Create and assign custom access levels using Tanium data

This document shows you how to create device-based custom access levels using Tanium data and assign those access levels to your organizational resources.

Before you begin

  1. Set up BeyondCorp Enterprise and Tanium integration.
  2. Ensure that you have one of the following Identity and Access Management roles:
    • Access Context Manager Admin (roles/accesscontextmanager.policyAdmin)
    • Access Context Manager Editor (roles/accesscontextmanager.policyEditor)
  3. Understand the objects and attributes that are used to the build the Common Expression Language (CEL) expressions for custom access levels. For details, see Custom access level specification.

Create custom access levels

You can create access levels with one or more conditions. If you want the users' devices to satisfy multiple conditions (a logical AND of conditions), create an access level that contains all the required conditions.

To create a new custom access level using the data provided by Tanium, do the following:

  1. Go to the Access Context Manager page in the Cloud Console.

    Go to Access Context Manager
  2. If you are prompted, select your organization.
  3. On the Access Context Manager page, click New.
  4. In the New Access Level pane, enter the following:
    1. In the Access level title field, enter a title for the access level. The title must be at most 50 characters, start with a letter, and can contain only numbers, letters, underscores, and spaces.
    2. In the Create Conditions in section, select Advanced Mode.
    3. In the Conditions section, enter the expressions for your custom access level. The condition must resolve to a single boolean value.

      To find the available Tanium fields for your CEL expression, you can review the Tanium data collected for your devices.

      The following CEL expression creates a rule that allows access only from Tanium-managed devices with no high severity vulnerabilities on the most recent Comply scans:

      device.vendors["Tanium"].is_managed_device == true && device.vendors["Tanium"].data["vulnerabilities.countHigh"] == 0.0
      For examples and more information about Common Expression Language (CEL) support and custom access levels, see the Custom access level specification.
    4. Click Save.

Assign custom access levels

You can assign custom access levels to control access to applications. These applications include Google Workspace apps and the applications that are protected by Identity-Aware Proxy on Google Cloud (also known as IAP-secured resource). You can assign one or more access levels for the apps. If you select multiple access levels, users' devices only need to satisfy the conditions in one of the access levels to be granted access to the app.

Assign custom access levels for Google Workspace applications

Assign custom access levels for Google Workspace applications from the Google Workspace Admin console:

  1. From the Admin console Home page, go to Security > Context-Aware Access.

    Go to Context-Aware Access
  2. Click Assign access levels.

    You see a list of apps.

  3. In the Organizational units section, select your organizational unit or group.
  4. Select the app for which you want to assign an access level, and click Assign.

    access level assign

    You see a list of all access levels. Access levels are a shared resource between Google Workspace, Cloud Identity, and Google Cloud so you might see access levels you didn't create in the list.

  5. Select one or more access levels for the app.
  6. To apply the access levels to users on desktop and mobile apps (and on the browser), select Apply to Google desktop and mobile apps. This checkbox applies to built-in apps only.
  7. Click Save, and then click Assign. The access level name displays in the assigned access levels list next to the app.

Assign custom access levels for IAP-secured resources

To assign custom access levels for IAP-secured resources from the Google Cloud Console, follow the instructions in Applying an access level for IAP-secured resources.