zscaler.zpacloud.zpa_policy_capabilities_access_rule_v2 module – Manage ZPA Access Capabilities Policy Rules (v2)

Note

This module is part of the zscaler.zpacloud collection (version 2.0.0).

It is not included in ansible-core. To check whether it is installed, run ansible-galaxy collection list.

To install it, use: ansible-galaxy collection install zscaler.zpacloud. You need further requirements to be able to use this module; see Requirements for details.

To use it in a playbook, specify: zscaler.zpacloud.zpa_policy_capabilities_access_rule_v2.

New in zscaler.zpacloud 2.0.0

Synopsis

  • Create, update, or delete a ZPA Access Capabilities Policy Rule using the v2 policy engine.

  • These rules control fine-grained session capabilities such as clipboard use, file transfers, and session monitoring.

Requirements

The below requirements are needed on the host that executes this module.

Parameters

Each parameter is listed with its type in parentheses, followed by its comments; sub-options are indented under the parameter they belong to.

client_id (string)
    The client ID for OAuth2 authentication.
    Required for OneAPI client authentication when use_legacy_client=false.

client_secret (string)
    The client secret for OAuth2 authentication.
    Used for OneAPI client authentication when use_legacy_client=false and not using private_key.

cloud (string)
    The ZPA cloud provisioned for your organization.
    Used for OneAPI client authentication when use_legacy_client=false.
    Choices:
      • "BETA"
      • "GOV"
      • "GOVUS"
      • "PRODUCTION"
      • "QA"
      • "QA2"
      • "PREVIEW"
      • "beta"
      • "production"

conditions (list / elements=dictionary)
    Defines the match conditions under which the rule is applied.

    operands (list / elements=dictionary)
        List of operand objects used to evaluate the condition.

        entry_values (dictionary)
            A dictionary of left-hand side (lhs) and right-hand side (rhs) values used for advanced condition matching.

            lhs (string)
                Left-hand-side value used in operand evaluation.

            rhs (string)
                Right-hand-side value used in operand evaluation.

        object_type (string)
            The type of object to match in the condition.
            Choices:
              • "APP"
              • "APP_GROUP"
              • "SAML"
              • "SCIM"
              • "SCIM_GROUP"

        values (list / elements=string)
            A list of values to match for the object type.

    operator (string)
        Logical operator used to combine multiple operands.
        Choices:
          • "AND"
          • "OR"

customer_id (string)
    The ZPA tenant ID found in the Administration Company menu in the ZPA console.
    Used for OneAPI client authentication when use_legacy_client=false.

description (string)
    A description of the capabilities policy rule.

id (string)
    The unique identifier of the capabilities policy rule.

microtenant_id (string)
    The identifier of the microtenant associated with the rule.

name (string / required)
    The name of the capabilities policy rule.

private_key (string)
    The private key for JWT-based OAuth2 authentication.
    Used for OneAPI client authentication when use_legacy_client=false and not using client_secret.

privileged_capabilities (dictionary)
    Specifies the session capabilities enforced by the rule.

    clipboard_copy (boolean)
        Allow or deny copying from the clipboard during the session.
        Choices:
          • false
          • true

    clipboard_paste (boolean)
        Allow or deny pasting to the clipboard during the session.
        Choices:
          • false
          • true

    file_download (boolean)
        Allow or deny file downloads during the session.
        Choices:
          • false
          • true

    file_upload (boolean)
        Allow or deny file uploads during the session.
        Choices:
          • false
          • true

    inspect_file_download (boolean)
        Enable inspection of downloaded files.
        Choices:
          • false
          • true

    inspect_file_upload (boolean)
        Enable inspection of uploaded files.
        Choices:
          • false
          • true

    monitor_session (boolean)
        Enable monitoring of the session.
        Choices:
          • false
          • true

    record_session (boolean)
        Enable recording of the session.
        Choices:
          • false
          • true

    share_session (boolean)
        Enable session sharing with other users.
        Choices:
          • false
          • true

provider (dictionary)
    A dictionary containing authentication credentials.

    client_id (string)
        The client ID for OAuth2 authentication.
        Required for OneAPI client authentication when use_legacy_client=false.

    client_secret (string)
        The client secret for OAuth2 authentication.
        Used for OneAPI client authentication when use_legacy_client=false and not using private_key.

    cloud (string)
        The ZPA cloud provisioned for your organization.
        Used for OneAPI client authentication when use_legacy_client=false.
        Choices:
          • "BETA"
          • "GOV"
          • "GOVUS"
          • "PRODUCTION"
          • "QA"
          • "QA2"
          • "PREVIEW"
          • "beta"
          • "production"

    customer_id (string)
        The ZPA tenant ID found in the Administration Company menu in the ZPA console.
        Used for OneAPI client authentication when use_legacy_client=false.

    microtenant_id (string)
        The ZPA Microtenant ID found in the Administration Company menu in the ZPA console.
        Used for OneAPI client authentication when use_legacy_client=false.

    private_key (string)
        The private key for JWT-based OAuth2 authentication.
        Used for OneAPI client authentication when use_legacy_client=false and not using client_secret.

    use_legacy_client (boolean)
        Whether to use the legacy Zscaler API client.
        When true, uses zpa_client_id/zpa_client_secret/zpa_customer_id/zpa_cloud for authentication.
        When false (default), uses client_id/client_secret/private_key with vanity_domain for OAuth2 authentication.
        Choices:
          • false ← (default)
          • true

    vanity_domain (string)
        The vanity domain provisioned by Zscaler for OAuth2 flows.
        Required for OneAPI client authentication when use_legacy_client=false.

    zpa_client_id (string)
        The ZPA API client ID generated from the ZPA console.
        Required for legacy client authentication when use_legacy_client=true.

    zpa_client_secret (string)
        The ZPA API client secret generated from the ZPA console.
        Required for legacy client authentication when use_legacy_client=true.

    zpa_cloud (string)
        The ZPA cloud provisioned for your organization.
        Required for legacy client authentication when use_legacy_client=true.
        Choices:
          • "BETA"
          • "GOV"
          • "GOVUS"
          • "PRODUCTION"
          • "QA"
          • "QA2"
          • "PREVIEW"
          • "beta"
          • "production"

    zpa_customer_id (string)
        The ZPA tenant ID found in the Administration Company menu in the ZPA console.
        Required for legacy client authentication when use_legacy_client=true.

    zpa_microtenant_id (string)
        The ZPA Microtenant ID found in the Administration Company menu in the ZPA console.
        Used for legacy client authentication when use_legacy_client=true.

rule_order (string)
    The evaluation order of the rule within the policy set.

state (string)
    Specifies the desired state of the resource.
    Choices:
      • "present" ← (default)
      • "absent"

use_legacy_client (boolean)
    Whether to use the legacy Zscaler API client.
    When true, uses zpa_client_id/zpa_client_secret/zpa_customer_id/zpa_cloud for authentication.
    When false (default), uses client_id/client_secret/private_key with vanity_domain for OAuth2 authentication.
    Choices:
      • false ← (default)
      • true

vanity_domain (string)
    The vanity domain provisioned by Zscaler for OAuth2 flows.
    Required for OneAPI client authentication when use_legacy_client=false.

zpa_client_id (string)
    The ZPA API client ID generated from the ZPA console.
    Required for legacy client authentication when use_legacy_client=true.

zpa_client_secret (string)
    The ZPA API client secret generated from the ZPA console.
    Required for legacy client authentication when use_legacy_client=true.

zpa_cloud (string)
    The ZPA cloud provisioned for your organization.
    Required for legacy client authentication when use_legacy_client=true.
    Choices:
      • "BETA"
      • "GOV"
      • "GOVUS"
      • "PRODUCTION"
      • "QA"
      • "QA2"
      • "PREVIEW"
      • "beta"
      • "production"

zpa_customer_id (string)
    The ZPA tenant ID found in the Administration Company menu in the ZPA console.
    Required for legacy client authentication when use_legacy_client=true.

zpa_microtenant_id (string)
    The ZPA Microtenant ID found in the Administration Company menu in the ZPA console.
    Used for legacy client authentication when use_legacy_client=true.

Notes

  • Check mode is supported.

Examples

- name: Create an Access Policy Capability Rule V2
  zscaler.zpacloud.zpa_policy_capabilities_access_rule_v2:
    name: "Ansible_Policy_Capability_Rule_v2"
    description: "Ansible_Policy_Capability_Rule_v2"
    rule_order: "1"
    conditions:
      - operator: "OR"
        operands:
          - object_type: "SCIM"
            entry_values:
              lhs: "72058304855015576"
              rhs: "Smith"
      - operator: "OR"
        operands:
          - object_type: "SCIM_GROUP"
            entry_values:
              lhs: "72058304855015574"
              rhs: "121756"
          - object_type: "SCIM_GROUP"
            entry_values:
              lhs: "72058304855015574"
              rhs: "121677"
      - operator: "OR"
        operands:
          - object_type: "SAML"
            entry_values:
              lhs: "72058304855021553"
              rhs: "jdoe@acme.com"
      - operator: "OR"
        operands:
          - object_type: "SAML"
            entry_values:
              lhs: "72058304855021553"
              rhs: "janedoe@acme.com"
    privileged_capabilities:
      clipboard_copy: true
      clipboard_paste: true
      file_download: true
      file_upload: true
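The example above grants every capability. The following playbook is an added example, not part of the collection's documentation, showing the opposite default a defender usually wants: a rule scoped to one identity group that denies clipboard and file transfer, turns on inspection, monitoring and recording, and is previewed in check mode (which the module supports) before being applied. It assumes credentials are read from environment variables named ZPA_CLIENT_ID, ZPA_CLIENT_SECRET, ZPA_CUSTOMER_ID and ZPA_VANITY_DOMAIN (names chosen for this example), and the lhs/rhs identifiers and the app-group value are placeholders; the condition layout mirrors the page's own example (one operand type per condition block, each with operator "OR"), and the use of `values` for an APP_GROUP operand is an assumption.

```yaml
# Added example playbook (not the zscaler.zpacloud collection's own code).
# All identifiers marked PLACEHOLDER_* are constructed for illustration.
- name: Restrict session capabilities for a contractor group (added example)
  hosts: localhost
  connection: local
  gather_facts: false

  vars:
    # Credentials are pulled from the environment so they never sit in the
    # playbook file; these variable names are an assumption of this example.
    zpa_provider:
      client_id: "{{ lookup('env', 'ZPA_CLIENT_ID') }}"
      client_secret: "{{ lookup('env', 'ZPA_CLIENT_SECRET') }}"
      customer_id: "{{ lookup('env', 'ZPA_CUSTOMER_ID') }}"
      vanity_domain: "{{ lookup('env', 'ZPA_VANITY_DOMAIN') }}"
      cloud: "PRODUCTION"

  tasks:
    # Runs in check mode unless invoked with -e preview=false, so the
    # first run only reports what would change in the tenant.
    - name: Ensure the restricted capabilities rule exists
      zscaler.zpacloud.zpa_policy_capabilities_access_rule_v2:
        provider: "{{ zpa_provider }}"
        name: "Contractor_Restricted_Session_v2"
        description: "Deny clipboard and file transfer; inspect, monitor and record"
        rule_order: "1"
        conditions:
          # Condition blocks follow the page's example: one object type per
          # block. lhs carries the identity-provider identifier and rhs the
          # matched value, both placeholders here.
          - operator: "OR"
            operands:
              - object_type: "SCIM_GROUP"
                entry_values:
                  lhs: "PLACEHOLDER_IDP_ID"
                  rhs: "PLACEHOLDER_CONTRACTOR_GROUP_ID"
          - operator: "OR"
            operands:
              - object_type: "APP_GROUP"
                values:
                  - "PLACEHOLDER_APP_GROUP_ID"   # assumption: values list for APP_GROUP
        privileged_capabilities:
          # Deny-by-default data movement out of and into the session...
          clipboard_copy: false
          clipboard_paste: false
          file_download: false
          file_upload: false
          share_session: false
          # ...and keep an audit trail of what happens inside it.
          inspect_file_download: true
          inspect_file_upload: true
          monitor_session: true
          record_session: true
        state: present
      check_mode: "{{ preview | default(true) | bool }}"
      diff: true
      register: capability_rule

    - name: Report the planned or applied change
      ansible.builtin.debug:
        var: capability_rule.changed

    # Cleanup path: remove the rule by name when -e remove_rule=true is passed.
    - name: Remove the restricted capabilities rule
      zscaler.zpacloud.zpa_policy_capabilities_access_rule_v2:
        provider: "{{ zpa_provider }}"
        name: "Contractor_Restricted_Session_v2"
        state: absent
      when: remove_rule | default(false) | bool
```

Run it once as `ansible-playbook restricted_rule.yml` to see the planned change in check mode, then `ansible-playbook restricted_rule.yml -e preview=false` to apply it; `-e remove_rule=true` deletes the rule again. Keeping the deny values explicit rather than omitted makes the intended least-privilege posture visible in review and in the diff output.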

Authors

  • William Guilherme (@willguibr)