policies
The following methods allow for interaction with the ZPA Policy Sets API endpoints.
Methods are accessible via zpa.policies
Copyright (c) 2023, Zscaler Inc.
Permission to use, copy, modify, and/or distribute this software for any purpose with or without fee is hereby granted, provided that the above copyright notice and this permission notice appear in all copies.
THE SOFTWARE IS PROVIDED “AS IS” AND THE AUTHOR DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- class PolicySetControllerAPI
Bases: APIClient
A client object for the Policy Set Controller resource.
- POLICY_MAP = {'access': 'ACCESS_POLICY', 'capabilities': 'CAPABILITIES_POLICY', 'client_forwarding': 'CLIENT_FORWARDING_POLICY', 'clientless': 'CLIENTLESS_SESSION_PROTECTION_POLICY', 'credential': 'CREDENTIAL_POLICY', 'inspection': 'INSPECTION_POLICY', 'isolation': 'ISOLATION_POLICY', 'portal_policy': 'PRIVILEGED_PORTAL_POLICY', 'redirection': 'REDIRECTION_POLICY', 'siem': 'SIEM_POLICY', 'timeout': 'TIMEOUT_POLICY', 'user_portal': 'USER_PORTAL', 'vpn_policy': 'VPN_TUNNEL_POLICY'}
- add_access_rule(name, action, app_connector_group_ids=[], app_server_group_ids=[], **kwargs)
Add a new Access Policy rule.
See the ZPA Access Policy API reference for further detail on optional keyword parameter structures.
- Parameters:
- Keyword Arguments:
conditions (list) –
A list of conditional rule tuples. Tuples must follow the convention: Object Type, LHS value, RHS value. If you are adding multiple values for the same object type then you will need a new entry for each value. E.g.
[('app', 'id', '99999'), ('app', 'id', '88888'), ('app_group', 'id', '77777'), ('client_type', 'zpn_client_type_exporter', 'zpn_client_type_zapp'), ('trusted_network', 'xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxx', True)]
custom_msg (str) – A custom message.
description (str) – A description for the rule.
app_connector_group_ids (list of str) – A list of application connector IDs that will be attached to the access policy rule.
app_server_group_ids (list of str) – A list of application server group IDs that will be attached to the access policy rule.
- Returns:
The resource record of the newly created access policy rule.
- Return type:
PolicySetControllerV1
- add_access_rule_v2(name, action, app_connector_group_ids=[], app_server_group_ids=[], **kwargs)
Add a new Access Policy rule.
See the ZPA Access Policy API reference for further detail on optional keyword parameter structures.
- Parameters:
- Keyword Arguments:
custom_msg (str) – A custom message.
description (str) – A description for the rule.
app_connector_group_ids (list of str) – A list of application connector IDs that will be attached to the access policy rule.
app_server_group_ids (list of str) – A list of application server group IDs that will be attached to the access policy rule.
conditions (list) –
A list of conditional rule tuples. Tuples must follow the convention: Object Type, LHS value, RHS value. E.g.
[("app", ["72058304855116918"]), ("app_group", ["72058304855114308"]), ("client_type", ["zpn_client_type_exporter", "zpn_client_type_zapp", "zpn_client_type_browser_isolation", "zpn_client_type_zapp_partner"])]
- Returns:
The resource record of the newly created access policy rule.
- Return type:
Tuple
Examples
Add Access Policy with Scim Group using OR condition:
>>> import random
>>> added_rule, _, err = client.zpa.policies.add_access_rule_v2(
...     name=f"NewAccessRule_{random.randint(1000, 10000)}",
...     description=f"NewAccessRule_{random.randint(1000, 10000)}",
...     action="allow",
...     conditions=[
...         ("APP", ["72058304855090129"]),
...         ("app_group", ["72058304855114308"]),
...         ("OR", ("posture", [
...             ("cfab2ee9-9bf4-4482-9dcc-dadf7311c49b", "true"),
...             ("72ddbe89-fa08-4071-94bd-964ce264db10", "true"),
...         ])),
...         ("OR", ("trusted_network", [
...             ("30e749f1-57f5-4cbe-b5fa-5bab3c32c468", "true"),
...             ("a6b94584-c988-4896-8f7f-637ae87f1f0c", "true"),
...         ])),
...         (("chrome_enterprise", "managed", True),
...          ("chrome_posture_profile", ["72058304855116487"])),
...         ("AND", ("saml", [
...             ("72058304855021553", "jdoe1@acme.com"),
...             ("72058304855021553", "jdoe@acme.com"),
...         ])),
...         ("AND", ("scim_group", [
...             ("72058304855015574", "490880"),
...             ("72058304855015574", "490877"),
...         ])),
...         ("AND", ("scim", [
...             ("72058304855015576", "Smith"),
...             ("72058304855015577", "artxngwpbq"),
...         ])),
...     ]
... )
>>> if err:
...     print(f"Error adding access rule: {err}")
... else:
...     print(f"Access Rule added successfully: {added_rule.as_dict()}")
Add Access Policy with Scim Group using AND condition:
>>> import random
>>> added_rule, _, err = client.zpa.policies.add_access_rule_v2(
...     name=f"NewAccessRule_{random.randint(1000, 10000)}",
...     description=f"NewAccessRule_{random.randint(1000, 10000)}",
...     action="allow",
...     conditions=[
...         ("APP", ["72058304855090129"]),
...         ("AND", ("posture", "cfab2ee9-9bf4-4482-9dcc-dadf7311c49b", "true")),
...         ("AND", ("posture", "72ddbe89-fa08-4071-94bd-964ce264db10", "true")),
...         ("AND", ("scim_group", "72058304855015574", "490880")),
...         ("AND", ("scim_group", "72058304855015574", "490877")),
...     ]
... )
>>> if err:
...     print(f"Error adding access rule: {err}")
... else:
...     print(f"Access Rule added successfully: {added_rule.as_dict()}")
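The add_access_rule_v2 examples above pass conditions in several tuple shapes, and a rule built from a malformed list may not match what was intended. The linter below is an added example, not part of the Zscaler SDK: the accepted shapes and object types are inferred from those examples, and lint_conditions, GOOD, BAD and the sample IDs are hypothetical names and constructed values.

```python
"""Pre-flight linter for the `conditions` list passed to the *_v2 rule methods.
Added example, not SDK code. Shapes are inferred from the add_access_rule_v2
examples on this page; the SDK's own parsing may differ.
"""

OPERATORS = {"AND", "OR"}
# Object types as they appear in this page's v2 examples (assumption: extend as needed).
ID_LIST_TYPES = {"app", "app_group", "client_type", "console", "chrome_posture_profile"}
PAIR_TYPES = {"posture", "trusted_network", "saml", "scim", "scim_group"}
TRIPLE_ONLY_TYPES = {"chrome_enterprise"}  # only seen inside a grouped condition


def _nonempty_str(value):
    return isinstance(value, str) and value.strip() != ""


def _lint_id_list(obj, values, where):
    """(type, [id, ...]): the second item must be a non-empty list of string IDs."""
    if isinstance(values, str):
        return [f"{where}: {obj!r} takes a list of IDs, got the bare string {values!r}"]
    if not isinstance(values, list) or not values:
        return [f"{where}: {obj!r} needs a non-empty list of IDs"]
    return [f"{where}: non-string or empty ID {v!r}" for v in values if not _nonempty_str(v)]


def _lint_pairs(obj, payload, where):
    """Payload after the type is either [(lhs, rhs), ...] or a single lhs, rhs."""
    if len(payload) == 1 and isinstance(payload[0], list):
        pairs = payload[0]
    elif len(payload) == 2:
        pairs = [tuple(payload)]
    else:
        return [f"{where}: {obj!r} expects [(lhs, rhs), ...] or lhs, rhs"]
    if not pairs:
        return [f"{where}: {obj!r} has an empty pair list"]
    findings = []
    for j, pair in enumerate(pairs):
        ok = isinstance(pair, tuple) and len(pair) == 2 and all(map(_nonempty_str, pair))
        if not ok:
            findings.append(f"{where}[{j}]: expected (lhs, rhs) strings, got {pair!r}")
    return findings


def _lint_member(member, where, grouped=False):
    """Check one condition that has no leading operator."""
    if not isinstance(member, tuple) or len(member) < 2 or not isinstance(member[0], str):
        return [f"{where}: expected a tuple starting with an object type, got {member!r}"]
    obj = member[0].lower()  # the page writes both "APP" and "app"
    if obj in ID_LIST_TYPES:
        if len(member) != 2:
            return [f"{where}: {obj!r} should be (type, [ids]), got {len(member)} items"]
        return _lint_id_list(obj, member[1], where)
    if obj in PAIR_TYPES:
        return _lint_pairs(obj, member[1:], where)
    if obj in TRIPLE_ONLY_TYPES and grouped and len(member) == 3:
        return []
    return [f"{where}: object type {member[0]!r} is not one used in this page's examples"]


def lint_conditions(conditions):
    """Return a list of findings; an empty list means every shape was recognised."""
    if not isinstance(conditions, list):
        return ["conditions: must be a list of tuples"]
    findings = []
    for i, cond in enumerate(conditions):
        where = f"conditions[{i}]"
        if not isinstance(cond, tuple) or len(cond) < 2:
            findings.append(f"{where}: expected a tuple of at least two items, got {cond!r}")
        elif isinstance(cond[0], tuple):  # grouped form, e.g. the chrome_* pair
            for k, member in enumerate(cond):
                findings += _lint_member(member, f"{where}[{k}]", grouped=True)
        elif isinstance(cond[0], str) and cond[0] in OPERATORS:
            if len(cond) != 2:
                findings.append(f"{where}: operator block must be (operator, (type, ...))")
            else:
                findings += _lint_member(cond[1], f"{where}.{cond[0]}")
        else:
            findings += _lint_member(cond, where)
    return findings


# Constructed sample input; the IDs are placeholders, not real tenant objects.
GOOD = [
    ("APP", ["1001"]),
    ("client_type", ["zpn_client_type_zapp", "zpn_client_type_exporter"]),
    ("OR", ("posture", [("00000000-0000-0000-0000-000000000001", "true")])),
    ("AND", ("scim_group", "2001", "3001")),
    (("chrome_enterprise", "managed", True), ("chrome_posture_profile", ["4001"])),
]
BAD = [
    ("app", "1001"),                                # bare string instead of a list
    ("app_group", "id", "1002"),                    # three items where two are expected
    ("OR", ("scim_group", [("2001",)])),            # pair is missing its right-hand side
    ("or", ("saml", [("2002", "a@example.com")])),  # operator not written as "OR"
    ("AND", ("posture", [])),                       # empty pair list
]

if __name__ == "__main__":
    for finding in lint_conditions(BAD):
        print(finding)
```

Run it over a conditions list before passing the list to a *_v2 method; any finding means the list departs from the shapes shown above.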
- add_app_protection_rule(name, action, zpn_inspection_profile_id=None, **kwargs)
Add a new App Protection Policy rule.
- add_app_protection_rule_v2(name, action, zpn_inspection_profile_id=None, **kwargs)
Update an existing app protection policy rule.
Ensure you are using the correct arguments for the policy type that you want to update.
- Parameters:
rule_id (str) – The unique identifier for the rule to be updated.
**kwargs – Optional keyword args.
- Keyword Arguments:
action (str) –
The action for the policy. Accepted values are:
- inspect
- bypass_inspect
description (str) – Additional information about the app protection policy rule.
enabled (bool) – Whether or not the app protection policy rule is enabled.
rule_order (str) – The rule evaluation order number of the rule.
zpn_inspection_profile_id (str) – The unique identifier of the inspection profile. This field is applicable only for inspection policies.
conditions (list) –
A list of conditional rule tuples. Tuples must follow the convention: Object Type, LHS value, RHS value. If you are adding multiple values for the same object type then you will need a new entry for each value. E.g.
[('app', 'id', '926196382959075416'), ('app', 'id', '926196382959075417'), ('app_group', 'id', '926196382959075332'), ('client_type', 'zpn_client_type_exporter')]
Examples
Add a new App Protection Policy rule:
>>> import random
>>> added_rule, _, err = client.zpa.policies.add_app_protection_rule_v2(
...     name=f"NewAppProtectionRule_{random.randint(1000, 10000)}",
...     description=f"NewAppProtectionRule_{random.randint(1000, 10000)}",
...     action='inspect',
...     zpn_inspection_profile_id='216199618143363055',
...     conditions=[
...         ("app", ["72058304855116918"]),
...         ("app_group", ["72058304855114308"]),
...         ("OR", ("posture", [
...             ("cfab2ee9-9bf4-4482-9dcc-dadf7311c49b", "true"),
...             ("72ddbe89-fa08-4071-94bd-964ce264db10", "true"),
...         ])),
...         ("AND", ("saml", [
...             ("72058304855021553", "jdoe1@acme.com"),
...             ("72058304855021553", "jdoe@acme.com"),
...         ])),
...         ("AND", ("scim_group", [
...             ("72058304855015574", "490880"),
...             ("72058304855015574", "490877"),
...         ])),
...         ("AND", ("scim", [
...             ("72058304855015576", "Smith"),
...             ("72058304855015577", "artxngwpbq"),
...         ])),
...     ]
... )
>>> if err:
...     print(f"Error adding app protection rule: {err}")
... else:
...     print(f"App protection Rule added successfully: {added_rule.as_dict()}")
- add_browser_protection_rule_v2(name, action, **kwargs)
Add browser protection rule.
Ensure you are using the correct arguments for the policy type that you want to update.
- Parameters:
name (str) – The name of the new rule.
**kwargs – Optional keyword args.
- Keyword Arguments:
conditions (list) –
A list of conditional rule tuples. Tuples must follow the convention: Object Type, LHS value, RHS value. E.g.
[("app", ["72058304855116918"]), ("app_group", ["72058304855114308"]), ("client_type", ["zpn_client_type_exporter"])]
action (str) – The action for the policy. Accepted values are: MONITOR, DO_NOT_MONITOR
description (str) – A description for the rule.
Returns:
Examples
Add a new Browser Protection Policy rule:
>>> import random
>>> added_rule, _, err = client.zpa.policies.add_browser_protection_rule_v2(
...     name=f"AddBrowserProtectionRule_{random.randint(1000, 10000)}",
...     description=f"AddBrowserProtectionRule_{random.randint(1000, 10000)}",
...     action="MONITOR",
...     conditions=[
...         ("app", ["72058304855116918"]),
...         ("app_group", ["72058304855114308"]),
...         ("AND", ("saml", [
...             ("72058304855021553", "jdoe1@acme.com"),
...             ("72058304855021553", "jdoe@acme.com"),
...         ])),
...         ("AND", ("scim_group", [
...             ("72058304855015574", "490880"),
...             ("72058304855015574", "490877"),
...         ])),
...         ("AND", ("scim", [
...             ("72058304855015576", "Smith"),
...             ("72058304855015577", "artxngwpbq"),
...         ])),
...     ]
... )
>>> if err:
...     print(f"Error adding browser protection rule: {err}")
... else:
...     print(f"Browser Protection Rule added successfully: {added_rule.as_dict()}")
- add_capabilities_rule_v2(name, **kwargs)
Add a new Capability Access rule.
See the ZPA Capabilities Policies API reference for further detail on optional keyword parameter structures.
- Parameters:
- Keyword Arguments:
rule_order (str) – The new order for the rule.
conditions (list) –
A list of conditional rule tuples. Tuples must follow the convention: Object Type, LHS value, RHS value. If you are adding multiple values for the same object type then you will need a new entry for each value.
- conditions: This is for providing the set of conditions for the policy
- object_type: This is for specifying the policy criteria.
The following values are supported: “app”, “app_group”, “saml”, “scim”, “scim_group”
- app: The unique Application Segment ID
- app_group: The unique Segment Group ID
- saml: The unique Identity Provider ID and SAML attribute ID
- scim: The unique Identity Provider ID and SCIM attribute ID
- scim_group: The unique Identity Provider ID and SCIM_GROUP ID
privileged_capabilities (dict) –
A dictionary specifying the privileged capabilities with boolean values. The supported capabilities are:
clipboard_copy (bool): Indicates the PRA Clipboard Copy function.
clipboard_paste (bool): Indicates the PRA Clipboard Paste function.
file_upload (bool): Indicates the PRA File Transfer capabilities that enables the File Upload function.
file_download (bool): Indicates the PRA File Transfer capabilities that enables the File Download function.
inspect_file_upload (bool): Inspects the file via ZIA sandbox and uploads the file after inspection.
inspect_file_download (bool): Inspects the file via ZIA sandbox and downloads the file after the inspection.
monitor_session (bool): Indicates the PRA Monitoring Capabilities to enable the PRA Session Monitoring.
record_session (bool): Indicates PRA Session Recording capabilities to enable PRA Session Recording.
share_session (bool): Indicates PRA Session Control/Monitoring capabilities to enable PRA Session Monitoring.
- Returns:
The resource record of the newly created Capabilities rule.
- Return type:
Tuple
Examples
Add Access Policy with Scim Group using OR condition:
>>> import random
>>> added_rule, _, err = client.zpa.policies.add_capabilities_rule_v2(
...     name=f"NewCapabilityRule_{random.randint(1000, 10000)}",
...     description=f"NewCapabilityRule_{random.randint(1000, 10000)}",
...     privileged_capabilities={
...         "clipboard_copy": True,
...         "clipboard_paste": True,
...         "file_download": True,
...         "file_upload": None,
...         "inspect_file_upload": True,
...         "inspect_file_download": True,
...         "record_session": True,
...     },
...     conditions=[
...         ("OR", ("scim", [
...             ("72058304855015576", "Smith"),
...         ])),
...         ("APP", ["72058304855116918"]),
...     ]
... )
>>> if err:
...     print(f"Error adding capability rule: {err}")
... else:
...     print(f"Capability Rule added successfully: {added_rule.as_dict()}")
- add_client_forwarding_rule(name, action, **kwargs)
Add a new Client Forwarding Policy rule.
See the ZPA Client Forwarding Policy API reference for further detail on optional keyword parameter structures.
- Parameters:
- Keyword Arguments:
conditions (list) –
A list of conditional rule tuples. Tuples must follow the convention: Object Type, LHS value, RHS value. If you are adding multiple values for the same object type then you will need a new entry for each value. E.g.
[('app', 'id', '926196382959075416'), ('app', 'id', '926196382959075417'), ('app_group', 'id', '926196382959075332'), ('client_type', 'zpn_client_type_exporter', 'zpn_client_type_zapp'), ('trusted_network', 'b15e4cad-fa6e-8182-9fc3-8125ee6a65e1', True)]
custom_msg (str) – A custom message.
description (str) – A description for the rule.
Returns:
Examples
Add a new Client Forwarding Policy rule:
>>> zpa.policies.add_client_forwarding_rule(
...     name='Add_Forwarding_Rule_v1',
...     description='Update_Forwarding_Rule_v1',
...     action='isolate',
...     conditions=[
...         ("app", ["216199618143361683"]),
...         ("app_group", ["216199618143360301"]),
...         ("scim_group", "idp_id", "scim_group_id"),
...         ("scim_group", "idp_id", "scim_group_id"),
...     ],
... )
- add_client_forwarding_rule_v2(name, action, **kwargs)
Add a new Client Forwarding Policy rule.
See the ZPA Client Forwarding Policy API reference for further detail on optional keyword parameter structures.
- Parameters:
- Keyword Arguments:
conditions (list) –
A list of conditional rule tuples. Tuples must follow the convention: Object Type, LHS value, RHS value. E.g.
[("app", ["72058304855116918"]), ("app_group", ["72058304855114308"]), ("client_type", ["zpn_client_type_exporter", "zpn_client_type_zapp", "zpn_client_type_browser_isolation", "zpn_client_type_zapp_partner"])]
description (str) – A description for the rule.
Examples
Add a new Access Policy Forwarding rule:
>>> import random
>>> added_rule, _, err = zpa.policies.add_client_forwarding_rule_v2(
...     name=f"NewForwardingRule_{random.randint(1000, 10000)}",
...     description=f"NewForwardingRule_{random.randint(1000, 10000)}",
...     action='intercept',
...     conditions=[
...         ("client_type",
...          ['zpn_client_type_edge_connector',
...           'zpn_client_type_branch_connector',
...           'zpn_client_type_machine_tunnel',
...           'zpn_client_type_zapp',
...           'zpn_client_type_zapp_partner']),
...         ("app", ["72058304855116918"]),
...         ("app_group", ["72058304855114308"]),
...         ("OR", ("posture", [
...             ("cfab2ee9-9bf4-4482-9dcc-dadf7311c49b", "true"),
...             ("72ddbe89-fa08-4071-94bd-964ce264db10", "true"),
...         ])),
...         ("AND", ("saml", [
...             ("72058304855021553", "jdoe1@acme.com"),
...             ("72058304855021553", "jdoe@acme.com"),
...         ])),
...         ("AND", ("scim_group", [
...             ("72058304855015574", "490880"),
...             ("72058304855015574", "490877"),
...         ])),
...         ("AND", ("scim", [
...             ("72058304855015576", "Smith"),
...             ("72058304855015577", "artxngwpbq"),
...         ])),
...     ],
... )
>>> if err:
...     print(f"Error adding access forwarding rule: {err}")
... else:
...     print(f"Access Forwarding Rule added successfully: {added_rule.as_dict()}")
- add_isolation_rule(name, action, zpn_isolation_profile_id=None, **kwargs)
Add a new Isolation Policy rule.
See the ZPA Isolation Policy API reference for further detail on optional keyword parameter structures.
- Parameters:
- Keyword Arguments:
conditions (list) –
A list of conditional rule tuples. Tuples must follow the convention: Object Type, LHS value, RHS value. If you are adding multiple values for the same object type then you will need a new entry for each value. E.g.
[('app', 'id', '926196382959075416'), ('app', 'id', '926196382959075417'), ('app_group', 'id', '926196382959075332'), ('client_type', 'zpn_client_type_exporter')]
zpn_isolation_profile_id (str) – The isolation profile ID associated with the rule
description (str) – A description for the rule.
Returns:
- add_isolation_rule_v2(name, action, zpn_isolation_profile_id=None, **kwargs)
Add a new Isolation Policy rule.
See the ZPA Isolation Policy API reference for further detail on optional keyword parameter structures.
- Parameters:
- Keyword Arguments:
conditions (list) –
A list of conditional rule tuples. Tuples must follow the convention: Object Type, LHS value, RHS value. If you are adding multiple values for the same object type then you will need a new entry for each value. E.g.
[('app', 'id', '926196382959075416'), ('app', 'id', '926196382959075417'), ('app_group', 'id', '926196382959075332'), ('client_type', 'zpn_client_type_exporter')]
zpn_isolation_profile_id (str) – The isolation profile ID associated with the rule
description (str) – A description for the rule.
- Returns:
The resource record of the newly created access policy rule.
- Return type:
Tuple
Examples
Add Access Isolation Policy with Scim Group using OR and other conditions:
>>> import random
>>> added_rule, _, err = client.zpa.policies.add_isolation_rule_v2(
...     name=f"NewIsolationRule{random.randint(1000, 10000)}",
...     action="isolate",
...     zpn_isolation_profile_id="72058304855039035",
...     conditions=[
...         ("APP", ["72058304855090129"]),
...         ("OR", ("posture", "cfab2ee9-9bf4-4482-9dcc-dadf7311c49b", "true")),
...         ("OR", ("posture", "72ddbe89-fa08-4071-94bd-964ce264db10", "true")),
...         (("chrome_enterprise", "managed", True),
...          ("chrome_posture_profile", ["72058304855116487"])),
...         ("OR", ("scim_group", [
...             ("72058304855015574", "490880"),
...             ("72058304855015574", "490877"),
...         ])),
...     ]
... )
>>> if err:
...     print(f"Error adding isolation rule: {err}")
... else:
...     print(f"Isolation Rule added successfully: {added_rule.as_dict()}")
- add_privileged_credential_rule_v2(name, credential_id=None, **kwargs)
Add a new Privileged Remote Access Credential Policy rule.
- Parameters:
- Keyword Arguments:
description (str) – Additional information about the credential rule.
rule_order (str) – The rule evaluation order number of the rule.
conditions (list) –
A list of conditional rule tuples. Tuples must follow the convention: Object Type, LHS value, RHS value. If you are adding multiple values for the same object type then you will need a new entry for each value.
Examples:
conditions=[
    ("console", ["72058304855106742"]),
    ("OR", ("scim_group", [
        ("72058304855015574", "490880"),
        ("72058304855015574", "490877"),
    ])),
]
Examples
Add a new Credential Policy rule using credential_id:
>>> import random
>>> added_rule, _, err = client.zpa.policies.add_privileged_credential_rule_v2(
...     name=f"PrivilegedCredentialRule_{random.randint(1000, 10000)}",
...     description=f"PrivilegedCredentialRule_{random.randint(1000, 10000)}",
...     credential_id='6014',
...     conditions=[
...         ("console", ["72058304855106742"]),
...         ("AND", ("saml", [
...             ("72058304855021553", "jdoe1@acme.com"),
...             ("72058304855021553", "jdoe@acme.com"),
...         ])),
...         ("AND", ("scim_group", [
...             ("72058304855015574", "490880"),
...             ("72058304855015574", "490877"),
...         ])),
...         ("AND", ("scim", [
...             ("72058304855015576", "Smith"),
...             ("72058304855015577", "artxngwpbq"),
...         ])),
...     ]
... )
>>> if err:
...     print(f"Error adding PRA Credential rule: {err}")
... else:
...     print(f"PRA Credential Rule added successfully: {added_rule.as_dict()}")
Add a new Credential Policy rule using credential_pool_id:
>>> import random
>>> added_rule, _, err = client.zpa.policies.add_privileged_credential_rule_v2(
...     name=f"PrivilegedCredentialRule_{random.randint(1000, 10000)}",
...     description=f"PrivilegedCredentialRule_{random.randint(1000, 10000)}",
...     credential_pool_id='15',
...     conditions=[
...         ("console", ["72058304855106742"]),
...         ("OR", ("scim_group", [
...             ("72058304855015574", "490880"),
...             ("72058304855015574", "490877"),
...         ])),
...     ]
... )
>>> if err:
...     print(f"Error adding PRA Credential rule: {err}")
... else:
...     print(f"PRA Credential Rule added successfully: {added_rule.as_dict()}")
- add_redirection_rule_v2(name, action, service_edge_group_ids=[], **kwargs)
Add a new Redirection Policy rule.
See the ZPA Redirection Policy API reference for further detail on optional keyword parameter structures.
- Parameters:
- Keyword Arguments:
rule_order (str) – The new order for the rule.
conditions (list) –
A list of conditional rule tuples. Tuples must follow the convention: Object Type, LHS value, RHS value. If you are adding multiple values for the same object type then you will need a new entry for each value.
- conditions: This is for providing the set of conditions for the policy
- object_type: This is for specifying the policy criteria.
The following values are supported: “client_type”, “country_code”
- client_type: The client type, must be one of the following:
zpn_client_type_edge_connector, zpn_client_type_branch_connector, zpn_client_type_machine_tunnel, zpn_client_type_zapp, zpn_client_type_zapp_partner
- Returns:
The resource record of the newly created Redirection Policy rule.
- Return type:
Tuple
Example
Add a new redirection rule with various conditions and service edge group IDs:
>>> import random
>>> added_rule, _, err = client.zpa.policies.add_redirection_rule_v2(
...     name=f"NewRedirectionRule_{random.randint(1000, 10000)}",
...     description=f"NewRedirectionRule_{random.randint(1000, 10000)}",
...     action='redirect_preferred',
...     service_edge_group_ids=['12345', '67890'],
...     conditions=[
...         ("client_type",
...          'zpn_client_type_edge_connector',
...          'zpn_client_type_branch_connector',
...          'zpn_client_type_machine_tunnel',
...          'zpn_client_type_zapp',
...          'zpn_client_type_zapp_partner'),
...     ])
>>> if err:
...     print(f"Error adding redirection rule: {err}")
... else:
...     print(f"Redirection Rule added successfully: {added_rule.as_dict()}")
- add_timeout_rule(**kwargs)
Add a new Timeout Policy rule.
See the ZPA Timeout Policy API reference for further detail on optional keyword parameter structures.
- Parameters:
name (str) – The name of the new rule.
**kwargs – Optional parameters.
- Keyword Arguments:
conditions (list) –
A list of conditional rule tuples. Tuples must follow the convention: Object Type, LHS value, RHS value. If you are adding multiple values for the same object type then you will need a new entry for each value. E.g.
[('app', 'id', '926196382959075416'), ('app', 'id', '926196382959075417'), ('app_group', 'id', '926196382959075332'), ('client_type', 'zpn_client_type_exporter', 'zpn_client_type_zapp'), ('trusted_network', 'b15e4cad-fa6e-8182-9fc3-8125ee6a65e1', True)]
custom_msg (str) – A custom message.
description (str) – A description for the rule.
re_auth_idle_timeout (int) – The re-authentication idle timeout value in seconds.
re_auth_timeout (int) – The re-authentication timeout value in seconds.
- add_timeout_rule_v2(name, **kwargs)
Add a new timeout policy rule.
Ensure you are using the correct arguments for the policy type that you want to update.
- Parameters:
name (str) – The name of the new rule.
**kwargs – Optional keyword args.
- Keyword Arguments:
conditions (list) –
A list of conditional rule tuples. Tuples must follow the convention: Object Type, LHS value, RHS value. E.g.
[("app", ["72058304855116918"]), ("app_group", ["72058304855114308"]), ("client_type", ["zpn_client_type_exporter", "zpn_client_type_zapp", "zpn_client_type_browser_isolation", "zpn_client_type_zapp_partner"])]
action (str) – The action for the policy. Accepted values are: RE_AUTH
custom_msg (str) – A custom message.
description (str) – A description for the rule.
re_auth_idle_timeout (str) – The re-authentication idle timeout value in seconds.
re_auth_timeout (str) – The re-authentication timeout value in seconds.
Returns:
Examples
Add a new Timeout Policy rule:
>>> import random
>>> added_rule, _, err = client.zpa.policies.add_timeout_rule_v2(
...     name=f"UpdateTimeoutRule_{random.randint(1000, 10000)}",
...     description=f"UpdateTimeoutRule_{random.randint(1000, 10000)}",
...     reauth_timeout="172800",
...     reauth_idle_timeout="600",
...     conditions=[
...         ("client_type", ["zpn_client_type_exporter",
...                          "zpn_client_type_zapp", "zpn_client_type_browser_isolation",
...                          "zpn_client_type_zapp_partner",
...                          ]),
...         ("app", ["72058304855116918"]),
...         ("app_group", ["72058304855114308"]),
...         ("OR", ("posture", [
...             ("cfab2ee9-9bf4-4482-9dcc-dadf7311c49b", "true"),
...             ("72ddbe89-fa08-4071-94bd-964ce264db10", "true"),
...         ])),
...         ("AND", ("saml", [
...             ("72058304855021553", "jdoe1@acme.com"),
...             ("72058304855021553", "jdoe@acme.com"),
...         ])),
...         ("AND", ("scim_group", [
...             ("72058304855015574", "490880"),
...             ("72058304855015574", "490877"),
...         ])),
...         ("AND", ("scim", [
...             ("72058304855015576", "Smith"),
...             ("72058304855015577", "artxngwpbq"),
...         ])),
...     ]
... )
>>> if err:
...     print(f"Error adding timeout rule: {err}")
... else:
...     print(f"Timeout Rule added successfully: {added_rule.as_dict()}")
- bulk_reorder_rules(policy_type, rules_orders, **kwargs)
Bulk change the order of policy rules.
- Parameters:
- Returns:
(Response, error)
- Return type:
Examples
Reordering access policy rules:
>>> zscaler_resp, err = zpa.policies.bulk_reorder_rules(
...     policy_type='access',
...     rules_orders=[
...         '216199618143374210',
...         '216199618143374209',
...         '216199618143374208',
...         '216199618143374207',
...         '216199618143374206',
...         '216199618143374205',
...         '216199618143374204',
...         '216199618143374203',
...         '216199618143374202',
...         '216199618143374201',
...     ]
... )
>>> if err:
...     print(f"Error reordering rules: {err}")
... else:
...     print(f"Rules reordered successfully: {zscaler_resp}")
Reordering timeout policy rules for a specific microtenant:
>>> zpa.policies.bulk_reorder_rules(
...     policy_type='timeout',
...     rules_orders=[
...         '216199618143374220',
...         '216199618143374219',
...         '216199618143374218',
...         '216199618143374217',
...         '216199618143374216',
...     ],
...     microtenant_id='1234567890'
... )
- delete_rule(policy_type, rule_id, microtenant_id=None)
Deletes the specified policy rule.
- Parameters:
policy_type (str) –
The type of policy the rule belongs to. Accepted values are:
- access - returns the Access Policy
- capabilities - returns the Capabilities Policy
- client_forwarding - returns the Client Forwarding Policy
- clientless - returns the Clientless Session Protection Policy
- credential - returns the Credential Policy
- inspection - returns the Inspection Policy
- isolation - returns the Isolation Policy
- redirection - returns the Redirection Policy
- siem - returns the SIEM Policy
- timeout - returns the Timeout Policy
rule_id (str) – The unique identifier for the policy rule.
Examples
>>> _, _, err = client.zpa.policies.delete_rule(
...     policy_type=policy_type_name, rule_id='97668990877'
... )
>>> if err:
...     print(f"Error deleting rule: {err}")
... else:
...     print(f"Rule with ID {added_rule.id} deleted successfully.")
- get_policy(policy_type, query_params=None)
Returns the policy and rule sets for the given policy type.
- Parameters:
policy_type (str) –
The type of policy to be returned. Accepted values are:
- access - returns the Access Policy
- capabilities - returns the Capabilities Policy
- client_forwarding - returns the Client Forwarding Policy
- clientless - returns the Clientless Session Protection Policy
- credential - returns the Credential Policy
- inspection - returns the Inspection Policy
- isolation - returns the Isolation Policy
- redirection - returns the Redirection Policy
- siem - returns the SIEM Policy
- timeout - returns the Timeout Policy
- Returns:
The resource record of the specified policy type.
- Return type:
PolicySetControllerV1
- Raises:
ValueError – If the policy_type is invalid.
Example
>>> policy = zpa.policies.get_policy('access')
- get_policy_rule_count(policy_type, query_params=None)
Get the count of policy rules for a given policy type.
This endpoint returns the count of policy rules configured for the specified policy type. The API returns a dictionary with a “count” key containing the number of rules.
- Parameters:
policy_type (str) – The type of policy. Can be either user-friendly format (e.g., access) or API format.
User-friendly format:
- access - returns count for Access Policy
- capabilities - returns count for Capabilities Policy
- client_forwarding - returns count for Client Forwarding Policy
- clientless - returns count for Clientless Session Protection Policy
- credential - returns count for Credential Policy
- inspection - returns count for Inspection Policy
- isolation - returns count for Isolation Policy
- redirection - returns count for Redirection Policy
- siem - returns count for SIEM Policy
- timeout - returns count for Timeout Policy
API format (also accepted): ACCESS_POLICY, CAPABILITIES_POLICY, CLIENT_FORWARDING_POLICY, etc.
query_params (dict, optional) –
Map of query parameters for the request.
[query_params.microtenant_id]{str}: The microtenant ID, if applicable.
- Returns:
A tuple containing (dictionary with count, Response, error).
The response is a dictionary with the following structure:
- count (str): The count of policy rules as a string.
- Return type:
Tuple
- Raises:
ValueError – If the policy_type is invalid.
Examples
Get the count of access policy rules:
>>> count_result, _, err = client.zpa.policies.get_policy_rule_count('access')
>>> if err:
...     print(f"Error getting policy rule count: {err}")
... else:
...     print(f"Policy rule count: {count_result.get('count')}")
Get the count with microtenant ID:
>>> count_result, _, err = client.zpa.policies.get_policy_rule_count(
...     'access',
...     query_params={'microtenant_id': '1234567890'}
... )
>>> if err:
...     print(f"Error getting policy rule count: {err}")
... else:
...     print(f"Policy rule count: {count_result.get('count')}")
- get_risk_score_values(query_params=None)
Gets the list of risk score values available for the specified customer.
This endpoint returns a list of risk score values that can be used in policy conditions. The API does not require any parameters, but optionally accepts exclude_unknown to exclude the “UNKNOWN” value from the response.
- Keyword Arguments:
query_params (dict) –
Map of query parameters for the request.
[query_params.exclude_unknown] (bool, optional): If True, excludes “UNKNOWN” from the returned list of risk score values.
[query_params.microtenant_id] {str}: The microtenant ID, if applicable.
- Returns:
A tuple containing (list of risk score value strings, Response, error).
The response is a list of strings with possible values:
- CRITICAL
- HIGH
- MEDIUM
- LOW
- UNKNOWN (if exclude_unknown is not True)
- Return type:
Tuple
Examples
Get all risk score values:
>>> risk_scores, _, err = client.zpa.policies.get_risk_score_values()
>>> if err:
...     print(f"Error getting risk score values: {err}")
... else:
...     print(f"Available risk score values: {risk_scores}")
Get risk score values excluding UNKNOWN:
>>> risk_scores, _, err = client.zpa.policies.get_risk_score_values(
...     query_params={'exclude_unknown': True}
... )
>>> if err:
...     print(f"Error getting risk score values: {err}")
... else:
...     print(f"Available risk score values: {risk_scores}")
- get_rule(policy_type, rule_id, query_params=None)
Returns the specified policy rule.
- Parameters:
policy_type (str) –
The type of policy to be returned. Accepted values are:
- access
- capabilities
- client_forwarding
- clientless
- credential
- inspection
- isolation
- redirection
- siem
- timeout
rule_id (str) – The unique identifier for the policy rule.
query_params (dict, optional) – Map of query parameters for the request.
[query_params.microtenant_id]{str}: The microtenant ID, if applicable.
- Returns:
The resource record for the requested rule.
- Return type:
PolicySetControllerV1
Example
>>> rule = zpa.policies.get_rule('access', rule_id='12345')
- list_rules(policy_type, query_params=None)
Returns policy rules for a given policy type.
- Parameters:
policy_type (str) –
The policy type. Accepted values are:
access - returns Access Policy rules
timeout - returns Timeout Policy rules
client_forwarding - returns Client Forwarding Policy rules
isolation - returns Isolation Policy rules
inspection - returns Inspection Policy rules
redirection - returns Redirection Policy rules
credential - returns Credential Policy rules
capabilities - returns Capabilities Policy rules
siem - returns SIEM Policy rules
- Keyword Arguments:
query_params (dict) –
Map of query parameters for the request.
[query_params.page] {str}: Specifies the page number.
[query_params.page_size] {int}: Specifies the page size. If not provided, the default page size is 20. The max page size is 500.
[query_params.search] {str}: The search string used to support search by features and fields for the API.
[query_params.microtenant_id] {str}: ID of the microtenant, if applicable.
- Returns:
A list of PolicySetControllerV1 objects.
- Return type:
Example
>>> rules = zpa.policies.list_rules('access')
- list_rules_by_appplication_id(policy_type, application_id, query_params=None)¶
Gets paginated policy rules for the specified policy type by application ID
- Parameters:
policy_type (str) – The policy type. Can be either user-friendly format (e.g., access) or API format.
User-friendly format:
access - returns Access Policy rules
capabilities - returns Capabilities Policy rules
client_forwarding - returns Client Forwarding Policy rules
clientless - returns Clientless Session Protection Policy
credential - returns Credential Policy rules
inspection - returns Inspection Policy rules
isolation - returns Isolation Policy rules
redirection - returns Redirection Policy rules
siem - returns SIEM Policy rules
timeout - returns Timeout Policy rules
API format (also accepted):
ACCESS_POLICY, CAPABILITIES_POLICY, CLIENT_FORWARDING_POLICY, etc.
application_id (str) – The ID of the application to get policy rules for.
- Keyword Arguments:
query_params (dict) –
Map of query parameters for the request.
[query_params.page] {str}: Specifies the page number.
[query_params.page_size] {int}: Specifies the page size. If not provided, the default page size is 20. The max page size is 500.
[query_params.search] {str}: The search string used to support search by features and fields for the API.
[query_params.microtenant_id] {str}: ID of the microtenant, if applicable.
- Returns:
A list of PolicySetControllerV2 objects.
- Return type:
Examples
List policy rules for an application:
>>> rules, _, err = client.zpa.policies.list_rules_by_appplication_id(
...     'access',
...     '72058304855116918'
... )
>>> if err:
...     print(f"Error listing policy rules: {err}")
... else:
...     print(f"Total policy rules found: {len(rules)}")
...     for rule in rules:
...         print(rule.as_dict())
List policy rules with pagination and microtenant ID:
>>> rules, _, err = client.zpa.policies.list_rules_by_appplication_id(
...     'access',
...     '72058304855116918',
...     query_params={'page': '1', 'page_size': '50', 'microtenant_id': '1234567890'}
... )
>>> if err:
...     print(f"Error listing policy rules: {err}")
... else:
...     print(f"Total policy rules found: {len(rules)}")
- reformat_params = [('app_server_group_ids', 'appServerGroups'), ('app_connector_group_ids', 'PolicySetControllers'), ('service_edge_group_ids', 'serviceEdgeGroups')]¶
- reorder_rule(policy_type, rule_id, rule_order, **kwargs)¶
Change the order of an existing policy rule.
- Parameters:
policy_type (str) –
The policy type. Accepted values:
access, timeout, client_forwarding, isolation, inspection, redirection, credential, capabilities, siem
rule_id (str) – The unique ID of the rule that will be reordered.
rule_order (str) – The new order for the rule.
**kwargs – Optional keyword arguments.
microtenant_id (str): The ID of the microtenant, if applicable.
- Returns:
(Updated rule, response, error)
- Return type:
Examples
Updates the order for an existing access policy rule:
>>> zpa.policies.reorder_rule(
...     policy_type='access',
...     rule_id='88888',
...     rule_order='2'
... )
Updates the order for an existing timeout policy rule with a specific microtenant:
>>> zpa.policies.reorder_rule(
...     policy_type='timeout',
...     rule_id='77777',
...     rule_order='1',
...     microtenant_id='1234567890'
... )
- update_access_rule(rule_id, name=None, action=None, app_connector_group_ids=None, app_server_group_ids=None, **kwargs)¶
Update an existing policy rule.
Ensure you are using the correct arguments for the policy type that you want to update.
- Parameters:
rule_id (str) – The unique identifier for the rule to be updated.
**kwargs – Optional keyword args.
- Keyword Arguments:
action (str) –
The action for the policy. Accepted values are:
allow, deny
app_connector_group_ids (list of str) – A list of application connector IDs that will be attached to the access policy rule. Defaults to an empty list.
app_server_group_ids (list of str) – A list of server group IDs that will be attached to the access policy rule. Defaults to an empty list.
- Returns:
The updated policy rule record.
- Return type:
PolicySetControllerV1
Examples
Update the name and description of the Access Policy Rule:
>>> zpa.policies.update_access_rule(
...     rule_id="999999",
...     name='Update_Access_Policy_Rule_v1',
...     description='Update_Access_Policy_Rule_v1',
... )
- update_access_rule_v2(rule_id, name=None, action=None, app_connector_group_ids=None, app_server_group_ids=None, **kwargs)¶
Update an existing policy rule.
Ensure you are using the correct arguments for the policy type that you want to update.
- Parameters:
rule_id (str) – The unique identifier for the rule to be updated.
app_connector_group_ids (list of str, optional) – A list of application connector IDs that will be attached to the access policy rule. Defaults to an empty list.
app_server_group_ids (list of str, optional) – A list of server group IDs that will be attached to the access policy rule. Defaults to an empty list.
**kwargs – Optional keyword args.
- Keyword Arguments:
action (str) – The action for the policy. Accepted values are: ALLOW | DENY
custom_msg (str) – A custom message.
description (str) – A description for the rule.
conditions (list) –
A list of conditional rule tuples. Tuples must follow the convention: Object Type, LHS value, RHS value. E.g.
[("app", ["72058304855116918"]),
 ("app_group", ["72058304855114308"]),
 ("client_type", ["zpn_client_type_exporter", "zpn_client_type_zapp",
                  "zpn_client_type_browser_isolation", "zpn_client_type_zapp_partner"])]
- Returns:
The resource record of the newly created access policy rule.
- Return type:
Tuple
Examples
Update Access Policy with Scim Group using OR condition
>>> import random
>>> update_rule, _, err = client.zpa.policies.update_access_rule_v2(
...     rule_id='45857455526',
...     name=f"UpdateAccessRule_{random.randint(1000, 10000)}",
...     description=f"UpdateAccessRule_{random.randint(1000, 10000)}",
...     action="allow",
...     conditions=[
...         ("APP", ["72058304855090129"]),
...         ("app_group", ["72058304855114308"]),
...         ("OR", ("posture", [
...             ("cfab2ee9-9bf4-4482-9dcc-dadf7311c49b", "true"),
...             ("72ddbe89-fa08-4071-94bd-964ce264db10", "true"),
...         ])),
...         ("OR", ("trusted_network", [
...             ("30e749f1-57f5-4cbe-b5fa-5bab3c32c468", "true"),
...             ("a6b94584-c988-4896-8f7f-637ae87f1f0c", "true"),
...         ])),
...         (("chrome_enterprise", "managed", True),
...          ("chrome_posture_profile", ["72058304855116487"])),
...         ("OR", ("saml", [
...             ("72058304855021553", "jdoe1@acme.com"),
...             ("72058304855021553", "jdoe@acme.com"),
...         ])),
...         ("OR", ("scim_group", [
...             ("72058304855015574", "490880"),
...             ("72058304855015574", "490877"),
...         ])),
...         ("OR", ("scim", [
...             ("72058304855015576", "Smith"),
...             ("72058304855015577", "artxngwpbq"),
...         ])),
...     ]
... )
>>> if err:
...     print(f"Error adding access rule: {err}")
... else:
...     print(f"Access Rule added successfully: {update_rule.as_dict()}")
Update Access Policy using AND condition
>>> import random
>>> added_rule, _, err = client.zpa.policies.update_access_rule_v2(
...     rule_id='45857455526',
...     name=f"NewAccessRule_{random.randint(1000, 10000)}",
...     description=f"NewAccessRule_{random.randint(1000, 10000)}",
...     action="allow",
...     conditions=[
...         ("APP", ["72058304855090129"]),
...         ("app_group", ["72058304855114308"]),
...         ("AND", ("posture", [
...             ("cfab2ee9-9bf4-4482-9dcc-dadf7311c49b", "true"),
...             ("72ddbe89-fa08-4071-94bd-964ce264db10", "true"),
...         ])),
...         ("AND", ("trusted_network", [
...             ("30e749f1-57f5-4cbe-b5fa-5bab3c32c468", "true"),
...             ("a6b94584-c988-4896-8f7f-637ae87f1f0c", "true"),
...         ])),
...         ("AND", ("saml", [
...             ("72058304855021553", "jdoe1@acme.com"),
...             ("72058304855021553", "jdoe@acme.com"),
...         ])),
...         ("AND", ("scim_group", [
...             ("72058304855015574", "490880"),
...             ("72058304855015574", "490877"),
...         ])),
...         ("AND", ("scim", [
...             ("72058304855015576", "Smith"),
...             ("72058304855015577", "artxngwpbq"),
...         ])),
...     ]
... )
>>> if err:
...     print(f"Error adding access rule: {err}")
... else:
...     print(f"Access Rule added successfully: {added_rule.as_dict()}")
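The v2 conditions format used in the examples above can be checked locally before a rule is pushed. The following is an added example, not part of the SDK: a small lint that validates the tuple shapes and flags allow rules that lack an application scope or an identity condition. The function names, the set of object types (collected from this page's examples) and the two review heuristics are assumptions of this example.

```python
"""Pre-flight lint for v2-style `conditions` lists (added example, not SDK code)."""

# Object types collected from this page's examples. The groupings below and the
# two "review" heuristics are assumptions of this example, not SDK behaviour.
KNOWN_TYPES = {
    "app", "app_group", "client_type", "console", "posture", "trusted_network",
    "saml", "scim", "scim_group", "chrome_enterprise", "chrome_posture_profile",
}
SCOPE_TYPES = {"app", "app_group"}                # what the rule applies to
IDENTITY_TYPES = {"saml", "scim", "scim_group"}   # who the rule applies to
PAIR_TYPES = {"posture", "trusted_network", "saml", "scim", "scim_group",
              "chrome_enterprise"}                # values are (lhs, rhs) pairs
OPERATORS = {"AND", "OR"}


def _check_operand(obj_type, values, where, findings):
    """Validate one (object_type, values) operand; return its type or None."""
    if not isinstance(obj_type, str):
        findings.append(f"{where}: object type must be a string")
        return None
    kind = obj_type.lower()  # the page's examples mix "APP" and "app"
    if kind not in KNOWN_TYPES:
        findings.append(f"{where}: unknown object type {obj_type!r}")
        return None
    if not isinstance(values, (list, tuple)) or not values:
        findings.append(f"{where}: {kind} needs a non-empty list of values")
        return kind
    for v in values:
        if kind in PAIR_TYPES:
            if not (isinstance(v, (list, tuple)) and len(v) == 2):
                findings.append(
                    f"{where}: {kind} values must be (lhs, rhs) pairs, got {v!r}")
        elif not isinstance(v, str):
            findings.append(f"{where}: {kind} values must be ID strings, got {v!r}")
    return kind


def _walk(entry, where, findings, seen):
    """Recognise the entry shapes shown on this page and check each operand."""
    if not isinstance(entry, (list, tuple)) or len(entry) < 2:
        findings.append(f"{where}: expected a tuple, got {entry!r}")
        return
    head = entry[0]
    if isinstance(head, (list, tuple)):  # grouped operands (chrome_enterprise pair)
        for i, sub in enumerate(entry):
            _walk(sub, f"{where}.{i}", findings, seen)
        return
    if isinstance(head, str) and head.upper() in OPERATORS:
        if len(entry) != 2:
            findings.append(f"{where}: operator entry must be (operator, operand)")
            return
        _walk(entry[1], where, findings, seen)
        return
    if len(entry) == 3:      # (type, lhs, rhs)
        kind = _check_operand(head, [(entry[1], entry[2])], where, findings)
    elif len(entry) == 2:    # (type, [values])
        kind = _check_operand(head, entry[1], where, findings)
    else:
        findings.append(f"{where}: unrecognised entry shape")
        return
    if kind:
        seen.add(kind)


def lint_access_rule(action, conditions):
    """Return a list of findings for an access rule's action and conditions."""
    findings, seen = [], set()
    if not isinstance(conditions, (list, tuple)):
        return ["conditions must be a list of tuples"]
    for i, entry in enumerate(conditions):
        _walk(entry, f"conditions[{i}]", findings, seen)
    if str(action).lower() == "allow":
        if not seen & SCOPE_TYPES:
            findings.append("review: allow rule has no app or app_group condition")
        if not seen & IDENTITY_TYPES:
            findings.append("review: allow rule has no saml, scim or scim_group condition")
    return findings


# Constructed sample input, reusing IDs from the examples on this page.
GOOD = [
    ("APP", ["72058304855090129"]),
    ("app_group", ["72058304855114308"]),
    ("OR", ("posture", [("cfab2ee9-9bf4-4482-9dcc-dadf7311c49b", "true"),
                        ("72ddbe89-fa08-4071-94bd-964ce264db10", "true")])),
    (("chrome_enterprise", "managed", True),
     ("chrome_posture_profile", ["72058304855116487"])),
    ("OR", ("scim_group", [("72058304855015574", "490880"),
                           ("72058304855015574", "490877")])),
]
# Constructed sample: misspelled object type, SAML value without its
# attribute ID, and no application scope on an allow rule.
BAD = [
    ("client_type", ["zpn_client_type_zapp"]),
    ("OR", ("scim_groups", [("72058304855015574", "490880")])),
    ("AND", ("saml", ["jdoe@acme.com"])),
]

if __name__ == "__main__":
    for label, conds in (("GOOD", GOOD), ("BAD", BAD)):
        print(label, lint_access_rule("allow", conds) or "no findings")
```

Findings prefixed with "review:" are prompts for a human check of rule breadth, not validation errors.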
- update_app_protection_rule(rule_id, name, action, zpn_inspection_profile_id=None, **kwargs)¶
Update an existing app protection policy rule.
Ensure you are using the correct arguments for the policy type that you want to update.
- Parameters:
rule_id (str) – The unique identifier for the rule to be updated.
**kwargs – Optional keyword args.
- Keyword Arguments:
action (str) –
The action for the policy. Accepted values are:
isolate, bypass_isolate
description (str) – Additional information about the app protection policy rule.
enabled (bool) – Whether or not the app protection policy rule is enabled.
rule_order (str) – The rule evaluation order number of the rule.
zpn_inspection_profile_id (str) – The unique identifier of the inspection profile. This field is applicable only for inspection policies.
conditions (list) –
A list of conditional rule tuples. Tuples must follow the convention: Object Type, LHS value, RHS value. If you are adding multiple values for the same object type then you will need a new entry for each value. E.g.
[('app', 'id', '926196382959075416'),
 ('app', 'id', '926196382959075417'),
 ('app_group', 'id', '926196382959075332'),
 ('client_type', 'zpn_client_type_exporter')]
Returns:
Examples
Updates the name only for an Inspection Policy rule:
>>> zpa.policies.update_app_protection_rule(
...     rule_id='216199618143320419',
...     name='Update_Inspection_Rule_v2',
...     description='Update_Inspection_Rule_v2',
...     action='inspect',
...     zpn_inspection_profile_id='216199618143363055',
...     conditions=[
...         ("app", ["216199618143361683"]),
...         ("app_group", ["216199618143360301"]),
...         ("scim_group", [("216199618143191058", "2079468"), ("216199618143191058", "2079446")]),
...     ],
... )
- update_app_protection_rule_v2(rule_id, name, action, zpn_inspection_profile_id=None, **kwargs)¶
Add a new App Protection Policy rule.
See the ZPA App Protection Policies API reference for further detail on optional keyword parameter structures.
- Parameters:
- Keyword Arguments:
action (str) –
The action for the policy. Accepted values are:
inspect, bypass_inspect
description (str) – Additional information about the credential rule.
enabled (bool) – Whether or not the credential rule is enabled.
rule_order (str) – The rule evaluation order number of the rule.
conditions (list) –
A list of conditional rule tuples. Tuples must follow the convention: Object Type, LHS value, RHS value. If you are adding multiple values for the same object type then you will need a new entry for each value.
- conditions: This is for providing the set of conditions for the policy
- object_type: This is for specifying the policy criteria.
The following values are supported: “app”, “app_group”, “saml”, “scim”, “scim_group”
* saml: The unique Identity Provider ID and SAML attribute ID
* scim: The unique Identity Provider ID and SCIM attribute ID
* scim_group: The unique Identity Provider ID and SCIM_GROUP ID
zpa.policies.update_app_protection_rule_v2(
    name='new_app_protection_rule',
    description='new_app_protection_rule',
    zpn_inspection_profile_id='216199618143363055',
    conditions=[
        ("scim_group", [("idp_id", "scim_group_id"), ("idp_id", "scim_group_id")]),
        ("console", ["console_id"]),
    ],
)
Examples
Update an existing App Protection Policy rule:
>>> import random
>>> updated_rule, _, err = client.zpa.policies.update_app_protection_rule_v2(
...     rule_id='97697977',
...     name=f"NewAppProtectionRule_{random.randint(1000, 10000)}",
...     description=f"NewAppProtectionRule_{random.randint(1000, 10000)}",
...     action='inspect',
...     zpn_inspection_profile_id='216199618143363055',
...     conditions=[
...         ("APP", ["72058304855090129"]),
...         ("OR", ("posture", "cfab2ee9-9bf4-4482-9dcc-dadf7311c49b", "true")),
...         ("OR", ("posture", "72ddbe89-fa08-4071-94bd-964ce264db10", "true")),
...         ("OR", ("scim_group", [
...             ("72058304855015574", "490880"),
...             ("72058304855015574", "490877"),
...         ])),
...     ]
... )
>>> if err:
...     print(f"Error updating app protection rule: {err}")
... else:
...     print(f"App protection Rule updated successfully: {updated_rule.as_dict()}")
- update_browser_protection_rule_v2(rule_id, name, action, **kwargs)¶
Update an existing policy rule.
Ensure you are using the correct arguments for the policy type that you want to update.
- Parameters:
rule_id (str) – The unique identifier for the rule to be updated.
**kwargs – Optional keyword args.
- Keyword Arguments:
conditions (list) –
A list of conditional rule tuples. Tuples must follow the convention: Object Type, LHS value, RHS value. E.g.
[("app", ["72058304855116918"]),
 ("app_group", ["72058304855114308"]),
 ("client_type", ["zpn_client_type_exporter"])]
action (str) – The action for the policy. Accepted values are: MONITOR | DO_NOT_MONITOR
description (str) – A description for the rule.
- Returns:
The resource record of the newly created access policy rule.
- Return type:
Tuple
Examples
Updated an existing Browser Protection Policy rule:
>>> import random
>>> updated_rule, _, err = client.zpa.policies.update_browser_protection_rule_v2(
...     rule_id='12365865',
...     name=f"UpdateBrowserProtectionRule_{random.randint(1000, 10000)}",
...     description=f"UpdateBrowserProtectionRule_{random.randint(1000, 10000)}",
...     action="DO_NOT_MONITOR",
...     conditions=[
...         ("app", ["72058304855116918"]),
...         ("app_group", ["72058304855114308"]),
...         ("AND", ("saml", [
...             ("72058304855021553", "jdoe1@acme.com"),
...             ("72058304855021553", "jdoe@acme.com"),
...         ])),
...         ("AND", ("scim_group", [
...             ("72058304855015574", "490880"),
...             ("72058304855015574", "490877"),
...         ])),
...         ("AND", ("scim", [
...             ("72058304855015576", "Smith"),
...             ("72058304855015577", "artxngwpbq"),
...         ])),
...     ]
... )
>>> if err:
...     print(f"Error adding Browser Protection rule: {err}")
... else:
...     print(f"Browser Protection Rule added successfully: {updated_rule.as_dict()}")
- update_capabilities_rule_v2(rule_id, name=None, **kwargs)¶
Update an existing capabilities policy rule.
See the ZPA Capabilities Policies API reference for further detail on optional keyword parameter structures.
- Parameters:
rule_id (str) – The unique identifier for the rule to be updated.
**kwargs – Optional keyword args.
- Keyword Arguments:
rule_order (str) – The new order for the rule.
conditions (list) –
A list of conditional rule tuples. Tuples must follow the convention: Object Type, LHS value, RHS value. If you are adding multiple values for the same object type then you will need a new entry for each value.
- conditions: This is for providing the set of conditions for the policy
- object_type: This is for specifying the policy criteria.
The following values are supported: “app”, “app_group”, “saml”, “scim”, “scim_group”
- app: The unique Application Segment ID
- app_group: The unique Segment Group ID
- saml: The unique Identity Provider ID and SAML attribute ID
- scim: The unique Identity Provider ID and SCIM attribute ID
- scim_group: The unique Identity Provider ID and SCIM_GROUP ID
privileged_capabilities (dict) –
A dictionary specifying the privileged capabilities with boolean values. The supported capabilities are:
clipboard_copy (bool): Indicates the PRA Clipboard Copy function.
clipboard_paste (bool): Indicates the PRA Clipboard Paste function.
file_upload (bool): Indicates the PRA File Transfer capabilities that enables the File Upload function.
file_download (bool): Indicates the PRA File Transfer capabilities that enables the File Download function.
inspect_file_upload (bool): Inspects the file via ZIA sandbox and uploads the file after the inspection.
inspect_file_download (bool): Inspects the file via ZIA sandbox and downloads the file after inspection.
monitor_session (bool): Indicates PRA Monitoring Capabilities to enable the PRA Session Monitoring.
record_session (bool): Indicates PRA Session Recording capabilities to enable PRA Session Recording.
share_session (bool): Indicates PRA Session Control/Monitoring capabilities to enable PRA Session Monitoring.
- Returns:
The updated policy-capability-rule resource record.
- Return type:
Tuple
Examples
Updates the name and capabilities for an existing Capability Policy rule:
>>> import random
>>> added_rule, _, err = client.zpa.policies.update_capabilities_rule_v2(
...     rule_id='8766896',
...     name=f"UpdateCapabilityRule_{random.randint(1000, 10000)}",
...     description=f"UpdateCapabilityRule_{random.randint(1000, 10000)}",
...     privileged_capabilities={
...         "clipboard_copy": True,
...         "clipboard_paste": True,
...         "file_download": True,
...         "file_upload": None,
...         "inspect_file_upload": True,
...         "inspect_file_download": True,
...         "record_session": True,
...     },
...     conditions=[
...         ("OR", ("scim", [
...             ("72058304855015576", "Smith"),
...         ])),
...         ("APP", ["72058304855116918"]),
...     ]
... )
>>> if err:
...     print(f"Error adding capability rule: {err}")
... else:
...     print(f"Capability Rule added successfully: {added_rule.as_dict()}")
- update_client_forwarding_rule(rule_id, name=None, action=None, **kwargs)¶
Update an existing Client Forwarding Policy rule.
Ensure you are using the correct arguments for the policy type that you want to update.
- Parameters:
rule_id (str) – The unique identifier for the rule to be updated.
**kwargs – Optional keyword args.
- Keyword Arguments:
action (str) –
The action for the policy. Accepted values are:
intercept, intercept_accessible, bypass
description (str) – Additional information about the Client Forwarding Policy rule.
enabled (bool) – Whether or not the Client Forwarding Policy rule is enabled.
rule_order (str) – The rule evaluation order number of the rule.
conditions (list) –
A list of conditional rule tuples. Tuples must follow the convention: Object Type, LHS value, RHS value. If you are adding multiple values for the same object type then you will need a new entry for each value. E.g.
[('app', 'id', 'app_segment_id'),
 ('app', 'id', 'app_segment_id'),
 ('app_group', 'id', 'segment_group_id'),
 ("scim_group", "idp_id", "scim_group_id"),
 ("scim_group", "idp_id", "scim_group_id"),
 ('client_type', 'zpn_client_type_exporter')]
Returns:
Examples
Updates the name only for a Client Forwarding Policy rule:
>>> zpa.policies.update_client_forwarding_rule(
...     rule_id='216199618143320419',
...     name='Update_Forwarding_Rule_v1',
...     description='Update_Forwarding_Rule_v1',
...     action='isolate',
...     conditions=[
...         ("app", ["216199618143361683"]),
...         ("app_group", ["216199618143360301"]),
...         ("scim_group", "idp_id", "scim_group_id"),
...         ("scim_group", "idp_id", "scim_group_id"),
...     ],
... )
- update_client_forwarding_rule_v2(rule_id, name=None, action=None, **kwargs)¶
Update an existing client forwarding policy rule.
Ensure you are using the correct arguments for the policy type that you want to update.
- Parameters:
rule_id (str) – The unique identifier for the rule to be updated.
**kwargs – Optional keyword args.
- Keyword Arguments:
action (str) –
The action for the policy. Accepted values are:
bypass, intercept, intercept_accessible
description (str) – Additional information about the client forwarding policy rule.
conditions (list) –
A list of conditional rule tuples. Tuples must follow the convention: Object Type, LHS value, RHS value. E.g.
("client_type", ['zpn_client_type_edge_connector', 'zpn_client_type_branch_connector', 'zpn_client_type_machine_tunnel', 'zpn_client_type_zapp', 'zpn_client_type_zapp_partner' ]),
Examples
Updates the name only for an Access Policy Forwarding rule:
>>> import random
>>> updated_rule, _, err = zpa.policies.update_client_forwarding_rule_v2(
...     rule_id='216199618143320419',
...     name=f"UpdateAccessRule_{random.randint(1000, 10000)}",
...     description=f"UpdateAccessRule_{random.randint(1000, 10000)}",
...     action='intercept',
...     conditions=[
...         ("client_type",
...          ['zpn_client_type_edge_connector',
...           'zpn_client_type_branch_connector',
...           'zpn_client_type_machine_tunnel',
...           'zpn_client_type_zapp',
...           'zpn_client_type_zapp_partner']),
...     ],
... )
>>> if err:
...     print(f"Error updating access forwarding rule: {err}")
... else:
...     print(f"Access Forwarding Rule updated successfully: {updated_rule.as_dict()}")
- update_isolation_rule(rule_id, name=None, action=None, zpn_isolation_profile_id=None, **kwargs)¶
Update an existing client isolation policy rule.
Ensure you are using the correct arguments for the policy type that you want to update.
- Parameters:
rule_id (str) – The unique identifier for the rule to be updated.
**kwargs – Optional keyword args.
- Keyword Arguments:
action (str) –
The action for the policy. Accepted values are:
isolate, bypass_isolate
description (str) – Additional information about the client forwarding policy rule.
enabled (bool) – Whether or not the client forwarding policy rule is enabled.
rule_order (str) – The rule evaluation order number of the rule.
zpn_isolation_profile_id (str) – The unique identifier of the inspection profile. This field is applicable only for inspection policies.
conditions (list) –
A list of conditional rule tuples. Tuples must follow the convention: Object Type, LHS value, RHS value. If you are adding multiple values for the same object type then you will need a new entry for each value. E.g.
[('app', 'id', '926196382959075416'),
 ('app', 'id', '926196382959075417'),
 ('app_group', 'id', '926196382959075332'),
 ('client_type', 'zpn_client_type_exporter')]
Returns:
Examples
Updates the name only for an Isolation Policy rule:
>>> zpa.policies.update_isolation_rule(
...     rule_id='216199618143320419',
...     name='Update_Isolation_Rule_v2',
...     description='Update_Isolation_Rule_v2',
...     action='isolate',
...     conditions=[
...         ("app", ["216199618143361683"]),
...         ("app_group", ["216199618143360301"]),
...         ("scim_group", [("216199618143191058", "2079468"), ("216199618143191058", "2079446")]),
...     ],
... )
- update_isolation_rule_v2(rule_id, name=None, action=None, zpn_isolation_profile_id=None, **kwargs)¶
Update an existing client isolation policy rule.
Ensure you are using the correct arguments for the policy type that you want to update.
- Parameters:
rule_id (str) – The unique identifier for the rule to be updated.
**kwargs – Optional keyword args.
- Keyword Arguments:
action (str) –
The action for the policy. Accepted values are:
isolate, bypass_isolate
description (str) – Additional information about the client forwarding policy rule.
enabled (bool) – Whether or not the client forwarding policy rule is enabled.
rule_order (str) – The rule evaluation order number of the rule.
zpn_isolation_profile_id (str) – The unique identifier of the inspection profile. This field is applicable only for inspection policies.
conditions (list) –
A list of conditional rule tuples. Tuples must follow the convention: Object Type, LHS value, RHS value. If you are adding multiple values for the same object type then you will need a new entry for each value. E.g.
[('app', 'id', '926196382959075416'),
 ('app', 'id', '926196382959075417'),
 ('app_group', 'id', '926196382959075332'),
 ('client_type', 'zpn_client_type_exporter')]
Examples
Updates an Isolation Policy rule:
>>> import random
>>> updated_rule, _, err = client.zpa.policies.update_isolation_rule_v2(
...     rule_id='216199618143320419',
...     name=f"NewIsolationRule_{random.randint(1000, 10000)}",
...     description=f"NewIsolationRule_{random.randint(1000, 10000)}",
...     action='isolate',
...     conditions=[
...         ("APP", ["72058304855090129"]),
...         ("OR", ("posture", "cfab2ee9-9bf4-4482-9dcc-dadf7311c49b", "true")),
...         ("OR", ("posture", "72ddbe89-fa08-4071-94bd-964ce264db10", "true")),
...         (("chrome_enterprise", "managed", True),
...          ("chrome_posture_profile", ["72058304855116487"])),
...         ("OR", ("scim_group", [
...             ("72058304855015574", "490880"),
...             ("72058304855015574", "490877"),
...         ])),
...     ]
... )
>>> if err:
...     print(f"Error updating isolation rule: {err}")
... else:
...     print(f"Isolation Rule updated successfully: {updated_rule.as_dict()}")
- update_privileged_credential_rule_v2(rule_id, credential_id=None, name=None, **kwargs)¶
Update an existing privileged credential policy rule.
- Parameters:
- Keyword Arguments:
description (str) – Additional information about the credential rule.
rule_order (str) – The rule evaluation order number of the rule.
conditions (list) –
A list of conditional rule tuples. Tuples must follow the convention: Object Type, LHS value, RHS value. If you are adding multiple values for the same object type then you will need a new entry for each value.
Examples:
conditions=[
    ("console", ["72058304855106742"]),
    ("OR", ("scim_group", [
        ("72058304855015574", "490880"),
        ("72058304855015574", "490877"),
    ])),
]
Examples
Update an existing Credential Policy rule using credential_id:
>>> import random
>>> updated_rule, _, err = client.zpa.policies.update_privileged_credential_rule_v2(
...     rule_id='72058304855115989',
...     name=f"PrivilegedCredentialRule_{random.randint(1000, 10000)}",
...     description=f"PrivilegedCredentialRule_{random.randint(1000, 10000)}",
...     credential_id='6014',
...     conditions=[
...         ("console", ["72058304855106742"]),
...         ("AND", ("saml", [
...             ("72058304855021553", "jdoe1@acme.com"),
...             ("72058304855021553", "jdoe@acme.com"),
...         ])),
...         ("AND", ("scim_group", [
...             ("72058304855015574", "490880"),
...             ("72058304855015574", "490877"),
...         ])),
...         ("AND", ("scim", [
...             ("72058304855015576", "Smith"),
...             ("72058304855015577", "artxngwpbq"),
...         ])),
...     ]
... )
>>> if err:
...     print(f"Error adding PRA Credential rule: {err}")
... else:
...     print(f"PRA Credential Rule added successfully: {updated_rule.as_dict()}")
Update an existing Credential Policy rule using credential_pool_id:
>>> import random
>>> updated_rule, _, err = client.zpa.policies.update_privileged_credential_rule_v2(
...     rule_id='72058304855115989',
...     name=f"PrivilegedCredentialRule_{random.randint(1000, 10000)}",
...     description=f"PrivilegedCredentialRule_{random.randint(1000, 10000)}",
...     credential_pool_id='15',
...     conditions=[
...         ("console", ["72058304855106742"]),
...         ("OR", ("scim_group", [
...             ("72058304855015574", "490880"),
...             ("72058304855015574", "490877"),
...         ])),
...     ]
... )
>>> if err:
...     print(f"Error adding PRA Credential rule: {err}")
... else:
...     print(f"PRA Credential Rule added successfully: {updated_rule.as_dict()}")
- update_redirection_rule_v2(rule_id, name, action, service_edge_group_ids=[], **kwargs)¶
Update an existing policy rule. Ensure you are using the correct arguments for the policy type that you want to update.
- Parameters:
rule_id (str) – The unique identifier for the rule to be updated.
**kwargs – Optional keyword args.
- Keyword Arguments:
action (str) –
The action for the policy. Accepted values are:
redirect_default, redirect_preferred, redirect_always
description (str) – Additional information about the redirection rule.
enabled (bool) – Whether or not the redirection rule is enabled.
rule_order (str) – The rule evaluation order number of the rule.
conditions (list) –
A list of conditional rule tuples. Tuples must follow the convention: Object Type, LHS value, RHS value. If you are adding multiple values for the same object type then you will need a new entry for each value. E.g.
("client_type", [ 'zpn_client_type_edge_connector', 'zpn_client_type_branch_connector', 'zpn_client_type_machine_tunnel', 'zpn_client_type_zapp', 'zpn_client_type_zapp_partner' ]),
- Returns:
The updated policy-rule resource record.
- Return type:
Tuple
Examples
Updates the name only for an Access Policy rule:
>>> import random
>>> updated_rule, _, err = client.zpa.policies.update_redirection_rule_v2(
...     rule_id='97689668',
...     name=f"UpdateRedirectionRule_{random.randint(1000, 10000)}",
...     description=f"UpdateRedirectionRule_{random.randint(1000, 10000)}",
...     action='redirect_preferred',
...     service_edge_group_ids=['12345', '67890'],
...     conditions=[
...         ("client_type", [
...             'zpn_client_type_edge_connector',
...             'zpn_client_type_branch_connector',
...             'zpn_client_type_machine_tunnel',
...             'zpn_client_type_zapp',
...             'zpn_client_type_zapp_partner',
...         ]),
...     ])
>>> if err:
...     print(f"Error adding redirection rule: {err}")
... else:
...     print(f"Redirection Rule added successfully: {updated_rule.as_dict()}")
- update_timeout_rule(rule_id, **kwargs)¶
Update an existing policy rule.
Ensure you are using the correct arguments for the policy type that you want to update.
- Parameters:
rule_id (str) – The unique identifier for the rule to be updated.
**kwargs – Optional keyword args.
- Keyword Arguments:
conditions (list) –
A list of conditional rule tuples. Tuples must follow the convention: Object Type, LHS value, RHS value. If you are adding multiple values for the same object type then you will need a new entry for each value. E.g.
[('app', 'id', '926196382959075416'),
 ('app', 'id', '926196382959075417'),
 ('app_group', 'id', '926196382959075332'),
 ('client_type', 'zpn_client_type_exporter', 'zpn_client_type_zapp'),
 ('trusted_network', 'b15e4cad-fa6e-8182-9fc3-8125ee6a65e1', True)]
custom_msg (str) – A custom message.
description (str) – A description for the rule.
re_auth_idle_timeout (int) – The re-authentication idle timeout value in seconds.
re_auth_timeout (int) – The re-authentication timeout value in seconds.
Returns:
Examples
Updates the name only for a Timeout Policy rule:
>>> zpa.policies.update_timeout_rule('99999', name='new_rule_name')
Updates the description for a Timeout Policy rule:
>>> zpa.policies.update_timeout_rule('888888', description='Updated Description')
- update_timeout_rule_v2(rule_id, name=None, **kwargs)¶
Update an existing policy rule.
Ensure you are using the correct arguments for the policy type that you want to update.
- Parameters:
rule_id (str) – The unique identifier for the rule to be updated.
**kwargs – Optional keyword args.
- Keyword Arguments:
conditions (list) –
A list of conditional rule tuples. Tuples must follow the convention: Object Type, LHS value, RHS value. E.g.
[("app", ["72058304855116918"]),
 ("app_group", ["72058304855114308"]),
 ("client_type", ["zpn_client_type_exporter", "zpn_client_type_zapp",
                  "zpn_client_type_browser_isolation", "zpn_client_type_zapp_partner"])]
action (str) – The action for the policy. Accepted values are: RE_AUTH
custom_msg (str) – A custom message.
description (str) – A description for the rule.
re_auth_idle_timeout (str) – The re-authentication idle timeout value in seconds.
re_auth_timeout (str) – The re-authentication timeout value in seconds.
- Returns:
The resource record of the newly created access policy rule.
- Return type:
Tuple
Examples
Updated an existing Timeout Policy rule:
>>> import random
>>> updated_rule, _, err = client.zpa.policies.update_timeout_rule_v2(
...     rule_id='12365865',
...     name=f"UpdateTimeoutRule_{random.randint(1000, 10000)}",
...     description=f"UpdateTimeoutRule_{random.randint(1000, 10000)}",
...     reauth_timeout="172800",
...     reauth_idle_timeout="600",
...     conditions=[
...         ("client_type", ["zpn_client_type_exporter",
...                          "zpn_client_type_zapp", "zpn_client_type_browser_isolation",
...                          "zpn_client_type_zapp_partner",
...                          ]),
...         ("app", ["72058304855116918"]),
...         ("app_group", ["72058304855114308"]),
...         ("OR", ("posture", [
...             ("cfab2ee9-9bf4-4482-9dcc-dadf7311c49b", "true"),
...             ("72ddbe89-fa08-4071-94bd-964ce264db10", "true"),
...         ])),
...         ("AND", ("saml", [
...             ("72058304855021553", "jdoe1@acme.com"),
...             ("72058304855021553", "jdoe@acme.com"),
...         ])),
...         ("AND", ("scim_group", [
...             ("72058304855015574", "490880"),
...             ("72058304855015574", "490877"),
...         ])),
...         ("AND", ("scim", [
...             ("72058304855015576", "Smith"),
...             ("72058304855015577", "artxngwpbq"),
...         ])),
...     ]
... )
>>> if err:
...     print(f"Error adding timeout rule: {err}")
... else:
...     print(f"Timeout Rule added successfully: {updated_rule.as_dict()}")
- synchronized(lock)¶
Decorator to ensure that a function is executed with a lock.