Creating an access level

This page describes generally how to create access levels. It also includes more focused implementations of access levels; see the example implementations later on this page.

Before you begin

Create an access level

Console

To create an access level:

  1. Open the Access Context Manager page in the GCP Console.

  2. If you are prompted, select your organization.

  3. At the top of the Access Context Manager page, click New.

  4. In the New Access Level pane:

    1. In the Access level title box, enter a title for the access level. The title must be at most 50 characters, start with a letter, and can contain only numbers, letters, underscores, and spaces.

    2. Click Add Attribute and then select the attribute you want to add to the condition.

      For a complete list of the attributes you can add, read about access level attributes.

      For example, if you want the access level to consider where a request is coming from within your network, you would select the IP Subnetworks attribute.

      Repeat this step to add multiple attributes to the same condition. When a condition has multiple attributes, all of the attributes must be met by the access request.

    3. Use the When condition is met option to specify whether you want the access level to require that a request meet all specified attributes (TRUE) or that a request not match those attributes (FALSE).

      For example, if you want to deny requests from a certain IP address range of your network, specify the IP address range using the IP Subnetworks attribute and then set the condition to FALSE.

    4. Optionally, click Add another condition to add an additional condition to your access level and then repeat the previous two steps.

      For example, if you want to deny access to a subset of IP addresses within a broader IP address range, create a new condition, specify the subset IP address range for the IP Subnetworks attribute, and set the condition to return FALSE.

      Repeat this step to add multiple conditions to the same access level.

    5. In the Conditions section, use the Combine conditions option to specify whether you want the access level to require a request to meet all of the access level conditions (AND) or only one of the conditions (OR).

    6. Click Save.

gcloud

Before you begin

To create an access level using the gcloud command-line tool, use the gcloud access-context-manager levels create command.

gcloud access-context-manager levels create LEVEL_NAME OPTIONS \
    --policy=POLICY_NAME

Where:

  • LEVEL_NAME is the unique name for the access level. It must begin with a letter and include only letters, numbers, and underscores. The name can be a maximum of 50 characters.

  • OPTIONS are the required options from the following table.

    Option            Description
    basic-level-spec  A .yaml file that specifies one or more conditions for the access level.
    title             A short title for the access level. The access level's title is displayed in the GCP Console.
    combine-function  (Optional) Determines how conditions are combined. Valid values: AND, OR
    description       (Optional) A long-form description of the access level.

  • POLICY_NAME is the name of your organization's access policy.

Optionally, you can include any of the gcloud-wide flags.

basic-level-spec .yaml file

When you use the gcloud command-line tool to create an access level, you must provide a .yaml file for the basic-level-spec option. The .yaml file defines one or more conditions for the access level. Conditions must contain at least one attribute.

For a complete list of the attributes you can include in your .yaml file, read about access level attributes.

For more information about access levels and YAML, refer to the example YAML for an access level.

Example command

gcloud access-context-manager levels create Device_Trust \
    --basic-level-spec=corpdevspec.yaml \
    --combine-function=AND \
    --description='Access level that conforms to corporate spec.' \
    --title='Device_Trust Extended'

API

Before you begin

To create an access level, call accessLevels.create.

POST https://accesscontextmanager.googleapis.com/v1/accessPolicies/POLICY_NAME/accessLevels

Where:

  • POLICY_NAME is the name of your organization's access policy.

Request body

The request body must include an AccessLevel resource that specifies the conditions you want for the new access level.

Response body

If successful, the response body for the call contains an Operation resource that provides details about the POST operation.
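Before issuing the POST, it is worth checking the request body against the constraints this page states (name and title rules, at least one attribute per condition, well-formed CIDR blocks, combiningFunction of AND or OR). The following Python is an added example, not Google's code or client library: the function names and the pre-check rules are assumptions for this example, the attribute set is limited to the ones this page documents, and the name field is filled in the way the page's own examples show it.

```python
"""Build and pre-check an AccessLevel request body for accessLevels.create.

Added example, not Google's code or client library. It checks only the rules
this page states (name and title character rules and 50-character limits,
at least one attribute per condition, well-formed CIDR blocks, combiningFunction
AND or OR); the service enforces more than this. The attribute set is limited
to the ones this page's examples use.
"""
import ipaddress
import json
import re

API_BASE = "https://accesscontextmanager.googleapis.com/v1"
NAME_RE = re.compile(r"^[A-Za-z][A-Za-z0-9_]{0,49}$")   # letter first; letters, digits, _; at most 50
TITLE_RE = re.compile(r"^[A-Za-z][A-Za-z0-9_ ]{0,49}$")  # same rule, but spaces are allowed
# Attributes documented on this page (assumption: the API defines others as well).
KNOWN_ATTRIBUTES = {"ipSubnetworks", "devicePolicy", "members", "requiredAccessLevels"}


def validate_conditions(conditions):
    """Each condition needs at least one attribute and only known keys."""
    if not conditions:
        raise ValueError("an access level needs at least one condition")
    for index, condition in enumerate(conditions):
        keys = set(condition)
        if not keys & KNOWN_ATTRIBUTES:
            raise ValueError(f"condition {index} contains no attribute")
        unknown = keys - KNOWN_ATTRIBUTES - {"negate"}
        if unknown:
            raise ValueError(f"condition {index} has unsupported keys: {sorted(unknown)}")
        for cidr in condition.get("ipSubnetworks", []):
            ipaddress.ip_network(cidr, strict=False)  # raises ValueError on a malformed block
    return conditions


def build_access_level(name, title, conditions, combining_function="AND", description=None):
    """Return the JSON-serialisable body for POST .../accessPolicies/POLICY_NAME/accessLevels."""
    if not NAME_RE.match(name):
        raise ValueError(f"invalid access level name: {name!r}")
    if not TITLE_RE.match(title):
        raise ValueError(f"invalid access level title: {title!r}")
    if combining_function not in ("AND", "OR"):
        raise ValueError("combining_function must be AND or OR")
    body = {"name": name, "title": title,
            "basic": {"conditions": validate_conditions(conditions)}}
    if combining_function == "OR":  # AND is the default and can be omitted
        body["basic"]["combiningFunction"] = "OR"
    if description:
        body["description"] = description
    return body


def create_url(policy_name):
    """URL for accessLevels.create under the given access policy name."""
    return f"{API_BASE}/accessPolicies/{policy_name}/accessLevels"


if __name__ == "__main__":
    # Constructed inputs matching the page's corporate-network example.
    body = build_access_level("IP_Trust", "Auditor network",
                              [{"ipSubnetworks": ["203.0.113.0/25"]}])
    print("POST", create_url("247332951433"))
    print(json.dumps(body, indent=2))
```

Rejecting a malformed CIDR or an empty condition locally gives a clearer error than the one the service returns, and it keeps a mistyped range (which would silently widen or narrow the allowed network) from ever reaching the policy.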

Example implementations

The following examples cover a few of the practical ways your organization might want to implement access levels. These examples assume your organization already has an access policy.

Limit access on a corporate network

This example describes how to create an access level condition that allows access only from a specified range of IP addresses (for example, those within a corporate network).

By restricting the range of IP addresses that are granted access, you can make exfiltrating data more difficult for an attacker that is inside or outside your organization.

For this example, assume you want to create an access level that will allow a group of internal auditors to access the Stackdriver Logging service for a project named sensitive-data. All of the devices for the auditors are assigned IPs on a subnet ranging between 203.0.113.0 and 203.0.113.127. You know there won't be any devices assigned to that subnet other than those used by the auditors.

Console

  1. Open the Access Context Manager page in the GCP Console.

  2. If you are prompted, select your organization.

  3. At the top of the Access Context Manager page, click New.

  4. In the New Access Level pane, in the Conditions section, click Add attribute and then click IP Subnetworks.

  5. In the IP Subnetworks box, enter one or more IPv4 or IPv6 ranges formatted as CIDR blocks.

    In this example, to limit access to only the auditors, you would enter 203.0.113.0/25 in the IP Subnetworks box.

  6. Click Save.

gcloud

  1. Create a .yaml file for an access level that includes one or more IPv4 or IPv6 ranges formatted as CIDR blocks.

    In this example, to limit access to only the auditors, you would enter the following into the .yaml file:

    - ipSubnetworks:
      - 203.0.113.0/25
    
  2. Save the file. In this example, the file is named CONDITIONS.yaml.

  3. Create the access level.

    gcloud access-context-manager levels create NAME \
       --title TITLE \
       --basic-level-spec CONDITIONS.yaml \
       --policy=POLICY_NAME
    

    Where:

    • NAME is the unique name for the access level. It must begin with a letter and include only letters, numbers, and underscores.

    • TITLE is a human-readable title. It must be unique to the policy.

    • POLICY_NAME is the name of your organization's access policy.

    You should see output similar to:

    Create request issued for: NAME
    Waiting for operation [accessPolicies/POLICY_NAME/accessLevels/NAME/create/1521594488380943] to complete...done.
    Created level NAME.
    

API

  1. Craft a request body to create an AccessLevel resource that includes one or more IPv4 or IPv6 ranges formatted as CIDR blocks.

    In this example, to limit access to only the auditors, you would enter the following into the request body:

    {
     "name": "NAME",
     "title": "TITLE",
     "basic": {
       "conditions": [
         {
           "ipSubnetworks": [
             "203.0.113.0/25"
           ]
         }
       ]
     }
    }
    

    Where:

    • NAME is the unique name for the access level. It must begin with a letter and include only letters, numbers, and underscores.

    • TITLE is a human-readable title. It must be unique to the policy.

  2. Create the access level by calling accessLevels.create.

    POST https://accesscontextmanager.googleapis.com/v1/accessPolicies/POLICY_NAME/accessLevels
    

    Where:

    • POLICY_NAME is the name of your organization's access policy.

Limit access by devices on a network

This example describes how to create an access level that grants access only to devices that meet a specified set of requirements, like a certain operating system (OS) version.

Information about devices is provided to Access Context Manager using Endpoint Verification. The following criteria can be checked when determining whether to grant access:

  • Screen lock is enabled
  • Storage encryption is enabled
  • Device is running a specified operating system kind and version

For this example, assume your organization uses only machines that have either Chrome OS or Windows installed. To add a layer of security, you want to create an access level that will prevent access by anyone using other operating systems. Additionally, to manage risk, you want to make sure that only certain versions of the OSes can gain access.

Console

  1. Open the Access Context Manager page in the GCP Console.

  2. If you are prompted, select your organization.

  3. At the top of the Access Context Manager page, click New.

  4. In the New Access Level pane, in the Conditions section, click Add attribute and then click Device Policy.

  5. Add the device policy attributes:

    1. Click Add OS Policy and then click Chrome OS Policy.

    2. In the Minimum version box, enter the minimum version of Chrome OS you want to allow.

    3. Repeat steps 1 and 2 for Windows OS Policy.

  6. Click Save.

gcloud

  1. Create a .yaml file for an access level that includes a device policy with OS constraints.

    In this example, to allow only devices with a minimum acceptable version of Chrome OS and Windows, you would enter the following into the .yaml file:

    - devicePolicy:
        osConstraints:
          - osType: DESKTOP_CHROME_OS
            minimumVersion: 11316.165.0
          - osType: DESKTOP_WINDOWS
            minimumVersion: 10.0.1809
    
  2. Save the file. In this example, the file is named CONDITIONS.yaml.

  3. Create the access level.

    gcloud access-context-manager levels create NAME \
       --title TITLE \
       --basic-level-spec CONDITIONS.yaml \
       --policy=POLICY_NAME
    

    Where:

    • NAME is the unique name for the access level. It must begin with a letter and include only letters, numbers, and underscores.

    • TITLE is a human-readable title. It must be unique to the policy.

    • POLICY_NAME is the name of your organization's access policy.

    You should see output similar to:

    Create request issued for: NAME
    Waiting for operation [accessPolicies/POLICY_NAME/accessLevels/NAME/create/1521594488380943] to complete...done.
    Created level NAME.
    

API

  1. Craft a request body to create an AccessLevel resource that includes a device policy with OS constraints.

    In this example, to allow only devices with a minimum acceptable version of Chrome OS and Windows, you would enter the following into the request body:

    {
     "name": "NAME",
     "title": "TITLE",
     "basic": {
       "conditions": [
         {
           "devicePolicy": {
             "osConstraints": [
               {
                 "osType": "DESKTOP_CHROME_OS",
                 "minimumVersion": "11316.165.0"
               },
               {
                 "osType": "DESKTOP_WINDOWS",
                 "minimumVersion": "10.0.1809"
               }
             ]
           }
         }
       ]
     }
    }
    

    Where:

    • NAME is the unique name for the access level. It must begin with a letter and include only letters, numbers, and underscores.

    • TITLE is a human-readable title. It must be unique to the policy.

  2. Create the access level by calling accessLevels.create.

    POST https://accesscontextmanager.googleapis.com/v1/accessPolicies/POLICY_NAME/accessLevels
    

    Where:

    • POLICY_NAME is the name of your organization's access policy.

Limit access by user or service account

Granting access based on identity is often useful in conjunction with service accounts, for example to enable a Cloud Function to access data.

This example describes how to grant access to specific users and service accounts that do not fit the criteria of other access levels. In this example, assume you have a system administrator and a service account that you want to provide access to a project's services regardless of the conditions specified in other access levels.

Console

The GCP Console does not currently support adding members to access levels. If you want to add members to access levels, you must use the gcloud command-line tool or the API.

gcloud

  1. Create a .yaml file that contains a condition that lists the members that you want to provide access.

    In this example, you want to add your system administrator (sysadmin@example.com) and a service account (service@project.iam.gserviceaccount.com).

    - members:
        - user:sysadmin@example.com
        - serviceAccount:service@project.iam.gserviceaccount.com
    
  2. Add a condition that lists the access levels that you do not want to apply to the members. The negation is achieved by setting the combining function to OR in step 4.

    In this example, assume the access levels are named Device_Trust and IP_Trust, and that 247332951433 is the name of your access policy.

    - members:
        - user:sysadmin@example.com
        - serviceAccount:service@project.iam.gserviceaccount.com
    
    - requiredAccessLevels:
        - accessPolicies/247332951433/accessLevels/Device_Trust
        - accessPolicies/247332951433/accessLevels/IP_Trust
    
  3. Save the file. In this example, the file is named CONDITIONS.yaml.

  4. Create the access level.

    gcloud access-context-manager levels create NAME \
       --title TITLE \
       --basic-level-spec CONDITIONS.yaml \
       --combine-function=OR \
       --policy=POLICY_NAME
    

    Where:

    • NAME is the unique name for the access level. It must begin with a letter and include only letters, numbers, and underscores.

    • TITLE is a human-readable title. It must be unique to the policy.

    • POLICY_NAME is the name of your organization's access policy.

    • combine-function is set to OR. The default value, AND, requires that all conditions be met before an access level is granted. The OR value gives the members access even if other conditions, such as the IP address or those inherited from other required access levels, are not met.

    You should see output similar to:

    Create request issued for: NAME
    Waiting for operation [accessPolicies/POLICY_NAME/accessLevels/NAME/create/1521594488380943] to complete...done.
    Created level NAME.
    

API

  1. Craft a request body to create an AccessLevel resource that includes a condition that lists the members that you want to provide access.

    In this example, you want to add your system administrator (sysadmin@example.com) and a service account (service@project.iam.gserviceaccount.com).

    {
     "name": "NAME",
     "title": "TITLE",
     "basic": {
       "conditions": [
         {
           "members": [
             "user:sysadmin@example.com",
             "serviceAccount:service@project.iam.gserviceaccount.com"
           ]
         }
       ]
     }
    }
    

    Where:

    • NAME is the unique name for the access level. It must begin with a letter and include only letters, numbers, and underscores.

    • TITLE is a human-readable title. It must be unique to the policy.

  2. Add a condition that lists the access levels that you do not want to apply to the members. The negation is achieved by setting the combining function to OR in the following step.

    In this example, assume the access levels are named Device_Trust and IP_Trust, and that 247332951433 is the name of your access policy.

    {
     "name": "NAME",
     "title": "TITLE",
     "basic": {
       "conditions": [
         {
           "members": [
             "user:sysadmin@example.com",
             "serviceAccount:service@project.iam.gserviceaccount.com"
           ]
         },
         {
           "requiredAccessLevels": [
             "accessPolicies/247332951433/accessLevels/Device_Trust",
             "accessPolicies/247332951433/accessLevels/IP_Trust"
           ]
         }
       ]
     }
    }
    
  3. Set combiningFunction to OR.

    The default value for combiningFunction, AND, requires that all conditions be met before an access level is granted. The OR value gives the members access even if other conditions, such as the IP address or those inherited from other required access levels, are not met.

    {
     "name": "NAME",
     "title": "TITLE",
     "basic": {
       "conditions": [
         {
           "members": [
             "user:sysadmin@example.com",
             "serviceAccount:service@project.iam.gserviceaccount.com"
           ]
         },
         {
           "requiredAccessLevels": [
             "accessPolicies/247332951433/accessLevels/Device_Trust",
             "accessPolicies/247332951433/accessLevels/IP_Trust"
           ]
         }
       ],
       "combiningFunction": "OR"
     }
    }
    
  4. Create the access level by calling accessLevels.create.

    POST https://accesscontextmanager.googleapis.com/v1/accessPolicies/POLICY_NAME/accessLevels
    

    Where:

    • POLICY_NAME is the name of your organization's access policy.
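The evaluation rules described on this page (every attribute in a condition must hold, conditions are combined with AND or OR, a condition can be negated, and requiredAccessLevels nests other levels) can be modelled offline to check a design before creating it, for instance to confirm that the OR-combined members level really does bypass the IP and device levels and that the "deny a subset of a broader range" pattern from the console steps admits only the intended addresses. The following Python is an added example, not Google's code and not the real Access Context Manager evaluator: it covers only the attributes used in this page's examples, the level name Admin_Override and the Upper_Auditor_Subnet level are constructed for the example, and the request format and sample requests are assumptions. It goes beyond the page's examples by including a negated condition.

```python
"""Offline model of 'basic' access level evaluation.

Added example, not Google's code and not the real Access Context Manager
evaluator: a simplified approximation of the rules documented on this page,
covering only the attributes used in the examples (ipSubnetworks, devicePolicy
osConstraints, members, requiredAccessLevels) plus negate and combiningFunction.
The request format and the sample requests are constructed for this example.
"""
import ipaddress


def _version_tuple(version):
    """'10.0.1809' -> (10, 0, 1809) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in version.split("."))


def _ip_matches(request, cidrs):
    addr = ipaddress.ip_address(request["ip"])
    return any(addr in ipaddress.ip_network(cidr, strict=False) for cidr in cidrs)


def _device_matches(request, device_policy):
    # A device satisfies the policy if it meets at least one OS constraint.
    for constraint in device_policy.get("osConstraints", []):
        if request.get("osType") != constraint["osType"]:
            continue
        minimum = constraint.get("minimumVersion")
        if minimum is None or _version_tuple(request["osVersion"]) >= _version_tuple(minimum):
            return True
    return False


def condition_matches(condition, request, levels):
    """Every attribute present in a condition must hold; 'negate' flips the result."""
    checks = []
    if "ipSubnetworks" in condition:
        checks.append(_ip_matches(request, condition["ipSubnetworks"]))
    if "devicePolicy" in condition:
        checks.append(_device_matches(request, condition["devicePolicy"]))
    if "members" in condition:
        checks.append(request.get("principal") in condition["members"])
    if "requiredAccessLevels" in condition:
        checks.append(all(level_grants(levels[name], request, levels)
                          for name in condition["requiredAccessLevels"]))
    if not checks:
        raise ValueError("a condition must contain at least one attribute")
    result = all(checks)
    return (not result) if condition.get("negate") else result


def level_grants(level, request, levels):
    """AND (the default) requires every condition; OR requires any one of them."""
    basic = level["basic"]
    results = [condition_matches(c, request, levels) for c in basic["conditions"]]
    if basic.get("combiningFunction", "AND") == "OR":
        return any(results)
    return all(results)


POLICY = "accessPolicies/247332951433"  # policy name from the page's third example

# The levels from this page, keyed by full resource name. "Admin_Override" is a
# constructed name for the page's unnamed third level; "Upper_Auditor_Subnet" is
# a constructed level showing the broad-range-minus-subset pattern
# (203.0.113.0/25 AND NOT 203.0.113.0/26, so only .64 to .127 pass).
LEVELS = {
    f"{POLICY}/accessLevels/IP_Trust": {
        "basic": {"conditions": [{"ipSubnetworks": ["203.0.113.0/25"]}]}},
    f"{POLICY}/accessLevels/Device_Trust": {
        "basic": {"conditions": [{"devicePolicy": {"osConstraints": [
            {"osType": "DESKTOP_CHROME_OS", "minimumVersion": "11316.165.0"},
            {"osType": "DESKTOP_WINDOWS", "minimumVersion": "10.0.1809"}]}}]}},
    f"{POLICY}/accessLevels/Admin_Override": {
        "basic": {"combiningFunction": "OR", "conditions": [
            {"members": ["user:sysadmin@example.com",
                         "serviceAccount:service@project.iam.gserviceaccount.com"]},
            {"requiredAccessLevels": [f"{POLICY}/accessLevels/Device_Trust",
                                      f"{POLICY}/accessLevels/IP_Trust"]}]}},
    f"{POLICY}/accessLevels/Upper_Auditor_Subnet": {
        "basic": {"conditions": [
            {"ipSubnetworks": ["203.0.113.0/25"]},
            {"ipSubnetworks": ["203.0.113.0/26"], "negate": True}]}},
}


def evaluate(level_short_name, request):
    """Evaluate one of the LEVELS above against a constructed request dict."""
    return level_grants(LEVELS[f"{POLICY}/accessLevels/{level_short_name}"], request, LEVELS)


if __name__ == "__main__":
    samples = {  # constructed sample requests
        "auditor, in-range Chrome OS": {"ip": "203.0.113.50", "osType": "DESKTOP_CHROME_OS",
                                        "osVersion": "11316.165.0", "principal": "user:auditor@example.com"},
        "sysadmin, off-network Linux": {"ip": "198.51.100.7", "osType": "DESKTOP_LINUX",
                                        "osVersion": "5.4", "principal": "user:sysadmin@example.com"},
    }
    for label, req in samples.items():
        for short in ("IP_Trust", "Device_Trust", "Admin_Override", "Upper_Auditor_Subnet"):
            print(f"{label:30} {short:22} {evaluate(short, req)}")
```

Two points the model makes visible: a version string such as 10.0.1809 must be compared numerically, since a string comparison would rank 10.0.1809 below 10.0.99, and an OR-combined level containing a members condition is an unconditional allow for those principals, so the list should be kept short and reviewed whenever the level is changed.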