policies

The following methods allow for interaction with the ZPA Policy Sets API endpoints.

Methods are accessible via zpa.policies.

class PolicySetsAPI

add_access_rule(name, action, **kwargs)

Add a new Access Policy rule.

See the ZPA Access Policy API reference for further detail on optional keyword parameter structures.

Parameters:
  • name (str) – The name of the new rule.

  • action (str) –

    The action for the policy. Accepted values are:

    allow
    deny

  • **kwargs – Optional keyword args.

Keyword Arguments:
  • conditions (list) –

    A list of conditional rule tuples. Tuples must follow the convention: Object Type, LHS value, RHS value. If you are adding multiple values for the same object type then you will need a new entry for each value. E.g.

    [('app', 'id', '99999'),
    ('app', 'id', '88888'),
    ('app_group', 'id', '77777'),
    ('client_type', 'zpn_client_type_exporter', 'zpn_client_type_zapp'),
    ('trusted_network', 'xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxx', True)]
    

  • custom_msg (str) – A custom message.

  • description (str) – A description for the rule.

Returns:

The resource record of the newly created access policy rule.

Return type:

Box

add_client_forwarding_rule(name, action, **kwargs)

Add a new Client Forwarding Policy rule.

See the ZPA Client Forwarding Policy API reference for further detail on optional keyword parameter structures.

Parameters:
  • name (str) – The name of the new rule.

  • action (str) –

    The action for the policy. Accepted values are:

    intercept
    intercept_accessible
    bypass

  • **kwargs – Optional keyword args.

Keyword Arguments:
  • conditions (list) –

    A list of conditional rule tuples. Tuples must follow the convention: Object Type, LHS value, RHS value. If you are adding multiple values for the same object type then you will need a new entry for each value. E.g.

    [('app', 'id', '926196382959075416'),
    ('app', 'id', '926196382959075417'),
    ('app_group', 'id', '926196382959075332'),
    ('client_type', 'zpn_client_type_exporter', 'zpn_client_type_zapp'),
    ('trusted_network', 'b15e4cad-fa6e-8182-9fc3-8125ee6a65e1', True)]
    

  • custom_msg (str) – A custom message.

  • description (str) – A description for the rule.

Returns:

The resource record of the newly created Client Forwarding Policy rule.

Return type:

Box

add_timeout_rule(name, **kwargs)

Add a new Timeout Policy rule.

See the ZPA Timeout Policy API reference for further detail on optional keyword parameter structures.

Parameters:
  • name (str) – The name of the new rule.

  • **kwargs – Optional parameters.

Keyword Arguments:
  • conditions (list) –

    A list of conditional rule tuples. Tuples must follow the convention: Object Type, LHS value, RHS value. If you are adding multiple values for the same object type then you will need a new entry for each value. E.g.

    [('app', 'id', '926196382959075416'),
    ('app', 'id', '926196382959075417'),
    ('app_group', 'id', '926196382959075332'),
    ('client_type', 'zpn_client_type_exporter', 'zpn_client_type_zapp'),
    ('trusted_network', 'b15e4cad-fa6e-8182-9fc3-8125ee6a65e1', True)]
    

  • custom_msg (str) – A custom message.

  • description (str) – A description for the rule.

  • re_auth_idle_timeout (int) – The re-authentication idle timeout value in seconds.

  • re_auth_timeout (int) – The re-authentication timeout value in seconds.

Returns:

The resource record of the newly created Timeout Policy rule.

Return type:

Box

delete_rule(policy_type, rule_id)

Deletes the specified policy rule.

Parameters:
  • policy_type (str) –

    The type of policy the rule belongs to. Accepted values are:

    access
    timeout
    client_forwarding
    siem

  • rule_id (str) – The unique identifier for the policy rule.

Returns:

The response code for the operation.

Return type:

int

Examples

>>> zpa.policies.delete_rule(policy_type='access',
...    rule_id='88888')

get_policy(policy_type)

Returns the policy and rule sets for the given policy type.

Parameters:

policy_type (str) –

The type of policy to be returned. Accepted values are:

access - returns the Access Policy
timeout - returns the Timeout Policy
client_forwarding - returns the Client Forwarding Policy
siem - returns the SIEM Policy

Returns:

The resource record of the specified policy type.

Return type:

Box

Examples

Request the specified Policy.

>>> pprint(zpa.policies.get_policy('access'))

get_rule(policy_type, rule_id)

Returns the specified policy rule.

Parameters:
  • policy_type (str) –

    The type of policy to be returned. Accepted values are:

    access
    timeout
    client_forwarding
    siem

  • rule_id (str) – The unique identifier for the policy rule.

Returns:

The resource record for the requested rule.

Return type:

Box

Examples

>>> policy_rule = zpa.policies.get_rule(policy_type='access',
...    rule_id='88888')

list_rules(policy_type, **kwargs)

Returns policy rules for a given policy type.

Parameters:

policy_type (str) –

The policy type. Accepted values are:

access - returns Access Policy rules
timeout - returns Timeout Policy rules
client_forwarding - returns Client Forwarding Policy rules

Returns:

A list of all policy rules that match the requested type.

Return type:

list

Examples

>>> for policy in zpa.policies.list_rules('access'):
...    pprint(policy)

reorder_rule(policy_type, rule_id, order)

Change the order of an existing policy rule.

Parameters:
  • rule_id (str) – The unique id of the rule that will be reordered.

  • order (str) – The new order for the rule.

  • policy_type (str) –

    The policy type. Accepted values are:

    access
    timeout
    client_forwarding

Returns:

The updated policy rule resource record.

Return type:

Box

Examples

Updates the order for an existing policy rule:

>>> zpa.policies.reorder_rule(policy_type='access',
...    rule_id='88888',
...    order='2')

update_rule(policy_type, rule_id, **kwargs)

Update an existing policy rule.

Ensure you are using the correct arguments for the policy type that you want to update.

Parameters:
  • policy_type (str) –

    The policy type. Accepted values are:

    access
    timeout
    client_forwarding

  • rule_id (str) – The unique identifier for the rule to be updated.

  • **kwargs – Optional keyword args.

Keyword Arguments:
  • action (str) –

    The action for the policy. Accepted values are:

    allow
    deny
    intercept
    intercept_accessible
    bypass

  • conditions (list) –

    A list of conditional rule tuples. Tuples must follow the convention: Object Type, LHS value, RHS value. If you are adding multiple values for the same object type then you will need a new entry for each value. E.g.

    [('app', 'id', '926196382959075416'),
    ('app', 'id', '926196382959075417'),
    ('app_group', 'id', '926196382959075332'),
    ('client_type', 'zpn_client_type_exporter', 'zpn_client_type_zapp'),
    ('trusted_network', 'b15e4cad-fa6e-8182-9fc3-8125ee6a65e1', True)]
    

  • custom_msg (str) – A custom message.

  • description (str) – A description for the rule.

  • re_auth_idle_timeout (int) – The re-authentication idle timeout value in seconds.

  • re_auth_timeout (int) – The re-authentication timeout value in seconds.

Returns:

The updated policy-rule resource record.

Return type:

Box

Examples

Updates the name only for an Access Policy rule:

>>> zpa.policies.update_rule('access', '99999', name='new_rule_name')

Updates the action only for a Client Forwarding Policy rule:

>>> zpa.policies.update_rule('client_forwarding', '888888', action='BYPASS')
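
A pre-flight check for the arguments that add_access_rule, add_client_forwarding_rule and add_timeout_rule describe above, so that a wrong action or a malformed conditions list is caught before a policy change is sent. This is an added example, not pyZscaler code: check_rule_args and add_access_rule_checked are hypothetical helpers, and requiring timeout values to be non-negative is an assumption.

```python
# Added example: check_rule_args and add_access_rule_checked are hypothetical
# helpers built from the parameter descriptions on this page, not pyZscaler API.

# Accepted action values per policy type, as listed on this page.
ACTIONS = {
    "access": {"allow", "deny"},
    "client_forwarding": {"intercept", "intercept_accessible", "bypass"},
    "timeout": set(),  # add_timeout_rule has no action parameter
}
TIMEOUT_KEYS = ("re_auth_idle_timeout", "re_auth_timeout")


def check_rule_args(policy_type, action=None, conditions=(), **kwargs):
    """Return a list of problems; an empty list means the arguments are well-formed."""
    if policy_type not in ACTIONS:
        return [f"no add method documented for policy_type {policy_type!r}"]
    problems = []
    allowed = ACTIONS[policy_type]
    if allowed and action not in allowed:
        problems.append(f"action {action!r} not in {sorted(allowed)}")
    if not allowed and action is not None:
        problems.append("timeout rules take no action argument")
    for i, cond in enumerate(conditions):
        # Convention from the page: (Object Type, LHS value, RHS value).
        if not isinstance(cond, tuple) or len(cond) != 3:
            problems.append(f"conditions[{i}] is not a 3-tuple: {cond!r}")
        elif not isinstance(cond[0], str) or not isinstance(cond[1], str):
            problems.append(f"conditions[{i}]: object type and LHS must be str")
        elif isinstance(cond[2], (list, tuple, set)):
            # The page asks for a new entry for each value of an object type.
            problems.append(f"conditions[{i}]: use one tuple per value")
    for key in TIMEOUT_KEYS:
        if key not in kwargs:
            continue
        value = kwargs[key]
        if policy_type != "timeout":
            problems.append(f"{key} is only documented for timeout rules")
        elif isinstance(value, bool) or not isinstance(value, int) or value < 0:
            problems.append(f"{key} must be an int number of seconds")  # >= 0 assumed
    return problems


def add_access_rule_checked(zpa, name, action, **kwargs):
    """Call zpa.policies.add_access_rule only when the arguments pass the checks."""
    problems = check_rule_args("access", action, **kwargs)
    if problems:
        raise ValueError("; ".join(problems))
    return zpa.policies.add_access_rule(name, action, **kwargs)
```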