## Create an Access group

**post** `/{accounts_or_zones}/{account_or_zone_id}/access/groups`

Creates a new Access group.

### Path Parameters

- `account_id: optional string` The Account ID to use for this endpoint. Mutually exclusive with the Zone ID.
- `zone_id: optional string` The Zone ID to use for this endpoint. Mutually exclusive with the Account ID.

### Body Parameters

- `include: array of AccessRule` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
  - `GroupRule { group }` Matches an Access group.
    - `group: { id }`
      - `id: string` The ID of a previously created Access group.
  - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token.
    - `any_valid_service_token: { }` An empty object which matches on all service tokens.
  - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
    - `auth_context: { id, ac_id, identity_provider_id }`
      - `id: string` The ID of an Authentication context.
      - `ac_id: string` The ACID of an Authentication context.
      - `identity_provider_id: string` The ID of your Azure identity provider.
  - `AuthenticationMethodRule { auth_method }` Enforces different MFA options.
    - `auth_method: { auth_method }`
      - `auth_method: string` The type of authentication method, as defined in https://datatracker.ietf.org/doc/html/rfc8176#section-2.
  - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
    - `azureAD: { id, identity_provider_id }`
      - `id: string` The ID of an Azure group.
      - `identity_provider_id: string` The ID of your Azure identity provider.
  - `CertificateRule { certificate }` Matches any valid client certificate.
    - `certificate: { }`
  - `AccessCommonNameRule { common_name }` Matches a specific common name.
    - `common_name: { common_name }`
      - `common_name: string` The common name to match.
  - `CountryRule { geo }` Matches a specific country.
    - `geo: { country_code }`
      - `country_code: string` The country code that should be matched.
  - `AccessDevicePostureRule { device_posture }` Enforces that a device posture rule has run successfully.
    - `device_posture: { integration_uid }`
      - `integration_uid: string` The ID of a device posture integration.
  - `DomainRule { email_domain }` Matches an entire email domain.
    - `email_domain: { domain }`
      - `domain: string` The email domain to match.
  - `EmailListRule { email_list }` Matches an email address from a list.
    - `email_list: { id }`
      - `id: string` The ID of a previously created email list.
  - `EmailRule { email }` Matches a specific email.
    - `email: { email }`
      - `email: string` The email of the user.
  - `EveryoneRule { everyone }` Matches everyone.
    - `everyone: { }` An empty object which matches on all users.
  - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria.
    - `external_evaluation: { evaluate_url, keys_url }`
      - `evaluate_url: string` The API endpoint containing your business logic.
      - `keys_url: string` The API endpoint containing the key that Access uses to verify that the response came from your API.
  - `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider.
    - `"github-organization": { identity_provider_id, name, team }`
      - `identity_provider_id: string` The ID of your GitHub identity provider.
      - `name: string` The name of the organization.
      - `team: optional string` The name of the team.
  - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
    - `gsuite: { email, identity_provider_id }`
      - `email: string` The email of the Google Workspace group.
      - `identity_provider_id: string` The ID of your Google Workspace identity provider.
  - `AccessLoginMethodRule { login_method }` Matches a specific identity provider ID.
    - `login_method: { id }`
      - `id: string` The ID of an identity provider.
  - `IPListRule { ip_list }` Matches an IP address from a list.
    - `ip_list: { id }`
      - `id: string` The ID of a previously created IP list.
  - `IPRule { ip }` Matches an IP address block.
    - `ip: { ip }`
      - `ip: string` An IPv4 or IPv6 CIDR block.
  - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider.
    - `okta: { identity_provider_id, name }`
      - `identity_provider_id: string` The ID of your Okta identity provider.
      - `name: string` The name of the Okta group.
  - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
    - `saml: { attribute_name, attribute_value, identity_provider_id }`
      - `attribute_name: string` The name of the SAML attribute.
      - `attribute_value: string` The SAML attribute value to look for.
      - `identity_provider_id: string` The ID of your SAML identity provider.
  - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
    - `oidc: { claim_name, claim_value, identity_provider_id }`
      - `claim_name: string` The name of the OIDC claim.
      - `claim_value: string` The OIDC claim value to look for.
      - `identity_provider_id: string` The ID of your OIDC identity provider.
  - `ServiceTokenRule { service_token }` Matches a specific Access Service Token.
    - `service_token: { token_id }`
      - `token_id: string` The ID of a Service Token.
  - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
    - `linked_app_token: { app_uid }`
      - `app_uid: string` The ID of an Access OIDC SaaS application.
  - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.
    - `user_risk_score: { user_risk_score }`
      - `user_risk_score: array of "low" or "medium" or "high" or "unscored"` A list of risk score levels to match. Values can be low, medium, high, or unscored.
        - `"low"`
        - `"medium"`
        - `"high"`
        - `"unscored"`
- `name: string` The name of the Access group.
- `exclude: optional array of AccessRule` Rules evaluated with a NOT logical operator. To match a policy, a user cannot meet any of the Exclude rules.
  - `GroupRule { group }` Matches an Access group.
  - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token.
  - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
  - `AuthenticationMethodRule { auth_method }` Enforces different MFA options.
  - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
  - `CertificateRule { certificate }` Matches any valid client certificate.
  - `AccessCommonNameRule { common_name }` Matches a specific common name.
  - `CountryRule { geo }` Matches a specific country.
  - `AccessDevicePostureRule { device_posture }` Enforces that a device posture rule has run successfully.
  - `DomainRule { email_domain }` Matches an entire email domain.
  - `EmailListRule { email_list }` Matches an email address from a list.
  - `EmailRule { email }` Matches a specific email.
  - `EveryoneRule { everyone }` Matches everyone.
  - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria.
  - `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider.
  - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
  - `AccessLoginMethodRule { login_method }` Matches a specific identity provider ID.
  - `IPListRule { ip_list }` Matches an IP address from a list.
  - `IPRule { ip }` Matches an IP address block.
  - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider.
  - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
  - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
  - `ServiceTokenRule { service_token }` Matches a specific Access Service Token.
  - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
  - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.
- `is_default: optional boolean` Whether this is the default group.
- `require: optional array of AccessRule` Rules evaluated with an AND logical operator. To match a policy, a user must meet all of the Require rules.
  - `GroupRule { group }` Matches an Access group.
  - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token.
  - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
  - `AuthenticationMethodRule { auth_method }` Enforces different MFA options.
  - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
  - `CertificateRule { certificate }` Matches any valid client certificate.
  - `AccessCommonNameRule { common_name }` Matches a specific common name.
  - `CountryRule { geo }` Matches a specific country.
  - `AccessDevicePostureRule { device_posture }` Enforces that a device posture rule has run successfully.
  - `DomainRule { email_domain }` Matches an entire email domain.
  - `EmailListRule { email_list }` Matches an email address from a list.
  - `EmailRule { email }` Matches a specific email.
  - `EveryoneRule { everyone }` Matches everyone.
  - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria.
  - `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider.
  - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
  - `AccessLoginMethodRule { login_method }` Matches a specific identity provider ID.
  - `IPListRule { ip_list }` Matches an IP address from a list.
  - `IPRule { ip }` Matches an IP address block.
  - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider.
  - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
  - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
  - `ServiceTokenRule { service_token }` Matches a specific Access Service Token.
  - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
  - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.

### Returns

- `errors: array of { code, message, documentation_url, source }`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
    - `pointer: optional string`
- `messages: array of { code, message, documentation_url, source }`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
    - `pointer: optional string`
- `success: true` Whether the API call was successful.
  - `true`
- `result: optional { id, exclude, include, is_default, name, require }`
  - `id: optional string` UUID.
  - `exclude: optional array of AccessRule` Rules evaluated with a NOT logical operator. To match a policy, a user cannot meet any of the Exclude rules.
    - `GroupRule { group }` Matches an Access group.
      - `group: { id }`
        - `id: string` The ID of a previously created Access group.
    - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token.
      - `any_valid_service_token: { }` An empty object which matches on all service tokens.
    - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `auth_context: { id, ac_id, identity_provider_id }`
        - `id: string` The ID of an Authentication context.
        - `ac_id: string` The ACID of an Authentication context.
        - `identity_provider_id: string` The ID of your Azure identity provider.
    - `AuthenticationMethodRule { auth_method }` Enforces different MFA options.
      - `auth_method: { auth_method }`
        - `auth_method: string` The type of authentication method, as defined in https://datatracker.ietf.org/doc/html/rfc8176#section-2.
    - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
      - `azureAD: { id, identity_provider_id }`
        - `id: string` The ID of an Azure group.
        - `identity_provider_id: string` The ID of your Azure identity provider.
    - `CertificateRule { certificate }` Matches any valid client certificate.
      - `certificate: { }`
    - `AccessCommonNameRule { common_name }` Matches a specific common name.
      - `common_name: { common_name }`
        - `common_name: string` The common name to match.
    - `CountryRule { geo }` Matches a specific country.
      - `geo: { country_code }`
        - `country_code: string` The country code that should be matched.
    - `AccessDevicePostureRule { device_posture }` Enforces that a device posture rule has run successfully.
      - `device_posture: { integration_uid }`
        - `integration_uid: string` The ID of a device posture integration.
    - `DomainRule { email_domain }` Matches an entire email domain.
      - `email_domain: { domain }`
        - `domain: string` The email domain to match.
    - `EmailListRule { email_list }` Matches an email address from a list.
      - `email_list: { id }`
        - `id: string` The ID of a previously created email list.
    - `EmailRule { email }` Matches a specific email.
      - `email: { email }`
        - `email: string` The email of the user.
    - `EveryoneRule { everyone }` Matches everyone.
      - `everyone: { }` An empty object which matches on all users.
    - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `external_evaluation: { evaluate_url, keys_url }`
        - `evaluate_url: string` The API endpoint containing your business logic.
        - `keys_url: string` The API endpoint containing the key that Access uses to verify that the response came from your API.
    - `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider.
      - `"github-organization": { identity_provider_id, name, team }`
        - `identity_provider_id: string` The ID of your GitHub identity provider.
        - `name: string` The name of the organization.
        - `team: optional string` The name of the team.
    - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `gsuite: { email, identity_provider_id }`
        - `email: string` The email of the Google Workspace group.
        - `identity_provider_id: string` The ID of your Google Workspace identity provider.
    - `AccessLoginMethodRule { login_method }` Matches a specific identity provider ID.
      - `login_method: { id }`
        - `id: string` The ID of an identity provider.
    - `IPListRule { ip_list }` Matches an IP address from a list.
      - `ip_list: { id }`
        - `id: string` The ID of a previously created IP list.
    - `IPRule { ip }` Matches an IP address block.
      - `ip: { ip }`
        - `ip: string` An IPv4 or IPv6 CIDR block.
    - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider.
      - `okta: { identity_provider_id, name }`
        - `identity_provider_id: string` The ID of your Okta identity provider.
        - `name: string` The name of the Okta group.
    - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
      - `saml: { attribute_name, attribute_value, identity_provider_id }`
        - `attribute_name: string` The name of the SAML attribute.
        - `attribute_value: string` The SAML attribute value to look for.
        - `identity_provider_id: string` The ID of your SAML identity provider.
    - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
      - `oidc: { claim_name, claim_value, identity_provider_id }`
        - `claim_name: string` The name of the OIDC claim.
        - `claim_value: string` The OIDC claim value to look for.
        - `identity_provider_id: string` The ID of your OIDC identity provider.
    - `ServiceTokenRule { service_token }` Matches a specific Access Service Token.
      - `service_token: { token_id }`
        - `token_id: string` The ID of a Service Token.
    - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `linked_app_token: { app_uid }`
        - `app_uid: string` The ID of an Access OIDC SaaS application.
    - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.
      - `user_risk_score: { user_risk_score }`
        - `user_risk_score: array of "low" or "medium" or "high" or "unscored"` A list of risk score levels to match. Values can be low, medium, high, or unscored.
          - `"low"`
          - `"medium"`
          - `"high"`
          - `"unscored"`
  - `include: optional array of AccessRule` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
    - `GroupRule { group }` Matches an Access group.
    - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token.
    - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
    - `AuthenticationMethodRule { auth_method }` Enforces different MFA options.
    - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
    - `CertificateRule { certificate }` Matches any valid client certificate.
    - `AccessCommonNameRule { common_name }` Matches a specific common name.
    - `CountryRule { geo }` Matches a specific country.
    - `AccessDevicePostureRule { device_posture }` Enforces that a device posture rule has run successfully.
    - `DomainRule { email_domain }` Matches an entire email domain.
    - `EmailListRule { email_list }` Matches an email address from a list.
    - `EmailRule { email }` Matches a specific email.
    - `EveryoneRule { everyone }` Matches everyone.
    - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria.
    - `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider.
    - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
    - `AccessLoginMethodRule { login_method }` Matches a specific identity provider ID.
    - `IPListRule { ip_list }` Matches an IP address from a list.
    - `IPRule { ip }` Matches an IP address block.
    - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider.
    - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
    - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
    - `ServiceTokenRule { service_token }` Matches a specific Access Service Token.
    - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
    - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.
  - `is_default: optional array of AccessRule` Rules evaluated with an AND logical operator. To match a policy, a user must meet all of the Require rules.
    - `GroupRule { group }` Matches an Access group.
    - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token.
    - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
    - `AuthenticationMethodRule { auth_method }` Enforces different MFA options.
    - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
    - `CertificateRule { certificate }` Matches any valid client certificate.
    - `AccessCommonNameRule { common_name }` Matches a specific common name.
    - `CountryRule { geo }` Matches a specific country.
    - `AccessDevicePostureRule { device_posture }` Enforces that a device posture rule has run successfully.
    - `DomainRule { email_domain }` Matches an entire email domain.
    - `EmailListRule { email_list }` Matches an email address from a list.
    - `EmailRule { email }` Matches a specific email.
    - `EveryoneRule { everyone }` Matches everyone.
    - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria.
    - `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider.
    - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
    - `AccessLoginMethodRule { login_method }` Matches a specific identity provider ID.
    - `IPListRule { ip_list }` Matches an IP address from a list.
    - `IPRule { ip }` Matches an IP address block.
    - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider.
    - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
    - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
    - `ServiceTokenRule { service_token }` Matches a specific Access Service Token.
    - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
    - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.
  - `name: optional string` The name of the Access group.
  - `require: optional array of AccessRule` Rules evaluated with an AND logical operator. To match a policy, a user must meet all of the Require rules.
    - `GroupRule { group }` Matches an Access group.
    - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token.
    - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
    - `AuthenticationMethodRule { auth_method }` Enforces different MFA options.
    - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
    - `CertificateRule { certificate }` Matches any valid client certificate.
    - `AccessCommonNameRule { common_name }` Matches a specific common name.
    - `CountryRule { geo }` Matches a specific country.
    - `AccessDevicePostureRule { device_posture }` Enforces that a device posture rule has run successfully.
    - `DomainRule { email_domain }` Matches an entire email domain.
    - `EmailListRule { email_list }` Matches an email address from a list.
    - `EmailRule { email }` Matches a specific email.
    - `EveryoneRule { everyone }` Matches everyone.
    - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria.
    - `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider.
    - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
    - `AccessLoginMethodRule { login_method }` Matches a specific identity provider ID.
    - `IPListRule { ip_list }` Matches an IP address from a list.
    - `IPRule { ip }` Matches an IP address block.
    - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider.
    - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
    - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
    - `ServiceTokenRule { service_token }` Matches a specific Access Service Token.
    - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
    - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.

### Example

```bash
curl https://api.cloudflare.com/client/v4/$ACCOUNTS_OR_ZONES/$ACCOUNT_OR_ZONE_ID/access/groups \
  -H 'Content-Type: application/json' \
  -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
  -d '{
    "include": [
      {
        "group": {
          "id": "aa0a4aab-672b-4bdb-bc33-a59f1130a11f"
        }
      }
    ],
    "name": "Allow devs"
  }'
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "success": true,
  "result": {
    "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
    "created_at": "2014-01-01T05:20:00.12345Z",
    "exclude": [
      {
        "group": {
          "id": "aa0a4aab-672b-4bdb-bc33-a59f1130a11f"
        }
      }
    ],
    "include": [
      {
        "group": {
          "id": "aa0a4aab-672b-4bdb-bc33-a59f1130a11f"
        }
      }
    ],
    "is_default": [
      {
        "group": {
          "id": "aa0a4aab-672b-4bdb-bc33-a59f1130a11f"
        }
      }
    ],
    "name": "Allow devs",
    "require": [
      {
        "group": {
          "id": "aa0a4aab-672b-4bdb-bc33-a59f1130a11f"
        }
      }
    ],
    "updated_at": "2014-01-01T05:20:00.12345Z"
  }
}
```
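The three rule arrays combine as OR (include), NOT (exclude) and AND (require). The following local simulator, an added example rather than Cloudflare's own code, evaluates a group body in the shape this endpoint accepts against a few constructed identities so the combination can be checked before the group is created; the identity attribute names (`email`, `ip`, `country_code`, `groups`, `amr`, `risk`) are this example's own and not Cloudflare's session schema, and only a subset of the rule types above is implemented.

```python
import ipaddress
from typing import Any

Rule = dict[str, Any]      # one AccessRule object, e.g. {"email": {"email": "a@b.example"}}
Identity = dict[str, Any]  # attributes of the identity being evaluated (constructed shape)


def rule_matches(rule: Rule, who: Identity) -> bool:
    """Evaluate a single AccessRule against an identity.

    Handles a subset of the rule types listed on this page. Any rule type
    not handled here fails closed (False), so an unrecognised key can never
    widen access when it appears in an include rule.
    """
    if len(rule) != 1:
        raise ValueError(f"an AccessRule has exactly one key, got {sorted(rule)}")
    (kind, body), = rule.items()
    if kind == "everyone":                       # EveryoneRule
        return True
    if kind == "email":                          # EmailRule
        return who.get("email", "").lower() == body["email"].lower()
    if kind == "email_domain":                   # DomainRule
        return who.get("email", "").lower().endswith("@" + body["domain"].lower())
    if kind == "ip":                             # IPRule: IPv4 or IPv6 CIDR block
        return ipaddress.ip_address(who["ip"]) in ipaddress.ip_network(body["ip"], strict=False)
    if kind == "geo":                            # CountryRule
        return who.get("country_code") == body["country_code"]
    if kind == "group":                          # GroupRule: membership in another Access group
        return body["id"] in who.get("groups", ())
    if kind == "auth_method":                    # AuthenticationMethodRule: RFC 8176 amr value
        return body["auth_method"] in who.get("amr", ())
    if kind == "user_risk_score":                # AccessUserRiskScoreRule
        return who.get("risk", "unscored") in body["user_risk_score"]
    return False                                 # unknown rule type: fail closed


def group_matches(group: dict[str, Any], who: Identity) -> bool:
    """Combine the arrays as the page describes: include = OR, exclude = NOT, require = AND."""
    if not any(rule_matches(r, who) for r in group.get("include", [])):
        return False   # any([]) is False, so an empty include admits nobody
    if any(rule_matches(r, who) for r in group.get("exclude", [])):
        return False   # a single matching exclude rule overrides everything else
    return all(rule_matches(r, who) for r in group.get("require", []))


# Constructed group body in the shape this endpoint accepts (the group ID is
# reused from the page's example request).
DEVS_GROUP = {
    "name": "Allow devs",
    "include": [
        {"email_domain": {"domain": "example.com"}},
        {"group": {"id": "aa0a4aab-672b-4bdb-bc33-a59f1130a11f"}},
    ],
    "exclude": [{"email": {"email": "contractor@example.com"}}],
    "require": [
        {"auth_method": {"auth_method": "mfa"}},
        {"user_risk_score": {"user_risk_score": ["low", "unscored"]}},
    ],
}

# Constructed identities (203.0.113.0/24 is an RFC 5737 documentation range).
EMPLOYEE = {"email": "alice@example.com", "ip": "203.0.113.7",
            "country_code": "US", "amr": ["pwd", "mfa"], "risk": "low"}
CONTRACTOR = {**EMPLOYEE, "email": "contractor@example.com"}          # hit by exclude
NO_MFA = {**EMPLOYEE, "email": "bob@example.com", "amr": ["pwd"]}      # fails require
PARTNER_IN_GROUP = {**EMPLOYEE, "email": "carol@partner.test",        # include via group
                    "groups": ["aa0a4aab-672b-4bdb-bc33-a59f1130a11f"]}
RISKY = {**EMPLOYEE, "risk": "high"}                                   # fails require

if __name__ == "__main__":
    for label, who in [("employee", EMPLOYEE), ("contractor", CONTRACTOR), ("no_mfa", NO_MFA),
                       ("partner_in_group", PARTNER_IN_GROUP), ("risky", RISKY)]:
        print(f"{label:18} -> {group_matches(DEVS_GROUP, who)}")
```

Note that the real evaluation is done by Cloudflare at request time against session data; this simulator only checks that the include/exclude/require logic of a drafted body behaves as intended.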