docs: update generated docs (#981)
diff --git a/docs/dyn/cloudresourcemanager_v1.folders.html b/docs/dyn/cloudresourcemanager_v1.folders.html
index 10c5739..0445c6f 100644
--- a/docs/dyn/cloudresourcemanager_v1.folders.html
+++ b/docs/dyn/cloudresourcemanager_v1.folders.html
@@ -161,6 +161,95 @@
{ # Defines a Cloud Organization `Policy` which is used to specify `Constraints`
# for configurations of Cloud Platform resources.
+ "booleanPolicy": { # Used in `policy_type` to specify how `boolean_policy` will behave at this # For boolean `Constraints`, whether to enforce the `Constraint` or not.
+ # resource.
+ "enforced": True or False, # If `true`, then the `Policy` is enforced. If `false`, then any
+ # configuration is acceptable.
+ #
+ # Suppose you have a `Constraint`
+ # `constraints/compute.disableSerialPortAccess` with `constraint_default`
+ # set to `ALLOW`. A `Policy` for that `Constraint` exhibits the following
+ # behavior:
+ # - If the `Policy` at this resource has enforced set to `false`, serial
+ # port connection attempts will be allowed.
+ # - If the `Policy` at this resource has enforced set to `true`, serial
+ # port connection attempts will be refused.
+ # - If the `Policy` at this resource is `RestoreDefault`, serial port
+ # connection attempts will be allowed.
+ # - If no `Policy` is set at this resource or anywhere higher in the
+ # resource hierarchy, serial port connection attempts will be allowed.
+ # - If no `Policy` is set at this resource, but one exists higher in the
+ # resource hierarchy, the behavior is as if the`Policy` were set at
+ # this resource.
+ #
+ # The following examples demonstrate the different possible layerings:
+ #
+ # Example 1 (nearest `Constraint` wins):
+ # `organizations/foo` has a `Policy` with:
+ # {enforced: false}
+ # `projects/bar` has no `Policy` set.
+ # The constraint at `projects/bar` and `organizations/foo` will not be
+ # enforced.
+ #
+ # Example 2 (enforcement gets replaced):
+ # `organizations/foo` has a `Policy` with:
+ # {enforced: false}
+ # `projects/bar` has a `Policy` with:
+ # {enforced: true}
+ # The constraint at `organizations/foo` is not enforced.
+ # The constraint at `projects/bar` is enforced.
+ #
+ # Example 3 (RestoreDefault):
+ # `organizations/foo` has a `Policy` with:
+ # {enforced: true}
+ # `projects/bar` has a `Policy` with:
+ # {RestoreDefault: {}}
+ # The constraint at `organizations/foo` is enforced.
+ # The constraint at `projects/bar` is not enforced, because
+ # `constraint_default` for the `Constraint` is `ALLOW`.
+ },
+ "restoreDefault": { # Ignores policies set above this resource and restores the # Restores the default behavior of the constraint; independent of
+ # `Constraint` type.
+ # `constraint_default` enforcement behavior of the specific `Constraint` at
+ # this resource.
+ #
+ # Suppose that `constraint_default` is set to `ALLOW` for the
+ # `Constraint` `constraints/serviceuser.services`. Suppose that organization
+ # foo.com sets a `Policy` at their Organization resource node that restricts
+ # the allowed service activations to deny all service activations. They
+ # could then set a `Policy` with the `policy_type` `restore_default` on
+ # several experimental projects, restoring the `constraint_default`
+ # enforcement of the `Constraint` for only those projects, allowing those
+ # projects to have all services activated.
+ },
+ "updateTime": "A String", # The time stamp the `Policy` was previously updated. This is set by the
+ # server, not specified by the caller, and represents the last time a call to
+ # `SetOrgPolicy` was made for that `Policy`. Any value set by the client will
+ # be ignored.
+ "version": 42, # Version of the `Policy`. Default version is 0;
+ "etag": "A String", # An opaque tag indicating the current version of the `Policy`, used for
+ # concurrency control.
+ #
+ # When the `Policy` is returned from either a `GetPolicy` or a
+ # `ListOrgPolicy` request, this `etag` indicates the version of the current
+ # `Policy` to use when executing a read-modify-write loop.
+ #
+ # When the `Policy` is returned from a `GetEffectivePolicy` request, the
+ # `etag` will be unset.
+ #
+ # When the `Policy` is used in a `SetOrgPolicy` method, use the `etag` value
+ # that was returned from a `GetOrgPolicy` request as part of a
+ # read-modify-write loop for concurrency control. Not setting the `etag`in a
+ # `SetOrgPolicy` request will result in an unconditional write of the
+ # `Policy`.
+ "constraint": "A String", # The name of the `Constraint` the `Policy` is configuring, for example,
+ # `constraints/serviceuser.services`.
+ #
+ # A [list of available
+ # constraints](/resource-manager/docs/organization-policy/org-policy-constraints)
+ # is available.
+ #
+ # Immutable after creation.
"listPolicy": { # Used in `policy_type` to specify how `list_policy` behaves at this # List of values either allowed or disallowed.
# resource.
#
@@ -183,7 +272,7 @@
# values. If `all_values` is set to either `ALLOW` or `DENY`,
# `allowed_values` and `denied_values` must be unset.
"allValues": "A String", # The policy all_values state.
- "allowedValues": [ # List of values allowed at this resource. Can only be set if `all_values`
+ "deniedValues": [ # List of values denied at this resource. Can only be set if `all_values`
# is set to `ALL_VALUES_UNSPECIFIED`.
"A String",
],
@@ -191,9 +280,13 @@
# that matches the value specified in this `Policy`. If `suggested_value`
# is not set, it will inherit the value specified higher in the hierarchy,
# unless `inherit_from_parent` is `false`.
+ "allowedValues": [ # List of values allowed at this resource. Can only be set if `all_values`
+ # is set to `ALL_VALUES_UNSPECIFIED`.
+ "A String",
+ ],
"inheritFromParent": True or False, # Determines the inheritance behavior for this `Policy`.
#
- # By default, a `ListPolicy` set at a resource supercedes any `Policy` set
+ # By default, a `ListPolicy` set at a resource supersedes any `Policy` set
# anywhere up the resource hierarchy. However, if `inherit_from_parent` is
# set to `true`, then the values from the effective `Policy` of the parent
# resource are inherited, meaning the values set in this `Policy` are
@@ -288,95 +381,6 @@
# `projects/P3`.
# The accepted values at `projects/bar` are `organizations/O1`,
# `folders/F1`, `projects/P1`.
- "deniedValues": [ # List of values denied at this resource. Can only be set if `all_values`
- # is set to `ALL_VALUES_UNSPECIFIED`.
- "A String",
- ],
- },
- "etag": "A String", # An opaque tag indicating the current version of the `Policy`, used for
- # concurrency control.
- #
- # When the `Policy` is returned from either a `GetPolicy` or a
- # `ListOrgPolicy` request, this `etag` indicates the version of the current
- # `Policy` to use when executing a read-modify-write loop.
- #
- # When the `Policy` is returned from a `GetEffectivePolicy` request, the
- # `etag` will be unset.
- #
- # When the `Policy` is used in a `SetOrgPolicy` method, use the `etag` value
- # that was returned from a `GetOrgPolicy` request as part of a
- # read-modify-write loop for concurrency control. Not setting the `etag`in a
- # `SetOrgPolicy` request will result in an unconditional write of the
- # `Policy`.
- "booleanPolicy": { # Used in `policy_type` to specify how `boolean_policy` will behave at this # For boolean `Constraints`, whether to enforce the `Constraint` or not.
- # resource.
- "enforced": True or False, # If `true`, then the `Policy` is enforced. If `false`, then any
- # configuration is acceptable.
- #
- # Suppose you have a `Constraint`
- # `constraints/compute.disableSerialPortAccess` with `constraint_default`
- # set to `ALLOW`. A `Policy` for that `Constraint` exhibits the following
- # behavior:
- # - If the `Policy` at this resource has enforced set to `false`, serial
- # port connection attempts will be allowed.
- # - If the `Policy` at this resource has enforced set to `true`, serial
- # port connection attempts will be refused.
- # - If the `Policy` at this resource is `RestoreDefault`, serial port
- # connection attempts will be allowed.
- # - If no `Policy` is set at this resource or anywhere higher in the
- # resource hierarchy, serial port connection attempts will be allowed.
- # - If no `Policy` is set at this resource, but one exists higher in the
- # resource hierarchy, the behavior is as if the`Policy` were set at
- # this resource.
- #
- # The following examples demonstrate the different possible layerings:
- #
- # Example 1 (nearest `Constraint` wins):
- # `organizations/foo` has a `Policy` with:
- # {enforced: false}
- # `projects/bar` has no `Policy` set.
- # The constraint at `projects/bar` and `organizations/foo` will not be
- # enforced.
- #
- # Example 2 (enforcement gets replaced):
- # `organizations/foo` has a `Policy` with:
- # {enforced: false}
- # `projects/bar` has a `Policy` with:
- # {enforced: true}
- # The constraint at `organizations/foo` is not enforced.
- # The constraint at `projects/bar` is enforced.
- #
- # Example 3 (RestoreDefault):
- # `organizations/foo` has a `Policy` with:
- # {enforced: true}
- # `projects/bar` has a `Policy` with:
- # {RestoreDefault: {}}
- # The constraint at `organizations/foo` is enforced.
- # The constraint at `projects/bar` is not enforced, because
- # `constraint_default` for the `Constraint` is `ALLOW`.
- },
- "constraint": "A String", # The name of the `Constraint` the `Policy` is configuring, for example,
- # `constraints/serviceuser.services`.
- #
- # Immutable after creation.
- "updateTime": "A String", # The time stamp the `Policy` was previously updated. This is set by the
- # server, not specified by the caller, and represents the last time a call to
- # `SetOrgPolicy` was made for that `Policy`. Any value set by the client will
- # be ignored.
- "version": 42, # Version of the `Policy`. Default version is 0;
- "restoreDefault": { # Ignores policies set above this resource and restores the # Restores the default behavior of the constraint; independent of
- # `Constraint` type.
- # `constraint_default` enforcement behavior of the specific `Constraint` at
- # this resource.
- #
- # Suppose that `constraint_default` is set to `ALLOW` for the
- # `Constraint` `constraints/serviceuser.services`. Suppose that organization
- # foo.com sets a `Policy` at their Organization resource node that restricts
- # the allowed service activations to deny all service activations. They
- # could then set a `Policy` with the `policy_type` `restore_default` on
- # several experimental projects, restoring the `constraint_default`
- # enforcement of the `Constraint` for only those projects, allowing those
- # projects to have all services activated.
},
}</pre>
</div>
@@ -409,6 +413,95 @@
{ # Defines a Cloud Organization `Policy` which is used to specify `Constraints`
# for configurations of Cloud Platform resources.
+ "booleanPolicy": { # Used in `policy_type` to specify how `boolean_policy` will behave at this # For boolean `Constraints`, whether to enforce the `Constraint` or not.
+ # resource.
+ "enforced": True or False, # If `true`, then the `Policy` is enforced. If `false`, then any
+ # configuration is acceptable.
+ #
+ # Suppose you have a `Constraint`
+ # `constraints/compute.disableSerialPortAccess` with `constraint_default`
+ # set to `ALLOW`. A `Policy` for that `Constraint` exhibits the following
+ # behavior:
+ # - If the `Policy` at this resource has enforced set to `false`, serial
+ # port connection attempts will be allowed.
+ # - If the `Policy` at this resource has enforced set to `true`, serial
+ # port connection attempts will be refused.
+ # - If the `Policy` at this resource is `RestoreDefault`, serial port
+ # connection attempts will be allowed.
+ # - If no `Policy` is set at this resource or anywhere higher in the
+ # resource hierarchy, serial port connection attempts will be allowed.
+ # - If no `Policy` is set at this resource, but one exists higher in the
+ # resource hierarchy, the behavior is as if the`Policy` were set at
+ # this resource.
+ #
+ # The following examples demonstrate the different possible layerings:
+ #
+ # Example 1 (nearest `Constraint` wins):
+ # `organizations/foo` has a `Policy` with:
+ # {enforced: false}
+ # `projects/bar` has no `Policy` set.
+ # The constraint at `projects/bar` and `organizations/foo` will not be
+ # enforced.
+ #
+ # Example 2 (enforcement gets replaced):
+ # `organizations/foo` has a `Policy` with:
+ # {enforced: false}
+ # `projects/bar` has a `Policy` with:
+ # {enforced: true}
+ # The constraint at `organizations/foo` is not enforced.
+ # The constraint at `projects/bar` is enforced.
+ #
+ # Example 3 (RestoreDefault):
+ # `organizations/foo` has a `Policy` with:
+ # {enforced: true}
+ # `projects/bar` has a `Policy` with:
+ # {RestoreDefault: {}}
+ # The constraint at `organizations/foo` is enforced.
+ # The constraint at `projects/bar` is not enforced, because
+ # `constraint_default` for the `Constraint` is `ALLOW`.
+ },
+ "restoreDefault": { # Ignores policies set above this resource and restores the # Restores the default behavior of the constraint; independent of
+ # `Constraint` type.
+ # `constraint_default` enforcement behavior of the specific `Constraint` at
+ # this resource.
+ #
+ # Suppose that `constraint_default` is set to `ALLOW` for the
+ # `Constraint` `constraints/serviceuser.services`. Suppose that organization
+ # foo.com sets a `Policy` at their Organization resource node that restricts
+ # the allowed service activations to deny all service activations. They
+ # could then set a `Policy` with the `policy_type` `restore_default` on
+ # several experimental projects, restoring the `constraint_default`
+ # enforcement of the `Constraint` for only those projects, allowing those
+ # projects to have all services activated.
+ },
+ "updateTime": "A String", # The time stamp the `Policy` was previously updated. This is set by the
+ # server, not specified by the caller, and represents the last time a call to
+ # `SetOrgPolicy` was made for that `Policy`. Any value set by the client will
+ # be ignored.
+ "version": 42, # Version of the `Policy`. Default version is 0;
+ "etag": "A String", # An opaque tag indicating the current version of the `Policy`, used for
+ # concurrency control.
+ #
+ # When the `Policy` is returned from either a `GetPolicy` or a
+ # `ListOrgPolicy` request, this `etag` indicates the version of the current
+ # `Policy` to use when executing a read-modify-write loop.
+ #
+ # When the `Policy` is returned from a `GetEffectivePolicy` request, the
+ # `etag` will be unset.
+ #
+ # When the `Policy` is used in a `SetOrgPolicy` method, use the `etag` value
+ # that was returned from a `GetOrgPolicy` request as part of a
+ # read-modify-write loop for concurrency control. Not setting the `etag`in a
+ # `SetOrgPolicy` request will result in an unconditional write of the
+ # `Policy`.
+ "constraint": "A String", # The name of the `Constraint` the `Policy` is configuring, for example,
+ # `constraints/serviceuser.services`.
+ #
+ # A [list of available
+ # constraints](/resource-manager/docs/organization-policy/org-policy-constraints)
+ # is available.
+ #
+ # Immutable after creation.
"listPolicy": { # Used in `policy_type` to specify how `list_policy` behaves at this # List of values either allowed or disallowed.
# resource.
#
@@ -431,7 +524,7 @@
# values. If `all_values` is set to either `ALLOW` or `DENY`,
# `allowed_values` and `denied_values` must be unset.
"allValues": "A String", # The policy all_values state.
- "allowedValues": [ # List of values allowed at this resource. Can only be set if `all_values`
+ "deniedValues": [ # List of values denied at this resource. Can only be set if `all_values`
# is set to `ALL_VALUES_UNSPECIFIED`.
"A String",
],
@@ -439,9 +532,13 @@
# that matches the value specified in this `Policy`. If `suggested_value`
# is not set, it will inherit the value specified higher in the hierarchy,
# unless `inherit_from_parent` is `false`.
+ "allowedValues": [ # List of values allowed at this resource. Can only be set if `all_values`
+ # is set to `ALL_VALUES_UNSPECIFIED`.
+ "A String",
+ ],
"inheritFromParent": True or False, # Determines the inheritance behavior for this `Policy`.
#
- # By default, a `ListPolicy` set at a resource supercedes any `Policy` set
+ # By default, a `ListPolicy` set at a resource supersedes any `Policy` set
# anywhere up the resource hierarchy. However, if `inherit_from_parent` is
# set to `true`, then the values from the effective `Policy` of the parent
# resource are inherited, meaning the values set in this `Policy` are
@@ -536,95 +633,6 @@
# `projects/P3`.
# The accepted values at `projects/bar` are `organizations/O1`,
# `folders/F1`, `projects/P1`.
- "deniedValues": [ # List of values denied at this resource. Can only be set if `all_values`
- # is set to `ALL_VALUES_UNSPECIFIED`.
- "A String",
- ],
- },
- "etag": "A String", # An opaque tag indicating the current version of the `Policy`, used for
- # concurrency control.
- #
- # When the `Policy` is returned from either a `GetPolicy` or a
- # `ListOrgPolicy` request, this `etag` indicates the version of the current
- # `Policy` to use when executing a read-modify-write loop.
- #
- # When the `Policy` is returned from a `GetEffectivePolicy` request, the
- # `etag` will be unset.
- #
- # When the `Policy` is used in a `SetOrgPolicy` method, use the `etag` value
- # that was returned from a `GetOrgPolicy` request as part of a
- # read-modify-write loop for concurrency control. Not setting the `etag`in a
- # `SetOrgPolicy` request will result in an unconditional write of the
- # `Policy`.
- "booleanPolicy": { # Used in `policy_type` to specify how `boolean_policy` will behave at this # For boolean `Constraints`, whether to enforce the `Constraint` or not.
- # resource.
- "enforced": True or False, # If `true`, then the `Policy` is enforced. If `false`, then any
- # configuration is acceptable.
- #
- # Suppose you have a `Constraint`
- # `constraints/compute.disableSerialPortAccess` with `constraint_default`
- # set to `ALLOW`. A `Policy` for that `Constraint` exhibits the following
- # behavior:
- # - If the `Policy` at this resource has enforced set to `false`, serial
- # port connection attempts will be allowed.
- # - If the `Policy` at this resource has enforced set to `true`, serial
- # port connection attempts will be refused.
- # - If the `Policy` at this resource is `RestoreDefault`, serial port
- # connection attempts will be allowed.
- # - If no `Policy` is set at this resource or anywhere higher in the
- # resource hierarchy, serial port connection attempts will be allowed.
- # - If no `Policy` is set at this resource, but one exists higher in the
- # resource hierarchy, the behavior is as if the`Policy` were set at
- # this resource.
- #
- # The following examples demonstrate the different possible layerings:
- #
- # Example 1 (nearest `Constraint` wins):
- # `organizations/foo` has a `Policy` with:
- # {enforced: false}
- # `projects/bar` has no `Policy` set.
- # The constraint at `projects/bar` and `organizations/foo` will not be
- # enforced.
- #
- # Example 2 (enforcement gets replaced):
- # `organizations/foo` has a `Policy` with:
- # {enforced: false}
- # `projects/bar` has a `Policy` with:
- # {enforced: true}
- # The constraint at `organizations/foo` is not enforced.
- # The constraint at `projects/bar` is enforced.
- #
- # Example 3 (RestoreDefault):
- # `organizations/foo` has a `Policy` with:
- # {enforced: true}
- # `projects/bar` has a `Policy` with:
- # {RestoreDefault: {}}
- # The constraint at `organizations/foo` is enforced.
- # The constraint at `projects/bar` is not enforced, because
- # `constraint_default` for the `Constraint` is `ALLOW`.
- },
- "constraint": "A String", # The name of the `Constraint` the `Policy` is configuring, for example,
- # `constraints/serviceuser.services`.
- #
- # Immutable after creation.
- "updateTime": "A String", # The time stamp the `Policy` was previously updated. This is set by the
- # server, not specified by the caller, and represents the last time a call to
- # `SetOrgPolicy` was made for that `Policy`. Any value set by the client will
- # be ignored.
- "version": 42, # Version of the `Policy`. Default version is 0;
- "restoreDefault": { # Ignores policies set above this resource and restores the # Restores the default behavior of the constraint; independent of
- # `Constraint` type.
- # `constraint_default` enforcement behavior of the specific `Constraint` at
- # this resource.
- #
- # Suppose that `constraint_default` is set to `ALLOW` for the
- # `Constraint` `constraints/serviceuser.services`. Suppose that organization
- # foo.com sets a `Policy` at their Organization resource node that restricts
- # the allowed service activations to deny all service activations. They
- # could then set a `Policy` with the `policy_type` `restore_default` on
- # several experimental projects, restoring the `constraint_default`
- # enforcement of the `Constraint` for only those projects, allowing those
- # projects to have all services activated.
},
}</pre>
</div>
@@ -638,8 +646,8 @@
body: object, The request body.
The object takes the form of:
-{ # The request sent to the [ListAvailableOrgPolicyConstraints]
- # google.cloud.OrgPolicy.v1.ListAvailableOrgPolicyConstraints] method.
+{ # The request sent to the `ListAvailableOrgPolicyConstraints` method on the
+ # project, folder, or organization.
"pageToken": "A String", # Page token used to retrieve the next page. This is currently unsupported
# and will be ignored. The server may at any point start using this field.
"pageSize": 42, # Size of the pages to be returned. This is currently unsupported and will
@@ -655,7 +663,7 @@
Returns:
An object of the form:
- { # The response returned from the ListAvailableOrgPolicyConstraints method.
+ { # The response returned from the `ListAvailableOrgPolicyConstraints` method.
# Returns all `Constraints` that could be set at this level of the hierarchy
# (contrast with the response from `ListPolicies`, which returns all policies
# which are set).
@@ -664,18 +672,28 @@
# restricted. For example, it controls which cloud services can be activated
# across an organization, or whether a Compute Engine instance can have
# serial port connections established. `Constraints` can be configured by the
- # organization's policy adminstrator to fit the needs of the organzation by
+ # organization's policy administrator to fit the needs of the organzation by
# setting Policies for `Constraints` at different locations in the
# organization's resource hierarchy. Policies are inherited down the resource
# hierarchy from higher levels, but can also be overridden. For details about
# the inheritance rules please read about
- # Policies.
+ # [Policies](/resource-manager/reference/rest/v1/Policy).
#
# `Constraints` have a default behavior determined by the `constraint_default`
# field, which is the enforcement behavior that is used in the absence of a
# `Policy` being defined or inherited for the resource in question.
+ "booleanConstraint": { # A `Constraint` that is either enforced or not. # Defines this constraint as being a BooleanConstraint.
+ #
+ # For example a constraint `constraints/compute.disableSerialPortAccess`.
+ # If it is enforced on a VM instance, serial port connections will not be
+ # opened to that instance.
+ },
"name": "A String", # Immutable value, required to globally be unique. For example,
# `constraints/serviceuser.services`
+ "displayName": "A String", # The human readable name.
+ #
+ # Mutable.
+ "version": 42, # Version of the `Constraint`. Default version is 0;
"listConstraint": { # A `Constraint` that allows or disallows a list of string values, which are # Defines this constraint as being a ListConstraint.
# configured by an Organization's policy administrator with a `Policy`.
"suggestedValue": "A String", # Optional. The Google Cloud Console will try to default to a configuration
@@ -685,21 +703,11 @@
# example, `"under:folders/123"` would match any resource under the
# 'folders/123' folder.
},
- "version": 42, # Version of the `Constraint`. Default version is 0;
+ "constraintDefault": "A String", # The evaluation behavior of this constraint in the absence of 'Policy'.
"description": "A String", # Detailed description of what this `Constraint` controls as well as how and
# where it is enforced.
#
# Mutable.
- "displayName": "A String", # The human readable name.
- #
- # Mutable.
- "booleanConstraint": { # A `Constraint` that is either enforced or not. # Defines this constraint as being a BooleanConstraint.
- #
- # For example a constraint `constraints/compute.disableSerialPortAccess`.
- # If it is enforced on a VM instance, serial port connections will not be
- # opened to that instance.
- },
- "constraintDefault": "A String", # The evaluation behavior of this constraint in the absense of 'Policy'.
},
],
"nextPageToken": "A String", # Page token used to retrieve the next page. This is currently not used.
@@ -730,11 +738,11 @@
The object takes the form of:
{ # The request sent to the ListOrgPolicies method.
- "pageToken": "A String", # Page token used to retrieve the next page. This is currently unsupported
- # and will be ignored. The server may at any point start using this field.
"pageSize": 42, # Size of the pages to be returned. This is currently unsupported and will
# be ignored. The server may at any point start using this field to limit
# page size.
+ "pageToken": "A String", # Page token used to retrieve the next page. This is currently unsupported
+ # and will be ignored. The server may at any point start using this field.
}
x__xgafv: string, V1 error format.
@@ -745,7 +753,7 @@
Returns:
An object of the form:
- { # The response returned from the ListOrgPolicies method. It will be empty
+ { # The response returned from the `ListOrgPolicies` method. It will be empty
# if no `Policies` are set on the resource.
"nextPageToken": "A String", # Page token used to retrieve the next page. This is currently not used, but
# the server may at any point start supplying a valid token.
@@ -753,6 +761,95 @@
# `Policies` are set.
{ # Defines a Cloud Organization `Policy` which is used to specify `Constraints`
# for configurations of Cloud Platform resources.
+ "booleanPolicy": { # Used in `policy_type` to specify how `boolean_policy` will behave at this # For boolean `Constraints`, whether to enforce the `Constraint` or not.
+ # resource.
+ "enforced": True or False, # If `true`, then the `Policy` is enforced. If `false`, then any
+ # configuration is acceptable.
+ #
+ # Suppose you have a `Constraint`
+ # `constraints/compute.disableSerialPortAccess` with `constraint_default`
+ # set to `ALLOW`. A `Policy` for that `Constraint` exhibits the following
+ # behavior:
+ # - If the `Policy` at this resource has enforced set to `false`, serial
+ # port connection attempts will be allowed.
+ # - If the `Policy` at this resource has enforced set to `true`, serial
+ # port connection attempts will be refused.
+ # - If the `Policy` at this resource is `RestoreDefault`, serial port
+ # connection attempts will be allowed.
+ # - If no `Policy` is set at this resource or anywhere higher in the
+ # resource hierarchy, serial port connection attempts will be allowed.
+ # - If no `Policy` is set at this resource, but one exists higher in the
+ # resource hierarchy, the behavior is as if the`Policy` were set at
+ # this resource.
+ #
+ # The following examples demonstrate the different possible layerings:
+ #
+ # Example 1 (nearest `Constraint` wins):
+ # `organizations/foo` has a `Policy` with:
+ # {enforced: false}
+ # `projects/bar` has no `Policy` set.
+ # The constraint at `projects/bar` and `organizations/foo` will not be
+ # enforced.
+ #
+ # Example 2 (enforcement gets replaced):
+ # `organizations/foo` has a `Policy` with:
+ # {enforced: false}
+ # `projects/bar` has a `Policy` with:
+ # {enforced: true}
+ # The constraint at `organizations/foo` is not enforced.
+ # The constraint at `projects/bar` is enforced.
+ #
+ # Example 3 (RestoreDefault):
+ # `organizations/foo` has a `Policy` with:
+ # {enforced: true}
+ # `projects/bar` has a `Policy` with:
+ # {RestoreDefault: {}}
+ # The constraint at `organizations/foo` is enforced.
+ # The constraint at `projects/bar` is not enforced, because
+ # `constraint_default` for the `Constraint` is `ALLOW`.
+ },
+ "restoreDefault": { # Ignores policies set above this resource and restores the # Restores the default behavior of the constraint; independent of
+ # `Constraint` type.
+ # `constraint_default` enforcement behavior of the specific `Constraint` at
+ # this resource.
+ #
+ # Suppose that `constraint_default` is set to `ALLOW` for the
+ # `Constraint` `constraints/serviceuser.services`. Suppose that organization
+ # foo.com sets a `Policy` at their Organization resource node that restricts
+ # the allowed service activations to deny all service activations. They
+ # could then set a `Policy` with the `policy_type` `restore_default` on
+ # several experimental projects, restoring the `constraint_default`
+ # enforcement of the `Constraint` for only those projects, allowing those
+ # projects to have all services activated.
+ },
+ "updateTime": "A String", # The time stamp the `Policy` was previously updated. This is set by the
+ # server, not specified by the caller, and represents the last time a call to
+ # `SetOrgPolicy` was made for that `Policy`. Any value set by the client will
+ # be ignored.
+ "version": 42, # Version of the `Policy`. Default version is 0;
+ "etag": "A String", # An opaque tag indicating the current version of the `Policy`, used for
+ # concurrency control.
+ #
+ # When the `Policy` is returned from either a `GetPolicy` or a
+ # `ListOrgPolicy` request, this `etag` indicates the version of the current
+ # `Policy` to use when executing a read-modify-write loop.
+ #
+ # When the `Policy` is returned from a `GetEffectivePolicy` request, the
+ # `etag` will be unset.
+ #
+ # When the `Policy` is used in a `SetOrgPolicy` method, use the `etag` value
+ # that was returned from a `GetOrgPolicy` request as part of a
+ # read-modify-write loop for concurrency control. Not setting the `etag`in a
+ # `SetOrgPolicy` request will result in an unconditional write of the
+ # `Policy`.
+ "constraint": "A String", # The name of the `Constraint` the `Policy` is configuring, for example,
+ # `constraints/serviceuser.services`.
+ #
+ # A [list of available
+ # constraints](/resource-manager/docs/organization-policy/org-policy-constraints)
+ # is available.
+ #
+ # Immutable after creation.
"listPolicy": { # Used in `policy_type` to specify how `list_policy` behaves at this # List of values either allowed or disallowed.
# resource.
#
@@ -775,7 +872,7 @@
# values. If `all_values` is set to either `ALLOW` or `DENY`,
# `allowed_values` and `denied_values` must be unset.
"allValues": "A String", # The policy all_values state.
- "allowedValues": [ # List of values allowed at this resource. Can only be set if `all_values`
+ "deniedValues": [ # List of values denied at this resource. Can only be set if `all_values`
# is set to `ALL_VALUES_UNSPECIFIED`.
"A String",
],
@@ -783,9 +880,13 @@
# that matches the value specified in this `Policy`. If `suggested_value`
# is not set, it will inherit the value specified higher in the hierarchy,
# unless `inherit_from_parent` is `false`.
+ "allowedValues": [ # List of values allowed at this resource. Can only be set if `all_values`
+ # is set to `ALL_VALUES_UNSPECIFIED`.
+ "A String",
+ ],
"inheritFromParent": True or False, # Determines the inheritance behavior for this `Policy`.
#
- # By default, a `ListPolicy` set at a resource supercedes any `Policy` set
+ # By default, a `ListPolicy` set at a resource supersedes any `Policy` set
# anywhere up the resource hierarchy. However, if `inherit_from_parent` is
# set to `true`, then the values from the effective `Policy` of the parent
# resource are inherited, meaning the values set in this `Policy` are
@@ -880,95 +981,6 @@
# `projects/P3`.
# The accepted values at `projects/bar` are `organizations/O1`,
# `folders/F1`, `projects/P1`.
- "deniedValues": [ # List of values denied at this resource. Can only be set if `all_values`
- # is set to `ALL_VALUES_UNSPECIFIED`.
- "A String",
- ],
- },
- "etag": "A String", # An opaque tag indicating the current version of the `Policy`, used for
- # concurrency control.
- #
- # When the `Policy` is returned from either a `GetPolicy` or a
- # `ListOrgPolicy` request, this `etag` indicates the version of the current
- # `Policy` to use when executing a read-modify-write loop.
- #
- # When the `Policy` is returned from a `GetEffectivePolicy` request, the
- # `etag` will be unset.
- #
- # When the `Policy` is used in a `SetOrgPolicy` method, use the `etag` value
- # that was returned from a `GetOrgPolicy` request as part of a
- # read-modify-write loop for concurrency control. Not setting the `etag`in a
- # `SetOrgPolicy` request will result in an unconditional write of the
- # `Policy`.
- "booleanPolicy": { # Used in `policy_type` to specify how `boolean_policy` will behave at this # For boolean `Constraints`, whether to enforce the `Constraint` or not.
- # resource.
- "enforced": True or False, # If `true`, then the `Policy` is enforced. If `false`, then any
- # configuration is acceptable.
- #
- # Suppose you have a `Constraint`
- # `constraints/compute.disableSerialPortAccess` with `constraint_default`
- # set to `ALLOW`. A `Policy` for that `Constraint` exhibits the following
- # behavior:
- # - If the `Policy` at this resource has enforced set to `false`, serial
- # port connection attempts will be allowed.
- # - If the `Policy` at this resource has enforced set to `true`, serial
- # port connection attempts will be refused.
- # - If the `Policy` at this resource is `RestoreDefault`, serial port
- # connection attempts will be allowed.
- # - If no `Policy` is set at this resource or anywhere higher in the
- # resource hierarchy, serial port connection attempts will be allowed.
- # - If no `Policy` is set at this resource, but one exists higher in the
- # resource hierarchy, the behavior is as if the`Policy` were set at
- # this resource.
- #
- # The following examples demonstrate the different possible layerings:
- #
- # Example 1 (nearest `Constraint` wins):
- # `organizations/foo` has a `Policy` with:
- # {enforced: false}
- # `projects/bar` has no `Policy` set.
- # The constraint at `projects/bar` and `organizations/foo` will not be
- # enforced.
- #
- # Example 2 (enforcement gets replaced):
- # `organizations/foo` has a `Policy` with:
- # {enforced: false}
- # `projects/bar` has a `Policy` with:
- # {enforced: true}
- # The constraint at `organizations/foo` is not enforced.
- # The constraint at `projects/bar` is enforced.
- #
- # Example 3 (RestoreDefault):
- # `organizations/foo` has a `Policy` with:
- # {enforced: true}
- # `projects/bar` has a `Policy` with:
- # {RestoreDefault: {}}
- # The constraint at `organizations/foo` is enforced.
- # The constraint at `projects/bar` is not enforced, because
- # `constraint_default` for the `Constraint` is `ALLOW`.
- },
- "constraint": "A String", # The name of the `Constraint` the `Policy` is configuring, for example,
- # `constraints/serviceuser.services`.
- #
- # Immutable after creation.
- "updateTime": "A String", # The time stamp the `Policy` was previously updated. This is set by the
- # server, not specified by the caller, and represents the last time a call to
- # `SetOrgPolicy` was made for that `Policy`. Any value set by the client will
- # be ignored.
- "version": 42, # Version of the `Policy`. Default version is 0;
- "restoreDefault": { # Ignores policies set above this resource and restores the # Restores the default behavior of the constraint; independent of
- # `Constraint` type.
- # `constraint_default` enforcement behavior of the specific `Constraint` at
- # this resource.
- #
- # Suppose that `constraint_default` is set to `ALLOW` for the
- # `Constraint` `constraints/serviceuser.services`. Suppose that organization
- # foo.com sets a `Policy` at their Organization resource node that restricts
- # the allowed service activations to deny all service activations. They
- # could then set a `Policy` with the `policy_type` `restore_default` on
- # several experimental projects, restoring the `constraint_default`
- # enforcement of the `Constraint` for only those projects, allowing those
- # projects to have all services activated.
},
},
],
@@ -1005,6 +1017,95 @@
{ # The request sent to the SetOrgPolicyRequest method.
"policy": { # Defines a Cloud Organization `Policy` which is used to specify `Constraints` # `Policy` to set on the resource.
# for configurations of Cloud Platform resources.
+ "booleanPolicy": { # Used in `policy_type` to specify how `boolean_policy` will behave at this # For boolean `Constraints`, whether to enforce the `Constraint` or not.
+ # resource.
+ "enforced": True or False, # If `true`, then the `Policy` is enforced. If `false`, then any
+ # configuration is acceptable.
+ #
+ # Suppose you have a `Constraint`
+ # `constraints/compute.disableSerialPortAccess` with `constraint_default`
+ # set to `ALLOW`. A `Policy` for that `Constraint` exhibits the following
+ # behavior:
+ # - If the `Policy` at this resource has enforced set to `false`, serial
+ # port connection attempts will be allowed.
+ # - If the `Policy` at this resource has enforced set to `true`, serial
+ # port connection attempts will be refused.
+ # - If the `Policy` at this resource is `RestoreDefault`, serial port
+ # connection attempts will be allowed.
+ # - If no `Policy` is set at this resource or anywhere higher in the
+ # resource hierarchy, serial port connection attempts will be allowed.
+ # - If no `Policy` is set at this resource, but one exists higher in the
+ # resource hierarchy, the behavior is as if the`Policy` were set at
+ # this resource.
+ #
+ # The following examples demonstrate the different possible layerings:
+ #
+ # Example 1 (nearest `Constraint` wins):
+ # `organizations/foo` has a `Policy` with:
+ # {enforced: false}
+ # `projects/bar` has no `Policy` set.
+ # The constraint at `projects/bar` and `organizations/foo` will not be
+ # enforced.
+ #
+ # Example 2 (enforcement gets replaced):
+ # `organizations/foo` has a `Policy` with:
+ # {enforced: false}
+ # `projects/bar` has a `Policy` with:
+ # {enforced: true}
+ # The constraint at `organizations/foo` is not enforced.
+ # The constraint at `projects/bar` is enforced.
+ #
+ # Example 3 (RestoreDefault):
+ # `organizations/foo` has a `Policy` with:
+ # {enforced: true}
+ # `projects/bar` has a `Policy` with:
+ # {RestoreDefault: {}}
+ # The constraint at `organizations/foo` is enforced.
+ # The constraint at `projects/bar` is not enforced, because
+ # `constraint_default` for the `Constraint` is `ALLOW`.
+ },
+ "restoreDefault": { # Ignores policies set above this resource and restores the # Restores the default behavior of the constraint; independent of
+ # `Constraint` type.
+ # `constraint_default` enforcement behavior of the specific `Constraint` at
+ # this resource.
+ #
+ # Suppose that `constraint_default` is set to `ALLOW` for the
+ # `Constraint` `constraints/serviceuser.services`. Suppose that organization
+ # foo.com sets a `Policy` at their Organization resource node that restricts
+ # the allowed service activations to deny all service activations. They
+ # could then set a `Policy` with the `policy_type` `restore_default` on
+ # several experimental projects, restoring the `constraint_default`
+ # enforcement of the `Constraint` for only those projects, allowing those
+ # projects to have all services activated.
+ },
+ "updateTime": "A String", # The time stamp the `Policy` was previously updated. This is set by the
+ # server, not specified by the caller, and represents the last time a call to
+ # `SetOrgPolicy` was made for that `Policy`. Any value set by the client will
+ # be ignored.
+ "version": 42, # Version of the `Policy`. Default version is 0;
+ "etag": "A String", # An opaque tag indicating the current version of the `Policy`, used for
+ # concurrency control.
+ #
+ # When the `Policy` is returned from either a `GetPolicy` or a
+ # `ListOrgPolicy` request, this `etag` indicates the version of the current
+ # `Policy` to use when executing a read-modify-write loop.
+ #
+ # When the `Policy` is returned from a `GetEffectivePolicy` request, the
+ # `etag` will be unset.
+ #
+ # When the `Policy` is used in a `SetOrgPolicy` method, use the `etag` value
+ # that was returned from a `GetOrgPolicy` request as part of a
+ # read-modify-write loop for concurrency control. Not setting the `etag`in a
+ # `SetOrgPolicy` request will result in an unconditional write of the
+ # `Policy`.
+ "constraint": "A String", # The name of the `Constraint` the `Policy` is configuring, for example,
+ # `constraints/serviceuser.services`.
+ #
+ # A [list of available
+ # constraints](/resource-manager/docs/organization-policy/org-policy-constraints)
+ # is available.
+ #
+ # Immutable after creation.
"listPolicy": { # Used in `policy_type` to specify how `list_policy` behaves at this # List of values either allowed or disallowed.
# resource.
#
@@ -1027,7 +1128,7 @@
# values. If `all_values` is set to either `ALLOW` or `DENY`,
# `allowed_values` and `denied_values` must be unset.
"allValues": "A String", # The policy all_values state.
- "allowedValues": [ # List of values allowed at this resource. Can only be set if `all_values`
+ "deniedValues": [ # List of values denied at this resource. Can only be set if `all_values`
# is set to `ALL_VALUES_UNSPECIFIED`.
"A String",
],
@@ -1035,9 +1136,13 @@
# that matches the value specified in this `Policy`. If `suggested_value`
# is not set, it will inherit the value specified higher in the hierarchy,
# unless `inherit_from_parent` is `false`.
+ "allowedValues": [ # List of values allowed at this resource. Can only be set if `all_values`
+ # is set to `ALL_VALUES_UNSPECIFIED`.
+ "A String",
+ ],
"inheritFromParent": True or False, # Determines the inheritance behavior for this `Policy`.
#
- # By default, a `ListPolicy` set at a resource supercedes any `Policy` set
+ # By default, a `ListPolicy` set at a resource supersedes any `Policy` set
# anywhere up the resource hierarchy. However, if `inherit_from_parent` is
# set to `true`, then the values from the effective `Policy` of the parent
# resource are inherited, meaning the values set in this `Policy` are
@@ -1132,95 +1237,6 @@
# `projects/P3`.
# The accepted values at `projects/bar` are `organizations/O1`,
# `folders/F1`, `projects/P1`.
- "deniedValues": [ # List of values denied at this resource. Can only be set if `all_values`
- # is set to `ALL_VALUES_UNSPECIFIED`.
- "A String",
- ],
- },
- "etag": "A String", # An opaque tag indicating the current version of the `Policy`, used for
- # concurrency control.
- #
- # When the `Policy` is returned from either a `GetPolicy` or a
- # `ListOrgPolicy` request, this `etag` indicates the version of the current
- # `Policy` to use when executing a read-modify-write loop.
- #
- # When the `Policy` is returned from a `GetEffectivePolicy` request, the
- # `etag` will be unset.
- #
- # When the `Policy` is used in a `SetOrgPolicy` method, use the `etag` value
- # that was returned from a `GetOrgPolicy` request as part of a
- # read-modify-write loop for concurrency control. Not setting the `etag`in a
- # `SetOrgPolicy` request will result in an unconditional write of the
- # `Policy`.
- "booleanPolicy": { # Used in `policy_type` to specify how `boolean_policy` will behave at this # For boolean `Constraints`, whether to enforce the `Constraint` or not.
- # resource.
- "enforced": True or False, # If `true`, then the `Policy` is enforced. If `false`, then any
- # configuration is acceptable.
- #
- # Suppose you have a `Constraint`
- # `constraints/compute.disableSerialPortAccess` with `constraint_default`
- # set to `ALLOW`. A `Policy` for that `Constraint` exhibits the following
- # behavior:
- # - If the `Policy` at this resource has enforced set to `false`, serial
- # port connection attempts will be allowed.
- # - If the `Policy` at this resource has enforced set to `true`, serial
- # port connection attempts will be refused.
- # - If the `Policy` at this resource is `RestoreDefault`, serial port
- # connection attempts will be allowed.
- # - If no `Policy` is set at this resource or anywhere higher in the
- # resource hierarchy, serial port connection attempts will be allowed.
- # - If no `Policy` is set at this resource, but one exists higher in the
- # resource hierarchy, the behavior is as if the`Policy` were set at
- # this resource.
- #
- # The following examples demonstrate the different possible layerings:
- #
- # Example 1 (nearest `Constraint` wins):
- # `organizations/foo` has a `Policy` with:
- # {enforced: false}
- # `projects/bar` has no `Policy` set.
- # The constraint at `projects/bar` and `organizations/foo` will not be
- # enforced.
- #
- # Example 2 (enforcement gets replaced):
- # `organizations/foo` has a `Policy` with:
- # {enforced: false}
- # `projects/bar` has a `Policy` with:
- # {enforced: true}
- # The constraint at `organizations/foo` is not enforced.
- # The constraint at `projects/bar` is enforced.
- #
- # Example 3 (RestoreDefault):
- # `organizations/foo` has a `Policy` with:
- # {enforced: true}
- # `projects/bar` has a `Policy` with:
- # {RestoreDefault: {}}
- # The constraint at `organizations/foo` is enforced.
- # The constraint at `projects/bar` is not enforced, because
- # `constraint_default` for the `Constraint` is `ALLOW`.
- },
- "constraint": "A String", # The name of the `Constraint` the `Policy` is configuring, for example,
- # `constraints/serviceuser.services`.
- #
- # Immutable after creation.
- "updateTime": "A String", # The time stamp the `Policy` was previously updated. This is set by the
- # server, not specified by the caller, and represents the last time a call to
- # `SetOrgPolicy` was made for that `Policy`. Any value set by the client will
- # be ignored.
- "version": 42, # Version of the `Policy`. Default version is 0;
- "restoreDefault": { # Ignores policies set above this resource and restores the # Restores the default behavior of the constraint; independent of
- # `Constraint` type.
- # `constraint_default` enforcement behavior of the specific `Constraint` at
- # this resource.
- #
- # Suppose that `constraint_default` is set to `ALLOW` for the
- # `Constraint` `constraints/serviceuser.services`. Suppose that organization
- # foo.com sets a `Policy` at their Organization resource node that restricts
- # the allowed service activations to deny all service activations. They
- # could then set a `Policy` with the `policy_type` `restore_default` on
- # several experimental projects, restoring the `constraint_default`
- # enforcement of the `Constraint` for only those projects, allowing those
- # projects to have all services activated.
},
},
}
@@ -1235,6 +1251,95 @@
{ # Defines a Cloud Organization `Policy` which is used to specify `Constraints`
# for configurations of Cloud Platform resources.
+ "booleanPolicy": { # Used in `policy_type` to specify how `boolean_policy` will behave at this # For boolean `Constraints`, whether to enforce the `Constraint` or not.
+ # resource.
+ "enforced": True or False, # If `true`, then the `Policy` is enforced. If `false`, then any
+ # configuration is acceptable.
+ #
+ # Suppose you have a `Constraint`
+ # `constraints/compute.disableSerialPortAccess` with `constraint_default`
+ # set to `ALLOW`. A `Policy` for that `Constraint` exhibits the following
+ # behavior:
+ # - If the `Policy` at this resource has enforced set to `false`, serial
+ # port connection attempts will be allowed.
+ # - If the `Policy` at this resource has enforced set to `true`, serial
+ # port connection attempts will be refused.
+ # - If the `Policy` at this resource is `RestoreDefault`, serial port
+ # connection attempts will be allowed.
+ # - If no `Policy` is set at this resource or anywhere higher in the
+ # resource hierarchy, serial port connection attempts will be allowed.
+ # - If no `Policy` is set at this resource, but one exists higher in the
+ # resource hierarchy, the behavior is as if the`Policy` were set at
+ # this resource.
+ #
+ # The following examples demonstrate the different possible layerings:
+ #
+ # Example 1 (nearest `Constraint` wins):
+ # `organizations/foo` has a `Policy` with:
+ # {enforced: false}
+ # `projects/bar` has no `Policy` set.
+ # The constraint at `projects/bar` and `organizations/foo` will not be
+ # enforced.
+ #
+ # Example 2 (enforcement gets replaced):
+ # `organizations/foo` has a `Policy` with:
+ # {enforced: false}
+ # `projects/bar` has a `Policy` with:
+ # {enforced: true}
+ # The constraint at `organizations/foo` is not enforced.
+ # The constraint at `projects/bar` is enforced.
+ #
+ # Example 3 (RestoreDefault):
+ # `organizations/foo` has a `Policy` with:
+ # {enforced: true}
+ # `projects/bar` has a `Policy` with:
+ # {RestoreDefault: {}}
+ # The constraint at `organizations/foo` is enforced.
+ # The constraint at `projects/bar` is not enforced, because
+ # `constraint_default` for the `Constraint` is `ALLOW`.
+ },
+ "restoreDefault": { # Ignores policies set above this resource and restores the # Restores the default behavior of the constraint; independent of
+ # `Constraint` type.
+ # `constraint_default` enforcement behavior of the specific `Constraint` at
+ # this resource.
+ #
+ # Suppose that `constraint_default` is set to `ALLOW` for the
+ # `Constraint` `constraints/serviceuser.services`. Suppose that organization
+ # foo.com sets a `Policy` at their Organization resource node that restricts
+ # the allowed service activations to deny all service activations. They
+ # could then set a `Policy` with the `policy_type` `restore_default` on
+ # several experimental projects, restoring the `constraint_default`
+ # enforcement of the `Constraint` for only those projects, allowing those
+ # projects to have all services activated.
+ },
+ "updateTime": "A String", # The time stamp the `Policy` was previously updated. This is set by the
+ # server, not specified by the caller, and represents the last time a call to
+ # `SetOrgPolicy` was made for that `Policy`. Any value set by the client will
+ # be ignored.
+ "version": 42, # Version of the `Policy`. Default version is 0;
+ "etag": "A String", # An opaque tag indicating the current version of the `Policy`, used for
+ # concurrency control.
+ #
+ # When the `Policy` is returned from either a `GetPolicy` or a
+ # `ListOrgPolicy` request, this `etag` indicates the version of the current
+ # `Policy` to use when executing a read-modify-write loop.
+ #
+ # When the `Policy` is returned from a `GetEffectivePolicy` request, the
+ # `etag` will be unset.
+ #
+ # When the `Policy` is used in a `SetOrgPolicy` method, use the `etag` value
+ # that was returned from a `GetOrgPolicy` request as part of a
+ # read-modify-write loop for concurrency control. Not setting the `etag`in a
+ # `SetOrgPolicy` request will result in an unconditional write of the
+ # `Policy`.
+ "constraint": "A String", # The name of the `Constraint` the `Policy` is configuring, for example,
+ # `constraints/serviceuser.services`.
+ #
+ # A [list of available
+ # constraints](/resource-manager/docs/organization-policy/org-policy-constraints)
+ # is available.
+ #
+ # Immutable after creation.
"listPolicy": { # Used in `policy_type` to specify how `list_policy` behaves at this # List of values either allowed or disallowed.
# resource.
#
@@ -1257,7 +1362,7 @@
# values. If `all_values` is set to either `ALLOW` or `DENY`,
# `allowed_values` and `denied_values` must be unset.
"allValues": "A String", # The policy all_values state.
- "allowedValues": [ # List of values allowed at this resource. Can only be set if `all_values`
+ "deniedValues": [ # List of values denied at this resource. Can only be set if `all_values`
# is set to `ALL_VALUES_UNSPECIFIED`.
"A String",
],
@@ -1265,9 +1370,13 @@
# that matches the value specified in this `Policy`. If `suggested_value`
# is not set, it will inherit the value specified higher in the hierarchy,
# unless `inherit_from_parent` is `false`.
+ "allowedValues": [ # List of values allowed at this resource. Can only be set if `all_values`
+ # is set to `ALL_VALUES_UNSPECIFIED`.
+ "A String",
+ ],
"inheritFromParent": True or False, # Determines the inheritance behavior for this `Policy`.
#
- # By default, a `ListPolicy` set at a resource supercedes any `Policy` set
+ # By default, a `ListPolicy` set at a resource supersedes any `Policy` set
# anywhere up the resource hierarchy. However, if `inherit_from_parent` is
# set to `true`, then the values from the effective `Policy` of the parent
# resource are inherited, meaning the values set in this `Policy` are
@@ -1362,95 +1471,6 @@
# `projects/P3`.
# The accepted values at `projects/bar` are `organizations/O1`,
# `folders/F1`, `projects/P1`.
- "deniedValues": [ # List of values denied at this resource. Can only be set if `all_values`
- # is set to `ALL_VALUES_UNSPECIFIED`.
- "A String",
- ],
- },
- "etag": "A String", # An opaque tag indicating the current version of the `Policy`, used for
- # concurrency control.
- #
- # When the `Policy` is returned from either a `GetPolicy` or a
- # `ListOrgPolicy` request, this `etag` indicates the version of the current
- # `Policy` to use when executing a read-modify-write loop.
- #
- # When the `Policy` is returned from a `GetEffectivePolicy` request, the
- # `etag` will be unset.
- #
- # When the `Policy` is used in a `SetOrgPolicy` method, use the `etag` value
- # that was returned from a `GetOrgPolicy` request as part of a
- # read-modify-write loop for concurrency control. Not setting the `etag`in a
- # `SetOrgPolicy` request will result in an unconditional write of the
- # `Policy`.
- "booleanPolicy": { # Used in `policy_type` to specify how `boolean_policy` will behave at this # For boolean `Constraints`, whether to enforce the `Constraint` or not.
- # resource.
- "enforced": True or False, # If `true`, then the `Policy` is enforced. If `false`, then any
- # configuration is acceptable.
- #
- # Suppose you have a `Constraint`
- # `constraints/compute.disableSerialPortAccess` with `constraint_default`
- # set to `ALLOW`. A `Policy` for that `Constraint` exhibits the following
- # behavior:
- # - If the `Policy` at this resource has enforced set to `false`, serial
- # port connection attempts will be allowed.
- # - If the `Policy` at this resource has enforced set to `true`, serial
- # port connection attempts will be refused.
- # - If the `Policy` at this resource is `RestoreDefault`, serial port
- # connection attempts will be allowed.
- # - If no `Policy` is set at this resource or anywhere higher in the
- # resource hierarchy, serial port connection attempts will be allowed.
- # - If no `Policy` is set at this resource, but one exists higher in the
- # resource hierarchy, the behavior is as if the`Policy` were set at
- # this resource.
- #
- # The following examples demonstrate the different possible layerings:
- #
- # Example 1 (nearest `Constraint` wins):
- # `organizations/foo` has a `Policy` with:
- # {enforced: false}
- # `projects/bar` has no `Policy` set.
- # The constraint at `projects/bar` and `organizations/foo` will not be
- # enforced.
- #
- # Example 2 (enforcement gets replaced):
- # `organizations/foo` has a `Policy` with:
- # {enforced: false}
- # `projects/bar` has a `Policy` with:
- # {enforced: true}
- # The constraint at `organizations/foo` is not enforced.
- # The constraint at `projects/bar` is enforced.
- #
- # Example 3 (RestoreDefault):
- # `organizations/foo` has a `Policy` with:
- # {enforced: true}
- # `projects/bar` has a `Policy` with:
- # {RestoreDefault: {}}
- # The constraint at `organizations/foo` is enforced.
- # The constraint at `projects/bar` is not enforced, because
- # `constraint_default` for the `Constraint` is `ALLOW`.
- },
- "constraint": "A String", # The name of the `Constraint` the `Policy` is configuring, for example,
- # `constraints/serviceuser.services`.
- #
- # Immutable after creation.
- "updateTime": "A String", # The time stamp the `Policy` was previously updated. This is set by the
- # server, not specified by the caller, and represents the last time a call to
- # `SetOrgPolicy` was made for that `Policy`. Any value set by the client will
- # be ignored.
- "version": 42, # Version of the `Policy`. Default version is 0;
- "restoreDefault": { # Ignores policies set above this resource and restores the # Restores the default behavior of the constraint; independent of
- # `Constraint` type.
- # `constraint_default` enforcement behavior of the specific `Constraint` at
- # this resource.
- #
- # Suppose that `constraint_default` is set to `ALLOW` for the
- # `Constraint` `constraints/serviceuser.services`. Suppose that organization
- # foo.com sets a `Policy` at their Organization resource node that restricts
- # the allowed service activations to deny all service activations. They
- # could then set a `Policy` with the `policy_type` `restore_default` on
- # several experimental projects, restoring the `constraint_default`
- # enforcement of the `Constraint` for only those projects, allowing those
- # projects to have all services activated.
},
}</pre>
</div>