This page details the objects and attributes that are used to build the Common Expression Language (CEL) expressions for custom access levels. Examples are included.
To learn more about CEL, see the CEL language definition.
Objects
Access Context Manager provides four objects that contain access level attributes.
Object | Description
---|---
origin | Contains attributes that identify the origin of the request.
request.auth | Contains attributes that identify authentication and authorization aspects of the request.
levels | Contains attributes to define dependency on other access levels.
device | Contains attributes that describe the device the request originated from.
origin attributes
This section lists the attributes supported by the origin object.
Attributes:
- ip
- region_code
request.auth attributes
This section lists the attributes supported by the request.auth object.
Attributes:
- principal
levels attribute
This section lists the attributes supported by the levels object.
Attributes:
- level name
device attributes
This section lists the attributes supported by the device object.
Attributes:
- encryption_status
- is_admin_approved_device
- is_corp_owned_device
- is_secured_with_screenlock
- os_type
- vendors
- verified_chrome_os
Functions
Access Context Manager provides the following functions for use in the CEL expressions for custom access levels.
Functions:
- inIpRange(address, [subnets])
- device.versionAtLeast(minVersion)
- certificateBindingState(origin, device)
Example CEL expressions
This section includes examples of CEL expressions used to create custom access levels.
Example 1
device.encryption_status == DeviceEncryptionStatus.ENCRYPTED && (origin.region_code in ["US"] || device.is_admin_approved_device)
This example represents an access level that requires the following conditions be met in order to allow a request:
- The device that the request originated from is encrypted.
- One or more of the following is true:
  - The request originated in the United States.
  - The device that the request originated from is approved by the domain administrator.
Example 2
(device.os_type == OsType.DESKTOP_WINDOWS && device.is_corp_owned_device) || (device.os_type == OsType.DESKTOP_MAC && device.is_admin_approved_device && device.versionAtLeast("10.11.0"))
This example represents an access level that requires the following conditions be met in order to allow a request:
- One of the following is true:
  - The device that the request originated from uses a desktop Windows operating system and is owned by your organization.
  - The device that the request originated from uses a desktop Mac operating system, is approved by the domain administrator, and is using at least MacOS 10.11.
Example 3
(certificateBindingState(origin, device) == CertificateBindingState.CERT_MATCHES_EXISTING_DEVICE)
This example represents an access level that requires the following condition be met in order to allow a request:
- The certificateBindingState extension function determines that the certificate presented at request time matches one of the device certificates that was registered when the device was enrolled in endpoint verification.
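A misspelled attribute in a custom access level is easy to miss in review and changes what the level allows. The following checker is an added example, not part of the Access Context Manager documentation: it scans an expression for references that are not among the objects, attributes and functions listed on this page (the enum type names are taken from the examples above, and the caller supplies the names of other access levels, since the page lists only "level name" for the levels object).

```python
import re

# Objects, attributes and functions exactly as listed on this page.
OBJECT_ATTRIBUTES = {
    "origin": {"ip", "region_code"},
    "request.auth": {"principal"},
    "device": {
        "encryption_status", "is_admin_approved_device", "is_corp_owned_device",
        "is_secured_with_screenlock", "os_type", "vendors", "verified_chrome_os",
    },
}
FUNCTIONS = {"inIpRange", "device.versionAtLeast", "certificateBindingState"}
# Enum types as they appear in the page's example expressions.
ENUM_TYPES = {"DeviceEncryptionStatus", "OsType", "CertificateBindingState"}
KEYWORDS = {"true", "false", "null", "in"}

_STRING_LITERAL = re.compile(r'"[^"]*"')
_REFERENCE = re.compile(r"[A-Za-z_]\w*(?:\.[A-Za-z_]\w*)*")


def check_expression(expr, known_levels=()):
    """Return a list of unknown references found in a custom access level expression.

    known_levels: names of other access levels in your policy that may be
    referenced through the levels object (e.g. levels.<level name>).
    """
    problems = []
    # Blank out string literals so values like "US" or "10.11.0" are not scanned.
    scan = _STRING_LITERAL.sub('""', expr)
    for match in _REFERENCE.finditer(scan):
        ref = match.group(0)
        if ref in KEYWORDS or ref in FUNCTIONS or ref in OBJECT_ATTRIBUTES:
            continue  # keyword, function, or a bare object passed as an argument
        head, _, tail = ref.partition(".")
        if head in ENUM_TYPES and tail and "." not in tail:
            continue  # enum constant such as OsType.DESKTOP_WINDOWS
        if ref.startswith("request.auth."):
            head, tail = "request.auth", ref[len("request.auth."):]
        if head == "levels":
            if tail not in known_levels:
                problems.append(f"unknown access level: {ref}")
        elif head in OBJECT_ATTRIBUTES:
            if tail not in OBJECT_ATTRIBUTES[head]:
                problems.append(f"unknown attribute: {ref}")
        else:
            problems.append(f"unknown identifier: {ref}")
    return problems


if __name__ == "__main__":
    # Constructed input: Example 1 from this page with one attribute misspelled.
    print(check_expression('device.encrypton_status == DeviceEncryptionStatus.ENCRYPTED'))
```

The check is purely lexical; it does not evaluate the expression or validate enum values, so run it as a pre-commit gate alongside a real deployment test of the level.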