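The following example includes all attributes that can be specified when you create a .yaml file for an access level. A .yaml file is only necessary if you are creating or modifying an access level using the gcloud command-line tool.
Although you can include identities in the members attribute, doing so is not recommended. See identities in Ingress and egress rules for how to allow perimeters to communicate with each other.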
```yaml
# Attributes can be included in any order in the condition
- devicePolicy:
    # Must include at least one of the following:
    allowedEncryptionStatuses:
      # Must include at least one of the following:
      - ENCRYPTION_UNSUPPORTED
      - ENCRYPTED
      - UNENCRYPTED
    osConstraints:
      # Must include at least one of the following:
      - osType: DESKTOP_CHROME_OS
        minimumVersion: 11316.165.0
        # minimumVersion must be formatted as x.x.x
        requireVerifiedChromeOs: true
      - osType: DESKTOP_MAC
      - osType: DESKTOP_WINDOWS
      # minimumVersion is not required
    requireScreenlock: true
    # requireScreenlock defaults to false if not included
    requireAdminApproval: true
    # requireAdminApproval defaults to false if not included
    requireCorpOwned: true
    # requireCorpOwned defaults to false if not included
  ipSubnetworks:
    # Must include one or more IPv4 and IPv6 CIDRs
    - 252.0.2.0/24
    - 2001:db8::/32
  regions:
    # Must include one or more regions as ISO 3166-1 alpha-2 codes
    - US
    - CH
    - SG
  requiredAccessLevels:
    # Must include one or more existing access levels
    # Must be formatted as accessPolicies/policy-name/accessLevels/level-name
    - accessPolicies/247332951433/accessLevels/Device_Trust
  members:
    # Must include one or more valid IAM users or service accounts
    - user:exampleuser@example.com
    - serviceAccount:exampleaccount@example.iam.gserviceaccount.com
  negate: true
  # negate is not required and can only be included with other attributes
  # If negate is included, none of the attributes included in the condition
  # can be true for the condition to be met.

# You can include more than one condition in the .yaml file
- ipSubnetworks:
    - 176.0.2.0/24
```
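The rules stated in the comments of the example can be checked before the file is handed to gcloud. The following pre-flight lint is an added example, not part of the original page or of any Google tooling; `lint_condition`, its messages and the sample conditions are assumptions made for illustration, and it works on conditions already parsed into dictionaries.

```python
import ipaddress
import re

ATTRS = {"devicePolicy", "ipSubnetworks", "regions", "requiredAccessLevels", "members"}
ENCRYPTION = {"ENCRYPTION_UNSUPPORTED", "ENCRYPTED", "UNENCRYPTED"}
LEVEL_RE = re.compile(r"accessPolicies/[^/]+/accessLevels/[^/]+")

def lint_condition(cond):
    """Return findings for one condition (a dict), using the rules in the example's comments."""
    out = []
    if not ATTRS & cond.keys():
        out.append("condition must include at least one attribute (negate does not count)")
    for cidr in cond.get("ipSubnetworks", []):
        try:
            ipaddress.ip_network(cidr)  # accepts both IPv4 and IPv6 CIDRs
        except ValueError:
            out.append(f"ipSubnetworks: {cidr!r} is not a valid CIDR")
    for region in cond.get("regions", []):
        if not re.fullmatch(r"[A-Z]{2}", str(region)):
            out.append(f"regions: {region!r} is not an alpha-2 code")
    for level in cond.get("requiredAccessLevels", []):
        if not LEVEL_RE.fullmatch(level):
            out.append(f"requiredAccessLevels: {level!r} is not a full resource name")
    for member in cond.get("members", []):
        if not member.startswith(("user:", "serviceAccount:")):
            out.append(f"members: {member!r} is not a user or service account")
    if "members" in cond:
        out.append("members: identities in an access level are not recommended")
    if "devicePolicy" in cond:
        policy = cond["devicePolicy"] or {}
        if not policy:
            out.append("devicePolicy: must include at least one attribute")
        for status in policy.get("allowedEncryptionStatuses", []):
            if status not in ENCRYPTION:
                out.append(f"devicePolicy: unknown encryption status {status!r}")
        for os_c in policy.get("osConstraints", []):
            version = os_c.get("minimumVersion")
            if version is not None and not re.fullmatch(r"\d+\.\d+\.\d+", str(version)):
                out.append(f"devicePolicy: minimumVersion {version!r} is not x.x.x")
    return out

# Constructed sample: the last two conditions are deliberately malformed.
SAMPLE = [
    {"ipSubnetworks": ["176.0.2.0/24"], "regions": ["US", "CH"]},
    {"negate": True},
    {"ipSubnetworks": ["176.0.2.0/33"], "regions": ["USA"],
     "devicePolicy": {"osConstraints": [{"osType": "DESKTOP_MAC", "minimumVersion": 11316.165}]}},
]
print([lint_condition(c) or "ok" for c in SAMPLE])
```

A two-part version such as `11316.165` is parsed by YAML as a float rather than a string, which is why the version check converts the value to text before matching.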
Note: Conditions must include at least one attribute. If they contain more than one attribute, the attributes can be combined as an AND operation (all must be true) or as a NAND operation (none can be true) to determine whether the condition is met. You can use any combination of attributes required for your use case. The comments provided for these attributes apply only if you include the attribute in your .yaml file.

Last updated: 2025-09-04 (UTC)