Creating a custom access level

After a custom access level is created, it can be managed in the same manner as basic access levels.

For details about building Common Expression Language (CEL) expressions for custom access levels, refer to the custom access level specification.

Console

To create a custom access level:

  1. Open the Access Context Manager page in the Cloud Console.

    Open the Access Context Manager page

  2. If you are prompted, select your organization.

  3. At the top of the Access Context Manager page, click New.

  4. In the New Access Level pane:

    1. In the Access level title box, enter a title for the access level. The title must be at most 50 characters, start with a letter, and can contain only numbers, letters, underscores, and spaces.

    2. Following Create Conditions in, select Advanced Mode.

    3. In the Conditions section, enter the expressions for your custom access level. The condition must resolve to a single boolean value.

      For examples and more information about Common Expression Language (CEL) support and custom access levels, see the Custom access level specification.

    4. Click Save.

gcloud

Before you begin

To create a custom access level using the gcloud command-line tool, use the gcloud access-context-manager levels create command.

gcloud access-context-manager levels create LEVEL_NAME \
  --title=TITLE \
  --custom-level-spec=FILE \
  --description=DESCRIPTION \
  --policy=POLICY_NAME

Where:

  • LEVEL_NAME is a unique name for the access level. It must begin with a letter and include only letters, numbers, and underscores. The name can be a maximum of 50 characters.

  • TITLE is the short, human-readable title for the access level.

  • FILE is a .yaml file that contains your CEL expression formatted as a single key-value pair: expression: "CEL_EXPRESSION".

    For examples and more information about Common Expression Language (CEL) support and custom access levels, see the Custom access level specification.

  • DESCRIPTION (optional) is a human-readable description of the access level.

  • POLICY_NAME is the numeric name of your organization's access policy.

Optionally, you can include any of the gcloud-wide flags.

custom-level-spec .yaml file

When you use the gcloud command-line tool to create a custom access level, you must provide a .yaml file for the custom-level-spec option. The .yaml file defines a CEL expression that resolves to a single boolean value. The .yaml file must contain a single key-value pair formatted as expression: "CEL_EXPRESSION". The value for expression must be a string.

Example .yaml file

expression: "device.encryption_status == DeviceEncryptionStatus.ENCRYPTED && (origin.region_code in ['US'] || device.is_admin_approved_device)"

Example command

gcloud access-context-manager levels create Custom_Trust \
    --custom-level-spec=customspec.yaml \
    --description="Custom access level for corp." \
    --title="Custom Trust Level"

REST

Before you begin

To create a custom access level, use the accessPolicies.accessLevels.create method.

Request body

In the request body for the call, include an instance of the AccessLevel object.

{
  "name": string,
  "title": string,
  "description": string,
  "custom": {
    "expr": {
      "expression": string,
      "title": string,
      "description": string
    }
  }
}

For the custom field, create an object that includes the CEL expressions for your custom access level. The complete expression must resolve to a boolean value. The title and description fields are optional.

Example

{
  "name": "example_custom_level",
  "title": "Example custom level",
  "description": "An example custom access level.",
  "custom":  {
    "expr": {
      "expression": "device.is_corp_owned == true || (device.os_type != OsType.OS_UNSPECIFIED && device.is_admin_approved_device == true)",
      "title": "Check for known devices",
      "description": "Permits requests from corp-owned devices and admin-approved devices with a known OS."
    }
  }
}

RPC

Before you begin

To create a custom access level, call CreateAccessLevel.

For the access_level field, include an instance of AccessLevel.

Fields
name
Type string
Description

Required.

The resource name for the access level. The POLICY_ID is the numeric name of your Organization's access policy. The SHORT_NAME must begin with a letter, and include only letters, numbers, and underscores.

Format:

                accessPolicies/policy_id/accessLevels/short_name
                

title
Type string
Description

A human-readable label for the access level. Access levels must have unique names.

description
Type string
Description

A description of the access level.

custom
Type string
Description

The CEL expressions for your custom access level. The complete expression must resolve to a boolean value.