Date: 2025-09-26

Application Granular Controls allows you to create Gateway HTTP policies to control specific user actions within supported SaaS applications. This allows you to give users access to an application while restricting the actions that they can take within the application.

Prerequisites

To use Application Granular Controls, you must:

Install a Cloudflare certificate or a custom certificate on your users' devices.

Turn on TLS decryption.

Create a policy with Application Granular Controls

To create a Gateway HTTP policy with Application Granular Controls:

1. In Zero Trust, go to Gateway > Firewall policies.
2. Select HTTP.
3. Select Add a policy.
4. Name the policy.
5. Under Traffic, build a logical expression that defines the traffic you want to allow or block.
6. To use Application Granular Controls, you must use the Application selector with the is operator. In Value, select your desired application.
7. In Controls, choose one or more Application Controls or individual Operations. For example, you can create a policy to block file uploads to ChatGPT:

   | Selector    | Operator | Value   | Controls | Action |
   | ----------- | -------- | ------- | -------- | ------ |
   | Application | is       | ChatGPT | Upload   | Block  |

8. Select Create policy.

For more information, refer to HTTP policies.

Control definitions

Gateway defines Application Granular Controls at different levels of granularity, including Application Controls and Operations.

Application Controls

Application Controls are pre-defined controls which represent user intent, such as uploads or downloads. Cloudflare defines and organizes sets of operations deemed related to specific intents with an application. Application Controls represent the most commonly used controls.

Operations

Operations are the individual API-level actions that an application uses. Defining controls at operation level allows for more fine-grained policies to support use cases such as blocking only certain types of downloads. You can also define controls where there is not an existing application control that covers the required intent, such as blocking comments. However, because each SaaS application uses a unique set of operations with its own scope and behaviors, the use of operation level controls often requires analysis for each desired use case. You can also use operation-level controls in cases where you need variations to the Cloudflare-defined application controls, such as including or excluding certain operations.

Cloudflare provides Operations based on the available APIs for an application.

Operation Groups

Operation Groups are groupings of operations defined by the application vendor. Operation Groups are typically based on a categorization of the different functional areas of the application, such as signature requests, or the entities that the application defines, such as files or folders. These definitions vary by application. Gateway groups operations into these operation groups to match the operations with the corresponding vendor API documentation.

DLP payloads

Application Granular Controls can apply Data Loss Prevention (DLP) for operations that contain scannable content. This includes operations that contain the content of uploaded or downloaded files or AI prompts. For example, when a user performs a file upload, a sequence of API operations may result, such as setting up the file metadata, uploading the file content, and finalizing the upload. When applying DLP to your Zero Trust traffic, it can be helpful to specifically target an operation that contains file content.

For more information on which operations support DLP payload scanning, refer to the Contains payload column in Compatible applications.

Application APIs

SaaS applications typically provide multiple APIs to interact with. For each application, Application Granular Controls may support the following API types:

Web Application API: These APIs are consumed by the web application that users interact with through their browser.

Platform API: These APIs are exposed to users to allow for programmatic interaction with the SaaS application. These are typically used by automations, scripts, or other applications.

Application Controls use both API types. If both API types are available when creating HTTP policies using Operations, you should select the Operations that align to the API being used, or include both for wider coverage.
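The two selection points above (targeting the operation that carries file content for DLP, and aligning Operations with the API type in use) can be checked before a policy is rolled out. The following is an added example, not Cloudflare code or a Cloudflare API: the catalog layout, the operation names and the helper functions are hypothetical, and real values come from the Compatible applications table.

```python
# Constructed catalog. Operation names are hypothetical placeholders; real
# names, API types and "Contains payload" values come from the
# Compatible applications table.
CATALOG = [
    # (operation, API type, intent, contains payload)
    ("web.upload.init", "Web Application API", "Upload", False),
    ("web.upload.content", "Web Application API", "Upload", True),
    ("web.upload.finalize", "Web Application API", "Upload", False),
    ("platform.files.create", "Platform API", "Upload", True),
    ("web.comment.create", "Web Application API", "Comment", False),
]


def uncovered_api_types(selected, intent, catalog=CATALOG):
    """API types that offer `intent` but have no operation in the policy."""
    offered = {api for _, api, i, _ in catalog if i == intent}
    matched = {api for op, api, i, _ in catalog
               if i == intent and op in selected}
    return sorted(offered - matched)


def payload_operations(selected, intent, catalog=CATALOG):
    """Selected operations that carry scannable content for a DLP profile."""
    return sorted(op for op, _, i, payload in catalog
                  if i == intent and op in selected and payload)


def review_policy(name, selected, intent):
    """Summarise coverage gaps for one operation-level policy."""
    return {
        "policy": name,
        "uncovered_api_types": uncovered_api_types(selected, intent),
        "payload_operations": payload_operations(selected, intent),
    }


if __name__ == "__main__":
    # Only the browser's metadata step is selected: the Platform API is
    # uncovered and there is no file content for DLP to inspect.
    print(review_policy("upload-v1", {"web.upload.init"}, "Upload"))
    # Selecting the content-bearing operation on both API types closes both gaps.
    print(review_policy("upload-v2",
                        {"web.upload.content", "platform.files.create"},
                        "Upload"))
```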

Compatible applications

Application Granular Controls supports matching operations within a number of defined applications.

AI

ChatGPT

Google Gemini

Perplexity

Claude