Session controls let you configure how often users must re-authenticate after
being granted access, and whether a full login, password only, or hardware
security key is required.
You can apply session controls to do the following:
- Enforce frequent re-authentication for privileged users: Require users with elevated privileges, such as project owners and billing administrators, to re-authenticate more frequently.
- Configure longer sessions for certain applications: Allow certain applications, such as context-based AI applications like Gemini, to have longer session durations to preserve the large context window required for optimal performance.
Define session length and re-authentication methods
You can define session controls when creating an Access Context Manager binding. For details about the session controls, see "Apply policies to user groups using access bindings".
gcloud
- Set default session controls for all applications
  Use the --session-length flag to set the session duration and the
  --session-reauth-method flag to specify the re-authentication method. For
  example, you can set a session duration of 30 minutes (30m) and a
  LOGIN, PASSWORD, or SECURITY_KEY re-authentication method.
  These settings apply to all applications unless overridden by
  application-specific settings.
- Set application-specific session controls
  Define scopedAccessSettings in a YAML file to specify session controls
  for specific applications using clientId. This lets you override the
  default session controls for those applications. You can then pass the YAML
  file using the --binding-file flag.
API
Define the sessionLength and sessionReauthMethod fields within the
sessionSettings object in the JSON body of your POST request to create
or update a GcpUserAccessBinding binding. Use scopedAccessSettings to
define application-specific session controls.
See "Define configurations for specific applications" for details.
Key considerations when defining session controls:
- You cannot specify the Google Cloud console using clientId. To enforce session controls for the Google Cloud console, define it as a default and then create exceptions for other applications.
- Only the most recently created access binding that matches the request is used when resolving session control settings.
Example policy configuration
The following example creates a session control that requires
re-authentication every 18 hours by default with LOGIN, and every two
hours for a specific application (SENSITIVE_APP_ID) with SECURITY_KEY.
Default settings
The --level, --session-length, and --session-reauth-method flags in the
Google Cloud CLI command (or the corresponding fields in the JSON body for the
API call) set the default behavior for all applications not explicitly defined
in scopedAccessSettings.
Application-specific settings
The scopedAccessSettings section in the YAML file (or JSON body) lets you
override the default settings for specific applications. The example
sets a two-hour re-authentication requirement with SECURITY_KEY for the
application with the client ID SENSITIVE_APP_ID.
To exempt certain apps from session control, set the
sessionLength field to 0s or sessionLengthEnabled
to false. The sessionReauthMethod value is then ignored.
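The default, override, and exemption rules described above can be checked before a binding is created. The following is an added example, not Google's code: it resolves the effective session settings per client ID from a body shaped like the page's JSON and flags scoped applications that are exempt or get longer sessions than the default. EXEMPT_APP_ID, LONG_APP_ID, the helper names, and the treatment of a missing sessionLengthEnabled as enabled are assumptions.

```python
import re

UNITS = {"s": 1, "m": 60, "h": 3600}  # suffixes used on the page: 7200s, 30m, 18h

def to_seconds(text):
    m = re.fullmatch(r"(\d+)([smh])", text)
    if m is None:
        raise ValueError(f"unrecognised duration {text!r}")
    return int(m.group(1)) * UNITS[m.group(2)]

def normalise(settings):
    """Return (seconds, method), or None when no session control applies."""
    length = to_seconds((settings or {}).get("sessionLength", "0s"))
    # Assumption: only an explicit false disables; a missing flag counts as enabled.
    if length == 0 or settings.get("sessionLengthEnabled") is False:
        return None  # sessionReauthMethod is ignored for exempt apps
    return length, settings.get("sessionReauthMethod")

def client_id(entry):
    return entry["scope"]["clientScope"]["restrictedClientApplication"].get("clientId")

def effective(binding, cid):
    """A scoped entry for cid overrides the binding-level default."""
    for entry in binding.get("scopedAccessSettings", []):
        if client_id(entry) == cid:
            return normalise(entry.get("activeSettings", {}).get("sessionSettings"))
    return normalise(binding.get("sessionSettings"))

def audit(binding):
    """Flag scoped apps that are exempt or get longer sessions than the default."""
    default, findings = normalise(binding.get("sessionSettings")), []
    for entry in binding.get("scopedAccessSettings", []):
        cid, eff = client_id(entry), effective(binding, client_id(entry))
        if eff is None:
            findings.append((cid, "exempt"))
        elif default and eff[0] > default[0]:
            findings.append((cid, "longer than default"))
    return findings

def ss(length, method, enabled=True):  # helpers for the constructed sample below
    return {"sessionLength": length, "sessionReauthMethod": method,
            "sessionLengthEnabled": enabled}
def scoped(cid, *args, **kw):
    return {"scope": {"clientScope": {"restrictedClientApplication": {"clientId": cid}}},
            "activeSettings": {"sessionSettings": ss(*args, **kw)}}

SAMPLE = {"groupKey": "GROUP_ID", "sessionSettings": ss("18h", "LOGIN"), "scopedAccessSettings": [
    scoped("SENSITIVE_APP_ID", "7200s", "SECURITY_KEY"),
    scoped("EXEMPT_APP_ID", "2h", "PASSWORD", enabled=False),
    scoped("LONG_APP_ID", "48h", "PASSWORD")]}
```

Calling audit(SAMPLE) lists the scoped applications a reviewer should look at; effective(SAMPLE, some_client_id) answers what a single application will actually get.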
gcloud

The settings configuration:

    # scopedAccessSettings is a list; each entry scopes settings to one client application.
    scopedAccessSettings:
    - scope:
        clientScope:
          restrictedClientApplication:
            clientId: SENSITIVE_APP_ID
      activeSettings:
        sessionSettings:
          sessionLength: 7200s
          sessionReauthMethod: SECURITY_KEY
          sessionLengthEnabled: true

Create the access binding:

    gcloud access-context-manager cloud-bindings create \
      --organization ORG_ID \
      --group-key GROUP_ID \
      --binding-file BINDING_FILE_PATH \
      --level DEFAULT_ACCESS_LEVEL \
      --session-length 18h \
      --session-reauth-method LOGIN

API

JSON body:

    {
      "groupKey": "GROUP_ID",
      "accessLevels": [
        "accessPolicies/POLICY_ID/accessLevels/DEFAULT_ACCESS_LEVEL"
      ],
      "scopedAccessSettings": [
        {
          "scope": {
            "clientScope": {
              "restrictedClientApplication": {
                "clientId": "SENSITIVE_APP_ID"
              }
            }
          },
          "activeSettings": {
            "accessLevels": [
              "accessPolicies/POLICY_ID/accessLevels/ACCESS_LEVEL_NAME"
            ],
            "sessionSettings": {
              "sessionLength": "2h",
              "sessionReauthMethod": "SECURITY_KEY",
              "sessionLengthEnabled": true
            }
          }
        }
      ]
    }

Post request:

    POST https://accesscontextmanager.googleapis.com/v1/organizations/ORG_ID/gcpUserAccessBindings

Warning: If you previously managed session controls within Workspace based on Organizational Units (OUs), session controls defined through Access Context Manager bindings will supersede any OU-based policies.

Preview: Session controls. This feature is subject to the "Pre-GA Offerings Terms" in the General Service Terms section of the Service Specific Terms. Pre-GA features are available "as is" and might have limited support. For more information, see the launch stage descriptions.

Last updated 2025-08-29 UTC.