@@ -0,0 +1,17 @@
---
title: New granular controls for SaaS applications
description: Gateway now provides granular control over File Sharing and AI Chat applications
products:
- gateway
hidden: false
date: 2025-09-30
---

Gateway users can now apply granular controls to their file sharing and AI chat applications through [HTTP policies](/cloudflare-one/policies/gateway/http-policies).

The new feature offers two methods of controlling SaaS applications:

- **Application Controls** are curated groupings of Operations which provide an easy way for users to achieve a specific outcome. Application Controls may include _Upload_, _Download_, _Prompt_, _Voice_, and _Share_ depending on the application.
- **Operations** are controls aligned to the most granular action a user can take. This provides a fine-grained approach to enforcing policy and generally aligns to the SaaS providers API specifications in naming and function.

Get started using [Application Granular Controls](cloudflare-one/policies/gateway/http-policies/granular-controls) and refer to the list of [supported applications](/cloudflare-one/policies/gateway/http-policies/granular-controls/#compatible-applications).
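Review bot: the link in the closing line is missing its leading slash: `[Application Granular Controls](cloudflare-one/policies/gateway/http-policies/granular-controls)` will resolve relative to the changelog page rather than the site root, unlike every other link in this file; change the target to `/cloudflare-one/policies/gateway/http-policies/granular-controls`. Two smaller nits in the bullets: `SaaS providers API specifications` should be `SaaS providers' API specifications`, and `groupings of Operations which provide` reads better as `groupings of Operations that provide`.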
@@ -7,14 +7,15 @@ sidebar:

import { Render, Details } from "~/components";

Application Granular Controls allows you to create [Gateway HTTP policies](/cloudflare-one/policies/gateway/http-policies/) to control specific user actions within supported SaaS applications. This allows you to give users access to an application while restricting the actions that they can take within the application.
With Application Granular Controls, you can create [Gateway HTTP policies](/cloudflare-one/policies/gateway/http-policies/) to control specific user actions within supported SaaS applications. This allows you to give users access to an application while restricting the actions that they can take within the application.

## Prerequisites

To use Application Granular Controls, you must:

- Install a [Cloudflare certificate](/cloudflare-one/connections/connect-devices/user-side-certificates/) or a [custom certificate](/cloudflare-one/connections/connect-devices/user-side-certificates/custom-certificate/) on your users' devices.
- Turn on [TLS decryption](/cloudflare-one/policies/gateway/http-policies/tls-decryption/).
- (Optional) If an application uses HTTP/3, turn on the [Gateway proxy for TCP and UDP traffic](/cloudflare-one/policies/gateway/http-policies/http3/#enable-http3-inspection).

## Create a policy with Application Granular Controls
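Review bot: the `(Optional)` label on the HTTP/3 prerequisite is misleading, because the item is conditional rather than optional: the linked step is what enables HTTP/3 inspection, so for an application that uses HTTP/3 it is required for the policy to apply. Consider `(If applicable)` or leading with the condition: `If an application uses HTTP/3, turn on the ...`. The rewording of the intro sentence is fine, though `within the application` now closes both sentences; the second could simply end at `actions that they can take`.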

@@ -25,7 +26,7 @@ To create a Gateway HTTP policy with Application Granular Controls:
1. In [Zero Trust](https://one.dash.cloudflare.com/), go to **Gateway** > **Firewall policies**. Select **HTTP**.
2. Select **Add a policy**.
3. Name the policy.
4. Under **Traffic**, build a logical expression that defines the traffic you want to allow or block. To use Application Granular Controls, you must use the _Application_ selector with the _is_ operator.
4. Under **Traffic**, build a logical expression that defines the traffic you want to allow or block. Because granular controls are specific to each application, you must use the _Application_ selector with the _is_ operator.
5. In **Value**, select your desired application.
6. In **Controls**, choose one or more Application Controls or individual Operations. For example, you can create a policy to block file uploads to ChatGPT:

@@ -49,17 +50,15 @@ Application Controls are pre-defined controls which represent user intent, such

Operations are the individual API-level actions that an application uses. Defining controls at operation level allows for more fine-grained policies to support use cases such as blocking only certain types of downloads. You can also define controls where there is not an existing application control that covers the required intent, such as blocking comments. However, because each SaaS application uses a unique set of operations with its own scope and behaviors, the use of operation level controls often requires analysis for each desired use case. You can also use operation-level controls in cases where you need variations to the Cloudflare-defined application controls, such as including or excluding certain operations.

Cloudflare provides Operations based on the [available APIs for an application](#application-apis).
Cloudflare provides Operations based on the [available APIs for an application](#application-apis). For more information on how Operations map to [Application Controls](#application-controls), refer to [Compatible applications](#compatible-applications).

#### Operation Groups

Operation Groups are groupings of operations defined by the application vendor. Operation Groups are typically based on a categorization of the different functional areas of the application, such as signature requests, or the entities that the application defines, such as files or folders. These definitions vary by application. Gateway groups operations into these operation groups to match the operations with the corresponding vendor API documentation.

### DLP payloads

Application Granular Controls can apply [Data Loss Prevention (DLP)](/cloudflare-one/policies/data-loss-prevention/) for operations that contain scannable content. This includes operations that contain the content of uploaded or downloaded files or AI prompts. For example, when a user performs a file upload, a sequence of API operations may result, such as setting up the file metadata, uploading the file content, and finalizing the upload. When applying DLP to your Zero Trust traffic, it can be helpful to specifically target an operation that contains file content.

For more information on which operations support DLP payload scanning, refer to the **Contains payload** column in [Compatible applications](#compatible-applications).
You can use Application Granular Controls with [Data Loss Prevention (DLP)](/cloudflare-one/policies/data-loss-prevention/) for operations that contain scannable content. This includes operations that contain the content of uploaded or downloaded files or AI prompts. For example, when a user performs a file upload, a sequence of API operations may result, such as setting up the file metadata, uploading the file content, and finalizing the upload. When applying DLP to your Zero Trust traffic, it can be helpful to specifically target an operation that contains file content.

## Application APIs
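Review bot: the replacement DLP paragraph drops the pointer to the **Contains payload** column in [Compatible applications](#compatible-applications), which was the only place this page told readers which operations actually support DLP payload scanning. Unless that column was removed from the rendered applications table, keep the removed sentence after the new paragraph: `For more information on which operations support DLP payload scanning, refer to the **Contains payload** column in [Compatible applications](#compatible-applications).`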

@@ -68,10 +67,10 @@ SaaS applications typically provide multiple APIs to interact with. For each app
- Web Application API: These APIs are consumed by the web application that users interact with through their browser.
- Platform API: These APIs are exposed to users to allow for programmatic interaction with the SaaS application. These are typically used by automations, scripts, or other applications.

[Application Controls](#application-controls) use both API types. If both API types are available when creating HTTP policies using [Operations](#operations), you should select the Operations that align to the API being used, or include both for wider coverage.
[Application Controls](#application-controls) include Operations of both API types. If both API types are available when creating HTTP policies using [Operations](#operations), you should select the Operations that align to the API being used, or include both for wider coverage.

## Compatible applications

Application Granular Controls supports matching operations within a number of defined applications.
Application Granular Controls supports the following applications:

<Render file="gateway/granular-applications" product="cloudflare-one" />
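Review bot: in the Application Controls paragraph, `If both API types are available when creating HTTP policies using Operations` leaves it unclear whether `available` qualifies the application or the policy editor; suggest `When creating HTTP policies using [Operations](#operations) for an application that exposes both API types, select the Operations that align to the API being used, or include both for wider coverage.` The change to `supports the following applications:` is good, since it leads directly into the rendered list.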