cloudflare/cloudflare-typescript


mirrored from https://github.com/cloudflare/cloudflare-typescriptAvailable

7609e84ab3db53e79aefce6a112e90cb2a2bbba0

src/resources/access/groups.ts


1// File generated from our OpenAPI spec by Stainless.
2
3import * as Core from 'cloudflare/core';
4import { APIResource } from 'cloudflare/resource';
5import * as GroupsAPI from 'cloudflare/resources/access/groups';
6
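/**
 * Client for the Access groups endpoints.
 *
 * Every method builds its request path from caller-supplied strings. Each path
 * argument is percent-encoded with `encodeURIComponent` before it is placed in
 * the path, so a value containing `/`, `?` or `#` stays inside its own segment
 * and cannot redirect the call to a different endpoint or append a query string.
 * Pass identifiers raw, not pre-encoded.
 *
 * NOTE(review): `encodeURIComponent` leaves `.` and `..` unchanged. Code that
 * forwards externally supplied identifiers should still validate their format
 * before calling these methods.
 */
export class Groups extends APIResource {
  /**
   * Creates a new Access group.
   *
   * @param accountOrZone - First path segment (presumably `accounts` or `zones` — confirm against the API reference).
   * @param accountOrZoneId - Identifier placed in the second path segment.
   * @param body - Request body sent with the POST.
   * @param options - Per-request options, spread into the request after `body`.
   * @returns A promise for the `result` field of the response.
   */
  create(
    accountOrZone: string,
    accountOrZoneId: string,
    body: GroupCreateParams,
    options?: Core.RequestOptions,
  ): Core.APIPromise<GroupCreateResponse> {
    const path = `/${encodeURIComponent(accountOrZone)}/${encodeURIComponent(accountOrZoneId)}/access/groups`;
    return (
      this._client.post(path, { body, ...options }) as Core.APIPromise<{ result: GroupCreateResponse }>
    )._thenUnwrap((obj) => obj.result);
  }

  /**
   * Lists all Access groups.
   *
   * @param accountOrZone - First path segment (presumably `accounts` or `zones` — confirm against the API reference).
   * @param accountOrZoneId - Identifier placed in the second path segment.
   * @param options - Per-request options.
   * @returns A promise for the `result` field of the response, which may be `null`.
   */
  list(
    accountOrZone: string,
    accountOrZoneId: string,
    options?: Core.RequestOptions,
  ): Core.APIPromise<GroupListResponse | null> {
    const path = `/${encodeURIComponent(accountOrZone)}/${encodeURIComponent(accountOrZoneId)}/access/groups`;
    return (
      this._client.get(path, options) as Core.APIPromise<{ result: GroupListResponse | null }>
    )._thenUnwrap((obj) => obj.result);
  }

  /**
   * Deletes an Access group.
   *
   * @param accountOrZone - First path segment (presumably `accounts` or `zones` — confirm against the API reference).
   * @param accountOrZoneId - Identifier placed in the second path segment.
   * @param uuid - Identifier of the group, placed in the last path segment.
   * @param options - Per-request options.
   * @returns A promise for the `result` field of the response.
   */
  delete(
    accountOrZone: string,
    accountOrZoneId: string,
    uuid: string,
    options?: Core.RequestOptions,
  ): Core.APIPromise<GroupDeleteResponse> {
    const path = `/${encodeURIComponent(accountOrZone)}/${encodeURIComponent(
      accountOrZoneId,
    )}/access/groups/${encodeURIComponent(uuid)}`;
    return (
      this._client.delete(path, options) as Core.APIPromise<{ result: GroupDeleteResponse }>
    )._thenUnwrap((obj) => obj.result);
  }

  /**
   * Fetches a single Access group.
   *
   * @param accountOrZone - First path segment (presumably `accounts` or `zones` — confirm against the API reference).
   * @param accountOrZoneId - Identifier placed in the second path segment.
   * @param uuid - Identifier of the group, placed in the last path segment.
   * @param options - Per-request options.
   * @returns A promise for the `result` field of the response.
   */
  get(
    accountOrZone: string,
    accountOrZoneId: string,
    uuid: string,
    options?: Core.RequestOptions,
  ): Core.APIPromise<GroupGetResponse> {
    const path = `/${encodeURIComponent(accountOrZone)}/${encodeURIComponent(
      accountOrZoneId,
    )}/access/groups/${encodeURIComponent(uuid)}`;
    return (
      this._client.get(path, options) as Core.APIPromise<{ result: GroupGetResponse }>
    )._thenUnwrap((obj) => obj.result);
  }

  /**
   * Updates a configured Access group. The request is sent as a PUT carrying
   * `body`.
   *
   * @param accountOrZone - First path segment (presumably `accounts` or `zones` — confirm against the API reference).
   * @param accountOrZoneId - Identifier placed in the second path segment.
   * @param uuid - Identifier of the group, placed in the last path segment.
   * @param body - Request body sent with the PUT.
   * @param options - Per-request options, spread into the request after `body`.
   * @returns A promise for the `result` field of the response.
   */
  replace(
    accountOrZone: string,
    accountOrZoneId: string,
    uuid: string,
    body: GroupReplaceParams,
    options?: Core.RequestOptions,
  ): Core.APIPromise<GroupReplaceResponse> {
    const path = `/${encodeURIComponent(accountOrZone)}/${encodeURIComponent(
      accountOrZoneId,
    )}/access/groups/${encodeURIComponent(uuid)}`;
    return (
      this._client.put(path, { body, ...options }) as Core.APIPromise<{ result: GroupReplaceResponse }>
    )._thenUnwrap((obj) => obj.result);
  }
}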
92
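/**
 * Shape of the `result` returned when an Access group is created.
 *
 * The three rule lists combine as the field comments describe: `include` is
 * OR-ed, `require` is AND-ed, and `exclude` is a NOT.
 */
export interface GroupCreateResponse {
  /**
   * UUID
   */
  id?: string;

  created_at?: string;

  /**
   * Rules evaluated with a NOT logical operator. To match a policy, a user cannot
   * meet any of the Exclude rules.
   */
  exclude?: Array<
    | GroupCreateResponse.AccessEmailRule
    | GroupCreateResponse.AccessEmailListRule
    | GroupCreateResponse.AccessDomainRule
    | GroupCreateResponse.AccessEveryoneRule
    | GroupCreateResponse.AccessIPRule
    | GroupCreateResponse.AccessIPListRule
    | GroupCreateResponse.AccessCertificateRule
    | GroupCreateResponse.AccessAccessGroupRule
    | GroupCreateResponse.AccessAzureGroupRule
    | GroupCreateResponse.AccessGitHubOrganizationRule
    | GroupCreateResponse.AccessGsuiteGroupRule
    | GroupCreateResponse.AccessOktaGroupRule
    | GroupCreateResponse.AccessSamlGroupRule
    | GroupCreateResponse.AccessServiceTokenRule
    | GroupCreateResponse.AccessAnyValidServiceTokenRule
    | GroupCreateResponse.AccessExternalEvaluationRule
    | GroupCreateResponse.AccessCountryRule
    | GroupCreateResponse.AccessAuthenticationMethodRule
    | GroupCreateResponse.AccessDevicePostureRule
  >;

  /**
   * Rules evaluated with an OR logical operator. A user needs to meet only one of
   * the Include rules.
   */
  include?: Array<
    | GroupCreateResponse.AccessEmailRule
    | GroupCreateResponse.AccessEmailListRule
    | GroupCreateResponse.AccessDomainRule
    | GroupCreateResponse.AccessEveryoneRule
    | GroupCreateResponse.AccessIPRule
    | GroupCreateResponse.AccessIPListRule
    | GroupCreateResponse.AccessCertificateRule
    | GroupCreateResponse.AccessAccessGroupRule
    | GroupCreateResponse.AccessAzureGroupRule
    | GroupCreateResponse.AccessGitHubOrganizationRule
    | GroupCreateResponse.AccessGsuiteGroupRule
    | GroupCreateResponse.AccessOktaGroupRule
    | GroupCreateResponse.AccessSamlGroupRule
    | GroupCreateResponse.AccessServiceTokenRule
    | GroupCreateResponse.AccessAnyValidServiceTokenRule
    | GroupCreateResponse.AccessExternalEvaluationRule
    | GroupCreateResponse.AccessCountryRule
    | GroupCreateResponse.AccessAuthenticationMethodRule
    | GroupCreateResponse.AccessDevicePostureRule
  >;

  /**
   * NOTE(review): the generated description of this field was a verbatim copy of
   * the one on `require` ("Rules evaluated with an AND logical operator. To match
   * a policy, a user must meet all of the Require rules."), and the element type
   * is the same rule union. The name suggests a flag rather than a rule list;
   * confirm against the OpenAPI spec before using this field in an access
   * decision.
   */
  is_default?: Array<
    | GroupCreateResponse.AccessEmailRule
    | GroupCreateResponse.AccessEmailListRule
    | GroupCreateResponse.AccessDomainRule
    | GroupCreateResponse.AccessEveryoneRule
    | GroupCreateResponse.AccessIPRule
    | GroupCreateResponse.AccessIPListRule
    | GroupCreateResponse.AccessCertificateRule
    | GroupCreateResponse.AccessAccessGroupRule
    | GroupCreateResponse.AccessAzureGroupRule
    | GroupCreateResponse.AccessGitHubOrganizationRule
    | GroupCreateResponse.AccessGsuiteGroupRule
    | GroupCreateResponse.AccessOktaGroupRule
    | GroupCreateResponse.AccessSamlGroupRule
    | GroupCreateResponse.AccessServiceTokenRule
    | GroupCreateResponse.AccessAnyValidServiceTokenRule
    | GroupCreateResponse.AccessExternalEvaluationRule
    | GroupCreateResponse.AccessCountryRule
    | GroupCreateResponse.AccessAuthenticationMethodRule
    | GroupCreateResponse.AccessDevicePostureRule
  >;

  /**
   * The name of the Access group.
   */
  name?: string;

  /**
   * Rules evaluated with an AND logical operator. To match a policy, a user must
   * meet all of the Require rules.
   */
  require?: Array<
    | GroupCreateResponse.AccessEmailRule
    | GroupCreateResponse.AccessEmailListRule
    | GroupCreateResponse.AccessDomainRule
    | GroupCreateResponse.AccessEveryoneRule
    | GroupCreateResponse.AccessIPRule
    | GroupCreateResponse.AccessIPListRule
    | GroupCreateResponse.AccessCertificateRule
    | GroupCreateResponse.AccessAccessGroupRule
    | GroupCreateResponse.AccessAzureGroupRule
    | GroupCreateResponse.AccessGitHubOrganizationRule
    | GroupCreateResponse.AccessGsuiteGroupRule
    | GroupCreateResponse.AccessOktaGroupRule
    | GroupCreateResponse.AccessSamlGroupRule
    | GroupCreateResponse.AccessServiceTokenRule
    | GroupCreateResponse.AccessAnyValidServiceTokenRule
    | GroupCreateResponse.AccessExternalEvaluationRule
    | GroupCreateResponse.AccessCountryRule
    | GroupCreateResponse.AccessAuthenticationMethodRule
    | GroupCreateResponse.AccessDevicePostureRule
  >;

  updated_at?: string;
}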
212
213export namespace GroupCreateResponse {
214 /**
215 * Matches a specific email.
216 */
217 export interface AccessEmailRule {
218 email: AccessEmailRule.Email;
219 }
220
221 export namespace AccessEmailRule {
222 export interface Email {
223 /**
224 * The email of the user.
225 */
226 email: string;
227 }
228 }
229
230 /**
231 * Matches an email address from a list.
232 */
233 export interface AccessEmailListRule {
234 email_list: AccessEmailListRule.EmailList;
235 }
236
237 export namespace AccessEmailListRule {
238 export interface EmailList {
239 /**
240 * The ID of a previously created email list.
241 */
242 id: string;
243 }
244 }
245
246 /**
247 * Match an entire email domain.
248 */
249 export interface AccessDomainRule {
250 email_domain: AccessDomainRule.EmailDomain;
251 }
252
253 export namespace AccessDomainRule {
254 export interface EmailDomain {
255 /**
256 * The email domain to match.
257 */
258 domain: string;
259 }
260 }
261
262 /**
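263 * Matches everyone. In an `include` list, where meeting one rule is enough, this rule alone lets every user match; combine it with `require` or `exclude` rules when access must be narrower.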
264 */
265 export interface AccessEveryoneRule {
266 /**
267 * An empty object which matches on all users.
268 */
269 everyone: unknown;
270 }
271
272 /**
273 * Matches an IP address block.
274 */
275 export interface AccessIPRule {
276 ip: AccessIPRule.IP;
277 }
278
279 export namespace AccessIPRule {
280 export interface IP {
281 /**
282 * An IPv4 or IPv6 CIDR block.
283 */
284 ip: string;
285 }
286 }
287
288 /**
289 * Matches an IP address from a list.
290 */
291 export interface AccessIPListRule {
292 ip_list: AccessIPListRule.IPList;
293 }
294
295 export namespace AccessIPListRule {
296 export interface IPList {
297 /**
298 * The ID of a previously created IP list.
299 */
300 id: string;
301 }
302 }
303
304 /**
305 * Matches any valid client certificate.
306 */
307 export interface AccessCertificateRule {
308 certificate: unknown;
309 }
310
311 /**
312 * Matches an Access group.
313 */
314 export interface AccessAccessGroupRule {
315 group: AccessAccessGroupRule.Group;
316 }
317
318 export namespace AccessAccessGroupRule {
319 export interface Group {
320 /**
321 * The ID of a previously created Access group.
322 */
323 id: string;
324 }
325 }
326
327 /**
328 * Matches an Azure group. Requires an Azure identity provider.
329 */
330 export interface AccessAzureGroupRule {
331 azureAD: AccessAzureGroupRule.AzureAd;
332 }
333
334 export namespace AccessAzureGroupRule {
335 export interface AzureAd {
336 /**
337 * The ID of an Azure group.
338 */
339 id: string;
340
341 /**
342 * The ID of your Azure identity provider.
343 */
344 connection_id: string;
345 }
346 }
347
348 /**
349 * Matches a Github organization. Requires a Github identity provider.
350 */
351 export interface AccessGitHubOrganizationRule {
352 'github-organization': AccessGitHubOrganizationRule.GitHubOrganization;
353 }
354
355 export namespace AccessGitHubOrganizationRule {
356 export interface GitHubOrganization {
357 /**
358 * The ID of your Github identity provider.
359 */
360 connection_id: string;
361
362 /**
363 * The name of the organization.
364 */
365 name: string;
366 }
367 }
368
369 /**
370 * Matches a group in Google Workspace. Requires a Google Workspace identity
371 * provider.
372 */
373 export interface AccessGsuiteGroupRule {
374 gsuite: AccessGsuiteGroupRule.Gsuite;
375 }
376
377 export namespace AccessGsuiteGroupRule {
378 export interface Gsuite {
379 /**
380 * The ID of your Google Workspace identity provider.
381 */
382 connection_id: string;
383
384 /**
385 * The email of the Google Workspace group.
386 */
387 email: string;
388 }
389 }
390
391 /**
392 * Matches an Okta group. Requires an Okta identity provider.
393 */
394 export interface AccessOktaGroupRule {
395 okta: AccessOktaGroupRule.Okta;
396 }
397
398 export namespace AccessOktaGroupRule {
399 export interface Okta {
400 /**
401 * The ID of your Okta identity provider.
402 */
403 connection_id: string;
404
405 /**
406 * The email of the Okta group.
407 */
408 email: string;
409 }
410 }
411
412 /**
413 * Matches a SAML group. Requires a SAML identity provider.
414 */
415 export interface AccessSamlGroupRule {
416 saml: AccessSamlGroupRule.Saml;
417 }
418
419 export namespace AccessSamlGroupRule {
420 export interface Saml {
421 /**
422 * The name of the SAML attribute.
423 */
424 attribute_name: string;
425
426 /**
427 * The SAML attribute value to look for.
428 */
429 attribute_value: string;
430 }
431 }
432
433 /**
434 * Matches a specific Access Service Token
435 */
436 export interface AccessServiceTokenRule {
437 service_token: AccessServiceTokenRule.ServiceToken;
438 }
439
440 export namespace AccessServiceTokenRule {
441 export interface ServiceToken {
442 /**
443 * The ID of a Service Token.
444 */
445 token_id: string;
446 }
447 }
448
449 /**
450 * Matches any valid Access Service Token, i.e. every service token matches rather than one specific `token_id`.
451 */
452 export interface AccessAnyValidServiceTokenRule {
453 /**
454 * An empty object which matches on all service tokens.
455 */
456 any_valid_service_token: unknown;
457 }
458
459 /**
460 * Create Allow or Block policies which evaluate the user based on custom criteria.
461 */
462 export interface AccessExternalEvaluationRule {
463 external_evaluation: AccessExternalEvaluationRule.ExternalEvaluation;
464 }
465
466 export namespace AccessExternalEvaluationRule {
467 export interface ExternalEvaluation {
468 /**
469 * The API endpoint containing your business logic.
470 */
471 evaluate_url: string;
472
473 /**
474 * The API endpoint containing the key that Access uses to verify that the response
475 * came from your API.
476 */
477 keys_url: string;
478 }
479 }
480
481 /**
482 * Matches a specific country
483 */
484 export interface AccessCountryRule {
485 geo: AccessCountryRule.Geo;
486 }
487
488 export namespace AccessCountryRule {
489 export interface Geo {
490 /**
491 * The country code that should be matched.
492 */
493 country_code: string;
494 }
495 }
496
497 /**
498 * Enforce different MFA options
499 */
500 export interface AccessAuthenticationMethodRule {
501 auth_method: AccessAuthenticationMethodRule.AuthMethod;
502 }
503
504 export namespace AccessAuthenticationMethodRule {
505 export interface AuthMethod {
506 /**
507 * The type of authentication method https://datatracker.ietf.org/doc/html/rfc8176.
508 */
509 auth_method: string;
510 }
511 }
512
513 /**
514 * Enforces that a device posture rule has run successfully.
515 */
516 export interface AccessDevicePostureRule {
517 device_posture: AccessDevicePostureRule.DevicePosture;
518 }
519
520 export namespace AccessDevicePostureRule {
521 export interface DevicePosture {
522 /**
523 * The ID of a device posture integration.
524 */
525 integration_uid: string;
526 }
527 }
528
529 /**
530 * Matches a specific email.
531 */
532 export interface AccessEmailRule {
533 email: AccessEmailRule.Email;
534 }
535
536 export namespace AccessEmailRule {
537 export interface Email {
538 /**
539 * The email of the user.
540 */
541 email: string;
542 }
543 }
544
545 /**
546 * Matches an email address from a list.
547 */
548 export interface AccessEmailListRule {
549 email_list: AccessEmailListRule.EmailList;
550 }
551
552 export namespace AccessEmailListRule {
553 export interface EmailList {
554 /**
555 * The ID of a previously created email list.
556 */
557 id: string;
558 }
559 }
560
561 /**
562 * Match an entire email domain.
563 */
564 export interface AccessDomainRule {
565 email_domain: AccessDomainRule.EmailDomain;
566 }
567
568 export namespace AccessDomainRule {
569 export interface EmailDomain {
570 /**
571 * The email domain to match.
572 */
573 domain: string;
574 }
575 }
576
577 /**
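578 * Matches everyone. In an `include` list, where meeting one rule is enough, this rule alone lets every user match; combine it with `require` or `exclude` rules when access must be narrower.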
579 */
580 export interface AccessEveryoneRule {
581 /**
582 * An empty object which matches on all users.
583 */
584 everyone: unknown;
585 }
586
587 /**
588 * Matches an IP address block.
589 */
590 export interface AccessIPRule {
591 ip: AccessIPRule.IP;
592 }
593
594 export namespace AccessIPRule {
595 export interface IP {
596 /**
597 * An IPv4 or IPv6 CIDR block.
598 */
599 ip: string;
600 }
601 }
602
603 /**
604 * Matches an IP address from a list.
605 */
606 export interface AccessIPListRule {
607 ip_list: AccessIPListRule.IPList;
608 }
609
610 export namespace AccessIPListRule {
611 export interface IPList {
612 /**
613 * The ID of a previously created IP list.
614 */
615 id: string;
616 }
617 }
618
619 /**
620 * Matches any valid client certificate.
621 */
622 export interface AccessCertificateRule {
623 certificate: unknown;
624 }
625
626 /**
627 * Matches an Access group.
628 */
629 export interface AccessAccessGroupRule {
630 group: AccessAccessGroupRule.Group;
631 }
632
633 export namespace AccessAccessGroupRule {
634 export interface Group {
635 /**
636 * The ID of a previously created Access group.
637 */
638 id: string;
639 }
640 }
641
642 /**
643 * Matches an Azure group. Requires an Azure identity provider.
644 */
645 export interface AccessAzureGroupRule {
646 azureAD: AccessAzureGroupRule.AzureAd;
647 }
648
649 export namespace AccessAzureGroupRule {
650 export interface AzureAd {
651 /**
652 * The ID of an Azure group.
653 */
654 id: string;
655
656 /**
657 * The ID of your Azure identity provider.
658 */
659 connection_id: string;
660 }
661 }
662
663 /**
664 * Matches a Github organization. Requires a Github identity provider.
665 */
666 export interface AccessGitHubOrganizationRule {
667 'github-organization': AccessGitHubOrganizationRule.GitHubOrganization;
668 }
669
670 export namespace AccessGitHubOrganizationRule {
671 export interface GitHubOrganization {
672 /**
673 * The ID of your Github identity provider.
674 */
675 connection_id: string;
676
677 /**
678 * The name of the organization.
679 */
680 name: string;
681 }
682 }
683
684 /**
685 * Matches a group in Google Workspace. Requires a Google Workspace identity
686 * provider.
687 */
688 export interface AccessGsuiteGroupRule {
689 gsuite: AccessGsuiteGroupRule.Gsuite;
690 }
691
692 export namespace AccessGsuiteGroupRule {
693 export interface Gsuite {
694 /**
695 * The ID of your Google Workspace identity provider.
696 */
697 connection_id: string;
698
699 /**
700 * The email of the Google Workspace group.
701 */
702 email: string;
703 }
704 }
705
706 /**
707 * Matches an Okta group. Requires an Okta identity provider.
708 */
709 export interface AccessOktaGroupRule {
710 okta: AccessOktaGroupRule.Okta;
711 }
712
713 export namespace AccessOktaGroupRule {
714 export interface Okta {
715 /**
716 * The ID of your Okta identity provider.
717 */
718 connection_id: string;
719
720 /**
721 * The email of the Okta group.
722 */
723 email: string;
724 }
725 }
726
727 /**
728 * Matches a SAML group. Requires a SAML identity provider.
729 */
730 export interface AccessSamlGroupRule {
731 saml: AccessSamlGroupRule.Saml;
732 }
733
734 export namespace AccessSamlGroupRule {
735 export interface Saml {
736 /**
737 * The name of the SAML attribute.
738 */
739 attribute_name: string;
740
741 /**
742 * The SAML attribute value to look for.
743 */
744 attribute_value: string;
745 }
746 }
747
748 /**
749 * Matches a specific Access Service Token
750 */
751 export interface AccessServiceTokenRule {
752 service_token: AccessServiceTokenRule.ServiceToken;
753 }
754
755 export namespace AccessServiceTokenRule {
756 export interface ServiceToken {
757 /**
758 * The ID of a Service Token.
759 */
760 token_id: string;
761 }
762 }
763
764 /**
765 * Matches any valid Access Service Token, i.e. every service token matches rather than one specific `token_id`.
766 */
767 export interface AccessAnyValidServiceTokenRule {
768 /**
769 * An empty object which matches on all service tokens.
770 */
771 any_valid_service_token: unknown;
772 }
773
774 /**
775 * Create Allow or Block policies which evaluate the user based on custom criteria.
776 */
777 export interface AccessExternalEvaluationRule {
778 external_evaluation: AccessExternalEvaluationRule.ExternalEvaluation;
779 }
780
781 export namespace AccessExternalEvaluationRule {
782 export interface ExternalEvaluation {
783 /**
784 * The API endpoint containing your business logic.
785 */
786 evaluate_url: string;
787
788 /**
789 * The API endpoint containing the key that Access uses to verify that the response
790 * came from your API.
791 */
792 keys_url: string;
793 }
794 }
795
796 /**
797 * Matches a specific country
798 */
799 export interface AccessCountryRule {
800 geo: AccessCountryRule.Geo;
801 }
802
803 export namespace AccessCountryRule {
804 export interface Geo {
805 /**
806 * The country code that should be matched.
807 */
808 country_code: string;
809 }
810 }
811
812 /**
813 * Enforce different MFA options
814 */
815 export interface AccessAuthenticationMethodRule {
816 auth_method: AccessAuthenticationMethodRule.AuthMethod;
817 }
818
819 export namespace AccessAuthenticationMethodRule {
820 export interface AuthMethod {
821 /**
822 * The type of authentication method https://datatracker.ietf.org/doc/html/rfc8176.
823 */
824 auth_method: string;
825 }
826 }
827
828 /**
829 * Enforces that a device posture rule has run successfully.
830 */
831 export interface AccessDevicePostureRule {
832 device_posture: AccessDevicePostureRule.DevicePosture;
833 }
834
835 export namespace AccessDevicePostureRule {
836 export interface DevicePosture {
837 /**
838 * The ID of a device posture integration.
839 */
840 integration_uid: string;
841 }
842 }
843
844 /**
845 * Matches a specific email.
846 */
847 export interface AccessEmailRule {
848 email: AccessEmailRule.Email;
849 }
850
851 export namespace AccessEmailRule {
852 export interface Email {
853 /**
854 * The email of the user.
855 */
856 email: string;
857 }
858 }
859
860 /**
861 * Matches an email address from a list.
862 */
863 export interface AccessEmailListRule {
864 email_list: AccessEmailListRule.EmailList;
865 }
866
867 export namespace AccessEmailListRule {
868 export interface EmailList {
869 /**
870 * The ID of a previously created email list.
871 */
872 id: string;
873 }
874 }
875
876 /**
877 * Match an entire email domain.
878 */
879 export interface AccessDomainRule {
880 email_domain: AccessDomainRule.EmailDomain;
881 }
882
883 export namespace AccessDomainRule {
884 export interface EmailDomain {
885 /**
886 * The email domain to match.
887 */
888 domain: string;
889 }
890 }
891
892 /**
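893 * Matches everyone. In an `include` list, where meeting one rule is enough, this rule alone lets every user match; combine it with `require` or `exclude` rules when access must be narrower.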
894 */
895 export interface AccessEveryoneRule {
896 /**
897 * An empty object which matches on all users.
898 */
899 everyone: unknown;
900 }
901
902 /**
903 * Matches an IP address block.
904 */
905 export interface AccessIPRule {
906 ip: AccessIPRule.IP;
907 }
908
909 export namespace AccessIPRule {
910 export interface IP {
911 /**
912 * An IPv4 or IPv6 CIDR block.
913 */
914 ip: string;
915 }
916 }
917
918 /**
919 * Matches an IP address from a list.
920 */
921 export interface AccessIPListRule {
922 ip_list: AccessIPListRule.IPList;
923 }
924
925 export namespace AccessIPListRule {
926 export interface IPList {
927 /**
928 * The ID of a previously created IP list.
929 */
930 id: string;
931 }
932 }
933
934 /**
935 * Matches any valid client certificate.
936 */
937 export interface AccessCertificateRule {
938 certificate: unknown;
939 }
940
941 /**
942 * Matches an Access group.
943 */
944 export interface AccessAccessGroupRule {
945 group: AccessAccessGroupRule.Group;
946 }
947
948 export namespace AccessAccessGroupRule {
949 export interface Group {
950 /**
951 * The ID of a previously created Access group.
952 */
953 id: string;
954 }
955 }
956
957 /**
958 * Matches an Azure group. Requires an Azure identity provider.
959 */
960 export interface AccessAzureGroupRule {
961 azureAD: AccessAzureGroupRule.AzureAd;
962 }
963
964 export namespace AccessAzureGroupRule {
965 export interface AzureAd {
966 /**
967 * The ID of an Azure group.
968 */
969 id: string;
970
971 /**
972 * The ID of your Azure identity provider.
973 */
974 connection_id: string;
975 }
976 }
977
978 /**
979 * Matches a Github organization. Requires a Github identity provider.
980 */
981 export interface AccessGitHubOrganizationRule {
982 'github-organization': AccessGitHubOrganizationRule.GitHubOrganization;
983 }
984
985 export namespace AccessGitHubOrganizationRule {
986 export interface GitHubOrganization {
987 /**
988 * The ID of your Github identity provider.
989 */
990 connection_id: string;
991
992 /**
993 * The name of the organization.
994 */
995 name: string;
996 }
997 }
998
999 /**
1000 * Matches a group in Google Workspace. Requires a Google Workspace identity
1001 * provider.
1002 */
1003 export interface AccessGsuiteGroupRule {
1004 gsuite: AccessGsuiteGroupRule.Gsuite;
1005 }
1006
1007 export namespace AccessGsuiteGroupRule {
1008 export interface Gsuite {
1009 /**
1010 * The ID of your Google Workspace identity provider.
1011 */
1012 connection_id: string;
1013
1014 /**
1015 * The email of the Google Workspace group.
1016 */
1017 email: string;
1018 }
1019 }
1020
1021 /**
1022 * Matches an Okta group. Requires an Okta identity provider.
1023 */
1024 export interface AccessOktaGroupRule {
1025 okta: AccessOktaGroupRule.Okta;
1026 }
1027
1028 export namespace AccessOktaGroupRule {
1029 export interface Okta {
1030 /**
1031 * The ID of your Okta identity provider.
1032 */
1033 connection_id: string;
1034
1035 /**
1036 * The email of the Okta group.
1037 */
1038 email: string;
1039 }
1040 }
1041
1042 /**
1043 * Matches a SAML group. Requires a SAML identity provider.
1044 */
1045 export interface AccessSamlGroupRule {
1046 saml: AccessSamlGroupRule.Saml;
1047 }
1048
1049 export namespace AccessSamlGroupRule {
1050 export interface Saml {
1051 /**
1052 * The name of the SAML attribute.
1053 */
1054 attribute_name: string;
1055
1056 /**
1057 * The SAML attribute value to look for.
1058 */
1059 attribute_value: string;
1060 }
1061 }
1062
1063 /**
1064 * Matches a specific Access Service Token
1065 */
1066 export interface AccessServiceTokenRule {
1067 service_token: AccessServiceTokenRule.ServiceToken;
1068 }
1069
1070 export namespace AccessServiceTokenRule {
1071 export interface ServiceToken {
1072 /**
1073 * The ID of a Service Token.
1074 */
1075 token_id: string;
1076 }
1077 }
1078
1079 /**
1080 * Matches any valid Access Service Token, i.e. every service token matches rather than one specific `token_id`.
1081 */
1082 export interface AccessAnyValidServiceTokenRule {
1083 /**
1084 * An empty object which matches on all service tokens.
1085 */
1086 any_valid_service_token: unknown;
1087 }
1088
1089 /**
1090 * Create Allow or Block policies which evaluate the user based on custom criteria.
1091 */
1092 export interface AccessExternalEvaluationRule {
1093 external_evaluation: AccessExternalEvaluationRule.ExternalEvaluation;
1094 }
1095
1096 export namespace AccessExternalEvaluationRule {
1097 export interface ExternalEvaluation {
1098 /**
1099 * The API endpoint containing your business logic.
1100 */
1101 evaluate_url: string;
1102
1103 /**
1104 * The API endpoint containing the key that Access uses to verify that the response
1105 * came from your API.
1106 */
1107 keys_url: string;
1108 }
1109 }
1110
1111 /**
1112 * Matches a specific country
1113 */
1114 export interface AccessCountryRule {
1115 geo: AccessCountryRule.Geo;
1116 }
1117
1118 export namespace AccessCountryRule {
1119 export interface Geo {
1120 /**
1121 * The country code that should be matched.
1122 */
1123 country_code: string;
1124 }
1125 }
1126
1127 /**
1128 * Enforce different MFA options
1129 */
1130 export interface AccessAuthenticationMethodRule {
1131 auth_method: AccessAuthenticationMethodRule.AuthMethod;
1132 }
1133
1134 export namespace AccessAuthenticationMethodRule {
1135 export interface AuthMethod {
1136 /**
1137 * The type of authentication method https://datatracker.ietf.org/doc/html/rfc8176.
1138 */
1139 auth_method: string;
1140 }
1141 }
1142
1143 /**
1144 * Enforces that a device posture rule has run successfully.
1145 */
1146 export interface AccessDevicePostureRule {
1147 device_posture: AccessDevicePostureRule.DevicePosture;
1148 }
1149
1150 export namespace AccessDevicePostureRule {
1151 export interface DevicePosture {
1152 /**
1153 * The ID of a device posture integration.
1154 */
1155 integration_uid: string;
1156 }
1157 }
1158
1159 /**
1160 * Matches a specific email.
1161 */
1162 export interface AccessEmailRule {
1163 email: AccessEmailRule.Email;
1164 }
1165
1166 export namespace AccessEmailRule {
1167 export interface Email {
1168 /**
1169 * The email of the user.
1170 */
1171 email: string;
1172 }
1173 }
1174
1175 /**
1176 * Matches an email address from a list.
1177 */
1178 export interface AccessEmailListRule {
1179 email_list: AccessEmailListRule.EmailList;
1180 }
1181
1182 export namespace AccessEmailListRule {
1183 export interface EmailList {
1184 /**
1185 * The ID of a previously created email list.
1186 */
1187 id: string;
1188 }
1189 }
1190
1191 /**
1192 * Match an entire email domain.
1193 */
1194 export interface AccessDomainRule {
1195 email_domain: AccessDomainRule.EmailDomain;
1196 }
1197
1198 export namespace AccessDomainRule {
1199 export interface EmailDomain {
1200 /**
1201 * The email domain to match.
1202 */
1203 domain: string;
1204 }
1205 }
1206
1207 /**
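1208 * Matches everyone. In an `include` list, where meeting one rule is enough, this rule alone lets every user match; combine it with `require` or `exclude` rules when access must be narrower.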
1209 */
1210 export interface AccessEveryoneRule {
1211 /**
1212 * An empty object which matches on all users.
1213 */
1214 everyone: unknown;
1215 }
1216
1217 /**
1218 * Matches an IP address block.
1219 */
1220 export interface AccessIPRule {
1221 ip: AccessIPRule.IP;
1222 }
1223
1224 export namespace AccessIPRule {
1225 export interface IP {
1226 /**
1227 * An IPv4 or IPv6 CIDR block.
1228 */
1229 ip: string;
1230 }
1231 }
1232
1233 /**
1234 * Matches an IP address from a list.
1235 */
1236 export interface AccessIPListRule {
1237 ip_list: AccessIPListRule.IPList;
1238 }
1239
1240 export namespace AccessIPListRule {
1241 export interface IPList {
1242 /**
1243 * The ID of a previously created IP list.
1244 */
1245 id: string;
1246 }
1247 }
1248
1249 /**
1250 * Matches any valid client certificate.
1251 */
1252 export interface AccessCertificateRule {
1253 certificate: unknown;
1254 }
1255
1256 /**
1257 * Matches an Access group.
1258 */
1259 export interface AccessAccessGroupRule {
1260 group: AccessAccessGroupRule.Group;
1261 }
1262
1263 export namespace AccessAccessGroupRule {
1264 export interface Group {
1265 /**
1266 * The ID of a previously created Access group.
1267 */
1268 id: string;
1269 }
1270 }
1271
1272 /**
1273 * Matches an Azure group. Requires an Azure identity provider.
1274 */
1275 export interface AccessAzureGroupRule {
1276 azureAD: AccessAzureGroupRule.AzureAd;
1277 }
1278
1279 export namespace AccessAzureGroupRule {
1280 export interface AzureAd {
1281 /**
1282 * The ID of an Azure group.
1283 */
1284 id: string;
1285
1286 /**
1287 * The ID of your Azure identity provider.
1288 */
1289 connection_id: string;
1290 }
1291 }
1292
1293 /**
1294 * Matches a Github organization. Requires a Github identity provider.
1295 */
1296 export interface AccessGitHubOrganizationRule {
1297 'github-organization': AccessGitHubOrganizationRule.GitHubOrganization;
1298 }
1299
1300 export namespace AccessGitHubOrganizationRule {
1301 export interface GitHubOrganization {
1302 /**
1303 * The ID of your Github identity provider.
1304 */
1305 connection_id: string;
1306
1307 /**
1308 * The name of the organization.
1309 */
1310 name: string;
1311 }
1312 }
1313
1314 /**
1315 * Matches a group in Google Workspace. Requires a Google Workspace identity
1316 * provider.
1317 */
1318 export interface AccessGsuiteGroupRule {
1319 gsuite: AccessGsuiteGroupRule.Gsuite;
1320 }
1321
1322 export namespace AccessGsuiteGroupRule {
1323 export interface Gsuite {
1324 /**
1325 * The ID of your Google Workspace identity provider.
1326 */
1327 connection_id: string;
1328
1329 /**
1330 * The email of the Google Workspace group.
1331 */
1332 email: string;
1333 }
1334 }
1335
1336 /**
1337 * Matches an Okta group. Requires an Okta identity provider.
1338 */
1339 export interface AccessOktaGroupRule {
1340 okta: AccessOktaGroupRule.Okta;
1341 }
1342
1343 export namespace AccessOktaGroupRule {
1344 export interface Okta {
1345 /**
1346 * The ID of your Okta identity provider.
1347 */
1348 connection_id: string;
1349
1350 /**
1351 * The email of the Okta group.
1352 */
1353 email: string;
1354 }
1355 }
1356
1357 /**
1358 * Matches a SAML group. Requires a SAML identity provider.
1359 */
1360 export interface AccessSamlGroupRule {
1361 saml: AccessSamlGroupRule.Saml;
1362 }
1363
1364 export namespace AccessSamlGroupRule {
1365 export interface Saml {
1366 /**
1367 * The name of the SAML attribute.
1368 */
1369 attribute_name: string;
1370
1371 /**
1372 * The SAML attribute value to look for.
1373 */
1374 attribute_value: string;
1375 }
1376 }
1377
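/**
 * Matches a specific Access Service Token.
 */
export interface AccessServiceTokenRule {
  /** References the token by ID; no secret value is declared in this shape. */
  service_token: AccessServiceTokenRule.ServiceToken;
}

export namespace AccessServiceTokenRule {
  export interface ServiceToken {
    /**
     * The ID of a Service Token.
     */
    token_id: string;
  }
}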
1393
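/**
 * Matches any valid Access Service Token.
 *
 * The rule is not scoped to a particular token: every valid service token
 * satisfies it. `AccessServiceTokenRule` is the shape that names one token by
 * ID.
 */
export interface AccessAnyValidServiceTokenRule {
  /**
   * An empty object which matches on all service tokens. Typed as `unknown`,
   * so the compiler does not enforce the empty-object shape.
   */
  any_valid_service_token: unknown;
}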
1403
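/**
 * Create Allow or Block policies which evaluate the user based on custom criteria.
 *
 * The decision is delegated to the endpoint named in `evaluate_url`, and the
 * key used to verify its responses is fetched from `keys_url`, so both
 * endpoints are part of the trust boundary of any policy using this rule.
 */
export interface AccessExternalEvaluationRule {
  external_evaluation: AccessExternalEvaluationRule.ExternalEvaluation;
}

export namespace AccessExternalEvaluationRule {
  export interface ExternalEvaluation {
    /**
     * The API endpoint containing your business logic.
     * NOTE(review): typed as a plain string; scheme and host are not checked
     * at compile time.
     */
    evaluate_url: string;

    /**
     * The API endpoint containing the key that Access uses to verify that the response
     * came from your API.
     */
    keys_url: string;
  }
}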
1425
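/**
 * Matches a specific country.
 */
export interface AccessCountryRule {
  geo: AccessCountryRule.Geo;
}

export namespace AccessCountryRule {
  export interface Geo {
    /**
     * The country code that should be matched.
     * NOTE(review): the code format is not stated here (presumably ISO 3166-1
     * alpha-2) — confirm against the API documentation.
     */
    country_code: string;
  }
}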
1441
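/**
 * Enforce different MFA options.
 */
export interface AccessAuthenticationMethodRule {
  /** Wrapper object; the inner property carries the same name as this key. */
  auth_method: AccessAuthenticationMethodRule.AuthMethod;
}

export namespace AccessAuthenticationMethodRule {
  export interface AuthMethod {
    /**
     * The type of authentication method, as listed in RFC 8176:
     * https://datatracker.ietf.org/doc/html/rfc8176.
     * Typed as a plain string, so the value is not checked at compile time.
     */
    auth_method: string;
  }
}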
1457
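/**
 * Enforces that a device posture rule has run successfully.
 */
export interface AccessDevicePostureRule {
  device_posture: AccessDevicePostureRule.DevicePosture;
}

export namespace AccessDevicePostureRule {
  export interface DevicePosture {
    /**
     * The ID of a device posture integration.
     */
    integration_uid: string;
  }
}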
1473}
1474
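/**
 * Result of listing Access groups: an array with one item per group.
 */
export type GroupListResponse = Array<GroupListResponse.GroupListResponseItem>;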
1476
1477export namespace GroupListResponse {
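/**
 * One Access group as returned by the list call.
 *
 * Every property is optional in this type, so consumers have to handle
 * `undefined` for each of them, including the rule lists.
 */
export interface GroupListResponseItem {
  /**
   * UUID
   */
  id?: string;

  /**
   * NOTE(review): no description is given for this field; presumably a
   * creation timestamp — confirm the format.
   */
  created_at?: string;

  /**
   * Rules evaluated with a NOT logical operator. To match a policy, a user cannot
   * meet any of the Exclude rules.
   */
  exclude?: Array<
    | GroupListResponseItem.AccessEmailRule
    | GroupListResponseItem.AccessEmailListRule
    | GroupListResponseItem.AccessDomainRule
    | GroupListResponseItem.AccessEveryoneRule
    | GroupListResponseItem.AccessIPRule
    | GroupListResponseItem.AccessIPListRule
    | GroupListResponseItem.AccessCertificateRule
    | GroupListResponseItem.AccessAccessGroupRule
    | GroupListResponseItem.AccessAzureGroupRule
    | GroupListResponseItem.AccessGitHubOrganizationRule
    | GroupListResponseItem.AccessGsuiteGroupRule
    | GroupListResponseItem.AccessOktaGroupRule
    | GroupListResponseItem.AccessSamlGroupRule
    | GroupListResponseItem.AccessServiceTokenRule
    | GroupListResponseItem.AccessAnyValidServiceTokenRule
    | GroupListResponseItem.AccessExternalEvaluationRule
    | GroupListResponseItem.AccessCountryRule
    | GroupListResponseItem.AccessAuthenticationMethodRule
    | GroupListResponseItem.AccessDevicePostureRule
  >;

  /**
   * Rules evaluated with an OR logical operator. A user needs to meet only one of
   * the Include rules, so a single broad entry (for example a rule that matches
   * everyone) satisfies the whole list.
   */
  include?: Array<
    | GroupListResponseItem.AccessEmailRule
    | GroupListResponseItem.AccessEmailListRule
    | GroupListResponseItem.AccessDomainRule
    | GroupListResponseItem.AccessEveryoneRule
    | GroupListResponseItem.AccessIPRule
    | GroupListResponseItem.AccessIPListRule
    | GroupListResponseItem.AccessCertificateRule
    | GroupListResponseItem.AccessAccessGroupRule
    | GroupListResponseItem.AccessAzureGroupRule
    | GroupListResponseItem.AccessGitHubOrganizationRule
    | GroupListResponseItem.AccessGsuiteGroupRule
    | GroupListResponseItem.AccessOktaGroupRule
    | GroupListResponseItem.AccessSamlGroupRule
    | GroupListResponseItem.AccessServiceTokenRule
    | GroupListResponseItem.AccessAnyValidServiceTokenRule
    | GroupListResponseItem.AccessExternalEvaluationRule
    | GroupListResponseItem.AccessCountryRule
    | GroupListResponseItem.AccessAuthenticationMethodRule
    | GroupListResponseItem.AccessDevicePostureRule
  >;

  /**
   * Declared with the same rule-array type as `require`; the generated
   * description for this field was a verbatim copy of the one on `require`.
   *
   * NOTE(review): the field name suggests a default-group flag rather than a
   * rule list — confirm the real shape against the API schema before using
   * this field in any access decision.
   */
  is_default?: Array<
    | GroupListResponseItem.AccessEmailRule
    | GroupListResponseItem.AccessEmailListRule
    | GroupListResponseItem.AccessDomainRule
    | GroupListResponseItem.AccessEveryoneRule
    | GroupListResponseItem.AccessIPRule
    | GroupListResponseItem.AccessIPListRule
    | GroupListResponseItem.AccessCertificateRule
    | GroupListResponseItem.AccessAccessGroupRule
    | GroupListResponseItem.AccessAzureGroupRule
    | GroupListResponseItem.AccessGitHubOrganizationRule
    | GroupListResponseItem.AccessGsuiteGroupRule
    | GroupListResponseItem.AccessOktaGroupRule
    | GroupListResponseItem.AccessSamlGroupRule
    | GroupListResponseItem.AccessServiceTokenRule
    | GroupListResponseItem.AccessAnyValidServiceTokenRule
    | GroupListResponseItem.AccessExternalEvaluationRule
    | GroupListResponseItem.AccessCountryRule
    | GroupListResponseItem.AccessAuthenticationMethodRule
    | GroupListResponseItem.AccessDevicePostureRule
  >;

  /**
   * The name of the Access group.
   */
  name?: string;

  /**
   * Rules evaluated with an AND logical operator. To match a policy, a user must
   * meet all of the Require rules.
   */
  require?: Array<
    | GroupListResponseItem.AccessEmailRule
    | GroupListResponseItem.AccessEmailListRule
    | GroupListResponseItem.AccessDomainRule
    | GroupListResponseItem.AccessEveryoneRule
    | GroupListResponseItem.AccessIPRule
    | GroupListResponseItem.AccessIPListRule
    | GroupListResponseItem.AccessCertificateRule
    | GroupListResponseItem.AccessAccessGroupRule
    | GroupListResponseItem.AccessAzureGroupRule
    | GroupListResponseItem.AccessGitHubOrganizationRule
    | GroupListResponseItem.AccessGsuiteGroupRule
    | GroupListResponseItem.AccessOktaGroupRule
    | GroupListResponseItem.AccessSamlGroupRule
    | GroupListResponseItem.AccessServiceTokenRule
    | GroupListResponseItem.AccessAnyValidServiceTokenRule
    | GroupListResponseItem.AccessExternalEvaluationRule
    | GroupListResponseItem.AccessCountryRule
    | GroupListResponseItem.AccessAuthenticationMethodRule
    | GroupListResponseItem.AccessDevicePostureRule
  >;

  /**
   * NOTE(review): no description is given for this field; presumably a
   * last-modified timestamp — confirm the format.
   */
  updated_at?: string;
}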
1597
1598 export namespace GroupListResponseItem {
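/**
 * Matches one specific user email address.
 */
export interface AccessEmailRule {
  /** Wrapper object holding the address to match. */
  email: AccessEmailRule.Email;
}

export namespace AccessEmailRule {
  export interface Email {
    /**
     * The email of the user.
     */
    email: string;
  }
}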
1614
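/**
 * Matches an email address from a list.
 *
 * Only the list ID is stored in this shape, so who the rule matches depends
 * on the contents of the referenced list.
 */
export interface AccessEmailListRule {
  email_list: AccessEmailListRule.EmailList;
}

export namespace AccessEmailListRule {
  export interface EmailList {
    /**
     * The ID of a previously created email list.
     */
    id: string;
  }
}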
1630
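/**
 * Matches an entire email domain.
 */
export interface AccessDomainRule {
  email_domain: AccessDomainRule.EmailDomain;
}

export namespace AccessDomainRule {
  export interface EmailDomain {
    /**
     * The email domain to match.
     * NOTE(review): whether subdomains of this value also match is not stated
     * here — confirm against the API documentation.
     */
    domain: string;
  }
}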
1646
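/**
 * Matches everyone.
 *
 * The rule carries no identity condition at all, so it is satisfied by every
 * user.
 */
export interface AccessEveryoneRule {
  /**
   * An empty object which matches on all users. Typed as `unknown`, so the
   * compiler does not enforce the empty-object shape.
   */
  everyone: unknown;
}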
1656
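/**
 * Matches an IP address block.
 */
export interface AccessIPRule {
  ip: AccessIPRule.IP;
}

export namespace AccessIPRule {
  export interface IP {
    /**
     * An IPv4 or IPv6 CIDR block. Typed as a plain string, so the CIDR syntax
     * and prefix length are not checked at compile time.
     */
    ip: string;
  }
}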
1672
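/**
 * Matches an IP address from a list.
 *
 * Only the list ID is stored in this shape, so which addresses the rule
 * matches depends on the contents of the referenced list.
 */
export interface AccessIPListRule {
  ip_list: AccessIPListRule.IPList;
}

export namespace AccessIPListRule {
  export interface IPList {
    /**
     * The ID of a previously created IP list.
     */
    id: string;
  }
}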
1688
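/**
 * Matches any valid client certificate.
 *
 * The shape names no issuer, subject or fingerprint; which certificates count
 * as valid is not expressed in this type.
 */
export interface AccessCertificateRule {
  /** Typed as `unknown`; no fields are declared for this value. */
  certificate: unknown;
}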
1695
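/**
 * Matches an Access group.
 */
export interface AccessAccessGroupRule {
  /** Reference to another Access group by ID. */
  group: AccessAccessGroupRule.Group;
}

export namespace AccessAccessGroupRule {
  export interface Group {
    /**
     * The ID of a previously created Access group.
     */
    id: string;
  }
}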
1711
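/**
 * Matches an Azure group. Requires an Azure identity provider.
 */
export interface AccessAzureGroupRule {
  /** The wire key is the mixed-case `azureAD`, unlike the snake_case keys of sibling rules. */
  azureAD: AccessAzureGroupRule.AzureAd;
}

export namespace AccessAzureGroupRule {
  export interface AzureAd {
    /**
     * The ID of an Azure group.
     */
    id: string;

    /**
     * The ID of your Azure identity provider.
     */
    connection_id: string;
  }
}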
1732
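/**
 * Matches a GitHub organization. Requires a GitHub identity provider.
 */
export interface AccessGitHubOrganizationRule {
  /** The wire key contains a hyphen, so it has to be quoted when accessed. */
  'github-organization': AccessGitHubOrganizationRule.GitHubOrganization;
}

export namespace AccessGitHubOrganizationRule {
  export interface GitHubOrganization {
    /**
     * The ID of your GitHub identity provider.
     */
    connection_id: string;

    /**
     * The name of the organization.
     */
    name: string;
  }
}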
1753
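/**
 * Matches a group in Google Workspace. Requires a Google Workspace identity
 * provider.
 */
export interface AccessGsuiteGroupRule {
  /** Identifies the group by email address, together with one identity provider ID. */
  gsuite: AccessGsuiteGroupRule.Gsuite;
}

export namespace AccessGsuiteGroupRule {
  export interface Gsuite {
    /**
     * The ID of your Google Workspace identity provider.
     */
    connection_id: string;

    /**
     * The email of the Google Workspace group.
     */
    email: string;
  }
}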
1775
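/**
 * Matches an Okta group. Requires an Okta identity provider.
 */
export interface AccessOktaGroupRule {
  /** Identifies the group by email address, together with one identity provider ID. */
  okta: AccessOktaGroupRule.Okta;
}

export namespace AccessOktaGroupRule {
  export interface Okta {
    /**
     * The ID of your Okta identity provider.
     */
    connection_id: string;

    /**
     * The email of the Okta group.
     */
    email: string;
  }
}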
1796
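/**
 * Matches a SAML group. Requires a SAML identity provider.
 *
 * Unlike the Azure, GitHub, Google Workspace and Okta rule shapes in this
 * file, this one declares no `connection_id`, so the type itself does not tie
 * the attribute match to one particular identity provider.
 * NOTE(review): confirm how the service scopes the match when several SAML
 * providers are configured.
 */
export interface AccessSamlGroupRule {
  saml: AccessSamlGroupRule.Saml;
}

export namespace AccessSamlGroupRule {
  export interface Saml {
    /**
     * The name of the SAML attribute.
     */
    attribute_name: string;

    /**
     * The SAML attribute value to look for.
     */
    attribute_value: string;
  }
}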
1817
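/**
 * Matches a specific Access Service Token.
 */
export interface AccessServiceTokenRule {
  /** References the token by ID; no secret value is declared in this shape. */
  service_token: AccessServiceTokenRule.ServiceToken;
}

export namespace AccessServiceTokenRule {
  export interface ServiceToken {
    /**
     * The ID of a Service Token.
     */
    token_id: string;
  }
}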
1833
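/**
 * Matches any valid Access Service Token.
 *
 * The rule is not scoped to a particular token: every valid service token
 * satisfies it. `AccessServiceTokenRule` is the shape that names one token by
 * ID.
 */
export interface AccessAnyValidServiceTokenRule {
  /**
   * An empty object which matches on all service tokens. Typed as `unknown`,
   * so the compiler does not enforce the empty-object shape.
   */
  any_valid_service_token: unknown;
}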
1843
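/**
 * Create Allow or Block policies which evaluate the user based on custom criteria.
 *
 * The decision is delegated to the endpoint named in `evaluate_url`, and the
 * key used to verify its responses is fetched from `keys_url`, so both
 * endpoints are part of the trust boundary of any policy using this rule.
 */
export interface AccessExternalEvaluationRule {
  external_evaluation: AccessExternalEvaluationRule.ExternalEvaluation;
}

export namespace AccessExternalEvaluationRule {
  export interface ExternalEvaluation {
    /**
     * The API endpoint containing your business logic.
     * NOTE(review): typed as a plain string; scheme and host are not checked
     * at compile time.
     */
    evaluate_url: string;

    /**
     * The API endpoint containing the key that Access uses to verify that the response
     * came from your API.
     */
    keys_url: string;
  }
}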
1865
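/**
 * Matches a specific country.
 */
export interface AccessCountryRule {
  geo: AccessCountryRule.Geo;
}

export namespace AccessCountryRule {
  export interface Geo {
    /**
     * The country code that should be matched.
     * NOTE(review): the code format is not stated here (presumably ISO 3166-1
     * alpha-2) — confirm against the API documentation.
     */
    country_code: string;
  }
}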
1881
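/**
 * Enforce different MFA options.
 */
export interface AccessAuthenticationMethodRule {
  /** Wrapper object; the inner property carries the same name as this key. */
  auth_method: AccessAuthenticationMethodRule.AuthMethod;
}

export namespace AccessAuthenticationMethodRule {
  export interface AuthMethod {
    /**
     * The type of authentication method, as listed in RFC 8176:
     * https://datatracker.ietf.org/doc/html/rfc8176.
     * Typed as a plain string, so the value is not checked at compile time.
     */
    auth_method: string;
  }
}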
1897
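/**
 * Enforces that a device posture rule has run successfully.
 */
export interface AccessDevicePostureRule {
  device_posture: AccessDevicePostureRule.DevicePosture;
}

export namespace AccessDevicePostureRule {
  export interface DevicePosture {
    /**
     * The ID of a device posture integration.
     */
    integration_uid: string;
  }
}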
1913
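/**
 * Matches one specific user email address.
 */
export interface AccessEmailRule {
  /** Wrapper object holding the address to match. */
  email: AccessEmailRule.Email;
}

export namespace AccessEmailRule {
  export interface Email {
    /**
     * The email of the user.
     */
    email: string;
  }
}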
1929
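/**
 * Matches an email address from a list.
 *
 * Only the list ID is stored in this shape, so who the rule matches depends
 * on the contents of the referenced list.
 */
export interface AccessEmailListRule {
  email_list: AccessEmailListRule.EmailList;
}

export namespace AccessEmailListRule {
  export interface EmailList {
    /**
     * The ID of a previously created email list.
     */
    id: string;
  }
}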
1945
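/**
 * Matches an entire email domain.
 */
export interface AccessDomainRule {
  email_domain: AccessDomainRule.EmailDomain;
}

export namespace AccessDomainRule {
  export interface EmailDomain {
    /**
     * The email domain to match.
     * NOTE(review): whether subdomains of this value also match is not stated
     * here — confirm against the API documentation.
     */
    domain: string;
  }
}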
1961
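/**
 * Matches everyone.
 *
 * The rule carries no identity condition at all, so it is satisfied by every
 * user.
 */
export interface AccessEveryoneRule {
  /**
   * An empty object which matches on all users. Typed as `unknown`, so the
   * compiler does not enforce the empty-object shape.
   */
  everyone: unknown;
}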
1971
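/**
 * Matches an IP address block.
 */
export interface AccessIPRule {
  ip: AccessIPRule.IP;
}

export namespace AccessIPRule {
  export interface IP {
    /**
     * An IPv4 or IPv6 CIDR block. Typed as a plain string, so the CIDR syntax
     * and prefix length are not checked at compile time.
     */
    ip: string;
  }
}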
1987
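/**
 * Matches an IP address from a list.
 *
 * Only the list ID is stored in this shape, so which addresses the rule
 * matches depends on the contents of the referenced list.
 */
export interface AccessIPListRule {
  ip_list: AccessIPListRule.IPList;
}

export namespace AccessIPListRule {
  export interface IPList {
    /**
     * The ID of a previously created IP list.
     */
    id: string;
  }
}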
2003
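/**
 * Matches any valid client certificate.
 *
 * The shape names no issuer, subject or fingerprint; which certificates count
 * as valid is not expressed in this type.
 */
export interface AccessCertificateRule {
  /** Typed as `unknown`; no fields are declared for this value. */
  certificate: unknown;
}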
2010
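/**
 * Matches an Access group.
 */
export interface AccessAccessGroupRule {
  /** Reference to another Access group by ID. */
  group: AccessAccessGroupRule.Group;
}

export namespace AccessAccessGroupRule {
  export interface Group {
    /**
     * The ID of a previously created Access group.
     */
    id: string;
  }
}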
2026
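/**
 * Matches an Azure group. Requires an Azure identity provider.
 */
export interface AccessAzureGroupRule {
  /** The wire key is the mixed-case `azureAD`, unlike the snake_case keys of sibling rules. */
  azureAD: AccessAzureGroupRule.AzureAd;
}

export namespace AccessAzureGroupRule {
  export interface AzureAd {
    /**
     * The ID of an Azure group.
     */
    id: string;

    /**
     * The ID of your Azure identity provider.
     */
    connection_id: string;
  }
}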
2047
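/**
 * Matches a GitHub organization. Requires a GitHub identity provider.
 */
export interface AccessGitHubOrganizationRule {
  /** The wire key contains a hyphen, so it has to be quoted when accessed. */
  'github-organization': AccessGitHubOrganizationRule.GitHubOrganization;
}

export namespace AccessGitHubOrganizationRule {
  export interface GitHubOrganization {
    /**
     * The ID of your GitHub identity provider.
     */
    connection_id: string;

    /**
     * The name of the organization.
     */
    name: string;
  }
}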
2068
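/**
 * Matches a group in Google Workspace. Requires a Google Workspace identity
 * provider.
 */
export interface AccessGsuiteGroupRule {
  /** Identifies the group by email address, together with one identity provider ID. */
  gsuite: AccessGsuiteGroupRule.Gsuite;
}

export namespace AccessGsuiteGroupRule {
  export interface Gsuite {
    /**
     * The ID of your Google Workspace identity provider.
     */
    connection_id: string;

    /**
     * The email of the Google Workspace group.
     */
    email: string;
  }
}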
2090
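/**
 * Matches an Okta group. Requires an Okta identity provider.
 */
export interface AccessOktaGroupRule {
  /** Identifies the group by email address, together with one identity provider ID. */
  okta: AccessOktaGroupRule.Okta;
}

export namespace AccessOktaGroupRule {
  export interface Okta {
    /**
     * The ID of your Okta identity provider.
     */
    connection_id: string;

    /**
     * The email of the Okta group.
     */
    email: string;
  }
}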
2111
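/**
 * Matches a SAML group. Requires a SAML identity provider.
 *
 * Unlike the Azure, GitHub, Google Workspace and Okta rule shapes in this
 * file, this one declares no `connection_id`, so the type itself does not tie
 * the attribute match to one particular identity provider.
 * NOTE(review): confirm how the service scopes the match when several SAML
 * providers are configured.
 */
export interface AccessSamlGroupRule {
  saml: AccessSamlGroupRule.Saml;
}

export namespace AccessSamlGroupRule {
  export interface Saml {
    /**
     * The name of the SAML attribute.
     */
    attribute_name: string;

    /**
     * The SAML attribute value to look for.
     */
    attribute_value: string;
  }
}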
2132
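/**
 * Matches a specific Access Service Token.
 */
export interface AccessServiceTokenRule {
  /** References the token by ID; no secret value is declared in this shape. */
  service_token: AccessServiceTokenRule.ServiceToken;
}

export namespace AccessServiceTokenRule {
  export interface ServiceToken {
    /**
     * The ID of a Service Token.
     */
    token_id: string;
  }
}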
2148
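/**
 * Matches any valid Access Service Token.
 *
 * The rule is not scoped to a particular token: every valid service token
 * satisfies it. `AccessServiceTokenRule` is the shape that names one token by
 * ID.
 */
export interface AccessAnyValidServiceTokenRule {
  /**
   * An empty object which matches on all service tokens. Typed as `unknown`,
   * so the compiler does not enforce the empty-object shape.
   */
  any_valid_service_token: unknown;
}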
2158
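/**
 * Create Allow or Block policies which evaluate the user based on custom criteria.
 *
 * The decision is delegated to the endpoint named in `evaluate_url`, and the
 * key used to verify its responses is fetched from `keys_url`, so both
 * endpoints are part of the trust boundary of any policy using this rule.
 */
export interface AccessExternalEvaluationRule {
  external_evaluation: AccessExternalEvaluationRule.ExternalEvaluation;
}

export namespace AccessExternalEvaluationRule {
  export interface ExternalEvaluation {
    /**
     * The API endpoint containing your business logic.
     * NOTE(review): typed as a plain string; scheme and host are not checked
     * at compile time.
     */
    evaluate_url: string;

    /**
     * The API endpoint containing the key that Access uses to verify that the response
     * came from your API.
     */
    keys_url: string;
  }
}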
2180
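/**
 * Matches a specific country.
 */
export interface AccessCountryRule {
  geo: AccessCountryRule.Geo;
}

export namespace AccessCountryRule {
  export interface Geo {
    /**
     * The country code that should be matched.
     * NOTE(review): the code format is not stated here (presumably ISO 3166-1
     * alpha-2) — confirm against the API documentation.
     */
    country_code: string;
  }
}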
2196
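/**
 * Enforce different MFA options.
 */
export interface AccessAuthenticationMethodRule {
  /** Wrapper object; the inner property carries the same name as this key. */
  auth_method: AccessAuthenticationMethodRule.AuthMethod;
}

export namespace AccessAuthenticationMethodRule {
  export interface AuthMethod {
    /**
     * The type of authentication method, as listed in RFC 8176:
     * https://datatracker.ietf.org/doc/html/rfc8176.
     * Typed as a plain string, so the value is not checked at compile time.
     */
    auth_method: string;
  }
}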
2212
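/**
 * Enforces that a device posture rule has run successfully.
 */
export interface AccessDevicePostureRule {
  device_posture: AccessDevicePostureRule.DevicePosture;
}

export namespace AccessDevicePostureRule {
  export interface DevicePosture {
    /**
     * The ID of a device posture integration.
     */
    integration_uid: string;
  }
}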
2228
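/**
 * Matches one specific user email address.
 */
export interface AccessEmailRule {
  /** Wrapper object holding the address to match. */
  email: AccessEmailRule.Email;
}

export namespace AccessEmailRule {
  export interface Email {
    /**
     * The email of the user.
     */
    email: string;
  }
}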
2244
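/**
 * Matches an email address from a list.
 *
 * Only the list ID is stored in this shape, so who the rule matches depends
 * on the contents of the referenced list.
 */
export interface AccessEmailListRule {
  email_list: AccessEmailListRule.EmailList;
}

export namespace AccessEmailListRule {
  export interface EmailList {
    /**
     * The ID of a previously created email list.
     */
    id: string;
  }
}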
2260
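/**
 * Matches an entire email domain.
 */
export interface AccessDomainRule {
  email_domain: AccessDomainRule.EmailDomain;
}

export namespace AccessDomainRule {
  export interface EmailDomain {
    /**
     * The email domain to match.
     * NOTE(review): whether subdomains of this value also match is not stated
     * here — confirm against the API documentation.
     */
    domain: string;
  }
}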
2276
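/**
 * Matches everyone.
 *
 * The rule carries no identity condition at all, so it is satisfied by every
 * user.
 */
export interface AccessEveryoneRule {
  /**
   * An empty object which matches on all users. Typed as `unknown`, so the
   * compiler does not enforce the empty-object shape.
   */
  everyone: unknown;
}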
2286
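/**
 * Matches an IP address block.
 */
export interface AccessIPRule {
  ip: AccessIPRule.IP;
}

export namespace AccessIPRule {
  export interface IP {
    /**
     * An IPv4 or IPv6 CIDR block. Typed as a plain string, so the CIDR syntax
     * and prefix length are not checked at compile time.
     */
    ip: string;
  }
}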
2302
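/**
 * Matches an IP address from a list.
 *
 * Only the list ID is stored in this shape, so which addresses the rule
 * matches depends on the contents of the referenced list.
 */
export interface AccessIPListRule {
  ip_list: AccessIPListRule.IPList;
}

export namespace AccessIPListRule {
  export interface IPList {
    /**
     * The ID of a previously created IP list.
     */
    id: string;
  }
}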
2318
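/**
 * Matches any valid client certificate.
 *
 * The shape names no issuer, subject or fingerprint; which certificates count
 * as valid is not expressed in this type.
 */
export interface AccessCertificateRule {
  /** Typed as `unknown`; no fields are declared for this value. */
  certificate: unknown;
}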
2325
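/**
 * Matches an Access group.
 */
export interface AccessAccessGroupRule {
  /** Reference to another Access group by ID. */
  group: AccessAccessGroupRule.Group;
}

export namespace AccessAccessGroupRule {
  export interface Group {
    /**
     * The ID of a previously created Access group.
     */
    id: string;
  }
}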
2341
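/**
 * Matches an Azure group. Requires an Azure identity provider.
 */
export interface AccessAzureGroupRule {
  /** The wire key is the mixed-case `azureAD`, unlike the snake_case keys of sibling rules. */
  azureAD: AccessAzureGroupRule.AzureAd;
}

export namespace AccessAzureGroupRule {
  export interface AzureAd {
    /**
     * The ID of an Azure group.
     */
    id: string;

    /**
     * The ID of your Azure identity provider.
     */
    connection_id: string;
  }
}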
2362
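/**
 * Matches a GitHub organization. Requires a GitHub identity provider.
 */
export interface AccessGitHubOrganizationRule {
  /** The wire key contains a hyphen, so it has to be quoted when accessed. */
  'github-organization': AccessGitHubOrganizationRule.GitHubOrganization;
}

export namespace AccessGitHubOrganizationRule {
  export interface GitHubOrganization {
    /**
     * The ID of your GitHub identity provider.
     */
    connection_id: string;

    /**
     * The name of the organization.
     */
    name: string;
  }
}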
2383
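/**
 * Matches a group in Google Workspace. Requires a Google Workspace identity
 * provider.
 */
export interface AccessGsuiteGroupRule {
  /** Identifies the group by email address, together with one identity provider ID. */
  gsuite: AccessGsuiteGroupRule.Gsuite;
}

export namespace AccessGsuiteGroupRule {
  export interface Gsuite {
    /**
     * The ID of your Google Workspace identity provider.
     */
    connection_id: string;

    /**
     * The email of the Google Workspace group.
     */
    email: string;
  }
}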
2405
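/**
 * Matches an Okta group. Requires an Okta identity provider.
 */
export interface AccessOktaGroupRule {
  /** Identifies the group by email address, together with one identity provider ID. */
  okta: AccessOktaGroupRule.Okta;
}

export namespace AccessOktaGroupRule {
  export interface Okta {
    /**
     * The ID of your Okta identity provider.
     */
    connection_id: string;

    /**
     * The email of the Okta group.
     */
    email: string;
  }
}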
2426
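/**
 * Matches a SAML group. Requires a SAML identity provider.
 *
 * Unlike the Azure, GitHub, Google Workspace and Okta rule shapes in this
 * file, this one declares no `connection_id`, so the type itself does not tie
 * the attribute match to one particular identity provider.
 * NOTE(review): confirm how the service scopes the match when several SAML
 * providers are configured.
 */
export interface AccessSamlGroupRule {
  saml: AccessSamlGroupRule.Saml;
}

export namespace AccessSamlGroupRule {
  export interface Saml {
    /**
     * The name of the SAML attribute.
     */
    attribute_name: string;

    /**
     * The SAML attribute value to look for.
     */
    attribute_value: string;
  }
}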
2447
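/**
 * Matches a specific Access Service Token.
 */
export interface AccessServiceTokenRule {
  /** References the token by ID; no secret value is declared in this shape. */
  service_token: AccessServiceTokenRule.ServiceToken;
}

export namespace AccessServiceTokenRule {
  export interface ServiceToken {
    /**
     * The ID of a Service Token.
     */
    token_id: string;
  }
}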
2463
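/**
 * Matches any valid Access Service Token.
 *
 * The rule is not scoped to a particular token: every valid service token
 * satisfies it. `AccessServiceTokenRule` is the shape that names one token by
 * ID.
 */
export interface AccessAnyValidServiceTokenRule {
  /**
   * An empty object which matches on all service tokens. Typed as `unknown`,
   * so the compiler does not enforce the empty-object shape.
   */
  any_valid_service_token: unknown;
}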
2473
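/**
 * Create Allow or Block policies which evaluate the user based on custom criteria.
 *
 * The decision is delegated to the endpoint named in `evaluate_url`, and the
 * key used to verify its responses is fetched from `keys_url`, so both
 * endpoints are part of the trust boundary of any policy using this rule.
 */
export interface AccessExternalEvaluationRule {
  external_evaluation: AccessExternalEvaluationRule.ExternalEvaluation;
}

export namespace AccessExternalEvaluationRule {
  export interface ExternalEvaluation {
    /**
     * The API endpoint containing your business logic.
     * NOTE(review): typed as a plain string; scheme and host are not checked
     * at compile time.
     */
    evaluate_url: string;

    /**
     * The API endpoint containing the key that Access uses to verify that the response
     * came from your API.
     */
    keys_url: string;
  }
}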
2495
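/**
 * Matches a specific country.
 */
export interface AccessCountryRule {
  geo: AccessCountryRule.Geo;
}

export namespace AccessCountryRule {
  export interface Geo {
    /**
     * The country code that should be matched.
     * NOTE(review): the code format is not stated here (presumably ISO 3166-1
     * alpha-2) — confirm against the API documentation.
     */
    country_code: string;
  }
}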
2511
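/**
 * Enforce different MFA options.
 */
export interface AccessAuthenticationMethodRule {
  /** Wrapper object; the inner property carries the same name as this key. */
  auth_method: AccessAuthenticationMethodRule.AuthMethod;
}

export namespace AccessAuthenticationMethodRule {
  export interface AuthMethod {
    /**
     * The type of authentication method, as listed in RFC 8176:
     * https://datatracker.ietf.org/doc/html/rfc8176.
     * Typed as a plain string, so the value is not checked at compile time.
     */
    auth_method: string;
  }
}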
2527
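/**
 * Enforces that a device posture rule has run successfully.
 */
export interface AccessDevicePostureRule {
  device_posture: AccessDevicePostureRule.DevicePosture;
}

export namespace AccessDevicePostureRule {
  export interface DevicePosture {
    /**
     * The ID of a device posture integration.
     */
    integration_uid: string;
  }
}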
2543
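/**
 * Matches one specific user email address.
 */
export interface AccessEmailRule {
  /** Wrapper object holding the address to match. */
  email: AccessEmailRule.Email;
}

export namespace AccessEmailRule {
  export interface Email {
    /**
     * The email of the user.
     */
    email: string;
  }
}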
2559
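/**
 * Matches an email address from a list.
 *
 * Only the list ID is stored in this shape, so who the rule matches depends
 * on the contents of the referenced list.
 */
export interface AccessEmailListRule {
  email_list: AccessEmailListRule.EmailList;
}

export namespace AccessEmailListRule {
  export interface EmailList {
    /**
     * The ID of a previously created email list.
     */
    id: string;
  }
}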
2575
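/**
 * Matches an entire email domain.
 */
export interface AccessDomainRule {
  email_domain: AccessDomainRule.EmailDomain;
}

export namespace AccessDomainRule {
  export interface EmailDomain {
    /**
     * The email domain to match.
     * NOTE(review): whether subdomains of this value also match is not stated
     * here — confirm against the API documentation.
     */
    domain: string;
  }
}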
2591
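/**
 * Matches everyone.
 *
 * The rule carries no identity condition at all, so it is satisfied by every
 * user.
 */
export interface AccessEveryoneRule {
  /**
   * An empty object which matches on all users. Typed as `unknown`, so the
   * compiler does not enforce the empty-object shape.
   */
  everyone: unknown;
}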
2601
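/**
 * Matches an IP address block.
 */
export interface AccessIPRule {
  ip: AccessIPRule.IP;
}

export namespace AccessIPRule {
  export interface IP {
    /**
     * An IPv4 or IPv6 CIDR block. Typed as a plain string, so the CIDR syntax
     * and prefix length are not checked at compile time.
     */
    ip: string;
  }
}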
2617
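/**
 * Matches an IP address from a list.
 *
 * Only the list ID is stored in this shape, so which addresses the rule
 * matches depends on the contents of the referenced list.
 */
export interface AccessIPListRule {
  ip_list: AccessIPListRule.IPList;
}

export namespace AccessIPListRule {
  export interface IPList {
    /**
     * The ID of a previously created IP list.
     */
    id: string;
  }
}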
2633
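/**
 * Matches any valid client certificate.
 *
 * The shape names no issuer, subject or fingerprint; which certificates count
 * as valid is not expressed in this type.
 */
export interface AccessCertificateRule {
  /** Typed as `unknown`; no fields are declared for this value. */
  certificate: unknown;
}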
2640
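/**
 * Matches an Access group.
 */
export interface AccessAccessGroupRule {
  /** Reference to another Access group by ID. */
  group: AccessAccessGroupRule.Group;
}

export namespace AccessAccessGroupRule {
  export interface Group {
    /**
     * The ID of a previously created Access group.
     */
    id: string;
  }
}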
2656
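/**
 * Matches an Azure group. Requires an Azure identity provider.
 */
export interface AccessAzureGroupRule {
  /** The wire key is the mixed-case `azureAD`, unlike the snake_case keys of sibling rules. */
  azureAD: AccessAzureGroupRule.AzureAd;
}

export namespace AccessAzureGroupRule {
  export interface AzureAd {
    /**
     * The ID of an Azure group.
     */
    id: string;

    /**
     * The ID of your Azure identity provider.
     */
    connection_id: string;
  }
}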
2677
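/**
 * Matches a GitHub organization. Requires a GitHub identity provider.
 */
export interface AccessGitHubOrganizationRule {
  /** The wire key contains a hyphen, so it has to be quoted when accessed. */
  'github-organization': AccessGitHubOrganizationRule.GitHubOrganization;
}

export namespace AccessGitHubOrganizationRule {
  export interface GitHubOrganization {
    /**
     * The ID of your GitHub identity provider.
     */
    connection_id: string;

    /**
     * The name of the organization.
     */
    name: string;
  }
}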
2698
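/**
 * Matches a group in Google Workspace. Requires a Google Workspace identity
 * provider.
 */
export interface AccessGsuiteGroupRule {
  /** Identifies the group by email address, together with one identity provider ID. */
  gsuite: AccessGsuiteGroupRule.Gsuite;
}

export namespace AccessGsuiteGroupRule {
  export interface Gsuite {
    /**
     * The ID of your Google Workspace identity provider.
     */
    connection_id: string;

    /**
     * The email of the Google Workspace group.
     */
    email: string;
  }
}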
2720
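/**
 * Matches an Okta group. Requires an Okta identity provider.
 */
export interface AccessOktaGroupRule {
  /** Identifies the group by email address, together with one identity provider ID. */
  okta: AccessOktaGroupRule.Okta;
}

export namespace AccessOktaGroupRule {
  export interface Okta {
    /**
     * The ID of your Okta identity provider.
     */
    connection_id: string;

    /**
     * The email of the Okta group.
     */
    email: string;
  }
}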
2741
/**
 * Matches a SAML group. Requires a SAML identity provider.
 *
 * The match is expressed as one attribute name/value pair.
 * NOTE(review): unlike the sibling Okta rule, this type has no
 * `connection_id`, so nothing here pins which SAML provider asserted the
 * attribute. Confirm how the provider is selected before relying on this rule
 * to separate tenants or providers.
 */
export interface AccessSamlGroupRule {
  saml: AccessSamlGroupRule.Saml;
}

export namespace AccessSamlGroupRule {
  export interface Saml {
    /**
     * The name of the SAML attribute.
     */
    attribute_name: string;

    /**
     * The SAML attribute value to look for.
     */
    attribute_value: string;
  }
}
2762
2763 /**
2764 * Matches a specific Access Service Token
2765 */
2766 export interface AccessServiceTokenRule {
2767 service_token: AccessServiceTokenRule.ServiceToken;
2768 }
2769
2770 export namespace AccessServiceTokenRule {
2771 export interface ServiceToken {
2772 /**
2773 * The ID of a Service Token.
2774 */
2775 token_id: string;
2776 }
2777 }
2778
2779 /**
2780 * Matches any valid Access Service Token
2781 */
2782 export interface AccessAnyValidServiceTokenRule {
2783 /**
2784 * An empty object which matches on all service tokens.
2785 */
2786 any_valid_service_token: unknown;
2787 }
2788
2789 /**
2790 * Create Allow or Block policies which evaluate the user based on custom criteria.
2791 */
2792 export interface AccessExternalEvaluationRule {
2793 external_evaluation: AccessExternalEvaluationRule.ExternalEvaluation;
2794 }
2795
2796 export namespace AccessExternalEvaluationRule {
2797 export interface ExternalEvaluation {
2798 /**
2799 * The API endpoint containing your business logic.
2800 */
2801 evaluate_url: string;
2802
2803 /**
2804 * The API endpoint containing the key that Access uses to verify that the response
2805 * came from your API.
2806 */
2807 keys_url: string;
2808 }
2809 }
2810
2811 /**
2812 * Matches a specific country
2813 */
2814 export interface AccessCountryRule {
2815 geo: AccessCountryRule.Geo;
2816 }
2817
2818 export namespace AccessCountryRule {
2819 export interface Geo {
2820 /**
2821 * The country code that should be matched.
2822 */
2823 country_code: string;
2824 }
2825 }
2826
/**
 * Enforce different MFA options.
 */
export interface AccessAuthenticationMethodRule {
  auth_method: AccessAuthenticationMethodRule.AuthMethod;
}

export namespace AccessAuthenticationMethodRule {
  export interface AuthMethod {
    /**
     * The type of authentication method, see
     * https://datatracker.ietf.org/doc/html/rfc8176 (Authentication Method
     * Reference Values).
     *
     * Typed as a plain `string`, not a union of the registered values, so a
     * misspelled method name is not caught at compile time.
     */
    auth_method: string;
  }
}
2842
/**
 * Enforces that a device posture rule has run successfully.
 *
 * NOTE(review): the description speaks of a posture rule, while the only field
 * identifies a posture integration. Confirm which object the ID refers to.
 */
export interface AccessDevicePostureRule {
  device_posture: AccessDevicePostureRule.DevicePosture;
}

export namespace AccessDevicePostureRule {
  export interface DevicePosture {
    /**
     * The ID of a device posture integration.
     */
    integration_uid: string;
  }
}
2858 }
2859}
2860
/**
 * Result type of the `delete` method, which deletes an Access group.
 */
export interface GroupDeleteResponse {
  /**
   * UUID
   *
   * Optional, so callers must handle `undefined`.
   * NOTE(review): presumably the UUID of the deleted group - confirm.
   */
  id?: string;
}
2867
/**
 * An Access group with its three rule lists.
 *
 * Every property is optional, so a consumer has to handle `undefined` for each
 * rule list rather than assume an empty array. When auditing a group, read
 * `include`, `exclude` and `require` together: per the descriptions below they
 * combine as OR, NOT and AND respectively.
 *
 * NOTE(review): by its name, the response type of the `get` method that fetches
 * a single Access group; the method body is outside this view - confirm.
 */
export interface GroupGetResponse {
  /**
   * UUID
   */
  id?: string;

  // NOTE(review): no description is given for this field; presumably the
  // creation time as a string - confirm the format against the API schema.
  created_at?: string;

  /**
   * Rules evaluated with a NOT logical operator. To match a policy, a user cannot
   * meet any of the Exclude rules.
   */
  exclude?: Array<
    | GroupGetResponse.AccessEmailRule
    | GroupGetResponse.AccessEmailListRule
    | GroupGetResponse.AccessDomainRule
    | GroupGetResponse.AccessEveryoneRule
    | GroupGetResponse.AccessIPRule
    | GroupGetResponse.AccessIPListRule
    | GroupGetResponse.AccessCertificateRule
    | GroupGetResponse.AccessAccessGroupRule
    | GroupGetResponse.AccessAzureGroupRule
    | GroupGetResponse.AccessGitHubOrganizationRule
    | GroupGetResponse.AccessGsuiteGroupRule
    | GroupGetResponse.AccessOktaGroupRule
    | GroupGetResponse.AccessSamlGroupRule
    | GroupGetResponse.AccessServiceTokenRule
    | GroupGetResponse.AccessAnyValidServiceTokenRule
    | GroupGetResponse.AccessExternalEvaluationRule
    | GroupGetResponse.AccessCountryRule
    | GroupGetResponse.AccessAuthenticationMethodRule
    | GroupGetResponse.AccessDevicePostureRule
  >;

  /**
   * Rules evaluated with an OR logical operator. A user needs to meet only one of
   * the Include rules.
   */
  include?: Array<
    | GroupGetResponse.AccessEmailRule
    | GroupGetResponse.AccessEmailListRule
    | GroupGetResponse.AccessDomainRule
    | GroupGetResponse.AccessEveryoneRule
    | GroupGetResponse.AccessIPRule
    | GroupGetResponse.AccessIPListRule
    | GroupGetResponse.AccessCertificateRule
    | GroupGetResponse.AccessAccessGroupRule
    | GroupGetResponse.AccessAzureGroupRule
    | GroupGetResponse.AccessGitHubOrganizationRule
    | GroupGetResponse.AccessGsuiteGroupRule
    | GroupGetResponse.AccessOktaGroupRule
    | GroupGetResponse.AccessSamlGroupRule
    | GroupGetResponse.AccessServiceTokenRule
    | GroupGetResponse.AccessAnyValidServiceTokenRule
    | GroupGetResponse.AccessExternalEvaluationRule
    | GroupGetResponse.AccessCountryRule
    | GroupGetResponse.AccessAuthenticationMethodRule
    | GroupGetResponse.AccessDevicePostureRule
  >;

  /**
   * Rules evaluated with an AND logical operator. To match a policy, a user must
   * meet all of the Require rules.
   *
   * NOTE(review): this description and the element type are identical to those
   * of `require` below, while the property name suggests a default-group marker.
   * This looks like a spec or generator artifact; confirm the real shape against
   * the API before using this field in an access decision.
   */
  is_default?: Array<
    | GroupGetResponse.AccessEmailRule
    | GroupGetResponse.AccessEmailListRule
    | GroupGetResponse.AccessDomainRule
    | GroupGetResponse.AccessEveryoneRule
    | GroupGetResponse.AccessIPRule
    | GroupGetResponse.AccessIPListRule
    | GroupGetResponse.AccessCertificateRule
    | GroupGetResponse.AccessAccessGroupRule
    | GroupGetResponse.AccessAzureGroupRule
    | GroupGetResponse.AccessGitHubOrganizationRule
    | GroupGetResponse.AccessGsuiteGroupRule
    | GroupGetResponse.AccessOktaGroupRule
    | GroupGetResponse.AccessSamlGroupRule
    | GroupGetResponse.AccessServiceTokenRule
    | GroupGetResponse.AccessAnyValidServiceTokenRule
    | GroupGetResponse.AccessExternalEvaluationRule
    | GroupGetResponse.AccessCountryRule
    | GroupGetResponse.AccessAuthenticationMethodRule
    | GroupGetResponse.AccessDevicePostureRule
  >;

  /**
   * The name of the Access group.
   */
  name?: string;

  /**
   * Rules evaluated with an AND logical operator. To match a policy, a user must
   * meet all of the Require rules.
   */
  require?: Array<
    | GroupGetResponse.AccessEmailRule
    | GroupGetResponse.AccessEmailListRule
    | GroupGetResponse.AccessDomainRule
    | GroupGetResponse.AccessEveryoneRule
    | GroupGetResponse.AccessIPRule
    | GroupGetResponse.AccessIPListRule
    | GroupGetResponse.AccessCertificateRule
    | GroupGetResponse.AccessAccessGroupRule
    | GroupGetResponse.AccessAzureGroupRule
    | GroupGetResponse.AccessGitHubOrganizationRule
    | GroupGetResponse.AccessGsuiteGroupRule
    | GroupGetResponse.AccessOktaGroupRule
    | GroupGetResponse.AccessSamlGroupRule
    | GroupGetResponse.AccessServiceTokenRule
    | GroupGetResponse.AccessAnyValidServiceTokenRule
    | GroupGetResponse.AccessExternalEvaluationRule
    | GroupGetResponse.AccessCountryRule
    | GroupGetResponse.AccessAuthenticationMethodRule
    | GroupGetResponse.AccessDevicePostureRule
  >;

  // NOTE(review): no description is given for this field; presumably the time
  // of the last modification as a string - confirm against the API schema.
  updated_at?: string;
}
2987
2988export namespace GroupGetResponse {
2989 /**
2990 * Matches a specific email.
2991 */
2992 export interface AccessEmailRule {
2993 email: AccessEmailRule.Email;
2994 }
2995
2996 export namespace AccessEmailRule {
2997 export interface Email {
2998 /**
2999 * The email of the user.
3000 */
3001 email: string;
3002 }
3003 }
3004
3005 /**
3006 * Matches an email address from a list.
3007 */
3008 export interface AccessEmailListRule {
3009 email_list: AccessEmailListRule.EmailList;
3010 }
3011
3012 export namespace AccessEmailListRule {
3013 export interface EmailList {
3014 /**
3015 * The ID of a previously created email list.
3016 */
3017 id: string;
3018 }
3019 }
3020
/**
 * Matches an entire email domain.
 *
 * NOTE(review): whether subdomains of `domain` also match is not stated here;
 * confirm before using this rule to scope access to one organization.
 */
export interface AccessDomainRule {
  email_domain: AccessDomainRule.EmailDomain;
}

export namespace AccessDomainRule {
  export interface EmailDomain {
    /**
     * The email domain to match.
     */
    domain: string;
  }
}
3036
/**
 * Matches everyone.
 *
 * Include rules are OR-ed, so an `include` list that contains this rule is met
 * by every user; only the `exclude` and `require` lists then narrow the group.
 * Worth flagging when auditing group definitions.
 */
export interface AccessEveryoneRule {
  /**
   * An empty object which matches on all users.
   *
   * Typed `unknown`, so the value has to be narrowed before it is read.
   */
  everyone: unknown;
}
3046
/**
 * Matches an IP address block.
 */
export interface AccessIPRule {
  ip: AccessIPRule.IP;
}

export namespace AccessIPRule {
  export interface IP {
    /**
     * An IPv4 or IPv6 CIDR block.
     *
     * Typed as a plain `string`: neither the CIDR syntax nor the prefix length
     * is checked by this type, so an overly broad block is not caught here.
     */
    ip: string;
  }
}
3062
3063 /**
3064 * Matches an IP address from a list.
3065 */
3066 export interface AccessIPListRule {
3067 ip_list: AccessIPListRule.IPList;
3068 }
3069
3070 export namespace AccessIPListRule {
3071 export interface IPList {
3072 /**
3073 * The ID of a previously created IP list.
3074 */
3075 id: string;
3076 }
3077 }
3078
/**
 * Matches any valid client certificate.
 *
 * The type carries no certificate identity (no subject, issuer or fingerprint
 * field), so the rule as typed cannot single out one certificate.
 * NOTE(review): what counts as "valid" is decided outside this file - confirm
 * which CA or trust store applies.
 */
export interface AccessCertificateRule {
  // Typed `unknown`; narrow before reading.
  certificate: unknown;
}
3085
3086 /**
3087 * Matches an Access group.
3088 */
3089 export interface AccessAccessGroupRule {
3090 group: AccessAccessGroupRule.Group;
3091 }
3092
3093 export namespace AccessAccessGroupRule {
3094 export interface Group {
3095 /**
3096 * The ID of a previously created Access group.
3097 */
3098 id: string;
3099 }
3100 }
3101
3102 /**
3103 * Matches an Azure group. Requires an Azure identity provider.
3104 */
3105 export interface AccessAzureGroupRule {
3106 azureAD: AccessAzureGroupRule.AzureAd;
3107 }
3108
3109 export namespace AccessAzureGroupRule {
3110 export interface AzureAd {
3111 /**
3112 * The ID of an Azure group.
3113 */
3114 id: string;
3115
3116 /**
3117 * The ID of your Azure identity provider.
3118 */
3119 connection_id: string;
3120 }
3121 }
3122
3123 /**
3124 * Matches a Github organization. Requires a Github identity provider.
3125 */
3126 export interface AccessGitHubOrganizationRule {
3127 'github-organization': AccessGitHubOrganizationRule.GitHubOrganization;
3128 }
3129
3130 export namespace AccessGitHubOrganizationRule {
3131 export interface GitHubOrganization {
3132 /**
3133 * The ID of your Github identity provider.
3134 */
3135 connection_id: string;
3136
3137 /**
3138 * The name of the organization.
3139 */
3140 name: string;
3141 }
3142 }
3143
3144 /**
3145 * Matches a group in Google Workspace. Requires a Google Workspace identity
3146 * provider.
3147 */
3148 export interface AccessGsuiteGroupRule {
3149 gsuite: AccessGsuiteGroupRule.Gsuite;
3150 }
3151
3152 export namespace AccessGsuiteGroupRule {
3153 export interface Gsuite {
3154 /**
3155 * The ID of your Google Workspace identity provider.
3156 */
3157 connection_id: string;
3158
3159 /**
3160 * The email of the Google Workspace group.
3161 */
3162 email: string;
3163 }
3164 }
3165
/**
 * Matches an Okta group. Requires an Okta identity provider.
 */
export interface AccessOktaGroupRule {
  okta: AccessOktaGroupRule.Okta;
}

export namespace AccessOktaGroupRule {
  export interface Okta {
    /**
     * The ID of your Okta identity provider.
     */
    connection_id: string;

    /**
     * The email of the Okta group.
     *
     * NOTE(review): the wording mirrors the Google Workspace group rule in this
     * file; confirm that the Okta group is really identified by an email value.
     */
    email: string;
  }
}
3186
3187 /**
3188 * Matches a SAML group. Requires a SAML identity provider.
3189 */
3190 export interface AccessSamlGroupRule {
3191 saml: AccessSamlGroupRule.Saml;
3192 }
3193
3194 export namespace AccessSamlGroupRule {
3195 export interface Saml {
3196 /**
3197 * The name of the SAML attribute.
3198 */
3199 attribute_name: string;
3200
3201 /**
3202 * The SAML attribute value to look for.
3203 */
3204 attribute_value: string;
3205 }
3206 }
3207
/**
 * Matches a specific Access Service Token.
 *
 * Compare with `AccessAnyValidServiceTokenRule`, which matches on all service
 * tokens instead of one.
 */
export interface AccessServiceTokenRule {
  service_token: AccessServiceTokenRule.ServiceToken;
}

export namespace AccessServiceTokenRule {
  export interface ServiceToken {
    /**
     * The ID of a Service Token.
     *
     * This is the token's identifier; no secret field is part of this type.
     */
    token_id: string;
  }
}
3223
/**
 * Matches any valid Access Service Token.
 *
 * No token ID is involved, so this rule does not distinguish between service
 * tokens. Use `AccessServiceTokenRule` when a single token must be pinned.
 */
export interface AccessAnyValidServiceTokenRule {
  /**
   * An empty object which matches on all service tokens.
   *
   * Typed `unknown`, so the value has to be narrowed before it is read.
   */
  any_valid_service_token: unknown;
}
3233
/**
 * Create Allow or Block policies which evaluate the user based on custom criteria.
 *
 * Both fields are plain strings; this type places no constraint on the scheme
 * or host of either URL.
 */
export interface AccessExternalEvaluationRule {
  external_evaluation: AccessExternalEvaluationRule.ExternalEvaluation;
}

export namespace AccessExternalEvaluationRule {
  export interface ExternalEvaluation {
    /**
     * The API endpoint containing your business logic.
     */
    evaluate_url: string;

    /**
     * The API endpoint containing the key that Access uses to verify that the response
     * came from your API.
     *
     * Because this key is what authenticates the evaluation response, a change
     * to `keys_url` deserves the same review as a change to `evaluate_url`.
     */
    keys_url: string;
  }
}
3255
3256 /**
3257 * Matches a specific country
3258 */
3259 export interface AccessCountryRule {
3260 geo: AccessCountryRule.Geo;
3261 }
3262
3263 export namespace AccessCountryRule {
3264 export interface Geo {
3265 /**
3266 * The country code that should be matched.
3267 */
3268 country_code: string;
3269 }
3270 }
3271
3272 /**
3273 * Enforce different MFA options
3274 */
3275 export interface AccessAuthenticationMethodRule {
3276 auth_method: AccessAuthenticationMethodRule.AuthMethod;
3277 }
3278
3279 export namespace AccessAuthenticationMethodRule {
3280 export interface AuthMethod {
3281 /**
3282 * The type of authentication method https://datatracker.ietf.org/doc/html/rfc8176.
3283 */
3284 auth_method: string;
3285 }
3286 }
3287
3288 /**
3289 * Enforces a device posture rule has run successfully
3290 */
3291 export interface AccessDevicePostureRule {
3292 device_posture: AccessDevicePostureRule.DevicePosture;
3293 }
3294
3295 export namespace AccessDevicePostureRule {
3296 export interface DevicePosture {
3297 /**
3298 * The ID of a device posture integration.
3299 */
3300 integration_uid: string;
3301 }
3302 }
3303
/**
 * Matches a specific email.
 *
 * This repeats a declaration made earlier in the same namespace with the same
 * member and type; TypeScript merges the two, so the repetition adds nothing to
 * the resulting type.
 */
export interface AccessEmailRule {
  email: AccessEmailRule.Email;
}

export namespace AccessEmailRule {
  export interface Email {
    /**
     * The email of the user.
     */
    email: string;
  }
}
3319
3320 /**
3321 * Matches an email address from a list.
3322 */
3323 export interface AccessEmailListRule {
3324 email_list: AccessEmailListRule.EmailList;
3325 }
3326
3327 export namespace AccessEmailListRule {
3328 export interface EmailList {
3329 /**
3330 * The ID of a previously created email list.
3331 */
3332 id: string;
3333 }
3334 }
3335
3336 /**
3337 * Match an entire email domain.
3338 */
3339 export interface AccessDomainRule {
3340 email_domain: AccessDomainRule.EmailDomain;
3341 }
3342
3343 export namespace AccessDomainRule {
3344 export interface EmailDomain {
3345 /**
3346 * The email domain to match.
3347 */
3348 domain: string;
3349 }
3350 }
3351
3352 /**
3353 * Matches everyone.
3354 */
3355 export interface AccessEveryoneRule {
3356 /**
3357 * An empty object which matches on all users.
3358 */
3359 everyone: unknown;
3360 }
3361
3362 /**
3363 * Matches an IP address block.
3364 */
3365 export interface AccessIPRule {
3366 ip: AccessIPRule.IP;
3367 }
3368
3369 export namespace AccessIPRule {
3370 export interface IP {
3371 /**
3372 * An IPv4 or IPv6 CIDR block.
3373 */
3374 ip: string;
3375 }
3376 }
3377
3378 /**
3379 * Matches an IP address from a list.
3380 */
3381 export interface AccessIPListRule {
3382 ip_list: AccessIPListRule.IPList;
3383 }
3384
3385 export namespace AccessIPListRule {
3386 export interface IPList {
3387 /**
3388 * The ID of a previously created IP list.
3389 */
3390 id: string;
3391 }
3392 }
3393
3394 /**
3395 * Matches any valid client certificate.
3396 */
3397 export interface AccessCertificateRule {
3398 certificate: unknown;
3399 }
3400
3401 /**
3402 * Matches an Access group.
3403 */
3404 export interface AccessAccessGroupRule {
3405 group: AccessAccessGroupRule.Group;
3406 }
3407
3408 export namespace AccessAccessGroupRule {
3409 export interface Group {
3410 /**
3411 * The ID of a previously created Access group.
3412 */
3413 id: string;
3414 }
3415 }
3416
3417 /**
3418 * Matches an Azure group. Requires an Azure identity provider.
3419 */
3420 export interface AccessAzureGroupRule {
3421 azureAD: AccessAzureGroupRule.AzureAd;
3422 }
3423
3424 export namespace AccessAzureGroupRule {
3425 export interface AzureAd {
3426 /**
3427 * The ID of an Azure group.
3428 */
3429 id: string;
3430
3431 /**
3432 * The ID of your Azure identity provider.
3433 */
3434 connection_id: string;
3435 }
3436 }
3437
3438 /**
3439 * Matches a Github organization. Requires a Github identity provider.
3440 */
3441 export interface AccessGitHubOrganizationRule {
3442 'github-organization': AccessGitHubOrganizationRule.GitHubOrganization;
3443 }
3444
3445 export namespace AccessGitHubOrganizationRule {
3446 export interface GitHubOrganization {
3447 /**
3448 * The ID of your Github identity provider.
3449 */
3450 connection_id: string;
3451
3452 /**
3453 * The name of the organization.
3454 */
3455 name: string;
3456 }
3457 }
3458
3459 /**
3460 * Matches a group in Google Workspace. Requires a Google Workspace identity
3461 * provider.
3462 */
3463 export interface AccessGsuiteGroupRule {
3464 gsuite: AccessGsuiteGroupRule.Gsuite;
3465 }
3466
3467 export namespace AccessGsuiteGroupRule {
3468 export interface Gsuite {
3469 /**
3470 * The ID of your Google Workspace identity provider.
3471 */
3472 connection_id: string;
3473
3474 /**
3475 * The email of the Google Workspace group.
3476 */
3477 email: string;
3478 }
3479 }
3480
3481 /**
3482 * Matches an Okta group. Requires an Okta identity provider.
3483 */
3484 export interface AccessOktaGroupRule {
3485 okta: AccessOktaGroupRule.Okta;
3486 }
3487
3488 export namespace AccessOktaGroupRule {
3489 export interface Okta {
3490 /**
3491 * The ID of your Okta identity provider.
3492 */
3493 connection_id: string;
3494
3495 /**
3496 * The email of the Okta group.
3497 */
3498 email: string;
3499 }
3500 }
3501
3502 /**
3503 * Matches a SAML group. Requires a SAML identity provider.
3504 */
3505 export interface AccessSamlGroupRule {
3506 saml: AccessSamlGroupRule.Saml;
3507 }
3508
3509 export namespace AccessSamlGroupRule {
3510 export interface Saml {
3511 /**
3512 * The name of the SAML attribute.
3513 */
3514 attribute_name: string;
3515
3516 /**
3517 * The SAML attribute value to look for.
3518 */
3519 attribute_value: string;
3520 }
3521 }
3522
3523 /**
3524 * Matches a specific Access Service Token
3525 */
3526 export interface AccessServiceTokenRule {
3527 service_token: AccessServiceTokenRule.ServiceToken;
3528 }
3529
3530 export namespace AccessServiceTokenRule {
3531 export interface ServiceToken {
3532 /**
3533 * The ID of a Service Token.
3534 */
3535 token_id: string;
3536 }
3537 }
3538
3539 /**
3540 * Matches any valid Access Service Token
3541 */
3542 export interface AccessAnyValidServiceTokenRule {
3543 /**
3544 * An empty object which matches on all service tokens.
3545 */
3546 any_valid_service_token: unknown;
3547 }
3548
3549 /**
3550 * Create Allow or Block policies which evaluate the user based on custom criteria.
3551 */
3552 export interface AccessExternalEvaluationRule {
3553 external_evaluation: AccessExternalEvaluationRule.ExternalEvaluation;
3554 }
3555
3556 export namespace AccessExternalEvaluationRule {
3557 export interface ExternalEvaluation {
3558 /**
3559 * The API endpoint containing your business logic.
3560 */
3561 evaluate_url: string;
3562
3563 /**
3564 * The API endpoint containing the key that Access uses to verify that the response
3565 * came from your API.
3566 */
3567 keys_url: string;
3568 }
3569 }
3570
3571 /**
3572 * Matches a specific country
3573 */
3574 export interface AccessCountryRule {
3575 geo: AccessCountryRule.Geo;
3576 }
3577
3578 export namespace AccessCountryRule {
3579 export interface Geo {
3580 /**
3581 * The country code that should be matched.
3582 */
3583 country_code: string;
3584 }
3585 }
3586
3587 /**
3588 * Enforce different MFA options
3589 */
3590 export interface AccessAuthenticationMethodRule {
3591 auth_method: AccessAuthenticationMethodRule.AuthMethod;
3592 }
3593
3594 export namespace AccessAuthenticationMethodRule {
3595 export interface AuthMethod {
3596 /**
3597 * The type of authentication method https://datatracker.ietf.org/doc/html/rfc8176.
3598 */
3599 auth_method: string;
3600 }
3601 }
3602
3603 /**
3604 * Enforces a device posture rule has run successfully
3605 */
3606 export interface AccessDevicePostureRule {
3607 device_posture: AccessDevicePostureRule.DevicePosture;
3608 }
3609
3610 export namespace AccessDevicePostureRule {
3611 export interface DevicePosture {
3612 /**
3613 * The ID of a device posture integration.
3614 */
3615 integration_uid: string;
3616 }
3617 }
3618
3619 /**
3620 * Matches a specific email.
3621 */
3622 export interface AccessEmailRule {
3623 email: AccessEmailRule.Email;
3624 }
3625
3626 export namespace AccessEmailRule {
3627 export interface Email {
3628 /**
3629 * The email of the user.
3630 */
3631 email: string;
3632 }
3633 }
3634
3635 /**
3636 * Matches an email address from a list.
3637 */
3638 export interface AccessEmailListRule {
3639 email_list: AccessEmailListRule.EmailList;
3640 }
3641
3642 export namespace AccessEmailListRule {
3643 export interface EmailList {
3644 /**
3645 * The ID of a previously created email list.
3646 */
3647 id: string;
3648 }
3649 }
3650
3651 /**
3652 * Match an entire email domain.
3653 */
3654 export interface AccessDomainRule {
3655 email_domain: AccessDomainRule.EmailDomain;
3656 }
3657
3658 export namespace AccessDomainRule {
3659 export interface EmailDomain {
3660 /**
3661 * The email domain to match.
3662 */
3663 domain: string;
3664 }
3665 }
3666
3667 /**
3668 * Matches everyone.
3669 */
3670 export interface AccessEveryoneRule {
3671 /**
3672 * An empty object which matches on all users.
3673 */
3674 everyone: unknown;
3675 }
3676
3677 /**
3678 * Matches an IP address block.
3679 */
3680 export interface AccessIPRule {
3681 ip: AccessIPRule.IP;
3682 }
3683
3684 export namespace AccessIPRule {
3685 export interface IP {
3686 /**
3687 * An IPv4 or IPv6 CIDR block.
3688 */
3689 ip: string;
3690 }
3691 }
3692
3693 /**
3694 * Matches an IP address from a list.
3695 */
3696 export interface AccessIPListRule {
3697 ip_list: AccessIPListRule.IPList;
3698 }
3699
3700 export namespace AccessIPListRule {
3701 export interface IPList {
3702 /**
3703 * The ID of a previously created IP list.
3704 */
3705 id: string;
3706 }
3707 }
3708
3709 /**
3710 * Matches any valid client certificate.
3711 */
3712 export interface AccessCertificateRule {
3713 certificate: unknown;
3714 }
3715
3716 /**
3717 * Matches an Access group.
3718 */
3719 export interface AccessAccessGroupRule {
3720 group: AccessAccessGroupRule.Group;
3721 }
3722
3723 export namespace AccessAccessGroupRule {
3724 export interface Group {
3725 /**
3726 * The ID of a previously created Access group.
3727 */
3728 id: string;
3729 }
3730 }
3731
3732 /**
3733 * Matches an Azure group. Requires an Azure identity provider.
3734 */
3735 export interface AccessAzureGroupRule {
3736 azureAD: AccessAzureGroupRule.AzureAd;
3737 }
3738
3739 export namespace AccessAzureGroupRule {
3740 export interface AzureAd {
3741 /**
3742 * The ID of an Azure group.
3743 */
3744 id: string;
3745
3746 /**
3747 * The ID of your Azure identity provider.
3748 */
3749 connection_id: string;
3750 }
3751 }
3752
3753 /**
3754 * Matches a Github organization. Requires a Github identity provider.
3755 */
3756 export interface AccessGitHubOrganizationRule {
3757 'github-organization': AccessGitHubOrganizationRule.GitHubOrganization;
3758 }
3759
3760 export namespace AccessGitHubOrganizationRule {
3761 export interface GitHubOrganization {
3762 /**
3763 * The ID of your Github identity provider.
3764 */
3765 connection_id: string;
3766
3767 /**
3768 * The name of the organization.
3769 */
3770 name: string;
3771 }
3772 }
3773
3774 /**
3775 * Matches a group in Google Workspace. Requires a Google Workspace identity
3776 * provider.
3777 */
3778 export interface AccessGsuiteGroupRule {
3779 gsuite: AccessGsuiteGroupRule.Gsuite;
3780 }
3781
3782 export namespace AccessGsuiteGroupRule {
3783 export interface Gsuite {
3784 /**
3785 * The ID of your Google Workspace identity provider.
3786 */
3787 connection_id: string;
3788
3789 /**
3790 * The email of the Google Workspace group.
3791 */
3792 email: string;
3793 }
3794 }
3795
3796 /**
3797 * Matches an Okta group. Requires an Okta identity provider.
3798 */
3799 export interface AccessOktaGroupRule {
3800 okta: AccessOktaGroupRule.Okta;
3801 }
3802
3803 export namespace AccessOktaGroupRule {
3804 export interface Okta {
3805 /**
3806 * The ID of your Okta identity provider.
3807 */
3808 connection_id: string;
3809
3810 /**
3811 * The email of the Okta group.
3812 */
3813 email: string;
3814 }
3815 }
3816
3817 /**
3818 * Matches a SAML group. Requires a SAML identity provider.
3819 */
3820 export interface AccessSamlGroupRule {
3821 saml: AccessSamlGroupRule.Saml;
3822 }
3823
3824 export namespace AccessSamlGroupRule {
3825 export interface Saml {
3826 /**
3827 * The name of the SAML attribute.
3828 */
3829 attribute_name: string;
3830
3831 /**
3832 * The SAML attribute value to look for.
3833 */
3834 attribute_value: string;
3835 }
3836 }
3837
3838 /**
3839 * Matches a specific Access Service Token
3840 */
3841 export interface AccessServiceTokenRule {
3842 service_token: AccessServiceTokenRule.ServiceToken;
3843 }
3844
3845 export namespace AccessServiceTokenRule {
3846 export interface ServiceToken {
3847 /**
3848 * The ID of a Service Token.
3849 */
3850 token_id: string;
3851 }
3852 }
3853
3854 /**
3855 * Matches any valid Access Service Token
3856 */
3857 export interface AccessAnyValidServiceTokenRule {
3858 /**
3859 * An empty object which matches on all service tokens.
3860 */
3861 any_valid_service_token: unknown;
3862 }
3863
3864 /**
3865 * Create Allow or Block policies which evaluate the user based on custom criteria.
3866 */
3867 export interface AccessExternalEvaluationRule {
3868 external_evaluation: AccessExternalEvaluationRule.ExternalEvaluation;
3869 }
3870
3871 export namespace AccessExternalEvaluationRule {
3872 export interface ExternalEvaluation {
3873 /**
3874 * The API endpoint containing your business logic.
3875 */
3876 evaluate_url: string;
3877
3878 /**
3879 * The API endpoint containing the key that Access uses to verify that the response
3880 * came from your API.
3881 */
3882 keys_url: string;
3883 }
3884 }
3885
3886 /**
3887 * Matches a specific country
3888 */
3889 export interface AccessCountryRule {
3890 geo: AccessCountryRule.Geo;
3891 }
3892
3893 export namespace AccessCountryRule {
3894 export interface Geo {
3895 /**
3896 * The country code that should be matched.
3897 */
3898 country_code: string;
3899 }
3900 }
3901
3902 /**
3903 * Enforce different MFA options
3904 */
3905 export interface AccessAuthenticationMethodRule {
3906 auth_method: AccessAuthenticationMethodRule.AuthMethod;
3907 }
3908
3909 export namespace AccessAuthenticationMethodRule {
3910 export interface AuthMethod {
3911 /**
3912 * The type of authentication method https://datatracker.ietf.org/doc/html/rfc8176.
3913 */
3914 auth_method: string;
3915 }
3916 }
3917
3918 /**
3919 * Enforces a device posture rule has run successfully
3920 */
3921 export interface AccessDevicePostureRule {
3922 device_posture: AccessDevicePostureRule.DevicePosture;
3923 }
3924
3925 export namespace AccessDevicePostureRule {
3926 export interface DevicePosture {
3927 /**
3928 * The ID of a device posture integration.
3929 */
3930 integration_uid: string;
3931 }
3932 }
3933
3934 /**
3935 * Matches a specific email.
3936 */
3937 export interface AccessEmailRule {
3938 email: AccessEmailRule.Email;
3939 }
3940
3941 export namespace AccessEmailRule {
3942 export interface Email {
3943 /**
3944 * The email of the user.
3945 */
3946 email: string;
3947 }
3948 }
3949
3950 /**
3951 * Matches an email address from a list.
3952 */
3953 export interface AccessEmailListRule {
3954 email_list: AccessEmailListRule.EmailList;
3955 }
3956
3957 export namespace AccessEmailListRule {
3958 export interface EmailList {
3959 /**
3960 * The ID of a previously created email list.
3961 */
3962 id: string;
3963 }
3964 }
3965
3966 /**
3967 * Match an entire email domain.
3968 */
3969 export interface AccessDomainRule {
3970 email_domain: AccessDomainRule.EmailDomain;
3971 }
3972
3973 export namespace AccessDomainRule {
3974 export interface EmailDomain {
3975 /**
3976 * The email domain to match.
3977 */
3978 domain: string;
3979 }
3980 }
3981
3982 /**
3983 * Matches everyone.
3984 */
3985 export interface AccessEveryoneRule {
3986 /**
3987 * An empty object which matches on all users.
3988 */
3989 everyone: unknown;
3990 }
3991
3992 /**
3993 * Matches an IP address block.
3994 */
3995 export interface AccessIPRule {
3996 ip: AccessIPRule.IP;
3997 }
3998
3999 export namespace AccessIPRule {
4000 export interface IP {
4001 /**
4002 * An IPv4 or IPv6 CIDR block.
4003 */
4004 ip: string;
4005 }
4006 }
4007
4008 /**
4009 * Matches an IP address from a list.
4010 */
4011 export interface AccessIPListRule {
4012 ip_list: AccessIPListRule.IPList;
4013 }
4014
4015 export namespace AccessIPListRule {
4016 export interface IPList {
4017 /**
4018 * The ID of a previously created IP list.
4019 */
4020 id: string;
4021 }
4022 }
4023
4024 /**
4025 * Matches any valid client certificate.
4026 */
4027 export interface AccessCertificateRule {
4028 certificate: unknown;
4029 }
4030
4031 /**
4032 * Matches an Access group.
4033 */
4034 export interface AccessAccessGroupRule {
4035 group: AccessAccessGroupRule.Group;
4036 }
4037
4038 export namespace AccessAccessGroupRule {
4039 export interface Group {
4040 /**
4041 * The ID of a previously created Access group.
4042 */
4043 id: string;
4044 }
4045 }
4046
4047 /**
4048 * Matches an Azure group. Requires an Azure identity provider.
4049 */
4050 export interface AccessAzureGroupRule {
4051 azureAD: AccessAzureGroupRule.AzureAd;
4052 }
4053
4054 export namespace AccessAzureGroupRule {
4055 export interface AzureAd {
4056 /**
4057 * The ID of an Azure group.
4058 */
4059 id: string;
4060
4061 /**
4062 * The ID of your Azure identity provider.
4063 */
4064 connection_id: string;
4065 }
4066 }
4067
4068 /**
4069 * Matches a Github organization. Requires a Github identity provider.
4070 */
4071 export interface AccessGitHubOrganizationRule {
4072 'github-organization': AccessGitHubOrganizationRule.GitHubOrganization;
4073 }
4074
4075 export namespace AccessGitHubOrganizationRule {
4076 export interface GitHubOrganization {
4077 /**
4078 * The ID of your Github identity provider.
4079 */
4080 connection_id: string;
4081
4082 /**
4083 * The name of the organization.
4084 */
4085 name: string;
4086 }
4087 }
4088
/**
 * Matches a group in Google Workspace. Requires a Google Workspace identity
 * provider.
 */
export interface AccessGsuiteGroupRule {
  /**
   * Rule parameters, nested under the `gsuite` key.
   */
  gsuite: AccessGsuiteGroupRule.Gsuite;
}

export namespace AccessGsuiteGroupRule {
  /**
   * Pairs a group email address with an identity provider ID.
   */
  export interface Gsuite {
    /**
     * The ID of your Google Workspace identity provider.
     */
    connection_id: string;

    /**
     * The email address of the Google Workspace group.
     */
    email: string;
  }
}

/**
 * Matches an Okta group. Requires an Okta identity provider.
 */
export interface AccessOktaGroupRule {
  /**
   * Rule parameters, nested under the `okta` key.
   */
  okta: AccessOktaGroupRule.Okta;
}

export namespace AccessOktaGroupRule {
  /**
   * Pairs a group identifier with an identity provider ID.
   */
  export interface Okta {
    /**
     * The ID of your Okta identity provider.
     */
    connection_id: string;

    /**
     * The email of the Okta group.
     *
     * NOTE(review): the field is named `email` although it identifies a group;
     * confirm against the API reference which group attribute is expected.
     */
    email: string;
  }
}

/**
 * Matches a SAML group. Requires a SAML identity provider.
 */
export interface AccessSamlGroupRule {
  /**
   * Rule parameters, nested under the `saml` key.
   */
  saml: AccessSamlGroupRule.Saml;
}

export namespace AccessSamlGroupRule {
  /**
   * A SAML attribute name/value pair. Unlike the Azure, GitHub, Google Workspace
   * and Okta rule shapes next to it, this one has no `connection_id` field.
   */
  export interface Saml {
    /**
     * The name of the SAML attribute.
     */
    attribute_name: string;

    /**
     * The SAML attribute value to look for.
     */
    attribute_value: string;
  }
}

/**
 * Matches a specific Access Service Token.
 */
export interface AccessServiceTokenRule {
  /**
   * Rule parameters, nested under the `service_token` key.
   */
  service_token: AccessServiceTokenRule.ServiceToken;
}

export namespace AccessServiceTokenRule {
  /**
   * Reference to one service token.
   */
  export interface ServiceToken {
    /**
     * The ID of a Service Token. Presumably an identifier rather than the token's
     * secret value; TODO confirm.
     */
    token_id: string;
  }
}

/**
 * Matches any valid Access Service Token. It is not tied to one token; use
 * AccessServiceTokenRule with a `token_id` to match a specific token.
 */
export interface AccessAnyValidServiceTokenRule {
  /**
   * An empty object which matches on all service tokens. Typed `unknown`, so the
   * compiler accepts any value here.
   */
  any_valid_service_token: unknown;
}

/**
 * Create Allow or Block policies which evaluate the user based on custom criteria.
 */
export interface AccessExternalEvaluationRule {
  /**
   * Rule parameters, nested under the `external_evaluation` key.
   */
  external_evaluation: AccessExternalEvaluationRule.ExternalEvaluation;
}

export namespace AccessExternalEvaluationRule {
  /**
   * The two endpoints of an external evaluation. Both are plain strings: this
   * type does not restrict the scheme or host, so any check that they point at
   * an HTTPS endpoint you control has to happen elsewhere.
   */
  export interface ExternalEvaluation {
    /**
     * The API endpoint containing your business logic.
     */
    evaluate_url: string;

    /**
     * The API endpoint containing the key that Access uses to verify that the response
     * came from your API.
     */
    keys_url: string;
  }
}

/**
 * Matches a specific country.
 */
export interface AccessCountryRule {
  /**
   * Rule parameters, nested under the `geo` key.
   */
  geo: AccessCountryRule.Geo;
}

export namespace AccessCountryRule {
  /**
   * Parameters of a country rule.
   */
  export interface Geo {
    /**
     * The country code that should be matched. The code format is not stated
     * here (presumably ISO 3166-1 alpha-2; TODO confirm).
     */
    country_code: string;
  }
}

/**
 * Enforces different MFA options.
 */
export interface AccessAuthenticationMethodRule {
  /**
   * Rule parameters. The nested object repeats the key, so the value is read as
   * `auth_method.auth_method`.
   */
  auth_method: AccessAuthenticationMethodRule.AuthMethod;
}

export namespace AccessAuthenticationMethodRule {
  /**
   * Parameters of an authentication-method rule.
   */
  export interface AuthMethod {
    /**
     * The type of authentication method; see
     * https://datatracker.ietf.org/doc/html/rfc8176. Typed as a plain string, so
     * this type does not restrict it to the values the RFC lists.
     */
    auth_method: string;
  }
}

/**
 * Enforces that a device posture rule has run successfully.
 */
export interface AccessDevicePostureRule {
  /**
   * Rule parameters, nested under the `device_posture` key.
   */
  device_posture: AccessDevicePostureRule.DevicePosture;
}

export namespace AccessDevicePostureRule {
  /**
   * Reference to a device posture integration.
   */
  export interface DevicePosture {
    /**
     * The ID of a device posture integration.
     */
    integration_uid: string;
  }
}
4248}
4249
/**
 * An Access group as described by a response body. Every field is optional, so
 * callers have to handle `undefined` for each of them, including the rule lists.
 *
 * NOTE(review): presumably the unwrapped `result` of the group replace call; the
 * method that returns it is outside this part of the file.
 */
export interface GroupReplaceResponse {
  /**
   * UUID
   */
  id?: string;

  // Undocumented in the source; presumably a creation timestamp. TODO confirm the format.
  created_at?: string;

  /**
   * Rules evaluated with a NOT logical operator. To match a policy, a user cannot
   * meet any of the Exclude rules.
   */
  exclude?: Array<
    | GroupReplaceResponse.AccessEmailRule
    | GroupReplaceResponse.AccessEmailListRule
    | GroupReplaceResponse.AccessDomainRule
    | GroupReplaceResponse.AccessEveryoneRule
    | GroupReplaceResponse.AccessIPRule
    | GroupReplaceResponse.AccessIPListRule
    | GroupReplaceResponse.AccessCertificateRule
    | GroupReplaceResponse.AccessAccessGroupRule
    | GroupReplaceResponse.AccessAzureGroupRule
    | GroupReplaceResponse.AccessGitHubOrganizationRule
    | GroupReplaceResponse.AccessGsuiteGroupRule
    | GroupReplaceResponse.AccessOktaGroupRule
    | GroupReplaceResponse.AccessSamlGroupRule
    | GroupReplaceResponse.AccessServiceTokenRule
    | GroupReplaceResponse.AccessAnyValidServiceTokenRule
    | GroupReplaceResponse.AccessExternalEvaluationRule
    | GroupReplaceResponse.AccessCountryRule
    | GroupReplaceResponse.AccessAuthenticationMethodRule
    | GroupReplaceResponse.AccessDevicePostureRule
  >;

  /**
   * Rules evaluated with an OR logical operator. A user needs to meet only one of
   * the Include rules.
   */
  include?: Array<
    | GroupReplaceResponse.AccessEmailRule
    | GroupReplaceResponse.AccessEmailListRule
    | GroupReplaceResponse.AccessDomainRule
    | GroupReplaceResponse.AccessEveryoneRule
    | GroupReplaceResponse.AccessIPRule
    | GroupReplaceResponse.AccessIPListRule
    | GroupReplaceResponse.AccessCertificateRule
    | GroupReplaceResponse.AccessAccessGroupRule
    | GroupReplaceResponse.AccessAzureGroupRule
    | GroupReplaceResponse.AccessGitHubOrganizationRule
    | GroupReplaceResponse.AccessGsuiteGroupRule
    | GroupReplaceResponse.AccessOktaGroupRule
    | GroupReplaceResponse.AccessSamlGroupRule
    | GroupReplaceResponse.AccessServiceTokenRule
    | GroupReplaceResponse.AccessAnyValidServiceTokenRule
    | GroupReplaceResponse.AccessExternalEvaluationRule
    | GroupReplaceResponse.AccessCountryRule
    | GroupReplaceResponse.AccessAuthenticationMethodRule
    | GroupReplaceResponse.AccessDevicePostureRule
  >;

  /**
   * Rules evaluated with an AND logical operator. To match a policy, a user must
   * meet all of the Require rules.
   *
   * NOTE(review): this description is word for word the one on `require`, and the
   * type is the same rule array. A field named `is_default` would normally be a
   * flag, so both the text and the type look like a generator or spec slip.
   * Confirm against the API reference before relying on this field.
   */
  is_default?: Array<
    | GroupReplaceResponse.AccessEmailRule
    | GroupReplaceResponse.AccessEmailListRule
    | GroupReplaceResponse.AccessDomainRule
    | GroupReplaceResponse.AccessEveryoneRule
    | GroupReplaceResponse.AccessIPRule
    | GroupReplaceResponse.AccessIPListRule
    | GroupReplaceResponse.AccessCertificateRule
    | GroupReplaceResponse.AccessAccessGroupRule
    | GroupReplaceResponse.AccessAzureGroupRule
    | GroupReplaceResponse.AccessGitHubOrganizationRule
    | GroupReplaceResponse.AccessGsuiteGroupRule
    | GroupReplaceResponse.AccessOktaGroupRule
    | GroupReplaceResponse.AccessSamlGroupRule
    | GroupReplaceResponse.AccessServiceTokenRule
    | GroupReplaceResponse.AccessAnyValidServiceTokenRule
    | GroupReplaceResponse.AccessExternalEvaluationRule
    | GroupReplaceResponse.AccessCountryRule
    | GroupReplaceResponse.AccessAuthenticationMethodRule
    | GroupReplaceResponse.AccessDevicePostureRule
  >;

  /**
   * The name of the Access group.
   */
  name?: string;

  /**
   * Rules evaluated with an AND logical operator. To match a policy, a user must
   * meet all of the Require rules.
   */
  require?: Array<
    | GroupReplaceResponse.AccessEmailRule
    | GroupReplaceResponse.AccessEmailListRule
    | GroupReplaceResponse.AccessDomainRule
    | GroupReplaceResponse.AccessEveryoneRule
    | GroupReplaceResponse.AccessIPRule
    | GroupReplaceResponse.AccessIPListRule
    | GroupReplaceResponse.AccessCertificateRule
    | GroupReplaceResponse.AccessAccessGroupRule
    | GroupReplaceResponse.AccessAzureGroupRule
    | GroupReplaceResponse.AccessGitHubOrganizationRule
    | GroupReplaceResponse.AccessGsuiteGroupRule
    | GroupReplaceResponse.AccessOktaGroupRule
    | GroupReplaceResponse.AccessSamlGroupRule
    | GroupReplaceResponse.AccessServiceTokenRule
    | GroupReplaceResponse.AccessAnyValidServiceTokenRule
    | GroupReplaceResponse.AccessExternalEvaluationRule
    | GroupReplaceResponse.AccessCountryRule
    | GroupReplaceResponse.AccessAuthenticationMethodRule
    | GroupReplaceResponse.AccessDevicePostureRule
  >;

  // Undocumented in the source; presumably a last-modified timestamp. TODO confirm the format.
  updated_at?: string;
}

4370export namespace GroupReplaceResponse {
/**
 * Matches a specific email address.
 */
export interface AccessEmailRule {
  /**
   * Rule parameters, nested under the `email` key.
   */
  email: AccessEmailRule.Email;
}

export namespace AccessEmailRule {
  /**
   * Parameters of an email rule.
   */
  export interface Email {
    /**
     * The email address of the user.
     */
    email: string;
  }
}

/**
 * Matches an email address from a list.
 */
export interface AccessEmailListRule {
  /**
   * Rule parameters, nested under the `email_list` key.
   */
  email_list: AccessEmailListRule.EmailList;
}

export namespace AccessEmailListRule {
  /**
   * Reference to an email list. Only the list ID is part of this type, not the
   * addresses the list contains.
   */
  export interface EmailList {
    /**
     * The ID of a previously created email list.
     */
    id: string;
  }
}

/**
 * Matches an entire email domain, that is, every address at that domain.
 */
export interface AccessDomainRule {
  /**
   * Rule parameters, nested under the `email_domain` key.
   */
  email_domain: AccessDomainRule.EmailDomain;
}

export namespace AccessDomainRule {
  /**
   * Parameters of an email-domain rule.
   */
  export interface EmailDomain {
    /**
     * The email domain to match.
     */
    domain: string;
  }
}

/**
 * Matches everyone.
 *
 * Per the `include` description on GroupReplaceResponse, one matching Include
 * rule is enough, so this rule under `include` is satisfied by every user and
 * any narrowing has to come from the `require` or `exclude` rules.
 */
export interface AccessEveryoneRule {
  /**
   * An empty object which matches on all users. Typed `unknown`, so the compiler
   * accepts any value here.
   */
  everyone: unknown;
}

/**
 * Matches an IP address block.
 */
export interface AccessIPRule {
  /**
   * Rule parameters, nested under the `ip` key.
   */
  ip: AccessIPRule.IP;
}

export namespace AccessIPRule {
  /**
   * Parameters of an IP rule.
   */
  export interface IP {
    /**
     * An IPv4 or IPv6 CIDR block. Typed as a plain string: neither the address
     * nor the prefix length is checked by this type.
     */
    ip: string;
  }
}

/**
 * Matches an IP address from a list.
 */
export interface AccessIPListRule {
  /**
   * Rule parameters, nested under the `ip_list` key.
   */
  ip_list: AccessIPListRule.IPList;
}

export namespace AccessIPListRule {
  /**
   * Reference to an IP list. Only the list ID is part of this type, not the
   * addresses the list contains.
   */
  export interface IPList {
    /**
     * The ID of a previously created IP list.
     */
    id: string;
  }
}

/**
 * Matches any valid client certificate. The rule has no field that identifies a
 * particular certificate or issuer.
 */
export interface AccessCertificateRule {
  /**
   * Typed `unknown`; presumably an empty marker object. TODO confirm against the
   * API reference.
   */
  certificate: unknown;
}

/**
 * Matches an Access group.
 */
export interface AccessAccessGroupRule {
  /**
   * Rule parameters, nested under the `group` key.
   */
  group: AccessAccessGroupRule.Group;
}

export namespace AccessAccessGroupRule {
  /**
   * Reference to another Access group. Only the group ID is part of this type,
   * not the rules of the referenced group.
   */
  export interface Group {
    /**
     * The ID of a previously created Access group.
     */
    id: string;
  }
}

/**
 * Matches an Azure group. Requires an Azure identity provider.
 */
export interface AccessAzureGroupRule {
  /**
   * Rule parameters. Note the key is spelled `azureAD`, not snake_case.
   */
  azureAD: AccessAzureGroupRule.AzureAd;
}

export namespace AccessAzureGroupRule {
  /**
   * Pairs an Azure group ID with an identity provider ID.
   */
  export interface AzureAd {
    /**
     * The ID of an Azure group.
     */
    id: string;

    /**
     * The ID of your Azure identity provider.
     */
    connection_id: string;
  }
}

/**
 * Matches a GitHub organization. Requires a GitHub identity provider.
 */
export interface AccessGitHubOrganizationRule {
  /**
   * Rule parameters. The key contains a hyphen, so it has to be quoted and read
   * with bracket notation.
   */
  'github-organization': AccessGitHubOrganizationRule.GitHubOrganization;
}

export namespace AccessGitHubOrganizationRule {
  /**
   * Pairs an organization name with an identity provider ID.
   */
  export interface GitHubOrganization {
    /**
     * The ID of your GitHub identity provider.
     */
    connection_id: string;

    /**
     * The name of the organization.
     */
    name: string;
  }
}

/**
 * Matches a group in Google Workspace. Requires a Google Workspace identity
 * provider.
 */
export interface AccessGsuiteGroupRule {
  /**
   * Rule parameters, nested under the `gsuite` key.
   */
  gsuite: AccessGsuiteGroupRule.Gsuite;
}

export namespace AccessGsuiteGroupRule {
  /**
   * Pairs a group email address with an identity provider ID.
   */
  export interface Gsuite {
    /**
     * The ID of your Google Workspace identity provider.
     */
    connection_id: string;

    /**
     * The email address of the Google Workspace group.
     */
    email: string;
  }
}

/**
 * Matches an Okta group. Requires an Okta identity provider.
 */
export interface AccessOktaGroupRule {
  /**
   * Rule parameters, nested under the `okta` key.
   */
  okta: AccessOktaGroupRule.Okta;
}

export namespace AccessOktaGroupRule {
  /**
   * Pairs a group identifier with an identity provider ID.
   */
  export interface Okta {
    /**
     * The ID of your Okta identity provider.
     */
    connection_id: string;

    /**
     * The email of the Okta group.
     *
     * NOTE(review): the field is named `email` although it identifies a group;
     * confirm against the API reference which group attribute is expected.
     */
    email: string;
  }
}

/**
 * Matches a SAML group. Requires a SAML identity provider.
 */
export interface AccessSamlGroupRule {
  /**
   * Rule parameters, nested under the `saml` key.
   */
  saml: AccessSamlGroupRule.Saml;
}

export namespace AccessSamlGroupRule {
  /**
   * A SAML attribute name/value pair. Unlike the Azure, GitHub, Google Workspace
   * and Okta rule shapes next to it, this one has no `connection_id` field.
   */
  export interface Saml {
    /**
     * The name of the SAML attribute.
     */
    attribute_name: string;

    /**
     * The SAML attribute value to look for.
     */
    attribute_value: string;
  }
}

/**
 * Matches a specific Access Service Token.
 */
export interface AccessServiceTokenRule {
  /**
   * Rule parameters, nested under the `service_token` key.
   */
  service_token: AccessServiceTokenRule.ServiceToken;
}

export namespace AccessServiceTokenRule {
  /**
   * Reference to one service token.
   */
  export interface ServiceToken {
    /**
     * The ID of a Service Token. Presumably an identifier rather than the token's
     * secret value; TODO confirm.
     */
    token_id: string;
  }
}

/**
 * Matches any valid Access Service Token. It is not tied to one token; use
 * AccessServiceTokenRule with a `token_id` to match a specific token.
 */
export interface AccessAnyValidServiceTokenRule {
  /**
   * An empty object which matches on all service tokens. Typed `unknown`, so the
   * compiler accepts any value here.
   */
  any_valid_service_token: unknown;
}

/**
 * Create Allow or Block policies which evaluate the user based on custom criteria.
 */
export interface AccessExternalEvaluationRule {
  /**
   * Rule parameters, nested under the `external_evaluation` key.
   */
  external_evaluation: AccessExternalEvaluationRule.ExternalEvaluation;
}

export namespace AccessExternalEvaluationRule {
  /**
   * The two endpoints of an external evaluation. Both are plain strings: this
   * type does not restrict the scheme or host, so any check that they point at
   * an HTTPS endpoint you control has to happen elsewhere.
   */
  export interface ExternalEvaluation {
    /**
     * The API endpoint containing your business logic.
     */
    evaluate_url: string;

    /**
     * The API endpoint containing the key that Access uses to verify that the response
     * came from your API.
     */
    keys_url: string;
  }
}

/**
 * Matches a specific country.
 */
export interface AccessCountryRule {
  /**
   * Rule parameters, nested under the `geo` key.
   */
  geo: AccessCountryRule.Geo;
}

export namespace AccessCountryRule {
  /**
   * Parameters of a country rule.
   */
  export interface Geo {
    /**
     * The country code that should be matched. The code format is not stated
     * here (presumably ISO 3166-1 alpha-2; TODO confirm).
     */
    country_code: string;
  }
}

/**
 * Enforces different MFA options.
 */
export interface AccessAuthenticationMethodRule {
  /**
   * Rule parameters. The nested object repeats the key, so the value is read as
   * `auth_method.auth_method`.
   */
  auth_method: AccessAuthenticationMethodRule.AuthMethod;
}

export namespace AccessAuthenticationMethodRule {
  /**
   * Parameters of an authentication-method rule.
   */
  export interface AuthMethod {
    /**
     * The type of authentication method; see
     * https://datatracker.ietf.org/doc/html/rfc8176. Typed as a plain string, so
     * this type does not restrict it to the values the RFC lists.
     */
    auth_method: string;
  }
}

/**
 * Enforces that a device posture rule has run successfully.
 */
export interface AccessDevicePostureRule {
  /**
   * Rule parameters, nested under the `device_posture` key.
   */
  device_posture: AccessDevicePostureRule.DevicePosture;
}

export namespace AccessDevicePostureRule {
  /**
   * Reference to a device posture integration.
   */
  export interface DevicePosture {
    /**
     * The ID of a device posture integration.
     */
    integration_uid: string;
  }
}

// NOTE(review): `AccessEmailRule` and the rule declarations that follow it are
// already declared earlier in this namespace with the same shapes. TypeScript
// merges identical interface declarations, so the repetition is redundant
// rather than wrong; it looks like a code-generator artifact.
/**
 * Matches a specific email address.
 */
export interface AccessEmailRule {
  /**
   * Rule parameters, nested under the `email` key.
   */
  email: AccessEmailRule.Email;
}

export namespace AccessEmailRule {
  /**
   * Parameters of an email rule.
   */
  export interface Email {
    /**
     * The email address of the user.
     */
    email: string;
  }
}

/**
 * Matches an email address from a list.
 */
export interface AccessEmailListRule {
  /**
   * Rule parameters, nested under the `email_list` key.
   */
  email_list: AccessEmailListRule.EmailList;
}

export namespace AccessEmailListRule {
  /**
   * Reference to an email list. Only the list ID is part of this type, not the
   * addresses the list contains.
   */
  export interface EmailList {
    /**
     * The ID of a previously created email list.
     */
    id: string;
  }
}

/**
 * Matches an entire email domain, that is, every address at that domain.
 */
export interface AccessDomainRule {
  /**
   * Rule parameters, nested under the `email_domain` key.
   */
  email_domain: AccessDomainRule.EmailDomain;
}

export namespace AccessDomainRule {
  /**
   * Parameters of an email-domain rule.
   */
  export interface EmailDomain {
    /**
     * The email domain to match.
     */
    domain: string;
  }
}

/**
 * Matches everyone.
 *
 * Per the `include` description on GroupReplaceResponse, one matching Include
 * rule is enough, so this rule under `include` is satisfied by every user and
 * any narrowing has to come from the `require` or `exclude` rules.
 */
export interface AccessEveryoneRule {
  /**
   * An empty object which matches on all users. Typed `unknown`, so the compiler
   * accepts any value here.
   */
  everyone: unknown;
}

/**
 * Matches an IP address block.
 */
export interface AccessIPRule {
  /**
   * Rule parameters, nested under the `ip` key.
   */
  ip: AccessIPRule.IP;
}

export namespace AccessIPRule {
  /**
   * Parameters of an IP rule.
   */
  export interface IP {
    /**
     * An IPv4 or IPv6 CIDR block. Typed as a plain string: neither the address
     * nor the prefix length is checked by this type.
     */
    ip: string;
  }
}

/**
 * Matches an IP address from a list.
 */
export interface AccessIPListRule {
  /**
   * Rule parameters, nested under the `ip_list` key.
   */
  ip_list: AccessIPListRule.IPList;
}

export namespace AccessIPListRule {
  /**
   * Reference to an IP list. Only the list ID is part of this type, not the
   * addresses the list contains.
   */
  export interface IPList {
    /**
     * The ID of a previously created IP list.
     */
    id: string;
  }
}

/**
 * Matches any valid client certificate. The rule has no field that identifies a
 * particular certificate or issuer.
 */
export interface AccessCertificateRule {
  /**
   * Typed `unknown`; presumably an empty marker object. TODO confirm against the
   * API reference.
   */
  certificate: unknown;
}

/**
 * Matches an Access group.
 */
export interface AccessAccessGroupRule {
  /**
   * Rule parameters, nested under the `group` key.
   */
  group: AccessAccessGroupRule.Group;
}

export namespace AccessAccessGroupRule {
  /**
   * Reference to another Access group. Only the group ID is part of this type,
   * not the rules of the referenced group.
   */
  export interface Group {
    /**
     * The ID of a previously created Access group.
     */
    id: string;
  }
}

/**
 * Matches an Azure group. Requires an Azure identity provider.
 */
export interface AccessAzureGroupRule {
  /**
   * Rule parameters. Note the key is spelled `azureAD`, not snake_case.
   */
  azureAD: AccessAzureGroupRule.AzureAd;
}

export namespace AccessAzureGroupRule {
  /**
   * Pairs an Azure group ID with an identity provider ID.
   */
  export interface AzureAd {
    /**
     * The ID of an Azure group.
     */
    id: string;

    /**
     * The ID of your Azure identity provider.
     */
    connection_id: string;
  }
}

/**
 * Matches a GitHub organization. Requires a GitHub identity provider.
 */
export interface AccessGitHubOrganizationRule {
  /**
   * Rule parameters. The key contains a hyphen, so it has to be quoted and read
   * with bracket notation.
   */
  'github-organization': AccessGitHubOrganizationRule.GitHubOrganization;
}

export namespace AccessGitHubOrganizationRule {
  /**
   * Pairs an organization name with an identity provider ID.
   */
  export interface GitHubOrganization {
    /**
     * The ID of your GitHub identity provider.
     */
    connection_id: string;

    /**
     * The name of the organization.
     */
    name: string;
  }
}

/**
 * Matches a group in Google Workspace. Requires a Google Workspace identity
 * provider.
 */
export interface AccessGsuiteGroupRule {
  /**
   * Rule parameters, nested under the `gsuite` key.
   */
  gsuite: AccessGsuiteGroupRule.Gsuite;
}

export namespace AccessGsuiteGroupRule {
  /**
   * Pairs a group email address with an identity provider ID.
   */
  export interface Gsuite {
    /**
     * The ID of your Google Workspace identity provider.
     */
    connection_id: string;

    /**
     * The email address of the Google Workspace group.
     */
    email: string;
  }
}

/**
 * Matches an Okta group. Requires an Okta identity provider.
 */
export interface AccessOktaGroupRule {
  /**
   * Rule parameters, nested under the `okta` key.
   */
  okta: AccessOktaGroupRule.Okta;
}

export namespace AccessOktaGroupRule {
  /**
   * Pairs a group identifier with an identity provider ID.
   */
  export interface Okta {
    /**
     * The ID of your Okta identity provider.
     */
    connection_id: string;

    /**
     * The email of the Okta group.
     *
     * NOTE(review): the field is named `email` although it identifies a group;
     * confirm against the API reference which group attribute is expected.
     */
    email: string;
  }
}

/**
 * Matches a SAML group. Requires a SAML identity provider.
 */
export interface AccessSamlGroupRule {
  /**
   * Rule parameters, nested under the `saml` key.
   */
  saml: AccessSamlGroupRule.Saml;
}

export namespace AccessSamlGroupRule {
  /**
   * A SAML attribute name/value pair. Unlike the Azure, GitHub, Google Workspace
   * and Okta rule shapes next to it, this one has no `connection_id` field.
   */
  export interface Saml {
    /**
     * The name of the SAML attribute.
     */
    attribute_name: string;

    /**
     * The SAML attribute value to look for.
     */
    attribute_value: string;
  }
}

/**
 * Matches a specific Access Service Token.
 */
export interface AccessServiceTokenRule {
  /**
   * Rule parameters, nested under the `service_token` key.
   */
  service_token: AccessServiceTokenRule.ServiceToken;
}

export namespace AccessServiceTokenRule {
  /**
   * Reference to one service token.
   */
  export interface ServiceToken {
    /**
     * The ID of a Service Token. Presumably an identifier rather than the token's
     * secret value; TODO confirm.
     */
    token_id: string;
  }
}

/**
 * Matches any valid Access Service Token. It is not tied to one token; use
 * AccessServiceTokenRule with a `token_id` to match a specific token.
 */
export interface AccessAnyValidServiceTokenRule {
  /**
   * An empty object which matches on all service tokens. Typed `unknown`, so the
   * compiler accepts any value here.
   */
  any_valid_service_token: unknown;
}

/**
 * Create Allow or Block policies which evaluate the user based on custom criteria.
 */
export interface AccessExternalEvaluationRule {
  /**
   * Rule parameters, nested under the `external_evaluation` key.
   */
  external_evaluation: AccessExternalEvaluationRule.ExternalEvaluation;
}

export namespace AccessExternalEvaluationRule {
  /**
   * The two endpoints of an external evaluation. Both are plain strings: this
   * type does not restrict the scheme or host, so any check that they point at
   * an HTTPS endpoint you control has to happen elsewhere.
   */
  export interface ExternalEvaluation {
    /**
     * The API endpoint containing your business logic.
     */
    evaluate_url: string;

    /**
     * The API endpoint containing the key that Access uses to verify that the response
     * came from your API.
     */
    keys_url: string;
  }
}

/**
 * Matches a specific country.
 */
export interface AccessCountryRule {
  /**
   * Rule parameters, nested under the `geo` key.
   */
  geo: AccessCountryRule.Geo;
}

export namespace AccessCountryRule {
  /**
   * Parameters of a country rule.
   */
  export interface Geo {
    /**
     * The country code that should be matched. The code format is not stated
     * here (presumably ISO 3166-1 alpha-2; TODO confirm).
     */
    country_code: string;
  }
}

/**
 * Enforces different MFA options.
 */
export interface AccessAuthenticationMethodRule {
  /**
   * Rule parameters. The nested object repeats the key, so the value is read as
   * `auth_method.auth_method`.
   */
  auth_method: AccessAuthenticationMethodRule.AuthMethod;
}

export namespace AccessAuthenticationMethodRule {
  /**
   * Parameters of an authentication-method rule.
   */
  export interface AuthMethod {
    /**
     * The type of authentication method; see
     * https://datatracker.ietf.org/doc/html/rfc8176. Typed as a plain string, so
     * this type does not restrict it to the values the RFC lists.
     */
    auth_method: string;
  }
}

/**
 * Enforces that a device posture rule has run successfully.
 */
export interface AccessDevicePostureRule {
  /**
   * Rule parameters, nested under the `device_posture` key.
   */
  device_posture: AccessDevicePostureRule.DevicePosture;
}

export namespace AccessDevicePostureRule {
  /**
   * Reference to a device posture integration.
   */
  export interface DevicePosture {
    /**
     * The ID of a device posture integration.
     */
    integration_uid: string;
  }
}

// NOTE(review): `AccessEmailRule` and the rule declarations that follow it are
// already declared earlier in this namespace with the same shapes. TypeScript
// merges identical interface declarations, so the repetition is redundant
// rather than wrong; it looks like a code-generator artifact.
/**
 * Matches a specific email address.
 */
export interface AccessEmailRule {
  /**
   * Rule parameters, nested under the `email` key.
   */
  email: AccessEmailRule.Email;
}

export namespace AccessEmailRule {
  /**
   * Parameters of an email rule.
   */
  export interface Email {
    /**
     * The email address of the user.
     */
    email: string;
  }
}

/**
 * Matches an email address from a list.
 */
export interface AccessEmailListRule {
  /**
   * Rule parameters, nested under the `email_list` key.
   */
  email_list: AccessEmailListRule.EmailList;
}

export namespace AccessEmailListRule {
  /**
   * Reference to an email list. Only the list ID is part of this type, not the
   * addresses the list contains.
   */
  export interface EmailList {
    /**
     * The ID of a previously created email list.
     */
    id: string;
  }
}

/**
 * Matches an entire email domain, that is, every address at that domain.
 */
export interface AccessDomainRule {
  /**
   * Rule parameters, nested under the `email_domain` key.
   */
  email_domain: AccessDomainRule.EmailDomain;
}

export namespace AccessDomainRule {
  /**
   * Parameters of an email-domain rule.
   */
  export interface EmailDomain {
    /**
     * The email domain to match.
     */
    domain: string;
  }
}

/**
 * Matches everyone.
 *
 * Per the `include` description on GroupReplaceResponse, one matching Include
 * rule is enough, so this rule under `include` is satisfied by every user and
 * any narrowing has to come from the `require` or `exclude` rules.
 */
export interface AccessEveryoneRule {
  /**
   * An empty object which matches on all users. Typed `unknown`, so the compiler
   * accepts any value here.
   */
  everyone: unknown;
}

/**
 * Matches an IP address block.
 */
export interface AccessIPRule {
  /**
   * Rule parameters, nested under the `ip` key.
   */
  ip: AccessIPRule.IP;
}

export namespace AccessIPRule {
  /**
   * Parameters of an IP rule.
   */
  export interface IP {
    /**
     * An IPv4 or IPv6 CIDR block. Typed as a plain string: neither the address
     * nor the prefix length is checked by this type.
     */
    ip: string;
  }
}

/**
 * Matches an IP address from a list.
 */
export interface AccessIPListRule {
  /**
   * Rule parameters, nested under the `ip_list` key.
   */
  ip_list: AccessIPListRule.IPList;
}

export namespace AccessIPListRule {
  /**
   * Reference to an IP list. Only the list ID is part of this type, not the
   * addresses the list contains.
   */
  export interface IPList {
    /**
     * The ID of a previously created IP list.
     */
    id: string;
  }
}

/**
 * Matches any valid client certificate. The rule has no field that identifies a
 * particular certificate or issuer.
 */
export interface AccessCertificateRule {
  /**
   * Typed `unknown`; presumably an empty marker object. TODO confirm against the
   * API reference.
   */
  certificate: unknown;
}

/**
 * Matches an Access group.
 */
export interface AccessAccessGroupRule {
  /**
   * Rule parameters, nested under the `group` key.
   */
  group: AccessAccessGroupRule.Group;
}

export namespace AccessAccessGroupRule {
  /**
   * Reference to another Access group. Only the group ID is part of this type,
   * not the rules of the referenced group.
   */
  export interface Group {
    /**
     * The ID of a previously created Access group.
     */
    id: string;
  }
}

/**
 * Matches an Azure group. Requires an Azure identity provider.
 */
export interface AccessAzureGroupRule {
  /**
   * Rule parameters. Note the key is spelled `azureAD`, not snake_case.
   */
  azureAD: AccessAzureGroupRule.AzureAd;
}

export namespace AccessAzureGroupRule {
  /**
   * Pairs an Azure group ID with an identity provider ID.
   */
  export interface AzureAd {
    /**
     * The ID of an Azure group.
     */
    id: string;

    /**
     * The ID of your Azure identity provider.
     */
    connection_id: string;
  }
}

/**
 * Matches a GitHub organization. Requires a GitHub identity provider.
 */
export interface AccessGitHubOrganizationRule {
  /**
   * Rule parameters. The key contains a hyphen, so it has to be quoted and read
   * with bracket notation.
   */
  'github-organization': AccessGitHubOrganizationRule.GitHubOrganization;
}

export namespace AccessGitHubOrganizationRule {
  /**
   * Pairs an organization name with an identity provider ID.
   */
  export interface GitHubOrganization {
    /**
     * The ID of your GitHub identity provider.
     */
    connection_id: string;

    /**
     * The name of the organization.
     */
    name: string;
  }
}

/**
 * Matches a group in Google Workspace. Requires a Google Workspace identity
 * provider.
 */
export interface AccessGsuiteGroupRule {
  /**
   * Rule parameters, nested under the `gsuite` key.
   */
  gsuite: AccessGsuiteGroupRule.Gsuite;
}

export namespace AccessGsuiteGroupRule {
  /**
   * Pairs a group email address with an identity provider ID.
   */
  export interface Gsuite {
    /**
     * The ID of your Google Workspace identity provider.
     */
    connection_id: string;

    /**
     * The email address of the Google Workspace group.
     */
    email: string;
  }
}

/**
 * Matches an Okta group. Requires an Okta identity provider.
 */
export interface AccessOktaGroupRule {
  /**
   * Rule parameters, nested under the `okta` key.
   */
  okta: AccessOktaGroupRule.Okta;
}

export namespace AccessOktaGroupRule {
  /**
   * Pairs a group identifier with an identity provider ID.
   */
  export interface Okta {
    /**
     * The ID of your Okta identity provider.
     */
    connection_id: string;

    /**
     * The email of the Okta group.
     *
     * NOTE(review): the field is named `email` although it identifies a group;
     * confirm against the API reference which group attribute is expected.
     */
    email: string;
  }
}

/**
 * Matches a SAML group. Requires a SAML identity provider.
 */
export interface AccessSamlGroupRule {
  /**
   * Rule parameters, nested under the `saml` key.
   */
  saml: AccessSamlGroupRule.Saml;
}

export namespace AccessSamlGroupRule {
  /**
   * A SAML attribute name/value pair. Unlike the Azure, GitHub, Google Workspace
   * and Okta rule shapes next to it, this one has no `connection_id` field.
   */
  export interface Saml {
    /**
     * The name of the SAML attribute.
     */
    attribute_name: string;

    /**
     * The SAML attribute value to look for.
     */
    attribute_value: string;
  }
}

/**
 * Matches a specific Access Service Token.
 */
export interface AccessServiceTokenRule {
  /**
   * Rule parameters, nested under the `service_token` key.
   */
  service_token: AccessServiceTokenRule.ServiceToken;
}

export namespace AccessServiceTokenRule {
  /**
   * Reference to one service token.
   */
  export interface ServiceToken {
    /**
     * The ID of a Service Token. Presumably an identifier rather than the token's
     * secret value; TODO confirm.
     */
    token_id: string;
  }
}

/**
 * Matches any valid Access Service Token. It is not tied to one token; use
 * AccessServiceTokenRule with a `token_id` to match a specific token.
 */
export interface AccessAnyValidServiceTokenRule {
  /**
   * An empty object which matches on all service tokens. Typed `unknown`, so the
   * compiler accepts any value here.
   */
  any_valid_service_token: unknown;
}

/**
 * Create Allow or Block policies which evaluate the user based on custom criteria.
 */
export interface AccessExternalEvaluationRule {
  /**
   * Rule parameters, nested under the `external_evaluation` key.
   */
  external_evaluation: AccessExternalEvaluationRule.ExternalEvaluation;
}

export namespace AccessExternalEvaluationRule {
  /**
   * The two endpoints of an external evaluation. Both are plain strings: this
   * type does not restrict the scheme or host, so any check that they point at
   * an HTTPS endpoint you control has to happen elsewhere.
   */
  export interface ExternalEvaluation {
    /**
     * The API endpoint containing your business logic.
     */
    evaluate_url: string;

    /**
     * The API endpoint containing the key that Access uses to verify that the response
     * came from your API.
     */
    keys_url: string;
  }
}

/**
 * Matches a specific country.
 */
export interface AccessCountryRule {
  /**
   * Rule parameters, nested under the `geo` key.
   */
  geo: AccessCountryRule.Geo;
}

export namespace AccessCountryRule {
  /**
   * Parameters of a country rule.
   */
  export interface Geo {
    /**
     * The country code that should be matched. The code format is not stated
     * here (presumably ISO 3166-1 alpha-2; TODO confirm).
     */
    country_code: string;
  }
}

/**
 * Enforces different MFA options.
 */
export interface AccessAuthenticationMethodRule {
  /**
   * Rule parameters. The nested object repeats the key, so the value is read as
   * `auth_method.auth_method`.
   */
  auth_method: AccessAuthenticationMethodRule.AuthMethod;
}

export namespace AccessAuthenticationMethodRule {
  /**
   * Parameters of an authentication-method rule.
   */
  export interface AuthMethod {
    /**
     * The type of authentication method; see
     * https://datatracker.ietf.org/doc/html/rfc8176. Typed as a plain string, so
     * this type does not restrict it to the values the RFC lists.
     */
    auth_method: string;
  }
}

/**
 * Enforces that a device posture rule has run successfully.
 */
export interface AccessDevicePostureRule {
  /**
   * Rule parameters, nested under the `device_posture` key.
   */
  device_posture: AccessDevicePostureRule.DevicePosture;
}

export namespace AccessDevicePostureRule {
  /**
   * Reference to a device posture integration.
   */
  export interface DevicePosture {
    /**
     * The ID of a device posture integration.
     */
    integration_uid: string;
  }
}

// NOTE(review): `AccessEmailRule` and the rule declarations that follow it are
// already declared earlier in this namespace with the same shapes. TypeScript
// merges identical interface declarations, so the repetition is redundant
// rather than wrong; it looks like a code-generator artifact.
/**
 * Matches a specific email address.
 */
export interface AccessEmailRule {
  /**
   * Rule parameters, nested under the `email` key.
   */
  email: AccessEmailRule.Email;
}

export namespace AccessEmailRule {
  /**
   * Parameters of an email rule.
   */
  export interface Email {
    /**
     * The email address of the user.
     */
    email: string;
  }
}

/**
 * Matches an email address from a list.
 */
export interface AccessEmailListRule {
  /**
   * Rule parameters, nested under the `email_list` key.
   */
  email_list: AccessEmailListRule.EmailList;
}

export namespace AccessEmailListRule {
  /**
   * Reference to an email list. Only the list ID is part of this type, not the
   * addresses the list contains.
   */
  export interface EmailList {
    /**
     * The ID of a previously created email list.
     */
    id: string;
  }
}

/**
 * Matches an entire email domain, that is, every address at that domain.
 */
export interface AccessDomainRule {
  /**
   * Rule parameters, nested under the `email_domain` key.
   */
  email_domain: AccessDomainRule.EmailDomain;
}

export namespace AccessDomainRule {
  /**
   * Parameters of an email-domain rule.
   */
  export interface EmailDomain {
    /**
     * The email domain to match.
     */
    domain: string;
  }
}

/**
 * Matches everyone.
 *
 * Per the `include` description on GroupReplaceResponse, one matching Include
 * rule is enough, so this rule under `include` is satisfied by every user and
 * any narrowing has to come from the `require` or `exclude` rules.
 */
export interface AccessEveryoneRule {
  /**
   * An empty object which matches on all users. Typed `unknown`, so the compiler
   * accepts any value here.
   */
  everyone: unknown;
}

/**
 * Matches an IP address block.
 */
export interface AccessIPRule {
  /**
   * Rule parameters, nested under the `ip` key.
   */
  ip: AccessIPRule.IP;
}

export namespace AccessIPRule {
  /**
   * Parameters of an IP rule.
   */
  export interface IP {
    /**
     * An IPv4 or IPv6 CIDR block. Typed as a plain string: neither the address
     * nor the prefix length is checked by this type.
     */
    ip: string;
  }
}

/**
 * Matches an IP address from a list.
 */
export interface AccessIPListRule {
  /**
   * Rule parameters, nested under the `ip_list` key.
   */
  ip_list: AccessIPListRule.IPList;
}

export namespace AccessIPListRule {
  /**
   * Reference to an IP list. Only the list ID is part of this type, not the
   * addresses the list contains.
   */
  export interface IPList {
    /**
     * The ID of a previously created IP list.
     */
    id: string;
  }
}

/**
 * Matches any valid client certificate. The rule has no field that identifies a
 * particular certificate or issuer.
 */
export interface AccessCertificateRule {
  /**
   * Typed `unknown`; presumably an empty marker object. TODO confirm against the
   * API reference.
   */
  certificate: unknown;
}

/**
 * Matches an Access group.
 */
export interface AccessAccessGroupRule {
  /**
   * Rule parameters, nested under the `group` key.
   */
  group: AccessAccessGroupRule.Group;
}

export namespace AccessAccessGroupRule {
  /**
   * Reference to another Access group. Only the group ID is part of this type,
   * not the rules of the referenced group.
   */
  export interface Group {
    /**
     * The ID of a previously created Access group.
     */
    id: string;
  }
}

/**
 * Matches an Azure group. Requires an Azure identity provider.
 */
export interface AccessAzureGroupRule {
  /**
   * Rule parameters. Note the key is spelled `azureAD`, not snake_case.
   */
  azureAD: AccessAzureGroupRule.AzureAd;
}

export namespace AccessAzureGroupRule {
  /**
   * Pairs an Azure group ID with an identity provider ID.
   */
  export interface AzureAd {
    /**
     * The ID of an Azure group.
     */
    id: string;

    /**
     * The ID of your Azure identity provider.
     */
    connection_id: string;
  }
}

/**
 * Matches a GitHub organization. Requires a GitHub identity provider.
 */
export interface AccessGitHubOrganizationRule {
  /**
   * Rule parameters. The key contains a hyphen, so it has to be quoted and read
   * with bracket notation.
   */
  'github-organization': AccessGitHubOrganizationRule.GitHubOrganization;
}

export namespace AccessGitHubOrganizationRule {
  /**
   * Pairs an organization name with an identity provider ID.
   */
  export interface GitHubOrganization {
    /**
     * The ID of your GitHub identity provider.
     */
    connection_id: string;

    /**
     * The name of the organization.
     */
    name: string;
  }
}

/**
 * Rule that matches a Google Workspace group. A Google Workspace identity
 * provider is required.
 */
export interface AccessGsuiteGroupRule {
  gsuite: AccessGsuiteGroupRule.Gsuite;
}

export namespace AccessGsuiteGroupRule {
  export interface Gsuite {
    /**
     * Email of the Google Workspace group.
     */
    email: string;

    /**
     * ID of your Google Workspace identity provider.
     */
    connection_id: string;
  }
}
5492
/**
 * Rule that matches an Okta group. An Okta identity provider is required.
 */
export interface AccessOktaGroupRule {
  okta: AccessOktaGroupRule.Okta;
}

export namespace AccessOktaGroupRule {
  export interface Okta {
    /**
     * Email of the Okta group.
     */
    email: string;

    /**
     * ID of your Okta identity provider.
     */
    connection_id: string;
  }
}
5513
/**
 * Rule that matches a SAML group. A SAML identity provider is required.
 */
export interface AccessSamlGroupRule {
  saml: AccessSamlGroupRule.Saml;
}

export namespace AccessSamlGroupRule {
  export interface Saml {
    /**
     * Value the SAML attribute is expected to carry.
     */
    attribute_value: string;

    /**
     * Name of the SAML attribute to inspect.
     */
    attribute_name: string;
  }
}
5534
/**
 * Rule that matches one specific Access Service Token.
 */
export interface AccessServiceTokenRule {
  service_token: AccessServiceTokenRule.ServiceToken;
}

export namespace AccessServiceTokenRule {
  export interface ServiceToken {
    /**
     * ID of the Service Token to match.
     */
    token_id: string;
  }
}
5550
/**
 * Rule that matches any valid Access Service Token, as opposed to
 * AccessServiceTokenRule, which names a single token.
 */
export interface AccessAnyValidServiceTokenRule {
  /**
   * Marker field holding an empty object; its presence makes the rule match
   * all service tokens.
   */
  any_valid_service_token: unknown;
}
5560
/**
 * Rule for Allow or Block policies that evaluate the user against custom
 * criteria.
 */
export interface AccessExternalEvaluationRule {
  external_evaluation: AccessExternalEvaluationRule.ExternalEvaluation;
}

export namespace AccessExternalEvaluationRule {
  // NOTE(review): both fields are plain strings, so this type does not
  // constrain the URL scheme or host. Confirm what the API accepts.
  export interface ExternalEvaluation {
    /**
     * API endpoint that serves the key Access uses to verify that a response
     * came from your API.
     */
    keys_url: string;

    /**
     * API endpoint that holds your business logic.
     */
    evaluate_url: string;
  }
}
5582
/**
 * Rule that matches one specific country.
 */
export interface AccessCountryRule {
  geo: AccessCountryRule.Geo;
}

export namespace AccessCountryRule {
  export interface Geo {
    /**
     * Country code to match. The expected format is not stated here
     * (presumably ISO 3166-1 alpha-2; confirm against the API).
     */
    country_code: string;
  }
}
5598
/**
 * Rule used to enforce different MFA options.
 */
export interface AccessAuthenticationMethodRule {
  auth_method: AccessAuthenticationMethodRule.AuthMethod;
}

export namespace AccessAuthenticationMethodRule {
  export interface AuthMethod {
    /**
     * Type of authentication method; see
     * https://datatracker.ietf.org/doc/html/rfc8176.
     */
    auth_method: string;
  }
}
5614
/**
 * Rule that enforces that a device posture rule has run successfully.
 */
export interface AccessDevicePostureRule {
  device_posture: AccessDevicePostureRule.DevicePosture;
}

export namespace AccessDevicePostureRule {
  export interface DevicePosture {
    /**
     * ID of a device posture integration.
     */
    integration_uid: string;
  }
}
5630}
5631
export interface GroupCreateParams {
  /**
   * Name of the Access group.
   */
  name: string;

  /**
   * Include rules, combined with a logical OR: meeting any single rule is
   * enough. Because one match suffices, a broad entry such as
   * AccessEveryoneRule or AccessAnyValidServiceTokenRule widens the whole
   * group unless `require` or `exclude` narrows it again.
   */
  include: Array<
    | GroupCreateParams.AccessEmailRule
    | GroupCreateParams.AccessEmailListRule
    | GroupCreateParams.AccessDomainRule
    | GroupCreateParams.AccessEveryoneRule
    | GroupCreateParams.AccessIPRule
    | GroupCreateParams.AccessIPListRule
    | GroupCreateParams.AccessCertificateRule
    | GroupCreateParams.AccessAccessGroupRule
    | GroupCreateParams.AccessAzureGroupRule
    | GroupCreateParams.AccessGitHubOrganizationRule
    | GroupCreateParams.AccessGsuiteGroupRule
    | GroupCreateParams.AccessOktaGroupRule
    | GroupCreateParams.AccessSamlGroupRule
    | GroupCreateParams.AccessServiceTokenRule
    | GroupCreateParams.AccessAnyValidServiceTokenRule
    | GroupCreateParams.AccessExternalEvaluationRule
    | GroupCreateParams.AccessCountryRule
    | GroupCreateParams.AccessAuthenticationMethodRule
    | GroupCreateParams.AccessDevicePostureRule
  >;

  /**
   * Require rules, combined with a logical AND: to match a policy, a user must
   * meet every one of them.
   */
  require?: Array<
    | GroupCreateParams.AccessEmailRule
    | GroupCreateParams.AccessEmailListRule
    | GroupCreateParams.AccessDomainRule
    | GroupCreateParams.AccessEveryoneRule
    | GroupCreateParams.AccessIPRule
    | GroupCreateParams.AccessIPListRule
    | GroupCreateParams.AccessCertificateRule
    | GroupCreateParams.AccessAccessGroupRule
    | GroupCreateParams.AccessAzureGroupRule
    | GroupCreateParams.AccessGitHubOrganizationRule
    | GroupCreateParams.AccessGsuiteGroupRule
    | GroupCreateParams.AccessOktaGroupRule
    | GroupCreateParams.AccessSamlGroupRule
    | GroupCreateParams.AccessServiceTokenRule
    | GroupCreateParams.AccessAnyValidServiceTokenRule
    | GroupCreateParams.AccessExternalEvaluationRule
    | GroupCreateParams.AccessCountryRule
    | GroupCreateParams.AccessAuthenticationMethodRule
    | GroupCreateParams.AccessDevicePostureRule
  >;

  /**
   * Exclude rules, combined with a logical NOT: to match a policy, a user must
   * not meet any of them.
   */
  exclude?: Array<
    | GroupCreateParams.AccessEmailRule
    | GroupCreateParams.AccessEmailListRule
    | GroupCreateParams.AccessDomainRule
    | GroupCreateParams.AccessEveryoneRule
    | GroupCreateParams.AccessIPRule
    | GroupCreateParams.AccessIPListRule
    | GroupCreateParams.AccessCertificateRule
    | GroupCreateParams.AccessAccessGroupRule
    | GroupCreateParams.AccessAzureGroupRule
    | GroupCreateParams.AccessGitHubOrganizationRule
    | GroupCreateParams.AccessGsuiteGroupRule
    | GroupCreateParams.AccessOktaGroupRule
    | GroupCreateParams.AccessSamlGroupRule
    | GroupCreateParams.AccessServiceTokenRule
    | GroupCreateParams.AccessAnyValidServiceTokenRule
    | GroupCreateParams.AccessExternalEvaluationRule
    | GroupCreateParams.AccessCountryRule
    | GroupCreateParams.AccessAuthenticationMethodRule
    | GroupCreateParams.AccessDevicePostureRule
  >;

  /**
   * Whether this is the default group.
   */
  is_default?: boolean;
}
5721
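/**
 * Rule shapes accepted by the `include`, `exclude` and `require` arrays of
 * GroupCreateParams. Each rule type is declared once; repeating an identical
 * interface only merges into the same type, so one declaration per rule keeps
 * the three arrays from drifting apart.
 */
export namespace GroupCreateParams {
  /**
   * Matches a specific email.
   */
  export interface AccessEmailRule {
    email: AccessEmailRule.Email;
  }

  export namespace AccessEmailRule {
    export interface Email {
      /**
       * The email of the user.
       */
      email: string;
    }
  }

  /**
   * Matches an email address from a list.
   */
  export interface AccessEmailListRule {
    email_list: AccessEmailListRule.EmailList;
  }

  export namespace AccessEmailListRule {
    export interface EmailList {
      /**
       * The ID of a previously created email list.
       */
      id: string;
    }
  }

  /**
   * Matches an entire email domain.
   */
  export interface AccessDomainRule {
    email_domain: AccessDomainRule.EmailDomain;
  }

  export namespace AccessDomainRule {
    export interface EmailDomain {
      /**
       * The email domain to match.
       */
      domain: string;
    }
  }

  /**
   * Matches everyone.
   */
  export interface AccessEveryoneRule {
    /**
     * An empty object which matches on all users.
     */
    everyone: unknown;
  }

  /**
   * Matches an IP address block.
   */
  export interface AccessIPRule {
    ip: AccessIPRule.IP;
  }

  export namespace AccessIPRule {
    export interface IP {
      /**
       * An IPv4 or IPv6 CIDR block.
       */
      ip: string;
    }
  }

  /**
   * Matches an IP address from a list.
   */
  export interface AccessIPListRule {
    ip_list: AccessIPListRule.IPList;
  }

  export namespace AccessIPListRule {
    export interface IPList {
      /**
       * The ID of a previously created IP list.
       */
      id: string;
    }
  }

  /**
   * Matches any valid client certificate, not one particular certificate.
   */
  export interface AccessCertificateRule {
    // NOTE(review): typed `unknown`; presumably an empty marker object like
    // AccessEveryoneRule.everyone. Confirm against the API schema.
    certificate: unknown;
  }

  /**
   * Matches an Access group.
   */
  export interface AccessAccessGroupRule {
    group: AccessAccessGroupRule.Group;
  }

  export namespace AccessAccessGroupRule {
    export interface Group {
      /**
       * The ID of a previously created Access group.
       */
      id: string;
    }
  }

  /**
   * Matches an Azure group. Requires an Azure identity provider.
   */
  export interface AccessAzureGroupRule {
    azureAD: AccessAzureGroupRule.AzureAd;
  }

  export namespace AccessAzureGroupRule {
    export interface AzureAd {
      /**
       * The ID of an Azure group.
       */
      id: string;

      /**
       * The ID of your Azure identity provider.
       */
      connection_id: string;
    }
  }

  /**
   * Matches a GitHub organization. Requires a GitHub identity provider.
   */
  export interface AccessGitHubOrganizationRule {
    'github-organization': AccessGitHubOrganizationRule.GitHubOrganization;
  }

  export namespace AccessGitHubOrganizationRule {
    export interface GitHubOrganization {
      /**
       * The ID of your GitHub identity provider.
       */
      connection_id: string;

      /**
       * The name of the organization.
       */
      name: string;
    }
  }

  /**
   * Matches a group in Google Workspace. Requires a Google Workspace identity
   * provider.
   */
  export interface AccessGsuiteGroupRule {
    gsuite: AccessGsuiteGroupRule.Gsuite;
  }

  export namespace AccessGsuiteGroupRule {
    export interface Gsuite {
      /**
       * The ID of your Google Workspace identity provider.
       */
      connection_id: string;

      /**
       * The email of the Google Workspace group.
       */
      email: string;
    }
  }

  /**
   * Matches an Okta group. Requires an Okta identity provider.
   */
  export interface AccessOktaGroupRule {
    okta: AccessOktaGroupRule.Okta;
  }

  export namespace AccessOktaGroupRule {
    export interface Okta {
      /**
       * The ID of your Okta identity provider.
       */
      connection_id: string;

      /**
       * The email of the Okta group.
       */
      email: string;
    }
  }

  /**
   * Matches a SAML group. Requires a SAML identity provider.
   */
  export interface AccessSamlGroupRule {
    saml: AccessSamlGroupRule.Saml;
  }

  export namespace AccessSamlGroupRule {
    export interface Saml {
      /**
       * The name of the SAML attribute.
       */
      attribute_name: string;

      /**
       * The SAML attribute value to look for.
       */
      attribute_value: string;
    }
  }

  /**
   * Matches a specific Access Service Token.
   */
  export interface AccessServiceTokenRule {
    service_token: AccessServiceTokenRule.ServiceToken;
  }

  export namespace AccessServiceTokenRule {
    export interface ServiceToken {
      /**
       * The ID of a Service Token.
       */
      token_id: string;
    }
  }

  /**
   * Matches any valid Access Service Token, as opposed to
   * AccessServiceTokenRule, which names a single token.
   */
  export interface AccessAnyValidServiceTokenRule {
    /**
     * An empty object which matches on all service tokens.
     */
    any_valid_service_token: unknown;
  }

  /**
   * Create Allow or Block policies which evaluate the user based on custom
   * criteria.
   */
  export interface AccessExternalEvaluationRule {
    external_evaluation: AccessExternalEvaluationRule.ExternalEvaluation;
  }

  export namespace AccessExternalEvaluationRule {
    // NOTE(review): both fields are plain strings, so this type does not
    // constrain the URL scheme or host. Confirm what the API accepts.
    export interface ExternalEvaluation {
      /**
       * The API endpoint containing your business logic.
       */
      evaluate_url: string;

      /**
       * The API endpoint containing the key that Access uses to verify that
       * the response came from your API.
       */
      keys_url: string;
    }
  }

  /**
   * Matches a specific country.
   */
  export interface AccessCountryRule {
    geo: AccessCountryRule.Geo;
  }

  export namespace AccessCountryRule {
    export interface Geo {
      /**
       * The country code that should be matched.
       */
      country_code: string;
    }
  }

  /**
   * Enforces different MFA options.
   */
  export interface AccessAuthenticationMethodRule {
    auth_method: AccessAuthenticationMethodRule.AuthMethod;
  }

  export namespace AccessAuthenticationMethodRule {
    export interface AuthMethod {
      /**
       * The type of authentication method; see
       * https://datatracker.ietf.org/doc/html/rfc8176.
       */
      auth_method: string;
    }
  }

  /**
   * Enforces that a device posture rule has run successfully.
   */
  export interface AccessDevicePostureRule {
    device_posture: AccessDevicePostureRule.DevicePosture;
  }

  export namespace AccessDevicePostureRule {
    export interface DevicePosture {
      /**
       * The ID of a device posture integration.
       */
      integration_uid: string;
    }
  }
}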
6668
export interface GroupReplaceParams {
  /**
   * Name of the Access group.
   */
  name: string;

  /**
   * Include rules, combined with a logical OR: meeting any single rule is
   * enough. Because one match suffices, a broad entry such as
   * AccessEveryoneRule or AccessAnyValidServiceTokenRule widens the whole
   * group unless `require` or `exclude` narrows it again.
   */
  include: Array<
    | GroupReplaceParams.AccessEmailRule
    | GroupReplaceParams.AccessEmailListRule
    | GroupReplaceParams.AccessDomainRule
    | GroupReplaceParams.AccessEveryoneRule
    | GroupReplaceParams.AccessIPRule
    | GroupReplaceParams.AccessIPListRule
    | GroupReplaceParams.AccessCertificateRule
    | GroupReplaceParams.AccessAccessGroupRule
    | GroupReplaceParams.AccessAzureGroupRule
    | GroupReplaceParams.AccessGitHubOrganizationRule
    | GroupReplaceParams.AccessGsuiteGroupRule
    | GroupReplaceParams.AccessOktaGroupRule
    | GroupReplaceParams.AccessSamlGroupRule
    | GroupReplaceParams.AccessServiceTokenRule
    | GroupReplaceParams.AccessAnyValidServiceTokenRule
    | GroupReplaceParams.AccessExternalEvaluationRule
    | GroupReplaceParams.AccessCountryRule
    | GroupReplaceParams.AccessAuthenticationMethodRule
    | GroupReplaceParams.AccessDevicePostureRule
  >;

  /**
   * Require rules, combined with a logical AND: to match a policy, a user must
   * meet every one of them.
   */
  require?: Array<
    | GroupReplaceParams.AccessEmailRule
    | GroupReplaceParams.AccessEmailListRule
    | GroupReplaceParams.AccessDomainRule
    | GroupReplaceParams.AccessEveryoneRule
    | GroupReplaceParams.AccessIPRule
    | GroupReplaceParams.AccessIPListRule
    | GroupReplaceParams.AccessCertificateRule
    | GroupReplaceParams.AccessAccessGroupRule
    | GroupReplaceParams.AccessAzureGroupRule
    | GroupReplaceParams.AccessGitHubOrganizationRule
    | GroupReplaceParams.AccessGsuiteGroupRule
    | GroupReplaceParams.AccessOktaGroupRule
    | GroupReplaceParams.AccessSamlGroupRule
    | GroupReplaceParams.AccessServiceTokenRule
    | GroupReplaceParams.AccessAnyValidServiceTokenRule
    | GroupReplaceParams.AccessExternalEvaluationRule
    | GroupReplaceParams.AccessCountryRule
    | GroupReplaceParams.AccessAuthenticationMethodRule
    | GroupReplaceParams.AccessDevicePostureRule
  >;

  /**
   * Exclude rules, combined with a logical NOT: to match a policy, a user must
   * not meet any of them.
   */
  exclude?: Array<
    | GroupReplaceParams.AccessEmailRule
    | GroupReplaceParams.AccessEmailListRule
    | GroupReplaceParams.AccessDomainRule
    | GroupReplaceParams.AccessEveryoneRule
    | GroupReplaceParams.AccessIPRule
    | GroupReplaceParams.AccessIPListRule
    | GroupReplaceParams.AccessCertificateRule
    | GroupReplaceParams.AccessAccessGroupRule
    | GroupReplaceParams.AccessAzureGroupRule
    | GroupReplaceParams.AccessGitHubOrganizationRule
    | GroupReplaceParams.AccessGsuiteGroupRule
    | GroupReplaceParams.AccessOktaGroupRule
    | GroupReplaceParams.AccessSamlGroupRule
    | GroupReplaceParams.AccessServiceTokenRule
    | GroupReplaceParams.AccessAnyValidServiceTokenRule
    | GroupReplaceParams.AccessExternalEvaluationRule
    | GroupReplaceParams.AccessCountryRule
    | GroupReplaceParams.AccessAuthenticationMethodRule
    | GroupReplaceParams.AccessDevicePostureRule
  >;

  /**
   * Whether this is the default group.
   */
  is_default?: boolean;
}
6758
6759export namespace GroupReplaceParams {
/**
 * Rule that matches one specific email.
 */
export interface AccessEmailRule {
  email: AccessEmailRule.Email;
}

export namespace AccessEmailRule {
  export interface Email {
    /**
     * Email of the user.
     */
    email: string;
  }
}
6775
6776 /**
6777 * Matches an email address from a list.
6778 */
6779 export interface AccessEmailListRule {
6780 email_list: AccessEmailListRule.EmailList;
6781 }
6782
6783 export namespace AccessEmailListRule {
6784 export interface EmailList {
6785 /**
6786 * The ID of a previously created email list.
6787 */
6788 id: string;
6789 }
6790 }
6791
6792 /**
6793 * Match an entire email domain.
6794 */
6795 export interface AccessDomainRule {
6796 email_domain: AccessDomainRule.EmailDomain;
6797 }
6798
6799 export namespace AccessDomainRule {
6800 export interface EmailDomain {
6801 /**
6802 * The email domain to match.
6803 */
6804 domain: string;
6805 }
6806 }
6807
6808 /**
6809 * Matches everyone.
6810 */
6811 export interface AccessEveryoneRule {
6812 /**
6813 * An empty object which matches on all users.
6814 */
6815 everyone: unknown;
6816 }
6817
6818 /**
6819 * Matches an IP address block.
6820 */
6821 export interface AccessIPRule {
6822 ip: AccessIPRule.IP;
6823 }
6824
6825 export namespace AccessIPRule {
6826 export interface IP {
6827 /**
6828 * An IPv4 or IPv6 CIDR block.
6829 */
6830 ip: string;
6831 }
6832 }
6833
6834 /**
6835 * Matches an IP address from a list.
6836 */
6837 export interface AccessIPListRule {
6838 ip_list: AccessIPListRule.IPList;
6839 }
6840
6841 export namespace AccessIPListRule {
6842 export interface IPList {
6843 /**
6844 * The ID of a previously created IP list.
6845 */
6846 id: string;
6847 }
6848 }
6849
6850 /**
6851 * Matches any valid client certificate.
6852 */
6853 export interface AccessCertificateRule {
6854 certificate: unknown;
6855 }
6856
6857 /**
6858 * Matches an Access group.
6859 */
6860 export interface AccessAccessGroupRule {
6861 group: AccessAccessGroupRule.Group;
6862 }
6863
6864 export namespace AccessAccessGroupRule {
6865 export interface Group {
6866 /**
6867 * The ID of a previously created Access group.
6868 */
6869 id: string;
6870 }
6871 }
6872
6873 /**
6874 * Matches an Azure group. Requires an Azure identity provider.
6875 */
6876 export interface AccessAzureGroupRule {
6877 azureAD: AccessAzureGroupRule.AzureAd;
6878 }
6879
6880 export namespace AccessAzureGroupRule {
6881 export interface AzureAd {
6882 /**
6883 * The ID of an Azure group.
6884 */
6885 id: string;
6886
6887 /**
6888 * The ID of your Azure identity provider.
6889 */
6890 connection_id: string;
6891 }
6892 }
6893
6894 /**
6895 * Matches a Github organization. Requires a Github identity provider.
6896 */
6897 export interface AccessGitHubOrganizationRule {
6898 'github-organization': AccessGitHubOrganizationRule.GitHubOrganization;
6899 }
6900
6901 export namespace AccessGitHubOrganizationRule {
6902 export interface GitHubOrganization {
6903 /**
6904 * The ID of your Github identity provider.
6905 */
6906 connection_id: string;
6907
6908 /**
6909 * The name of the organization.
6910 */
6911 name: string;
6912 }
6913 }
6914
6915 /**
6916 * Matches a group in Google Workspace. Requires a Google Workspace identity
6917 * provider.
6918 */
6919 export interface AccessGsuiteGroupRule {
6920 gsuite: AccessGsuiteGroupRule.Gsuite;
6921 }
6922
6923 export namespace AccessGsuiteGroupRule {
6924 export interface Gsuite {
6925 /**
6926 * The ID of your Google Workspace identity provider.
6927 */
6928 connection_id: string;
6929
6930 /**
6931 * The email of the Google Workspace group.
6932 */
6933 email: string;
6934 }
6935 }
6936
6937 /**
6938 * Matches an Okta group. Requires an Okta identity provider.
6939 */
6940 export interface AccessOktaGroupRule {
6941 okta: AccessOktaGroupRule.Okta;
6942 }
6943
6944 export namespace AccessOktaGroupRule {
6945 export interface Okta {
6946 /**
6947 * The ID of your Okta identity provider.
6948 */
6949 connection_id: string;
6950
6951 /**
6952 * The email of the Okta group.
6953 */
6954 email: string;
6955 }
6956 }
6957
6958 /**
6959 * Matches a SAML group. Requires a SAML identity provider.
6960 */
6961 export interface AccessSamlGroupRule {
6962 saml: AccessSamlGroupRule.Saml;
6963 }
6964
6965 export namespace AccessSamlGroupRule {
6966 export interface Saml {
6967 /**
6968 * The name of the SAML attribute.
6969 */
6970 attribute_name: string;
6971
6972 /**
6973 * The SAML attribute value to look for.
6974 */
6975 attribute_value: string;
6976 }
6977 }
6978
6979 /**
6980 * Matches a specific Access Service Token
6981 */
6982 export interface AccessServiceTokenRule {
6983 service_token: AccessServiceTokenRule.ServiceToken;
6984 }
6985
6986 export namespace AccessServiceTokenRule {
6987 export interface ServiceToken {
6988 /**
6989 * The ID of a Service Token.
6990 */
6991 token_id: string;
6992 }
6993 }
6994
6995 /**
6996 * Matches any valid Access Service Token
6997 */
6998 export interface AccessAnyValidServiceTokenRule {
6999 /**
7000 * An empty object which matches on all service tokens.
7001 */
7002 any_valid_service_token: unknown;
7003 }
7004
7005 /**
7006 * Create Allow or Block policies which evaluate the user based on custom criteria.
7007 */
7008 export interface AccessExternalEvaluationRule {
7009 external_evaluation: AccessExternalEvaluationRule.ExternalEvaluation;
7010 }
7011
7012 export namespace AccessExternalEvaluationRule {
7013 export interface ExternalEvaluation {
7014 /**
7015 * The API endpoint containing your business logic.
7016 */
7017 evaluate_url: string;
7018
7019 /**
7020 * The API endpoint containing the key that Access uses to verify that the response
7021 * came from your API.
7022 */
7023 keys_url: string;
7024 }
7025 }
7026
7027 /**
7028 * Matches a specific country
7029 */
7030 export interface AccessCountryRule {
7031 geo: AccessCountryRule.Geo;
7032 }
7033
7034 export namespace AccessCountryRule {
7035 export interface Geo {
7036 /**
7037 * The country code that should be matched.
7038 */
7039 country_code: string;
7040 }
7041 }
7042
7043 /**
7044 * Enforce different MFA options
7045 */
7046 export interface AccessAuthenticationMethodRule {
7047 auth_method: AccessAuthenticationMethodRule.AuthMethod;
7048 }
7049
7050 export namespace AccessAuthenticationMethodRule {
7051 export interface AuthMethod {
7052 /**
7053 * The type of authentication method https://datatracker.ietf.org/doc/html/rfc8176.
7054 */
7055 auth_method: string;
7056 }
7057 }
7058
7059 /**
7060 * Enforces a device posture rule has run successfully
7061 */
7062 export interface AccessDevicePostureRule {
7063 device_posture: AccessDevicePostureRule.DevicePosture;
7064 }
7065
7066 export namespace AccessDevicePostureRule {
7067 export interface DevicePosture {
7068 /**
7069 * The ID of a device posture integration.
7070 */
7071 integration_uid: string;
7072 }
7073 }
7074
7075 /**
7076 * Matches a specific email.
7077 */
7078 export interface AccessEmailRule {
7079 email: AccessEmailRule.Email;
7080 }
7081
7082 export namespace AccessEmailRule {
7083 export interface Email {
7084 /**
7085 * The email of the user.
7086 */
7087 email: string;
7088 }
7089 }
7090
7091 /**
7092 * Matches an email address from a list.
7093 */
7094 export interface AccessEmailListRule {
7095 email_list: AccessEmailListRule.EmailList;
7096 }
7097
7098 export namespace AccessEmailListRule {
7099 export interface EmailList {
7100 /**
7101 * The ID of a previously created email list.
7102 */
7103 id: string;
7104 }
7105 }
7106
7107 /**
7108 * Match an entire email domain.
7109 */
7110 export interface AccessDomainRule {
7111 email_domain: AccessDomainRule.EmailDomain;
7112 }
7113
7114 export namespace AccessDomainRule {
7115 export interface EmailDomain {
7116 /**
7117 * The email domain to match.
7118 */
7119 domain: string;
7120 }
7121 }
7122
7123 /**
7124 * Matches everyone.
7125 */
7126 export interface AccessEveryoneRule {
7127 /**
7128 * An empty object which matches on all users.
7129 */
7130 everyone: unknown;
7131 }
7132
7133 /**
7134 * Matches an IP address block.
7135 */
7136 export interface AccessIPRule {
7137 ip: AccessIPRule.IP;
7138 }
7139
7140 export namespace AccessIPRule {
7141 export interface IP {
7142 /**
7143 * An IPv4 or IPv6 CIDR block.
7144 */
7145 ip: string;
7146 }
7147 }
7148
7149 /**
7150 * Matches an IP address from a list.
7151 */
7152 export interface AccessIPListRule {
7153 ip_list: AccessIPListRule.IPList;
7154 }
7155
7156 export namespace AccessIPListRule {
7157 export interface IPList {
7158 /**
7159 * The ID of a previously created IP list.
7160 */
7161 id: string;
7162 }
7163 }
7164
7165 /**
7166 * Matches any valid client certificate.
7167 */
7168 export interface AccessCertificateRule {
7169 certificate: unknown;
7170 }
7171
7172 /**
7173 * Matches an Access group.
7174 */
7175 export interface AccessAccessGroupRule {
7176 group: AccessAccessGroupRule.Group;
7177 }
7178
7179 export namespace AccessAccessGroupRule {
7180 export interface Group {
7181 /**
7182 * The ID of a previously created Access group.
7183 */
7184 id: string;
7185 }
7186 }
7187
7188 /**
7189 * Matches an Azure group. Requires an Azure identity provider.
7190 */
7191 export interface AccessAzureGroupRule {
7192 azureAD: AccessAzureGroupRule.AzureAd;
7193 }
7194
7195 export namespace AccessAzureGroupRule {
7196 export interface AzureAd {
7197 /**
7198 * The ID of an Azure group.
7199 */
7200 id: string;
7201
7202 /**
7203 * The ID of your Azure identity provider.
7204 */
7205 connection_id: string;
7206 }
7207 }
7208
7209 /**
7210 * Matches a Github organization. Requires a Github identity provider.
7211 */
7212 export interface AccessGitHubOrganizationRule {
7213 'github-organization': AccessGitHubOrganizationRule.GitHubOrganization;
7214 }
7215
7216 export namespace AccessGitHubOrganizationRule {
7217 export interface GitHubOrganization {
7218 /**
7219 * The ID of your Github identity provider.
7220 */
7221 connection_id: string;
7222
7223 /**
7224 * The name of the organization.
7225 */
7226 name: string;
7227 }
7228 }
7229
7230 /**
7231 * Matches a group in Google Workspace. Requires a Google Workspace identity
7232 * provider.
7233 */
7234 export interface AccessGsuiteGroupRule {
7235 gsuite: AccessGsuiteGroupRule.Gsuite;
7236 }
7237
7238 export namespace AccessGsuiteGroupRule {
7239 export interface Gsuite {
7240 /**
7241 * The ID of your Google Workspace identity provider.
7242 */
7243 connection_id: string;
7244
7245 /**
7246 * The email of the Google Workspace group.
7247 */
7248 email: string;
7249 }
7250 }
7251
7252 /**
7253 * Matches an Okta group. Requires an Okta identity provider.
7254 */
7255 export interface AccessOktaGroupRule {
7256 okta: AccessOktaGroupRule.Okta;
7257 }
7258
7259 export namespace AccessOktaGroupRule {
7260 export interface Okta {
7261 /**
7262 * The ID of your Okta identity provider.
7263 */
7264 connection_id: string;
7265
7266 /**
7267 * The email of the Okta group.
7268 */
7269 email: string;
7270 }
7271 }
7272
7273 /**
7274 * Matches a SAML group. Requires a SAML identity provider.
7275 */
7276 export interface AccessSamlGroupRule {
7277 saml: AccessSamlGroupRule.Saml;
7278 }
7279
7280 export namespace AccessSamlGroupRule {
7281 export interface Saml {
7282 /**
7283 * The name of the SAML attribute.
7284 */
7285 attribute_name: string;
7286
7287 /**
7288 * The SAML attribute value to look for.
7289 */
7290 attribute_value: string;
7291 }
7292 }
7293
7294 /**
7295 * Matches a specific Access Service Token
7296 */
7297 export interface AccessServiceTokenRule {
7298 service_token: AccessServiceTokenRule.ServiceToken;
7299 }
7300
7301 export namespace AccessServiceTokenRule {
7302 export interface ServiceToken {
7303 /**
7304 * The ID of a Service Token.
7305 */
7306 token_id: string;
7307 }
7308 }
7309
7310 /**
7311 * Matches any valid Access Service Token
7312 */
7313 export interface AccessAnyValidServiceTokenRule {
7314 /**
7315 * An empty object which matches on all service tokens.
7316 */
7317 any_valid_service_token: unknown;
7318 }
7319
7320 /**
7321 * Create Allow or Block policies which evaluate the user based on custom criteria.
7322 */
7323 export interface AccessExternalEvaluationRule {
7324 external_evaluation: AccessExternalEvaluationRule.ExternalEvaluation;
7325 }
7326
7327 export namespace AccessExternalEvaluationRule {
7328 export interface ExternalEvaluation {
7329 /**
7330 * The API endpoint containing your business logic.
7331 */
7332 evaluate_url: string;
7333
7334 /**
7335 * The API endpoint containing the key that Access uses to verify that the response
7336 * came from your API.
7337 */
7338 keys_url: string;
7339 }
7340 }
7341
7342 /**
7343 * Matches a specific country
7344 */
7345 export interface AccessCountryRule {
7346 geo: AccessCountryRule.Geo;
7347 }
7348
7349 export namespace AccessCountryRule {
7350 export interface Geo {
7351 /**
7352 * The country code that should be matched.
7353 */
7354 country_code: string;
7355 }
7356 }
7357
7358 /**
7359 * Enforce different MFA options
7360 */
7361 export interface AccessAuthenticationMethodRule {
7362 auth_method: AccessAuthenticationMethodRule.AuthMethod;
7363 }
7364
7365 export namespace AccessAuthenticationMethodRule {
7366 export interface AuthMethod {
7367 /**
7368 * The type of authentication method https://datatracker.ietf.org/doc/html/rfc8176.
7369 */
7370 auth_method: string;
7371 }
7372 }
7373
7374 /**
7375 * Enforces a device posture rule has run successfully
7376 */
7377 export interface AccessDevicePostureRule {
7378 device_posture: AccessDevicePostureRule.DevicePosture;
7379 }
7380
7381 export namespace AccessDevicePostureRule {
7382 export interface DevicePosture {
7383 /**
7384 * The ID of a device posture integration.
7385 */
7386 integration_uid: string;
7387 }
7388 }
7389
7390 /**
7391 * Matches a specific email.
7392 */
7393 export interface AccessEmailRule {
7394 email: AccessEmailRule.Email;
7395 }
7396
7397 export namespace AccessEmailRule {
7398 export interface Email {
7399 /**
7400 * The email of the user.
7401 */
7402 email: string;
7403 }
7404 }
7405
7406 /**
7407 * Matches an email address from a list.
7408 */
7409 export interface AccessEmailListRule {
7410 email_list: AccessEmailListRule.EmailList;
7411 }
7412
7413 export namespace AccessEmailListRule {
7414 export interface EmailList {
7415 /**
7416 * The ID of a previously created email list.
7417 */
7418 id: string;
7419 }
7420 }
7421
7422 /**
7423 * Match an entire email domain.
7424 */
7425 export interface AccessDomainRule {
7426 email_domain: AccessDomainRule.EmailDomain;
7427 }
7428
7429 export namespace AccessDomainRule {
7430 export interface EmailDomain {
7431 /**
7432 * The email domain to match.
7433 */
7434 domain: string;
7435 }
7436 }
7437
7438 /**
7439 * Matches everyone.
7440 */
7441 export interface AccessEveryoneRule {
7442 /**
7443 * An empty object which matches on all users.
7444 */
7445 everyone: unknown;
7446 }
7447
7448 /**
7449 * Matches an IP address block.
7450 */
7451 export interface AccessIPRule {
7452 ip: AccessIPRule.IP;
7453 }
7454
7455 export namespace AccessIPRule {
7456 export interface IP {
7457 /**
7458 * An IPv4 or IPv6 CIDR block.
7459 */
7460 ip: string;
7461 }
7462 }
7463
7464 /**
7465 * Matches an IP address from a list.
7466 */
7467 export interface AccessIPListRule {
7468 ip_list: AccessIPListRule.IPList;
7469 }
7470
7471 export namespace AccessIPListRule {
7472 export interface IPList {
7473 /**
7474 * The ID of a previously created IP list.
7475 */
7476 id: string;
7477 }
7478 }
7479
7480 /**
7481 * Matches any valid client certificate.
7482 */
7483 export interface AccessCertificateRule {
7484 certificate: unknown;
7485 }
7486
7487 /**
7488 * Matches an Access group.
7489 */
7490 export interface AccessAccessGroupRule {
7491 group: AccessAccessGroupRule.Group;
7492 }
7493
7494 export namespace AccessAccessGroupRule {
7495 export interface Group {
7496 /**
7497 * The ID of a previously created Access group.
7498 */
7499 id: string;
7500 }
7501 }
7502
7503 /**
7504 * Matches an Azure group. Requires an Azure identity provider.
7505 */
7506 export interface AccessAzureGroupRule {
7507 azureAD: AccessAzureGroupRule.AzureAd;
7508 }
7509
7510 export namespace AccessAzureGroupRule {
7511 export interface AzureAd {
7512 /**
7513 * The ID of an Azure group.
7514 */
7515 id: string;
7516
7517 /**
7518 * The ID of your Azure identity provider.
7519 */
7520 connection_id: string;
7521 }
7522 }
7523
7524 /**
7525 * Matches a Github organization. Requires a Github identity provider.
7526 */
7527 export interface AccessGitHubOrganizationRule {
7528 'github-organization': AccessGitHubOrganizationRule.GitHubOrganization;
7529 }
7530
7531 export namespace AccessGitHubOrganizationRule {
7532 export interface GitHubOrganization {
7533 /**
7534 * The ID of your Github identity provider.
7535 */
7536 connection_id: string;
7537
7538 /**
7539 * The name of the organization.
7540 */
7541 name: string;
7542 }
7543 }
7544
7545 /**
7546 * Matches a group in Google Workspace. Requires a Google Workspace identity
7547 * provider.
7548 */
7549 export interface AccessGsuiteGroupRule {
7550 gsuite: AccessGsuiteGroupRule.Gsuite;
7551 }
7552
7553 export namespace AccessGsuiteGroupRule {
7554 export interface Gsuite {
7555 /**
7556 * The ID of your Google Workspace identity provider.
7557 */
7558 connection_id: string;
7559
7560 /**
7561 * The email of the Google Workspace group.
7562 */
7563 email: string;
7564 }
7565 }
7566
7567 /**
7568 * Matches an Okta group. Requires an Okta identity provider.
7569 */
7570 export interface AccessOktaGroupRule {
7571 okta: AccessOktaGroupRule.Okta;
7572 }
7573
7574 export namespace AccessOktaGroupRule {
7575 export interface Okta {
7576 /**
7577 * The ID of your Okta identity provider.
7578 */
7579 connection_id: string;
7580
7581 /**
7582 * The email of the Okta group.
7583 */
7584 email: string;
7585 }
7586 }
7587
7588 /**
7589 * Matches a SAML group. Requires a SAML identity provider.
7590 */
7591 export interface AccessSamlGroupRule {
7592 saml: AccessSamlGroupRule.Saml;
7593 }
7594
7595 export namespace AccessSamlGroupRule {
7596 export interface Saml {
7597 /**
7598 * The name of the SAML attribute.
7599 */
7600 attribute_name: string;
7601
7602 /**
7603 * The SAML attribute value to look for.
7604 */
7605 attribute_value: string;
7606 }
7607 }
7608
7609 /**
7610 * Matches a specific Access Service Token
7611 */
7612 export interface AccessServiceTokenRule {
7613 service_token: AccessServiceTokenRule.ServiceToken;
7614 }
7615
7616 export namespace AccessServiceTokenRule {
7617 export interface ServiceToken {
7618 /**
7619 * The ID of a Service Token.
7620 */
7621 token_id: string;
7622 }
7623 }
7624
7625 /**
7626 * Matches any valid Access Service Token
7627 */
7628 export interface AccessAnyValidServiceTokenRule {
7629 /**
7630 * An empty object which matches on all service tokens.
7631 */
7632 any_valid_service_token: unknown;
7633 }
7634
7635 /**
7636 * Create Allow or Block policies which evaluate the user based on custom criteria.
7637 */
7638 export interface AccessExternalEvaluationRule {
7639 external_evaluation: AccessExternalEvaluationRule.ExternalEvaluation;
7640 }
7641
7642 export namespace AccessExternalEvaluationRule {
7643 export interface ExternalEvaluation {
7644 /**
7645 * The API endpoint containing your business logic.
7646 */
7647 evaluate_url: string;
7648
7649 /**
7650 * The API endpoint containing the key that Access uses to verify that the response
7651 * came from your API.
7652 */
7653 keys_url: string;
7654 }
7655 }
7656
7657 /**
7658 * Matches a specific country
7659 */
7660 export interface AccessCountryRule {
7661 geo: AccessCountryRule.Geo;
7662 }
7663
7664 export namespace AccessCountryRule {
7665 export interface Geo {
7666 /**
7667 * The country code that should be matched.
7668 */
7669 country_code: string;
7670 }
7671 }
7672
7673 /**
7674 * Enforce different MFA options
7675 */
7676 export interface AccessAuthenticationMethodRule {
7677 auth_method: AccessAuthenticationMethodRule.AuthMethod;
7678 }
7679
7680 export namespace AccessAuthenticationMethodRule {
7681 export interface AuthMethod {
7682 /**
7683 * The type of authentication method https://datatracker.ietf.org/doc/html/rfc8176.
7684 */
7685 auth_method: string;
7686 }
7687 }
7688
7689 /**
7690 * Enforces a device posture rule has run successfully
7691 */
7692 export interface AccessDevicePostureRule {
7693 device_posture: AccessDevicePostureRule.DevicePosture;
7694 }
7695
7696 export namespace AccessDevicePostureRule {
7697 export interface DevicePosture {
7698 /**
7699 * The ID of a device posture integration.
7700 */
7701 integration_uid: string;
7702 }
7703 }
7704}
7705
/**
 * Companion namespace of the `Groups` resource class: re-exports the request
 * and response types of this module so they can be referenced as
 * `Groups.GroupCreateParams`, `Groups.GroupListResponse`, and so on.
 */
export namespace Groups {
  // Request bodies.
  export import GroupCreateParams = GroupsAPI.GroupCreateParams;
  export import GroupReplaceParams = GroupsAPI.GroupReplaceParams;

  // Response payloads, one per resource method.
  export import GroupCreateResponse = GroupsAPI.GroupCreateResponse;
  export import GroupListResponse = GroupsAPI.GroupListResponse;
  export import GroupDeleteResponse = GroupsAPI.GroupDeleteResponse;
  export import GroupGetResponse = GroupsAPI.GroupGetResponse;
  export import GroupReplaceResponse = GroupsAPI.GroupReplaceResponse;
}
7715