Stay organized with collections
Save and categorize content based on your preferences.
This page details the objects and attributes that are used to the build the
Common Expression Language (CEL)
expressions for custom access levels. Examples are included.
Contains attributes that describe the device the request originated
from.
origin attributes
This section lists the attributes supported by the origin object.
Attributes
ip
Type
string
Description
The IP address the request originated from. If the IP address
cannot be determined, origin.ip evaluates
to an error. We recommend that you use
inIpRange to check if the origin IP address is in a
specific IP address range instead of doing a string comparison.
Example:
inIpRange(origin.ip, ["203.0.113.24"])
region_code
Type
string
Description
The ISO
3166-1 alpha-2 code for the country or region where
the request originated from. If the region code cannot be
determined, origin.region_code evaluates
to an error.
Example:
origin.region_code == "GB"
origin.region_code in ["US", "FR", "JP"]
request.auth attributes
This section lists the attributes supported by the request.auth object.
Attributes
principal
Type
string, list(string)
Description
The unique ID of the user who issued the request.
The value for request.auth.principal must be one
or more unique user IDs. The UUIDs can be obtained using the
Admin SDK Directory API.
The value must be in the following format:
https://accounts.google.com/UUID
Where UUID is the UUID of a user.
Example:
request.auth.principal == "https://accounts.google.com/1134924314572461055"
request.auth.principal in ["https://accounts.google.com/1134924314572461055", "https://accounts.google.com/3134824314572461115"]
claims.crd_str.pwd
Type
boolean
Description
User authenticated with a password.
Example:
request.auth.claims.crd_str.pwd == true
claims.crd_str.push
Type
boolean
Description
User authenticated with a push notification to the mobile device.
Example:
request.auth.claims.crd_str.push == true
claims.crd_str.sms
Type
boolean
Description
User authenticated using a code sent to SMS or via a phone call.
Example:
request.auth.claims.crd_str.sms == true
claims.crd_str.swk
Type
boolean
Description
2SV used a software key, such as a phone, as security key.
Example:
request.auth.claims.crd_str.swk == true
claims.crd_str.hwk
Type
boolean
Description
2SV used a hardware key, such as Google Titan Key.
Example:
request.auth.claims.crd_str.hwk == true
claims.crd_str.otp
Type
boolean
Description
User authenticated with one time password methods (Google Authenticator and Backup Codes).
Example:
request.auth.claims.crd_str.otp == true
claims.crd_str.mfa
Type
boolean
Description
User authenticated with any of the methods in this table except pwd.
This section lists the attributes supported by the levels object.
Attributes
level name
Type
boolean
Description
level name corresponds to the name of an existing
access level.
When used, the conditions of the specified access level must
also be met in addition to the other requirements of your custom
access level.
Example:
levels.allow_corp_ips
Where allow_corp_ips is the name of an
access level.
device attribute
This section lists the attributes supported by the device object. If no device
associated to the identifiers in the request is found, all of the following
attributes will evaluate to an error.
Attributes
encryption_status
Type
enum
Description
Describes the encryption status of the device.
Enum values:
enum DeviceEncryptionStatus {
// The encryption status of the device is not specified or not known.
ENCRYPTION_UNSPECIFIED == 0;
// The device does not support encryption.
ENCRYPTION_UNSUPPORTED == 1;
// The device supports encryption, but is currently unencrypted.
UNENCRYPTED == 2;
// The device is encrypted.
ENCRYPTED == 3;
}
Whether the device has been approved by the domain
administrator.
Example:
device.is_admin_approved_device == true
is_corp_owned_device
Type
boolean
Description
Whether the device is owned by the organization.
Example:
device.is_corp_owned_device == true
is_secured_with_screenlock
Type
boolean
Description
Whether the device has its screen lock function enabled.
Example:
device.is_secured_with_screenlock == true
os_type
Type
enum
Description
Identifies which operating system the device is using.
Enum values:
enum OsType {
// The operating system of the device is not specified or not known.
OS_UNSPECIFIED == 0;
// A desktop Mac operating system.
DESKTOP_MAC == 1;
// A desktop Windows operating system.
DESKTOP_WINDOWS == 2;
// A desktop Linux operating system.
DESKTOP_LINUX == 3;
// An Android operating system.
ANDROID == 4;
// An iOS operating system.
IOS == 5;
// A desktop ChromeOS operating system.
DESKTOP_CHROME_OS == 6;
}
The vendors object is used to access data provided
by third-party security and endpoint management vendors. Each
vendor may populate three shared top-level attributes:
is_compliant_device,
is_managed_device, and
device_health_score.
Additionally, vendors may provide their own keys and values
that are referenced using the data attribute.
The available keys for the data attribute vary
from vendor to vendor. Ensure that you are consistent when comparing the key value in your policy expression. For example, if you expect the key value to be a string or boolean, ensure that you compare it with a string or boolean in the policy expression correspondingly. Note that when the value is an integer, you should compare it with a double number in the policy expression.
Enum values:
// Health score of the device as provided by the vendor (possibly third party).
enum DeviceHealthScore {
// The health score for the device is not specified or unknown.
DEVICE_HEALTH_SCORE_UNSPECIFIED = 0;
// The health of the device is very poor.
VERY_POOR = 1;
// The health of the device is poor.
POOR = 2;
// The health of the device is ok.
NEUTRAL = 3;
// The health of the device is good.
GOOD = 4;
// The health of the device is very good.
VERY_GOOD = 5;
}
Is the browser managed, at the browser level or at the profile level, and by the enterprise under the correct domain.
A browser is considered to be managed if the policies are centrally managed and pushed, and that the domain of the managed browser or profile matches the expected domain on the server side.
Following are the available Chrome management states:
State
MANAGED
The browser or profile is managed by the customer.
UNMANAGED
The browser or profile is not managed by any customer.
MANAGED_BY_OTHER_DOMAIN
The browser or profile is managed by some other customer.
PROFILE_MANAGED
The profile is managed by the customer.
BROWSER_MANAGED
The browser is managed by the customer.
Example:
device.chrome.management_state in
[
ChromeManagementState.CHROME_MANAGEMENT_STATE_BROWSER_MANAGED,
ChromeManagementState.CHROME_MANAGEMENT_STATE_PROFILE_MANAGED,
]
Tests whether the string operand starts with the prefix argument.
Example:
"Sample string".startsWith("Sample")
endsWith()
Type
string.(string) -> bool
Description
Tests whether the string operand ends with the suffix argument.
Example:
"Sample string".endsWith("string")
origin.clientCertFingerprint()
Type
Origin.() -> string
Description
Returns the fingerprint of the certificate associated with the origin. You can use this in macros to test device certificates.
Example:
// Checks if the enterprise certificate associated with the origin matches the device.
device.certificates.exists(cert, cert.is_valid && cert.cert_fingerprint == origin.clientCertFingerprint())
Macros for CEL expressions
You can use the following macros in the CEL expressions for custom access levels:
Macro
Description
has(e.f)
Tests whether a field is available. See Field Selection for more details. Example:
Tests whether a predicate holds for all elements of a list e or keys of a map e. Here x is an identifier to be used in p which binds to the element or key. The all() macro combines per-element predicate results with the and (&&) operator, so if any predicate evaluates to false, the macro evaluates to false, ignoring any errors from other predicates. Example:
This returns false because not all elements are greater than 1: [1,2,3].all(x, x > 1)
e.exists(x, p)
Like the all() macro, but combines the predicate results with the or (||) operator. Example:
This returns true because there is at least one element in the list greater than 1: [1,2,3].exists(x, x > 1)
Checks if the enterprise certificate associated with the device matches the issuer: device.certificates.exists(cert, cert.is_valid && cert.issuer == "[email protected], CN=inter_1, OU=BCEDemo_1, O=BCEDemo, L=NCR, ST=UP, C=IN")
e.exists_one(x, p)
Like the exists() macro, but evaluates to true only if the predicate of exactly one element or key evaluates to true, and the rest to false. Any other combination of boolean results evaluates to false, and any predicate error causes the macro to raise an error. Example:
This returns false because more than one element is greater than 1: [1,2,3].exists_one(x, x > 1)
Example CEL expressions
This section includes examples of CEL expressions used to create custom access
levels.
Example 1
device.encryption_status == DeviceEncryptionStatus.ENCRYPTED && (origin.region_code in ["US"] || device.is_admin_approved_device)
This example represents an access level that requires the following conditions
be met in order to allow a request:
The device that the request originated from is encrypted.
One or more of the following is true:
The request originated in the United States.
The device that the request originated from is approved by the
domain administrator.
This example represents an access level that requires the following conditions
be met in order to allow a request:
One of the following is true:
The device that the request originated from uses a desktop Windows
operating system and is owned by your organization.
The device that the request originated from uses a desktop Mac
operating system, is approved by the domain administrator, and is
using at least MacOS 10.11.
This example represents an access level that requires the following condition
be met in order to allow a request:
The certificateBindingState extension function determines that the
certificate presented at request time matches one of the device
certificates that was registered when the device was enrolled in
endpoint verification.
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Hard to understand","hardToUnderstand","thumb-down"],["Incorrect information or sample code","incorrectInformationOrSampleCode","thumb-down"],["Missing the information/samples I need","missingTheInformationSamplesINeed","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2024-11-26 UTC."],[],[]]