-
Notifications
You must be signed in to change notification settings - Fork 473
l Context Aware Access Levels
Google Context Aware Access (CAA) provides contextual security requirements for endpoints accessing Google Workspace Services. GAM 6.20 and newer can create and manage access levels which can be assigned to Workspace services for your users.
- Grant Service Account Rights to Manage CAA
- Creating an Access Level
- Updating an Access Level
- Parameters for Basic Levels
- Showing all Access Levels
- Deleting an Access Level
In order for GAM to manage CAA access levels, you need to grant your service account a special role for your GCP organization.
- Run a GAM command like
gam print caalevels. This will show you the service account email and role you need to grant it. Copy the service account email. - As an organization admin (Workspace Super Admin should work) go to https://console.cloud.google.com.
- In the top blue bar, to the right of "Google Cloud Platform" click the selected project.
- Select your GCP organization which has a building icon next to it and is named after your primary domain.
- In the 3-bar "hamburger" menu at the top left, click IAM & Admin > IAM. The page should show
permissions for organization <primary domain> - Near the top click "Add".
- Enter the service account email address you recorded earlier.
- Select Roles > Access Context Manager > Access Context Manager Editor.
- Click Save. It may take 15 minutes or more for the role permissions to propagate.
- Confirm the role is in place by re-running
gam print caalevels
gam create caalevel <name> [basic <basic condition> | custom <CEL query>]
Creates a new access level with the defined conditions. CAA supports basic and custom conditions. Custom is followed by a CEL query. Basic is followed by a basic condition.
This example defines a custom access level that requires the user to use a Cloud-managed Chrome browser (CBCM) or be logged into a Cloud-managed Chrome profile.
gam create caalevel custom "device.chrome.management_state == ChromeManagementState.CHROME_MANAGEMENT_STATE_BROWSER_MANAGED | ChromeManagementState.CHROME_MANAGEMENT_STATE_PROFILE_MANAGED"
This example creates a basic access level that requires the user to come from the US or Canada regions
gam create caalevel CORP_COUNTRIES basic condition regions US,CA endcondition
This example creates a basic access level that requires the user come from one of the given IP ranges
gam create caalevel CORP_IPS basic condition ipsubnetworks 1.2.3.0/24,4.5.6.0/24 endcondition
gam update caalevel <name> [basic <basic condition> | custom <CEL query>]
Updates an existing access level. CAA supports basic and custom conditions. Custom is followed by a CEL query. Basic is followed by a basic condition.
This example adds UK to the allowed regions for CORP_COUNTRIES
gam update caalevel CORP_COUNTRIES basic condition regions US,CA,UK endcondition
gam create/update accesslevel <name> basic
combiningfunction and|or
condition
negate true|false
ipsubnetworks ip4range,ip6range,...
regions <country code>,country code>,...
devicepolicy
requirescreenlock true|false
allowedencryptionstatuses ENCRYPTION_UNSUPPORTED,ENCRYPTED,UNENCRYPTED
alloweddevicemanagementlevels NONE,BASIC,COMPLETE
requireadminapproval true|false
requirecorpowned true|false
osconstraints DESKTOP_MAC:version,DESKTOP_WINDOWS:version,DESKTOP_LINUX:version,
DESKTOP_CHROME_OS:version,VERIFIED_DESKTOP_CHROME_OS:version,
ANDROID:version,IOS:version
enddevicepolicy
endcondition
condition
<another condition>
endcondition
Defines a basic access level. The combiningfunction argument specifies if a user must pass all 2+ conditions (AND) or only one (OR). The negate argument specifies whether a user that matches the condition passes it or fails. The ipsubnetworks argument specifies a comma-separated list of IPv4 or IPv6 networks the user must be coming from to match. The regions argument specifies a comma-separated list of country/regions the user must be coming from to match. The device policy argument specifies characteristics of the user's device that must be present to match.
gam print caalevels
Prints out the current defined access levels.
gam delete caalevel <name>
Deletes the specified access level.
Need more help? Ask on the GAM Discussion Group
Update History
Installation
- How to Install GAM7
- How to Upgrade GAMADV-XTD3 to GAM7
- How to Upgrade Legacy GAM to GAM7
- How to Update GAM7
- Verifying a GAM7 Build is Legitimate and Official
- Install GAM as Python Library
- GAM7 on Chrome OS Devices
- GAM7 on Android Devices
- Google Network Addresses
- HTTPS Proxy
- SSL Root CA Certificates
- How to Uninstall GAM7
Configuration
- Authorization
- GAM Configuration
- Running GAM7 securely on a Google Compute Engine
- Using GAM7 with a delegated admin service account
- Using GAM7 with a YubiKey
- GAM with minimal GCP rights
Notes and Information
- Upgrade Benefits
- Questions? Visit the GAM Discussion Forum
- GAM Public Chat Room
- Scripts
- Other Resources
- Drive REST API v3
- BNF Syntax
- GAM Return Codes
- Python Regular Expressions
- Rclone
Definitions
Command Processing
- Bulk Processing
- Command Line Parsing
- Command Logging and Progress
- Command data from Google Docs/Sheets/Storage
- CSV Special Characters
- CSV Input Filtering
- CSV Output Filtering
- Meta Commands and File Redirection
- Permission matches
- Tag Replace
- Todrive
Collections
Client Access
- Addresses
- Administrators
- Alert Center
- Aliases
- Calendars
- Calendars - Access
- Calendars - Events
- Chrome Auto Update Expiration Counts
- Chrome Browser Cloud Management
- Chrome Device Needs Attention Counts
- Chrome Installed Apps
- Chrome Policies
- Chrome Printers
- Chrome Profile Management
- Chrome Version Counts
- Chrome Version History
- ChromeOS Devices
- Classroom - Courses
- Classroom - Guardians
- Classroom - Invitations
- Classroom - Membership
- Cloud Channel
- Cloud Identity Devices
- Cloud Identity Groups
- Cloud Identity Groups - Membership
- Cloud Identity Policies
- Cloud Storage
- Context Aware Access Levels
- Customer
- Domains
- Domains - Verification
- Domain People - Contacts & Profiles
- Domain Shared Contacts - Global Address List
- Email Audit Monitor
- Find File Owner
- Google Data Transfers
- Groups
- Groups - Membership
- Inbound SSO
- Licenses
- Mobile Devices
- Organizational Units
- Reports
- Reseller
- Resources
- Send Email
- Schemas
- Shared Drives
- Sites
- Users
- Unmanaged Accounts
- Users - Signout and Turn off 2-Step Verification
- Vault - Takeout
- Version and Help
Special Service Account Access
Service Account Access
- Users - Analytics Admin
- Users - Application Specific Passwords
- Users - Backup Verification Codes
- Users - Calendars
- Users - Calendars - Access
- Users - Calendars - Events
- Users - Chat
- Users - Classification Labels
- Users - Classroom - Profile
- Users - Deprovision
- Users - Contacts
- Users - Contacts - Delegates
- Users - Drive - File Selection
- Users - Drive - Activity/Settings
- Users - Drive - Cleanup
- Users - Drive - Comments
- Users - Drive - Copy/Move
- Users - Drive - Files-Display
- Users - Drive - Files-Manage
- Users - Drive - Orphans
- Users - Drive - Ownership
- Users - Drive - Permissions
- Users - Drive - Query
- Users - Drive - Revisions
- Users - Drive - Shortcuts
- Users - Drive - Transfer
- Users - Forms
- Users - Gmail - Client Side Encryption
- Users - Gmail - Delegates
- Users - Gmail - Filters
- Users - Gmail - Forwarding
- Users - Gmail - Labels
- Users - Gmail - Messages/Threads
- Users - Gmail - Profile
- Users - Gmail - S/MIME
- Users - Gmail - SendAs/Signature/Vacation
- Users - Gmail - Settings
- Users - Group Membership
- Users - Keep
- Users - Looker Studio
- Users - Meet
- Users - Classroom - Profile
- Users - People - Contacts & Profiles
- Users - Photo
- Users - Profile Sharing
- Users - Shared Drives
- Users - Spreadsheets
- Users - Tasks
- Users - Tokens
- Users - YouTube
GAM Tutorials
- Account Auditing
- Calendar Settings
- Chat Bot commands
- Chrome Browser Management
- Chrome Policy Settings
- Context Aware Access levels
- Data Transfers
- Domain Verification
- Google Drive Management
- Group Settings
- Inbound SSO Settings
- Managing Admins
- Managing Classroom
- Managing Custom User Schemas
- Managing Devices
- Managing Organizations
- Managing Product Licenses
- Managing Users, Groups, Aliases, Domains, Mobile and Chrome Devices, and Resource Calendars
- OAuth Authentication Related Commands
- Print Users, Groups, Aliases, Mobile and Chrome OS devices, OUs, Licenses and Reports
- Printers
- Unmanaged Users and Invitations
- User Email Settings
- User Security Settings