API Reference

Zero Trust

Access

Policies

Copy Markdown

Open in Claude

Open in ChatGPT

Open in Cursor

---

Copy Markdown

View as Markdown

Create an Access reusable policy

client.ZeroTrust.Access.Policies.New(ctx, params) (*AccessPolicyNewResponse, error)

POST/accounts/{account_id}/access/policies

Creates a new Access reusable policy.

Security

API Token

The preferred authorization scheme for interacting with the Cloudflare API. Create a token.

Example:Authorization: Bearer Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY

API Email + API Key

The previous authorization scheme for interacting with the Cloudflare API, used in conjunction with a Global API key.

Example:X-Auth-Email: user@example.com

The previous authorization scheme for interacting with the Cloudflare API. When possible, use API tokens instead of Global API keys.

Example:X-Auth-Key: 144c9defac04969c7bfad8efaa8ea194

Accepted Permissions (at least one required)

Access: Apps and Policies Write

ParametersExpand Collapse

params AccessPolicyNewParams

AccountID param.Field[string]

Path param: Identifier.

maxLength32

Decision param.Field[Decision]

Body param: The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.

Include param.Field[[]AccessRule]

Body param: Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.

type GroupRule struct{…}

Matches an Access group.

Group GroupRuleGroup

ID string

The ID of a previously created Access group.

type AnyValidServiceTokenRule struct{…}

Matches any valid Access Service Token

AnyValidServiceToken AnyValidServiceTokenRuleAnyValidServiceToken

An empty object which matches on all service tokens.

type AccessRuleAccessAuthContextRule struct{…}

Matches an Azure Authentication Context. Requires an Azure identity provider.

AuthContext AccessRuleAccessAuthContextRuleAuthContext

ID string

The ID of an Authentication context.

AcID string

The ACID of an Authentication context.

IdentityProviderID string

The ID of your Azure identity provider.

type AuthenticationMethodRule struct{…}

Enforce different MFA options

AuthMethod AuthenticationMethodRuleAuthMethod

AuthMethod string

The type of authentication method https://datatracker.ietf.org/doc/html/rfc8176#section-2.

type AzureGroupRule struct{…}

Matches an Azure group. Requires an Azure identity provider.

AzureAD AzureGroupRuleAzureAD

ID string

The ID of an Azure group.

IdentityProviderID string

The ID of your Azure identity provider.

type CertificateRule struct{…}

Matches any valid client certificate.

Certificate CertificateRuleCertificate

type AccessRuleAccessCommonNameRule struct{…}

Matches a specific common name.

CommonName AccessRuleAccessCommonNameRuleCommonName

CommonName string

The common name to match.

type CountryRule struct{…}

Matches a specific country

Geo CountryRuleGeo

CountryCode string

The country code that should be matched.

type AccessDevicePostureRule struct{…}

Enforces a device posture rule has run successfully

DevicePosture AccessDevicePostureRuleDevicePosture

IntegrationUID string

The ID of a device posture integration.

type DomainRule struct{…}

Match an entire email domain.

EmailDomain DomainRuleEmailDomain

Domain string

The email domain to match.

type EmailListRule struct{…}

Matches an email address from a list.

EmailList EmailListRuleEmailList

ID string

The ID of a previously created email list.

type EmailRule struct{…}

Matches a specific email.

Email EmailRuleEmail

Email string

The email of the user.

formatemail

type EveryoneRule struct{…}

Matches everyone.

Everyone EveryoneRuleEveryone

An empty object which matches on all users.

type ExternalEvaluationRule struct{…}

Create Allow or Block policies which evaluate the user based on custom criteria.

ExternalEvaluation ExternalEvaluationRuleExternalEvaluation

EvaluateURL string

The API endpoint containing your business logic.

KeysURL string

The API endpoint containing the key that Access uses to verify that the response came from your API.

type GitHubOrganizationRule struct{…}

Matches a Github organization. Requires a Github identity provider.

GitHubOrganization GitHubOrganizationRuleGitHubOrganization

IdentityProviderID string

The ID of your Github identity provider.

Name string

The name of the organization.

Team stringOptional

The name of the team

type GSuiteGroupRule struct{…}

Matches a group in Google Workspace. Requires a Google Workspace identity provider.

GSuite GSuiteGroupRuleGSuite

Email string

The email of the Google Workspace group.

IdentityProviderID string

The ID of your Google Workspace identity provider.

type AccessRuleAccessLoginMethodRule struct{…}

Matches a specific identity provider id.

LoginMethod AccessRuleAccessLoginMethodRuleLoginMethod

ID string

The ID of an identity provider.

type IPListRule struct{…}

Matches an IP address from a list.

IPList IPListRuleIPList

ID string

The ID of a previously created IP list.

type IPRule struct{…}

Matches an IP address block.

IP IPRuleIP

IP string

An IPv4 or IPv6 CIDR block.

type OktaGroupRule struct{…}

Matches an Okta group. Requires an Okta identity provider.

Okta OktaGroupRuleOkta

IdentityProviderID string

The ID of your Okta identity provider.

Name string

The name of the Okta group.

type SAMLGroupRule struct{…}

Matches a SAML group. Requires a SAML identity provider.

SAML SAMLGroupRuleSAML

AttributeName string

The name of the SAML attribute.

AttributeValue string

The SAML attribute value to look for.

IdentityProviderID string

The ID of your SAML identity provider.

type AccessRuleAccessOIDCClaimRule struct{…}

Matches an OIDC claim. Requires an OIDC identity provider.

OIDC AccessRuleAccessOIDCClaimRuleOIDC

ClaimName string

The name of the OIDC claim.

ClaimValue string

The OIDC claim value to look for.

IdentityProviderID string

The ID of your OIDC identity provider.

type ServiceTokenRule struct{…}

Matches a specific Access Service Token

ServiceToken ServiceTokenRuleServiceToken

TokenID string

The ID of a Service Token.

type AccessRuleAccessLinkedAppTokenRule struct{…}

Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.

LinkedAppToken AccessRuleAccessLinkedAppTokenRuleLinkedAppToken

AppUID string

The ID of an Access OIDC SaaS application

type AccessRuleAccessUserRiskScoreRule struct{…}

Matches a user’s risk score.

UserRiskScore AccessRuleAccessUserRiskScoreRuleUserRiskScore

UserRiskScore []AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScore

A list of risk score levels to match. Values can be low, medium, high, or unscored.

One of the following:

const AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScoreLow AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScore = "low"

const AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScoreMedium AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScore = "medium"

const AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScoreHigh AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScore = "high"

const AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScoreUnscored AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScore = "unscored"

type AccessRuleAccessCloudflareAccountMemberRule struct{…}

Matches users who are members of a specific Cloudflare account. Requires a Cloudflare identity provider.

CloudflareAccountMember AccessRuleAccessCloudflareAccountMemberRuleCloudflareAccountMember

AccountID stringOptional

Identifier.

maxLength32

Name param.Field[string]

Body param: The name of the Access policy.

ApprovalGroups param.Field[[]ApprovalGroup]Optional

Body param: Administrators who can approve a temporary authentication request.

ApprovalsNeeded float64

The number of approvals needed to obtain access.

minimum0

EmailAddresses []stringOptional

A list of emails that can approve the access request.

EmailListUUID stringOptional

The UUID of an re-usable email list.

ApprovalRequired param.Field[bool]Optional

Body param: Requires the user to request access from an administrator at the start of each session.

ConnectionRules param.Field[AccessPolicyNewParamsConnectionRules]Optional

Body param: The rules that define how users may connect to targets secured by your application.

RDP AccessPolicyNewParamsConnectionRulesRDPOptional

The RDP-specific rules that define clipboard behavior for RDP connections.

AllowedClipboardLocalToRemoteFormats []AccessPolicyNewParamsConnectionRulesRDPAllowedClipboardLocalToRemoteFormatOptional

Clipboard formats allowed when copying from local machine to remote RDP session.

AllowedClipboardRemoteToLocalFormats []AccessPolicyNewParamsConnectionRulesRDPAllowedClipboardRemoteToLocalFormatOptional

Clipboard formats allowed when copying from remote RDP session to local machine.

Exclude param.Field[[]AccessRule]Optional

Body param: Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.

type GroupRule struct{…}

Matches an Access group.

Group GroupRuleGroup

ID string

The ID of a previously created Access group.

type AnyValidServiceTokenRule struct{…}

Matches any valid Access Service Token

AnyValidServiceToken AnyValidServiceTokenRuleAnyValidServiceToken

An empty object which matches on all service tokens.

type AccessRuleAccessAuthContextRule struct{…}

Matches an Azure Authentication Context. Requires an Azure identity provider.

AuthContext AccessRuleAccessAuthContextRuleAuthContext

ID string

The ID of an Authentication context.

AcID string

The ACID of an Authentication context.

IdentityProviderID string

The ID of your Azure identity provider.