Stay organized with collections
Save and categorize content based on your preferences.
Access levels define various attributes that are used to filter
requests made to certain resources. The following table lists the
attributes supported by access levels and provides additional details
about each attribute.
When you create or modify an access level using the gcloud command-line tool, you must format
the attributes in YAML. This table includes the YAML syntax for each attribute,
and the valid values. Links to the REST and RPC reference information for each
attribute are also included.
Checks whether a request is coming from one or more IPv4 and/or
IPv6 CIDR blocks that you specify.
You cannot include private IP ranges for this attribute. For
example, 192.168.0.0/16 or
172.16.0.0/12.
When you specify more than one IP subnetwork, the values you enter are combined using an OR operator when the condition is evaluated. The request has to match any one of the values that you specify in order for the condition to evaluate to true.
YAML
ipSubnetworks
Valid values
A list of one or more IPv4 and/or IPv6 CIDR blocks.
Checks whether a request originated from a specific region.
Regions are identified by the corresponding
ISO
3166-1 alpha-2 codes.
When you specify more than one region, the values you enter are ORd when the condition is evaluated. Users are granted access if they are in one of the regions that you specify.
Checks whether a request is coming from a specific user or
service account.
This attribute can only be included in conditions when
creating or modifying an access level using the gcloud command-line tool or the
Access Context Manager API. If you created an access level using
Google Cloud console, either of the methods previously mentioned
can be used to add principals to that access level.
YAML
members
Valid values
A list of one or more user or service accounts, formatted as:
user: EMAIL
serviceAccount: EMAIL
Where:
EMAIL is the email that corresponds to the user
or service account that you want to include in the access
level.
Only certain device policy attributes can be used with mobile
devices. The Supports mobile devices row identifies
whether an attribute can be used with mobile devices.
Checks whether the device has been approved by a
an administrator.
Supports mobile devices
Yes
YAML
requireAdminApproval
Valid values
true
false
If omitted, defaults to false.
API reference
None
Require corp owned device
Description
Checks whether the device is owned by your
enterprise.
Supports mobile devices
Yes
YAML
requireCorpOwned
Valid values
true
false
If omitted, defaults to false.
API reference
None
OS policy
Description
Checks whether a device is using a specified operating
system. Additionally, you can specify a minimum
version of an OS that a device must be using.
If you create a Chrome OS policy, you can also specify
that it must be a
verified Chrome OS
.
When you select more than one operating system, the values you select are ORd when the condition is evaluated. Users are granted access if they have one of the operating systems that you specify.
Supports mobile devices
Yes
YAML
osConstraints
Valid values
osConstraints is a list that must include
one or more instances of osType.
osType can be paired with an instance of
minimumVersion, but
minimumVersion is not required.
osType must include a list of one or
more of the following values:
DESKTOP_MAC
DESKTOP_WINDOWS
DESKTOP_CHROME_OS
DESKTOP_LINUX
IOS
ANDROID
minimumVersion is optional. If used,
it must be included with osType.
minimumVersion must include a minimum
version formatted as MAJOR.MINOR.PATCH.
For example: 10.5.301.
If you specify DESKTOP_CHROME_OS for
osType, you can optionally include
requireVerifiedChromeOs.
Valid values for
requireVerifiedChromeOs are:
true
false
If you specify IOS or
ANDROID for
osType, you can optionally include
any device policy attribute that supports mobile
devices.
