Managing access levels

This page describes how to manage existing access levels. You can list, describe, update, and delete access levels.

Before you begin

List access levels

Console

To list all access levels, open the Access Context Manager page in the Cloud Console and then, if prompted, select your organization. Your organization's access levels are displayed in a grid on the page, including details about the configuration of each access level.

gcloud

To list all access levels, use the list command.

gcloud access-context-manager levels list --policy=POLICY_NAME

Where:

  • POLICY_NAME is the name of your organization's access policy.

The output will look something like:

NAME             TITLE                  LEVEL_TYPE
Device_Trust     Device_Trust Extended  Basic
Service_Group_A  Service_Group_A        Basic

API

To list all the access levels for a policy, call accessLevels.list.

GET https://accesscontextmanager.googleapis.com/v1alpha/accessPolicies/POLICY_NAME/accessLevels

Where:

  • POLICY_NAME is the name of your organization's access policy.

Request body

The request body must be empty.

Optional parameters

Optionally, include one or more of the following query parameters.

  • pageSize (number): By default, the list of access levels returned by accessLevels.list is paginated. Each page is limited to 100 access levels. You can use this parameter to modify the number of access levels that are returned per page.

  • pageToken (string): If the number of access levels returned by your call exceeded the page size, the response body will include a page token. You can use this parameter in a subsequent call to obtain the next page of results.

  • accessLevelFormat (enum(LevelFormat)): Normally, access levels are returned as they are defined, either as BasicLevel or CustomLevel. You can specify the value CEL for this parameter to return BasicLevels as CustomLevels in Cloud Common Expression Language.

Response body

If successful, the response body for the call contains an AccessLevels object that lists the access levels, and a nextPageToken string. nextPageToken only has a value if the number of access levels returned exceeds the page size. Otherwise, nextPageToken is returned as an empty string.

Describe an access level

Console

Using Cloud Console, refer to the steps to list access levels. When you list your access levels, details are provided in the grid that appears.

gcloud

Listing access levels only provides their name, title, and level type. To get detailed information about what a level actually does, use the describe command.

gcloud access-context-manager levels describe LEVEL_NAME \
    --policy=POLICY_NAME

Where:

  • LEVEL_NAME is the name of the access level you want to describe.

  • POLICY_NAME is the name of your organization's access policy.

The command will print information about the level formatted as YAML. For example, if the level restricted access to certain operating system versions, the output might look something like:

basic:
  conditions:
  - devicePolicy:
      allowedEncryptionStatuses:
      - ENCRYPTED
      osConstraints:
      - minimumVersion: 10.13.6
        osType: DESKTOP_MAC
      - minimumVersion: 10.0.18219
        osType: DESKTOP_WINDOWS
      - minimumVersion: 68.0.3440
        osType: DESKTOP_CHROME_OS
      requireScreenlock: true
name: accessPolicies/330193482019/accessLevels/Device_Trust
title: Device_Trust Extended
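
As an added example (not code from the Access Context Manager documentation), the following Python pages through accessLevels.list by following nextPageToken until it comes back as an empty string, as described under List access levels above, and then audits each BasicLevel's devicePolicy against the kind of conditions shown in the Device_Trust output. It assumes a hypothetical fetch_page(params) helper that performs the authenticated GET and returns the decoded JSON body, the BasicLevel combiningFunction field (values AND or OR, matching the combine-function option), and constructed in-memory responses so that it runs offline.

```python
# Added example. fetch_page(params) is a hypothetical helper that performs the
# GET against accessLevels.list with the given query parameters and returns
# the decoded JSON body; fake_fetch below stands in for it offline.
def iter_access_levels(fetch_page, page_size=100):
    """Yield every AccessLevel, following nextPageToken until it is ''."""
    token = ""
    while True:
        params = {"pageSize": page_size}
        if token:
            params["pageToken"] = token
        body = fetch_page(params)
        yield from body.get("accessLevels", [])
        token = body.get("nextPageToken", "")
        if not token:  # an empty string marks the final page
            return

def audit_device_policy(level):
    """Flag devicePolicy conditions weaker than the Device_Trust level above."""
    findings, basic, name = [], level.get("basic"), level.get("name", "?")
    if basic is None:  # CustomLevel (CEL); not audited here
        return findings
    if basic.get("combiningFunction") == "OR":  # assumed BasicLevel field name
        findings.append(f"{name}: conditions are ORed, one weak condition grants access")
    for i, cond in enumerate(basic.get("conditions", [])):
        dp = cond.get("devicePolicy")
        if dp is None:  # e.g. an IP-based condition; out of scope here
            continue
        if dp.get("requireScreenlock") is not True:
            findings.append(f"{name} condition {i}: requireScreenlock not enforced")
        if dp.get("allowedEncryptionStatuses") != ["ENCRYPTED"]:
            findings.append(f"{name} condition {i}: allows non-ENCRYPTED devices")
        for oc in dp.get("osConstraints", []):
            if "minimumVersion" not in oc:
                findings.append(f"{name} condition {i}: {oc.get('osType')} has no minimumVersion")
    return findings

# Constructed sample responses: two pages, the first mirroring the YAML above.
SAMPLE_PAGES = [
    {"accessLevels": [{"name": "accessPolicies/330193482019/accessLevels/Device_Trust",
        "basic": {"conditions": [{"devicePolicy": {"allowedEncryptionStatuses": ["ENCRYPTED"],
            "osConstraints": [{"minimumVersion": "10.13.6", "osType": "DESKTOP_MAC"}],
            "requireScreenlock": True}}]}}], "nextPageToken": "page-2"},
    {"accessLevels": [{"name": "accessPolicies/330193482019/accessLevels/Service_Group_A",
        "basic": {"combiningFunction": "OR", "conditions": [{"devicePolicy": {
            "osConstraints": [{"osType": "DESKTOP_WINDOWS"}]}}]}}], "nextPageToken": ""},
]

def fake_fetch(params):
    """Offline stand-in for the HTTP GET: the pageToken selects the page."""
    return SAMPLE_PAGES[1] if params.get("pageToken") == "page-2" else SAMPLE_PAGES[0]

def audit_all(fetch_page=fake_fetch):
    return [f for lvl in iter_access_levels(fetch_page) for f in audit_device_policy(lvl)]
```

Replacing fake_fetch with a real authenticated client turns audit_all into a periodic check that every device-based level still enforces screenlock, encryption and OS minimums.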

API

Listing access levels only provides the name, title, and type of the levels. To get detailed information about an access level, call accessLevels.get.

GET https://accesscontextmanager.googleapis.com/v1alpha/accessPolicies/POLICY_NAME/accessLevels/LEVEL_NAME

Where:

  • POLICY_NAME is the name of your organization's access policy.

  • LEVEL_NAME is the name of the access level you want to describe.

Request body

The request body must be empty.

Optional parameters

Optionally, include the accessLevelFormat query parameter. Normally, access levels are returned as they are defined, either as BasicLevel or CustomLevel.

You can specify the value CEL for this parameter to return BasicLevels as CustomLevels in Cloud Common Expression Language.

Response body

If successful, the response body for the call contains an AccessLevel resource that includes details about what the access level does, the last time the level was updated, and more.

Update an access level

Console

To update an access level:

  1. Open the Access Context Manager page in the Cloud Console.

  2. If you are prompted, select your organization.

  3. In the grid, click the name of the access level that you want to update.

  4. In the Edit Access Level pane, make changes to the access level.

    For a complete list of the attributes that you can add or modify, read about access level attributes.

  5. Click Save.

    In addition to updating or removing any existing conditions, you can add new conditions and add new attributes to existing conditions.

gcloud

Use the update command to update an access level.

gcloud access-context-manager levels update LEVEL_NAME \
    --basic-level-spec=FILE \
    --policy=POLICY_NAME

Where:

  • LEVEL_NAME is the name of the access level that you want to update.

  • FILE is the name of a .yaml file that defines the conditions for the access level.

    For a complete list of the attributes that you can use in your conditions, read about access level attributes.

  • POLICY_NAME is the name of your organization's access policy.

  • You can include one or more of the following options:

    • combine-function: Determines how conditions are combined. Valid values: AND, OR

    • description: A long-form description of the access level.

    • title: A short title for the access level. The access level's title is displayed in the Cloud Console.

    You can include any of the gcloud-wide flags.

Example command

gcloud access-context-manager levels update Device_Trust \
    --basic-level-spec=corpdevspec.yaml \
    --combine-function=OR \
    --description='Access level that conforms to updated corporate spec.' \
    --title='Device_Trust Extended' \
    --policy=1034095178592

API

To update an access level, call accessLevels.patch.

PATCH https://accesscontextmanager.googleapis.com/v1/accessPolicies/POLICY_NAME/accessLevels/LEVEL_NAME?updateMask=FIELDS

Where:

  • POLICY_NAME is the name of your organization's access policy.

  • LEVEL_NAME is the name of the access level you want to update.

  • FIELDS is a comma-separated list of fully-qualified field names that you are updating.

Request body

The request body must include an AccessLevel resource that specifies the changes you want to make to the access level.

Response body

If successful, the response body for the call contains an Operation resource that provides details about the patch operation.

Delete an access level

Console

To delete an access level:

  1. Open the Access Context Manager page in the Cloud Console.

  2. If you are prompted, select your organization.

  3. In the grid, in the row for the access level that you want to delete, click the button.

  4. Click Delete.

  5. In the dialog box that appears, confirm that you want to delete the access level.

gcloud

To delete an access level:

  1. Use the delete command to delete an access level.

    gcloud access-context-manager levels delete LEVEL_NAME \
        --policy=POLICY_NAME

    Where:

    • LEVEL_NAME is the name of the access level that you want to delete.

    • POLICY_NAME is the name of your organization's access policy.

  2. Confirm that you want to delete the access level.

    For example:

    You are about to delete level Device_Trust

    Do you want to continue (Y/n)?

    You should see output similar to the following:

    Waiting for operation [accessPolicies/330193482019/accessLevels/Device_Trust/delete/1531171874311645] to complete...done.
    Deleted level [Device_Trust].

API

To delete an access level, call accessLevels.delete.

DELETE https://accesscontextmanager.googleapis.com/v1alpha/accessPolicies/POLICY_NAME/accessLevels/LEVEL_NAME

Where:

  • POLICY_NAME is the name of your organization's access policy.

  • LEVEL_NAME is the name of the access level you want to delete.

Request body

The request body must be empty.

Response body

If successful, the response body for the call contains an Operation resource that provides details about the delete operation.