Application Granular Controls
Application Granular Controls enables you to control specific user actions within supported SaaS applications. This allows you to give users access to an application while restricting the actions that they can take within the application.
To create an HTTP policy with Application Granular Controls:
- In Zero Trust ↗, go to Gateway > Firewall policies. Select HTTP.
- Select Add a policy.
- Give your policy a name (for example, "Block Google Drive Uploads”) and a description.
- In the expression builder, define the scope of your policy. In the Traffic section, add a condition and specify the Application selector.
- Select the “is” Operator (application granular controls are specific to an application so the condition must reference a single application using the is operator).
- In the Value field, the applications that support granular controls are grouped in the categories at the top of the list for example “File Sharing (with Granular Controls)”. Select the required application (for example Google Drive).
- A fourth Controls field will appear, allowing you to select one or more Application Controls or individual Operations (see below for an explanation of these terms).
- Complete your policy expression with any other conditions, select an Action and configure any desired policy settings.
- Select Create policy to save and activate your policy.
The policy will appear in the list of HTTP policies. Here, the order of precedence can be changed and the policy can be disabled or enabled.
Application Granular Controls can be defined at two levels of granularity:
- Application Controls are pre-defined controls which represent user intent for example Upload or Download. They are defined by Cloudflare and consist of a set of operations (see below) that have been deemed to be related to that intent. Using application controls within a policy is a quick way of enforcing common controls. For the mapping of operations to application controls, see Application Controls.
- Operations: These are the individual API-level actions that an app uses. Defining controls at operation level allows for more fine-grained policies to support advanced use cases for example block only certain types of downloads, or to define controls where there is not an existing application control that covers the required intent for example block comments. However, because each SaaS application uses a unique set of operations each of which has its own scope, nuances and behaviors, the use of operation level controls often requires analysis to determine applicability for the desired use case. Operation-level controls can also be used in cases where variations to the Cloudflare-defined application controls are needed for example to include or exclude certain operations.
Operation Groups are groupings of operations that are defined by the application vendor. Typically these are based on a categorization of the application's capabilities - different functional areas of the application for example signature requests - or the entities that the application defines for example files or folders. These definitions vary by application. In the Gateway policy builder, operations are shown grouped into these operation groups to facilitate correlating the operations with available vendor API documentation.
The Contains Payload column in Application Controls indicates whether a given operation is likely to contain content that is suitable for DLP scanning. This includes operations that contain the content of uploaded or downloaded files, or AI prompts. When a user performs a file upload for example, a sequence of API operations may result, for example setting up the file metadata, uploading the file content, and then finalizing the upload. From a DLP perspective, it can be advantageous to specifically target the operation that contains the file content; the contains payload column identifies which operation that is.
SaaS applications typically provide multiple APIs to interact with. For each application, we may support the following API types:
- Web Application API: these APIs are consumed by the web application that users interact with through their browser.
- Platform API: these APIs are exposed to users to allow for programmatic interaction with the SaaS application. These are typically used by automations, scripts, or even other applications.
When building your HTTP rules using Operations, if both API types are available, you should select Operations that align to the API being used, or include both for greater coverage.
Application controls include Operations for both API types.
With Application Granular Controls, you can choose specific actions and operations to match application traffic.
ChatGPT (app ID 1199)
1199)| Operation name | Operation ID | Application Control name | Application Control ID | Contains payload | Operation Group | Operation Group ID |
|---|---|---|---|---|---|---|
| SendPrompt | 8004 | Prompt | 1652 | ✅ | Chat | 1650 |
| UploadFile | 8008 | Upload | 1653 | — | Chat | 1650 |
| UploadFilePayload | 8013 | Upload | 1653 | ✅ | Chat | 1650 |
| ShareResponse | 8006 | Share | 1654 | — | Chat | 1650 |
| ShareCanvas | 8007 | Share | 1654 | — | Chat | 1650 |
| TranscribeVoice | 8011 | Voice | 1655 | — | Chat | 1650 |
| EnableVoiceMode | 8003 | Voice | 1655 | — | Chat | 1650 |
| AllowTraining | 8009 | — | Settings | 1651 | ||
| AllowVoiceTraining | 8010 | — | Settings | 1651 | ||
| AllowVideoTraining | 8016 | — | Settings | 1651 | ||
| ExportData | 8020 | — | Settings | 1651 |
Google Gemini (app ID 1340)
1340)| Operation name | Operation ID | Application Control name | Application Control ID | Contains payload | Operation Group | Operation Group ID |
|---|---|---|---|---|---|---|
| SendPrompt | 8021 | Prompt | 1657 | ✅ | Chat | 1656 |
| UploadFile | 8022 | Upload | 1658 | — | Chat | 1656 |
| UploadFilePayload | 8023 | Upload | 1658 | ✅ | Chat | 1656 |
| TranscribeVoice | 8025 | Voice | 1659 | — | Chat | 1656 |
Perplexity (app ID 1937)
1937)| Operation name | Operation ID | Application Control name | Application Control ID | Contains payload | Operation Group | Operation Group ID |
|---|---|---|---|---|---|---|
| SendPrompt | 11947 | Prompt | 2598 | ✅ | Chat | 2596 |
| ClarifyingPrompt | 11951 | Prompt | 2598 | ✅ | Chat | 2596 |
| CreateUploadUrl | 11948 | Upload | 2599 | — | Chat | 2596 |
| UploadFile | 11955 | Upload | 2599 | ✅ | Chat | 2596 |
| UploadOrganizationFile | 11950 | Upload | 2599 | — | Settings | 2597 |
| ShareChat | 11952 | Share | 2600 | — | Chat | 2596 |
| VoiceTranscription | 11953 | Voice | 2601 | — | Chat | 2596 |
| ExportChat | 11949 | — | Chat | 2596 | ||
| DeleteThread | 11954 | — | Chat | 2596 | ||
| DeleteOrganizationFile | 11956 | — | Settings | 2597 |
Claude (app ID 2430)
2430)| Operation name | Operation ID | Application Control name | Application Control ID | Contains payload | Operation Group | Operation Group ID |
|---|---|---|---|---|---|---|
| SendPrompt | 10048 | Prompt | 2127 | ✅ | Chat | 2126 |
| PromptCompletion | 10050 | Prompt | 2127 | ✅ | Chat | 2126 |
| RetryPromptCompletion | 10040 | Prompt | 2127 | ✅ | Chat | 2126 |
| UploadFile | 10039 | Upload | 2128 | ✅ | Chat | 2126 |
| ConvertDocument | 10041 | Upload | 2128 | ✅ | Chat | 2126 |
| ShareConversation | 10043 | Share | 2129 | — | Chat | 2126 |
| GetShares | 10052 | Share | 2129 | — | Chat | 2126 |
| CreateConversation | 10038 | — | Chat | 2126 | ||
| GetConversation | 10046 | — | Chat | 2126 | ||
| UpdateConversation | 10047 | — | Chat | 2126 | ||
| DeleteConversation | 10045 | — | Chat | 2126 | ||
| UpdateAccount | 10036 | — | Settings | 2125 | ||
| InitiateDataExport | 10037 | — | Settings | 2125 | ||
| GiveFeedback | 10042 | — | Chat | 2126 | ||
| SetConversationTitle | 10044 | — | Chat | 2126 | ||
| GetOrganisation | 10049 | — | Settings | 2125 | ||
| GetFilePreview | 10051 | — | Chat | 2126 |
placeholder
Was this helpful?
- Resources
- API
- New to Cloudflare?
- Directory
- Sponsorships
- Open Source
- Support
- Help Center
- System Status
- Compliance
- GDPR
- Company
- cloudflare.com
- Our team
- Careers
- © 2025 Cloudflare, Inc.
- Privacy Policy
- Terms of Use
- Report Security Issues
- Trademark