Groups

List Access groups
zero_trust.access.groups.list(**kwargs: GroupListParams) -> SyncV4PagePaginationArray[GroupListResponse]
GET /{accounts_or_zones}/{account_or_zone_id}/access/groups

Get an Access group
zero_trust.access.groups.get(group_id: str, **kwargs: GroupGetParams) -> GroupGetResponse
GET /{accounts_or_zones}/{account_or_zone_id}/access/groups/{group_id}

Create an Access group
zero_trust.access.groups.create(**kwargs: GroupCreateParams) -> GroupCreateResponse
POST /{accounts_or_zones}/{account_or_zone_id}/access/groups

Update an Access group
zero_trust.access.groups.update(group_id: str, **kwargs: GroupUpdateParams) -> GroupUpdateResponse
PUT /{accounts_or_zones}/{account_or_zone_id}/access/groups/{group_id}

Delete an Access group
zero_trust.access.groups.delete(group_id: str, **kwargs: GroupDeleteParams) -> GroupDeleteResponse
DELETE /{accounts_or_zones}/{account_or_zone_id}/access/groups/{group_id}

Models
class ZeroTrustGroup:
id: Optional[str]

The unique Cloudflare-generated Id of the SCIM resource.

display_name: Optional[str]

The display name of the SCIM Group resource.

external_id: Optional[str]

The IdP-generated Id of the SCIM resource.

meta: Optional[Meta]

The metadata of the SCIM resource.

created: Optional[datetime]

The timestamp of when the SCIM resource was created.

format: date-time
last_modified: Optional[datetime]

The timestamp of when the SCIM resource was last modified.

format: date-time
schemas: Optional[List[str]]

The list of URIs which indicate the attributes contained within a SCIM resource.

class GroupListResponse:
id: Optional[str]

UUID.

maxLength: 36
exclude: Optional[List[AccessRule]]

Rules evaluated with a NOT logical operator. To match a policy, a user cannot meet any of the Exclude rules.

One of the following:
class GroupRule:

Matches an Access group.

group: Group
id: str

The ID of a previously created Access group.

class AnyValidServiceTokenRule:

Matches any valid Access Service Token

any_valid_service_token: AnyValidServiceToken

An empty object which matches on all service tokens.

class AccessAuthContextRule:

Matches an Azure Authentication Context. Requires an Azure identity provider.

auth_context: AccessAuthContextRuleAuthContext
id: str

The ID of an Authentication context.

ac_id: str

The ACID of an Authentication context.

identity_provider_id: str

The ID of your Azure identity provider.

class AuthenticationMethodRule:

Enforce different MFA options

auth_method: AuthMethod
auth_method: str
class AzureGroupRule:

Matches an Azure group. Requires an Azure identity provider.

azure_ad: AzureAD
id: str

The ID of an Azure group.

identity_provider_id: str

The ID of your Azure identity provider.

class CertificateRule:

Matches any valid client certificate.

certificate: Certificate
class AccessCommonNameRule:

Matches a specific common name.

common_name: AccessCommonNameRuleCommonName
common_name: str

The common name to match.

class CountryRule:

Matches a specific country

geo: Geo
country_code: str

The country code that should be matched.

class AccessDevicePostureRule:

Enforces a device posture rule has run successfully

device_posture: DevicePosture
integration_uid: str

The ID of a device posture integration.

class DomainRule:

Match an entire email domain.

email_domain: EmailDomain
domain: str

The email domain to match.

class EmailListRule:

Matches an email address from a list.

email_list: EmailList
id: str

The ID of a previously created email list.

class EmailRule:

Matches a specific email.

email: Email
email: str

The email of the user.

format: email
class EveryoneRule:

Matches everyone.

everyone: Everyone

An empty object which matches on all users.

class ExternalEvaluationRule:

Create Allow or Block policies which evaluate the user based on custom criteria.

external_evaluation: ExternalEvaluation
evaluate_url: str

The API endpoint containing your business logic.

keys_url: str

The API endpoint containing the key that Access uses to verify that the response came from your API.

class GitHubOrganizationRule:

Matches a GitHub organization. Requires a GitHub identity provider.

github_organization: GitHubOrganization
identity_provider_id: str

The ID of your GitHub identity provider.

name: str

The name of the organization.

team: Optional[str]

The name of the team

class GSuiteGroupRule:

Matches a group in Google Workspace. Requires a Google Workspace identity provider.

gsuite: GSuite
email: str

The email of the Google Workspace group.

identity_provider_id: str

The ID of your Google Workspace identity provider.

class AccessLoginMethodRule:

Matches a specific identity provider id.

login_method: AccessLoginMethodRuleLoginMethod
id: str

The ID of an identity provider.

class IPListRule:

Matches an IP address from a list.

ip_list: IPList
id: str

The ID of a previously created IP list.

class IPRule:

Matches an IP address block.

ip: IP
ip: str

An IPv4 or IPv6 CIDR block.

class OktaGroupRule:

Matches an Okta group. Requires an Okta identity provider.

okta: Okta
identity_provider_id: str

The ID of your Okta identity provider.

name: str

The name of the Okta group.

class SAMLGroupRule:

Matches a SAML group. Requires a SAML identity provider.

saml: SAML
attribute_name: str

The name of the SAML attribute.

attribute_value: str

The SAML attribute value to look for.

identity_provider_id: str

The ID of your SAML identity provider.

class AccessOIDCClaimRule:

Matches an OIDC claim. Requires an OIDC identity provider.

oidc: AccessOIDCClaimRuleOIDC
claim_name: str

The name of the OIDC claim.

claim_value: str

The OIDC claim value to look for.

identity_provider_id: str

The ID of your OIDC identity provider.

class ServiceTokenRule:

Matches a specific Access Service Token

service_token: ServiceToken
token_id: str

The ID of a Service Token.

class AccessLinkedAppTokenRule:

Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.

linked_app_token: AccessLinkedAppTokenRuleLinkedAppToken
app_uid: str

The ID of an Access OIDC SaaS application

class AccessUserRiskScoreRule:

Matches a user’s risk score.

user_risk_score: AccessUserRiskScoreRuleUserRiskScore
user_risk_score: List[Literal["low", "medium", "high", "unscored"]]

A list of risk score levels to match. Values can be low, medium, high, or unscored.

One of the following:
"low"
"medium"
"high"
"unscored"
include: Optional[List[AccessRule]]

Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.

One of the following:
class GroupRule:

Matches an Access group.

group: Group
id: str

The ID of a previously created Access group.

class AnyValidServiceTokenRule:

Matches any valid Access Service Token

any_valid_service_token: AnyValidServiceToken

An empty object which matches on all service tokens.

class AccessAuthContextRule:

Matches an Azure Authentication Context. Requires an Azure identity provider.

auth_context: AccessAuthContextRuleAuthContext
id: str

The ID of an Authentication context.

ac_id: str

The ACID of an Authentication context.

identity_provider_id: str

The ID of your Azure identity provider.

class AuthenticationMethodRule:

Enforce different MFA options

auth_method: AuthMethod
auth_method: str
class AzureGroupRule:

Matches an Azure group. Requires an Azure identity provider.

azure_ad: AzureAD
id: str

The ID of an Azure group.

identity_provider_id: str

The ID of your Azure identity provider.

class CertificateRule:

Matches any valid client certificate.

certificate: Certificate
class AccessCommonNameRule:

Matches a specific common name.

common_name: AccessCommonNameRuleCommonName
common_name: str

The common name to match.

class CountryRule:

Matches a specific country

geo: Geo
country_code: str

The country code that should be matched.

class AccessDevicePostureRule:

Enforces a device posture rule has run successfully

device_posture: DevicePosture
integration_uid: str

The ID of a device posture integration.

class DomainRule:

Match an entire email domain.

email_domain: EmailDomain
domain: str

The email domain to match.

class EmailListRule:

Matches an email address from a list.

email_list: EmailList
id: str

The ID of a previously created email list.

class EmailRule:

Matches a specific email.

email: Email
email: str

The email of the user.

format: email
class EveryoneRule:

Matches everyone.

everyone: Everyone

An empty object which matches on all users.

class ExternalEvaluationRule:

Create Allow or Block policies which evaluate the user based on custom criteria.

external_evaluation: ExternalEvaluation
evaluate_url: str

The API endpoint containing your business logic.

keys_url: str

The API endpoint containing the key that Access uses to verify that the response came from your API.

class GitHubOrganizationRule:

Matches a GitHub organization. Requires a GitHub identity provider.

github_organization: GitHubOrganization
identity_provider_id: str

The ID of your GitHub identity provider.

name: str

The name of the organization.

team: Optional[str]

The name of the team

class GSuiteGroupRule:

Matches a group in Google Workspace. Requires a Google Workspace identity provider.

gsuite: GSuite
email: str

The email of the Google Workspace group.

identity_provider_id: str

The ID of your Google Workspace identity provider.

class AccessLoginMethodRule:

Matches a specific identity provider id.

login_method: AccessLoginMethodRuleLoginMethod
id: str

The ID of an identity provider.

class IPListRule:

Matches an IP address from a list.

ip_list: IPList
id: str

The ID of a previously created IP list.

class IPRule:

Matches an IP address block.

ip: IP
ip: str

An IPv4 or IPv6 CIDR block.

class OktaGroupRule:

Matches an Okta group. Requires an Okta identity provider.

okta: Okta
identity_provider_id: str

The ID of your Okta identity provider.

name: str

The name of the Okta group.

class SAMLGroupRule:

Matches a SAML group. Requires a SAML identity provider.

saml: SAML
attribute_name: str

The name of the SAML attribute.

attribute_value: str

The SAML attribute value to look for.

identity_provider_id: str

The ID of your SAML identity provider.

class AccessOIDCClaimRule:

Matches an OIDC claim. Requires an OIDC identity provider.

oidc: AccessOIDCClaimRuleOIDC
claim_name: str

The name of the OIDC claim.

claim_value: str

The OIDC claim value to look for.

identity_provider_id: str

The ID of your OIDC identity provider.

class ServiceTokenRule:

Matches a specific Access Service Token

service_token: ServiceToken
token_id: str

The ID of a Service Token.

class AccessLinkedAppTokenRule:

Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.

linked_app_token: AccessLinkedAppTokenRuleLinkedAppToken
app_uid: str

The ID of an Access OIDC SaaS application

class AccessUserRiskScoreRule:

Matches a user’s risk score.

user_risk_score: AccessUserRiskScoreRuleUserRiskScore
user_risk_score: List[Literal["low", "medium", "high", "unscored"]]

A list of risk score levels to match. Values can be low, medium, high, or unscored.

One of the following:
"low"
"medium"
"high"
"unscored"
is_default: Optional[List[AccessRule]]

Rules evaluated with an AND logical operator. To match a policy, a user must meet all of the Require rules.

One of the following:
class GroupRule:

Matches an Access group.

group: Group
id: str

The ID of a previously created Access group.

class AnyValidServiceTokenRule:

Matches any valid Access Service Token

any_valid_service_token: AnyValidServiceToken

An empty object which matches on all service tokens.

class AccessAuthContextRule:

Matches an Azure Authentication Context. Requires an Azure identity provider.

auth_context: AccessAuthContextRuleAuthContext
id: str

The ID of an Authentication context.

ac_id: str

The ACID of an Authentication context.

identity_provider_id: str

The ID of your Azure identity provider.

class AuthenticationMethodRule:

Enforce different MFA options

auth_method: AuthMethod
auth_method: str
class AzureGroupRule:

Matches an Azure group. Requires an Azure identity provider.

azure_ad: AzureAD
id: str

The ID of an Azure group.

identity_provider_id: str

The ID of your Azure identity provider.

class CertificateRule:

Matches any valid client certificate.

certificate: Certificate
class AccessCommonNameRule:

Matches a specific common name.

common_name: AccessCommonNameRuleCommonName
common_name: str

The common name to match.

class CountryRule:

Matches a specific country

geo: Geo
country_code: str

The country code that should be matched.

class AccessDevicePostureRule:

Enforces a device posture rule has run successfully

device_posture: DevicePosture
integration_uid: str

The ID of a device posture integration.

class DomainRule:

Match an entire email domain.

email_domain: EmailDomain
domain: str

The email domain to match.

class EmailListRule:

Matches an email address from a list.

email_list: EmailList
id: str

The ID of a previously created email list.

class EmailRule:

Matches a specific email.

email: Email
email: str

The email of the user.

format: email
class EveryoneRule:

Matches everyone.

everyone: Everyone

An empty object which matches on all users.

class ExternalEvaluationRule:

Create Allow or Block policies which evaluate the user based on custom criteria.

external_evaluation: ExternalEvaluation
evaluate_url: str

The API endpoint containing your business logic.

keys_url: str

The API endpoint containing the key that Access uses to verify that the response came from your API.

class GitHubOrganizationRule:

Matches a GitHub organization. Requires a GitHub identity provider.

github_organization: GitHubOrganization
identity_provider_id: str

The ID of your GitHub identity provider.

name: str

The name of the organization.

team: Optional[str]

The name of the team

class GSuiteGroupRule:

Matches a group in Google Workspace. Requires a Google Workspace identity provider.

gsuite: GSuite
email: str

The email of the Google Workspace group.

identity_provider_id: str

The ID of your Google Workspace identity provider.

class AccessLoginMethodRule:

Matches a specific identity provider id.

login_method: AccessLoginMethodRuleLoginMethod
id: str

The ID of an identity provider.

class IPListRule:

Matches an IP address from a list.

ip_list: IPList
id: str

The ID of a previously created IP list.

class IPRule:

Matches an IP address block.

ip: IP
ip: str

An IPv4 or IPv6 CIDR block.

class OktaGroupRule:

Matches an Okta group. Requires an Okta identity provider.

okta: Okta
identity_provider_id: str

The ID of your Okta identity provider.

name: str

The name of the Okta group.

class SAMLGroupRule:

Matches a SAML group. Requires a SAML identity provider.

saml: SAML
attribute_name: str

The name of the SAML attribute.

attribute_value: str

The SAML attribute value to look for.

identity_provider_id: str

The ID of your SAML identity provider.

class AccessOIDCClaimRule:

Matches an OIDC claim. Requires an OIDC identity provider.

oidc: AccessOIDCClaimRuleOIDC
claim_name: str

The name of the OIDC claim.

claim_value: str

The OIDC claim value to look for.

identity_provider_id: str

The ID of your OIDC identity provider.

class ServiceTokenRule:

Matches a specific Access Service Token

service_token: ServiceToken
token_id: str

The ID of a Service Token.

class AccessLinkedAppTokenRule:

Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.

linked_app_token: AccessLinkedAppTokenRuleLinkedAppToken
app_uid: str

The ID of an Access OIDC SaaS application

class AccessUserRiskScoreRule:

Matches a user’s risk score.

user_risk_score: AccessUserRiskScoreRuleUserRiskScore
user_risk_score: List[Literal["low", "medium", "high", "unscored"]]

A list of risk score levels to match. Values can be low, medium, high, or unscored.

One of the following:
"low"
"medium"
"high"
"unscored"
name: Optional[str]

The name of the Access group.

require: Optional[List[AccessRule]]

Rules evaluated with an AND logical operator. To match a policy, a user must meet all of the Require rules.

One of the following:
class GroupRule:

Matches an Access group.

group: Group
id: str

The ID of a previously created Access group.

class AnyValidServiceTokenRule:

Matches any valid Access Service Token

any_valid_service_token: AnyValidServiceToken

An empty object which matches on all service tokens.

class AccessAuthContextRule:

Matches an Azure Authentication Context. Requires an Azure identity provider.

auth_context: AccessAuthContextRuleAuthContext
id: str

The ID of an Authentication context.

ac_id: str

The ACID of an Authentication context.

identity_provider_id: str

The ID of your Azure identity provider.

class AuthenticationMethodRule:

Enforce different MFA options

auth_method: AuthMethod
auth_method: str
class AzureGroupRule:

Matches an Azure group. Requires an Azure identity provider.

azure_ad: AzureAD
id: str

The ID of an Azure group.

identity_provider_id: str

The ID of your Azure identity provider.

class CertificateRule:

Matches any valid client certificate.

certificate: Certificate
class AccessCommonNameRule:

Matches a specific common name.

common_name: AccessCommonNameRuleCommonName
common_name: str

The common name to match.

class CountryRule:

Matches a specific country

geo: Geo
country_code: str

The country code that should be matched.

class AccessDevicePostureRule:

Enforces a device posture rule has run successfully

device_posture: DevicePosture
integration_uid: str

The ID of a device posture integration.

class DomainRule:

Match an entire email domain.

email_domain: EmailDomain
domain: str

The email domain to match.

class EmailListRule:

Matches an email address from a list.

email_list: EmailList
id: str

The ID of a previously created email list.

class EmailRule:

Matches a specific email.

email: Email
email: str

The email of the user.

format: email
class EveryoneRule:

Matches everyone.

everyone: Everyone

An empty object which matches on all users.

class ExternalEvaluationRule:

Create Allow or Block policies which evaluate the user based on custom criteria.

external_evaluation: ExternalEvaluation
evaluate_url: str

The API endpoint containing your business logic.

keys_url: str

The API endpoint containing the key that Access uses to verify that the response came from your API.

class GitHubOrganizationRule:

Matches a GitHub organization. Requires a GitHub identity provider.

github_organization: GitHubOrganization
identity_provider_id: str

The ID of your GitHub identity provider.

name: str

The name of the organization.

team: Optional[str]

The name of the team

class GSuiteGroupRule:

Matches a group in Google Workspace. Requires a Google Workspace identity provider.

gsuite: GSuite
email: str

The email of the Google Workspace group.

identity_provider_id: str

The ID of your Google Workspace identity provider.

class AccessLoginMethodRule:

Matches a specific identity provider id.

login_method: AccessLoginMethodRuleLoginMethod
id: str

The ID of an identity provider.

class IPListRule:

Matches an IP address from a list.

ip_list: IPList
id: str

The ID of a previously created IP list.

class IPRule:

Matches an IP address block.

ip: IP
ip: str

An IPv4 or IPv6 CIDR block.

class OktaGroupRule:

Matches an Okta group. Requires an Okta identity provider.

okta: Okta
identity_provider_id: str

The ID of your Okta identity provider.

name: str

The name of the Okta group.

class SAMLGroupRule:

Matches a SAML group. Requires a SAML identity provider.

saml: SAML
attribute_name: str

The name of the SAML attribute.

attribute_value: str

The SAML attribute value to look for.

identity_provider_id: str

The ID of your SAML identity provider.

class AccessOIDCClaimRule:

Matches an OIDC claim. Requires an OIDC identity provider.

oidc: AccessOIDCClaimRuleOIDC
claim_name: str

The name of the OIDC claim.

claim_value: str

The OIDC claim value to look for.

identity_provider_id: str

The ID of your OIDC identity provider.

class ServiceTokenRule:

Matches a specific Access Service Token

service_token: ServiceToken
token_id: str

The ID of a Service Token.

class AccessLinkedAppTokenRule:

Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.

linked_app_token: AccessLinkedAppTokenRuleLinkedAppToken
app_uid: str

The ID of an Access OIDC SaaS application

class AccessUserRiskScoreRule:

Matches a user’s risk score.

user_risk_score: AccessUserRiskScoreRuleUserRiskScore
user_risk_score: List[Literal["low", "medium", "high", "unscored"]]

A list of risk score levels to match. Values can be low, medium, high, or unscored.

One of the following:
"low"
"medium"
"high"
"unscored"
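
The include, require and exclude semantics described above, as a local sketch added here (not part of the Cloudflare SDK and not Cloudflare's evaluator): it models OR / AND / NOT over plain dicts shaped like the rule objects on this page and flags group definitions that are broader than they look. The identity dict keys, the subset of rule kinds handled, the choice to treat an empty include list as matching nobody, and both sample groups are assumptions or constructed data.

```python
import ipaddress

# Rule kinds the page documents as empty objects that match a whole class.
UNBOUNDED_KINDS = {"everyone", "any_valid_service_token"}


def match_rule(rule, ident):
    """Evaluate one single-key rule object against an identity dict.

    ident uses hypothetical keys: "email", "ip", "country".
    Unsupported rule kinds raise instead of silently passing or failing.
    """
    if len(rule) != 1:
        raise ValueError(f"rule must have exactly one key: {rule!r}")
    (kind, body), = rule.items()
    if kind == "everyone":
        return True
    if kind == "email":
        return ident.get("email", "").lower() == body["email"].lower()
    if kind == "email_domain":
        _, sep, domain = ident.get("email", "").rpartition("@")
        # Without the "@" check a bare string "example.com" would match.
        return bool(sep) and domain.lower() == body["domain"].lower()
    if kind == "ip":
        if ident.get("ip") is None:
            return False
        net = ipaddress.ip_network(body["ip"], strict=False)
        return ipaddress.ip_address(ident["ip"]) in net
    if kind == "geo":
        return ident.get("country") == body["country_code"]
    raise ValueError(f"unsupported rule kind in this sketch: {kind}")


def group_matches(group, ident):
    """Exclude is NOT (checked first), include is OR, require is AND."""
    include = group.get("include") or []
    require = group.get("require") or []
    exclude = group.get("exclude") or []
    if any(match_rule(r, ident) for r in exclude):
        return False
    return (any(match_rule(r, ident) for r in include)
            and all(match_rule(r, ident) for r in require))


def audit_group(group):
    """Return findings for include rules that are unbounded or self-cancelling."""
    include = group.get("include") or []
    require = group.get("require") or []
    exclude = group.get("exclude") or []
    findings = []
    for rule in include:
        (kind, body), = rule.items()
        unbounded = kind in UNBOUNDED_KINDS or (
            kind == "ip"
            and ipaddress.ip_network(body["ip"], strict=False).prefixlen == 0)
        if unbounded and not require:
            findings.append(
                f"include '{kind}' is unbounded and no require rule narrows it")
        if rule in exclude:
            findings.append(
                f"include '{kind}' is also excluded, so it can never grant a match")
    return findings


# Constructed sample groups (not real configuration).
TIGHT = {
    "include": [{"email_domain": {"domain": "example.com"}}],
    "require": [{"geo": {"country_code": "DE"}}],
    "exclude": [{"email": {"email": "former.employee@example.com"}}],
}
LOOSE = {
    "include": [{"everyone": {}}, {"ip": {"ip": "::/0"}},
                {"email": {"email": "a@example.com"}}],
    "exclude": [{"email": {"email": "a@example.com"}}],
}

if __name__ == "__main__":
    print(group_matches(TIGHT, {"email": "alice@example.com", "country": "DE"}))
    for finding in audit_group(LOOSE):
        print("finding:", finding)
```
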
class GroupGetResponse:
id: Optional[str]

UUID.

maxLength: 36
exclude: Optional[List[AccessRule]]

Rules evaluated with a NOT logical operator. To match a policy, a user cannot meet any of the Exclude rules.

One of the following:
class GroupRule:

Matches an Access group.

group: Group
id: str

The ID of a previously created Access group.

class AnyValidServiceTokenRule:

Matches any valid Access Service Token

any_valid_service_token: AnyValidServiceToken

An empty object which matches on all service tokens.

class AccessAuthContextRule:

Matches an Azure Authentication Context. Requires an Azure identity provider.

auth_context: AccessAuthContextRuleAuthContext
id: str

The ID of an Authentication context.

ac_id: str

The ACID of an Authentication context.

identity_provider_id: str

The ID of your Azure identity provider.

class AuthenticationMethodRule:

Enforce different MFA options

auth_method: AuthMethod
auth_method: str
class AzureGroupRule:

Matches an Azure group. Requires an Azure identity provider.

azure_ad: AzureAD
id: str

The ID of an Azure group.

identity_provider_id: str

The ID of your Azure identity provider.

class CertificateRule:

Matches any valid client certificate.

certificate: Certificate
class AccessCommonNameRule:

Matches a specific common name.

common_name: AccessCommonNameRuleCommonName
common_name: str

The common name to match.

class CountryRule:

Matches a specific country

geo: Geo
country_code: str

The country code that should be matched.

class AccessDevicePostureRule:

Enforces a device posture rule has run successfully

device_posture: DevicePosture
integration_uid: str

The ID of a device posture integration.

class DomainRule:

Match an entire email domain.

email_domain: EmailDomain
domain: str

The email domain to match.

class EmailListRule:

Matches an email address from a list.

email_list: EmailList
id: str

The ID of a previously created email list.

class EmailRule:

Matches a specific email.

email: Email
email: str

The email of the user.

format: email
class EveryoneRule:

Matches everyone.

everyone: Everyone

An empty object which matches on all users.

class ExternalEvaluationRule:

Create Allow or Block policies which evaluate the user based on custom criteria.

external_evaluation: ExternalEvaluation
evaluate_url: str

The API endpoint containing your business logic.

keys_url: str

The API endpoint containing the key that Access uses to verify that the response came from your API.

class GitHubOrganizationRule:

Matches a GitHub organization. Requires a GitHub identity provider.

github_organization: GitHubOrganization
identity_provider_id: str

The ID of your GitHub identity provider.

name: str

The name of the organization.

team: Optional[str]

The name of the team

class GSuiteGroupRule:

Matches a group in Google Workspace. Requires a Google Workspace identity provider.

gsuite: GSuite
email: str

The email of the Google Workspace group.

identity_provider_id: str

The ID of your Google Workspace identity provider.

class AccessLoginMethodRule:

Matches a specific identity provider id.

login_method: AccessLoginMethodRuleLoginMethod
id: str

The ID of an identity provider.

class IPListRule:

Matches an IP address from a list.

ip_list: IPList
id: str

The ID of a previously created IP list.

class IPRule:

Matches an IP address block.

ip: IP
ip: str

An IPv4 or IPv6 CIDR block.

class OktaGroupRule:

Matches an Okta group. Requires an Okta identity provider.

okta: Okta
identity_provider_id: str

The ID of your Okta identity provider.

name: str

The name of the Okta group.

class SAMLGroupRule:

Matches a SAML group. Requires a SAML identity provider.

saml: SAML
attribute_name: str

The name of the SAML attribute.

attribute_value: str

The SAML attribute value to look for.

identity_provider_id: str

The ID of your SAML identity provider.

class AccessOIDCClaimRule:

Matches an OIDC claim. Requires an OIDC identity provider.

oidc: AccessOIDCClaimRuleOIDC
claim_name: str

The name of the OIDC claim.

claim_value: str

The OIDC claim value to look for.

identity_provider_id: str

The ID of your OIDC identity provider.

class ServiceTokenRule:

Matches a specific Access Service Token

service_token: ServiceToken
token_id: str

The ID of a Service Token.

class AccessLinkedAppTokenRule:

Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.

linked_app_token: AccessLinkedAppTokenRuleLinkedAppToken
app_uid: str

The ID of an Access OIDC SaaS application

class AccessUserRiskScoreRule:

Matches a user’s risk score.

user_risk_score: AccessUserRiskScoreRuleUserRiskScore
user_risk_score: List[Literal["low", "medium", "high", "unscored"]]

A list of risk score levels to match. Values can be low, medium, high, or unscored.

One of the following:
"low"
"medium"
"high"
"unscored"
include: Optional[List[AccessRule]]

Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.

One of the following:
class GroupRule:

Matches an Access group.

group: Group
id: str

The ID of a previously created Access group.

class AnyValidServiceTokenRule:

Matches any valid Access Service Token

any_valid_service_token: AnyValidServiceToken

An empty object which matches on all service tokens.

class AccessAuthContextRule:

Matches an Azure Authentication Context. Requires an Azure identity provider.

auth_context: AccessAuthContextRuleAuthContext
id: str

The ID of an Authentication context.

ac_id: str

The ACID of an Authentication context.

identity_provider_id: str

The ID of your Azure identity provider.

class AuthenticationMethodRule:

Enforce different MFA options

auth_method: AuthMethod
auth_method: str
class AzureGroupRule:

Matches an Azure group. Requires an Azure identity provider.

azure_ad: AzureAD
id: str

The ID of an Azure group.

identity_provider_id: str

The ID of your Azure identity provider.

class CertificateRule:

Matches any valid client certificate.

certificate: Certificate
class AccessCommonNameRule:

Matches a specific common name.

common_name: AccessCommonNameRuleCommonName
common_name: str

The common name to match.

class CountryRule:

Matches a specific country

geo: Geo
country_code: str

The country code that should be matched.

class AccessDevicePostureRule:

Enforces a device posture rule has run successfully

device_posture: DevicePosture
integration_uid: str

The ID of a device posture integration.

class DomainRule:

Match an entire email domain.

email_domain: EmailDomain
domain: str

The email domain to match.

class EmailListRule:

Matches an email address from a list.

email_list: EmailList
id: str

The ID of a previously created email list.

class EmailRule:

Matches a specific email.

email: Email
email: str

The email of the user.

format: email
class EveryoneRule:

Matches everyone.

everyone: Everyone

An empty object which matches on all users.

class ExternalEvaluationRule:

Create Allow or Block policies which evaluate the user based on custom criteria.

external_evaluation: ExternalEvaluation
evaluate_url: str

The API endpoint containing your business logic.

keys_url: str

The API endpoint containing the key that Access uses to verify that the response came from your API.

class GitHubOrganizationRule:

Matches a GitHub organization. Requires a GitHub identity provider.

github_organization: GitHubOrganization
identity_provider_id: str

The ID of your GitHub identity provider.

name: str

The name of the organization.

team: Optional[str]

The name of the team

class GSuiteGroupRule:

Matches a group in Google Workspace. Requires a Google Workspace identity provider.

gsuite: GSuite
email: str

The email of the Google Workspace group.

identity_provider_id: str

The ID of your Google Workspace identity provider.

class AccessLoginMethodRule:

Matches a specific identity provider id.

login_method: AccessLoginMethodRuleLoginMethod
id: str

The ID of an identity provider.

class IPListRule:

Matches an IP address from a list.

ip_list: IPList
id: str

The ID of a previously created IP list.

class IPRule:

Matches an IP address block.

ip: IP
ip: str

An IPv4 or IPv6 CIDR block.

class OktaGroupRule:

Matches an Okta group. Requires an Okta identity provider.

okta: Okta
identity_provider_id: str

The ID of your Okta identity provider.

name: str

The name of the Okta group.

class SAMLGroupRule:

Matches a SAML group. Requires a SAML identity provider.

saml: SAML
attribute_name: str

The name of the SAML attribute.

attribute_value: str

The SAML attribute value to look for.

identity_provider_id: str

The ID of your SAML identity provider.

class AccessOIDCClaimRule:

Matches an OIDC claim. Requires an OIDC identity provider.

oidc: AccessOIDCClaimRuleOIDC
claim_name: str

The name of the OIDC claim.

claim_value: str

The OIDC claim value to look for.

identity_provider_id: str

The ID of your OIDC identity provider.

class ServiceTokenRule:

Matches a specific Access Service Token

service_token: ServiceToken
token_id: str

The ID of a Service Token.

class AccessLinkedAppTokenRule:

Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.

linked_app_token: AccessLinkedAppTokenRuleLinkedAppToken
app_uid: str

The ID of an Access OIDC SaaS application

class AccessUserRiskScoreRule:

Matches a user’s risk score.

user_risk_score: AccessUserRiskScoreRuleUserRiskScore
user_risk_score: List[Literal["low", "medium", "high", "unscored"]]

A list of risk score levels to match. Values can be low, medium, high, or unscored.

One of the following:
"low"
"medium"
"high"
"unscored"
is_default: Optional[List[AccessRule]]

Rules evaluated with an AND logical operator. To match a policy, a user must meet all of the Require rules.

One of the following:
class GroupRule:

Matches an Access group.

group: Group
id: str

The ID of a previously created Access group.

class AnyValidServiceTokenRule:

Matches any valid Access Service Token

any_valid_service_token: AnyValidServiceToken

An empty object which matches on all service tokens.

class AccessAuthContextRule:

Matches an Azure Authentication Context. Requires an Azure identity provider.

auth_context: AccessAuthContextRuleAuthContext
id: str

The ID of an Authentication context.

ac_id: str

The ACID of an Authentication context.

identity_provider_id: str

The ID of your Azure identity provider.

class AuthenticationMethodRule:

Enforce different MFA options

auth_method: AuthMethod
auth_method: str
class AzureGroupRule:

Matches an Azure group. Requires an Azure identity provider.

azure_ad: AzureAD
id: str

The ID of an Azure group.

identity_provider_id: str

The ID of your Azure identity provider.

class CertificateRule:

Matches any valid client certificate.

certificate: Certificate
class AccessCommonNameRule:

Matches a specific common name.

common_name: AccessCommonNameRuleCommonName
common_name: str

The common name to match.

class CountryRule:

Matches a specific country

geo: Geo
country_code: str

The country code that should be matched.

class AccessDevicePostureRule:

Enforces that a device posture rule has run successfully.

device_posture: DevicePosture
integration_uid: str

The ID of a device posture integration.

class DomainRule:

Match an entire email domain.

email_domain: EmailDomain
domain: str

The email domain to match.

class EmailListRule:

Matches an email address from a list.

email_list: EmailList
id: str

The ID of a previously created email list.

class EmailRule:

Matches a specific email.

email: Email
email: str

The email of the user.

format: email
class EveryoneRule:

Matches everyone.

everyone: Everyone

An empty object which matches on all users.

class ExternalEvaluationRule:

Create Allow or Block policies which evaluate the user based on custom criteria.

external_evaluation: ExternalEvaluation
evaluate_url: str

The API endpoint containing your business logic.

keys_url: str

The API endpoint containing the key that Access uses to verify that the response came from your API.

class GitHubOrganizationRule:

Matches a GitHub organization. Requires a GitHub identity provider.

github_organization: GitHubOrganization
identity_provider_id: str

The ID of your GitHub identity provider.

name: str

The name of the organization.

team: Optional[str]

The name of the team

class GSuiteGroupRule:

Matches a group in Google Workspace. Requires a Google Workspace identity provider.

gsuite: GSuite
email: str

The email of the Google Workspace group.

identity_provider_id: str

The ID of your Google Workspace identity provider.

class AccessLoginMethodRule:

Matches a specific identity provider id.

login_method: AccessLoginMethodRuleLoginMethod
id: str

The ID of an identity provider.

class IPListRule:

Matches an IP address from a list.

ip_list: IPList
id: str

The ID of a previously created IP list.

class IPRule:

Matches an IP address block.

ip: IP
ip: str

An IPv4 or IPv6 CIDR block.

class OktaGroupRule:

Matches an Okta group. Requires an Okta identity provider.

okta: Okta
identity_provider_id: str

The ID of your Okta identity provider.

name: str

The name of the Okta group.

class SAMLGroupRule:

Matches a SAML group. Requires a SAML identity provider.

saml: SAML
attribute_name: str

The name of the SAML attribute.

attribute_value: str

The SAML attribute value to look for.

identity_provider_id: str

The ID of your SAML identity provider.

class AccessOIDCClaimRule:

Matches an OIDC claim. Requires an OIDC identity provider.

oidc: AccessOIDCClaimRuleOIDC
claim_name: str

The name of the OIDC claim.

claim_value: str

The OIDC claim value to look for.

identity_provider_id: str

The ID of your OIDC identity provider.

class ServiceTokenRule:

Matches a specific Access Service Token

service_token: ServiceToken
token_id: str

The ID of a Service Token.

class AccessLinkedAppTokenRule:

Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.

linked_app_token: AccessLinkedAppTokenRuleLinkedAppToken
app_uid: str

The ID of an Access OIDC SaaS application

class AccessUserRiskScoreRule:

Matches a user’s risk score.

user_risk_score: AccessUserRiskScoreRuleUserRiskScore
user_risk_score: List[Literal["low", "medium", "high", "unscored"]]

A list of risk score levels to match. Values can be low, medium, high, or unscored.

One of the following:
"low"
"medium"
"high"
"unscored"
name: Optional[str]

The name of the Access group.

require: Optional[List[AccessRule]]

Rules evaluated with an AND logical operator. To match a policy, a user must meet all of the Require rules.

One of the following:
class GroupRule:

Matches an Access group.

group: Group
id: str

The ID of a previously created Access group.

class AnyValidServiceTokenRule:

Matches any valid Access Service Token

any_valid_service_token: AnyValidServiceToken

An empty object which matches on all service tokens.

class AccessAuthContextRule:

Matches an Azure Authentication Context. Requires an Azure identity provider.

auth_context: AccessAuthContextRuleAuthContext
id: str

The ID of an Authentication context.

ac_id: str

The ACID of an Authentication context.

identity_provider_id: str

The ID of your Azure identity provider.

class AuthenticationMethodRule:

Enforce different MFA options

auth_method: AuthMethod
auth_method: str
class AzureGroupRule:

Matches an Azure group. Requires an Azure identity provider.

azure_ad: AzureAD
id: str

The ID of an Azure group.

identity_provider_id: str

The ID of your Azure identity provider.

class CertificateRule:

Matches any valid client certificate.

certificate: Certificate
class AccessCommonNameRule:

Matches a specific common name.

common_name: AccessCommonNameRuleCommonName
common_name: str

The common name to match.

class CountryRule:

Matches a specific country

geo: Geo
country_code: str

The country code that should be matched.

class AccessDevicePostureRule:

Enforces that a device posture rule has run successfully.

device_posture: DevicePosture
integration_uid: str

The ID of a device posture integration.

class DomainRule:

Match an entire email domain.

email_domain: EmailDomain
domain: str

The email domain to match.

class EmailListRule:

Matches an email address from a list.

email_list: EmailList
id: str

The ID of a previously created email list.

class EmailRule:

Matches a specific email.

email: Email
email: str

The email of the user.

format: email
class EveryoneRule:

Matches everyone.

everyone: Everyone

An empty object which matches on all users.

class ExternalEvaluationRule:

Create Allow or Block policies which evaluate the user based on custom criteria.

external_evaluation: ExternalEvaluation
evaluate_url: str

The API endpoint containing your business logic.

keys_url: str

The API endpoint containing the key that Access uses to verify that the response came from your API.

class GitHubOrganizationRule:

Matches a GitHub organization. Requires a GitHub identity provider.

github_organization: GitHubOrganization
identity_provider_id: str

The ID of your GitHub identity provider.

name: str

The name of the organization.

team: Optional[str]

The name of the team

class GSuiteGroupRule:

Matches a group in Google Workspace. Requires a Google Workspace identity provider.

gsuite: GSuite
email: str

The email of the Google Workspace group.

identity_provider_id: str

The ID of your Google Workspace identity provider.

class AccessLoginMethodRule:

Matches a specific identity provider id.

login_method: AccessLoginMethodRuleLoginMethod
id: str

The ID of an identity provider.

class IPListRule:

Matches an IP address from a list.

ip_list: IPList
id: str

The ID of a previously created IP list.

class IPRule:

Matches an IP address block.

ip: IP
ip: str

An IPv4 or IPv6 CIDR block.

class OktaGroupRule:

Matches an Okta group. Requires an Okta identity provider.

okta: Okta
identity_provider_id: str

The ID of your Okta identity provider.

name: str

The name of the Okta group.

class SAMLGroupRule:

Matches a SAML group. Requires a SAML identity provider.

saml: SAML
attribute_name: str

The name of the SAML attribute.

attribute_value: str

The SAML attribute value to look for.

identity_provider_id: str

The ID of your SAML identity provider.

class AccessOIDCClaimRule:

Matches an OIDC claim. Requires an OIDC identity provider.

oidc: AccessOIDCClaimRuleOIDC
claim_name: str

The name of the OIDC claim.

claim_value: str

The OIDC claim value to look for.

identity_provider_id: str

The ID of your OIDC identity provider.

class ServiceTokenRule:

Matches a specific Access Service Token

service_token: ServiceToken
token_id: str

The ID of a Service Token.

class AccessLinkedAppTokenRule:

Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.

linked_app_token: AccessLinkedAppTokenRuleLinkedAppToken
app_uid: str

The ID of an Access OIDC SaaS application

class AccessUserRiskScoreRule:

Matches a user’s risk score.

user_risk_score: AccessUserRiskScoreRuleUserRiskScore
user_risk_score: List[Literal["low", "medium", "high", "unscored"]]

A list of risk score levels to match. Values can be low, medium, high, or unscored.

One of the following:
"low"
"medium"
"high"
"unscored"
class GroupCreateResponse:
id: Optional[str]

UUID.

maxLength: 36
exclude: Optional[List[AccessRule]]

Rules evaluated with a NOT logical operator. To match a policy, a user cannot meet any of the Exclude rules.

One of the following:
class GroupRule:

Matches an Access group.

group: Group
id: str

The ID of a previously created Access group.

class AnyValidServiceTokenRule:

Matches any valid Access Service Token

any_valid_service_token: AnyValidServiceToken

An empty object which matches on all service tokens.

class AccessAuthContextRule:

Matches an Azure Authentication Context. Requires an Azure identity provider.

auth_context: AccessAuthContextRuleAuthContext
id: str

The ID of an Authentication context.

ac_id: str

The ACID of an Authentication context.

identity_provider_id: str

The ID of your Azure identity provider.

class AuthenticationMethodRule:

Enforce different MFA options

auth_method: AuthMethod
auth_method: str
class AzureGroupRule:

Matches an Azure group. Requires an Azure identity provider.

azure_ad: AzureAD
id: str

The ID of an Azure group.

identity_provider_id: str

The ID of your Azure identity provider.

class CertificateRule:

Matches any valid client certificate.

certificate: Certificate
class AccessCommonNameRule:

Matches a specific common name.

common_name: AccessCommonNameRuleCommonName
common_name: str

The common name to match.

class CountryRule:

Matches a specific country

geo: Geo
country_code: str

The country code that should be matched.

class AccessDevicePostureRule:

Enforces that a device posture rule has run successfully.

device_posture: DevicePosture
integration_uid: str

The ID of a device posture integration.

class DomainRule:

Match an entire email domain.

email_domain: EmailDomain
domain: str

The email domain to match.

class EmailListRule:

Matches an email address from a list.

email_list: EmailList
id: str

The ID of a previously created email list.

class EmailRule:

Matches a specific email.

email: Email
email: str

The email of the user.

format: email
class EveryoneRule:

Matches everyone.

everyone: Everyone

An empty object which matches on all users.

class ExternalEvaluationRule:

Create Allow or Block policies which evaluate the user based on custom criteria.

external_evaluation: ExternalEvaluation
evaluate_url: str

The API endpoint containing your business logic.

keys_url: str

The API endpoint containing the key that Access uses to verify that the response came from your API.

class GitHubOrganizationRule:

Matches a GitHub organization. Requires a GitHub identity provider.

github_organization: GitHubOrganization
identity_provider_id: str

The ID of your GitHub identity provider.

name: str

The name of the organization.

team: Optional[str]

The name of the team

class GSuiteGroupRule:

Matches a group in Google Workspace. Requires a Google Workspace identity provider.

gsuite: GSuite
email: str

The email of the Google Workspace group.

identity_provider_id: str

The ID of your Google Workspace identity provider.

class AccessLoginMethodRule:

Matches a specific identity provider id.

login_method: AccessLoginMethodRuleLoginMethod
id: str

The ID of an identity provider.

class IPListRule:

Matches an IP address from a list.

ip_list: IPList
id: str

The ID of a previously created IP list.

class IPRule:

Matches an IP address block.

ip: IP
ip: str

An IPv4 or IPv6 CIDR block.

class OktaGroupRule:

Matches an Okta group. Requires an Okta identity provider.

okta: Okta
identity_provider_id: str

The ID of your Okta identity provider.

name: str

The name of the Okta group.

class SAMLGroupRule:

Matches a SAML group. Requires a SAML identity provider.

saml: SAML
attribute_name: str

The name of the SAML attribute.

attribute_value: str

The SAML attribute value to look for.

identity_provider_id: str

The ID of your SAML identity provider.

class AccessOIDCClaimRule:

Matches an OIDC claim. Requires an OIDC identity provider.

oidc: AccessOIDCClaimRuleOIDC
claim_name: str

The name of the OIDC claim.

claim_value: str

The OIDC claim value to look for.

identity_provider_id: str

The ID of your OIDC identity provider.

class ServiceTokenRule:

Matches a specific Access Service Token

service_token: ServiceToken
token_id: str

The ID of a Service Token.

class AccessLinkedAppTokenRule:

Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.

linked_app_token: AccessLinkedAppTokenRuleLinkedAppToken
app_uid: str

The ID of an Access OIDC SaaS application

class AccessUserRiskScoreRule:

Matches a user’s risk score.

user_risk_score: AccessUserRiskScoreRuleUserRiskScore
user_risk_score: List[Literal["low", "medium", "high", "unscored"]]

A list of risk score levels to match. Values can be low, medium, high, or unscored.

One of the following:
"low"
"medium"
"high"
"unscored"
include: Optional[List[AccessRule]]

Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.

One of the following:
class GroupRule:

Matches an Access group.

group: Group
id: str

The ID of a previously created Access group.

class AnyValidServiceTokenRule:

Matches any valid Access Service Token

any_valid_service_token: AnyValidServiceToken

An empty object which matches on all service tokens.

class AccessAuthContextRule:

Matches an Azure Authentication Context. Requires an Azure identity provider.

auth_context: AccessAuthContextRuleAuthContext
id: str

The ID of an Authentication context.

ac_id: str

The ACID of an Authentication context.

identity_provider_id: str

The ID of your Azure identity provider.

class AuthenticationMethodRule:

Enforce different MFA options

auth_method: AuthMethod
auth_method: str
class AzureGroupRule:

Matches an Azure group. Requires an Azure identity provider.

azure_ad: AzureAD
id: str

The ID of an Azure group.

identity_provider_id: str

The ID of your Azure identity provider.

class CertificateRule:

Matches any valid client certificate.

certificate: Certificate
class AccessCommonNameRule:

Matches a specific common name.

common_name: AccessCommonNameRuleCommonName
common_name: str

The common name to match.

class CountryRule:

Matches a specific country

geo: Geo
country_code: str

The country code that should be matched.

class AccessDevicePostureRule:

Enforces that a device posture rule has run successfully.

device_posture: DevicePosture
integration_uid: str

The ID of a device posture integration.

class DomainRule:

Match an entire email domain.

email_domain: EmailDomain
domain: str

The email domain to match.

class EmailListRule:

Matches an email address from a list.

email_list: EmailList
id: str

The ID of a previously created email list.

class EmailRule:

Matches a specific email.

email: Email
email: str

The email of the user.

format: email
class EveryoneRule:

Matches everyone.

everyone: Everyone

An empty object which matches on all users.

class ExternalEvaluationRule:

Create Allow or Block policies which evaluate the user based on custom criteria.

external_evaluation: ExternalEvaluation
evaluate_url: str

The API endpoint containing your business logic.

keys_url: str

The API endpoint containing the key that Access uses to verify that the response came from your API.

class GitHubOrganizationRule:

Matches a GitHub organization. Requires a GitHub identity provider.

github_organization: GitHubOrganization
identity_provider_id: str

The ID of your GitHub identity provider.

name: str

The name of the organization.

team: Optional[str]

The name of the team

class GSuiteGroupRule:

Matches a group in Google Workspace. Requires a Google Workspace identity provider.

gsuite: GSuite
email: str

The email of the Google Workspace group.

identity_provider_id: str

The ID of your Google Workspace identity provider.

class AccessLoginMethodRule:

Matches a specific identity provider id.

login_method: AccessLoginMethodRuleLoginMethod
id: str

The ID of an identity provider.

class IPListRule:

Matches an IP address from a list.

ip_list: IPList
id: str

The ID of a previously created IP list.

class IPRule:

Matches an IP address block.

ip: IP
ip: str

An IPv4 or IPv6 CIDR block.

class OktaGroupRule:

Matches an Okta group. Requires an Okta identity provider.

okta: Okta
identity_provider_id: str

The ID of your Okta identity provider.

name: str

The name of the Okta group.

class SAMLGroupRule:

Matches a SAML group. Requires a SAML identity provider.

saml: SAML
attribute_name: str

The name of the SAML attribute.

attribute_value: str

The SAML attribute value to look for.

identity_provider_id: str

The ID of your SAML identity provider.

class AccessOIDCClaimRule:

Matches an OIDC claim. Requires an OIDC identity provider.

oidc: AccessOIDCClaimRuleOIDC
claim_name: str

The name of the OIDC claim.

claim_value: str

The OIDC claim value to look for.

identity_provider_id: str

The ID of your OIDC identity provider.

class ServiceTokenRule:

Matches a specific Access Service Token

service_token: ServiceToken
token_id: str

The ID of a Service Token.

class AccessLinkedAppTokenRule:

Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.

linked_app_token: AccessLinkedAppTokenRuleLinkedAppToken
app_uid: str

The ID of an Access OIDC SaaS application

class AccessUserRiskScoreRule:

Matches a user’s risk score.

user_risk_score: AccessUserRiskScoreRuleUserRiskScore
user_risk_score: List[Literal["low", "medium", "high", "unscored"]]

A list of risk score levels to match. Values can be low, medium, high, or unscored.

One of the following:
"low"
"medium"
"high"
"unscored"
is_default: Optional[List[AccessRule]]

Rules evaluated with an AND logical operator. To match a policy, a user must meet all of the Require rules.

One of the following:
class GroupRule:

Matches an Access group.

group: Group
id: str

The ID of a previously created Access group.

class AnyValidServiceTokenRule:

Matches any valid Access Service Token

any_valid_service_token: AnyValidServiceToken

An empty object which matches on all service tokens.

class AccessAuthContextRule:

Matches an Azure Authentication Context. Requires an Azure identity provider.

auth_context: AccessAuthContextRuleAuthContext
id: str

The ID of an Authentication context.

ac_id: str

The ACID of an Authentication context.

identity_provider_id: str

The ID of your Azure identity provider.

class AuthenticationMethodRule:

Enforce different MFA options

auth_method: AuthMethod
auth_method: str
class AzureGroupRule:

Matches an Azure group. Requires an Azure identity provider.

azure_ad: AzureAD
id: str

The ID of an Azure group.

identity_provider_id: str

The ID of your Azure identity provider.

class CertificateRule:

Matches any valid client certificate.

certificate: Certificate
class AccessCommonNameRule:

Matches a specific common name.

common_name: AccessCommonNameRuleCommonName
common_name: str

The common name to match.

class CountryRule:

Matches a specific country

geo: Geo
country_code: str

The country code that should be matched.

class AccessDevicePostureRule:

Enforces that a device posture rule has run successfully.

device_posture: DevicePosture
integration_uid: str

The ID of a device posture integration.

class DomainRule:

Match an entire email domain.

email_domain: EmailDomain
domain: str

The email domain to match.

class EmailListRule:

Matches an email address from a list.

email_list: EmailList
id: str

The ID of a previously created email list.

class EmailRule:

Matches a specific email.

email: Email
email: str

The email of the user.

format: email
class EveryoneRule:

Matches everyone.

everyone: Everyone

An empty object which matches on all users.

class ExternalEvaluationRule:

Create Allow or Block policies which evaluate the user based on custom criteria.

external_evaluation: ExternalEvaluation
evaluate_url: str

The API endpoint containing your business logic.

keys_url: str

The API endpoint containing the key that Access uses to verify that the response came from your API.

class GitHubOrganizationRule:

Matches a GitHub organization. Requires a GitHub identity provider.

github_organization: GitHubOrganization
identity_provider_id: str

The ID of your GitHub identity provider.

name: str

The name of the organization.

team: Optional[str]

The name of the team

class GSuiteGroupRule:

Matches a group in Google Workspace. Requires a Google Workspace identity provider.

gsuite: GSuite
email: str

The email of the Google Workspace group.

identity_provider_id: str

The ID of your Google Workspace identity provider.

class AccessLoginMethodRule:

Matches a specific identity provider id.

login_method: AccessLoginMethodRuleLoginMethod
id: str

The ID of an identity provider.

class IPListRule:

Matches an IP address from a list.

ip_list: IPList
id: str

The ID of a previously created IP list.

class IPRule:

Matches an IP address block.

ip: IP
ip: str

An IPv4 or IPv6 CIDR block.

class OktaGroupRule:

Matches an Okta group. Requires an Okta identity provider.

okta: Okta
identity_provider_id: str

The ID of your Okta identity provider.

name: str

The name of the Okta group.

class SAMLGroupRule:

Matches a SAML group. Requires a SAML identity provider.

saml: SAML
attribute_name: str

The name of the SAML attribute.

attribute_value: str

The SAML attribute value to look for.

identity_provider_id: str

The ID of your SAML identity provider.

class AccessOIDCClaimRule:

Matches an OIDC claim. Requires an OIDC identity provider.

oidc: AccessOIDCClaimRuleOIDC
claim_name: str

The name of the OIDC claim.

claim_value: str

The OIDC claim value to look for.

identity_provider_id: str

The ID of your OIDC identity provider.

class ServiceTokenRule:

Matches a specific Access Service Token

service_token: ServiceToken
token_id: str

The ID of a Service Token.

class AccessLinkedAppTokenRule:

Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.

linked_app_token: AccessLinkedAppTokenRuleLinkedAppToken
app_uid: str

The ID of an Access OIDC SaaS application

class AccessUserRiskScoreRule:

Matches a user’s risk score.

user_risk_score: AccessUserRiskScoreRuleUserRiskScore
user_risk_score: List[Literal["low", "medium", "high", "unscored"]]

A list of risk score levels to match. Values can be low, medium, high, or unscored.

One of the following:
"low"
"medium"
"high"
"unscored"
name: Optional[str]

The name of the Access group.

require: Optional[List[AccessRule]]

Rules evaluated with an AND logical operator. To match a policy, a user must meet all of the Require rules.

One of the following:
class GroupRule:

Matches an Access group.

group: Group
id: str

The ID of a previously created Access group.

class AnyValidServiceTokenRule:

Matches any valid Access Service Token

any_valid_service_token: AnyValidServiceToken

An empty object which matches on all service tokens.

class AccessAuthContextRule:

Matches an Azure Authentication Context. Requires an Azure identity provider.

auth_context: AccessAuthContextRuleAuthContext
id: str

The ID of an Authentication context.

ac_id: str

The ACID of an Authentication context.

identity_provider_id: str

The ID of your Azure identity provider.

class AuthenticationMethodRule:

Enforce different MFA options

auth_method: AuthMethod
auth_method: str
class AzureGroupRule:

Matches an Azure group. Requires an Azure identity provider.

azure_ad: AzureAD
id: str

The ID of an Azure group.

identity_provider_id: str

The ID of your Azure identity provider.

class CertificateRule:

Matches any valid client certificate.

certificate: Certificate
class AccessCommonNameRule:

Matches a specific common name.

common_name: AccessCommonNameRuleCommonName
common_name: str

The common name to match.

class CountryRule:

Matches a specific country

geo: Geo
country_code: str

The country code that should be matched.

class AccessDevicePostureRule:

Enforces that a device posture rule has run successfully.

device_posture: DevicePosture
integration_uid: str

The ID of a device posture integration.

class DomainRule:

Match an entire email domain.

email_domain: EmailDomain
domain: str

The email domain to match.

class EmailListRule:

Matches an email address from a list.

email_list: EmailList
id: str

The ID of a previously created email list.

class EmailRule:

Matches a specific email.

email: Email
email: str

The email of the user.

format: email
class EveryoneRule:

Matches everyone.

everyone: Everyone

An empty object which matches on all users.

class ExternalEvaluationRule:

Create Allow or Block policies which evaluate the user based on custom criteria.

external_evaluation: ExternalEvaluation
evaluate_url: str

The API endpoint containing your business logic.

keys_url: str

The API endpoint containing the key that Access uses to verify that the response came from your API.

class GitHubOrganizationRule:

Matches a GitHub organization. Requires a GitHub identity provider.

github_organization: GitHubOrganization
identity_provider_id: str

The ID of your GitHub identity provider.

name: str

The name of the organization.

team: Optional[str]

The name of the team

class GSuiteGroupRule:

Matches a group in Google Workspace. Requires a Google Workspace identity provider.

gsuite: GSuite
email: str

The email of the Google Workspace group.

identity_provider_id: str

The ID of your Google Workspace identity provider.

class AccessLoginMethodRule:

Matches a specific identity provider id.

login_method: AccessLoginMethodRuleLoginMethod
id: str

The ID of an identity provider.

class IPListRule:

Matches an IP address from a list.

ip_list: IPList
id: str

The ID of a previously created IP list.

class IPRule:

Matches an IP address block.

ip: IP
ip: str

An IPv4 or IPv6 CIDR block.

class OktaGroupRule:

Matches an Okta group. Requires an Okta identity provider.

okta: Okta
identity_provider_id: str

The ID of your Okta identity provider.

name: str

The name of the Okta group.

class SAMLGroupRule:

Matches a SAML group. Requires a SAML identity provider.

saml: SAML
attribute_name: str

The name of the SAML attribute.

attribute_value: str

The SAML attribute value to look for.

identity_provider_id: str

The ID of your SAML identity provider.

class AccessOIDCClaimRule:

Matches an OIDC claim. Requires an OIDC identity provider.

oidc: AccessOIDCClaimRuleOIDC
claim_name: str

The name of the OIDC claim.

claim_value: str

The OIDC claim value to look for.

identity_provider_id: str

The ID of your OIDC identity provider.

class ServiceTokenRule:

Matches a specific Access Service Token

service_token: ServiceToken
token_id: str

The ID of a Service Token.

class AccessLinkedAppTokenRule:

Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.

linked_app_token: AccessLinkedAppTokenRuleLinkedAppToken
app_uid: str

The ID of an Access OIDC SaaS application

class AccessUserRiskScoreRule:

Matches a user’s risk score.

user_risk_score: AccessUserRiskScoreRuleUserRiskScore
user_risk_score: List[Literal["low", "medium", "high", "unscored"]]

A list of risk score levels to match. Values can be low, medium, high, or unscored.

One of the following:
"low"
"medium"
"high"
"unscored"
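The include (OR), exclude (NOT) and require (AND) semantics described for these group fields can be checked offline before a group is created or updated. The following is an added example, not Cloudflare SDK code: it evaluates rule dictionaries shaped like the models on this page for a few rule types, and flags broad include rules. The identity dictionary (`email`, `ip`, `country`), the sample group and the rule that an empty include list matches nobody are assumptions of this example.

```python
import ipaddress

# Rule keys (email, email_domain, ip, geo, everyone, any_valid_service_token)
# come from the model definitions on this page. The identity dict shape is a
# hypothetical stand-in for whatever identity data you test against.


class UnsupportedRule(ValueError):
    """Raised for rule types this local model does not implement."""


def _match_email(body, ident):
    return ident.get("email", "").lower() == body["email"].lower()


def _match_domain(body, ident):
    email = ident.get("email", "")
    return "@" in email and email.rsplit("@", 1)[1].lower() == body["domain"].lower()


def _match_ip(body, ident):
    if "ip" not in ident:
        return False
    net = ipaddress.ip_network(body["ip"], strict=False)
    addr = ipaddress.ip_address(ident["ip"])
    return addr.version == net.version and addr in net


def _match_geo(body, ident):
    return ident.get("country", "").upper() == body["country_code"].upper()


MATCHERS = {
    "email": _match_email,
    "email_domain": _match_domain,
    "ip": _match_ip,
    "geo": _match_geo,
    "everyone": lambda body, ident: True,
}


def rule_matches(rule, ident):
    """Evaluate one rule object, e.g. {"ip": {"ip": "192.0.2.0/24"}}."""
    if len(rule) != 1:
        raise ValueError("a rule must have exactly one top-level key")
    (kind, body), = rule.items()
    if kind not in MATCHERS:
        # Fail closed: never guess the result of a rule we cannot evaluate.
        raise UnsupportedRule(kind)
    return MATCHERS[kind](body, ident)


def group_matches(group, ident):
    """include = OR, exclude = NOT, require = AND, as described on this page."""
    # Lists (not generators) so every rule is evaluated and an unsupported
    # rule always raises instead of being skipped by short-circuiting.
    include = [rule_matches(r, ident) for r in group.get("include") or []]
    exclude = [rule_matches(r, ident) for r in group.get("exclude") or []]
    require = [rule_matches(r, ident) for r in group.get("require") or []]
    # Assumption of this example: an empty include list matches nobody.
    return any(include) and not any(exclude) and all(require)


BROAD_KINDS = {"everyone", "any_valid_service_token"}


def broad_include_findings(group):
    """Heuristic audit: broad include rules with no require rule to narrow them."""
    if group.get("require"):
        return []
    kinds = {next(iter(r)) for r in group.get("include") or []}
    return sorted(kinds & BROAD_KINDS)


# Constructed sample group; values use documentation-reserved ranges and domains.
SAMPLE_GROUP = {
    "name": "constructed-example",
    "include": [
        {"email_domain": {"domain": "example.com"}},
        {"ip": {"ip": "192.0.2.0/24"}},
    ],
    "exclude": [{"email": {"email": "contractor@example.com"}}],
    "require": [{"geo": {"country_code": "US"}}],
}

if __name__ == "__main__":
    alice = {"email": "alice@example.com", "ip": "198.51.100.7", "country": "US"}
    print("alice matches:", group_matches(SAMPLE_GROUP, alice))
    print("findings:", broad_include_findings({"include": [{"everyone": {}}]}))
```

Rule types outside `MATCHERS` raise `UnsupportedRule`, so a group that uses an identity-provider rule is reported as not evaluable rather than silently treated as a match or a miss.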
class GroupUpdateResponse:
id: Optional[str]

UUID.

maxLength: 36
exclude: Optional[List[AccessRule]]

Rules evaluated with a NOT logical operator. To match a policy, a user cannot meet any of the Exclude rules.

One of the following:
class GroupRule:

Matches an Access group.

group: Group
id: str

The ID of a previously created Access group.

class AnyValidServiceTokenRule:

Matches any valid Access Service Token

any_valid_service_token: AnyValidServiceToken

An empty object which matches on all service tokens.

class AccessAuthContextRule:

Matches an Azure Authentication Context. Requires an Azure identity provider.

auth_context: AccessAuthContextRuleAuthContext
id: str

The ID of an Authentication context.

ac_id: str

The ACID of an Authentication context.

identity_provider_id: str

The ID of your Azure identity provider.

class AuthenticationMethodRule:

Enforce different MFA options

auth_method: AuthMethod
auth_method: str
class AzureGroupRule:

Matches an Azure group. Requires an Azure identity provider.

azure_ad: AzureAD
id: str

The ID of an Azure group.

identity_provider_id: str

The ID of your Azure identity provider.

class CertificateRule:

Matches any valid client certificate.

certificate: Certificate
class AccessCommonNameRule:

Matches a specific common name.

common_name: AccessCommonNameRuleCommonName
common_name: str

The common name to match.

class CountryRule:

Matches a specific country

geo: Geo
country_code: str

The country code that should be matched.

class AccessDevicePostureRule:

Enforces that a device posture rule has run successfully.

device_posture: DevicePosture
integration_uid: str

The ID of a device posture integration.

class DomainRule:

Match an entire email domain.

email_domain: EmailDomain
domain: str

The email domain to match.

class EmailListRule:

Matches an email address from a list.

email_list: EmailList
id: str

The ID of a previously created email list.

class EmailRule:

Matches a specific email.

email: Email
email: str

The email of the user.

format: email
class EveryoneRule:

Matches everyone.

everyone: Everyone

An empty object which matches on all users.

class ExternalEvaluationRule:

Create Allow or Block policies which evaluate the user based on custom criteria.

external_evaluation: ExternalEvaluation
evaluate_url: str

The API endpoint containing your business logic.

keys_url: str

The API endpoint containing the key that Access uses to verify that the response came from your API.

class GitHubOrganizationRule:

Matches a GitHub organization. Requires a GitHub identity provider.

github_organization: GitHubOrganization
identity_provider_id: str

The ID of your GitHub identity provider.

name: str

The name of the organization.

team: Optional[str]

The name of the team

class GSuiteGroupRule:

Matches a group in Google Workspace. Requires a Google Workspace identity provider.

gsuite: GSuite
email: str

The email of the Google Workspace group.

identity_provider_id: str

The ID of your Google Workspace identity provider.

class AccessLoginMethodRule:

Matches a specific identity provider id.

login_method: AccessLoginMethodRuleLoginMethod
id: str

The ID of an identity provider.

class IPListRule:

Matches an IP address from a list.

ip_list: IPList
id: str

The ID of a previously created IP list.

class IPRule:

Matches an IP address block.

ip: IP
ip: str

An IPv4 or IPv6 CIDR block.

class OktaGroupRule:

Matches an Okta group. Requires an Okta identity provider.

okta: Okta
identity_provider_id: str

The ID of your Okta identity provider.

name: str

The name of the Okta group.

class SAMLGroupRule:

Matches a SAML group. Requires a SAML identity provider.

saml: SAML
attribute_name: str

The name of the SAML attribute.

attribute_value: str

The SAML attribute value to look for.

identity_provider_id: str

The ID of your SAML identity provider.

class AccessOIDCClaimRule:

Matches an OIDC claim. Requires an OIDC identity provider.

oidc: AccessOIDCClaimRuleOIDC
claim_name: str

The name of the OIDC claim.

claim_value: str

The OIDC claim value to look for.

identity_provider_id: str

The ID of your OIDC identity provider.

class ServiceTokenRule:

Matches a specific Access Service Token

service_token: ServiceToken
token_id: str

The ID of a Service Token.

class AccessLinkedAppTokenRule:

Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.

linked_app_token: AccessLinkedAppTokenRuleLinkedAppToken
app_uid: str

The ID of an Access OIDC SaaS application

class AccessUserRiskScoreRule:

Matches a user’s risk score.

user_risk_score: AccessUserRiskScoreRuleUserRiskScore
user_risk_score: List[Literal["low", "medium", "high", "unscored"]]

A list of risk score levels to match. Values can be low, medium, high, or unscored.

One of the following:
"low"
"medium"
"high"
"unscored"
include: Optional[List[AccessRule]]

Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.

One of the following:
class GroupRule:

Matches an Access group.

group: Group
id: str

The ID of a previously created Access group.

class AnyValidServiceTokenRule:

Matches any valid Access Service Token

any_valid_service_token: AnyValidServiceToken

An empty object which matches on all service tokens.

class AccessAuthContextRule:

Matches an Azure Authentication Context. Requires an Azure identity provider.

auth_context: AccessAuthContextRuleAuthContext
id: str

The ID of an Authentication context.

ac_id: str

The ACID of an Authentication context.

identity_provider_id: str

The ID of your Azure identity provider.

class AuthenticationMethodRule:

Enforce different MFA options

auth_method: AuthMethod
auth_method: str
class AzureGroupRule:

Matches an Azure group. Requires an Azure identity provider.

azure_ad: AzureAD
id: str

The ID of an Azure group.

identity_provider_id: str

The ID of your Azure identity provider.

class CertificateRule:

Matches any valid client certificate.

certificate: Certificate
class AccessCommonNameRule:

Matches a specific common name.

common_name: AccessCommonNameRuleCommonName
common_name: str

The common name to match.

class CountryRule:

Matches a specific country

geo: Geo
country_code: str

The country code that should be matched.

class AccessDevicePostureRule:

Enforces that a device posture rule has run successfully.

device_posture: DevicePosture
integration_uid: str

The ID of a device posture integration.

class DomainRule:

Match an entire email domain.

email_domain: EmailDomain
domain: str

The email domain to match.

class EmailListRule:

Matches an email address from a list.

email_list: EmailList
id: str

The ID of a previously created email list.

class EmailRule:

Matches a specific email.

email: Email
email: str

The email of the user.

format: email
class EveryoneRule:

Matches everyone.

everyone: Everyone

An empty object which matches on all users.

class ExternalEvaluationRule:

Create Allow or Block policies which evaluate the user based on custom criteria.

external_evaluation: ExternalEvaluation
evaluate_url: str

The API endpoint containing your business logic.

keys_url: str

The API endpoint containing the key that Access uses to verify that the response came from your API.

class GitHubOrganizationRule:

Matches a GitHub organization. Requires a GitHub identity provider.

github_organization: GitHubOrganization
identity_provider_id: str

The ID of your GitHub identity provider.

name: str

The name of the organization.

team: Optional[str]

The name of the team.

class GSuiteGroupRule:

Matches a group in Google Workspace. Requires a Google Workspace identity provider.

gsuite: GSuite
email: str

The email of the Google Workspace group.

identity_provider_id: str

The ID of your Google Workspace identity provider.

class AccessLoginMethodRule:

Matches a specific identity provider id.

login_method: AccessLoginMethodRuleLoginMethod
id: str

The ID of an identity provider.

class IPListRule:

Matches an IP address from a list.

ip_list: IPList
id: str

The ID of a previously created IP list.

class IPRule:

Matches an IP address block.

ip: IP
ip: str

An IPv4 or IPv6 CIDR block.

class OktaGroupRule:

Matches an Okta group. Requires an Okta identity provider.

okta: Okta
identity_provider_id: str

The ID of your Okta identity provider.

name: str

The name of the Okta group.

class SAMLGroupRule:

Matches a SAML group. Requires a SAML identity provider.

saml: SAML
attribute_name: str

The name of the SAML attribute.

attribute_value: str

The SAML attribute value to look for.

identity_provider_id: str

The ID of your SAML identity provider.

class AccessOIDCClaimRule:

Matches an OIDC claim. Requires an OIDC identity provider.

oidc: AccessOIDCClaimRuleOIDC
claim_name: str

The name of the OIDC claim.

claim_value: str

The OIDC claim value to look for.

identity_provider_id: str

The ID of your OIDC identity provider.

class ServiceTokenRule:

Matches a specific Access Service Token

service_token: ServiceToken
token_id: str

The ID of a Service Token.

class AccessLinkedAppTokenRule:

Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.

linked_app_token: AccessLinkedAppTokenRuleLinkedAppToken
app_uid: str

The ID of an Access OIDC SaaS application

class AccessUserRiskScoreRule:

Matches a user’s risk score.

user_risk_score: AccessUserRiskScoreRuleUserRiskScore
user_risk_score: List[Literal["low", "medium", "high", "unscored"]]

A list of risk score levels to match. Values can be low, medium, high, or unscored.

One of the following:
"low"
"medium"
"high"
"unscored"
is_default: Optional[List[AccessRule]]

Rules evaluated with an AND logical operator. To match a policy, a user must meet all of the Require rules.

One of the following:
class GroupRule:

Matches an Access group.

group: Group
id: str

The ID of a previously created Access group.

class AnyValidServiceTokenRule:

Matches any valid Access Service Token

any_valid_service_token: AnyValidServiceToken

An empty object which matches on all service tokens.

class AccessAuthContextRule:

Matches an Azure Authentication Context. Requires an Azure identity provider.

auth_context: AccessAuthContextRuleAuthContext
id: str

The ID of an Authentication context.

ac_id: str

The ACID of an Authentication context.

identity_provider_id: str

The ID of your Azure identity provider.

class AuthenticationMethodRule:

Enforce different MFA options

auth_method: AuthMethod
auth_method: str
class AzureGroupRule:

Matches an Azure group. Requires an Azure identity provider.

azure_ad: AzureAD
id: str

The ID of an Azure group.

identity_provider_id: str

The ID of your Azure identity provider.

class CertificateRule:

Matches any valid client certificate.

certificate: Certificate
class AccessCommonNameRule:

Matches a specific common name.

common_name: AccessCommonNameRuleCommonName
common_name: str

The common name to match.

class CountryRule:

Matches a specific country

geo: Geo
country_code: str

The country code that should be matched.

class AccessDevicePostureRule:

Enforces that a device posture rule has run successfully.

device_posture: DevicePosture
integration_uid: str

The ID of a device posture integration.

class DomainRule:

Match an entire email domain.

email_domain: EmailDomain
domain: str

The email domain to match.

class EmailListRule:

Matches an email address from a list.

email_list: EmailList
id: str

The ID of a previously created email list.

class EmailRule:

Matches a specific email.

email: Email
email: str

The email of the user.

format: email
class EveryoneRule:

Matches everyone.

everyone: Everyone

An empty object which matches on all users.

class ExternalEvaluationRule:

Create Allow or Block policies which evaluate the user based on custom criteria.

external_evaluation: ExternalEvaluation
evaluate_url: str

The API endpoint containing your business logic.

keys_url: str

The API endpoint containing the key that Access uses to verify that the response came from your API.

class GitHubOrganizationRule:

Matches a GitHub organization. Requires a GitHub identity provider.

github_organization: GitHubOrganization
identity_provider_id: str

The ID of your GitHub identity provider.

name: str

The name of the organization.

team: Optional[str]

The name of the team.

class GSuiteGroupRule:

Matches a group in Google Workspace. Requires a Google Workspace identity provider.

gsuite: GSuite
email: str

The email of the Google Workspace group.

identity_provider_id: str

The ID of your Google Workspace identity provider.

class AccessLoginMethodRule:

Matches a specific identity provider id.

login_method: AccessLoginMethodRuleLoginMethod
id: str

The ID of an identity provider.

class IPListRule:

Matches an IP address from a list.

ip_list: IPList
id: str

The ID of a previously created IP list.

class IPRule:

Matches an IP address block.

ip: IP
ip: str

An IPv4 or IPv6 CIDR block.

class OktaGroupRule:

Matches an Okta group. Requires an Okta identity provider.

okta: Okta
identity_provider_id: str

The ID of your Okta identity provider.

name: str

The name of the Okta group.

class SAMLGroupRule:

Matches a SAML group. Requires a SAML identity provider.

saml: SAML
attribute_name: str

The name of the SAML attribute.

attribute_value: str

The SAML attribute value to look for.

identity_provider_id: str

The ID of your SAML identity provider.

class AccessOIDCClaimRule:

Matches an OIDC claim. Requires an OIDC identity provider.

oidc: AccessOIDCClaimRuleOIDC
claim_name: str

The name of the OIDC claim.

claim_value: str

The OIDC claim value to look for.

identity_provider_id: str

The ID of your OIDC identity provider.

class ServiceTokenRule:

Matches a specific Access Service Token

service_token: ServiceToken
token_id: str

The ID of a Service Token.

class AccessLinkedAppTokenRule:

Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.

linked_app_token: AccessLinkedAppTokenRuleLinkedAppToken
app_uid: str

The ID of an Access OIDC SaaS application

class AccessUserRiskScoreRule:

Matches a user’s risk score.

user_risk_score: AccessUserRiskScoreRuleUserRiskScore
user_risk_score: List[Literal["low", "medium", "high", "unscored"]]

A list of risk score levels to match. Values can be low, medium, high, or unscored.

One of the following:
"low"
"medium"
"high"
"unscored"
name: Optional[str]

The name of the Access group.

require: Optional[List[AccessRule]]

Rules evaluated with an AND logical operator. To match a policy, a user must meet all of the Require rules.

One of the following:
class GroupRule:

Matches an Access group.

group: Group
id: str

The ID of a previously created Access group.

class AnyValidServiceTokenRule:

Matches any valid Access Service Token

any_valid_service_token: AnyValidServiceToken

An empty object which matches on all service tokens.

class AccessAuthContextRule:

Matches an Azure Authentication Context. Requires an Azure identity provider.

auth_context: AccessAuthContextRuleAuthContext
id: str

The ID of an Authentication context.

ac_id: str

The ACID of an Authentication context.

identity_provider_id: str

The ID of your Azure identity provider.

class AuthenticationMethodRule:

Enforce different MFA options

auth_method: AuthMethod
auth_method: str
class AzureGroupRule:

Matches an Azure group. Requires an Azure identity provider.

azure_ad: AzureAD
id: str

The ID of an Azure group.

identity_provider_id: str

The ID of your Azure identity provider.

class CertificateRule:

Matches any valid client certificate.

certificate: Certificate
class AccessCommonNameRule:

Matches a specific common name.

common_name: AccessCommonNameRuleCommonName
common_name: str

The common name to match.

class CountryRule:

Matches a specific country

geo: Geo
country_code: str

The country code that should be matched.

class AccessDevicePostureRule:

Enforces that a device posture rule has run successfully.

device_posture: DevicePosture
integration_uid: str

The ID of a device posture integration.

class DomainRule:

Match an entire email domain.

email_domain: EmailDomain
domain: str

The email domain to match.

class EmailListRule:

Matches an email address from a list.

email_list: EmailList
id: str

The ID of a previously created email list.

class EmailRule:

Matches a specific email.

email: Email
email: str

The email of the user.

format: email
class EveryoneRule:

Matches everyone.

everyone: Everyone

An empty object which matches on all users.

class ExternalEvaluationRule:

Create Allow or Block policies which evaluate the user based on custom criteria.

external_evaluation: ExternalEvaluation
evaluate_url: str

The API endpoint containing your business logic.

keys_url: str

The API endpoint containing the key that Access uses to verify that the response came from your API.

class GitHubOrganizationRule:

Matches a GitHub organization. Requires a GitHub identity provider.

github_organization: GitHubOrganization
identity_provider_id: str

The ID of your GitHub identity provider.

name: str

The name of the organization.

team: Optional[str]

The name of the team.

class GSuiteGroupRule:

Matches a group in Google Workspace. Requires a Google Workspace identity provider.

gsuite: GSuite
email: str

The email of the Google Workspace group.

identity_provider_id: str

The ID of your Google Workspace identity provider.

class AccessLoginMethodRule:

Matches a specific identity provider id.

login_method: AccessLoginMethodRuleLoginMethod
id: str

The ID of an identity provider.

class IPListRule:

Matches an IP address from a list.

ip_list: IPList
id: str

The ID of a previously created IP list.

class IPRule:

Matches an IP address block.

ip: IP
ip: str

An IPv4 or IPv6 CIDR block.

class OktaGroupRule:

Matches an Okta group. Requires an Okta identity provider.

okta: Okta
identity_provider_id: str

The ID of your Okta identity provider.

name: str

The name of the Okta group.

class SAMLGroupRule:

Matches a SAML group. Requires a SAML identity provider.

saml: SAML
attribute_name: str

The name of the SAML attribute.

attribute_value: str

The SAML attribute value to look for.

identity_provider_id: str

The ID of your SAML identity provider.

class AccessOIDCClaimRule:

Matches an OIDC claim. Requires an OIDC identity provider.

oidc: AccessOIDCClaimRuleOIDC
claim_name: str

The name of the OIDC claim.

claim_value: str

The OIDC claim value to look for.

identity_provider_id: str

The ID of your OIDC identity provider.

class ServiceTokenRule:

Matches a specific Access Service Token

service_token: ServiceToken
token_id: str

The ID of a Service Token.

class AccessLinkedAppTokenRule:

Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.

linked_app_token: AccessLinkedAppTokenRuleLinkedAppToken
app_uid: str

The ID of an Access OIDC SaaS application

class AccessUserRiskScoreRule:

Matches a user’s risk score.

user_risk_score: AccessUserRiskScoreRuleUserRiskScore
user_risk_score: List[Literal["low", "medium", "high", "unscored"]]

A list of risk score levels to match. Values can be low, medium, high, or unscored.

One of the following:
"low"
"medium"
"high"
"unscored"
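
The include (OR), require (AND) and exclude (NOT) lists described above can be checked offline before a group definition is sent to the API. The following is an added example, not Cloudflare's evaluator or SDK code: `rule_matches`, `group_matches`, `audit` and the sample `GROUP` are hypothetical names, only four selectors are modelled, and case-insensitive email comparison and "empty include matches nobody" are assumptions.

```python
import ipaddress

def rule_matches(rule, user):
    """True if one AccessRule dict matches the constructed user context."""
    if "everyone" in rule:
        return True
    if "email" in rule:
        return user["email"].lower() == rule["email"]["email"].lower()
    if "email_domain" in rule:
        domain = user["email"].lower().rsplit("@", 1)[-1]
        return domain == rule["email_domain"]["domain"].lower()
    if "ip" in rule:
        net = ipaddress.ip_network(rule["ip"]["ip"], strict=False)
        return ipaddress.ip_address(user["ip"]) in net
    # Fail loudly: an unmodelled selector must not be read as "no match".
    raise NotImplementedError(f"selector not modelled: {sorted(rule)}")

def group_matches(group, user):
    """exclude = NOT, include = OR, require = AND (per the field descriptions)."""
    if any(rule_matches(r, user) for r in group.get("exclude") or []):
        return False
    if not any(rule_matches(r, user) for r in group.get("include") or []):
        return False  # assumption: an empty include list matches nobody
    return all(rule_matches(r, user) for r in group.get("require") or [])

def audit(group):
    """Flag include rules that match far more broadly than a group name implies."""
    findings = []
    constrained = bool(group.get("require"))
    for rule in group.get("include") or []:
        if "everyone" in rule and not constrained:
            findings.append("include: 'everyone' with no require rules")
        if "any_valid_service_token" in rule and not constrained:
            findings.append("include: any valid service token with no require rules")
        if "ip" in rule and ipaddress.ip_network(rule["ip"]["ip"], strict=False).prefixlen == 0:
            findings.append("include: IP rule covers the whole address space")
    return findings

# Constructed sample group and users (documentation address ranges).
GROUP = {
    "name": "contractors",
    "include": [{"email_domain": {"domain": "example.com"}}],
    "require": [{"ip": {"ip": "203.0.113.0/24"}}],
    "exclude": [{"email": {"email": "mallory@example.com"}}],
}

if __name__ == "__main__":
    for email, ip in [("alice@example.com", "203.0.113.10"),
                      ("alice@example.com", "198.51.100.5"),
                      ("mallory@example.com", "203.0.113.10")]:
        print(email, ip, group_matches(GROUP, {"email": email, "ip": ip}))
    print(audit({"include": [{"everyone": {}}]}))
```
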
class GroupDeleteResponse:
id: Optional[str]

UUID.

maxLength: 36