Access level attributes

Access levels define various attributes that are used to filter requests made to certain resources. The following table lists the attributes supported by access levels and provides additional details about each attribute.

When you create or modify an access level using the gcloud command-line tool, you must format the attributes in YAML. This table includes the YAML syntax for each attribute, and the valid values. Links to the REST and RPC reference information for each attribute are also included.

For more information about access levels and YAML, refer to the example YAML for an access level.

You can include the following attributes in your access level:

IP subnetworks
Regions
Access level dependency
Principals
Device policy

Attributes

IP subnetworks

Description	Checks whether a request is coming from one or more IPv4 and/or IPv6 CIDR blocks that you specify. You cannot include private IP ranges for this attribute. For example, `192.168.0.0/16` or `172.16.0.0/12`.
YAML	`ipSubnetworks`
Valid values	A list of one or more IPv4 and/or IPv6 CIDR blocks.
API reference	`REST` `RPC`

Regions

Description	Checks whether a request originated from a specific region. Regions are identified by the corresponding ISO 3166-1 alpha-2 codes. Caution: The origin of a request is determined by the geolocation of the IP address that the request originated from. Because of this, the region attribute only works for requests that originate from a public IP address. Because private IP addresses cannot be geolocated, access levels that require a region will always deny requests from private IP addresses and do not support requests made using Private Google Access.
YAML	`regions`
Valid values	A list of one or more ISO 3166-1 alpha-2 codes.
API reference	None

Access level dependency

Description	Checks whether a request meets the criteria of one or more access levels.
YAML	`requiredAccessLevels`
Valid values	A list of one or more existing access levels formatted as: `accessPolicies/POLICY-NAME/accessLevels/LEVEL-NAME` Where: `POLICY-NAME` is the numeric name of your Organization's access policy. `LEVEL-NAME` is the name of the access level that you want to add as a dependency.
API reference	`REST` `RPC`

Principals

Description	Checks whether a request is coming from a specific user or service account. This attribute can only be included in conditions when creating or modifying an access level using the `gcloud` command-line tool or the Access Context Manager API. If you created an access level using Google Cloud Console, either of the methods previously mentioned can be used to add principals to that access level.
YAML	`members`
Valid values	A list of one or more user or service accounts, formatted as: `user: EMAIL` `serviceAccount: EMAIL` Where: `EMAIL` is the email that corresponds to the user or service account that you want to include in the access level. Groups are not supported.
API reference	`REST` `RPC`

Device policy

Requirements

To use the device policy attributes with mobile devices, you must configure MDM for your organization.

To use the device policy attributes with other devices, Endpoint Verification must be enabled.

Description

A device policy is a collection of attributes that are used to filter requests based on information about the device where the request originated.

For example, device policy attributes are used in conjunction with Identity-Aware Proxy to support context-aware access.

YAML devicePolicy

Valid values

devicePolicy is a list of one or more device policy attributes. The following attributes are supported:

Require screen lock
Storage encryption
Require admin approval
Require corp owned device
OS policy

Only certain device policy attributes can be used with mobile devices. The Supports mobile devices row identifies whether an attribute can be used with mobile devices.

API reference

REST
RPC

Device policy attributes

Require screen lock

Description	Checks if a device has screen lock enabled.
Supports mobile devices	Yes
YAML	`requireScreenlock`
Valid values	`true` `false` If omitted, defaults to `false`.
API reference	`REST` `RPC`

Storage encryption

Description	Checks whether the device is encrypted, not encrypted, or does not support storage encryption.
Supports mobile devices	Yes Important: For an iOS device to satisfy the the storage encryption attribute, screen lock must be enabled on the device.
YAML	`allowedEncryptionStatuses`
Valid values	One or more of the following values: `ENCRYPTION_UNSUPPORTED` `ENCRYPTED` `UNENCRYPTED`
API reference	`REST` `RPC`

Require admin approval

Description	Checks whether the device has been approved by a an administrator.
Supports mobile devices	Yes
YAML	`requireAdminApproval`
Valid values	`true` `false` If omitted, defaults to `false`.
API reference	None

Require corp owned device

Description	Checks whether the device is owned by your enterprise.
Supports mobile devices	Yes
YAML	`requireCorpOwned`
Valid values	`true` `false` If omitted, defaults to `false`.
API reference	None

OS policy

Description	Checks whether a device is using a specified operating system. Additionally, you can specify a minimum version of an OS that a device must be using. If you create a Chrome OS policy, you can also specify that it must be a verified Chrome OS .
Supports mobile devices	Yes
YAML	`osConstraints`
Valid values	`osConstraints` is a list that must include one or more instances of `osType`. `osType` can be paired with an instance of `minimumVersion`, but `minimumVersion` is not required. `osType` must include a list of one or more of the following values: `DESKTOP_MAC` `DESKTOP_WINDOWS` `DESKTOP_CHROME_OS` `IOS` `ANDROID` `minimumVersion` is optional. If used, it must be included with `osType`. `minimumVersion` must include a minimum version formatted as `MAJOR.MINOR.PATCH`. For example: 10.5.301. If you specify `DESKTOP_CHROME_OS` for `osType`, you can optionally include `requireVerifiedChromeOs`. Valid values for `requireVerifiedChromeOs` are: `true` `false` If you specify `IOS` or `ANDROID` for `osType`, you can optionally include any device policy attribute that supports mobile devices.
API reference	`REST` `RPC`