apps_policies
Creates, updates, deletes, gets or lists an apps_policies resource.
Overview
| Name | apps_policies |
| Type | Resource |
| Id | cloudflare.zero_trust.apps_policies |
Fields
The following fields are returned by SELECT queries:
- get_by_account
- get_by_zone
- list_by_account
- list_by_zone
Get an Access policy response.
| Name | Datatype | Description |
|---|---|---|
| id | string | The UUID of the policy (example: f174e90a-fafe-4643-bbbc-4a0ed4fc8415) |
| name | string | The name of the Access policy. (example: Allow devs) |
| approval_groups | array | Administrators who can approve a temporary authentication request. (x-stainless-collection-type: set) |
| approval_required | boolean | Requires the user to request access from an administrator at the start of each session. |
| connection_rules | object | The rules that define how users may connect to targets secured by your application. (title: Connection Rules) |
| created_at | string (date-time) | (example: 2014-01-01T05:20:00.12345Z) |
| decision | string | The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action. (allow, deny, non_identity, bypass) (example: allow) |
| exclude | array | Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules. (x-stainless-collection-type: set) |
| include | array | Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules. (x-stainless-collection-type: set) |
| isolation_required | boolean | Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature. |
| mfa_config | object | Configures multi-factor authentication (MFA) settings. |
| precedence | integer | The order of execution for this policy. Must be unique for each policy within an app. |
| purpose_justification_prompt | string | A custom message that will appear on the purpose justification screen. (example: Please enter a justification for entering this protected domain.) |
| purpose_justification_required | boolean | Require users to enter a justification when they log in to the application. |
| require | array | Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules. (x-stainless-collection-type: set) |
| session_duration | string | The amount of time that tokens issued for the application will be valid. Must be in the format 300ms or 2h45m. Valid time units are: ns, us (or µs), ms, s, m, h. (default: 24h, example: 24h) |
| updated_at | string (date-time) | (example: 2014-01-01T05:20:00.12345Z) |
List Access application policies response
| Name | Datatype | Description |
|---|---|---|
| id | string | The UUID of the policy (example: f174e90a-fafe-4643-bbbc-4a0ed4fc8415) |
| name | string | The name of the Access policy. (example: Allow devs) |
| approval_groups | array | Administrators who can approve a temporary authentication request. (x-stainless-collection-type: set) |
| approval_required | boolean | Requires the user to request access from an administrator at the start of each session. |
| connection_rules | object | The rules that define how users may connect to targets secured by your application. (title: Connection Rules) |
| created_at | string (date-time) | (example: 2014-01-01T05:20:00.12345Z) |
| decision | string | The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action. (allow, deny, non_identity, bypass) (example: allow) |
| exclude | array | Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules. (x-stainless-collection-type: set) |
| include | array | Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules. (x-stainless-collection-type: set) |
| isolation_required | boolean | Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature. |
| mfa_config | object | Configures multi-factor authentication (MFA) settings. |
| precedence | integer | The order of execution for this policy. Must be unique for each policy within an app. |
| purpose_justification_prompt | string | A custom message that will appear on the purpose justification screen. (example: Please enter a justification for entering this protected domain.) |
| purpose_justification_required | boolean | Require users to enter a justification when they log in to the application. |
| require | array | Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules. (x-stainless-collection-type: set) |
| session_duration | string | The amount of time that tokens issued for the application will be valid. Must be in the format 300ms or 2h45m. Valid time units are: ns, us (or µs), ms, s, m, h. (default: 24h, example: 24h) |
| updated_at | string (date-time) | (example: 2014-01-01T05:20:00.12345Z) |
Methods
The following methods are available for this resource:
| Name | Accessible by | Required Params | Optional Params | Description |
|---|---|---|---|---|
| get_by_account | select | app_id, policy_id, account_id | | Fetches a single Access policy configured for an application. Returns both exclusively owned and reusable policies used by the application. |
| get_by_zone | select | app_id, policy_id, zone_id | | Fetches a single Access policy configured for an application. Returns both exclusively owned and reusable policies used by the application. |
| list_by_account | select | app_id, account_id | page, per_page | Lists Access policies configured for an application. Returns both exclusively scoped and reusable policies used by the application. |
| list_by_zone | select | app_id, zone_id | page, per_page | Lists Access policies configured for an application. Returns both exclusively scoped and reusable policies used by the application. |
| create_by_account | insert | app_id, account_id | | Creates a policy, applying exclusively to a single application, that defines the users or groups who can reach it. We recommend creating a reusable policy instead and subsequently referencing its ID in the application's 'policies' array. |
| create_by_zone | insert | app_id, zone_id | | Creates a policy, applying exclusively to a single application, that defines the users or groups who can reach it. We recommend creating a reusable policy instead and subsequently referencing its ID in the application's 'policies' array. |
| update_by_account | replace | app_id, policy_id, account_id | | Updates an Access policy specific to an application. To update a reusable policy, use the /account or zones/{account or zone_id}/policies/{uid} endpoint. |
| update_by_zone | replace | app_id, policy_id, zone_id | | Updates an Access policy specific to an application. To update a reusable policy, use the /account or zones/{account or zone_id}/policies/{uid} endpoint. |
| delete_by_account | delete | app_id, policy_id, account_id | | Deletes an Access policy specific to an application. To delete a reusable policy, use the /account or zones/{account or zone_id}/policies/{uid} endpoint. |
| delete_by_zone | delete | app_id, policy_id, zone_id | | Deletes an Access policy specific to an application. To delete a reusable policy, use the /account or zones/{account or zone_id}/policies/{uid} endpoint. |
Parameters
Parameters can be passed in the WHERE clause of a query. Check the Methods section to see which parameters are required or optional for each operation.
| Name | Datatype | Description |
|---|---|---|
| account_id | string | The Cloudflare account ID. |
| app_id | string | The Access application ID. |
| policy_id | string | The Access policy ID. |
| zone_id | string | The Cloudflare zone ID. |
| page | integer | |
| per_page | integer | |
SELECT examples
- get_by_account
- get_by_zone
- list_by_account
- list_by_zone
Fetches a single Access policy configured for an application. Returns both exclusively owned and reusable policies used by the application.
```sql
SELECT
    id,
    name,
    approval_groups,
    approval_required,
    connection_rules,
    created_at,
    decision,
    exclude,
    include,
    isolation_required,
    mfa_config,
    precedence,
    purpose_justification_prompt,
    purpose_justification_required,
    require,
    session_duration,
    updated_at
FROM cloudflare.zero_trust.apps_policies
WHERE app_id = '{{ app_id }}' -- required
    AND policy_id = '{{ policy_id }}' -- required
    AND account_id = '{{ account_id }}' -- required
;
```
Fetches a single Access policy configured for an application. Returns both exclusively owned and reusable policies used by the application.
```sql
SELECT
    id,
    name,
    approval_groups,
    approval_required,
    connection_rules,
    created_at,
    decision,
    exclude,
    include,
    isolation_required,
    mfa_config,
    precedence,
    purpose_justification_prompt,
    purpose_justification_required,
    require,
    session_duration,
    updated_at
FROM cloudflare.zero_trust.apps_policies
WHERE app_id = '{{ app_id }}' -- required
    AND policy_id = '{{ policy_id }}' -- required
    AND zone_id = '{{ zone_id }}' -- required
;
```
Lists Access policies configured for an application. Returns both exclusively scoped and reusable policies used by the application.
```sql
SELECT
    id,
    name,
    approval_groups,
    approval_required,
    connection_rules,
    created_at,
    decision,
    exclude,
    include,
    isolation_required,
    mfa_config,
    precedence,
    purpose_justification_prompt,
    purpose_justification_required,
    require,
    session_duration,
    updated_at
FROM cloudflare.zero_trust.apps_policies
WHERE app_id = '{{ app_id }}' -- required
    AND account_id = '{{ account_id }}' -- required
    AND page = '{{ page }}'
    AND per_page = '{{ per_page }}'
;
```
Lists Access policies configured for an application. Returns both exclusively scoped and reusable policies used by the application.
```sql
SELECT
    id,
    name,
    approval_groups,
    approval_required,
    connection_rules,
    created_at,
    decision,
    exclude,
    include,
    isolation_required,
    mfa_config,
    precedence,
    purpose_justification_prompt,
    purpose_justification_required,
    require,
    session_duration,
    updated_at
FROM cloudflare.zero_trust.apps_policies
WHERE app_id = '{{ app_id }}' -- required
    AND zone_id = '{{ zone_id }}' -- required
    AND page = '{{ page }}'
    AND per_page = '{{ per_page }}'
;
```
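A post-query check on the rows the list queries return, as an added example rather than part of the provider documentation: it parses `session_duration` in the format the Fields table describes and flags policies worth a second look. The sample rows, the `{"everyone": {}}` rule shape, JSON-text decoding of array/object columns, the 24h limit and the choice of conditions to flag are assumptions of this example.

```python
import json
import re

# Nanoseconds per unit, for the units the session_duration description lists.
_UNIT_NS = {"ns": 1, "us": 10**3, "µs": 10**3, "ms": 10**6,
            "s": 10**9, "m": 60 * 10**9, "h": 3600 * 10**9}
_TERM = re.compile(r"(\d+(?:\.\d+)?)(ns|us|µs|ms|s|m|h)")


def parse_duration(text):
    """Convert a duration such as '300ms' or '2h45m' to seconds."""
    pos, total_ns = 0, 0.0
    while pos < len(text):
        term = _TERM.match(text, pos)
        if term is None:
            raise ValueError(f"invalid session_duration: {text!r}")
        total_ns += float(term.group(1)) * _UNIT_NS[term.group(2)]
        pos = term.end()
    if pos == 0:
        raise ValueError("empty session_duration")
    return total_ns / 1e9


def _decoded(value, default):
    """Array/object columns may arrive as JSON text (assumption); decode them."""
    if value in (None, ""):
        return default
    return json.loads(value) if isinstance(value, str) else value


def audit_policies(rows, max_session_seconds=24 * 3600):
    """Return (policy name, finding) pairs for one application's policies."""
    findings, precedence_owner = [], {}
    for row in rows:
        name, decision = row["name"], row["decision"]
        include = _decoded(row.get("include"), [])
        require = _decoded(row.get("require"), [])
        mfa = _decoded(row.get("mfa_config"), {})
        if decision in ("bypass", "non_identity"):
            findings.append((name, f"decision is {decision!r}; confirm this exception is intended"))
        if decision == "allow" and not require and any("everyone" in r for r in include):
            findings.append((name, "allow for 'everyone' with no require rules"))
        if mfa.get("mfa_disabled"):
            findings.append((name, "mfa_config.mfa_disabled is true"))
        if parse_duration(row.get("session_duration") or "24h") > max_session_seconds:
            findings.append((name, f"session_duration {row['session_duration']} exceeds limit"))
        # The Fields table says precedence must be unique within an app.
        owner = precedence_owner.setdefault(row["precedence"], name)
        if owner != name:
            findings.append((name, f"precedence {row['precedence']} already used by {owner!r}"))
    return findings


# Constructed sample rows (not real data), shaped like the SELECT output above.
SAMPLE_ROWS = [
    {"name": "Allow devs", "decision": "allow", "precedence": 1,
     "include": [{"email_domain": {"domain": "example.com"}}], "require": [],
     "session_duration": "24h", "mfa_config": None},
    {"name": "Health checks", "decision": "bypass", "precedence": 2,
     "include": '[{"everyone": {}}]', "session_duration": "24h"},
    {"name": "Contractors", "decision": "allow", "precedence": 2,
     "include": [{"everyone": {}}], "require": [],
     "session_duration": "720h", "mfa_config": {"mfa_disabled": True}},
]

if __name__ == "__main__":
    for policy, finding in audit_policies(SAMPLE_ROWS):
        print(f"{policy}: {finding}")
```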
INSERT examples
- create_by_account
- create_by_zone
- Manifest
Creates a policy, applying exclusively to a single application, that defines the users or groups who can reach it. We recommend creating a reusable policy instead and subsequently referencing its ID in the application's 'policies' array.
```sql
INSERT INTO cloudflare.zero_trust.apps_policies (
    precedence,
    approval_groups,
    approval_required,
    connection_rules,
    isolation_required,
    mfa_config,
    purpose_justification_prompt,
    purpose_justification_required,
    session_duration,
    app_id,
    account_id
)
SELECT
    {{ precedence }},
    '{{ approval_groups }}',
    {{ approval_required }},
    '{{ connection_rules }}',
    {{ isolation_required }},
    '{{ mfa_config }}',
    '{{ purpose_justification_prompt }}',
    {{ purpose_justification_required }},
    '{{ session_duration }}',
    '{{ app_id }}',
    '{{ account_id }}'
RETURNING
    errors,
    messages,
    result,
    success
;
```
Creates a policy, applying exclusively to a single application, that defines the users or groups who can reach it. We recommend creating a reusable policy instead and subsequently referencing its ID in the application's 'policies' array.
```sql
INSERT INTO cloudflare.zero_trust.apps_policies (
    precedence,
    approval_groups,
    approval_required,
    connection_rules,
    isolation_required,
    mfa_config,
    purpose_justification_prompt,
    purpose_justification_required,
    session_duration,
    app_id,
    zone_id
)
SELECT
    {{ precedence }},
    '{{ approval_groups }}',
    {{ approval_required }},
    '{{ connection_rules }}',
    {{ isolation_required }},
    '{{ mfa_config }}',
    '{{ purpose_justification_prompt }}',
    {{ purpose_justification_required }},
    '{{ session_duration }}',
    '{{ app_id }}',
    '{{ zone_id }}'
RETURNING
    errors,
    messages,
    result,
    success
;
```
```yaml
# Description fields are for documentation purposes
- name: apps_policies
  props:
    - name: app_id
      value: "{{ app_id }}"
      description: Required parameter for the apps_policies resource.
    - name: account_id
      value: "{{ account_id }}"
      description: Required parameter for the apps_policies resource.
    - name: zone_id
      value: "{{ zone_id }}"
      description: Required parameter for the apps_policies resource.
    - name: precedence
      value: {{ precedence }}
      description: |
        The order of execution for this policy. Must be unique for each policy within an app.
    - name: approval_groups
      description: |
        Administrators who can approve a temporary authentication request.
      value:
        - approvals_needed: {{ approvals_needed }}
          email_addresses: "{{ email_addresses }}"
          email_list_uuid: "{{ email_list_uuid }}"
    - name: approval_required
      value: {{ approval_required }}
      description: |
        Requires the user to request access from an administrator at the start of each session.
    - name: connection_rules
      description: |
        The rules that define how users may connect to targets secured by your application.
      value:
        rdp:
          allowed_clipboard_local_to_remote_formats:
            - "{{ allowed_clipboard_local_to_remote_formats }}"
          allowed_clipboard_remote_to_local_formats:
            - "{{ allowed_clipboard_remote_to_local_formats }}"
    - name: isolation_required
      value: {{ isolation_required }}
      description: |
        Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature.
    - name: mfa_config
      description: |
        Configures multi-factor authentication (MFA) settings.
      value:
        allowed_authenticators:
          - "{{ allowed_authenticators }}"
        mfa_disabled: {{ mfa_disabled }}
        session_duration: "{{ session_duration }}"
    - name: purpose_justification_prompt
      value: "{{ purpose_justification_prompt }}"
      description: |
        A custom message that will appear on the purpose justification screen.
    - name: purpose_justification_required
      value: {{ purpose_justification_required }}
      description: |
        Require users to enter a justification when they log in to the application.
    - name: session_duration
      value: "{{ session_duration }}"
      description: |
        The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.
      default: 24h
```
REPLACE examples
- update_by_account
- update_by_zone
Updates an Access policy specific to an application. To update a reusable policy, use the /account or zones/{account or zone_id}/policies/{uid} endpoint.
```sql
REPLACE cloudflare.zero_trust.apps_policies
SET
    precedence = {{ precedence }},
    approval_groups = '{{ approval_groups }}',
    approval_required = {{ approval_required }},
    connection_rules = '{{ connection_rules }}',
    isolation_required = {{ isolation_required }},
    mfa_config = '{{ mfa_config }}',
    purpose_justification_prompt = '{{ purpose_justification_prompt }}',
    purpose_justification_required = {{ purpose_justification_required }},
    session_duration = '{{ session_duration }}'
WHERE
    app_id = '{{ app_id }}' --required
    AND policy_id = '{{ policy_id }}' --required
    AND account_id = '{{ account_id }}' --required
RETURNING
    errors,
    messages,
    result,
    success;
```
Updates an Access policy specific to an application. To update a reusable policy, use the /account or zones/{account or zone_id}/policies/{uid} endpoint.
```sql
REPLACE cloudflare.zero_trust.apps_policies
SET
    precedence = {{ precedence }},
    approval_groups = '{{ approval_groups }}',
    approval_required = {{ approval_required }},
    connection_rules = '{{ connection_rules }}',
    isolation_required = {{ isolation_required }},
    mfa_config = '{{ mfa_config }}',
    purpose_justification_prompt = '{{ purpose_justification_prompt }}',
    purpose_justification_required = {{ purpose_justification_required }},
    session_duration = '{{ session_duration }}'
WHERE
    app_id = '{{ app_id }}' --required
    AND policy_id = '{{ policy_id }}' --required
    AND zone_id = '{{ zone_id }}' --required
RETURNING
    errors,
    messages,
    result,
    success;
```
DELETE examples
- delete_by_account
- delete_by_zone
Deletes an Access policy specific to an application. To delete a reusable policy, use the /account or zones/{account or zone_id}/policies/{uid} endpoint.
```sql
DELETE FROM cloudflare.zero_trust.apps_policies
WHERE app_id = '{{ app_id }}' --required
    AND policy_id = '{{ policy_id }}' --required
    AND account_id = '{{ account_id }}' --required
;
```
Deletes an Access policy specific to an application. To delete a reusable policy, use the /account or zones/{account or zone_id}/policies/{uid} endpoint.
```sql
DELETE FROM cloudflare.zero_trust.apps_policies
WHERE app_id = '{{ app_id }}' --required
    AND policy_id = '{{ policy_id }}' --required
    AND zone_id = '{{ zone_id }}' --required
;
```