Blame - docs/dyn/healthcare_v1.projects.locations.datasets.html - platform/external/python/google-api-python-client

2020-07-22 17:02:09 -0700

[diff] [blame]

113

<code><a href="#list">list(parent, pageSize=None, pageToken=None, x__xgafv=None)</a></code></p>

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

114

<p class="firstline">Lists the health datasets in the current project.</p>

115

116

<code><a href="#list_next">list_next(previous_request, previous_response)</a></code></p>

117

<p class="firstline">Retrieves the next page of results.</p>

118

119

<code><a href="#patch">patch(name, body=None, updateMask=None, x__xgafv=None)</a></code></p>

120

<p class="firstline">Updates dataset metadata.</p>

121

122

<code><a href="#setIamPolicy">setIamPolicy(resource, body=None, x__xgafv=None)</a></code></p>

123

<p class="firstline">Sets the access control policy on the specified resource. Replaces any</p>

124

125

<code><a href="#testIamPermissions">testIamPermissions(resource, body=None, x__xgafv=None)</a></code></p>

126

<p class="firstline">Returns permissions that a caller has on the specified resource.</p>

127

<h3>Method Details</h3>

128

129

<code class="details" id="create">create(parent, body=None, datasetId=None, x__xgafv=None)</code>

130

<pre>Creates a new health dataset. Results are returned through the

131

Operation interface which returns either an

132

`Operation.response` which contains a Dataset or

133

`Operation.error`. The metadata

134

field type is OperationMetadata.

135

A Google Cloud Platform project can contain up to 500 datasets across all

regions.

Args:

parent: string, The name of the project where the server creates the dataset. For

140

example, `projects/{project_id}/locations/{location_id}`. (required)

141

body: object, The request body.

142

The object takes the form of:

143

144

{ # A message representing a health dataset.

145

#

146

# A health dataset represents a collection of healthcare data pertaining to one

147

# or more patients. This may include multiple modalities of healthcare data,

148

# such as electronic medical records or medical imaging data.

149

"timeZone": "A String", # The default timezone used by this dataset. Must be a either a valid IANA

150

# time zone name such as "America/New_York" or empty, which defaults to UTC.

151

# This is used for parsing times in resources, such as HL7 messages, where no

152

# explicit timezone is specified.

Bu Sun Kim

2020-07-22 17:02:09 -0700

[diff] [blame]

153

"name": "A String", # Resource name of the dataset, of the form

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

154

# `projects/{project_id}/locations/{location_id}/datasets/{dataset_id}`.

155

}

156

157

datasetId: string, The ID of the dataset that is being created.

158

The string must match the following regex: `[\p{L}\p{N}_\-\.]{1,256}`.

159

x__xgafv: string, V1 error format.

Allowed values

1 - v1 error format

2 - v2 error format

Returns:

An object of the form:

166

167

{ # This resource represents a long-running operation that is the result of a

168

# network API call.

Bu Sun Kim

2020-07-22 17:02:09 -0700

[diff] [blame]

169

"error": { # The `Status` type defines a logical error model that is suitable for # The error result of the operation in case of failure or cancellation.

170

# different programming environments, including REST APIs and RPC APIs. It is

171

# used by [gRPC](https://github.com/grpc). Each `Status` message contains

172

# three pieces of data: error code, error message, and error details.

173

#

174

# You can find out more about this error model and how to work with it in the

175

# [API Design Guide](https://cloud.google.com/apis/design/errors).

176

"details": [ # A list of messages that carry the error details. There is a common set of

177

# message types for APIs to use.

178

{

179

"a_key": "", # Properties of the object. Contains field @type with type URL.

180

},

181

],

182

"code": 42, # The status code, which should be an enum value of google.rpc.Code.

183

"message": "A String", # A developer-facing error message, which should be in English. Any

184

# user-facing error message should be localized and sent in the

185

# google.rpc.Status.details field, or localized by the client.

186

},

187

"name": "A String", # The server-assigned name, which is only unique within the same service that

188

# originally returns it. If you use the default HTTP mapping, the

189

# `name` should be a resource name ending with `operations/{unique_id}`.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

190

"response": { # The normal response of the operation in case of success. If the original

191

# method returns no data on success, such as `Delete`, the response is

192

# `google.protobuf.Empty`. If the original method is standard

193

# `Get`/`Create`/`Update`, the response should be the resource. For other

194

# methods, the response should have the type `XxxResponse`, where `Xxx`

195

# is the original method name. For example, if the original method name

196

# is `TakeSnapshot()`, the inferred response type is

197

# `TakeSnapshotResponse`.

198

"a_key": "", # Properties of the object. Contains field @type with type URL.

199

},

Bu Sun Kim

2020-07-22 17:02:09 -0700

[diff] [blame]

200

"done": True or False, # If the value is `false`, it means the operation is still in progress.

201

# If `true`, the operation is completed, and either `error` or `response` is

202

# available.

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

203

"metadata": { # Service-specific metadata associated with the operation. It typically

204

# contains progress information and common metadata such as create time.

205

# Some services might not provide such metadata. Any method that returns a

206

# long-running operation should document the metadata type, if any.

207

"a_key": "", # Properties of the object. Contains field @type with type URL.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

},

}</pre>

</div>

<code class="details" id="deidentify">deidentify(sourceDataset, body=None, x__xgafv=None)</code>

214

<pre>Creates a new dataset containing de-identified data from the source

215

dataset. The metadata field type

216

is OperationMetadata.

217

If the request is successful, the

218

response field type is

219

DeidentifySummary.

220

If errors occur, error is set.

221

The LRO result may still be successful if de-identification fails for some

222

DICOM instances. The new de-identified dataset will not contain these

223

failed resources. Failed resource totals are tracked in

224

Operation.metadata.

225

Error details are also logged to Cloud Logging. For more information,

226

see [Viewing logs](/healthcare/docs/how-tos/logging).

227

228

Args:

229

sourceDataset: string, Source dataset resource name. For example,

230

`projects/{project_id}/locations/{location_id}/datasets/{dataset_id}`. (required)

231

body: object, The request body.

232

The object takes the form of:

233

234

{ # Redacts identifying information from the specified dataset.

235

"config": { # Configures de-id options specific to different types of content. # Deidentify configuration.

236

# Each submessage customizes the handling of an

237

# https://tools.ietf.org/html/rfc6838 media type or subtype. Configs are

238

# applied in a nested manner at runtime.

Bu Sun Kim

2020-07-22 17:02:09 -0700

[diff] [blame]

239

"image": { # Specifies how to handle de-identification of image pixels. # Configures de-identification of image pixels wherever they are found in the

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

240

# source_dataset.

Bu Sun Kim

2020-07-22 17:02:09 -0700

[diff] [blame]

241

"textRedactionMode": "A String", # Determines how to redact text from image.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

242

},

243

"fhir": { # Specifies how to handle de-identification of a FHIR store. # Configures de-id of application/FHIR content.

244

"fieldMetadataList": [ # Specifies FHIR paths to match and how to transform them. Any field that

245

# is not matched by a FieldMetadata is passed through to the output

246

# dataset unmodified. All extensions are removed in the output.

247

{ # Specifies FHIR paths to match, and how to handle de-identification of

248

# matching fields.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

249

"paths": [ # List of paths to FHIR fields to be redacted. Each path is a

250

# period-separated list where each component is either a field name or

251

# FHIR type name, for example: Patient, HumanName.

252

# For "choice" types (those defined in the FHIR spec with the form:

253

# field[x]) we use two separate components. For example,

254

# "deceasedAge.unit" is matched by "Deceased.Age.unit".

255

# Supported types are: AdministrativeGenderCode, Code, Date, DateTime,

256

# Decimal, HumanName, Id, LanguageCode, Markdown, Oid, String, Uri, Uuid,

257

# Xhtml.

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

258

# Base64Binary is also supported, but may only be kept as-is or have all

259

# the content removed.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

260

"A String",

261

],

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

262

"action": "A String", # Deidentify action for one field.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

263

},

264

],

265

},

Bu Sun Kim

2020-07-22 17:02:09 -0700

[diff] [blame]

266

"text": { # Configures de-identification of text wherever it is found in the

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

267

# source_dataset.

Bu Sun Kim

2020-07-22 17:02:09 -0700

[diff] [blame]

268

"transformations": [ # The transformations to apply to the detected data.

269

{ # A transformation to apply to text that is identified as a specific

270

# info_type.

271

"dateShiftConfig": { # Shift a date forward or backward in time by a random amount which is # Config for date shift.

272

# consistent for a given patient and crypto key combination.

273

"cryptoKey": "A String", # An AES 128/192/256 bit key. Causes the shift to be computed based on this

274

# key and the patient ID. A default key is generated for each

275

# Deidentify operation and is used wherever crypto_key is not specified.

276

},

277

"characterMaskConfig": { # Mask a string by replacing its characters with a fixed character. # Config for character mask.

278

"maskingCharacter": "A String", # Character to mask the sensitive values. If not supplied, defaults to "*".

279

},

280

"replaceWithInfoTypeConfig": { # When using the # Config for replace with InfoType.

281

# INSPECT_AND_TRANSFORM

282

# action, each match is replaced with the name of the info_type. For example,

283

# "My name is Jane" becomes "My name is [PERSON_NAME]." The

284

# TRANSFORM

285

# action is equivalent to redacting.

286

},

287

"redactConfig": { # Define how to redact sensitive values. Default behaviour is erase. # Config for text redaction.

288

# For example, "My name is Jane." becomes "My name is ."

289

},

290

"infoTypes": [ # InfoTypes to apply this transformation to. If this is not specified, the

291

# transformation applies to any info_type.

292

"A String",

293

],

294

"cryptoHashConfig": { # Pseudonymization method that generates surrogates via cryptographic hashing. # Config for crypto hash.

295

# Uses SHA-256.

296

# Outputs a base64-encoded representation of the hashed output

297

# (for example, `L7k0BHmF1ha5U3NfGykjro4xWi1MPVQPjhMAZbSV9mM=`).

298

"cryptoKey": "A String", # An AES 128/192/256 bit key. Causes the hash to be computed based on this

299

# key. A default key is generated for each Deidentify operation and is used

300

# wherever crypto_key is not specified.

},

},

],

},

"dicom": { # Specifies the parameters needed for de-identification of DICOM stores. # Configures de-id of application/DICOM content.

306

"filterProfile": "A String", # Tag filtering profile that determines which tags to keep/remove.

307

"removeList": { # List of tags to be filtered. # List of tags to remove. Keep all other tags.

308

"tags": [ # Tags to be filtered. Tags must be DICOM Data Elements, File Meta

309

# Elements, or Directory Structuring Elements, as defined at:

310

# http://dicom.nema.org/medical/dicom/current/output/html/part06.html#table_6-1,.

311

# They may be provided by "Keyword" or "Tag". For example "PatientID",

# "00100010".

"A String",

],

},

"keepList": { # List of tags to be filtered. # List of tags to keep. Remove all other tags.

317

"tags": [ # Tags to be filtered. Tags must be DICOM Data Elements, File Meta

318

# Elements, or Directory Structuring Elements, as defined at:

319

# http://dicom.nema.org/medical/dicom/current/output/html/part06.html#table_6-1,.

320

# They may be provided by "Keyword" or "Tag". For example "PatientID",

# "00100010".

"A String",

],

},

"skipIdRedaction": True or False, # If true, skip replacing StudyInstanceUID, SeriesInstanceUID,

326

# SOPInstanceUID, and MediaStorageSOPInstanceUID and leave them untouched.

327

# The Cloud Healthcare API regenerates these UIDs by default based on the

328

# DICOM Standard's reasoning: "Whilst these UIDs cannot be mapped directly

329

# to an individual out of context, given access to the original images, or

330

# to a database of the original images containing the UIDs, it would be

331

# possible to recover the individual's identity."

332

# http://dicom.nema.org/medical/dicom/current/output/chtml/part15/sect_E.3.9.html

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

333

},

334

},

Bu Sun Kim

2020-07-22 17:02:09 -0700

[diff] [blame]

335

"destinationDataset": "A String", # The name of the dataset resource to create and write the redacted data to.

336

#

337

# * The destination dataset must not exist.

338

# * The destination dataset must be in the same project and location as the

339

# source dataset. De-identifying data across multiple projects or locations

340

# is not supported.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

341

}

342

343

x__xgafv: string, V1 error format.

Allowed values

1 - v1 error format

2 - v2 error format

Returns:

An object of the form:

350

351

{ # This resource represents a long-running operation that is the result of a

352

# network API call.

Bu Sun Kim

2020-07-22 17:02:09 -0700

[diff] [blame]

353

"error": { # The `Status` type defines a logical error model that is suitable for # The error result of the operation in case of failure or cancellation.

354

# different programming environments, including REST APIs and RPC APIs. It is

355

# used by [gRPC](https://github.com/grpc). Each `Status` message contains

356

# three pieces of data: error code, error message, and error details.

357

#

358

# You can find out more about this error model and how to work with it in the

359

# [API Design Guide](https://cloud.google.com/apis/design/errors).

360

"details": [ # A list of messages that carry the error details. There is a common set of

361

# message types for APIs to use.

362

{

363

"a_key": "", # Properties of the object. Contains field @type with type URL.

364

},

365

],

366

"code": 42, # The status code, which should be an enum value of google.rpc.Code.

367

"message": "A String", # A developer-facing error message, which should be in English. Any

368

# user-facing error message should be localized and sent in the

369

# google.rpc.Status.details field, or localized by the client.

370

},

371

"name": "A String", # The server-assigned name, which is only unique within the same service that

372

# originally returns it. If you use the default HTTP mapping, the

373

# `name` should be a resource name ending with `operations/{unique_id}`.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

374

"response": { # The normal response of the operation in case of success. If the original

375

# method returns no data on success, such as `Delete`, the response is

376

# `google.protobuf.Empty`. If the original method is standard

377

# `Get`/`Create`/`Update`, the response should be the resource. For other

378

# methods, the response should have the type `XxxResponse`, where `Xxx`

379

# is the original method name. For example, if the original method name

380

# is `TakeSnapshot()`, the inferred response type is

381

# `TakeSnapshotResponse`.

382

"a_key": "", # Properties of the object. Contains field @type with type URL.

383

},

Bu Sun Kim

2020-07-22 17:02:09 -0700

[diff] [blame]

384

"done": True or False, # If the value is `false`, it means the operation is still in progress.

385

# If `true`, the operation is completed, and either `error` or `response` is

386

# available.

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

387

"metadata": { # Service-specific metadata associated with the operation. It typically

388

# contains progress information and common metadata such as create time.

389

# Some services might not provide such metadata. Any method that returns a

390

# long-running operation should document the metadata type, if any.

391

"a_key": "", # Properties of the object. Contains field @type with type URL.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

},

}</pre>

</div>

<code class="details" id="delete">delete(name, x__xgafv=None)</code>

398

<pre>Deletes the specified health dataset and all data contained in the dataset.

399

Deleting a dataset does not affect the sources from which the dataset was

imported (if any).

Args:

`projects/{project_id}/locations/{location_id}/datasets/{dataset_id}`. (required)

405

x__xgafv: string, V1 error format.

Allowed values

1 - v1 error format

2 - v2 error format

Returns:

An object of the form:

412

413

{ # A generic empty message that you can re-use to avoid defining duplicated

414

# empty messages in your APIs. A typical example is to use it as the request

415

# or the response type of an API method. For instance:

416

#

417

# service Foo {

418

# rpc Bar(google.protobuf.Empty) returns (google.protobuf.Empty);

419

# }

420

#

421

# The JSON representation for `Empty` is empty JSON object `{}`.

}</pre>

</div>

<code class="details" id="get">get(name, x__xgafv=None)</code>

427

<pre>Gets any metadata associated with a dataset.

Args:

`projects/{project_id}/locations/{location_id}/datasets/{dataset_id}`. (required)

432

x__xgafv: string, V1 error format.

Allowed values

1 - v1 error format

2 - v2 error format

Returns:

An object of the form:

439

440

{ # A message representing a health dataset.

441

#

442

# A health dataset represents a collection of healthcare data pertaining to one

443

# or more patients. This may include multiple modalities of healthcare data,

444

# such as electronic medical records or medical imaging data.

445

"timeZone": "A String", # The default timezone used by this dataset. Must be a either a valid IANA

446

# time zone name such as "America/New_York" or empty, which defaults to UTC.

447

# This is used for parsing times in resources, such as HL7 messages, where no

448

# explicit timezone is specified.

Bu Sun Kim

2020-07-22 17:02:09 -0700

[diff] [blame]

449

"name": "A String", # Resource name of the dataset, of the form

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

450

# `projects/{project_id}/locations/{location_id}/datasets/{dataset_id}`.

}</pre>

</div>

<code class="details" id="getIamPolicy">getIamPolicy(resource, options_requestedPolicyVersion=None, x__xgafv=None)</code>

456

<pre>Gets the access control policy for a resource.

457

Returns an empty policy if the resource exists and does not have a policy

set.

Args:

resource: string, REQUIRED: The resource for which the policy is being requested.

462

See the operation documentation for the appropriate value for this field. (required)

463

options_requestedPolicyVersion: integer, Optional. The policy format version to be returned.

464

465

Valid values are 0, 1, and 3. Requests specifying an invalid value will be

466

rejected.

467

468

Requests for policies with any conditional bindings must specify version 3.

469

Policies without any conditional bindings may specify any valid value or

470

leave the field unset.

471

472

To learn which resources support conditions in their IAM policies, see the

473

[IAM

474

documentation](https://cloud.google.com/iam/help/conditions/resource-policies).

475

x__xgafv: string, V1 error format.

Allowed values

1 - v1 error format

2 - v2 error format

Returns:

An object of the form:

482

483

{ # An Identity and Access Management (IAM) policy, which specifies access

484

# controls for Google Cloud resources.

485

#

486

#

487

# A `Policy` is a collection of `bindings`. A `binding` binds one or more

488

# `members` to a single `role`. Members can be user accounts, service accounts,

489

# Google groups, and domains (such as G Suite). A `role` is a named list of

490

# permissions; each `role` can be an IAM predefined role or a user-created

491

# custom role.

492

#

493

# For some types of Google Cloud resources, a `binding` can also specify a

494

# `condition`, which is a logical expression that allows access to a resource

495

# only if the expression evaluates to `true`. A condition can add constraints

496

# based on attributes of the request, the resource, or both. To learn which

497

# resources support conditions in their IAM policies, see the

498

# [IAM documentation](https://cloud.google.com/iam/help/conditions/resource-policies).

#

# **JSON example:**

#

# {

# "bindings": [

# {

# "role": "roles/resourcemanager.organizationAdmin",

506

# "members": [

507

# "user:mike@example.com",

508

# "group:admins@example.com",

509

# "domain:google.com",

510

# "serviceAccount:my-project-id@appspot.gserviceaccount.com"

# ]

# },

# {

# "role": "roles/resourcemanager.organizationViewer",

515

# "members": [

516

# "user:eve@example.com"

517

# ],

518

# "condition": {

519

# "title": "expirable access",

520

# "description": "Does not grant access after Sep 2020",

521

# "expression": "request.time < timestamp('2020-10-01T00:00:00.000Z')",

# }

# }

# ],

# "etag": "BwWWja0YfJA=",

# "version": 3

# }

#

# **YAML example:**

#

# bindings:

# - members:

# - user:mike@example.com

534

# - group:admins@example.com

535

# - domain:google.com

536

# - serviceAccount:my-project-id@appspot.gserviceaccount.com

537

# role: roles/resourcemanager.organizationAdmin

538

# - members:

539

# - user:eve@example.com

540

# role: roles/resourcemanager.organizationViewer

541

# condition:

542

# title: expirable access

543

# description: Does not grant access after Sep 2020

544

# expression: request.time < timestamp('2020-10-01T00:00:00.000Z')

545

# - etag: BwWWja0YfJA=

546

# - version: 3

547

#

548

# For a description of IAM and its features, see the

549

# [IAM documentation](https://cloud.google.com/iam/docs/).

Bu Sun Kim

2020-07-22 17:02:09 -0700

[diff] [blame]

550

"etag": "A String", # `etag` is used for optimistic concurrency control as a way to help

551

# prevent simultaneous updates of a policy from overwriting each other.

552

# It is strongly suggested that systems make use of the `etag` in the

553

# read-modify-write cycle to perform policy updates in order to avoid race

554

# conditions: An `etag` is returned in the response to `getIamPolicy`, and

555

# systems are expected to put that etag in the request to `setIamPolicy` to

556

# ensure that their change will be applied to the same version of the policy.

557

#

558

# **Important:** If you use IAM Conditions, you must include the `etag` field

559

# whenever you call `setIamPolicy`. If you omit this field, then IAM allows

560

# you to overwrite a version `3` policy with a version `1` policy, and all of

561

# the conditions in the version `3` policy are lost.

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

562

"bindings": [ # Associates a list of `members` to a `role`. Optionally, may specify a

563

# `condition` that determines how and when the `bindings` are applied. Each

564

# of the `bindings` must contain at least one member.

565

{ # Associates `members` with a `role`.

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

566

"condition": { # Represents a textual expression in the Common Expression Language (CEL) # The condition that is associated with this binding.

567

#

568

# If the condition evaluates to `true`, then this binding applies to the

569

# current request.

570

#

571

# If the condition evaluates to `false`, then this binding does not apply to

572

# the current request. However, a different role binding might grant the same

573

# role to one or more of the members in this binding.

574

#

575

# To learn which resources support conditions in their IAM policies, see the

576

# [IAM

577

# documentation](https://cloud.google.com/iam/help/conditions/resource-policies).

578

# syntax. CEL is a C-like expression language. The syntax and semantics of CEL

579

# are documented at https://github.com/google/cel-spec.

580

#

581

# Example (Comparison):

582

#

583

# title: "Summary size limit"

584

# description: "Determines if a summary is less than 100 chars"

585

# expression: "document.summary.size() < 100"

586

#

587

# Example (Equality):

588

#

589

# title: "Requestor is owner"

590

# description: "Determines if requestor is the document owner"

591

# expression: "document.owner == request.auth.claims.email"

#

# Example (Logic):

#

# title: "Public documents"

596

# description: "Determine whether the document should be publicly visible"

597

# expression: "document.type != 'private' && document.type != 'internal'"

598

#

599

# Example (Data Manipulation):

600

#

601

# title: "Notification string"

602

# description: "Create a notification string with a timestamp."

603

# expression: "'New message received at ' + string(document.create_time)"

604

#

605

# The exact variables and functions that may be referenced within an expression

606

# are determined by the service that evaluates it. See the service

607

# documentation for additional information.

Bu Sun Kim

2020-07-22 17:02:09 -0700

[diff] [blame]

608

"expression": "A String", # Textual representation of an expression in Common Expression Language

609

# syntax.

610

"location": "A String", # Optional. String indicating the location of the expression for error

611

# reporting, e.g. a file name and a position in the file.

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

612

"title": "A String", # Optional. Title for the expression, i.e. a short string describing

613

# its purpose. This can be used e.g. in UIs which allow to enter the

614

# expression.

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

615

"description": "A String", # Optional. Description of the expression. This is a longer text which

616

# describes the expression, e.g. when hovered over it in a UI.

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

617

},

Bu Sun Kim

2020-07-22 17:02:09 -0700

[diff] [blame]

618

"role": "A String", # Role that is assigned to `members`.

619

# For example, `roles/viewer`, `roles/editor`, or `roles/owner`.

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

620

"members": [ # Specifies the identities requesting access for a Cloud Platform resource.

621

# `members` can have the following values:

622

#

623

# * `allUsers`: A special identifier that represents anyone who is

624

# on the internet; with or without a Google account.

625

#

626

# * `allAuthenticatedUsers`: A special identifier that represents anyone

627

# who is authenticated with a Google account or a service account.

628

#

629

# * `user:{emailid}`: An email address that represents a specific Google

630

# account. For example, `alice@example.com` .

631

#

632

#

633

# * `serviceAccount:{emailid}`: An email address that represents a service

634

# account. For example, `my-other-app@appspot.gserviceaccount.com`.

635

#

636

# * `group:{emailid}`: An email address that represents a Google group.

637

# For example, `admins@example.com`.

638

#

639

# * `deleted:user:{emailid}?uid={uniqueid}`: An email address (plus unique

640

# identifier) representing a user that has been recently deleted. For

641

# example, `alice@example.com?uid=123456789012345678901`. If the user is

642

# recovered, this value reverts to `user:{emailid}` and the recovered user

643

# retains the role in the binding.

644

#

645

# * `deleted:serviceAccount:{emailid}?uid={uniqueid}`: An email address (plus

646

# unique identifier) representing a service account that has been recently

647

# deleted. For example,

648

# `my-other-app@appspot.gserviceaccount.com?uid=123456789012345678901`.

649

# If the service account is undeleted, this value reverts to

650

# `serviceAccount:{emailid}` and the undeleted service account retains the

651

# role in the binding.

652

#

653

# * `deleted:group:{emailid}?uid={uniqueid}`: An email address (plus unique

654

# identifier) representing a Google group that has been recently

655

# deleted. For example, `admins@example.com?uid=123456789012345678901`. If

656

# the group is recovered, this value reverts to `group:{emailid}` and the

657

# recovered group retains the role in the binding.

658

#

659

#

660

# * `domain:{domain}`: The G Suite domain (primary) that represents all the

661

# users of that domain. For example, `google.com` or `example.com`.

#

"A String",

],

},

],

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

667

"version": 42, # Specifies the format of the policy.

668

#

669

# Valid values are `0`, `1`, and `3`. Requests that specify an invalid value

670

# are rejected.

671

#

672

# Any operation that affects conditional role bindings must specify version

673

# `3`. This requirement applies to the following operations:

674

#

675

# * Getting a policy that includes a conditional role binding

676

# * Adding a conditional role binding to a policy

677

# * Changing a conditional role binding in a policy

678

# * Removing any role binding, with or without a condition, from a policy

679

# that includes conditions

680

#

681

# **Important:** If you use IAM Conditions, you must include the `etag` field

682

# whenever you call `setIamPolicy`. If you omit this field, then IAM allows

683

# you to overwrite a version `3` policy with a version `1` policy, and all of

684

# the conditions in the version `3` policy are lost.

685

#

686

# If a policy does not include any conditions, operations on that policy may

687

# specify any valid version or leave the field unset.

688

#

689

# To learn which resources support conditions in their IAM policies, see the

690

# [IAM documentation](https://cloud.google.com/iam/help/conditions/resource-policies).

691

"auditConfigs": [ # Specifies cloud audit logging configuration for this policy.

692

{ # Specifies the audit configuration for a service.

693

# The configuration determines which permission types are logged, and what

694

# identities, if any, are exempted from logging.

695

# An AuditConfig must have one or more AuditLogConfigs.

696

#

697

# If there are AuditConfigs for both `allServices` and a specific service,

698

# the union of the two AuditConfigs is used for that service: the log_types

699

# specified in each AuditConfig are enabled, and the exempted_members in each

700

# AuditLogConfig are exempted.

701

#

702

# Example Policy with multiple AuditConfigs:

#

# {

# "audit_configs": [

# {

Bu Sun Kim

2020-07-22 17:02:09 -0700

[diff] [blame]

707

# "service": "allServices",

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

708

# "audit_log_configs": [

709

# {

710

# "log_type": "DATA_READ",

711

# "exempted_members": [

712

# "user:jose@example.com"

713

# ]

714

# },

715

# {

Bu Sun Kim

2020-07-22 17:02:09 -0700

[diff] [blame]

716

# "log_type": "DATA_WRITE"

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

717

# },

718

# {

Bu Sun Kim

2020-07-22 17:02:09 -0700

[diff] [blame]

719

# "log_type": "ADMIN_READ"

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

# }

# ]

# },

# {

Bu Sun Kim

2020-07-22 17:02:09 -0700

[diff] [blame]

724

# "service": "sampleservice.googleapis.com",

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

725

# "audit_log_configs": [

726

# {

Bu Sun Kim

2020-07-22 17:02:09 -0700

[diff] [blame]

727

# "log_type": "DATA_READ"

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

728

# },

729

# {

730

# "log_type": "DATA_WRITE",

731

# "exempted_members": [

732

# "user:aliya@example.com"

# ]

# }

# ]

# }

# ]

# }

#

# For sampleservice, this policy enables DATA_READ, DATA_WRITE and ADMIN_READ

741

# logging. It also exempts jose@example.com from DATA_READ logging, and

742

# aliya@example.com from DATA_WRITE logging.

Bu Sun Kim

2020-07-22 17:02:09 -0700

[diff] [blame]

743

"service": "A String", # Specifies a service that will be enabled for audit logging.

744

# For example, `storage.googleapis.com`, `cloudsql.googleapis.com`.

745

# `allServices` is a special value that covers all services.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

746

"auditLogConfigs": [ # The configuration for logging of each type of permission.

747

{ # Provides the configuration for logging a type of permissions.

# Example:

#

# {

# "audit_log_configs": [

752

# {

753

# "log_type": "DATA_READ",

754

# "exempted_members": [

755

# "user:jose@example.com"

756

# ]

757

# },

758

# {

Bu Sun Kim

2020-07-22 17:02:09 -0700

[diff] [blame]

759

# "log_type": "DATA_WRITE"

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

# }

# ]

# }

#

# This enables 'DATA_READ' and 'DATA_WRITE' logging, while exempting

765

# jose@example.com from DATA_READ logging.

Bu Sun Kim

2020-07-22 17:02:09 -0700

[diff] [blame]

766

"logType": "A String", # The log type that this config enables.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

767

"exemptedMembers": [ # Specifies the identities that do not cause logging for this type of

768

# permission.

769

# Follows the same format of Binding.members.

"A String",

],

},

],

},

],

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

}</pre>

</div>

Bu Sun Kim

2020-07-22 17:02:09 -0700

[diff] [blame]

780

<code class="details" id="list">list(parent, pageSize=None, pageToken=None, x__xgafv=None)</code>

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

781

<pre>Lists the health datasets in the current project.

782

783

Args:

784

parent: string, The name of the project whose datasets should be listed.

785

For example, `projects/{project_id}/locations/{location_id}`. (required)

786

pageSize: integer, The maximum number of items to return. Capped to 100 if not specified.

787

May not be larger than 1000.

Bu Sun Kim

2020-07-22 17:02:09 -0700

[diff] [blame]

788

pageToken: string, The next_page_token value returned from a previous List request, if any.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

789

x__xgafv: string, V1 error format.

Allowed values

1 - v1 error format

2 - v2 error format

Returns:

An object of the form:

796

797

{ # Lists the available datasets.

Bu Sun Kim

2020-07-22 17:02:09 -0700

[diff] [blame]

798

"nextPageToken": "A String", # Token to retrieve the next page of results, or empty if there are no

799

# more results in the list.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

800

"datasets": [ # The first page of datasets.

801

{ # A message representing a health dataset.

802

#

803

# A health dataset represents a collection of healthcare data pertaining to one

804

# or more patients. This may include multiple modalities of healthcare data,

805

# such as electronic medical records or medical imaging data.

806

"timeZone": "A String", # The default timezone used by this dataset. Must be a either a valid IANA

807

# time zone name such as "America/New_York" or empty, which defaults to UTC.

808

# This is used for parsing times in resources, such as HL7 messages, where no

809

# explicit timezone is specified.

Bu Sun Kim

2020-07-22 17:02:09 -0700

[diff] [blame]

810

"name": "A String", # Resource name of the dataset, of the form

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

811

# `projects/{project_id}/locations/{location_id}/datasets/{dataset_id}`.

812

},

813

],

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

}</pre>

</div>

<code class="details" id="list_next">list_next(previous_request, previous_response)</code>

819

<pre>Retrieves the next page of results.

820

821

Args:

822

previous_request: The request for the previous page. (required)

823

previous_response: The response from the request for the previous page. (required)

824

825

Returns:

826

A request object that you can call 'execute()' on to request the next

827

page. Returns None if there are no more items in the collection.

</pre>

</div>

<code class="details" id="patch">patch(name, body=None, updateMask=None, x__xgafv=None)</code>

833

<pre>Updates dataset metadata.

834

835

Args:

Bu Sun Kim

2020-07-22 17:02:09 -0700

[diff] [blame]

836

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

837

`projects/{project_id}/locations/{location_id}/datasets/{dataset_id}`. (required)

838

body: object, The request body.

839

The object takes the form of:

840

841

{ # A message representing a health dataset.

842

#

843

# A health dataset represents a collection of healthcare data pertaining to one

844

# or more patients. This may include multiple modalities of healthcare data,

845

# such as electronic medical records or medical imaging data.

846

"timeZone": "A String", # The default timezone used by this dataset. Must be a either a valid IANA

847

# time zone name such as "America/New_York" or empty, which defaults to UTC.

848

# This is used for parsing times in resources, such as HL7 messages, where no

849

# explicit timezone is specified.

Bu Sun Kim

2020-07-22 17:02:09 -0700

[diff] [blame]

850

"name": "A String", # Resource name of the dataset, of the form

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

851

# `projects/{project_id}/locations/{location_id}/datasets/{dataset_id}`.

852

}

853

854

updateMask: string, The update mask applies to the resource. For the `FieldMask` definition,

855

see

856

https://developers.google.com/protocol-buffers/docs/reference/google.protobuf#fieldmask

857

x__xgafv: string, V1 error format.

Allowed values

1 - v1 error format

2 - v2 error format

Returns:

An object of the form:

864

865

{ # A message representing a health dataset.

866

#

867

# A health dataset represents a collection of healthcare data pertaining to one

868

# or more patients. This may include multiple modalities of healthcare data,

869

# such as electronic medical records or medical imaging data.

870

"timeZone": "A String", # The default timezone used by this dataset. Must be a either a valid IANA

871

# time zone name such as "America/New_York" or empty, which defaults to UTC.

872

# This is used for parsing times in resources, such as HL7 messages, where no

873

# explicit timezone is specified.

Bu Sun Kim

2020-07-22 17:02:09 -0700

[diff] [blame]

874

"name": "A String", # Resource name of the dataset, of the form

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

875

# `projects/{project_id}/locations/{location_id}/datasets/{dataset_id}`.

}</pre>

</div>

<code class="details" id="setIamPolicy">setIamPolicy(resource, body=None, x__xgafv=None)</code>

881

<pre>Sets the access control policy on the specified resource. Replaces any

882

existing policy.

883

884

Can return `NOT_FOUND`, `INVALID_ARGUMENT`, and `PERMISSION_DENIED` errors.

885

886

Args:

887

resource: string, REQUIRED: The resource for which the policy is being specified.

888

See the operation documentation for the appropriate value for this field. (required)

889

body: object, The request body.

890

The object takes the form of:

891

892

{ # Request message for `SetIamPolicy` method.

893

"policy": { # An Identity and Access Management (IAM) policy, which specifies access # REQUIRED: The complete policy to be applied to the `resource`. The size of

894

# the policy is limited to a few 10s of KB. An empty policy is a

895

# valid policy but certain Cloud Platform services (such as Projects)

896

# might reject them.

897

# controls for Google Cloud resources.

898

#

899

#

900

# A `Policy` is a collection of `bindings`. A `binding` binds one or more

901

# `members` to a single `role`. Members can be user accounts, service accounts,

902

# Google groups, and domains (such as G Suite). A `role` is a named list of

903

# permissions; each `role` can be an IAM predefined role or a user-created

904

# custom role.

905

#

906

# For some types of Google Cloud resources, a `binding` can also specify a

907

# `condition`, which is a logical expression that allows access to a resource

908

# only if the expression evaluates to `true`. A condition can add constraints

909

# based on attributes of the request, the resource, or both. To learn which

910

# resources support conditions in their IAM policies, see the

911

# [IAM documentation](https://cloud.google.com/iam/help/conditions/resource-policies).

#

# **JSON example:**

#

# {

# "bindings": [

# {

# "role": "roles/resourcemanager.organizationAdmin",

919

# "members": [

920

# "user:mike@example.com",

921

# "group:admins@example.com",

922

# "domain:google.com",

923

# "serviceAccount:my-project-id@appspot.gserviceaccount.com"

# ]

# },

# {

# "role": "roles/resourcemanager.organizationViewer",

928

# "members": [

929

# "user:eve@example.com"

930

# ],

931

# "condition": {

932

# "title": "expirable access",

933

# "description": "Does not grant access after Sep 2020",

934

# "expression": "request.time < timestamp('2020-10-01T00:00:00.000Z')",

# }

# }

# ],

# "etag": "BwWWja0YfJA=",

# "version": 3

# }

#

# **YAML example:**

#

# bindings:

# - members:

# - user:mike@example.com

947

# - group:admins@example.com

948

# - domain:google.com

949

# - serviceAccount:my-project-id@appspot.gserviceaccount.com

950

# role: roles/resourcemanager.organizationAdmin

951

# - members:

952

# - user:eve@example.com

953

# role: roles/resourcemanager.organizationViewer

954

# condition:

955

# title: expirable access

956

# description: Does not grant access after Sep 2020

957

# expression: request.time < timestamp('2020-10-01T00:00:00.000Z')

958

# - etag: BwWWja0YfJA=

959

# - version: 3

960

#

961

# For a description of IAM and its features, see the

962

# [IAM documentation](https://cloud.google.com/iam/docs/).

Bu Sun Kim

2020-07-22 17:02:09 -0700

[diff] [blame]

963

"etag": "A String", # `etag` is used for optimistic concurrency control as a way to help

964

# prevent simultaneous updates of a policy from overwriting each other.

965

# It is strongly suggested that systems make use of the `etag` in the

966

# read-modify-write cycle to perform policy updates in order to avoid race

967

# conditions: An `etag` is returned in the response to `getIamPolicy`, and

968

# systems are expected to put that etag in the request to `setIamPolicy` to

969

# ensure that their change will be applied to the same version of the policy.

970

#

971

# **Important:** If you use IAM Conditions, you must include the `etag` field

972

# whenever you call `setIamPolicy`. If you omit this field, then IAM allows

973

# you to overwrite a version `3` policy with a version `1` policy, and all of

974

# the conditions in the version `3` policy are lost.

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

975

"bindings": [ # Associates a list of `members` to a `role`. Optionally, may specify a

976

# `condition` that determines how and when the `bindings` are applied. Each

977

# of the `bindings` must contain at least one member.

978

{ # Associates `members` with a `role`.

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

979

"condition": { # Represents a textual expression in the Common Expression Language (CEL) # The condition that is associated with this binding.

980

#

981

# If the condition evaluates to `true`, then this binding applies to the

982

# current request.

983

#

984

# If the condition evaluates to `false`, then this binding does not apply to

985

# the current request. However, a different role binding might grant the same

986

# role to one or more of the members in this binding.

987

#

988

# To learn which resources support conditions in their IAM policies, see the

989

# [IAM

990

# documentation](https://cloud.google.com/iam/help/conditions/resource-policies).

991

# syntax. CEL is a C-like expression language. The syntax and semantics of CEL

992

# are documented at https://github.com/google/cel-spec.

993

#

994

# Example (Comparison):

995

#

996

# title: "Summary size limit"

997

# description: "Determines if a summary is less than 100 chars"

998

# expression: "document.summary.size() < 100"

999

#

1000

# Example (Equality):

1001

#

1002

# title: "Requestor is owner"

1003

# description: "Determines if requestor is the document owner"

1004

# expression: "document.owner == request.auth.claims.email"

#

# Example (Logic):

#

# title: "Public documents"

1009

# description: "Determine whether the document should be publicly visible"

1010

# expression: "document.type != 'private' && document.type != 'internal'"

1011

#

1012

# Example (Data Manipulation):

1013

#

1014

# title: "Notification string"

1015

# description: "Create a notification string with a timestamp."

1016

# expression: "'New message received at ' + string(document.create_time)"

1017

#

1018

# The exact variables and functions that may be referenced within an expression

1019

# are determined by the service that evaluates it. See the service

1020

# documentation for additional information.

Bu Sun Kim

2020-07-22 17:02:09 -0700

[diff] [blame]

1021

"expression": "A String", # Textual representation of an expression in Common Expression Language

1022

# syntax.

1023

"location": "A String", # Optional. String indicating the location of the expression for error

1024

# reporting, e.g. a file name and a position in the file.

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

1025

"title": "A String", # Optional. Title for the expression, i.e. a short string describing

1026

# its purpose. This can be used e.g. in UIs which allow to enter the

1027

# expression.

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

1028

"description": "A String", # Optional. Description of the expression. This is a longer text which

1029

# describes the expression, e.g. when hovered over it in a UI.

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

1030

},

Bu Sun Kim

2020-07-22 17:02:09 -0700

[diff] [blame]

1031

"role": "A String", # Role that is assigned to `members`.

1032

# For example, `roles/viewer`, `roles/editor`, or `roles/owner`.

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

1033

"members": [ # Specifies the identities requesting access for a Cloud Platform resource.

1034

# `members` can have the following values:

1035

#

1036

# * `allUsers`: A special identifier that represents anyone who is

1037

# on the internet; with or without a Google account.

1038

#

1039

# * `allAuthenticatedUsers`: A special identifier that represents anyone

1040

# who is authenticated with a Google account or a service account.

1041

#

1042

# * `user:{emailid}`: An email address that represents a specific Google

1043

# account. For example, `alice@example.com` .

1044

#

1045

#

1046

# * `serviceAccount:{emailid}`: An email address that represents a service

1047

# account. For example, `my-other-app@appspot.gserviceaccount.com`.

1048

#

1049

# * `group:{emailid}`: An email address that represents a Google group.

1050

# For example, `admins@example.com`.

1051

#

1052

# * `deleted:user:{emailid}?uid={uniqueid}`: An email address (plus unique

1053

# identifier) representing a user that has been recently deleted. For

1054

# example, `alice@example.com?uid=123456789012345678901`. If the user is

1055

# recovered, this value reverts to `user:{emailid}` and the recovered user

1056

# retains the role in the binding.

1057

#

1058

# * `deleted:serviceAccount:{emailid}?uid={uniqueid}`: An email address (plus

1059

# unique identifier) representing a service account that has been recently

1060

# deleted. For example,

1061

# `my-other-app@appspot.gserviceaccount.com?uid=123456789012345678901`.

1062

# If the service account is undeleted, this value reverts to

1063

# `serviceAccount:{emailid}` and the undeleted service account retains the

1064

# role in the binding.

1065

#

1066

# * `deleted:group:{emailid}?uid={uniqueid}`: An email address (plus unique

1067

# identifier) representing a Google group that has been recently

1068

# deleted. For example, `admins@example.com?uid=123456789012345678901`. If

1069

# the group is recovered, this value reverts to `group:{emailid}` and the

1070

# recovered group retains the role in the binding.

1071

#

1072

#

1073

# * `domain:{domain}`: The G Suite domain (primary) that represents all the

1074

# users of that domain. For example, `google.com` or `example.com`.

#

"A String",

],

},

],

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

1080

"version": 42, # Specifies the format of the policy.

1081

#

1082

# Valid values are `0`, `1`, and `3`. Requests that specify an invalid value

1083

# are rejected.

1084

#

1085

# Any operation that affects conditional role bindings must specify version

1086

# `3`. This requirement applies to the following operations:

1087

#

1088

# * Getting a policy that includes a conditional role binding

1089

# * Adding a conditional role binding to a policy

1090

# * Changing a conditional role binding in a policy

1091

# * Removing any role binding, with or without a condition, from a policy

1092

# that includes conditions

1093

#

1094

# **Important:** If you use IAM Conditions, you must include the `etag` field

1095

# whenever you call `setIamPolicy`. If you omit this field, then IAM allows

1096

# you to overwrite a version `3` policy with a version `1` policy, and all of

1097

# the conditions in the version `3` policy are lost.

1098

#

1099

# If a policy does not include any conditions, operations on that policy may

1100

# specify any valid version or leave the field unset.

1101

#

1102

# To learn which resources support conditions in their IAM policies, see the

1103

# [IAM documentation](https://cloud.google.com/iam/help/conditions/resource-policies).

1104

"auditConfigs": [ # Specifies cloud audit logging configuration for this policy.

1105

{ # Specifies the audit configuration for a service.

1106

# The configuration determines which permission types are logged, and what

1107

# identities, if any, are exempted from logging.

1108

# An AuditConfig must have one or more AuditLogConfigs.

1109

#

1110

# If there are AuditConfigs for both `allServices` and a specific service,

1111

# the union of the two AuditConfigs is used for that service: the log_types

1112

# specified in each AuditConfig are enabled, and the exempted_members in each

1113

# AuditLogConfig are exempted.

1114

#

1115

# Example Policy with multiple AuditConfigs:

#

# {

# "audit_configs": [

# {

Bu Sun Kim

2020-07-22 17:02:09 -0700

[diff] [blame]

1120

# "service": "allServices",

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

1121

# "audit_log_configs": [

1122

# {

1123

# "log_type": "DATA_READ",

1124

# "exempted_members": [

1125

# "user:jose@example.com"

1126

# ]

1127

# },

1128

# {

Bu Sun Kim

2020-07-22 17:02:09 -0700

[diff] [blame]

1129

# "log_type": "DATA_WRITE"

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

1130

# },

1131

# {

Bu Sun Kim

2020-07-22 17:02:09 -0700

[diff] [blame]

1132

# "log_type": "ADMIN_READ"

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

# }

# ]

# },

# {

Bu Sun Kim

2020-07-22 17:02:09 -0700

[diff] [blame]

1137

# "service": "sampleservice.googleapis.com",

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

1138

# "audit_log_configs": [

1139

# {

Bu Sun Kim

2020-07-22 17:02:09 -0700

[diff] [blame]

1140

# "log_type": "DATA_READ"

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

1141

# },

1142

# {

1143

# "log_type": "DATA_WRITE",

1144

# "exempted_members": [

1145

# "user:aliya@example.com"

# ]

# }

# ]

# }

# ]

# }

#

# For sampleservice, this policy enables DATA_READ, DATA_WRITE and ADMIN_READ

1154

# logging. It also exempts jose@example.com from DATA_READ logging, and

1155

# aliya@example.com from DATA_WRITE logging.

Bu Sun Kim

2020-07-22 17:02:09 -0700

[diff] [blame]

1156

"service": "A String", # Specifies a service that will be enabled for audit logging.

1157

# For example, `storage.googleapis.com`, `cloudsql.googleapis.com`.

1158

# `allServices` is a special value that covers all services.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

1159

"auditLogConfigs": [ # The configuration for logging of each type of permission.

1160

{ # Provides the configuration for logging a type of permissions.

# Example:

#

# {

# "audit_log_configs": [

1165

# {

1166

# "log_type": "DATA_READ",

1167

# "exempted_members": [

1168

# "user:jose@example.com"

1169

# ]

1170

# },

1171

# {

Bu Sun Kim

2020-07-22 17:02:09 -0700

[diff] [blame]

1172

# "log_type": "DATA_WRITE"

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

# }

# ]

# }

#

# This enables 'DATA_READ' and 'DATA_WRITE' logging, while exempting

1178

# jose@example.com from DATA_READ logging.

Bu Sun Kim

2020-07-22 17:02:09 -0700

[diff] [blame]

1179

"logType": "A String", # The log type that this config enables.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

1180

"exemptedMembers": [ # Specifies the identities that do not cause logging for this type of

1181

# permission.

1182

# Follows the same format of Binding.members.

"A String",

],

},

],

},

],

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

1189

},

1190

"updateMask": "A String", # OPTIONAL: A FieldMask specifying which fields of the policy to modify. Only

1191

# the fields in the mask will be modified. If no mask is provided, the

1192

# following default mask is used:

1193

#

1194

# `paths: "bindings, etag"`

1195

}

1196

1197

x__xgafv: string, V1 error format.

Allowed values

1 - v1 error format

2 - v2 error format

Returns:

An object of the form:

1204

1205

{ # An Identity and Access Management (IAM) policy, which specifies access

1206

# controls for Google Cloud resources.

1207

#

1208

#

1209

# A `Policy` is a collection of `bindings`. A `binding` binds one or more

1210

# `members` to a single `role`. Members can be user accounts, service accounts,

1211

# Google groups, and domains (such as G Suite). A `role` is a named list of

1212

# permissions; each `role` can be an IAM predefined role or a user-created

1213

# custom role.

1214

#

1215

# For some types of Google Cloud resources, a `binding` can also specify a

1216

# `condition`, which is a logical expression that allows access to a resource

1217

# only if the expression evaluates to `true`. A condition can add constraints

1218

# based on attributes of the request, the resource, or both. To learn which

1219

# resources support conditions in their IAM policies, see the

1220

# [IAM documentation](https://cloud.google.com/iam/help/conditions/resource-policies).

#

# **JSON example:**

#

# {

# "bindings": [

# {

# "role": "roles/resourcemanager.organizationAdmin",

1228

# "members": [

1229

# "user:mike@example.com",

1230

# "group:admins@example.com",

1231

# "domain:google.com",

1232

# "serviceAccount:my-project-id@appspot.gserviceaccount.com"

# ]

# },

# {

# "role": "roles/resourcemanager.organizationViewer",

1237

# "members": [

1238

# "user:eve@example.com"

1239

# ],

1240

# "condition": {

1241

# "title": "expirable access",

1242

# "description": "Does not grant access after Sep 2020",

1243

# "expression": "request.time < timestamp('2020-10-01T00:00:00.000Z')",

# }

# }

# ],

# "etag": "BwWWja0YfJA=",

# "version": 3

# }

#

# **YAML example:**

#

# bindings:

# - members:

# - user:mike@example.com

1256

# - group:admins@example.com

1257

# - domain:google.com

1258

# - serviceAccount:my-project-id@appspot.gserviceaccount.com

1259

# role: roles/resourcemanager.organizationAdmin

1260

# - members:

1261

# - user:eve@example.com

1262

# role: roles/resourcemanager.organizationViewer

1263

# condition:

1264

# title: expirable access

1265

# description: Does not grant access after Sep 2020

1266

# expression: request.time < timestamp('2020-10-01T00:00:00.000Z')

1267

# - etag: BwWWja0YfJA=

1268

# - version: 3

1269

#

1270

# For a description of IAM and its features, see the

1271

# [IAM documentation](https://cloud.google.com/iam/docs/).

Bu Sun Kim

2020-07-22 17:02:09 -0700

[diff] [blame]

1272

"etag": "A String", # `etag` is used for optimistic concurrency control as a way to help

1273

# prevent simultaneous updates of a policy from overwriting each other.

1274

# It is strongly suggested that systems make use of the `etag` in the

1275

# read-modify-write cycle to perform policy updates in order to avoid race

1276

# conditions: An `etag` is returned in the response to `getIamPolicy`, and

1277

# systems are expected to put that etag in the request to `setIamPolicy` to

1278

# ensure that their change will be applied to the same version of the policy.

1279

#

1280

# **Important:** If you use IAM Conditions, you must include the `etag` field

1281

# whenever you call `setIamPolicy`. If you omit this field, then IAM allows

1282

# you to overwrite a version `3` policy with a version `1` policy, and all of

1283

# the conditions in the version `3` policy are lost.

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

1284

"bindings": [ # Associates a list of `members` to a `role`. Optionally, may specify a

1285

# `condition` that determines how and when the `bindings` are applied. Each

1286

# of the `bindings` must contain at least one member.

1287

{ # Associates `members` with a `role`.

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

1288

"condition": { # Represents a textual expression in the Common Expression Language (CEL) # The condition that is associated with this binding.

1289

#

1290

# If the condition evaluates to `true`, then this binding applies to the

1291

# current request.

1292

#

1293

# If the condition evaluates to `false`, then this binding does not apply to

1294

# the current request. However, a different role binding might grant the same

1295

# role to one or more of the members in this binding.

1296

#

1297

# To learn which resources support conditions in their IAM policies, see the

1298

# [IAM

1299

# documentation](https://cloud.google.com/iam/help/conditions/resource-policies).

1300

# syntax. CEL is a C-like expression language. The syntax and semantics of CEL

1301

# are documented at https://github.com/google/cel-spec.

1302

#

1303

# Example (Comparison):

1304

#

1305

# title: "Summary size limit"

1306

# description: "Determines if a summary is less than 100 chars"

1307

# expression: "document.summary.size() < 100"

1308

#

1309

# Example (Equality):

1310

#

1311

# title: "Requestor is owner"

1312

# description: "Determines if requestor is the document owner"

1313

# expression: "document.owner == request.auth.claims.email"

#

# Example (Logic):

#

# title: "Public documents"

1318

# description: "Determine whether the document should be publicly visible"

1319

# expression: "document.type != 'private' && document.type != 'internal'"

1320

#

1321

# Example (Data Manipulation):

1322

#

1323

# title: "Notification string"

1324

# description: "Create a notification string with a timestamp."

1325

# expression: "'New message received at ' + string(document.create_time)"

1326

#

1327

# The exact variables and functions that may be referenced within an expression

1328

# are determined by the service that evaluates it. See the service

1329

# documentation for additional information.

Bu Sun Kim

2020-07-22 17:02:09 -0700

[diff] [blame]

1330

"expression": "A String", # Textual representation of an expression in Common Expression Language

1331

# syntax.

1332

"location": "A String", # Optional. String indicating the location of the expression for error

1333

# reporting, e.g. a file name and a position in the file.

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

1334

"title": "A String", # Optional. Title for the expression, i.e. a short string describing

1335

# its purpose. This can be used e.g. in UIs which allow to enter the

1336

# expression.

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

1337

"description": "A String", # Optional. Description of the expression. This is a longer text which

1338

# describes the expression, e.g. when hovered over it in a UI.

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

1339

},

Bu Sun Kim

2020-07-22 17:02:09 -0700

[diff] [blame]

1340

"role": "A String", # Role that is assigned to `members`.

1341

# For example, `roles/viewer`, `roles/editor`, or `roles/owner`.

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

1342

"members": [ # Specifies the identities requesting access for a Cloud Platform resource.

1343

# `members` can have the following values:

1344

#

1345

# * `allUsers`: A special identifier that represents anyone who is

1346

# on the internet; with or without a Google account.

1347

#

1348

# * `allAuthenticatedUsers`: A special identifier that represents anyone

1349

# who is authenticated with a Google account or a service account.

1350

#

1351

# * `user:{emailid}`: An email address that represents a specific Google

1352

# account. For example, `alice@example.com` .

1353

#

1354

#

1355

# * `serviceAccount:{emailid}`: An email address that represents a service

1356

# account. For example, `my-other-app@appspot.gserviceaccount.com`.

1357

#

1358

# * `group:{emailid}`: An email address that represents a Google group.

1359

# For example, `admins@example.com`.

1360

#

1361

# * `deleted:user:{emailid}?uid={uniqueid}`: An email address (plus unique

1362

# identifier) representing a user that has been recently deleted. For

1363

# example, `alice@example.com?uid=123456789012345678901`. If the user is

1364

# recovered, this value reverts to `user:{emailid}` and the recovered user

1365

# retains the role in the binding.

1366

#

1367

# * `deleted:serviceAccount:{emailid}?uid={uniqueid}`: An email address (plus

1368

# unique identifier) representing a service account that has been recently

1369

# deleted. For example,

1370

# `my-other-app@appspot.gserviceaccount.com?uid=123456789012345678901`.

1371

# If the service account is undeleted, this value reverts to

1372

# `serviceAccount:{emailid}` and the undeleted service account retains the

1373

# role in the binding.

1374

#

1375

# * `deleted:group:{emailid}?uid={uniqueid}`: An email address (plus unique

1376

# identifier) representing a Google group that has been recently

1377

# deleted. For example, `admins@example.com?uid=123456789012345678901`. If

1378

# the group is recovered, this value reverts to `group:{emailid}` and the

1379

# recovered group retains the role in the binding.

1380

#

1381

#

1382

# * `domain:{domain}`: The G Suite domain (primary) that represents all the

1383

# users of that domain. For example, `google.com` or `example.com`.

#

"A String",

],

},

],

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

1389

"version": 42, # Specifies the format of the policy.

1390

#

1391

# Valid values are `0`, `1`, and `3`. Requests that specify an invalid value

1392

# are rejected.

1393

#

1394

# Any operation that affects conditional role bindings must specify version

1395

# `3`. This requirement applies to the following operations:

1396

#

1397

# * Getting a policy that includes a conditional role binding

1398

# * Adding a conditional role binding to a policy

1399

# * Changing a conditional role binding in a policy

1400

# * Removing any role binding, with or without a condition, from a policy

1401

# that includes conditions

1402

#

1403

# **Important:** If you use IAM Conditions, you must include the `etag` field

1404

# whenever you call `setIamPolicy`. If you omit this field, then IAM allows

1405

# you to overwrite a version `3` policy with a version `1` policy, and all of

1406

# the conditions in the version `3` policy are lost.

1407

#

1408

# If a policy does not include any conditions, operations on that policy may

1409

# specify any valid version or leave the field unset.

1410

#

1411

# To learn which resources support conditions in their IAM policies, see the

1412

# [IAM documentation](https://cloud.google.com/iam/help/conditions/resource-policies).

1413

"auditConfigs": [ # Specifies cloud audit logging configuration for this policy.

1414

{ # Specifies the audit configuration for a service.

1415

# The configuration determines which permission types are logged, and what

1416

# identities, if any, are exempted from logging.

1417

# An AuditConfig must have one or more AuditLogConfigs.

1418

#

1419

# If there are AuditConfigs for both `allServices` and a specific service,

1420

# the union of the two AuditConfigs is used for that service: the log_types

1421

# specified in each AuditConfig are enabled, and the exempted_members in each

1422

# AuditLogConfig are exempted.

1423

#

1424

# Example Policy with multiple AuditConfigs:

#

# {

# "audit_configs": [

# {

Bu Sun Kim

2020-07-22 17:02:09 -0700

[diff] [blame]

1429

# "service": "allServices",

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

1430

# "audit_log_configs": [

1431

# {

1432

# "log_type": "DATA_READ",

1433

# "exempted_members": [

1434

# "user:jose@example.com"

1435

# ]

1436

# },

1437

# {

Bu Sun Kim

2020-07-22 17:02:09 -0700

[diff] [blame]

1438

# "log_type": "DATA_WRITE"

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

1439

# },

1440

# {

Bu Sun Kim

2020-07-22 17:02:09 -0700

[diff] [blame]

1441

# "log_type": "ADMIN_READ"

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

# }

# ]

# },

# {

Bu Sun Kim

2020-07-22 17:02:09 -0700

[diff] [blame]

1446

# "service": "sampleservice.googleapis.com",

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

1447

# "audit_log_configs": [

1448

# {

Bu Sun Kim

2020-07-22 17:02:09 -0700

[diff] [blame]

1449

# "log_type": "DATA_READ"

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

1450

# },

1451

# {

1452

# "log_type": "DATA_WRITE",

1453

# "exempted_members": [

1454

# "user:aliya@example.com"

# ]

# }

# ]

# }

# ]

# }

#

# For sampleservice, this policy enables DATA_READ, DATA_WRITE and ADMIN_READ

1463

# logging. It also exempts jose@example.com from DATA_READ logging, and

1464

# aliya@example.com from DATA_WRITE logging.

Bu Sun Kim

2020-07-22 17:02:09 -0700

[diff] [blame]

1465

"service": "A String", # Specifies a service that will be enabled for audit logging.

1466

# For example, `storage.googleapis.com`, `cloudsql.googleapis.com`.

1467

# `allServices` is a special value that covers all services.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

1468

"auditLogConfigs": [ # The configuration for logging of each type of permission.

1469

{ # Provides the configuration for logging a type of permissions.

# Example:

#

# {

# "audit_log_configs": [

1474

# {

1475

# "log_type": "DATA_READ",

1476

# "exempted_members": [

1477

# "user:jose@example.com"

1478

# ]

1479

# },

1480

# {

Bu Sun Kim

2020-07-22 17:02:09 -0700

[diff] [blame]

1481

# "log_type": "DATA_WRITE"

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

# }

# ]

# }

#

# This enables 'DATA_READ' and 'DATA_WRITE' logging, while exempting

1487

# jose@example.com from DATA_READ logging.

Bu Sun Kim

2020-07-22 17:02:09 -0700

[diff] [blame]

1488

"logType": "A String", # The log type that this config enables.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

1489

"exemptedMembers": [ # Specifies the identities that do not cause logging for this type of

1490

# permission.

1491

# Follows the same format of Binding.members.

"A String",

],

},

],

},

],

Bu Sun Kim