From zscaler
Creates ZPA access policy rules with v2 conditions. Walks through requirements gathering, identity attribute lookups, condition payload construction, and rule creation.
Slash command: `/zscaler:create-access-policy-rule`
Trigger keywords: access policy, access rule, allow rule, deny rule, zpa policy, scim group policy, saml policy, platform restriction, country restriction, posture check, require approval, zero trust policy, conditional access
Create ZPA access policy rules that control who can access private applications. Access policies use the v2 condition format and support a rich set of condition types: identity-based (SAML/SCIM), device-based (platform, posture, Chrome Enterprise), network-based (trusted networks, country codes), and risk-based (ZIA risk factors).
**Use this skill when:** an administrator asks to create an access policy rule, or to grant or deny application access based on user identity, device posture, location, or any combination of conditions.
Each condition block must contain a single object type. Multiple condition blocks are ANDed together. Within a condition block, multiple operands or entry_values are ORed.
**Value-based object types (use `values`):**
| Object Type | Description | Values |
|---|---|---|
| APP | Application segments | Application segment IDs |
| APP_GROUP | Segment groups | Segment group IDs |
| CLIENT_TYPE | Client connector type | zpn_client_type_zapp, zpn_client_type_exporter, zpn_client_type_machine_tunnel, zpn_client_type_browser_isolation, zpn_client_type_ip_anchoring, zpn_client_type_edge_connector, zpn_client_type_branch_connector, zpn_client_type_zapp_partner |
| MACHINE_GRP | Machine groups | Machine group IDs |
| LOCATION | Locations | Location IDs |
| EDGE_CONNECTOR_GROUP | Edge connector groups | Edge connector group IDs |
| BRANCH_CONNECTOR_GROUP | Branch connector groups | Branch connector group IDs |

**Entry-based object types (use `entry_values` with `lhs`/`rhs`):**
| Object Type | LHS | RHS |
|---|---|---|
| SAML | SAML attribute ID | Attribute value to match (email, group name, etc.) |
| SCIM | SCIM attribute header ID | Attribute value to match |
| SCIM_GROUP | Identity Provider ID | SCIM group ID |
| PLATFORM | linux, android, ios, mac, windows | "true" or "false" |
| COUNTRY_CODE | ISO 3166 Alpha-2 code (US, CA, GB) | "true" or "false" |
| POSTURE | Posture profile posture_udid | "true" or "false" |
| TRUSTED_NETWORK | Trusted network network_id | "true" or "false" |
| RISK_FACTOR_TYPE | ZIA | UNKNOWN, LOW, MEDIUM, HIGH, CRITICAL |
| CHROME_ENTERPRISE | managed | "true" or "false" |

**Actions:**
| Action | Description |
|---|---|
| ALLOW | Permit access |
| DENY | Block access |
| REQUIRE_APPROVAL | Require explicit approval before access |
Reference: ZPA Baseline Recommendations v1.0 §Access Policy Construction (A–H). Before building conditions, identify which rule class this fits — that determines where the rule belongs in the policy order and which conditions are mandatory.
| Order | Class | Action | Mandatory criteria | Notes |
|---|---|---|---|---|
| 1 | A. Deception (if licensed) | ALLOW | Predefined criteria | Tenant feature — auto-provisioned. Do not modify the default rule. |
| 2 | B. Machine Tunnel allow | ALLOW | CLIENT_TYPE = zpn_client_type_machine_tunnel + APP (specific) + minimum POSTURE | For AD DCs, SCCM, patch services. |
| 3 | B'. Machine Tunnel block-rest | DENY | CLIENT_TYPE = zpn_client_type_machine_tunnel | Stops machine traffic from inheriting user rules. |
| 4 | C. Contractor allow | ALLOW | SCIM_GROUP (Contractors) + APP + CLIENT_TYPE + POSTURE | Tightly scoped to approved apps only. |
| 5 | C'. Contractor block-rest | DENY | SCIM_GROUP (Contractors) | Prevents contractor inheritance of employee rules. |
| 6 | D. Posture remediation allow | ALLOW | APP (remediation segment) + CLIENT_TYPE | Lets non-compliant devices reach the remediation app only. |
| 7 + N | D'. Posture block per-OS | DENY | POSTURE (failed) + PLATFORM (Windows / macOS / iOS / Android / Linux) | One rule per OS — see "Per-OS posture gotcha" below. |
| Mid | E. Critical app allow | ALLOW | SCIM_GROUP + APP (crown-jewel) + CLIENT_TYPE (ZCC only) + POSTURE | Apply optional extra posture checks (cert, registry). |
| Mid | E'. Critical app block-rest | DENY | APP (crown-jewel) only | Defense-in-depth even though E only allows approved users. |
| After E | F. Standard internal apps | ALLOW | SCIM_GROUP (employees) + APP + CLIENT_TYPE | Baseline access for non-sensitive apps. |
| Near bottom | G. Discovery wildcard catch-all | ALLOW | APP (wildcard discovery segment) + SCIM_GROUP | Discovery only — never above critical apps. |
| Bottom | H. Block-All explicit | DENY | None — match all | Improves logging and audit clarity beyond ZPA's implicit deny. |
**Per-OS posture gotcha:** Defining a posture-block rule for only Windows leaves macOS, iOS, Android, and Linux implicitly allowed even when their device posture has failed. The doc is explicit about this on page 30: create one block rule per OS in use, each with its own POSTURE and PLATFORM criteria. This is the #1 posture-enforcement mistake.
audit-baseline-compliance skill.
### Step 1: Gather Requirements
Ask the administrator:
**Required:**
- Action: `ALLOW`, `DENY`, or `REQUIRE_APPROVAL`
**Optional:**
### Step 2: Look Up IDs
If the rule uses identity-based conditions (SAML, SCIM, SCIM_GROUP), look up the required IDs first.
**For SCIM groups:**
```text
get_zpa_scim_group(search="<group_name>")
```
Note both the SCIM group ID (used as `rhs`) and the Identity Provider ID (used as `lhs`).
**For SAML attributes:**
```text
get_zpa_saml_attribute(search="<attribute_name>")
```
Note the SAML attribute ID (used as `lhs`). The `rhs` is the value to match (e.g., an email address or group name string).
**For SCIM attributes:**
```text
get_zpa_scim_attribute(search="<attribute_name>")
```
**For segment groups (APP_GROUP):**
```text
zpa_list_segment_groups()
```
**For posture profiles:**
```text
get_zpa_posture_profile(search="<profile_name>")
```
Note the `posture_udid` value (used as `lhs`).
**For trusted networks:**
```text
get_zpa_trusted_network(search="<network_name>")
```
Note the `network_id` value (used as `lhs`).
---
### Step 3: Build the Conditions Payload
Conditions use a list of dictionaries. Each dictionary represents one condition block with an `operator` and `operands`. **Separate condition blocks for each object type.**
**Format:**
```json
[
{
"operator": "OR",
"operands": [
{
"object_type": "<OBJECT_TYPE>",
"values": ["<id1>", "<id2>"]
}
]
},
{
"operator": "OR",
"operands": [
{
"object_type": "<OBJECT_TYPE>",
"entry_values": [
{"lhs": "<lhs_value>", "rhs": "<rhs_value>"}
]
}
]
}
]
```
**Rules:**
- Each condition block contains **one object type only**
- Multiple condition blocks are **ANDed** together (all must match)
- Within a block, multiple `entry_values` or multiple `values` are **ORed** (any can match)
- Value-based types (`APP`, `APP_GROUP`, `CLIENT_TYPE`, etc.) use `values`
- Entry-based types (`SAML`, `SCIM_GROUP`, `PLATFORM`, etc.) use `entry_values`
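As an added example (my own code, not the skill's or Zscaler's), the Step 3 format rules and the per-OS posture gotcha above carried out in Python: `build_conditions` turns a list of blocks into the v2 payload, enforcing one object type per block (except the SAML/SCIM identity types, which may share a block) and choosing `values` or `entry_values` by type, and `posture_block_rules` emits the class D' block rules, one per OS. It assumes a failed posture check is expressed as `rhs` "false" per the POSTURE row of the table; the rule names are made up.

```python
# Added example, not part of the zscaler skill: builds/validates v2 condition
# payloads for zpa_create_access_policy_rule and emits per-OS posture block rules.
from typing import Dict, List, Sequence, Tuple, Union

# Object types that take a flat "values" list vs. lhs/rhs "entry_values".
VALUE_TYPES = {"APP", "APP_GROUP", "CLIENT_TYPE", "MACHINE_GRP", "LOCATION",
               "EDGE_CONNECTOR_GROUP", "BRANCH_CONNECTOR_GROUP"}
ENTRY_TYPES = {"SAML", "SCIM", "SCIM_GROUP", "PLATFORM", "COUNTRY_CODE", "POSTURE",
               "TRUSTED_NETWORK", "RISK_FACTOR_TYPE", "CHROME_ENTERPRISE"}
IDENTITY_TYPES = {"SAML", "SCIM", "SCIM_GROUP"}  # the only types that may share a block
PLATFORMS = ("windows", "mac", "ios", "android", "linux")
# One operand: (object_type, list of IDs) or (object_type, list of (lhs, rhs) pairs).
Operand = Tuple[str, Sequence[Union[str, Tuple[str, str]]]]


def build_conditions(blocks: Sequence[Sequence[Operand]]) -> List[Dict]:
    """Blocks are ANDed; operands and their items inside one block are ORed."""
    payload = []
    for block in blocks:
        types = {object_type for object_type, _ in block}
        if len(types) > 1 and not types <= IDENTITY_TYPES:
            raise ValueError(f"mixed object types in one block: {sorted(types)}")
        operands = []
        for object_type, items in block:
            if not items:
                raise ValueError(f"{object_type}: operand has no values")
            if object_type in VALUE_TYPES:
                operands.append({"object_type": object_type, "values": list(items)})
            elif object_type in ENTRY_TYPES:
                operands.append({"object_type": object_type,
                                 "entry_values": [{"lhs": l, "rhs": r} for l, r in items]})
            else:
                raise ValueError(f"unknown object_type {object_type!r}")
        payload.append({"operator": "OR", "operands": operands})
    return payload


def posture_block_rules(posture_udid: str, platforms: Sequence[str] = PLATFORMS) -> List[Dict]:
    """Class D': one DENY rule per OS, since a Windows-only rule leaves other OSes allowed."""
    rules = []
    for os_name in platforms:
        if os_name not in PLATFORMS:
            raise ValueError(f"unknown platform {os_name!r}")
        rules.append({"name": f"Block failed posture - {os_name}", "action_type": "DENY",
                      "conditions": build_conditions([
                          [("POSTURE", [(posture_udid, "false")])],  # assumed: "false" = check failed
                          [("PLATFORM", [(os_name, "true")])]])})
    return rules
```

Each dict in `posture_block_rules(...)` maps directly onto the keyword arguments of `zpa_create_access_policy_rule` in Step 4.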
---
### Step 4: Create the Rule
```text
zpa_create_access_policy_rule(
name="<rule_name>",
action_type="ALLOW",
description="<description>",
conditions=<conditions_payload>,
app_connector_group_ids=["<optional_connector_group_ids>"],
app_server_group_ids=["<optional_server_group_ids>"]
)
```
---
### Step 5: Verify
```text
zpa_get_access_policy_rule(rule_id="<returned_rule_id>")
```
---
## Ready-to-Use Examples
### Example 1: Allow SCIM Groups to Access a Segment Group
Allow members of "Engineering" or "DevOps" SCIM groups to access an application segment group.
**Step 1: Look up IDs**
```text
get_zpa_scim_group(search="Engineering")
get_zpa_scim_group(search="DevOps")
zpa_list_segment_groups()
```
**Step 2: Create rule**
```text
zpa_create_access_policy_rule(
name="Allow Engineering and DevOps",
action_type="ALLOW",
description="Grants Engineering and DevOps teams access to internal apps",
conditions=[
{
"operator": "OR",
"operands": [
{
"object_type": "APP_GROUP",
"values": ["<segment_group_id>"]
}
]
},
{
"operator": "OR",
"operands": [
{
"object_type": "SCIM_GROUP",
"entry_values": [
{"lhs": "<idp_id>", "rhs": "<engineering_scim_group_id>"},
{"lhs": "<idp_id>", "rhs": "<devops_scim_group_id>"}
]
}
]
}
]
)
```
**Logic:** User must be accessing an app in the segment group AND be a member of Engineering OR DevOps.
---
### Example 2: Allow SAML Users with Platform Restriction
Allow specific SAML-identified users, but only from macOS and Windows devices.
**Step 1: Look up SAML attribute**
```text
get_zpa_saml_attribute(search="Email_Users")
```
**Step 2: Create rule**
```text
zpa_create_access_policy_rule(
name="Allow Specific Users on Mac/Windows",
action_type="ALLOW",
conditions=[
{
"operator": "OR",
"operands": [
{
"object_type": "SAML",
"entry_values": [
{"lhs": "<saml_email_attribute_id>", "rhs": "[email protected]"},
{"lhs": "<saml_email_attribute_id>", "rhs": "[email protected]"}
]
}
]
},
{
"operator": "OR",
"operands": [
{
"object_type": "PLATFORM",
"entry_values": [
{"lhs": "mac", "rhs": "true"},
{"lhs": "windows", "rhs": "true"}
]
}
]
}
]
)
```
**Logic:** User must match a SAML email AND be on macOS OR Windows.
---
### Example 3: Country-Based Access Restriction
Allow access only from the United States and Canada.
```text
zpa_create_access_policy_rule(
name="US and Canada Only",
action_type="ALLOW",
description="Restrict access to US and Canadian locations",
conditions=[
{
"operator": "OR",
"operands": [
{
"object_type": "APP_GROUP",
"values": ["<segment_group_id>"]
}
]
},
{
"operator": "OR",
"operands": [
{
"object_type": "COUNTRY_CODE",
"entry_values": [
{"lhs": "US", "rhs": "true"},
{"lhs": "CA", "rhs": "true"}
]
}
]
}
]
)
```
---
### Example 4: Posture-Based Access with Risk Factor
Allow access only from devices that pass a posture check and have a ZIA risk score of LOW or below.
**Step 1: Look up posture profile**
```text
get_zpa_posture_profile(search="CrowdStrike_ZTA")
```
**Step 2: Create rule**
```text
zpa_create_access_policy_rule(
name="Posture and Risk Check",
action_type="ALLOW",
conditions=[
{
"operator": "OR",
"operands": [
{
"object_type": "POSTURE",
"entry_values": [
{"lhs": "<posture_udid>", "rhs": "true"}
]
}
]
},
{
"operator": "OR",
"operands": [
{
"object_type": "RISK_FACTOR_TYPE",
"entry_values": [
{"lhs": "ZIA", "rhs": "UNKNOWN"},
{"lhs": "ZIA", "rhs": "LOW"}
]
}
]
}
]
)
```
**Logic:** Device must pass posture check AND have a ZIA risk score of UNKNOWN or LOW.
---
### Example 5: Combined SCIM + SAML + Platform + Country
A comprehensive rule combining identity, device, and location conditions.
```text
zpa_create_access_policy_rule(
name="Comprehensive Access Rule",
action_type="ALLOW",
description="Engineering team, Mac/Linux only, from US/CA",
conditions=[
{
"operator": "OR",
"operands": [
{
"object_type": "APP_GROUP",
"values": ["<segment_group_id>"]
}
]
},
{
"operator": "OR",
"operands": [
{
"object_type": "SCIM_GROUP",
"entry_values": [
{"lhs": "<idp_id>", "rhs": "<engineering_group_id>"}
]
},
{
"object_type": "SAML",
"entry_values": [
{"lhs": "<saml_email_attr_id>", "rhs": "[email protected]"}
]
}
]
},
{
"operator": "OR",
"operands": [
{
"object_type": "PLATFORM",
"entry_values": [
{"lhs": "mac", "rhs": "true"},
{"lhs": "linux", "rhs": "true"}
]
}
]
},
{
"operator": "OR",
"operands": [
{
"object_type": "COUNTRY_CODE",
"entry_values": [
{"lhs": "US", "rhs": "true"},
{"lhs": "CA", "rhs": "true"}
]
}
]
}
]
)
```
**Logic:** Must access apps in the segment group AND (be in Engineering SCIM group OR be <[email protected]>) AND (be on macOS OR Linux) AND (be in US OR Canada).
---
### Example 6: Deny Rule
Block access from specific platforms.
```text
zpa_create_access_policy_rule(
name="Deny Android and iOS",
action_type="DENY",
description="Block mobile device access to sensitive applications",
conditions=[
{
"operator": "OR",
"operands": [
{
"object_type": "APP_GROUP",
"values": ["<sensitive_apps_segment_group_id>"]
}
]
},
{
"operator": "OR",
"operands": [
{
"object_type": "PLATFORM",
"entry_values": [
{"lhs": "android", "rhs": "true"},
{"lhs": "ios", "rhs": "true"}
]
}
]
}
]
)
```
---
## Edge Cases
### No Conditions (Global Rule)
A rule with no conditions applies to all users and all applications:
```text
zpa_create_access_policy_rule(
name="Default Allow All",
action_type="ALLOW",
conditions=[]
)
```
### Mixing SAML and SCIM in the Same Condition Block
SAML and SCIM_GROUP operands can share a condition block since they are identity types. They are ORed within the block:
```json
{
"operator": "OR",
"operands": [
{
"object_type": "SAML",
"entry_values": [{"lhs": "<saml_attr_id>", "rhs": "[email protected]"}]
},
{
"object_type": "SCIM_GROUP",
"entry_values": [{"lhs": "<idp_id>", "rhs": "<scim_group_id>"}]
}
]
}
```
### Trusted Network Condition
```json
{
"operator": "OR",
"operands": [
{
"object_type": "TRUSTED_NETWORK",
"entry_values": [{"lhs": "<network_id>", "rhs": "true"}]
}
]
}
```
---
## Quick Reference
**Tools used:**
- `get_zpa_scim_group(search)` -- look up SCIM group IDs
- `get_zpa_saml_attribute(search)` -- look up SAML attribute IDs
- `get_zpa_scim_attribute(search)` -- look up SCIM attribute IDs
- `get_zpa_posture_profile(search)` -- look up posture profile UDIDs
- `get_zpa_trusted_network(search)` -- look up trusted network IDs
- `zpa_list_segment_groups()` -- look up segment group IDs
- `zpa_create_access_policy_rule(name, action_type, conditions, ...)` -- create the rule
- `zpa_get_access_policy_rule(rule_id)` -- verify the rule
**Condition logic:**
- Multiple condition blocks = AND (all must match)
- Multiple entry_values within a block = OR (any can match)
- Separate condition blocks per object type
**Actions:** `ALLOW`, `DENY`, `REQUIRE_APPROVAL`
Install the plugin: `npx claudepluginhub zscaler/zscaler-mcp-server --plugin zscaler`