Interface AccessPolicyRuleOrBuilder (1.67.0)

public interface AccessPolicyRuleOrBuilder extends MessageOrBuilder

Implements

MessageOrBuilder

Methods

containsConditions(String key)

public abstract boolean containsConditions(String key)

Optional. The conditions that determine whether this rule applies to a request. Conditions are identified by their key, which is the FQDN of the service that they are relevant to. For example:

"conditions": { "iam.googleapis.com": { "expression": <cel expression> } }

Each rule is evaluated independently. If this rule does not apply to a request, other rules might still apply. Currently supported keys are as follows:

  • eventarc.googleapis.com: Can use CEL functions that evaluate resource fields.

  • iam.googleapis.com: Can use CEL functions that evaluate resource tags and combine them using boolean and logical operators. Other functions and operators are not supported.

    map<string, .google.type.Expr> conditions = 9 [(.google.api.field_behavior) = OPTIONAL];

    Parameter
    Name Description
    key String
    Returns
    Type Description
    boolean

    getConditions() (deprecated)

    public abstract Map<String,Expr> getConditions()

    Use #getConditionsMap() instead.

    Returns
    Type Description
    Map<String,com.google.type.Expr>

    getConditionsCount()

    public abstract int getConditionsCount()

    Optional. The conditions that determine whether this rule applies to a request. Conditions are identified by their key, which is the FQDN of the service that they are relevant to. For example:

    "conditions": { "iam.googleapis.com": { "expression": <cel expression> } }

    Each rule is evaluated independently. If this rule does not apply to a request, other rules might still apply. Currently supported keys are as follows:

    • eventarc.googleapis.com: Can use CEL functions that evaluate resource fields.

    • iam.googleapis.com: Can use CEL functions that evaluate resource tags and combine them using boolean and logical operators. Other functions and operators are not supported.

    map<string, .google.type.Expr> conditions = 9 [(.google.api.field_behavior) = OPTIONAL];

    Returns
    Type Description
    int

    getConditionsMap()

    public abstract Map<String,Expr> getConditionsMap()

    Optional. The conditions that determine whether this rule applies to a request. Conditions are identified by their key, which is the FQDN of the service that they are relevant to. For example:

    "conditions": { "iam.googleapis.com": { "expression": <cel expression> } }

    Each rule is evaluated independently. If this rule does not apply to a request, other rules might still apply. Currently supported keys are as follows:

    • eventarc.googleapis.com: Can use CEL functions that evaluate resource fields.

    • iam.googleapis.com: Can use CEL functions that evaluate resource tags and combine them using boolean and logical operators. Other functions and operators are not supported.

    map<string, .google.type.Expr> conditions = 9 [(.google.api.field_behavior) = OPTIONAL];

    Returns
    Type Description
    Map<String,com.google.type.Expr>

    getConditionsOrDefault(String key, Expr defaultValue)

    public abstract Expr getConditionsOrDefault(String key, Expr defaultValue)

    Optional. The conditions that determine whether this rule applies to a request. Conditions are identified by their key, which is the FQDN of the service that they are relevant to. For example:

    "conditions": { "iam.googleapis.com": { "expression": <cel expression> } }

    Each rule is evaluated independently. If this rule does not apply to a request, other rules might still apply. Currently supported keys are as follows:

    • eventarc.googleapis.com: Can use CEL functions that evaluate resource fields.

    • iam.googleapis.com: Can use CEL functions that evaluate resource tags and combine them using boolean and logical operators. Other functions and operators are not supported.

    map<string, .google.type.Expr> conditions = 9 [(.google.api.field_behavior) = OPTIONAL];

    Parameters
    Name Description
    key String
    defaultValue com.google.type.Expr
    Returns
    Type Description
    com.google.type.Expr

    getConditionsOrThrow(String key)

    public abstract Expr getConditionsOrThrow(String key)

    Optional. The conditions that determine whether this rule applies to a request. Conditions are identified by their key, which is the FQDN of the service that they are relevant to. For example:

    "conditions": { "iam.googleapis.com": { "expression": <cel expression> } }

    Each rule is evaluated independently. If this rule does not apply to a request, other rules might still apply. Currently supported keys are as follows:

    • eventarc.googleapis.com: Can use CEL functions that evaluate resource fields.

    • iam.googleapis.com: Can use CEL functions that evaluate resource tags and combine them using boolean and logical operators. Other functions and operators are not supported.

    map<string, .google.type.Expr> conditions = 9 [(.google.api.field_behavior) = OPTIONAL];

    Parameter
    Name Description
    key String
    Returns
    Type Description
    com.google.type.Expr

    getDescription()

    public abstract String getDescription()

    Optional. Customer specified description of the rule. Must be less than or equal to 256 characters.

    optional string description = 1 [(.google.api.field_behavior) = OPTIONAL];

    Returns
    Type Description
    String

    The description.

    getDescriptionBytes()

    public abstract ByteString getDescriptionBytes()

    Optional. Customer specified description of the rule. Must be less than or equal to 256 characters.

    optional string description = 1 [(.google.api.field_behavior) = OPTIONAL];

    Returns
    Type Description
    ByteString

    The bytes for description.

    getEffect()

    public abstract AccessPolicyRule.Effect getEffect()

    Required. The effect of the rule.

    optional .google.iam.v3beta.AccessPolicyRule.Effect effect = 2 [(.google.api.field_behavior) = REQUIRED];

    Returns
    Type Description
    AccessPolicyRule.Effect

    The effect.

    getEffectValue()

    public abstract int getEffectValue()

    Required. The effect of the rule.

    optional .google.iam.v3beta.AccessPolicyRule.Effect effect = 2 [(.google.api.field_behavior) = REQUIRED];

    Returns
    Type Description
    int

    The enum numeric value on the wire for effect.

    getExcludedPrincipals(int index)

    public abstract String getExcludedPrincipals(int index)

    Optional. The identities that are excluded from the access policy rule, even if they are listed in the principals. For example, you could add a Google group to the principals, then exclude specific users who belong to that group.

    repeated string excluded_principals = 4 [(.google.api.field_behavior) = OPTIONAL];

    Parameter
    Name Description
    index int

    The index of the element to return.

    Returns
    Type Description
    String

    The excludedPrincipals at the given index.

    getExcludedPrincipalsBytes(int index)

    public abstract ByteString getExcludedPrincipalsBytes(int index)

    Optional. The identities that are excluded from the access policy rule, even if they are listed in the principals. For example, you could add a Google group to the principals, then exclude specific users who belong to that group.

    repeated string excluded_principals = 4 [(.google.api.field_behavior) = OPTIONAL];

    Parameter
    Name Description
    index int

    The index of the value to return.

    Returns
    Type Description
    ByteString

    The bytes of the excludedPrincipals at the given index.

    getExcludedPrincipalsCount()

    public abstract int getExcludedPrincipalsCount()

    Optional. The identities that are excluded from the access policy rule, even if they are listed in the principals. For example, you could add a Google group to the principals, then exclude specific users who belong to that group.

    repeated string excluded_principals = 4 [(.google.api.field_behavior) = OPTIONAL];

    Returns
    Type Description
    int

    The count of excludedPrincipals.

    getExcludedPrincipalsList()

    public abstract List<String> getExcludedPrincipalsList()

    Optional. The identities that are excluded from the access policy rule, even if they are listed in the principals. For example, you could add a Google group to the principals, then exclude specific users who belong to that group.

    repeated string excluded_principals = 4 [(.google.api.field_behavior) = OPTIONAL];

    Returns
    Type Description
    List<String>

    A list containing the excludedPrincipals.

    getOperation()

    public abstract AccessPolicyRule.Operation getOperation()

    Required. Attributes that are used to determine whether this rule applies to a request.

    .google.iam.v3beta.AccessPolicyRule.Operation operation = 10 [(.google.api.field_behavior) = REQUIRED];

    Returns
    Type Description
    AccessPolicyRule.Operation

    The operation.

    getOperationOrBuilder()

    public abstract AccessPolicyRule.OperationOrBuilder getOperationOrBuilder()

    Required. Attributes that are used to determine whether this rule applies to a request.

    .google.iam.v3beta.AccessPolicyRule.Operation operation = 10 [(.google.api.field_behavior) = REQUIRED];

    Returns
    Type Description
    AccessPolicyRule.OperationOrBuilder

    getPrincipals(int index)

    public abstract String getPrincipals(int index)

    Required. The identities for which this rule's effect governs using one or more permissions on Google Cloud resources. This field can contain the following values:

    • principal://goog/subject/{email_id}: A specific Google Account. Includes Gmail, Cloud Identity, and Google Workspace user accounts. For example, principal://goog/subject/alice@example.com.

    • principal://iam.googleapis.com/projects/-/serviceAccounts/{service_account_id}: A Google Cloud service account. For example, principal://iam.googleapis.com/projects/-/serviceAccounts/my-service-account@iam.gserviceaccount.com.

    • principalSet://goog/group/{group_id}: A Google group. For example, principalSet://goog/group/admins@example.com.

    • principalSet://goog/cloudIdentityCustomerId/{customer_id}: All of the principals associated with the specified Google Workspace or Cloud Identity customer ID. For example, principalSet://goog/cloudIdentityCustomerId/C01Abc35.

    If an identifier that was previously set on a policy is soft deleted, then calls to read that policy will return the identifier with a deleted prefix. Users cannot set identifiers with this syntax.

    • deleted:principal://goog/subject/{email_id}?uid={uid}: A specific Google Account that was deleted recently. For example, deleted:principal://goog/subject/alice@example.com?uid=1234567890. If the Google Account is recovered, this identifier reverts to the standard identifier for a Google Account.

    • deleted:principalSet://goog/group/{group_id}?uid={uid}: A Google group that was deleted recently. For example, deleted:principalSet://goog/group/admins@example.com?uid=1234567890. If the Google group is restored, this identifier reverts to the standard identifier for a Google group.

    • deleted:principal://iam.googleapis.com/projects/-/serviceAccounts/{service_account_id}?uid={uid}: A Google Cloud service account that was deleted recently. For example, deleted:principal://iam.googleapis.com/projects/-/serviceAccounts/my-service-account@iam.gserviceaccount.com?uid=1234567890. If the service account is undeleted, this identifier reverts to the standard identifier for a service account.

    repeated string principals = 3 [(.google.api.field_behavior) = REQUIRED];

    Parameter
    Name Description
    index int

    The index of the element to return.

    Returns
    Type Description
    String

    The principals at the given index.

    getPrincipalsBytes(int index)

    public abstract ByteString getPrincipalsBytes(int index)

    Required. The identities for which this rule's effect governs using one or more permissions on Google Cloud resources. This field can contain the following values:

    • principal://goog/subject/{email_id}: A specific Google Account. Includes Gmail, Cloud Identity, and Google Workspace user accounts. For example, principal://goog/subject/alice@example.com.

    • principal://iam.googleapis.com/projects/-/serviceAccounts/{service_account_id}: A Google Cloud service account. For example, principal://iam.googleapis.com/projects/-/serviceAccounts/my-service-account@iam.gserviceaccount.com.

    • principalSet://goog/group/{group_id}: A Google group. For example, principalSet://goog/group/admins@example.com.

    • principalSet://goog/cloudIdentityCustomerId/{customer_id}: All of the principals associated with the specified Google Workspace or Cloud Identity customer ID. For example, principalSet://goog/cloudIdentityCustomerId/C01Abc35.

    If an identifier that was previously set on a policy is soft deleted, then calls to read that policy will return the identifier with a deleted prefix. Users cannot set identifiers with this syntax.

    • deleted:principal://goog/subject/{email_id}?uid={uid}: A specific Google Account that was deleted recently. For example, deleted:principal://goog/subject/alice@example.com?uid=1234567890. If the Google Account is recovered, this identifier reverts to the standard identifier for a Google Account.

    • deleted:principalSet://goog/group/{group_id}?uid={uid}: A Google group that was deleted recently. For example, deleted:principalSet://goog/group/admins@example.com?uid=1234567890. If the Google group is restored, this identifier reverts to the standard identifier for a Google group.

    • deleted:principal://iam.googleapis.com/projects/-/serviceAccounts/{service_account_id}?uid={uid}: A Google Cloud service account that was deleted recently. For example, deleted:principal://iam.googleapis.com/projects/-/serviceAccounts/my-service-account@iam.gserviceaccount.com?uid=1234567890. If the service account is undeleted, this identifier reverts to the standard identifier for a service account.

    repeated string principals = 3 [(.google.api.field_behavior) = REQUIRED];

    Parameter
    Name Description
    index int

    The index of the value to return.

    Returns
    Type Description
    ByteString

    The bytes of the principals at the given index.

    getPrincipalsCount()

    public abstract int getPrincipalsCount()

    Required. The identities for which this rule's effect governs using one or more permissions on Google Cloud resources. This field can contain the following values:

    • principal://goog/subject/{email_id}: A specific Google Account. Includes Gmail, Cloud Identity, and Google Workspace user accounts. For example, principal://goog/subject/alice@example.com.

    • principal://iam.googleapis.com/projects/-/serviceAccounts/{service_account_id}: A Google Cloud service account. For example, principal://iam.googleapis.com/projects/-/serviceAccounts/my-service-account@iam.gserviceaccount.com.

    • principalSet://goog/group/{group_id}: A Google group. For example, principalSet://goog/group/admins@example.com.

    • principalSet://goog/cloudIdentityCustomerId/{customer_id}: All of the principals associated with the specified Google Workspace or Cloud Identity customer ID. For example, principalSet://goog/cloudIdentityCustomerId/C01Abc35.

    If an identifier that was previously set on a policy is soft deleted, then calls to read that policy will return the identifier with a deleted prefix. Users cannot set identifiers with this syntax.

    • deleted:principal://goog/subject/{email_id}?uid={uid}: A specific Google Account that was deleted recently. For example, deleted:principal://goog/subject/alice@example.com?uid=1234567890. If the Google Account is recovered, this identifier reverts to the standard identifier for a Google Account.

    • deleted:principalSet://goog/group/{group_id}?uid={uid}: A Google group that was deleted recently. For example, deleted:principalSet://goog/group/admins@example.com?uid=1234567890. If the Google group is restored, this identifier reverts to the standard identifier for a Google group.

    • deleted:principal://iam.googleapis.com/projects/-/serviceAccounts/{service_account_id}?uid={uid}: A Google Cloud service account that was deleted recently. For example, deleted:principal://iam.googleapis.com/projects/-/serviceAccounts/my-service-account@iam.gserviceaccount.com?uid=1234567890. If the service account is undeleted, this identifier reverts to the standard identifier for a service account.

    repeated string principals = 3 [(.google.api.field_behavior) = REQUIRED];

    Returns
    Type Description
    int

    The count of principals.

    getPrincipalsList()

    public abstract List<String> getPrincipalsList()

    Required. The identities for which this rule's effect governs using one or more permissions on Google Cloud resources. This field can contain the following values:

    • principal://goog/subject/{email_id}: A specific Google Account. Includes Gmail, Cloud Identity, and Google Workspace user accounts. For example, principal://goog/subject/alice@example.com.

    • principal://iam.googleapis.com/projects/-/serviceAccounts/{service_account_id}: A Google Cloud service account. For example, principal://iam.googleapis.com/projects/-/serviceAccounts/my-service-account@iam.gserviceaccount.com.

    • principalSet://goog/group/{group_id}: A Google group. For example, principalSet://goog/group/admins@example.com.

    • principalSet://goog/cloudIdentityCustomerId/{customer_id}: All of the principals associated with the specified Google Workspace or Cloud Identity customer ID. For example, principalSet://goog/cloudIdentityCustomerId/C01Abc35.

    If an identifier that was previously set on a policy is soft deleted, then calls to read that policy will return the identifier with a deleted prefix. Users cannot set identifiers with this syntax.

    • deleted:principal://goog/subject/{email_id}?uid={uid}: A specific Google Account that was deleted recently. For example, deleted:principal://goog/subject/alice@example.com?uid=1234567890. If the Google Account is recovered, this identifier reverts to the standard identifier for a Google Account.

    • deleted:principalSet://goog/group/{group_id}?uid={uid}: A Google group that was deleted recently. For example, deleted:principalSet://goog/group/admins@example.com?uid=1234567890. If the Google group is restored, this identifier reverts to the standard identifier for a Google group.

    • deleted:principal://iam.googleapis.com/projects/-/serviceAccounts/{service_account_id}?uid={uid}: A Google Cloud service account that was deleted recently. For example, deleted:principal://iam.googleapis.com/projects/-/serviceAccounts/my-service-account@iam.gserviceaccount.com?uid=1234567890. If the service account is undeleted, this identifier reverts to the standard identifier for a service account.

    repeated string principals = 3 [(.google.api.field_behavior) = REQUIRED];

    Returns
    Type Description
    List<String>

    A list containing the principals.
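
An added example, not part of the generated reference or the client library: a stand-alone Java 16+ class that classifies the strings returned by getPrincipalsList() and getExcludedPrincipalsList() against the identifier formats listed above and reports the entries an access review would look at. The class name PrincipalAudit, its methods and the sample values are assumptions made for illustration.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.Map;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/** Added example: classifies principal identifiers in the formats listed above. */
public class PrincipalAudit {
  enum Kind { GOOGLE_ACCOUNT, SERVICE_ACCOUNT, GROUP, CUSTOMER_ID, UNRECOGNIZED }

  /** A parsed identifier; uid is non-null only for the "deleted:" forms. */
  record Parsed(Kind kind, String id, boolean deleted, String uid) {}

  // Optional "deleted:" prefix, identifier body, optional "?uid=..." suffix.
  private static final Pattern SHAPE =
      Pattern.compile("^(deleted:)?(.+?)(?:\\?uid=([^?]+))?$");

  private static final Map<String, Kind> PREFIXES = Map.of(
      "principal://goog/subject/", Kind.GOOGLE_ACCOUNT,
      "principal://iam.googleapis.com/projects/-/serviceAccounts/", Kind.SERVICE_ACCOUNT,
      "principalSet://goog/group/", Kind.GROUP,
      "principalSet://goog/cloudIdentityCustomerId/", Kind.CUSTOMER_ID);

  static Parsed parse(String identifier) {
    Parsed unknown = new Parsed(Kind.UNRECOGNIZED, identifier, false, null);
    Matcher m = SHAPE.matcher(identifier);
    if (!m.matches()) return unknown;
    boolean deleted = m.group(1) != null;
    String body = m.group(2), uid = m.group(3);
    // The documented deleted forms always carry a uid; the live forms never do.
    if (deleted != (uid != null)) return unknown;
    for (Map.Entry<String, Kind> e : PREFIXES.entrySet()) {
      String prefix = e.getKey();
      // No deleted form is documented for customer-ID sets.
      boolean documented = !(deleted && e.getValue() == Kind.CUSTOMER_ID);
      if (documented && body.startsWith(prefix) && body.length() > prefix.length()) {
        return new Parsed(e.getValue(), body.substring(prefix.length()), deleted, uid);
      }
    }
    return unknown;
  }

  /** Returns one finding per entry that deserves a second look in an access review. */
  static List<String> audit(List<String> principals, List<String> excluded) {
    List<String> findings = new ArrayList<>();
    for (String p : principals) {
      Parsed parsed = parse(p);
      if (parsed.kind() == Kind.UNRECOGNIZED) {
        findings.add("unrecognized format: " + p);
      } else if (parsed.deleted()) {
        findings.add("soft-deleted " + parsed.kind() + " still listed: "
            + parsed.id() + " (uid " + parsed.uid() + ")");
      } else if (parsed.kind() == Kind.CUSTOMER_ID) {
        findings.add("covers every principal of customer " + parsed.id());
      }
      if (excluded.contains(p)) findings.add("listed in principals but excluded: " + p);
    }
    return findings;
  }
}
```

To try it on constructed input, call `PrincipalAudit.audit(...)` with two `List.of(...)` lists built from the example identifiers above, such as `deleted:principalSet://goog/group/admins@example.com?uid=1234567890`.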

    hasDescription()

    public abstract boolean hasDescription()

    Optional. Customer specified description of the rule. Must be less than or equal to 256 characters.

    optional string description = 1 [(.google.api.field_behavior) = OPTIONAL];

    Returns
    Type Description
    boolean

    Whether the description field is set.

    hasEffect()

    public abstract boolean hasEffect()

    Required. The effect of the rule.

    optional .google.iam.v3beta.AccessPolicyRule.Effect effect = 2 [(.google.api.field_behavior) = REQUIRED];

    Returns
    Type Description
    boolean

    Whether the effect field is set.

    hasOperation()

    public abstract boolean hasOperation()

    Required. Attributes that are used to determine whether this rule applies to a request.

    .google.iam.v3beta.AccessPolicyRule.Operation operation = 10 [(.google.api.field_behavior) = REQUIRED];

    Returns
    Type Description
    boolean

    Whether the operation field is set.