
Identity as a Service: CreateConditionalAccessPolicy

Last Updated: Mar 24, 2026

Create Conditional Access Policy

Operation description

Creates a conditional access policy in the specified IDaaS instance.


RAM authorization

The table below describes the authorization required to call this API. You can define it in a Resource Access Management (RAM) policy. The table's columns are detailed below:

  • Action: The actions can be used in the Action element of RAM permission policy statements to grant permissions to perform the operation.

  • API: The API that you can call to perform the action.

  • Access level: The predefined level of access granted for each API. Valid values: create, list, get, update, and delete.

  • Resource type: The type of the resource that supports authorization to perform the action. It indicates if the action supports resource-level permission. The specified resource must be compatible with the action. Otherwise, the policy will be ineffective.

    • For APIs with resource-level permissions, required resource types are marked with an asterisk (*). Specify the corresponding Alibaba Cloud Resource Name (ARN) in the Resource element of the policy.

    • For APIs without resource-level permissions, it is shown as All Resources. Use an asterisk (*) in the Resource element of the policy.

  • Condition key: The condition keys defined by the service. The key allows for granular control, applying to either actions alone or actions associated with specific resources. In addition to service-specific condition keys, Alibaba Cloud provides a set of common condition keys applicable across all RAM-supported services.

  • Dependent action: The dependent actions required to run the action. To complete the action, the RAM user or the RAM role must have the permissions to perform all dependent actions.

  • Action: eiam:CreateConditionalAccessPolicy

  • Access level: create

  • Resource type: *ConditionalAccessPolicy (resource-level permission is supported; put the ARN acs:eiam:{#regionId}:{#accountId}:instance/{#InstanceId}/conditionalaccesspolicy/* in the Resource element of the policy)

  • Condition key: None

  • Dependent action: None

Request parameters

Each parameter is listed as Name (type, required or optional): description, followed by an example value. Nested entries are the members of the object or array above them.

  • InstanceId (string, required): Instance ID. Example: idaas_ue2jvisn35ea5lmthk267xxxxx

  • ConditionalAccessPolicyName (string, required): Conditional access policy name. Example: My conditional access policy

  • Description (string, optional): Description of the conditional access policy. Example: Test description

  • ConditionalAccessPolicyType (string, required): Type of the conditional access policy. Valid value: arn:alibaba:idaas:authn:access:policy:system (system policy). Example: arn:alibaba:idaas:authn:access:policy:system

  • DecisionType (string, required): Execution type of the conditional access policy. Valid value: enforcement (enforce the policy). Example: enforcement

  • EvaluateAt (string, required): Execution point of the conditional access policy. Valid value: arn:alibaba:idaas:authn:access:rule:eval_at:after_step1 (Allow). Example: arn:alibaba:idaas:authn:access:rule:eval_at:after_step1

  • DecisionConfig (object, optional): Action configuration for the conditional access policy.

    • Effect (string, optional): Decision action for the conditional access policy. Valid values: allow (Allow), deny (Deny). Example: allow or deny

    • MfaType (string, optional): MFA type for the conditional access policy. Valid values: directly_access (direct access), mfa_required (MFA required). Example: directly_access

    • MfaAuthenticationIntervalSeconds (integer, optional): Re-authentication interval (in seconds) for the conditional access policy. Minimum: 300. Maximum: 86400. Example: 500

    • MfaAuthenticationMethods (array of string, optional): Allowed MFA types for the conditional access policy; each element is one MFA type. Valid values: ia_otp_sms (SMS verification code), ia_otp_email (Email verification code), ia_totp (OTP dynamic password), ia_webauthn (WebAuthn). Example element: ia_totp

    • ActiveSessionReuseStatus (string, optional): Whether to enable session reuse. Valid values: disabled, enabled. Example: enabled

  • ConditionsConfig (object, optional): Condition content configuration for the conditional access policy.

    • Applications (object, optional): Target applications for the conditional access policy.

      • IncludeApplications (array of string, optional): Included applications; each element is an application ID. Example element: app_xxxx

      • ExcludeApplications (array of string, optional): Excluded applications; each element is an application ID. Example element: app_xxxx

    • Users (object, optional): Target users of the conditional access policy.

      • IncludeUsers (array of string, optional): Included users; each element is a user ID. Example element: user_xxxx

      • ExcludeUsers (array of string, optional): Excluded users; each element is a user ID. Example element: user_xxxx

      • IncludeGroups (array of string, optional): Included user groups; each element is a group ID. Example element: group_xxxxx

      • ExcludeGroups (array of string, optional): Excluded user groups; each element is a group ID. Example element: group_xxxxx

      • IncludeOrganizationalUnits (array of string, optional): Included organizations; each element is an organization ID. Example element: ou_sdfnbsxxxx

      • ExcludeOrganizationalUnits (array of string, optional): Excluded organizations; each element is an organization ID. Example element: ou_xxxxx

    • NetworkZones (object, optional): Network zones for the conditional access policy.

      • IncludeNetworkZones (array of string, optional): Included network zones; each element is a network zone ID. Example element: network_xxxxx

      • ExcludeNetworkZones (array of string, optional): Excluded network zones; each element is a network zone ID. Example element: network_xxxxx

  • Priority (integer, optional): Priority of the conditional access policy; lower values indicate higher priority. Minimum: 1. Maximum: 100. Example: 1

  • ClientToken (string, optional): Idempotency token. Example: client-token-example
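The parameter structure above, as an added example that is not part of this reference or of any Alibaba Cloud SDK: a small Python builder that assembles a CreateConditionalAccessPolicy request and rejects values the reference documents as invalid (enumerations, the 300..86400 re-authentication bounds, the 1..100 priority bounds) before anything is signed or sent. Transport is out of scope, every ID ending in "_sample" is constructed, and the rule that mfa_required needs at least one method is the example's own sanity check, not a documented constraint.

```python
# Added example, not code from the Alibaba Cloud IDaaS documentation: assemble the
# CreateConditionalAccessPolicy parameters and reject documented-invalid values before
# anything is signed or sent. Transport is out of scope; "*_sample" IDs are constructed.

MFA_METHODS = {"ia_otp_sms", "ia_otp_email", "ia_totp", "ia_webauthn"}
ALLOWED = {"Effect": {"allow", "deny"},
           "MfaType": {"directly_access", "mfa_required"},
           "ActiveSessionReuseStatus": {"enabled", "disabled"}}
SYSTEM_POLICY = "arn:alibaba:idaas:authn:access:policy:system"
EVAL_AFTER_STEP1 = "arn:alibaba:idaas:authn:access:rule:eval_at:after_step1"


def build_request(instance_id, name, effect, mfa_type, mfa_methods, interval,
                  priority, include_groups=None, exclude_zones=None,
                  session_reuse="disabled"):
    """Return the nested request parameters; raise ValueError on a documented violation."""
    for key, value in (("Effect", effect), ("MfaType", mfa_type),
                       ("ActiveSessionReuseStatus", session_reuse)):
        if value not in ALLOWED[key]:
            raise ValueError(f"{key} must be one of {sorted(ALLOWED[key])}")
    unknown = set(mfa_methods) - MFA_METHODS
    if unknown:
        raise ValueError(f"unknown MfaAuthenticationMethods: {sorted(unknown)}")
    if mfa_type == "mfa_required" and not mfa_methods:
        # This example's own sanity rule, not a documented constraint.
        raise ValueError("mfa_required needs at least one MfaAuthenticationMethods entry")
    if not 300 <= interval <= 86400:   # documented re-authentication bounds (seconds)
        raise ValueError("MfaAuthenticationIntervalSeconds must be within 300..86400")
    if not 1 <= priority <= 100:       # documented bounds; lower value wins
        raise ValueError("Priority must be within 1..100")
    return {
        "InstanceId": instance_id,
        "ConditionalAccessPolicyName": name,
        "ConditionalAccessPolicyType": SYSTEM_POLICY,   # only documented value
        "DecisionType": "enforcement",                  # only documented value
        "EvaluateAt": EVAL_AFTER_STEP1,                 # only documented value
        "Priority": priority,
        "DecisionConfig": {"Effect": effect, "MfaType": mfa_type,
                           "MfaAuthenticationMethods": sorted(mfa_methods),
                           "MfaAuthenticationIntervalSeconds": interval,
                           "ActiveSessionReuseStatus": session_reuse},
        "ConditionsConfig": {"Users": {"IncludeGroups": include_groups or []},
                             "NetworkZones": {"ExcludeNetworkZones": exclude_zones or []}},
    }


def admin_mfa_policy():
    """Sample: admins re-verify with WebAuthn or TOTP hourly unless on the office zone."""
    return build_request("idaas_sample", "Admin MFA", "allow", "mfa_required",
                         ["ia_webauthn", "ia_totp"], 3600, 1,
                         ["group_admins_sample"], ["network_office_sample"])
```

Pass the returned dict to the SDK call for this operation; the nested objects map one-to-one onto the DecisionConfig and ConditionsConfig members listed above.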

Response elements

  • Response body (object): Response result.

    • RequestId (string): Request ID. Example: 0441BD79-92F3-53AA-8657-F8CE4A2B912A

    • ConditionalAccessPolicyId (string): Conditional access policy ID. Example: cp_xxxxx

Examples

Success response

JSON format

{
  "RequestId": "0441BD79-92F3-53AA-8657-F8CE4A2B912A",
  "ConditionalAccessPolicyId": "cp_xxxxx"
}

Error codes

See Error Codes for a complete list.

Release notes

See Release Notes for a complete list.