Creating a device-based access level

This page shows how to create device-based access levels using Access Context Manager.

To learn how to apply access levels on Identity-Aware Proxy (IAP)-secured resources, see the Context-Aware Access documentation.

Overview

An access level is a set of attributes assigned to requests based on their origin. Using information such as device type, you can designate what level of access to grant. For example, you might assign a "High_Trust" level to devices with encrypted drives and a "Medium_Trust" level to devices that only have a screen lock.

Device information is gathered and referenced by access levels once you set up Endpoint Verification.

An access level is enforced by adding it as a Cloud IAM condition on your IAP-secured resource. This process is part of the Context-Aware Access approach to securing apps and resources.

For more information, see the Access Context Manager overview.

Before you begin

  • You must be granted one of the following roles:

    • Access Context Manager Admin
    • Access Context Manager Editor
    • Access Context Manager Reader
  • Set up Endpoint Verification.

Creating an access level

The following process creates a device-based access level.

For this example, assume you want to create an access level that allows users to access your resource only if they have encrypted device storage.

Console

  1. Go to the Access Context Manager page in the Cloud Console.

  2. If you are prompted, select your organization.

  3. At the top of the Access Context Manager page, click New.

  4. In the New Access Level pane, in the Conditions section, click Add attribute and then click Device Policy.

  5. Click the Storage encryption drop-down and select Encrypted. Note that this rule will only work once you set up Endpoint Verification on your employees' devices.

  6. Click Save.

gcloud

  1. Create a .yaml file for an access level that includes device policy attributes.

    In this example, to limit access to only users with encrypted device storage, you would enter the following in the .yaml file:

    - devicePolicy:
        allowedEncryptionStatuses:
          - ENCRYPTED

    For a list of device policy access level attributes and their YAML format, see Device policy attributes. See this example access level YAML file for a comprehensive YAML file of all possible attributes.

    Note that the devicePolicy rule only works once you set up Endpoint Verification on your employees' devices.

  2. Save the file. In this example, the file is named CONDITIONS.yaml.

  3. Create the access level.

    gcloud access-context-manager levels create NAME \
       --title TITLE \
       --basic-level-spec CONDITIONS.yaml \
       --policy=POLICY_NAME
    

    Where:

    • NAME is the unique name for the access level. It must begin with a letter and include only letters, numbers, and underscores.

    • TITLE is a human-readable title. It must be unique to the policy.

    • POLICY_NAME is the name of your organization's access policy.

    You should see output similar to:

    Create request issued for: NAME
    Waiting for operation [accessPolicies/POLICY_NAME/accessLevels/NAME/create/1521594488380943] to complete...done.
    Created level NAME.
    

API

  1. Craft a request body to create an AccessLevel resource.

    In this example, to limit access to only users with encrypted device storage, you would use the following request body:

    {
      "name": "NAME",
      "title": "TITLE",
      "basic": {
        "conditions": [
          {
            "devicePolicy": {
              "allowedEncryptionStatuses": [
                "ENCRYPTED"
              ]
            }
          }
        ]
      }
    }

    Where:

    • NAME is the unique name for the access level. It must begin with a letter and include only letters, numbers, and underscores.

    • TITLE is a human-readable title. It must be unique to the policy.

    For a list of device policy access level attributes and their YAML format, see Device policy attributes. See this example access level YAML file for a comprehensive YAML file of all possible attributes.

  2. Create the access level by calling accessLevels.create.

    POST https://accesscontextmanager.googleapis.com/v1/accessPolicies/POLICY_NAME/accessLevels
    

    Where:

    • POLICY_NAME is the name of your organization's access policy.
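The following Python helper is an added example, not code from the Access Context Manager documentation. It builds the accessLevels.create request body shown above, enforces the NAME rule, renders the same device policy in the gcloud --basic-level-spec YAML shape, and checks whether a level really restricts access to encrypted devices (an allow-list that also contains UNENCRYPTED enforces nothing). The enum values other than ENCRYPTED are assumed from the API's DeviceEncryptionStatus enum.

```python
import re

# Name rule from the page: begins with a letter, then only letters, digits, underscores.
NAME_RE = re.compile(r"^[A-Za-z][A-Za-z0-9_]*$")

# Assumption: the API's DeviceEncryptionStatus enum; the page itself only uses ENCRYPTED.
ENCRYPTION_STATUSES = {"ENCRYPTION_UNSPECIFIED", "ENCRYPTION_UNSUPPORTED",
                       "UNENCRYPTED", "ENCRYPTED"}


def validate_device_policy(device_policy):
    """devicePolicy is a JSON object; allowedEncryptionStatuses entries must be defined."""
    if not isinstance(device_policy, dict):
        raise TypeError("devicePolicy must be an object, not a list")
    unknown = [s for s in device_policy.get("allowedEncryptionStatuses", [])
               if s not in ENCRYPTION_STATUSES]
    if unknown:
        raise ValueError(f"unknown encryption status(es): {unknown}")


def build_access_level(name, title, device_policy):
    """Return the accessLevels.create request body for a basic device-based level."""
    if not NAME_RE.match(name):
        raise ValueError(f"invalid access level name: {name!r}")
    validate_device_policy(device_policy)
    return {"name": name, "title": title,
            "basic": {"conditions": [{"devicePolicy": device_policy}]}}


def requires_encryption(body):
    """True only if every condition allows nothing but ENCRYPTED device storage."""
    conditions = body["basic"]["conditions"]
    return bool(conditions) and all(
        set(c.get("devicePolicy", {}).get("allowedEncryptionStatuses", [])) == {"ENCRYPTED"}
        for c in conditions)


def to_conditions_yaml(device_policy):
    """Render the policy in the --basic-level-spec YAML shape (scalars and string lists)."""
    lines = ["- devicePolicy:"]
    for key, value in device_policy.items():
        if isinstance(value, list):
            lines.append(f"    {key}:")
            lines.extend(f"      - {v}" for v in value)
        else:
            lines.append(f"    {key}: {str(value).lower()}")
    return "\n".join(lines) + "\n"
```

Call build_access_level with your NAME, TITLE and device policy, then pass the result to requires_encryption before creating the level.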

Applying an access level

After creating your access level, you need to apply it to an IAP-secured resource for it to take effect. This process is part of making your Google Cloud resources context-aware.

  1. Secure your resource with IAP.

  2. Apply your access level to the resource.