Zscaler Private Access v1.0.3 published on Wednesday, Jan 21, 2026 by Zscaler
Zscaler Private Access v1.0.3 published on Wednesday, Jan 21, 2026 by Zscaler
The zpa_policy_portal_access_rule resource creates a Privileged Portal Policy Capabilities Rule in the Zscaler Private Access cloud.
⚠️ WARNING:: The attribute <span pulumi-lang-nodejs="ruleOrder" pulumi-lang-dotnet="RuleOrder" pulumi-lang-go="ruleOrder" pulumi-lang-python="rule_order" pulumi-lang-yaml="ruleOrder" pulumi-lang-java="ruleOrder">rule_order</span> is now deprecated in favor of the new resource <span pulumi-lang-nodejs="policyAccessRuleReorder" pulumi-lang-dotnet="PolicyAccessRuleReorder" pulumi-lang-go="policyAccessRuleReorder" pulumi-lang-python="policy_access_rule_reorder" pulumi-lang-yaml="policyAccessRuleReorder" pulumi-lang-java="policyAccessRuleReorder">policy_access_rule_reorder</span>
Example Usage
import * as pulumi from "@pulumi/pulumi";
import * as zpa from "@bdzscaler/pulumi-zpa";
const emailUserSso = zpa.getSAMLAttribute({
name: "Email_BD_Okta_Users",
idpName: "BD_Okta_Users",
});
const _this = zpa.getIdPController({
name: "BD_Okta_Users",
});
const a000 = zpa.getSCIMGroups({
idpName: "BD_Okta_Users",
name: "A000",
});
const b000 = zpa.getSCIMGroups({
idpName: "BD_Okta_Users",
name: "B000",
});
const example = new zpa.PolicyPortalAccessRule("example", {
name: "Portal Access Rule",
description: "Allow portal access with specific capabilities",
action: "CHECK_PRIVILEGED_PORTAL_CAPABILITIES",
privilegedPortalCapabilities: {
deleteFile: true,
accessUninspectedFile: true,
requestApprovals: true,
reviewApprovals: true,
},
conditions: [
{
operator: "OR",
operands: [{
objectType: "PRIVILEGE_PORTAL",
values: ["216196257331387235"],
}],
},
{
operator: "OR",
operands: [{
objectType: "COUNTRY_CODE",
entryValues: [
{
lhs: "BR",
rhs: "true",
},
{
lhs: "CA",
rhs: "true",
},
],
}],
},
{
operator: "OR",
operands: [
{
objectType: "SAML",
entryValues: [{
rhs: "user1@acme.com",
lhs: emailUserSso.then(emailUserSso => emailUserSso.id),
}],
},
{
objectType: "SCIM_GROUP",
entryValues: [
{
rhs: a000.then(a000 => a000.id),
lhs: _this.then(_this => _this.id),
},
{
rhs: b000.then(b000 => b000.id),
lhs: _this.then(_this => _this.id),
},
],
},
],
},
],
});
import pulumi
import pulumi_zpa as zpa
import zscaler_pulumi_zpa as zpa
email_user_sso = zpa.get_saml_attribute(name="Email_BD_Okta_Users",
idp_name="BD_Okta_Users")
this = zpa.get_id_p_controller(name="BD_Okta_Users")
a000 = zpa.get_scim_groups(idp_name="BD_Okta_Users",
name="A000")
b000 = zpa.get_scim_groups(idp_name="BD_Okta_Users",
name="B000")
example = zpa.PolicyPortalAccessRule("example",
name="Portal Access Rule",
description="Allow portal access with specific capabilities",
action="CHECK_PRIVILEGED_PORTAL_CAPABILITIES",
privileged_portal_capabilities={
"delete_file": True,
"access_uninspected_file": True,
"request_approvals": True,
"review_approvals": True,
},
conditions=[
{
"operator": "OR",
"operands": [{
"object_type": "PRIVILEGE_PORTAL",
"values": ["216196257331387235"],
}],
},
{
"operator": "OR",
"operands": [{
"object_type": "COUNTRY_CODE",
"entry_values": [
{
"lhs": "BR",
"rhs": "true",
},
{
"lhs": "CA",
"rhs": "true",
},
],
}],
},
{
"operator": "OR",
"operands": [
{
"object_type": "SAML",
"entry_values": [{
"rhs": "user1@acme.com",
"lhs": email_user_sso.id,
}],
},
{
"object_type": "SCIM_GROUP",
"entry_values": [
{
"rhs": a000.id,
"lhs": this.id,
},
{
"rhs": b000.id,
"lhs": this.id,
},
],
},
],
},
])
package main
import (
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
"github.com/zscaler/pulumi-zpa/sdk/go/zpa"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
emailUserSso, err := zpa.GetSAMLAttribute(ctx, &zpa.GetSAMLAttributeArgs{
Name: pulumi.StringRef("Email_BD_Okta_Users"),
IdpName: pulumi.StringRef("BD_Okta_Users"),
}, nil)
if err != nil {
return err
}
this, err := zpa.GetIdPController(ctx, &zpa.GetIdPControllerArgs{
Name: pulumi.StringRef("BD_Okta_Users"),
}, nil)
if err != nil {
return err
}
a000, err := zpa.GetSCIMGroups(ctx, &zpa.GetSCIMGroupsArgs{
IdpName: pulumi.StringRef("BD_Okta_Users"),
Name: pulumi.StringRef("A000"),
}, nil)
if err != nil {
return err
}
b000, err := zpa.GetSCIMGroups(ctx, &zpa.GetSCIMGroupsArgs{
IdpName: pulumi.StringRef("BD_Okta_Users"),
Name: pulumi.StringRef("B000"),
}, nil)
if err != nil {
return err
}
_, err = zpa.NewPolicyPortalAccessRule(ctx, "example", &zpa.PolicyPortalAccessRuleArgs{
Name: pulumi.String("Portal Access Rule"),
Description: pulumi.String("Allow portal access with specific capabilities"),
Action: pulumi.String("CHECK_PRIVILEGED_PORTAL_CAPABILITIES"),
PrivilegedPortalCapabilities: &zpa.PolicyPortalAccessRulePrivilegedPortalCapabilitiesArgs{
DeleteFile: pulumi.Bool(true),
AccessUninspectedFile: pulumi.Bool(true),
RequestApprovals: pulumi.Bool(true),
ReviewApprovals: pulumi.Bool(true),
},
Conditions: zpa.PolicyPortalAccessRuleConditionArray{
&zpa.PolicyPortalAccessRuleConditionArgs{
Operator: pulumi.String("OR"),
Operands: zpa.PolicyPortalAccessRuleConditionOperandArray{
&zpa.PolicyPortalAccessRuleConditionOperandArgs{
ObjectType: pulumi.String("PRIVILEGE_PORTAL"),
Values: pulumi.StringArray{
pulumi.String("216196257331387235"),
},
},
},
},
&zpa.PolicyPortalAccessRuleConditionArgs{
Operator: pulumi.String("OR"),
Operands: zpa.PolicyPortalAccessRuleConditionOperandArray{
&zpa.PolicyPortalAccessRuleConditionOperandArgs{
ObjectType: pulumi.String("COUNTRY_CODE"),
EntryValues: zpa.PolicyPortalAccessRuleConditionOperandEntryValueArray{
&zpa.PolicyPortalAccessRuleConditionOperandEntryValueArgs{
Lhs: pulumi.String("BR"),
Rhs: pulumi.String("true"),
},
&zpa.PolicyPortalAccessRuleConditionOperandEntryValueArgs{
Lhs: pulumi.String("CA"),
Rhs: pulumi.String("true"),
},
},
},
},
},
&zpa.PolicyPortalAccessRuleConditionArgs{
Operator: pulumi.String("OR"),
Operands: zpa.PolicyPortalAccessRuleConditionOperandArray{
&zpa.PolicyPortalAccessRuleConditionOperandArgs{
ObjectType: pulumi.String("SAML"),
EntryValues: zpa.PolicyPortalAccessRuleConditionOperandEntryValueArray{
&zpa.PolicyPortalAccessRuleConditionOperandEntryValueArgs{
Rhs: pulumi.String("user1@acme.com"),
Lhs: pulumi.String(emailUserSso.Id),
},
},
},
&zpa.PolicyPortalAccessRuleConditionOperandArgs{
ObjectType: pulumi.String("SCIM_GROUP"),
EntryValues: zpa.PolicyPortalAccessRuleConditionOperandEntryValueArray{
&zpa.PolicyPortalAccessRuleConditionOperandEntryValueArgs{
Rhs: pulumi.String(a000.Id),
Lhs: pulumi.String(this.Id),
},
&zpa.PolicyPortalAccessRuleConditionOperandEntryValueArgs{
Rhs: pulumi.String(b000.Id),
Lhs: pulumi.String(this.Id),
},
},
},
},
},
},
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Zpa = Pulumi.Zpa;
using Zpa = zscaler.PulumiPackage.Zpa;
return await Deployment.RunAsync(() =>
{
var emailUserSso = Zpa.GetSAMLAttribute.Invoke(new()
{
Name = "Email_BD_Okta_Users",
IdpName = "BD_Okta_Users",
});
var @this = Zpa.GetIdPController.Invoke(new()
{
Name = "BD_Okta_Users",
});
var a000 = Zpa.GetSCIMGroups.Invoke(new()
{
IdpName = "BD_Okta_Users",
Name = "A000",
});
var b000 = Zpa.GetSCIMGroups.Invoke(new()
{
IdpName = "BD_Okta_Users",
Name = "B000",
});
var example = new Zpa.PolicyPortalAccessRule("example", new()
{
Name = "Portal Access Rule",
Description = "Allow portal access with specific capabilities",
Action = "CHECK_PRIVILEGED_PORTAL_CAPABILITIES",
PrivilegedPortalCapabilities = new Zpa.Inputs.PolicyPortalAccessRulePrivilegedPortalCapabilitiesArgs
{
DeleteFile = true,
AccessUninspectedFile = true,
RequestApprovals = true,
ReviewApprovals = true,
},
Conditions = new[]
{
new Zpa.Inputs.PolicyPortalAccessRuleConditionArgs
{
Operator = "OR",
Operands = new[]
{
new Zpa.Inputs.PolicyPortalAccessRuleConditionOperandArgs
{
ObjectType = "PRIVILEGE_PORTAL",
Values = new[]
{
"216196257331387235",
},
},
},
},
new Zpa.Inputs.PolicyPortalAccessRuleConditionArgs
{
Operator = "OR",
Operands = new[]
{
new Zpa.Inputs.PolicyPortalAccessRuleConditionOperandArgs
{
ObjectType = "COUNTRY_CODE",
EntryValues = new[]
{
new Zpa.Inputs.PolicyPortalAccessRuleConditionOperandEntryValueArgs
{
Lhs = "BR",
Rhs = "true",
},
new Zpa.Inputs.PolicyPortalAccessRuleConditionOperandEntryValueArgs
{
Lhs = "CA",
Rhs = "true",
},
},
},
},
},
new Zpa.Inputs.PolicyPortalAccessRuleConditionArgs
{
Operator = "OR",
Operands = new[]
{
new Zpa.Inputs.PolicyPortalAccessRuleConditionOperandArgs
{
ObjectType = "SAML",
EntryValues = new[]
{
new Zpa.Inputs.PolicyPortalAccessRuleConditionOperandEntryValueArgs
{
Rhs = "user1@acme.com",
Lhs = emailUserSso.Apply(getSAMLAttributeResult => getSAMLAttributeResult.Id),
},
},
},
new Zpa.Inputs.PolicyPortalAccessRuleConditionOperandArgs
{
ObjectType = "SCIM_GROUP",
EntryValues = new[]
{
new Zpa.Inputs.PolicyPortalAccessRuleConditionOperandEntryValueArgs
{
Rhs = a000.Apply(getSCIMGroupsResult => getSCIMGroupsResult.Id),
Lhs = @this.Apply(@this => @this.Apply(getIdPControllerResult => getIdPControllerResult.Id)),
},
new Zpa.Inputs.PolicyPortalAccessRuleConditionOperandEntryValueArgs
{
Rhs = b000.Apply(getSCIMGroupsResult => getSCIMGroupsResult.Id),
Lhs = @this.Apply(@this => @this.Apply(getIdPControllerResult => getIdPControllerResult.Id)),
},
},
},
},
},
},
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.zpa.ZpaFunctions;
import com.pulumi.zpa.inputs.GetSAMLAttributeArgs;
import com.pulumi.zpa.inputs.GetIdPControllerArgs;
import com.pulumi.zpa.inputs.GetSCIMGroupsArgs;
import com.pulumi.zpa.PolicyPortalAccessRule;
import com.pulumi.zpa.PolicyPortalAccessRuleArgs;
import com.pulumi.zpa.inputs.PolicyPortalAccessRulePrivilegedPortalCapabilitiesArgs;
import com.pulumi.zpa.inputs.PolicyPortalAccessRuleConditionArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
final var emailUserSso = ZpaFunctions.getSAMLAttribute(GetSAMLAttributeArgs.builder()
.name("Email_BD_Okta_Users")
.idpName("BD_Okta_Users")
.build());
final var this = ZpaFunctions.getIdPController(GetIdPControllerArgs.builder()
.name("BD_Okta_Users")
.build());
final var a000 = ZpaFunctions.getSCIMGroups(GetSCIMGroupsArgs.builder()
.idpName("BD_Okta_Users")
.name("A000")
.build());
final var b000 = ZpaFunctions.getSCIMGroups(GetSCIMGroupsArgs.builder()
.idpName("BD_Okta_Users")
.name("B000")
.build());
var example = new PolicyPortalAccessRule("example", PolicyPortalAccessRuleArgs.builder()
.name("Portal Access Rule")
.description("Allow portal access with specific capabilities")
.action("CHECK_PRIVILEGED_PORTAL_CAPABILITIES")
.privilegedPortalCapabilities(PolicyPortalAccessRulePrivilegedPortalCapabilitiesArgs.builder()
.deleteFile(true)
.accessUninspectedFile(true)
.requestApprovals(true)
.reviewApprovals(true)
.build())
.conditions(
PolicyPortalAccessRuleConditionArgs.builder()
.operator("OR")
.operands(PolicyPortalAccessRuleConditionOperandArgs.builder()
.objectType("PRIVILEGE_PORTAL")
.values("216196257331387235")
.build())
.build(),
PolicyPortalAccessRuleConditionArgs.builder()
.operator("OR")
.operands(PolicyPortalAccessRuleConditionOperandArgs.builder()
.objectType("COUNTRY_CODE")
.entryValues(
PolicyPortalAccessRuleConditionOperandEntryValueArgs.builder()
.lhs("BR")
.rhs("true")
.build(),
PolicyPortalAccessRuleConditionOperandEntryValueArgs.builder()
.lhs("CA")
.rhs("true")
.build())
.build())
.build(),
PolicyPortalAccessRuleConditionArgs.builder()
.operator("OR")
.operands(
PolicyPortalAccessRuleConditionOperandArgs.builder()
.objectType("SAML")
.entryValues(PolicyPortalAccessRuleConditionOperandEntryValueArgs.builder()
.rhs("user1@acme.com")
.lhs(emailUserSso.id())
.build())
.build(),
PolicyPortalAccessRuleConditionOperandArgs.builder()
.objectType("SCIM_GROUP")
.entryValues(
PolicyPortalAccessRuleConditionOperandEntryValueArgs.builder()
.rhs(a000.id())
.lhs(this_.id())
.build(),
PolicyPortalAccessRuleConditionOperandEntryValueArgs.builder()
.rhs(b000.id())
.lhs(this_.id())
.build())
.build())
.build())
.build());
}
}
resources:
example:
type: zpa:PolicyPortalAccessRule
properties:
name: Portal Access Rule
description: Allow portal access with specific capabilities
action: CHECK_PRIVILEGED_PORTAL_CAPABILITIES
privilegedPortalCapabilities:
deleteFile: true
accessUninspectedFile: true
requestApprovals: true
reviewApprovals: true
conditions:
- operator: OR
operands:
- objectType: PRIVILEGE_PORTAL
values:
- '216196257331387235'
- operator: OR
operands:
- objectType: COUNTRY_CODE
entryValues:
- lhs: BR
rhs: 'true'
- lhs: CA
rhs: 'true'
- operator: OR
operands:
- objectType: SAML
entryValues:
- rhs: user1@acme.com
lhs: ${emailUserSso.id}
- objectType: SCIM_GROUP
entryValues:
- rhs: ${a000.id}
lhs: ${this.id}
- rhs: ${b000.id}
lhs: ${this.id}
variables:
emailUserSso:
fn::invoke:
function: zpa:getSAMLAttribute
arguments:
name: Email_BD_Okta_Users
idpName: BD_Okta_Users
this:
fn::invoke:
function: zpa:getIdPController
arguments:
name: BD_Okta_Users
a000:
fn::invoke:
function: zpa:getSCIMGroups
arguments:
idpName: BD_Okta_Users
name: A000
b000:
fn::invoke:
function: zpa:getSCIMGroups
arguments:
idpName: BD_Okta_Users
name: B000
LHS and RHS Values
| Object Type | LHS | RHS | VALUES |
|---|---|---|---|
| PRIVILEGE_PORTAL | NA | NA | <span pulumi-lang-nodejs="userPortalId" pulumi-lang-dotnet="UserPortalId" pulumi-lang-go="userPortalId" pulumi-lang-python="user_portal_id" pulumi-lang-yaml="userPortalId" pulumi-lang-java="userPortalId">user_portal_id</span> |
| SAML | <span pulumi-lang-nodejs="samlAttributeId" pulumi-lang-dotnet="SamlAttributeId" pulumi-lang-go="samlAttributeId" pulumi-lang-python="saml_attribute_id" pulumi-lang-yaml="samlAttributeId" pulumi-lang-java="samlAttributeId">saml_attribute_id</span> | <span pulumi-lang-nodejs="attributeValueToMatch" pulumi-lang-dotnet="AttributeValueToMatch" pulumi-lang-go="attributeValueToMatch" pulumi-lang-python="attribute_value_to_match" pulumi-lang-yaml="attributeValueToMatch" pulumi-lang-java="attributeValueToMatch">attribute_value_to_match</span> | |
| SCIM | <span pulumi-lang-nodejs="scimAttributeId" pulumi-lang-dotnet="ScimAttributeId" pulumi-lang-go="scimAttributeId" pulumi-lang-python="scim_attribute_id" pulumi-lang-yaml="scimAttributeId" pulumi-lang-java="scimAttributeId">scim_attribute_id</span> | <span pulumi-lang-nodejs="attributeValueToMatch" pulumi-lang-dotnet="AttributeValueToMatch" pulumi-lang-go="attributeValueToMatch" pulumi-lang-python="attribute_value_to_match" pulumi-lang-yaml="attributeValueToMatch" pulumi-lang-java="attributeValueToMatch">attribute_value_to_match</span> | |
| SCIM_GROUP | <span pulumi-lang-nodejs="scimGroupAttributeId" pulumi-lang-dotnet="ScimGroupAttributeId" pulumi-lang-go="scimGroupAttributeId" pulumi-lang-python="scim_group_attribute_id" pulumi-lang-yaml="scimGroupAttributeId" pulumi-lang-java="scimGroupAttributeId">scim_group_attribute_id</span> | <span pulumi-lang-nodejs="attributeValueToMatch" pulumi-lang-dotnet="AttributeValueToMatch" pulumi-lang-go="attributeValueToMatch" pulumi-lang-python="attribute_value_to_match" pulumi-lang-yaml="attributeValueToMatch" pulumi-lang-java="attributeValueToMatch">attribute_value_to_match</span> | |
| COUNTRY_CODE | 2 Letter ISO3166 Alpha2 | "true" |
Create PolicyPortalAccessRule Resource
Resources are created with functions called constructors. To learn more about declaring and configuring resources, see Resources.
Constructor syntax
new PolicyPortalAccessRule(name: string, args?: PolicyPortalAccessRuleArgs, opts?: CustomResourceOptions);@overload
def PolicyPortalAccessRule(resource_name: str,
args: Optional[PolicyPortalAccessRuleArgs] = None,
opts: Optional[ResourceOptions] = None)
@overload
def PolicyPortalAccessRule(resource_name: str,
opts: Optional[ResourceOptions] = None,
action: Optional[str] = None,
conditions: Optional[Sequence[PolicyPortalAccessRuleConditionArgs]] = None,
description: Optional[str] = None,
microtenant_id: Optional[str] = None,
name: Optional[str] = None,
privileged_portal_capabilities: Optional[PolicyPortalAccessRulePrivilegedPortalCapabilitiesArgs] = None)func NewPolicyPortalAccessRule(ctx *Context, name string, args *PolicyPortalAccessRuleArgs, opts ...ResourceOption) (*PolicyPortalAccessRule, error)public PolicyPortalAccessRule(string name, PolicyPortalAccessRuleArgs? args = null, CustomResourceOptions? opts = null)
public PolicyPortalAccessRule(String name, PolicyPortalAccessRuleArgs args)
public PolicyPortalAccessRule(String name, PolicyPortalAccessRuleArgs args, CustomResourceOptions options)
type: zpa:PolicyPortalAccessRule
properties: # The arguments to resource properties.
options: # Bag of options to control resource's behavior.
Parameters
- name string
- The unique name of the resource.
- args PolicyPortalAccessRuleArgs
- The arguments to resource properties.
- opts CustomResourceOptions
- Bag of options to control resource's behavior.
- resource_name str
- The unique name of the resource.
- args PolicyPortalAccessRuleArgs
- The arguments to resource properties.
- opts ResourceOptions
- Bag of options to control resource's behavior.
- ctx Context
- Context object for the current deployment.
- name string
- The unique name of the resource.
- args PolicyPortalAccessRuleArgs
- The arguments to resource properties.
- opts ResourceOption
- Bag of options to control resource's behavior.
- name string
- The unique name of the resource.
- args PolicyPortalAccessRuleArgs
- The arguments to resource properties.
- opts CustomResourceOptions
- Bag of options to control resource's behavior.
- name String
- The unique name of the resource.
- args PolicyPortalAccessRuleArgs
- The arguments to resource properties.
- options CustomResourceOptions
- Bag of options to control resource's behavior.
Constructor example
The following reference example uses placeholder values for all input properties.
var policyPortalAccessRuleResource = new Zpa.PolicyPortalAccessRule("policyPortalAccessRuleResource", new()
{
Action = "string",
Conditions = new[]
{
new Zpa.Inputs.PolicyPortalAccessRuleConditionArgs
{
Id = "string",
Operands = new[]
{
new Zpa.Inputs.PolicyPortalAccessRuleConditionOperandArgs
{
EntryValues = new[]
{
new Zpa.Inputs.PolicyPortalAccessRuleConditionOperandEntryValueArgs
{
Lhs = "string",
Rhs = "string",
},
},
ObjectType = "string",
Values = new[]
{
"string",
},
},
},
Operator = "string",
},
},
Description = "string",
MicrotenantId = "string",
Name = "string",
PrivilegedPortalCapabilities = new Zpa.Inputs.PolicyPortalAccessRulePrivilegedPortalCapabilitiesArgs
{
AccessUninspectedFile = false,
DeleteFile = false,
RequestApprovals = false,
ReviewApprovals = false,
},
});
example, err := zpa.NewPolicyPortalAccessRule(ctx, "policyPortalAccessRuleResource", &zpa.PolicyPortalAccessRuleArgs{
Action: pulumi.String("string"),
Conditions: zpa.PolicyPortalAccessRuleConditionArray{
&zpa.PolicyPortalAccessRuleConditionArgs{
Id: pulumi.String("string"),
Operands: zpa.PolicyPortalAccessRuleConditionOperandArray{
&zpa.PolicyPortalAccessRuleConditionOperandArgs{
EntryValues: zpa.PolicyPortalAccessRuleConditionOperandEntryValueArray{
&zpa.PolicyPortalAccessRuleConditionOperandEntryValueArgs{
Lhs: pulumi.String("string"),
Rhs: pulumi.String("string"),
},
},
ObjectType: pulumi.String("string"),
Values: pulumi.StringArray{
pulumi.String("string"),
},
},
},
Operator: pulumi.String("string"),
},
},
Description: pulumi.String("string"),
MicrotenantId: pulumi.String("string"),
Name: pulumi.String("string"),
PrivilegedPortalCapabilities: &zpa.PolicyPortalAccessRulePrivilegedPortalCapabilitiesArgs{
AccessUninspectedFile: pulumi.Bool(false),
DeleteFile: pulumi.Bool(false),
RequestApprovals: pulumi.Bool(false),
ReviewApprovals: pulumi.Bool(false),
},
})
var policyPortalAccessRuleResource = new PolicyPortalAccessRule("policyPortalAccessRuleResource", PolicyPortalAccessRuleArgs.builder()
.action("string")
.conditions(PolicyPortalAccessRuleConditionArgs.builder()
.id("string")
.operands(PolicyPortalAccessRuleConditionOperandArgs.builder()
.entryValues(PolicyPortalAccessRuleConditionOperandEntryValueArgs.builder()
.lhs("string")
.rhs("string")
.build())
.objectType("string")
.values("string")
.build())
.operator("string")
.build())
.description("string")
.microtenantId("string")
.name("string")
.privilegedPortalCapabilities(PolicyPortalAccessRulePrivilegedPortalCapabilitiesArgs.builder()
.accessUninspectedFile(false)
.deleteFile(false)
.requestApprovals(false)
.reviewApprovals(false)
.build())
.build());
policy_portal_access_rule_resource = zpa.PolicyPortalAccessRule("policyPortalAccessRuleResource",
action="string",
conditions=[{
"id": "string",
"operands": [{
"entry_values": [{
"lhs": "string",
"rhs": "string",
}],
"object_type": "string",
"values": ["string"],
}],
"operator": "string",
}],
description="string",
microtenant_id="string",
name="string",
privileged_portal_capabilities={
"access_uninspected_file": False,
"delete_file": False,
"request_approvals": False,
"review_approvals": False,
})
const policyPortalAccessRuleResource = new zpa.PolicyPortalAccessRule("policyPortalAccessRuleResource", {
action: "string",
conditions: [{
id: "string",
operands: [{
entryValues: [{
lhs: "string",
rhs: "string",
}],
objectType: "string",
values: ["string"],
}],
operator: "string",
}],
description: "string",
microtenantId: "string",
name: "string",
privilegedPortalCapabilities: {
accessUninspectedFile: false,
deleteFile: false,
requestApprovals: false,
reviewApprovals: false,
},
});
type: zpa:PolicyPortalAccessRule
properties:
action: string
conditions:
- id: string
operands:
- entryValues:
- lhs: string
rhs: string
objectType: string
values:
- string
operator: string
description: string
microtenantId: string
name: string
privilegedPortalCapabilities:
accessUninspectedFile: false
deleteFile: false
requestApprovals: false
reviewApprovals: false
PolicyPortalAccessRule Resource Properties
To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.
Inputs
In Python, inputs that are objects can be passed either as argument classes or as dictionary literals.
The PolicyPortalAccessRule resource accepts the following input properties:
- Action string
- This is for providing the rule action. Supported value:
CHECK_CAPABILITIES - Conditions
List<zscaler.
Pulumi Package. Zpa. Inputs. Policy Portal Access Rule Condition> - This is for proviidng the set of conditions for the policy.
- Description string
- This is the description of the access policy.
- Microtenant
Id string - Name string
- This is the name of the policy rule.
- Privileged
Portal zscaler.Capabilities Pulumi Package. Zpa. Inputs. Policy Portal Access Rule Privileged Portal Capabilities
- Action string
- This is for providing the rule action. Supported value:
CHECK_CAPABILITIES - Conditions
[]Policy
Portal Access Rule Condition Args - This is for proviidng the set of conditions for the policy.
- Description string
- This is the description of the access policy.
- Microtenant
Id string - Name string
- This is the name of the policy rule.
- Privileged
Portal PolicyCapabilities Portal Access Rule Privileged Portal Capabilities Args
- action String
- This is for providing the rule action. Supported value:
CHECK_CAPABILITIES - conditions
List<Policy
Portal Access Rule Condition> - This is for proviidng the set of conditions for the policy.
- description String
- This is the description of the access policy.
- microtenant
Id String - name String
- This is the name of the policy rule.
- privileged
Portal PolicyCapabilities Portal Access Rule Privileged Portal Capabilities
- action string
- This is for providing the rule action. Supported value:
CHECK_CAPABILITIES - conditions
Policy
Portal Access Rule Condition[] - This is for proviidng the set of conditions for the policy.
- description string
- This is the description of the access policy.
- microtenant
Id string - name string
- This is the name of the policy rule.
- privileged
Portal PolicyCapabilities Portal Access Rule Privileged Portal Capabilities
- action str
- This is for providing the rule action. Supported value:
CHECK_CAPABILITIES - conditions
Sequence[Policy
Portal Access Rule Condition Args] - This is for proviidng the set of conditions for the policy.
- description str
- This is the description of the access policy.
- microtenant_
id str - name str
- This is the name of the policy rule.
- privileged_
portal_ Policycapabilities Portal Access Rule Privileged Portal Capabilities Args
- action String
- This is for providing the rule action. Supported value:
CHECK_CAPABILITIES - conditions List<Property Map>
- This is for proviidng the set of conditions for the policy.
- description String
- This is the description of the access policy.
- microtenant
Id String - name String
- This is the name of the policy rule.
- privileged
Portal Property MapCapabilities
Outputs
All input properties are implicitly available as output properties. Additionally, the PolicyPortalAccessRule resource produces the following output properties:
- Id string
- The provider-assigned unique ID for this managed resource.
- Policy
Set stringId
- Id string
- The provider-assigned unique ID for this managed resource.
- Policy
Set stringId
- id String
- The provider-assigned unique ID for this managed resource.
- policy
Set StringId
- id string
- The provider-assigned unique ID for this managed resource.
- policy
Set stringId
- id str
- The provider-assigned unique ID for this managed resource.
- policy_
set_ strid
- id String
- The provider-assigned unique ID for this managed resource.
- policy
Set StringId
Look up Existing PolicyPortalAccessRule Resource
Get an existing PolicyPortalAccessRule resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.
public static get(name: string, id: Input<ID>, state?: PolicyPortalAccessRuleState, opts?: CustomResourceOptions): PolicyPortalAccessRule@staticmethod
def get(resource_name: str,
id: str,
opts: Optional[ResourceOptions] = None,
action: Optional[str] = None,
conditions: Optional[Sequence[PolicyPortalAccessRuleConditionArgs]] = None,
description: Optional[str] = None,
microtenant_id: Optional[str] = None,
name: Optional[str] = None,
policy_set_id: Optional[str] = None,
privileged_portal_capabilities: Optional[PolicyPortalAccessRulePrivilegedPortalCapabilitiesArgs] = None) -> PolicyPortalAccessRulefunc GetPolicyPortalAccessRule(ctx *Context, name string, id IDInput, state *PolicyPortalAccessRuleState, opts ...ResourceOption) (*PolicyPortalAccessRule, error)public static PolicyPortalAccessRule Get(string name, Input<string> id, PolicyPortalAccessRuleState? state, CustomResourceOptions? opts = null)public static PolicyPortalAccessRule get(String name, Output<String> id, PolicyPortalAccessRuleState state, CustomResourceOptions options)resources: _: type: zpa:PolicyPortalAccessRule get: id: ${id}- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- resource_name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- Action string
- This is for providing the rule action. Supported value:
CHECK_CAPABILITIES - Conditions
List<zscaler.
Pulumi Package. Zpa. Inputs. Policy Portal Access Rule Condition> - This is for proviidng the set of conditions for the policy.
- Description string
- This is the description of the access policy.
- Microtenant
Id string - Name string
- This is the name of the policy rule.
- Policy
Set stringId - Privileged
Portal zscaler.Capabilities Pulumi Package. Zpa. Inputs. Policy Portal Access Rule Privileged Portal Capabilities
- Action string
- This is for providing the rule action. Supported value:
CHECK_CAPABILITIES - Conditions
[]Policy
Portal Access Rule Condition Args - This is for proviidng the set of conditions for the policy.
- Description string
- This is the description of the access policy.
- Microtenant
Id string - Name string
- This is the name of the policy rule.
- Policy
Set stringId - Privileged
Portal PolicyCapabilities Portal Access Rule Privileged Portal Capabilities Args
- action String
- This is for providing the rule action. Supported value:
CHECK_CAPABILITIES - conditions
List<Policy
Portal Access Rule Condition> - This is for proviidng the set of conditions for the policy.
- description String
- This is the description of the access policy.
- microtenant
Id String - name String
- This is the name of the policy rule.
- policy
Set StringId - privileged
Portal PolicyCapabilities Portal Access Rule Privileged Portal Capabilities
- action string
- This is for providing the rule action. Supported value:
CHECK_CAPABILITIES - conditions
Policy
Portal Access Rule Condition[] - This is for proviidng the set of conditions for the policy.
- description string
- This is the description of the access policy.
- microtenant
Id string - name string
- This is the name of the policy rule.
- policy
Set stringId - privileged
Portal PolicyCapabilities Portal Access Rule Privileged Portal Capabilities
- action str
- This is for providing the rule action. Supported value:
CHECK_CAPABILITIES - conditions
Sequence[Policy
Portal Access Rule Condition Args] - This is for proviidng the set of conditions for the policy.
- description str
- This is the description of the access policy.
- microtenant_
id str - name str
- This is the name of the policy rule.
- policy_
set_ strid - privileged_
portal_ Policycapabilities Portal Access Rule Privileged Portal Capabilities Args
- action String
- This is for providing the rule action. Supported value:
CHECK_CAPABILITIES - conditions List<Property Map>
- This is for proviidng the set of conditions for the policy.
- description String
- This is the description of the access policy.
- microtenant
Id String - name String
- This is the name of the policy rule.
- policy
Set StringId - privileged
Portal Property MapCapabilities
Supporting Types
PolicyPortalAccessRuleCondition, PolicyPortalAccessRuleConditionArgs
- Id string
- Operands
List<zscaler.
Pulumi Package. Zpa. Inputs. Policy Portal Access Rule Condition Operand> - This signifies the various policy criteria.
- Operator string
- Id string
- Operands
[]Policy
Portal Access Rule Condition Operand - This signifies the various policy criteria.
- Operator string
- id String
- operands
List<Policy
Portal Access Rule Condition Operand> - This signifies the various policy criteria.
- operator String
- id string
- operands
Policy
Portal Access Rule Condition Operand[] - This signifies the various policy criteria.
- operator string
- id str
- operands
Sequence[Policy
Portal Access Rule Condition Operand] - This signifies the various policy criteria.
- operator str
- id String
- operands List<Property Map>
- This signifies the various policy criteria.
- operator String
PolicyPortalAccessRuleConditionOperand, PolicyPortalAccessRuleConditionOperandArgs
- Entry
Values List<zscaler.Pulumi Package. Zpa. Inputs. Policy Portal Access Rule Condition Operand Entry Value> - Object
Type string - This is for specifying the policy critiera.
- Values List<string>
- This denotes a list of values for the given object type. The value depend upon the key. If rhs is defined this list will be ignored
- Entry
Values []PolicyPortal Access Rule Condition Operand Entry Value - Object
Type string - This is for specifying the policy critiera.
- Values []string
- This denotes a list of values for the given object type. The value depend upon the key. If rhs is defined this list will be ignored
- entry
Values List<PolicyPortal Access Rule Condition Operand Entry Value> - object
Type String - This is for specifying the policy critiera.
- values List<String>
- This denotes a list of values for the given object type. The value depend upon the key. If rhs is defined this list will be ignored
- entry
Values PolicyPortal Access Rule Condition Operand Entry Value[] - object
Type string - This is for specifying the policy critiera.
- values string[]
- This denotes a list of values for the given object type. The value depend upon the key. If rhs is defined this list will be ignored
- entry_
values Sequence[PolicyPortal Access Rule Condition Operand Entry Value] - object_
type str - This is for specifying the policy critiera.
- values Sequence[str]
- This denotes a list of values for the given object type. The value depend upon the key. If rhs is defined this list will be ignored
- entry
Values List<Property Map> - object
Type String - This is for specifying the policy critiera.
- values List<String>
- This denotes a list of values for the given object type. The value depend upon the key. If rhs is defined this list will be ignored
PolicyPortalAccessRuleConditionOperandEntryValue, PolicyPortalAccessRuleConditionOperandEntryValueArgs
PolicyPortalAccessRulePrivilegedPortalCapabilities, PolicyPortalAccessRulePrivilegedPortalCapabilitiesArgs
- Access
Uninspected boolFile - Allows a User like an Admin to see all files marked Uninspected from other users in the tenant.
- Delete
File bool - Allows a User to delete files to reclaim space. Allowing deletion will prevent auditing of the file.
- Request
Approvals bool - Allows a User to request approvals
- Review
Approvals bool - Allows a User to review approvals
- Access
Uninspected boolFile - Allows a User like an Admin to see all files marked Uninspected from other users in the tenant.
- Delete
File bool - Allows a User to delete files to reclaim space. Allowing deletion will prevent auditing of the file.
- Request
Approvals bool - Allows a User to request approvals
- Review
Approvals bool - Allows a User to review approvals
- access
Uninspected BooleanFile - Allows a User like an Admin to see all files marked Uninspected from other users in the tenant.
- delete
File Boolean - Allows a User to delete files to reclaim space. Allowing deletion will prevent auditing of the file.
- request
Approvals Boolean - Allows a User to request approvals
- review
Approvals Boolean - Allows a User to review approvals
- access
Uninspected booleanFile - Allows a User like an Admin to see all files marked Uninspected from other users in the tenant.
- delete
File boolean - Allows a User to delete files to reclaim space. Allowing deletion will prevent auditing of the file.
- request
Approvals boolean - Allows a User to request approvals
- review
Approvals boolean - Allows a User to review approvals
- access_
uninspected_ boolfile - Allows a User like an Admin to see all files marked Uninspected from other users in the tenant.
- delete_
file bool - Allows a User to delete files to reclaim space. Allowing deletion will prevent auditing of the file.
- request_
approvals bool - Allows a User to request approvals
- review_
approvals bool - Allows a User to review approvals
- access
Uninspected BooleanFile - Allows a User like an Admin to see all files marked Uninspected from other users in the tenant.
- delete
File Boolean - Allows a User to delete files to reclaim space. Allowing deletion will prevent auditing of the file.
- request
Approvals Boolean - Allows a User to request approvals
- review
Approvals Boolean - Allows a User to review approvals
Import
Zscaler offers a dedicated tool called Zscaler-Terraformer to allow the automated import of ZPA configurations into Terraform-compliant HashiCorp Configuration Language.
Visit
Policy access capability can be imported by using <RULE ID> as the import ID.
For example:
$ pulumi import zpa:index/policyPortalAccessRule:PolicyPortalAccessRule example <rule_id>
To learn more about importing existing cloud resources, see Importing resources.
Package Details
- Repository
- zpa zscaler/pulumi-zpa
- License
- MIT
- Notes
- This Pulumi package is based on the
zpaTerraform Provider.
Zscaler Private Access v1.0.3 published on Wednesday, Jan 21, 2026 by Zscaler
