CreateConditionalAccessPolicy - Identity as a Service - Alibaba Cloud Documentation Center

This topic is generated by a machine translation engine without any human intervention. ALIBABA CLOUD DOES NOT GUARANTEE THE ACCURACY OF MACHINE TRANSLATED CONTENT. To request a human-translated version of this topic or provide feedback on this translation, please include it in the feedback form.

Create Conditional Access Policy

Operation description

Create Conditional Access Policy

Debugging

You can run this interface directly in OpenAPI Explorer, saving you the trouble of calculating signatures. After running successfully, OpenAPI Explorer can automatically generate SDK code samples.

Debug

Authorization information

The following table shows the authorization information corresponding to the API. The authorization information can be used in the Action policy element to grant a RAM user or RAM role the permissions to call this API operation. Description:

Operation: the value that you can use in the Action element to specify the operation on a resource.
Access level: the access level of each operation. The levels are read, write, and list.
Resource type: the type of the resource on which you can authorize the RAM user or the RAM role to perform the operation. Take note of the following items:
- For mandatory resource types, indicate with a prefix of * .
- If the permissions cannot be granted at the resource level, All Resources is used in the Resource type column of the operation.
Condition Key: the condition key that is defined by the cloud service.
Associated operation: other operations that the RAM user or the RAM role must have permissions to perform to complete the operation. To complete the operation, the RAM user or the RAM role must have the permissions to perform the associated operations.

Operation	Access level	Resource type	Condition key	Associated operation
eiam:CreateConditionalAccessPolicy	create	ConditionalAccessPolicy `acs:eiam:{#regionId}:{#accountId}:instance/{#InstanceId}/conditionalaccesspolicy/`	none	none

Request parameters

Parameter	Type	Required	Description	Example
InstanceId	string	Yes	Instance ID.	idaas_ue2jvisn35ea5lmthk267xxxxx
ConditionalAccessPolicyName	string	Yes	Conditional access policy name	My Conditional Access Policy
Description	string	No	Description of the conditional access policy	Test Description
ConditionalAccessPolicyType	string	Yes	Type of the conditional access policy, with the following options: arn:alibaba:idaas:authn:access:policy:system: System policy.	arn:alibaba:idaas:authn:access:policy:system
DecisionType	string	Yes	Execution type of the conditional access policy, with the following options: enforcement: Enforce the policy.	enforcement
EvaluateAt	string	Yes	Execution point of the conditional access policy, with the following options: arn:alibaba:idaas:authn:access:rule:eval_at:after_step1: Allow.	arn:alibaba:idaas:authn:access:rule:eval_at:after_step1
DecisionConfig	object	No	Action configuration for the conditional access policy
Effect	string	No	Decision action for the conditional access policy, with the following options: allow: Allow. deny: Deny.	allow or deny
MfaType	string	No	MFA type for the conditional access policy, with the following options: directly_access: Direct access mfa_required: MFA required	directly_access
MfaAuthenticationIntervalSeconds	long	No	Re-authentication interval (in seconds) for the conditional access policy Maximum MFA re-authentication interval: 86400 Minimum MFA re-authentication interval: 300	500
MfaAuthenticationMethods	array	No	Allowed MFA types for the conditional access policy, with the following options: ia_otp_sms: SMS verification code ia_otp_email: Email verification code ia_totp: OTP dynamic password ia_webauthn: WebAuthn
	string	No	MFA type	ia_totp
ActiveSessionReuseStatus	string	No	Whether to enable session reuse Enumeration Value: disabled: disabled. enabled: enabled.	enabled
ConditionsConfig	object	No	Condition content configuration for the conditional access policy
Applications	object	No	Target applications for the conditional access policy
IncludeApplications	array	No	Included applications
	string	No	Application ID	app_xxxx
ExcludeApplications	array	No	Excluded applications
	string	No	Application ID	app_xxxx
Users	object	No	Target users of the conditional access policy
IncludeUsers	array	No	Selected user
	string	No	User ID	user_xxxx
ExcludeUsers	array	No	Excluded users
	string	No	User ID	user_xxxx
IncludeGroups	array	No	Included user groups
	string	No	Group ID	group_xxxxx
ExcludeGroups	array	No	Excluded user groups
	string	No	Group ID	group_xxxxx
IncludeOrganizationalUnits	array	No	Included organizations
	string	No	Organization ID	ou_sdfnbsxxxx
ExcludeOrganizationalUnits	array	No	Excluded organizations
	string	No	Organization ID	ou_xxxxx
NetworkZones	object	No	Network zones for conditional access policy
IncludeNetworkZones	array	No	Included network zones
	string	No	Network zone ID	network_xxxxx
ExcludeNetworkZones	array	No	Excluded network zones
	string	No	Network zone ID	network_xxxxx
Priority	integer	No	Priority of the conditional access policy, lower values indicate higher priority Minimum value: 1 Maximum value: 100	1
ClientToken	string	No	Idempotent token.	client-token-example

Response parameters

Parameter	Type	Description	Example
	object	Response result
RequestId	string	Request ID.	0441BD79-92F3-53AA-8657-F8CE4A2B912A
ConditionalAccessPolicyId	string	Conditional Access Policy ID	cp_xxxxx

Examples

Sample success responses

JSONformat

{
  "RequestId": "0441BD79-92F3-53AA-8657-F8CE4A2B912A",
  "ConditionalAccessPolicyId": "cp_xxxxx"
}

Error codes

For a list of error codes, visit the Service error codes.