## List Access reusable policies

`zero_trust.access.policies.list(PolicyListParams**kwargs) -> SyncV4PagePaginationArray[PolicyListResponse]`

**get** `/accounts/{account_id}/access/policies`

Lists Access reusable policies.

### Parameters

- `account_id: str` Identifier.
- `page: Optional[int]` Page number of results.
- `per_page: Optional[int]` Number of results per page.

### Returns

- `class PolicyListResponse: …`
  - `id: Optional[str]` The UUID of the policy
  - `app_count: Optional[int]` Number of access applications currently using this policy.
  - `approval_groups: Optional[List[ApprovalGroup]]` Administrators who can approve a temporary authentication request.
    - `approvals_needed: float` The number of approvals needed to obtain access.
    - `email_addresses: Optional[List[str]]` A list of emails that can approve the access request.
    - `email_list_uuid: Optional[str]` The UUID of a re-usable email list.
  - `approval_required: Optional[bool]` Requires the user to request access from an administrator at the start of each session.
  - `connection_rules: Optional[ConnectionRules]` The rules that define how users may connect to targets secured by your application.
    - `rdp: Optional[ConnectionRulesRDP]` The RDP-specific rules that define clipboard behavior for RDP connections.
      - `allowed_clipboard_local_to_remote_formats: Optional[List[Literal["text"]]]` Clipboard formats allowed when copying from local machine to remote RDP session.
        - `"text"`
      - `allowed_clipboard_remote_to_local_formats: Optional[List[Literal["text"]]]` Clipboard formats allowed when copying from remote RDP session to local machine.
        - `"text"`
  - `created_at: Optional[datetime]`
  - `decision: Optional[Decision]` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
    - `"allow"`
    - `"deny"`
    - `"non_identity"`
    - `"bypass"`
  - `exclude: Optional[List[AccessRule]]` Rules evaluated with a NOT logical operator.
    To match the policy, a user cannot meet any of the Exclude rules.
    - `class GroupRule: …` Matches an Access group.
      - `group: Group`
        - `id: str` The ID of a previously created Access group.
    - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token
      - `any_valid_service_token: AnyValidServiceToken` An empty object which matches on all service tokens.
    - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `auth_context: AccessAuthContextRuleAuthContext`
        - `id: str` The ID of an Authentication context.
        - `ac_id: str` The ACID of an Authentication context.
        - `identity_provider_id: str` The ID of your Azure identity provider.
    - `class AuthenticationMethodRule: …` Enforce different MFA options
      - `auth_method: AuthMethod`
        - `auth_method: str` The type of authentication method https://datatracker.ietf.org/doc/html/rfc8176#section-2.
    - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
      - `azure_ad: AzureAD`
        - `id: str` The ID of an Azure group.
        - `identity_provider_id: str` The ID of your Azure identity provider.
    - `class CertificateRule: …` Matches any valid client certificate.
      - `certificate: Certificate`
    - `class AccessCommonNameRule: …` Matches a specific common name.
      - `common_name: AccessCommonNameRuleCommonName`
        - `common_name: str` The common name to match.
    - `class CountryRule: …` Matches a specific country
      - `geo: Geo`
        - `country_code: str` The country code that should be matched.
    - `class AccessDevicePostureRule: …` Enforces a device posture rule has run successfully
      - `device_posture: DevicePosture`
        - `integration_uid: str` The ID of a device posture integration.
    - `class DomainRule: …` Match an entire email domain.
      - `email_domain: EmailDomain`
        - `domain: str` The email domain to match.
    - `class EmailListRule: …` Matches an email address from a list.
      - `email_list: EmailList`
        - `id: str` The ID of a previously created email list.
    - `class EmailRule: …` Matches a specific email.
      - `email: Email`
        - `email: str` The email of the user.
    - `class EveryoneRule: …` Matches everyone.
      - `everyone: Everyone` An empty object which matches on all users.
    - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `external_evaluation: ExternalEvaluation`
        - `evaluate_url: str` The API endpoint containing your business logic.
        - `keys_url: str` The API endpoint containing the key that Access uses to verify that the response came from your API.
    - `class GitHubOrganizationRule: …` Matches a Github organization. Requires a Github identity provider.
      - `github_organization: GitHubOrganization`
        - `identity_provider_id: str` The ID of your Github identity provider.
        - `name: str` The name of the organization.
        - `team: Optional[str]` The name of the team
    - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `gsuite: GSuite`
        - `email: str` The email of the Google Workspace group.
        - `identity_provider_id: str` The ID of your Google Workspace identity provider.
    - `class AccessLoginMethodRule: …` Matches a specific identity provider id.
      - `login_method: AccessLoginMethodRuleLoginMethod`
        - `id: str` The ID of an identity provider.
    - `class IPListRule: …` Matches an IP address from a list.
      - `ip_list: IPList`
        - `id: str` The ID of a previously created IP list.
    - `class IPRule: …` Matches an IP address block.
      - `ip: IP`
        - `ip: str` An IPv4 or IPv6 CIDR block.
    - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
      - `okta: Okta`
        - `identity_provider_id: str` The ID of your Okta identity provider.
        - `name: str` The name of the Okta group.
    - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
      - `saml: SAML`
        - `attribute_name: str` The name of the SAML attribute.
        - `attribute_value: str` The SAML attribute value to look for.
        - `identity_provider_id: str` The ID of your SAML identity provider.
    - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
      - `oidc: AccessOIDCClaimRuleOIDC`
        - `claim_name: str` The name of the OIDC claim.
        - `claim_value: str` The OIDC claim value to look for.
        - `identity_provider_id: str` The ID of your OIDC identity provider.
    - `class ServiceTokenRule: …` Matches a specific Access Service Token
      - `service_token: ServiceToken`
        - `token_id: str` The ID of a Service Token.
    - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `linked_app_token: AccessLinkedAppTokenRuleLinkedAppToken`
        - `app_uid: str` The ID of an Access OIDC SaaS application
    - `class AccessUserRiskScoreRule: …` Matches a user's risk score.
      - `user_risk_score: AccessUserRiskScoreRuleUserRiskScore`
        - `user_risk_score: List[Literal["low", "medium", "high", "unscored"]]` A list of risk score levels to match. Values can be low, medium, high, or unscored.
          - `"low"`
          - `"medium"`
          - `"high"`
          - `"unscored"`
  - `include: Optional[List[AccessRule]]` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
    - `class GroupRule: …` Matches an Access group.
    - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token
    - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
    - `class AuthenticationMethodRule: …` Enforce different MFA options
    - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
    - `class CertificateRule: …` Matches any valid client certificate.
    - `class AccessCommonNameRule: …` Matches a specific common name.
    - `class CountryRule: …` Matches a specific country
    - `class AccessDevicePostureRule: …` Enforces a device posture rule has run successfully
    - `class DomainRule: …` Match an entire email domain.
    - `class EmailListRule: …` Matches an email address from a list.
    - `class EmailRule: …` Matches a specific email.
    - `class EveryoneRule: …` Matches everyone.
    - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria.
    - `class GitHubOrganizationRule: …` Matches a Github organization. Requires a Github identity provider.
    - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
    - `class AccessLoginMethodRule: …` Matches a specific identity provider id.
    - `class IPListRule: …` Matches an IP address from a list.
    - `class IPRule: …` Matches an IP address block.
    - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
    - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
    - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
    - `class ServiceTokenRule: …` Matches a specific Access Service Token
    - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
    - `class AccessUserRiskScoreRule: …` Matches a user's risk score.
  - `isolation_required: Optional[bool]` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature.
  - `mfa_config: Optional[MfaConfig]` Configures multi-factor authentication (MFA) settings.
    - `allowed_authenticators: Optional[List[Literal["totp", "biometrics", "security_key"]]]` Lists the MFA methods that users can authenticate with.
      - `"totp"`
      - `"biometrics"`
      - `"security_key"`
    - `mfa_disabled: Optional[bool]` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
    - `session_duration: Optional[str]` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
  - `name: Optional[str]` The name of the Access policy.
  - `purpose_justification_prompt: Optional[str]` A custom message that will appear on the purpose justification screen.
  - `purpose_justification_required: Optional[bool]` Require users to enter a justification when they log in to the application.
  - `require: Optional[List[AccessRule]]` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
    - `class GroupRule: …` Matches an Access group.
    - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token
    - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
    - `class AuthenticationMethodRule: …` Enforce different MFA options
    - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
    - `class CertificateRule: …` Matches any valid client certificate.
    - `class AccessCommonNameRule: …` Matches a specific common name.
    - `class CountryRule: …` Matches a specific country
    - `class AccessDevicePostureRule: …` Enforces a device posture rule has run successfully
    - `class DomainRule: …` Match an entire email domain.
    - `class EmailListRule: …` Matches an email address from a list.
    - `class EmailRule: …` Matches a specific email.
    - `class EveryoneRule: …` Matches everyone.
    - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria.
    - `class GitHubOrganizationRule: …` Matches a Github organization. Requires a Github identity provider.
    - `class GSuiteGroupRule: …` Matches a group in Google Workspace.
      Requires a Google Workspace identity provider.
    - `class AccessLoginMethodRule: …` Matches a specific identity provider id.
    - `class IPListRule: …` Matches an IP address from a list.
    - `class IPRule: …` Matches an IP address block.
    - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
    - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
    - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
    - `class ServiceTokenRule: …` Matches a specific Access Service Token
    - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
    - `class AccessUserRiskScoreRule: …` Matches a user's risk score.
  - `reusable: Optional[Literal[true]]`
    - `true`
  - `session_duration: Optional[str]` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.
  - `updated_at: Optional[datetime]`

### Example

```python
import os

from cloudflare import Cloudflare

client = Cloudflare(
    api_token=os.environ.get("CLOUDFLARE_API_TOKEN"),  # This is the default and can be omitted
)
page = client.zero_trust.access.policies.list(
    account_id="023e105f4ecef8ad9ca31a8372d0c353",
)
page = page.result[0]
print(page.id)
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "success": true,
  "result": [
    {
      "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
      "app_count": 2,
      "approval_groups": [
        {
          "approvals_needed": 1,
          "email_addresses": [
            "test1@cloudflare.com",
            "test2@cloudflare.com"
          ],
          "email_list_uuid": "email_list_uuid"
        },
        {
          "approvals_needed": 3,
          "email_addresses": [
            "test@cloudflare.com",
            "test2@cloudflare.com"
          ],
          "email_list_uuid": "597147a1-976b-4ef2-9af0-81d5d007fc34"
        }
      ],
      "approval_required": true,
      "connection_rules": {
        "rdp": {
          "allowed_clipboard_local_to_remote_formats": [
            "text"
          ],
          "allowed_clipboard_remote_to_local_formats": [
            "text"
          ]
        }
      },
      "created_at": "2014-01-01T05:20:00.12345Z",
      "decision": "allow",
      "exclude": [
        {
          "certificate": {}
        }
      ],
      "include": [
        {
          "certificate": {}
        }
      ],
      "isolation_required": false,
      "mfa_config": {
        "allowed_authenticators": [
          "totp",
          "biometrics",
          "security_key"
        ],
        "mfa_disabled": false,
        "session_duration": "24h"
      },
      "name": "Allow devs",
      "purpose_justification_prompt": "Please enter a justification for entering this protected domain.",
      "purpose_justification_required": true,
      "require": [
        {
          "certificate": {}
        }
      ],
      "reusable": true,
      "session_duration": "24h",
      "updated_at": "2014-01-01T05:20:00.12345Z"
    }
  ],
  "result_info": {
    "count": 1,
    "page": 1,
    "per_page": 20,
    "total_count": 2000,
    "total_pages": 100
  }
}
```
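An added example, not part of Cloudflare's documentation or SDK: a review pass over policy objects shaped like the `result` items above. It applies the Include (OR) and Require (AND) semantics to flag broad rules, disabled MFA and long sessions. The function names, finding strings, `MAX_SESSION_SECONDS` threshold and sample policies are assumptions constructed for illustration.

```python
import ipaddress
import re

# Seconds per unit for the session_duration format ("300ms", "2h45m").
UNITS = {"ns": 1e-9, "us": 1e-6, "µs": 1e-6, "ms": 1e-3, "s": 1, "m": 60, "h": 3600}
MAX_SESSION_SECONDS = 24 * 3600  # assumed review threshold, not a Cloudflare limit

def duration_seconds(value):
    """Parse a duration string; return None when it is missing or malformed."""
    parts = re.findall(r"(\d+(?:\.\d+)?)(ns|us|µs|ms|s|m|h)", value or "")
    if not parts or "".join(n + u for n, u in parts) != value:
        return None
    return sum(float(n) * UNITS[u] for n, u in parts)

def is_broad(rule):
    """True for a rule that matches every user, service token or address."""
    cidr = (rule.get("ip") or {}).get("ip")
    try:
        return ("everyone" in rule or "any_valid_service_token" in rule
                or bool(cidr) and ipaddress.ip_network(cidr, strict=False).prefixlen == 0)
    except ValueError:
        return False

def audit_policy(policy):
    """Return review findings for one policy dict shaped like a `result` item."""
    findings = []
    decision = policy.get("decision")
    if decision == "bypass":
        findings.append("bypass decision")
    # Include is OR, Require is AND: with no require rules, nothing narrows a broad include.
    if (decision != "deny" and not policy.get("require")
            and any(is_broad(r) for r in policy.get("include") or [])):
        findings.append("broad include without require")
    if (policy.get("mfa_config") or {}).get("mfa_disabled"):
        findings.append("mfa disabled")
    raw = policy.get("session_duration")
    seconds = duration_seconds(raw)
    if raw and (seconds is None or seconds > MAX_SESSION_SECONDS):
        findings.append("session_duration invalid or over threshold")
    return findings

# Constructed sample policies (illustrative values, not real account data).
SAMPLE = [
    {"id": "a", "decision": "allow", "include": [{"everyone": {}}], "require": [],
     "mfa_config": {"mfa_disabled": True}, "session_duration": "720h"},
    {"id": "b", "decision": "allow", "include": [{"email_domain": {"domain": "example.com"}}],
     "require": [{"certificate": {}}], "session_duration": "2h45m"},
    {"id": "c", "decision": "bypass", "include": [{"ip": {"ip": "0.0.0.0/0"}}]},
]
print({p["id"]: audit_policy(p) for p in SAMPLE})
```

To review a live account, pass each item of the `result` array to `audit_policy` as a dictionary; exclude rules are not evaluated here, so a flagged policy may still be narrowed by them.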