zia_list_cloud_app_control_actions
Lists available Cloud App Control actions for a given cloud application, automatically resolving its category to return the full action set. Handles API edge cases by probing other apps in the same category.
Instructions
List the granular Cloud App Control (CAC) actions available for a cloud application — answers 'what actions can I control for ?', 'list actions for Azure DevOps', 'what can I block on Dropbox', 'show me available actions for ChatGPT'. Takes a single cloud_app (canonical enum like AZURE_DEVOPS or friendly name like 'Azure DevOps'); the tool auto-resolves the name, looks up its category (rule type), and returns the category's full action set. Actions are CATEGORY-LEVEL not per-app — every app in SYSTEM_AND_DEVELOPMENT shares the same actions, every app in AI_ML shares its own set, etc. The tool also handles a ZIA API quirk where calling list_available_actions(rule_type, [some_app]) sometimes returns empty because not every app is a 'representative' for its category — when that happens, it transparently walks other apps in the same category until one surfaces the action set. Returns a dict with: cloud_app, resolved_app, category, category_name, actions, actions_surfaced_via (which app finally produced the actions), and probe_attempts. Use the optional rule_type parameter only to override the auto-detected category; use query (JMESPath) to project just the actions list (e.g. 'actions') or filter them (e.g. 'actions[?contains(@, BLOCK)]').
Input Schema
| Name | Required | Description | Default |
|---|---|---|---|
| cloud_app | Yes | The cloud application the user is asking about. Accepts the canonical ZIA enum (``AZURE_DEVOPS``, ``DROPBOX``, ``CHATGPT_AI``) **or** a friendly display name (``'Azure DevOps'``, ``'dropbox'``, ``'chatgpt'``). The tool resolves the input to its canonical form, looks up the app's category (= rule type), and returns the granular action vocabulary the API supports for Cloud App Control rules in that category. The action vocabulary is *surfaced* at the category level — every app in a category resolves to the same returned list — but the create endpoint validates per (rule_type, application, action) tuple and can still reject a category-level action when paired with a specific app. Treat the returned list as a superset; the create call is the only authoritative validator. | |
| rule_type | No | Optional override for the rule-type category. By default the tool infers the rule type from ``cloud_app``'s ``parent`` field in the policy catalog. Only set this when you want to force a specific category (e.g. when ZIA classifies an app under one category but you want actions for a different one). Must be one of the canonical category enums (``AI_ML``, ``WEBMAIL``, ``FILE_SHARE``, ``SYSTEM_AND_DEVELOPMENT``, ``STREAMING_MEDIA``, ``SOCIAL_NETWORKING``, ``INSTANT_MESSAGING``, ``BUSINESS_PRODUCTIVITY``, ``ENTERPRISE_COLLABORATION``, ``SALES_AND_MARKETING``, ``CONSUMER``, ``HOSTING_PROVIDER``, ``IT_SERVICES``, ``HUMAN_RESOURCES``, ``LEGAL``, ``HEALTH_CARE``, ``FINANCE``, ``DNS_OVER_HTTPS``, ``CUSTOM_CAPP``). | |
| query | No | Optional JMESPath expression applied to the response. Useful for projecting just the actions list (``actions``) or filtering them (``actions[?contains(@, 'BLOCK')]``). | |
| service | No | The service to use. | zia |