public final class AccessPolicyRule extends GeneratedMessage implements AccessPolicyRuleOrBuilder
Access Policy Rule that determines the behavior of the policy.
Protobuf type google.iam.v3beta.AccessPolicyRule
Inherited Members
com.google.protobuf.GeneratedMessage.<ContainingT,T>newFileScopedGeneratedExtension(java.lang.Class<?>,com.google.protobuf.Message)
com.google.protobuf.GeneratedMessage.<ContainingT,T>newMessageScopedGeneratedExtension(com.google.protobuf.Message,int,java.lang.Class<?>,com.google.protobuf.Message)
com.google.protobuf.GeneratedMessage.<ListT>makeMutableCopy(ListT)
com.google.protobuf.GeneratedMessage.<ListT>makeMutableCopy(ListT,int)
com.google.protobuf.GeneratedMessage.<T>emptyList(java.lang.Class<T>)
com.google.protobuf.GeneratedMessage.<V>serializeBooleanMapTo(com.google.protobuf.CodedOutputStream,com.google.protobuf.MapField<java.lang.Boolean,V>,com.google.protobuf.MapEntry<java.lang.Boolean,V>,int)
com.google.protobuf.GeneratedMessage.<V>serializeIntegerMapTo(com.google.protobuf.CodedOutputStream,com.google.protobuf.MapField<java.lang.Integer,V>,com.google.protobuf.MapEntry<java.lang.Integer,V>,int)
com.google.protobuf.GeneratedMessage.<V>serializeLongMapTo(com.google.protobuf.CodedOutputStream,com.google.protobuf.MapField<java.lang.Long,V>,com.google.protobuf.MapEntry<java.lang.Long,V>,int)
com.google.protobuf.GeneratedMessage.<V>serializeStringMapTo(com.google.protobuf.CodedOutputStream,com.google.protobuf.MapField<java.lang.String,V>,com.google.protobuf.MapEntry<java.lang.String,V>,int)
com.google.protobuf.GeneratedMessage.canUseUnsafe()
com.google.protobuf.GeneratedMessage.emptyBooleanList()
com.google.protobuf.GeneratedMessage.emptyDoubleList()
com.google.protobuf.GeneratedMessage.emptyFloatList()
com.google.protobuf.GeneratedMessage.emptyIntList()
com.google.protobuf.GeneratedMessage.emptyLongList()
com.google.protobuf.GeneratedMessage.internalGetMapFieldReflection(int)
com.google.protobuf.GeneratedMessage.isStringEmpty(java.lang.Object)
com.google.protobuf.GeneratedMessage.mergeFromAndMakeImmutableInternal(com.google.protobuf.CodedInputStream,com.google.protobuf.ExtensionRegistryLite)
com.google.protobuf.GeneratedMessage.newInstance(com.google.protobuf.GeneratedMessage.UnusedPrivateParameter)
com.google.protobuf.GeneratedMessage.parseUnknownFieldProto3(com.google.protobuf.CodedInputStream,com.google.protobuf.UnknownFieldSet.Builder,com.google.protobuf.ExtensionRegistryLite,int)
Static Fields
CONDITIONS_FIELD_NUMBER
public static final int CONDITIONS_FIELD_NUMBER
| Field Value |
| Type |
Description |
int |
|
DESCRIPTION_FIELD_NUMBER
public static final int DESCRIPTION_FIELD_NUMBER
| Field Value |
| Type |
Description |
int |
|
EFFECT_FIELD_NUMBER
public static final int EFFECT_FIELD_NUMBER
| Field Value |
| Type |
Description |
int |
|
EXCLUDED_PRINCIPALS_FIELD_NUMBER
public static final int EXCLUDED_PRINCIPALS_FIELD_NUMBER
| Field Value |
| Type |
Description |
int |
|
OPERATION_FIELD_NUMBER
public static final int OPERATION_FIELD_NUMBER
| Field Value |
| Type |
Description |
int |
|
PRINCIPALS_FIELD_NUMBER
public static final int PRINCIPALS_FIELD_NUMBER
| Field Value |
| Type |
Description |
int |
|
Static Methods
getDefaultInstance()
public static AccessPolicyRule getDefaultInstance()
getDescriptor()
public static final Descriptors.Descriptor getDescriptor()
newBuilder()
public static AccessPolicyRule.Builder newBuilder()
newBuilder(AccessPolicyRule prototype)
public static AccessPolicyRule.Builder newBuilder(AccessPolicyRule prototype)
public static AccessPolicyRule parseDelimitedFrom(InputStream input)
public static AccessPolicyRule parseDelimitedFrom(InputStream input, ExtensionRegistryLite extensionRegistry)
parseFrom(byte[] data)
public static AccessPolicyRule parseFrom(byte[] data)
| Parameter |
| Name |
Description |
data |
byte[]
|
parseFrom(byte[] data, ExtensionRegistryLite extensionRegistry)
public static AccessPolicyRule parseFrom(byte[] data, ExtensionRegistryLite extensionRegistry)
parseFrom(ByteString data)
public static AccessPolicyRule parseFrom(ByteString data)
parseFrom(ByteString data, ExtensionRegistryLite extensionRegistry)
public static AccessPolicyRule parseFrom(ByteString data, ExtensionRegistryLite extensionRegistry)
public static AccessPolicyRule parseFrom(CodedInputStream input)
public static AccessPolicyRule parseFrom(CodedInputStream input, ExtensionRegistryLite extensionRegistry)
public static AccessPolicyRule parseFrom(InputStream input)
public static AccessPolicyRule parseFrom(InputStream input, ExtensionRegistryLite extensionRegistry)
parseFrom(ByteBuffer data)
public static AccessPolicyRule parseFrom(ByteBuffer data)
parseFrom(ByteBuffer data, ExtensionRegistryLite extensionRegistry)
public static AccessPolicyRule parseFrom(ByteBuffer data, ExtensionRegistryLite extensionRegistry)
parser()
public static Parser<AccessPolicyRule> parser()
Methods
containsConditions(String key)
public boolean containsConditions(String key)
Optional. The conditions that determine whether this rule applies to a
request. Conditions are identified by their key, which is the FQDN of the
service that they are relevant to. For example:

```
"conditions": {
  "iam.googleapis.com": {
    "expression": <cel expression>
  }
}
```

Each rule is evaluated independently. If this rule does not apply
to a request, other rules might still apply.

Currently supported keys are as follows:
- `eventarc.googleapis.com`: Can use CEL functions that evaluate resource fields.
- `iam.googleapis.com`: Can use CEL functions that evaluate resource tags and
  combine them using boolean and logical operators. Other functions and
  operators are not supported.
map<string, .google.type.Expr> conditions = 9 [(.google.api.field_behavior) = OPTIONAL];
| Parameter |
| Name |
Description |
key |
String
|
equals(Object obj)
public boolean equals(Object obj)
| Parameter |
| Name |
Description |
obj |
Object
|
Overrides
getConditions() (deprecated; use getConditionsMap() instead)
public Map<String,Expr> getConditions()
| Returns |
| Type |
Description |
Map<String,com.google.type.Expr> |
|
getConditionsCount()
public int getConditionsCount()
Optional. The conditions that determine whether this rule applies to a
request. Conditions are identified by their key, which is the FQDN of the
service that they are relevant to. For example:

```
"conditions": {
  "iam.googleapis.com": {
    "expression": <cel expression>
  }
}
```

Each rule is evaluated independently. If this rule does not apply
to a request, other rules might still apply.

Currently supported keys are as follows:
- `eventarc.googleapis.com`: Can use CEL functions that evaluate resource fields.
- `iam.googleapis.com`: Can use CEL functions that evaluate resource tags and
  combine them using boolean and logical operators. Other functions and
  operators are not supported.
map<string, .google.type.Expr> conditions = 9 [(.google.api.field_behavior) = OPTIONAL];
| Returns |
| Type |
Description |
int |
|
getConditionsMap()
public Map<String,Expr> getConditionsMap()
Optional. The conditions that determine whether this rule applies to a
request. Conditions are identified by their key, which is the FQDN of the
service that they are relevant to. For example:

```
"conditions": {
  "iam.googleapis.com": {
    "expression": <cel expression>
  }
}
```

Each rule is evaluated independently. If this rule does not apply
to a request, other rules might still apply.

Currently supported keys are as follows:
- `eventarc.googleapis.com`: Can use CEL functions that evaluate resource fields.
- `iam.googleapis.com`: Can use CEL functions that evaluate resource tags and
  combine them using boolean and logical operators. Other functions and
  operators are not supported.
map<string, .google.type.Expr> conditions = 9 [(.google.api.field_behavior) = OPTIONAL];
| Returns |
| Type |
Description |
Map<String,com.google.type.Expr> |
|
getConditionsOrDefault(String key, Expr defaultValue)
public Expr getConditionsOrDefault(String key, Expr defaultValue)
Optional. The conditions that determine whether this rule applies to a
request. Conditions are identified by their key, which is the FQDN of the
service that they are relevant to. For example:

```
"conditions": {
  "iam.googleapis.com": {
    "expression": <cel expression>
  }
}
```

Each rule is evaluated independently. If this rule does not apply
to a request, other rules might still apply.

Currently supported keys are as follows:
- `eventarc.googleapis.com`: Can use CEL functions that evaluate resource fields.
- `iam.googleapis.com`: Can use CEL functions that evaluate resource tags and
  combine them using boolean and logical operators. Other functions and
  operators are not supported.
map<string, .google.type.Expr> conditions = 9 [(.google.api.field_behavior) = OPTIONAL];
| Parameters |
| Name |
Description |
key |
String
|
defaultValue |
com.google.type.Expr
|
| Returns |
| Type |
Description |
com.google.type.Expr |
|
getConditionsOrThrow(String key)
public Expr getConditionsOrThrow(String key)
Optional. The conditions that determine whether this rule applies to a
request. Conditions are identified by their key, which is the FQDN of the
service that they are relevant to. For example:

```
"conditions": {
  "iam.googleapis.com": {
    "expression": <cel expression>
  }
}
```

Each rule is evaluated independently. If this rule does not apply
to a request, other rules might still apply.

Currently supported keys are as follows:
- `eventarc.googleapis.com`: Can use CEL functions that evaluate resource fields.
- `iam.googleapis.com`: Can use CEL functions that evaluate resource tags and
  combine them using boolean and logical operators. Other functions and
  operators are not supported.
map<string, .google.type.Expr> conditions = 9 [(.google.api.field_behavior) = OPTIONAL];
| Parameter |
| Name |
Description |
key |
String
|
| Returns |
| Type |
Description |
com.google.type.Expr |
|
getDefaultInstanceForType()
public AccessPolicyRule getDefaultInstanceForType()
getDescription()
public String getDescription()
Optional. Customer specified description of the rule. Must be less than or
equal to 256 characters.
optional string description = 1 [(.google.api.field_behavior) = OPTIONAL];
| Returns |
| Type |
Description |
String |
The description.
|
getDescriptionBytes()
public ByteString getDescriptionBytes()
Optional. Customer specified description of the rule. Must be less than or
equal to 256 characters.
optional string description = 1 [(.google.api.field_behavior) = OPTIONAL];
| Returns |
| Type |
Description |
ByteString |
The bytes for description.
|
getEffect()
public AccessPolicyRule.Effect getEffect()
Required. The effect of the rule.
optional .google.iam.v3beta.AccessPolicyRule.Effect effect = 2 [(.google.api.field_behavior) = REQUIRED];
getEffectValue()
public int getEffectValue()
Required. The effect of the rule.
optional .google.iam.v3beta.AccessPolicyRule.Effect effect = 2 [(.google.api.field_behavior) = REQUIRED];
| Returns |
| Type |
Description |
int |
The enum numeric value on the wire for effect.
|
getExcludedPrincipals(int index)
public String getExcludedPrincipals(int index)
Optional. The identities that are excluded from the access policy rule,
even if they are listed in the principals. For example, you could add a
Google group to the principals, then exclude specific users who belong to
that group.
repeated string excluded_principals = 4 [(.google.api.field_behavior) = OPTIONAL];
| Parameter |
| Name |
Description |
index |
int
The index of the element to return.
|
| Returns |
| Type |
Description |
String |
The excludedPrincipals at the given index.
|
getExcludedPrincipalsBytes(int index)
public ByteString getExcludedPrincipalsBytes(int index)
Optional. The identities that are excluded from the access policy rule,
even if they are listed in the principals. For example, you could add a
Google group to the principals, then exclude specific users who belong to
that group.
repeated string excluded_principals = 4 [(.google.api.field_behavior) = OPTIONAL];
| Parameter |
| Name |
Description |
index |
int
The index of the value to return.
|
| Returns |
| Type |
Description |
ByteString |
The bytes of the excludedPrincipals at the given index.
|
getExcludedPrincipalsCount()
public int getExcludedPrincipalsCount()
Optional. The identities that are excluded from the access policy rule,
even if they are listed in the principals. For example, you could add a
Google group to the principals, then exclude specific users who belong to
that group.
repeated string excluded_principals = 4 [(.google.api.field_behavior) = OPTIONAL];
| Returns |
| Type |
Description |
int |
The count of excludedPrincipals.
|
getExcludedPrincipalsList()
public ProtocolStringList getExcludedPrincipalsList()
Optional. The identities that are excluded from the access policy rule,
even if they are listed in the principals. For example, you could add a
Google group to the principals, then exclude specific users who belong to
that group.
repeated string excluded_principals = 4 [(.google.api.field_behavior) = OPTIONAL];
getOperation()
public AccessPolicyRule.Operation getOperation()
Required. Attributes that are used to determine whether this rule applies
to a request.
.google.iam.v3beta.AccessPolicyRule.Operation operation = 10 [(.google.api.field_behavior) = REQUIRED];
getOperationOrBuilder()
public AccessPolicyRule.OperationOrBuilder getOperationOrBuilder()
Required. Attributes that are used to determine whether this rule applies
to a request.
.google.iam.v3beta.AccessPolicyRule.Operation operation = 10 [(.google.api.field_behavior) = REQUIRED];
getParserForType()
public Parser<AccessPolicyRule> getParserForType()
Overrides
getPrincipals(int index)
public String getPrincipals(int index)
Required. The identities whose use of one or more permissions on Google Cloud
resources is governed by this rule's effect. This field can contain the
following values:
- `principal://goog/subject/{email_id}`: A specific Google Account.
  Includes Gmail, Cloud Identity, and Google Workspace user accounts. For
  example, `principal://goog/subject/alice@example.com`.
- `principal://iam.googleapis.com/projects/-/serviceAccounts/{service_account_id}`:
  A Google Cloud service account. For example,
  `principal://iam.googleapis.com/projects/-/serviceAccounts/my-service-account@iam.gserviceaccount.com`.
- `principalSet://goog/group/{group_id}`: A Google group. For example,
  `principalSet://goog/group/admins@example.com`.
- `principalSet://goog/cloudIdentityCustomerId/{customer_id}`: All of the
  principals associated with the specified Google Workspace or Cloud
  Identity customer ID. For example,
  `principalSet://goog/cloudIdentityCustomerId/C01Abc35`.

If an identifier that was previously set on a policy is soft deleted, then
calls to read that policy will return the identifier with a `deleted:`
prefix. Users cannot set identifiers with this syntax.
- `deleted:principal://goog/subject/{email_id}?uid={uid}`: A specific
  Google Account that was deleted recently. For example,
  `deleted:principal://goog/subject/alice@example.com?uid=1234567890`. If
  the Google Account is recovered, this identifier reverts to the standard
  identifier for a Google Account.
- `deleted:principalSet://goog/group/{group_id}?uid={uid}`: A Google group
  that was deleted recently. For example,
  `deleted:principalSet://goog/group/admins@example.com?uid=1234567890`.
  If the Google group is restored, this identifier reverts to the standard
  identifier for a Google group.
- `deleted:principal://iam.googleapis.com/projects/-/serviceAccounts/{service_account_id}?uid={uid}`:
  A Google Cloud service account that was deleted recently. For example,
  `deleted:principal://iam.googleapis.com/projects/-/serviceAccounts/my-service-account@iam.gserviceaccount.com?uid=1234567890`.
  If the service account is undeleted, this identifier reverts to the
  standard identifier for a service account.
repeated string principals = 3 [(.google.api.field_behavior) = REQUIRED];
| Parameter |
| Name |
Description |
index |
int
The index of the element to return.
|
| Returns |
| Type |
Description |
String |
The principals at the given index.
|
getPrincipalsBytes(int index)
public ByteString getPrincipalsBytes(int index)
Required. The identities whose use of one or more permissions on Google Cloud
resources is governed by this rule's effect. This field can contain the
following values:
- `principal://goog/subject/{email_id}`: A specific Google Account.
  Includes Gmail, Cloud Identity, and Google Workspace user accounts. For
  example, `principal://goog/subject/alice@example.com`.
- `principal://iam.googleapis.com/projects/-/serviceAccounts/{service_account_id}`:
  A Google Cloud service account. For example,
  `principal://iam.googleapis.com/projects/-/serviceAccounts/my-service-account@iam.gserviceaccount.com`.
- `principalSet://goog/group/{group_id}`: A Google group. For example,
  `principalSet://goog/group/admins@example.com`.
- `principalSet://goog/cloudIdentityCustomerId/{customer_id}`: All of the
  principals associated with the specified Google Workspace or Cloud
  Identity customer ID. For example,
  `principalSet://goog/cloudIdentityCustomerId/C01Abc35`.

If an identifier that was previously set on a policy is soft deleted, then
calls to read that policy will return the identifier with a `deleted:`
prefix. Users cannot set identifiers with this syntax.
- `deleted:principal://goog/subject/{email_id}?uid={uid}`: A specific
  Google Account that was deleted recently. For example,
  `deleted:principal://goog/subject/alice@example.com?uid=1234567890`. If
  the Google Account is recovered, this identifier reverts to the standard
  identifier for a Google Account.
- `deleted:principalSet://goog/group/{group_id}?uid={uid}`: A Google group
  that was deleted recently. For example,
  `deleted:principalSet://goog/group/admins@example.com?uid=1234567890`.
  If the Google group is restored, this identifier reverts to the standard
  identifier for a Google group.
- `deleted:principal://iam.googleapis.com/projects/-/serviceAccounts/{service_account_id}?uid={uid}`:
  A Google Cloud service account that was deleted recently. For example,
  `deleted:principal://iam.googleapis.com/projects/-/serviceAccounts/my-service-account@iam.gserviceaccount.com?uid=1234567890`.
  If the service account is undeleted, this identifier reverts to the
  standard identifier for a service account.
repeated string principals = 3 [(.google.api.field_behavior) = REQUIRED];
| Parameter |
| Name |
Description |
index |
int
The index of the value to return.
|
| Returns |
| Type |
Description |
ByteString |
The bytes of the principals at the given index.
|
getPrincipalsCount()
public int getPrincipalsCount()
Required. The identities whose use of one or more permissions on Google Cloud
resources is governed by this rule's effect. This field can contain the
following values:
- `principal://goog/subject/{email_id}`: A specific Google Account.
  Includes Gmail, Cloud Identity, and Google Workspace user accounts. For
  example, `principal://goog/subject/alice@example.com`.
- `principal://iam.googleapis.com/projects/-/serviceAccounts/{service_account_id}`:
  A Google Cloud service account. For example,
  `principal://iam.googleapis.com/projects/-/serviceAccounts/my-service-account@iam.gserviceaccount.com`.
- `principalSet://goog/group/{group_id}`: A Google group. For example,
  `principalSet://goog/group/admins@example.com`.
- `principalSet://goog/cloudIdentityCustomerId/{customer_id}`: All of the
  principals associated with the specified Google Workspace or Cloud
  Identity customer ID. For example,
  `principalSet://goog/cloudIdentityCustomerId/C01Abc35`.

If an identifier that was previously set on a policy is soft deleted, then
calls to read that policy will return the identifier with a `deleted:`
prefix. Users cannot set identifiers with this syntax.
- `deleted:principal://goog/subject/{email_id}?uid={uid}`: A specific
  Google Account that was deleted recently. For example,
  `deleted:principal://goog/subject/alice@example.com?uid=1234567890`. If
  the Google Account is recovered, this identifier reverts to the standard
  identifier for a Google Account.
- `deleted:principalSet://goog/group/{group_id}?uid={uid}`: A Google group
  that was deleted recently. For example,
  `deleted:principalSet://goog/group/admins@example.com?uid=1234567890`.
  If the Google group is restored, this identifier reverts to the standard
  identifier for a Google group.
- `deleted:principal://iam.googleapis.com/projects/-/serviceAccounts/{service_account_id}?uid={uid}`:
  A Google Cloud service account that was deleted recently. For example,
  `deleted:principal://iam.googleapis.com/projects/-/serviceAccounts/my-service-account@iam.gserviceaccount.com?uid=1234567890`.
  If the service account is undeleted, this identifier reverts to the
  standard identifier for a service account.
repeated string principals = 3 [(.google.api.field_behavior) = REQUIRED];
| Returns |
| Type |
Description |
int |
The count of principals.
|
getPrincipalsList()
public ProtocolStringList getPrincipalsList()
Required. The identities whose use of one or more permissions on Google Cloud
resources is governed by this rule's effect. This field can contain the
following values:
- `principal://goog/subject/{email_id}`: A specific Google Account.
  Includes Gmail, Cloud Identity, and Google Workspace user accounts. For
  example, `principal://goog/subject/alice@example.com`.
- `principal://iam.googleapis.com/projects/-/serviceAccounts/{service_account_id}`:
  A Google Cloud service account. For example,
  `principal://iam.googleapis.com/projects/-/serviceAccounts/my-service-account@iam.gserviceaccount.com`.
- `principalSet://goog/group/{group_id}`: A Google group. For example,
  `principalSet://goog/group/admins@example.com`.
- `principalSet://goog/cloudIdentityCustomerId/{customer_id}`: All of the
  principals associated with the specified Google Workspace or Cloud
  Identity customer ID. For example,
  `principalSet://goog/cloudIdentityCustomerId/C01Abc35`.

If an identifier that was previously set on a policy is soft deleted, then
calls to read that policy will return the identifier with a `deleted:`
prefix. Users cannot set identifiers with this syntax.
- `deleted:principal://goog/subject/{email_id}?uid={uid}`: A specific
  Google Account that was deleted recently. For example,
  `deleted:principal://goog/subject/alice@example.com?uid=1234567890`. If
  the Google Account is recovered, this identifier reverts to the standard
  identifier for a Google Account.
- `deleted:principalSet://goog/group/{group_id}?uid={uid}`: A Google group
  that was deleted recently. For example,
  `deleted:principalSet://goog/group/admins@example.com?uid=1234567890`.
  If the Google group is restored, this identifier reverts to the standard
  identifier for a Google group.
- `deleted:principal://iam.googleapis.com/projects/-/serviceAccounts/{service_account_id}?uid={uid}`:
  A Google Cloud service account that was deleted recently. For example,
  `deleted:principal://iam.googleapis.com/projects/-/serviceAccounts/my-service-account@iam.gserviceaccount.com?uid=1234567890`.
  If the service account is undeleted, this identifier reverts to the
  standard identifier for a service account.
repeated string principals = 3 [(.google.api.field_behavior) = REQUIRED];
getSerializedSize()
public int getSerializedSize()
| Returns |
| Type |
Description |
int |
|
Overrides
hasDescription()
public boolean hasDescription()
Optional. Customer specified description of the rule. Must be less than or
equal to 256 characters.
optional string description = 1 [(.google.api.field_behavior) = OPTIONAL];
| Returns |
| Type |
Description |
boolean |
Whether the description field is set.
|
hasEffect()
public boolean hasEffect()
Required. The effect of the rule.
optional .google.iam.v3beta.AccessPolicyRule.Effect effect = 2 [(.google.api.field_behavior) = REQUIRED];
| Returns |
| Type |
Description |
boolean |
Whether the effect field is set.
|
hasOperation()
public boolean hasOperation()
Required. Attributes that are used to determine whether this rule applies
to a request.
.google.iam.v3beta.AccessPolicyRule.Operation operation = 10 [(.google.api.field_behavior) = REQUIRED];
| Returns |
| Type |
Description |
boolean |
Whether the operation field is set.
|
hashCode()
| Returns |
| Type |
Description |
int |
|
Overrides
internalGetFieldAccessorTable()
protected GeneratedMessage.FieldAccessorTable internalGetFieldAccessorTable()
Overrides
internalGetMapFieldReflection(int number)
protected MapFieldReflectionAccessor internalGetMapFieldReflection(int number)
| Parameter |
| Name |
Description |
number |
int
|
| Returns |
| Type |
Description |
com.google.protobuf.MapFieldReflectionAccessor |
|
Overrides
com.google.protobuf.GeneratedMessage.internalGetMapFieldReflection(int)
isInitialized()
public final boolean isInitialized()
Overrides
newBuilderForType()
public AccessPolicyRule.Builder newBuilderForType()
newBuilderForType(AbstractMessage.BuilderParent parent)
protected AccessPolicyRule.Builder newBuilderForType(AbstractMessage.BuilderParent parent)
Overrides
toBuilder()
public AccessPolicyRule.Builder toBuilder()
writeTo(CodedOutputStream output)
public void writeTo(CodedOutputStream output)
Overrides