access_policies
Creates, updates, deletes, gets or lists an access_policies resource.
Overview
| Name | access_policies |
| Type | Resource |
| Id | cloudflare.zero_trust.access_policies |
Fields
The following fields are returned by SELECT queries:
- get_by_account
- list_by_account
Get an Access reusable policy response.
| Name | Datatype | Description |
|---|---|---|
| id | string | The UUID of the policy (example: f174e90a-fafe-4643-bbbc-4a0ed4fc8415) |
| name | string | The name of the Access policy. (example: Allow devs) |
| app_count | integer | Number of Access applications currently using this policy. |
| approval_groups | array | Administrators who can approve a temporary authentication request. (x-stainless-collection-type: set) |
| approval_required | boolean | Requires the user to request access from an administrator at the start of each session. |
| connection_rules | object | The rules that define how users may connect to targets secured by your application. (title: Connection Rules) |
| created_at | string (date-time) | When the policy was created. (example: 2014-01-01T05:20:00.12345Z) |
| decision | string | The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action. (allow, deny, non_identity, bypass) (example: allow) |
| exclude | array | Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules. (x-stainless-collection-type: set) |
| include | array | Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules. (x-stainless-collection-type: set) |
| isolation_required | boolean | Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature. |
| mfa_config | object | Configures multi-factor authentication (MFA) settings. |
| purpose_justification_prompt | string | A custom message that will appear on the purpose justification screen. (example: Please enter a justification for entering this protected domain.) |
| purpose_justification_required | boolean | Require users to enter a justification when they log in to the application. |
| require | array | Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules. (x-stainless-collection-type: set) |
| reusable | boolean | Always true for the policies returned by this resource. |
| session_duration | string | The amount of time that tokens issued for the application will be valid. Must be in the format 300ms or 2h45m. Valid time units are: ns, us (or µs), ms, s, m, h. (default: 24h, example: 24h) |
| updated_at | string (date-time) | When the policy was last updated. (example: 2014-01-01T05:20:00.12345Z) |
List Access reusable policies response: each row carries the same fields, with the same datatypes and descriptions, as the get_by_account response above.
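The three rule sets combine exactly as the field descriptions state: a user matches the policy when at least one include rule holds, every require rule holds, and no exclude rule holds; only then does `decision` apply. The evaluator below is an added example, not Cloudflare's or StackQL's code. Rule objects use the one-key-per-rule shape seen in the manifest on this page, but only a handful of the rule types are implemented; the identity dictionary and its keys (`email`, `groups`, `country_code`, `auth_method`, `service_token_valid`), the `ALLOW_DEVS` policy, the group UUID, the AMR value `mfa` and the country code `XX` are all constructed for illustration.

```python
"""Evaluate the include / require / exclude rule sets of one Access policy.

Added example, not Cloudflare's or StackQL's code. Rule objects follow the
shape of the manifest on this page (one key naming the rule type); the
identity dict and its keys are an assumption made for illustration.
"""
from typing import Any, Dict, List, Optional

Rule = Dict[str, Any]
Identity = Dict[str, Any]


def rule_matches(rule: Rule, identity: Identity) -> bool:
    """True if a single rule object matches the identity (subset of rule types)."""
    (kind, body), = rule.items()          # a real rule carries exactly one type key
    if kind == "everyone":
        return True
    if kind == "email":
        return identity.get("email", "").lower() == body["email"].lower()
    if kind == "email_domain":
        email = identity.get("email", "").lower()
        return "@" in email and email.rsplit("@", 1)[1] == body["domain"].lower()
    if kind == "group":
        return body["id"] in identity.get("groups", ())
    if kind == "geo":
        return identity.get("country_code") == body["country_code"]
    if kind == "auth_method":
        return identity.get("auth_method") == body["auth_method"]
    if kind == "any_valid_service_token":
        return bool(identity.get("service_token_valid"))
    raise ValueError(f"rule type not implemented in this example: {kind}")


def policy_matches(policy: Dict[str, Any], identity: Identity) -> bool:
    """include = OR, require = AND, exclude = NOT, as the field table states."""
    include: List[Rule] = policy.get("include") or []
    require: List[Rule] = policy.get("require") or []
    exclude: List[Rule] = policy.get("exclude") or []
    if not any(rule_matches(r, identity) for r in include):
        return False      # no include rule matched (an empty include list never matches)
    if not all(rule_matches(r, identity) for r in require):
        return False      # at least one require rule failed (an empty list passes)
    if any(rule_matches(r, identity) for r in exclude):
        return False      # an exclude rule matched
    return True


def decide(policy: Dict[str, Any], identity: Identity) -> Optional[str]:
    """Return the policy's decision (allow/deny/non_identity/bypass) on a match, else None."""
    return policy["decision"] if policy_matches(policy, identity) else None


# Constructed policy in the shape of a get_by_account row (only the rule fields matter here).
ALLOW_DEVS = {
    "name": "Allow devs",
    "decision": "allow",
    "include": [{"email_domain": {"domain": "example.com"}},
                {"group": {"id": "11111111-1111-4111-8111-111111111111"}}],  # placeholder UUID
    "require": [{"auth_method": {"auth_method": "mfa"}}],   # "mfa" is an assumed AMR value
    "exclude": [{"geo": {"country_code": "XX"}}],           # "XX" is a placeholder code
}

if __name__ == "__main__":
    alice = {"email": "alice@example.com", "auth_method": "mfa", "country_code": "US"}
    print(decide(ALLOW_DEVS, alice))                              # allow
    print(decide(ALLOW_DEVS, {**alice, "auth_method": "pwd"}))     # None: require failed
    print(decide(ALLOW_DEVS, {**alice, "country_code": "XX"}))     # None: exclude matched
```

Note the asymmetry the code makes explicit: an empty `require` list passes everyone, while an empty `include` list matches nobody, which is why `include` is a required parameter for create_by_account and update_by_account.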
Methods
The following methods are available for this resource:
| Name | Accessible by | Required Params | Optional Params | Description |
|---|---|---|---|---|
| get_by_account | select | account_id, policy_id | | Fetches a single Access reusable policy. |
| list_by_account | select | account_id | page, per_page | Lists Access reusable policies. |
| create_by_account | insert | account_id, include, decision, name | | Creates a new Access reusable policy. |
| update_by_account | replace | account_id, policy_id, include, decision, name | | Updates an Access reusable policy. |
| delete_by_account | delete | account_id, policy_id | | Deletes an Access reusable policy. |
Parameters
Parameters can be passed in the WHERE clause of a query. Check the Methods section to see which parameters are required or optional for each operation.
| Name | Datatype | Description |
|---|---|---|
| account_id | string | The Cloudflare account ID. |
| policy_id | string | The Access policy ID. |
| page | integer | Page number of the paginated result set (list_by_account only). |
| per_page | integer | Number of policies returned per page (list_by_account only). |
SELECT examples
- get_by_account
- list_by_account
Fetches a single Access reusable policy.
```sql
SELECT
  id,
  name,
  app_count,
  approval_groups,
  approval_required,
  connection_rules,
  created_at,
  decision,
  exclude,
  include,
  isolation_required,
  mfa_config,
  purpose_justification_prompt,
  purpose_justification_required,
  require,
  reusable,
  session_duration,
  updated_at
FROM cloudflare.zero_trust.access_policies
WHERE account_id = '{{ account_id }}' -- required
  AND policy_id = '{{ policy_id }}' -- required
;
```
Lists Access reusable policies.
```sql
SELECT
  id,
  name,
  app_count,
  approval_groups,
  approval_required,
  connection_rules,
  created_at,
  decision,
  exclude,
  include,
  isolation_required,
  mfa_config,
  purpose_justification_prompt,
  purpose_justification_required,
  require,
  reusable,
  session_duration,
  updated_at
FROM cloudflare.zero_trust.access_policies
WHERE account_id = '{{ account_id }}' -- required
  AND page = '{{ page }}'
  AND per_page = '{{ per_page }}'
;
```
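Once list_by_account rows are in hand, the checks worth running over them follow from the field semantics: a `bypass` decision disables Access enforcement for matching traffic, an `everyone` or `any_valid_service_token` include with no require rules matches very broadly, a long `session_duration` keeps issued tokens valid for a long time, and `app_count` of 0 marks a policy nothing uses. The script below is an added example, not StackQL's or Cloudflare's code, over constructed rows in the shape of the list response; the 24h threshold, the wording of the findings and the placeholder ids are this example's choices. Its duration parser implements the grammar the session_duration description gives (ns, us or µs, ms, s, m, h) and rejects anything else, so a value the API would refuse is caught before the audit runs.

```python
"""Audit reusable Access policies in the shape of a list_by_account row.

Added example, not Cloudflare's or StackQL's code. POLICIES is constructed
sample data; the findings and the 24h threshold are this example's choices.
"""
import re
from typing import Any, Dict, List

# Units the session_duration description allows, in nanoseconds (Go duration syntax).
_UNIT_NS = {
    "ns": 1, "us": 1_000, "µs": 1_000, "ms": 1_000_000,
    "s": 1_000_000_000, "m": 60 * 1_000_000_000, "h": 3_600 * 1_000_000_000,
}
# Two-letter units are listed before "s", "m" and "h" so "ms" is not read as "m".
_TOKEN = re.compile(r"(\d+(?:\.\d+)?)(ns|us|µs|ms|s|m|h)")


def parse_duration_seconds(text: str) -> float:
    """Parse '300ms' or '2h45m' into seconds; reject anything outside that grammar."""
    pos, total_ns = 0, 0.0
    for m in _TOKEN.finditer(text):
        if m.start() != pos:               # a gap means an unparsable fragment
            break
        total_ns += float(m.group(1)) * _UNIT_NS[m.group(2)]
        pos = m.end()
    if pos == 0 or pos != len(text):
        raise ValueError(f"invalid session_duration: {text!r}")
    return total_ns / 1e9


def audit_policy(row: Dict[str, Any], max_session_hours: float = 24.0) -> List[str]:
    """Return findings for one policy row (an empty list means nothing was flagged)."""
    findings: List[str] = []
    include = row.get("include") or []
    require = row.get("require") or []
    kinds = {k for rule in include for k in rule}   # rule types used in include

    if row["decision"] == "bypass":
        findings.append("decision=bypass: Access enforces nothing for matching requests")
    if "everyone" in kinds and not require and row["decision"] != "deny":
        findings.append("include everyone with no require rules: any authenticated user matches")
    if "any_valid_service_token" in kinds and not require:
        findings.append("any_valid_service_token with no require rules: every service token in the account matches")
    hours = parse_duration_seconds(row.get("session_duration") or "24h") / 3600
    if hours > max_session_hours:
        findings.append(f"session_duration {row['session_duration']} exceeds {max_session_hours:g}h")
    if row.get("app_count", 0) == 0:
        findings.append("app_count=0: policy is attached to no application")
    return findings


def audit_all(rows: List[Dict[str, Any]]) -> Dict[str, List[str]]:
    """Map policy name to its findings."""
    return {row["name"]: audit_policy(row) for row in rows}


# Constructed rows carrying the fields list_by_account returns (ids are placeholders).
POLICIES = [
    {"id": "00000000-0000-4000-8000-000000000001", "name": "Allow devs", "decision": "allow",
     "app_count": 3, "include": [{"email_domain": {"domain": "example.com"}}],
     "require": [{"auth_method": {"auth_method": "mfa"}}], "exclude": [],
     "session_duration": "24h"},
    {"id": "00000000-0000-4000-8000-000000000002", "name": "Health check", "decision": "bypass",
     "app_count": 1, "include": [{"everyone": {}}], "require": [], "exclude": [],
     "session_duration": "24h"},
    {"id": "00000000-0000-4000-8000-000000000003", "name": "Legacy CI", "decision": "non_identity",
     "app_count": 0, "include": [{"any_valid_service_token": {}}], "require": [], "exclude": [],
     "session_duration": "720h"},
]

if __name__ == "__main__":
    for name, findings in audit_all(POLICIES).items():
        print(name, "->", findings or "ok")
```

To run this against a live account, feed `audit_all` the rows of the list_by_account query above; `include`, `require` and `exclude` come back as JSON arrays, so decode them with `json.loads` first if your client returns them as strings.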
INSERT examples
- create_by_account
- Manifest
Creates a new Access reusable policy.
```sql
INSERT INTO cloudflare.zero_trust.access_policies (
  approval_groups,
  approval_required,
  connection_rules,
  isolation_required,
  mfa_config,
  purpose_justification_prompt,
  purpose_justification_required,
  session_duration,
  decision,
  exclude,
  include,
  name,
  require,
  account_id
)
SELECT
  '{{ approval_groups }}',
  {{ approval_required }},
  '{{ connection_rules }}',
  {{ isolation_required }},
  '{{ mfa_config }}',
  '{{ purpose_justification_prompt }}',
  {{ purpose_justification_required }},
  '{{ session_duration }}',
  '{{ decision }}' /* required */,
  '{{ exclude }}',
  '{{ include }}' /* required */,
  '{{ name }}' /* required */,
  '{{ require }}',
  '{{ account_id }}'
RETURNING
  errors,
  messages,
  result,
  success
;
```
```yaml
# Description fields are for documentation purposes
- name: access_policies
  props:
    - name: account_id
      value: "{{ account_id }}"
      description: Required parameter for the access_policies resource.
    - name: approval_groups
      description: |
        Administrators who can approve a temporary authentication request.
      value:
        - approvals_needed: {{ approvals_needed }}
          email_addresses: "{{ email_addresses }}"
          email_list_uuid: "{{ email_list_uuid }}"
    - name: approval_required
      value: {{ approval_required }}
      description: |
        Requires the user to request access from an administrator at the start of each session.
    - name: connection_rules
      description: |
        The rules that define how users may connect to targets secured by your application.
      value:
        rdp:
          allowed_clipboard_local_to_remote_formats:
            - "{{ allowed_clipboard_local_to_remote_formats }}"
          allowed_clipboard_remote_to_local_formats:
            - "{{ allowed_clipboard_remote_to_local_formats }}"
    - name: isolation_required
      value: {{ isolation_required }}
      description: |
        Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature.
    - name: mfa_config
      description: |
        Configures multi-factor authentication (MFA) settings.
      value:
        allowed_authenticators:
          - "{{ allowed_authenticators }}"
        mfa_disabled: {{ mfa_disabled }}
        session_duration: "{{ session_duration }}"
    - name: purpose_justification_prompt
      value: "{{ purpose_justification_prompt }}"
      description: |
        A custom message that will appear on the purpose justification screen.
    - name: purpose_justification_required
      value: {{ purpose_justification_required }}
      description: |
        Require users to enter a justification when they log in to the application.
    - name: session_duration
      value: "{{ session_duration }}"
      description: |
        The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.
      default: 24h
    - name: decision
      value: "{{ decision }}"
      description: |
        The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
      valid_values: ['allow', 'deny', 'non_identity', 'bypass']
    - name: exclude
      description: |
        Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
      # The template lists every rule type in one entry; each real rule object uses exactly one of them.
      value:
        - group:
            id: "{{ id }}"
          any_valid_service_token: "{{ any_valid_service_token }}"
          auth_context:
            ac_id: "{{ ac_id }}"
            id: "{{ id }}"
            identity_provider_id: "{{ identity_provider_id }}"
          auth_method:
            auth_method: "{{ auth_method }}"
          azureAD:
            id: "{{ id }}"
            identity_provider_id: "{{ identity_provider_id }}"
          certificate: "{{ certificate }}"
          common_name:
            common_name: "{{ common_name }}"
          geo:
            country_code: "{{ country_code }}"
          device_posture:
            integration_uid: "{{ integration_uid }}"
          email_domain:
            domain: "{{ domain }}"
          email_list:
            id: "{{ id }}"
          email:
            email: "{{ email }}"
          everyone: "{{ everyone }}"
          external_evaluation:
            evaluate_url: "{{ evaluate_url }}"
            keys_url: "{{ keys_url }}"
          github-organization:
            identity_provider_id: "{{ identity_provider_id }}"
            name: "{{ name }}"
            team: "{{ team }}"
          gsuite:
            email: "{{ email }}"
            identity_provider_id: "{{ identity_provider_id }}"
          login_method:
            id: "{{ id }}"
          ip_list:
            id: "{{ id }}"
          ip:
            ip: "{{ ip }}"
          okta:
            identity_provider_id: "{{ identity_provider_id }}"
            name: "{{ name }}"
          saml:
            attribute_name: "{{ attribute_name }}"
            attribute_value: "{{ attribute_value }}"
            identity_provider_id: "{{ identity_provider_id }}"
          oidc:
            claim_name: "{{ claim_name }}"
            claim_value: "{{ claim_value }}"
            identity_provider_id: "{{ identity_provider_id }}"
          service_token:
            token_id: "{{ token_id }}"
          linked_app_token:
            app_uid: "{{ app_uid }}"
          user_risk_score:
            user_risk_score:
              - "{{ user_risk_score }}"
      default:
    - name: include
      description: |
        Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
      # Same union template as exclude: each real rule object uses exactly one of these keys.
      value:
        - group:
            id: "{{ id }}"
          any_valid_service_token: "{{ any_valid_service_token }}"
          auth_context:
            ac_id: "{{ ac_id }}"
            id: "{{ id }}"
            identity_provider_id: "{{ identity_provider_id }}"
          auth_method:
            auth_method: "{{ auth_method }}"
          azureAD:
            id: "{{ id }}"
            identity_provider_id: "{{ identity_provider_id }}"
          certificate: "{{ certificate }}"
          common_name:
            common_name: "{{ common_name }}"
          geo:
            country_code: "{{ country_code }}"
          device_posture:
            integration_uid: "{{ integration_uid }}"
          email_domain:
            domain: "{{ domain }}"
          email_list:
            id: "{{ id }}"
          email:
            email: "{{ email }}"
          everyone: "{{ everyone }}"
          external_evaluation:
            evaluate_url: "{{ evaluate_url }}"
            keys_url: "{{ keys_url }}"
          github-organization:
            identity_provider_id: "{{ identity_provider_id }}"
            name: "{{ name }}"
            team: "{{ team }}"
          gsuite:
            email: "{{ email }}"
            identity_provider_id: "{{ identity_provider_id }}"
          login_method:
            id: "{{ id }}"
          ip_list:
            id: "{{ id }}"
          ip:
            ip: "{{ ip }}"
          okta:
            identity_provider_id: "{{ identity_provider_id }}"
            name: "{{ name }}"
          saml:
            attribute_name: "{{ attribute_name }}"
            attribute_value: "{{ attribute_value }}"
            identity_provider_id: "{{ identity_provider_id }}"
          oidc:
            claim_name: "{{ claim_name }}"
            claim_value: "{{ claim_value }}"
            identity_provider_id: "{{ identity_provider_id }}"
          service_token:
            token_id: "{{ token_id }}"
          linked_app_token:
            app_uid: "{{ app_uid }}"
          user_risk_score:
            user_risk_score:
              - "{{ user_risk_score }}"
      default:
    - name: name
      value: "{{ name }}"
      description: |
        The name of the Access policy.
    - name: require
      description: |
        Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
      # Same union template as exclude: each real rule object uses exactly one of these keys.
      value:
        - group:
            id: "{{ id }}"
          any_valid_service_token: "{{ any_valid_service_token }}"
          auth_context:
            ac_id: "{{ ac_id }}"
            id: "{{ id }}"
            identity_provider_id: "{{ identity_provider_id }}"
          auth_method:
            auth_method: "{{ auth_method }}"
          azureAD:
            id: "{{ id }}"
            identity_provider_id: "{{ identity_provider_id }}"
          certificate: "{{ certificate }}"
          common_name:
            common_name: "{{ common_name }}"
          geo:
            country_code: "{{ country_code }}"
          device_posture:
            integration_uid: "{{ integration_uid }}"
          email_domain:
            domain: "{{ domain }}"
          email_list:
            id: "{{ id }}"
          email:
            email: "{{ email }}"
          everyone: "{{ everyone }}"
          external_evaluation:
            evaluate_url: "{{ evaluate_url }}"
            keys_url: "{{ keys_url }}"
          github-organization:
            identity_provider_id: "{{ identity_provider_id }}"
            name: "{{ name }}"
            team: "{{ team }}"
          gsuite:
            email: "{{ email }}"
            identity_provider_id: "{{ identity_provider_id }}"
          login_method:
            id: "{{ id }}"
          ip_list:
            id: "{{ id }}"
          ip:
            ip: "{{ ip }}"
          okta:
            identity_provider_id: "{{ identity_provider_id }}"
            name: "{{ name }}"
          saml:
            attribute_name: "{{ attribute_name }}"
            attribute_value: "{{ attribute_value }}"
            identity_provider_id: "{{ identity_provider_id }}"
          oidc:
            claim_name: "{{ claim_name }}"
            claim_value: "{{ claim_value }}"
            identity_provider_id: "{{ identity_provider_id }}"
          service_token:
            token_id: "{{ token_id }}"
          linked_app_token:
            app_uid: "{{ app_uid }}"
          user_risk_score:
            user_risk_score:
              - "{{ user_risk_score }}"
      default:
```
REPLACE examples
- update_by_account
Updates an Access reusable policy. The update is a full replacement: include, decision and name are required, and any optional field left out of SET is not carried over from the existing policy.
```sql
REPLACE cloudflare.zero_trust.access_policies
SET
  approval_groups = '{{ approval_groups }}',
  approval_required = {{ approval_required }},
  connection_rules = '{{ connection_rules }}',
  isolation_required = {{ isolation_required }},
  mfa_config = '{{ mfa_config }}',
  purpose_justification_prompt = '{{ purpose_justification_prompt }}',
  purpose_justification_required = {{ purpose_justification_required }},
  session_duration = '{{ session_duration }}',
  decision = '{{ decision }}',
  exclude = '{{ exclude }}',
  include = '{{ include }}',
  name = '{{ name }}',
  require = '{{ require }}'
WHERE
  account_id = '{{ account_id }}' --required
  AND policy_id = '{{ policy_id }}' --required
  AND include = '{{ include }}' --required
  AND decision = '{{ decision }}' --required
  AND name = '{{ name }}' --required
RETURNING
  errors,
  messages,
  result,
  success;
```
DELETE examples
- delete_by_account
Deletes an Access reusable policy.
```sql
DELETE FROM cloudflare.zero_trust.access_policies
WHERE account_id = '{{ account_id }}' --required
  AND policy_id = '{{ policy_id }}' --required
;
```