Creating An Advance Access Level Using CEL from Context Aware Access
This article discusses the Common Expression Language (CEL) created by Google. It is an open-source, non-Turing-complete language used for validating data and for defining and implementing constraints.
What is Common Expression Language (CEL)?
Common Expression Language (CEL) is a lightweight, fast-to-evaluate language designed to be embedded in an application so that policy logic can be expressed and evaluated inside it.
How to write CEL and its syntaxes?
There are four objects that contain Access Level attributes, listed below together with the general syntax for combining them:
- origin (Basic mode: IP & Location): contains attributes that identify the origin of the request.
- request.auth: contains attributes that identify the authentication and authorization aspects of the request.
- levels (Basic mode: Access level): contains attributes that define a dependency on other access levels.
- device (Basic mode: Device & Device OS): contains attributes that describe the device the request originated from.
- To require two conditions together (AND), use the && operator.
- To match any one condition out of many (OR), use the || operator.
- To negate a condition (NOT), use the ! operator.
Here is an example:
If a policy should apply to requests from the United States of America made from Windows devices, the CEL expression is written as:
(origin.region_code == "US" && device.os_type == OsType.DESKTOP_WINDOWS)
Common Expression Language (CEL) offers much more syntax for writing expressions; the example above is only a glimpse of the language.
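As an added example (not taken from the original article), the expression below extends the one above to use all four objects and all three operators in a single access level. The dependency level name corp_baseline, the IP range 203.0.113.0/24 and the domain example.com are assumed placeholders; replace them with your own values.

```cel
// Request must come from the US or Canada (OR grouped in parentheses)
(origin.region_code == "US" || origin.region_code == "CA")
// AND from an assumed corporate IP range (placeholder CIDR)
&& inIpRange(origin.ip, ["203.0.113.0/24"])
// AND the signed-in account must belong to the assumed example.com domain
&& request.auth.principal.endsWith("@example.com")
// AND the request must already satisfy another access level named corp_baseline (assumed name)
&& levels.corp_baseline
// AND the device must NOT be a mobile OS (negation of a grouped OR)
&& !(device.os_type == OsType.ANDROID || device.os_type == OsType.IOS)
// AND the device must be encrypted and protected by a screen lock
&& device.encryption_status == DeviceEncryptionStatus.ENCRYPTED
&& device.is_secured_with_screenlock
```

The line breaks and // comments are for readability; if the ADVANCED editor rejects them, collapse the expression onto a single line without comments.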
How to use CEL in Google Workspace and implement a policy?
In Google Workspace, CEL can also be embedded while building an ACCESS LEVEL for Context-Aware Access.
Context-Aware Access is a security feature that protects a business using Google Workspace by enforcing granular access policies.
The Context-Aware Access option can be reached by following the path below:
Login to Google Workspace Admin account > Security > Access and Data control > Context Aware Access
Here, click CREATE ACCESS LEVEL and create the access level as required.
Here, give the access level a name.
Here, choose the ADVANCED option and write the CEL as required (as an example we have chosen the expression above), then click CREATE.
The access level is now created. Click ASSIGN TO APPS, select the required apps, then click Assign.
Select the checkbox to block use of the selected apps when the access level is not met, click Continue, then Assign. The access level with its policy is now in place.
In this way an access level is created using CEL, and it enforces the following rule:
If a Windows device is used in the United States of America, then Gmail, Google Chat and Google Drive will be accessible; otherwise, if either of the two conditions is not met, those three apps will be blocked.