Blame - docs/dyn/dlp_v2.projects.content.html - platform/external/python/google-api-python-client

2020-10-06 16:46:05 -0700

[diff] [blame^]

78

<code><a href="#close">close()</a></code></p>

79

<p class="firstline">Close httplib2 connections.</p>

80

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

81

<code><a href="#deidentify">deidentify(parent, body=None, x__xgafv=None)</a></code></p>

Dmitry Frenkel

2020-10-06 16:46:05 -0700

[diff] [blame^]

82

<p class="firstline">De-identifies potentially sensitive info from a ContentItem. This method has limits on input size and output size. See https://cloud.google.com/dlp/docs/deidentify-sensitive-data to learn more. When no InfoTypes or CustomInfoTypes are specified in this request, the system will automatically choose what detectors to run. By default this may be all types, but may change over time as detectors are updated.</p>

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

83

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

84

<code><a href="#inspect">inspect(parent, body=None, x__xgafv=None)</a></code></p>

Dmitry Frenkel

2020-10-06 16:46:05 -0700

[diff] [blame^]

85

<p class="firstline">Finds potentially sensitive info in content. This method has limits on input size, processing time, and output size. When no InfoTypes or CustomInfoTypes are specified in this request, the system will automatically choose what detectors to run. By default this may be all types, but may change over time as detectors are updated. For how to guides, see https://cloud.google.com/dlp/docs/inspecting-images and https://cloud.google.com/dlp/docs/inspecting-text,</p>

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

86

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

87

<code><a href="#reidentify">reidentify(parent, body=None, x__xgafv=None)</a></code></p>

Dmitry Frenkel

2020-10-06 16:46:05 -0700

[diff] [blame^]

88

<p class="firstline">Re-identifies content that has been de-identified. See https://cloud.google.com/dlp/docs/pseudonymization#re-identification_in_free_text_code_example to learn more.</p>

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

89

<h3>Method Details</h3>

90

Dmitry Frenkel

2020-10-06 16:46:05 -0700

[diff] [blame^]

91

<code class="details" id="close">close()</code>

92

<pre>Close httplib2 connections.</pre>

93

</div>

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

94

Dmitry Frenkel

2020-10-06 16:46:05 -0700

[diff] [blame^]

95

96

<code class="details" id="deidentify">deidentify(parent, body=None, x__xgafv=None)</code>

97

<pre>De-identifies potentially sensitive info from a ContentItem. This method has limits on input size and output size. See https://cloud.google.com/dlp/docs/deidentify-sensitive-data to learn more. When no InfoTypes or CustomInfoTypes are specified in this request, the system will automatically choose what detectors to run. By default this may be all types, but may change over time as detectors are updated.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

98

99

Args:

Dmitry Frenkel

2020-10-06 16:46:05 -0700

[diff] [blame^]

100

parent: string, Parent resource name. The format of this value varies depending on whether you have [specified a processing location](https://cloud.google.com/dlp/docs/specifying-location): + Projects scope, location specified: `projects/`PROJECT_ID`/locations/`LOCATION_ID + Projects scope, no location specified (defaults to global): `projects/`PROJECT_ID The following example `parent` string specifies a parent project with the identifier `example-project`, and specifies the `europe-west3` location for processing data: parent=projects/example-project/locations/europe-west3 (required)

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

101

body: object, The request body.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

102

The object takes the form of:

103

104

{ # Request to de-identify a list of items.

Dmitry Frenkel

2020-10-06 16:46:05 -0700

[diff] [blame^]

105

"deidentifyTemplateName": "A String", # Template to use. Any configuration directly specified in deidentify_config will override those set in the template. Singular fields that are set in this request will replace their corresponding fields in the template. Repeated fields are appended. Singular sub-messages and groups are recursively merged.

106

"inspectConfig": { # Configuration description of the scanning process. When used with redactContent only info_types and min_likelihood are currently used. # Configuration for the inspector. Items specified here will override the template referenced by the inspect_template_name argument.

107

"ruleSet": [ # Set of rules to apply to the findings for this InspectConfig. Exclusion rules, contained in the set are executed in the end, other rules are executed in the order they are specified for each info type.

108

{ # Rule set for modifying a set of infoTypes to alter behavior under certain circumstances, depending on the specific details of the rules within the set.

109

"infoTypes": [ # List of infoTypes this rule set is applied to.

110

{ # Type of information detected by the API.

111

"name": "A String", # Name of the information type. Either a name of your choosing when creating a CustomInfoType, or one of the names listed at https://cloud.google.com/dlp/docs/infotypes-reference when specifying a built-in type. When sending Cloud DLP results to Data Catalog, infoType names should conform to the pattern `[A-Za-z0-9$-_]{1,64}`.

112

},

113

],

114

"rules": [ # Set of rules to be applied to infoTypes. The rules are applied in order.

115

{ # A single inspection rule to be applied to infoTypes, specified in `InspectionRuleSet`.

116

"exclusionRule": { # The rule that specifies conditions when findings of infoTypes specified in `InspectionRuleSet` are removed from results. # Exclusion rule.

117

"dictionary": { # Custom information type based on a dictionary of words or phrases. This can be used to match sensitive information specific to the data, such as a list of employee IDs or job titles. Dictionary words are case-insensitive and all characters other than letters and digits in the unicode [Basic Multilingual Plane](https://en.wikipedia.org/wiki/Plane_%28Unicode%29#Basic_Multilingual_Plane) will be replaced with whitespace when scanning for matches, so the dictionary phrase "Sam Johnson" will match all three phrases "sam johnson", "Sam, Johnson", and "Sam (Johnson)". Additionally, the characters surrounding any match must be of a different type than the adjacent characters within the word, so letters must be next to non-letters and digits next to non-digits. For example, the dictionary word "jen" will match the first three letters of the text "jen123" but will return no matches for "jennifer". Dictionary words containing a large number of characters that are not letters or digits may result in unexpected findings because such characters are treated as whitespace. The [limits](https://cloud.google.com/dlp/limits) page contains details about the size limits of dictionaries. For dictionaries that do not fit within these constraints, consider using `LargeCustomDictionaryConfig` in the `StoredInfoType` API. # Dictionary which defines the rule.

118

"cloudStoragePath": { # Message representing a single file or path in Cloud Storage. # Newline-delimited file of words in Cloud Storage. Only a single file is accepted.

119

"path": "A String", # A url representing a file or path (no wildcards) in Cloud Storage. Example: gs://[BUCKET_NAME]/dictionary.txt

120

},

121

"wordList": { # Message defining a list of words or phrases to search for in the data. # List of words or phrases to search for.

122

"words": [ # Words or phrases defining the dictionary. The dictionary must contain at least one phrase and every phrase must contain at least 2 characters that are letters or digits. [required]

"A String",

],

},

},

"excludeInfoTypes": { # List of exclude infoTypes. # Set of infoTypes for which findings would affect this rule.

128

"infoTypes": [ # InfoType list in ExclusionRule rule drops a finding when it overlaps or contained within with a finding of an infoType from this list. For example, for `InspectionRuleSet.info_types` containing "PHONE_NUMBER"` and `exclusion_rule` containing `exclude_info_types.info_types` with "EMAIL_ADDRESS" the phone number findings are dropped if they overlap with EMAIL_ADDRESS finding. That leads to "555-222-2222@example.org" to generate only a single finding, namely email address.

129

{ # Type of information detected by the API.

130

"name": "A String", # Name of the information type. Either a name of your choosing when creating a CustomInfoType, or one of the names listed at https://cloud.google.com/dlp/docs/infotypes-reference when specifying a built-in type. When sending Cloud DLP results to Data Catalog, infoType names should conform to the pattern `[A-Za-z0-9$-_]{1,64}`.

},

],

},

"regex": { # Message defining a custom regular expression. # Regular expression which defines the rule.

135

"pattern": "A String", # Pattern defining the regular expression. Its syntax (https://github.com/google/re2/wiki/Syntax) can be found under the google/re2 repository on GitHub.

136

"groupIndexes": [ # The index of the submatch to extract as findings. When not specified, the entire match is returned. No more than 3 may be included.

42,

],

},

"matchingType": "A String", # How the rule is applied, see MatchingType documentation for details.

141

},

142

"hotwordRule": { # The rule that adjusts the likelihood of findings within a certain proximity of hotwords. # Hotword-based detection rule.

143

"proximity": { # Message for specifying a window around a finding to apply a detection rule. # Proximity of the finding within which the entire hotword must reside. The total length of the window cannot exceed 1000 characters. Note that the finding itself will be included in the window, so that hotwords may be used to match substrings of the finding itself. For example, the certainty of a phone number regex "$\d{3}$ \d{3}-\d{4}" could be adjusted upwards if the area code is known to be the local area code of a company office using the hotword regex "$xxx$", where "xxx" is the area code in question.

144

"windowAfter": 42, # Number of characters after the finding to consider.

145

"windowBefore": 42, # Number of characters before the finding to consider.

146

},

147

"likelihoodAdjustment": { # Message for specifying an adjustment to the likelihood of a finding as part of a detection rule. # Likelihood adjustment to apply to all matching findings.

148

"relativeLikelihood": 42, # Increase or decrease the likelihood by the specified number of levels. For example, if a finding would be `POSSIBLE` without the detection rule and `relative_likelihood` is 1, then it is upgraded to `LIKELY`, while a value of -1 would downgrade it to `UNLIKELY`. Likelihood may never drop below `VERY_UNLIKELY` or exceed `VERY_LIKELY`, so applying an adjustment of 1 followed by an adjustment of -1 when base likelihood is `VERY_LIKELY` will result in a final likelihood of `LIKELY`.

149

"fixedLikelihood": "A String", # Set the likelihood of a finding to a fixed value.

150

},

151

"hotwordRegex": { # Message defining a custom regular expression. # Regular expression pattern defining what qualifies as a hotword.

152

"pattern": "A String", # Pattern defining the regular expression. Its syntax (https://github.com/google/re2/wiki/Syntax) can be found under the google/re2 repository on GitHub.

153

"groupIndexes": [ # The index of the submatch to extract as findings. When not specified, the entire match is returned. No more than 3 may be included.

42,

],

},

},

},

],

},

],

"infoTypes": [ # Restricts what info_types to look for. The values must correspond to InfoType values returned by ListInfoTypes or listed at https://cloud.google.com/dlp/docs/infotypes-reference. When no InfoTypes or CustomInfoTypes are specified in a request, the system may automatically choose what detectors to run. By default this may be all types, but may change over time as detectors are updated. If you need precise control and predictability as to what detectors are run you should specify specific InfoTypes listed in the reference, otherwise a default list will be used, which may change over time.

163

{ # Type of information detected by the API.

164

"name": "A String", # Name of the information type. Either a name of your choosing when creating a CustomInfoType, or one of the names listed at https://cloud.google.com/dlp/docs/infotypes-reference when specifying a built-in type. When sending Cloud DLP results to Data Catalog, infoType names should conform to the pattern `[A-Za-z0-9$-_]{1,64}`.

165

},

166

],

167

"minLikelihood": "A String", # Only returns findings equal or above this threshold. The default is POSSIBLE. See https://cloud.google.com/dlp/docs/likelihood to learn more.

168

"contentOptions": [ # List of options defining data content to scan. If empty, text, images, and other content will be included.

169

"A String",

170

],

171

"limits": { # Configuration to control the number of findings returned. # Configuration to control the number of findings returned.

172

"maxFindingsPerRequest": 42, # Max number of findings that will be returned per request/job. When set within `InspectContentRequest`, the maximum returned is 2000 regardless if this is set higher.

173

"maxFindingsPerInfoType": [ # Configuration of findings limit given for specified infoTypes.

174

{ # Max findings configuration per infoType, per content item or long running DlpJob.

175

"maxFindings": 42, # Max findings limit for the given infoType.

176

"infoType": { # Type of information detected by the API. # Type of information the findings limit applies to. Only one limit per info_type should be provided. If InfoTypeLimit does not have an info_type, the DLP API applies the limit against all info_types that are found but not specified in another InfoTypeLimit.

177

"name": "A String", # Name of the information type. Either a name of your choosing when creating a CustomInfoType, or one of the names listed at https://cloud.google.com/dlp/docs/infotypes-reference when specifying a built-in type. When sending Cloud DLP results to Data Catalog, infoType names should conform to the pattern `[A-Za-z0-9$-_]{1,64}`.

},

},

],

"maxFindingsPerItem": 42, # Max number of findings that will be returned for each item scanned. When set within `InspectJobConfig`, the maximum returned is 2000 regardless if this is set higher. When set within `InspectContentRequest`, this field is ignored.

182

},

183

"excludeInfoTypes": True or False, # When true, excludes type information of the findings.

184

"includeQuote": True or False, # When true, a contextual quote from the data that triggered a finding is included in the response; see Finding.quote.

185

"customInfoTypes": [ # CustomInfoTypes provided by the user. See https://cloud.google.com/dlp/docs/creating-custom-infotypes to learn more.

186

{ # Custom information type provided by the user. Used to find domain-specific sensitive information configurable to the data in question.

187

"exclusionType": "A String", # If set to EXCLUSION_TYPE_EXCLUDE this infoType will not cause a finding to be returned. It still can be used for rules matching.

188

"detectionRules": [ # Set of detection rules to apply to all findings of this CustomInfoType. Rules are applied in order that they are specified. Not supported for the `surrogate_type` CustomInfoType.

189

{ # Deprecated; use `InspectionRuleSet` instead. Rule for modifying a `CustomInfoType` to alter behavior under certain circumstances, depending on the specific details of the rule. Not supported for the `surrogate_type` custom infoType.

190

"hotwordRule": { # The rule that adjusts the likelihood of findings within a certain proximity of hotwords. # Hotword-based detection rule.

191

"proximity": { # Message for specifying a window around a finding to apply a detection rule. # Proximity of the finding within which the entire hotword must reside. The total length of the window cannot exceed 1000 characters. Note that the finding itself will be included in the window, so that hotwords may be used to match substrings of the finding itself. For example, the certainty of a phone number regex "$\d{3}$ \d{3}-\d{4}" could be adjusted upwards if the area code is known to be the local area code of a company office using the hotword regex "$xxx$", where "xxx" is the area code in question.

192

"windowAfter": 42, # Number of characters after the finding to consider.

193

"windowBefore": 42, # Number of characters before the finding to consider.

194

},

195

"likelihoodAdjustment": { # Message for specifying an adjustment to the likelihood of a finding as part of a detection rule. # Likelihood adjustment to apply to all matching findings.

196

"relativeLikelihood": 42, # Increase or decrease the likelihood by the specified number of levels. For example, if a finding would be `POSSIBLE` without the detection rule and `relative_likelihood` is 1, then it is upgraded to `LIKELY`, while a value of -1 would downgrade it to `UNLIKELY`. Likelihood may never drop below `VERY_UNLIKELY` or exceed `VERY_LIKELY`, so applying an adjustment of 1 followed by an adjustment of -1 when base likelihood is `VERY_LIKELY` will result in a final likelihood of `LIKELY`.

197

"fixedLikelihood": "A String", # Set the likelihood of a finding to a fixed value.

198

},

199

"hotwordRegex": { # Message defining a custom regular expression. # Regular expression pattern defining what qualifies as a hotword.

200

"pattern": "A String", # Pattern defining the regular expression. Its syntax (https://github.com/google/re2/wiki/Syntax) can be found under the google/re2 repository on GitHub.

201

"groupIndexes": [ # The index of the submatch to extract as findings. When not specified, the entire match is returned. No more than 3 may be included.

42,

],

},

},

},

],

"regex": { # Message defining a custom regular expression. # Regular expression based CustomInfoType.

209

"pattern": "A String", # Pattern defining the regular expression. Its syntax (https://github.com/google/re2/wiki/Syntax) can be found under the google/re2 repository on GitHub.

210

"groupIndexes": [ # The index of the submatch to extract as findings. When not specified, the entire match is returned. No more than 3 may be included.

42,

],

},

"surrogateType": { # Message for detecting output from deidentification transformations such as [`CryptoReplaceFfxFpeConfig`](https://cloud.google.com/dlp/docs/reference/rest/v2/organizations.deidentifyTemplates#cryptoreplaceffxfpeconfig). These types of transformations are those that perform pseudonymization, thereby producing a "surrogate" as output. This should be used in conjunction with a field on the transformation such as `surrogate_info_type`. This CustomInfoType does not support the use of `detection_rules`. # Message for detecting output from deidentification transformations that support reversing.

215

},

216

"infoType": { # Type of information detected by the API. # CustomInfoType can either be a new infoType, or an extension of built-in infoType, when the name matches one of existing infoTypes and that infoType is specified in `InspectContent.info_types` field. Specifying the latter adds findings to the one detected by the system. If built-in info type is not specified in `InspectContent.info_types` list then the name is treated as a custom info type.

217

"name": "A String", # Name of the information type. Either a name of your choosing when creating a CustomInfoType, or one of the names listed at https://cloud.google.com/dlp/docs/infotypes-reference when specifying a built-in type. When sending Cloud DLP results to Data Catalog, infoType names should conform to the pattern `[A-Za-z0-9$-_]{1,64}`.

218

},

219

"likelihood": "A String", # Likelihood to return for this CustomInfoType. This base value can be altered by a detection rule if the finding meets the criteria specified by the rule. Defaults to `VERY_LIKELY` if not specified.

220

"dictionary": { # Custom information type based on a dictionary of words or phrases. This can be used to match sensitive information specific to the data, such as a list of employee IDs or job titles. Dictionary words are case-insensitive and all characters other than letters and digits in the unicode [Basic Multilingual Plane](https://en.wikipedia.org/wiki/Plane_%28Unicode%29#Basic_Multilingual_Plane) will be replaced with whitespace when scanning for matches, so the dictionary phrase "Sam Johnson" will match all three phrases "sam johnson", "Sam, Johnson", and "Sam (Johnson)". Additionally, the characters surrounding any match must be of a different type than the adjacent characters within the word, so letters must be next to non-letters and digits next to non-digits. For example, the dictionary word "jen" will match the first three letters of the text "jen123" but will return no matches for "jennifer". Dictionary words containing a large number of characters that are not letters or digits may result in unexpected findings because such characters are treated as whitespace. The [limits](https://cloud.google.com/dlp/limits) page contains details about the size limits of dictionaries. For dictionaries that do not fit within these constraints, consider using `LargeCustomDictionaryConfig` in the `StoredInfoType` API. # A list of phrases to detect as a CustomInfoType.

221

"cloudStoragePath": { # Message representing a single file or path in Cloud Storage. # Newline-delimited file of words in Cloud Storage. Only a single file is accepted.

222

"path": "A String", # A url representing a file or path (no wildcards) in Cloud Storage. Example: gs://[BUCKET_NAME]/dictionary.txt

223

},

224

"wordList": { # Message defining a list of words or phrases to search for in the data. # List of words or phrases to search for.

225

"words": [ # Words or phrases defining the dictionary. The dictionary must contain at least one phrase and every phrase must contain at least 2 characters that are letters or digits. [required]

"A String",

],

},

},

"storedType": { # A reference to a StoredInfoType to use with scanning. # Load an existing `StoredInfoType` resource for use in `InspectDataSource`. Not currently supported in `InspectContent`.

231

"name": "A String", # Resource name of the requested `StoredInfoType`, for example `organizations/433245324/storedInfoTypes/432452342` or `projects/project-id/storedInfoTypes/432452342`.

232

"createTime": "A String", # Timestamp indicating when the version of the `StoredInfoType` used for inspection was created. Output-only field, populated by the system.

},

},

],

},

"inspectTemplateName": "A String", # Template to use. Any configuration directly specified in inspect_config will override those set in the template. Singular fields that are set in this request will replace their corresponding fields in the template. Repeated fields are appended. Singular sub-messages and groups are recursively merged.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

238

"item": { # Container structure for the content to inspect. # The item to de-identify. Will be treated as text.

Bu Sun Kim

2020-07-22 17:02:09 -0700

[diff] [blame]

239

"value": "A String", # String data to inspect or redact.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

240

"byteItem": { # Container for bytes to inspect or redact. # Content data to inspect or redact. Replaces `type` and `data`.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

241

"data": "A String", # Content data to inspect or redact.

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

242

"type": "A String", # The type of data stored in the bytes string. Default will be TEXT_UTF8.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

243

},

Dmitry Frenkel

2020-10-06 16:46:05 -0700

[diff] [blame^]

244

"table": { # Structured content to inspect. Up to 50,000 `Value`s per request allowed. See https://cloud.google.com/dlp/docs/inspecting-text#inspecting_a_table to learn more. # Structured content for inspection. See https://cloud.google.com/dlp/docs/inspecting-text#inspecting_a_table to learn more.

Bu Sun Kim

2020-07-22 17:02:09 -0700

[diff] [blame]

245

"headers": [ # Headers of the table.

246

{ # General identifier of a data field in a storage service.

247

"name": "A String", # Name describing the field.

248

},

249

],

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

250

"rows": [ # Rows of the table.

251

{ # Values of the row.

252

"values": [ # Individual cells.

Dmitry Frenkel

2020-10-06 16:46:05 -0700

[diff] [blame^]

253

{ # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a 'Value' is based on its representation as a UTF-8 encoded string. For example, if 'integer_value' is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data.

Bu Sun Kim

2020-07-22 17:02:09 -0700

[diff] [blame]

254

"floatValue": 3.14, # float

Dmitry Frenkel

2020-10-06 16:46:05 -0700

[diff] [blame^]

255

"integerValue": "A String", # integer

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

256

"booleanValue": True or False, # boolean

Dmitry Frenkel

2020-10-06 16:46:05 -0700

[diff] [blame^]

257

"timestampValue": "A String", # timestamp

258

"dayOfWeekValue": "A String", # day of week

259

"timeValue": { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # time of day

260

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

261

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds.

262

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

263

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value "24:00:00" for scenarios like business closing time.

264

},

265

"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day and time zone are either specified elsewhere or are not significant. The date is relative to the Proleptic Gregorian Calendar. This can represent: * A full date, with non-zero year, month and day values * A month and day value, with a zero year, e.g. an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, e.g. a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # date

266

"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0 if specifying a year by itself or a year and month where the day is not significant.

267

"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without a year.

268

"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a month and day.

269

},

270

"stringValue": "A String", # string

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

},

],

},

],

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

275

},

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

276

},

Dmitry Frenkel

2020-10-06 16:46:05 -0700

[diff] [blame^]

277

"deidentifyConfig": { # The configuration that controls how the data will change. # Configuration for the de-identification of the content item. Items specified here will override the template referenced by the deidentify_template_name argument.

278

"infoTypeTransformations": { # A type of transformation that will scan unstructured text and apply various `PrimitiveTransformation`s to each finding, where the transformation is applied to only values that were identified as a specific info_type. # Treat the dataset as free-form text and apply the same free text transformation everywhere.

279

"transformations": [ # Required. Transformation for each infoType. Cannot specify more than one for a given infoType.

280

{ # A transformation to apply to text that is identified as a specific info_type.

Bu Sun Kim

2020-07-22 17:02:09 -0700

[diff] [blame]

281

"primitiveTransformation": { # A rule for transforming a value. # Required. Primitive transformation to apply to the infoType.

Dmitry Frenkel

2020-10-06 16:46:05 -0700

[diff] [blame^]

282

"redactConfig": { # Redact a given value. For example, if used with an `InfoTypeTransformation` transforming PHONE_NUMBER, and input 'My phone number is 206-555-0123', the output would be 'My phone number is '. # Redact

283

},

284

"characterMaskConfig": { # Partially mask a string by replacing a given number of characters with a fixed character. Masking can start from the beginning or end of the string. This can be used on data of any type (numbers, longs, and so on) and when de-identifying structured data we'll attempt to preserve the original data's type. (This allows you to take a long like 123 and modify it to a string like **3. # Mask

285

"numberToMask": 42, # Number of characters to mask. If not set, all matching chars will be masked. Skipped characters do not count towards this tally.

286

"charactersToIgnore": [ # When masking a string, items in this list will be skipped when replacing characters. For example, if the input string is `555-555-5555` and you instruct Cloud DLP to skip `-` and mask 5 characters with `*`, Cloud DLP returns `***-**5-5555`.

287

{ # Characters to skip when doing deidentification of a value. These will be left alone and skipped.

288

"charactersToSkip": "A String", # Characters to not transform when masking.

289

"commonCharactersToIgnore": "A String", # Common characters to not transform when masking. Useful to avoid removing punctuation.

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

290

},

Dmitry Frenkel

2020-10-06 16:46:05 -0700

[diff] [blame^]

291

],

292

"reverseOrder": True or False, # Mask characters in reverse order. For example, if `masking_character` is `0`, `number_to_mask` is `14`, and `reverse_order` is `false`, then the input string `1234-5678-9012-3456` is masked as `00000000000000-3456`. If `masking_character` is `*`, `number_to_mask` is `3`, and `reverse_order` is `true`, then the string `12345` is masked as `12***`.

293

"maskingCharacter": "A String", # Character to use to mask the sensitive values—for example, `*` for an alphabetic string such as a name, or `0` for a numeric string such as ZIP code or credit card number. This string must have a length of 1. If not supplied, this value defaults to `*` for strings, and `0` for digits.

294

},

295

"dateShiftConfig": { # Shifts dates by random number of days, with option to be consistent for the same context. See https://cloud.google.com/dlp/docs/concepts-date-shifting to learn more. # Date Shift

296

"lowerBoundDays": 42, # Required. For example, -5 means shift date to at most 5 days back in the past.

297

"upperBoundDays": 42, # Required. Range of shift in days. Actual shift will be selected at random within this range (inclusive ends). Negative means shift to earlier in time. Must not be more than 365250 days (1000 years) each direction. For example, 3 means shift date to at most 3 days into the future.

298

"cryptoKey": { # This is a data encryption key (DEK) (as opposed to a key encryption key (KEK) stored by KMS). When using KMS to wrap/unwrap DEKs, be sure to set an appropriate IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot unwrap the data crypto key. # Causes the shift to be computed based on this key and the context. This results in the same shift for the same context and crypto_key. If set, must also set context. Can only be applied to table items.

299

"unwrapped": { # Using raw keys is prone to security risks due to accidentally leaking the key. Choose another type of key if possible. # Unwrapped crypto key

300

"key": "A String", # Required. A 128/192/256 bit key.

301

},

302

"transient": { # Use this to have a random data crypto key generated. It will be discarded after the request finishes. # Transient crypto key

303

"name": "A String", # Required. Name of the key. This is an arbitrary string used to differentiate different keys. A unique key is generated per name: two separate `TransientCryptoKey` protos share the same generated key if their names are the same. When the data crypto key is generated, this name is not used in any way (repeating the api call will result in a different key being generated).

304

},

305

"kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. The wrapped key must be a 128/192/256 bit key. Authorization requires the following IAM permissions when sending a request to perform a crypto transformation using a kms-wrapped crypto key: dlp.kms.encrypt # Kms wrapped key

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

306

"cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.

307

"wrappedKey": "A String", # Required. The wrapped data crypto key.

308

},

Dmitry Frenkel

2020-10-06 16:46:05 -0700

[diff] [blame^]

309

},

310

"context": { # General identifier of a data field in a storage service. # Points to the field that contains the context, for example, an entity id. If set, must also set cryptoKey. If set, shift will be consistent for the given context.

311

"name": "A String", # Name describing the field.

312

},

313

},

314

"cryptoDeterministicConfig": { # Pseudonymization method that generates deterministic encryption for the given input. Outputs a base64 encoded representation of the encrypted output. Uses AES-SIV based on the RFC https://tools.ietf.org/html/rfc5297. # Deterministic Crypto

315

"surrogateInfoType": { # Type of information detected by the API. # The custom info type to annotate the surrogate with. This annotation will be applied to the surrogate by prefixing it with the name of the custom info type followed by the number of characters comprising the surrogate. The following scheme defines the format: {info type name}({surrogate character count}):{surrogate} For example, if the name of custom info type is 'MY_TOKEN_INFO_TYPE' and the surrogate is 'abc', the full replacement value will be: 'MY_TOKEN_INFO_TYPE(3):abc' This annotation identifies the surrogate when inspecting content using the custom info type 'Surrogate'. This facilitates reversal of the surrogate when it occurs in free text. Note: For record transformations where the entire cell in a table is being transformed, surrogates are not mandatory. Surrogates are used to denote the location of the token and are necessary for re-identification in free form text. In order for inspection to work properly, the name of this info type must not occur naturally anywhere in your data; otherwise, inspection may either - reverse a surrogate that does not correspond to an actual identifier - be unable to parse the surrogate and result in an error Therefore, choose your custom info type name carefully after considering what your data looks like. One way to select a name that has a high chance of yielding reliable detection is to include one or more unicode characters that are highly improbable to exist in your data. For example, assuming your data is entered from a regular ASCII keyboard, the symbol with the hex code point 29DD might be used like so: ⧝MY_TOKEN_TYPE.

316

"name": "A String", # Name of the information type. Either a name of your choosing when creating a CustomInfoType, or one of the names listed at https://cloud.google.com/dlp/docs/infotypes-reference when specifying a built-in type. When sending Cloud DLP results to Data Catalog, infoType names should conform to the pattern `[A-Za-z0-9$-_]{1,64}`.

317

},

318

"context": { # General identifier of a data field in a storage service. # A context may be used for higher security and maintaining referential integrity such that the same identifier in two different contexts will be given a distinct surrogate. The context is appended to plaintext value being encrypted. On decryption the provided context is validated against the value used during encryption. If a context was provided during encryption, same context must be provided during decryption as well. If the context is not set, plaintext would be used as is for encryption. If the context is set but: 1. there is no record present when transforming a given value or 2. the field is not present when transforming a given value, plaintext would be used as is for encryption. Note that case (1) is expected when an `InfoTypeTransformation` is applied to both structured and non-structured `ContentItem`s.

319

"name": "A String", # Name describing the field.

320

},

321

"cryptoKey": { # This is a data encryption key (DEK) (as opposed to a key encryption key (KEK) stored by KMS). When using KMS to wrap/unwrap DEKs, be sure to set an appropriate IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot unwrap the data crypto key. # The key used by the encryption function.

322

"unwrapped": { # Using raw keys is prone to security risks due to accidentally leaking the key. Choose another type of key if possible. # Unwrapped crypto key

Bu Sun Kim

2020-07-22 17:02:09 -0700

[diff] [blame]

323

"key": "A String", # Required. A 128/192/256 bit key.

324

},

Dmitry Frenkel

2020-10-06 16:46:05 -0700

[diff] [blame^]

325

"transient": { # Use this to have a random data crypto key generated. It will be discarded after the request finishes. # Transient crypto key

326

"name": "A String", # Required. Name of the key. This is an arbitrary string used to differentiate different keys. A unique key is generated per name: two separate `TransientCryptoKey` protos share the same generated key if their names are the same. When the data crypto key is generated, this name is not used in any way (repeating the api call will result in a different key being generated).

327

},

328

"kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. The wrapped key must be a 128/192/256 bit key. Authorization requires the following IAM permissions when sending a request to perform a crypto transformation using a kms-wrapped crypto key: dlp.kms.encrypt # Kms wrapped key

329

"cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.

330

"wrappedKey": "A String", # Required. The wrapped data crypto key.

331

},

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

332

},

Bu Sun Kim

2020-07-22 17:02:09 -0700

[diff] [blame]

333

},

Dmitry Frenkel

2020-10-06 16:46:05 -0700

[diff] [blame^]

334

"replaceConfig": { # Replace each input value with a given `Value`. # Replace

335

"newValue": { # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a 'Value' is based on its representation as a UTF-8 encoded string. For example, if 'integer_value' is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data. # Value to replace it with.

336

"floatValue": 3.14, # float

337

"integerValue": "A String", # integer

338

"booleanValue": True or False, # boolean

339

"timestampValue": "A String", # timestamp

340

"dayOfWeekValue": "A String", # day of week

341

"timeValue": { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # time of day

342

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

343

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds.

344

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

345

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value "24:00:00" for scenarios like business closing time.

346

},

347

"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day and time zone are either specified elsewhere or are not significant. The date is relative to the Proleptic Gregorian Calendar. This can represent: * A full date, with non-zero year, month and day values * A month and day value, with a zero year, e.g. an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, e.g. a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # date

348

"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0 if specifying a year by itself or a year and month where the day is not significant.

349

"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without a year.

350

"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a month and day.

351

},

352

"stringValue": "A String", # string

353

},

354

},

355

"cryptoReplaceFfxFpeConfig": { # Replaces an identifier with a surrogate using Format Preserving Encryption (FPE) with the FFX mode of operation; however when used in the `ReidentifyContent` API method, it serves the opposite function by reversing the surrogate back into the original identifier. The identifier must be encoded as ASCII. For a given crypto key and context, the same identifier will be replaced with the same surrogate. Identifiers must be at least two characters long. In the case that the identifier is the empty string, it will be skipped. See https://cloud.google.com/dlp/docs/pseudonymization to learn more. Note: We recommend using CryptoDeterministicConfig for all use cases which do not require preserving the input alphabet space and size, plus warrant referential integrity. # Ffx-Fpe

356

"surrogateInfoType": { # Type of information detected by the API. # The custom infoType to annotate the surrogate with. This annotation will be applied to the surrogate by prefixing it with the name of the custom infoType followed by the number of characters comprising the surrogate. The following scheme defines the format: info_type_name(surrogate_character_count):surrogate For example, if the name of custom infoType is 'MY_TOKEN_INFO_TYPE' and the surrogate is 'abc', the full replacement value will be: 'MY_TOKEN_INFO_TYPE(3):abc' This annotation identifies the surrogate when inspecting content using the custom infoType [`SurrogateType`](https://cloud.google.com/dlp/docs/reference/rest/v2/InspectConfig#surrogatetype). This facilitates reversal of the surrogate when it occurs in free text. In order for inspection to work properly, the name of this infoType must not occur naturally anywhere in your data; otherwise, inspection may find a surrogate that does not correspond to an actual identifier. Therefore, choose your custom infoType name carefully after considering what your data looks like. One way to select a name that has a high chance of yielding reliable detection is to include one or more unicode characters that are highly improbable to exist in your data. For example, assuming your data is entered from a regular ASCII keyboard, the symbol with the hex code point 29DD might be used like so: ⧝MY_TOKEN_TYPE

357

"name": "A String", # Name of the information type. Either a name of your choosing when creating a CustomInfoType, or one of the names listed at https://cloud.google.com/dlp/docs/infotypes-reference when specifying a built-in type. When sending Cloud DLP results to Data Catalog, infoType names should conform to the pattern `[A-Za-z0-9$-_]{1,64}`.

358

},

359

"context": { # General identifier of a data field in a storage service. # The 'tweak', a context may be used for higher security since the same identifier in two different contexts won't be given the same surrogate. If the context is not set, a default tweak will be used. If the context is set but: 1. there is no record present when transforming a given value or 1. the field is not present when transforming a given value, a default tweak will be used. Note that case (1) is expected when an `InfoTypeTransformation` is applied to both structured and non-structured `ContentItem`s. Currently, the referenced field may be of value type integer or string. The tweak is constructed as a sequence of bytes in big endian byte order such that: - a 64 bit integer is encoded followed by a single byte of value 1 - a string is encoded in UTF-8 format followed by a single byte of value 2

360

"name": "A String", # Name describing the field.

361

},

362

"customAlphabet": "A String", # This is supported by mapping these to the alphanumeric characters that the FFX mode natively supports. This happens before/after encryption/decryption. Each character listed must appear only once. Number of characters must be in the range [2, 95]. This must be encoded as ASCII. The order of characters does not matter. The full list of allowed characters is: 0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz ~`!@#$%^&*()_-+={[}]|\:;"'<,>.?/

363

"commonAlphabet": "A String", # Common alphabets.

364

"cryptoKey": { # This is a data encryption key (DEK) (as opposed to a key encryption key (KEK) stored by KMS). When using KMS to wrap/unwrap DEKs, be sure to set an appropriate IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot unwrap the data crypto key. # Required. The key used by the encryption algorithm.

365

"unwrapped": { # Using raw keys is prone to security risks due to accidentally leaking the key. Choose another type of key if possible. # Unwrapped crypto key

366

"key": "A String", # Required. A 128/192/256 bit key.

367

},

368

"transient": { # Use this to have a random data crypto key generated. It will be discarded after the request finishes. # Transient crypto key

369

"name": "A String", # Required. Name of the key. This is an arbitrary string used to differentiate different keys. A unique key is generated per name: two separate `TransientCryptoKey` protos share the same generated key if their names are the same. When the data crypto key is generated, this name is not used in any way (repeating the api call will result in a different key being generated).

370

},

371

"kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. The wrapped key must be a 128/192/256 bit key. Authorization requires the following IAM permissions when sending a request to perform a crypto transformation using a kms-wrapped crypto key: dlp.kms.encrypt # Kms wrapped key

372

"cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.

373

"wrappedKey": "A String", # Required. The wrapped data crypto key.

374

},

375

},

376

"radix": 42, # The native way to select the alphabet. Must be in the range [2, 95].

377

},

378

"cryptoHashConfig": { # Pseudonymization method that generates surrogates via cryptographic hashing. Uses SHA-256. The key size must be either 32 or 64 bytes. Outputs a base64 encoded representation of the hashed output (for example, L7k0BHmF1ha5U3NfGykjro4xWi1MPVQPjhMAZbSV9mM=). Currently, only string and integer values can be hashed. See https://cloud.google.com/dlp/docs/pseudonymization to learn more. # Crypto

379

"cryptoKey": { # This is a data encryption key (DEK) (as opposed to a key encryption key (KEK) stored by KMS). When using KMS to wrap/unwrap DEKs, be sure to set an appropriate IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot unwrap the data crypto key. # The key used by the hash function.

380

"unwrapped": { # Using raw keys is prone to security risks due to accidentally leaking the key. Choose another type of key if possible. # Unwrapped crypto key

381

"key": "A String", # Required. A 128/192/256 bit key.

382

},

383

"transient": { # Use this to have a random data crypto key generated. It will be discarded after the request finishes. # Transient crypto key

384

"name": "A String", # Required. Name of the key. This is an arbitrary string used to differentiate different keys. A unique key is generated per name: two separate `TransientCryptoKey` protos share the same generated key if their names are the same. When the data crypto key is generated, this name is not used in any way (repeating the api call will result in a different key being generated).

385

},

386

"kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. The wrapped key must be a 128/192/256 bit key. Authorization requires the following IAM permissions when sending a request to perform a crypto transformation using a kms-wrapped crypto key: dlp.kms.encrypt # Kms wrapped key

387

"cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.

388

"wrappedKey": "A String", # Required. The wrapped data crypto key.

},

},

},

"bucketingConfig": { # Generalization function that buckets values based on ranges. The ranges and replacement values are dynamically provided by the user for custom behavior, such as 1-30 -> LOW 31-65 -> MEDIUM 66-100 -> HIGH This can be used on data of type: number, long, string, timestamp. If the bound `Value` type differs from the type of data being transformed, we will first attempt converting the type of the data to be transformed to match the type of the bound before comparing. See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more. # Bucketing

393

"buckets": [ # Set of buckets. Ranges must be non-overlapping.

394

{ # Bucket is represented as a range, along with replacement values.

395

"max": { # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a 'Value' is based on its representation as a UTF-8 encoded string. For example, if 'integer_value' is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data. # Upper bound of the range, exclusive; type must match min.

396

"floatValue": 3.14, # float

397

"integerValue": "A String", # integer

398

"booleanValue": True or False, # boolean

399

"timestampValue": "A String", # timestamp

400

"dayOfWeekValue": "A String", # day of week

401

"timeValue": { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # time of day

402

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

403

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds.

404

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

405

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value "24:00:00" for scenarios like business closing time.

406

},

407

"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day and time zone are either specified elsewhere or are not significant. The date is relative to the Proleptic Gregorian Calendar. This can represent: * A full date, with non-zero year, month and day values * A month and day value, with a zero year, e.g. an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, e.g. a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # date

408

"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0 if specifying a year by itself or a year and month where the day is not significant.

409

"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without a year.

410

"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a month and day.

411

},

412

"stringValue": "A String", # string

413

},

414

"min": { # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a 'Value' is based on its representation as a UTF-8 encoded string. For example, if 'integer_value' is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data. # Lower bound of the range, inclusive. Type should be the same as max if used.

415

"floatValue": 3.14, # float

416

"integerValue": "A String", # integer

417

"booleanValue": True or False, # boolean

418

"timestampValue": "A String", # timestamp

419

"dayOfWeekValue": "A String", # day of week

420

"timeValue": { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # time of day

421

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

422

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds.

423

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

424

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value "24:00:00" for scenarios like business closing time.

425

},

426

"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day and time zone are either specified elsewhere or are not significant. The date is relative to the Proleptic Gregorian Calendar. This can represent: * A full date, with non-zero year, month and day values * A month and day value, with a zero year, e.g. an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, e.g. a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # date

427

"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0 if specifying a year by itself or a year and month where the day is not significant.

428

"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without a year.

429

"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a month and day.

430

},

431

"stringValue": "A String", # string

432

},

433

"replacementValue": { # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a 'Value' is based on its representation as a UTF-8 encoded string. For example, if 'integer_value' is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data. # Required. Replacement value for this bucket.

434

"floatValue": 3.14, # float

435

"integerValue": "A String", # integer

436

"booleanValue": True or False, # boolean

437

"timestampValue": "A String", # timestamp

438

"dayOfWeekValue": "A String", # day of week

439

"timeValue": { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # time of day

440

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

441

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds.

442

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

443

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value "24:00:00" for scenarios like business closing time.

444

},

445

"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day and time zone are either specified elsewhere or are not significant. The date is relative to the Proleptic Gregorian Calendar. This can represent: * A full date, with non-zero year, month and day values * A month and day value, with a zero year, e.g. an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, e.g. a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # date

446

"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0 if specifying a year by itself or a year and month where the day is not significant.

447

"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without a year.

448

"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a month and day.

449

},

450

"stringValue": "A String", # string

451

},

452

},

453

],

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

454

},

455

"replaceWithInfoTypeConfig": { # Replace each matching finding with the name of the info_type. # Replace with infotype

456

},

Dmitry Frenkel

2020-10-06 16:46:05 -0700

[diff] [blame^]

457

"timePartConfig": { # For use with `Date`, `Timestamp`, and `TimeOfDay`, extract or preserve a portion of the value. # Time extraction

458

"partToExtract": "A String", # The part of the time to keep.

459

},

460

"fixedSizeBucketingConfig": { # Buckets values based on fixed size ranges. The Bucketing transformation can provide all of this functionality, but requires more configuration. This message is provided as a convenience to the user for simple bucketing strategies. The transformed value will be a hyphenated string of {lower_bound}-{upper_bound}, i.e if lower_bound = 10 and upper_bound = 20 all values that are within this bucket will be replaced with "10-20". This can be used on data of type: double, long. If the bound Value type differs from the type of data being transformed, we will first attempt converting the type of the data to be transformed to match the type of the bound before comparing. See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more. # Fixed size bucketing

461

"bucketSize": 3.14, # Required. Size of each bucket (except for minimum and maximum buckets). So if `lower_bound` = 10, `upper_bound` = 89, and `bucket_size` = 10, then the following buckets would be used: -10, 10-20, 20-30, 30-40, 40-50, 50-60, 60-70, 70-80, 80-89, 89+. Precision up to 2 decimals works.

462

"lowerBound": { # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a 'Value' is based on its representation as a UTF-8 encoded string. For example, if 'integer_value' is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data. # Required. Lower bound value of buckets. All values less than `lower_bound` are grouped together into a single bucket; for example if `lower_bound` = 10, then all values less than 10 are replaced with the value "-10".

Bu Sun Kim

2020-07-22 17:02:09 -0700

[diff] [blame]

463

"floatValue": 3.14, # float

Bu Sun Kim

2020-07-22 17:02:09 -0700

[diff] [blame]

464

"integerValue": "A String", # integer

Bu Sun Kim

2020-07-22 17:02:09 -0700

[diff] [blame]

465

"booleanValue": True or False, # boolean

Dmitry Frenkel

2020-10-06 16:46:05 -0700

[diff] [blame^]

466

"timestampValue": "A String", # timestamp

467

"dayOfWeekValue": "A String", # day of week

468

"timeValue": { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # time of day

469

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

470

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds.

471

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

472

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value "24:00:00" for scenarios like business closing time.

473

},

474

"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day and time zone are either specified elsewhere or are not significant. The date is relative to the Proleptic Gregorian Calendar. This can represent: * A full date, with non-zero year, month and day values * A month and day value, with a zero year, e.g. an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, e.g. a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # date

475

"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0 if specifying a year by itself or a year and month where the day is not significant.

476

"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without a year.

477

"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a month and day.

478

},

479

"stringValue": "A String", # string

Bu Sun Kim

2020-07-22 17:02:09 -0700

[diff] [blame]

480

},

Dmitry Frenkel

2020-10-06 16:46:05 -0700

[diff] [blame^]

481

"upperBound": { # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a 'Value' is based on its representation as a UTF-8 encoded string. For example, if 'integer_value' is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data. # Required. Upper bound value of buckets. All values greater than upper_bound are grouped together into a single bucket; for example if `upper_bound` = 89, then all values greater than 89 are replaced with the value "89+".

482

"floatValue": 3.14, # float

Bu Sun Kim

2020-07-22 17:02:09 -0700

[diff] [blame]

483

"integerValue": "A String", # integer

Bu Sun Kim

2020-07-22 17:02:09 -0700

[diff] [blame]

484

"booleanValue": True or False, # boolean

Dmitry Frenkel

2020-10-06 16:46:05 -0700

[diff] [blame^]

485

"timestampValue": "A String", # timestamp

486

"dayOfWeekValue": "A String", # day of week

487

"timeValue": { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # time of day

488

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

489

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds.

490

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

491

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value "24:00:00" for scenarios like business closing time.

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

492

},

Dmitry Frenkel

2020-10-06 16:46:05 -0700

[diff] [blame^]

493

"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day and time zone are either specified elsewhere or are not significant. The date is relative to the Proleptic Gregorian Calendar. This can represent: * A full date, with non-zero year, month and day values * A month and day value, with a zero year, e.g. an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, e.g. a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # date

494

"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0 if specifying a year by itself or a year and month where the day is not significant.

495

"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without a year.

496

"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a month and day.

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

497

},

Dmitry Frenkel

2020-10-06 16:46:05 -0700

[diff] [blame^]

498

"stringValue": "A String", # string

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

499

},

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

500

},

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

501

},

Dmitry Frenkel

2020-10-06 16:46:05 -0700

[diff] [blame^]

502

"infoTypes": [ # InfoTypes to apply the transformation to. An empty list will cause this transformation to apply to all findings that correspond to infoTypes that were requested in `InspectConfig`.

503

{ # Type of information detected by the API.

504

"name": "A String", # Name of the information type. Either a name of your choosing when creating a CustomInfoType, or one of the names listed at https://cloud.google.com/dlp/docs/infotypes-reference when specifying a built-in type. When sending Cloud DLP results to Data Catalog, infoType names should conform to the pattern `[A-Za-z0-9$-_]{1,64}`.

505

},

506

],

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

507

},

508

],

509

},

Dmitry Frenkel

2020-10-06 16:46:05 -0700

[diff] [blame^]

510

"transformationErrorHandling": { # How to handle transformation errors during de-identification. A transformation error occurs when the requested transformation is incompatible with the data. For example, trying to de-identify an IP address using a `DateShift` transformation would result in a transformation error, since date info cannot be extracted from an IP address. Information about any incompatible transformations, and how they were handled, is returned in the response as part of the `TransformationOverviews`. # Mode for handling transformation errors. If left unspecified, the default mode is `TransformationErrorHandling.ThrowError`.

511

"leaveUntransformed": { # Skips the data without modifying it if the requested transformation would cause an error. For example, if a `DateShift` transformation were applied an an IP address, this mode would leave the IP address unchanged in the response. # Ignore errors

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

512

},

Bu Sun Kim

2020-07-22 17:02:09 -0700

[diff] [blame]

513

"throwError": { # Throw an error and fail the request when a transformation error occurs. # Throw an error

514

},

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

515

},

Dmitry Frenkel

2020-10-06 16:46:05 -0700

[diff] [blame^]

516

"recordTransformations": { # A type of transformation that is applied over structured data such as a table. # Treat the dataset as structured. Transformations can be applied to specific locations within structured datasets, such as transforming a column within a table.

517

"recordSuppressions": [ # Configuration defining which records get suppressed entirely. Records that match any suppression rule are omitted from the output.

518

{ # Configuration to suppress records whose suppression conditions evaluate to true.

519

"condition": { # A condition for determining whether a transformation should be applied to a field. # A condition that when it evaluates to true will result in the record being evaluated to be suppressed from the transformed content.

Bu Sun Kim

2020-07-22 17:02:09 -0700

[diff] [blame]

520

"expressions": { # An expression, consisting or an operator and conditions. # An expression.

521

"conditions": { # A collection of conditions. # Conditions to apply to the expression.

522

"conditions": [ # A collection of conditions.

Dmitry Frenkel

2020-10-06 16:46:05 -0700

[diff] [blame^]

523

{ # The field type of `value` and `field` do not need to match to be considered equal, but not all comparisons are possible. EQUAL_TO and NOT_EQUAL_TO attempt to compare even with incompatible types, but all other comparisons are invalid with incompatible types. A `value` of type: - `string` can be compared against all other types - `boolean` can only be compared against other booleans - `integer` can be compared against doubles or a string if the string value can be parsed as an integer. - `double` can be compared against integers or a string if the string can be parsed as a double. - `Timestamp` can be compared against strings in RFC 3339 date string format. - `TimeOfDay` can be compared against timestamps and strings in the format of 'HH:mm:ss'. If we fail to compare do to type mismatch, a warning will be given and the condition will evaluate to false.

Bu Sun Kim

2020-07-22 17:02:09 -0700

[diff] [blame]

524

"field": { # General identifier of a data field in a storage service. # Required. Field within the record this condition is evaluated against.

525

"name": "A String", # Name describing the field.

526

},

Dmitry Frenkel

2020-10-06 16:46:05 -0700

[diff] [blame^]

527

"value": { # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a 'Value' is based on its representation as a UTF-8 encoded string. For example, if 'integer_value' is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data. # Value to compare against. [Mandatory, except for `EXISTS` tests.]

Bu Sun Kim

2020-07-22 17:02:09 -0700

[diff] [blame]

528

"floatValue": 3.14, # float

Dmitry Frenkel

2020-10-06 16:46:05 -0700

[diff] [blame^]

529

"integerValue": "A String", # integer

Bu Sun Kim

2020-07-22 17:02:09 -0700

[diff] [blame]

530

"booleanValue": True or False, # boolean

Dmitry Frenkel

2020-10-06 16:46:05 -0700

[diff] [blame^]

531

"timestampValue": "A String", # timestamp

532

"dayOfWeekValue": "A String", # day of week

533

"timeValue": { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # time of day

534

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

535

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds.

536

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

537

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value "24:00:00" for scenarios like business closing time.

538

},

539

"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day and time zone are either specified elsewhere or are not significant. The date is relative to the Proleptic Gregorian Calendar. This can represent: * A full date, with non-zero year, month and day values * A month and day value, with a zero year, e.g. an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, e.g. a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # date

540

"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0 if specifying a year by itself or a year and month where the day is not significant.

541

"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without a year.

542

"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a month and day.

543

},

544

"stringValue": "A String", # string

Bu Sun Kim

2020-07-22 17:02:09 -0700

[diff] [blame]

545

},

546

"operator": "A String", # Required. Operator used to compare the field or infoType to the value.

547

},

548

],

549

},

Dmitry Frenkel

2020-10-06 16:46:05 -0700

[diff] [blame^]

550

"logicalOperator": "A String", # The operator to apply to the result of conditions. Default and currently only supported value is `AND`.

Bu Sun Kim

2020-07-22 17:02:09 -0700

[diff] [blame]

},

},

},

],

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

555

"fieldTransformations": [ # Transform the record by applying various field transformations.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

556

{ # The transformation to apply to the field.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

557

"primitiveTransformation": { # A rule for transforming a value. # Apply the transformation to the entire field.

Dmitry Frenkel

2020-10-06 16:46:05 -0700

[diff] [blame^]

558

"redactConfig": { # Redact a given value. For example, if used with an `InfoTypeTransformation` transforming PHONE_NUMBER, and input 'My phone number is 206-555-0123', the output would be 'My phone number is '. # Redact

559

},

560

"characterMaskConfig": { # Partially mask a string by replacing a given number of characters with a fixed character. Masking can start from the beginning or end of the string. This can be used on data of any type (numbers, longs, and so on) and when de-identifying structured data we'll attempt to preserve the original data's type. (This allows you to take a long like 123 and modify it to a string like **3. # Mask

561

"numberToMask": 42, # Number of characters to mask. If not set, all matching chars will be masked. Skipped characters do not count towards this tally.

562

"charactersToIgnore": [ # When masking a string, items in this list will be skipped when replacing characters. For example, if the input string is `555-555-5555` and you instruct Cloud DLP to skip `-` and mask 5 characters with `*`, Cloud DLP returns `***-**5-5555`.

563

{ # Characters to skip when doing deidentification of a value. These will be left alone and skipped.

564

"charactersToSkip": "A String", # Characters to not transform when masking.

565

"commonCharactersToIgnore": "A String", # Common characters to not transform when masking. Useful to avoid removing punctuation.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

566

},

Dmitry Frenkel

2020-10-06 16:46:05 -0700

[diff] [blame^]

567

],

568

"reverseOrder": True or False, # Mask characters in reverse order. For example, if `masking_character` is `0`, `number_to_mask` is `14`, and `reverse_order` is `false`, then the input string `1234-5678-9012-3456` is masked as `00000000000000-3456`. If `masking_character` is `*`, `number_to_mask` is `3`, and `reverse_order` is `true`, then the string `12345` is masked as `12***`.

569

"maskingCharacter": "A String", # Character to use to mask the sensitive values—for example, `*` for an alphabetic string such as a name, or `0` for a numeric string such as ZIP code or credit card number. This string must have a length of 1. If not supplied, this value defaults to `*` for strings, and `0` for digits.

570

},

571

"dateShiftConfig": { # Shifts dates by random number of days, with option to be consistent for the same context. See https://cloud.google.com/dlp/docs/concepts-date-shifting to learn more. # Date Shift

572

"lowerBoundDays": 42, # Required. For example, -5 means shift date to at most 5 days back in the past.

573

"upperBoundDays": 42, # Required. Range of shift in days. Actual shift will be selected at random within this range (inclusive ends). Negative means shift to earlier in time. Must not be more than 365250 days (1000 years) each direction. For example, 3 means shift date to at most 3 days into the future.

574

"cryptoKey": { # This is a data encryption key (DEK) (as opposed to a key encryption key (KEK) stored by KMS). When using KMS to wrap/unwrap DEKs, be sure to set an appropriate IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot unwrap the data crypto key. # Causes the shift to be computed based on this key and the context. This results in the same shift for the same context and crypto_key. If set, must also set context. Can only be applied to table items.

575

"unwrapped": { # Using raw keys is prone to security risks due to accidentally leaking the key. Choose another type of key if possible. # Unwrapped crypto key

576

"key": "A String", # Required. A 128/192/256 bit key.

577

},

578

"transient": { # Use this to have a random data crypto key generated. It will be discarded after the request finishes. # Transient crypto key

579

"name": "A String", # Required. Name of the key. This is an arbitrary string used to differentiate different keys. A unique key is generated per name: two separate `TransientCryptoKey` protos share the same generated key if their names are the same. When the data crypto key is generated, this name is not used in any way (repeating the api call will result in a different key being generated).

580

},

581

"kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. The wrapped key must be a 128/192/256 bit key. Authorization requires the following IAM permissions when sending a request to perform a crypto transformation using a kms-wrapped crypto key: dlp.kms.encrypt # Kms wrapped key

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

582

"cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.

583

"wrappedKey": "A String", # Required. The wrapped data crypto key.

584

},

Dmitry Frenkel

2020-10-06 16:46:05 -0700

[diff] [blame^]

585

},

586

"context": { # General identifier of a data field in a storage service. # Points to the field that contains the context, for example, an entity id. If set, must also set cryptoKey. If set, shift will be consistent for the given context.

587

"name": "A String", # Name describing the field.

588

},

589

},

590

"cryptoDeterministicConfig": { # Pseudonymization method that generates deterministic encryption for the given input. Outputs a base64 encoded representation of the encrypted output. Uses AES-SIV based on the RFC https://tools.ietf.org/html/rfc5297. # Deterministic Crypto

591

"surrogateInfoType": { # Type of information detected by the API. # The custom info type to annotate the surrogate with. This annotation will be applied to the surrogate by prefixing it with the name of the custom info type followed by the number of characters comprising the surrogate. The following scheme defines the format: {info type name}({surrogate character count}):{surrogate} For example, if the name of custom info type is 'MY_TOKEN_INFO_TYPE' and the surrogate is 'abc', the full replacement value will be: 'MY_TOKEN_INFO_TYPE(3):abc' This annotation identifies the surrogate when inspecting content using the custom info type 'Surrogate'. This facilitates reversal of the surrogate when it occurs in free text. Note: For record transformations where the entire cell in a table is being transformed, surrogates are not mandatory. Surrogates are used to denote the location of the token and are necessary for re-identification in free form text. In order for inspection to work properly, the name of this info type must not occur naturally anywhere in your data; otherwise, inspection may either - reverse a surrogate that does not correspond to an actual identifier - be unable to parse the surrogate and result in an error Therefore, choose your custom info type name carefully after considering what your data looks like. One way to select a name that has a high chance of yielding reliable detection is to include one or more unicode characters that are highly improbable to exist in your data. For example, assuming your data is entered from a regular ASCII keyboard, the symbol with the hex code point 29DD might be used like so: ⧝MY_TOKEN_TYPE.

592

"name": "A String", # Name of the information type. Either a name of your choosing when creating a CustomInfoType, or one of the names listed at https://cloud.google.com/dlp/docs/infotypes-reference when specifying a built-in type. When sending Cloud DLP results to Data Catalog, infoType names should conform to the pattern `[A-Za-z0-9$-_]{1,64}`.

593

},

594

"context": { # General identifier of a data field in a storage service. # A context may be used for higher security and maintaining referential integrity such that the same identifier in two different contexts will be given a distinct surrogate. The context is appended to plaintext value being encrypted. On decryption the provided context is validated against the value used during encryption. If a context was provided during encryption, same context must be provided during decryption as well. If the context is not set, plaintext would be used as is for encryption. If the context is set but: 1. there is no record present when transforming a given value or 2. the field is not present when transforming a given value, plaintext would be used as is for encryption. Note that case (1) is expected when an `InfoTypeTransformation` is applied to both structured and non-structured `ContentItem`s.

595

"name": "A String", # Name describing the field.

596

},

597

"cryptoKey": { # This is a data encryption key (DEK) (as opposed to a key encryption key (KEK) stored by KMS). When using KMS to wrap/unwrap DEKs, be sure to set an appropriate IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot unwrap the data crypto key. # The key used by the encryption function.

598

"unwrapped": { # Using raw keys is prone to security risks due to accidentally leaking the key. Choose another type of key if possible. # Unwrapped crypto key

Bu Sun Kim

2020-07-22 17:02:09 -0700

[diff] [blame]

599

"key": "A String", # Required. A 128/192/256 bit key.

600

},

Dmitry Frenkel

2020-10-06 16:46:05 -0700

[diff] [blame^]

601

"transient": { # Use this to have a random data crypto key generated. It will be discarded after the request finishes. # Transient crypto key

602

"name": "A String", # Required. Name of the key. This is an arbitrary string used to differentiate different keys. A unique key is generated per name: two separate `TransientCryptoKey` protos share the same generated key if their names are the same. When the data crypto key is generated, this name is not used in any way (repeating the api call will result in a different key being generated).

603

},

604

"kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. The wrapped key must be a 128/192/256 bit key. Authorization requires the following IAM permissions when sending a request to perform a crypto transformation using a kms-wrapped crypto key: dlp.kms.encrypt # Kms wrapped key

605

"cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.

606

"wrappedKey": "A String", # Required. The wrapped data crypto key.

607

},

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

608

},

Bu Sun Kim

2020-07-22 17:02:09 -0700

[diff] [blame]

609

},

Dmitry Frenkel

2020-10-06 16:46:05 -0700

[diff] [blame^]

610

"replaceConfig": { # Replace each input value with a given `Value`. # Replace

611

"newValue": { # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a 'Value' is based on its representation as a UTF-8 encoded string. For example, if 'integer_value' is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data. # Value to replace it with.

612

"floatValue": 3.14, # float

613

"integerValue": "A String", # integer

614

"booleanValue": True or False, # boolean

615

"timestampValue": "A String", # timestamp

616

"dayOfWeekValue": "A String", # day of week

617

"timeValue": { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # time of day

618

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

619

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds.

620

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

621

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value "24:00:00" for scenarios like business closing time.

622

},

623

"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day and time zone are either specified elsewhere or are not significant. The date is relative to the Proleptic Gregorian Calendar. This can represent: * A full date, with non-zero year, month and day values * A month and day value, with a zero year, e.g. an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, e.g. a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # date

624

"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0 if specifying a year by itself or a year and month where the day is not significant.

625

"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without a year.

626

"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a month and day.

627

},

628

"stringValue": "A String", # string

629

},

630

},

631

"cryptoReplaceFfxFpeConfig": { # Replaces an identifier with a surrogate using Format Preserving Encryption (FPE) with the FFX mode of operation; however when used in the `ReidentifyContent` API method, it serves the opposite function by reversing the surrogate back into the original identifier. The identifier must be encoded as ASCII. For a given crypto key and context, the same identifier will be replaced with the same surrogate. Identifiers must be at least two characters long. In the case that the identifier is the empty string, it will be skipped. See https://cloud.google.com/dlp/docs/pseudonymization to learn more. Note: We recommend using CryptoDeterministicConfig for all use cases which do not require preserving the input alphabet space and size, plus warrant referential integrity. # Ffx-Fpe

632

"surrogateInfoType": { # Type of information detected by the API. # The custom infoType to annotate the surrogate with. This annotation will be applied to the surrogate by prefixing it with the name of the custom infoType followed by the number of characters comprising the surrogate. The following scheme defines the format: info_type_name(surrogate_character_count):surrogate For example, if the name of custom infoType is 'MY_TOKEN_INFO_TYPE' and the surrogate is 'abc', the full replacement value will be: 'MY_TOKEN_INFO_TYPE(3):abc' This annotation identifies the surrogate when inspecting content using the custom infoType [`SurrogateType`](https://cloud.google.com/dlp/docs/reference/rest/v2/InspectConfig#surrogatetype). This facilitates reversal of the surrogate when it occurs in free text. In order for inspection to work properly, the name of this infoType must not occur naturally anywhere in your data; otherwise, inspection may find a surrogate that does not correspond to an actual identifier. Therefore, choose your custom infoType name carefully after considering what your data looks like. One way to select a name that has a high chance of yielding reliable detection is to include one or more unicode characters that are highly improbable to exist in your data. For example, assuming your data is entered from a regular ASCII keyboard, the symbol with the hex code point 29DD might be used like so: ⧝MY_TOKEN_TYPE

633

"name": "A String", # Name of the information type. Either a name of your choosing when creating a CustomInfoType, or one of the names listed at https://cloud.google.com/dlp/docs/infotypes-reference when specifying a built-in type. When sending Cloud DLP results to Data Catalog, infoType names should conform to the pattern `[A-Za-z0-9$-_]{1,64}`.

634

},

635

"context": { # General identifier of a data field in a storage service. # The 'tweak', a context may be used for higher security since the same identifier in two different contexts won't be given the same surrogate. If the context is not set, a default tweak will be used. If the context is set but: 1. there is no record present when transforming a given value or 1. the field is not present when transforming a given value, a default tweak will be used. Note that case (1) is expected when an `InfoTypeTransformation` is applied to both structured and non-structured `ContentItem`s. Currently, the referenced field may be of value type integer or string. The tweak is constructed as a sequence of bytes in big endian byte order such that: - a 64 bit integer is encoded followed by a single byte of value 1 - a string is encoded in UTF-8 format followed by a single byte of value 2

636

"name": "A String", # Name describing the field.

637

},

638

"customAlphabet": "A String", # This is supported by mapping these to the alphanumeric characters that the FFX mode natively supports. This happens before/after encryption/decryption. Each character listed must appear only once. Number of characters must be in the range [2, 95]. This must be encoded as ASCII. The order of characters does not matter. The full list of allowed characters is: 0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz ~`!@#$%^&*()_-+={[}]|\:;"'<,>.?/

639

"commonAlphabet": "A String", # Common alphabets.

640

"cryptoKey": { # This is a data encryption key (DEK) (as opposed to a key encryption key (KEK) stored by KMS). When using KMS to wrap/unwrap DEKs, be sure to set an appropriate IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot unwrap the data crypto key. # Required. The key used by the encryption algorithm.

641

"unwrapped": { # Using raw keys is prone to security risks due to accidentally leaking the key. Choose another type of key if possible. # Unwrapped crypto key

642

"key": "A String", # Required. A 128/192/256 bit key.

643

},

644

"transient": { # Use this to have a random data crypto key generated. It will be discarded after the request finishes. # Transient crypto key

645

"name": "A String", # Required. Name of the key. This is an arbitrary string used to differentiate different keys. A unique key is generated per name: two separate `TransientCryptoKey` protos share the same generated key if their names are the same. When the data crypto key is generated, this name is not used in any way (repeating the api call will result in a different key being generated).

646

},

647

"kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. The wrapped key must be a 128/192/256 bit key. Authorization requires the following IAM permissions when sending a request to perform a crypto transformation using a kms-wrapped crypto key: dlp.kms.encrypt # Kms wrapped key

648

"cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.

649

"wrappedKey": "A String", # Required. The wrapped data crypto key.

650

},

651

},

652

"radix": 42, # The native way to select the alphabet. Must be in the range [2, 95].

653

},

654

"cryptoHashConfig": { # Pseudonymization method that generates surrogates via cryptographic hashing. Uses SHA-256. The key size must be either 32 or 64 bytes. Outputs a base64 encoded representation of the hashed output (for example, L7k0BHmF1ha5U3NfGykjro4xWi1MPVQPjhMAZbSV9mM=). Currently, only string and integer values can be hashed. See https://cloud.google.com/dlp/docs/pseudonymization to learn more. # Crypto

655

"cryptoKey": { # This is a data encryption key (DEK) (as opposed to a key encryption key (KEK) stored by KMS). When using KMS to wrap/unwrap DEKs, be sure to set an appropriate IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot unwrap the data crypto key. # The key used by the hash function.

656

"unwrapped": { # Using raw keys is prone to security risks due to accidentally leaking the key. Choose another type of key if possible. # Unwrapped crypto key

657

"key": "A String", # Required. A 128/192/256 bit key.

658

},

659

"transient": { # Use this to have a random data crypto key generated. It will be discarded after the request finishes. # Transient crypto key

660

"name": "A String", # Required. Name of the key. This is an arbitrary string used to differentiate different keys. A unique key is generated per name: two separate `TransientCryptoKey` protos share the same generated key if their names are the same. When the data crypto key is generated, this name is not used in any way (repeating the api call will result in a different key being generated).

661

},

662

"kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. The wrapped key must be a 128/192/256 bit key. Authorization requires the following IAM permissions when sending a request to perform a crypto transformation using a kms-wrapped crypto key: dlp.kms.encrypt # Kms wrapped key

663

"cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.

664

"wrappedKey": "A String", # Required. The wrapped data crypto key.

},

},

},

"bucketingConfig": { # Generalization function that buckets values based on ranges. The ranges and replacement values are dynamically provided by the user for custom behavior, such as 1-30 -> LOW 31-65 -> MEDIUM 66-100 -> HIGH This can be used on data of type: number, long, string, timestamp. If the bound `Value` type differs from the type of data being transformed, we will first attempt converting the type of the data to be transformed to match the type of the bound before comparing. See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more. # Bucketing

669

"buckets": [ # Set of buckets. Ranges must be non-overlapping.

670

{ # Bucket is represented as a range, along with replacement values.

671

"max": { # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a 'Value' is based on its representation as a UTF-8 encoded string. For example, if 'integer_value' is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data. # Upper bound of the range, exclusive; type must match min.

672

"floatValue": 3.14, # float

673

"integerValue": "A String", # integer

674

"booleanValue": True or False, # boolean

675

"timestampValue": "A String", # timestamp

676

"dayOfWeekValue": "A String", # day of week

677

"timeValue": { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # time of day

678

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

679

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds.

680

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

681

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value "24:00:00" for scenarios like business closing time.

682

},

683

"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day and time zone are either specified elsewhere or are not significant. The date is relative to the Proleptic Gregorian Calendar. This can represent: * A full date, with non-zero year, month and day values * A month and day value, with a zero year, e.g. an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, e.g. a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # date

684

"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0 if specifying a year by itself or a year and month where the day is not significant.

685

"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without a year.

686

"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a month and day.

687

},

688

"stringValue": "A String", # string

689

},

690

"min": { # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a 'Value' is based on its representation as a UTF-8 encoded string. For example, if 'integer_value' is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data. # Lower bound of the range, inclusive. Type should be the same as max if used.

691

"floatValue": 3.14, # float

692

"integerValue": "A String", # integer

693

"booleanValue": True or False, # boolean

694

"timestampValue": "A String", # timestamp

695

"dayOfWeekValue": "A String", # day of week

696

"timeValue": { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # time of day

697

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

698

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds.

699

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

700

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value "24:00:00" for scenarios like business closing time.

701

},

702

"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day and time zone are either specified elsewhere or are not significant. The date is relative to the Proleptic Gregorian Calendar. This can represent: * A full date, with non-zero year, month and day values * A month and day value, with a zero year, e.g. an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, e.g. a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # date

703

"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0 if specifying a year by itself or a year and month where the day is not significant.

704

"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without a year.

705

"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a month and day.

706

},

707

"stringValue": "A String", # string

708

},

709

"replacementValue": { # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a 'Value' is based on its representation as a UTF-8 encoded string. For example, if 'integer_value' is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data. # Required. Replacement value for this bucket.

710

"floatValue": 3.14, # float

711

"integerValue": "A String", # integer

712

"booleanValue": True or False, # boolean

713

"timestampValue": "A String", # timestamp

714

"dayOfWeekValue": "A String", # day of week

715

"timeValue": { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # time of day

716

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

717

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds.

718

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

719

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value "24:00:00" for scenarios like business closing time.

720

},

721

"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day and time zone are either specified elsewhere or are not significant. The date is relative to the Proleptic Gregorian Calendar. This can represent: * A full date, with non-zero year, month and day values * A month and day value, with a zero year, e.g. an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, e.g. a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # date

722

"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0 if specifying a year by itself or a year and month where the day is not significant.

723

"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without a year.

724

"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a month and day.

725

},

726

"stringValue": "A String", # string

727

},

728

},

729

],

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

730

},

731

"replaceWithInfoTypeConfig": { # Replace each matching finding with the name of the info_type. # Replace with infotype

732

},

Dmitry Frenkel

2020-10-06 16:46:05 -0700

[diff] [blame^]

733

"timePartConfig": { # For use with `Date`, `Timestamp`, and `TimeOfDay`, extract or preserve a portion of the value. # Time extraction

734

"partToExtract": "A String", # The part of the time to keep.

735

},

736

"fixedSizeBucketingConfig": { # Buckets values based on fixed size ranges. The Bucketing transformation can provide all of this functionality, but requires more configuration. This message is provided as a convenience to the user for simple bucketing strategies. The transformed value will be a hyphenated string of {lower_bound}-{upper_bound}, i.e if lower_bound = 10 and upper_bound = 20 all values that are within this bucket will be replaced with "10-20". This can be used on data of type: double, long. If the bound Value type differs from the type of data being transformed, we will first attempt converting the type of the data to be transformed to match the type of the bound before comparing. See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more. # Fixed size bucketing

737

"bucketSize": 3.14, # Required. Size of each bucket (except for minimum and maximum buckets). So if `lower_bound` = 10, `upper_bound` = 89, and `bucket_size` = 10, then the following buckets would be used: -10, 10-20, 20-30, 30-40, 40-50, 50-60, 60-70, 70-80, 80-89, 89+. Precision up to 2 decimals works.

738

"lowerBound": { # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a 'Value' is based on its representation as a UTF-8 encoded string. For example, if 'integer_value' is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data. # Required. Lower bound value of buckets. All values less than `lower_bound` are grouped together into a single bucket; for example if `lower_bound` = 10, then all values less than 10 are replaced with the value "-10".

Bu Sun Kim

2020-07-22 17:02:09 -0700

[diff] [blame]

739

"floatValue": 3.14, # float

Bu Sun Kim

2020-07-22 17:02:09 -0700

[diff] [blame]

740

"integerValue": "A String", # integer

Bu Sun Kim

2020-07-22 17:02:09 -0700

[diff] [blame]

741

"booleanValue": True or False, # boolean

Dmitry Frenkel

2020-10-06 16:46:05 -0700

[diff] [blame^]

742

"timestampValue": "A String", # timestamp

743

"dayOfWeekValue": "A String", # day of week

744

"timeValue": { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # time of day

745

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

746

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds.

747

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

748

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value "24:00:00" for scenarios like business closing time.

749

},

750

"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day and time zone are either specified elsewhere or are not significant. The date is relative to the Proleptic Gregorian Calendar. This can represent: * A full date, with non-zero year, month and day values * A month and day value, with a zero year, e.g. an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, e.g. a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # date

751

"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0 if specifying a year by itself or a year and month where the day is not significant.

752

"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without a year.

753

"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a month and day.

754

},

755

"stringValue": "A String", # string

Bu Sun Kim

2020-07-22 17:02:09 -0700

[diff] [blame]

756

},

Dmitry Frenkel

2020-10-06 16:46:05 -0700

[diff] [blame^]

757

"upperBound": { # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a 'Value' is based on its representation as a UTF-8 encoded string. For example, if 'integer_value' is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data. # Required. Upper bound value of buckets. All values greater than upper_bound are grouped together into a single bucket; for example if `upper_bound` = 89, then all values greater than 89 are replaced with the value "89+".

758

"floatValue": 3.14, # float

Bu Sun Kim

2020-07-22 17:02:09 -0700

[diff] [blame]

759

"integerValue": "A String", # integer

Bu Sun Kim

2020-07-22 17:02:09 -0700

[diff] [blame]

760

"booleanValue": True or False, # boolean

Dmitry Frenkel

2020-10-06 16:46:05 -0700

[diff] [blame^]

761

"timestampValue": "A String", # timestamp

762

"dayOfWeekValue": "A String", # day of week

763

"timeValue": { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # time of day

764

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

765

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds.

766

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

767

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value "24:00:00" for scenarios like business closing time.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

768

},

Dmitry Frenkel

2020-10-06 16:46:05 -0700

[diff] [blame^]

769

"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day and time zone are either specified elsewhere or are not significant. The date is relative to the Proleptic Gregorian Calendar. This can represent: * A full date, with non-zero year, month and day values * A month and day value, with a zero year, e.g. an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, e.g. a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # date

770

"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0 if specifying a year by itself or a year and month where the day is not significant.

771

"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without a year.

772

"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a month and day.

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

773

},

Dmitry Frenkel

2020-10-06 16:46:05 -0700

[diff] [blame^]

774

"stringValue": "A String", # string

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

775

},

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

776

},

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

777

},

Dmitry Frenkel

2020-10-06 16:46:05 -0700

[diff] [blame^]

778

"condition": { # A condition for determining whether a transformation should be applied to a field. # Only apply the transformation if the condition evaluates to true for the given `RecordCondition`. The conditions are allowed to reference fields that are not used in the actual transformation. Example Use Cases: - Apply a different bucket transformation to an age column if the zip code column for the same record is within a specific range. - Redact a field if the date of birth field is greater than 85.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

779

"expressions": { # An expression, consisting or an operator and conditions. # An expression.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

780

"conditions": { # A collection of conditions. # Conditions to apply to the expression.

781

"conditions": [ # A collection of conditions.

Dmitry Frenkel

2020-10-06 16:46:05 -0700

[diff] [blame^]

782

{ # The field type of `value` and `field` do not need to match to be considered equal, but not all comparisons are possible. EQUAL_TO and NOT_EQUAL_TO attempt to compare even with incompatible types, but all other comparisons are invalid with incompatible types. A `value` of type: - `string` can be compared against all other types - `boolean` can only be compared against other booleans - `integer` can be compared against doubles or a string if the string value can be parsed as an integer. - `double` can be compared against integers or a string if the string can be parsed as a double. - `Timestamp` can be compared against strings in RFC 3339 date string format. - `TimeOfDay` can be compared against timestamps and strings in the format of 'HH:mm:ss'. If we fail to compare do to type mismatch, a warning will be given and the condition will evaluate to false.

Bu Sun Kim

2020-07-22 17:02:09 -0700

[diff] [blame]

783

"field": { # General identifier of a data field in a storage service. # Required. Field within the record this condition is evaluated against.

784

"name": "A String", # Name describing the field.

785

},

Dmitry Frenkel

2020-10-06 16:46:05 -0700

[diff] [blame^]

786

"value": { # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a 'Value' is based on its representation as a UTF-8 encoded string. For example, if 'integer_value' is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data. # Value to compare against. [Mandatory, except for `EXISTS` tests.]

Bu Sun Kim

2020-07-22 17:02:09 -0700

[diff] [blame]

787

"floatValue": 3.14, # float

Dmitry Frenkel

2020-10-06 16:46:05 -0700

[diff] [blame^]

788

"integerValue": "A String", # integer

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

789

"booleanValue": True or False, # boolean

Dmitry Frenkel

2020-10-06 16:46:05 -0700

[diff] [blame^]

790

"timestampValue": "A String", # timestamp

791

"dayOfWeekValue": "A String", # day of week

792

"timeValue": { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # time of day

793

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

794

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds.

795

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

796

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value "24:00:00" for scenarios like business closing time.

797

},

798

"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day and time zone are either specified elsewhere or are not significant. The date is relative to the Proleptic Gregorian Calendar. This can represent: * A full date, with non-zero year, month and day values * A month and day value, with a zero year, e.g. an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, e.g. a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # date

799

"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0 if specifying a year by itself or a year and month where the day is not significant.

800

"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without a year.

801

"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a month and day.

802

},

803

"stringValue": "A String", # string

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

804

},

805

"operator": "A String", # Required. Operator used to compare the field or infoType to the value.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

806

},

807

],

808

},

Dmitry Frenkel

2020-10-06 16:46:05 -0700

[diff] [blame^]

809

"logicalOperator": "A String", # The operator to apply to the result of conditions. Default and currently only supported value is `AND`.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

810

},

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

811

},

Dmitry Frenkel

2020-10-06 16:46:05 -0700

[diff] [blame^]

812

"infoTypeTransformations": { # A type of transformation that will scan unstructured text and apply various `PrimitiveTransformation`s to each finding, where the transformation is applied to only values that were identified as a specific info_type. # Treat the contents of the field as free text, and selectively transform content that matches an `InfoType`.

813

"transformations": [ # Required. Transformation for each infoType. Cannot specify more than one for a given infoType.

814

{ # A transformation to apply to text that is identified as a specific info_type.

815

"primitiveTransformation": { # A rule for transforming a value. # Required. Primitive transformation to apply to the infoType.

816

"redactConfig": { # Redact a given value. For example, if used with an `InfoTypeTransformation` transforming PHONE_NUMBER, and input 'My phone number is 206-555-0123', the output would be 'My phone number is '. # Redact

817

},

818

"characterMaskConfig": { # Partially mask a string by replacing a given number of characters with a fixed character. Masking can start from the beginning or end of the string. This can be used on data of any type (numbers, longs, and so on) and when de-identifying structured data we'll attempt to preserve the original data's type. (This allows you to take a long like 123 and modify it to a string like **3. # Mask

819

"numberToMask": 42, # Number of characters to mask. If not set, all matching chars will be masked. Skipped characters do not count towards this tally.

820

"charactersToIgnore": [ # When masking a string, items in this list will be skipped when replacing characters. For example, if the input string is `555-555-5555` and you instruct Cloud DLP to skip `-` and mask 5 characters with `*`, Cloud DLP returns `***-**5-5555`.

821

{ # Characters to skip when doing deidentification of a value. These will be left alone and skipped.

822

"charactersToSkip": "A String", # Characters to not transform when masking.

823

"commonCharactersToIgnore": "A String", # Common characters to not transform when masking. Useful to avoid removing punctuation.

824

},

825

],

826

"reverseOrder": True or False, # Mask characters in reverse order. For example, if `masking_character` is `0`, `number_to_mask` is `14`, and `reverse_order` is `false`, then the input string `1234-5678-9012-3456` is masked as `00000000000000-3456`. If `masking_character` is `*`, `number_to_mask` is `3`, and `reverse_order` is `true`, then the string `12345` is masked as `12***`.

827

"maskingCharacter": "A String", # Character to use to mask the sensitive values—for example, `*` for an alphabetic string such as a name, or `0` for a numeric string such as ZIP code or credit card number. This string must have a length of 1. If not supplied, this value defaults to `*` for strings, and `0` for digits.

828

},

829

"dateShiftConfig": { # Shifts dates by random number of days, with option to be consistent for the same context. See https://cloud.google.com/dlp/docs/concepts-date-shifting to learn more. # Date Shift

830

"lowerBoundDays": 42, # Required. For example, -5 means shift date to at most 5 days back in the past.

831

"upperBoundDays": 42, # Required. Range of shift in days. Actual shift will be selected at random within this range (inclusive ends). Negative means shift to earlier in time. Must not be more than 365250 days (1000 years) each direction. For example, 3 means shift date to at most 3 days into the future.

832

"cryptoKey": { # This is a data encryption key (DEK) (as opposed to a key encryption key (KEK) stored by KMS). When using KMS to wrap/unwrap DEKs, be sure to set an appropriate IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot unwrap the data crypto key. # Causes the shift to be computed based on this key and the context. This results in the same shift for the same context and crypto_key. If set, must also set context. Can only be applied to table items.

833

"unwrapped": { # Using raw keys is prone to security risks due to accidentally leaking the key. Choose another type of key if possible. # Unwrapped crypto key

834

"key": "A String", # Required. A 128/192/256 bit key.

835

},

836

"transient": { # Use this to have a random data crypto key generated. It will be discarded after the request finishes. # Transient crypto key

837

"name": "A String", # Required. Name of the key. This is an arbitrary string used to differentiate different keys. A unique key is generated per name: two separate `TransientCryptoKey` protos share the same generated key if their names are the same. When the data crypto key is generated, this name is not used in any way (repeating the api call will result in a different key being generated).

838

},

839

"kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. The wrapped key must be a 128/192/256 bit key. Authorization requires the following IAM permissions when sending a request to perform a crypto transformation using a kms-wrapped crypto key: dlp.kms.encrypt # Kms wrapped key

840

"cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.

841

"wrappedKey": "A String", # Required. The wrapped data crypto key.

842

},

843

},

844

"context": { # General identifier of a data field in a storage service. # Points to the field that contains the context, for example, an entity id. If set, must also set cryptoKey. If set, shift will be consistent for the given context.

845

"name": "A String", # Name describing the field.

846

},

847

},

848

"cryptoDeterministicConfig": { # Pseudonymization method that generates deterministic encryption for the given input. Outputs a base64 encoded representation of the encrypted output. Uses AES-SIV based on the RFC https://tools.ietf.org/html/rfc5297. # Deterministic Crypto

849

"surrogateInfoType": { # Type of information detected by the API. # The custom info type to annotate the surrogate with. This annotation will be applied to the surrogate by prefixing it with the name of the custom info type followed by the number of characters comprising the surrogate. The following scheme defines the format: {info type name}({surrogate character count}):{surrogate} For example, if the name of custom info type is 'MY_TOKEN_INFO_TYPE' and the surrogate is 'abc', the full replacement value will be: 'MY_TOKEN_INFO_TYPE(3):abc' This annotation identifies the surrogate when inspecting content using the custom info type 'Surrogate'. This facilitates reversal of the surrogate when it occurs in free text. Note: For record transformations where the entire cell in a table is being transformed, surrogates are not mandatory. Surrogates are used to denote the location of the token and are necessary for re-identification in free form text. In order for inspection to work properly, the name of this info type must not occur naturally anywhere in your data; otherwise, inspection may either - reverse a surrogate that does not correspond to an actual identifier - be unable to parse the surrogate and result in an error Therefore, choose your custom info type name carefully after considering what your data looks like. One way to select a name that has a high chance of yielding reliable detection is to include one or more unicode characters that are highly improbable to exist in your data. For example, assuming your data is entered from a regular ASCII keyboard, the symbol with the hex code point 29DD might be used like so: ⧝MY_TOKEN_TYPE.

850

"name": "A String", # Name of the information type. Either a name of your choosing when creating a CustomInfoType, or one of the names listed at https://cloud.google.com/dlp/docs/infotypes-reference when specifying a built-in type. When sending Cloud DLP results to Data Catalog, infoType names should conform to the pattern `[A-Za-z0-9$-_]{1,64}`.

851

},

852

"context": { # General identifier of a data field in a storage service. # A context may be used for higher security and maintaining referential integrity such that the same identifier in two different contexts will be given a distinct surrogate. The context is appended to plaintext value being encrypted. On decryption the provided context is validated against the value used during encryption. If a context was provided during encryption, same context must be provided during decryption as well. If the context is not set, plaintext would be used as is for encryption. If the context is set but: 1. there is no record present when transforming a given value or 2. the field is not present when transforming a given value, plaintext would be used as is for encryption. Note that case (1) is expected when an `InfoTypeTransformation` is applied to both structured and non-structured `ContentItem`s.

853

"name": "A String", # Name describing the field.

854

},

855

"cryptoKey": { # This is a data encryption key (DEK) (as opposed to a key encryption key (KEK) stored by KMS). When using KMS to wrap/unwrap DEKs, be sure to set an appropriate IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot unwrap the data crypto key. # The key used by the encryption function.

856

"unwrapped": { # Using raw keys is prone to security risks due to accidentally leaking the key. Choose another type of key if possible. # Unwrapped crypto key

857

"key": "A String", # Required. A 128/192/256 bit key.

858

},

859

"transient": { # Use this to have a random data crypto key generated. It will be discarded after the request finishes. # Transient crypto key

860

"name": "A String", # Required. Name of the key. This is an arbitrary string used to differentiate different keys. A unique key is generated per name: two separate `TransientCryptoKey` protos share the same generated key if their names are the same. When the data crypto key is generated, this name is not used in any way (repeating the api call will result in a different key being generated).

861

},

862

"kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. The wrapped key must be a 128/192/256 bit key. Authorization requires the following IAM permissions when sending a request to perform a crypto transformation using a kms-wrapped crypto key: dlp.kms.encrypt # Kms wrapped key

863

"cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.

864

"wrappedKey": "A String", # Required. The wrapped data crypto key.

},

},

},

"replaceConfig": { # Replace each input value with a given `Value`. # Replace

869

"newValue": { # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a 'Value' is based on its representation as a UTF-8 encoded string. For example, if 'integer_value' is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data. # Value to replace it with.

870

"floatValue": 3.14, # float

871

"integerValue": "A String", # integer

872

"booleanValue": True or False, # boolean

873

"timestampValue": "A String", # timestamp

874

"dayOfWeekValue": "A String", # day of week

875

"timeValue": { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # time of day

876

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

877

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds.

878

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

879

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value "24:00:00" for scenarios like business closing time.

880

},

881

"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day and time zone are either specified elsewhere or are not significant. The date is relative to the Proleptic Gregorian Calendar. This can represent: * A full date, with non-zero year, month and day values * A month and day value, with a zero year, e.g. an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, e.g. a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # date

882

"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0 if specifying a year by itself or a year and month where the day is not significant.

883

"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without a year.

884

"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a month and day.

885

},

886

"stringValue": "A String", # string

887

},

888

},

889

"cryptoReplaceFfxFpeConfig": { # Replaces an identifier with a surrogate using Format Preserving Encryption (FPE) with the FFX mode of operation; however when used in the `ReidentifyContent` API method, it serves the opposite function by reversing the surrogate back into the original identifier. The identifier must be encoded as ASCII. For a given crypto key and context, the same identifier will be replaced with the same surrogate. Identifiers must be at least two characters long. In the case that the identifier is the empty string, it will be skipped. See https://cloud.google.com/dlp/docs/pseudonymization to learn more. Note: We recommend using CryptoDeterministicConfig for all use cases which do not require preserving the input alphabet space and size, plus warrant referential integrity. # Ffx-Fpe

890

"surrogateInfoType": { # Type of information detected by the API. # The custom infoType to annotate the surrogate with. This annotation will be applied to the surrogate by prefixing it with the name of the custom infoType followed by the number of characters comprising the surrogate. The following scheme defines the format: info_type_name(surrogate_character_count):surrogate For example, if the name of custom infoType is 'MY_TOKEN_INFO_TYPE' and the surrogate is 'abc', the full replacement value will be: 'MY_TOKEN_INFO_TYPE(3):abc' This annotation identifies the surrogate when inspecting content using the custom infoType [`SurrogateType`](https://cloud.google.com/dlp/docs/reference/rest/v2/InspectConfig#surrogatetype). This facilitates reversal of the surrogate when it occurs in free text. In order for inspection to work properly, the name of this infoType must not occur naturally anywhere in your data; otherwise, inspection may find a surrogate that does not correspond to an actual identifier. Therefore, choose your custom infoType name carefully after considering what your data looks like. One way to select a name that has a high chance of yielding reliable detection is to include one or more unicode characters that are highly improbable to exist in your data. For example, assuming your data is entered from a regular ASCII keyboard, the symbol with the hex code point 29DD might be used like so: ⧝MY_TOKEN_TYPE

891

"name": "A String", # Name of the information type. Either a name of your choosing when creating a CustomInfoType, or one of the names listed at https://cloud.google.com/dlp/docs/infotypes-reference when specifying a built-in type. When sending Cloud DLP results to Data Catalog, infoType names should conform to the pattern `[A-Za-z0-9$-_]{1,64}`.

892

},

893

"context": { # General identifier of a data field in a storage service. # The 'tweak', a context may be used for higher security since the same identifier in two different contexts won't be given the same surrogate. If the context is not set, a default tweak will be used. If the context is set but: 1. there is no record present when transforming a given value or 1. the field is not present when transforming a given value, a default tweak will be used. Note that case (1) is expected when an `InfoTypeTransformation` is applied to both structured and non-structured `ContentItem`s. Currently, the referenced field may be of value type integer or string. The tweak is constructed as a sequence of bytes in big endian byte order such that: - a 64 bit integer is encoded followed by a single byte of value 1 - a string is encoded in UTF-8 format followed by a single byte of value 2

894

"name": "A String", # Name describing the field.

895

},

896

"customAlphabet": "A String", # This is supported by mapping these to the alphanumeric characters that the FFX mode natively supports. This happens before/after encryption/decryption. Each character listed must appear only once. Number of characters must be in the range [2, 95]. This must be encoded as ASCII. The order of characters does not matter. The full list of allowed characters is: 0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz ~`!@#$%^&*()_-+={[}]|\:;"'<,>.?/

897

"commonAlphabet": "A String", # Common alphabets.

898

"cryptoKey": { # This is a data encryption key (DEK) (as opposed to a key encryption key (KEK) stored by KMS). When using KMS to wrap/unwrap DEKs, be sure to set an appropriate IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot unwrap the data crypto key. # Required. The key used by the encryption algorithm.

899

"unwrapped": { # Using raw keys is prone to security risks due to accidentally leaking the key. Choose another type of key if possible. # Unwrapped crypto key

900

"key": "A String", # Required. A 128/192/256 bit key.

901

},

902

"transient": { # Use this to have a random data crypto key generated. It will be discarded after the request finishes. # Transient crypto key

903

"name": "A String", # Required. Name of the key. This is an arbitrary string used to differentiate different keys. A unique key is generated per name: two separate `TransientCryptoKey` protos share the same generated key if their names are the same. When the data crypto key is generated, this name is not used in any way (repeating the api call will result in a different key being generated).

904

},

905

"kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. The wrapped key must be a 128/192/256 bit key. Authorization requires the following IAM permissions when sending a request to perform a crypto transformation using a kms-wrapped crypto key: dlp.kms.encrypt # Kms wrapped key

906

"cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.

907

"wrappedKey": "A String", # Required. The wrapped data crypto key.

908

},

909

},

910

"radix": 42, # The native way to select the alphabet. Must be in the range [2, 95].

911

},

912

"cryptoHashConfig": { # Pseudonymization method that generates surrogates via cryptographic hashing. Uses SHA-256. The key size must be either 32 or 64 bytes. Outputs a base64 encoded representation of the hashed output (for example, L7k0BHmF1ha5U3NfGykjro4xWi1MPVQPjhMAZbSV9mM=). Currently, only string and integer values can be hashed. See https://cloud.google.com/dlp/docs/pseudonymization to learn more. # Crypto

913

"cryptoKey": { # This is a data encryption key (DEK) (as opposed to a key encryption key (KEK) stored by KMS). When using KMS to wrap/unwrap DEKs, be sure to set an appropriate IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot unwrap the data crypto key. # The key used by the hash function.

914

"unwrapped": { # Using raw keys is prone to security risks due to accidentally leaking the key. Choose another type of key if possible. # Unwrapped crypto key

915

"key": "A String", # Required. A 128/192/256 bit key.

916

},

917

"transient": { # Use this to have a random data crypto key generated. It will be discarded after the request finishes. # Transient crypto key

918

"name": "A String", # Required. Name of the key. This is an arbitrary string used to differentiate different keys. A unique key is generated per name: two separate `TransientCryptoKey` protos share the same generated key if their names are the same. When the data crypto key is generated, this name is not used in any way (repeating the api call will result in a different key being generated).

919

},

920

"kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. The wrapped key must be a 128/192/256 bit key. Authorization requires the following IAM permissions when sending a request to perform a crypto transformation using a kms-wrapped crypto key: dlp.kms.encrypt # Kms wrapped key

921

"cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.

922

"wrappedKey": "A String", # Required. The wrapped data crypto key.

},

},

},

"bucketingConfig": { # Generalization function that buckets values based on ranges. The ranges and replacement values are dynamically provided by the user for custom behavior, such as 1-30 -> LOW 31-65 -> MEDIUM 66-100 -> HIGH This can be used on data of type: number, long, string, timestamp. If the bound `Value` type differs from the type of data being transformed, we will first attempt converting the type of the data to be transformed to match the type of the bound before comparing. See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more. # Bucketing

927

"buckets": [ # Set of buckets. Ranges must be non-overlapping.

928

{ # Bucket is represented as a range, along with replacement values.

929

"max": { # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a 'Value' is based on its representation as a UTF-8 encoded string. For example, if 'integer_value' is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data. # Upper bound of the range, exclusive; type must match min.

930

"floatValue": 3.14, # float

931

"integerValue": "A String", # integer

932

"booleanValue": True or False, # boolean

933

"timestampValue": "A String", # timestamp

934

"dayOfWeekValue": "A String", # day of week

935

"timeValue": { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # time of day

936

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

937

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds.

938

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

939

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value "24:00:00" for scenarios like business closing time.

940

},

941

"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day and time zone are either specified elsewhere or are not significant. The date is relative to the Proleptic Gregorian Calendar. This can represent: * A full date, with non-zero year, month and day values * A month and day value, with a zero year, e.g. an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, e.g. a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # date

942

"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0 if specifying a year by itself or a year and month where the day is not significant.

943

"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without a year.

944

"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a month and day.

945

},

946

"stringValue": "A String", # string

947

},

948

"min": { # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a 'Value' is based on its representation as a UTF-8 encoded string. For example, if 'integer_value' is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data. # Lower bound of the range, inclusive. Type should be the same as max if used.

949

"floatValue": 3.14, # float

950

"integerValue": "A String", # integer

951

"booleanValue": True or False, # boolean

952

"timestampValue": "A String", # timestamp

953

"dayOfWeekValue": "A String", # day of week

954

"timeValue": { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # time of day

955

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

956

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds.

957

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

958

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value "24:00:00" for scenarios like business closing time.

959

},

960

"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day and time zone are either specified elsewhere or are not significant. The date is relative to the Proleptic Gregorian Calendar. This can represent: * A full date, with non-zero year, month and day values * A month and day value, with a zero year, e.g. an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, e.g. a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # date

961

"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0 if specifying a year by itself or a year and month where the day is not significant.

962

"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without a year.

963

"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a month and day.

964

},

965

"stringValue": "A String", # string

966

},

967

"replacementValue": { # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a 'Value' is based on its representation as a UTF-8 encoded string. For example, if 'integer_value' is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data. # Required. Replacement value for this bucket.

968

"floatValue": 3.14, # float

969

"integerValue": "A String", # integer

970

"booleanValue": True or False, # boolean

971

"timestampValue": "A String", # timestamp

972

"dayOfWeekValue": "A String", # day of week

973

"timeValue": { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # time of day

974

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

975

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds.

976

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

977

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value "24:00:00" for scenarios like business closing time.

978

},

979

"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day and time zone are either specified elsewhere or are not significant. The date is relative to the Proleptic Gregorian Calendar. This can represent: * A full date, with non-zero year, month and day values * A month and day value, with a zero year, e.g. an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, e.g. a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # date

980

"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0 if specifying a year by itself or a year and month where the day is not significant.

981

"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without a year.

982

"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a month and day.

983

},

984

"stringValue": "A String", # string

},

},

],

},

"replaceWithInfoTypeConfig": { # Replace each matching finding with the name of the info_type. # Replace with infotype

990

},

991

"timePartConfig": { # For use with `Date`, `Timestamp`, and `TimeOfDay`, extract or preserve a portion of the value. # Time extraction

992

"partToExtract": "A String", # The part of the time to keep.

993

},

994

"fixedSizeBucketingConfig": { # Buckets values based on fixed size ranges. The Bucketing transformation can provide all of this functionality, but requires more configuration. This message is provided as a convenience to the user for simple bucketing strategies. The transformed value will be a hyphenated string of {lower_bound}-{upper_bound}, i.e if lower_bound = 10 and upper_bound = 20 all values that are within this bucket will be replaced with "10-20". This can be used on data of type: double, long. If the bound Value type differs from the type of data being transformed, we will first attempt converting the type of the data to be transformed to match the type of the bound before comparing. See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more. # Fixed size bucketing

995

"bucketSize": 3.14, # Required. Size of each bucket (except for minimum and maximum buckets). So if `lower_bound` = 10, `upper_bound` = 89, and `bucket_size` = 10, then the following buckets would be used: -10, 10-20, 20-30, 30-40, 40-50, 50-60, 60-70, 70-80, 80-89, 89+. Precision up to 2 decimals works.

996

"lowerBound": { # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a 'Value' is based on its representation as a UTF-8 encoded string. For example, if 'integer_value' is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data. # Required. Lower bound value of buckets. All values less than `lower_bound` are grouped together into a single bucket; for example if `lower_bound` = 10, then all values less than 10 are replaced with the value "-10".

997

"floatValue": 3.14, # float

998

"integerValue": "A String", # integer

999

"booleanValue": True or False, # boolean

1000

"timestampValue": "A String", # timestamp

1001

"dayOfWeekValue": "A String", # day of week

1002

"timeValue": { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # time of day

1003

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

1004

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds.

1005

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

1006

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value "24:00:00" for scenarios like business closing time.

1007

},

1008

"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day and time zone are either specified elsewhere or are not significant. The date is relative to the Proleptic Gregorian Calendar. This can represent: * A full date, with non-zero year, month and day values * A month and day value, with a zero year, e.g. an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, e.g. a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # date

1009

"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0 if specifying a year by itself or a year and month where the day is not significant.

1010

"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without a year.

1011

"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a month and day.

1012

},

1013

"stringValue": "A String", # string

1014

},

1015

"upperBound": { # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a 'Value' is based on its representation as a UTF-8 encoded string. For example, if 'integer_value' is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data. # Required. Upper bound value of buckets. All values greater than upper_bound are grouped together into a single bucket; for example if `upper_bound` = 89, then all values greater than 89 are replaced with the value "89+".

1016

"floatValue": 3.14, # float

1017

"integerValue": "A String", # integer

1018

"booleanValue": True or False, # boolean

1019

"timestampValue": "A String", # timestamp

1020

"dayOfWeekValue": "A String", # day of week

1021

"timeValue": { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # time of day

1022

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

1023

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds.

1024

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

1025

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value "24:00:00" for scenarios like business closing time.

1026

},

1027

"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day and time zone are either specified elsewhere or are not significant. The date is relative to the Proleptic Gregorian Calendar. This can represent: * A full date, with non-zero year, month and day values * A month and day value, with a zero year, e.g. an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, e.g. a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # date

1028

"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0 if specifying a year by itself or a year and month where the day is not significant.

1029

"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without a year.

1030

"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a month and day.

1031

},

1032

"stringValue": "A String", # string

},

},

},

"infoTypes": [ # InfoTypes to apply the transformation to. An empty list will cause this transformation to apply to all findings that correspond to infoTypes that were requested in `InspectConfig`.

1037

{ # Type of information detected by the API.

1038

"name": "A String", # Name of the information type. Either a name of your choosing when creating a CustomInfoType, or one of the names listed at https://cloud.google.com/dlp/docs/infotypes-reference when specifying a built-in type. When sending Cloud DLP results to Data Catalog, infoType names should conform to the pattern `[A-Za-z0-9$-_]{1,64}`.

},

],

},

],

},

Bu Sun Kim

2020-07-22 17:02:09 -0700

[diff] [blame]

1044

"fields": [ # Required. Input field(s) to apply the transformation to.

1045

{ # General identifier of a data field in a storage service.

1046

"name": "A String", # Name describing the field.

1047

},

1048

],

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

1049

},

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

1050

],

1051

},

1052

},

Bu Sun Kim

2020-07-22 17:02:09 -0700

[diff] [blame]

1053

"locationId": "A String", # Deprecated. This field has no effect.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

1054

}

1055

1056

x__xgafv: string, V1 error format.

Allowed values

1 - v1 error format

2 - v2 error format

Returns:

An object of the form:

1063

1064

{ # Results of de-identifying a ContentItem.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

1065

"overview": { # Overview of the modifications that occurred. # An overview of the changes that were made on the `item`.

Dmitry Frenkel

2020-10-06 16:46:05 -0700

[diff] [blame^]

1066

"transformedBytes": "A String", # Total size in bytes that were transformed in some way.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

1067

"transformationSummaries": [ # Transformations applied to the dataset.

Dmitry Frenkel

2020-10-06 16:46:05 -0700

[diff] [blame^]

1068

{ # Summary of a single transformation. Only one of 'transformation', 'field_transformation', or 'record_suppress' will be set.

1069

"fieldTransformations": [ # The field transformation that was applied. If multiple field transformations are requested for a single field, this list will contain all of them; otherwise, only one is supplied.

Bu Sun Kim

2020-07-22 17:02:09 -0700

[diff] [blame]

1070

{ # The transformation to apply to the field.

Bu Sun Kim

2020-07-22 17:02:09 -0700

[diff] [blame]

1071

"primitiveTransformation": { # A rule for transforming a value. # Apply the transformation to the entire field.

Dmitry Frenkel

2020-10-06 16:46:05 -0700

[diff] [blame^]

1072

"redactConfig": { # Redact a given value. For example, if used with an `InfoTypeTransformation` transforming PHONE_NUMBER, and input 'My phone number is 206-555-0123', the output would be 'My phone number is '. # Redact

1073

},

1074

"characterMaskConfig": { # Partially mask a string by replacing a given number of characters with a fixed character. Masking can start from the beginning or end of the string. This can be used on data of any type (numbers, longs, and so on) and when de-identifying structured data we'll attempt to preserve the original data's type. (This allows you to take a long like 123 and modify it to a string like **3. # Mask

1075

"numberToMask": 42, # Number of characters to mask. If not set, all matching chars will be masked. Skipped characters do not count towards this tally.

1076

"charactersToIgnore": [ # When masking a string, items in this list will be skipped when replacing characters. For example, if the input string is `555-555-5555` and you instruct Cloud DLP to skip `-` and mask 5 characters with `*`, Cloud DLP returns `***-**5-5555`.

1077

{ # Characters to skip when doing deidentification of a value. These will be left alone and skipped.

1078

"charactersToSkip": "A String", # Characters to not transform when masking.

1079

"commonCharactersToIgnore": "A String", # Common characters to not transform when masking. Useful to avoid removing punctuation.

Bu Sun Kim

2020-07-22 17:02:09 -0700

[diff] [blame]

1080

},

Dmitry Frenkel

2020-10-06 16:46:05 -0700

[diff] [blame^]

1081

],

1082

"reverseOrder": True or False, # Mask characters in reverse order. For example, if `masking_character` is `0`, `number_to_mask` is `14`, and `reverse_order` is `false`, then the input string `1234-5678-9012-3456` is masked as `00000000000000-3456`. If `masking_character` is `*`, `number_to_mask` is `3`, and `reverse_order` is `true`, then the string `12345` is masked as `12***`.

1083

"maskingCharacter": "A String", # Character to use to mask the sensitive values—for example, `*` for an alphabetic string such as a name, or `0` for a numeric string such as ZIP code or credit card number. This string must have a length of 1. If not supplied, this value defaults to `*` for strings, and `0` for digits.

1084

},

1085

"dateShiftConfig": { # Shifts dates by random number of days, with option to be consistent for the same context. See https://cloud.google.com/dlp/docs/concepts-date-shifting to learn more. # Date Shift

1086

"lowerBoundDays": 42, # Required. For example, -5 means shift date to at most 5 days back in the past.

1087

"upperBoundDays": 42, # Required. Range of shift in days. Actual shift will be selected at random within this range (inclusive ends). Negative means shift to earlier in time. Must not be more than 365250 days (1000 years) each direction. For example, 3 means shift date to at most 3 days into the future.

1088

"cryptoKey": { # This is a data encryption key (DEK) (as opposed to a key encryption key (KEK) stored by KMS). When using KMS to wrap/unwrap DEKs, be sure to set an appropriate IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot unwrap the data crypto key. # Causes the shift to be computed based on this key and the context. This results in the same shift for the same context and crypto_key. If set, must also set context. Can only be applied to table items.

1089

"unwrapped": { # Using raw keys is prone to security risks due to accidentally leaking the key. Choose another type of key if possible. # Unwrapped crypto key

1090

"key": "A String", # Required. A 128/192/256 bit key.

1091

},

1092

"transient": { # Use this to have a random data crypto key generated. It will be discarded after the request finishes. # Transient crypto key

1093

"name": "A String", # Required. Name of the key. This is an arbitrary string used to differentiate different keys. A unique key is generated per name: two separate `TransientCryptoKey` protos share the same generated key if their names are the same. When the data crypto key is generated, this name is not used in any way (repeating the api call will result in a different key being generated).

1094

},

1095

"kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. The wrapped key must be a 128/192/256 bit key. Authorization requires the following IAM permissions when sending a request to perform a crypto transformation using a kms-wrapped crypto key: dlp.kms.encrypt # Kms wrapped key

Bu Sun Kim

2020-07-22 17:02:09 -0700

[diff] [blame]

1096

"cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.

1097

"wrappedKey": "A String", # Required. The wrapped data crypto key.

1098

},

Dmitry Frenkel

2020-10-06 16:46:05 -0700

[diff] [blame^]

1099

},

1100

"context": { # General identifier of a data field in a storage service. # Points to the field that contains the context, for example, an entity id. If set, must also set cryptoKey. If set, shift will be consistent for the given context.

1101

"name": "A String", # Name describing the field.

1102

},

1103

},

1104

"cryptoDeterministicConfig": { # Pseudonymization method that generates deterministic encryption for the given input. Outputs a base64 encoded representation of the encrypted output. Uses AES-SIV based on the RFC https://tools.ietf.org/html/rfc5297. # Deterministic Crypto

1105

"surrogateInfoType": { # Type of information detected by the API. # The custom info type to annotate the surrogate with. This annotation will be applied to the surrogate by prefixing it with the name of the custom info type followed by the number of characters comprising the surrogate. The following scheme defines the format: {info type name}({surrogate character count}):{surrogate} For example, if the name of custom info type is 'MY_TOKEN_INFO_TYPE' and the surrogate is 'abc', the full replacement value will be: 'MY_TOKEN_INFO_TYPE(3):abc' This annotation identifies the surrogate when inspecting content using the custom info type 'Surrogate'. This facilitates reversal of the surrogate when it occurs in free text. Note: For record transformations where the entire cell in a table is being transformed, surrogates are not mandatory. Surrogates are used to denote the location of the token and are necessary for re-identification in free form text. In order for inspection to work properly, the name of this info type must not occur naturally anywhere in your data; otherwise, inspection may either - reverse a surrogate that does not correspond to an actual identifier - be unable to parse the surrogate and result in an error Therefore, choose your custom info type name carefully after considering what your data looks like. One way to select a name that has a high chance of yielding reliable detection is to include one or more unicode characters that are highly improbable to exist in your data. For example, assuming your data is entered from a regular ASCII keyboard, the symbol with the hex code point 29DD might be used like so: ⧝MY_TOKEN_TYPE.

1106

"name": "A String", # Name of the information type. Either a name of your choosing when creating a CustomInfoType, or one of the names listed at https://cloud.google.com/dlp/docs/infotypes-reference when specifying a built-in type. When sending Cloud DLP results to Data Catalog, infoType names should conform to the pattern `[A-Za-z0-9$-_]{1,64}`.

1107

},

1108

"context": { # General identifier of a data field in a storage service. # A context may be used for higher security and maintaining referential integrity such that the same identifier in two different contexts will be given a distinct surrogate. The context is appended to plaintext value being encrypted. On decryption the provided context is validated against the value used during encryption. If a context was provided during encryption, same context must be provided during decryption as well. If the context is not set, plaintext would be used as is for encryption. If the context is set but: 1. there is no record present when transforming a given value or 2. the field is not present when transforming a given value, plaintext would be used as is for encryption. Note that case (1) is expected when an `InfoTypeTransformation` is applied to both structured and non-structured `ContentItem`s.

1109

"name": "A String", # Name describing the field.

1110

},

1111

"cryptoKey": { # This is a data encryption key (DEK) (as opposed to a key encryption key (KEK) stored by KMS). When using KMS to wrap/unwrap DEKs, be sure to set an appropriate IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot unwrap the data crypto key. # The key used by the encryption function.

1112

"unwrapped": { # Using raw keys is prone to security risks due to accidentally leaking the key. Choose another type of key if possible. # Unwrapped crypto key

Bu Sun Kim

2020-07-22 17:02:09 -0700

[diff] [blame]

1113

"key": "A String", # Required. A 128/192/256 bit key.

1114

},

Dmitry Frenkel

2020-10-06 16:46:05 -0700

[diff] [blame^]

1115

"transient": { # Use this to have a random data crypto key generated. It will be discarded after the request finishes. # Transient crypto key

1116

"name": "A String", # Required. Name of the key. This is an arbitrary string used to differentiate different keys. A unique key is generated per name: two separate `TransientCryptoKey` protos share the same generated key if their names are the same. When the data crypto key is generated, this name is not used in any way (repeating the api call will result in a different key being generated).

1117

},

1118

"kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. The wrapped key must be a 128/192/256 bit key. Authorization requires the following IAM permissions when sending a request to perform a crypto transformation using a kms-wrapped crypto key: dlp.kms.encrypt # Kms wrapped key

1119

"cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.

1120

"wrappedKey": "A String", # Required. The wrapped data crypto key.

1121

},

Bu Sun Kim

2020-07-22 17:02:09 -0700

[diff] [blame]

1122

},

Bu Sun Kim

2020-07-22 17:02:09 -0700

[diff] [blame]

1123

},

Dmitry Frenkel

2020-10-06 16:46:05 -0700

[diff] [blame^]

1124

"replaceConfig": { # Replace each input value with a given `Value`. # Replace

1125

"newValue": { # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a 'Value' is based on its representation as a UTF-8 encoded string. For example, if 'integer_value' is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data. # Value to replace it with.

1126

"floatValue": 3.14, # float

1127

"integerValue": "A String", # integer

1128

"booleanValue": True or False, # boolean

1129

"timestampValue": "A String", # timestamp

1130

"dayOfWeekValue": "A String", # day of week

1131

"timeValue": { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # time of day

1132

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

1133

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds.

1134

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

1135

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value "24:00:00" for scenarios like business closing time.

1136

},

1137

"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day and time zone are either specified elsewhere or are not significant. The date is relative to the Proleptic Gregorian Calendar. This can represent: * A full date, with non-zero year, month and day values * A month and day value, with a zero year, e.g. an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, e.g. a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # date

1138

"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0 if specifying a year by itself or a year and month where the day is not significant.

1139

"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without a year.

1140

"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a month and day.

1141

},

1142

"stringValue": "A String", # string

1143

},

1144

},

1145

"cryptoReplaceFfxFpeConfig": { # Replaces an identifier with a surrogate using Format Preserving Encryption (FPE) with the FFX mode of operation; however when used in the `ReidentifyContent` API method, it serves the opposite function by reversing the surrogate back into the original identifier. The identifier must be encoded as ASCII. For a given crypto key and context, the same identifier will be replaced with the same surrogate. Identifiers must be at least two characters long. In the case that the identifier is the empty string, it will be skipped. See https://cloud.google.com/dlp/docs/pseudonymization to learn more. Note: We recommend using CryptoDeterministicConfig for all use cases which do not require preserving the input alphabet space and size, plus warrant referential integrity. # Ffx-Fpe

1146

"surrogateInfoType": { # Type of information detected by the API. # The custom infoType to annotate the surrogate with. This annotation will be applied to the surrogate by prefixing it with the name of the custom infoType followed by the number of characters comprising the surrogate. The following scheme defines the format: info_type_name(surrogate_character_count):surrogate For example, if the name of custom infoType is 'MY_TOKEN_INFO_TYPE' and the surrogate is 'abc', the full replacement value will be: 'MY_TOKEN_INFO_TYPE(3):abc' This annotation identifies the surrogate when inspecting content using the custom infoType [`SurrogateType`](https://cloud.google.com/dlp/docs/reference/rest/v2/InspectConfig#surrogatetype). This facilitates reversal of the surrogate when it occurs in free text. In order for inspection to work properly, the name of this infoType must not occur naturally anywhere in your data; otherwise, inspection may find a surrogate that does not correspond to an actual identifier. Therefore, choose your custom infoType name carefully after considering what your data looks like. One way to select a name that has a high chance of yielding reliable detection is to include one or more unicode characters that are highly improbable to exist in your data. For example, assuming your data is entered from a regular ASCII keyboard, the symbol with the hex code point 29DD might be used like so: ⧝MY_TOKEN_TYPE

1147

"name": "A String", # Name of the information type. Either a name of your choosing when creating a CustomInfoType, or one of the names listed at https://cloud.google.com/dlp/docs/infotypes-reference when specifying a built-in type. When sending Cloud DLP results to Data Catalog, infoType names should conform to the pattern `[A-Za-z0-9$-_]{1,64}`.

1148

},

1149

"context": { # General identifier of a data field in a storage service. # The 'tweak', a context may be used for higher security since the same identifier in two different contexts won't be given the same surrogate. If the context is not set, a default tweak will be used. If the context is set but: 1. there is no record present when transforming a given value or 1. the field is not present when transforming a given value, a default tweak will be used. Note that case (1) is expected when an `InfoTypeTransformation` is applied to both structured and non-structured `ContentItem`s. Currently, the referenced field may be of value type integer or string. The tweak is constructed as a sequence of bytes in big endian byte order such that: - a 64 bit integer is encoded followed by a single byte of value 1 - a string is encoded in UTF-8 format followed by a single byte of value 2

1150

"name": "A String", # Name describing the field.

1151

},

1152

"customAlphabet": "A String", # This is supported by mapping these to the alphanumeric characters that the FFX mode natively supports. This happens before/after encryption/decryption. Each character listed must appear only once. Number of characters must be in the range [2, 95]. This must be encoded as ASCII. The order of characters does not matter. The full list of allowed characters is: 0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz ~`!@#$%^&*()_-+={[}]|\:;"'<,>.?/

1153

"commonAlphabet": "A String", # Common alphabets.

1154

"cryptoKey": { # This is a data encryption key (DEK) (as opposed to a key encryption key (KEK) stored by KMS). When using KMS to wrap/unwrap DEKs, be sure to set an appropriate IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot unwrap the data crypto key. # Required. The key used by the encryption algorithm.

1155

"unwrapped": { # Using raw keys is prone to security risks due to accidentally leaking the key. Choose another type of key if possible. # Unwrapped crypto key

1156

"key": "A String", # Required. A 128/192/256 bit key.

1157

},

1158

"transient": { # Use this to have a random data crypto key generated. It will be discarded after the request finishes. # Transient crypto key

1159

"name": "A String", # Required. Name of the key. This is an arbitrary string used to differentiate different keys. A unique key is generated per name: two separate `TransientCryptoKey` protos share the same generated key if their names are the same. When the data crypto key is generated, this name is not used in any way (repeating the api call will result in a different key being generated).

1160

},

1161

"kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. The wrapped key must be a 128/192/256 bit key. Authorization requires the following IAM permissions when sending a request to perform a crypto transformation using a kms-wrapped crypto key: dlp.kms.encrypt # Kms wrapped key

1162

"cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.

1163

"wrappedKey": "A String", # Required. The wrapped data crypto key.

1164

},

1165

},

1166

"radix": 42, # The native way to select the alphabet. Must be in the range [2, 95].

1167

},

1168

"cryptoHashConfig": { # Pseudonymization method that generates surrogates via cryptographic hashing. Uses SHA-256. The key size must be either 32 or 64 bytes. Outputs a base64 encoded representation of the hashed output (for example, L7k0BHmF1ha5U3NfGykjro4xWi1MPVQPjhMAZbSV9mM=). Currently, only string and integer values can be hashed. See https://cloud.google.com/dlp/docs/pseudonymization to learn more. # Crypto

1169

"cryptoKey": { # This is a data encryption key (DEK) (as opposed to a key encryption key (KEK) stored by KMS). When using KMS to wrap/unwrap DEKs, be sure to set an appropriate IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot unwrap the data crypto key. # The key used by the hash function.

1170

"unwrapped": { # Using raw keys is prone to security risks due to accidentally leaking the key. Choose another type of key if possible. # Unwrapped crypto key

1171

"key": "A String", # Required. A 128/192/256 bit key.

1172

},

1173

"transient": { # Use this to have a random data crypto key generated. It will be discarded after the request finishes. # Transient crypto key

1174

"name": "A String", # Required. Name of the key. This is an arbitrary string used to differentiate different keys. A unique key is generated per name: two separate `TransientCryptoKey` protos share the same generated key if their names are the same. When the data crypto key is generated, this name is not used in any way (repeating the api call will result in a different key being generated).

1175

},

1176

"kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. The wrapped key must be a 128/192/256 bit key. Authorization requires the following IAM permissions when sending a request to perform a crypto transformation using a kms-wrapped crypto key: dlp.kms.encrypt # Kms wrapped key

1177

"cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.

1178

"wrappedKey": "A String", # Required. The wrapped data crypto key.

},

},

},

"bucketingConfig": { # Generalization function that buckets values based on ranges. The ranges and replacement values are dynamically provided by the user for custom behavior, such as 1-30 -> LOW 31-65 -> MEDIUM 66-100 -> HIGH This can be used on data of type: number, long, string, timestamp. If the bound `Value` type differs from the type of data being transformed, we will first attempt converting the type of the data to be transformed to match the type of the bound before comparing. See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more. # Bucketing

1183

"buckets": [ # Set of buckets. Ranges must be non-overlapping.

1184

{ # Bucket is represented as a range, along with replacement values.

1185

"max": { # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a 'Value' is based on its representation as a UTF-8 encoded string. For example, if 'integer_value' is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data. # Upper bound of the range, exclusive; type must match min.

1186

"floatValue": 3.14, # float

1187

"integerValue": "A String", # integer

1188

"booleanValue": True or False, # boolean

1189

"timestampValue": "A String", # timestamp

1190

"dayOfWeekValue": "A String", # day of week

1191

"timeValue": { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # time of day

1192

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

1193

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds.

1194

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

1195

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value "24:00:00" for scenarios like business closing time.

1196

},

1197

"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day and time zone are either specified elsewhere or are not significant. The date is relative to the Proleptic Gregorian Calendar. This can represent: * A full date, with non-zero year, month and day values * A month and day value, with a zero year, e.g. an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, e.g. a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # date

1198

"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0 if specifying a year by itself or a year and month where the day is not significant.

1199

"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without a year.

1200

"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a month and day.

1201

},

1202

"stringValue": "A String", # string

1203

},

1204

"min": { # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a 'Value' is based on its representation as a UTF-8 encoded string. For example, if 'integer_value' is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data. # Lower bound of the range, inclusive. Type should be the same as max if used.

1205

"floatValue": 3.14, # float

1206

"integerValue": "A String", # integer

1207

"booleanValue": True or False, # boolean

1208

"timestampValue": "A String", # timestamp

1209

"dayOfWeekValue": "A String", # day of week

1210

"timeValue": { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # time of day

1211

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

1212

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds.

1213

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

1214

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value "24:00:00" for scenarios like business closing time.

1215

},

1216

"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day and time zone are either specified elsewhere or are not significant. The date is relative to the Proleptic Gregorian Calendar. This can represent: * A full date, with non-zero year, month and day values * A month and day value, with a zero year, e.g. an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, e.g. a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # date

1217

"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0 if specifying a year by itself or a year and month where the day is not significant.

1218

"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without a year.

1219

"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a month and day.

1220

},

1221

"stringValue": "A String", # string

1222

},

1223

"replacementValue": { # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a 'Value' is based on its representation as a UTF-8 encoded string. For example, if 'integer_value' is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data. # Required. Replacement value for this bucket.

1224

"floatValue": 3.14, # float

1225

"integerValue": "A String", # integer

1226

"booleanValue": True or False, # boolean

1227

"timestampValue": "A String", # timestamp

1228

"dayOfWeekValue": "A String", # day of week

1229

"timeValue": { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # time of day

1230

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

1231

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds.

1232

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

1233

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value "24:00:00" for scenarios like business closing time.

1234

},

1235

"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day and time zone are either specified elsewhere or are not significant. The date is relative to the Proleptic Gregorian Calendar. This can represent: * A full date, with non-zero year, month and day values * A month and day value, with a zero year, e.g. an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, e.g. a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # date

1236

"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0 if specifying a year by itself or a year and month where the day is not significant.

1237

"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without a year.

1238

"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a month and day.

1239

},

1240

"stringValue": "A String", # string

1241

},

1242

},

1243

],

Bu Sun Kim

2020-07-22 17:02:09 -0700

[diff] [blame]

1244

},

1245

"replaceWithInfoTypeConfig": { # Replace each matching finding with the name of the info_type. # Replace with infotype

1246

},

Dmitry Frenkel

2020-10-06 16:46:05 -0700

[diff] [blame^]

1247

"timePartConfig": { # For use with `Date`, `Timestamp`, and `TimeOfDay`, extract or preserve a portion of the value. # Time extraction

1248

"partToExtract": "A String", # The part of the time to keep.

1249

},

1250

"fixedSizeBucketingConfig": { # Buckets values based on fixed size ranges. The Bucketing transformation can provide all of this functionality, but requires more configuration. This message is provided as a convenience to the user for simple bucketing strategies. The transformed value will be a hyphenated string of {lower_bound}-{upper_bound}, i.e if lower_bound = 10 and upper_bound = 20 all values that are within this bucket will be replaced with "10-20". This can be used on data of type: double, long. If the bound Value type differs from the type of data being transformed, we will first attempt converting the type of the data to be transformed to match the type of the bound before comparing. See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more. # Fixed size bucketing

1251

"bucketSize": 3.14, # Required. Size of each bucket (except for minimum and maximum buckets). So if `lower_bound` = 10, `upper_bound` = 89, and `bucket_size` = 10, then the following buckets would be used: -10, 10-20, 20-30, 30-40, 40-50, 50-60, 60-70, 70-80, 80-89, 89+. Precision up to 2 decimals works.

1252

"lowerBound": { # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a 'Value' is based on its representation as a UTF-8 encoded string. For example, if 'integer_value' is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data. # Required. Lower bound value of buckets. All values less than `lower_bound` are grouped together into a single bucket; for example if `lower_bound` = 10, then all values less than 10 are replaced with the value "-10".

Bu Sun Kim

2020-07-22 17:02:09 -0700

[diff] [blame]

1253

"floatValue": 3.14, # float

Bu Sun Kim

2020-07-22 17:02:09 -0700

[diff] [blame]

1254

"integerValue": "A String", # integer

Bu Sun Kim

2020-07-22 17:02:09 -0700

[diff] [blame]

1255

"booleanValue": True or False, # boolean

Dmitry Frenkel

2020-10-06 16:46:05 -0700

[diff] [blame^]

1256

"timestampValue": "A String", # timestamp

1257

"dayOfWeekValue": "A String", # day of week

1258

"timeValue": { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # time of day

1259

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

1260

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds.

1261

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

1262

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value "24:00:00" for scenarios like business closing time.

1263

},

1264

"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day and time zone are either specified elsewhere or are not significant. The date is relative to the Proleptic Gregorian Calendar. This can represent: * A full date, with non-zero year, month and day values * A month and day value, with a zero year, e.g. an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, e.g. a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # date

1265

"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0 if specifying a year by itself or a year and month where the day is not significant.

1266

"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without a year.

1267

"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a month and day.

1268

},

1269

"stringValue": "A String", # string

Bu Sun Kim

2020-07-22 17:02:09 -0700

[diff] [blame]

1270

},

Dmitry Frenkel

2020-10-06 16:46:05 -0700

[diff] [blame^]

1271

"upperBound": { # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a 'Value' is based on its representation as a UTF-8 encoded string. For example, if 'integer_value' is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data. # Required. Upper bound value of buckets. All values greater than upper_bound are grouped together into a single bucket; for example if `upper_bound` = 89, then all values greater than 89 are replaced with the value "89+".

1272

"floatValue": 3.14, # float

Bu Sun Kim

2020-07-22 17:02:09 -0700

[diff] [blame]

1273

"integerValue": "A String", # integer

Bu Sun Kim

2020-07-22 17:02:09 -0700

[diff] [blame]

1274

"booleanValue": True or False, # boolean

Dmitry Frenkel

2020-10-06 16:46:05 -0700

[diff] [blame^]

1275

"timestampValue": "A String", # timestamp

1276

"dayOfWeekValue": "A String", # day of week

1277

"timeValue": { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # time of day

1278

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

1279

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds.

1280

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

1281

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value "24:00:00" for scenarios like business closing time.

Bu Sun Kim

2020-07-22 17:02:09 -0700

[diff] [blame]

1282

},

Dmitry Frenkel

2020-10-06 16:46:05 -0700

[diff] [blame^]

1283

"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day and time zone are either specified elsewhere or are not significant. The date is relative to the Proleptic Gregorian Calendar. This can represent: * A full date, with non-zero year, month and day values * A month and day value, with a zero year, e.g. an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, e.g. a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # date

1284

"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0 if specifying a year by itself or a year and month where the day is not significant.

1285

"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without a year.

1286

"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a month and day.

Bu Sun Kim

2020-07-22 17:02:09 -0700

[diff] [blame]

1287

},

Dmitry Frenkel

2020-10-06 16:46:05 -0700

[diff] [blame^]

1288

"stringValue": "A String", # string

Bu Sun Kim

2020-07-22 17:02:09 -0700

[diff] [blame]

1289

},

Bu Sun Kim

2020-07-22 17:02:09 -0700

[diff] [blame]

1290

},

1291

},

Dmitry Frenkel

2020-10-06 16:46:05 -0700

[diff] [blame^]

1292

"condition": { # A condition for determining whether a transformation should be applied to a field. # Only apply the transformation if the condition evaluates to true for the given `RecordCondition`. The conditions are allowed to reference fields that are not used in the actual transformation. Example Use Cases: - Apply a different bucket transformation to an age column if the zip code column for the same record is within a specific range. - Redact a field if the date of birth field is greater than 85.

Bu Sun Kim

2020-07-22 17:02:09 -0700

[diff] [blame]

1293

"expressions": { # An expression, consisting or an operator and conditions. # An expression.

1294

"conditions": { # A collection of conditions. # Conditions to apply to the expression.

1295

"conditions": [ # A collection of conditions.

Dmitry Frenkel

2020-10-06 16:46:05 -0700

[diff] [blame^]

1296

{ # The field type of `value` and `field` do not need to match to be considered equal, but not all comparisons are possible. EQUAL_TO and NOT_EQUAL_TO attempt to compare even with incompatible types, but all other comparisons are invalid with incompatible types. A `value` of type: - `string` can be compared against all other types - `boolean` can only be compared against other booleans - `integer` can be compared against doubles or a string if the string value can be parsed as an integer. - `double` can be compared against integers or a string if the string can be parsed as a double. - `Timestamp` can be compared against strings in RFC 3339 date string format. - `TimeOfDay` can be compared against timestamps and strings in the format of 'HH:mm:ss'. If we fail to compare do to type mismatch, a warning will be given and the condition will evaluate to false.

Bu Sun Kim

2020-07-22 17:02:09 -0700

[diff] [blame]

1297

"field": { # General identifier of a data field in a storage service. # Required. Field within the record this condition is evaluated against.

1298

"name": "A String", # Name describing the field.

1299

},

Dmitry Frenkel

2020-10-06 16:46:05 -0700

[diff] [blame^]

1300

"value": { # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a 'Value' is based on its representation as a UTF-8 encoded string. For example, if 'integer_value' is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data. # Value to compare against. [Mandatory, except for `EXISTS` tests.]

Bu Sun Kim

2020-07-22 17:02:09 -0700

[diff] [blame]

1301

"floatValue": 3.14, # float

Dmitry Frenkel

2020-10-06 16:46:05 -0700

[diff] [blame^]

1302

"integerValue": "A String", # integer

Bu Sun Kim

2020-07-22 17:02:09 -0700

[diff] [blame]

1303

"booleanValue": True or False, # boolean

Dmitry Frenkel

2020-10-06 16:46:05 -0700

[diff] [blame^]

1304

"timestampValue": "A String", # timestamp

1305

"dayOfWeekValue": "A String", # day of week

1306

"timeValue": { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # time of day

1307

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

1308

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds.

1309

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

1310

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value "24:00:00" for scenarios like business closing time.

1311

},

1312

"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day and time zone are either specified elsewhere or are not significant. The date is relative to the Proleptic Gregorian Calendar. This can represent: * A full date, with non-zero year, month and day values * A month and day value, with a zero year, e.g. an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, e.g. a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # date

1313

"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0 if specifying a year by itself or a year and month where the day is not significant.

1314

"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without a year.

1315

"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a month and day.

1316

},

1317

"stringValue": "A String", # string

Bu Sun Kim

2020-07-22 17:02:09 -0700

[diff] [blame]

1318

},

1319

"operator": "A String", # Required. Operator used to compare the field or infoType to the value.

1320

},

1321

],

1322

},

Dmitry Frenkel

2020-10-06 16:46:05 -0700

[diff] [blame^]

1323

"logicalOperator": "A String", # The operator to apply to the result of conditions. Default and currently only supported value is `AND`.

Bu Sun Kim

2020-07-22 17:02:09 -0700

[diff] [blame]

1324

},

1325

},

Dmitry Frenkel

2020-10-06 16:46:05 -0700

[diff] [blame^]

1326

"infoTypeTransformations": { # A type of transformation that will scan unstructured text and apply various `PrimitiveTransformation`s to each finding, where the transformation is applied to only values that were identified as a specific info_type. # Treat the contents of the field as free text, and selectively transform content that matches an `InfoType`.

1327

"transformations": [ # Required. Transformation for each infoType. Cannot specify more than one for a given infoType.

1328

{ # A transformation to apply to text that is identified as a specific info_type.

1329

"primitiveTransformation": { # A rule for transforming a value. # Required. Primitive transformation to apply to the infoType.

1330

"redactConfig": { # Redact a given value. For example, if used with an `InfoTypeTransformation` transforming PHONE_NUMBER, and input 'My phone number is 206-555-0123', the output would be 'My phone number is '. # Redact

1331

},

1332

"characterMaskConfig": { # Partially mask a string by replacing a given number of characters with a fixed character. Masking can start from the beginning or end of the string. This can be used on data of any type (numbers, longs, and so on) and when de-identifying structured data we'll attempt to preserve the original data's type. (This allows you to take a long like 123 and modify it to a string like **3. # Mask

1333

"numberToMask": 42, # Number of characters to mask. If not set, all matching chars will be masked. Skipped characters do not count towards this tally.

1334

"charactersToIgnore": [ # When masking a string, items in this list will be skipped when replacing characters. For example, if the input string is `555-555-5555` and you instruct Cloud DLP to skip `-` and mask 5 characters with `*`, Cloud DLP returns `***-**5-5555`.

1335

{ # Characters to skip when doing deidentification of a value. These will be left alone and skipped.

1336

"charactersToSkip": "A String", # Characters to not transform when masking.

1337

"commonCharactersToIgnore": "A String", # Common characters to not transform when masking. Useful to avoid removing punctuation.

1338

},

1339

],

1340

"reverseOrder": True or False, # Mask characters in reverse order. For example, if `masking_character` is `0`, `number_to_mask` is `14`, and `reverse_order` is `false`, then the input string `1234-5678-9012-3456` is masked as `00000000000000-3456`. If `masking_character` is `*`, `number_to_mask` is `3`, and `reverse_order` is `true`, then the string `12345` is masked as `12***`.

1341

"maskingCharacter": "A String", # Character to use to mask the sensitive values—for example, `*` for an alphabetic string such as a name, or `0` for a numeric string such as ZIP code or credit card number. This string must have a length of 1. If not supplied, this value defaults to `*` for strings, and `0` for digits.

1342

},

1343

"dateShiftConfig": { # Shifts dates by random number of days, with option to be consistent for the same context. See https://cloud.google.com/dlp/docs/concepts-date-shifting to learn more. # Date Shift

1344

"lowerBoundDays": 42, # Required. For example, -5 means shift date to at most 5 days back in the past.

1345

"upperBoundDays": 42, # Required. Range of shift in days. Actual shift will be selected at random within this range (inclusive ends). Negative means shift to earlier in time. Must not be more than 365250 days (1000 years) each direction. For example, 3 means shift date to at most 3 days into the future.

1346

"cryptoKey": { # This is a data encryption key (DEK) (as opposed to a key encryption key (KEK) stored by KMS). When using KMS to wrap/unwrap DEKs, be sure to set an appropriate IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot unwrap the data crypto key. # Causes the shift to be computed based on this key and the context. This results in the same shift for the same context and crypto_key. If set, must also set context. Can only be applied to table items.

1347

"unwrapped": { # Using raw keys is prone to security risks due to accidentally leaking the key. Choose another type of key if possible. # Unwrapped crypto key

1348

"key": "A String", # Required. A 128/192/256 bit key.

1349

},

1350

"transient": { # Use this to have a random data crypto key generated. It will be discarded after the request finishes. # Transient crypto key

1351

"name": "A String", # Required. Name of the key. This is an arbitrary string used to differentiate different keys. A unique key is generated per name: two separate `TransientCryptoKey` protos share the same generated key if their names are the same. When the data crypto key is generated, this name is not used in any way (repeating the api call will result in a different key being generated).

1352

},

1353

"kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. The wrapped key must be a 128/192/256 bit key. Authorization requires the following IAM permissions when sending a request to perform a crypto transformation using a kms-wrapped crypto key: dlp.kms.encrypt # Kms wrapped key

1354

"cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.

1355

"wrappedKey": "A String", # Required. The wrapped data crypto key.

1356

},

1357

},

1358

"context": { # General identifier of a data field in a storage service. # Points to the field that contains the context, for example, an entity id. If set, must also set cryptoKey. If set, shift will be consistent for the given context.

1359

"name": "A String", # Name describing the field.

1360

},

1361

},

1362

"cryptoDeterministicConfig": { # Pseudonymization method that generates deterministic encryption for the given input. Outputs a base64 encoded representation of the encrypted output. Uses AES-SIV based on the RFC https://tools.ietf.org/html/rfc5297. # Deterministic Crypto

1363

"surrogateInfoType": { # Type of information detected by the API. # The custom info type to annotate the surrogate with. This annotation will be applied to the surrogate by prefixing it with the name of the custom info type followed by the number of characters comprising the surrogate. The following scheme defines the format: {info type name}({surrogate character count}):{surrogate} For example, if the name of custom info type is 'MY_TOKEN_INFO_TYPE' and the surrogate is 'abc', the full replacement value will be: 'MY_TOKEN_INFO_TYPE(3):abc' This annotation identifies the surrogate when inspecting content using the custom info type 'Surrogate'. This facilitates reversal of the surrogate when it occurs in free text. Note: For record transformations where the entire cell in a table is being transformed, surrogates are not mandatory. Surrogates are used to denote the location of the token and are necessary for re-identification in free form text. In order for inspection to work properly, the name of this info type must not occur naturally anywhere in your data; otherwise, inspection may either - reverse a surrogate that does not correspond to an actual identifier - be unable to parse the surrogate and result in an error Therefore, choose your custom info type name carefully after considering what your data looks like. One way to select a name that has a high chance of yielding reliable detection is to include one or more unicode characters that are highly improbable to exist in your data. For example, assuming your data is entered from a regular ASCII keyboard, the symbol with the hex code point 29DD might be used like so: ⧝MY_TOKEN_TYPE.

1364

"name": "A String", # Name of the information type. Either a name of your choosing when creating a CustomInfoType, or one of the names listed at https://cloud.google.com/dlp/docs/infotypes-reference when specifying a built-in type. When sending Cloud DLP results to Data Catalog, infoType names should conform to the pattern `[A-Za-z0-9$-_]{1,64}`.

1365

},

1366

"context": { # General identifier of a data field in a storage service. # A context may be used for higher security and maintaining referential integrity such that the same identifier in two different contexts will be given a distinct surrogate. The context is appended to plaintext value being encrypted. On decryption the provided context is validated against the value used during encryption. If a context was provided during encryption, same context must be provided during decryption as well. If the context is not set, plaintext would be used as is for encryption. If the context is set but: 1. there is no record present when transforming a given value or 2. the field is not present when transforming a given value, plaintext would be used as is for encryption. Note that case (1) is expected when an `InfoTypeTransformation` is applied to both structured and non-structured `ContentItem`s.

1367

"name": "A String", # Name describing the field.

1368

},

1369

"cryptoKey": { # This is a data encryption key (DEK) (as opposed to a key encryption key (KEK) stored by KMS). When using KMS to wrap/unwrap DEKs, be sure to set an appropriate IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot unwrap the data crypto key. # The key used by the encryption function.

1370

"unwrapped": { # Using raw keys is prone to security risks due to accidentally leaking the key. Choose another type of key if possible. # Unwrapped crypto key

1371

"key": "A String", # Required. A 128/192/256 bit key.

1372

},

1373

"transient": { # Use this to have a random data crypto key generated. It will be discarded after the request finishes. # Transient crypto key

1374

"name": "A String", # Required. Name of the key. This is an arbitrary string used to differentiate different keys. A unique key is generated per name: two separate `TransientCryptoKey` protos share the same generated key if their names are the same. When the data crypto key is generated, this name is not used in any way (repeating the api call will result in a different key being generated).

1375

},

1376

"kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. The wrapped key must be a 128/192/256 bit key. Authorization requires the following IAM permissions when sending a request to perform a crypto transformation using a kms-wrapped crypto key: dlp.kms.encrypt # Kms wrapped key

1377

"cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.

1378

"wrappedKey": "A String", # Required. The wrapped data crypto key.

},

},

},

"replaceConfig": { # Replace each input value with a given `Value`. # Replace

1383

"newValue": { # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a 'Value' is based on its representation as a UTF-8 encoded string. For example, if 'integer_value' is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data. # Value to replace it with.

1384

"floatValue": 3.14, # float

1385

"integerValue": "A String", # integer

1386

"booleanValue": True or False, # boolean

1387

"timestampValue": "A String", # timestamp

1388

"dayOfWeekValue": "A String", # day of week

1389

"timeValue": { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # time of day

1390

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

1391

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds.

1392

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

1393

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value "24:00:00" for scenarios like business closing time.

1394

},

1395

"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day and time zone are either specified elsewhere or are not significant. The date is relative to the Proleptic Gregorian Calendar. This can represent: * A full date, with non-zero year, month and day values * A month and day value, with a zero year, e.g. an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, e.g. a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # date

1396

"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0 if specifying a year by itself or a year and month where the day is not significant.

1397

"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without a year.

1398

"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a month and day.

1399

},

1400

"stringValue": "A String", # string

1401

},

1402

},

1403

"cryptoReplaceFfxFpeConfig": { # Replaces an identifier with a surrogate using Format Preserving Encryption (FPE) with the FFX mode of operation; however when used in the `ReidentifyContent` API method, it serves the opposite function by reversing the surrogate back into the original identifier. The identifier must be encoded as ASCII. For a given crypto key and context, the same identifier will be replaced with the same surrogate. Identifiers must be at least two characters long. In the case that the identifier is the empty string, it will be skipped. See https://cloud.google.com/dlp/docs/pseudonymization to learn more. Note: We recommend using CryptoDeterministicConfig for all use cases which do not require preserving the input alphabet space and size, plus warrant referential integrity. # Ffx-Fpe

1404

"surrogateInfoType": { # Type of information detected by the API. # The custom infoType to annotate the surrogate with. This annotation will be applied to the surrogate by prefixing it with the name of the custom infoType followed by the number of characters comprising the surrogate. The following scheme defines the format: info_type_name(surrogate_character_count):surrogate For example, if the name of custom infoType is 'MY_TOKEN_INFO_TYPE' and the surrogate is 'abc', the full replacement value will be: 'MY_TOKEN_INFO_TYPE(3):abc' This annotation identifies the surrogate when inspecting content using the custom infoType [`SurrogateType`](https://cloud.google.com/dlp/docs/reference/rest/v2/InspectConfig#surrogatetype). This facilitates reversal of the surrogate when it occurs in free text. In order for inspection to work properly, the name of this infoType must not occur naturally anywhere in your data; otherwise, inspection may find a surrogate that does not correspond to an actual identifier. Therefore, choose your custom infoType name carefully after considering what your data looks like. One way to select a name that has a high chance of yielding reliable detection is to include one or more unicode characters that are highly improbable to exist in your data. For example, assuming your data is entered from a regular ASCII keyboard, the symbol with the hex code point 29DD might be used like so: ⧝MY_TOKEN_TYPE

1405

"name": "A String", # Name of the information type. Either a name of your choosing when creating a CustomInfoType, or one of the names listed at https://cloud.google.com/dlp/docs/infotypes-reference when specifying a built-in type. When sending Cloud DLP results to Data Catalog, infoType names should conform to the pattern `[A-Za-z0-9$-_]{1,64}`.

1406

},

1407

"context": { # General identifier of a data field in a storage service. # The 'tweak', a context may be used for higher security since the same identifier in two different contexts won't be given the same surrogate. If the context is not set, a default tweak will be used. If the context is set but: 1. there is no record present when transforming a given value or 1. the field is not present when transforming a given value, a default tweak will be used. Note that case (1) is expected when an `InfoTypeTransformation` is applied to both structured and non-structured `ContentItem`s. Currently, the referenced field may be of value type integer or string. The tweak is constructed as a sequence of bytes in big endian byte order such that: - a 64 bit integer is encoded followed by a single byte of value 1 - a string is encoded in UTF-8 format followed by a single byte of value 2

1408

"name": "A String", # Name describing the field.

1409

},

1410

"customAlphabet": "A String", # This is supported by mapping these to the alphanumeric characters that the FFX mode natively supports. This happens before/after encryption/decryption. Each character listed must appear only once. Number of characters must be in the range [2, 95]. This must be encoded as ASCII. The order of characters does not matter. The full list of allowed characters is: 0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz ~`!@#$%^&*()_-+={[}]|\:;"'<,>.?/

1411

"commonAlphabet": "A String", # Common alphabets.

1412

"cryptoKey": { # This is a data encryption key (DEK) (as opposed to a key encryption key (KEK) stored by KMS). When using KMS to wrap/unwrap DEKs, be sure to set an appropriate IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot unwrap the data crypto key. # Required. The key used by the encryption algorithm.

1413

"unwrapped": { # Using raw keys is prone to security risks due to accidentally leaking the key. Choose another type of key if possible. # Unwrapped crypto key

1414

"key": "A String", # Required. A 128/192/256 bit key.

1415

},

1416

"transient": { # Use this to have a random data crypto key generated. It will be discarded after the request finishes. # Transient crypto key

1417

"name": "A String", # Required. Name of the key. This is an arbitrary string used to differentiate different keys. A unique key is generated per name: two separate `TransientCryptoKey` protos share the same generated key if their names are the same. When the data crypto key is generated, this name is not used in any way (repeating the api call will result in a different key being generated).

1418

},

1419

"kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. The wrapped key must be a 128/192/256 bit key. Authorization requires the following IAM permissions when sending a request to perform a crypto transformation using a kms-wrapped crypto key: dlp.kms.encrypt # Kms wrapped key

1420

"cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.

1421

"wrappedKey": "A String", # Required. The wrapped data crypto key.

1422

},

1423

},

1424

"radix": 42, # The native way to select the alphabet. Must be in the range [2, 95].

1425

},

1426

"cryptoHashConfig": { # Pseudonymization method that generates surrogates via cryptographic hashing. Uses SHA-256. The key size must be either 32 or 64 bytes. Outputs a base64 encoded representation of the hashed output (for example, L7k0BHmF1ha5U3NfGykjro4xWi1MPVQPjhMAZbSV9mM=). Currently, only string and integer values can be hashed. See https://cloud.google.com/dlp/docs/pseudonymization to learn more. # Crypto

1427

"cryptoKey": { # This is a data encryption key (DEK) (as opposed to a key encryption key (KEK) stored by KMS). When using KMS to wrap/unwrap DEKs, be sure to set an appropriate IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot unwrap the data crypto key. # The key used by the hash function.

1428

"unwrapped": { # Using raw keys is prone to security risks due to accidentally leaking the key. Choose another type of key if possible. # Unwrapped crypto key

1429

"key": "A String", # Required. A 128/192/256 bit key.

1430

},

1431

"transient": { # Use this to have a random data crypto key generated. It will be discarded after the request finishes. # Transient crypto key

1432

"name": "A String", # Required. Name of the key. This is an arbitrary string used to differentiate different keys. A unique key is generated per name: two separate `TransientCryptoKey` protos share the same generated key if their names are the same. When the data crypto key is generated, this name is not used in any way (repeating the api call will result in a different key being generated).

1433

},

1434

"kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. The wrapped key must be a 128/192/256 bit key. Authorization requires the following IAM permissions when sending a request to perform a crypto transformation using a kms-wrapped crypto key: dlp.kms.encrypt # Kms wrapped key

1435

"cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.

1436

"wrappedKey": "A String", # Required. The wrapped data crypto key.

},

},

},

"bucketingConfig": { # Generalization function that buckets values based on ranges. The ranges and replacement values are dynamically provided by the user for custom behavior, such as 1-30 -> LOW 31-65 -> MEDIUM 66-100 -> HIGH This can be used on data of type: number, long, string, timestamp. If the bound `Value` type differs from the type of data being transformed, we will first attempt converting the type of the data to be transformed to match the type of the bound before comparing. See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more. # Bucketing

1441

"buckets": [ # Set of buckets. Ranges must be non-overlapping.

1442

{ # Bucket is represented as a range, along with replacement values.

1443

"max": { # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a 'Value' is based on its representation as a UTF-8 encoded string. For example, if 'integer_value' is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data. # Upper bound of the range, exclusive; type must match min.

1444

"floatValue": 3.14, # float

1445

"integerValue": "A String", # integer

1446

"booleanValue": True or False, # boolean

1447

"timestampValue": "A String", # timestamp

1448

"dayOfWeekValue": "A String", # day of week

1449

"timeValue": { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # time of day

1450

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

1451

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds.

1452

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

1453

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value "24:00:00" for scenarios like business closing time.

1454

},

1455

"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day and time zone are either specified elsewhere or are not significant. The date is relative to the Proleptic Gregorian Calendar. This can represent: * A full date, with non-zero year, month and day values * A month and day value, with a zero year, e.g. an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, e.g. a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # date

1456

"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0 if specifying a year by itself or a year and month where the day is not significant.

1457

"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without a year.

1458

"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a month and day.

1459

},

1460

"stringValue": "A String", # string

1461

},

1462

"min": { # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a 'Value' is based on its representation as a UTF-8 encoded string. For example, if 'integer_value' is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data. # Lower bound of the range, inclusive. Type should be the same as max if used.

1463

"floatValue": 3.14, # float

1464

"integerValue": "A String", # integer

1465

"booleanValue": True or False, # boolean

1466

"timestampValue": "A String", # timestamp

1467

"dayOfWeekValue": "A String", # day of week

1468

"timeValue": { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # time of day

1469

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

1470

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds.

1471

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

1472

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value "24:00:00" for scenarios like business closing time.

1473

},

1474

"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day and time zone are either specified elsewhere or are not significant. The date is relative to the Proleptic Gregorian Calendar. This can represent: * A full date, with non-zero year, month and day values * A month and day value, with a zero year, e.g. an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, e.g. a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # date

1475

"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0 if specifying a year by itself or a year and month where the day is not significant.

1476

"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without a year.

1477

"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a month and day.

1478

},

1479

"stringValue": "A String", # string

1480

},

1481

"replacementValue": { # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a 'Value' is based on its representation as a UTF-8 encoded string. For example, if 'integer_value' is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data. # Required. Replacement value for this bucket.

1482

"floatValue": 3.14, # float

1483

"integerValue": "A String", # integer

1484

"booleanValue": True or False, # boolean

1485

"timestampValue": "A String", # timestamp

1486

"dayOfWeekValue": "A String", # day of week

1487

"timeValue": { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # time of day

1488

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

1489

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds.

1490

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

1491

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value "24:00:00" for scenarios like business closing time.

1492

},

1493

"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day and time zone are either specified elsewhere or are not significant. The date is relative to the Proleptic Gregorian Calendar. This can represent: * A full date, with non-zero year, month and day values * A month and day value, with a zero year, e.g. an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, e.g. a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # date

1494

"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0 if specifying a year by itself or a year and month where the day is not significant.

1495

"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without a year.

1496

"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a month and day.

1497

},

1498

"stringValue": "A String", # string

},

},

],

},

"replaceWithInfoTypeConfig": { # Replace each matching finding with the name of the info_type. # Replace with infotype

1504

},

1505

"timePartConfig": { # For use with `Date`, `Timestamp`, and `TimeOfDay`, extract or preserve a portion of the value. # Time extraction

1506

"partToExtract": "A String", # The part of the time to keep.

1507

},

1508

"fixedSizeBucketingConfig": { # Buckets values based on fixed size ranges. The Bucketing transformation can provide all of this functionality, but requires more configuration. This message is provided as a convenience to the user for simple bucketing strategies. The transformed value will be a hyphenated string of {lower_bound}-{upper_bound}, i.e if lower_bound = 10 and upper_bound = 20 all values that are within this bucket will be replaced with "10-20". This can be used on data of type: double, long. If the bound Value type differs from the type of data being transformed, we will first attempt converting the type of the data to be transformed to match the type of the bound before comparing. See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more. # Fixed size bucketing

1509

"bucketSize": 3.14, # Required. Size of each bucket (except for minimum and maximum buckets). So if `lower_bound` = 10, `upper_bound` = 89, and `bucket_size` = 10, then the following buckets would be used: -10, 10-20, 20-30, 30-40, 40-50, 50-60, 60-70, 70-80, 80-89, 89+. Precision up to 2 decimals works.

1510

"lowerBound": { # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a 'Value' is based on its representation as a UTF-8 encoded string. For example, if 'integer_value' is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data. # Required. Lower bound value of buckets. All values less than `lower_bound` are grouped together into a single bucket; for example if `lower_bound` = 10, then all values less than 10 are replaced with the value "-10".

1511

"floatValue": 3.14, # float

1512

"integerValue": "A String", # integer

1513

"booleanValue": True or False, # boolean

1514

"timestampValue": "A String", # timestamp

1515

"dayOfWeekValue": "A String", # day of week

1516

"timeValue": { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # time of day

1517

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

1518

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds.

1519

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

1520

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value "24:00:00" for scenarios like business closing time.

1521

},

1522

"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day and time zone are either specified elsewhere or are not significant. The date is relative to the Proleptic Gregorian Calendar. This can represent: * A full date, with non-zero year, month and day values * A month and day value, with a zero year, e.g. an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, e.g. a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # date

1523

"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0 if specifying a year by itself or a year and month where the day is not significant.

1524

"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without a year.

1525

"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a month and day.

1526

},

1527

"stringValue": "A String", # string

1528

},

1529

"upperBound": { # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a 'Value' is based on its representation as a UTF-8 encoded string. For example, if 'integer_value' is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data. # Required. Upper bound value of buckets. All values greater than upper_bound are grouped together into a single bucket; for example if `upper_bound` = 89, then all values greater than 89 are replaced with the value "89+".

1530

"floatValue": 3.14, # float

1531

"integerValue": "A String", # integer

1532

"booleanValue": True or False, # boolean

1533

"timestampValue": "A String", # timestamp

1534

"dayOfWeekValue": "A String", # day of week

1535

"timeValue": { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # time of day

1536

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

1537

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds.

1538

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

1539

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value "24:00:00" for scenarios like business closing time.

1540

},

1541

"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day and time zone are either specified elsewhere or are not significant. The date is relative to the Proleptic Gregorian Calendar. This can represent: * A full date, with non-zero year, month and day values * A month and day value, with a zero year, e.g. an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, e.g. a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # date

1542

"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0 if specifying a year by itself or a year and month where the day is not significant.

1543

"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without a year.

1544

"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a month and day.

1545

},

1546

"stringValue": "A String", # string

},

},

},

"infoTypes": [ # InfoTypes to apply the transformation to. An empty list will cause this transformation to apply to all findings that correspond to infoTypes that were requested in `InspectConfig`.

1551

{ # Type of information detected by the API.

1552

"name": "A String", # Name of the information type. Either a name of your choosing when creating a CustomInfoType, or one of the names listed at https://cloud.google.com/dlp/docs/infotypes-reference when specifying a built-in type. When sending Cloud DLP results to Data Catalog, infoType names should conform to the pattern `[A-Za-z0-9$-_]{1,64}`.

},

],

},

],

},

Bu Sun Kim

2020-07-22 17:02:09 -0700

[diff] [blame]

1558

"fields": [ # Required. Input field(s) to apply the transformation to.

1559

{ # General identifier of a data field in a storage service.

1560

"name": "A String", # Name describing the field.

},

],

},

],

Dmitry Frenkel

2020-10-06 16:46:05 -0700

[diff] [blame^]

1565

"recordSuppress": { # Configuration to suppress records whose suppression conditions evaluate to true. # The specific suppression option these stats apply to.

1566

"condition": { # A condition for determining whether a transformation should be applied to a field. # A condition that when it evaluates to true will result in the record being evaluated to be suppressed from the transformed content.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

1567

"expressions": { # An expression, consisting or an operator and conditions. # An expression.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

1568

"conditions": { # A collection of conditions. # Conditions to apply to the expression.

1569

"conditions": [ # A collection of conditions.

Dmitry Frenkel

2020-10-06 16:46:05 -0700

[diff] [blame^]

1570

{ # The field type of `value` and `field` do not need to match to be considered equal, but not all comparisons are possible. EQUAL_TO and NOT_EQUAL_TO attempt to compare even with incompatible types, but all other comparisons are invalid with incompatible types. A `value` of type: - `string` can be compared against all other types - `boolean` can only be compared against other booleans - `integer` can be compared against doubles or a string if the string value can be parsed as an integer. - `double` can be compared against integers or a string if the string can be parsed as a double. - `Timestamp` can be compared against strings in RFC 3339 date string format. - `TimeOfDay` can be compared against timestamps and strings in the format of 'HH:mm:ss'. If we fail to compare do to type mismatch, a warning will be given and the condition will evaluate to false.

Bu Sun Kim

2020-07-22 17:02:09 -0700

[diff] [blame]

1571

"field": { # General identifier of a data field in a storage service. # Required. Field within the record this condition is evaluated against.

1572

"name": "A String", # Name describing the field.

1573

},

Dmitry Frenkel

2020-10-06 16:46:05 -0700

[diff] [blame^]

1574

"value": { # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a 'Value' is based on its representation as a UTF-8 encoded string. For example, if 'integer_value' is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data. # Value to compare against. [Mandatory, except for `EXISTS` tests.]

Bu Sun Kim

2020-07-22 17:02:09 -0700

[diff] [blame]

1575

"floatValue": 3.14, # float

Dmitry Frenkel

2020-10-06 16:46:05 -0700

[diff] [blame^]

1576

"integerValue": "A String", # integer

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

1577

"booleanValue": True or False, # boolean

Dmitry Frenkel

2020-10-06 16:46:05 -0700

[diff] [blame^]

1578

"timestampValue": "A String", # timestamp

1579

"dayOfWeekValue": "A String", # day of week

1580

"timeValue": { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # time of day

1581

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

1582

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds.

1583

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

1584

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value "24:00:00" for scenarios like business closing time.

1585

},

1586

"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day and time zone are either specified elsewhere or are not significant. The date is relative to the Proleptic Gregorian Calendar. This can represent: * A full date, with non-zero year, month and day values * A month and day value, with a zero year, e.g. an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, e.g. a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # date

1587

"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0 if specifying a year by itself or a year and month where the day is not significant.

1588

"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without a year.

1589

"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a month and day.

1590

},

1591

"stringValue": "A String", # string

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

1592

},

1593

"operator": "A String", # Required. Operator used to compare the field or infoType to the value.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

1594

},

1595

],

1596

},

Dmitry Frenkel

2020-10-06 16:46:05 -0700

[diff] [blame^]

1597

"logicalOperator": "A String", # The operator to apply to the result of conditions. Default and currently only supported value is `AND`.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

1598

},

1599

},

1600

},

Bu Sun Kim

2020-07-22 17:02:09 -0700

[diff] [blame]

1601

"transformedBytes": "A String", # Total size in bytes that were transformed in some way.

Dmitry Frenkel

2020-10-06 16:46:05 -0700

[diff] [blame^]

1602

"infoType": { # Type of information detected by the API. # Set if the transformation was limited to a specific InfoType.

1603

"name": "A String", # Name of the information type. Either a name of your choosing when creating a CustomInfoType, or one of the names listed at https://cloud.google.com/dlp/docs/infotypes-reference when specifying a built-in type. When sending Cloud DLP results to Data Catalog, infoType names should conform to the pattern `[A-Za-z0-9$-_]{1,64}`.

1604

},

1605

"transformation": { # A rule for transforming a value. # The specific transformation these stats apply to.

1606

"redactConfig": { # Redact a given value. For example, if used with an `InfoTypeTransformation` transforming PHONE_NUMBER, and input 'My phone number is 206-555-0123', the output would be 'My phone number is '. # Redact

1607

},

1608

"characterMaskConfig": { # Partially mask a string by replacing a given number of characters with a fixed character. Masking can start from the beginning or end of the string. This can be used on data of any type (numbers, longs, and so on) and when de-identifying structured data we'll attempt to preserve the original data's type. (This allows you to take a long like 123 and modify it to a string like **3. # Mask

1609

"numberToMask": 42, # Number of characters to mask. If not set, all matching chars will be masked. Skipped characters do not count towards this tally.

1610

"charactersToIgnore": [ # When masking a string, items in this list will be skipped when replacing characters. For example, if the input string is `555-555-5555` and you instruct Cloud DLP to skip `-` and mask 5 characters with `*`, Cloud DLP returns `***-**5-5555`.

1611

{ # Characters to skip when doing deidentification of a value. These will be left alone and skipped.

1612

"charactersToSkip": "A String", # Characters to not transform when masking.

1613

"commonCharactersToIgnore": "A String", # Common characters to not transform when masking. Useful to avoid removing punctuation.

1614

},

1615

],

1616

"reverseOrder": True or False, # Mask characters in reverse order. For example, if `masking_character` is `0`, `number_to_mask` is `14`, and `reverse_order` is `false`, then the input string `1234-5678-9012-3456` is masked as `00000000000000-3456`. If `masking_character` is `*`, `number_to_mask` is `3`, and `reverse_order` is `true`, then the string `12345` is masked as `12***`.

1617

"maskingCharacter": "A String", # Character to use to mask the sensitive values—for example, `*` for an alphabetic string such as a name, or `0` for a numeric string such as ZIP code or credit card number. This string must have a length of 1. If not supplied, this value defaults to `*` for strings, and `0` for digits.

1618

},

1619

"dateShiftConfig": { # Shifts dates by random number of days, with option to be consistent for the same context. See https://cloud.google.com/dlp/docs/concepts-date-shifting to learn more. # Date Shift

1620

"lowerBoundDays": 42, # Required. For example, -5 means shift date to at most 5 days back in the past.

1621

"upperBoundDays": 42, # Required. Range of shift in days. Actual shift will be selected at random within this range (inclusive ends). Negative means shift to earlier in time. Must not be more than 365250 days (1000 years) each direction. For example, 3 means shift date to at most 3 days into the future.

1622

"cryptoKey": { # This is a data encryption key (DEK) (as opposed to a key encryption key (KEK) stored by KMS). When using KMS to wrap/unwrap DEKs, be sure to set an appropriate IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot unwrap the data crypto key. # Causes the shift to be computed based on this key and the context. This results in the same shift for the same context and crypto_key. If set, must also set context. Can only be applied to table items.

1623

"unwrapped": { # Using raw keys is prone to security risks due to accidentally leaking the key. Choose another type of key if possible. # Unwrapped crypto key

1624

"key": "A String", # Required. A 128/192/256 bit key.

1625

},

1626

"transient": { # Use this to have a random data crypto key generated. It will be discarded after the request finishes. # Transient crypto key

1627

"name": "A String", # Required. Name of the key. This is an arbitrary string used to differentiate different keys. A unique key is generated per name: two separate `TransientCryptoKey` protos share the same generated key if their names are the same. When the data crypto key is generated, this name is not used in any way (repeating the api call will result in a different key being generated).

1628

},

1629

"kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. The wrapped key must be a 128/192/256 bit key. Authorization requires the following IAM permissions when sending a request to perform a crypto transformation using a kms-wrapped crypto key: dlp.kms.encrypt # Kms wrapped key

1630

"cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.

1631

"wrappedKey": "A String", # Required. The wrapped data crypto key.

1632

},

1633

},

1634

"context": { # General identifier of a data field in a storage service. # Points to the field that contains the context, for example, an entity id. If set, must also set cryptoKey. If set, shift will be consistent for the given context.

1635

"name": "A String", # Name describing the field.

1636

},

1637

},

1638

"cryptoDeterministicConfig": { # Pseudonymization method that generates deterministic encryption for the given input. Outputs a base64 encoded representation of the encrypted output. Uses AES-SIV based on the RFC https://tools.ietf.org/html/rfc5297. # Deterministic Crypto

1639

"surrogateInfoType": { # Type of information detected by the API. # The custom info type to annotate the surrogate with. This annotation will be applied to the surrogate by prefixing it with the name of the custom info type followed by the number of characters comprising the surrogate. The following scheme defines the format: {info type name}({surrogate character count}):{surrogate} For example, if the name of custom info type is 'MY_TOKEN_INFO_TYPE' and the surrogate is 'abc', the full replacement value will be: 'MY_TOKEN_INFO_TYPE(3):abc' This annotation identifies the surrogate when inspecting content using the custom info type 'Surrogate'. This facilitates reversal of the surrogate when it occurs in free text. Note: For record transformations where the entire cell in a table is being transformed, surrogates are not mandatory. Surrogates are used to denote the location of the token and are necessary for re-identification in free form text. In order for inspection to work properly, the name of this info type must not occur naturally anywhere in your data; otherwise, inspection may either - reverse a surrogate that does not correspond to an actual identifier - be unable to parse the surrogate and result in an error Therefore, choose your custom info type name carefully after considering what your data looks like. One way to select a name that has a high chance of yielding reliable detection is to include one or more unicode characters that are highly improbable to exist in your data. For example, assuming your data is entered from a regular ASCII keyboard, the symbol with the hex code point 29DD might be used like so: ⧝MY_TOKEN_TYPE.

1640

"name": "A String", # Name of the information type. Either a name of your choosing when creating a CustomInfoType, or one of the names listed at https://cloud.google.com/dlp/docs/infotypes-reference when specifying a built-in type. When sending Cloud DLP results to Data Catalog, infoType names should conform to the pattern `[A-Za-z0-9$-_]{1,64}`.

1641

},

1642

"context": { # General identifier of a data field in a storage service. # A context may be used for higher security and maintaining referential integrity such that the same identifier in two different contexts will be given a distinct surrogate. The context is appended to plaintext value being encrypted. On decryption the provided context is validated against the value used during encryption. If a context was provided during encryption, same context must be provided during decryption as well. If the context is not set, plaintext would be used as is for encryption. If the context is set but: 1. there is no record present when transforming a given value or 2. the field is not present when transforming a given value, plaintext would be used as is for encryption. Note that case (1) is expected when an `InfoTypeTransformation` is applied to both structured and non-structured `ContentItem`s.

1643

"name": "A String", # Name describing the field.

1644

},

1645

"cryptoKey": { # This is a data encryption key (DEK) (as opposed to a key encryption key (KEK) stored by KMS). When using KMS to wrap/unwrap DEKs, be sure to set an appropriate IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot unwrap the data crypto key. # The key used by the encryption function.

1646

"unwrapped": { # Using raw keys is prone to security risks due to accidentally leaking the key. Choose another type of key if possible. # Unwrapped crypto key

1647

"key": "A String", # Required. A 128/192/256 bit key.

1648

},

1649

"transient": { # Use this to have a random data crypto key generated. It will be discarded after the request finishes. # Transient crypto key

1650

"name": "A String", # Required. Name of the key. This is an arbitrary string used to differentiate different keys. A unique key is generated per name: two separate `TransientCryptoKey` protos share the same generated key if their names are the same. When the data crypto key is generated, this name is not used in any way (repeating the api call will result in a different key being generated).

1651

},

1652

"kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. The wrapped key must be a 128/192/256 bit key. Authorization requires the following IAM permissions when sending a request to perform a crypto transformation using a kms-wrapped crypto key: dlp.kms.encrypt # Kms wrapped key

1653

"cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.

1654

"wrappedKey": "A String", # Required. The wrapped data crypto key.

},

},

},

"replaceConfig": { # Replace each input value with a given `Value`. # Replace

1659

"newValue": { # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a 'Value' is based on its representation as a UTF-8 encoded string. For example, if 'integer_value' is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data. # Value to replace it with.

1660

"floatValue": 3.14, # float

1661

"integerValue": "A String", # integer

1662

"booleanValue": True or False, # boolean

1663

"timestampValue": "A String", # timestamp

1664

"dayOfWeekValue": "A String", # day of week

1665

"timeValue": { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # time of day

1666

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

1667

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds.

1668

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

1669

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value "24:00:00" for scenarios like business closing time.

1670

},

1671

"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day and time zone are either specified elsewhere or are not significant. The date is relative to the Proleptic Gregorian Calendar. This can represent: * A full date, with non-zero year, month and day values * A month and day value, with a zero year, e.g. an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, e.g. a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # date

1672

"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0 if specifying a year by itself or a year and month where the day is not significant.

1673

"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without a year.

1674

"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a month and day.

1675

},

1676

"stringValue": "A String", # string

1677

},

1678

},

1679

"cryptoReplaceFfxFpeConfig": { # Replaces an identifier with a surrogate using Format Preserving Encryption (FPE) with the FFX mode of operation; however when used in the `ReidentifyContent` API method, it serves the opposite function by reversing the surrogate back into the original identifier. The identifier must be encoded as ASCII. For a given crypto key and context, the same identifier will be replaced with the same surrogate. Identifiers must be at least two characters long. In the case that the identifier is the empty string, it will be skipped. See https://cloud.google.com/dlp/docs/pseudonymization to learn more. Note: We recommend using CryptoDeterministicConfig for all use cases which do not require preserving the input alphabet space and size, plus warrant referential integrity. # Ffx-Fpe

1680

"surrogateInfoType": { # Type of information detected by the API. # The custom infoType to annotate the surrogate with. This annotation will be applied to the surrogate by prefixing it with the name of the custom infoType followed by the number of characters comprising the surrogate. The following scheme defines the format: info_type_name(surrogate_character_count):surrogate For example, if the name of custom infoType is 'MY_TOKEN_INFO_TYPE' and the surrogate is 'abc', the full replacement value will be: 'MY_TOKEN_INFO_TYPE(3):abc' This annotation identifies the surrogate when inspecting content using the custom infoType [`SurrogateType`](https://cloud.google.com/dlp/docs/reference/rest/v2/InspectConfig#surrogatetype). This facilitates reversal of the surrogate when it occurs in free text. In order for inspection to work properly, the name of this infoType must not occur naturally anywhere in your data; otherwise, inspection may find a surrogate that does not correspond to an actual identifier. Therefore, choose your custom infoType name carefully after considering what your data looks like. One way to select a name that has a high chance of yielding reliable detection is to include one or more unicode characters that are highly improbable to exist in your data. For example, assuming your data is entered from a regular ASCII keyboard, the symbol with the hex code point 29DD might be used like so: ⧝MY_TOKEN_TYPE

1681

"name": "A String", # Name of the information type. Either a name of your choosing when creating a CustomInfoType, or one of the names listed at https://cloud.google.com/dlp/docs/infotypes-reference when specifying a built-in type. When sending Cloud DLP results to Data Catalog, infoType names should conform to the pattern `[A-Za-z0-9$-_]{1,64}`.

1682

},

1683

"context": { # General identifier of a data field in a storage service. # The 'tweak', a context may be used for higher security since the same identifier in two different contexts won't be given the same surrogate. If the context is not set, a default tweak will be used. If the context is set but: 1. there is no record present when transforming a given value or 1. the field is not present when transforming a given value, a default tweak will be used. Note that case (1) is expected when an `InfoTypeTransformation` is applied to both structured and non-structured `ContentItem`s. Currently, the referenced field may be of value type integer or string. The tweak is constructed as a sequence of bytes in big endian byte order such that: - a 64 bit integer is encoded followed by a single byte of value 1 - a string is encoded in UTF-8 format followed by a single byte of value 2

1684

"name": "A String", # Name describing the field.

1685

},

1686

"customAlphabet": "A String", # This is supported by mapping these to the alphanumeric characters that the FFX mode natively supports. This happens before/after encryption/decryption. Each character listed must appear only once. Number of characters must be in the range [2, 95]. This must be encoded as ASCII. The order of characters does not matter. The full list of allowed characters is: 0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz ~`!@#$%^&*()_-+={[}]|\:;"'<,>.?/

1687

"commonAlphabet": "A String", # Common alphabets.

1688

"cryptoKey": { # This is a data encryption key (DEK) (as opposed to a key encryption key (KEK) stored by KMS). When using KMS to wrap/unwrap DEKs, be sure to set an appropriate IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot unwrap the data crypto key. # Required. The key used by the encryption algorithm.

1689

"unwrapped": { # Using raw keys is prone to security risks due to accidentally leaking the key. Choose another type of key if possible. # Unwrapped crypto key

1690

"key": "A String", # Required. A 128/192/256 bit key.

1691

},

1692

"transient": { # Use this to have a random data crypto key generated. It will be discarded after the request finishes. # Transient crypto key

1693

"name": "A String", # Required. Name of the key. This is an arbitrary string used to differentiate different keys. A unique key is generated per name: two separate `TransientCryptoKey` protos share the same generated key if their names are the same. When the data crypto key is generated, this name is not used in any way (repeating the api call will result in a different key being generated).

1694

},

1695

"kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. The wrapped key must be a 128/192/256 bit key. Authorization requires the following IAM permissions when sending a request to perform a crypto transformation using a kms-wrapped crypto key: dlp.kms.encrypt # Kms wrapped key

1696

"cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.

1697

"wrappedKey": "A String", # Required. The wrapped data crypto key.

1698

},

1699

},

1700

"radix": 42, # The native way to select the alphabet. Must be in the range [2, 95].

1701

},

1702

"cryptoHashConfig": { # Pseudonymization method that generates surrogates via cryptographic hashing. Uses SHA-256. The key size must be either 32 or 64 bytes. Outputs a base64 encoded representation of the hashed output (for example, L7k0BHmF1ha5U3NfGykjro4xWi1MPVQPjhMAZbSV9mM=). Currently, only string and integer values can be hashed. See https://cloud.google.com/dlp/docs/pseudonymization to learn more. # Crypto

1703

"cryptoKey": { # This is a data encryption key (DEK) (as opposed to a key encryption key (KEK) stored by KMS). When using KMS to wrap/unwrap DEKs, be sure to set an appropriate IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot unwrap the data crypto key. # The key used by the hash function.

1704

"unwrapped": { # Using raw keys is prone to security risks due to accidentally leaking the key. Choose another type of key if possible. # Unwrapped crypto key

1705

"key": "A String", # Required. A 128/192/256 bit key.

1706

},

1707

"transient": { # Use this to have a random data crypto key generated. It will be discarded after the request finishes. # Transient crypto key

1708

"name": "A String", # Required. Name of the key. This is an arbitrary string used to differentiate different keys. A unique key is generated per name: two separate `TransientCryptoKey` protos share the same generated key if their names are the same. When the data crypto key is generated, this name is not used in any way (repeating the api call will result in a different key being generated).

1709

},

1710

"kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. The wrapped key must be a 128/192/256 bit key. Authorization requires the following IAM permissions when sending a request to perform a crypto transformation using a kms-wrapped crypto key: dlp.kms.encrypt # Kms wrapped key

1711

"cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.

1712

"wrappedKey": "A String", # Required. The wrapped data crypto key.

},

},

},

"bucketingConfig": { # Generalization function that buckets values based on ranges. The ranges and replacement values are dynamically provided by the user for custom behavior, such as 1-30 -> LOW 31-65 -> MEDIUM 66-100 -> HIGH This can be used on data of type: number, long, string, timestamp. If the bound `Value` type differs from the type of data being transformed, we will first attempt converting the type of the data to be transformed to match the type of the bound before comparing. See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more. # Bucketing

1717

"buckets": [ # Set of buckets. Ranges must be non-overlapping.

1718

{ # Bucket is represented as a range, along with replacement values.

1719

"max": { # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a 'Value' is based on its representation as a UTF-8 encoded string. For example, if 'integer_value' is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data. # Upper bound of the range, exclusive; type must match min.

1720

"floatValue": 3.14, # float

1721

"integerValue": "A String", # integer

1722

"booleanValue": True or False, # boolean

1723

"timestampValue": "A String", # timestamp

1724

"dayOfWeekValue": "A String", # day of week

1725

"timeValue": { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # time of day

1726

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

1727

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds.

1728

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

1729

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value "24:00:00" for scenarios like business closing time.

1730

},

1731

"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day and time zone are either specified elsewhere or are not significant. The date is relative to the Proleptic Gregorian Calendar. This can represent: * A full date, with non-zero year, month and day values * A month and day value, with a zero year, e.g. an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, e.g. a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # date

1732

"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0 if specifying a year by itself or a year and month where the day is not significant.

1733

"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without a year.

1734

"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a month and day.

1735

},

1736

"stringValue": "A String", # string

1737

},

1738

"min": { # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a 'Value' is based on its representation as a UTF-8 encoded string. For example, if 'integer_value' is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data. # Lower bound of the range, inclusive. Type should be the same as max if used.

1739

"floatValue": 3.14, # float

1740

"integerValue": "A String", # integer

1741

"booleanValue": True or False, # boolean

1742

"timestampValue": "A String", # timestamp

1743

"dayOfWeekValue": "A String", # day of week

1744

"timeValue": { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # time of day

1745

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

1746

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds.

1747

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

1748

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value "24:00:00" for scenarios like business closing time.

1749

},

1750

"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day and time zone are either specified elsewhere or are not significant. The date is relative to the Proleptic Gregorian Calendar. This can represent: * A full date, with non-zero year, month and day values * A month and day value, with a zero year, e.g. an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, e.g. a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # date

1751

"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0 if specifying a year by itself or a year and month where the day is not significant.

1752

"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without a year.

1753

"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a month and day.

1754

},

1755

"stringValue": "A String", # string

1756

},

1757

"replacementValue": { # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a 'Value' is based on its representation as a UTF-8 encoded string. For example, if 'integer_value' is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data. # Required. Replacement value for this bucket.

1758

"floatValue": 3.14, # float

1759

"integerValue": "A String", # integer

1760

"booleanValue": True or False, # boolean

1761

"timestampValue": "A String", # timestamp

1762

"dayOfWeekValue": "A String", # day of week

1763

"timeValue": { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # time of day

1764

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

1765

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds.

1766

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

1767

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value "24:00:00" for scenarios like business closing time.

1768

},

1769

"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day and time zone are either specified elsewhere or are not significant. The date is relative to the Proleptic Gregorian Calendar. This can represent: * A full date, with non-zero year, month and day values * A month and day value, with a zero year, e.g. an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, e.g. a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # date

1770

"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0 if specifying a year by itself or a year and month where the day is not significant.

1771

"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without a year.

1772

"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a month and day.

1773

},

1774

"stringValue": "A String", # string

},

},

],

},

"replaceWithInfoTypeConfig": { # Replace each matching finding with the name of the info_type. # Replace with infotype

1780

},

1781

"timePartConfig": { # For use with `Date`, `Timestamp`, and `TimeOfDay`, extract or preserve a portion of the value. # Time extraction

1782

"partToExtract": "A String", # The part of the time to keep.

1783

},

1784

"fixedSizeBucketingConfig": { # Buckets values based on fixed size ranges. The Bucketing transformation can provide all of this functionality, but requires more configuration. This message is provided as a convenience to the user for simple bucketing strategies. The transformed value will be a hyphenated string of {lower_bound}-{upper_bound}, i.e if lower_bound = 10 and upper_bound = 20 all values that are within this bucket will be replaced with "10-20". This can be used on data of type: double, long. If the bound Value type differs from the type of data being transformed, we will first attempt converting the type of the data to be transformed to match the type of the bound before comparing. See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more. # Fixed size bucketing

1785

"bucketSize": 3.14, # Required. Size of each bucket (except for minimum and maximum buckets). So if `lower_bound` = 10, `upper_bound` = 89, and `bucket_size` = 10, then the following buckets would be used: -10, 10-20, 20-30, 30-40, 40-50, 50-60, 60-70, 70-80, 80-89, 89+. Precision up to 2 decimals works.

1786

"lowerBound": { # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a 'Value' is based on its representation as a UTF-8 encoded string. For example, if 'integer_value' is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data. # Required. Lower bound value of buckets. All values less than `lower_bound` are grouped together into a single bucket; for example if `lower_bound` = 10, then all values less than 10 are replaced with the value "-10".

1787

"floatValue": 3.14, # float

1788

"integerValue": "A String", # integer

1789

"booleanValue": True or False, # boolean

1790

"timestampValue": "A String", # timestamp

1791

"dayOfWeekValue": "A String", # day of week

1792

"timeValue": { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # time of day

1793

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

1794

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds.

1795

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

1796

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value "24:00:00" for scenarios like business closing time.

1797

},

1798

"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day and time zone are either specified elsewhere or are not significant. The date is relative to the Proleptic Gregorian Calendar. This can represent: * A full date, with non-zero year, month and day values * A month and day value, with a zero year, e.g. an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, e.g. a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # date

1799

"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0 if specifying a year by itself or a year and month where the day is not significant.

1800

"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without a year.

1801

"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a month and day.

1802

},

1803

"stringValue": "A String", # string

1804

},

1805

"upperBound": { # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a 'Value' is based on its representation as a UTF-8 encoded string. For example, if 'integer_value' is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data. # Required. Upper bound value of buckets. All values greater than upper_bound are grouped together into a single bucket; for example if `upper_bound` = 89, then all values greater than 89 are replaced with the value "89+".

1806

"floatValue": 3.14, # float

1807

"integerValue": "A String", # integer

1808

"booleanValue": True or False, # boolean

1809

"timestampValue": "A String", # timestamp

1810

"dayOfWeekValue": "A String", # day of week

1811

"timeValue": { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # time of day

1812

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

1813

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds.

1814

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

1815

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value "24:00:00" for scenarios like business closing time.

1816

},

1817

"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day and time zone are either specified elsewhere or are not significant. The date is relative to the Proleptic Gregorian Calendar. This can represent: * A full date, with non-zero year, month and day values * A month and day value, with a zero year, e.g. an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, e.g. a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # date

1818

"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0 if specifying a year by itself or a year and month where the day is not significant.

1819

"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without a year.

1820

"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a month and day.

1821

},

1822

"stringValue": "A String", # string

},

},

},

"results": [ # Collection of all transformations that took place or had an error.

1827

{ # A collection that informs the user the number of times a particular `TransformationResultCode` and error details occurred.

1828

"count": "A String", # Number of transformations counted by this result.

1829

"code": "A String", # Outcome of the transformation.

1830

"details": "A String", # A place for warnings or errors to show up if a transformation didn't work as expected.

1831

},

1832

],

1833

"field": { # General identifier of a data field in a storage service. # Set if the transformation was limited to a specific FieldId.

1834

"name": "A String", # Name describing the field.

1835

},

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

1836

},

1837

],

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

1838

},

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

1839

"item": { # Container structure for the content to inspect. # The de-identified item.

Bu Sun Kim

2020-07-22 17:02:09 -0700

[diff] [blame]

1840

"value": "A String", # String data to inspect or redact.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

1841

"byteItem": { # Container for bytes to inspect or redact. # Content data to inspect or redact. Replaces `type` and `data`.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

1842

"data": "A String", # Content data to inspect or redact.

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

1843

"type": "A String", # The type of data stored in the bytes string. Default will be TEXT_UTF8.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

1844

},

Dmitry Frenkel

2020-10-06 16:46:05 -0700

[diff] [blame^]

1845

"table": { # Structured content to inspect. Up to 50,000 `Value`s per request allowed. See https://cloud.google.com/dlp/docs/inspecting-text#inspecting_a_table to learn more. # Structured content for inspection. See https://cloud.google.com/dlp/docs/inspecting-text#inspecting_a_table to learn more.

Bu Sun Kim

2020-07-22 17:02:09 -0700

[diff] [blame]

1846

"headers": [ # Headers of the table.

1847

{ # General identifier of a data field in a storage service.

1848

"name": "A String", # Name describing the field.

1849

},

1850

],

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

1851

"rows": [ # Rows of the table.

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

1852

{ # Values of the row.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

1853

"values": [ # Individual cells.

Dmitry Frenkel

2020-10-06 16:46:05 -0700

[diff] [blame^]

1854

{ # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a 'Value' is based on its representation as a UTF-8 encoded string. For example, if 'integer_value' is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data.

Bu Sun Kim

2020-07-22 17:02:09 -0700

[diff] [blame]

1855

"floatValue": 3.14, # float

Dmitry Frenkel

2020-10-06 16:46:05 -0700

[diff] [blame^]

1856

"integerValue": "A String", # integer

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

1857

"booleanValue": True or False, # boolean

Dmitry Frenkel

2020-10-06 16:46:05 -0700

[diff] [blame^]

1858

"timestampValue": "A String", # timestamp

1859

"dayOfWeekValue": "A String", # day of week

1860

"timeValue": { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # time of day

1861

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

1862

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds.

1863

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

1864

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value "24:00:00" for scenarios like business closing time.

1865

},

1866

"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day and time zone are either specified elsewhere or are not significant. The date is relative to the Proleptic Gregorian Calendar. This can represent: * A full date, with non-zero year, month and day values * A month and day value, with a zero year, e.g. an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, e.g. a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # date

1867

"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0 if specifying a year by itself or a year and month where the day is not significant.

1868

"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without a year.

1869

"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a month and day.

1870

},

1871

"stringValue": "A String", # string

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

},

],

},

],

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

},

},

}</pre>

</div>

<code class="details" id="inspect">inspect(parent, body=None, x__xgafv=None)</code>

Dmitry Frenkel

2020-10-06 16:46:05 -0700

[diff] [blame^]

1883

<pre>Finds potentially sensitive info in content. This method has limits on input size, processing time, and output size. When no InfoTypes or CustomInfoTypes are specified in this request, the system will automatically choose what detectors to run. By default this may be all types, but may change over time as detectors are updated. For how to guides, see https://cloud.google.com/dlp/docs/inspecting-images and https://cloud.google.com/dlp/docs/inspecting-text,

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

1884

1885

Args:

Dmitry Frenkel

2020-10-06 16:46:05 -0700

[diff] [blame^]

1886

parent: string, Parent resource name. The format of this value varies depending on whether you have [specified a processing location](https://cloud.google.com/dlp/docs/specifying-location): + Projects scope, location specified: `projects/`PROJECT_ID`/locations/`LOCATION_ID + Projects scope, no location specified (defaults to global): `projects/`PROJECT_ID The following example `parent` string specifies a parent project with the identifier `example-project`, and specifies the `europe-west3` location for processing data: parent=projects/example-project/locations/europe-west3 (required)

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

1887

body: object, The request body.

1888

The object takes the form of:

1889

1890

{ # Request to search for potentially sensitive info in a ContentItem.

Dmitry Frenkel

2020-10-06 16:46:05 -0700

[diff] [blame^]

1891

"inspectTemplateName": "A String", # Template to use. Any configuration directly specified in inspect_config will override those set in the template. Singular fields that are set in this request will replace their corresponding fields in the template. Repeated fields are appended. Singular sub-messages and groups are recursively merged.

1892

"inspectConfig": { # Configuration description of the scanning process. When used with redactContent only info_types and min_likelihood are currently used. # Configuration for the inspector. What specified here will override the template referenced by the inspect_template_name argument.

1893

"ruleSet": [ # Set of rules to apply to the findings for this InspectConfig. Exclusion rules, contained in the set are executed in the end, other rules are executed in the order they are specified for each info type.

1894

{ # Rule set for modifying a set of infoTypes to alter behavior under certain circumstances, depending on the specific details of the rules within the set.

1895

"infoTypes": [ # List of infoTypes this rule set is applied to.

1896

{ # Type of information detected by the API.

1897

"name": "A String", # Name of the information type. Either a name of your choosing when creating a CustomInfoType, or one of the names listed at https://cloud.google.com/dlp/docs/infotypes-reference when specifying a built-in type. When sending Cloud DLP results to Data Catalog, infoType names should conform to the pattern `[A-Za-z0-9$-_]{1,64}`.

1898

},

1899

],

1900

"rules": [ # Set of rules to be applied to infoTypes. The rules are applied in order.

1901

{ # A single inspection rule to be applied to infoTypes, specified in `InspectionRuleSet`.

1902

"exclusionRule": { # The rule that specifies conditions when findings of infoTypes specified in `InspectionRuleSet` are removed from results. # Exclusion rule.

1903

"dictionary": { # Custom information type based on a dictionary of words or phrases. This can be used to match sensitive information specific to the data, such as a list of employee IDs or job titles. Dictionary words are case-insensitive and all characters other than letters and digits in the unicode [Basic Multilingual Plane](https://en.wikipedia.org/wiki/Plane_%28Unicode%29#Basic_Multilingual_Plane) will be replaced with whitespace when scanning for matches, so the dictionary phrase "Sam Johnson" will match all three phrases "sam johnson", "Sam, Johnson", and "Sam (Johnson)". Additionally, the characters surrounding any match must be of a different type than the adjacent characters within the word, so letters must be next to non-letters and digits next to non-digits. For example, the dictionary word "jen" will match the first three letters of the text "jen123" but will return no matches for "jennifer". Dictionary words containing a large number of characters that are not letters or digits may result in unexpected findings because such characters are treated as whitespace. The [limits](https://cloud.google.com/dlp/limits) page contains details about the size limits of dictionaries. For dictionaries that do not fit within these constraints, consider using `LargeCustomDictionaryConfig` in the `StoredInfoType` API. # Dictionary which defines the rule.

1904

"cloudStoragePath": { # Message representing a single file or path in Cloud Storage. # Newline-delimited file of words in Cloud Storage. Only a single file is accepted.

1905

"path": "A String", # A url representing a file or path (no wildcards) in Cloud Storage. Example: gs://[BUCKET_NAME]/dictionary.txt

1906

},

1907

"wordList": { # Message defining a list of words or phrases to search for in the data. # List of words or phrases to search for.

1908

"words": [ # Words or phrases defining the dictionary. The dictionary must contain at least one phrase and every phrase must contain at least 2 characters that are letters or digits. [required]

"A String",

],

},

},

"excludeInfoTypes": { # List of exclude infoTypes. # Set of infoTypes for which findings would affect this rule.

1914

"infoTypes": [ # InfoType list in ExclusionRule rule drops a finding when it overlaps or contained within with a finding of an infoType from this list. For example, for `InspectionRuleSet.info_types` containing "PHONE_NUMBER"` and `exclusion_rule` containing `exclude_info_types.info_types` with "EMAIL_ADDRESS" the phone number findings are dropped if they overlap with EMAIL_ADDRESS finding. That leads to "555-222-2222@example.org" to generate only a single finding, namely email address.

1915

{ # Type of information detected by the API.

1916

"name": "A String", # Name of the information type. Either a name of your choosing when creating a CustomInfoType, or one of the names listed at https://cloud.google.com/dlp/docs/infotypes-reference when specifying a built-in type. When sending Cloud DLP results to Data Catalog, infoType names should conform to the pattern `[A-Za-z0-9$-_]{1,64}`.

},

],

},

"regex": { # Message defining a custom regular expression. # Regular expression which defines the rule.

1921

"pattern": "A String", # Pattern defining the regular expression. Its syntax (https://github.com/google/re2/wiki/Syntax) can be found under the google/re2 repository on GitHub.

1922

"groupIndexes": [ # The index of the submatch to extract as findings. When not specified, the entire match is returned. No more than 3 may be included.

42,

],

},

"matchingType": "A String", # How the rule is applied, see MatchingType documentation for details.

1927

},

1928

"hotwordRule": { # The rule that adjusts the likelihood of findings within a certain proximity of hotwords. # Hotword-based detection rule.

1929

"proximity": { # Message for specifying a window around a finding to apply a detection rule. # Proximity of the finding within which the entire hotword must reside. The total length of the window cannot exceed 1000 characters. Note that the finding itself will be included in the window, so that hotwords may be used to match substrings of the finding itself. For example, the certainty of a phone number regex "$\d{3}$ \d{3}-\d{4}" could be adjusted upwards if the area code is known to be the local area code of a company office using the hotword regex "$xxx$", where "xxx" is the area code in question.

1930

"windowAfter": 42, # Number of characters after the finding to consider.

1931

"windowBefore": 42, # Number of characters before the finding to consider.

1932

},

1933

"likelihoodAdjustment": { # Message for specifying an adjustment to the likelihood of a finding as part of a detection rule. # Likelihood adjustment to apply to all matching findings.

1934

"relativeLikelihood": 42, # Increase or decrease the likelihood by the specified number of levels. For example, if a finding would be `POSSIBLE` without the detection rule and `relative_likelihood` is 1, then it is upgraded to `LIKELY`, while a value of -1 would downgrade it to `UNLIKELY`. Likelihood may never drop below `VERY_UNLIKELY` or exceed `VERY_LIKELY`, so applying an adjustment of 1 followed by an adjustment of -1 when base likelihood is `VERY_LIKELY` will result in a final likelihood of `LIKELY`.

1935

"fixedLikelihood": "A String", # Set the likelihood of a finding to a fixed value.

1936

},

1937

"hotwordRegex": { # Message defining a custom regular expression. # Regular expression pattern defining what qualifies as a hotword.

1938

"pattern": "A String", # Pattern defining the regular expression. Its syntax (https://github.com/google/re2/wiki/Syntax) can be found under the google/re2 repository on GitHub.

1939

"groupIndexes": [ # The index of the submatch to extract as findings. When not specified, the entire match is returned. No more than 3 may be included.

42,

],

},

},

},

],

},

],

"infoTypes": [ # Restricts what info_types to look for. The values must correspond to InfoType values returned by ListInfoTypes or listed at https://cloud.google.com/dlp/docs/infotypes-reference. When no InfoTypes or CustomInfoTypes are specified in a request, the system may automatically choose what detectors to run. By default this may be all types, but may change over time as detectors are updated. If you need precise control and predictability as to what detectors are run you should specify specific InfoTypes listed in the reference, otherwise a default list will be used, which may change over time.

1949

{ # Type of information detected by the API.

1950

"name": "A String", # Name of the information type. Either a name of your choosing when creating a CustomInfoType, or one of the names listed at https://cloud.google.com/dlp/docs/infotypes-reference when specifying a built-in type. When sending Cloud DLP results to Data Catalog, infoType names should conform to the pattern `[A-Za-z0-9$-_]{1,64}`.

1951

},

1952

],

1953

"minLikelihood": "A String", # Only returns findings equal or above this threshold. The default is POSSIBLE. See https://cloud.google.com/dlp/docs/likelihood to learn more.

1954

"contentOptions": [ # List of options defining data content to scan. If empty, text, images, and other content will be included.

1955

"A String",

1956

],

1957

"limits": { # Configuration to control the number of findings returned. # Configuration to control the number of findings returned.

1958

"maxFindingsPerRequest": 42, # Max number of findings that will be returned per request/job. When set within `InspectContentRequest`, the maximum returned is 2000 regardless if this is set higher.

1959

"maxFindingsPerInfoType": [ # Configuration of findings limit given for specified infoTypes.

1960

{ # Max findings configuration per infoType, per content item or long running DlpJob.

1961

"maxFindings": 42, # Max findings limit for the given infoType.

1962

"infoType": { # Type of information detected by the API. # Type of information the findings limit applies to. Only one limit per info_type should be provided. If InfoTypeLimit does not have an info_type, the DLP API applies the limit against all info_types that are found but not specified in another InfoTypeLimit.

1963

"name": "A String", # Name of the information type. Either a name of your choosing when creating a CustomInfoType, or one of the names listed at https://cloud.google.com/dlp/docs/infotypes-reference when specifying a built-in type. When sending Cloud DLP results to Data Catalog, infoType names should conform to the pattern `[A-Za-z0-9$-_]{1,64}`.

},

},

],

"maxFindingsPerItem": 42, # Max number of findings that will be returned for each item scanned. When set within `InspectJobConfig`, the maximum returned is 2000 regardless if this is set higher. When set within `InspectContentRequest`, this field is ignored.

1968

},

1969

"excludeInfoTypes": True or False, # When true, excludes type information of the findings.

1970

"includeQuote": True or False, # When true, a contextual quote from the data that triggered a finding is included in the response; see Finding.quote.

1971

"customInfoTypes": [ # CustomInfoTypes provided by the user. See https://cloud.google.com/dlp/docs/creating-custom-infotypes to learn more.

1972

{ # Custom information type provided by the user. Used to find domain-specific sensitive information configurable to the data in question.

1973

"exclusionType": "A String", # If set to EXCLUSION_TYPE_EXCLUDE this infoType will not cause a finding to be returned. It still can be used for rules matching.

1974

"detectionRules": [ # Set of detection rules to apply to all findings of this CustomInfoType. Rules are applied in order that they are specified. Not supported for the `surrogate_type` CustomInfoType.

1975

{ # Deprecated; use `InspectionRuleSet` instead. Rule for modifying a `CustomInfoType` to alter behavior under certain circumstances, depending on the specific details of the rule. Not supported for the `surrogate_type` custom infoType.

1976

"hotwordRule": { # The rule that adjusts the likelihood of findings within a certain proximity of hotwords. # Hotword-based detection rule.

1977

"proximity": { # Message for specifying a window around a finding to apply a detection rule. # Proximity of the finding within which the entire hotword must reside. The total length of the window cannot exceed 1000 characters. Note that the finding itself will be included in the window, so that hotwords may be used to match substrings of the finding itself. For example, the certainty of a phone number regex "$\d{3}$ \d{3}-\d{4}" could be adjusted upwards if the area code is known to be the local area code of a company office using the hotword regex "$xxx$", where "xxx" is the area code in question.

1978

"windowAfter": 42, # Number of characters after the finding to consider.

1979

"windowBefore": 42, # Number of characters before the finding to consider.

1980

},

1981

"likelihoodAdjustment": { # Message for specifying an adjustment to the likelihood of a finding as part of a detection rule. # Likelihood adjustment to apply to all matching findings.

1982

"relativeLikelihood": 42, # Increase or decrease the likelihood by the specified number of levels. For example, if a finding would be `POSSIBLE` without the detection rule and `relative_likelihood` is 1, then it is upgraded to `LIKELY`, while a value of -1 would downgrade it to `UNLIKELY`. Likelihood may never drop below `VERY_UNLIKELY` or exceed `VERY_LIKELY`, so applying an adjustment of 1 followed by an adjustment of -1 when base likelihood is `VERY_LIKELY` will result in a final likelihood of `LIKELY`.

1983

"fixedLikelihood": "A String", # Set the likelihood of a finding to a fixed value.

1984

},

1985

"hotwordRegex": { # Message defining a custom regular expression. # Regular expression pattern defining what qualifies as a hotword.

1986

"pattern": "A String", # Pattern defining the regular expression. Its syntax (https://github.com/google/re2/wiki/Syntax) can be found under the google/re2 repository on GitHub.

1987

"groupIndexes": [ # The index of the submatch to extract as findings. When not specified, the entire match is returned. No more than 3 may be included.

42,

],

},

},

},

],

"regex": { # Message defining a custom regular expression. # Regular expression based CustomInfoType.

1995

"pattern": "A String", # Pattern defining the regular expression. Its syntax (https://github.com/google/re2/wiki/Syntax) can be found under the google/re2 repository on GitHub.

1996

"groupIndexes": [ # The index of the submatch to extract as findings. When not specified, the entire match is returned. No more than 3 may be included.

42,

],

},

"surrogateType": { # Message for detecting output from deidentification transformations such as [`CryptoReplaceFfxFpeConfig`](https://cloud.google.com/dlp/docs/reference/rest/v2/organizations.deidentifyTemplates#cryptoreplaceffxfpeconfig). These types of transformations are those that perform pseudonymization, thereby producing a "surrogate" as output. This should be used in conjunction with a field on the transformation such as `surrogate_info_type`. This CustomInfoType does not support the use of `detection_rules`. # Message for detecting output from deidentification transformations that support reversing.

2001

},

2002

"infoType": { # Type of information detected by the API. # CustomInfoType can either be a new infoType, or an extension of built-in infoType, when the name matches one of existing infoTypes and that infoType is specified in `InspectContent.info_types` field. Specifying the latter adds findings to the one detected by the system. If built-in info type is not specified in `InspectContent.info_types` list then the name is treated as a custom info type.

2003

"name": "A String", # Name of the information type. Either a name of your choosing when creating a CustomInfoType, or one of the names listed at https://cloud.google.com/dlp/docs/infotypes-reference when specifying a built-in type. When sending Cloud DLP results to Data Catalog, infoType names should conform to the pattern `[A-Za-z0-9$-_]{1,64}`.

2004

},

2005

"likelihood": "A String", # Likelihood to return for this CustomInfoType. This base value can be altered by a detection rule if the finding meets the criteria specified by the rule. Defaults to `VERY_LIKELY` if not specified.

2006

"dictionary": { # Custom information type based on a dictionary of words or phrases. This can be used to match sensitive information specific to the data, such as a list of employee IDs or job titles. Dictionary words are case-insensitive and all characters other than letters and digits in the unicode [Basic Multilingual Plane](https://en.wikipedia.org/wiki/Plane_%28Unicode%29#Basic_Multilingual_Plane) will be replaced with whitespace when scanning for matches, so the dictionary phrase "Sam Johnson" will match all three phrases "sam johnson", "Sam, Johnson", and "Sam (Johnson)". Additionally, the characters surrounding any match must be of a different type than the adjacent characters within the word, so letters must be next to non-letters and digits next to non-digits. For example, the dictionary word "jen" will match the first three letters of the text "jen123" but will return no matches for "jennifer". Dictionary words containing a large number of characters that are not letters or digits may result in unexpected findings because such characters are treated as whitespace. The [limits](https://cloud.google.com/dlp/limits) page contains details about the size limits of dictionaries. For dictionaries that do not fit within these constraints, consider using `LargeCustomDictionaryConfig` in the `StoredInfoType` API. # A list of phrases to detect as a CustomInfoType.

2007

"cloudStoragePath": { # Message representing a single file or path in Cloud Storage. # Newline-delimited file of words in Cloud Storage. Only a single file is accepted.

2008

"path": "A String", # A url representing a file or path (no wildcards) in Cloud Storage. Example: gs://[BUCKET_NAME]/dictionary.txt

2009

},

2010

"wordList": { # Message defining a list of words or phrases to search for in the data. # List of words or phrases to search for.

2011

"words": [ # Words or phrases defining the dictionary. The dictionary must contain at least one phrase and every phrase must contain at least 2 characters that are letters or digits. [required]

"A String",

],

},

},

"storedType": { # A reference to a StoredInfoType to use with scanning. # Load an existing `StoredInfoType` resource for use in `InspectDataSource`. Not currently supported in `InspectContent`.

2017

"name": "A String", # Resource name of the requested `StoredInfoType`, for example `organizations/433245324/storedInfoTypes/432452342` or `projects/project-id/storedInfoTypes/432452342`.

2018

"createTime": "A String", # Timestamp indicating when the version of the `StoredInfoType` used for inspection was created. Output-only field, populated by the system.

},

},

],

},

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

2023

"item": { # Container structure for the content to inspect. # The item to inspect.

Bu Sun Kim

2020-07-22 17:02:09 -0700

[diff] [blame]

2024

"value": "A String", # String data to inspect or redact.

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

2025

"byteItem": { # Container for bytes to inspect or redact. # Content data to inspect or redact. Replaces `type` and `data`.

2026

"data": "A String", # Content data to inspect or redact.

2027

"type": "A String", # The type of data stored in the bytes string. Default will be TEXT_UTF8.

2028

},

Dmitry Frenkel

2020-10-06 16:46:05 -0700

[diff] [blame^]

2029

"table": { # Structured content to inspect. Up to 50,000 `Value`s per request allowed. See https://cloud.google.com/dlp/docs/inspecting-text#inspecting_a_table to learn more. # Structured content for inspection. See https://cloud.google.com/dlp/docs/inspecting-text#inspecting_a_table to learn more.

Bu Sun Kim

2020-07-22 17:02:09 -0700

[diff] [blame]

2030

"headers": [ # Headers of the table.

2031

{ # General identifier of a data field in a storage service.

2032

"name": "A String", # Name describing the field.

2033

},

2034

],

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

2035

"rows": [ # Rows of the table.

2036

{ # Values of the row.

2037

"values": [ # Individual cells.

Dmitry Frenkel

2020-10-06 16:46:05 -0700

[diff] [blame^]

2038

{ # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a 'Value' is based on its representation as a UTF-8 encoded string. For example, if 'integer_value' is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data.

Bu Sun Kim

2020-07-22 17:02:09 -0700

[diff] [blame]

2039

"floatValue": 3.14, # float

Dmitry Frenkel

2020-10-06 16:46:05 -0700

[diff] [blame^]

2040

"integerValue": "A String", # integer

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

2041

"booleanValue": True or False, # boolean

Dmitry Frenkel

2020-10-06 16:46:05 -0700

[diff] [blame^]

2042

"timestampValue": "A String", # timestamp

2043

"dayOfWeekValue": "A String", # day of week

2044

"timeValue": { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # time of day

2045

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

2046

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds.

2047

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

2048

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value "24:00:00" for scenarios like business closing time.

2049

},

2050

"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day and time zone are either specified elsewhere or are not significant. The date is relative to the Proleptic Gregorian Calendar. This can represent: * A full date, with non-zero year, month and day values * A month and day value, with a zero year, e.g. an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, e.g. a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # date

2051

"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0 if specifying a year by itself or a year and month where the day is not significant.

2052

"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without a year.

2053

"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a month and day.

2054

},

2055

"stringValue": "A String", # string

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

},

],

},

],

},

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

2061

},

Bu Sun Kim

2020-07-22 17:02:09 -0700

[diff] [blame]

2062

"locationId": "A String", # Deprecated. This field has no effect.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

2063

}

2064

2065

x__xgafv: string, V1 error format.

Allowed values

1 - v1 error format

2 - v2 error format

Returns:

An object of the form:

2072

2073

{ # Results of inspecting an item.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

2074

"result": { # All the findings for a single scanned item. # The findings.

Dmitry Frenkel

2020-10-06 16:46:05 -0700

[diff] [blame^]

2075

"findingsTruncated": True or False, # If true, then this item might have more findings than were returned, and the findings returned are an arbitrary subset of all findings. The findings list might be truncated because the input items were too large, or because the server reached the maximum amount of resources allowed for a single API call. For best results, divide the input into smaller batches.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

2076

"findings": [ # List of findings for an item.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

2077

{ # Represents a piece of potentially sensitive content.

Dmitry Frenkel

2020-10-06 16:46:05 -0700

[diff] [blame^]

2078

"infoType": { # Type of information detected by the API. # The type of content that might have been found. Provided if `excluded_types` is false.

2079

"name": "A String", # Name of the information type. Either a name of your choosing when creating a CustomInfoType, or one of the names listed at https://cloud.google.com/dlp/docs/infotypes-reference when specifying a built-in type. When sending Cloud DLP results to Data Catalog, infoType names should conform to the pattern `[A-Za-z0-9$-_]{1,64}`.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

2080

},

Dmitry Frenkel

2020-10-06 16:46:05 -0700

[diff] [blame^]

2081

"quoteInfo": { # Message for infoType-dependent details parsed from quote. # Contains data parsed from quotes. Only populated if include_quote was set to true and a supported infoType was requested. Currently supported infoTypes: DATE, DATE_OF_BIRTH and TIME.

2082

"dateTime": { # Message for a date time object. e.g. 2018-01-01, 5th August. # The date time indicated by the quote.

2083

"time": { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # Time of day

2084

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

2085

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds.

2086

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

2087

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value "24:00:00" for scenarios like business closing time.

Bu Sun Kim

2020-07-22 17:02:09 -0700

[diff] [blame]

2088

},

Dmitry Frenkel

2020-10-06 16:46:05 -0700

[diff] [blame^]

2089

"timeZone": { # Time zone of the date time object. # Time zone

2090

"offsetMinutes": 42, # Set only if the offset can be determined. Positive for time ahead of UTC. E.g. For "UTC-9", this value is -540.

Bu Sun Kim

2020-07-22 17:02:09 -0700

[diff] [blame]

2091

},

2092

"dayOfWeek": "A String", # Day of week

Dmitry Frenkel

2020-10-06 16:46:05 -0700

[diff] [blame^]

2093

"date": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day and time zone are either specified elsewhere or are not significant. The date is relative to the Proleptic Gregorian Calendar. This can represent: * A full date, with non-zero year, month and day values * A month and day value, with a zero year, e.g. an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, e.g. a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # One or more of the following must be set. Must be a valid date or time value.

2094

"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0 if specifying a year by itself or a year and month where the day is not significant.

2095

"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without a year.

2096

"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a month and day.

Bu Sun Kim

2020-07-22 17:02:09 -0700

[diff] [blame]

2097

},

2098

},

2099

},

Dmitry Frenkel

2020-10-06 16:46:05 -0700

[diff] [blame^]

2100

"quote": "A String", # The content that was found. Even if the content is not textual, it may be converted to a textual representation here. Provided if `include_quote` is true and the finding is less than or equal to 4096 bytes long. If the finding exceeds 4096 bytes in length, the quote may be omitted.

2101

"jobCreateTime": "A String", # Time the job started that produced this finding.

2102

"resourceName": "A String", # The job that stored the finding.

2103

"labels": { # The labels associated with this `Finding`. Label keys must be between 1 and 63 characters long and must conform to the following regular expression: `[a-z]([-a-z0-9]*[a-z0-9])?`. Label values must be between 0 and 63 characters long and must conform to the regular expression `([a-z]([-a-z0-9]*[a-z0-9])?)?`. No more than 10 labels can be associated with a given finding. Examples: * `"environment" : "production"` * `"pipeline" : "etl"`

2104

"a_key": "A String",

Bu Sun Kim

2020-07-22 17:02:09 -0700

[diff] [blame]

2105

},

Dmitry Frenkel

2020-10-06 16:46:05 -0700

[diff] [blame^]

2106

"createTime": "A String", # Timestamp when finding was detected.

2107

"name": "A String", # Resource name in format projects/{project}/locations/{location}/findings/{finding} Populated only when viewing persisted findings.

2108

"triggerName": "A String", # Job trigger name, if applicable, for this finding.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

2109

"location": { # Specifies the location of the finding. # Where the content was found.

Dmitry Frenkel

2020-10-06 16:46:05 -0700

[diff] [blame^]

2110

"contentLocations": [ # List of nested objects pointing to the precise location of the finding within the file or record.

2111

{ # Precise location of the finding within a document, record, image, or metadata container.

Bu Sun Kim

2020-07-22 17:02:09 -0700

[diff] [blame]

2112

"imageLocation": { # Location of the finding within an image. # Location within an image's pixels.

2113

"boundingBoxes": [ # Bounding boxes locating the pixels within the image containing the finding.

2114

{ # Bounding box encompassing detected text within an image.

2115

"left": 42, # Left coordinate of the bounding box. (0,0) is upper left.

Bu Sun Kim

2020-07-22 17:02:09 -0700

[diff] [blame]

2116

"height": 42, # Height of the bounding box in pixels.

Dmitry Frenkel

2020-10-06 16:46:05 -0700

[diff] [blame^]

2117

"width": 42, # Width of the bounding box in pixels.

2118

"top": 42, # Top coordinate of the bounding box. (0,0) is upper left.

Bu Sun Kim

2020-07-22 17:02:09 -0700

[diff] [blame]

2119

},

2120

],

2121

},

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

2122

"recordLocation": { # Location of a finding within a row or record. # Location within a row or record of a database table.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

2123

"recordKey": { # Message for a unique key indicating a record that contains a finding. # Key of the finding.

Bu Sun Kim

2020-07-22 17:02:09 -0700

[diff] [blame]

2124

"datastoreKey": { # Record key for a finding in Cloud Datastore.

Dmitry Frenkel

2020-10-06 16:46:05 -0700

[diff] [blame^]

2125

"entityKey": { # A unique identifier for a Datastore entity. If a key's partition ID or any of its path kinds or names are reserved/read-only, the key is reserved/read-only. A reserved/read-only key is forbidden in certain documented contexts. # Datastore entity key.

2126

"partitionId": { # Datastore partition ID. A partition ID identifies a grouping of entities. The grouping is always by project and namespace, however the namespace ID may be empty. A partition ID contains several dimensions: project ID and namespace ID. # Entities are partitioned into subsets, currently identified by a project ID and namespace ID. Queries are scoped to a single partition.

2127

"projectId": "A String", # The ID of the project to which the entities belong.

2128

"namespaceId": "A String", # If not empty, the ID of the namespace to which the entities belong.

2129

},

2130

"path": [ # The entity path. An entity path consists of one or more elements composed of a kind and a string or numerical identifier, which identify entities. The first element identifies a _root entity_, the second element identifies a _child_ of the root entity, the third element identifies a child of the second entity, and so forth. The entities identified by all prefixes of the path are called the element's _ancestors_. A path can never be empty, and a path can have at most 100 elements.

2131

{ # A (kind, ID/name) pair used to construct a key path. If either name or ID is set, the element is complete. If neither is set, the element is incomplete.

2132

"kind": "A String", # The kind of the entity. A kind matching regex `__.*__` is reserved/read-only. A kind must not contain more than 1500 bytes when UTF-8 encoded. Cannot be `""`.

2133

"id": "A String", # The auto-allocated ID of the entity. Never equal to zero. Values less than zero are discouraged and may not be supported in the future.

2134

"name": "A String", # The name of the entity. A name matching regex `__.*__` is reserved/read-only. A name must not be more than 1500 bytes when UTF-8 encoded. Cannot be `""`.

Bu Sun Kim

2020-07-22 17:02:09 -0700

[diff] [blame]

2135

},

2136

],

Bu Sun Kim

2020-07-22 17:02:09 -0700

[diff] [blame]

2137

},

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

2138

},

Dmitry Frenkel

2020-10-06 16:46:05 -0700

[diff] [blame^]

2139

"idValues": [ # Values of identifying columns in the given row. Order of values matches the order of `identifying_fields` specified in the scanning request.

2140

"A String",

2141

],

2142

"bigQueryKey": { # Row key for identifying a record in BigQuery table.

2143

"tableReference": { # Message defining the location of a BigQuery table. A table is uniquely identified by its project_id, dataset_id, and table_name. Within a query a table is often referenced with a string in the format of: `:.` or `..`. # Complete BigQuery table reference.

2144

"datasetId": "A String", # Dataset ID of the table.

2145

"tableId": "A String", # Name of the table.

2146

"projectId": "A String", # The Google Cloud Platform project ID of the project containing the table. If omitted, project ID is inferred from the API call.

2147

},

2148

"rowNumber": "A String", # Row number inferred at the time the table was scanned. This value is nondeterministic, cannot be queried, and may be null for inspection jobs. To locate findings within a table, specify `inspect_job.storage_config.big_query_options.identifying_fields` in `CreateDlpJobRequest`.

2149

},

Bu Sun Kim

2020-07-22 17:02:09 -0700

[diff] [blame]

2150

},

2151

"tableLocation": { # Location of a finding within a table. # Location within a `ContentItem.Table`.

Dmitry Frenkel

2020-10-06 16:46:05 -0700

[diff] [blame^]

2152

"rowIndex": "A String", # The zero-based index of the row where the finding is located. Only populated for resources that have a natural ordering, not BigQuery. In BigQuery, to identify the row a finding came from, populate BigQueryOptions.identifying_fields with your primary key column names and when you store the findings the value of those columns will be stored inside of Finding.

Bu Sun Kim

2020-07-22 17:02:09 -0700

[diff] [blame]

2153

},

2154

"fieldId": { # General identifier of a data field in a storage service. # Field id of the field containing the finding.

2155

"name": "A String", # Name describing the field.

2156

},

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

2157

},

Dmitry Frenkel

2020-10-06 16:46:05 -0700

[diff] [blame^]

2158

"containerName": "A String", # Name of the container where the finding is located. The top level name is the source file name or table name. Names of some common storage containers are formatted as follows: * BigQuery tables: `{project_id}:{dataset_id}.{table_id}` * Cloud Storage files: `gs://{bucket}/{path}` * Datastore namespace: {namespace} Nested names could be absent if the embedded object has no string identifier (for an example an image contained within a document).

2159

"containerTimestamp": "A String", # Findings container modification timestamp, if applicable. For Google Cloud Storage contains last file modification timestamp. For BigQuery table contains last_modified_time property. For Datastore - not populated.

2160

"containerVersion": "A String", # Findings container version, if available ("generation" for Google Cloud Storage).

2161

"metadataLocation": { # Metadata Location # Location within the metadata for inspected content.

2162

"storageLabel": { # Storage metadata label to indicate which metadata entry contains findings. # Storage metadata.

2163

"key": "A String",

2164

},

2165

"type": "A String", # Type of metadata containing the finding.

Bu Sun Kim

2020-07-22 17:02:09 -0700

[diff] [blame]

2166

},

Dmitry Frenkel

2020-10-06 16:46:05 -0700

[diff] [blame^]

2167

"documentLocation": { # Location of a finding within a document. # Location data for document files.

2168

"fileOffset": "A String", # Offset of the line, from the beginning of the file, where the finding is located.

2169

},

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

2170

},

2171

],

Dmitry Frenkel

2020-10-06 16:46:05 -0700

[diff] [blame^]

2172

"codepointRange": { # Generic half-open interval [start, end) # Unicode character offsets delimiting the finding. These are relative to the finding's containing element. Provided when the content is text.

2173

"start": "A String", # Index of the first character of the range (inclusive).

2174

"end": "A String", # Index of the last character of the range (exclusive).

2175

},

2176

"container": { # Represents a container that may contain DLP findings. Examples of a container include a file, table, or database record. # Information about the container where this finding occurred, if available.

Bu Sun Kim

2020-07-22 17:02:09 -0700

[diff] [blame]

2177

"type": "A String", # Container type, for example BigQuery or Google Cloud Storage.

Dmitry Frenkel

2020-10-06 16:46:05 -0700

[diff] [blame^]

2178

"version": "A String", # Findings container version, if available ("generation" for Google Cloud Storage).

2179

"relativePath": "A String", # The rest of the path after the root. Examples: - For BigQuery table `project_id:dataset_id.table_id`, the relative path is `table_id` - Google Cloud Storage file `gs://bucket/folder/filename.txt`, the relative path is `folder/filename.txt`

2180

"fullPath": "A String", # A string representation of the full container name. Examples: - BigQuery: 'Project:DataSetId.TableId' - Google Cloud Storage: 'gs://Bucket/folders/filename.txt'

2181

"updateTime": "A String", # Findings container modification timestamp, if applicable. For Google Cloud Storage contains last file modification timestamp. For BigQuery table contains last_modified_time property. For Datastore - not populated.

2182

"rootPath": "A String", # The root of the container. Examples: - For BigQuery table `project_id:dataset_id.table_id`, the root is `dataset_id` - For Google Cloud Storage file `gs://bucket/folder/filename.txt`, the root is `gs://bucket`

2183

"projectId": "A String", # Project where the finding was found. Can be different from the project that owns the finding.

Bu Sun Kim

2020-07-22 17:02:09 -0700

[diff] [blame]

2184

},

Dmitry Frenkel

2020-10-06 16:46:05 -0700

[diff] [blame^]

2185

"byteRange": { # Generic half-open interval [start, end) # Zero-based byte offsets delimiting the finding. These are relative to the finding's containing element. Note that when the content is not textual, this references the UTF-8 encoded textual representation of the content. Omitted if content is an image.

Bu Sun Kim

2020-07-22 17:02:09 -0700

[diff] [blame]

2186

"start": "A String", # Index of the first character of the range (inclusive).

Bu Sun Kim

2020-07-22 17:02:09 -0700

[diff] [blame]

2187

"end": "A String", # Index of the last character of the range (exclusive).

Bu Sun Kim

2020-07-22 17:02:09 -0700

[diff] [blame]

2188

},

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

2189

},

Dmitry Frenkel

2020-10-06 16:46:05 -0700

[diff] [blame^]

2190

"likelihood": "A String", # Confidence of how likely it is that the `info_type` is correct.

2191

"jobName": "A String", # The job that stored the finding.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

},

],

},

}</pre>

</div>

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

2199

<code class="details" id="reidentify">reidentify(parent, body=None, x__xgafv=None)</code>

Dmitry Frenkel

2020-10-06 16:46:05 -0700

[diff] [blame^]

2200

<pre>Re-identifies content that has been de-identified. See https://cloud.google.com/dlp/docs/pseudonymization#re-identification_in_free_text_code_example to learn more.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

2201

2202

Args:

Dmitry Frenkel

2020-10-06 16:46:05 -0700

[diff] [blame^]

2203

parent: string, Required. Parent resource name. The format of this value varies depending on whether you have [specified a processing location](https://cloud.google.com/dlp/docs/specifying-location): + Projects scope, location specified: `projects/`PROJECT_ID`/locations/`LOCATION_ID + Projects scope, no location specified (defaults to global): `projects/`PROJECT_ID The following example `parent` string specifies a parent project with the identifier `example-project`, and specifies the `europe-west3` location for processing data: parent=projects/example-project/locations/europe-west3 (required)

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

2204

body: object, The request body.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

2205

The object takes the form of:

2206

2207

{ # Request to re-identify an item.

Dmitry Frenkel

2020-10-06 16:46:05 -0700

[diff] [blame^]

2208

"inspectConfig": { # Configuration description of the scanning process. When used with redactContent only info_types and min_likelihood are currently used. # Configuration for the inspector.

2209

"ruleSet": [ # Set of rules to apply to the findings for this InspectConfig. Exclusion rules, contained in the set are executed in the end, other rules are executed in the order they are specified for each info type.

2210

{ # Rule set for modifying a set of infoTypes to alter behavior under certain circumstances, depending on the specific details of the rules within the set.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

2211

"infoTypes": [ # List of infoTypes this rule set is applied to.

2212

{ # Type of information detected by the API.

Dmitry Frenkel

2020-10-06 16:46:05 -0700

[diff] [blame^]

2213

"name": "A String", # Name of the information type. Either a name of your choosing when creating a CustomInfoType, or one of the names listed at https://cloud.google.com/dlp/docs/infotypes-reference when specifying a built-in type. When sending Cloud DLP results to Data Catalog, infoType names should conform to the pattern `[A-Za-z0-9$-_]{1,64}`.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

2214

},

2215

],

2216

"rules": [ # Set of rules to be applied to infoTypes. The rules are applied in order.

Dmitry Frenkel

2020-10-06 16:46:05 -0700

[diff] [blame^]

2217

{ # A single inspection rule to be applied to infoTypes, specified in `InspectionRuleSet`.

2218

"exclusionRule": { # The rule that specifies conditions when findings of infoTypes specified in `InspectionRuleSet` are removed from results. # Exclusion rule.

2219

"dictionary": { # Custom information type based on a dictionary of words or phrases. This can be used to match sensitive information specific to the data, such as a list of employee IDs or job titles. Dictionary words are case-insensitive and all characters other than letters and digits in the unicode [Basic Multilingual Plane](https://en.wikipedia.org/wiki/Plane_%28Unicode%29#Basic_Multilingual_Plane) will be replaced with whitespace when scanning for matches, so the dictionary phrase "Sam Johnson" will match all three phrases "sam johnson", "Sam, Johnson", and "Sam (Johnson)". Additionally, the characters surrounding any match must be of a different type than the adjacent characters within the word, so letters must be next to non-letters and digits next to non-digits. For example, the dictionary word "jen" will match the first three letters of the text "jen123" but will return no matches for "jennifer". Dictionary words containing a large number of characters that are not letters or digits may result in unexpected findings because such characters are treated as whitespace. The [limits](https://cloud.google.com/dlp/limits) page contains details about the size limits of dictionaries. For dictionaries that do not fit within these constraints, consider using `LargeCustomDictionaryConfig` in the `StoredInfoType` API. # Dictionary which defines the rule.

2220

"cloudStoragePath": { # Message representing a single file or path in Cloud Storage. # Newline-delimited file of words in Cloud Storage. Only a single file is accepted.

2221

"path": "A String", # A url representing a file or path (no wildcards) in Cloud Storage. Example: gs://[BUCKET_NAME]/dictionary.txt

Bu Sun Kim

2020-07-22 17:02:09 -0700

[diff] [blame]

2222

},

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

2223

"wordList": { # Message defining a list of words or phrases to search for in the data. # List of words or phrases to search for.

Dmitry Frenkel

2020-10-06 16:46:05 -0700

[diff] [blame^]

2224

"words": [ # Words or phrases defining the dictionary. The dictionary must contain at least one phrase and every phrase must contain at least 2 characters that are letters or digits. [required]

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

2225

"A String",

2226

],

2227

},

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

2228

},

2229

"excludeInfoTypes": { # List of exclude infoTypes. # Set of infoTypes for which findings would affect this rule.

Dmitry Frenkel

2020-10-06 16:46:05 -0700

[diff] [blame^]

2230

"infoTypes": [ # InfoType list in ExclusionRule rule drops a finding when it overlaps or contained within with a finding of an infoType from this list. For example, for `InspectionRuleSet.info_types` containing "PHONE_NUMBER"` and `exclusion_rule` containing `exclude_info_types.info_types` with "EMAIL_ADDRESS" the phone number findings are dropped if they overlap with EMAIL_ADDRESS finding. That leads to "555-222-2222@example.org" to generate only a single finding, namely email address.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

2231

{ # Type of information detected by the API.

Dmitry Frenkel

2020-10-06 16:46:05 -0700

[diff] [blame^]

2232

"name": "A String", # Name of the information type. Either a name of your choosing when creating a CustomInfoType, or one of the names listed at https://cloud.google.com/dlp/docs/infotypes-reference when specifying a built-in type. When sending Cloud DLP results to Data Catalog, infoType names should conform to the pattern `[A-Za-z0-9$-_]{1,64}`.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

2233

},

2234

],

2235

},

Bu Sun Kim

2020-07-22 17:02:09 -0700

[diff] [blame]

2236

"regex": { # Message defining a custom regular expression. # Regular expression which defines the rule.

Dmitry Frenkel

2020-10-06 16:46:05 -0700

[diff] [blame^]

2237

"pattern": "A String", # Pattern defining the regular expression. Its syntax (https://github.com/google/re2/wiki/Syntax) can be found under the google/re2 repository on GitHub.

2238

"groupIndexes": [ # The index of the submatch to extract as findings. When not specified, the entire match is returned. No more than 3 may be included.

Bu Sun Kim

2020-07-22 17:02:09 -0700

[diff] [blame]

2239

42,

2240

],

Dmitry Frenkel

2020-10-06 16:46:05 -0700

[diff] [blame^]

2241

},

2242

"matchingType": "A String", # How the rule is applied, see MatchingType documentation for details.

2243

},

2244

"hotwordRule": { # The rule that adjusts the likelihood of findings within a certain proximity of hotwords. # Hotword-based detection rule.

2245

"proximity": { # Message for specifying a window around a finding to apply a detection rule. # Proximity of the finding within which the entire hotword must reside. The total length of the window cannot exceed 1000 characters. Note that the finding itself will be included in the window, so that hotwords may be used to match substrings of the finding itself. For example, the certainty of a phone number regex "$\d{3}$ \d{3}-\d{4}" could be adjusted upwards if the area code is known to be the local area code of a company office using the hotword regex "$xxx$", where "xxx" is the area code in question.

2246

"windowAfter": 42, # Number of characters after the finding to consider.

2247

"windowBefore": 42, # Number of characters before the finding to consider.

2248

},

2249

"likelihoodAdjustment": { # Message for specifying an adjustment to the likelihood of a finding as part of a detection rule. # Likelihood adjustment to apply to all matching findings.

2250

"relativeLikelihood": 42, # Increase or decrease the likelihood by the specified number of levels. For example, if a finding would be `POSSIBLE` without the detection rule and `relative_likelihood` is 1, then it is upgraded to `LIKELY`, while a value of -1 would downgrade it to `UNLIKELY`. Likelihood may never drop below `VERY_UNLIKELY` or exceed `VERY_LIKELY`, so applying an adjustment of 1 followed by an adjustment of -1 when base likelihood is `VERY_LIKELY` will result in a final likelihood of `LIKELY`.

2251

"fixedLikelihood": "A String", # Set the likelihood of a finding to a fixed value.

2252

},

2253

"hotwordRegex": { # Message defining a custom regular expression. # Regular expression pattern defining what qualifies as a hotword.

2254

"pattern": "A String", # Pattern defining the regular expression. Its syntax (https://github.com/google/re2/wiki/Syntax) can be found under the google/re2 repository on GitHub.

2255

"groupIndexes": [ # The index of the submatch to extract as findings. When not specified, the entire match is returned. No more than 3 may be included.

2256

42,

2257

],

Bu Sun Kim

2020-07-22 17:02:09 -0700

[diff] [blame]

2258

},

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

},

},

],

},

],

Dmitry Frenkel

2020-10-06 16:46:05 -0700

[diff] [blame^]

2264

"infoTypes": [ # Restricts what info_types to look for. The values must correspond to InfoType values returned by ListInfoTypes or listed at https://cloud.google.com/dlp/docs/infotypes-reference. When no InfoTypes or CustomInfoTypes are specified in a request, the system may automatically choose what detectors to run. By default this may be all types, but may change over time as detectors are updated. If you need precise control and predictability as to what detectors are run you should specify specific InfoTypes listed in the reference, otherwise a default list will be used, which may change over time.

Bu Sun Kim

2020-07-22 17:02:09 -0700

[diff] [blame]

2265

{ # Type of information detected by the API.

Dmitry Frenkel

2020-10-06 16:46:05 -0700

[diff] [blame^]

2266

"name": "A String", # Name of the information type. Either a name of your choosing when creating a CustomInfoType, or one of the names listed at https://cloud.google.com/dlp/docs/infotypes-reference when specifying a built-in type. When sending Cloud DLP results to Data Catalog, infoType names should conform to the pattern `[A-Za-z0-9$-_]{1,64}`.

Bu Sun Kim

2020-07-22 17:02:09 -0700

[diff] [blame]

2267

},

2268

],

Dmitry Frenkel

2020-10-06 16:46:05 -0700

[diff] [blame^]

2269

"minLikelihood": "A String", # Only returns findings equal or above this threshold. The default is POSSIBLE. See https://cloud.google.com/dlp/docs/likelihood to learn more.

2270

"contentOptions": [ # List of options defining data content to scan. If empty, text, images, and other content will be included.

2271

"A String",

2272

],

2273

"limits": { # Configuration to control the number of findings returned. # Configuration to control the number of findings returned.

2274

"maxFindingsPerRequest": 42, # Max number of findings that will be returned per request/job. When set within `InspectContentRequest`, the maximum returned is 2000 regardless if this is set higher.

2275

"maxFindingsPerInfoType": [ # Configuration of findings limit given for specified infoTypes.

2276

{ # Max findings configuration per infoType, per content item or long running DlpJob.

2277

"maxFindings": 42, # Max findings limit for the given infoType.

2278

"infoType": { # Type of information detected by the API. # Type of information the findings limit applies to. Only one limit per info_type should be provided. If InfoTypeLimit does not have an info_type, the DLP API applies the limit against all info_types that are found but not specified in another InfoTypeLimit.

2279

"name": "A String", # Name of the information type. Either a name of your choosing when creating a CustomInfoType, or one of the names listed at https://cloud.google.com/dlp/docs/infotypes-reference when specifying a built-in type. When sending Cloud DLP results to Data Catalog, infoType names should conform to the pattern `[A-Za-z0-9$-_]{1,64}`.

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

2280

},

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

2281

},

2282

],

Dmitry Frenkel

2020-10-06 16:46:05 -0700

[diff] [blame^]

2283

"maxFindingsPerItem": 42, # Max number of findings that will be returned for each item scanned. When set within `InspectJobConfig`, the maximum returned is 2000 regardless if this is set higher. When set within `InspectContentRequest`, this field is ignored.

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

2284

},

Dmitry Frenkel

2020-10-06 16:46:05 -0700

[diff] [blame^]

2285

"excludeInfoTypes": True or False, # When true, excludes type information of the findings.

2286

"includeQuote": True or False, # When true, a contextual quote from the data that triggered a finding is included in the response; see Finding.quote.

2287

"customInfoTypes": [ # CustomInfoTypes provided by the user. See https://cloud.google.com/dlp/docs/creating-custom-infotypes to learn more.

2288

{ # Custom information type provided by the user. Used to find domain-specific sensitive information configurable to the data in question.

2289

"exclusionType": "A String", # If set to EXCLUSION_TYPE_EXCLUDE this infoType will not cause a finding to be returned. It still can be used for rules matching.

2290

"detectionRules": [ # Set of detection rules to apply to all findings of this CustomInfoType. Rules are applied in order that they are specified. Not supported for the `surrogate_type` CustomInfoType.

2291

{ # Deprecated; use `InspectionRuleSet` instead. Rule for modifying a `CustomInfoType` to alter behavior under certain circumstances, depending on the specific details of the rule. Not supported for the `surrogate_type` custom infoType.

2292

"hotwordRule": { # The rule that adjusts the likelihood of findings within a certain proximity of hotwords. # Hotword-based detection rule.

2293

"proximity": { # Message for specifying a window around a finding to apply a detection rule. # Proximity of the finding within which the entire hotword must reside. The total length of the window cannot exceed 1000 characters. Note that the finding itself will be included in the window, so that hotwords may be used to match substrings of the finding itself. For example, the certainty of a phone number regex "$\d{3}$ \d{3}-\d{4}" could be adjusted upwards if the area code is known to be the local area code of a company office using the hotword regex "$xxx$", where "xxx" is the area code in question.

2294

"windowAfter": 42, # Number of characters after the finding to consider.

2295

"windowBefore": 42, # Number of characters before the finding to consider.

2296

},

2297

"likelihoodAdjustment": { # Message for specifying an adjustment to the likelihood of a finding as part of a detection rule. # Likelihood adjustment to apply to all matching findings.

2298

"relativeLikelihood": 42, # Increase or decrease the likelihood by the specified number of levels. For example, if a finding would be `POSSIBLE` without the detection rule and `relative_likelihood` is 1, then it is upgraded to `LIKELY`, while a value of -1 would downgrade it to `UNLIKELY`. Likelihood may never drop below `VERY_UNLIKELY` or exceed `VERY_LIKELY`, so applying an adjustment of 1 followed by an adjustment of -1 when base likelihood is `VERY_LIKELY` will result in a final likelihood of `LIKELY`.

2299

"fixedLikelihood": "A String", # Set the likelihood of a finding to a fixed value.

2300

},

2301

"hotwordRegex": { # Message defining a custom regular expression. # Regular expression pattern defining what qualifies as a hotword.

2302

"pattern": "A String", # Pattern defining the regular expression. Its syntax (https://github.com/google/re2/wiki/Syntax) can be found under the google/re2 repository on GitHub.

2303

"groupIndexes": [ # The index of the submatch to extract as findings. When not specified, the entire match is returned. No more than 3 may be included.

42,

],

},

},

},

],

"regex": { # Message defining a custom regular expression. # Regular expression based CustomInfoType.

2311

"pattern": "A String", # Pattern defining the regular expression. Its syntax (https://github.com/google/re2/wiki/Syntax) can be found under the google/re2 repository on GitHub.

2312

"groupIndexes": [ # The index of the submatch to extract as findings. When not specified, the entire match is returned. No more than 3 may be included.

42,

],

},

"surrogateType": { # Message for detecting output from deidentification transformations such as [`CryptoReplaceFfxFpeConfig`](https://cloud.google.com/dlp/docs/reference/rest/v2/organizations.deidentifyTemplates#cryptoreplaceffxfpeconfig). These types of transformations are those that perform pseudonymization, thereby producing a "surrogate" as output. This should be used in conjunction with a field on the transformation such as `surrogate_info_type`. This CustomInfoType does not support the use of `detection_rules`. # Message for detecting output from deidentification transformations that support reversing.

2317

},

2318

"infoType": { # Type of information detected by the API. # CustomInfoType can either be a new infoType, or an extension of built-in infoType, when the name matches one of existing infoTypes and that infoType is specified in `InspectContent.info_types` field. Specifying the latter adds findings to the one detected by the system. If built-in info type is not specified in `InspectContent.info_types` list then the name is treated as a custom info type.

2319

"name": "A String", # Name of the information type. Either a name of your choosing when creating a CustomInfoType, or one of the names listed at https://cloud.google.com/dlp/docs/infotypes-reference when specifying a built-in type. When sending Cloud DLP results to Data Catalog, infoType names should conform to the pattern `[A-Za-z0-9$-_]{1,64}`.

2320

},

2321

"likelihood": "A String", # Likelihood to return for this CustomInfoType. This base value can be altered by a detection rule if the finding meets the criteria specified by the rule. Defaults to `VERY_LIKELY` if not specified.

2322

"dictionary": { # Custom information type based on a dictionary of words or phrases. This can be used to match sensitive information specific to the data, such as a list of employee IDs or job titles. Dictionary words are case-insensitive and all characters other than letters and digits in the unicode [Basic Multilingual Plane](https://en.wikipedia.org/wiki/Plane_%28Unicode%29#Basic_Multilingual_Plane) will be replaced with whitespace when scanning for matches, so the dictionary phrase "Sam Johnson" will match all three phrases "sam johnson", "Sam, Johnson", and "Sam (Johnson)". Additionally, the characters surrounding any match must be of a different type than the adjacent characters within the word, so letters must be next to non-letters and digits next to non-digits. For example, the dictionary word "jen" will match the first three letters of the text "jen123" but will return no matches for "jennifer". Dictionary words containing a large number of characters that are not letters or digits may result in unexpected findings because such characters are treated as whitespace. The [limits](https://cloud.google.com/dlp/limits) page contains details about the size limits of dictionaries. For dictionaries that do not fit within these constraints, consider using `LargeCustomDictionaryConfig` in the `StoredInfoType` API. # A list of phrases to detect as a CustomInfoType.

2323

"cloudStoragePath": { # Message representing a single file or path in Cloud Storage. # Newline-delimited file of words in Cloud Storage. Only a single file is accepted.

2324

"path": "A String", # A url representing a file or path (no wildcards) in Cloud Storage. Example: gs://[BUCKET_NAME]/dictionary.txt

2325

},

2326

"wordList": { # Message defining a list of words or phrases to search for in the data. # List of words or phrases to search for.

2327

"words": [ # Words or phrases defining the dictionary. The dictionary must contain at least one phrase and every phrase must contain at least 2 characters that are letters or digits. [required]

"A String",

],

},

},

"storedType": { # A reference to a StoredInfoType to use with scanning. # Load an existing `StoredInfoType` resource for use in `InspectDataSource`. Not currently supported in `InspectContent`.

2333

"name": "A String", # Resource name of the requested `StoredInfoType`, for example `organizations/433245324/storedInfoTypes/432452342` or `projects/project-id/storedInfoTypes/432452342`.

2334

"createTime": "A String", # Timestamp indicating when the version of the `StoredInfoType` used for inspection was created. Output-only field, populated by the system.

},

},

],

},

"item": { # Container structure for the content to inspect. # The item to re-identify. Will be treated as text.

2340

"value": "A String", # String data to inspect or redact.

2341

"byteItem": { # Container for bytes to inspect or redact. # Content data to inspect or redact. Replaces `type` and `data`.

2342

"data": "A String", # Content data to inspect or redact.

2343

"type": "A String", # The type of data stored in the bytes string. Default will be TEXT_UTF8.

2344

},

2345

"table": { # Structured content to inspect. Up to 50,000 `Value`s per request allowed. See https://cloud.google.com/dlp/docs/inspecting-text#inspecting_a_table to learn more. # Structured content for inspection. See https://cloud.google.com/dlp/docs/inspecting-text#inspecting_a_table to learn more.

2346

"headers": [ # Headers of the table.

2347

{ # General identifier of a data field in a storage service.

2348

"name": "A String", # Name describing the field.

2349

},

2350

],

2351

"rows": [ # Rows of the table.

2352

{ # Values of the row.

2353

"values": [ # Individual cells.

2354

{ # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a 'Value' is based on its representation as a UTF-8 encoded string. For example, if 'integer_value' is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data.

2355

"floatValue": 3.14, # float

2356

"integerValue": "A String", # integer

2357

"booleanValue": True or False, # boolean

2358

"timestampValue": "A String", # timestamp

2359

"dayOfWeekValue": "A String", # day of week

2360

"timeValue": { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # time of day

2361

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

2362

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds.

2363

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

2364

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value "24:00:00" for scenarios like business closing time.

2365

},

2366

"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day and time zone are either specified elsewhere or are not significant. The date is relative to the Proleptic Gregorian Calendar. This can represent: * A full date, with non-zero year, month and day values * A month and day value, with a zero year, e.g. an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, e.g. a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # date

2367

"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0 if specifying a year by itself or a year and month where the day is not significant.

2368

"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without a year.

2369

"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a month and day.

2370

},

2371

"stringValue": "A String", # string

},

],

},

],

},

},

"reidentifyConfig": { # The configuration that controls how the data will change. # Configuration for the re-identification of the content item. This field shares the same proto message type that is used for de-identification, however its usage here is for the reversal of the previous de-identification. Re-identification is performed by examining the transformations used to de-identify the items and executing the reverse. This requires that only reversible transformations be provided here. The reversible transformations are: - `CryptoDeterministicConfig` - `CryptoReplaceFfxFpeConfig`

2379

"infoTypeTransformations": { # A type of transformation that will scan unstructured text and apply various `PrimitiveTransformation`s to each finding, where the transformation is applied to only values that were identified as a specific info_type. # Treat the dataset as free-form text and apply the same free text transformation everywhere.

2380

"transformations": [ # Required. Transformation for each infoType. Cannot specify more than one for a given infoType.

2381

{ # A transformation to apply to text that is identified as a specific info_type.

2382

"primitiveTransformation": { # A rule for transforming a value. # Required. Primitive transformation to apply to the infoType.

2383

"redactConfig": { # Redact a given value. For example, if used with an `InfoTypeTransformation` transforming PHONE_NUMBER, and input 'My phone number is 206-555-0123', the output would be 'My phone number is '. # Redact

2384

},

2385

"characterMaskConfig": { # Partially mask a string by replacing a given number of characters with a fixed character. Masking can start from the beginning or end of the string. This can be used on data of any type (numbers, longs, and so on) and when de-identifying structured data we'll attempt to preserve the original data's type. (This allows you to take a long like 123 and modify it to a string like **3. # Mask

2386

"numberToMask": 42, # Number of characters to mask. If not set, all matching chars will be masked. Skipped characters do not count towards this tally.

2387

"charactersToIgnore": [ # When masking a string, items in this list will be skipped when replacing characters. For example, if the input string is `555-555-5555` and you instruct Cloud DLP to skip `-` and mask 5 characters with `*`, Cloud DLP returns `***-**5-5555`.

2388

{ # Characters to skip when doing deidentification of a value. These will be left alone and skipped.

2389

"charactersToSkip": "A String", # Characters to not transform when masking.

2390

"commonCharactersToIgnore": "A String", # Common characters to not transform when masking. Useful to avoid removing punctuation.

2391

},

2392

],

2393

"reverseOrder": True or False, # Mask characters in reverse order. For example, if `masking_character` is `0`, `number_to_mask` is `14`, and `reverse_order` is `false`, then the input string `1234-5678-9012-3456` is masked as `00000000000000-3456`. If `masking_character` is `*`, `number_to_mask` is `3`, and `reverse_order` is `true`, then the string `12345` is masked as `12***`.

2394

"maskingCharacter": "A String", # Character to use to mask the sensitive values—for example, `*` for an alphabetic string such as a name, or `0` for a numeric string such as ZIP code or credit card number. This string must have a length of 1. If not supplied, this value defaults to `*` for strings, and `0` for digits.

2395

},

2396

"dateShiftConfig": { # Shifts dates by random number of days, with option to be consistent for the same context. See https://cloud.google.com/dlp/docs/concepts-date-shifting to learn more. # Date Shift

2397

"lowerBoundDays": 42, # Required. For example, -5 means shift date to at most 5 days back in the past.

2398

"upperBoundDays": 42, # Required. Range of shift in days. Actual shift will be selected at random within this range (inclusive ends). Negative means shift to earlier in time. Must not be more than 365250 days (1000 years) each direction. For example, 3 means shift date to at most 3 days into the future.

2399

"cryptoKey": { # This is a data encryption key (DEK) (as opposed to a key encryption key (KEK) stored by KMS). When using KMS to wrap/unwrap DEKs, be sure to set an appropriate IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot unwrap the data crypto key. # Causes the shift to be computed based on this key and the context. This results in the same shift for the same context and crypto_key. If set, must also set context. Can only be applied to table items.

2400

"unwrapped": { # Using raw keys is prone to security risks due to accidentally leaking the key. Choose another type of key if possible. # Unwrapped crypto key

2401

"key": "A String", # Required. A 128/192/256 bit key.

2402

},

2403

"transient": { # Use this to have a random data crypto key generated. It will be discarded after the request finishes. # Transient crypto key

2404

"name": "A String", # Required. Name of the key. This is an arbitrary string used to differentiate different keys. A unique key is generated per name: two separate `TransientCryptoKey` protos share the same generated key if their names are the same. When the data crypto key is generated, this name is not used in any way (repeating the api call will result in a different key being generated).

2405

},

2406

"kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. The wrapped key must be a 128/192/256 bit key. Authorization requires the following IAM permissions when sending a request to perform a crypto transformation using a kms-wrapped crypto key: dlp.kms.encrypt # Kms wrapped key

2407

"cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.

2408

"wrappedKey": "A String", # Required. The wrapped data crypto key.

2409

},

2410

},

2411

"context": { # General identifier of a data field in a storage service. # Points to the field that contains the context, for example, an entity id. If set, must also set cryptoKey. If set, shift will be consistent for the given context.

2412

"name": "A String", # Name describing the field.

2413

},

2414

},

2415

"cryptoDeterministicConfig": { # Pseudonymization method that generates deterministic encryption for the given input. Outputs a base64 encoded representation of the encrypted output. Uses AES-SIV based on the RFC https://tools.ietf.org/html/rfc5297. # Deterministic Crypto

2416

"surrogateInfoType": { # Type of information detected by the API. # The custom info type to annotate the surrogate with. This annotation will be applied to the surrogate by prefixing it with the name of the custom info type followed by the number of characters comprising the surrogate. The following scheme defines the format: {info type name}({surrogate character count}):{surrogate} For example, if the name of custom info type is 'MY_TOKEN_INFO_TYPE' and the surrogate is 'abc', the full replacement value will be: 'MY_TOKEN_INFO_TYPE(3):abc' This annotation identifies the surrogate when inspecting content using the custom info type 'Surrogate'. This facilitates reversal of the surrogate when it occurs in free text. Note: For record transformations where the entire cell in a table is being transformed, surrogates are not mandatory. Surrogates are used to denote the location of the token and are necessary for re-identification in free form text. In order for inspection to work properly, the name of this info type must not occur naturally anywhere in your data; otherwise, inspection may either - reverse a surrogate that does not correspond to an actual identifier - be unable to parse the surrogate and result in an error Therefore, choose your custom info type name carefully after considering what your data looks like. One way to select a name that has a high chance of yielding reliable detection is to include one or more unicode characters that are highly improbable to exist in your data. For example, assuming your data is entered from a regular ASCII keyboard, the symbol with the hex code point 29DD might be used like so: ⧝MY_TOKEN_TYPE.

2417

"name": "A String", # Name of the information type. Either a name of your choosing when creating a CustomInfoType, or one of the names listed at https://cloud.google.com/dlp/docs/infotypes-reference when specifying a built-in type. When sending Cloud DLP results to Data Catalog, infoType names should conform to the pattern `[A-Za-z0-9$-_]{1,64}`.

2418

},

2419

"context": { # General identifier of a data field in a storage service. # A context may be used for higher security and maintaining referential integrity such that the same identifier in two different contexts will be given a distinct surrogate. The context is appended to plaintext value being encrypted. On decryption the provided context is validated against the value used during encryption. If a context was provided during encryption, same context must be provided during decryption as well. If the context is not set, plaintext would be used as is for encryption. If the context is set but: 1. there is no record present when transforming a given value or 2. the field is not present when transforming a given value, plaintext would be used as is for encryption. Note that case (1) is expected when an `InfoTypeTransformation` is applied to both structured and non-structured `ContentItem`s.

2420

"name": "A String", # Name describing the field.

2421

},

2422

"cryptoKey": { # This is a data encryption key (DEK) (as opposed to a key encryption key (KEK) stored by KMS). When using KMS to wrap/unwrap DEKs, be sure to set an appropriate IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot unwrap the data crypto key. # The key used by the encryption function.

2423

"unwrapped": { # Using raw keys is prone to security risks due to accidentally leaking the key. Choose another type of key if possible. # Unwrapped crypto key

2424

"key": "A String", # Required. A 128/192/256 bit key.

2425

},

2426

"transient": { # Use this to have a random data crypto key generated. It will be discarded after the request finishes. # Transient crypto key

2427

"name": "A String", # Required. Name of the key. This is an arbitrary string used to differentiate different keys. A unique key is generated per name: two separate `TransientCryptoKey` protos share the same generated key if their names are the same. When the data crypto key is generated, this name is not used in any way (repeating the api call will result in a different key being generated).

2428

},

2429

"kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. The wrapped key must be a 128/192/256 bit key. Authorization requires the following IAM permissions when sending a request to perform a crypto transformation using a kms-wrapped crypto key: dlp.kms.encrypt # Kms wrapped key

2430

"cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.

2431

"wrappedKey": "A String", # Required. The wrapped data crypto key.

},

},

},

"replaceConfig": { # Replace each input value with a given `Value`. # Replace

2436

"newValue": { # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a 'Value' is based on its representation as a UTF-8 encoded string. For example, if 'integer_value' is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data. # Value to replace it with.

2437

"floatValue": 3.14, # float

2438

"integerValue": "A String", # integer

2439

"booleanValue": True or False, # boolean

2440

"timestampValue": "A String", # timestamp

2441

"dayOfWeekValue": "A String", # day of week

2442

"timeValue": { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # time of day

2443

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

2444

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds.

2445

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

2446

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value "24:00:00" for scenarios like business closing time.

2447

},

2448

"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day and time zone are either specified elsewhere or are not significant. The date is relative to the Proleptic Gregorian Calendar. This can represent: * A full date, with non-zero year, month and day values * A month and day value, with a zero year, e.g. an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, e.g. a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # date

2449

"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0 if specifying a year by itself or a year and month where the day is not significant.

2450

"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without a year.

2451

"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a month and day.

2452

},

2453

"stringValue": "A String", # string

2454

},

2455

},

2456

"cryptoReplaceFfxFpeConfig": { # Replaces an identifier with a surrogate using Format Preserving Encryption (FPE) with the FFX mode of operation; however when used in the `ReidentifyContent` API method, it serves the opposite function by reversing the surrogate back into the original identifier. The identifier must be encoded as ASCII. For a given crypto key and context, the same identifier will be replaced with the same surrogate. Identifiers must be at least two characters long. In the case that the identifier is the empty string, it will be skipped. See https://cloud.google.com/dlp/docs/pseudonymization to learn more. Note: We recommend using CryptoDeterministicConfig for all use cases which do not require preserving the input alphabet space and size, plus warrant referential integrity. # Ffx-Fpe

2457

"surrogateInfoType": { # Type of information detected by the API. # The custom infoType to annotate the surrogate with. This annotation will be applied to the surrogate by prefixing it with the name of the custom infoType followed by the number of characters comprising the surrogate. The following scheme defines the format: info_type_name(surrogate_character_count):surrogate For example, if the name of custom infoType is 'MY_TOKEN_INFO_TYPE' and the surrogate is 'abc', the full replacement value will be: 'MY_TOKEN_INFO_TYPE(3):abc' This annotation identifies the surrogate when inspecting content using the custom infoType [`SurrogateType`](https://cloud.google.com/dlp/docs/reference/rest/v2/InspectConfig#surrogatetype). This facilitates reversal of the surrogate when it occurs in free text. In order for inspection to work properly, the name of this infoType must not occur naturally anywhere in your data; otherwise, inspection may find a surrogate that does not correspond to an actual identifier. Therefore, choose your custom infoType name carefully after considering what your data looks like. One way to select a name that has a high chance of yielding reliable detection is to include one or more unicode characters that are highly improbable to exist in your data. For example, assuming your data is entered from a regular ASCII keyboard, the symbol with the hex code point 29DD might be used like so: ⧝MY_TOKEN_TYPE

2458

"name": "A String", # Name of the information type. Either a name of your choosing when creating a CustomInfoType, or one of the names listed at https://cloud.google.com/dlp/docs/infotypes-reference when specifying a built-in type. When sending Cloud DLP results to Data Catalog, infoType names should conform to the pattern `[A-Za-z0-9$-_]{1,64}`.

2459

},

2460

"context": { # General identifier of a data field in a storage service. # The 'tweak', a context may be used for higher security since the same identifier in two different contexts won't be given the same surrogate. If the context is not set, a default tweak will be used. If the context is set but: 1. there is no record present when transforming a given value or 1. the field is not present when transforming a given value, a default tweak will be used. Note that case (1) is expected when an `InfoTypeTransformation` is applied to both structured and non-structured `ContentItem`s. Currently, the referenced field may be of value type integer or string. The tweak is constructed as a sequence of bytes in big endian byte order such that: - a 64 bit integer is encoded followed by a single byte of value 1 - a string is encoded in UTF-8 format followed by a single byte of value 2

2461

"name": "A String", # Name describing the field.

2462

},

2463

"customAlphabet": "A String", # This is supported by mapping these to the alphanumeric characters that the FFX mode natively supports. This happens before/after encryption/decryption. Each character listed must appear only once. Number of characters must be in the range [2, 95]. This must be encoded as ASCII. The order of characters does not matter. The full list of allowed characters is: 0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz ~`!@#$%^&*()_-+={[}]|\:;"'<,>.?/

2464

"commonAlphabet": "A String", # Common alphabets.

2465

"cryptoKey": { # This is a data encryption key (DEK) (as opposed to a key encryption key (KEK) stored by KMS). When using KMS to wrap/unwrap DEKs, be sure to set an appropriate IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot unwrap the data crypto key. # Required. The key used by the encryption algorithm.

2466

"unwrapped": { # Using raw keys is prone to security risks due to accidentally leaking the key. Choose another type of key if possible. # Unwrapped crypto key

2467

"key": "A String", # Required. A 128/192/256 bit key.

2468

},

2469

"transient": { # Use this to have a random data crypto key generated. It will be discarded after the request finishes. # Transient crypto key

2470

"name": "A String", # Required. Name of the key. This is an arbitrary string used to differentiate different keys. A unique key is generated per name: two separate `TransientCryptoKey` protos share the same generated key if their names are the same. When the data crypto key is generated, this name is not used in any way (repeating the api call will result in a different key being generated).

2471

},

2472

"kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. The wrapped key must be a 128/192/256 bit key. Authorization requires the following IAM permissions when sending a request to perform a crypto transformation using a kms-wrapped crypto key: dlp.kms.encrypt # Kms wrapped key

2473

"cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.

2474

"wrappedKey": "A String", # Required. The wrapped data crypto key.

2475

},

2476

},

2477

"radix": 42, # The native way to select the alphabet. Must be in the range [2, 95].

2478

},

2479

"cryptoHashConfig": { # Pseudonymization method that generates surrogates via cryptographic hashing. Uses SHA-256. The key size must be either 32 or 64 bytes. Outputs a base64 encoded representation of the hashed output (for example, L7k0BHmF1ha5U3NfGykjro4xWi1MPVQPjhMAZbSV9mM=). Currently, only string and integer values can be hashed. See https://cloud.google.com/dlp/docs/pseudonymization to learn more. # Crypto

2480

"cryptoKey": { # This is a data encryption key (DEK) (as opposed to a key encryption key (KEK) stored by KMS). When using KMS to wrap/unwrap DEKs, be sure to set an appropriate IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot unwrap the data crypto key. # The key used by the hash function.

2481

"unwrapped": { # Using raw keys is prone to security risks due to accidentally leaking the key. Choose another type of key if possible. # Unwrapped crypto key

2482

"key": "A String", # Required. A 128/192/256 bit key.

2483

},

2484

"transient": { # Use this to have a random data crypto key generated. It will be discarded after the request finishes. # Transient crypto key

2485

"name": "A String", # Required. Name of the key. This is an arbitrary string used to differentiate different keys. A unique key is generated per name: two separate `TransientCryptoKey` protos share the same generated key if their names are the same. When the data crypto key is generated, this name is not used in any way (repeating the api call will result in a different key being generated).

2486

},

2487

"kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. The wrapped key must be a 128/192/256 bit key. Authorization requires the following IAM permissions when sending a request to perform a crypto transformation using a kms-wrapped crypto key: dlp.kms.encrypt # Kms wrapped key

2488

"cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.

2489

"wrappedKey": "A String", # Required. The wrapped data crypto key.

},

},

},

"bucketingConfig": { # Generalization function that buckets values based on ranges. The ranges and replacement values are dynamically provided by the user for custom behavior, such as 1-30 -> LOW 31-65 -> MEDIUM 66-100 -> HIGH This can be used on data of type: number, long, string, timestamp. If the bound `Value` type differs from the type of data being transformed, we will first attempt converting the type of the data to be transformed to match the type of the bound before comparing. See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more. # Bucketing

2494

"buckets": [ # Set of buckets. Ranges must be non-overlapping.

2495

{ # Bucket is represented as a range, along with replacement values.

2496

"max": { # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a 'Value' is based on its representation as a UTF-8 encoded string. For example, if 'integer_value' is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data. # Upper bound of the range, exclusive; type must match min.

2497

"floatValue": 3.14, # float

2498

"integerValue": "A String", # integer

2499

"booleanValue": True or False, # boolean

2500

"timestampValue": "A String", # timestamp

2501

"dayOfWeekValue": "A String", # day of week

2502

"timeValue": { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # time of day

2503

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

2504

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds.

2505

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

2506

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value "24:00:00" for scenarios like business closing time.

2507

},

2508

"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day and time zone are either specified elsewhere or are not significant. The date is relative to the Proleptic Gregorian Calendar. This can represent: * A full date, with non-zero year, month and day values * A month and day value, with a zero year, e.g. an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, e.g. a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # date

2509

"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0 if specifying a year by itself or a year and month where the day is not significant.

2510

"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without a year.

2511

"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a month and day.

2512

},

2513

"stringValue": "A String", # string

2514

},

2515

"min": { # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a 'Value' is based on its representation as a UTF-8 encoded string. For example, if 'integer_value' is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data. # Lower bound of the range, inclusive. Type should be the same as max if used.

2516

"floatValue": 3.14, # float

2517

"integerValue": "A String", # integer

2518

"booleanValue": True or False, # boolean

2519

"timestampValue": "A String", # timestamp

2520

"dayOfWeekValue": "A String", # day of week

2521

"timeValue": { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # time of day

2522

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

2523

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds.

2524

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

2525

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value "24:00:00" for scenarios like business closing time.

2526

},

2527

"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day and time zone are either specified elsewhere or are not significant. The date is relative to the Proleptic Gregorian Calendar. This can represent: * A full date, with non-zero year, month and day values * A month and day value, with a zero year, e.g. an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, e.g. a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # date

2528

"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0 if specifying a year by itself or a year and month where the day is not significant.

2529

"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without a year.

2530

"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a month and day.

2531

},

2532

"stringValue": "A String", # string

2533

},

2534

"replacementValue": { # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a 'Value' is based on its representation as a UTF-8 encoded string. For example, if 'integer_value' is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data. # Required. Replacement value for this bucket.

2535

"floatValue": 3.14, # float

2536

"integerValue": "A String", # integer

2537

"booleanValue": True or False, # boolean

2538

"timestampValue": "A String", # timestamp

2539

"dayOfWeekValue": "A String", # day of week

2540

"timeValue": { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # time of day

2541

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

2542

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds.

2543

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

2544

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value "24:00:00" for scenarios like business closing time.

2545

},

2546

"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day and time zone are either specified elsewhere or are not significant. The date is relative to the Proleptic Gregorian Calendar. This can represent: * A full date, with non-zero year, month and day values * A month and day value, with a zero year, e.g. an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, e.g. a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # date

2547

"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0 if specifying a year by itself or a year and month where the day is not significant.

2548

"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without a year.

2549

"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a month and day.

2550

},

2551

"stringValue": "A String", # string

},

},

],

},

"replaceWithInfoTypeConfig": { # Replace each matching finding with the name of the info_type. # Replace with infotype

2557

},

2558

"timePartConfig": { # For use with `Date`, `Timestamp`, and `TimeOfDay`, extract or preserve a portion of the value. # Time extraction

2559

"partToExtract": "A String", # The part of the time to keep.

2560

},

2561

"fixedSizeBucketingConfig": { # Buckets values based on fixed size ranges. The Bucketing transformation can provide all of this functionality, but requires more configuration. This message is provided as a convenience to the user for simple bucketing strategies. The transformed value will be a hyphenated string of {lower_bound}-{upper_bound}, i.e if lower_bound = 10 and upper_bound = 20 all values that are within this bucket will be replaced with "10-20". This can be used on data of type: double, long. If the bound Value type differs from the type of data being transformed, we will first attempt converting the type of the data to be transformed to match the type of the bound before comparing. See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more. # Fixed size bucketing

2562

"bucketSize": 3.14, # Required. Size of each bucket (except for minimum and maximum buckets). So if `lower_bound` = 10, `upper_bound` = 89, and `bucket_size` = 10, then the following buckets would be used: -10, 10-20, 20-30, 30-40, 40-50, 50-60, 60-70, 70-80, 80-89, 89+. Precision up to 2 decimals works.

2563

"lowerBound": { # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a 'Value' is based on its representation as a UTF-8 encoded string. For example, if 'integer_value' is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data. # Required. Lower bound value of buckets. All values less than `lower_bound` are grouped together into a single bucket; for example if `lower_bound` = 10, then all values less than 10 are replaced with the value "-10".

2564

"floatValue": 3.14, # float

2565

"integerValue": "A String", # integer

2566

"booleanValue": True or False, # boolean

2567

"timestampValue": "A String", # timestamp

2568

"dayOfWeekValue": "A String", # day of week

2569

"timeValue": { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # time of day

2570

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

2571

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds.

2572

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

2573

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value "24:00:00" for scenarios like business closing time.

2574

},

2575

"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day and time zone are either specified elsewhere or are not significant. The date is relative to the Proleptic Gregorian Calendar. This can represent: * A full date, with non-zero year, month and day values * A month and day value, with a zero year, e.g. an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, e.g. a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # date

2576

"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0 if specifying a year by itself or a year and month where the day is not significant.

2577

"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without a year.

2578

"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a month and day.

2579

},

2580

"stringValue": "A String", # string

2581

},

2582

"upperBound": { # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a 'Value' is based on its representation as a UTF-8 encoded string. For example, if 'integer_value' is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data. # Required. Upper bound value of buckets. All values greater than upper_bound are grouped together into a single bucket; for example if `upper_bound` = 89, then all values greater than 89 are replaced with the value "89+".

2583

"floatValue": 3.14, # float

2584

"integerValue": "A String", # integer

2585

"booleanValue": True or False, # boolean

2586

"timestampValue": "A String", # timestamp

2587

"dayOfWeekValue": "A String", # day of week

2588

"timeValue": { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # time of day

2589

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

2590

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds.

2591

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

2592

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value "24:00:00" for scenarios like business closing time.

2593

},

2594

"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day and time zone are either specified elsewhere or are not significant. The date is relative to the Proleptic Gregorian Calendar. This can represent: * A full date, with non-zero year, month and day values * A month and day value, with a zero year, e.g. an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, e.g. a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # date

2595

"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0 if specifying a year by itself or a year and month where the day is not significant.

2596

"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without a year.

2597

"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a month and day.

2598

},

2599

"stringValue": "A String", # string

},

},

},

"infoTypes": [ # InfoTypes to apply the transformation to. An empty list will cause this transformation to apply to all findings that correspond to infoTypes that were requested in `InspectConfig`.

2604

{ # Type of information detected by the API.

2605

"name": "A String", # Name of the information type. Either a name of your choosing when creating a CustomInfoType, or one of the names listed at https://cloud.google.com/dlp/docs/infotypes-reference when specifying a built-in type. When sending Cloud DLP results to Data Catalog, infoType names should conform to the pattern `[A-Za-z0-9$-_]{1,64}`.

},

],

},

],

},

"transformationErrorHandling": { # How to handle transformation errors during de-identification. A transformation error occurs when the requested transformation is incompatible with the data. For example, trying to de-identify an IP address using a `DateShift` transformation would result in a transformation error, since date info cannot be extracted from an IP address. Information about any incompatible transformations, and how they were handled, is returned in the response as part of the `TransformationOverviews`. # Mode for handling transformation errors. If left unspecified, the default mode is `TransformationErrorHandling.ThrowError`.

2612

"leaveUntransformed": { # Skips the data without modifying it if the requested transformation would cause an error. For example, if a `DateShift` transformation were applied an an IP address, this mode would leave the IP address unchanged in the response. # Ignore errors

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

2613

},

Bu Sun Kim

2020-07-22 17:02:09 -0700

[diff] [blame]

2614

"throwError": { # Throw an error and fail the request when a transformation error occurs. # Throw an error

2615

},

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

2616

},

Dmitry Frenkel

2020-10-06 16:46:05 -0700

[diff] [blame^]

2617

"recordTransformations": { # A type of transformation that is applied over structured data such as a table. # Treat the dataset as structured. Transformations can be applied to specific locations within structured datasets, such as transforming a column within a table.

2618

"recordSuppressions": [ # Configuration defining which records get suppressed entirely. Records that match any suppression rule are omitted from the output.

2619

{ # Configuration to suppress records whose suppression conditions evaluate to true.

2620

"condition": { # A condition for determining whether a transformation should be applied to a field. # A condition that when it evaluates to true will result in the record being evaluated to be suppressed from the transformed content.

Bu Sun Kim

2020-07-22 17:02:09 -0700

[diff] [blame]

2621

"expressions": { # An expression, consisting or an operator and conditions. # An expression.

2622

"conditions": { # A collection of conditions. # Conditions to apply to the expression.

2623

"conditions": [ # A collection of conditions.

Dmitry Frenkel

2020-10-06 16:46:05 -0700

[diff] [blame^]

2624

{ # The field type of `value` and `field` do not need to match to be considered equal, but not all comparisons are possible. EQUAL_TO and NOT_EQUAL_TO attempt to compare even with incompatible types, but all other comparisons are invalid with incompatible types. A `value` of type: - `string` can be compared against all other types - `boolean` can only be compared against other booleans - `integer` can be compared against doubles or a string if the string value can be parsed as an integer. - `double` can be compared against integers or a string if the string can be parsed as a double. - `Timestamp` can be compared against strings in RFC 3339 date string format. - `TimeOfDay` can be compared against timestamps and strings in the format of 'HH:mm:ss'. If we fail to compare do to type mismatch, a warning will be given and the condition will evaluate to false.

Bu Sun Kim

2020-07-22 17:02:09 -0700

[diff] [blame]

2625

"field": { # General identifier of a data field in a storage service. # Required. Field within the record this condition is evaluated against.

2626

"name": "A String", # Name describing the field.

2627

},

Dmitry Frenkel

2020-10-06 16:46:05 -0700

[diff] [blame^]

2628

"value": { # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a 'Value' is based on its representation as a UTF-8 encoded string. For example, if 'integer_value' is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data. # Value to compare against. [Mandatory, except for `EXISTS` tests.]

Bu Sun Kim

2020-07-22 17:02:09 -0700

[diff] [blame]

2629

"floatValue": 3.14, # float

Dmitry Frenkel

2020-10-06 16:46:05 -0700

[diff] [blame^]

2630

"integerValue": "A String", # integer

Bu Sun Kim

2020-07-22 17:02:09 -0700

[diff] [blame]

2631

"booleanValue": True or False, # boolean

Dmitry Frenkel

2020-10-06 16:46:05 -0700

[diff] [blame^]

2632

"timestampValue": "A String", # timestamp

2633

"dayOfWeekValue": "A String", # day of week

2634

"timeValue": { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # time of day

2635

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

2636

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds.

2637

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

2638

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value "24:00:00" for scenarios like business closing time.

2639

},

2640

"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day and time zone are either specified elsewhere or are not significant. The date is relative to the Proleptic Gregorian Calendar. This can represent: * A full date, with non-zero year, month and day values * A month and day value, with a zero year, e.g. an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, e.g. a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # date

2641

"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0 if specifying a year by itself or a year and month where the day is not significant.

2642

"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without a year.

2643

"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a month and day.

2644

},

2645

"stringValue": "A String", # string

Bu Sun Kim

2020-07-22 17:02:09 -0700

[diff] [blame]

2646

},

2647

"operator": "A String", # Required. Operator used to compare the field or infoType to the value.

2648

},

2649

],

2650

},

Dmitry Frenkel

2020-10-06 16:46:05 -0700

[diff] [blame^]

2651

"logicalOperator": "A String", # The operator to apply to the result of conditions. Default and currently only supported value is `AND`.

Bu Sun Kim

2020-07-22 17:02:09 -0700

[diff] [blame]

},

},

},

],

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

2656

"fieldTransformations": [ # Transform the record by applying various field transformations.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

2657

{ # The transformation to apply to the field.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

2658

"primitiveTransformation": { # A rule for transforming a value. # Apply the transformation to the entire field.

Dmitry Frenkel

2020-10-06 16:46:05 -0700

[diff] [blame^]

2659

"redactConfig": { # Redact a given value. For example, if used with an `InfoTypeTransformation` transforming PHONE_NUMBER, and input 'My phone number is 206-555-0123', the output would be 'My phone number is '. # Redact

2660

},

2661

"characterMaskConfig": { # Partially mask a string by replacing a given number of characters with a fixed character. Masking can start from the beginning or end of the string. This can be used on data of any type (numbers, longs, and so on) and when de-identifying structured data we'll attempt to preserve the original data's type. (This allows you to take a long like 123 and modify it to a string like **3. # Mask

2662

"numberToMask": 42, # Number of characters to mask. If not set, all matching chars will be masked. Skipped characters do not count towards this tally.

2663

"charactersToIgnore": [ # When masking a string, items in this list will be skipped when replacing characters. For example, if the input string is `555-555-5555` and you instruct Cloud DLP to skip `-` and mask 5 characters with `*`, Cloud DLP returns `***-**5-5555`.

2664

{ # Characters to skip when doing deidentification of a value. These will be left alone and skipped.

2665

"charactersToSkip": "A String", # Characters to not transform when masking.

2666

"commonCharactersToIgnore": "A String", # Common characters to not transform when masking. Useful to avoid removing punctuation.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

2667

},

Dmitry Frenkel

2020-10-06 16:46:05 -0700

[diff] [blame^]

2668

],

2669

"reverseOrder": True or False, # Mask characters in reverse order. For example, if `masking_character` is `0`, `number_to_mask` is `14`, and `reverse_order` is `false`, then the input string `1234-5678-9012-3456` is masked as `00000000000000-3456`. If `masking_character` is `*`, `number_to_mask` is `3`, and `reverse_order` is `true`, then the string `12345` is masked as `12***`.

2670

"maskingCharacter": "A String", # Character to use to mask the sensitive values—for example, `*` for an alphabetic string such as a name, or `0` for a numeric string such as ZIP code or credit card number. This string must have a length of 1. If not supplied, this value defaults to `*` for strings, and `0` for digits.

2671

},

2672

"dateShiftConfig": { # Shifts dates by random number of days, with option to be consistent for the same context. See https://cloud.google.com/dlp/docs/concepts-date-shifting to learn more. # Date Shift

2673

"lowerBoundDays": 42, # Required. For example, -5 means shift date to at most 5 days back in the past.

2674

"upperBoundDays": 42, # Required. Range of shift in days. Actual shift will be selected at random within this range (inclusive ends). Negative means shift to earlier in time. Must not be more than 365250 days (1000 years) each direction. For example, 3 means shift date to at most 3 days into the future.

2675

"cryptoKey": { # This is a data encryption key (DEK) (as opposed to a key encryption key (KEK) stored by KMS). When using KMS to wrap/unwrap DEKs, be sure to set an appropriate IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot unwrap the data crypto key. # Causes the shift to be computed based on this key and the context. This results in the same shift for the same context and crypto_key. If set, must also set context. Can only be applied to table items.

2676

"unwrapped": { # Using raw keys is prone to security risks due to accidentally leaking the key. Choose another type of key if possible. # Unwrapped crypto key

2677

"key": "A String", # Required. A 128/192/256 bit key.

2678

},

2679

"transient": { # Use this to have a random data crypto key generated. It will be discarded after the request finishes. # Transient crypto key

2680

"name": "A String", # Required. Name of the key. This is an arbitrary string used to differentiate different keys. A unique key is generated per name: two separate `TransientCryptoKey` protos share the same generated key if their names are the same. When the data crypto key is generated, this name is not used in any way (repeating the api call will result in a different key being generated).

2681

},

2682

"kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. The wrapped key must be a 128/192/256 bit key. Authorization requires the following IAM permissions when sending a request to perform a crypto transformation using a kms-wrapped crypto key: dlp.kms.encrypt # Kms wrapped key

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

2683

"cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.

2684

"wrappedKey": "A String", # Required. The wrapped data crypto key.

2685

},

Dmitry Frenkel

2020-10-06 16:46:05 -0700

[diff] [blame^]

2686

},

2687

"context": { # General identifier of a data field in a storage service. # Points to the field that contains the context, for example, an entity id. If set, must also set cryptoKey. If set, shift will be consistent for the given context.

2688

"name": "A String", # Name describing the field.

2689

},

2690

},

2691

"cryptoDeterministicConfig": { # Pseudonymization method that generates deterministic encryption for the given input. Outputs a base64 encoded representation of the encrypted output. Uses AES-SIV based on the RFC https://tools.ietf.org/html/rfc5297. # Deterministic Crypto

2692

"surrogateInfoType": { # Type of information detected by the API. # The custom info type to annotate the surrogate with. This annotation will be applied to the surrogate by prefixing it with the name of the custom info type followed by the number of characters comprising the surrogate. The following scheme defines the format: {info type name}({surrogate character count}):{surrogate} For example, if the name of custom info type is 'MY_TOKEN_INFO_TYPE' and the surrogate is 'abc', the full replacement value will be: 'MY_TOKEN_INFO_TYPE(3):abc' This annotation identifies the surrogate when inspecting content using the custom info type 'Surrogate'. This facilitates reversal of the surrogate when it occurs in free text. Note: For record transformations where the entire cell in a table is being transformed, surrogates are not mandatory. Surrogates are used to denote the location of the token and are necessary for re-identification in free form text. In order for inspection to work properly, the name of this info type must not occur naturally anywhere in your data; otherwise, inspection may either - reverse a surrogate that does not correspond to an actual identifier - be unable to parse the surrogate and result in an error Therefore, choose your custom info type name carefully after considering what your data looks like. One way to select a name that has a high chance of yielding reliable detection is to include one or more unicode characters that are highly improbable to exist in your data. For example, assuming your data is entered from a regular ASCII keyboard, the symbol with the hex code point 29DD might be used like so: ⧝MY_TOKEN_TYPE.

2693

"name": "A String", # Name of the information type. Either a name of your choosing when creating a CustomInfoType, or one of the names listed at https://cloud.google.com/dlp/docs/infotypes-reference when specifying a built-in type. When sending Cloud DLP results to Data Catalog, infoType names should conform to the pattern `[A-Za-z0-9$-_]{1,64}`.

2694

},

2695

"context": { # General identifier of a data field in a storage service. # A context may be used for higher security and maintaining referential integrity such that the same identifier in two different contexts will be given a distinct surrogate. The context is appended to plaintext value being encrypted. On decryption the provided context is validated against the value used during encryption. If a context was provided during encryption, same context must be provided during decryption as well. If the context is not set, plaintext would be used as is for encryption. If the context is set but: 1. there is no record present when transforming a given value or 2. the field is not present when transforming a given value, plaintext would be used as is for encryption. Note that case (1) is expected when an `InfoTypeTransformation` is applied to both structured and non-structured `ContentItem`s.

2696

"name": "A String", # Name describing the field.

2697

},

2698

"cryptoKey": { # This is a data encryption key (DEK) (as opposed to a key encryption key (KEK) stored by KMS). When using KMS to wrap/unwrap DEKs, be sure to set an appropriate IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot unwrap the data crypto key. # The key used by the encryption function.

2699

"unwrapped": { # Using raw keys is prone to security risks due to accidentally leaking the key. Choose another type of key if possible. # Unwrapped crypto key

Bu Sun Kim

2020-07-22 17:02:09 -0700

[diff] [blame]

2700

"key": "A String", # Required. A 128/192/256 bit key.

2701

},

Dmitry Frenkel

2020-10-06 16:46:05 -0700

[diff] [blame^]

2702

"transient": { # Use this to have a random data crypto key generated. It will be discarded after the request finishes. # Transient crypto key

2703

"name": "A String", # Required. Name of the key. This is an arbitrary string used to differentiate different keys. A unique key is generated per name: two separate `TransientCryptoKey` protos share the same generated key if their names are the same. When the data crypto key is generated, this name is not used in any way (repeating the api call will result in a different key being generated).

2704

},

2705

"kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. The wrapped key must be a 128/192/256 bit key. Authorization requires the following IAM permissions when sending a request to perform a crypto transformation using a kms-wrapped crypto key: dlp.kms.encrypt # Kms wrapped key

2706

"cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.

2707

"wrappedKey": "A String", # Required. The wrapped data crypto key.

2708

},

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

2709

},

Bu Sun Kim

2020-07-22 17:02:09 -0700

[diff] [blame]

2710

},

Dmitry Frenkel

2020-10-06 16:46:05 -0700

[diff] [blame^]

2711

"replaceConfig": { # Replace each input value with a given `Value`. # Replace

2712

"newValue": { # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a 'Value' is based on its representation as a UTF-8 encoded string. For example, if 'integer_value' is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data. # Value to replace it with.

2713

"floatValue": 3.14, # float

2714

"integerValue": "A String", # integer

2715

"booleanValue": True or False, # boolean

2716

"timestampValue": "A String", # timestamp

2717

"dayOfWeekValue": "A String", # day of week

2718

"timeValue": { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # time of day

2719

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

2720

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds.

2721

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

2722

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value "24:00:00" for scenarios like business closing time.

2723

},

2724

"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day and time zone are either specified elsewhere or are not significant. The date is relative to the Proleptic Gregorian Calendar. This can represent: * A full date, with non-zero year, month and day values * A month and day value, with a zero year, e.g. an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, e.g. a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # date

2725

"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0 if specifying a year by itself or a year and month where the day is not significant.

2726

"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without a year.

2727

"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a month and day.

2728

},

2729

"stringValue": "A String", # string

2730

},

2731

},

2732

"cryptoReplaceFfxFpeConfig": { # Replaces an identifier with a surrogate using Format Preserving Encryption (FPE) with the FFX mode of operation; however when used in the `ReidentifyContent` API method, it serves the opposite function by reversing the surrogate back into the original identifier. The identifier must be encoded as ASCII. For a given crypto key and context, the same identifier will be replaced with the same surrogate. Identifiers must be at least two characters long. In the case that the identifier is the empty string, it will be skipped. See https://cloud.google.com/dlp/docs/pseudonymization to learn more. Note: We recommend using CryptoDeterministicConfig for all use cases which do not require preserving the input alphabet space and size, plus warrant referential integrity. # Ffx-Fpe

2733

"surrogateInfoType": { # Type of information detected by the API. # The custom infoType to annotate the surrogate with. This annotation will be applied to the surrogate by prefixing it with the name of the custom infoType followed by the number of characters comprising the surrogate. The following scheme defines the format: info_type_name(surrogate_character_count):surrogate For example, if the name of custom infoType is 'MY_TOKEN_INFO_TYPE' and the surrogate is 'abc', the full replacement value will be: 'MY_TOKEN_INFO_TYPE(3):abc' This annotation identifies the surrogate when inspecting content using the custom infoType [`SurrogateType`](https://cloud.google.com/dlp/docs/reference/rest/v2/InspectConfig#surrogatetype). This facilitates reversal of the surrogate when it occurs in free text. In order for inspection to work properly, the name of this infoType must not occur naturally anywhere in your data; otherwise, inspection may find a surrogate that does not correspond to an actual identifier. Therefore, choose your custom infoType name carefully after considering what your data looks like. One way to select a name that has a high chance of yielding reliable detection is to include one or more unicode characters that are highly improbable to exist in your data. For example, assuming your data is entered from a regular ASCII keyboard, the symbol with the hex code point 29DD might be used like so: ⧝MY_TOKEN_TYPE

2734

"name": "A String", # Name of the information type. Either a name of your choosing when creating a CustomInfoType, or one of the names listed at https://cloud.google.com/dlp/docs/infotypes-reference when specifying a built-in type. When sending Cloud DLP results to Data Catalog, infoType names should conform to the pattern `[A-Za-z0-9$-_]{1,64}`.

2735

},

2736

"context": { # General identifier of a data field in a storage service. # The 'tweak', a context may be used for higher security since the same identifier in two different contexts won't be given the same surrogate. If the context is not set, a default tweak will be used. If the context is set but: 1. there is no record present when transforming a given value or 1. the field is not present when transforming a given value, a default tweak will be used. Note that case (1) is expected when an `InfoTypeTransformation` is applied to both structured and non-structured `ContentItem`s. Currently, the referenced field may be of value type integer or string. The tweak is constructed as a sequence of bytes in big endian byte order such that: - a 64 bit integer is encoded followed by a single byte of value 1 - a string is encoded in UTF-8 format followed by a single byte of value 2

2737

"name": "A String", # Name describing the field.

2738

},

2739

"customAlphabet": "A String", # This is supported by mapping these to the alphanumeric characters that the FFX mode natively supports. This happens before/after encryption/decryption. Each character listed must appear only once. Number of characters must be in the range [2, 95]. This must be encoded as ASCII. The order of characters does not matter. The full list of allowed characters is: 0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz ~`!@#$%^&*()_-+={[}]|\:;"'<,>.?/

2740

"commonAlphabet": "A String", # Common alphabets.

2741

"cryptoKey": { # This is a data encryption key (DEK) (as opposed to a key encryption key (KEK) stored by KMS). When using KMS to wrap/unwrap DEKs, be sure to set an appropriate IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot unwrap the data crypto key. # Required. The key used by the encryption algorithm.

2742

"unwrapped": { # Using raw keys is prone to security risks due to accidentally leaking the key. Choose another type of key if possible. # Unwrapped crypto key

2743

"key": "A String", # Required. A 128/192/256 bit key.

2744

},

2745

"transient": { # Use this to have a random data crypto key generated. It will be discarded after the request finishes. # Transient crypto key

2746

"name": "A String", # Required. Name of the key. This is an arbitrary string used to differentiate different keys. A unique key is generated per name: two separate `TransientCryptoKey` protos share the same generated key if their names are the same. When the data crypto key is generated, this name is not used in any way (repeating the api call will result in a different key being generated).

2747

},

2748

"kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. The wrapped key must be a 128/192/256 bit key. Authorization requires the following IAM permissions when sending a request to perform a crypto transformation using a kms-wrapped crypto key: dlp.kms.encrypt # Kms wrapped key

2749

"cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.

2750

"wrappedKey": "A String", # Required. The wrapped data crypto key.

2751

},

2752

},

2753

"radix": 42, # The native way to select the alphabet. Must be in the range [2, 95].

2754

},

2755

"cryptoHashConfig": { # Pseudonymization method that generates surrogates via cryptographic hashing. Uses SHA-256. The key size must be either 32 or 64 bytes. Outputs a base64 encoded representation of the hashed output (for example, L7k0BHmF1ha5U3NfGykjro4xWi1MPVQPjhMAZbSV9mM=). Currently, only string and integer values can be hashed. See https://cloud.google.com/dlp/docs/pseudonymization to learn more. # Crypto

2756

"cryptoKey": { # This is a data encryption key (DEK) (as opposed to a key encryption key (KEK) stored by KMS). When using KMS to wrap/unwrap DEKs, be sure to set an appropriate IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot unwrap the data crypto key. # The key used by the hash function.

2757

"unwrapped": { # Using raw keys is prone to security risks due to accidentally leaking the key. Choose another type of key if possible. # Unwrapped crypto key

2758

"key": "A String", # Required. A 128/192/256 bit key.

2759

},

2760

"transient": { # Use this to have a random data crypto key generated. It will be discarded after the request finishes. # Transient crypto key

2761

"name": "A String", # Required. Name of the key. This is an arbitrary string used to differentiate different keys. A unique key is generated per name: two separate `TransientCryptoKey` protos share the same generated key if their names are the same. When the data crypto key is generated, this name is not used in any way (repeating the api call will result in a different key being generated).

2762

},

2763

"kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. The wrapped key must be a 128/192/256 bit key. Authorization requires the following IAM permissions when sending a request to perform a crypto transformation using a kms-wrapped crypto key: dlp.kms.encrypt # Kms wrapped key

2764

"cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.

2765

"wrappedKey": "A String", # Required. The wrapped data crypto key.

},

},

},

"bucketingConfig": { # Generalization function that buckets values based on ranges. The ranges and replacement values are dynamically provided by the user for custom behavior, such as 1-30 -> LOW 31-65 -> MEDIUM 66-100 -> HIGH This can be used on data of type: number, long, string, timestamp. If the bound `Value` type differs from the type of data being transformed, we will first attempt converting the type of the data to be transformed to match the type of the bound before comparing. See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more. # Bucketing

2770

"buckets": [ # Set of buckets. Ranges must be non-overlapping.

2771

{ # Bucket is represented as a range, along with replacement values.

2772

"max": { # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a 'Value' is based on its representation as a UTF-8 encoded string. For example, if 'integer_value' is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data. # Upper bound of the range, exclusive; type must match min.

2773

"floatValue": 3.14, # float

2774

"integerValue": "A String", # integer

2775

"booleanValue": True or False, # boolean

2776

"timestampValue": "A String", # timestamp

2777

"dayOfWeekValue": "A String", # day of week

2778

"timeValue": { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # time of day

2779

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

2780

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds.

2781

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

2782

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value "24:00:00" for scenarios like business closing time.

2783

},

2784

"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day and time zone are either specified elsewhere or are not significant. The date is relative to the Proleptic Gregorian Calendar. This can represent: * A full date, with non-zero year, month and day values * A month and day value, with a zero year, e.g. an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, e.g. a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # date

2785

"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0 if specifying a year by itself or a year and month where the day is not significant.

2786

"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without a year.

2787

"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a month and day.

2788

},

2789

"stringValue": "A String", # string

2790

},

2791

"min": { # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a 'Value' is based on its representation as a UTF-8 encoded string. For example, if 'integer_value' is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data. # Lower bound of the range, inclusive. Type should be the same as max if used.

2792

"floatValue": 3.14, # float

2793

"integerValue": "A String", # integer

2794

"booleanValue": True or False, # boolean

2795

"timestampValue": "A String", # timestamp

2796

"dayOfWeekValue": "A String", # day of week

2797

"timeValue": { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # time of day

2798

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

2799

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds.

2800

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

2801

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value "24:00:00" for scenarios like business closing time.

2802

},

2803

"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day and time zone are either specified elsewhere or are not significant. The date is relative to the Proleptic Gregorian Calendar. This can represent: * A full date, with non-zero year, month and day values * A month and day value, with a zero year, e.g. an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, e.g. a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # date

2804

"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0 if specifying a year by itself or a year and month where the day is not significant.

2805

"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without a year.

2806

"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a month and day.

2807

},

2808

"stringValue": "A String", # string

2809

},

2810

"replacementValue": { # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a 'Value' is based on its representation as a UTF-8 encoded string. For example, if 'integer_value' is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data. # Required. Replacement value for this bucket.

2811

"floatValue": 3.14, # float

2812

"integerValue": "A String", # integer

2813

"booleanValue": True or False, # boolean

2814

"timestampValue": "A String", # timestamp

2815

"dayOfWeekValue": "A String", # day of week

2816

"timeValue": { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # time of day

2817

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

2818

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds.

2819

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

2820

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value "24:00:00" for scenarios like business closing time.

2821

},

2822

"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day and time zone are either specified elsewhere or are not significant. The date is relative to the Proleptic Gregorian Calendar. This can represent: * A full date, with non-zero year, month and day values * A month and day value, with a zero year, e.g. an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, e.g. a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # date

2823

"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0 if specifying a year by itself or a year and month where the day is not significant.

2824

"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without a year.

2825

"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a month and day.

2826

},

2827

"stringValue": "A String", # string

2828

},

2829

},

2830

],

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

2831

},

2832

"replaceWithInfoTypeConfig": { # Replace each matching finding with the name of the info_type. # Replace with infotype

2833

},

Dmitry Frenkel

2020-10-06 16:46:05 -0700

[diff] [blame^]

2834

"timePartConfig": { # For use with `Date`, `Timestamp`, and `TimeOfDay`, extract or preserve a portion of the value. # Time extraction

2835

"partToExtract": "A String", # The part of the time to keep.

2836

},

2837

"fixedSizeBucketingConfig": { # Buckets values based on fixed size ranges. The Bucketing transformation can provide all of this functionality, but requires more configuration. This message is provided as a convenience to the user for simple bucketing strategies. The transformed value will be a hyphenated string of {lower_bound}-{upper_bound}, i.e if lower_bound = 10 and upper_bound = 20 all values that are within this bucket will be replaced with "10-20". This can be used on data of type: double, long. If the bound Value type differs from the type of data being transformed, we will first attempt converting the type of the data to be transformed to match the type of the bound before comparing. See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more. # Fixed size bucketing

2838

"bucketSize": 3.14, # Required. Size of each bucket (except for minimum and maximum buckets). So if `lower_bound` = 10, `upper_bound` = 89, and `bucket_size` = 10, then the following buckets would be used: -10, 10-20, 20-30, 30-40, 40-50, 50-60, 60-70, 70-80, 80-89, 89+. Precision up to 2 decimals works.

2839

"lowerBound": { # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a 'Value' is based on its representation as a UTF-8 encoded string. For example, if 'integer_value' is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data. # Required. Lower bound value of buckets. All values less than `lower_bound` are grouped together into a single bucket; for example if `lower_bound` = 10, then all values less than 10 are replaced with the value "-10".

Bu Sun Kim

2020-07-22 17:02:09 -0700

[diff] [blame]

2840

"floatValue": 3.14, # float

Bu Sun Kim

2020-07-22 17:02:09 -0700

[diff] [blame]

2841

"integerValue": "A String", # integer

Bu Sun Kim

2020-07-22 17:02:09 -0700

[diff] [blame]

2842

"booleanValue": True or False, # boolean

Dmitry Frenkel

2020-10-06 16:46:05 -0700

[diff] [blame^]

2843

"timestampValue": "A String", # timestamp

2844

"dayOfWeekValue": "A String", # day of week

2845

"timeValue": { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # time of day

2846

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

2847

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds.

2848

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

2849

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value "24:00:00" for scenarios like business closing time.

2850

},

2851

"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day and time zone are either specified elsewhere or are not significant. The date is relative to the Proleptic Gregorian Calendar. This can represent: * A full date, with non-zero year, month and day values * A month and day value, with a zero year, e.g. an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, e.g. a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # date

2852

"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0 if specifying a year by itself or a year and month where the day is not significant.

2853

"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without a year.

2854

"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a month and day.

2855

},

2856

"stringValue": "A String", # string

Bu Sun Kim

2020-07-22 17:02:09 -0700

[diff] [blame]

2857

},

Dmitry Frenkel

2020-10-06 16:46:05 -0700

[diff] [blame^]

2858

"upperBound": { # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a 'Value' is based on its representation as a UTF-8 encoded string. For example, if 'integer_value' is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data. # Required. Upper bound value of buckets. All values greater than upper_bound are grouped together into a single bucket; for example if `upper_bound` = 89, then all values greater than 89 are replaced with the value "89+".

2859

"floatValue": 3.14, # float

Bu Sun Kim

2020-07-22 17:02:09 -0700

[diff] [blame]

2860

"integerValue": "A String", # integer

Bu Sun Kim

2020-07-22 17:02:09 -0700

[diff] [blame]

2861

"booleanValue": True or False, # boolean

Dmitry Frenkel

2020-10-06 16:46:05 -0700

[diff] [blame^]

2862

"timestampValue": "A String", # timestamp

2863

"dayOfWeekValue": "A String", # day of week

2864

"timeValue": { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # time of day

2865

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

2866

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds.

2867

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

2868

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value "24:00:00" for scenarios like business closing time.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

2869

},

Dmitry Frenkel

2020-10-06 16:46:05 -0700

[diff] [blame^]

2870

"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day and time zone are either specified elsewhere or are not significant. The date is relative to the Proleptic Gregorian Calendar. This can represent: * A full date, with non-zero year, month and day values * A month and day value, with a zero year, e.g. an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, e.g. a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # date

2871

"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0 if specifying a year by itself or a year and month where the day is not significant.

2872

"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without a year.

2873

"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a month and day.

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

2874

},

Dmitry Frenkel

2020-10-06 16:46:05 -0700

[diff] [blame^]

2875

"stringValue": "A String", # string

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

2876

},

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

2877

},

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

2878

},

Dmitry Frenkel

2020-10-06 16:46:05 -0700

[diff] [blame^]

2879

"condition": { # A condition for determining whether a transformation should be applied to a field. # Only apply the transformation if the condition evaluates to true for the given `RecordCondition`. The conditions are allowed to reference fields that are not used in the actual transformation. Example Use Cases: - Apply a different bucket transformation to an age column if the zip code column for the same record is within a specific range. - Redact a field if the date of birth field is greater than 85.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

2880

"expressions": { # An expression, consisting or an operator and conditions. # An expression.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

2881

"conditions": { # A collection of conditions. # Conditions to apply to the expression.

2882

"conditions": [ # A collection of conditions.

Dmitry Frenkel

2020-10-06 16:46:05 -0700

[diff] [blame^]

2883

{ # The field type of `value` and `field` do not need to match to be considered equal, but not all comparisons are possible. EQUAL_TO and NOT_EQUAL_TO attempt to compare even with incompatible types, but all other comparisons are invalid with incompatible types. A `value` of type: - `string` can be compared against all other types - `boolean` can only be compared against other booleans - `integer` can be compared against doubles or a string if the string value can be parsed as an integer. - `double` can be compared against integers or a string if the string can be parsed as a double. - `Timestamp` can be compared against strings in RFC 3339 date string format. - `TimeOfDay` can be compared against timestamps and strings in the format of 'HH:mm:ss'. If we fail to compare do to type mismatch, a warning will be given and the condition will evaluate to false.

Bu Sun Kim

2020-07-22 17:02:09 -0700

[diff] [blame]

2884

"field": { # General identifier of a data field in a storage service. # Required. Field within the record this condition is evaluated against.

2885

"name": "A String", # Name describing the field.

2886

},

Dmitry Frenkel

2020-10-06 16:46:05 -0700

[diff] [blame^]

2887

"value": { # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a 'Value' is based on its representation as a UTF-8 encoded string. For example, if 'integer_value' is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data. # Value to compare against. [Mandatory, except for `EXISTS` tests.]

Bu Sun Kim

2020-07-22 17:02:09 -0700

[diff] [blame]

2888

"floatValue": 3.14, # float

Dmitry Frenkel

2020-10-06 16:46:05 -0700

[diff] [blame^]

2889

"integerValue": "A String", # integer

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

2890

"booleanValue": True or False, # boolean

Dmitry Frenkel

2020-10-06 16:46:05 -0700

[diff] [blame^]

2891

"timestampValue": "A String", # timestamp

2892

"dayOfWeekValue": "A String", # day of week

2893

"timeValue": { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # time of day

2894

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

2895

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds.

2896

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

2897

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value "24:00:00" for scenarios like business closing time.

2898

},

2899

"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day and time zone are either specified elsewhere or are not significant. The date is relative to the Proleptic Gregorian Calendar. This can represent: * A full date, with non-zero year, month and day values * A month and day value, with a zero year, e.g. an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, e.g. a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # date

2900

"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0 if specifying a year by itself or a year and month where the day is not significant.

2901

"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without a year.

2902

"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a month and day.

2903

},

2904

"stringValue": "A String", # string

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

2905

},

2906

"operator": "A String", # Required. Operator used to compare the field or infoType to the value.

2907

},

2908

],

2909

},

Dmitry Frenkel

2020-10-06 16:46:05 -0700

[diff] [blame^]

2910

"logicalOperator": "A String", # The operator to apply to the result of conditions. Default and currently only supported value is `AND`.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

2911

},

2912

},

Dmitry Frenkel

2020-10-06 16:46:05 -0700

[diff] [blame^]

2913

"infoTypeTransformations": { # A type of transformation that will scan unstructured text and apply various `PrimitiveTransformation`s to each finding, where the transformation is applied to only values that were identified as a specific info_type. # Treat the contents of the field as free text, and selectively transform content that matches an `InfoType`.

2914

"transformations": [ # Required. Transformation for each infoType. Cannot specify more than one for a given infoType.

2915

{ # A transformation to apply to text that is identified as a specific info_type.

2916

"primitiveTransformation": { # A rule for transforming a value. # Required. Primitive transformation to apply to the infoType.

2917

"redactConfig": { # Redact a given value. For example, if used with an `InfoTypeTransformation` transforming PHONE_NUMBER, and input 'My phone number is 206-555-0123', the output would be 'My phone number is '. # Redact

2918

},

2919

"characterMaskConfig": { # Partially mask a string by replacing a given number of characters with a fixed character. Masking can start from the beginning or end of the string. This can be used on data of any type (numbers, longs, and so on) and when de-identifying structured data we'll attempt to preserve the original data's type. (This allows you to take a long like 123 and modify it to a string like **3. # Mask

2920

"numberToMask": 42, # Number of characters to mask. If not set, all matching chars will be masked. Skipped characters do not count towards this tally.

2921

"charactersToIgnore": [ # When masking a string, items in this list will be skipped when replacing characters. For example, if the input string is `555-555-5555` and you instruct Cloud DLP to skip `-` and mask 5 characters with `*`, Cloud DLP returns `***-**5-5555`.

2922

{ # Characters to skip when doing deidentification of a value. These will be left alone and skipped.

2923

"charactersToSkip": "A String", # Characters to not transform when masking.

2924

"commonCharactersToIgnore": "A String", # Common characters to not transform when masking. Useful to avoid removing punctuation.

2925

},

2926

],

2927

"reverseOrder": True or False, # Mask characters in reverse order. For example, if `masking_character` is `0`, `number_to_mask` is `14`, and `reverse_order` is `false`, then the input string `1234-5678-9012-3456` is masked as `00000000000000-3456`. If `masking_character` is `*`, `number_to_mask` is `3`, and `reverse_order` is `true`, then the string `12345` is masked as `12***`.

2928

"maskingCharacter": "A String", # Character to use to mask the sensitive values—for example, `*` for an alphabetic string such as a name, or `0` for a numeric string such as ZIP code or credit card number. This string must have a length of 1. If not supplied, this value defaults to `*` for strings, and `0` for digits.

2929

},

2930

"dateShiftConfig": { # Shifts dates by random number of days, with option to be consistent for the same context. See https://cloud.google.com/dlp/docs/concepts-date-shifting to learn more. # Date Shift

2931

"lowerBoundDays": 42, # Required. For example, -5 means shift date to at most 5 days back in the past.

2932

"upperBoundDays": 42, # Required. Range of shift in days. Actual shift will be selected at random within this range (inclusive ends). Negative means shift to earlier in time. Must not be more than 365250 days (1000 years) each direction. For example, 3 means shift date to at most 3 days into the future.

2933

"cryptoKey": { # This is a data encryption key (DEK) (as opposed to a key encryption key (KEK) stored by KMS). When using KMS to wrap/unwrap DEKs, be sure to set an appropriate IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot unwrap the data crypto key. # Causes the shift to be computed based on this key and the context. This results in the same shift for the same context and crypto_key. If set, must also set context. Can only be applied to table items.

2934

"unwrapped": { # Using raw keys is prone to security risks due to accidentally leaking the key. Choose another type of key if possible. # Unwrapped crypto key

2935

"key": "A String", # Required. A 128/192/256 bit key.

2936

},

2937

"transient": { # Use this to have a random data crypto key generated. It will be discarded after the request finishes. # Transient crypto key

2938

"name": "A String", # Required. Name of the key. This is an arbitrary string used to differentiate different keys. A unique key is generated per name: two separate `TransientCryptoKey` protos share the same generated key if their names are the same. When the data crypto key is generated, this name is not used in any way (repeating the api call will result in a different key being generated).

2939

},

2940

"kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. The wrapped key must be a 128/192/256 bit key. Authorization requires the following IAM permissions when sending a request to perform a crypto transformation using a kms-wrapped crypto key: dlp.kms.encrypt # Kms wrapped key

2941

"cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.

2942

"wrappedKey": "A String", # Required. The wrapped data crypto key.

2943

},

2944

},

2945

"context": { # General identifier of a data field in a storage service. # Points to the field that contains the context, for example, an entity id. If set, must also set cryptoKey. If set, shift will be consistent for the given context.

2946

"name": "A String", # Name describing the field.

2947

},

2948

},

2949

"cryptoDeterministicConfig": { # Pseudonymization method that generates deterministic encryption for the given input. Outputs a base64 encoded representation of the encrypted output. Uses AES-SIV based on the RFC https://tools.ietf.org/html/rfc5297. # Deterministic Crypto

2950

"surrogateInfoType": { # Type of information detected by the API. # The custom info type to annotate the surrogate with. This annotation will be applied to the surrogate by prefixing it with the name of the custom info type followed by the number of characters comprising the surrogate. The following scheme defines the format: {info type name}({surrogate character count}):{surrogate} For example, if the name of custom info type is 'MY_TOKEN_INFO_TYPE' and the surrogate is 'abc', the full replacement value will be: 'MY_TOKEN_INFO_TYPE(3):abc' This annotation identifies the surrogate when inspecting content using the custom info type 'Surrogate'. This facilitates reversal of the surrogate when it occurs in free text. Note: For record transformations where the entire cell in a table is being transformed, surrogates are not mandatory. Surrogates are used to denote the location of the token and are necessary for re-identification in free form text. In order for inspection to work properly, the name of this info type must not occur naturally anywhere in your data; otherwise, inspection may either - reverse a surrogate that does not correspond to an actual identifier - be unable to parse the surrogate and result in an error Therefore, choose your custom info type name carefully after considering what your data looks like. One way to select a name that has a high chance of yielding reliable detection is to include one or more unicode characters that are highly improbable to exist in your data. For example, assuming your data is entered from a regular ASCII keyboard, the symbol with the hex code point 29DD might be used like so: ⧝MY_TOKEN_TYPE.

2951

"name": "A String", # Name of the information type. Either a name of your choosing when creating a CustomInfoType, or one of the names listed at https://cloud.google.com/dlp/docs/infotypes-reference when specifying a built-in type. When sending Cloud DLP results to Data Catalog, infoType names should conform to the pattern `[A-Za-z0-9$-_]{1,64}`.

2952

},

2953

"context": { # General identifier of a data field in a storage service. # A context may be used for higher security and maintaining referential integrity such that the same identifier in two different contexts will be given a distinct surrogate. The context is appended to plaintext value being encrypted. On decryption the provided context is validated against the value used during encryption. If a context was provided during encryption, same context must be provided during decryption as well. If the context is not set, plaintext would be used as is for encryption. If the context is set but: 1. there is no record present when transforming a given value or 2. the field is not present when transforming a given value, plaintext would be used as is for encryption. Note that case (1) is expected when an `InfoTypeTransformation` is applied to both structured and non-structured `ContentItem`s.

2954

"name": "A String", # Name describing the field.

2955

},

2956

"cryptoKey": { # This is a data encryption key (DEK) (as opposed to a key encryption key (KEK) stored by KMS). When using KMS to wrap/unwrap DEKs, be sure to set an appropriate IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot unwrap the data crypto key. # The key used by the encryption function.

2957

"unwrapped": { # Using raw keys is prone to security risks due to accidentally leaking the key. Choose another type of key if possible. # Unwrapped crypto key

2958

"key": "A String", # Required. A 128/192/256 bit key.

2959

},

2960

"transient": { # Use this to have a random data crypto key generated. It will be discarded after the request finishes. # Transient crypto key

2961

"name": "A String", # Required. Name of the key. This is an arbitrary string used to differentiate different keys. A unique key is generated per name: two separate `TransientCryptoKey` protos share the same generated key if their names are the same. When the data crypto key is generated, this name is not used in any way (repeating the api call will result in a different key being generated).

2962

},

2963

"kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. The wrapped key must be a 128/192/256 bit key. Authorization requires the following IAM permissions when sending a request to perform a crypto transformation using a kms-wrapped crypto key: dlp.kms.encrypt # Kms wrapped key

2964

"cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.

2965

"wrappedKey": "A String", # Required. The wrapped data crypto key.

},

},

},

"replaceConfig": { # Replace each input value with a given `Value`. # Replace

2970

"newValue": { # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a 'Value' is based on its representation as a UTF-8 encoded string. For example, if 'integer_value' is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data. # Value to replace it with.

2971

"floatValue": 3.14, # float

2972

"integerValue": "A String", # integer

2973

"booleanValue": True or False, # boolean

2974

"timestampValue": "A String", # timestamp

2975

"dayOfWeekValue": "A String", # day of week

2976

"timeValue": { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # time of day

2977

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

2978

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds.

2979

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

2980

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value "24:00:00" for scenarios like business closing time.

2981

},

2982

"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day and time zone are either specified elsewhere or are not significant. The date is relative to the Proleptic Gregorian Calendar. This can represent: * A full date, with non-zero year, month and day values * A month and day value, with a zero year, e.g. an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, e.g. a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # date

2983

"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0 if specifying a year by itself or a year and month where the day is not significant.

2984

"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without a year.

2985

"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a month and day.

2986

},

2987

"stringValue": "A String", # string

2988

},

2989

},

2990

"cryptoReplaceFfxFpeConfig": { # Replaces an identifier with a surrogate using Format Preserving Encryption (FPE) with the FFX mode of operation; however when used in the `ReidentifyContent` API method, it serves the opposite function by reversing the surrogate back into the original identifier. The identifier must be encoded as ASCII. For a given crypto key and context, the same identifier will be replaced with the same surrogate. Identifiers must be at least two characters long. In the case that the identifier is the empty string, it will be skipped. See https://cloud.google.com/dlp/docs/pseudonymization to learn more. Note: We recommend using CryptoDeterministicConfig for all use cases which do not require preserving the input alphabet space and size, plus warrant referential integrity. # Ffx-Fpe

2991

"surrogateInfoType": { # Type of information detected by the API. # The custom infoType to annotate the surrogate with. This annotation will be applied to the surrogate by prefixing it with the name of the custom infoType followed by the number of characters comprising the surrogate. The following scheme defines the format: info_type_name(surrogate_character_count):surrogate For example, if the name of custom infoType is 'MY_TOKEN_INFO_TYPE' and the surrogate is 'abc', the full replacement value will be: 'MY_TOKEN_INFO_TYPE(3):abc' This annotation identifies the surrogate when inspecting content using the custom infoType [`SurrogateType`](https://cloud.google.com/dlp/docs/reference/rest/v2/InspectConfig#surrogatetype). This facilitates reversal of the surrogate when it occurs in free text. In order for inspection to work properly, the name of this infoType must not occur naturally anywhere in your data; otherwise, inspection may find a surrogate that does not correspond to an actual identifier. Therefore, choose your custom infoType name carefully after considering what your data looks like. One way to select a name that has a high chance of yielding reliable detection is to include one or more unicode characters that are highly improbable to exist in your data. For example, assuming your data is entered from a regular ASCII keyboard, the symbol with the hex code point 29DD might be used like so: ⧝MY_TOKEN_TYPE

2992

"name": "A String", # Name of the information type. Either a name of your choosing when creating a CustomInfoType, or one of the names listed at https://cloud.google.com/dlp/docs/infotypes-reference when specifying a built-in type. When sending Cloud DLP results to Data Catalog, infoType names should conform to the pattern `[A-Za-z0-9$-_]{1,64}`.

2993

},

2994

"context": { # General identifier of a data field in a storage service. # The 'tweak', a context may be used for higher security since the same identifier in two different contexts won't be given the same surrogate. If the context is not set, a default tweak will be used. If the context is set but: 1. there is no record present when transforming a given value or 1. the field is not present when transforming a given value, a default tweak will be used. Note that case (1) is expected when an `InfoTypeTransformation` is applied to both structured and non-structured `ContentItem`s. Currently, the referenced field may be of value type integer or string. The tweak is constructed as a sequence of bytes in big endian byte order such that: - a 64 bit integer is encoded followed by a single byte of value 1 - a string is encoded in UTF-8 format followed by a single byte of value 2

2995

"name": "A String", # Name describing the field.

2996

},

2997

"customAlphabet": "A String", # This is supported by mapping these to the alphanumeric characters that the FFX mode natively supports. This happens before/after encryption/decryption. Each character listed must appear only once. Number of characters must be in the range [2, 95]. This must be encoded as ASCII. The order of characters does not matter. The full list of allowed characters is: 0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz ~`!@#$%^&*()_-+={[}]|\:;"'<,>.?/

2998

"commonAlphabet": "A String", # Common alphabets.

2999

"cryptoKey": { # This is a data encryption key (DEK) (as opposed to a key encryption key (KEK) stored by KMS). When using KMS to wrap/unwrap DEKs, be sure to set an appropriate IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot unwrap the data crypto key. # Required. The key used by the encryption algorithm.

3000

"unwrapped": { # Using raw keys is prone to security risks due to accidentally leaking the key. Choose another type of key if possible. # Unwrapped crypto key

3001

"key": "A String", # Required. A 128/192/256 bit key.

3002

},

3003

"transient": { # Use this to have a random data crypto key generated. It will be discarded after the request finishes. # Transient crypto key

3004

"name": "A String", # Required. Name of the key. This is an arbitrary string used to differentiate different keys. A unique key is generated per name: two separate `TransientCryptoKey` protos share the same generated key if their names are the same. When the data crypto key is generated, this name is not used in any way (repeating the api call will result in a different key being generated).

3005

},

3006

"kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. The wrapped key must be a 128/192/256 bit key. Authorization requires the following IAM permissions when sending a request to perform a crypto transformation using a kms-wrapped crypto key: dlp.kms.encrypt # Kms wrapped key

3007

"cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.

3008

"wrappedKey": "A String", # Required. The wrapped data crypto key.

3009

},

3010

},

3011

"radix": 42, # The native way to select the alphabet. Must be in the range [2, 95].

3012

},

3013

"cryptoHashConfig": { # Pseudonymization method that generates surrogates via cryptographic hashing. Uses SHA-256. The key size must be either 32 or 64 bytes. Outputs a base64 encoded representation of the hashed output (for example, L7k0BHmF1ha5U3NfGykjro4xWi1MPVQPjhMAZbSV9mM=). Currently, only string and integer values can be hashed. See https://cloud.google.com/dlp/docs/pseudonymization to learn more. # Crypto

3014

"cryptoKey": { # This is a data encryption key (DEK) (as opposed to a key encryption key (KEK) stored by KMS). When using KMS to wrap/unwrap DEKs, be sure to set an appropriate IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot unwrap the data crypto key. # The key used by the hash function.

3015

"unwrapped": { # Using raw keys is prone to security risks due to accidentally leaking the key. Choose another type of key if possible. # Unwrapped crypto key

3016

"key": "A String", # Required. A 128/192/256 bit key.

3017

},

3018

"transient": { # Use this to have a random data crypto key generated. It will be discarded after the request finishes. # Transient crypto key

3019

"name": "A String", # Required. Name of the key. This is an arbitrary string used to differentiate different keys. A unique key is generated per name: two separate `TransientCryptoKey` protos share the same generated key if their names are the same. When the data crypto key is generated, this name is not used in any way (repeating the api call will result in a different key being generated).

3020

},

3021

"kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. The wrapped key must be a 128/192/256 bit key. Authorization requires the following IAM permissions when sending a request to perform a crypto transformation using a kms-wrapped crypto key: dlp.kms.encrypt # Kms wrapped key

3022

"cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.

3023

"wrappedKey": "A String", # Required. The wrapped data crypto key.

},

},

},

"bucketingConfig": { # Generalization function that buckets values based on ranges. The ranges and replacement values are dynamically provided by the user for custom behavior, such as 1-30 -> LOW 31-65 -> MEDIUM 66-100 -> HIGH This can be used on data of type: number, long, string, timestamp. If the bound `Value` type differs from the type of data being transformed, we will first attempt converting the type of the data to be transformed to match the type of the bound before comparing. See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more. # Bucketing

3028

"buckets": [ # Set of buckets. Ranges must be non-overlapping.

3029

{ # Bucket is represented as a range, along with replacement values.

3030

"max": { # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a 'Value' is based on its representation as a UTF-8 encoded string. For example, if 'integer_value' is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data. # Upper bound of the range, exclusive; type must match min.

3031

"floatValue": 3.14, # float

3032

"integerValue": "A String", # integer

3033

"booleanValue": True or False, # boolean

3034

"timestampValue": "A String", # timestamp

3035

"dayOfWeekValue": "A String", # day of week

3036

"timeValue": { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # time of day

3037

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

3038

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds.

3039

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

3040

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value "24:00:00" for scenarios like business closing time.

3041

},

3042

"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day and time zone are either specified elsewhere or are not significant. The date is relative to the Proleptic Gregorian Calendar. This can represent: * A full date, with non-zero year, month and day values * A month and day value, with a zero year, e.g. an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, e.g. a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # date

3043

"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0 if specifying a year by itself or a year and month where the day is not significant.

3044

"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without a year.

3045

"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a month and day.

3046

},

3047

"stringValue": "A String", # string

3048

},

3049

"min": { # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a 'Value' is based on its representation as a UTF-8 encoded string. For example, if 'integer_value' is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data. # Lower bound of the range, inclusive. Type should be the same as max if used.

3050

"floatValue": 3.14, # float

3051

"integerValue": "A String", # integer

3052

"booleanValue": True or False, # boolean

3053

"timestampValue": "A String", # timestamp

3054

"dayOfWeekValue": "A String", # day of week

3055

"timeValue": { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # time of day

3056

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

3057

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds.

3058

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

3059

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value "24:00:00" for scenarios like business closing time.

3060

},

3061

"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day and time zone are either specified elsewhere or are not significant. The date is relative to the Proleptic Gregorian Calendar. This can represent: * A full date, with non-zero year, month and day values * A month and day value, with a zero year, e.g. an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, e.g. a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # date

3062

"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0 if specifying a year by itself or a year and month where the day is not significant.

3063

"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without a year.

3064

"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a month and day.

3065

},

3066

"stringValue": "A String", # string

3067

},

3068

"replacementValue": { # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a 'Value' is based on its representation as a UTF-8 encoded string. For example, if 'integer_value' is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data. # Required. Replacement value for this bucket.

3069

"floatValue": 3.14, # float

3070

"integerValue": "A String", # integer

3071

"booleanValue": True or False, # boolean

3072

"timestampValue": "A String", # timestamp

3073

"dayOfWeekValue": "A String", # day of week

3074

"timeValue": { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # time of day

3075

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

3076

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds.

3077

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

3078

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value "24:00:00" for scenarios like business closing time.

3079

},

3080

"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day and time zone are either specified elsewhere or are not significant. The date is relative to the Proleptic Gregorian Calendar. This can represent: * A full date, with non-zero year, month and day values * A month and day value, with a zero year, e.g. an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, e.g. a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # date

3081

"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0 if specifying a year by itself or a year and month where the day is not significant.

3082

"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without a year.

3083

"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a month and day.

3084

},

3085

"stringValue": "A String", # string

},

},

],

},

"replaceWithInfoTypeConfig": { # Replace each matching finding with the name of the info_type. # Replace with infotype

3091

},

3092

"timePartConfig": { # For use with `Date`, `Timestamp`, and `TimeOfDay`, extract or preserve a portion of the value. # Time extraction

3093

"partToExtract": "A String", # The part of the time to keep.

3094

},

3095

"fixedSizeBucketingConfig": { # Buckets values based on fixed size ranges. The Bucketing transformation can provide all of this functionality, but requires more configuration. This message is provided as a convenience to the user for simple bucketing strategies. The transformed value will be a hyphenated string of {lower_bound}-{upper_bound}, i.e if lower_bound = 10 and upper_bound = 20 all values that are within this bucket will be replaced with "10-20". This can be used on data of type: double, long. If the bound Value type differs from the type of data being transformed, we will first attempt converting the type of the data to be transformed to match the type of the bound before comparing. See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more. # Fixed size bucketing

3096

"bucketSize": 3.14, # Required. Size of each bucket (except for minimum and maximum buckets). So if `lower_bound` = 10, `upper_bound` = 89, and `bucket_size` = 10, then the following buckets would be used: -10, 10-20, 20-30, 30-40, 40-50, 50-60, 60-70, 70-80, 80-89, 89+. Precision up to 2 decimals works.

3097

"lowerBound": { # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a 'Value' is based on its representation as a UTF-8 encoded string. For example, if 'integer_value' is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data. # Required. Lower bound value of buckets. All values less than `lower_bound` are grouped together into a single bucket; for example if `lower_bound` = 10, then all values less than 10 are replaced with the value "-10".

3098

"floatValue": 3.14, # float

3099

"integerValue": "A String", # integer

3100

"booleanValue": True or False, # boolean

3101

"timestampValue": "A String", # timestamp

3102

"dayOfWeekValue": "A String", # day of week

3103

"timeValue": { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # time of day

3104

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

3105

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds.

3106

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

3107

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value "24:00:00" for scenarios like business closing time.

3108

},

3109

"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day and time zone are either specified elsewhere or are not significant. The date is relative to the Proleptic Gregorian Calendar. This can represent: * A full date, with non-zero year, month and day values * A month and day value, with a zero year, e.g. an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, e.g. a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # date

3110

"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0 if specifying a year by itself or a year and month where the day is not significant.

3111

"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without a year.

3112

"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a month and day.

3113

},

3114

"stringValue": "A String", # string

3115

},

3116

"upperBound": { # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a 'Value' is based on its representation as a UTF-8 encoded string. For example, if 'integer_value' is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data. # Required. Upper bound value of buckets. All values greater than upper_bound are grouped together into a single bucket; for example if `upper_bound` = 89, then all values greater than 89 are replaced with the value "89+".

3117

"floatValue": 3.14, # float

3118

"integerValue": "A String", # integer

3119

"booleanValue": True or False, # boolean

3120

"timestampValue": "A String", # timestamp

3121

"dayOfWeekValue": "A String", # day of week

3122

"timeValue": { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # time of day

3123

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

3124

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds.

3125

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

3126

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value "24:00:00" for scenarios like business closing time.

3127

},

3128

"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day and time zone are either specified elsewhere or are not significant. The date is relative to the Proleptic Gregorian Calendar. This can represent: * A full date, with non-zero year, month and day values * A month and day value, with a zero year, e.g. an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, e.g. a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # date

3129

"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0 if specifying a year by itself or a year and month where the day is not significant.

3130

"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without a year.

3131

"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a month and day.

3132

},

3133

"stringValue": "A String", # string

},

},

},

"infoTypes": [ # InfoTypes to apply the transformation to. An empty list will cause this transformation to apply to all findings that correspond to infoTypes that were requested in `InspectConfig`.

3138

{ # Type of information detected by the API.

3139

"name": "A String", # Name of the information type. Either a name of your choosing when creating a CustomInfoType, or one of the names listed at https://cloud.google.com/dlp/docs/infotypes-reference when specifying a built-in type. When sending Cloud DLP results to Data Catalog, infoType names should conform to the pattern `[A-Za-z0-9$-_]{1,64}`.

},

],

},

],

},

Bu Sun Kim

2020-07-22 17:02:09 -0700

[diff] [blame]

3145

"fields": [ # Required. Input field(s) to apply the transformation to.

3146

{ # General identifier of a data field in a storage service.

3147

"name": "A String", # Name describing the field.

3148

},

3149

],

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

3150

},

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

3151

],

3152

},

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

3153

},

Dmitry Frenkel

2020-10-06 16:46:05 -0700

[diff] [blame^]

3154

"locationId": "A String", # Deprecated. This field has no effect.

3155

"reidentifyTemplateName": "A String", # Template to use. References an instance of `DeidentifyTemplate`. Any configuration directly specified in `reidentify_config` or `inspect_config` will override those set in the template. The `DeidentifyTemplate` used must include only reversible transformations. Singular fields that are set in this request will replace their corresponding fields in the template. Repeated fields are appended. Singular sub-messages and groups are recursively merged.

3156

"inspectTemplateName": "A String", # Template to use. Any configuration directly specified in `inspect_config` will override those set in the template. Singular fields that are set in this request will replace their corresponding fields in the template. Repeated fields are appended. Singular sub-messages and groups are recursively merged.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

3157

}

3158

3159

x__xgafv: string, V1 error format.

Allowed values

1 - v1 error format

2 - v2 error format

Returns:

An object of the form:

3166

3167

{ # Results of re-identifying a item.

3168

"overview": { # Overview of the modifications that occurred. # An overview of the changes that were made to the `item`.

Dmitry Frenkel

2020-10-06 16:46:05 -0700

[diff] [blame^]

3169

"transformedBytes": "A String", # Total size in bytes that were transformed in some way.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

3170

"transformationSummaries": [ # Transformations applied to the dataset.

Dmitry Frenkel

2020-10-06 16:46:05 -0700

[diff] [blame^]

3171

{ # Summary of a single transformation. Only one of 'transformation', 'field_transformation', or 'record_suppress' will be set.

3172

"fieldTransformations": [ # The field transformation that was applied. If multiple field transformations are requested for a single field, this list will contain all of them; otherwise, only one is supplied.

Bu Sun Kim

2020-07-22 17:02:09 -0700

[diff] [blame]

3173

{ # The transformation to apply to the field.

Bu Sun Kim

2020-07-22 17:02:09 -0700

[diff] [blame]

3174

"primitiveTransformation": { # A rule for transforming a value. # Apply the transformation to the entire field.

Dmitry Frenkel

2020-10-06 16:46:05 -0700

[diff] [blame^]

3175

"redactConfig": { # Redact a given value. For example, if used with an `InfoTypeTransformation` transforming PHONE_NUMBER, and input 'My phone number is 206-555-0123', the output would be 'My phone number is '. # Redact

3176

},

3177

"characterMaskConfig": { # Partially mask a string by replacing a given number of characters with a fixed character. Masking can start from the beginning or end of the string. This can be used on data of any type (numbers, longs, and so on) and when de-identifying structured data we'll attempt to preserve the original data's type. (This allows you to take a long like 123 and modify it to a string like **3. # Mask

3178

"numberToMask": 42, # Number of characters to mask. If not set, all matching chars will be masked. Skipped characters do not count towards this tally.

3179

"charactersToIgnore": [ # When masking a string, items in this list will be skipped when replacing characters. For example, if the input string is `555-555-5555` and you instruct Cloud DLP to skip `-` and mask 5 characters with `*`, Cloud DLP returns `***-**5-5555`.

3180

{ # Characters to skip when doing deidentification of a value. These will be left alone and skipped.

3181

"charactersToSkip": "A String", # Characters to not transform when masking.

3182

"commonCharactersToIgnore": "A String", # Common characters to not transform when masking. Useful to avoid removing punctuation.

Bu Sun Kim

2020-07-22 17:02:09 -0700

[diff] [blame]

3183

},

Dmitry Frenkel

2020-10-06 16:46:05 -0700

[diff] [blame^]

3184

],

3185

"reverseOrder": True or False, # Mask characters in reverse order. For example, if `masking_character` is `0`, `number_to_mask` is `14`, and `reverse_order` is `false`, then the input string `1234-5678-9012-3456` is masked as `00000000000000-3456`. If `masking_character` is `*`, `number_to_mask` is `3`, and `reverse_order` is `true`, then the string `12345` is masked as `12***`.

3186

"maskingCharacter": "A String", # Character to use to mask the sensitive values—for example, `*` for an alphabetic string such as a name, or `0` for a numeric string such as ZIP code or credit card number. This string must have a length of 1. If not supplied, this value defaults to `*` for strings, and `0` for digits.

3187

},

3188

"dateShiftConfig": { # Shifts dates by random number of days, with option to be consistent for the same context. See https://cloud.google.com/dlp/docs/concepts-date-shifting to learn more. # Date Shift

3189

"lowerBoundDays": 42, # Required. For example, -5 means shift date to at most 5 days back in the past.

3190

"upperBoundDays": 42, # Required. Range of shift in days. Actual shift will be selected at random within this range (inclusive ends). Negative means shift to earlier in time. Must not be more than 365250 days (1000 years) each direction. For example, 3 means shift date to at most 3 days into the future.

3191

"cryptoKey": { # This is a data encryption key (DEK) (as opposed to a key encryption key (KEK) stored by KMS). When using KMS to wrap/unwrap DEKs, be sure to set an appropriate IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot unwrap the data crypto key. # Causes the shift to be computed based on this key and the context. This results in the same shift for the same context and crypto_key. If set, must also set context. Can only be applied to table items.

3192

"unwrapped": { # Using raw keys is prone to security risks due to accidentally leaking the key. Choose another type of key if possible. # Unwrapped crypto key

3193

"key": "A String", # Required. A 128/192/256 bit key.

3194

},

3195

"transient": { # Use this to have a random data crypto key generated. It will be discarded after the request finishes. # Transient crypto key

3196

"name": "A String", # Required. Name of the key. This is an arbitrary string used to differentiate different keys. A unique key is generated per name: two separate `TransientCryptoKey` protos share the same generated key if their names are the same. When the data crypto key is generated, this name is not used in any way (repeating the api call will result in a different key being generated).

3197

},

3198

"kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. The wrapped key must be a 128/192/256 bit key. Authorization requires the following IAM permissions when sending a request to perform a crypto transformation using a kms-wrapped crypto key: dlp.kms.encrypt # Kms wrapped key

Bu Sun Kim

2020-07-22 17:02:09 -0700

[diff] [blame]

3199

"cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.

3200

"wrappedKey": "A String", # Required. The wrapped data crypto key.

3201

},

Dmitry Frenkel

2020-10-06 16:46:05 -0700

[diff] [blame^]

3202

},

3203

"context": { # General identifier of a data field in a storage service. # Points to the field that contains the context, for example, an entity id. If set, must also set cryptoKey. If set, shift will be consistent for the given context.

3204

"name": "A String", # Name describing the field.

3205

},

3206

},

3207

"cryptoDeterministicConfig": { # Pseudonymization method that generates deterministic encryption for the given input. Outputs a base64 encoded representation of the encrypted output. Uses AES-SIV based on the RFC https://tools.ietf.org/html/rfc5297. # Deterministic Crypto

3208

"surrogateInfoType": { # Type of information detected by the API. # The custom info type to annotate the surrogate with. This annotation will be applied to the surrogate by prefixing it with the name of the custom info type followed by the number of characters comprising the surrogate. The following scheme defines the format: {info type name}({surrogate character count}):{surrogate} For example, if the name of custom info type is 'MY_TOKEN_INFO_TYPE' and the surrogate is 'abc', the full replacement value will be: 'MY_TOKEN_INFO_TYPE(3):abc' This annotation identifies the surrogate when inspecting content using the custom info type 'Surrogate'. This facilitates reversal of the surrogate when it occurs in free text. Note: For record transformations where the entire cell in a table is being transformed, surrogates are not mandatory. Surrogates are used to denote the location of the token and are necessary for re-identification in free form text. In order for inspection to work properly, the name of this info type must not occur naturally anywhere in your data; otherwise, inspection may either - reverse a surrogate that does not correspond to an actual identifier - be unable to parse the surrogate and result in an error Therefore, choose your custom info type name carefully after considering what your data looks like. One way to select a name that has a high chance of yielding reliable detection is to include one or more unicode characters that are highly improbable to exist in your data. For example, assuming your data is entered from a regular ASCII keyboard, the symbol with the hex code point 29DD might be used like so: ⧝MY_TOKEN_TYPE.

3209

"name": "A String", # Name of the information type. Either a name of your choosing when creating a CustomInfoType, or one of the names listed at https://cloud.google.com/dlp/docs/infotypes-reference when specifying a built-in type. When sending Cloud DLP results to Data Catalog, infoType names should conform to the pattern `[A-Za-z0-9$-_]{1,64}`.

3210

},

3211

"context": { # General identifier of a data field in a storage service. # A context may be used for higher security and maintaining referential integrity such that the same identifier in two different contexts will be given a distinct surrogate. The context is appended to plaintext value being encrypted. On decryption the provided context is validated against the value used during encryption. If a context was provided during encryption, same context must be provided during decryption as well. If the context is not set, plaintext would be used as is for encryption. If the context is set but: 1. there is no record present when transforming a given value or 2. the field is not present when transforming a given value, plaintext would be used as is for encryption. Note that case (1) is expected when an `InfoTypeTransformation` is applied to both structured and non-structured `ContentItem`s.

3212

"name": "A String", # Name describing the field.

3213

},

3214

"cryptoKey": { # This is a data encryption key (DEK) (as opposed to a key encryption key (KEK) stored by KMS). When using KMS to wrap/unwrap DEKs, be sure to set an appropriate IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot unwrap the data crypto key. # The key used by the encryption function.

3215

"unwrapped": { # Using raw keys is prone to security risks due to accidentally leaking the key. Choose another type of key if possible. # Unwrapped crypto key

Bu Sun Kim

2020-07-22 17:02:09 -0700

[diff] [blame]

3216

"key": "A String", # Required. A 128/192/256 bit key.

3217

},

Dmitry Frenkel

2020-10-06 16:46:05 -0700

[diff] [blame^]

3218

"transient": { # Use this to have a random data crypto key generated. It will be discarded after the request finishes. # Transient crypto key

3219

"name": "A String", # Required. Name of the key. This is an arbitrary string used to differentiate different keys. A unique key is generated per name: two separate `TransientCryptoKey` protos share the same generated key if their names are the same. When the data crypto key is generated, this name is not used in any way (repeating the api call will result in a different key being generated).

3220

},

3221

"kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. The wrapped key must be a 128/192/256 bit key. Authorization requires the following IAM permissions when sending a request to perform a crypto transformation using a kms-wrapped crypto key: dlp.kms.encrypt # Kms wrapped key

3222

"cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.

3223

"wrappedKey": "A String", # Required. The wrapped data crypto key.

3224

},

Bu Sun Kim

2020-07-22 17:02:09 -0700

[diff] [blame]

3225

},

Bu Sun Kim

2020-07-22 17:02:09 -0700

[diff] [blame]

3226

},

Dmitry Frenkel

2020-10-06 16:46:05 -0700

[diff] [blame^]

3227

"replaceConfig": { # Replace each input value with a given `Value`. # Replace

3228

"newValue": { # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a 'Value' is based on its representation as a UTF-8 encoded string. For example, if 'integer_value' is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data. # Value to replace it with.

3229

"floatValue": 3.14, # float

3230

"integerValue": "A String", # integer

3231

"booleanValue": True or False, # boolean

3232

"timestampValue": "A String", # timestamp

3233

"dayOfWeekValue": "A String", # day of week

3234

"timeValue": { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # time of day

3235

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

3236

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds.

3237

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

3238

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value "24:00:00" for scenarios like business closing time.

3239

},

3240

"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day and time zone are either specified elsewhere or are not significant. The date is relative to the Proleptic Gregorian Calendar. This can represent: * A full date, with non-zero year, month and day values * A month and day value, with a zero year, e.g. an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, e.g. a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # date

3241

"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0 if specifying a year by itself or a year and month where the day is not significant.

3242

"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without a year.

3243

"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a month and day.

3244

},

3245

"stringValue": "A String", # string

3246

},

3247

},

3248

"cryptoReplaceFfxFpeConfig": { # Replaces an identifier with a surrogate using Format Preserving Encryption (FPE) with the FFX mode of operation; however when used in the `ReidentifyContent` API method, it serves the opposite function by reversing the surrogate back into the original identifier. The identifier must be encoded as ASCII. For a given crypto key and context, the same identifier will be replaced with the same surrogate. Identifiers must be at least two characters long. In the case that the identifier is the empty string, it will be skipped. See https://cloud.google.com/dlp/docs/pseudonymization to learn more. Note: We recommend using CryptoDeterministicConfig for all use cases which do not require preserving the input alphabet space and size, plus warrant referential integrity. # Ffx-Fpe

3249

"surrogateInfoType": { # Type of information detected by the API. # The custom infoType to annotate the surrogate with. This annotation will be applied to the surrogate by prefixing it with the name of the custom infoType followed by the number of characters comprising the surrogate. The following scheme defines the format: info_type_name(surrogate_character_count):surrogate For example, if the name of custom infoType is 'MY_TOKEN_INFO_TYPE' and the surrogate is 'abc', the full replacement value will be: 'MY_TOKEN_INFO_TYPE(3):abc' This annotation identifies the surrogate when inspecting content using the custom infoType [`SurrogateType`](https://cloud.google.com/dlp/docs/reference/rest/v2/InspectConfig#surrogatetype). This facilitates reversal of the surrogate when it occurs in free text. In order for inspection to work properly, the name of this infoType must not occur naturally anywhere in your data; otherwise, inspection may find a surrogate that does not correspond to an actual identifier. Therefore, choose your custom infoType name carefully after considering what your data looks like. One way to select a name that has a high chance of yielding reliable detection is to include one or more unicode characters that are highly improbable to exist in your data. For example, assuming your data is entered from a regular ASCII keyboard, the symbol with the hex code point 29DD might be used like so: ⧝MY_TOKEN_TYPE

3250

"name": "A String", # Name of the information type. Either a name of your choosing when creating a CustomInfoType, or one of the names listed at https://cloud.google.com/dlp/docs/infotypes-reference when specifying a built-in type. When sending Cloud DLP results to Data Catalog, infoType names should conform to the pattern `[A-Za-z0-9$-_]{1,64}`.

3251

},

3252

"context": { # General identifier of a data field in a storage service. # The 'tweak', a context may be used for higher security since the same identifier in two different contexts won't be given the same surrogate. If the context is not set, a default tweak will be used. If the context is set but: 1. there is no record present when transforming a given value or 1. the field is not present when transforming a given value, a default tweak will be used. Note that case (1) is expected when an `InfoTypeTransformation` is applied to both structured and non-structured `ContentItem`s. Currently, the referenced field may be of value type integer or string. The tweak is constructed as a sequence of bytes in big endian byte order such that: - a 64 bit integer is encoded followed by a single byte of value 1 - a string is encoded in UTF-8 format followed by a single byte of value 2

3253

"name": "A String", # Name describing the field.

3254

},

3255

"customAlphabet": "A String", # This is supported by mapping these to the alphanumeric characters that the FFX mode natively supports. This happens before/after encryption/decryption. Each character listed must appear only once. Number of characters must be in the range [2, 95]. This must be encoded as ASCII. The order of characters does not matter. The full list of allowed characters is: 0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz ~`!@#$%^&*()_-+={[}]|\:;"'<,>.?/

3256

"commonAlphabet": "A String", # Common alphabets.

3257

"cryptoKey": { # This is a data encryption key (DEK) (as opposed to a key encryption key (KEK) stored by KMS). When using KMS to wrap/unwrap DEKs, be sure to set an appropriate IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot unwrap the data crypto key. # Required. The key used by the encryption algorithm.

3258

"unwrapped": { # Using raw keys is prone to security risks due to accidentally leaking the key. Choose another type of key if possible. # Unwrapped crypto key

3259

"key": "A String", # Required. A 128/192/256 bit key.

3260

},

3261

"transient": { # Use this to have a random data crypto key generated. It will be discarded after the request finishes. # Transient crypto key

3262

"name": "A String", # Required. Name of the key. This is an arbitrary string used to differentiate different keys. A unique key is generated per name: two separate `TransientCryptoKey` protos share the same generated key if their names are the same. When the data crypto key is generated, this name is not used in any way (repeating the api call will result in a different key being generated).

3263

},

3264

"kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. The wrapped key must be a 128/192/256 bit key. Authorization requires the following IAM permissions when sending a request to perform a crypto transformation using a kms-wrapped crypto key: dlp.kms.encrypt # Kms wrapped key

3265

"cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.

3266

"wrappedKey": "A String", # Required. The wrapped data crypto key.

3267

},

3268

},

3269

"radix": 42, # The native way to select the alphabet. Must be in the range [2, 95].

3270

},

3271

"cryptoHashConfig": { # Pseudonymization method that generates surrogates via cryptographic hashing. Uses SHA-256. The key size must be either 32 or 64 bytes. Outputs a base64 encoded representation of the hashed output (for example, L7k0BHmF1ha5U3NfGykjro4xWi1MPVQPjhMAZbSV9mM=). Currently, only string and integer values can be hashed. See https://cloud.google.com/dlp/docs/pseudonymization to learn more. # Crypto

3272

"cryptoKey": { # This is a data encryption key (DEK) (as opposed to a key encryption key (KEK) stored by KMS). When using KMS to wrap/unwrap DEKs, be sure to set an appropriate IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot unwrap the data crypto key. # The key used by the hash function.

3273

"unwrapped": { # Using raw keys is prone to security risks due to accidentally leaking the key. Choose another type of key if possible. # Unwrapped crypto key

3274

"key": "A String", # Required. A 128/192/256 bit key.

3275

},

3276

"transient": { # Use this to have a random data crypto key generated. It will be discarded after the request finishes. # Transient crypto key

3277

"name": "A String", # Required. Name of the key. This is an arbitrary string used to differentiate different keys. A unique key is generated per name: two separate `TransientCryptoKey` protos share the same generated key if their names are the same. When the data crypto key is generated, this name is not used in any way (repeating the api call will result in a different key being generated).

3278

},

3279

"kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. The wrapped key must be a 128/192/256 bit key. Authorization requires the following IAM permissions when sending a request to perform a crypto transformation using a kms-wrapped crypto key: dlp.kms.encrypt # Kms wrapped key

3280

"cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.

3281

"wrappedKey": "A String", # Required. The wrapped data crypto key.

},

},

},

"bucketingConfig": { # Generalization function that buckets values based on ranges. The ranges and replacement values are dynamically provided by the user for custom behavior, such as 1-30 -> LOW 31-65 -> MEDIUM 66-100 -> HIGH This can be used on data of type: number, long, string, timestamp. If the bound `Value` type differs from the type of data being transformed, we will first attempt converting the type of the data to be transformed to match the type of the bound before comparing. See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more. # Bucketing

3286

"buckets": [ # Set of buckets. Ranges must be non-overlapping.

3287

{ # Bucket is represented as a range, along with replacement values.

3288

"max": { # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a 'Value' is based on its representation as a UTF-8 encoded string. For example, if 'integer_value' is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data. # Upper bound of the range, exclusive; type must match min.

3289

"floatValue": 3.14, # float

3290

"integerValue": "A String", # integer

3291

"booleanValue": True or False, # boolean

3292

"timestampValue": "A String", # timestamp

3293

"dayOfWeekValue": "A String", # day of week

3294

"timeValue": { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # time of day

3295

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

3296

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds.

3297

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

3298

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value "24:00:00" for scenarios like business closing time.

3299

},

3300

"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day and time zone are either specified elsewhere or are not significant. The date is relative to the Proleptic Gregorian Calendar. This can represent: * A full date, with non-zero year, month and day values * A month and day value, with a zero year, e.g. an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, e.g. a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # date

3301

"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0 if specifying a year by itself or a year and month where the day is not significant.

3302

"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without a year.

3303

"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a month and day.

3304

},

3305

"stringValue": "A String", # string

3306

},

3307

"min": { # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a 'Value' is based on its representation as a UTF-8 encoded string. For example, if 'integer_value' is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data. # Lower bound of the range, inclusive. Type should be the same as max if used.

3308

"floatValue": 3.14, # float

3309

"integerValue": "A String", # integer

3310

"booleanValue": True or False, # boolean

3311

"timestampValue": "A String", # timestamp

3312

"dayOfWeekValue": "A String", # day of week

3313

"timeValue": { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # time of day

3314

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

3315

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds.

3316

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

3317

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value "24:00:00" for scenarios like business closing time.

3318

},

3319

"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day and time zone are either specified elsewhere or are not significant. The date is relative to the Proleptic Gregorian Calendar. This can represent: * A full date, with non-zero year, month and day values * A month and day value, with a zero year, e.g. an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, e.g. a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # date

3320

"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0 if specifying a year by itself or a year and month where the day is not significant.

3321

"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without a year.

3322

"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a month and day.

3323

},

3324

"stringValue": "A String", # string

3325

},

3326

"replacementValue": { # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a 'Value' is based on its representation as a UTF-8 encoded string. For example, if 'integer_value' is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data. # Required. Replacement value for this bucket.

3327

"floatValue": 3.14, # float

3328

"integerValue": "A String", # integer

3329

"booleanValue": True or False, # boolean

3330

"timestampValue": "A String", # timestamp

3331

"dayOfWeekValue": "A String", # day of week

3332

"timeValue": { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # time of day

3333

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

3334

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds.

3335

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

3336

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value "24:00:00" for scenarios like business closing time.

3337

},

3338

"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day and time zone are either specified elsewhere or are not significant. The date is relative to the Proleptic Gregorian Calendar. This can represent: * A full date, with non-zero year, month and day values * A month and day value, with a zero year, e.g. an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, e.g. a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # date

3339

"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0 if specifying a year by itself or a year and month where the day is not significant.

3340

"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without a year.

3341

"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a month and day.

3342

},

3343

"stringValue": "A String", # string

3344

},

3345

},

3346

],

Bu Sun Kim

2020-07-22 17:02:09 -0700

[diff] [blame]

3347

},

3348

"replaceWithInfoTypeConfig": { # Replace each matching finding with the name of the info_type. # Replace with infotype

3349

},

Dmitry Frenkel

2020-10-06 16:46:05 -0700

[diff] [blame^]

3350

"timePartConfig": { # For use with `Date`, `Timestamp`, and `TimeOfDay`, extract or preserve a portion of the value. # Time extraction

3351

"partToExtract": "A String", # The part of the time to keep.

3352

},

3353

"fixedSizeBucketingConfig": { # Buckets values based on fixed size ranges. The Bucketing transformation can provide all of this functionality, but requires more configuration. This message is provided as a convenience to the user for simple bucketing strategies. The transformed value will be a hyphenated string of {lower_bound}-{upper_bound}, i.e if lower_bound = 10 and upper_bound = 20 all values that are within this bucket will be replaced with "10-20". This can be used on data of type: double, long. If the bound Value type differs from the type of data being transformed, we will first attempt converting the type of the data to be transformed to match the type of the bound before comparing. See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more. # Fixed size bucketing

3354

"bucketSize": 3.14, # Required. Size of each bucket (except for minimum and maximum buckets). So if `lower_bound` = 10, `upper_bound` = 89, and `bucket_size` = 10, then the following buckets would be used: -10, 10-20, 20-30, 30-40, 40-50, 50-60, 60-70, 70-80, 80-89, 89+. Precision up to 2 decimals works.

3355

"lowerBound": { # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a 'Value' is based on its representation as a UTF-8 encoded string. For example, if 'integer_value' is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data. # Required. Lower bound value of buckets. All values less than `lower_bound` are grouped together into a single bucket; for example if `lower_bound` = 10, then all values less than 10 are replaced with the value "-10".

Bu Sun Kim

2020-07-22 17:02:09 -0700

[diff] [blame]

3356

"floatValue": 3.14, # float

Bu Sun Kim

2020-07-22 17:02:09 -0700

[diff] [blame]

3357

"integerValue": "A String", # integer

Bu Sun Kim

2020-07-22 17:02:09 -0700

[diff] [blame]

3358

"booleanValue": True or False, # boolean

Dmitry Frenkel

2020-10-06 16:46:05 -0700

[diff] [blame^]

3359

"timestampValue": "A String", # timestamp

3360

"dayOfWeekValue": "A String", # day of week

3361

"timeValue": { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # time of day

3362

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

3363

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds.

3364

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

3365

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value "24:00:00" for scenarios like business closing time.

3366

},

3367

"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day and time zone are either specified elsewhere or are not significant. The date is relative to the Proleptic Gregorian Calendar. This can represent: * A full date, with non-zero year, month and day values * A month and day value, with a zero year, e.g. an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, e.g. a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # date

3368

"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0 if specifying a year by itself or a year and month where the day is not significant.

3369

"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without a year.

3370

"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a month and day.

3371

},

3372

"stringValue": "A String", # string

Bu Sun Kim

2020-07-22 17:02:09 -0700

[diff] [blame]

3373

},

Dmitry Frenkel

2020-10-06 16:46:05 -0700

[diff] [blame^]

3374

"upperBound": { # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a 'Value' is based on its representation as a UTF-8 encoded string. For example, if 'integer_value' is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data. # Required. Upper bound value of buckets. All values greater than upper_bound are grouped together into a single bucket; for example if `upper_bound` = 89, then all values greater than 89 are replaced with the value "89+".

3375

"floatValue": 3.14, # float

Bu Sun Kim

2020-07-22 17:02:09 -0700

[diff] [blame]

3376

"integerValue": "A String", # integer

Bu Sun Kim

2020-07-22 17:02:09 -0700

[diff] [blame]

3377

"booleanValue": True or False, # boolean

Dmitry Frenkel

2020-10-06 16:46:05 -0700

[diff] [blame^]

3378

"timestampValue": "A String", # timestamp

3379

"dayOfWeekValue": "A String", # day of week

3380

"timeValue": { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # time of day

3381

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

3382

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds.

3383

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

3384

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value "24:00:00" for scenarios like business closing time.

Bu Sun Kim

2020-07-22 17:02:09 -0700

[diff] [blame]

3385

},

Dmitry Frenkel

2020-10-06 16:46:05 -0700

[diff] [blame^]

3386

"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day and time zone are either specified elsewhere or are not significant. The date is relative to the Proleptic Gregorian Calendar. This can represent: * A full date, with non-zero year, month and day values * A month and day value, with a zero year, e.g. an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, e.g. a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # date

3387

"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0 if specifying a year by itself or a year and month where the day is not significant.

3388

"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without a year.

3389

"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a month and day.

Bu Sun Kim

2020-07-22 17:02:09 -0700

[diff] [blame]

3390

},

Dmitry Frenkel

2020-10-06 16:46:05 -0700

[diff] [blame^]

3391

"stringValue": "A String", # string

Bu Sun Kim

2020-07-22 17:02:09 -0700

[diff] [blame]

3392

},

Bu Sun Kim

2020-07-22 17:02:09 -0700

[diff] [blame]

3393

},

3394

},

Dmitry Frenkel

2020-10-06 16:46:05 -0700

[diff] [blame^]

3395

"condition": { # A condition for determining whether a transformation should be applied to a field. # Only apply the transformation if the condition evaluates to true for the given `RecordCondition`. The conditions are allowed to reference fields that are not used in the actual transformation. Example Use Cases: - Apply a different bucket transformation to an age column if the zip code column for the same record is within a specific range. - Redact a field if the date of birth field is greater than 85.

Bu Sun Kim

2020-07-22 17:02:09 -0700

[diff] [blame]

3396

"expressions": { # An expression, consisting or an operator and conditions. # An expression.

3397

"conditions": { # A collection of conditions. # Conditions to apply to the expression.

3398

"conditions": [ # A collection of conditions.

Dmitry Frenkel

2020-10-06 16:46:05 -0700

[diff] [blame^]

3399

{ # The field type of `value` and `field` do not need to match to be considered equal, but not all comparisons are possible. EQUAL_TO and NOT_EQUAL_TO attempt to compare even with incompatible types, but all other comparisons are invalid with incompatible types. A `value` of type: - `string` can be compared against all other types - `boolean` can only be compared against other booleans - `integer` can be compared against doubles or a string if the string value can be parsed as an integer. - `double` can be compared against integers or a string if the string can be parsed as a double. - `Timestamp` can be compared against strings in RFC 3339 date string format. - `TimeOfDay` can be compared against timestamps and strings in the format of 'HH:mm:ss'. If we fail to compare do to type mismatch, a warning will be given and the condition will evaluate to false.

Bu Sun Kim

2020-07-22 17:02:09 -0700

[diff] [blame]

3400

"field": { # General identifier of a data field in a storage service. # Required. Field within the record this condition is evaluated against.

3401

"name": "A String", # Name describing the field.

3402

},

Dmitry Frenkel

2020-10-06 16:46:05 -0700

[diff] [blame^]

3403

"value": { # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a 'Value' is based on its representation as a UTF-8 encoded string. For example, if 'integer_value' is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data. # Value to compare against. [Mandatory, except for `EXISTS` tests.]

Bu Sun Kim

2020-07-22 17:02:09 -0700

[diff] [blame]

3404

"floatValue": 3.14, # float

Dmitry Frenkel

2020-10-06 16:46:05 -0700

[diff] [blame^]

3405

"integerValue": "A String", # integer

Bu Sun Kim

2020-07-22 17:02:09 -0700

[diff] [blame]

3406

"booleanValue": True or False, # boolean

Dmitry Frenkel

2020-10-06 16:46:05 -0700

[diff] [blame^]

3407

"timestampValue": "A String", # timestamp

3408

"dayOfWeekValue": "A String", # day of week

3409

"timeValue": { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # time of day

3410

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

3411

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds.

3412

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

3413

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value "24:00:00" for scenarios like business closing time.

3414

},

3415

"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day and time zone are either specified elsewhere or are not significant. The date is relative to the Proleptic Gregorian Calendar. This can represent: * A full date, with non-zero year, month and day values * A month and day value, with a zero year, e.g. an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, e.g. a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # date

3416

"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0 if specifying a year by itself or a year and month where the day is not significant.

3417

"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without a year.

3418

"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a month and day.

3419

},

3420

"stringValue": "A String", # string

Bu Sun Kim

2020-07-22 17:02:09 -0700

[diff] [blame]

3421

},

3422

"operator": "A String", # Required. Operator used to compare the field or infoType to the value.

3423

},

3424

],

3425

},

Dmitry Frenkel

2020-10-06 16:46:05 -0700

[diff] [blame^]

3426

"logicalOperator": "A String", # The operator to apply to the result of conditions. Default and currently only supported value is `AND`.

Bu Sun Kim

2020-07-22 17:02:09 -0700

[diff] [blame]

3427

},

3428

},

Dmitry Frenkel

2020-10-06 16:46:05 -0700

[diff] [blame^]

3429

"infoTypeTransformations": { # A type of transformation that will scan unstructured text and apply various `PrimitiveTransformation`s to each finding, where the transformation is applied to only values that were identified as a specific info_type. # Treat the contents of the field as free text, and selectively transform content that matches an `InfoType`.

3430

"transformations": [ # Required. Transformation for each infoType. Cannot specify more than one for a given infoType.

3431

{ # A transformation to apply to text that is identified as a specific info_type.

3432

"primitiveTransformation": { # A rule for transforming a value. # Required. Primitive transformation to apply to the infoType.

3433

"redactConfig": { # Redact a given value. For example, if used with an `InfoTypeTransformation` transforming PHONE_NUMBER, and input 'My phone number is 206-555-0123', the output would be 'My phone number is '. # Redact

3434

},

3435

"characterMaskConfig": { # Partially mask a string by replacing a given number of characters with a fixed character. Masking can start from the beginning or end of the string. This can be used on data of any type (numbers, longs, and so on) and when de-identifying structured data we'll attempt to preserve the original data's type. (This allows you to take a long like 123 and modify it to a string like **3. # Mask

3436

"numberToMask": 42, # Number of characters to mask. If not set, all matching chars will be masked. Skipped characters do not count towards this tally.

3437

"charactersToIgnore": [ # When masking a string, items in this list will be skipped when replacing characters. For example, if the input string is `555-555-5555` and you instruct Cloud DLP to skip `-` and mask 5 characters with `*`, Cloud DLP returns `***-**5-5555`.

3438

{ # Characters to skip when doing deidentification of a value. These will be left alone and skipped.

3439

"charactersToSkip": "A String", # Characters to not transform when masking.

3440

"commonCharactersToIgnore": "A String", # Common characters to not transform when masking. Useful to avoid removing punctuation.

3441

},

3442

],

3443

"reverseOrder": True or False, # Mask characters in reverse order. For example, if `masking_character` is `0`, `number_to_mask` is `14`, and `reverse_order` is `false`, then the input string `1234-5678-9012-3456` is masked as `00000000000000-3456`. If `masking_character` is `*`, `number_to_mask` is `3`, and `reverse_order` is `true`, then the string `12345` is masked as `12***`.

3444

"maskingCharacter": "A String", # Character to use to mask the sensitive values—for example, `*` for an alphabetic string such as a name, or `0` for a numeric string such as ZIP code or credit card number. This string must have a length of 1. If not supplied, this value defaults to `*` for strings, and `0` for digits.

3445

},

3446

"dateShiftConfig": { # Shifts dates by random number of days, with option to be consistent for the same context. See https://cloud.google.com/dlp/docs/concepts-date-shifting to learn more. # Date Shift

3447

"lowerBoundDays": 42, # Required. For example, -5 means shift date to at most 5 days back in the past.

3448

"upperBoundDays": 42, # Required. Range of shift in days. Actual shift will be selected at random within this range (inclusive ends). Negative means shift to earlier in time. Must not be more than 365250 days (1000 years) each direction. For example, 3 means shift date to at most 3 days into the future.

3449

"cryptoKey": { # This is a data encryption key (DEK) (as opposed to a key encryption key (KEK) stored by KMS). When using KMS to wrap/unwrap DEKs, be sure to set an appropriate IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot unwrap the data crypto key. # Causes the shift to be computed based on this key and the context. This results in the same shift for the same context and crypto_key. If set, must also set context. Can only be applied to table items.

3450

"unwrapped": { # Using raw keys is prone to security risks due to accidentally leaking the key. Choose another type of key if possible. # Unwrapped crypto key

3451

"key": "A String", # Required. A 128/192/256 bit key.

3452

},

3453

"transient": { # Use this to have a random data crypto key generated. It will be discarded after the request finishes. # Transient crypto key

3454

"name": "A String", # Required. Name of the key. This is an arbitrary string used to differentiate different keys. A unique key is generated per name: two separate `TransientCryptoKey` protos share the same generated key if their names are the same. When the data crypto key is generated, this name is not used in any way (repeating the api call will result in a different key being generated).

3455

},

3456

"kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. The wrapped key must be a 128/192/256 bit key. Authorization requires the following IAM permissions when sending a request to perform a crypto transformation using a kms-wrapped crypto key: dlp.kms.encrypt # Kms wrapped key

3457

"cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.

3458

"wrappedKey": "A String", # Required. The wrapped data crypto key.

3459

},

3460

},

3461

"context": { # General identifier of a data field in a storage service. # Points to the field that contains the context, for example, an entity id. If set, must also set cryptoKey. If set, shift will be consistent for the given context.

3462

"name": "A String", # Name describing the field.

3463

},

3464

},

3465

"cryptoDeterministicConfig": { # Pseudonymization method that generates deterministic encryption for the given input. Outputs a base64 encoded representation of the encrypted output. Uses AES-SIV based on the RFC https://tools.ietf.org/html/rfc5297. # Deterministic Crypto

3466

"surrogateInfoType": { # Type of information detected by the API. # The custom info type to annotate the surrogate with. This annotation will be applied to the surrogate by prefixing it with the name of the custom info type followed by the number of characters comprising the surrogate. The following scheme defines the format: {info type name}({surrogate character count}):{surrogate} For example, if the name of custom info type is 'MY_TOKEN_INFO_TYPE' and the surrogate is 'abc', the full replacement value will be: 'MY_TOKEN_INFO_TYPE(3):abc' This annotation identifies the surrogate when inspecting content using the custom info type 'Surrogate'. This facilitates reversal of the surrogate when it occurs in free text. Note: For record transformations where the entire cell in a table is being transformed, surrogates are not mandatory. Surrogates are used to denote the location of the token and are necessary for re-identification in free form text. In order for inspection to work properly, the name of this info type must not occur naturally anywhere in your data; otherwise, inspection may either - reverse a surrogate that does not correspond to an actual identifier - be unable to parse the surrogate and result in an error Therefore, choose your custom info type name carefully after considering what your data looks like. One way to select a name that has a high chance of yielding reliable detection is to include one or more unicode characters that are highly improbable to exist in your data. For example, assuming your data is entered from a regular ASCII keyboard, the symbol with the hex code point 29DD might be used like so: ⧝MY_TOKEN_TYPE.

3467

"name": "A String", # Name of the information type. Either a name of your choosing when creating a CustomInfoType, or one of the names listed at https://cloud.google.com/dlp/docs/infotypes-reference when specifying a built-in type. When sending Cloud DLP results to Data Catalog, infoType names should conform to the pattern `[A-Za-z0-9$-_]{1,64}`.

3468

},

3469

"context": { # General identifier of a data field in a storage service. # A context may be used for higher security and maintaining referential integrity such that the same identifier in two different contexts will be given a distinct surrogate. The context is appended to plaintext value being encrypted. On decryption the provided context is validated against the value used during encryption. If a context was provided during encryption, same context must be provided during decryption as well. If the context is not set, plaintext would be used as is for encryption. If the context is set but: 1. there is no record present when transforming a given value or 2. the field is not present when transforming a given value, plaintext would be used as is for encryption. Note that case (1) is expected when an `InfoTypeTransformation` is applied to both structured and non-structured `ContentItem`s.

3470

"name": "A String", # Name describing the field.

3471

},

3472

"cryptoKey": { # This is a data encryption key (DEK) (as opposed to a key encryption key (KEK) stored by KMS). When using KMS to wrap/unwrap DEKs, be sure to set an appropriate IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot unwrap the data crypto key. # The key used by the encryption function.

3473

"unwrapped": { # Using raw keys is prone to security risks due to accidentally leaking the key. Choose another type of key if possible. # Unwrapped crypto key

3474

"key": "A String", # Required. A 128/192/256 bit key.

3475

},

3476

"transient": { # Use this to have a random data crypto key generated. It will be discarded after the request finishes. # Transient crypto key

3477

"name": "A String", # Required. Name of the key. This is an arbitrary string used to differentiate different keys. A unique key is generated per name: two separate `TransientCryptoKey` protos share the same generated key if their names are the same. When the data crypto key is generated, this name is not used in any way (repeating the api call will result in a different key being generated).

3478

},

3479

"kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. The wrapped key must be a 128/192/256 bit key. Authorization requires the following IAM permissions when sending a request to perform a crypto transformation using a kms-wrapped crypto key: dlp.kms.encrypt # Kms wrapped key

3480

"cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.

3481

"wrappedKey": "A String", # Required. The wrapped data crypto key.

},

},

},

"replaceConfig": { # Replace each input value with a given `Value`. # Replace

3486

"newValue": { # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a 'Value' is based on its representation as a UTF-8 encoded string. For example, if 'integer_value' is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data. # Value to replace it with.

3487

"floatValue": 3.14, # float

3488

"integerValue": "A String", # integer

3489

"booleanValue": True or False, # boolean

3490

"timestampValue": "A String", # timestamp

3491

"dayOfWeekValue": "A String", # day of week

3492

"timeValue": { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # time of day

3493

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

3494

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds.

3495

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

3496

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value "24:00:00" for scenarios like business closing time.

3497

},

3498

"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day and time zone are either specified elsewhere or are not significant. The date is relative to the Proleptic Gregorian Calendar. This can represent: * A full date, with non-zero year, month and day values * A month and day value, with a zero year, e.g. an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, e.g. a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # date

3499

"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0 if specifying a year by itself or a year and month where the day is not significant.

3500

"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without a year.

3501

"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a month and day.

3502

},

3503

"stringValue": "A String", # string

3504

},

3505

},

3506

"cryptoReplaceFfxFpeConfig": { # Replaces an identifier with a surrogate using Format Preserving Encryption (FPE) with the FFX mode of operation; however when used in the `ReidentifyContent` API method, it serves the opposite function by reversing the surrogate back into the original identifier. The identifier must be encoded as ASCII. For a given crypto key and context, the same identifier will be replaced with the same surrogate. Identifiers must be at least two characters long. In the case that the identifier is the empty string, it will be skipped. See https://cloud.google.com/dlp/docs/pseudonymization to learn more. Note: We recommend using CryptoDeterministicConfig for all use cases which do not require preserving the input alphabet space and size, plus warrant referential integrity. # Ffx-Fpe

3507

"surrogateInfoType": { # Type of information detected by the API. # The custom infoType to annotate the surrogate with. This annotation will be applied to the surrogate by prefixing it with the name of the custom infoType followed by the number of characters comprising the surrogate. The following scheme defines the format: info_type_name(surrogate_character_count):surrogate For example, if the name of custom infoType is 'MY_TOKEN_INFO_TYPE' and the surrogate is 'abc', the full replacement value will be: 'MY_TOKEN_INFO_TYPE(3):abc' This annotation identifies the surrogate when inspecting content using the custom infoType [`SurrogateType`](https://cloud.google.com/dlp/docs/reference/rest/v2/InspectConfig#surrogatetype). This facilitates reversal of the surrogate when it occurs in free text. In order for inspection to work properly, the name of this infoType must not occur naturally anywhere in your data; otherwise, inspection may find a surrogate that does not correspond to an actual identifier. Therefore, choose your custom infoType name carefully after considering what your data looks like. One way to select a name that has a high chance of yielding reliable detection is to include one or more unicode characters that are highly improbable to exist in your data. For example, assuming your data is entered from a regular ASCII keyboard, the symbol with the hex code point 29DD might be used like so: ⧝MY_TOKEN_TYPE

3508

"name": "A String", # Name of the information type. Either a name of your choosing when creating a CustomInfoType, or one of the names listed at https://cloud.google.com/dlp/docs/infotypes-reference when specifying a built-in type. When sending Cloud DLP results to Data Catalog, infoType names should conform to the pattern `[A-Za-z0-9$-_]{1,64}`.

3509

},

3510

"context": { # General identifier of a data field in a storage service. # The 'tweak', a context may be used for higher security since the same identifier in two different contexts won't be given the same surrogate. If the context is not set, a default tweak will be used. If the context is set but: 1. there is no record present when transforming a given value or 1. the field is not present when transforming a given value, a default tweak will be used. Note that case (1) is expected when an `InfoTypeTransformation` is applied to both structured and non-structured `ContentItem`s. Currently, the referenced field may be of value type integer or string. The tweak is constructed as a sequence of bytes in big endian byte order such that: - a 64 bit integer is encoded followed by a single byte of value 1 - a string is encoded in UTF-8 format followed by a single byte of value 2

3511

"name": "A String", # Name describing the field.

3512

},

3513

"customAlphabet": "A String", # This is supported by mapping these to the alphanumeric characters that the FFX mode natively supports. This happens before/after encryption/decryption. Each character listed must appear only once. Number of characters must be in the range [2, 95]. This must be encoded as ASCII. The order of characters does not matter. The full list of allowed characters is: 0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz ~`!@#$%^&*()_-+={[}]|\:;"'<,>.?/

3514

"commonAlphabet": "A String", # Common alphabets.

3515

"cryptoKey": { # This is a data encryption key (DEK) (as opposed to a key encryption key (KEK) stored by KMS). When using KMS to wrap/unwrap DEKs, be sure to set an appropriate IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot unwrap the data crypto key. # Required. The key used by the encryption algorithm.

3516

"unwrapped": { # Using raw keys is prone to security risks due to accidentally leaking the key. Choose another type of key if possible. # Unwrapped crypto key

3517

"key": "A String", # Required. A 128/192/256 bit key.

3518

},

3519

"transient": { # Use this to have a random data crypto key generated. It will be discarded after the request finishes. # Transient crypto key

3520

"name": "A String", # Required. Name of the key. This is an arbitrary string used to differentiate different keys. A unique key is generated per name: two separate `TransientCryptoKey` protos share the same generated key if their names are the same. When the data crypto key is generated, this name is not used in any way (repeating the api call will result in a different key being generated).

3521

},

3522

"kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. The wrapped key must be a 128/192/256 bit key. Authorization requires the following IAM permissions when sending a request to perform a crypto transformation using a kms-wrapped crypto key: dlp.kms.encrypt # Kms wrapped key

3523

"cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.

3524

"wrappedKey": "A String", # Required. The wrapped data crypto key.

3525

},

3526

},

3527

"radix": 42, # The native way to select the alphabet. Must be in the range [2, 95].

3528

},

3529

"cryptoHashConfig": { # Pseudonymization method that generates surrogates via cryptographic hashing. Uses SHA-256. The key size must be either 32 or 64 bytes. Outputs a base64 encoded representation of the hashed output (for example, L7k0BHmF1ha5U3NfGykjro4xWi1MPVQPjhMAZbSV9mM=). Currently, only string and integer values can be hashed. See https://cloud.google.com/dlp/docs/pseudonymization to learn more. # Crypto

3530

"cryptoKey": { # This is a data encryption key (DEK) (as opposed to a key encryption key (KEK) stored by KMS). When using KMS to wrap/unwrap DEKs, be sure to set an appropriate IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot unwrap the data crypto key. # The key used by the hash function.

3531

"unwrapped": { # Using raw keys is prone to security risks due to accidentally leaking the key. Choose another type of key if possible. # Unwrapped crypto key

3532

"key": "A String", # Required. A 128/192/256 bit key.

3533

},

3534

"transient": { # Use this to have a random data crypto key generated. It will be discarded after the request finishes. # Transient crypto key

3535

"name": "A String", # Required. Name of the key. This is an arbitrary string used to differentiate different keys. A unique key is generated per name: two separate `TransientCryptoKey` protos share the same generated key if their names are the same. When the data crypto key is generated, this name is not used in any way (repeating the api call will result in a different key being generated).

3536

},

3537

"kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. The wrapped key must be a 128/192/256 bit key. Authorization requires the following IAM permissions when sending a request to perform a crypto transformation using a kms-wrapped crypto key: dlp.kms.encrypt # Kms wrapped key

3538

"cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.

3539

"wrappedKey": "A String", # Required. The wrapped data crypto key.

},

},

},

"bucketingConfig": { # Generalization function that buckets values based on ranges. The ranges and replacement values are dynamically provided by the user for custom behavior, such as 1-30 -> LOW 31-65 -> MEDIUM 66-100 -> HIGH This can be used on data of type: number, long, string, timestamp. If the bound `Value` type differs from the type of data being transformed, we will first attempt converting the type of the data to be transformed to match the type of the bound before comparing. See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more. # Bucketing

3544

"buckets": [ # Set of buckets. Ranges must be non-overlapping.

3545

{ # Bucket is represented as a range, along with replacement values.

3546

"max": { # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a 'Value' is based on its representation as a UTF-8 encoded string. For example, if 'integer_value' is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data. # Upper bound of the range, exclusive; type must match min.

3547

"floatValue": 3.14, # float

3548

"integerValue": "A String", # integer

3549

"booleanValue": True or False, # boolean

3550

"timestampValue": "A String", # timestamp

3551

"dayOfWeekValue": "A String", # day of week

3552

"timeValue": { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # time of day

3553

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

3554

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds.

3555

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

3556

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value "24:00:00" for scenarios like business closing time.

3557

},

3558

"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day and time zone are either specified elsewhere or are not significant. The date is relative to the Proleptic Gregorian Calendar. This can represent: * A full date, with non-zero year, month and day values * A month and day value, with a zero year, e.g. an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, e.g. a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # date

3559

"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0 if specifying a year by itself or a year and month where the day is not significant.

3560

"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without a year.

3561

"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a month and day.

3562

},

3563

"stringValue": "A String", # string

3564

},

3565

"min": { # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a 'Value' is based on its representation as a UTF-8 encoded string. For example, if 'integer_value' is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data. # Lower bound of the range, inclusive. Type should be the same as max if used.

3566

"floatValue": 3.14, # float

3567

"integerValue": "A String", # integer

3568

"booleanValue": True or False, # boolean

3569

"timestampValue": "A String", # timestamp

3570

"dayOfWeekValue": "A String", # day of week

3571

"timeValue": { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # time of day

3572

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

3573

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds.

3574

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

3575

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value "24:00:00" for scenarios like business closing time.

3576

},

3577

"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day and time zone are either specified elsewhere or are not significant. The date is relative to the Proleptic Gregorian Calendar. This can represent: * A full date, with non-zero year, month and day values * A month and day value, with a zero year, e.g. an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, e.g. a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # date

3578

"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0 if specifying a year by itself or a year and month where the day is not significant.

3579

"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without a year.

3580

"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a month and day.

3581

},

3582

"stringValue": "A String", # string

3583

},

3584

"replacementValue": { # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a 'Value' is based on its representation as a UTF-8 encoded string. For example, if 'integer_value' is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data. # Required. Replacement value for this bucket.

3585

"floatValue": 3.14, # float

3586

"integerValue": "A String", # integer

3587

"booleanValue": True or False, # boolean

3588

"timestampValue": "A String", # timestamp

3589

"dayOfWeekValue": "A String", # day of week

3590

"timeValue": { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # time of day

3591

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

3592

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds.

3593

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

3594

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value "24:00:00" for scenarios like business closing time.

3595

},

3596

"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day and time zone are either specified elsewhere or are not significant. The date is relative to the Proleptic Gregorian Calendar. This can represent: * A full date, with non-zero year, month and day values * A month and day value, with a zero year, e.g. an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, e.g. a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # date

3597

"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0 if specifying a year by itself or a year and month where the day is not significant.

3598

"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without a year.

3599

"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a month and day.

3600

},

3601

"stringValue": "A String", # string

},

},

],

},

"replaceWithInfoTypeConfig": { # Replace each matching finding with the name of the info_type. # Replace with infotype

3607

},

3608

"timePartConfig": { # For use with `Date`, `Timestamp`, and `TimeOfDay`, extract or preserve a portion of the value. # Time extraction

3609

"partToExtract": "A String", # The part of the time to keep.

3610

},

3611

"fixedSizeBucketingConfig": { # Buckets values based on fixed size ranges. The Bucketing transformation can provide all of this functionality, but requires more configuration. This message is provided as a convenience to the user for simple bucketing strategies. The transformed value will be a hyphenated string of {lower_bound}-{upper_bound}, i.e if lower_bound = 10 and upper_bound = 20 all values that are within this bucket will be replaced with "10-20". This can be used on data of type: double, long. If the bound Value type differs from the type of data being transformed, we will first attempt converting the type of the data to be transformed to match the type of the bound before comparing. See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more. # Fixed size bucketing

3612

"bucketSize": 3.14, # Required. Size of each bucket (except for minimum and maximum buckets). So if `lower_bound` = 10, `upper_bound` = 89, and `bucket_size` = 10, then the following buckets would be used: -10, 10-20, 20-30, 30-40, 40-50, 50-60, 60-70, 70-80, 80-89, 89+. Precision up to 2 decimals works.

3613

"lowerBound": { # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a 'Value' is based on its representation as a UTF-8 encoded string. For example, if 'integer_value' is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data. # Required. Lower bound value of buckets. All values less than `lower_bound` are grouped together into a single bucket; for example if `lower_bound` = 10, then all values less than 10 are replaced with the value "-10".

3614

"floatValue": 3.14, # float

3615

"integerValue": "A String", # integer

3616

"booleanValue": True or False, # boolean

3617

"timestampValue": "A String", # timestamp

3618

"dayOfWeekValue": "A String", # day of week

3619

"timeValue": { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # time of day

3620

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

3621

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds.

3622

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

3623

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value "24:00:00" for scenarios like business closing time.

3624

},

3625

"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day and time zone are either specified elsewhere or are not significant. The date is relative to the Proleptic Gregorian Calendar. This can represent: * A full date, with non-zero year, month and day values * A month and day value, with a zero year, e.g. an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, e.g. a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # date

3626

"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0 if specifying a year by itself or a year and month where the day is not significant.

3627

"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without a year.

3628

"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a month and day.

3629

},

3630

"stringValue": "A String", # string

3631

},

3632

"upperBound": { # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a 'Value' is based on its representation as a UTF-8 encoded string. For example, if 'integer_value' is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data. # Required. Upper bound value of buckets. All values greater than upper_bound are grouped together into a single bucket; for example if `upper_bound` = 89, then all values greater than 89 are replaced with the value "89+".

3633

"floatValue": 3.14, # float

3634

"integerValue": "A String", # integer

3635

"booleanValue": True or False, # boolean

3636

"timestampValue": "A String", # timestamp

3637

"dayOfWeekValue": "A String", # day of week

3638

"timeValue": { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # time of day

3639

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

3640

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds.

3641

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

3642

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value "24:00:00" for scenarios like business closing time.

3643

},

3644

"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day and time zone are either specified elsewhere or are not significant. The date is relative to the Proleptic Gregorian Calendar. This can represent: * A full date, with non-zero year, month and day values * A month and day value, with a zero year, e.g. an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, e.g. a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # date

3645

"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0 if specifying a year by itself or a year and month where the day is not significant.

3646

"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without a year.

3647

"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a month and day.

3648

},

3649

"stringValue": "A String", # string

},

},

},

"infoTypes": [ # InfoTypes to apply the transformation to. An empty list will cause this transformation to apply to all findings that correspond to infoTypes that were requested in `InspectConfig`.

3654

{ # Type of information detected by the API.

3655

"name": "A String", # Name of the information type. Either a name of your choosing when creating a CustomInfoType, or one of the names listed at https://cloud.google.com/dlp/docs/infotypes-reference when specifying a built-in type. When sending Cloud DLP results to Data Catalog, infoType names should conform to the pattern `[A-Za-z0-9$-_]{1,64}`.

},

],

},

],

},

Bu Sun Kim

2020-07-22 17:02:09 -0700

[diff] [blame]

3661

"fields": [ # Required. Input field(s) to apply the transformation to.

3662

{ # General identifier of a data field in a storage service.

3663

"name": "A String", # Name describing the field.

},

],

},

],

Dmitry Frenkel

2020-10-06 16:46:05 -0700

[diff] [blame^]

3668

"recordSuppress": { # Configuration to suppress records whose suppression conditions evaluate to true. # The specific suppression option these stats apply to.

3669

"condition": { # A condition for determining whether a transformation should be applied to a field. # A condition that when it evaluates to true will result in the record being evaluated to be suppressed from the transformed content.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

3670

"expressions": { # An expression, consisting or an operator and conditions. # An expression.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

3671

"conditions": { # A collection of conditions. # Conditions to apply to the expression.

3672

"conditions": [ # A collection of conditions.

Dmitry Frenkel

2020-10-06 16:46:05 -0700

[diff] [blame^]

3673

{ # The field type of `value` and `field` do not need to match to be considered equal, but not all comparisons are possible. EQUAL_TO and NOT_EQUAL_TO attempt to compare even with incompatible types, but all other comparisons are invalid with incompatible types. A `value` of type: - `string` can be compared against all other types - `boolean` can only be compared against other booleans - `integer` can be compared against doubles or a string if the string value can be parsed as an integer. - `double` can be compared against integers or a string if the string can be parsed as a double. - `Timestamp` can be compared against strings in RFC 3339 date string format. - `TimeOfDay` can be compared against timestamps and strings in the format of 'HH:mm:ss'. If we fail to compare do to type mismatch, a warning will be given and the condition will evaluate to false.

Bu Sun Kim

2020-07-22 17:02:09 -0700

[diff] [blame]

3674

"field": { # General identifier of a data field in a storage service. # Required. Field within the record this condition is evaluated against.

3675

"name": "A String", # Name describing the field.

3676

},

Dmitry Frenkel

2020-10-06 16:46:05 -0700

[diff] [blame^]

3677

"value": { # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a 'Value' is based on its representation as a UTF-8 encoded string. For example, if 'integer_value' is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data. # Value to compare against. [Mandatory, except for `EXISTS` tests.]

Bu Sun Kim

2020-07-22 17:02:09 -0700

[diff] [blame]

3678

"floatValue": 3.14, # float

Dmitry Frenkel

2020-10-06 16:46:05 -0700

[diff] [blame^]

3679

"integerValue": "A String", # integer

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

3680

"booleanValue": True or False, # boolean

Dmitry Frenkel

2020-10-06 16:46:05 -0700

[diff] [blame^]

3681

"timestampValue": "A String", # timestamp

3682

"dayOfWeekValue": "A String", # day of week

3683

"timeValue": { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # time of day

3684

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

3685

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds.

3686

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

3687

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value "24:00:00" for scenarios like business closing time.

3688

},

3689

"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day and time zone are either specified elsewhere or are not significant. The date is relative to the Proleptic Gregorian Calendar. This can represent: * A full date, with non-zero year, month and day values * A month and day value, with a zero year, e.g. an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, e.g. a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # date

3690

"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0 if specifying a year by itself or a year and month where the day is not significant.

3691

"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without a year.

3692

"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a month and day.

3693

},

3694

"stringValue": "A String", # string

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

3695

},

3696

"operator": "A String", # Required. Operator used to compare the field or infoType to the value.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

3697

},

3698

],

3699

},

Dmitry Frenkel

2020-10-06 16:46:05 -0700

[diff] [blame^]

3700

"logicalOperator": "A String", # The operator to apply to the result of conditions. Default and currently only supported value is `AND`.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

3701

},

3702

},

3703

},

Bu Sun Kim

2020-07-22 17:02:09 -0700

[diff] [blame]

3704

"transformedBytes": "A String", # Total size in bytes that were transformed in some way.

Dmitry Frenkel

2020-10-06 16:46:05 -0700

[diff] [blame^]

3705

"infoType": { # Type of information detected by the API. # Set if the transformation was limited to a specific InfoType.

3706

"name": "A String", # Name of the information type. Either a name of your choosing when creating a CustomInfoType, or one of the names listed at https://cloud.google.com/dlp/docs/infotypes-reference when specifying a built-in type. When sending Cloud DLP results to Data Catalog, infoType names should conform to the pattern `[A-Za-z0-9$-_]{1,64}`.

3707

},

3708

"transformation": { # A rule for transforming a value. # The specific transformation these stats apply to.

3709

"redactConfig": { # Redact a given value. For example, if used with an `InfoTypeTransformation` transforming PHONE_NUMBER, and input 'My phone number is 206-555-0123', the output would be 'My phone number is '. # Redact

3710

},

3711

"characterMaskConfig": { # Partially mask a string by replacing a given number of characters with a fixed character. Masking can start from the beginning or end of the string. This can be used on data of any type (numbers, longs, and so on) and when de-identifying structured data we'll attempt to preserve the original data's type. (This allows you to take a long like 123 and modify it to a string like **3. # Mask

3712

"numberToMask": 42, # Number of characters to mask. If not set, all matching chars will be masked. Skipped characters do not count towards this tally.

3713

"charactersToIgnore": [ # When masking a string, items in this list will be skipped when replacing characters. For example, if the input string is `555-555-5555` and you instruct Cloud DLP to skip `-` and mask 5 characters with `*`, Cloud DLP returns `***-**5-5555`.

3714

{ # Characters to skip when doing deidentification of a value. These will be left alone and skipped.

3715

"charactersToSkip": "A String", # Characters to not transform when masking.

3716

"commonCharactersToIgnore": "A String", # Common characters to not transform when masking. Useful to avoid removing punctuation.

3717

},

3718

],

3719

"reverseOrder": True or False, # Mask characters in reverse order. For example, if `masking_character` is `0`, `number_to_mask` is `14`, and `reverse_order` is `false`, then the input string `1234-5678-9012-3456` is masked as `00000000000000-3456`. If `masking_character` is `*`, `number_to_mask` is `3`, and `reverse_order` is `true`, then the string `12345` is masked as `12***`.

3720

"maskingCharacter": "A String", # Character to use to mask the sensitive values—for example, `*` for an alphabetic string such as a name, or `0` for a numeric string such as ZIP code or credit card number. This string must have a length of 1. If not supplied, this value defaults to `*` for strings, and `0` for digits.

3721

},

3722

"dateShiftConfig": { # Shifts dates by random number of days, with option to be consistent for the same context. See https://cloud.google.com/dlp/docs/concepts-date-shifting to learn more. # Date Shift

3723

"lowerBoundDays": 42, # Required. For example, -5 means shift date to at most 5 days back in the past.

3724

"upperBoundDays": 42, # Required. Range of shift in days. Actual shift will be selected at random within this range (inclusive ends). Negative means shift to earlier in time. Must not be more than 365250 days (1000 years) each direction. For example, 3 means shift date to at most 3 days into the future.

3725

"cryptoKey": { # This is a data encryption key (DEK) (as opposed to a key encryption key (KEK) stored by KMS). When using KMS to wrap/unwrap DEKs, be sure to set an appropriate IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot unwrap the data crypto key. # Causes the shift to be computed based on this key and the context. This results in the same shift for the same context and crypto_key. If set, must also set context. Can only be applied to table items.

3726

"unwrapped": { # Using raw keys is prone to security risks due to accidentally leaking the key. Choose another type of key if possible. # Unwrapped crypto key

3727

"key": "A String", # Required. A 128/192/256 bit key.

3728

},

3729

"transient": { # Use this to have a random data crypto key generated. It will be discarded after the request finishes. # Transient crypto key

3730

"name": "A String", # Required. Name of the key. This is an arbitrary string used to differentiate different keys. A unique key is generated per name: two separate `TransientCryptoKey` protos share the same generated key if their names are the same. When the data crypto key is generated, this name is not used in any way (repeating the api call will result in a different key being generated).

3731

},

3732

"kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. The wrapped key must be a 128/192/256 bit key. Authorization requires the following IAM permissions when sending a request to perform a crypto transformation using a kms-wrapped crypto key: dlp.kms.encrypt # Kms wrapped key

3733

"cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.

3734

"wrappedKey": "A String", # Required. The wrapped data crypto key.

3735

},

3736

},

3737

"context": { # General identifier of a data field in a storage service. # Points to the field that contains the context, for example, an entity id. If set, must also set cryptoKey. If set, shift will be consistent for the given context.

3738

"name": "A String", # Name describing the field.

3739

},

3740

},

3741

"cryptoDeterministicConfig": { # Pseudonymization method that generates deterministic encryption for the given input. Outputs a base64 encoded representation of the encrypted output. Uses AES-SIV based on the RFC https://tools.ietf.org/html/rfc5297. # Deterministic Crypto

3742

"surrogateInfoType": { # Type of information detected by the API. # The custom info type to annotate the surrogate with. This annotation will be applied to the surrogate by prefixing it with the name of the custom info type followed by the number of characters comprising the surrogate. The following scheme defines the format: {info type name}({surrogate character count}):{surrogate} For example, if the name of custom info type is 'MY_TOKEN_INFO_TYPE' and the surrogate is 'abc', the full replacement value will be: 'MY_TOKEN_INFO_TYPE(3):abc' This annotation identifies the surrogate when inspecting content using the custom info type 'Surrogate'. This facilitates reversal of the surrogate when it occurs in free text. Note: For record transformations where the entire cell in a table is being transformed, surrogates are not mandatory. Surrogates are used to denote the location of the token and are necessary for re-identification in free form text. In order for inspection to work properly, the name of this info type must not occur naturally anywhere in your data; otherwise, inspection may either - reverse a surrogate that does not correspond to an actual identifier - be unable to parse the surrogate and result in an error Therefore, choose your custom info type name carefully after considering what your data looks like. One way to select a name that has a high chance of yielding reliable detection is to include one or more unicode characters that are highly improbable to exist in your data. For example, assuming your data is entered from a regular ASCII keyboard, the symbol with the hex code point 29DD might be used like so: ⧝MY_TOKEN_TYPE.

3743

"name": "A String", # Name of the information type. Either a name of your choosing when creating a CustomInfoType, or one of the names listed at https://cloud.google.com/dlp/docs/infotypes-reference when specifying a built-in type. When sending Cloud DLP results to Data Catalog, infoType names should conform to the pattern `[A-Za-z0-9$-_]{1,64}`.

3744

},

3745

"context": { # General identifier of a data field in a storage service. # A context may be used for higher security and maintaining referential integrity such that the same identifier in two different contexts will be given a distinct surrogate. The context is appended to plaintext value being encrypted. On decryption the provided context is validated against the value used during encryption. If a context was provided during encryption, same context must be provided during decryption as well. If the context is not set, plaintext would be used as is for encryption. If the context is set but: 1. there is no record present when transforming a given value or 2. the field is not present when transforming a given value, plaintext would be used as is for encryption. Note that case (1) is expected when an `InfoTypeTransformation` is applied to both structured and non-structured `ContentItem`s.

3746

"name": "A String", # Name describing the field.

3747

},

3748

"cryptoKey": { # This is a data encryption key (DEK) (as opposed to a key encryption key (KEK) stored by KMS). When using KMS to wrap/unwrap DEKs, be sure to set an appropriate IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot unwrap the data crypto key. # The key used by the encryption function.

3749

"unwrapped": { # Using raw keys is prone to security risks due to accidentally leaking the key. Choose another type of key if possible. # Unwrapped crypto key

3750

"key": "A String", # Required. A 128/192/256 bit key.

3751

},

3752

"transient": { # Use this to have a random data crypto key generated. It will be discarded after the request finishes. # Transient crypto key

3753

"name": "A String", # Required. Name of the key. This is an arbitrary string used to differentiate different keys. A unique key is generated per name: two separate `TransientCryptoKey` protos share the same generated key if their names are the same. When the data crypto key is generated, this name is not used in any way (repeating the api call will result in a different key being generated).

3754

},

3755

"kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. The wrapped key must be a 128/192/256 bit key. Authorization requires the following IAM permissions when sending a request to perform a crypto transformation using a kms-wrapped crypto key: dlp.kms.encrypt # Kms wrapped key

3756

"cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.

3757

"wrappedKey": "A String", # Required. The wrapped data crypto key.

},

},

},

"replaceConfig": { # Replace each input value with a given `Value`. # Replace

3762

"newValue": { # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a 'Value' is based on its representation as a UTF-8 encoded string. For example, if 'integer_value' is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data. # Value to replace it with.

3763

"floatValue": 3.14, # float

3764

"integerValue": "A String", # integer

3765

"booleanValue": True or False, # boolean

3766

"timestampValue": "A String", # timestamp

3767

"dayOfWeekValue": "A String", # day of week

3768

"timeValue": { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # time of day

3769

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

3770

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds.

3771

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

3772

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value "24:00:00" for scenarios like business closing time.

3773

},

3774

"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day and time zone are either specified elsewhere or are not significant. The date is relative to the Proleptic Gregorian Calendar. This can represent: * A full date, with non-zero year, month and day values * A month and day value, with a zero year, e.g. an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, e.g. a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # date

3775

"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0 if specifying a year by itself or a year and month where the day is not significant.

3776

"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without a year.

3777

"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a month and day.

3778

},

3779

"stringValue": "A String", # string

3780

},

3781

},

3782

"cryptoReplaceFfxFpeConfig": { # Replaces an identifier with a surrogate using Format Preserving Encryption (FPE) with the FFX mode of operation; however when used in the `ReidentifyContent` API method, it serves the opposite function by reversing the surrogate back into the original identifier. The identifier must be encoded as ASCII. For a given crypto key and context, the same identifier will be replaced with the same surrogate. Identifiers must be at least two characters long. In the case that the identifier is the empty string, it will be skipped. See https://cloud.google.com/dlp/docs/pseudonymization to learn more. Note: We recommend using CryptoDeterministicConfig for all use cases which do not require preserving the input alphabet space and size, plus warrant referential integrity. # Ffx-Fpe

3783

"surrogateInfoType": { # Type of information detected by the API. # The custom infoType to annotate the surrogate with. This annotation will be applied to the surrogate by prefixing it with the name of the custom infoType followed by the number of characters comprising the surrogate. The following scheme defines the format: info_type_name(surrogate_character_count):surrogate For example, if the name of custom infoType is 'MY_TOKEN_INFO_TYPE' and the surrogate is 'abc', the full replacement value will be: 'MY_TOKEN_INFO_TYPE(3):abc' This annotation identifies the surrogate when inspecting content using the custom infoType [`SurrogateType`](https://cloud.google.com/dlp/docs/reference/rest/v2/InspectConfig#surrogatetype). This facilitates reversal of the surrogate when it occurs in free text. In order for inspection to work properly, the name of this infoType must not occur naturally anywhere in your data; otherwise, inspection may find a surrogate that does not correspond to an actual identifier. Therefore, choose your custom infoType name carefully after considering what your data looks like. One way to select a name that has a high chance of yielding reliable detection is to include one or more unicode characters that are highly improbable to exist in your data. For example, assuming your data is entered from a regular ASCII keyboard, the symbol with the hex code point 29DD might be used like so: ⧝MY_TOKEN_TYPE

3784

"name": "A String", # Name of the information type. Either a name of your choosing when creating a CustomInfoType, or one of the names listed at https://cloud.google.com/dlp/docs/infotypes-reference when specifying a built-in type. When sending Cloud DLP results to Data Catalog, infoType names should conform to the pattern `[A-Za-z0-9$-_]{1,64}`.

3785

},

3786

"context": { # General identifier of a data field in a storage service. # The 'tweak', a context may be used for higher security since the same identifier in two different contexts won't be given the same surrogate. If the context is not set, a default tweak will be used. If the context is set but: 1. there is no record present when transforming a given value or 1. the field is not present when transforming a given value, a default tweak will be used. Note that case (1) is expected when an `InfoTypeTransformation` is applied to both structured and non-structured `ContentItem`s. Currently, the referenced field may be of value type integer or string. The tweak is constructed as a sequence of bytes in big endian byte order such that: - a 64 bit integer is encoded followed by a single byte of value 1 - a string is encoded in UTF-8 format followed by a single byte of value 2

3787

"name": "A String", # Name describing the field.

3788

},

3789

"customAlphabet": "A String", # This is supported by mapping these to the alphanumeric characters that the FFX mode natively supports. This happens before/after encryption/decryption. Each character listed must appear only once. Number of characters must be in the range [2, 95]. This must be encoded as ASCII. The order of characters does not matter. The full list of allowed characters is: 0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz ~`!@#$%^&*()_-+={[}]|\:;"'<,>.?/

3790

"commonAlphabet": "A String", # Common alphabets.

3791

"cryptoKey": { # This is a data encryption key (DEK) (as opposed to a key encryption key (KEK) stored by KMS). When using KMS to wrap/unwrap DEKs, be sure to set an appropriate IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot unwrap the data crypto key. # Required. The key used by the encryption algorithm.

3792

"unwrapped": { # Using raw keys is prone to security risks due to accidentally leaking the key. Choose another type of key if possible. # Unwrapped crypto key

3793

"key": "A String", # Required. A 128/192/256 bit key.

3794

},

3795

"transient": { # Use this to have a random data crypto key generated. It will be discarded after the request finishes. # Transient crypto key

3796

"name": "A String", # Required. Name of the key. This is an arbitrary string used to differentiate different keys. A unique key is generated per name: two separate `TransientCryptoKey` protos share the same generated key if their names are the same. When the data crypto key is generated, this name is not used in any way (repeating the api call will result in a different key being generated).

3797

},

3798

"kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. The wrapped key must be a 128/192/256 bit key. Authorization requires the following IAM permissions when sending a request to perform a crypto transformation using a kms-wrapped crypto key: dlp.kms.encrypt # Kms wrapped key

3799

"cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.

3800

"wrappedKey": "A String", # Required. The wrapped data crypto key.

3801

},

3802

},

3803

"radix": 42, # The native way to select the alphabet. Must be in the range [2, 95].

3804

},

3805

"cryptoHashConfig": { # Pseudonymization method that generates surrogates via cryptographic hashing. Uses SHA-256. The key size must be either 32 or 64 bytes. Outputs a base64 encoded representation of the hashed output (for example, L7k0BHmF1ha5U3NfGykjro4xWi1MPVQPjhMAZbSV9mM=). Currently, only string and integer values can be hashed. See https://cloud.google.com/dlp/docs/pseudonymization to learn more. # Crypto

3806

"cryptoKey": { # This is a data encryption key (DEK) (as opposed to a key encryption key (KEK) stored by KMS). When using KMS to wrap/unwrap DEKs, be sure to set an appropriate IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot unwrap the data crypto key. # The key used by the hash function.

3807

"unwrapped": { # Using raw keys is prone to security risks due to accidentally leaking the key. Choose another type of key if possible. # Unwrapped crypto key

3808

"key": "A String", # Required. A 128/192/256 bit key.

3809

},

3810

"transient": { # Use this to have a random data crypto key generated. It will be discarded after the request finishes. # Transient crypto key

3811

"name": "A String", # Required. Name of the key. This is an arbitrary string used to differentiate different keys. A unique key is generated per name: two separate `TransientCryptoKey` protos share the same generated key if their names are the same. When the data crypto key is generated, this name is not used in any way (repeating the api call will result in a different key being generated).

3812

},

3813

"kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. The wrapped key must be a 128/192/256 bit key. Authorization requires the following IAM permissions when sending a request to perform a crypto transformation using a kms-wrapped crypto key: dlp.kms.encrypt # Kms wrapped key

3814

"cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.

3815

"wrappedKey": "A String", # Required. The wrapped data crypto key.

},

},

},

"bucketingConfig": { # Generalization function that buckets values based on ranges. The ranges and replacement values are dynamically provided by the user for custom behavior, such as 1-30 -> LOW 31-65 -> MEDIUM 66-100 -> HIGH This can be used on data of type: number, long, string, timestamp. If the bound `Value` type differs from the type of data being transformed, we will first attempt converting the type of the data to be transformed to match the type of the bound before comparing. See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more. # Bucketing

3820

"buckets": [ # Set of buckets. Ranges must be non-overlapping.

3821

{ # Bucket is represented as a range, along with replacement values.

3822

"max": { # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a 'Value' is based on its representation as a UTF-8 encoded string. For example, if 'integer_value' is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data. # Upper bound of the range, exclusive; type must match min.

3823

"floatValue": 3.14, # float

3824

"integerValue": "A String", # integer

3825

"booleanValue": True or False, # boolean

3826

"timestampValue": "A String", # timestamp

3827

"dayOfWeekValue": "A String", # day of week

3828

"timeValue": { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # time of day

3829

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

3830

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds.

3831

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

3832

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value "24:00:00" for scenarios like business closing time.

3833

},

3834

"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day and time zone are either specified elsewhere or are not significant. The date is relative to the Proleptic Gregorian Calendar. This can represent: * A full date, with non-zero year, month and day values * A month and day value, with a zero year, e.g. an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, e.g. a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # date

3835

"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0 if specifying a year by itself or a year and month where the day is not significant.

3836

"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without a year.

3837

"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a month and day.

3838

},

3839

"stringValue": "A String", # string

3840

},

3841

"min": { # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a 'Value' is based on its representation as a UTF-8 encoded string. For example, if 'integer_value' is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data. # Lower bound of the range, inclusive. Type should be the same as max if used.

3842

"floatValue": 3.14, # float

3843

"integerValue": "A String", # integer

3844

"booleanValue": True or False, # boolean

3845

"timestampValue": "A String", # timestamp

3846

"dayOfWeekValue": "A String", # day of week

3847

"timeValue": { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # time of day

3848

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

3849

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds.

3850

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

3851

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value "24:00:00" for scenarios like business closing time.

3852

},

3853

"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day and time zone are either specified elsewhere or are not significant. The date is relative to the Proleptic Gregorian Calendar. This can represent: * A full date, with non-zero year, month and day values * A month and day value, with a zero year, e.g. an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, e.g. a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # date

3854

"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0 if specifying a year by itself or a year and month where the day is not significant.

3855

"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without a year.

3856

"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a month and day.

3857

},

3858

"stringValue": "A String", # string

3859

},

3860

"replacementValue": { # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a 'Value' is based on its representation as a UTF-8 encoded string. For example, if 'integer_value' is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data. # Required. Replacement value for this bucket.

3861

"floatValue": 3.14, # float

3862

"integerValue": "A String", # integer

3863

"booleanValue": True or False, # boolean

3864

"timestampValue": "A String", # timestamp

3865

"dayOfWeekValue": "A String", # day of week

3866

"timeValue": { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # time of day

3867

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

3868

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds.

3869

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

3870

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value "24:00:00" for scenarios like business closing time.

3871

},

3872

"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day and time zone are either specified elsewhere or are not significant. The date is relative to the Proleptic Gregorian Calendar. This can represent: * A full date, with non-zero year, month and day values * A month and day value, with a zero year, e.g. an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, e.g. a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # date

3873

"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0 if specifying a year by itself or a year and month where the day is not significant.

3874

"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without a year.

3875

"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a month and day.

3876

},

3877

"stringValue": "A String", # string

},

},

],

},

"replaceWithInfoTypeConfig": { # Replace each matching finding with the name of the info_type. # Replace with infotype

3883

},

3884

"timePartConfig": { # For use with `Date`, `Timestamp`, and `TimeOfDay`, extract or preserve a portion of the value. # Time extraction

3885

"partToExtract": "A String", # The part of the time to keep.

3886

},

3887

"fixedSizeBucketingConfig": { # Buckets values based on fixed size ranges. The Bucketing transformation can provide all of this functionality, but requires more configuration. This message is provided as a convenience to the user for simple bucketing strategies. The transformed value will be a hyphenated string of {lower_bound}-{upper_bound}, i.e if lower_bound = 10 and upper_bound = 20 all values that are within this bucket will be replaced with "10-20". This can be used on data of type: double, long. If the bound Value type differs from the type of data being transformed, we will first attempt converting the type of the data to be transformed to match the type of the bound before comparing. See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more. # Fixed size bucketing

3888

"bucketSize": 3.14, # Required. Size of each bucket (except for minimum and maximum buckets). So if `lower_bound` = 10, `upper_bound` = 89, and `bucket_size` = 10, then the following buckets would be used: -10, 10-20, 20-30, 30-40, 40-50, 50-60, 60-70, 70-80, 80-89, 89+. Precision up to 2 decimals works.

3889

"lowerBound": { # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a 'Value' is based on its representation as a UTF-8 encoded string. For example, if 'integer_value' is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data. # Required. Lower bound value of buckets. All values less than `lower_bound` are grouped together into a single bucket; for example if `lower_bound` = 10, then all values less than 10 are replaced with the value "-10".

3890

"floatValue": 3.14, # float

3891

"integerValue": "A String", # integer

3892

"booleanValue": True or False, # boolean

3893

"timestampValue": "A String", # timestamp

3894

"dayOfWeekValue": "A String", # day of week

3895

"timeValue": { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # time of day

3896

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

3897

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds.

3898

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

3899

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value "24:00:00" for scenarios like business closing time.

3900

},

3901

"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day and time zone are either specified elsewhere or are not significant. The date is relative to the Proleptic Gregorian Calendar. This can represent: * A full date, with non-zero year, month and day values * A month and day value, with a zero year, e.g. an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, e.g. a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # date

3902

"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0 if specifying a year by itself or a year and month where the day is not significant.

3903

"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without a year.

3904

"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a month and day.

3905

},

3906

"stringValue": "A String", # string

3907

},

3908

"upperBound": { # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a 'Value' is based on its representation as a UTF-8 encoded string. For example, if 'integer_value' is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data. # Required. Upper bound value of buckets. All values greater than upper_bound are grouped together into a single bucket; for example if `upper_bound` = 89, then all values greater than 89 are replaced with the value "89+".

3909

"floatValue": 3.14, # float

3910

"integerValue": "A String", # integer

3911

"booleanValue": True or False, # boolean

3912

"timestampValue": "A String", # timestamp

3913

"dayOfWeekValue": "A String", # day of week

3914

"timeValue": { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # time of day

3915

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

3916

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds.

3917

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

3918

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value "24:00:00" for scenarios like business closing time.

3919

},

3920

"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day and time zone are either specified elsewhere or are not significant. The date is relative to the Proleptic Gregorian Calendar. This can represent: * A full date, with non-zero year, month and day values * A month and day value, with a zero year, e.g. an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, e.g. a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # date

3921

"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0 if specifying a year by itself or a year and month where the day is not significant.

3922

"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without a year.

3923

"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a month and day.

3924

},

3925

"stringValue": "A String", # string

},

},

},

"results": [ # Collection of all transformations that took place or had an error.

3930

{ # A collection that informs the user the number of times a particular `TransformationResultCode` and error details occurred.

3931

"count": "A String", # Number of transformations counted by this result.

3932

"code": "A String", # Outcome of the transformation.

3933

"details": "A String", # A place for warnings or errors to show up if a transformation didn't work as expected.

3934

},

3935

],

3936

"field": { # General identifier of a data field in a storage service. # Set if the transformation was limited to a specific FieldId.

3937

"name": "A String", # Name describing the field.

3938

},

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

3939

},

3940

],

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

3941

},

3942

"item": { # Container structure for the content to inspect. # The re-identified item.

Bu Sun Kim

2020-07-22 17:02:09 -0700

[diff] [blame]

3943

"value": "A String", # String data to inspect or redact.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

3944

"byteItem": { # Container for bytes to inspect or redact. # Content data to inspect or redact. Replaces `type` and `data`.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

3945

"data": "A String", # Content data to inspect or redact.

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

3946

"type": "A String", # The type of data stored in the bytes string. Default will be TEXT_UTF8.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

3947

},

Dmitry Frenkel

2020-10-06 16:46:05 -0700

[diff] [blame^]

3948

"table": { # Structured content to inspect. Up to 50,000 `Value`s per request allowed. See https://cloud.google.com/dlp/docs/inspecting-text#inspecting_a_table to learn more. # Structured content for inspection. See https://cloud.google.com/dlp/docs/inspecting-text#inspecting_a_table to learn more.

Bu Sun Kim

2020-07-22 17:02:09 -0700

[diff] [blame]

3949

"headers": [ # Headers of the table.

3950

{ # General identifier of a data field in a storage service.

3951

"name": "A String", # Name describing the field.

3952

},

3953

],

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

3954

"rows": [ # Rows of the table.

3955

{ # Values of the row.

3956

"values": [ # Individual cells.

Dmitry Frenkel

2020-10-06 16:46:05 -0700

[diff] [blame^]

3957

{ # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a 'Value' is based on its representation as a UTF-8 encoded string. For example, if 'integer_value' is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data.

Bu Sun Kim

2020-07-22 17:02:09 -0700

[diff] [blame]

3958

"floatValue": 3.14, # float

Dmitry Frenkel

2020-10-06 16:46:05 -0700

[diff] [blame^]

3959

"integerValue": "A String", # integer

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

3960

"booleanValue": True or False, # boolean

Dmitry Frenkel

2020-10-06 16:46:05 -0700

[diff] [blame^]

3961

"timestampValue": "A String", # timestamp

3962

"dayOfWeekValue": "A String", # day of week

3963

"timeValue": { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # time of day

3964

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

3965

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds.

3966

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

3967

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value "24:00:00" for scenarios like business closing time.

3968

},

3969

"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day and time zone are either specified elsewhere or are not significant. The date is relative to the Proleptic Gregorian Calendar. This can represent: * A full date, with non-zero year, month and day values * A month and day value, with a zero year, e.g. an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, e.g. a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # date

3970

"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0 if specifying a year by itself or a year and month where the day is not significant.

3971

"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without a year.

3972

"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a month and day.

3973

},

3974

"stringValue": "A String", # string

Bu Sun Kim