value to look for.

identity_provider_id: string

The ID of your SAML identity provider.

AccessOIDCClaimRule { oidc }

Matches an OIDC claim. Requires an OIDC identity provider.

oidc: OIDC { claim_name, claim_value, identity_provider_id }
claim_name: string

The name of the OIDC claim.

claim_value: string

The OIDC claim value to look for.

identity_provider_id: string

The ID of your OIDC identity provider.

ServiceTokenRule { service_token }

Matches a specific Access Service Token.

service_token: ServiceToken { token_id }
token_id: string

The ID of a Service Token.

AccessLinkedAppTokenRule { linked_app_token }

Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.

linked_app_token: LinkedAppToken { app_uid }
app_uid: string

The ID of an Access OIDC SaaS application.

AccessUserRiskScoreRule { user_risk_score }

Matches a user’s risk score.

user_risk_score: UserRiskScore { user_risk_score }
user_risk_score: Array<"low" | "medium" | "high" | "unscored">

A list of risk score levels to match. Values can be low, medium, high, or unscored.

One of the following:
"low"
"medium"
"high"
"unscored"
name?: string

The name of the Access group.

require?: Array<AccessRule>

Rules evaluated with an AND logical operator. To match a policy, a user must meet all of the Require rules.

One of the following:
GroupRule { group }

Matches an Access group.

group: Group { id }
id: string

The ID of a previously created Access group.

AnyValidServiceTokenRule { any_valid_service_token }

Matches any valid Access Service Token.

any_valid_service_token: AnyValidServiceToken

An empty object which matches on all service tokens.

AccessAuthContextRule { auth_context }

Matches an Azure Authentication Context. Requires an Azure identity provider.

auth_context: AuthContext { id, ac_id, identity_provider_id }
id: string

The ID of an Authentication context.

ac_id: string

The ACID of an Authentication context.

identity_provider_id: string

The ID of your Azure identity provider.

AuthenticationMethodRule { auth_method }

Enforces different MFA options.

auth_method: AuthMethod { auth_method }
auth_method: string
AzureGroupRule { azureAD }

Matches an Azure group. Requires an Azure identity provider.

azureAD: AzureAD { id, identity_provider_id }
id: string

The ID of an Azure group.

identity_provider_id: string

The ID of your Azure identity provider.

CertificateRule { certificate }

Matches any valid client certificate.

certificate: Certificate
AccessCommonNameRule { common_name }

Matches a specific common name.

common_name: CommonName { common_name }
common_name: string

The common name to match.

CountryRule { geo }

Matches a specific country.

geo: Geo { country_code }
country_code: string

The country code that should be matched.

AccessDevicePostureRule { device_posture }

Enforces that a device posture rule has run successfully.

device_posture: DevicePosture { integration_uid }
integration_uid: string

The ID of a device posture integration.

DomainRule { email_domain }

Matches an entire email domain.

email_domain: EmailDomain { domain }
domain: string

The email domain to match.

EmailListRule { email_list }

Matches an email address from a list.

email_list: EmailList { id }
id: string

The ID of a previously created email list.

EmailRule { email }

Matches a specific email.

email: Email { email }
email: string

The email of the user.

format: email
EveryoneRule { everyone }

Matches everyone.

everyone: Everyone

An empty object which matches on all users.

ExternalEvaluationRule { external_evaluation }

Create Allow or Block policies which evaluate the user based on custom criteria.

external_evaluation: ExternalEvaluation { evaluate_url, keys_url }
evaluate_url: string

The API endpoint containing your business logic.

keys_url: string

The API endpoint containing the key that Access uses to verify that the response came from your API.

GitHubOrganizationRule { github-organization }

Matches a GitHub organization. Requires a GitHub identity provider.

"github-organization": GitHubOrganization { identity_provider_id, name, team }
identity_provider_id: string

The ID of your GitHub identity provider.

name: string

The name of the organization.

team?: string

The name of the team.

GSuiteGroupRule { gsuite }

Matches a group in Google Workspace. Requires a Google Workspace identity provider.

gsuite: GSuite { email, identity_provider_id }
email: string

The email of the Google Workspace group.

identity_provider_id: string

The ID of your Google Workspace identity provider.

AccessLoginMethodRule { login_method }

Matches a specific identity provider id.

login_method: LoginMethod { id }
id: string

The ID of an identity provider.

IPListRule { ip_list }

Matches an IP address from a list.

ip_list: IPList { id }
id: string

The ID of a previously created IP list.

IPRule { ip }

Matches an IP address block.

ip: IP { ip }
ip: string

An IPv4 or IPv6 CIDR block.

OktaGroupRule { okta }

Matches an Okta group. Requires an Okta identity provider.

okta: Okta { identity_provider_id, name }
identity_provider_id: string

The ID of your Okta identity provider.

name: string

The name of the Okta group.

SAMLGroupRule { saml }

Matches a SAML group. Requires a SAML identity provider.

saml: SAML { attribute_name, attribute_value, identity_provider_id }
attribute_name: string

The name of the SAML attribute.

attribute_value: string

The SAML attribute value to look for.

identity_provider_id: string

The ID of your SAML identity provider.

AccessOIDCClaimRule { oidc }

Matches an OIDC claim. Requires an OIDC identity provider.

oidc: OIDC { claim_name, claim_value, identity_provider_id }
claim_name: string

The name of the OIDC claim.

claim_value: string

The OIDC claim value to look for.

identity_provider_id: string

The ID of your OIDC identity provider.

ServiceTokenRule { service_token }

Matches a specific Access Service Token.

service_token: ServiceToken { token_id }
token_id: string

The ID of a Service Token.

AccessLinkedAppTokenRule { linked_app_token }

Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.

linked_app_token: LinkedAppToken { app_uid }
app_uid: string

The ID of an Access OIDC SaaS application.

AccessUserRiskScoreRule { user_risk_score }

Matches a user’s risk score.

user_risk_score: UserRiskScore { user_risk_score }
user_risk_score: Array<"low" | "medium" | "high" | "unscored">

A list of risk score levels to match. Values can be low, medium, high, or unscored.

One of the following:
"low"
"medium"
"high"
"unscored"
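The three rule arrays of a group are combined differently: include is an OR (meet any one rule), exclude is a NOT (meet none), and require is an AND (meet every rule). The following evaluator, added here as an illustration and not taken from Cloudflare's SDK or policy engine, makes those semantics concrete for a handful of the documented rule variants (email, email_domain, ip, geo, group, everyone). The Identity shape, the sample group and the sample identities are constructed assumptions; exclude is checked first, and an empty include list is treated as matching nobody, which is this example's convention rather than a documented guarantee.

```typescript
// Added example, not Cloudflare SDK code: a small evaluator for the
// include / exclude / require semantics documented for an Access group
// (include = OR, exclude = NOT, require = AND). Rule shapes follow the
// documented AccessRule variants used here; Identity is a constructed
// assumption standing in for what the policy engine knows about a request.

type AccessRule =
  | { email: { email: string } }
  | { email_domain: { domain: string } }
  | { ip: { ip: string } }
  | { geo: { country_code: string } }
  | { group: { id: string } }
  | { everyone: Record<string, never> };

interface AccessGroup {
  id?: string;
  name?: string;
  include?: AccessRule[];
  exclude?: AccessRule[];
  require?: AccessRule[];
}

// Constructed identity shape (assumption for this example).
interface Identity {
  email: string;
  ip: string;        // IPv4 dotted quad
  country: string;   // ISO country code
  groupIds: string[]; // Access group IDs the identity already belongs to
}

// Parse a dotted-quad IPv4 address into an unsigned 32-bit value, or null if malformed.
function ipv4ToInt(ip: string): number | null {
  const parts = ip.split(".");
  if (parts.length !== 4) return null;
  let n = 0;
  for (const p of parts) {
    if (!/^\d{1,3}$/.test(p)) return null;
    const v = Number(p);
    if (v > 255) return null;
    n = n * 256 + v;
  }
  return n;
}

// IPv4-only CIDR containment; IPv6 is deliberately out of scope here and yields false.
function ipv4InCidr(ip: string, cidr: string): boolean {
  const [base, bitsStr] = cidr.split("/");
  const bits = bitsStr === undefined ? 32 : Number(bitsStr);
  const a = ipv4ToInt(ip);
  const b = ipv4ToInt(base);
  if (a === null || b === null || !Number.isInteger(bits) || bits < 0 || bits > 32) return false;
  if (bits === 0) return true;
  // Integer division instead of shifts: JS bitwise operators are 32-bit signed.
  const div = 2 ** (32 - bits);
  return Math.floor(a / div) === Math.floor(b / div);
}

// One rule against one identity. Domain matching compares the full label after
// the last "@", so "evil-example.com" does not satisfy a rule for "example.com".
function ruleMatches(rule: AccessRule, who: Identity): boolean {
  if ("everyone" in rule) return true;
  if ("email" in rule) return rule.email.email.toLowerCase() === who.email.toLowerCase();
  if ("email_domain" in rule) {
    const at = who.email.lastIndexOf("@");
    const domain = at >= 0 ? who.email.slice(at + 1).toLowerCase() : "";
    return domain === rule.email_domain.domain.toLowerCase();
  }
  if ("ip" in rule) return ipv4InCidr(who.ip, rule.ip.ip);
  if ("geo" in rule) return rule.geo.country_code.toUpperCase() === who.country.toUpperCase();
  if ("group" in rule) return who.groupIds.includes(rule.group.id);
  return false;
}

interface Decision {
  member: boolean;
  reason: "excluded" | "no-include-match" | "require-failed" | "ok";
}

// Exclude (NOT) is decisive, then at least one include (OR) must match,
// then every require (AND) must match. The reason field is what an audit
// log or policy test harness would want to record.
function evaluateGroup(group: AccessGroup, who: Identity): Decision {
  if ((group.exclude ?? []).some((r) => ruleMatches(r, who))) return { member: false, reason: "excluded" };
  if (!(group.include ?? []).some((r) => ruleMatches(r, who))) return { member: false, reason: "no-include-match" };
  if (!(group.require ?? []).every((r) => ruleMatches(r, who))) return { member: false, reason: "require-failed" };
  return { member: true, reason: "ok" };
}

// Constructed sample group (not from the page): staff or contractors, only from
// the US and the corporate IPv4 range, with one explicitly excluded address.
const sampleGroup: AccessGroup = {
  name: "engineering-us",
  include: [{ email_domain: { domain: "example.com" } }, { group: { id: "grp-contractors" } }],
  require: [{ geo: { country_code: "US" } }, { ip: { ip: "10.1.0.0/16" } }],
  exclude: [{ email: { email: "blocked@example.com" } }],
};
```

Running the sample group against a few constructed identities shows why the ordering matters: an excluded address is rejected even though it satisfies every include and require rule, and a lookalike domain such as evil-example.com never reaches the require stage at all. Encoding group definitions as a decision table like this is a cheap way to regression-test policy changes before pushing them through `groups.update`.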
GroupGetResponse { id, exclude, include, 3 more }
id?: string

UUID.

maxLength: 36
exclude?: Array<AccessRule>

Rules evaluated with a NOT logical operator. To match a policy, a user cannot meet any of the Exclude rules.

One of the following:
GroupRule { group }

Matches an Access group.

group: Group { id }
id: string

The ID of a previously created Access group.

AnyValidServiceTokenRule { any_valid_service_token }

Matches any valid Access Service Token.

any_valid_service_token: AnyValidServiceToken

An empty object which matches on all service tokens.

AccessAuthContextRule { auth_context }

Matches an Azure Authentication Context. Requires an Azure identity provider.

auth_context: AuthContext { id, ac_id, identity_provider_id }
id: string

The ID of an Authentication context.

ac_id: string

The ACID of an Authentication context.

identity_provider_id: string

The ID of your Azure identity provider.

AuthenticationMethodRule { auth_method }

Enforces different MFA options.

auth_method: AuthMethod { auth_method }
auth_method: string
AzureGroupRule { azureAD }

Matches an Azure group. Requires an Azure identity provider.

azureAD: AzureAD { id, identity_provider_id }
id: string

The ID of an Azure group.

identity_provider_id: string

The ID of your Azure identity provider.

CertificateRule { certificate }

Matches any valid client certificate.

certificate: Certificate
AccessCommonNameRule { common_name }

Matches a specific common name.

common_name: CommonName { common_name }
common_name: string

The common name to match.

CountryRule { geo }

Matches a specific country.

geo: Geo { country_code }
country_code: string

The country code that should be matched.

AccessDevicePostureRule { device_posture }

Enforces that a device posture rule has run successfully.

device_posture: DevicePosture { integration_uid }
integration_uid: string

The ID of a device posture integration.

DomainRule { email_domain }

Matches an entire email domain.

email_domain: EmailDomain { domain }
domain: string

The email domain to match.

EmailListRule { email_list }

Matches an email address from a list.

email_list: EmailList { id }
id: string

The ID of a previously created email list.

EmailRule { email }

Matches a specific email.

email: Email { email }
email: string

The email of the user.

format: email
EveryoneRule { everyone }

Matches everyone.

everyone: Everyone

An empty object which matches on all users.

ExternalEvaluationRule { external_evaluation }

Create Allow or Block policies which evaluate the user based on custom criteria.

external_evaluation: ExternalEvaluation { evaluate_url, keys_url }
evaluate_url: string

The API endpoint containing your business logic.

keys_url: string

The API endpoint containing the key that Access uses to verify that the response came from your API.

GitHubOrganizationRule { github-organization }

Matches a GitHub organization. Requires a GitHub identity provider.

"github-organization": GitHubOrganization { identity_provider_id, name, team }
identity_provider_id: string

The ID of your GitHub identity provider.

name: string

The name of the organization.

team?: string

The name of the team.

GSuiteGroupRule { gsuite }

Matches a group in Google Workspace. Requires a Google Workspace identity provider.

gsuite: GSuite { email, identity_provider_id }
email: string

The email of the Google Workspace group.

identity_provider_id: string

The ID of your Google Workspace identity provider.

AccessLoginMethodRule { login_method }

Matches a specific identity provider id.

login_method: LoginMethod { id }
id: string

The ID of an identity provider.

IPListRule { ip_list }

Matches an IP address from a list.

ip_list: IPList { id }
id: string

The ID of a previously created IP list.

IPRule { ip }

Matches an IP address block.

ip: IP { ip }
ip: string

An IPv4 or IPv6 CIDR block.

OktaGroupRule { okta }

Matches an Okta group. Requires an Okta identity provider.

okta: Okta { identity_provider_id, name }
identity_provider_id: string

The ID of your Okta identity provider.

name: string

The name of the Okta group.

SAMLGroupRule { saml }

Matches a SAML group. Requires a SAML identity provider.

saml: SAML { attribute_name, attribute_value, identity_provider_id }
attribute_name: string

The name of the SAML attribute.

attribute_value: string

The SAML attribute value to look for.

identity_provider_id: string

The ID of your SAML identity provider.

AccessOIDCClaimRule { oidc }

Matches an OIDC claim. Requires an OIDC identity provider.

oidc: OIDC { claim_name, claim_value, identity_provider_id }
claim_name: string

The name of the OIDC claim.

claim_value: string

The OIDC claim value to look for.

identity_provider_id: string

The ID of your OIDC identity provider.

ServiceTokenRule { service_token }

Matches a specific Access Service Token.

service_token: ServiceToken { token_id }
token_id: string

The ID of a Service Token.

AccessLinkedAppTokenRule { linked_app_token }

Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.

linked_app_token: LinkedAppToken { app_uid }
app_uid: string

The ID of an Access OIDC SaaS application.

AccessUserRiskScoreRule { user_risk_score }

Matches a user’s risk score.

user_risk_score: UserRiskScore { user_risk_score }
user_risk_score: Array<"low" | "medium" | "high" | "unscored">

A list of risk score levels to match. Values can be low, medium, high, or unscored.

One of the following:
"low"
"medium"
"high"
"unscored"
include?: Array<AccessRule>

Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.

One of the following:
GroupRule { group }

Matches an Access group.

group: Group { id }
id: string

The ID of a previously created Access group.

AnyValidServiceTokenRule { any_valid_service_token }

Matches any valid Access Service Token.

any_valid_service_token: AnyValidServiceToken

An empty object which matches on all service tokens.

AccessAuthContextRule { auth_context }

Matches an Azure Authentication Context. Requires an Azure identity provider.

auth_context: AuthContext { id, ac_id, identity_provider_id }
id: string

The ID of an Authentication context.

ac_id: string

The ACID of an Authentication context.

identity_provider_id: string

The ID of your Azure identity provider.

AuthenticationMethodRule { auth_method }

Enforces different MFA options.

auth_method: AuthMethod { auth_method }
auth_method: string
AzureGroupRule { azureAD }

Matches an Azure group. Requires an Azure identity provider.

azureAD: AzureAD { id, identity_provider_id }
id: string

The ID of an Azure group.

identity_provider_id: string

The ID of your Azure identity provider.

CertificateRule { certificate }

Matches any valid client certificate.

certificate: Certificate
AccessCommonNameRule { common_name }

Matches a specific common name.

common_name: CommonName { common_name }
common_name: string

The common name to match.

CountryRule { geo }

Matches a specific country.

geo: Geo { country_code }
country_code: string

The country code that should be matched.

AccessDevicePostureRule { device_posture }

Enforces that a device posture rule has run successfully.

device_posture: DevicePosture { integration_uid }
integration_uid: string

The ID of a device posture integration.

DomainRule { email_domain }

Matches an entire email domain.

email_domain: EmailDomain { domain }
domain: string

The email domain to match.

EmailListRule { email_list }

Matches an email address from a list.

email_list: EmailList { id }
id: string

The ID of a previously created email list.

EmailRule { email }

Matches a specific email.

email: Email { email }
email: string

The email of the user.

format: email
EveryoneRule { everyone }

Matches everyone.

everyone: Everyone

An empty object which matches on all users.

ExternalEvaluationRule { external_evaluation }

Create Allow or Block policies which evaluate the user based on custom criteria.

external_evaluation: ExternalEvaluation { evaluate_url, keys_url }
evaluate_url: string

The API endpoint containing your business logic.

keys_url: string

The API endpoint containing the key that Access uses to verify that the response came from your API.

GitHubOrganizationRule { github-organization }

Matches a GitHub organization. Requires a GitHub identity provider.

"github-organization": GitHubOrganization { identity_provider_id, name, team }
identity_provider_id: string

The ID of your GitHub identity provider.

name: string

The name of the organization.

team?: string

The name of the team.

GSuiteGroupRule { gsuite }

Matches a group in Google Workspace. Requires a Google Workspace identity provider.

gsuite: GSuite { email, identity_provider_id }
email: string

The email of the Google Workspace group.

identity_provider_id: string

The ID of your Google Workspace identity provider.

AccessLoginMethodRule { login_method }

Matches a specific identity provider ID.

login_method: LoginMethod { id }
id: string

The ID of an identity provider.

IPListRule { ip_list }

Matches an IP address from a list.

ip_list: IPList { id }
id: string

The ID of a previously created IP list.

IPRule { ip }

Matches an IP address block.

ip: IP { ip }
ip: string

An IPv4 or IPv6 CIDR block.

OktaGroupRule { okta }

Matches an Okta group. Requires an Okta identity provider.

okta: Okta { identity_provider_id, name }
identity_provider_id: string

The ID of your Okta identity provider.

name: string

The name of the Okta group.

SAMLGroupRule { saml }

Matches a SAML group. Requires a SAML identity provider.

saml: SAML { attribute_name, attribute_value, identity_provider_id }
attribute_name: string

The name of the SAML attribute.

attribute_value: string

The SAML attribute value to look for.

identity_provider_id: string

The ID of your SAML identity provider.

AccessOIDCClaimRule { oidc }

Matches an OIDC claim. Requires an OIDC identity provider.

oidc: OIDC { claim_name, claim_value, identity_provider_id }
claim_name: string

The name of the OIDC claim.

claim_value: string

The OIDC claim value to look for.

identity_provider_id: string

The ID of your OIDC identity provider.

ServiceTokenRule { service_token }

Matches a specific Access Service Token.

service_token: ServiceToken { token_id }
token_id: string

The ID of a Service Token.

AccessLinkedAppTokenRule { linked_app_token }

Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.

linked_app_token: LinkedAppToken { app_uid }
app_uid: string

The ID of an Access OIDC SaaS application.

AccessUserRiskScoreRule { user_risk_score }

Matches a user’s risk score.

user_risk_score: UserRiskScore { user_risk_score }
user_risk_score: Array<"low" | "medium" | "high" | "unscored">

A list of risk score levels to match. Values can be low, medium, high, or unscored.

One of the following:
"low"
"medium"
"high"
"unscored"
is_default?: Array<AccessRule>

Rules evaluated with an AND logical operator. To match a policy, a user must meet all of these rules.

One of the following:
GroupRule { group }

Matches an Access group.

group: Group { id }
id: string

The ID of a previously created Access group.

AnyValidServiceTokenRule { any_valid_service_token }

Matches any valid Access Service Token.

any_valid_service_token: AnyValidServiceToken

An empty object which matches on all service tokens.

AccessAuthContextRule { auth_context }

Matches an Azure Authentication Context. Requires an Azure identity provider.

auth_context: AuthContext { id, ac_id, identity_provider_id }
id: string

The ID of an Authentication context.

ac_id: string

The ACID (authentication context ID) of an Authentication context.

identity_provider_id: string

The ID of your Azure identity provider.

AuthenticationMethodRule { auth_method }

Matches the authentication method the identity provider reports for the login, so a policy can require a particular MFA option.

auth_method: AuthMethod { auth_method }
auth_method: string

The Authentication Methods Reference (AMR, RFC 8176) value to match.
AzureGroupRule { azureAD }

Matches an Azure group. Requires an Azure identity provider.

azureAD: AzureAD { id, identity_provider_id }
id: string

The ID of an Azure group.

identity_provider_id: string

The ID of your Azure identity provider.

CertificateRule { certificate }

Matches any valid client certificate.

certificate: Certificate
AccessCommonNameRule { common_name }

Matches a specific common name.

common_name: CommonName { common_name }
common_name: string

The common name to match.

CountryRule { geo }

Matches a specific country.

geo: Geo { country_code }
country_code: string

The country code that should be matched.

AccessDevicePostureRule { device_posture }

Enforces that a device posture rule has run successfully.

device_posture: DevicePosture { integration_uid }
integration_uid: string

The ID of a device posture integration.

DomainRule { email_domain }

Matches an entire email domain.

email_domain: EmailDomain { domain }
domain: string

The email domain to match.

EmailListRule { email_list }

Matches an email address from a list.

email_list: EmailList { id }
id: string

The ID of a previously created email list.

EmailRule { email }

Matches a specific email.

email: Email { email }
email: string

The email of the user.

format: email
EveryoneRule { everyone }

Matches everyone.

everyone: Everyone

An empty object which matches on all users.

ExternalEvaluationRule { external_evaluation }

Create Allow or Block policies which evaluate the user based on custom criteria.

external_evaluation: ExternalEvaluation { evaluate_url, keys_url }
evaluate_url: string

The API endpoint containing your business logic.

keys_url: string

The API endpoint containing the key that Access uses to verify that the response came from your API.

GitHubOrganizationRule { github-organization }

Matches a GitHub organization. Requires a GitHub identity provider.

"github-organization": GitHubOrganization { identity_provider_id, name, team }
identity_provider_id: string

The ID of your GitHub identity provider.

name: string

The name of the organization.

team?: string

The name of the team.

GSuiteGroupRule { gsuite }

Matches a group in Google Workspace. Requires a Google Workspace identity provider.

gsuite: GSuite { email, identity_provider_id }
email: string

The email of the Google Workspace group.

identity_provider_id: string

The ID of your Google Workspace identity provider.

AccessLoginMethodRule { login_method }

Matches a specific identity provider ID.

login_method: LoginMethod { id }
id: string

The ID of an identity provider.

IPListRule { ip_list }

Matches an IP address from a list.

ip_list: IPList { id }
id: string

The ID of a previously created IP list.

IPRule { ip }

Matches an IP address block.

ip: IP { ip }
ip: string

An IPv4 or IPv6 CIDR block.

OktaGroupRule { okta }

Matches an Okta group. Requires an Okta identity provider.

okta: Okta { identity_provider_id, name }
identity_provider_id: string

The ID of your Okta identity provider.

name: string

The name of the Okta group.

SAMLGroupRule { saml }

Matches a SAML group. Requires a SAML identity provider.

saml: SAML { attribute_name, attribute_value, identity_provider_id }
attribute_name: string

The name of the SAML attribute.

attribute_value: string

The SAML attribute value to look for.

identity_provider_id: string

The ID of your SAML identity provider.

AccessOIDCClaimRule { oidc }

Matches an OIDC claim. Requires an OIDC identity provider.

oidc: OIDC { claim_name, claim_value, identity_provider_id }
claim_name: string

The name of the OIDC claim.

claim_value: string

The OIDC claim value to look for.

identity_provider_id: string

The ID of your OIDC identity provider.

ServiceTokenRule { service_token }

Matches a specific Access Service Token.

service_token: ServiceToken { token_id }
token_id: string

The ID of a Service Token.

AccessLinkedAppTokenRule { linked_app_token }

Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.

linked_app_token: LinkedAppToken { app_uid }
app_uid: string

The ID of an Access OIDC SaaS application.

AccessUserRiskScoreRule { user_risk_score }

Matches a user’s risk score.

user_risk_score: UserRiskScore { user_risk_score }
user_risk_score: Array<"low" | "medium" | "high" | "unscored">

A list of risk score levels to match. Values can be low, medium, high, or unscored.

One of the following:
"low"
"medium"
"high"
"unscored"
name?: string

The name of the Access group.

require?: Array<AccessRule>

Rules evaluated with an AND logical operator. To match a policy, a user must meet all of the Require rules.

One of the following:
GroupRule { group }

Matches an Access group.

group: Group { id }
id: string

The ID of a previously created Access group.

AnyValidServiceTokenRule { any_valid_service_token }

Matches any valid Access Service Token.

any_valid_service_token: AnyValidServiceToken

An empty object which matches on all service tokens.

AccessAuthContextRule { auth_context }

Matches an Azure Authentication Context. Requires an Azure identity provider.

auth_context: AuthContext { id, ac_id, identity_provider_id }
id: string

The ID of an Authentication context.

ac_id: string

The ACID (authentication context ID) of an Authentication context.

identity_provider_id: string

The ID of your Azure identity provider.

AuthenticationMethodRule { auth_method }

Matches the authentication method the identity provider reports for the login, so a policy can require a particular MFA option.

auth_method: AuthMethod { auth_method }
auth_method: string

The Authentication Methods Reference (AMR, RFC 8176) value to match.
AzureGroupRule { azureAD }

Matches an Azure group. Requires an Azure identity provider.

azureAD: AzureAD { id, identity_provider_id }
id: string

The ID of an Azure group.

identity_provider_id: string

The ID of your Azure identity provider.

CertificateRule { certificate }

Matches any valid client certificate.

certificate: Certificate
AccessCommonNameRule { common_name }

Matches a specific common name.

common_name: CommonName { common_name }
common_name: string

The common name to match.

CountryRule { geo }

Matches a specific country.

geo: Geo { country_code }
country_code: string

The country code that should be matched.

AccessDevicePostureRule { device_posture }

Enforces that a device posture rule has run successfully.

device_posture: DevicePosture { integration_uid }
integration_uid: string

The ID of a device posture integration.

DomainRule { email_domain }

Matches an entire email domain.

email_domain: EmailDomain { domain }
domain: string

The email domain to match.

EmailListRule { email_list }

Matches an email address from a list.

email_list: EmailList { id }
id: string

The ID of a previously created email list.

EmailRule { email }

Matches a specific email.

email: Email { email }
email: string

The email of the user.

format: email
EveryoneRule { everyone }

Matches everyone.

everyone: Everyone

An empty object which matches on all users.

ExternalEvaluationRule { external_evaluation }

Create Allow or Block policies which evaluate the user based on custom criteria.

external_evaluation: ExternalEvaluation { evaluate_url, keys_url }
evaluate_url: string

The API endpoint containing your business logic.

keys_url: string

The API endpoint containing the key that Access uses to verify that the response came from your API.

GitHubOrganizationRule { github-organization }

Matches a GitHub organization. Requires a GitHub identity provider.

"github-organization": GitHubOrganization { identity_provider_id, name, team }
identity_provider_id: string

The ID of your GitHub identity provider.

name: string

The name of the organization.

team?: string

The name of the team.

GSuiteGroupRule { gsuite }

Matches a group in Google Workspace. Requires a Google Workspace identity provider.

gsuite: GSuite { email, identity_provider_id }
email: string

The email of the Google Workspace group.

identity_provider_id: string

The ID of your Google Workspace identity provider.

AccessLoginMethodRule { login_method }

Matches a specific identity provider ID.

login_method: LoginMethod { id }
id: string

The ID of an identity provider.

IPListRule { ip_list }

Matches an IP address from a list.

ip_list: IPList { id }
id: string

The ID of a previously created IP list.

IPRule { ip }

Matches an IP address block.

ip: IP { ip }
ip: string

An IPv4 or IPv6 CIDR block.

OktaGroupRule { okta }

Matches an Okta group. Requires an Okta identity provider.

okta: Okta { identity_provider_id, name }
identity_provider_id: string

The ID of your Okta identity provider.

name: string

The name of the Okta group.

SAMLGroupRule { saml }

Matches a SAML group. Requires a SAML identity provider.

saml: SAML { attribute_name, attribute_value, identity_provider_id }
attribute_name: string

The name of the SAML attribute.

attribute_value: string

The SAML attribute value to look for.

identity_provider_id: string

The ID of your SAML identity provider.

AccessOIDCClaimRule { oidc }

Matches an OIDC claim. Requires an OIDC identity provider.

oidc: OIDC { claim_name, claim_value, identity_provider_id }
claim_name: string

The name of the OIDC claim.

claim_value: string

The OIDC claim value to look for.

identity_provider_id: string

The ID of your OIDC identity provider.

ServiceTokenRule { service_token }

Matches a specific Access Service Token.

service_token: ServiceToken { token_id }
token_id: string

The ID of a Service Token.

AccessLinkedAppTokenRule { linked_app_token }

Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.

linked_app_token: LinkedAppToken { app_uid }
app_uid: string

The ID of an Access OIDC SaaS application.

AccessUserRiskScoreRule { user_risk_score }

Matches a user’s risk score.

user_risk_score: UserRiskScore { user_risk_score }
user_risk_score: Array<"low" | "medium" | "high" | "unscored">

A list of risk score levels to match. Values can be low, medium, high, or unscored.

One of the following:
"low"
"medium"
"high"
"unscored"
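The include (OR), require (AND) and exclude (NOT) semantics documented for these fields, as an added worked example in TypeScript. This is not code from the Cloudflare SDK or Cloudflare's policy engine: it models a subset of the AccessRule variants above with the same JSON shapes, evaluates them locally against a hypothetical caller, and shows the body shape that `client.zeroTrust.access.groups.create()` accepts. The group IDs, integration UID, service token ID, e-mail addresses and the `Identity` view of the caller are constructed for illustration, and the matching details (case-insensitive e-mail comparison, exact-domain match, IPv4-only CIDR) are this example's assumptions rather than documented Access behaviour.

```typescript
// Added example, not code from the Cloudflare SDK or its policy engine: a local
// model of how a group's include / require / exclude arrays combine, using the
// JSON shapes of the AccessRule variants documented on this page. Only a subset
// of variants is modelled, IPv4 only; all identities, IDs and names are constructed.

type RiskLevel = "low" | "medium" | "high" | "unscored";

type AccessRule =
  | { email: { email: string } }
  | { email_domain: { domain: string } }
  | { everyone: Record<string, never> }
  | { geo: { country_code: string } }
  | { ip: { ip: string } }
  | { device_posture: { integration_uid: string } }
  | { group: { id: string } }
  | { any_valid_service_token: Record<string, never> }
  | { service_token: { token_id: string } }
  | { user_risk_score: { user_risk_score: RiskLevel[] } };

// Body accepted by client.zeroTrust.access.groups.create(); account_id is supplied at call time.
export interface GroupDefinition {
  name: string;
  include: AccessRule[];  // OR: at least one must match
  require?: AccessRule[]; // AND: every rule must match
  exclude?: AccessRule[]; // NOT: no rule may match
}

// Hypothetical view of the caller (an assumption of this example, not an Access API type).
export interface Identity {
  email?: string;
  country?: string;         // ISO 3166-1 alpha-2
  ip?: string;              // IPv4 dotted quad
  passedPosture?: string[]; // integration_uids whose posture check passed
  serviceTokenId?: string;
  riskScore?: RiskLevel;
}

export type GroupRegistry = Record<string, GroupDefinition>; // group id -> definition (ids hypothetical)

// Dotted-quad IPv4 to an unsigned 32-bit number; null if malformed.
function ipv4ToInt(ip: string): number | null {
  const parts = ip.split(".");
  if (parts.length !== 4) return null;
  let n = 0;
  for (const p of parts) {
    if (!/^\d{1,3}$/.test(p) || Number(p) > 255) return null;
    n = n * 256 + Number(p);
  }
  return n;
}

// True if ip lies inside the IPv4 CIDR block; malformed input never matches (fail closed).
export function inCidr(ip: string, cidr: string): boolean {
  const slash = cidr.indexOf("/");
  const base = slash < 0 ? cidr : cidr.slice(0, slash);
  const bits = slash < 0 ? 32 : Number(cidr.slice(slash + 1));
  const a = ipv4ToInt(ip);
  const b = ipv4ToInt(base);
  if (a === null || b === null || bits !== Math.floor(bits) || bits < 0 || bits > 32) return false;
  if (bits === 0) return true; // "<< 32" is a no-op in JS, so /0 needs its own case
  const mask = (0xffffffff << (32 - bits)) >>> 0;
  return ((a & mask) >>> 0) === ((b & mask) >>> 0);
}

// Evaluate one rule. Unknown or cyclic group references fail closed.
export function ruleMatches(rule: AccessRule, who: Identity, groups: GroupRegistry, seen: string[]): boolean {
  const email = who.email?.toLowerCase();
  if ("everyone" in rule) return true;
  if ("email" in rule) return email === rule.email.email.toLowerCase();
  if ("email_domain" in rule) {
    const suffix = "@" + rule.email_domain.domain.toLowerCase();
    return email !== undefined && email.slice(-suffix.length) === suffix;
  }
  if ("geo" in rule) return who.country === rule.geo.country_code;
  if ("ip" in rule) return who.ip !== undefined && inCidr(who.ip, rule.ip.ip);
  if ("device_posture" in rule) return (who.passedPosture ?? []).indexOf(rule.device_posture.integration_uid) !== -1;
  if ("any_valid_service_token" in rule) return who.serviceTokenId !== undefined;
  if ("service_token" in rule) return who.serviceTokenId === rule.service_token.token_id;
  if ("user_risk_score" in rule) return rule.user_risk_score.user_risk_score.indexOf(who.riskScore ?? "unscored") !== -1;
  if ("group" in rule) {
    const id = rule.group.id;
    const nested: GroupDefinition | undefined = groups[id];
    if (nested === undefined || seen.indexOf(id) !== -1) return false;
    return groupMatches(nested, who, groups, seen.concat(id));
  }
  return false;
}

// The documented combination: (any include) AND (every require) AND NOT (any exclude).
export function groupMatches(group: GroupDefinition, who: Identity, groups: GroupRegistry = {}, seen: string[] = []): boolean {
  const test = (r: AccessRule) => ruleMatches(r, who, groups, seen);
  return group.include.some(test) && (group.require ?? []).every(test) && !(group.exclude ?? []).some(test);
}

// Constructed sample groups; the group IDs are hypothetical, not real Cloudflare UUIDs.
export const ENGINEERING: GroupDefinition = {
  name: "Engineering",
  include: [{ email_domain: { domain: "example.com" } }, { email: { email: "contractor@partner.example" } }],
  require: [{ device_posture: { integration_uid: "posture-disk-encryption" } },
            { user_risk_score: { user_risk_score: ["low", "unscored"] } }],
  exclude: [{ geo: { country_code: "KP" } }, { ip: { ip: "203.0.113.0/24" } }],
};
export const CI_AUTOMATION: GroupDefinition = {
  name: "CI automation",
  include: [{ group: { id: "grp-engineering" } }, { any_valid_service_token: {} }],
  require: [{ service_token: { token_id: "tok-ci-runner" } }],
};
export const GROUPS: GroupRegistry = { "grp-engineering": ENGINEERING, "grp-ci": CI_AUTOMATION };

// With the real SDK: await client.zeroTrust.access.groups.create({ account_id: ACCOUNT_ID, ...ENGINEERING });
```

Two properties of the combination are worth keeping in mind when you author groups: an empty `include` list never matches (the group fails closed), and `exclude` always wins, so a `geo` or `ip` rule placed in `exclude` denies a caller even when every `include` and `require` rule is satisfied.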
GroupCreateResponse { id, exclude, include, 3 more }
id?: string

UUID.

maxLength36
exclude?: Array<AccessRule>

Rules evaluated with a NOT logical operator. To match a policy, a user cannot meet any of the Exclude rules.

One of the following:
GroupRule { group }

Matches an Access group.

group: Group { id }
id: string

The ID of a previously created Access group.

AnyValidServiceTokenRule { any_valid_service_token }

Matches any valid Access Service Token.

any_valid_service_token: AnyValidServiceToken

An empty object which matches on all service tokens.

AccessAuthContextRule { auth_context }

Matches an Azure Authentication Context. Requires an Azure identity provider.

auth_context: AuthContext { id, ac_id, identity_provider_id }
id: string

The ID of an Authentication context.

ac_id: string

The ACID (authentication context ID) of an Authentication context.

identity_provider_id: string

The ID of your Azure identity provider.

AuthenticationMethodRule { auth_method }

Matches the authentication method the identity provider reports for the login, so a policy can require a particular MFA option.

auth_method: AuthMethod { auth_method }
auth_method: string

The Authentication Methods Reference (AMR, RFC 8176) value to match.
AzureGroupRule { azureAD }

Matches an Azure group. Requires an Azure identity provider.

azureAD: AzureAD { id, identity_provider_id }
id: string

The ID of an Azure group.

identity_provider_id: string

The ID of your Azure identity provider.

CertificateRule { certificate }

Matches any valid client certificate.

certificate: Certificate
AccessCommonNameRule { common_name }

Matches a specific common name.

common_name: CommonName { common_name }
common_name: string

The common name to match.

CountryRule { geo }

Matches a specific country.

geo: Geo { country_code }
country_code: string

The country code that should be matched.

AccessDevicePostureRule { device_posture }

Enforces that a device posture rule has run successfully.

device_posture: DevicePosture { integration_uid }
integration_uid: string

The ID of a device posture integration.

DomainRule { email_domain }

Matches an entire email domain.

email_domain: EmailDomain { domain }
domain: string

The email domain to match.

EmailListRule { email_list }

Matches an email address from a list.

email_list: EmailList { id }
id: string

The ID of a previously created email list.

EmailRule { email }

Matches a specific email.

email: Email { email }
email: string

The email of the user.

format: email
EveryoneRule { everyone }

Matches everyone.

everyone: Everyone

An empty object which matches on all users.

ExternalEvaluationRule { external_evaluation }

Create Allow or Block policies which evaluate the user based on custom criteria.

external_evaluation: ExternalEvaluation { evaluate_url, keys_url }
evaluate_url: string

The API endpoint containing your business logic.

keys_url: string

The API endpoint containing the key that Access uses to verify that the response came from your API.

GitHubOrganizationRule { github-organization }

Matches a GitHub organization. Requires a GitHub identity provider.

"github-organization": GitHubOrganization { identity_provider_id, name, team }
identity_provider_id: string

The ID of your GitHub identity provider.

name: string

The name of the organization.

team?: string

The name of the team.

GSuiteGroupRule { gsuite }

Matches a group in Google Workspace. Requires a Google Workspace identity provider.

gsuite: GSuite { email, identity_provider_id }
email: string

The email of the Google Workspace group.

identity_provider_id: string

The ID of your Google Workspace identity provider.

AccessLoginMethodRule { login_method }

Matches a specific identity provider ID.

login_method: LoginMethod { id }
id: string

The ID of an identity provider.

IPListRule { ip_list }

Matches an IP address from a list.

ip_list: IPList { id }
id: string

The ID of a previously created IP list.

IPRule { ip }

Matches an IP address block.

ip: IP { ip }
ip: string

An IPv4 or IPv6 CIDR block.

OktaGroupRule { okta }

Matches an Okta group. Requires an Okta identity provider.

okta: Okta { identity_provider_id, name }
identity_provider_id: string

The ID of your Okta identity provider.

name: string

The name of the Okta group.

SAMLGroupRule { saml }

Matches a SAML group. Requires a SAML identity provider.

saml: SAML { attribute_name, attribute_value, identity_provider_id }
attribute_name: string

The name of the SAML attribute.

attribute_value: string

The SAML attribute value to look for.

identity_provider_id: string

The ID of your SAML identity provider.

AccessOIDCClaimRule { oidc }

Matches an OIDC claim. Requires an OIDC identity provider.

oidc: OIDC { claim_name, claim_value, identity_provider_id }
claim_name: string

The name of the OIDC claim.

claim_value: string

The OIDC claim value to look for.

identity_provider_id: string

The ID of your OIDC identity provider.

ServiceTokenRule { service_token }

Matches a specific Access Service Token.

service_token: ServiceToken { token_id }
token_id: string

The ID of a Service Token.

AccessLinkedAppTokenRule { linked_app_token }

Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.

linked_app_token: LinkedAppToken { app_uid }
app_uid: string

The ID of an Access OIDC SaaS application.

AccessUserRiskScoreRule { user_risk_score }

Matches a user’s risk score.

user_risk_score: UserRiskScore { user_risk_score }
user_risk_score: Array<"low" | "medium" | "high" | "unscored">

A list of risk score levels to match. Values can be low, medium, high, or unscored.

One of the following:
"low"
"medium"
"high"
"unscored"
include?: Array<AccessRule>

Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.

One of the following:
GroupRule { group }

Matches an Access group.

group: Group { id }
id: string

The ID of a previously created Access group.

AnyValidServiceTokenRule { any_valid_service_token }

Matches any valid Access Service Token.

any_valid_service_token: AnyValidServiceToken

An empty object which matches on all service tokens.

AccessAuthContextRule { auth_context }

Matches an Azure Authentication Context. Requires an Azure identity provider.

auth_context: AuthContext { id, ac_id, identity_provider_id }
id: string

The ID of an Authentication context.

ac_id: string

The ACID (authentication context ID) of an Authentication context.

identity_provider_id: string

The ID of your Azure identity provider.

AuthenticationMethodRule { auth_method }

Matches the authentication method the identity provider reports for the login, so a policy can require a particular MFA option.

auth_method: AuthMethod { auth_method }
auth_method: string

The Authentication Methods Reference (AMR, RFC 8176) value to match.
AzureGroupRule { azureAD }

Matches an Azure group. Requires an Azure identity provider.

azureAD: AzureAD { id, identity_provider_id }
id: string

The ID of an Azure group.

identity_provider_id: string

The ID of your Azure identity provider.

CertificateRule { certificate }

Matches any valid client certificate.

certificate: Certificate
AccessCommonNameRule { common_name }

Matches a specific common name.

common_name: CommonName { common_name }
common_name: string

The common name to match.

CountryRule { geo }

Matches a specific country.

geo: Geo { country_code }
country_code: string

The country code that should be matched.

AccessDevicePostureRule { device_posture }

Enforces that a device posture rule has run successfully.

device_posture: DevicePosture { integration_uid }
integration_uid: string

The ID of a device posture integration.

DomainRule { email_domain }

Matches an entire email domain.

email_domain: EmailDomain { domain }
domain: string

The email domain to match.

EmailListRule { email_list }

Matches an email address from a list.

email_list: EmailList { id }
id: string

The ID of a previously created email list.

EmailRule { email }

Matches a specific email.

email: Email { email }
email: string

The email of the user.

format: email
EveryoneRule { everyone }

Matches everyone.

everyone: Everyone

An empty object which matches on all users.

ExternalEvaluationRule { external_evaluation }

Create Allow or Block policies which evaluate the user based on custom criteria.

external_evaluation: ExternalEvaluation { evaluate_url, keys_url }
evaluate_url: string

The API endpoint containing your business logic.

keys_url: string

The API endpoint containing the key that Access uses to verify that the response came from your API.

GitHubOrganizationRule { github-organization }

Matches a GitHub organization. Requires a GitHub identity provider.

"github-organization": GitHubOrganization { identity_provider_id, name, team }
identity_provider_id: string

The ID of your GitHub identity provider.

name: string

The name of the organization.

team?: string

The name of the team.

GSuiteGroupRule { gsuite }

Matches a group in Google Workspace. Requires a Google Workspace identity provider.

gsuite: GSuite { email, identity_provider_id }
email: string

The email of the Google Workspace group.

identity_provider_id: string

The ID of your Google Workspace identity provider.

AccessLoginMethodRule { login_method }

Matches a specific identity provider ID.

login_method: LoginMethod { id }
id: string

The ID of an identity provider.

IPListRule { ip_list }

Matches an IP address from a list.

ip_list: IPList { id }
id: string

The ID of a previously created IP list.

IPRule { ip }

Matches an IP address block.

ip: IP { ip }
ip: string

An IPv4 or IPv6 CIDR block.

OktaGroupRule { okta }

Matches an Okta group. Requires an Okta identity provider.

okta: Okta { identity_provider_id, name }
identity_provider_id: string

The ID of your Okta identity provider.

name: string

The name of the Okta group.

SAMLGroupRule { saml }

Matches a SAML group. Requires a SAML identity provider.

saml: SAML { attribute_name, attribute_value, identity_provider_id }
attribute_name: string

The name of the SAML attribute.

attribute_value: string

The SAML attribute value to look for.

identity_provider_id: string

The ID of your SAML identity provider.

AccessOIDCClaimRule { oidc }

Matches an OIDC claim. Requires an OIDC identity provider.

oidc: OIDC { claim_name, claim_value, identity_provider_id }
claim_name: string

The name of the OIDC claim.

claim_value: string

The OIDC claim value to look for.

identity_provider_id: string

The ID of your OIDC identity provider.

ServiceTokenRule { service_token }

Matches a specific Access Service Token.

service_token: ServiceToken { token_id }
token_id: string

The ID of a Service Token.

AccessLinkedAppTokenRule { linked_app_token }

Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.

linked_app_token: LinkedAppToken { app_uid }
app_uid: string

The ID of an Access OIDC SaaS application.

AccessUserRiskScoreRule { user_risk_score }

Matches a user’s risk score.

user_risk_score: UserRiskScore { user_risk_score }
user_risk_score: Array<"low" | "medium" | "high" | "unscored">

A list of risk score levels to match. Values can be low, medium, high, or unscored.

One of the following:
"low"
"medium"
"high"
"unscored"
is_default?: Array<AccessRule>

Rules evaluated with an AND logical operator. To match a policy, a user must meet all of these rules.

One of the following:
GroupRule { group }

Matches an Access group.

group: Group { id }
id: string

The ID of a previously created Access group.

AnyValidServiceTokenRule { any_valid_service_token }

Matches any valid Access Service Token.

any_valid_service_token: AnyValidServiceToken

An empty object which matches on all service tokens.

AccessAuthContextRule { auth_context }

Matches an Azure Authentication Context. Requires an Azure identity provider.

auth_context: AuthContext { id, ac_id, identity_provider_id }
id: string

The ID of an Authentication context.

ac_id: string

The ACID (authentication context ID) of an Authentication context.

identity_provider_id: string

The ID of your Azure identity provider.

AuthenticationMethodRule { auth_method }

Matches the authentication method the identity provider reports for the login, so a policy can require a particular MFA option.

auth_method: AuthMethod { auth_method }
auth_method: string

The Authentication Methods Reference (AMR, RFC 8176) value to match.
AzureGroupRule { azureAD }

Matches an Azure group. Requires an Azure identity provider.

azureAD: AzureAD { id, identity_provider_id }
id: string

The ID of an Azure group.

identity_provider_id: string

The ID of your Azure identity provider.

CertificateRule { certificate }

Matches any valid client certificate.

certificate: Certificate
AccessCommonNameRule { common_name }

Matches a specific common name.

common_name: CommonName { common_name }
common_name: string

The common name to match.

CountryRule { geo }

Matches a specific country.

geo: Geo { country_code }
country_code: string

The country code that should be matched.

AccessDevicePostureRule { device_posture }

Enforces that a device posture rule has run successfully.

device_posture: DevicePosture { integration_uid }
integration_uid: string

The ID of a device posture integration.

DomainRule { email_domain }

Matches an entire email domain.

email_domain: EmailDomain { domain }
domain: string

The email domain to match.

EmailListRule { email_list }

Matches an email address from a list.

email_list: EmailList { id }
id: string

The ID of a previously created email list.

EmailRule { email }

Matches a specific email.

email: Email { email }
email: string

The email of the user.

format: email
EveryoneRule { everyone }

Matches everyone.

everyone: Everyone

An empty object which matches on all users.

ExternalEvaluationRule { external_evaluation }

Create Allow or Block policies which evaluate the user based on custom criteria.

external_evaluation: ExternalEvaluation { evaluate_url, keys_url }
evaluate_url: string

The API endpoint containing your business logic.

keys_url: string

The API endpoint containing the key that Access uses to verify that the response came from your API.

GitHubOrganizationRule { github-organization }

Matches a GitHub organization. Requires a GitHub identity provider.

"github-organization": GitHubOrganization { identity_provider_id, name, team }
identity_provider_id: string

The ID of your GitHub identity provider.

name: string

The name of the organization.

team?: string

The name of the team.

GSuiteGroupRule { gsuite }

Matches a group in Google Workspace. Requires a Google Workspace identity provider.

gsuite: GSuite { email, identity_provider_id }
email: string

The email of the Google Workspace group.

identity_provider_id: string

The ID of your Google Workspace identity provider.

AccessLoginMethodRule { login_method }

Matches a specific identity provider ID.

login_method: LoginMethod { id }
id: string

The ID of an identity provider.

IPListRule { ip_list }

Matches an IP address from a list.

ip_list: IPList { id }
id: string

The ID of a previously created IP list.

IPRule { ip }

Matches an IP address block.

ip: IP { ip }
ip: string

An IPv4 or IPv6 CIDR block.

OktaGroupRule { okta }

Matches an Okta group. Requires an Okta identity provider.

okta: Okta { identity_provider_id, name }
identity_provider_id: string

The ID of your Okta identity provider.

name: string

The name of the Okta group.

SAMLGroupRule { saml }

Matches a SAML group. Requires a SAML identity provider.

saml: SAML { attribute_name, attribute_value, identity_provider_id }
attribute_name: string

The name of the SAML attribute.

attribute_value: string

The SAML attribute value to look for.

identity_provider_id: string

The ID of your SAML identity provider.

AccessOIDCClaimRule { oidc }

Matches an OIDC claim. Requires an OIDC identity provider.

oidc: OIDC { claim_name, claim_value, identity_provider_id }
claim_name: string

The name of the OIDC claim.

claim_value: string

The OIDC claim value to look for.

identity_provider_id: string

The ID of your OIDC identity provider.

ServiceTokenRule { service_token }

Matches a specific Access Service Token.

service_token: ServiceToken { token_id }
token_id: string

The ID of a Service Token.

AccessLinkedAppTokenRule { linked_app_token }

Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.

linked_app_token: LinkedAppToken { app_uid }
app_uid: string

The ID of an Access OIDC SaaS application.

AccessUserRiskScoreRule { user_risk_score }

Matches a user’s risk score.

user_risk_score: UserRiskScore { user_risk_score }
user_risk_score: Array<"low" | "medium" | "high" | "unscored">

A list of risk score levels to match. Values can be low, medium, high, or unscored.

One of the following:
"low"
"medium"
"high"
"unscored"
name?: string

The name of the Access group.

require?: Array<AccessRule>

Rules evaluated with an AND logical operator. To match a policy, a user must meet all of the Require rules.

One of the following:
GroupRule { group }

Matches an Access group.

group: Group { id }
id: string

The ID of a previously created Access group.

AnyValidServiceTokenRule { any_valid_service_token }

Matches any valid Access Service Token.

any_valid_service_token: AnyValidServiceToken

An empty object which matches on all service tokens.

AccessAuthContextRule { auth_context }

Matches an Azure Authentication Context. Requires an Azure identity provider.

auth_context: AuthContext { id, ac_id, identity_provider_id }
id: string

The ID of an Authentication context.

ac_id: string

The ACID (authentication context ID) of an Authentication context.

identity_provider_id: string

The ID of your Azure identity provider.

AuthenticationMethodRule { auth_method }

Matches the authentication method the identity provider reports for the login, so a policy can require a particular MFA option.

auth_method: AuthMethod { auth_method }
auth_method: string

The Authentication Methods Reference (AMR, RFC 8176) value to match.
AzureGroupRule { azureAD }

Matches an Azure group. Requires an Azure identity provider.

azureAD: AzureAD { id, identity_provider_id }
id: string

The ID of an Azure group.

identity_provider_id: string

The ID of your Azure identity provider.

CertificateRule { certificate }

Matches any valid client certificate.

certificate: Certificate
AccessCommonNameRule { common_name }

Matches a specific common name.

common_name: CommonName { common_name }
common_name: string

The common name to match.

CountryRule { geo }

Matches a specific country.

geo: Geo { country_code }
country_code: string

The country code that should be matched.

AccessDevicePostureRule { device_posture }

Enforces that a device posture rule has run successfully.

device_posture: DevicePosture { integration_uid }
integration_uid: string

The ID of a device posture integration.

DomainRule { email_domain }

Matches an entire email domain.

email_domain: EmailDomain { domain }
domain: string

The email domain to match.

EmailListRule { email_list }

Matches an email address from a list.

email_list: EmailList { id }
id: string

The ID of a previously created email list.

EmailRule { email }

Matches a specific email.

email: Email { email }
email: string

The email of the user.

format: email
EveryoneRule { everyone }

Matches everyone.

everyone: Everyone

An empty object which matches on all users.

ExternalEvaluationRule { external_evaluation }

Create Allow or Block policies which evaluate the user based on custom criteria.

external_evaluation: ExternalEvaluation { evaluate_url, keys_url }
evaluate_url: string

The API endpoint containing your business logic.

keys_url: string

The API endpoint containing the key that Access uses to verify that the response came from your API.

GitHubOrganizationRule { github-organization }

Matches a GitHub organization. Requires a GitHub identity provider.

"github-organization": GitHubOrganization { identity_provider_id, name, team }
identity_provider_id: string

The ID of your GitHub identity provider.

name: string

The name of the organization.

team?: string

The name of the team.

GSuiteGroupRule { gsuite }

Matches a group in Google Workspace. Requires a Google Workspace identity provider.

gsuite: GSuite { email, identity_provider_id }
email: string

The email of the Google Workspace group.

identity_provider_id: string

The ID of your Google Workspace identity provider.

AccessLoginMethodRule { login_method }

Matches a specific identity provider ID.

login_method: LoginMethod { id }
id: string

The ID of an identity provider.

IPListRule { ip_list }

Matches an IP address from a list.

ip_list: IPList { id }
id: string

The ID of a previously created IP list.

IPRule { ip }

Matches an IP address block.

ip: IP { ip }
ip: string

An IPv4 or IPv6 CIDR block.

OktaGroupRule { okta }

Matches an Okta group. Requires an Okta identity provider.

okta: Okta { identity_provider_id, name }
identity_provider_id: string

The ID of your Okta identity provider.

name: string

The name of the Okta group.

SAMLGroupRule { saml }

Matches a SAML group. Requires a SAML identity provider.

saml: SAML { attribute_name, attribute_value, identity_provider_id }
attribute_name: string

The name of the SAML attribute.

attribute_value: string

The SAML attribute value to look for.

identity_provider_id: string

The ID of your SAML identity provider.

AccessOIDCClaimRule { oidc }

Matches an OIDC claim. Requires an OIDC identity provider.

oidc: OIDC { claim_name, claim_value, identity_provider_id }
claim_name: string

The name of the OIDC claim.

claim_value: string

The OIDC claim value to look for.

identity_provider_id: string

The ID of your OIDC identity provider.

ServiceTokenRule { service_token }

Matches a specific Access Service Token.

service_token: ServiceToken { token_id }
token_id: string

The ID of a Service Token.

AccessLinkedAppTokenRule { linked_app_token }

Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.

linked_app_token: LinkedAppToken { app_uid }
app_uid: string

The ID of an Access OIDC SaaS application.

AccessUserRiskScoreRule { user_risk_score }

Matches a user’s risk score.

user_risk_score: UserRiskScore { user_risk_score }
user_risk_score: Array<"low" | "medium" | "high" | "unscored">

A list of risk score levels to match. Values can be low, medium, high, or unscored.

One of the following:
"low"
"medium"
"high"
"unscored"
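The include, exclude and require fields above each state their own operator (OR, NOT, AND) but not how the three combine into one decision. The block below is an added example, not code from this page or from the Cloudflare TypeScript SDK it documents: it models a group in the same include/exclude/require shape and evaluates constructed identities against it locally. The Identity type, the sample group, the sample identities and the IPv4-only CIDR helper are all assumptions made for the example; only a subset of the AccessRule variants is modelled, and any unmodelled rule fails closed.

```typescript
// Added example (not SDK or Cloudflare code): a local model of how an Access
// group's include / exclude / require arrays combine, following the semantics
// documented on this page: include = OR, exclude = NOT, require = AND.
// The Identity type and the sample data are constructed for the demonstration.

type RiskLevel = "low" | "medium" | "high" | "unscored";

// A subset of the AccessRule variants listed on this page, in their wire shape.
type AccessRule =
  | { everyone: Record<string, never> }
  | { email: { email: string } }
  | { email_domain: { domain: string } }
  | { ip: { ip: string } }
  | { geo: { country_code: string } }
  | { group: { id: string } }
  | { user_risk_score: { user_risk_score: RiskLevel[] } };

// The group's rule fields, named as in GroupCreateParams / GroupUpdateResponse.
interface AccessGroup {
  name: string;
  include: AccessRule[];
  exclude?: AccessRule[];
  require?: AccessRule[];
}

// Constructed request context; an assumption of this example, not an SDK type.
interface Identity {
  email: string;
  ip: string;          // IPv4 only in this model; anything else fails closed
  countryCode: string;
  groupIds: string[];  // Access groups the identity already matched
  riskScore: RiskLevel;
}

// Parse a dotted-quad IPv4 address into an unsigned 32-bit integer, or null.
function ipv4ToInt(ip: string): number | null {
  const parts = ip.split(".").map(Number);
  if (parts.length !== 4 || parts.some(p => !Number.isInteger(p) || p < 0 || p > 255)) {
    return null;
  }
  return ((parts[0] << 24) | (parts[1] << 16) | (parts[2] << 8) | parts[3]) >>> 0;
}

// True when ip lies inside the IPv4 CIDR block; malformed input never matches.
function inCidr(ip: string, cidr: string): boolean {
  const slash = cidr.indexOf("/");
  const net = slash === -1 ? cidr : cidr.slice(0, slash);
  const prefix = slash === -1 ? 32 : Number(cidr.slice(slash + 1));
  const addr = ipv4ToInt(ip);
  const base = ipv4ToInt(net);
  if (addr === null || base === null || !Number.isInteger(prefix) || prefix < 0 || prefix > 32) {
    return false;
  }
  // JS masks shift counts to 5 bits, so /0 needs its own case.
  const mask = prefix === 0 ? 0 : (~0 << (32 - prefix)) >>> 0;
  return ((addr & mask) >>> 0) === ((base & mask) >>> 0);
}

// Evaluate one rule against the identity. Unmodelled rule kinds fail closed.
function ruleMatches(rule: AccessRule, id: Identity): boolean {
  if ("everyone" in rule) return true;
  if ("email" in rule) return rule.email.email.toLowerCase() === id.email.toLowerCase();
  if ("email_domain" in rule) {
    return id.email.toLowerCase().endsWith("@" + rule.email_domain.domain.toLowerCase());
  }
  if ("ip" in rule) return inCidr(id.ip, rule.ip.ip);
  if ("geo" in rule) return rule.geo.country_code === id.countryCode;
  if ("group" in rule) return id.groupIds.includes(rule.group.id);
  if ("user_risk_score" in rule) return rule.user_risk_score.user_risk_score.includes(id.riskScore);
  return false;
}

// include: at least one must match (an empty list matches nobody);
// exclude: none may match; require: all must match (an empty list adds no condition).
function groupMatches(group: AccessGroup, id: Identity): boolean {
  const included = group.include.some(r => ruleMatches(r, id));
  const excluded = (group.exclude ?? []).some(r => ruleMatches(r, id));
  const required = (group.require ?? []).every(r => ruleMatches(r, id));
  return included && !excluded && required;
}

// Constructed sample: staff of example.com, only from the office range,
// never when the risk score is high.
const sampleGroup: AccessGroup = {
  name: "office-staff",
  include: [{ email_domain: { domain: "example.com" } }],
  exclude: [{ user_risk_score: { user_risk_score: ["high"] } }],
  require: [{ ip: { ip: "203.0.113.0/24" } }],
};

// Constructed identities covering each way the decision can go.
const sampleIdentities: Record<string, Identity> = {
  alice: { email: "alice@example.com", ip: "203.0.113.10", countryCode: "US", groupIds: [], riskScore: "low" },
  bob:   { email: "bob@example.com",   ip: "198.51.100.5", countryCode: "US", groupIds: [], riskScore: "low" },
  carol: { email: "carol@example.com", ip: "203.0.113.20", countryCode: "US", groupIds: [], riskScore: "high" },
  dave:  { email: "dave@other.org",    ip: "203.0.113.30", countryCode: "US", groupIds: [], riskScore: "low" },
};

// Run every sample identity through the group and return the decisions.
function evaluateSamples(): Record<string, boolean> {
  const out: Record<string, boolean> = {};
  for (const [who, id] of Object.entries(sampleIdentities)) out[who] = groupMatches(sampleGroup, id);
  return out;
}
```

Of the four constructed identities only alice matches: bob fails the require rule (wrong network), carol is caught by the exclude rule (high risk score) and dave never satisfies an include rule. One consequence of the documented semantics that the model makes visible: an empty include list matches nobody, while an empty require list adds no condition, so a group whose include list is emptied by mistake denies everyone rather than admitting everyone.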
GroupUpdateResponse { id, exclude, include, 3 more }
id?: string

UUID.

maxLength: 36
exclude?: Array<AccessRule>

Rules evaluated with a NOT logical operator. To match a policy, a user cannot meet any of the Exclude rules.

One of the following: the AccessRule variants listed in full under the first require field above (GroupRule { group } through AccessUserRiskScoreRule { user_risk_score }); the list is identical for every Array<AccessRule> field.

include?: Array<AccessRule>

Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.

One of the following: the AccessRule variants listed in full under the first require field above (GroupRule { group } through AccessUserRiskScoreRule { user_risk_score }); the list is identical for every Array<AccessRule> field.

is_default?: Array<AccessRule>

Rules evaluated with an AND logical operator. To match a policy, a user must meet all of the Require rules.

One of the following: the AccessRule variants listed in full under the first require field above (GroupRule { group } through AccessUserRiskScoreRule { user_risk_score }); the list is identical for every Array<AccessRule> field.

name?: string

The name of the Access group.

require?: Array<AccessRule>

Rules evaluated with an AND logical operator. To match a policy, a user must meet all of the Require rules.

One of the following: the AccessRule variants listed in full under the first require field above (GroupRule { group } through AccessUserRiskScoreRule { user_risk_score }); the list is identical for every Array<AccessRule> field.

GroupDeleteResponse { id }
id?: string

UUID.

maxLength: 36