About Access Rule Attributes
The Cisco Secure Access policy is the collection of an organization's internet and private access rules, default rules, and rule settings. An access rule has various components that you can identify by the policy's rule attributes in the Policy Rules API.
Using Rule Attributes on Access Rules
Create and manage access rules with rule components through the Policy Rules API.
- You can use rule attributes to compose rule conditions on access rules.
- You can use rule attributes to filter the rules in the Access policy.
For example, access rules have source and destination components. You can build a rule with source components by adding groups of rule attributes and their values.
To start using rule attributes on access rules:
- Identify the name of the rule attribute and the rule component.
- (Optional) Get the list of IDs or ID for the value of the rule attribute.
- Use the rule attribute in the API request to create or manage an access rule.
You can set rule attributes for the Policy Rules API in the `filters` query parameter. You can also set the rule attribute information (`attributeName`, `attributeValue`, `attributeOperator`) for the `ruleConditions`.
Rule Attribute Operators
- =
- IN
- AND
- INTERSECT
Rule Attribute Values for Network and Service Objects
When the `attributeName` in a rule condition is `umbrella.destination.logical_operator` and the `attributeOperator` is `AND`, Secure Access uses the logical AND operator to combine the Network Objects or Network Object Groups with Service Objects and Service Object Groups. Otherwise, Secure Access uses the logical OR operator to combine the destination components.
To combine Network Objects or Network Object Groups with Service Objects or Service Object Groups using AND, you must add the logical AND operator to the rule condition; without it, the destination components are combined with OR.
| Rule Attribute Value | Description |
|---|---|
| `(umbrella.destination.networkObjectIds && umbrella.destination.serviceObjectIds)` | Network Objects AND with Service Objects. |
| `(umbrella.destination.networkObjectGroupIds && umbrella.destination.serviceObjectIds)` | Network Object Groups AND with Service Objects. |
| `(umbrella.destination.networkObjectGroupIds && umbrella.destination.serviceObjectGroupIds)` | Network Object Groups AND with Service Object Groups. |
| `(umbrella.destination.serviceObjectGroupIds && umbrella.destination.networkObjectIds)` | Service Object Groups AND with Network Objects. |
| `((umbrella.destination.networkObjectIds \|\| umbrella.destination.networkObjectGroupIds) && (umbrella.destination.serviceObjectIds \|\| umbrella.destination.serviceObjectGroupIds))` | Network Objects OR with Network Object Groups, then AND with Service Objects OR with Service Object Groups. |
| `((umbrella.destination.networkObjectIds \|\| umbrella.destination.networkObjectGroupIds) && umbrella.destination.serviceObjectIds)` | Network Objects OR with Network Object Groups, then AND with Service Objects. |
| `((umbrella.destination.networkObjectIds \|\| umbrella.destination.networkObjectGroupIds) && umbrella.destination.serviceObjectGroupIds)` | Network Objects OR with Network Object Groups, then AND with Service Object Groups. |
| `((umbrella.destination.serviceObjectIds \|\| umbrella.destination.serviceObjectGroupIds) && umbrella.destination.networkObjectIds)` | Service Objects OR with Service Object Groups, then AND with Network Objects. |
| `((umbrella.destination.serviceObjectIds \|\| umbrella.destination.serviceObjectGroupIds) && umbrella.destination.networkObjectGroupIds)` | Service Objects OR with Service Object Groups, then AND with Network Object Groups. |
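The following is an added example, not Cisco's code, that shows why the logical operator matters when you build a destination condition. It assembles the destination entries of a `ruleConditions` list (the object shape with `attributeName`, `attributeValue` and `attributeOperator`, and the use of `IN` for an ID list, is inferred from this page and is an assumption, not an authoritative schema), parses the `logical_operator` expressions from the table above with a small recursive-descent evaluator, and checks a candidate destination against a rule with and without the logical AND. The destination data (which object IDs a destination resolves to) is constructed sample data; in practice those IDs come from your organization's objects.

```python
# Added example (not Cisco's code). Assumed ruleConditions shape: a list of
# {attributeName, attributeOperator, attributeValue} objects, with IN for ID lists.
# Object IDs and the destination resolution data below are constructed samples.
import re

NET_ATTRS = {"umbrella.destination.networkObjectIds", "umbrella.destination.networkObjectGroupIds"}
SVC_ATTRS = {"umbrella.destination.serviceObjectIds", "umbrella.destination.serviceObjectGroupIds"}
LOGICAL_OP = "umbrella.destination.logical_operator"


def build_destination_conditions(network_object_ids, service_object_ids, logical_operator=None):
    """ruleConditions entries for Network Objects and Service Objects. Pass one of the
    page's '(... && ...)' expressions as logical_operator to require both; None keeps
    the default OR combination."""
    conditions = [
        {"attributeName": "umbrella.destination.networkObjectIds",
         "attributeOperator": "IN", "attributeValue": list(network_object_ids)},
        {"attributeName": "umbrella.destination.serviceObjectIds",
         "attributeOperator": "IN", "attributeValue": list(service_object_ids)},
    ]
    if logical_operator is not None:
        conditions.append({"attributeName": LOGICAL_OP, "attributeOperator": "AND",
                           "attributeValue": logical_operator})
    return conditions


_TOKEN = re.compile(r"\s*(\(|\)|&&|\|\||[A-Za-z_][\w.]*)")


def tokenize(expr):
    """Split a logical_operator value into '(', ')', '&&', '||' and attribute names."""
    expr, pos, tokens = expr.strip(), 0, []
    while pos < len(expr):
        m = _TOKEN.match(expr, pos)
        if not m:
            raise ValueError(f"unexpected text at offset {pos}: {expr[pos:]!r}")
        tokens.append(m.group(1))
        pos = m.end()
    return tokens


def evaluate(expr, matched):
    """Recursive-descent evaluation; '&&' binds tighter than '||', parentheses group.
    matched(attribute_name) -> bool reports whether that component matched."""
    tokens, idx = tokenize(expr), 0

    def take():
        nonlocal idx
        idx += 1
        return tokens[idx - 1]

    def parse_or():
        val = parse_and()
        while idx < len(tokens) and tokens[idx] == "||":
            take()
            rhs = parse_and()  # always parsed so every token is consumed
            val = val or rhs
        return val

    def parse_and():
        val = parse_atom()
        while idx < len(tokens) and tokens[idx] == "&&":
            take()
            rhs = parse_atom()
            val = val and rhs
        return val

    def parse_atom():
        tok = take()
        if tok == "(":
            val = parse_or()
            if take() != ")":
                raise ValueError("expected ')'")
            return val
        if tok in (")", "&&", "||"):
            raise ValueError(f"unexpected {tok!r}")
        return bool(matched(tok))

    result = parse_or()
    if idx != len(tokens):
        raise ValueError("trailing tokens after expression")
    return result


def destination_matches(conditions, destination_objects):
    """destination_objects maps an attributeName to the set of object IDs the candidate
    destination resolves to (constructed sample data, already resolved)."""
    by_name = {c["attributeName"]: c for c in conditions}

    def matched(attr):
        cond = by_name.get(attr)
        return cond is not None and bool(
            set(cond["attributeValue"]) & destination_objects.get(attr, set()))

    op = by_name.get(LOGICAL_OP)
    if op is not None and op["attributeOperator"] == "AND":
        return evaluate(op["attributeValue"], matched)
    # Page default: without the logical AND, destination components combine with OR.
    return any(matched(n) for n in by_name if n in NET_ATTRS | SVC_ATTRS)
```

With constructed IDs 101 (a Network Object) and 201 (a Service Object), `build_destination_conditions([101], [201])` matches a destination that resolves to Network Object 101 even when its service does not match, because the components combine with OR; adding `"(umbrella.destination.networkObjectIds && umbrella.destination.serviceObjectIds)"` as the logical operator makes `destination_matches` require both. When reviewing rules, check the `logical_operator` entry explicitly: a rule intended as "this network on this service" that lacks it is considerably broader than intended.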
Rule Attributes for Sources on Access Rules
Sources are either resources that you pre-configure in Secure Access or resources that you add on a specific access rule.
Reusable Source Components
Reusable source components are resources that you configure and add in Secure Access. Pre-configured source components are available for you to add on the access rules.
Examples of pre-configured source components are users and groups. Users and groups are resources that you add to the Secure Access organization through the integration of cloud identity providers or an on-premises identity provider (IdP) with Secure Access.
You can use rule attributes to add and manage the reusable source components on the access rules.
| Rule Attribute | Description |
|---|---|
| `umbrella.source.identity_ids` | The list of the IDs for the users and groups. |
| `umbrella.source.identity_type_ids` | The list of the origin IDs for the user devices. |
| `umbrella.source.networkObjectIds` | The list of IDs for the Network Objects. |
| `umbrella.source.networkObjectGroupIds` | The list of IDs for the Network Object Groups. |
| `umbrella.source.all` | The list of all source components. |
Composite Source Components
A composite source is a resource that is available only on the access rule, not as a resource in the organization. An example of a composite source is the IP address for a network that is managed by the organization.
You can use rule attributes to add and manage the composite sources on the access rules.
| Rule Attribute | Description |
|---|---|
| `umbrella.source.ip_address` | The IP address of a network that is managed by the organization. |
Rule Attributes for Destinations on Access Rules
Destinations are either resources that you pre-configure in Secure Access or resources that you add on a specific access rule. Destination resources can represent internet or private destinations.
Reusable Destination Components
Reusable destination components are resources that you configure and add in Secure Access. Pre-configured destination components are available for you to add on the access rules. An example of a pre-configured destination component is an application list.
You can use rule attributes to add and manage the reusable destination components on the access rules.
| Rule Attribute | Description |
|---|---|
| `umbrella.destination.all` | The list of all destination components. |
| `umbrella.destination.application_ids` | The list of IDs for the internet applications. |
| `umbrella.destination.application_list_ids` | The IDs for the internet application lists. |
| `umbrella.destination.category_ids` | The list of IDs for the content categories. |
| `umbrella.destination.category_list_ids` | The IDs for the content category lists. |
| `umbrella.destination.destination_list_ids` | The IDs for the destination lists. |
| `umbrella.destination.private_application_ids` | The list of IDs for the private applications. |
| `umbrella.destination.private_application_group_ids` | The IDs for the private application groups. |
| `umbrella.destination.geolocations` | The list of geolocation information, which includes the continent and country code. |
| `umbrella.destination.networkObjectIds` | The list of IDs for the Network Objects. |
| `umbrella.destination.networkObjectGroupIds` | The list of IDs for the Network Object Groups. |
| `umbrella.destination.serviceObjectIds` | The list of IDs for the Service Objects. |
| `umbrella.destination.serviceObjectGroupIds` | The list of IDs for the Service Object Groups. |
| `umbrella.destination.logical_operator` | The logical operator used with the destination component in a rule. |
| `umbrella.destination.private_resource_ids` | The list of IDs for private resources. |
Composite Destination Components
A composite destination is a resource that is available only on the access rule, not as a resource in Secure Access. An example of a composite destination is an IP address, port, or protocol information for a destination.
You can use rule attributes to add and manage the composite destinations on the access rules.
| Rule Attribute | Description |
|---|---|
| `umbrella.destination.ip_address` | (Deprecated) The IP address for an application. |
| `umbrella.destination.port` | (Deprecated) The port or range of ports of an application. |
| `umbrella.destination.network_protocol` | (Deprecated) The protocols of an application. |
| `umbrella.destination.composite_inline_ips` | The composite destination created on an access rule for an application. |