## Create an Access group

`zero_trust.access.groups.create(GroupCreateParams**kwargs) -> GroupCreateResponse`

**post** `/{accounts_or_zones}/{account_or_zone_id}/access/groups`

Creates a new Access group.

### Parameters

- `include: Iterable[AccessRuleParam]` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
  - `class GroupRule: …` Matches an Access group.
    - `group: Group`
      - `id: str` The ID of a previously created Access group.
  - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token
    - `any_valid_service_token: AnyValidServiceToken` An empty object which matches on all service tokens.
  - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
    - `auth_context: AccessAuthContextRuleAuthContext`
      - `id: str` The ID of an Authentication context.
      - `ac_id: str` The ACID of an Authentication context.
      - `identity_provider_id: str` The ID of your Azure identity provider.
  - `class AuthenticationMethodRule: …` Enforce different MFA options
    - `auth_method: AuthMethod`
      - `auth_method: str` The type of authentication method https://datatracker.ietf.org/doc/html/rfc8176#section-2.
  - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
    - `azure_ad: AzureAD`
      - `id: str` The ID of an Azure group.
      - `identity_provider_id: str` The ID of your Azure identity provider.
  - `class CertificateRule: …` Matches any valid client certificate.
    - `certificate: Certificate`
  - `class AccessCommonNameRule: …` Matches a specific common name.
    - `common_name: AccessCommonNameRuleCommonName`
      - `common_name: str` The common name to match.
  - `class CountryRule: …` Matches a specific country
    - `geo: Geo`
      - `country_code: str` The country code that should be matched.
  - `class AccessDevicePostureRule: …` Enforces a device posture rule has run successfully
    - `device_posture: DevicePosture`
      - `integration_uid: str` The ID of a device posture integration.
  - `class DomainRule: …` Match an entire email domain.
    - `email_domain: EmailDomain`
      - `domain: str` The email domain to match.
  - `class EmailListRule: …` Matches an email address from a list.
    - `email_list: EmailList`
      - `id: str` The ID of a previously created email list.
  - `class EmailRule: …` Matches a specific email.
    - `email: Email`
      - `email: str` The email of the user.
  - `class EveryoneRule: …` Matches everyone.
    - `everyone: Everyone` An empty object which matches on all users.
  - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria.
    - `external_evaluation: ExternalEvaluation`
      - `evaluate_url: str` The API endpoint containing your business logic.
      - `keys_url: str` The API endpoint containing the key that Access uses to verify that the response came from your API.
  - `class GitHubOrganizationRule: …` Matches a Github organization. Requires a Github identity provider.
    - `github_organization: GitHubOrganization`
      - `identity_provider_id: str` The ID of your Github identity provider.
      - `name: str` The name of the organization.
      - `team: Optional[str]` The name of the team
  - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
    - `gsuite: GSuite`
      - `email: str` The email of the Google Workspace group.
      - `identity_provider_id: str` The ID of your Google Workspace identity provider.
  - `class AccessLoginMethodRule: …` Matches a specific identity provider id.
    - `login_method: AccessLoginMethodRuleLoginMethod`
      - `id: str` The ID of an identity provider.
  - `class IPListRule: …` Matches an IP address from a list.
    - `ip_list: IPList`
      - `id: str` The ID of a previously created IP list.
  - `class IPRule: …` Matches an IP address block.
    - `ip: IP`
      - `ip: str` An IPv4 or IPv6 CIDR block.
  - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
    - `okta: Okta`
      - `identity_provider_id: str` The ID of your Okta identity provider.
      - `name: str` The name of the Okta group.
  - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
    - `saml: SAML`
      - `attribute_name: str` The name of the SAML attribute.
      - `attribute_value: str` The SAML attribute value to look for.
      - `identity_provider_id: str` The ID of your SAML identity provider.
  - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
    - `oidc: AccessOIDCClaimRuleOIDC`
      - `claim_name: str` The name of the OIDC claim.
      - `claim_value: str` The OIDC claim value to look for.
      - `identity_provider_id: str` The ID of your OIDC identity provider.
  - `class ServiceTokenRule: …` Matches a specific Access Service Token
    - `service_token: ServiceToken`
      - `token_id: str` The ID of a Service Token.
  - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
    - `linked_app_token: AccessLinkedAppTokenRuleLinkedAppToken`
      - `app_uid: str` The ID of an Access OIDC SaaS application
  - `class AccessUserRiskScoreRule: …` Matches a user's risk score.
    - `user_risk_score: AccessUserRiskScoreRuleUserRiskScore`
      - `user_risk_score: List[Literal["low", "medium", "high", "unscored"]]` A list of risk score levels to match. Values can be low, medium, high, or unscored.
        - `"low"`
        - `"medium"`
        - `"high"`
        - `"unscored"`
- `name: str` The name of the Access group.
- `account_id: Optional[str]` The Account ID to use for this endpoint. Mutually exclusive with the Zone ID.
- `zone_id: Optional[str]` The Zone ID to use for this endpoint. Mutually exclusive with the Account ID.
- `exclude: Optional[Iterable[AccessRuleParam]]` Rules evaluated with a NOT logical operator. To match a policy, a user cannot meet any of the Exclude rules.
  - `class GroupRule: …` Matches an Access group.
  - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token
  - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
  - `class AuthenticationMethodRule: …` Enforce different MFA options
  - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
  - `class CertificateRule: …` Matches any valid client certificate.
  - `class AccessCommonNameRule: …` Matches a specific common name.
  - `class CountryRule: …` Matches a specific country
  - `class AccessDevicePostureRule: …` Enforces a device posture rule has run successfully
  - `class DomainRule: …` Match an entire email domain.
  - `class EmailListRule: …` Matches an email address from a list.
  - `class EmailRule: …` Matches a specific email.
  - `class EveryoneRule: …` Matches everyone.
  - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria.
  - `class GitHubOrganizationRule: …` Matches a Github organization. Requires a Github identity provider.
  - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
  - `class AccessLoginMethodRule: …` Matches a specific identity provider id.
  - `class IPListRule: …` Matches an IP address from a list.
  - `class IPRule: …` Matches an IP address block.
  - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
  - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
  - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
  - `class ServiceTokenRule: …` Matches a specific Access Service Token
  - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
  - `class AccessUserRiskScoreRule: …` Matches a user's risk score.
- `is_default: Optional[bool]` Whether this is the default group
- `require: Optional[Iterable[AccessRuleParam]]` Rules evaluated with an AND logical operator. To match a policy, a user must meet all of the Require rules.
  - `class GroupRule: …` Matches an Access group.
  - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token
  - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
  - `class AuthenticationMethodRule: …` Enforce different MFA options
  - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
  - `class CertificateRule: …` Matches any valid client certificate.
  - `class AccessCommonNameRule: …` Matches a specific common name.
  - `class CountryRule: …` Matches a specific country
  - `class AccessDevicePostureRule: …` Enforces a device posture rule has run successfully
  - `class DomainRule: …` Match an entire email domain.
  - `class EmailListRule: …` Matches an email address from a list.
  - `class EmailRule: …` Matches a specific email.
  - `class EveryoneRule: …` Matches everyone.
  - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria.
  - `class GitHubOrganizationRule: …` Matches a Github organization. Requires a Github identity provider.
  - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
  - `class AccessLoginMethodRule: …` Matches a specific identity provider id.
  - `class IPListRule: …` Matches an IP address from a list.
  - `class IPRule: …` Matches an IP address block.
  - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
  - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
  - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
  - `class ServiceTokenRule: …` Matches a specific Access Service Token
  - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
  - `class AccessUserRiskScoreRule: …` Matches a user's risk score.

### Returns

- `class GroupCreateResponse: …`
  - `id: Optional[str]` UUID.
  - `exclude: Optional[List[AccessRule]]` Rules evaluated with a NOT logical operator. To match a policy, a user cannot meet any of the Exclude rules.
    - `class GroupRule: …` Matches an Access group.
      - `group: Group`
        - `id: str` The ID of a previously created Access group.
    - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token
      - `any_valid_service_token: AnyValidServiceToken` An empty object which matches on all service tokens.
    - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `auth_context: AccessAuthContextRuleAuthContext`
        - `id: str` The ID of an Authentication context.
        - `ac_id: str` The ACID of an Authentication context.
        - `identity_provider_id: str` The ID of your Azure identity provider.
    - `class AuthenticationMethodRule: …` Enforce different MFA options
      - `auth_method: AuthMethod`
        - `auth_method: str` The type of authentication method https://datatracker.ietf.org/doc/html/rfc8176#section-2.
    - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
      - `azure_ad: AzureAD`
        - `id: str` The ID of an Azure group.
        - `identity_provider_id: str` The ID of your Azure identity provider.
    - `class CertificateRule: …` Matches any valid client certificate.
      - `certificate: Certificate`
    - `class AccessCommonNameRule: …` Matches a specific common name.
      - `common_name: AccessCommonNameRuleCommonName`
        - `common_name: str` The common name to match.
    - `class CountryRule: …` Matches a specific country
      - `geo: Geo`
        - `country_code: str` The country code that should be matched.
    - `class AccessDevicePostureRule: …` Enforces a device posture rule has run successfully
      - `device_posture: DevicePosture`
        - `integration_uid: str` The ID of a device posture integration.
    - `class DomainRule: …` Match an entire email domain.
      - `email_domain: EmailDomain`
        - `domain: str` The email domain to match.
    - `class EmailListRule: …` Matches an email address from a list.
      - `email_list: EmailList`
        - `id: str` The ID of a previously created email list.
    - `class EmailRule: …` Matches a specific email.
      - `email: Email`
        - `email: str` The email of the user.
    - `class EveryoneRule: …` Matches everyone.
      - `everyone: Everyone` An empty object which matches on all users.
    - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `external_evaluation: ExternalEvaluation`
        - `evaluate_url: str` The API endpoint containing your business logic.
        - `keys_url: str` The API endpoint containing the key that Access uses to verify that the response came from your API.
    - `class GitHubOrganizationRule: …` Matches a Github organization. Requires a Github identity provider.
      - `github_organization: GitHubOrganization`
        - `identity_provider_id: str` The ID of your Github identity provider.
        - `name: str` The name of the organization.
        - `team: Optional[str]` The name of the team
    - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `gsuite: GSuite`
        - `email: str` The email of the Google Workspace group.
        - `identity_provider_id: str` The ID of your Google Workspace identity provider.
    - `class AccessLoginMethodRule: …` Matches a specific identity provider id.
      - `login_method: AccessLoginMethodRuleLoginMethod`
        - `id: str` The ID of an identity provider.
    - `class IPListRule: …` Matches an IP address from a list.
      - `ip_list: IPList`
        - `id: str` The ID of a previously created IP list.
    - `class IPRule: …` Matches an IP address block.
      - `ip: IP`
        - `ip: str` An IPv4 or IPv6 CIDR block.
    - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
      - `okta: Okta`
        - `identity_provider_id: str` The ID of your Okta identity provider.
        - `name: str` The name of the Okta group.
    - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
      - `saml: SAML`
        - `attribute_name: str` The name of the SAML attribute.
        - `attribute_value: str` The SAML attribute value to look for.
        - `identity_provider_id: str` The ID of your SAML identity provider.
    - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
      - `oidc: AccessOIDCClaimRuleOIDC`
        - `claim_name: str` The name of the OIDC claim.
        - `claim_value: str` The OIDC claim value to look for.
        - `identity_provider_id: str` The ID of your OIDC identity provider.
    - `class ServiceTokenRule: …` Matches a specific Access Service Token
      - `service_token: ServiceToken`
        - `token_id: str` The ID of a Service Token.
    - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `linked_app_token: AccessLinkedAppTokenRuleLinkedAppToken`
        - `app_uid: str` The ID of an Access OIDC SaaS application
    - `class AccessUserRiskScoreRule: …` Matches a user's risk score.
      - `user_risk_score: AccessUserRiskScoreRuleUserRiskScore`
        - `user_risk_score: List[Literal["low", "medium", "high", "unscored"]]` A list of risk score levels to match. Values can be low, medium, high, or unscored.
          - `"low"`
          - `"medium"`
          - `"high"`
          - `"unscored"`
  - `include: Optional[List[AccessRule]]` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
    - `class GroupRule: …` Matches an Access group.
    - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token
    - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
    - `class AuthenticationMethodRule: …` Enforce different MFA options
    - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
    - `class CertificateRule: …` Matches any valid client certificate.
    - `class AccessCommonNameRule: …` Matches a specific common name.
    - `class CountryRule: …` Matches a specific country
    - `class AccessDevicePostureRule: …` Enforces a device posture rule has run successfully
    - `class DomainRule: …` Match an entire email domain.
    - `class EmailListRule: …` Matches an email address from a list.
    - `class EmailRule: …` Matches a specific email.
    - `class EveryoneRule: …` Matches everyone.
    - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria.
    - `class GitHubOrganizationRule: …` Matches a Github organization. Requires a Github identity provider.
    - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
    - `class AccessLoginMethodRule: …` Matches a specific identity provider id.
    - `class IPListRule: …` Matches an IP address from a list.
    - `class IPRule: …` Matches an IP address block.
    - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
    - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
    - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
    - `class ServiceTokenRule: …` Matches a specific Access Service Token
    - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
    - `class AccessUserRiskScoreRule: …` Matches a user's risk score.
  - `is_default: Optional[List[AccessRule]]` Rules evaluated with an AND logical operator. To match a policy, a user must meet all of the Require rules.
    - `class GroupRule: …` Matches an Access group.
    - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token
    - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
    - `class AuthenticationMethodRule: …` Enforce different MFA options
    - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
    - `class CertificateRule: …` Matches any valid client certificate.
    - `class AccessCommonNameRule: …` Matches a specific common name.
    - `class CountryRule: …` Matches a specific country
    - `class AccessDevicePostureRule: …` Enforces a device posture rule has run successfully
    - `class DomainRule: …` Match an entire email domain.
    - `class EmailListRule: …` Matches an email address from a list.
    - `class EmailRule: …` Matches a specific email.
    - `class EveryoneRule: …` Matches everyone.
    - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria.
    - `class GitHubOrganizationRule: …` Matches a Github organization. Requires a Github identity provider.
    - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
    - `class AccessLoginMethodRule: …` Matches a specific identity provider id.
    - `class IPListRule: …` Matches an IP address from a list.
    - `class IPRule: …` Matches an IP address block.
    - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
    - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
    - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
    - `class ServiceTokenRule: …` Matches a specific Access Service Token
    - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
    - `class AccessUserRiskScoreRule: …` Matches a user's risk score.
  - `name: Optional[str]` The name of the Access group.
  - `require: Optional[List[AccessRule]]` Rules evaluated with an AND logical operator. To match a policy, a user must meet all of the Require rules.
    - `class GroupRule: …` Matches an Access group.
    - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token
    - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
    - `class AuthenticationMethodRule: …` Enforce different MFA options
    - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
    - `class CertificateRule: …` Matches any valid client certificate.
    - `class AccessCommonNameRule: …` Matches a specific common name.
    - `class CountryRule: …` Matches a specific country
    - `class AccessDevicePostureRule: …` Enforces a device posture rule has run successfully
    - `class DomainRule: …` Match an entire email domain.
    - `class EmailListRule: …` Matches an email address from a list.
    - `class EmailRule: …` Matches a specific email.
    - `class EveryoneRule: …` Matches everyone.
    - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria.
    - `class GitHubOrganizationRule: …` Matches a Github organization. Requires a Github identity provider.
    - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
    - `class AccessLoginMethodRule: …` Matches a specific identity provider id.
    - `class IPListRule: …` Matches an IP address from a list.
    - `class IPRule: …` Matches an IP address block.
    - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
    - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
    - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
    - `class ServiceTokenRule: …` Matches a specific Access Service Token
    - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
    - `class AccessUserRiskScoreRule: …` Matches a user's risk score.

### Example

```python
import os
from cloudflare import Cloudflare

client = Cloudflare(
    api_token=os.environ.get("CLOUDFLARE_API_TOKEN"),  # This is the default and can be omitted
)
group = client.zero_trust.access.groups.create(
    include=[{
        "group": {
            "id": "aa0a4aab-672b-4bdb-bc33-a59f1130a11f"
        }
    }],
    name="Allow devs",
    account_id="account_id",
)
print(group.id)
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "success": true,
  "result": {
    "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
    "created_at": "2014-01-01T05:20:00.12345Z",
    "exclude": [
      {
        "group": {
          "id": "aa0a4aab-672b-4bdb-bc33-a59f1130a11f"
        }
      }
    ],
    "include": [
      {
        "group": {
          "id": "aa0a4aab-672b-4bdb-bc33-a59f1130a11f"
        }
      }
    ],
    "is_default": [
      {
        "group": {
          "id": "aa0a4aab-672b-4bdb-bc33-a59f1130a11f"
        }
      }
    ],
    "name": "Allow devs",
    "require": [
      {
        "group": {
          "id": "aa0a4aab-672b-4bdb-bc33-a59f1130a11f"
        }
      }
    ],
    "updated_at": "2014-01-01T05:20:00.12345Z"
  }
}
```
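
The OR / AND / NOT semantics of `include`, `require` and `exclude` from the parameter list, as an added example (not Cloudflare's code and not part of the SDK): a local model for reviewing a group definition before it is sent to `create()`. It assumes the three lists combine as "any include, all require, no exclude"; the function names, the identity keys `email` and `ip`, and the sample group are hypothetical.

```python
import ipaddress

def rule_matches(rule: dict, identity: dict) -> bool:
    """Evaluate one rule object (keys as documented above) against an identity."""
    if "everyone" in rule:
        return True
    email = identity.get("email", "").lower()
    if "email" in rule:
        return email == rule["email"]["email"].lower()
    if "email_domain" in rule:
        domain = rule["email_domain"]["domain"].lower()
        return "@" in email and email.rpartition("@")[2] == domain
    if "ip" in rule:
        if "ip" not in identity:
            return False
        net = ipaddress.ip_network(rule["ip"]["ip"], strict=False)
        addr = ipaddress.ip_address(identity["ip"])
        return addr.version == net.version and addr in net
    # Refuse to guess about rule types this sketch does not model.
    raise ValueError(f"unmodelled rule type: {sorted(rule)}")

def group_matches(group: dict, identity: dict) -> bool:
    """Assumed combination: no exclude rule, every require rule, one include rule."""
    if any(rule_matches(r, identity) for r in group.get("exclude") or []):
        return False  # NOT: a single exclude hit rejects the user
    if not all(rule_matches(r, identity) for r in group.get("require") or []):
        return False  # AND: every require rule must hold (an empty list holds)
    # OR: one include rule is enough; an empty include list matches nobody
    return any(rule_matches(r, identity) for r in group.get("include") or [])

def broad_include_rules(group: dict) -> list:
    """Name include rules that match regardless of who the caller is."""
    found = []
    for rule in group.get("include") or []:
        if "everyone" in rule or "any_valid_service_token" in rule:
            found.append(next(iter(rule)))
        elif "ip" in rule:
            net = ipaddress.ip_network(rule["ip"]["ip"], strict=False)
            if net.prefixlen == 0:  # 0.0.0.0/0 or ::/0 covers every address
                found.append("ip:" + rule["ip"]["ip"])
    return found

# Constructed sample group, using the same keys as the create() parameters.
DEVS = {
    "name": "Allow devs",
    "include": [{"email_domain": {"domain": "example.com"}},
                {"email": {"email": "contractor@example.net"}}],
    "require": [{"ip": {"ip": "203.0.113.0/24"}}],
    "exclude": [{"email": {"email": "former@example.com"}}],
}

if __name__ == "__main__":
    for who in ({"email": "alice@example.com", "ip": "203.0.113.10"},
                {"email": "former@example.com", "ip": "203.0.113.10"},
                {"email": "alice@example.com", "ip": "198.51.100.5"}):
        print(who["email"], who["ip"], group_matches(DEVS, who))
    print(broad_include_rules({"include": [{"everyone": {}}]}))
```

With no `require` or `exclude` entries, a group whose `include` contains `everyone` matches any identity, which is what `broad_include_rules` is there to surface during review.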