Blame - docs/dyn/dlp_v2.projects.locations.content.html - platform/external/python/google-api-python-client

<h1><a href="dlp_v2.html">Cloud Data Loss Prevention (DLP) API</a> . <a href="dlp_v2.projects.html">projects</a> . <a href="dlp_v2.projects.locations.html">locations</a> . <a href="dlp_v2.projects.locations.content.html">content</a></h1>

76

<h2>Instance Methods</h2>

77

78

<code><a href="#deidentify">deidentify(parent, locationId, body=None, x__xgafv=None)</a></code></p>

79

<p class="firstline">De-identifies potentially sensitive info from a ContentItem.</p>

80

81

<code><a href="#inspect">inspect(parent, locationId, body=None, x__xgafv=None)</a></code></p>

82

<p class="firstline">Finds potentially sensitive info in content.</p>

83

84

<code><a href="#reidentify">reidentify(parent, locationId, body=None, x__xgafv=None)</a></code></p>

85

<p class="firstline">Re-identifies content that has been de-identified.</p>

86

<h3>Method Details</h3>

87

88

<code class="details" id="deidentify">deidentify(parent, locationId, body=None, x__xgafv=None)</code>

89

<pre>De-identifies potentially sensitive info from a ContentItem.

90

This method has limits on input size and output size.

91

See https://cloud.google.com/dlp/docs/deidentify-sensitive-data to

92

learn more.

93

94

When no InfoTypes or CustomInfoTypes are specified in this request, the

95

system will automatically choose what detectors to run. By default this may

96

be all types, but may change over time as detectors are updated.

97

98

Args:

99

parent: string, The parent resource name, for example projects/my-project-id. (required)

100

locationId: string, The geographic location to process de-identification. Reserved for future

101

extensions. (required)

102

body: object, The request body.

103

The object takes the form of:

104

105

{ # Request to de-identify a list of items.

106

"item": { # Container structure for the content to inspect. # The item to de-identify. Will be treated as text.

107

"byteItem": { # Container for bytes to inspect or redact. # Content data to inspect or redact. Replaces `type` and `data`.

108

"type": "A String", # The type of data stored in the bytes string. Default will be TEXT_UTF8.

109

"data": "A String", # Content data to inspect or redact.

110

},

111

"value": "A String", # String data to inspect or redact.

112

"table": { # Structured content to inspect. Up to 50,000 `Value`s per request allowed. # Structured content for inspection. See

113

# https://cloud.google.com/dlp/docs/inspecting-text#inspecting_a_table to

114

# learn more.

115

# See https://cloud.google.com/dlp/docs/inspecting-text#inspecting_a_table to

116

# learn more.

117

"rows": [ # Rows of the table.

118

{ # Values of the row.

119

"values": [ # Individual cells.

120

{ # Set of primitive values supported by the system.

121

# Note that for the purposes of inspection or transformation, the number

122

# of bytes considered to comprise a 'Value' is based on its representation

123

# as a UTF-8 encoded string. For example, if 'integer_value' is set to

124

# 123456789, the number of bytes would be counted as 9, even though an

125

# int64 only holds up to 8 bytes of data.

126

"booleanValue": True or False, # boolean

127

"floatValue": 3.14, # float

128

"dayOfWeekValue": "A String", # day of week

129

"timestampValue": "A String", # timestamp

130

"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date

131

# and time zone are either specified elsewhere or are not significant. The date

132

# is relative to the Proleptic Gregorian Calendar. This can represent:

133

#

134

# * A full date, with non-zero year, month and day values

135

# * A month and day value, with a zero year, e.g. an anniversary

136

# * A year on its own, with zero month and day values

137

# * A year and month value, with a zero day, e.g. a credit card expiration date

138

#

139

# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.

140

"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without

141

# a year.

142

"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a

143

# month and day.

144

"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0

145

# if specifying a year by itself or a year and month where the day is not

146

# significant.

147

},

148

"stringValue": "A String", # string

149

"integerValue": "A String", # integer

150

"timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day

151

# or are specified elsewhere. An API may choose to allow leap seconds. Related

152

# types are google.type.Date and `google.protobuf.Timestamp`.

153

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may

154

# allow the value 60 if it allows leap-seconds.

155

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

156

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose

157

# to allow the value "24:00:00" for scenarios like business closing time.

158

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

},

},

],

},

],

"headers": [ # Headers of the table.

165

{ # General identifier of a data field in a storage service.

166

"name": "A String", # Name describing the field.

},

],

},

},

"inspectTemplateName": "A String", # Template to use. Any configuration directly specified in

172

# inspect_config will override those set in the template. Singular fields

173

# that are set in this request will replace their corresponding fields in the

174

# template. Repeated fields are appended. Singular sub-messages and groups

175

# are recursively merged.

176

"deidentifyTemplateName": "A String", # Template to use. Any configuration directly specified in

177

# deidentify_config will override those set in the template. Singular fields

178

# that are set in this request will replace their corresponding fields in the

179

# template. Repeated fields are appended. Singular sub-messages and groups

180

# are recursively merged.

181

"inspectConfig": { # Configuration description of the scanning process. # Configuration for the inspector.

182

# Items specified here will override the template referenced by the

183

# inspect_template_name argument.

184

# When used with redactContent only info_types and min_likelihood are currently

185

# used.

186

"includeQuote": True or False, # When true, a contextual quote from the data that triggered a finding is

187

# included in the response; see Finding.quote.

188

"ruleSet": [ # Set of rules to apply to the findings for this InspectConfig.

189

# Exclusion rules, contained in the set are executed in the end, other

190

# rules are executed in the order they are specified for each info type.

191

{ # Rule set for modifying a set of infoTypes to alter behavior under certain

192

# circumstances, depending on the specific details of the rules within the set.

193

"infoTypes": [ # List of infoTypes this rule set is applied to.

194

{ # Type of information detected by the API.

195

"name": "A String", # Name of the information type. Either a name of your choosing when

196

# creating a CustomInfoType, or one of the names listed

197

# at https://cloud.google.com/dlp/docs/infotypes-reference when specifying

198

# a built-in type. InfoType names should conform to the pattern

199

# `[a-zA-Z0-9_]{1,64}`.

200

},

201

],

202

"rules": [ # Set of rules to be applied to infoTypes. The rules are applied in order.

203

{ # A single inspection rule to be applied to infoTypes, specified in

204

# `InspectionRuleSet`.

205

"hotwordRule": { # The rule that adjusts the likelihood of findings within a certain # Hotword-based detection rule.

206

# proximity of hotwords.

207

"likelihoodAdjustment": { # Message for specifying an adjustment to the likelihood of a finding as # Likelihood adjustment to apply to all matching findings.

208

# part of a detection rule.

209

"relativeLikelihood": 42, # Increase or decrease the likelihood by the specified number of

210

# levels. For example, if a finding would be `POSSIBLE` without the

211

# detection rule and `relative_likelihood` is 1, then it is upgraded to

212

# `LIKELY`, while a value of -1 would downgrade it to `UNLIKELY`.

213

# Likelihood may never drop below `VERY_UNLIKELY` or exceed

214

# `VERY_LIKELY`, so applying an adjustment of 1 followed by an

215

# adjustment of -1 when base likelihood is `VERY_LIKELY` will result in

216

# a final likelihood of `LIKELY`.

217

"fixedLikelihood": "A String", # Set the likelihood of a finding to a fixed value.

218

},

219

"hotwordRegex": { # Message defining a custom regular expression. # Regular expression pattern defining what qualifies as a hotword.

220

"groupIndexes": [ # The index of the submatch to extract as findings. When not

221

# specified, the entire match is returned. No more than 3 may be included.

222

42,

223

],

224

"pattern": "A String", # Pattern defining the regular expression. Its syntax

225

# (https://github.com/google/re2/wiki/Syntax) can be found under the

226

# google/re2 repository on GitHub.

227

},

228

"proximity": { # Message for specifying a window around a finding to apply a detection # Proximity of the finding within which the entire hotword must reside.

229

# The total length of the window cannot exceed 1000 characters. Note that

230

# the finding itself will be included in the window, so that hotwords may

231

# be used to match substrings of the finding itself. For example, the

232

# certainty of a phone number regex "\(\d{3}\) \d{3}-\d{4}" could be

233

# adjusted upwards if the area code is known to be the local area code of

234

# a company office using the hotword regex "\(xxx\)", where "xxx"

235

# is the area code in question.

236

# rule.

237

"windowBefore": 42, # Number of characters before the finding to consider.

238

"windowAfter": 42, # Number of characters after the finding to consider.

239

},

240

},

241

"exclusionRule": { # The rule that specifies conditions when findings of infoTypes specified in # Exclusion rule.

242

# `InspectionRuleSet` are removed from results.

243

"dictionary": { # Custom information type based on a dictionary of words or phrases. This can # Dictionary which defines the rule.

244

# be used to match sensitive information specific to the data, such as a list

245

# of employee IDs or job titles.

246

#

247

# Dictionary words are case-insensitive and all characters other than letters

248

# and digits in the unicode [Basic Multilingual

249

# Plane](https://en.wikipedia.org/wiki/Plane_%28Unicode%29#Basic_Multilingual_Plane)

250

# will be replaced with whitespace when scanning for matches, so the

251

# dictionary phrase "Sam Johnson" will match all three phrases "sam johnson",

252

# "Sam, Johnson", and "Sam (Johnson)". Additionally, the characters

253

# surrounding any match must be of a different type than the adjacent

254

# characters within the word, so letters must be next to non-letters and

255

# digits next to non-digits. For example, the dictionary word "jen" will

256

# match the first three letters of the text "jen123" but will return no

257

# matches for "jennifer".

258

#

259

# Dictionary words containing a large number of characters that are not

260

# letters or digits may result in unexpected findings because such characters

261

# are treated as whitespace. The

262

# [limits](https://cloud.google.com/dlp/limits) page contains details about

263

# the size limits of dictionaries. For dictionaries that do not fit within

264

# these constraints, consider using `LargeCustomDictionaryConfig` in the

265

# `StoredInfoType` API.

266

"wordList": { # Message defining a list of words or phrases to search for in the data. # List of words or phrases to search for.

267

"words": [ # Words or phrases defining the dictionary. The dictionary must contain

268

# at least one phrase and every phrase must contain at least 2 characters

269

# that are letters or digits. [required]

"A String",

],

},

"cloudStoragePath": { # Message representing a single file or path in Cloud Storage. # Newline-delimited file of words in Cloud Storage. Only a single file

274

# is accepted.

275

"path": "A String", # A url representing a file or path (no wildcards) in Cloud Storage.

276

# Example: gs://[BUCKET_NAME]/dictionary.txt

277

},

278

},

279

"regex": { # Message defining a custom regular expression. # Regular expression which defines the rule.

280

"groupIndexes": [ # The index of the submatch to extract as findings. When not

281

# specified, the entire match is returned. No more than 3 may be included.

282

42,

283

],

284

"pattern": "A String", # Pattern defining the regular expression. Its syntax

285

# (https://github.com/google/re2/wiki/Syntax) can be found under the

286

# google/re2 repository on GitHub.

287

},

288

"excludeInfoTypes": { # List of exclude infoTypes. # Set of infoTypes for which findings would affect this rule.

289

"infoTypes": [ # InfoType list in ExclusionRule rule drops a finding when it overlaps or

290

# contained within with a finding of an infoType from this list. For

291

# example, for `InspectionRuleSet.info_types` containing "PHONE_NUMBER"` and

292

# `exclusion_rule` containing `exclude_info_types.info_types` with

293

# "EMAIL_ADDRESS" the phone number findings are dropped if they overlap

294

# with EMAIL_ADDRESS finding.

295

# That leads to "555-222-2222@example.org" to generate only a single

296

# finding, namely email address.

297

{ # Type of information detected by the API.

298

"name": "A String", # Name of the information type. Either a name of your choosing when

299

# creating a CustomInfoType, or one of the names listed

300

# at https://cloud.google.com/dlp/docs/infotypes-reference when specifying

301

# a built-in type. InfoType names should conform to the pattern

302

# `[a-zA-Z0-9_]{1,64}`.

},

],

},

"matchingType": "A String", # How the rule is applied, see MatchingType documentation for details.

},

},

],

},

],

"limits": { # Configuration to control the number of findings returned. # Configuration to control the number of findings returned.

313

"maxFindingsPerItem": 42, # Max number of findings that will be returned for each item scanned.

314

# When set within `InspectJobConfig`,

315

# the maximum returned is 2000 regardless if this is set higher.

316

# When set within `InspectContentRequest`, this field is ignored.

317

"maxFindingsPerInfoType": [ # Configuration of findings limit given for specified infoTypes.

318

{ # Max findings configuration per infoType, per content item or long

319

# running DlpJob.

320

"maxFindings": 42, # Max findings limit for the given infoType.

321

"infoType": { # Type of information detected by the API. # Type of information the findings limit applies to. Only one limit per

322

# info_type should be provided. If InfoTypeLimit does not have an

323

# info_type, the DLP API applies the limit against all info_types that

324

# are found but not specified in another InfoTypeLimit.

325

"name": "A String", # Name of the information type. Either a name of your choosing when

326

# creating a CustomInfoType, or one of the names listed

327

# at https://cloud.google.com/dlp/docs/infotypes-reference when specifying

328

# a built-in type. InfoType names should conform to the pattern

329

# `[a-zA-Z0-9_]{1,64}`.

},

},

],

"maxFindingsPerRequest": 42, # Max number of findings that will be returned per request/job.

334

# When set within `InspectContentRequest`, the maximum returned is 2000

335

# regardless if this is set higher.

336

},

337

"contentOptions": [ # List of options defining data content to scan.

338

# If empty, text, images, and other content will be included.

339

"A String",

340

],

341

"infoTypes": [ # Restricts what info_types to look for. The values must correspond to

342

# InfoType values returned by ListInfoTypes or listed at

343

# https://cloud.google.com/dlp/docs/infotypes-reference.

344

#

345

# When no InfoTypes or CustomInfoTypes are specified in a request, the

346

# system may automatically choose what detectors to run. By default this may

347

# be all types, but may change over time as detectors are updated.

348

#

349

# If you need precise control and predictability as to what detectors are

350

# run you should specify specific InfoTypes listed in the reference,

351

# otherwise a default list will be used, which may change over time.

352

{ # Type of information detected by the API.

353

"name": "A String", # Name of the information type. Either a name of your choosing when

354

# creating a CustomInfoType, or one of the names listed

355

# at https://cloud.google.com/dlp/docs/infotypes-reference when specifying

356

# a built-in type. InfoType names should conform to the pattern

357

# `[a-zA-Z0-9_]{1,64}`.

358

},

359

],

360

"minLikelihood": "A String", # Only returns findings equal or above this threshold. The default is

361

# POSSIBLE.

362

# See https://cloud.google.com/dlp/docs/likelihood to learn more.

363

"excludeInfoTypes": True or False, # When true, excludes type information of the findings.

364

"customInfoTypes": [ # CustomInfoTypes provided by the user. See

365

# https://cloud.google.com/dlp/docs/creating-custom-infotypes to learn more.

366

{ # Custom information type provided by the user. Used to find domain-specific

367

# sensitive information configurable to the data in question.

368

"likelihood": "A String", # Likelihood to return for this CustomInfoType. This base value can be

369

# altered by a detection rule if the finding meets the criteria specified by

370

# the rule. Defaults to `VERY_LIKELY` if not specified.

371

"infoType": { # Type of information detected by the API. # CustomInfoType can either be a new infoType, or an extension of built-in

372

# infoType, when the name matches one of existing infoTypes and that infoType

373

# is specified in `InspectContent.info_types` field. Specifying the latter

374

# adds findings to the one detected by the system. If built-in info type is

375

# not specified in `InspectContent.info_types` list then the name is treated

376

# as a custom info type.

377

"name": "A String", # Name of the information type. Either a name of your choosing when

378

# creating a CustomInfoType, or one of the names listed

379

# at https://cloud.google.com/dlp/docs/infotypes-reference when specifying

380

# a built-in type. InfoType names should conform to the pattern

381

# `[a-zA-Z0-9_]{1,64}`.

382

},

383

"regex": { # Message defining a custom regular expression. # Regular expression based CustomInfoType.

384

"groupIndexes": [ # The index of the submatch to extract as findings. When not

385

# specified, the entire match is returned. No more than 3 may be included.

386

42,

387

],

388

"pattern": "A String", # Pattern defining the regular expression. Its syntax

389

# (https://github.com/google/re2/wiki/Syntax) can be found under the

390

# google/re2 repository on GitHub.

391

},

392

"detectionRules": [ # Set of detection rules to apply to all findings of this CustomInfoType.

393

# Rules are applied in order that they are specified. Not supported for the

394

# `surrogate_type` CustomInfoType.

395

{ # Deprecated; use `InspectionRuleSet` instead. Rule for modifying a

396

# `CustomInfoType` to alter behavior under certain circumstances, depending

397

# on the specific details of the rule. Not supported for the `surrogate_type`

398

# custom infoType.

399

"hotwordRule": { # The rule that adjusts the likelihood of findings within a certain # Hotword-based detection rule.

400

# proximity of hotwords.

401

"likelihoodAdjustment": { # Message for specifying an adjustment to the likelihood of a finding as # Likelihood adjustment to apply to all matching findings.

402

# part of a detection rule.

403

"relativeLikelihood": 42, # Increase or decrease the likelihood by the specified number of

404

# levels. For example, if a finding would be `POSSIBLE` without the

405

# detection rule and `relative_likelihood` is 1, then it is upgraded to

406

# `LIKELY`, while a value of -1 would downgrade it to `UNLIKELY`.

407

# Likelihood may never drop below `VERY_UNLIKELY` or exceed

408

# `VERY_LIKELY`, so applying an adjustment of 1 followed by an

409

# adjustment of -1 when base likelihood is `VERY_LIKELY` will result in

410

# a final likelihood of `LIKELY`.

411

"fixedLikelihood": "A String", # Set the likelihood of a finding to a fixed value.

412

},

413

"hotwordRegex": { # Message defining a custom regular expression. # Regular expression pattern defining what qualifies as a hotword.

414

"groupIndexes": [ # The index of the submatch to extract as findings. When not

415

# specified, the entire match is returned. No more than 3 may be included.

416

42,

417

],

418

"pattern": "A String", # Pattern defining the regular expression. Its syntax

419

# (https://github.com/google/re2/wiki/Syntax) can be found under the

420

# google/re2 repository on GitHub.

421

},

422

"proximity": { # Message for specifying a window around a finding to apply a detection # Proximity of the finding within which the entire hotword must reside.

423

# The total length of the window cannot exceed 1000 characters. Note that

424

# the finding itself will be included in the window, so that hotwords may

425

# be used to match substrings of the finding itself. For example, the

426

# certainty of a phone number regex "\(\d{3}\) \d{3}-\d{4}" could be

427

# adjusted upwards if the area code is known to be the local area code of

428

# a company office using the hotword regex "\(xxx\)", where "xxx"

429

# is the area code in question.

430

# rule.

431

"windowBefore": 42, # Number of characters before the finding to consider.

432

"windowAfter": 42, # Number of characters after the finding to consider.

},

},

},

],

"exclusionType": "A String", # If set to EXCLUSION_TYPE_EXCLUDE this infoType will not cause a finding

438

# to be returned. It still can be used for rules matching.

439

"dictionary": { # Custom information type based on a dictionary of words or phrases. This can # A list of phrases to detect as a CustomInfoType.

440

# be used to match sensitive information specific to the data, such as a list

441

# of employee IDs or job titles.

442

#

443

# Dictionary words are case-insensitive and all characters other than letters

444

# and digits in the unicode [Basic Multilingual

445

# Plane](https://en.wikipedia.org/wiki/Plane_%28Unicode%29#Basic_Multilingual_Plane)

446

# will be replaced with whitespace when scanning for matches, so the

447

# dictionary phrase "Sam Johnson" will match all three phrases "sam johnson",

448

# "Sam, Johnson", and "Sam (Johnson)". Additionally, the characters

449

# surrounding any match must be of a different type than the adjacent

450

# characters within the word, so letters must be next to non-letters and

451

# digits next to non-digits. For example, the dictionary word "jen" will

452

# match the first three letters of the text "jen123" but will return no

453

# matches for "jennifer".

454

#

455

# Dictionary words containing a large number of characters that are not

456

# letters or digits may result in unexpected findings because such characters

457

# are treated as whitespace. The

458

# [limits](https://cloud.google.com/dlp/limits) page contains details about

459

# the size limits of dictionaries. For dictionaries that do not fit within

460

# these constraints, consider using `LargeCustomDictionaryConfig` in the

461

# `StoredInfoType` API.

462

"wordList": { # Message defining a list of words or phrases to search for in the data. # List of words or phrases to search for.

463

"words": [ # Words or phrases defining the dictionary. The dictionary must contain

464

# at least one phrase and every phrase must contain at least 2 characters

465

# that are letters or digits. [required]

"A String",

],

},

"cloudStoragePath": { # Message representing a single file or path in Cloud Storage. # Newline-delimited file of words in Cloud Storage. Only a single file

470

# is accepted.

471

"path": "A String", # A url representing a file or path (no wildcards) in Cloud Storage.

472

# Example: gs://[BUCKET_NAME]/dictionary.txt

473

},

474

},

475

"storedType": { # A reference to a StoredInfoType to use with scanning. # Load an existing `StoredInfoType` resource for use in

476

# `InspectDataSource`. Not currently supported in `InspectContent`.

477

"name": "A String", # Resource name of the requested `StoredInfoType`, for example

478

# `organizations/433245324/storedInfoTypes/432452342` or

479

# `projects/project-id/storedInfoTypes/432452342`.

480

"createTime": "A String", # Timestamp indicating when the version of the `StoredInfoType` used for

481

# inspection was created. Output-only field, populated by the system.

482

},

483

"surrogateType": { # Message for detecting output from deidentification transformations # Message for detecting output from deidentification transformations that

484

# support reversing.

485

# such as

486

# [`CryptoReplaceFfxFpeConfig`](/dlp/docs/reference/rest/v2/organizations.deidentifyTemplates#cryptoreplaceffxfpeconfig).

487

# These types of transformations are

488

# those that perform pseudonymization, thereby producing a "surrogate" as

489

# output. This should be used in conjunction with a field on the

490

# transformation such as `surrogate_info_type`. This CustomInfoType does

491

# not support the use of `detection_rules`.

},

},

],

},

"deidentifyConfig": { # The configuration that controls how the data will change. # Configuration for the de-identification of the content item.

497

# Items specified here will override the template referenced by the

498

# deidentify_template_name argument.

499

"transformationErrorHandling": { # How to handle transformation errors during de-identification. A # Mode for handling transformation errors. If left unspecified, the default

500

# mode is `TransformationErrorHandling.ThrowError`.

501

# transformation error occurs when the requested transformation is incompatible

502

# with the data. For example, trying to de-identify an IP address using a

503

# `DateShift` transformation would result in a transformation error, since date

504

# info cannot be extracted from an IP address.

505

# Information about any incompatible transformations, and how they were

506

# handled, is returned in the response as part of the

507

# `TransformationOverviews`.

508

"throwError": { # Throw an error and fail the request when a transformation error occurs. # Throw an error

509

},

510

"leaveUntransformed": { # Skips the data without modifying it if the requested transformation would # Ignore errors

511

# cause an error. For example, if a `DateShift` transformation were applied

512

# an an IP address, this mode would leave the IP address unchanged in the

# response.

},

},

"recordTransformations": { # A type of transformation that is applied over structured data such as a # Treat the dataset as structured. Transformations can be applied to

517

# specific locations within structured datasets, such as transforming

518

# a column within a table.

519

# table.

520

"recordSuppressions": [ # Configuration defining which records get suppressed entirely. Records that

521

# match any suppression rule are omitted from the output.

522

{ # Configuration to suppress records whose suppression conditions evaluate to

523

# true.

524

"condition": { # A condition for determining whether a transformation should be applied to # A condition that when it evaluates to true will result in the record being

525

# evaluated to be suppressed from the transformed content.

526

# a field.

527

"expressions": { # An expression, consisting or an operator and conditions. # An expression.

528

"logicalOperator": "A String", # The operator to apply to the result of conditions. Default and currently

529

# only supported value is `AND`.

530

"conditions": { # A collection of conditions. # Conditions to apply to the expression.

531

"conditions": [ # A collection of conditions.

532

{ # The field type of `value` and `field` do not need to match to be

533

# considered equal, but not all comparisons are possible.

534

# EQUAL_TO and NOT_EQUAL_TO attempt to compare even with incompatible types,

535

# but all other comparisons are invalid with incompatible types.

536

# A `value` of type:

537

#

538

# - `string` can be compared against all other types

539

# - `boolean` can only be compared against other booleans

540

# - `integer` can be compared against doubles or a string if the string value

541

# can be parsed as an integer.

542

# - `double` can be compared against integers or a string if the string can

543

# be parsed as a double.

544

# - `Timestamp` can be compared against strings in RFC 3339 date string

545

# format.

546

# - `TimeOfDay` can be compared against timestamps and strings in the format

547

# of 'HH:mm:ss'.

548

#

549

# If we fail to compare do to type mismatch, a warning will be given and

550

# the condition will evaluate to false.

551

"field": { # General identifier of a data field in a storage service. # Required. Field within the record this condition is evaluated against.

552

"name": "A String", # Name describing the field.

553

},

554

"operator": "A String", # Required. Operator used to compare the field or infoType to the value.

555

"value": { # Set of primitive values supported by the system. # Value to compare against. [Mandatory, except for `EXISTS` tests.]

556

# Note that for the purposes of inspection or transformation, the number

557

# of bytes considered to comprise a 'Value' is based on its representation

558

# as a UTF-8 encoded string. For example, if 'integer_value' is set to

559

# 123456789, the number of bytes would be counted as 9, even though an

560

# int64 only holds up to 8 bytes of data.

561

"booleanValue": True or False, # boolean

562

"floatValue": 3.14, # float

563

"dayOfWeekValue": "A String", # day of week

564

"timestampValue": "A String", # timestamp

565

"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date

566

# and time zone are either specified elsewhere or are not significant. The date

567

# is relative to the Proleptic Gregorian Calendar. This can represent:

568

#

569

# * A full date, with non-zero year, month and day values

570

# * A month and day value, with a zero year, e.g. an anniversary

571

# * A year on its own, with zero month and day values

572

# * A year and month value, with a zero day, e.g. a credit card expiration date

573

#

574

# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.

575

"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without

576

# a year.

577

"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a

578

# month and day.

579

"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0

580

# if specifying a year by itself or a year and month where the day is not

581

# significant.

582

},

583

"stringValue": "A String", # string

584

"integerValue": "A String", # integer

585

"timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day

586

# or are specified elsewhere. An API may choose to allow leap seconds. Related

587

# types are google.type.Date and `google.protobuf.Timestamp`.

588

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may

589

# allow the value 60 if it allows leap-seconds.

590

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

591

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose

592

# to allow the value "24:00:00" for scenarios like business closing time.

593

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

},

},

},

],

},

},

},

},

],

"fieldTransformations": [ # Transform the record by applying various field transformations.

604

{ # The transformation to apply to the field.

605

"fields": [ # Required. Input field(s) to apply the transformation to.

606

{ # General identifier of a data field in a storage service.

607

"name": "A String", # Name describing the field.

608

},

609

],

610

"infoTypeTransformations": { # A type of transformation that will scan unstructured text and # Treat the contents of the field as free text, and selectively

611

# transform content that matches an `InfoType`.

612

# apply various `PrimitiveTransformation`s to each finding, where the

613

# transformation is applied to only values that were identified as a specific

614

# info_type.

615

"transformations": [ # Required. Transformation for each infoType. Cannot specify more than one

616

# for a given infoType.

617

{ # A transformation to apply to text that is identified as a specific

618

# info_type.

619

"infoTypes": [ # InfoTypes to apply the transformation to. An empty list will cause

620

# this transformation to apply to all findings that correspond to

621

# infoTypes that were requested in `InspectConfig`.

622

{ # Type of information detected by the API.

623

"name": "A String", # Name of the information type. Either a name of your choosing when

624

# creating a CustomInfoType, or one of the names listed

625

# at https://cloud.google.com/dlp/docs/infotypes-reference when specifying

626

# a built-in type. InfoType names should conform to the pattern

627

# `[a-zA-Z0-9_]{1,64}`.

628

},

629

],

630

"primitiveTransformation": { # A rule for transforming a value. # Required. Primitive transformation to apply to the infoType.

631

"timePartConfig": { # For use with `Date`, `Timestamp`, and `TimeOfDay`, extract or preserve a # Time extraction

632

# portion of the value.

633

"partToExtract": "A String", # The part of the time to keep.

634

},

635

"dateShiftConfig": { # Shifts dates by random number of days, with option to be consistent for the # Date Shift

636

# same context. See https://cloud.google.com/dlp/docs/concepts-date-shifting

637

# to learn more.

638

"context": { # General identifier of a data field in a storage service. # Points to the field that contains the context, for example, an entity id.

639

# If set, must also set cryptoKey. If set, shift will be consistent for the

640

# given context.

641

"name": "A String", # Name describing the field.

642

},

643

"upperBoundDays": 42, # Required. Range of shift in days. Actual shift will be selected at random within this

644

# range (inclusive ends). Negative means shift to earlier in time. Must not

645

# be more than 365250 days (1000 years) each direction.

646

#

647

# For example, 3 means shift date to at most 3 days into the future.

648

"lowerBoundDays": 42, # Required. For example, -5 means shift date to at most 5 days back in the past.

649

"cryptoKey": { # This is a data encryption key (DEK) (as opposed to # Causes the shift to be computed based on this key and the context. This

650

# results in the same shift for the same context and crypto_key. If

651

# set, must also set context. Can only be applied to table items.

652

# a key encryption key (KEK) stored by KMS).

653

# When using KMS to wrap/unwrap DEKs, be sure to set an appropriate

654

# IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot

655

# unwrap the data crypto key.

656

"kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key

657

# The wrapped key must be a 128/192/256 bit key.

658

# Authorization requires the following IAM permissions when sending a request

659

# to perform a crypto transformation using a kms-wrapped crypto key:

660

# dlp.kms.encrypt

661

"wrappedKey": "A String", # Required. The wrapped data crypto key.

662

"cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.

663

},

664

"unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key

665

# leaking the key. Choose another type of key if possible.

666

"key": "A String", # Required. A 128/192/256 bit key.

667

},

668

"transient": { # Use this to have a random data crypto key generated. # Transient crypto key

669

# It will be discarded after the request finishes.

670

"name": "A String", # Required. Name of the key.

671

# This is an arbitrary string used to differentiate different keys.

672

# A unique key is generated per name: two separate `TransientCryptoKey`

673

# protos share the same generated key if their names are the same.

674

# When the data crypto key is generated, this name is not used in any way

675

# (repeating the api call will result in a different key being generated).

},

},

},

"replaceWithInfoTypeConfig": { # Replace each matching finding with the name of the info_type. # Replace with infotype

680

},

681

"cryptoHashConfig": { # Pseudonymization method that generates surrogates via cryptographic hashing. # Crypto

682

# Uses SHA-256.

683

# The key size must be either 32 or 64 bytes.

684

# Outputs a base64 encoded representation of the hashed output

685

# (for example, L7k0BHmF1ha5U3NfGykjro4xWi1MPVQPjhMAZbSV9mM=).

686

# Currently, only string and integer values can be hashed.

687

# See https://cloud.google.com/dlp/docs/pseudonymization to learn more.

688

"cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the hash function.

689

# a key encryption key (KEK) stored by KMS).

690

# When using KMS to wrap/unwrap DEKs, be sure to set an appropriate

691

# IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot

692

# unwrap the data crypto key.

693

"kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key

694

# The wrapped key must be a 128/192/256 bit key.

695

# Authorization requires the following IAM permissions when sending a request

696

# to perform a crypto transformation using a kms-wrapped crypto key:

697

# dlp.kms.encrypt

698

"wrappedKey": "A String", # Required. The wrapped data crypto key.

699

"cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.

700

},

701

"unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key

702

# leaking the key. Choose another type of key if possible.

703

"key": "A String", # Required. A 128/192/256 bit key.

704

},

705

"transient": { # Use this to have a random data crypto key generated. # Transient crypto key

706

# It will be discarded after the request finishes.

707

"name": "A String", # Required. Name of the key.

708

# This is an arbitrary string used to differentiate different keys.

709

# A unique key is generated per name: two separate `TransientCryptoKey`

710

# protos share the same generated key if their names are the same.

711

# When the data crypto key is generated, this name is not used in any way

712

# (repeating the api call will result in a different key being generated).

},

},

},

"cryptoReplaceFfxFpeConfig": { # Replaces an identifier with a surrogate using Format Preserving Encryption # Ffx-Fpe

717

# (FPE) with the FFX mode of operation; however when used in the

718

# `ReidentifyContent` API method, it serves the opposite function by reversing

719

# the surrogate back into the original identifier. The identifier must be

720

# encoded as ASCII. For a given crypto key and context, the same identifier

721

# will be replaced with the same surrogate. Identifiers must be at least two

722

# characters long. In the case that the identifier is the empty string, it will

723

# be skipped. See https://cloud.google.com/dlp/docs/pseudonymization to learn

724

# more.

725

#

726

# Note: We recommend using CryptoDeterministicConfig for all use cases which

727

# do not require preserving the input alphabet space and size, plus warrant

728

# referential integrity.

729

"customAlphabet": "A String", # This is supported by mapping these to the alphanumeric characters

730

# that the FFX mode natively supports. This happens before/after

731

# encryption/decryption.

732

# Each character listed must appear only once.

733

# Number of characters must be in the range [2, 95].

734

# This must be encoded as ASCII.

735

# The order of characters does not matter.

736

"commonAlphabet": "A String", # Common alphabets.

737

"surrogateInfoType": { # Type of information detected by the API. # The custom infoType to annotate the surrogate with.

738

# This annotation will be applied to the surrogate by prefixing it with

739

# the name of the custom infoType followed by the number of

740

# characters comprising the surrogate. The following scheme defines the

741

# format: info_type_name(surrogate_character_count):surrogate

742

#

743

# For example, if the name of custom infoType is 'MY_TOKEN_INFO_TYPE' and

744

# the surrogate is 'abc', the full replacement value

745

# will be: 'MY_TOKEN_INFO_TYPE(3):abc'

746

#

747

# This annotation identifies the surrogate when inspecting content using the

748

# custom infoType

749

# [`SurrogateType`](/dlp/docs/reference/rest/v2/InspectConfig#surrogatetype).

750

# This facilitates reversal of the surrogate when it occurs in free text.

751

#

752

# In order for inspection to work properly, the name of this infoType must

753

# not occur naturally anywhere in your data; otherwise, inspection may

754

# find a surrogate that does not correspond to an actual identifier.

755

# Therefore, choose your custom infoType name carefully after considering

756

# what your data looks like. One way to select a name that has a high chance

757

# of yielding reliable detection is to include one or more unicode characters

758

# that are highly improbable to exist in your data.

759

# For example, assuming your data is entered from a regular ASCII keyboard,

760

# the symbol with the hex code point 29DD might be used like so:

761

# ⧝MY_TOKEN_TYPE

762

"name": "A String", # Name of the information type. Either a name of your choosing when

763

# creating a CustomInfoType, or one of the names listed

764

# at https://cloud.google.com/dlp/docs/infotypes-reference when specifying

765

# a built-in type. InfoType names should conform to the pattern

766

# `[a-zA-Z0-9_]{1,64}`.

767

},

768

"context": { # General identifier of a data field in a storage service. # The 'tweak', a context may be used for higher security since the same

769

# identifier in two different contexts won't be given the same surrogate. If

770

# the context is not set, a default tweak will be used.

771

#

772

# If the context is set but:

773

#

774

# 1. there is no record present when transforming a given value or

775

# 1. the field is not present when transforming a given value,

776

#

777

# a default tweak will be used.

778

#

779

# Note that case (1) is expected when an `InfoTypeTransformation` is

780

# applied to both structured and non-structured `ContentItem`s.

781

# Currently, the referenced field may be of value type integer or string.

782

#

783

# The tweak is constructed as a sequence of bytes in big endian byte order

784

# such that:

785

#

786

# - a 64 bit integer is encoded followed by a single byte of value 1

787

# - a string is encoded in UTF-8 format followed by a single byte of value 2

788

"name": "A String", # Name describing the field.

789

},

790

"radix": 42, # The native way to select the alphabet. Must be in the range [2, 95].

791

"cryptoKey": { # This is a data encryption key (DEK) (as opposed to # Required. The key used by the encryption algorithm.

792

# a key encryption key (KEK) stored by KMS).

793

# When using KMS to wrap/unwrap DEKs, be sure to set an appropriate

794

# IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot

795

# unwrap the data crypto key.

796

"kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key

797

# The wrapped key must be a 128/192/256 bit key.

798

# Authorization requires the following IAM permissions when sending a request

799

# to perform a crypto transformation using a kms-wrapped crypto key:

800

# dlp.kms.encrypt

801

"wrappedKey": "A String", # Required. The wrapped data crypto key.

802

"cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.

803

},

804

"unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key

805

# leaking the key. Choose another type of key if possible.

806

"key": "A String", # Required. A 128/192/256 bit key.

807

},

808

"transient": { # Use this to have a random data crypto key generated. # Transient crypto key

809

# It will be discarded after the request finishes.

810

"name": "A String", # Required. Name of the key.

811

# This is an arbitrary string used to differentiate different keys.

812

# A unique key is generated per name: two separate `TransientCryptoKey`

813

# protos share the same generated key if their names are the same.

814

# When the data crypto key is generated, this name is not used in any way

815

# (repeating the api call will result in a different key being generated).

},

},

},

"cryptoDeterministicConfig": { # Pseudonymization method that generates deterministic encryption for the given # Deterministic Crypto

820

# input. Outputs a base64 encoded representation of the encrypted output.

821

# Uses AES-SIV based on the RFC https://tools.ietf.org/html/rfc5297.

822

"surrogateInfoType": { # Type of information detected by the API. # The custom info type to annotate the surrogate with.

823

# This annotation will be applied to the surrogate by prefixing it with

824

# the name of the custom info type followed by the number of

825

# characters comprising the surrogate. The following scheme defines the

826

# format: {info type name}({surrogate character count}):{surrogate}

827

#

828

# For example, if the name of custom info type is 'MY_TOKEN_INFO_TYPE' and

829

# the surrogate is 'abc', the full replacement value

830

# will be: 'MY_TOKEN_INFO_TYPE(3):abc'

831

#

832

# This annotation identifies the surrogate when inspecting content using the

833

# custom info type 'Surrogate'. This facilitates reversal of the

834

# surrogate when it occurs in free text.

835

#

836

# Note: For record transformations where the entire cell in a table is being

837

# transformed, surrogates are not mandatory. Surrogates are used to denote

838

# the location of the token and are necessary for re-identification in free

839

# form text.

840

#

841

# In order for inspection to work properly, the name of this info type must

842

# not occur naturally anywhere in your data; otherwise, inspection may either

843

#

844

# - reverse a surrogate that does not correspond to an actual identifier

845

# - be unable to parse the surrogate and result in an error

846

#

847

# Therefore, choose your custom info type name carefully after considering

848

# what your data looks like. One way to select a name that has a high chance

849

# of yielding reliable detection is to include one or more unicode characters

850

# that are highly improbable to exist in your data.

851

# For example, assuming your data is entered from a regular ASCII keyboard,

852

# the symbol with the hex code point 29DD might be used like so:

853

# ⧝MY_TOKEN_TYPE.

854

"name": "A String", # Name of the information type. Either a name of your choosing when

855

# creating a CustomInfoType, or one of the names listed

856

# at https://cloud.google.com/dlp/docs/infotypes-reference when specifying

857

# a built-in type. InfoType names should conform to the pattern

858

# `[a-zA-Z0-9_]{1,64}`.

859

},

860

"context": { # General identifier of a data field in a storage service. # A context may be used for higher security and maintaining

861

# referential integrity such that the same identifier in two different

862

# contexts will be given a distinct surrogate. The context is appended to

863

# plaintext value being encrypted. On decryption the provided context is

864

# validated against the value used during encryption. If a context was

865

# provided during encryption, same context must be provided during decryption

866

# as well.

867

#

868

# If the context is not set, plaintext would be used as is for encryption.

869

# If the context is set but:

870

#

871

# 1. there is no record present when transforming a given value or

872

# 2. the field is not present when transforming a given value,

873

#

874

# plaintext would be used as is for encryption.

875

#

876

# Note that case (1) is expected when an `InfoTypeTransformation` is

877

# applied to both structured and non-structured `ContentItem`s.

878

"name": "A String", # Name describing the field.

879

},

880

"cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the encryption function.

881

# a key encryption key (KEK) stored by KMS).

882

# When using KMS to wrap/unwrap DEKs, be sure to set an appropriate

883

# IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot

884

# unwrap the data crypto key.

885

"kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key

886

# The wrapped key must be a 128/192/256 bit key.

887

# Authorization requires the following IAM permissions when sending a request

888

# to perform a crypto transformation using a kms-wrapped crypto key:

889

# dlp.kms.encrypt

890

"wrappedKey": "A String", # Required. The wrapped data crypto key.

891

"cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.

892

},

893

"unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key

894

# leaking the key. Choose another type of key if possible.

895

"key": "A String", # Required. A 128/192/256 bit key.

896

},

897

"transient": { # Use this to have a random data crypto key generated. # Transient crypto key

898

# It will be discarded after the request finishes.

899

"name": "A String", # Required. Name of the key.

900

# This is an arbitrary string used to differentiate different keys.

901

# A unique key is generated per name: two separate `TransientCryptoKey`

902

# protos share the same generated key if their names are the same.

903

# When the data crypto key is generated, this name is not used in any way

904

# (repeating the api call will result in a different key being generated).

},

},

},

"redactConfig": { # Redact a given value. For example, if used with an `InfoTypeTransformation` # Redact

909

# transforming PHONE_NUMBER, and input 'My phone number is 206-555-0123', the

910

# output would be 'My phone number is '.

911

},

912

"bucketingConfig": { # Generalization function that buckets values based on ranges. The ranges and # Bucketing

913

# replacement values are dynamically provided by the user for custom behavior,

914

# such as 1-30 -> LOW 31-65 -> MEDIUM 66-100 -> HIGH

915

# This can be used on

916

# data of type: number, long, string, timestamp.

917

# If the bound `Value` type differs from the type of data being transformed, we

918

# will first attempt converting the type of the data to be transformed to match

919

# the type of the bound before comparing.

920

# See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more.

921

"buckets": [ # Set of buckets. Ranges must be non-overlapping.

922

{ # Bucket is represented as a range, along with replacement values.

923

"min": { # Set of primitive values supported by the system. # Lower bound of the range, inclusive. Type should be the same as max if

924

# used.

925

# Note that for the purposes of inspection or transformation, the number

926

# of bytes considered to comprise a 'Value' is based on its representation

927

# as a UTF-8 encoded string. For example, if 'integer_value' is set to

928

# 123456789, the number of bytes would be counted as 9, even though an

929

# int64 only holds up to 8 bytes of data.

930

"booleanValue": True or False, # boolean

931

"floatValue": 3.14, # float

932

"dayOfWeekValue": "A String", # day of week

933

"timestampValue": "A String", # timestamp

934

"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date

935

# and time zone are either specified elsewhere or are not significant. The date

936

# is relative to the Proleptic Gregorian Calendar. This can represent:

937

#

938

# * A full date, with non-zero year, month and day values

939

# * A month and day value, with a zero year, e.g. an anniversary

940

# * A year on its own, with zero month and day values

941

# * A year and month value, with a zero day, e.g. a credit card expiration date

942

#

943

# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.

944

"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without

945

# a year.

946

"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a

947

# month and day.

948

"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0

949

# if specifying a year by itself or a year and month where the day is not

950

# significant.

951

},

952

"stringValue": "A String", # string

953

"integerValue": "A String", # integer

954

"timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day

955

# or are specified elsewhere. An API may choose to allow leap seconds. Related

956

# types are google.type.Date and `google.protobuf.Timestamp`.

957

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may

958

# allow the value 60 if it allows leap-seconds.

959

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

960

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose

961

# to allow the value "24:00:00" for scenarios like business closing time.

962

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

963

},

964

},

965

"max": { # Set of primitive values supported by the system. # Upper bound of the range, exclusive; type must match min.

966

# Note that for the purposes of inspection or transformation, the number

967

# of bytes considered to comprise a 'Value' is based on its representation

968

# as a UTF-8 encoded string. For example, if 'integer_value' is set to

969

# 123456789, the number of bytes would be counted as 9, even though an

970

# int64 only holds up to 8 bytes of data.

971

"booleanValue": True or False, # boolean

972

"floatValue": 3.14, # float

973

"dayOfWeekValue": "A String", # day of week

974

"timestampValue": "A String", # timestamp

975

"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date

976

# and time zone are either specified elsewhere or are not significant. The date

977

# is relative to the Proleptic Gregorian Calendar. This can represent:

978

#

979

# * A full date, with non-zero year, month and day values

980

# * A month and day value, with a zero year, e.g. an anniversary

981

# * A year on its own, with zero month and day values

982

# * A year and month value, with a zero day, e.g. a credit card expiration date

983

#

984

# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.

985

"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without

986

# a year.

987

"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a

988

# month and day.

989

"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0

990

# if specifying a year by itself or a year and month where the day is not

991

# significant.

992

},

993

"stringValue": "A String", # string

994

"integerValue": "A String", # integer

995

"timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day

996

# or are specified elsewhere. An API may choose to allow leap seconds. Related

997

# types are google.type.Date and `google.protobuf.Timestamp`.

998

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may

999

# allow the value 60 if it allows leap-seconds.

1000

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

1001

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose

1002

# to allow the value "24:00:00" for scenarios like business closing time.

1003

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

1004

},

1005

},

1006

"replacementValue": { # Set of primitive values supported by the system. # Replacement value for this bucket. If not provided

1007

# the default behavior will be to hyphenate the min-max range.

1008

# Note that for the purposes of inspection or transformation, the number

1009

# of bytes considered to comprise a 'Value' is based on its representation

1010

# as a UTF-8 encoded string. For example, if 'integer_value' is set to

1011

# 123456789, the number of bytes would be counted as 9, even though an

1012

# int64 only holds up to 8 bytes of data.

1013

"booleanValue": True or False, # boolean

1014

"floatValue": 3.14, # float

1015

"dayOfWeekValue": "A String", # day of week

1016

"timestampValue": "A String", # timestamp

1017

"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date

1018

# and time zone are either specified elsewhere or are not significant. The date

1019

# is relative to the Proleptic Gregorian Calendar. This can represent:

1020

#

1021

# * A full date, with non-zero year, month and day values

1022

# * A month and day value, with a zero year, e.g. an anniversary

1023

# * A year on its own, with zero month and day values

1024

# * A year and month value, with a zero day, e.g. a credit card expiration date

1025

#

1026

# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.

1027

"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without

1028

# a year.

1029

"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a

1030

# month and day.

1031

"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0

1032

# if specifying a year by itself or a year and month where the day is not

1033

# significant.

1034

},

1035

"stringValue": "A String", # string

1036

"integerValue": "A String", # integer

1037

"timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day

1038

# or are specified elsewhere. An API may choose to allow leap seconds. Related

1039

# types are google.type.Date and `google.protobuf.Timestamp`.

1040

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may

1041

# allow the value 60 if it allows leap-seconds.

1042

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

1043

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose

1044

# to allow the value "24:00:00" for scenarios like business closing time.

1045

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

},

},

},

],

},

"replaceConfig": { # Replace each input value with a given `Value`. # Replace

1052

"newValue": { # Set of primitive values supported by the system. # Value to replace it with.

1053

# Note that for the purposes of inspection or transformation, the number

1054

# of bytes considered to comprise a 'Value' is based on its representation

1055

# as a UTF-8 encoded string. For example, if 'integer_value' is set to

1056

# 123456789, the number of bytes would be counted as 9, even though an

1057

# int64 only holds up to 8 bytes of data.

1058

"booleanValue": True or False, # boolean

1059

"floatValue": 3.14, # float

1060

"dayOfWeekValue": "A String", # day of week

1061

"timestampValue": "A String", # timestamp

1062

"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date

1063

# and time zone are either specified elsewhere or are not significant. The date

1064

# is relative to the Proleptic Gregorian Calendar. This can represent:

1065

#

1066

# * A full date, with non-zero year, month and day values

1067

# * A month and day value, with a zero year, e.g. an anniversary

1068

# * A year on its own, with zero month and day values

1069

# * A year and month value, with a zero day, e.g. a credit card expiration date

1070

#

1071

# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.

1072

"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without

1073

# a year.

1074

"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a

1075

# month and day.

1076

"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0

1077

# if specifying a year by itself or a year and month where the day is not

1078

# significant.

1079

},

1080

"stringValue": "A String", # string

1081

"integerValue": "A String", # integer

1082

"timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day

1083

# or are specified elsewhere. An API may choose to allow leap seconds. Related

1084

# types are google.type.Date and `google.protobuf.Timestamp`.

1085

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may

1086

# allow the value 60 if it allows leap-seconds.

1087

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

1088

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose

1089

# to allow the value "24:00:00" for scenarios like business closing time.

1090

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

},

},

},

"characterMaskConfig": { # Partially mask a string by replacing a given number of characters with a # Mask

1095

# fixed character. Masking can start from the beginning or end of the string.

1096

# This can be used on data of any type (numbers, longs, and so on) and when

1097

# de-identifying structured data we'll attempt to preserve the original data's

1098

# type. (This allows you to take a long like 123 and modify it to a string like

1099

# **3.

1100

"reverseOrder": True or False, # Mask characters in reverse order. For example, if `masking_character` is

1101

# `0`, `number_to_mask` is `14`, and `reverse_order` is `false`, then the

1102

# input string `1234-5678-9012-3456` is masked as `00000000000000-3456`.

1103

# If `masking_character` is `*`, `number_to_mask` is `3`, and `reverse_order`

1104

# is `true`, then the string `12345` is masked as `12***`.

1105

"charactersToIgnore": [ # When masking a string, items in this list will be skipped when replacing

1106

# characters. For example, if the input string is `555-555-5555` and you

1107

# instruct Cloud DLP to skip `-` and mask 5 characters with `*`, Cloud DLP

1108

# returns `***-**5-5555`.

1109

{ # Characters to skip when doing deidentification of a value. These will be left

1110

# alone and skipped.

1111

"charactersToSkip": "A String", # Characters to not transform when masking.

1112

"commonCharactersToIgnore": "A String", # Common characters to not transform when masking. Useful to avoid removing

# punctuation.

},

],

"numberToMask": 42, # Number of characters to mask. If not set, all matching chars will be

1117

# masked. Skipped characters do not count towards this tally.

1118

"maskingCharacter": "A String", # Character to use to mask the sensitive values&mdash;for example, `*` for an

1119

# alphabetic string such as a name, or `0` for a numeric string such as ZIP

1120

# code or credit card number. This string must have a length of 1. If not

1121

# supplied, this value defaults to `*` for strings, and `0` for digits.

1122

},

1123

"fixedSizeBucketingConfig": { # Buckets values based on fixed size ranges. The # Fixed size bucketing

1124

# Bucketing transformation can provide all of this functionality,

1125

# but requires more configuration. This message is provided as a convenience to

1126

# the user for simple bucketing strategies.

1127

#

1128

# The transformed value will be a hyphenated string of

1129

# {lower_bound}-{upper_bound}, i.e if lower_bound = 10 and upper_bound = 20

1130

# all values that are within this bucket will be replaced with "10-20".

1131

#

1132

# This can be used on data of type: double, long.

1133

#

1134

# If the bound Value type differs from the type of data

1135

# being transformed, we will first attempt converting the type of the data to

1136

# be transformed to match the type of the bound before comparing.

1137

#

1138

# See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more.

1139

"lowerBound": { # Set of primitive values supported by the system. # Required. Lower bound value of buckets. All values less than `lower_bound` are

1140

# grouped together into a single bucket; for example if `lower_bound` = 10,

1141

# then all values less than 10 are replaced with the value "-10".

1142

# Note that for the purposes of inspection or transformation, the number

1143

# of bytes considered to comprise a 'Value' is based on its representation

1144

# as a UTF-8 encoded string. For example, if 'integer_value' is set to

1145

# 123456789, the number of bytes would be counted as 9, even though an

1146

# int64 only holds up to 8 bytes of data.

1147

"booleanValue": True or False, # boolean

1148

"floatValue": 3.14, # float

1149

"dayOfWeekValue": "A String", # day of week

1150

"timestampValue": "A String", # timestamp

1151

"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date

1152

# and time zone are either specified elsewhere or are not significant. The date

1153

# is relative to the Proleptic Gregorian Calendar. This can represent:

1154

#

1155

# * A full date, with non-zero year, month and day values

1156

# * A month and day value, with a zero year, e.g. an anniversary

1157

# * A year on its own, with zero month and day values

1158

# * A year and month value, with a zero day, e.g. a credit card expiration date

1159

#

1160

# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.

1161

"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without

1162

# a year.

1163

"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a

1164

# month and day.

1165

"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0

1166

# if specifying a year by itself or a year and month where the day is not

1167

# significant.

1168

},

1169

"stringValue": "A String", # string

1170

"integerValue": "A String", # integer

1171

"timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day

1172

# or are specified elsewhere. An API may choose to allow leap seconds. Related

1173

# types are google.type.Date and `google.protobuf.Timestamp`.

1174

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may

1175

# allow the value 60 if it allows leap-seconds.

1176

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

1177

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose

1178

# to allow the value "24:00:00" for scenarios like business closing time.

1179

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

1180

},

1181

},

1182

"upperBound": { # Set of primitive values supported by the system. # Required. Upper bound value of buckets. All values greater than upper_bound are

1183

# grouped together into a single bucket; for example if `upper_bound` = 89,

1184

# then all values greater than 89 are replaced with the value "89+".

1185

# Note that for the purposes of inspection or transformation, the number

1186

# of bytes considered to comprise a 'Value' is based on its representation

1187

# as a UTF-8 encoded string. For example, if 'integer_value' is set to

1188

# 123456789, the number of bytes would be counted as 9, even though an

1189

# int64 only holds up to 8 bytes of data.

1190

"booleanValue": True or False, # boolean

1191

"floatValue": 3.14, # float

1192

"dayOfWeekValue": "A String", # day of week

1193

"timestampValue": "A String", # timestamp

1194

"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date

1195

# and time zone are either specified elsewhere or are not significant. The date

1196

# is relative to the Proleptic Gregorian Calendar. This can represent:

1197

#

1198

# * A full date, with non-zero year, month and day values

1199

# * A month and day value, with a zero year, e.g. an anniversary

1200

# * A year on its own, with zero month and day values

1201

# * A year and month value, with a zero day, e.g. a credit card expiration date

1202

#

1203

# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.

1204

"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without

1205

# a year.

1206

"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a

1207

# month and day.

1208

"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0

1209

# if specifying a year by itself or a year and month where the day is not

1210

# significant.

1211

},

1212

"stringValue": "A String", # string

1213

"integerValue": "A String", # integer

1214

"timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day

1215

# or are specified elsewhere. An API may choose to allow leap seconds. Related

1216

# types are google.type.Date and `google.protobuf.Timestamp`.

1217

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may

1218

# allow the value 60 if it allows leap-seconds.

1219

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

1220

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose

1221

# to allow the value "24:00:00" for scenarios like business closing time.

1222

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

1223

},

1224

},

1225

"bucketSize": 3.14, # Required. Size of each bucket (except for minimum and maximum buckets). So if

1226

# `lower_bound` = 10, `upper_bound` = 89, and `bucket_size` = 10, then the

1227

# following buckets would be used: -10, 10-20, 20-30, 30-40, 40-50, 50-60,

1228

# 60-70, 70-80, 80-89, 89+. Precision up to 2 decimals works.

},

},

},

],

},

"primitiveTransformation": { # A rule for transforming a value. # Apply the transformation to the entire field.

1235

"timePartConfig": { # For use with `Date`, `Timestamp`, and `TimeOfDay`, extract or preserve a # Time extraction

1236

# portion of the value.

1237

"partToExtract": "A String", # The part of the time to keep.

1238

},

1239

"dateShiftConfig": { # Shifts dates by random number of days, with option to be consistent for the # Date Shift

1240

# same context. See https://cloud.google.com/dlp/docs/concepts-date-shifting

1241

# to learn more.

1242

"context": { # General identifier of a data field in a storage service. # Points to the field that contains the context, for example, an entity id.

1243

# If set, must also set cryptoKey. If set, shift will be consistent for the

1244

# given context.

1245

"name": "A String", # Name describing the field.

1246

},

1247

"upperBoundDays": 42, # Required. Range of shift in days. Actual shift will be selected at random within this

1248

# range (inclusive ends). Negative means shift to earlier in time. Must not

1249

# be more than 365250 days (1000 years) each direction.

1250

#

1251

# For example, 3 means shift date to at most 3 days into the future.

1252

"lowerBoundDays": 42, # Required. For example, -5 means shift date to at most 5 days back in the past.

1253

"cryptoKey": { # This is a data encryption key (DEK) (as opposed to # Causes the shift to be computed based on this key and the context. This

1254

# results in the same shift for the same context and crypto_key. If

1255

# set, must also set context. Can only be applied to table items.

1256

# a key encryption key (KEK) stored by KMS).

1257

# When using KMS to wrap/unwrap DEKs, be sure to set an appropriate

1258

# IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot

1259

# unwrap the data crypto key.

1260

"kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key

1261

# The wrapped key must be a 128/192/256 bit key.

1262

# Authorization requires the following IAM permissions when sending a request

1263

# to perform a crypto transformation using a kms-wrapped crypto key:

1264

# dlp.kms.encrypt

1265

"wrappedKey": "A String", # Required. The wrapped data crypto key.

1266

"cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.

1267

},

1268

"unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key

1269

# leaking the key. Choose another type of key if possible.

1270

"key": "A String", # Required. A 128/192/256 bit key.

1271

},

1272

"transient": { # Use this to have a random data crypto key generated. # Transient crypto key

1273

# It will be discarded after the request finishes.

1274

"name": "A String", # Required. Name of the key.

1275

# This is an arbitrary string used to differentiate different keys.

1276

# A unique key is generated per name: two separate `TransientCryptoKey`

1277

# protos share the same generated key if their names are the same.

1278

# When the data crypto key is generated, this name is not used in any way

1279

# (repeating the api call will result in a different key being generated).

},

},

},

"replaceWithInfoTypeConfig": { # Replace each matching finding with the name of the info_type. # Replace with infotype

1284

},

1285

"cryptoHashConfig": { # Pseudonymization method that generates surrogates via cryptographic hashing. # Crypto

1286

# Uses SHA-256.

1287

# The key size must be either 32 or 64 bytes.

1288

# Outputs a base64 encoded representation of the hashed output

1289

# (for example, L7k0BHmF1ha5U3NfGykjro4xWi1MPVQPjhMAZbSV9mM=).

1290

# Currently, only string and integer values can be hashed.

1291

# See https://cloud.google.com/dlp/docs/pseudonymization to learn more.

1292

"cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the hash function.

1293

# a key encryption key (KEK) stored by KMS).

1294

# When using KMS to wrap/unwrap DEKs, be sure to set an appropriate

1295

# IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot

1296

# unwrap the data crypto key.

1297

"kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key

1298

# The wrapped key must be a 128/192/256 bit key.

1299

# Authorization requires the following IAM permissions when sending a request

1300

# to perform a crypto transformation using a kms-wrapped crypto key:

1301

# dlp.kms.encrypt

1302

"wrappedKey": "A String", # Required. The wrapped data crypto key.

1303

"cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.

1304

},

1305

"unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key

1306

# leaking the key. Choose another type of key if possible.

1307

"key": "A String", # Required. A 128/192/256 bit key.

1308

},

1309

"transient": { # Use this to have a random data crypto key generated. # Transient crypto key

1310

# It will be discarded after the request finishes.

1311

"name": "A String", # Required. Name of the key.

1312

# This is an arbitrary string used to differentiate different keys.

1313

# A unique key is generated per name: two separate `TransientCryptoKey`

1314

# protos share the same generated key if their names are the same.

1315

# When the data crypto key is generated, this name is not used in any way

1316

# (repeating the api call will result in a different key being generated).

},

},

},

"cryptoReplaceFfxFpeConfig": { # Replaces an identifier with a surrogate using Format Preserving Encryption # Ffx-Fpe

1321

# (FPE) with the FFX mode of operation; however when used in the

1322

# `ReidentifyContent` API method, it serves the opposite function by reversing

1323

# the surrogate back into the original identifier. The identifier must be

1324

# encoded as ASCII. For a given crypto key and context, the same identifier

1325

# will be replaced with the same surrogate. Identifiers must be at least two

1326

# characters long. In the case that the identifier is the empty string, it will

1327

# be skipped. See https://cloud.google.com/dlp/docs/pseudonymization to learn

1328

# more.

1329

#

1330

# Note: We recommend using CryptoDeterministicConfig for all use cases which

1331

# do not require preserving the input alphabet space and size, plus warrant

1332

# referential integrity.

1333

"customAlphabet": "A String", # This is supported by mapping these to the alphanumeric characters

1334

# that the FFX mode natively supports. This happens before/after

1335

# encryption/decryption.

1336

# Each character listed must appear only once.

1337

# Number of characters must be in the range [2, 95].

1338

# This must be encoded as ASCII.

1339

# The order of characters does not matter.

1340

"commonAlphabet": "A String", # Common alphabets.

1341

"surrogateInfoType": { # Type of information detected by the API. # The custom infoType to annotate the surrogate with.

1342

# This annotation will be applied to the surrogate by prefixing it with

1343

# the name of the custom infoType followed by the number of

1344

# characters comprising the surrogate. The following scheme defines the

1345

# format: info_type_name(surrogate_character_count):surrogate

1346

#

1347

# For example, if the name of custom infoType is 'MY_TOKEN_INFO_TYPE' and

1348

# the surrogate is 'abc', the full replacement value

1349

# will be: 'MY_TOKEN_INFO_TYPE(3):abc'

1350

#

1351

# This annotation identifies the surrogate when inspecting content using the

1352

# custom infoType

1353

# [`SurrogateType`](/dlp/docs/reference/rest/v2/InspectConfig#surrogatetype).

1354

# This facilitates reversal of the surrogate when it occurs in free text.

1355

#

1356

# In order for inspection to work properly, the name of this infoType must

1357

# not occur naturally anywhere in your data; otherwise, inspection may

1358

# find a surrogate that does not correspond to an actual identifier.

1359

# Therefore, choose your custom infoType name carefully after considering

1360

# what your data looks like. One way to select a name that has a high chance

1361

# of yielding reliable detection is to include one or more unicode characters

1362

# that are highly improbable to exist in your data.

1363

# For example, assuming your data is entered from a regular ASCII keyboard,

1364

# the symbol with the hex code point 29DD might be used like so:

1365

# ⧝MY_TOKEN_TYPE

1366

"name": "A String", # Name of the information type. Either a name of your choosing when

1367

# creating a CustomInfoType, or one of the names listed

1368

# at https://cloud.google.com/dlp/docs/infotypes-reference when specifying

1369

# a built-in type. InfoType names should conform to the pattern

1370

# `[a-zA-Z0-9_]{1,64}`.

1371

},

1372

"context": { # General identifier of a data field in a storage service. # The 'tweak', a context may be used for higher security since the same

1373

# identifier in two different contexts won't be given the same surrogate. If

1374

# the context is not set, a default tweak will be used.

1375

#

1376

# If the context is set but:

1377

#

1378

# 1. there is no record present when transforming a given value or

1379

# 1. the field is not present when transforming a given value,

1380

#

1381

# a default tweak will be used.

1382

#

1383

# Note that case (1) is expected when an `InfoTypeTransformation` is

1384

# applied to both structured and non-structured `ContentItem`s.

1385

# Currently, the referenced field may be of value type integer or string.

1386

#

1387

# The tweak is constructed as a sequence of bytes in big endian byte order

1388

# such that:

1389

#

1390

# - a 64 bit integer is encoded followed by a single byte of value 1

1391

# - a string is encoded in UTF-8 format followed by a single byte of value 2

1392

"name": "A String", # Name describing the field.

1393

},

1394

"radix": 42, # The native way to select the alphabet. Must be in the range [2, 95].

1395

"cryptoKey": { # This is a data encryption key (DEK) (as opposed to # Required. The key used by the encryption algorithm.

1396

# a key encryption key (KEK) stored by KMS).

1397

# When using KMS to wrap/unwrap DEKs, be sure to set an appropriate

1398

# IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot

1399

# unwrap the data crypto key.

1400

"kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key

1401

# The wrapped key must be a 128/192/256 bit key.

1402

# Authorization requires the following IAM permissions when sending a request

1403

# to perform a crypto transformation using a kms-wrapped crypto key:

1404

# dlp.kms.encrypt

1405

"wrappedKey": "A String", # Required. The wrapped data crypto key.

1406

"cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.

1407

},

1408

"unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key

1409

# leaking the key. Choose another type of key if possible.

1410

"key": "A String", # Required. A 128/192/256 bit key.

1411

},

1412

"transient": { # Use this to have a random data crypto key generated. # Transient crypto key

1413

# It will be discarded after the request finishes.

1414

"name": "A String", # Required. Name of the key.

1415

# This is an arbitrary string used to differentiate different keys.

1416

# A unique key is generated per name: two separate `TransientCryptoKey`

1417

# protos share the same generated key if their names are the same.

1418

# When the data crypto key is generated, this name is not used in any way

1419

# (repeating the api call will result in a different key being generated).

},

},

},

"cryptoDeterministicConfig": { # Pseudonymization method that generates deterministic encryption for the given # Deterministic Crypto

1424

# input. Outputs a base64 encoded representation of the encrypted output.

1425

# Uses AES-SIV based on the RFC https://tools.ietf.org/html/rfc5297.

1426

"surrogateInfoType": { # Type of information detected by the API. # The custom info type to annotate the surrogate with.

1427

# This annotation will be applied to the surrogate by prefixing it with

1428

# the name of the custom info type followed by the number of

1429

# characters comprising the surrogate. The following scheme defines the

1430

# format: {info type name}({surrogate character count}):{surrogate}

1431

#

1432

# For example, if the name of custom info type is 'MY_TOKEN_INFO_TYPE' and

1433

# the surrogate is 'abc', the full replacement value

1434

# will be: 'MY_TOKEN_INFO_TYPE(3):abc'

1435

#

1436

# This annotation identifies the surrogate when inspecting content using the

1437

# custom info type 'Surrogate'. This facilitates reversal of the

1438

# surrogate when it occurs in free text.

1439

#

1440

# Note: For record transformations where the entire cell in a table is being

1441

# transformed, surrogates are not mandatory. Surrogates are used to denote

1442

# the location of the token and are necessary for re-identification in free

1443

# form text.

1444

#

1445

# In order for inspection to work properly, the name of this info type must

1446

# not occur naturally anywhere in your data; otherwise, inspection may either

1447

#

1448

# - reverse a surrogate that does not correspond to an actual identifier

1449

# - be unable to parse the surrogate and result in an error

1450

#

1451

# Therefore, choose your custom info type name carefully after considering

1452

# what your data looks like. One way to select a name that has a high chance

1453

# of yielding reliable detection is to include one or more unicode characters

1454

# that are highly improbable to exist in your data.

1455

# For example, assuming your data is entered from a regular ASCII keyboard,

1456

# the symbol with the hex code point 29DD might be used like so:

1457

# ⧝MY_TOKEN_TYPE.

1458

"name": "A String", # Name of the information type. Either a name of your choosing when

1459

# creating a CustomInfoType, or one of the names listed

1460

# at https://cloud.google.com/dlp/docs/infotypes-reference when specifying

1461

# a built-in type. InfoType names should conform to the pattern

1462

# `[a-zA-Z0-9_]{1,64}`.

1463

},

1464

"context": { # General identifier of a data field in a storage service. # A context may be used for higher security and maintaining

1465

# referential integrity such that the same identifier in two different

1466

# contexts will be given a distinct surrogate. The context is appended to

1467

# plaintext value being encrypted. On decryption the provided context is

1468

# validated against the value used during encryption. If a context was

1469

# provided during encryption, same context must be provided during decryption

1470

# as well.

1471

#

1472

# If the context is not set, plaintext would be used as is for encryption.

1473

# If the context is set but:

1474

#

1475

# 1. there is no record present when transforming a given value or

1476

# 2. the field is not present when transforming a given value,

1477

#

1478

# plaintext would be used as is for encryption.

1479

#

1480

# Note that case (1) is expected when an `InfoTypeTransformation` is

1481

# applied to both structured and non-structured `ContentItem`s.

1482

"name": "A String", # Name describing the field.

1483

},

1484

"cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the encryption function.

1485

# a key encryption key (KEK) stored by KMS).

1486

# When using KMS to wrap/unwrap DEKs, be sure to set an appropriate

1487

# IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot

1488

# unwrap the data crypto key.

1489

"kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key

1490

# The wrapped key must be a 128/192/256 bit key.

1491

# Authorization requires the following IAM permissions when sending a request

1492

# to perform a crypto transformation using a kms-wrapped crypto key:

1493

# dlp.kms.encrypt

1494

"wrappedKey": "A String", # Required. The wrapped data crypto key.

1495

"cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.

1496

},

1497

"unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key

1498

# leaking the key. Choose another type of key if possible.

1499

"key": "A String", # Required. A 128/192/256 bit key.

1500

},

1501

"transient": { # Use this to have a random data crypto key generated. # Transient crypto key

1502

# It will be discarded after the request finishes.

1503

"name": "A String", # Required. Name of the key.

1504

# This is an arbitrary string used to differentiate different keys.

1505

# A unique key is generated per name: two separate `TransientCryptoKey`

1506

# protos share the same generated key if their names are the same.

1507

# When the data crypto key is generated, this name is not used in any way

1508

# (repeating the api call will result in a different key being generated).

},

},

},

"redactConfig": { # Redact a given value. For example, if used with an `InfoTypeTransformation` # Redact

1513

# transforming PHONE_NUMBER, and input 'My phone number is 206-555-0123', the

1514

# output would be 'My phone number is '.

1515

},

1516

"bucketingConfig": { # Generalization function that buckets values based on ranges. The ranges and # Bucketing

1517

# replacement values are dynamically provided by the user for custom behavior,

1518

# such as 1-30 -> LOW 31-65 -> MEDIUM 66-100 -> HIGH

1519

# This can be used on

1520

# data of type: number, long, string, timestamp.

1521

# If the bound `Value` type differs from the type of data being transformed, we

1522

# will first attempt converting the type of the data to be transformed to match

1523

# the type of the bound before comparing.

1524

# See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more.

1525

"buckets": [ # Set of buckets. Ranges must be non-overlapping.

1526

{ # Bucket is represented as a range, along with replacement values.

1527

"min": { # Set of primitive values supported by the system. # Lower bound of the range, inclusive. Type should be the same as max if

1528

# used.

1529

# Note that for the purposes of inspection or transformation, the number

1530

# of bytes considered to comprise a 'Value' is based on its representation

1531

# as a UTF-8 encoded string. For example, if 'integer_value' is set to

1532

# 123456789, the number of bytes would be counted as 9, even though an

1533

# int64 only holds up to 8 bytes of data.

1534

"booleanValue": True or False, # boolean

1535

"floatValue": 3.14, # float

1536

"dayOfWeekValue": "A String", # day of week

1537

"timestampValue": "A String", # timestamp

1538

"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date

1539

# and time zone are either specified elsewhere or are not significant. The date

1540

# is relative to the Proleptic Gregorian Calendar. This can represent:

1541

#

1542

# * A full date, with non-zero year, month and day values

1543

# * A month and day value, with a zero year, e.g. an anniversary

1544

# * A year on its own, with zero month and day values

1545

# * A year and month value, with a zero day, e.g. a credit card expiration date

1546

#

1547

# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.

1548

"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without

1549

# a year.

1550

"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a

1551

# month and day.

1552

"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0

1553

# if specifying a year by itself or a year and month where the day is not

1554

# significant.

1555

},

1556

"stringValue": "A String", # string

1557

"integerValue": "A String", # integer

1558

"timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day

1559

# or are specified elsewhere. An API may choose to allow leap seconds. Related

1560

# types are google.type.Date and `google.protobuf.Timestamp`.

1561

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may

1562

# allow the value 60 if it allows leap-seconds.

1563

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

1564

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose

1565

# to allow the value "24:00:00" for scenarios like business closing time.

1566

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

1567

},

1568

},

1569

"max": { # Set of primitive values supported by the system. # Upper bound of the range, exclusive; type must match min.

1570

# Note that for the purposes of inspection or transformation, the number

1571

# of bytes considered to comprise a 'Value' is based on its representation

1572

# as a UTF-8 encoded string. For example, if 'integer_value' is set to

1573

# 123456789, the number of bytes would be counted as 9, even though an

1574

# int64 only holds up to 8 bytes of data.

1575

"booleanValue": True or False, # boolean

1576

"floatValue": 3.14, # float

1577

"dayOfWeekValue": "A String", # day of week

1578

"timestampValue": "A String", # timestamp

1579

"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date

1580

# and time zone are either specified elsewhere or are not significant. The date

1581

# is relative to the Proleptic Gregorian Calendar. This can represent:

1582

#

1583

# * A full date, with non-zero year, month and day values

1584

# * A month and day value, with a zero year, e.g. an anniversary

1585

# * A year on its own, with zero month and day values

1586

# * A year and month value, with a zero day, e.g. a credit card expiration date

1587

#

1588

# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.

1589

"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without

1590

# a year.

1591

"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a

1592

# month and day.

1593

"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0

1594

# if specifying a year by itself or a year and month where the day is not

1595

# significant.

1596

},

1597

"stringValue": "A String", # string

1598

"integerValue": "A String", # integer

1599

"timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day

1600

# or are specified elsewhere. An API may choose to allow leap seconds. Related

1601

# types are google.type.Date and `google.protobuf.Timestamp`.

1602

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may

1603

# allow the value 60 if it allows leap-seconds.

1604

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

1605

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose

1606

# to allow the value "24:00:00" for scenarios like business closing time.

1607

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

1608

},

1609

},

1610

"replacementValue": { # Set of primitive values supported by the system. # Replacement value for this bucket. If not provided

1611

# the default behavior will be to hyphenate the min-max range.

1612

# Note that for the purposes of inspection or transformation, the number

1613

# of bytes considered to comprise a 'Value' is based on its representation

1614

# as a UTF-8 encoded string. For example, if 'integer_value' is set to

1615

# 123456789, the number of bytes would be counted as 9, even though an

1616

# int64 only holds up to 8 bytes of data.

1617

"booleanValue": True or False, # boolean

1618

"floatValue": 3.14, # float

1619

"dayOfWeekValue": "A String", # day of week

1620

"timestampValue": "A String", # timestamp

1621

"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date

1622

# and time zone are either specified elsewhere or are not significant. The date

1623

# is relative to the Proleptic Gregorian Calendar. This can represent:

1624

#

1625

# * A full date, with non-zero year, month and day values

1626

# * A month and day value, with a zero year, e.g. an anniversary

1627

# * A year on its own, with zero month and day values

1628

# * A year and month value, with a zero day, e.g. a credit card expiration date

1629

#

1630

# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.

1631

"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without

1632

# a year.

1633

"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a

1634

# month and day.

1635

"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0

1636

# if specifying a year by itself or a year and month where the day is not

1637

# significant.

1638

},

1639

"stringValue": "A String", # string

1640

"integerValue": "A String", # integer

1641

"timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day

1642

# or are specified elsewhere. An API may choose to allow leap seconds. Related

1643

# types are google.type.Date and `google.protobuf.Timestamp`.

1644

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may

1645

# allow the value 60 if it allows leap-seconds.

1646

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

1647

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose

1648

# to allow the value "24:00:00" for scenarios like business closing time.

1649

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

},

},

},

],

},

"replaceConfig": { # Replace each input value with a given `Value`. # Replace

1656

"newValue": { # Set of primitive values supported by the system. # Value to replace it with.

1657

# Note that for the purposes of inspection or transformation, the number

1658

# of bytes considered to comprise a 'Value' is based on its representation

1659

# as a UTF-8 encoded string. For example, if 'integer_value' is set to

1660

# 123456789, the number of bytes would be counted as 9, even though an

1661

# int64 only holds up to 8 bytes of data.

1662

"booleanValue": True or False, # boolean

1663

"floatValue": 3.14, # float

1664

"dayOfWeekValue": "A String", # day of week

1665

"timestampValue": "A String", # timestamp

1666

"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date

1667

# and time zone are either specified elsewhere or are not significant. The date

1668

# is relative to the Proleptic Gregorian Calendar. This can represent:

1669

#

1670

# * A full date, with non-zero year, month and day values

1671

# * A month and day value, with a zero year, e.g. an anniversary

1672

# * A year on its own, with zero month and day values

1673

# * A year and month value, with a zero day, e.g. a credit card expiration date

1674

#

1675

# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.

1676

"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without

1677

# a year.

1678

"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a

1679

# month and day.

1680

"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0

1681

# if specifying a year by itself or a year and month where the day is not

1682

# significant.

1683

},

1684

"stringValue": "A String", # string

1685

"integerValue": "A String", # integer

1686

"timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day

1687

# or are specified elsewhere. An API may choose to allow leap seconds. Related

1688

# types are google.type.Date and `google.protobuf.Timestamp`.

1689

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may

1690

# allow the value 60 if it allows leap-seconds.

1691

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

1692

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose

1693

# to allow the value "24:00:00" for scenarios like business closing time.

1694

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

},

},

},

"characterMaskConfig": { # Partially mask a string by replacing a given number of characters with a # Mask

1699

# fixed character. Masking can start from the beginning or end of the string.

1700

# This can be used on data of any type (numbers, longs, and so on) and when

1701

# de-identifying structured data we'll attempt to preserve the original data's

1702

# type. (This allows you to take a long like 123 and modify it to a string like

1703

# **3.

1704

"reverseOrder": True or False, # Mask characters in reverse order. For example, if `masking_character` is

1705

# `0`, `number_to_mask` is `14`, and `reverse_order` is `false`, then the

1706

# input string `1234-5678-9012-3456` is masked as `00000000000000-3456`.

1707

# If `masking_character` is `*`, `number_to_mask` is `3`, and `reverse_order`

1708

# is `true`, then the string `12345` is masked as `12***`.

1709

"charactersToIgnore": [ # When masking a string, items in this list will be skipped when replacing

1710

# characters. For example, if the input string is `555-555-5555` and you

1711

# instruct Cloud DLP to skip `-` and mask 5 characters with `*`, Cloud DLP

1712

# returns `***-**5-5555`.

1713

{ # Characters to skip when doing deidentification of a value. These will be left

1714

# alone and skipped.

1715

"charactersToSkip": "A String", # Characters to not transform when masking.

1716

"commonCharactersToIgnore": "A String", # Common characters to not transform when masking. Useful to avoid removing

# punctuation.

},

],

"numberToMask": 42, # Number of characters to mask. If not set, all matching chars will be

1721

# masked. Skipped characters do not count towards this tally.

1722

"maskingCharacter": "A String", # Character to use to mask the sensitive values&mdash;for example, `*` for an

1723

# alphabetic string such as a name, or `0` for a numeric string such as ZIP

1724

# code or credit card number. This string must have a length of 1. If not

1725

# supplied, this value defaults to `*` for strings, and `0` for digits.

1726

},

1727

"fixedSizeBucketingConfig": { # Buckets values based on fixed size ranges. The # Fixed size bucketing

1728

# Bucketing transformation can provide all of this functionality,

1729

# but requires more configuration. This message is provided as a convenience to

1730

# the user for simple bucketing strategies.

1731

#

1732

# The transformed value will be a hyphenated string of

1733

# {lower_bound}-{upper_bound}, i.e if lower_bound = 10 and upper_bound = 20

1734

# all values that are within this bucket will be replaced with "10-20".

1735

#

1736

# This can be used on data of type: double, long.

1737

#

1738

# If the bound Value type differs from the type of data

1739

# being transformed, we will first attempt converting the type of the data to

1740

# be transformed to match the type of the bound before comparing.

1741

#

1742

# See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more.

1743

"lowerBound": { # Set of primitive values supported by the system. # Required. Lower bound value of buckets. All values less than `lower_bound` are

1744

# grouped together into a single bucket; for example if `lower_bound` = 10,

1745

# then all values less than 10 are replaced with the value "-10".

1746

# Note that for the purposes of inspection or transformation, the number

1747

# of bytes considered to comprise a 'Value' is based on its representation

1748

# as a UTF-8 encoded string. For example, if 'integer_value' is set to

1749

# 123456789, the number of bytes would be counted as 9, even though an

1750

# int64 only holds up to 8 bytes of data.

1751

"booleanValue": True or False, # boolean

1752

"floatValue": 3.14, # float

1753

"dayOfWeekValue": "A String", # day of week

1754

"timestampValue": "A String", # timestamp

1755

"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date

1756

# and time zone are either specified elsewhere or are not significant. The date

1757

# is relative to the Proleptic Gregorian Calendar. This can represent:

1758

#

1759

# * A full date, with non-zero year, month and day values

1760

# * A month and day value, with a zero year, e.g. an anniversary

1761

# * A year on its own, with zero month and day values

1762

# * A year and month value, with a zero day, e.g. a credit card expiration date

1763

#

1764

# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.

1765

"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without

1766

# a year.

1767

"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a

1768

# month and day.

1769

"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0

1770

# if specifying a year by itself or a year and month where the day is not

1771

# significant.

1772

},

1773

"stringValue": "A String", # string

1774

"integerValue": "A String", # integer

1775

"timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day

1776

# or are specified elsewhere. An API may choose to allow leap seconds. Related

1777

# types are google.type.Date and `google.protobuf.Timestamp`.

1778

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may

1779

# allow the value 60 if it allows leap-seconds.

1780

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

1781

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose

1782

# to allow the value "24:00:00" for scenarios like business closing time.

1783

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

1784

},

1785

},

1786

"upperBound": { # Set of primitive values supported by the system. # Required. Upper bound value of buckets. All values greater than upper_bound are

1787

# grouped together into a single bucket; for example if `upper_bound` = 89,

1788

# then all values greater than 89 are replaced with the value "89+".

1789

# Note that for the purposes of inspection or transformation, the number

1790

# of bytes considered to comprise a 'Value' is based on its representation

1791

# as a UTF-8 encoded string. For example, if 'integer_value' is set to

1792

# 123456789, the number of bytes would be counted as 9, even though an

1793

# int64 only holds up to 8 bytes of data.

1794

"booleanValue": True or False, # boolean

1795

"floatValue": 3.14, # float

1796

"dayOfWeekValue": "A String", # day of week

1797

"timestampValue": "A String", # timestamp

1798

"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date

1799

# and time zone are either specified elsewhere or are not significant. The date

1800

# is relative to the Proleptic Gregorian Calendar. This can represent:

1801

#

1802

# * A full date, with non-zero year, month and day values

1803

# * A month and day value, with a zero year, e.g. an anniversary

1804

# * A year on its own, with zero month and day values

1805

# * A year and month value, with a zero day, e.g. a credit card expiration date

1806

#

1807

# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.

1808

"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without

1809

# a year.

1810

"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a

1811

# month and day.

1812

"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0

1813

# if specifying a year by itself or a year and month where the day is not

1814

# significant.

1815

},

1816

"stringValue": "A String", # string

1817

"integerValue": "A String", # integer

1818

"timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day

1819

# or are specified elsewhere. An API may choose to allow leap seconds. Related

1820

# types are google.type.Date and `google.protobuf.Timestamp`.

1821

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may

1822

# allow the value 60 if it allows leap-seconds.

1823

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

1824

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose

1825

# to allow the value "24:00:00" for scenarios like business closing time.

1826

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

1827

},

1828

},

1829

"bucketSize": 3.14, # Required. Size of each bucket (except for minimum and maximum buckets). So if

1830

# `lower_bound` = 10, `upper_bound` = 89, and `bucket_size` = 10, then the

1831

# following buckets would be used: -10, 10-20, 20-30, 30-40, 40-50, 50-60,

1832

# 60-70, 70-80, 80-89, 89+. Precision up to 2 decimals works.

1833

},

1834

},

1835

"condition": { # A condition for determining whether a transformation should be applied to # Only apply the transformation if the condition evaluates to true for the

1836

# given `RecordCondition`. The conditions are allowed to reference fields

1837

# that are not used in the actual transformation.

#

# Example Use Cases:

#

# - Apply a different bucket transformation to an age column if the zip code

1842

# column for the same record is within a specific range.

1843

# - Redact a field if the date of birth field is greater than 85.

1844

# a field.

1845

"expressions": { # An expression, consisting or an operator and conditions. # An expression.

1846

"logicalOperator": "A String", # The operator to apply to the result of conditions. Default and currently

1847

# only supported value is `AND`.

1848

"conditions": { # A collection of conditions. # Conditions to apply to the expression.

1849

"conditions": [ # A collection of conditions.

1850

{ # The field type of `value` and `field` do not need to match to be

1851

# considered equal, but not all comparisons are possible.

1852

# EQUAL_TO and NOT_EQUAL_TO attempt to compare even with incompatible types,

1853

# but all other comparisons are invalid with incompatible types.

1854

# A `value` of type:

1855

#

1856

# - `string` can be compared against all other types

1857

# - `boolean` can only be compared against other booleans

1858

# - `integer` can be compared against doubles or a string if the string value

1859

# can be parsed as an integer.

1860

# - `double` can be compared against integers or a string if the string can

1861

# be parsed as a double.

1862

# - `Timestamp` can be compared against strings in RFC 3339 date string

1863

# format.

1864

# - `TimeOfDay` can be compared against timestamps and strings in the format

1865

# of 'HH:mm:ss'.

1866

#

1867

# If we fail to compare do to type mismatch, a warning will be given and

1868

# the condition will evaluate to false.

1869

"field": { # General identifier of a data field in a storage service. # Required. Field within the record this condition is evaluated against.

1870

"name": "A String", # Name describing the field.

1871

},

1872

"operator": "A String", # Required. Operator used to compare the field or infoType to the value.

1873

"value": { # Set of primitive values supported by the system. # Value to compare against. [Mandatory, except for `EXISTS` tests.]

1874

# Note that for the purposes of inspection or transformation, the number

1875

# of bytes considered to comprise a 'Value' is based on its representation

1876

# as a UTF-8 encoded string. For example, if 'integer_value' is set to

1877

# 123456789, the number of bytes would be counted as 9, even though an

1878

# int64 only holds up to 8 bytes of data.

1879

"booleanValue": True or False, # boolean

1880

"floatValue": 3.14, # float

1881

"dayOfWeekValue": "A String", # day of week

1882

"timestampValue": "A String", # timestamp

1883

"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date

1884

# and time zone are either specified elsewhere or are not significant. The date

1885

# is relative to the Proleptic Gregorian Calendar. This can represent:

1886

#

1887

# * A full date, with non-zero year, month and day values

1888

# * A month and day value, with a zero year, e.g. an anniversary

1889

# * A year on its own, with zero month and day values

1890

# * A year and month value, with a zero day, e.g. a credit card expiration date

1891

#

1892

# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.

1893

"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without

1894

# a year.

1895

"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a

1896

# month and day.

1897

"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0

1898

# if specifying a year by itself or a year and month where the day is not

1899

# significant.

1900

},

1901

"stringValue": "A String", # string

1902

"integerValue": "A String", # integer

1903

"timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day

1904

# or are specified elsewhere. An API may choose to allow leap seconds. Related

1905

# types are google.type.Date and `google.protobuf.Timestamp`.

1906

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may

1907

# allow the value 60 if it allows leap-seconds.

1908

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

1909

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose

1910

# to allow the value "24:00:00" for scenarios like business closing time.

1911

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

},

},

},

],

},

},

},

},

],

},

"infoTypeTransformations": { # A type of transformation that will scan unstructured text and # Treat the dataset as free-form text and apply the same free text

1923

# transformation everywhere.

1924

# apply various `PrimitiveTransformation`s to each finding, where the

1925

# transformation is applied to only values that were identified as a specific

1926

# info_type.

1927

"transformations": [ # Required. Transformation for each infoType. Cannot specify more than one

1928

# for a given infoType.

1929

{ # A transformation to apply to text that is identified as a specific

1930

# info_type.

1931

"infoTypes": [ # InfoTypes to apply the transformation to. An empty list will cause

1932

# this transformation to apply to all findings that correspond to

1933

# infoTypes that were requested in `InspectConfig`.

1934

{ # Type of information detected by the API.

1935

"name": "A String", # Name of the information type. Either a name of your choosing when

1936

# creating a CustomInfoType, or one of the names listed

1937

# at https://cloud.google.com/dlp/docs/infotypes-reference when specifying

1938

# a built-in type. InfoType names should conform to the pattern

1939

# `[a-zA-Z0-9_]{1,64}`.

1940

},

1941

],

1942

"primitiveTransformation": { # A rule for transforming a value. # Required. Primitive transformation to apply to the infoType.

1943

"timePartConfig": { # For use with `Date`, `Timestamp`, and `TimeOfDay`, extract or preserve a # Time extraction

1944

# portion of the value.

1945

"partToExtract": "A String", # The part of the time to keep.

1946

},

1947

"dateShiftConfig": { # Shifts dates by random number of days, with option to be consistent for the # Date Shift

1948

# same context. See https://cloud.google.com/dlp/docs/concepts-date-shifting

1949

# to learn more.

1950

"context": { # General identifier of a data field in a storage service. # Points to the field that contains the context, for example, an entity id.

1951

# If set, must also set cryptoKey. If set, shift will be consistent for the

1952

# given context.

1953

"name": "A String", # Name describing the field.

1954

},

1955

"upperBoundDays": 42, # Required. Range of shift in days. Actual shift will be selected at random within this

1956

# range (inclusive ends). Negative means shift to earlier in time. Must not

1957

# be more than 365250 days (1000 years) each direction.

1958

#

1959

# For example, 3 means shift date to at most 3 days into the future.

1960

"lowerBoundDays": 42, # Required. For example, -5 means shift date to at most 5 days back in the past.

1961

"cryptoKey": { # This is a data encryption key (DEK) (as opposed to # Causes the shift to be computed based on this key and the context. This

1962

# results in the same shift for the same context and crypto_key. If

1963

# set, must also set context. Can only be applied to table items.

1964

# a key encryption key (KEK) stored by KMS).

1965

# When using KMS to wrap/unwrap DEKs, be sure to set an appropriate

1966

# IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot

1967

# unwrap the data crypto key.

1968

"kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key

1969

# The wrapped key must be a 128/192/256 bit key.

1970

# Authorization requires the following IAM permissions when sending a request

1971

# to perform a crypto transformation using a kms-wrapped crypto key:

1972

# dlp.kms.encrypt

1973

"wrappedKey": "A String", # Required. The wrapped data crypto key.

1974

"cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.

1975

},

1976

"unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key

1977

# leaking the key. Choose another type of key if possible.

1978

"key": "A String", # Required. A 128/192/256 bit key.

1979

},

1980

"transient": { # Use this to have a random data crypto key generated. # Transient crypto key

1981

# It will be discarded after the request finishes.

1982

"name": "A String", # Required. Name of the key.

1983

# This is an arbitrary string used to differentiate different keys.

1984

# A unique key is generated per name: two separate `TransientCryptoKey`

1985

# protos share the same generated key if their names are the same.

1986

# When the data crypto key is generated, this name is not used in any way

1987

# (repeating the api call will result in a different key being generated).

},

},

},

"replaceWithInfoTypeConfig": { # Replace each matching finding with the name of the info_type. # Replace with infotype

1992

},

1993

"cryptoHashConfig": { # Pseudonymization method that generates surrogates via cryptographic hashing. # Crypto

1994

# Uses SHA-256.

1995

# The key size must be either 32 or 64 bytes.

1996

# Outputs a base64 encoded representation of the hashed output

1997

# (for example, L7k0BHmF1ha5U3NfGykjro4xWi1MPVQPjhMAZbSV9mM=).

1998

# Currently, only string and integer values can be hashed.

1999

# See https://cloud.google.com/dlp/docs/pseudonymization to learn more.

2000

"cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the hash function.

2001

# a key encryption key (KEK) stored by KMS).

2002

# When using KMS to wrap/unwrap DEKs, be sure to set an appropriate

2003

# IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot

2004

# unwrap the data crypto key.

2005

"kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key

2006

# The wrapped key must be a 128/192/256 bit key.

2007

# Authorization requires the following IAM permissions when sending a request

2008

# to perform a crypto transformation using a kms-wrapped crypto key:

2009

# dlp.kms.encrypt

2010

"wrappedKey": "A String", # Required. The wrapped data crypto key.

2011

"cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.

2012

},

2013

"unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key

2014

# leaking the key. Choose another type of key if possible.

2015

"key": "A String", # Required. A 128/192/256 bit key.

2016

},

2017

"transient": { # Use this to have a random data crypto key generated. # Transient crypto key

2018

# It will be discarded after the request finishes.

2019

"name": "A String", # Required. Name of the key.

2020

# This is an arbitrary string used to differentiate different keys.

2021

# A unique key is generated per name: two separate `TransientCryptoKey`

2022

# protos share the same generated key if their names are the same.

2023

# When the data crypto key is generated, this name is not used in any way

2024

# (repeating the api call will result in a different key being generated).

},

},

},

"cryptoReplaceFfxFpeConfig": { # Replaces an identifier with a surrogate using Format Preserving Encryption # Ffx-Fpe

2029

# (FPE) with the FFX mode of operation; however when used in the

2030

# `ReidentifyContent` API method, it serves the opposite function by reversing

2031

# the surrogate back into the original identifier. The identifier must be

2032

# encoded as ASCII. For a given crypto key and context, the same identifier

2033

# will be replaced with the same surrogate. Identifiers must be at least two

2034

# characters long. In the case that the identifier is the empty string, it will

2035

# be skipped. See https://cloud.google.com/dlp/docs/pseudonymization to learn

2036

# more.

2037

#

2038

# Note: We recommend using CryptoDeterministicConfig for all use cases which

2039

# do not require preserving the input alphabet space and size, plus warrant

2040

# referential integrity.

2041

"customAlphabet": "A String", # This is supported by mapping these to the alphanumeric characters

2042

# that the FFX mode natively supports. This happens before/after

2043

# encryption/decryption.

2044

# Each character listed must appear only once.

2045

# Number of characters must be in the range [2, 95].

2046

# This must be encoded as ASCII.

2047

# The order of characters does not matter.

2048

"commonAlphabet": "A String", # Common alphabets.

2049

"surrogateInfoType": { # Type of information detected by the API. # The custom infoType to annotate the surrogate with.

2050

# This annotation will be applied to the surrogate by prefixing it with

2051

# the name of the custom infoType followed by the number of

2052

# characters comprising the surrogate. The following scheme defines the

2053

# format: info_type_name(surrogate_character_count):surrogate

2054

#

2055

# For example, if the name of custom infoType is 'MY_TOKEN_INFO_TYPE' and

2056

# the surrogate is 'abc', the full replacement value

2057

# will be: 'MY_TOKEN_INFO_TYPE(3):abc'

2058

#

2059

# This annotation identifies the surrogate when inspecting content using the

2060

# custom infoType

2061

# [`SurrogateType`](/dlp/docs/reference/rest/v2/InspectConfig#surrogatetype).

2062

# This facilitates reversal of the surrogate when it occurs in free text.

2063

#

2064

# In order for inspection to work properly, the name of this infoType must

2065

# not occur naturally anywhere in your data; otherwise, inspection may

2066

# find a surrogate that does not correspond to an actual identifier.

2067

# Therefore, choose your custom infoType name carefully after considering

2068

# what your data looks like. One way to select a name that has a high chance

2069

# of yielding reliable detection is to include one or more unicode characters

2070

# that are highly improbable to exist in your data.

2071

# For example, assuming your data is entered from a regular ASCII keyboard,

2072

# the symbol with the hex code point 29DD might be used like so:

2073

# ⧝MY_TOKEN_TYPE

2074

"name": "A String", # Name of the information type. Either a name of your choosing when

2075

# creating a CustomInfoType, or one of the names listed

2076

# at https://cloud.google.com/dlp/docs/infotypes-reference when specifying

2077

# a built-in type. InfoType names should conform to the pattern

2078

# `[a-zA-Z0-9_]{1,64}`.

2079

},

2080

"context": { # General identifier of a data field in a storage service. # The 'tweak', a context may be used for higher security since the same

2081

# identifier in two different contexts won't be given the same surrogate. If

2082

# the context is not set, a default tweak will be used.

2083

#

2084

# If the context is set but:

2085

#

2086

# 1. there is no record present when transforming a given value or

2087

# 1. the field is not present when transforming a given value,

2088

#

2089

# a default tweak will be used.

2090

#

2091

# Note that case (1) is expected when an `InfoTypeTransformation` is

2092

# applied to both structured and non-structured `ContentItem`s.

2093

# Currently, the referenced field may be of value type integer or string.

2094

#

2095

# The tweak is constructed as a sequence of bytes in big endian byte order

2096

# such that:

2097

#

2098

# - a 64 bit integer is encoded followed by a single byte of value 1

2099

# - a string is encoded in UTF-8 format followed by a single byte of value 2

2100

"name": "A String", # Name describing the field.

2101

},

2102

"radix": 42, # The native way to select the alphabet. Must be in the range [2, 95].

2103

"cryptoKey": { # This is a data encryption key (DEK) (as opposed to # Required. The key used by the encryption algorithm.

2104

# a key encryption key (KEK) stored by KMS).

2105

# When using KMS to wrap/unwrap DEKs, be sure to set an appropriate

2106

# IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot

2107

# unwrap the data crypto key.

2108

"kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key

2109

# The wrapped key must be a 128/192/256 bit key.

2110

# Authorization requires the following IAM permissions when sending a request

2111

# to perform a crypto transformation using a kms-wrapped crypto key:

2112

# dlp.kms.encrypt

2113

"wrappedKey": "A String", # Required. The wrapped data crypto key.

2114

"cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.

2115

},

2116

"unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key

2117

# leaking the key. Choose another type of key if possible.

2118

"key": "A String", # Required. A 128/192/256 bit key.

2119

},

2120

"transient": { # Use this to have a random data crypto key generated. # Transient crypto key

2121

# It will be discarded after the request finishes.

2122

"name": "A String", # Required. Name of the key.

2123

# This is an arbitrary string used to differentiate different keys.

2124

# A unique key is generated per name: two separate `TransientCryptoKey`

2125

# protos share the same generated key if their names are the same.

2126

# When the data crypto key is generated, this name is not used in any way

2127

# (repeating the api call will result in a different key being generated).

},

},

},

"cryptoDeterministicConfig": { # Pseudonymization method that generates deterministic encryption for the given # Deterministic Crypto

2132

# input. Outputs a base64 encoded representation of the encrypted output.

2133

# Uses AES-SIV based on the RFC https://tools.ietf.org/html/rfc5297.

2134

"surrogateInfoType": { # Type of information detected by the API. # The custom info type to annotate the surrogate with.

2135

# This annotation will be applied to the surrogate by prefixing it with

2136

# the name of the custom info type followed by the number of

2137

# characters comprising the surrogate. The following scheme defines the

2138

# format: {info type name}({surrogate character count}):{surrogate}

2139

#

2140

# For example, if the name of custom info type is 'MY_TOKEN_INFO_TYPE' and

2141

# the surrogate is 'abc', the full replacement value

2142

# will be: 'MY_TOKEN_INFO_TYPE(3):abc'

2143

#

2144

# This annotation identifies the surrogate when inspecting content using the

2145

# custom info type 'Surrogate'. This facilitates reversal of the

2146

# surrogate when it occurs in free text.

2147

#

2148

# Note: For record transformations where the entire cell in a table is being

2149

# transformed, surrogates are not mandatory. Surrogates are used to denote

2150

# the location of the token and are necessary for re-identification in free

2151

# form text.

2152

#

2153

# In order for inspection to work properly, the name of this info type must

2154

# not occur naturally anywhere in your data; otherwise, inspection may either

2155

#

2156

# - reverse a surrogate that does not correspond to an actual identifier

2157

# - be unable to parse the surrogate and result in an error

2158

#

2159

# Therefore, choose your custom info type name carefully after considering

2160

# what your data looks like. One way to select a name that has a high chance

2161

# of yielding reliable detection is to include one or more unicode characters

2162

# that are highly improbable to exist in your data.

2163

# For example, assuming your data is entered from a regular ASCII keyboard,

2164

# the symbol with the hex code point 29DD might be used like so:

2165

# ⧝MY_TOKEN_TYPE.

2166

"name": "A String", # Name of the information type. Either a name of your choosing when

2167

# creating a CustomInfoType, or one of the names listed

2168

# at https://cloud.google.com/dlp/docs/infotypes-reference when specifying

2169

# a built-in type. InfoType names should conform to the pattern

2170

# `[a-zA-Z0-9_]{1,64}`.

2171

},

2172

"context": { # General identifier of a data field in a storage service. # A context may be used for higher security and maintaining

2173

# referential integrity such that the same identifier in two different

2174

# contexts will be given a distinct surrogate. The context is appended to

2175

# plaintext value being encrypted. On decryption the provided context is

2176

# validated against the value used during encryption. If a context was

2177

# provided during encryption, same context must be provided during decryption

2178

# as well.

2179

#

2180

# If the context is not set, plaintext would be used as is for encryption.

2181

# If the context is set but:

2182

#

2183

# 1. there is no record present when transforming a given value or

2184

# 2. the field is not present when transforming a given value,

2185

#

2186

# plaintext would be used as is for encryption.

2187

#

2188

# Note that case (1) is expected when an `InfoTypeTransformation` is

2189

# applied to both structured and non-structured `ContentItem`s.

2190

"name": "A String", # Name describing the field.

2191

},

2192

"cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the encryption function.

2193

# a key encryption key (KEK) stored by KMS).

2194

# When using KMS to wrap/unwrap DEKs, be sure to set an appropriate

2195

# IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot

2196

# unwrap the data crypto key.

2197

"kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key

2198

# The wrapped key must be a 128/192/256 bit key.

2199

# Authorization requires the following IAM permissions when sending a request

2200

# to perform a crypto transformation using a kms-wrapped crypto key:

2201

# dlp.kms.encrypt

2202

"wrappedKey": "A String", # Required. The wrapped data crypto key.

2203

"cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.

2204

},

2205

"unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key

2206

# leaking the key. Choose another type of key if possible.

2207

"key": "A String", # Required. A 128/192/256 bit key.

2208

},

2209

"transient": { # Use this to have a random data crypto key generated. # Transient crypto key

2210

# It will be discarded after the request finishes.

2211

"name": "A String", # Required. Name of the key.

2212

# This is an arbitrary string used to differentiate different keys.

2213

# A unique key is generated per name: two separate `TransientCryptoKey`

2214

# protos share the same generated key if their names are the same.

2215

# When the data crypto key is generated, this name is not used in any way

2216

# (repeating the api call will result in a different key being generated).

},

},

},

"redactConfig": { # Redact a given value. For example, if used with an `InfoTypeTransformation` # Redact

2221

# transforming PHONE_NUMBER, and input 'My phone number is 206-555-0123', the

2222

# output would be 'My phone number is '.

2223

},

2224

"bucketingConfig": { # Generalization function that buckets values based on ranges. The ranges and # Bucketing

2225

# replacement values are dynamically provided by the user for custom behavior,

2226

# such as 1-30 -> LOW 31-65 -> MEDIUM 66-100 -> HIGH

2227

# This can be used on

2228

# data of type: number, long, string, timestamp.

2229

# If the bound `Value` type differs from the type of data being transformed, we

2230

# will first attempt converting the type of the data to be transformed to match

2231

# the type of the bound before comparing.

2232

# See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more.

2233

"buckets": [ # Set of buckets. Ranges must be non-overlapping.

2234

{ # Bucket is represented as a range, along with replacement values.

2235

"min": { # Set of primitive values supported by the system. # Lower bound of the range, inclusive. Type should be the same as max if

2236

# used.

2237

# Note that for the purposes of inspection or transformation, the number

2238

# of bytes considered to comprise a 'Value' is based on its representation

2239

# as a UTF-8 encoded string. For example, if 'integer_value' is set to

2240

# 123456789, the number of bytes would be counted as 9, even though an

2241

# int64 only holds up to 8 bytes of data.

2242

"booleanValue": True or False, # boolean

2243

"floatValue": 3.14, # float

2244

"dayOfWeekValue": "A String", # day of week

2245

"timestampValue": "A String", # timestamp

2246

"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date

2247

# and time zone are either specified elsewhere or are not significant. The date

2248

# is relative to the Proleptic Gregorian Calendar. This can represent:

2249

#

2250

# * A full date, with non-zero year, month and day values

2251

# * A month and day value, with a zero year, e.g. an anniversary

2252

# * A year on its own, with zero month and day values

2253

# * A year and month value, with a zero day, e.g. a credit card expiration date

2254

#

2255

# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.

2256

"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without

2257

# a year.

2258

"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a

2259

# month and day.

2260

"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0

2261

# if specifying a year by itself or a year and month where the day is not

2262

# significant.

2263

},

2264

"stringValue": "A String", # string

2265

"integerValue": "A String", # integer

2266

"timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day

2267

# or are specified elsewhere. An API may choose to allow leap seconds. Related

2268

# types are google.type.Date and `google.protobuf.Timestamp`.

2269

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may

2270

# allow the value 60 if it allows leap-seconds.

2271

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

2272

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose

2273

# to allow the value "24:00:00" for scenarios like business closing time.

2274

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

2275

},

2276

},

2277

"max": { # Set of primitive values supported by the system. # Upper bound of the range, exclusive; type must match min.

2278

# Note that for the purposes of inspection or transformation, the number

2279

# of bytes considered to comprise a 'Value' is based on its representation

2280

# as a UTF-8 encoded string. For example, if 'integer_value' is set to

2281

# 123456789, the number of bytes would be counted as 9, even though an

2282

# int64 only holds up to 8 bytes of data.

2283

"booleanValue": True or False, # boolean

2284

"floatValue": 3.14, # float

2285

"dayOfWeekValue": "A String", # day of week

2286

"timestampValue": "A String", # timestamp

2287

"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date

2288

# and time zone are either specified elsewhere or are not significant. The date

2289

# is relative to the Proleptic Gregorian Calendar. This can represent:

2290

#

2291

# * A full date, with non-zero year, month and day values

2292

# * A month and day value, with a zero year, e.g. an anniversary

2293

# * A year on its own, with zero month and day values

2294

# * A year and month value, with a zero day, e.g. a credit card expiration date

2295

#

2296

# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.

2297

"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without

2298

# a year.

2299

"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a

2300

# month and day.

2301

"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0

2302

# if specifying a year by itself or a year and month where the day is not

2303

# significant.

2304

},

2305

"stringValue": "A String", # string

2306

"integerValue": "A String", # integer

2307

"timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day

2308

# or are specified elsewhere. An API may choose to allow leap seconds. Related

2309

# types are google.type.Date and `google.protobuf.Timestamp`.

2310

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may

2311

# allow the value 60 if it allows leap-seconds.

2312

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

2313

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose

2314

# to allow the value "24:00:00" for scenarios like business closing time.

2315

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

2316

},

2317

},

2318

"replacementValue": { # Set of primitive values supported by the system. # Replacement value for this bucket. If not provided

2319

# the default behavior will be to hyphenate the min-max range.

2320

# Note that for the purposes of inspection or transformation, the number

2321

# of bytes considered to comprise a 'Value' is based on its representation

2322

# as a UTF-8 encoded string. For example, if 'integer_value' is set to

2323

# 123456789, the number of bytes would be counted as 9, even though an

2324

# int64 only holds up to 8 bytes of data.

2325

"booleanValue": True or False, # boolean

2326

"floatValue": 3.14, # float

2327

"dayOfWeekValue": "A String", # day of week

2328

"timestampValue": "A String", # timestamp

2329

"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date

2330

# and time zone are either specified elsewhere or are not significant. The date

2331

# is relative to the Proleptic Gregorian Calendar. This can represent:

2332

#

2333

# * A full date, with non-zero year, month and day values

2334

# * A month and day value, with a zero year, e.g. an anniversary

2335

# * A year on its own, with zero month and day values

2336

# * A year and month value, with a zero day, e.g. a credit card expiration date

2337

#

2338

# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.

2339

"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without

2340

# a year.

2341

"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a

2342

# month and day.

2343

"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0

2344

# if specifying a year by itself or a year and month where the day is not

2345

# significant.

2346

},

2347

"stringValue": "A String", # string

2348

"integerValue": "A String", # integer

2349

"timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day

2350

# or are specified elsewhere. An API may choose to allow leap seconds. Related

2351

# types are google.type.Date and `google.protobuf.Timestamp`.

2352

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may

2353

# allow the value 60 if it allows leap-seconds.

2354

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

2355

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose

2356

# to allow the value "24:00:00" for scenarios like business closing time.

2357

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

},

},

},

],

},

"replaceConfig": { # Replace each input value with a given `Value`. # Replace

2364

"newValue": { # Set of primitive values supported by the system. # Value to replace it with.

2365

# Note that for the purposes of inspection or transformation, the number

2366

# of bytes considered to comprise a 'Value' is based on its representation

2367

# as a UTF-8 encoded string. For example, if 'integer_value' is set to

2368

# 123456789, the number of bytes would be counted as 9, even though an

2369

# int64 only holds up to 8 bytes of data.

2370

"booleanValue": True or False, # boolean

2371

"floatValue": 3.14, # float

2372

"dayOfWeekValue": "A String", # day of week

2373

"timestampValue": "A String", # timestamp

2374

"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date

2375

# and time zone are either specified elsewhere or are not significant. The date

2376

# is relative to the Proleptic Gregorian Calendar. This can represent:

2377

#

2378

# * A full date, with non-zero year, month and day values

2379

# * A month and day value, with a zero year, e.g. an anniversary

2380

# * A year on its own, with zero month and day values

2381

# * A year and month value, with a zero day, e.g. a credit card expiration date

2382

#

2383

# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.

2384

"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without

2385

# a year.

2386

"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a

2387

# month and day.

2388

"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0

2389

# if specifying a year by itself or a year and month where the day is not

2390

# significant.

2391

},

2392

"stringValue": "A String", # string

2393

"integerValue": "A String", # integer

2394

"timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day

2395

# or are specified elsewhere. An API may choose to allow leap seconds. Related

2396

# types are google.type.Date and `google.protobuf.Timestamp`.

2397

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may

2398

# allow the value 60 if it allows leap-seconds.

2399

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

2400

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose

2401

# to allow the value "24:00:00" for scenarios like business closing time.

2402

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

},

},

},

"characterMaskConfig": { # Partially mask a string by replacing a given number of characters with a # Mask

2407

# fixed character. Masking can start from the beginning or end of the string.

2408

# This can be used on data of any type (numbers, longs, and so on) and when

2409

# de-identifying structured data we'll attempt to preserve the original data's

2410

# type. (This allows you to take a long like 123 and modify it to a string like

2411

# **3.

2412

"reverseOrder": True or False, # Mask characters in reverse order. For example, if `masking_character` is

2413

# `0`, `number_to_mask` is `14`, and `reverse_order` is `false`, then the

2414

# input string `1234-5678-9012-3456` is masked as `00000000000000-3456`.

2415

# If `masking_character` is `*`, `number_to_mask` is `3`, and `reverse_order`

2416

# is `true`, then the string `12345` is masked as `12***`.

2417

"charactersToIgnore": [ # When masking a string, items in this list will be skipped when replacing

2418

# characters. For example, if the input string is `555-555-5555` and you

2419

# instruct Cloud DLP to skip `-` and mask 5 characters with `*`, Cloud DLP

2420

# returns `***-**5-5555`.

2421

{ # Characters to skip when doing deidentification of a value. These will be left

2422

# alone and skipped.

2423

"charactersToSkip": "A String", # Characters to not transform when masking.

2424

"commonCharactersToIgnore": "A String", # Common characters to not transform when masking. Useful to avoid removing

# punctuation.

},

],

"numberToMask": 42, # Number of characters to mask. If not set, all matching chars will be

2429

# masked. Skipped characters do not count towards this tally.

2430

"maskingCharacter": "A String", # Character to use to mask the sensitive values&mdash;for example, `*` for an

2431

# alphabetic string such as a name, or `0` for a numeric string such as ZIP

2432

# code or credit card number. This string must have a length of 1. If not

2433

# supplied, this value defaults to `*` for strings, and `0` for digits.

2434

},

2435

"fixedSizeBucketingConfig": { # Buckets values based on fixed size ranges. The # Fixed size bucketing

2436

# Bucketing transformation can provide all of this functionality,

2437

# but requires more configuration. This message is provided as a convenience to

2438

# the user for simple bucketing strategies.

2439

#

2440

# The transformed value will be a hyphenated string of

2441

# {lower_bound}-{upper_bound}, i.e if lower_bound = 10 and upper_bound = 20

2442

# all values that are within this bucket will be replaced with "10-20".

2443

#

2444

# This can be used on data of type: double, long.

2445

#

2446

# If the bound Value type differs from the type of data

2447

# being transformed, we will first attempt converting the type of the data to

2448

# be transformed to match the type of the bound before comparing.

2449

#

2450

# See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more.

2451

"lowerBound": { # Set of primitive values supported by the system. # Required. Lower bound value of buckets. All values less than `lower_bound` are

2452

# grouped together into a single bucket; for example if `lower_bound` = 10,

2453

# then all values less than 10 are replaced with the value "-10".

2454

# Note that for the purposes of inspection or transformation, the number

2455

# of bytes considered to comprise a 'Value' is based on its representation

2456

# as a UTF-8 encoded string. For example, if 'integer_value' is set to

2457

# 123456789, the number of bytes would be counted as 9, even though an

2458

# int64 only holds up to 8 bytes of data.

2459

"booleanValue": True or False, # boolean

2460

"floatValue": 3.14, # float

2461

"dayOfWeekValue": "A String", # day of week

2462

"timestampValue": "A String", # timestamp

2463

"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date

2464

# and time zone are either specified elsewhere or are not significant. The date

2465

# is relative to the Proleptic Gregorian Calendar. This can represent:

2466

#

2467

# * A full date, with non-zero year, month and day values

2468

# * A month and day value, with a zero year, e.g. an anniversary

2469

# * A year on its own, with zero month and day values

2470

# * A year and month value, with a zero day, e.g. a credit card expiration date

2471

#

2472

# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.

2473

"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without

2474

# a year.

2475

"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a

2476

# month and day.

2477

"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0

2478

# if specifying a year by itself or a year and month where the day is not

2479

# significant.

2480

},

2481

"stringValue": "A String", # string

2482

"integerValue": "A String", # integer

2483

"timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day

2484

# or are specified elsewhere. An API may choose to allow leap seconds. Related

2485

# types are google.type.Date and `google.protobuf.Timestamp`.

2486

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may

2487

# allow the value 60 if it allows leap-seconds.

2488

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

2489

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose

2490

# to allow the value "24:00:00" for scenarios like business closing time.

2491

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

2492

},

2493

},

2494

"upperBound": { # Set of primitive values supported by the system. # Required. Upper bound value of buckets. All values greater than upper_bound are

2495

# grouped together into a single bucket; for example if `upper_bound` = 89,

2496

# then all values greater than 89 are replaced with the value "89+".

2497

# Note that for the purposes of inspection or transformation, the number

2498

# of bytes considered to comprise a 'Value' is based on its representation

2499

# as a UTF-8 encoded string. For example, if 'integer_value' is set to

2500

# 123456789, the number of bytes would be counted as 9, even though an

2501

# int64 only holds up to 8 bytes of data.

2502

"booleanValue": True or False, # boolean

2503

"floatValue": 3.14, # float

2504

"dayOfWeekValue": "A String", # day of week

2505

"timestampValue": "A String", # timestamp

2506

"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date

2507

# and time zone are either specified elsewhere or are not significant. The date

2508

# is relative to the Proleptic Gregorian Calendar. This can represent:

2509

#

2510

# * A full date, with non-zero year, month and day values

2511

# * A month and day value, with a zero year, e.g. an anniversary

2512

# * A year on its own, with zero month and day values

2513

# * A year and month value, with a zero day, e.g. a credit card expiration date

2514

#

2515

# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.

2516

"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without

2517

# a year.

2518

"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a

2519

# month and day.

2520

"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0

2521

# if specifying a year by itself or a year and month where the day is not

2522

# significant.

2523

},

2524

"stringValue": "A String", # string

2525

"integerValue": "A String", # integer

2526

"timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day

2527

# or are specified elsewhere. An API may choose to allow leap seconds. Related

2528

# types are google.type.Date and `google.protobuf.Timestamp`.

2529

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may

2530

# allow the value 60 if it allows leap-seconds.

2531

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

2532

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose

2533

# to allow the value "24:00:00" for scenarios like business closing time.

2534

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

2535

},

2536

},

2537

"bucketSize": 3.14, # Required. Size of each bucket (except for minimum and maximum buckets). So if

2538

# `lower_bound` = 10, `upper_bound` = 89, and `bucket_size` = 10, then the

2539

# following buckets would be used: -10, 10-20, 20-30, 30-40, 40-50, 50-60,

2540

# 60-70, 70-80, 80-89, 89+. Precision up to 2 decimals works.

},

},

},

],

},

},

"locationId": "A String", # The geographic location to process de-identification. Reserved for future

# extensions.

}

x__xgafv: string, V1 error format.

Allowed values

1 - v1 error format

2 - v2 error format

Returns:

An object of the form:

2558

2559

{ # Results of de-identifying a ContentItem.

2560

"item": { # Container structure for the content to inspect. # The de-identified item.

2561

"byteItem": { # Container for bytes to inspect or redact. # Content data to inspect or redact. Replaces `type` and `data`.

2562

"type": "A String", # The type of data stored in the bytes string. Default will be TEXT_UTF8.

2563

"data": "A String", # Content data to inspect or redact.

2564

},

2565

"value": "A String", # String data to inspect or redact.

2566

"table": { # Structured content to inspect. Up to 50,000 `Value`s per request allowed. # Structured content for inspection. See

2567

# https://cloud.google.com/dlp/docs/inspecting-text#inspecting_a_table to

2568

# learn more.

2569

# See https://cloud.google.com/dlp/docs/inspecting-text#inspecting_a_table to

2570

# learn more.

2571

"rows": [ # Rows of the table.

2572

{ # Values of the row.

2573

"values": [ # Individual cells.

2574

{ # Set of primitive values supported by the system.

2575

# Note that for the purposes of inspection or transformation, the number

2576

# of bytes considered to comprise a 'Value' is based on its representation

2577

# as a UTF-8 encoded string. For example, if 'integer_value' is set to

2578

# 123456789, the number of bytes would be counted as 9, even though an

2579

# int64 only holds up to 8 bytes of data.

2580

"booleanValue": True or False, # boolean

2581

"floatValue": 3.14, # float

2582

"dayOfWeekValue": "A String", # day of week

2583

"timestampValue": "A String", # timestamp

2584

"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date

2585

# and time zone are either specified elsewhere or are not significant. The date

2586

# is relative to the Proleptic Gregorian Calendar. This can represent:

2587

#

2588

# * A full date, with non-zero year, month and day values

2589

# * A month and day value, with a zero year, e.g. an anniversary

2590

# * A year on its own, with zero month and day values

2591

# * A year and month value, with a zero day, e.g. a credit card expiration date

2592

#

2593

# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.

2594

"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without

2595

# a year.

2596

"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a

2597

# month and day.

2598

"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0

2599

# if specifying a year by itself or a year and month where the day is not

2600

# significant.

2601

},

2602

"stringValue": "A String", # string

2603

"integerValue": "A String", # integer

2604

"timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day

2605

# or are specified elsewhere. An API may choose to allow leap seconds. Related

2606

# types are google.type.Date and `google.protobuf.Timestamp`.

2607

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may

2608

# allow the value 60 if it allows leap-seconds.

2609

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

2610

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose

2611

# to allow the value "24:00:00" for scenarios like business closing time.

2612

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

},

},

],

},

],

"headers": [ # Headers of the table.

2619

{ # General identifier of a data field in a storage service.

2620

"name": "A String", # Name describing the field.

},

],

},

},

"overview": { # Overview of the modifications that occurred. # An overview of the changes that were made on the `item`.

2626

"transformationSummaries": [ # Transformations applied to the dataset.

2627

{ # Summary of a single transformation.

2628

# Only one of 'transformation', 'field_transformation', or 'record_suppress'

2629

# will be set.

2630

"fieldTransformations": [ # The field transformation that was applied.

2631

# If multiple field transformations are requested for a single field,

2632

# this list will contain all of them; otherwise, only one is supplied.

2633

{ # The transformation to apply to the field.

2634

"fields": [ # Required. Input field(s) to apply the transformation to.

2635

{ # General identifier of a data field in a storage service.

2636

"name": "A String", # Name describing the field.

2637

},

2638

],

2639

"infoTypeTransformations": { # A type of transformation that will scan unstructured text and # Treat the contents of the field as free text, and selectively

2640

# transform content that matches an `InfoType`.

2641

# apply various `PrimitiveTransformation`s to each finding, where the

2642

# transformation is applied to only values that were identified as a specific

2643

# info_type.

2644

"transformations": [ # Required. Transformation for each infoType. Cannot specify more than one

2645

# for a given infoType.

2646

{ # A transformation to apply to text that is identified as a specific

2647

# info_type.

2648

"infoTypes": [ # InfoTypes to apply the transformation to. An empty list will cause

2649

# this transformation to apply to all findings that correspond to

2650

# infoTypes that were requested in `InspectConfig`.

2651

{ # Type of information detected by the API.

2652

"name": "A String", # Name of the information type. Either a name of your choosing when

2653

# creating a CustomInfoType, or one of the names listed

2654

# at https://cloud.google.com/dlp/docs/infotypes-reference when specifying

2655

# a built-in type. InfoType names should conform to the pattern

2656

# `[a-zA-Z0-9_]{1,64}`.

2657

},

2658

],

2659

"primitiveTransformation": { # A rule for transforming a value. # Required. Primitive transformation to apply to the infoType.

2660

"timePartConfig": { # For use with `Date`, `Timestamp`, and `TimeOfDay`, extract or preserve a # Time extraction

2661

# portion of the value.

2662

"partToExtract": "A String", # The part of the time to keep.

2663

},

2664

"dateShiftConfig": { # Shifts dates by random number of days, with option to be consistent for the # Date Shift

2665

# same context. See https://cloud.google.com/dlp/docs/concepts-date-shifting

2666

# to learn more.

2667

"context": { # General identifier of a data field in a storage service. # Points to the field that contains the context, for example, an entity id.

2668

# If set, must also set cryptoKey. If set, shift will be consistent for the

2669

# given context.

2670

"name": "A String", # Name describing the field.

2671

},

2672

"upperBoundDays": 42, # Required. Range of shift in days. Actual shift will be selected at random within this

2673

# range (inclusive ends). Negative means shift to earlier in time. Must not

2674

# be more than 365250 days (1000 years) each direction.

2675

#

2676

# For example, 3 means shift date to at most 3 days into the future.

2677

"lowerBoundDays": 42, # Required. For example, -5 means shift date to at most 5 days back in the past.

2678

"cryptoKey": { # This is a data encryption key (DEK) (as opposed to # Causes the shift to be computed based on this key and the context. This

2679

# results in the same shift for the same context and crypto_key. If

2680

# set, must also set context. Can only be applied to table items.

2681

# a key encryption key (KEK) stored by KMS).

2682

# When using KMS to wrap/unwrap DEKs, be sure to set an appropriate

2683

# IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot

2684

# unwrap the data crypto key.

2685

"kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key

2686

# The wrapped key must be a 128/192/256 bit key.

2687

# Authorization requires the following IAM permissions when sending a request

2688

# to perform a crypto transformation using a kms-wrapped crypto key:

2689

# dlp.kms.encrypt

2690

"wrappedKey": "A String", # Required. The wrapped data crypto key.

2691

"cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.

2692

},

2693

"unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key

2694

# leaking the key. Choose another type of key if possible.

2695

"key": "A String", # Required. A 128/192/256 bit key.

2696

},

2697

"transient": { # Use this to have a random data crypto key generated. # Transient crypto key

2698

# It will be discarded after the request finishes.

2699

"name": "A String", # Required. Name of the key.

2700

# This is an arbitrary string used to differentiate different keys.

2701

# A unique key is generated per name: two separate `TransientCryptoKey`

2702

# protos share the same generated key if their names are the same.

2703

# When the data crypto key is generated, this name is not used in any way

2704

# (repeating the api call will result in a different key being generated).

},

},

},

"replaceWithInfoTypeConfig": { # Replace each matching finding with the name of the info_type. # Replace with infotype

2709

},

2710

"cryptoHashConfig": { # Pseudonymization method that generates surrogates via cryptographic hashing. # Crypto

2711

# Uses SHA-256.

2712

# The key size must be either 32 or 64 bytes.

2713

# Outputs a base64 encoded representation of the hashed output

2714

# (for example, L7k0BHmF1ha5U3NfGykjro4xWi1MPVQPjhMAZbSV9mM=).

2715

# Currently, only string and integer values can be hashed.

2716

# See https://cloud.google.com/dlp/docs/pseudonymization to learn more.

2717

"cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the hash function.

2718

# a key encryption key (KEK) stored by KMS).

2719

# When using KMS to wrap/unwrap DEKs, be sure to set an appropriate

2720

# IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot

2721

# unwrap the data crypto key.

2722

"kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key

2723

# The wrapped key must be a 128/192/256 bit key.

2724

# Authorization requires the following IAM permissions when sending a request

2725

# to perform a crypto transformation using a kms-wrapped crypto key:

2726

# dlp.kms.encrypt

2727

"wrappedKey": "A String", # Required. The wrapped data crypto key.

2728

"cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.

2729

},

2730

"unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key

2731

# leaking the key. Choose another type of key if possible.

2732

"key": "A String", # Required. A 128/192/256 bit key.

2733

},

2734

"transient": { # Use this to have a random data crypto key generated. # Transient crypto key

2735

# It will be discarded after the request finishes.

2736

"name": "A String", # Required. Name of the key.

2737

# This is an arbitrary string used to differentiate different keys.

2738

# A unique key is generated per name: two separate `TransientCryptoKey`

2739

# protos share the same generated key if their names are the same.

2740

# When the data crypto key is generated, this name is not used in any way

2741

# (repeating the api call will result in a different key being generated).

},

},

},

"cryptoReplaceFfxFpeConfig": { # Replaces an identifier with a surrogate using Format Preserving Encryption # Ffx-Fpe

2746

# (FPE) with the FFX mode of operation; however when used in the

2747

# `ReidentifyContent` API method, it serves the opposite function by reversing

2748

# the surrogate back into the original identifier. The identifier must be

2749

# encoded as ASCII. For a given crypto key and context, the same identifier

2750

# will be replaced with the same surrogate. Identifiers must be at least two

2751

# characters long. In the case that the identifier is the empty string, it will

2752

# be skipped. See https://cloud.google.com/dlp/docs/pseudonymization to learn

2753

# more.

2754

#

2755

# Note: We recommend using CryptoDeterministicConfig for all use cases which

2756

# do not require preserving the input alphabet space and size, plus warrant

2757

# referential integrity.

2758

"customAlphabet": "A String", # This is supported by mapping these to the alphanumeric characters

2759

# that the FFX mode natively supports. This happens before/after

2760

# encryption/decryption.

2761

# Each character listed must appear only once.

2762

# Number of characters must be in the range [2, 95].

2763

# This must be encoded as ASCII.

2764

# The order of characters does not matter.

2765

"commonAlphabet": "A String", # Common alphabets.

2766

"surrogateInfoType": { # Type of information detected by the API. # The custom infoType to annotate the surrogate with.

2767

# This annotation will be applied to the surrogate by prefixing it with

2768

# the name of the custom infoType followed by the number of

2769

# characters comprising the surrogate. The following scheme defines the

2770

# format: info_type_name(surrogate_character_count):surrogate

2771

#

2772

# For example, if the name of custom infoType is 'MY_TOKEN_INFO_TYPE' and

2773

# the surrogate is 'abc', the full replacement value

2774

# will be: 'MY_TOKEN_INFO_TYPE(3):abc'

2775

#

2776

# This annotation identifies the surrogate when inspecting content using the

2777

# custom infoType

2778

# [`SurrogateType`](/dlp/docs/reference/rest/v2/InspectConfig#surrogatetype).

2779

# This facilitates reversal of the surrogate when it occurs in free text.

2780

#

2781

# In order for inspection to work properly, the name of this infoType must

2782

# not occur naturally anywhere in your data; otherwise, inspection may

2783

# find a surrogate that does not correspond to an actual identifier.

2784

# Therefore, choose your custom infoType name carefully after considering

2785

# what your data looks like. One way to select a name that has a high chance

2786

# of yielding reliable detection is to include one or more unicode characters

2787

# that are highly improbable to exist in your data.

2788

# For example, assuming your data is entered from a regular ASCII keyboard,

2789

# the symbol with the hex code point 29DD might be used like so:

2790

# ⧝MY_TOKEN_TYPE

2791

"name": "A String", # Name of the information type. Either a name of your choosing when

2792

# creating a CustomInfoType, or one of the names listed

2793

# at https://cloud.google.com/dlp/docs/infotypes-reference when specifying

2794

# a built-in type. InfoType names should conform to the pattern

2795

# `[a-zA-Z0-9_]{1,64}`.

2796

},

2797

"context": { # General identifier of a data field in a storage service. # The 'tweak', a context may be used for higher security since the same

2798

# identifier in two different contexts won't be given the same surrogate. If

2799

# the context is not set, a default tweak will be used.

2800

#

2801

# If the context is set but:

2802

#

2803

# 1. there is no record present when transforming a given value or

2804

# 1. the field is not present when transforming a given value,

2805

#

2806

# a default tweak will be used.

2807

#

2808

# Note that case (1) is expected when an `InfoTypeTransformation` is

2809

# applied to both structured and non-structured `ContentItem`s.

2810

# Currently, the referenced field may be of value type integer or string.

2811

#

2812

# The tweak is constructed as a sequence of bytes in big endian byte order

2813

# such that:

2814

#

2815

# - a 64 bit integer is encoded followed by a single byte of value 1

2816

# - a string is encoded in UTF-8 format followed by a single byte of value 2

2817

"name": "A String", # Name describing the field.

2818

},

2819

"radix": 42, # The native way to select the alphabet. Must be in the range [2, 95].

2820

"cryptoKey": { # This is a data encryption key (DEK) (as opposed to # Required. The key used by the encryption algorithm.

2821

# a key encryption key (KEK) stored by KMS).

2822

# When using KMS to wrap/unwrap DEKs, be sure to set an appropriate

2823

# IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot

2824

# unwrap the data crypto key.

2825

"kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key

2826

# The wrapped key must be a 128/192/256 bit key.

2827

# Authorization requires the following IAM permissions when sending a request

2828

# to perform a crypto transformation using a kms-wrapped crypto key:

2829

# dlp.kms.encrypt

2830

"wrappedKey": "A String", # Required. The wrapped data crypto key.

2831

"cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.

2832

},

2833

"unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key

2834

# leaking the key. Choose another type of key if possible.

2835

"key": "A String", # Required. A 128/192/256 bit key.

2836

},

2837

"transient": { # Use this to have a random data crypto key generated. # Transient crypto key

2838

# It will be discarded after the request finishes.

2839

"name": "A String", # Required. Name of the key.

2840

# This is an arbitrary string used to differentiate different keys.

2841

# A unique key is generated per name: two separate `TransientCryptoKey`

2842

# protos share the same generated key if their names are the same.

2843

# When the data crypto key is generated, this name is not used in any way

2844

# (repeating the api call will result in a different key being generated).

},

},

},

"cryptoDeterministicConfig": { # Pseudonymization method that generates deterministic encryption for the given # Deterministic Crypto

2849

# input. Outputs a base64 encoded representation of the encrypted output.

2850

# Uses AES-SIV based on the RFC https://tools.ietf.org/html/rfc5297.

2851

"surrogateInfoType": { # Type of information detected by the API. # The custom info type to annotate the surrogate with.

2852

# This annotation will be applied to the surrogate by prefixing it with

2853

# the name of the custom info type followed by the number of

2854

# characters comprising the surrogate. The following scheme defines the

2855

# format: {info type name}({surrogate character count}):{surrogate}

2856

#

2857

# For example, if the name of custom info type is 'MY_TOKEN_INFO_TYPE' and

2858

# the surrogate is 'abc', the full replacement value

2859

# will be: 'MY_TOKEN_INFO_TYPE(3):abc'

2860

#

2861

# This annotation identifies the surrogate when inspecting content using the

2862

# custom info type 'Surrogate'. This facilitates reversal of the

2863

# surrogate when it occurs in free text.

2864

#

2865

# Note: For record transformations where the entire cell in a table is being

2866

# transformed, surrogates are not mandatory. Surrogates are used to denote

2867

# the location of the token and are necessary for re-identification in free

2868

# form text.

2869

#

2870

# In order for inspection to work properly, the name of this info type must

2871

# not occur naturally anywhere in your data; otherwise, inspection may either

2872

#

2873

# - reverse a surrogate that does not correspond to an actual identifier

2874

# - be unable to parse the surrogate and result in an error

2875

#

2876

# Therefore, choose your custom info type name carefully after considering

2877

# what your data looks like. One way to select a name that has a high chance

2878

# of yielding reliable detection is to include one or more unicode characters

2879

# that are highly improbable to exist in your data.

2880

# For example, assuming your data is entered from a regular ASCII keyboard,

2881

# the symbol with the hex code point 29DD might be used like so:

2882

# ⧝MY_TOKEN_TYPE.

2883

"name": "A String", # Name of the information type. Either a name of your choosing when

2884

# creating a CustomInfoType, or one of the names listed

2885

# at https://cloud.google.com/dlp/docs/infotypes-reference when specifying

2886

# a built-in type. InfoType names should conform to the pattern

2887

# `[a-zA-Z0-9_]{1,64}`.

2888

},

2889

"context": { # General identifier of a data field in a storage service. # A context may be used for higher security and maintaining

2890

# referential integrity such that the same identifier in two different

2891

# contexts will be given a distinct surrogate. The context is appended to

2892

# plaintext value being encrypted. On decryption the provided context is

2893

# validated against the value used during encryption. If a context was

2894

# provided during encryption, same context must be provided during decryption

2895

# as well.

2896

#

2897

# If the context is not set, plaintext would be used as is for encryption.

2898

# If the context is set but:

2899

#

2900

# 1. there is no record present when transforming a given value or

2901

# 2. the field is not present when transforming a given value,

2902

#

2903

# plaintext would be used as is for encryption.

2904

#

2905

# Note that case (1) is expected when an `InfoTypeTransformation` is

2906

# applied to both structured and non-structured `ContentItem`s.

2907

"name": "A String", # Name describing the field.

2908

},

2909

"cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the encryption function.

2910

# a key encryption key (KEK) stored by KMS).

2911

# When using KMS to wrap/unwrap DEKs, be sure to set an appropriate

2912

# IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot

2913

# unwrap the data crypto key.

2914

"kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key

2915

# The wrapped key must be a 128/192/256 bit key.

2916

# Authorization requires the following IAM permissions when sending a request

2917

# to perform a crypto transformation using a kms-wrapped crypto key:

2918

# dlp.kms.encrypt

2919

"wrappedKey": "A String", # Required. The wrapped data crypto key.

2920

"cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.

2921

},

2922

"unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key

2923

# leaking the key. Choose another type of key if possible.

2924

"key": "A String", # Required. A 128/192/256 bit key.

2925

},

2926

"transient": { # Use this to have a random data crypto key generated. # Transient crypto key

2927

# It will be discarded after the request finishes.

2928

"name": "A String", # Required. Name of the key.

2929

# This is an arbitrary string used to differentiate different keys.

2930

# A unique key is generated per name: two separate `TransientCryptoKey`

2931

# protos share the same generated key if their names are the same.

2932

# When the data crypto key is generated, this name is not used in any way

2933

# (repeating the api call will result in a different key being generated).

},

},

},

"redactConfig": { # Redact a given value. For example, if used with an `InfoTypeTransformation` # Redact

2938

# transforming PHONE_NUMBER, and input 'My phone number is 206-555-0123', the

2939

# output would be 'My phone number is '.

2940

},

2941

"bucketingConfig": { # Generalization function that buckets values based on ranges. The ranges and # Bucketing

2942

# replacement values are dynamically provided by the user for custom behavior,

2943

# such as 1-30 -> LOW 31-65 -> MEDIUM 66-100 -> HIGH

2944

# This can be used on

2945

# data of type: number, long, string, timestamp.

2946

# If the bound `Value` type differs from the type of data being transformed, we

2947

# will first attempt converting the type of the data to be transformed to match

2948

# the type of the bound before comparing.

2949

# See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more.

2950

"buckets": [ # Set of buckets. Ranges must be non-overlapping.

2951

{ # Bucket is represented as a range, along with replacement values.

2952

"min": { # Set of primitive values supported by the system. # Lower bound of the range, inclusive. Type should be the same as max if

2953

# used.

2954

# Note that for the purposes of inspection or transformation, the number

2955

# of bytes considered to comprise a 'Value' is based on its representation

2956

# as a UTF-8 encoded string. For example, if 'integer_value' is set to

2957

# 123456789, the number of bytes would be counted as 9, even though an

2958

# int64 only holds up to 8 bytes of data.

2959

"booleanValue": True or False, # boolean

2960

"floatValue": 3.14, # float

2961

"dayOfWeekValue": "A String", # day of week

2962

"timestampValue": "A String", # timestamp

2963

"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date

2964

# and time zone are either specified elsewhere or are not significant. The date

2965

# is relative to the Proleptic Gregorian Calendar. This can represent:

2966

#

2967

# * A full date, with non-zero year, month and day values

2968

# * A month and day value, with a zero year, e.g. an anniversary

2969

# * A year on its own, with zero month and day values

2970

# * A year and month value, with a zero day, e.g. a credit card expiration date

2971

#

2972

# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.

2973

"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without

2974

# a year.

2975

"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a

2976

# month and day.

2977

"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0

2978

# if specifying a year by itself or a year and month where the day is not

2979

# significant.

2980

},

2981

"stringValue": "A String", # string

2982

"integerValue": "A String", # integer

2983

"timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day

2984

# or are specified elsewhere. An API may choose to allow leap seconds. Related

2985

# types are google.type.Date and `google.protobuf.Timestamp`.

2986

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may

2987

# allow the value 60 if it allows leap-seconds.

2988

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

2989

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose

2990

# to allow the value "24:00:00" for scenarios like business closing time.

2991

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

2992

},

2993

},

2994

"max": { # Set of primitive values supported by the system. # Upper bound of the range, exclusive; type must match min.

2995

# Note that for the purposes of inspection or transformation, the number

2996

# of bytes considered to comprise a 'Value' is based on its representation

2997

# as a UTF-8 encoded string. For example, if 'integer_value' is set to

2998

# 123456789, the number of bytes would be counted as 9, even though an

2999

# int64 only holds up to 8 bytes of data.

3000

"booleanValue": True or False, # boolean

3001

"floatValue": 3.14, # float

3002

"dayOfWeekValue": "A String", # day of week

3003

"timestampValue": "A String", # timestamp

3004

"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date

3005

# and time zone are either specified elsewhere or are not significant. The date

3006

# is relative to the Proleptic Gregorian Calendar. This can represent:

3007

#

3008

# * A full date, with non-zero year, month and day values

3009

# * A month and day value, with a zero year, e.g. an anniversary

3010

# * A year on its own, with zero month and day values

3011

# * A year and month value, with a zero day, e.g. a credit card expiration date

3012

#

3013

# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.

3014

"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without

3015

# a year.

3016

"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a

3017

# month and day.

3018

"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0

3019

# if specifying a year by itself or a year and month where the day is not

3020

# significant.

3021

},

3022

"stringValue": "A String", # string

3023

"integerValue": "A String", # integer

3024

"timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day

3025

# or are specified elsewhere. An API may choose to allow leap seconds. Related

3026

# types are google.type.Date and `google.protobuf.Timestamp`.

3027

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may

3028

# allow the value 60 if it allows leap-seconds.

3029

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

3030

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose

3031

# to allow the value "24:00:00" for scenarios like business closing time.

3032

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

3033

},

3034

},

3035

"replacementValue": { # Set of primitive values supported by the system. # Replacement value for this bucket. If not provided

3036

# the default behavior will be to hyphenate the min-max range.

3037

# Note that for the purposes of inspection or transformation, the number

3038

# of bytes considered to comprise a 'Value' is based on its representation

3039

# as a UTF-8 encoded string. For example, if 'integer_value' is set to

3040

# 123456789, the number of bytes would be counted as 9, even though an

3041

# int64 only holds up to 8 bytes of data.

3042

"booleanValue": True or False, # boolean

3043

"floatValue": 3.14, # float

3044

"dayOfWeekValue": "A String", # day of week

3045

"timestampValue": "A String", # timestamp

3046

"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date

3047

# and time zone are either specified elsewhere or are not significant. The date

3048

# is relative to the Proleptic Gregorian Calendar. This can represent:

3049

#

3050

# * A full date, with non-zero year, month and day values

3051

# * A month and day value, with a zero year, e.g. an anniversary

3052

# * A year on its own, with zero month and day values

3053

# * A year and month value, with a zero day, e.g. a credit card expiration date

3054

#

3055

# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.

3056

"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without

3057

# a year.

3058

"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a

3059

# month and day.

3060

"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0

3061

# if specifying a year by itself or a year and month where the day is not

3062

# significant.

3063

},

3064

"stringValue": "A String", # string

3065

"integerValue": "A String", # integer

3066

"timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day

3067

# or are specified elsewhere. An API may choose to allow leap seconds. Related

3068

# types are google.type.Date and `google.protobuf.Timestamp`.

3069

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may

3070

# allow the value 60 if it allows leap-seconds.

3071

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

3072

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose

3073

# to allow the value "24:00:00" for scenarios like business closing time.

3074

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

},

},

},

],

},

"replaceConfig": { # Replace each input value with a given `Value`. # Replace

3081

"newValue": { # Set of primitive values supported by the system. # Value to replace it with.

3082

# Note that for the purposes of inspection or transformation, the number

3083

# of bytes considered to comprise a 'Value' is based on its representation

3084

# as a UTF-8 encoded string. For example, if 'integer_value' is set to

3085

# 123456789, the number of bytes would be counted as 9, even though an

3086

# int64 only holds up to 8 bytes of data.

3087

"booleanValue": True or False, # boolean

3088

"floatValue": 3.14, # float

3089

"dayOfWeekValue": "A String", # day of week

3090

"timestampValue": "A String", # timestamp

3091

"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date

3092

# and time zone are either specified elsewhere or are not significant. The date

3093

# is relative to the Proleptic Gregorian Calendar. This can represent:

3094

#

3095

# * A full date, with non-zero year, month and day values

3096

# * A month and day value, with a zero year, e.g. an anniversary

3097

# * A year on its own, with zero month and day values

3098

# * A year and month value, with a zero day, e.g. a credit card expiration date

3099

#

3100

# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.

3101

"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without

3102

# a year.

3103

"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a

3104

# month and day.

3105

"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0

3106

# if specifying a year by itself or a year and month where the day is not

3107

# significant.

3108

},

3109

"stringValue": "A String", # string

3110

"integerValue": "A String", # integer

3111

"timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day

3112

# or are specified elsewhere. An API may choose to allow leap seconds. Related

3113

# types are google.type.Date and `google.protobuf.Timestamp`.

3114

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may

3115

# allow the value 60 if it allows leap-seconds.

3116

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

3117

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose

3118

# to allow the value "24:00:00" for scenarios like business closing time.

3119

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

},

},

},

"characterMaskConfig": { # Partially mask a string by replacing a given number of characters with a # Mask

3124

# fixed character. Masking can start from the beginning or end of the string.

3125

# This can be used on data of any type (numbers, longs, and so on) and when

3126

# de-identifying structured data we'll attempt to preserve the original data's

3127

# type. (This allows you to take a long like 123 and modify it to a string like

3128

# **3.

3129

"reverseOrder": True or False, # Mask characters in reverse order. For example, if `masking_character` is

3130

# `0`, `number_to_mask` is `14`, and `reverse_order` is `false`, then the

3131

# input string `1234-5678-9012-3456` is masked as `00000000000000-3456`.

3132

# If `masking_character` is `*`, `number_to_mask` is `3`, and `reverse_order`

3133

# is `true`, then the string `12345` is masked as `12***`.

3134

"charactersToIgnore": [ # When masking a string, items in this list will be skipped when replacing

3135

# characters. For example, if the input string is `555-555-5555` and you

3136

# instruct Cloud DLP to skip `-` and mask 5 characters with `*`, Cloud DLP

3137

# returns `***-**5-5555`.

3138

{ # Characters to skip when doing deidentification of a value. These will be left

3139

# alone and skipped.

3140

"charactersToSkip": "A String", # Characters to not transform when masking.

3141

"commonCharactersToIgnore": "A String", # Common characters to not transform when masking. Useful to avoid removing

# punctuation.

},

],

"numberToMask": 42, # Number of characters to mask. If not set, all matching chars will be

3146

# masked. Skipped characters do not count towards this tally.

3147

"maskingCharacter": "A String", # Character to use to mask the sensitive values&mdash;for example, `*` for an

3148

# alphabetic string such as a name, or `0` for a numeric string such as ZIP

3149

# code or credit card number. This string must have a length of 1. If not

3150

# supplied, this value defaults to `*` for strings, and `0` for digits.

3151

},

3152

"fixedSizeBucketingConfig": { # Buckets values based on fixed size ranges. The # Fixed size bucketing

3153

# Bucketing transformation can provide all of this functionality,

3154

# but requires more configuration. This message is provided as a convenience to

3155

# the user for simple bucketing strategies.

3156

#

3157

# The transformed value will be a hyphenated string of

3158

# {lower_bound}-{upper_bound}, i.e if lower_bound = 10 and upper_bound = 20

3159

# all values that are within this bucket will be replaced with "10-20".

3160

#

3161

# This can be used on data of type: double, long.

3162

#

3163

# If the bound Value type differs from the type of data

3164

# being transformed, we will first attempt converting the type of the data to

3165

# be transformed to match the type of the bound before comparing.

3166

#

3167

# See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more.

3168

"lowerBound": { # Set of primitive values supported by the system. # Required. Lower bound value of buckets. All values less than `lower_bound` are

3169

# grouped together into a single bucket; for example if `lower_bound` = 10,

3170

# then all values less than 10 are replaced with the value "-10".

3171

# Note that for the purposes of inspection or transformation, the number

3172

# of bytes considered to comprise a 'Value' is based on its representation

3173

# as a UTF-8 encoded string. For example, if 'integer_value' is set to

3174

# 123456789, the number of bytes would be counted as 9, even though an

3175

# int64 only holds up to 8 bytes of data.

3176

"booleanValue": True or False, # boolean

3177

"floatValue": 3.14, # float

3178

"dayOfWeekValue": "A String", # day of week

3179

"timestampValue": "A String", # timestamp

3180

"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date

3181

# and time zone are either specified elsewhere or are not significant. The date

3182

# is relative to the Proleptic Gregorian Calendar. This can represent:

3183

#

3184

# * A full date, with non-zero year, month and day values

3185

# * A month and day value, with a zero year, e.g. an anniversary

3186

# * A year on its own, with zero month and day values

3187

# * A year and month value, with a zero day, e.g. a credit card expiration date

3188

#

3189

# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.

3190

"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without

3191

# a year.

3192

"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a

3193

# month and day.

3194

"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0

3195

# if specifying a year by itself or a year and month where the day is not

3196

# significant.

3197

},

3198

"stringValue": "A String", # string

3199

"integerValue": "A String", # integer

3200

"timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day

3201

# or are specified elsewhere. An API may choose to allow leap seconds. Related

3202

# types are google.type.Date and `google.protobuf.Timestamp`.

3203

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may

3204

# allow the value 60 if it allows leap-seconds.

3205

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

3206

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose

3207

# to allow the value "24:00:00" for scenarios like business closing time.

3208

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

3209

},

3210

},

3211

"upperBound": { # Set of primitive values supported by the system. # Required. Upper bound value of buckets. All values greater than upper_bound are

3212

# grouped together into a single bucket; for example if `upper_bound` = 89,

3213

# then all values greater than 89 are replaced with the value "89+".

3214

# Note that for the purposes of inspection or transformation, the number

3215

# of bytes considered to comprise a 'Value' is based on its representation

3216

# as a UTF-8 encoded string. For example, if 'integer_value' is set to

3217

# 123456789, the number of bytes would be counted as 9, even though an

3218

# int64 only holds up to 8 bytes of data.

3219

"booleanValue": True or False, # boolean

3220

"floatValue": 3.14, # float

3221

"dayOfWeekValue": "A String", # day of week

3222

"timestampValue": "A String", # timestamp

3223

"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date

3224

# and time zone are either specified elsewhere or are not significant. The date

3225

# is relative to the Proleptic Gregorian Calendar. This can represent:

3226

#

3227

# * A full date, with non-zero year, month and day values

3228

# * A month and day value, with a zero year, e.g. an anniversary

3229

# * A year on its own, with zero month and day values

3230

# * A year and month value, with a zero day, e.g. a credit card expiration date

3231

#

3232

# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.

3233

"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without

3234

# a year.

3235

"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a

3236

# month and day.

3237

"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0

3238

# if specifying a year by itself or a year and month where the day is not

3239

# significant.

3240

},

3241

"stringValue": "A String", # string

3242

"integerValue": "A String", # integer

3243

"timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day

3244

# or are specified elsewhere. An API may choose to allow leap seconds. Related

3245

# types are google.type.Date and `google.protobuf.Timestamp`.

3246

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may

3247

# allow the value 60 if it allows leap-seconds.

3248

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

3249

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose

3250

# to allow the value "24:00:00" for scenarios like business closing time.

3251

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

3252

},

3253

},

3254

"bucketSize": 3.14, # Required. Size of each bucket (except for minimum and maximum buckets). So if

3255

# `lower_bound` = 10, `upper_bound` = 89, and `bucket_size` = 10, then the

3256

# following buckets would be used: -10, 10-20, 20-30, 30-40, 40-50, 50-60,

3257

# 60-70, 70-80, 80-89, 89+. Precision up to 2 decimals works.

},

},

},

],

},

"primitiveTransformation": { # A rule for transforming a value. # Apply the transformation to the entire field.

3264

"timePartConfig": { # For use with `Date`, `Timestamp`, and `TimeOfDay`, extract or preserve a # Time extraction

3265

# portion of the value.

3266

"partToExtract": "A String", # The part of the time to keep.

3267

},

3268

"dateShiftConfig": { # Shifts dates by random number of days, with option to be consistent for the # Date Shift

3269

# same context. See https://cloud.google.com/dlp/docs/concepts-date-shifting

3270

# to learn more.

3271

"context": { # General identifier of a data field in a storage service. # Points to the field that contains the context, for example, an entity id.

3272

# If set, must also set cryptoKey. If set, shift will be consistent for the

3273

# given context.

3274

"name": "A String", # Name describing the field.

3275

},

3276

"upperBoundDays": 42, # Required. Range of shift in days. Actual shift will be selected at random within this

3277

# range (inclusive ends). Negative means shift to earlier in time. Must not

3278

# be more than 365250 days (1000 years) each direction.

3279

#

3280

# For example, 3 means shift date to at most 3 days into the future.

3281

"lowerBoundDays": 42, # Required. For example, -5 means shift date to at most 5 days back in the past.

3282

"cryptoKey": { # This is a data encryption key (DEK) (as opposed to # Causes the shift to be computed based on this key and the context. This

3283

# results in the same shift for the same context and crypto_key. If

3284

# set, must also set context. Can only be applied to table items.

3285

# a key encryption key (KEK) stored by KMS).

3286

# When using KMS to wrap/unwrap DEKs, be sure to set an appropriate

3287

# IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot

3288

# unwrap the data crypto key.

3289

"kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key

3290

# The wrapped key must be a 128/192/256 bit key.

3291

# Authorization requires the following IAM permissions when sending a request

3292

# to perform a crypto transformation using a kms-wrapped crypto key:

3293

# dlp.kms.encrypt

3294

"wrappedKey": "A String", # Required. The wrapped data crypto key.

3295

"cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.

3296

},

3297

"unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key

3298

# leaking the key. Choose another type of key if possible.

3299

"key": "A String", # Required. A 128/192/256 bit key.

3300

},

3301

"transient": { # Use this to have a random data crypto key generated. # Transient crypto key

3302

# It will be discarded after the request finishes.

3303

"name": "A String", # Required. Name of the key.

3304

# This is an arbitrary string used to differentiate different keys.

3305

# A unique key is generated per name: two separate `TransientCryptoKey`

3306

# protos share the same generated key if their names are the same.

3307

# When the data crypto key is generated, this name is not used in any way

3308

# (repeating the api call will result in a different key being generated).

},

},

},

"replaceWithInfoTypeConfig": { # Replace each matching finding with the name of the info_type. # Replace with infotype

3313

},

3314

"cryptoHashConfig": { # Pseudonymization method that generates surrogates via cryptographic hashing. # Crypto

3315

# Uses SHA-256.

3316

# The key size must be either 32 or 64 bytes.

3317

# Outputs a base64 encoded representation of the hashed output

3318

# (for example, L7k0BHmF1ha5U3NfGykjro4xWi1MPVQPjhMAZbSV9mM=).

3319

# Currently, only string and integer values can be hashed.

3320

# See https://cloud.google.com/dlp/docs/pseudonymization to learn more.

3321

"cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the hash function.

3322

# a key encryption key (KEK) stored by KMS).

3323

# When using KMS to wrap/unwrap DEKs, be sure to set an appropriate

3324

# IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot

3325

# unwrap the data crypto key.

3326

"kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key

3327

# The wrapped key must be a 128/192/256 bit key.

3328

# Authorization requires the following IAM permissions when sending a request

3329

# to perform a crypto transformation using a kms-wrapped crypto key:

3330

# dlp.kms.encrypt

3331

"wrappedKey": "A String", # Required. The wrapped data crypto key.

3332

"cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.

3333

},

3334

"unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key

3335

# leaking the key. Choose another type of key if possible.

3336

"key": "A String", # Required. A 128/192/256 bit key.

3337

},

3338

"transient": { # Use this to have a random data crypto key generated. # Transient crypto key

3339

# It will be discarded after the request finishes.

3340

"name": "A String", # Required. Name of the key.

3341

# This is an arbitrary string used to differentiate different keys.

3342

# A unique key is generated per name: two separate `TransientCryptoKey`

3343

# protos share the same generated key if their names are the same.

3344

# When the data crypto key is generated, this name is not used in any way

3345

# (repeating the api call will result in a different key being generated).

},

},

},

"cryptoReplaceFfxFpeConfig": { # Replaces an identifier with a surrogate using Format Preserving Encryption # Ffx-Fpe

3350

# (FPE) with the FFX mode of operation; however when used in the

3351

# `ReidentifyContent` API method, it serves the opposite function by reversing

3352

# the surrogate back into the original identifier. The identifier must be

3353

# encoded as ASCII. For a given crypto key and context, the same identifier

3354

# will be replaced with the same surrogate. Identifiers must be at least two

3355

# characters long. In the case that the identifier is the empty string, it will

3356

# be skipped. See https://cloud.google.com/dlp/docs/pseudonymization to learn

3357

# more.

3358

#

3359

# Note: We recommend using CryptoDeterministicConfig for all use cases which

3360

# do not require preserving the input alphabet space and size, plus warrant

3361

# referential integrity.

3362

"customAlphabet": "A String", # This is supported by mapping these to the alphanumeric characters

3363

# that the FFX mode natively supports. This happens before/after

3364

# encryption/decryption.

3365

# Each character listed must appear only once.

3366

# Number of characters must be in the range [2, 95].

3367

# This must be encoded as ASCII.

3368

# The order of characters does not matter.

3369

"commonAlphabet": "A String", # Common alphabets.

3370

"surrogateInfoType": { # Type of information detected by the API. # The custom infoType to annotate the surrogate with.

3371

# This annotation will be applied to the surrogate by prefixing it with

3372

# the name of the custom infoType followed by the number of

3373

# characters comprising the surrogate. The following scheme defines the

3374

# format: info_type_name(surrogate_character_count):surrogate

3375

#

3376

# For example, if the name of custom infoType is 'MY_TOKEN_INFO_TYPE' and

3377

# the surrogate is 'abc', the full replacement value

3378

# will be: 'MY_TOKEN_INFO_TYPE(3):abc'

3379

#

3380

# This annotation identifies the surrogate when inspecting content using the

3381

# custom infoType

3382

# [`SurrogateType`](/dlp/docs/reference/rest/v2/InspectConfig#surrogatetype).

3383

# This facilitates reversal of the surrogate when it occurs in free text.

3384

#

3385

# In order for inspection to work properly, the name of this infoType must

3386

# not occur naturally anywhere in your data; otherwise, inspection may

3387

# find a surrogate that does not correspond to an actual identifier.

3388

# Therefore, choose your custom infoType name carefully after considering

3389

# what your data looks like. One way to select a name that has a high chance

3390

# of yielding reliable detection is to include one or more unicode characters

3391

# that are highly improbable to exist in your data.

3392

# For example, assuming your data is entered from a regular ASCII keyboard,

3393

# the symbol with the hex code point 29DD might be used like so:

3394

# ⧝MY_TOKEN_TYPE

3395

"name": "A String", # Name of the information type. Either a name of your choosing when

3396

# creating a CustomInfoType, or one of the names listed

3397

# at https://cloud.google.com/dlp/docs/infotypes-reference when specifying

3398

# a built-in type. InfoType names should conform to the pattern

3399

# `[a-zA-Z0-9_]{1,64}`.

3400

},

3401

"context": { # General identifier of a data field in a storage service. # The 'tweak', a context may be used for higher security since the same

3402

# identifier in two different contexts won't be given the same surrogate. If

3403

# the context is not set, a default tweak will be used.

3404

#

3405

# If the context is set but:

3406

#

3407

# 1. there is no record present when transforming a given value or

3408

# 1. the field is not present when transforming a given value,

3409

#

3410

# a default tweak will be used.

3411

#

3412

# Note that case (1) is expected when an `InfoTypeTransformation` is

3413

# applied to both structured and non-structured `ContentItem`s.

3414

# Currently, the referenced field may be of value type integer or string.

3415

#

3416

# The tweak is constructed as a sequence of bytes in big endian byte order

3417

# such that:

3418

#

3419

# - a 64 bit integer is encoded followed by a single byte of value 1

3420

# - a string is encoded in UTF-8 format followed by a single byte of value 2

3421

"name": "A String", # Name describing the field.

3422

},

3423

"radix": 42, # The native way to select the alphabet. Must be in the range [2, 95].

3424

"cryptoKey": { # This is a data encryption key (DEK) (as opposed to # Required. The key used by the encryption algorithm.

3425

# a key encryption key (KEK) stored by KMS).

3426

# When using KMS to wrap/unwrap DEKs, be sure to set an appropriate

3427

# IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot

3428

# unwrap the data crypto key.

3429

"kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key

3430

# The wrapped key must be a 128/192/256 bit key.

3431

# Authorization requires the following IAM permissions when sending a request

3432

# to perform a crypto transformation using a kms-wrapped crypto key:

3433

# dlp.kms.encrypt

3434

"wrappedKey": "A String", # Required. The wrapped data crypto key.

3435

"cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.

3436

},

3437

"unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key

3438

# leaking the key. Choose another type of key if possible.

3439

"key": "A String", # Required. A 128/192/256 bit key.

3440

},

3441

"transient": { # Use this to have a random data crypto key generated. # Transient crypto key

3442

# It will be discarded after the request finishes.

3443

"name": "A String", # Required. Name of the key.

3444

# This is an arbitrary string used to differentiate different keys.

3445

# A unique key is generated per name: two separate `TransientCryptoKey`

3446

# protos share the same generated key if their names are the same.

3447

# When the data crypto key is generated, this name is not used in any way

3448

# (repeating the api call will result in a different key being generated).

},

},

},

"cryptoDeterministicConfig": { # Pseudonymization method that generates deterministic encryption for the given # Deterministic Crypto

3453

# input. Outputs a base64 encoded representation of the encrypted output.

3454

# Uses AES-SIV based on the RFC https://tools.ietf.org/html/rfc5297.

3455

"surrogateInfoType": { # Type of information detected by the API. # The custom info type to annotate the surrogate with.

3456

# This annotation will be applied to the surrogate by prefixing it with

3457

# the name of the custom info type followed by the number of

3458

# characters comprising the surrogate. The following scheme defines the

3459

# format: {info type name}({surrogate character count}):{surrogate}

3460

#

3461

# For example, if the name of custom info type is 'MY_TOKEN_INFO_TYPE' and

3462

# the surrogate is 'abc', the full replacement value

3463

# will be: 'MY_TOKEN_INFO_TYPE(3):abc'

3464

#

3465

# This annotation identifies the surrogate when inspecting content using the

3466

# custom info type 'Surrogate'. This facilitates reversal of the

3467

# surrogate when it occurs in free text.

3468

#

3469

# Note: For record transformations where the entire cell in a table is being

3470

# transformed, surrogates are not mandatory. Surrogates are used to denote

3471

# the location of the token and are necessary for re-identification in free

3472

# form text.

3473

#

3474

# In order for inspection to work properly, the name of this info type must

3475

# not occur naturally anywhere in your data; otherwise, inspection may either

3476

#

3477

# - reverse a surrogate that does not correspond to an actual identifier

3478

# - be unable to parse the surrogate and result in an error

3479

#

3480

# Therefore, choose your custom info type name carefully after considering

3481

# what your data looks like. One way to select a name that has a high chance

3482

# of yielding reliable detection is to include one or more unicode characters

3483

# that are highly improbable to exist in your data.

3484

# For example, assuming your data is entered from a regular ASCII keyboard,

3485

# the symbol with the hex code point 29DD might be used like so:

3486

# ⧝MY_TOKEN_TYPE.

3487

"name": "A String", # Name of the information type. Either a name of your choosing when

3488

# creating a CustomInfoType, or one of the names listed

3489

# at https://cloud.google.com/dlp/docs/infotypes-reference when specifying

3490

# a built-in type. InfoType names should conform to the pattern

3491

# `[a-zA-Z0-9_]{1,64}`.

3492

},

3493

"context": { # General identifier of a data field in a storage service. # A context may be used for higher security and maintaining

3494

# referential integrity such that the same identifier in two different

3495

# contexts will be given a distinct surrogate. The context is appended to

3496

# plaintext value being encrypted. On decryption the provided context is

3497

# validated against the value used during encryption. If a context was

3498

# provided during encryption, same context must be provided during decryption

3499

# as well.

3500

#

3501

# If the context is not set, plaintext would be used as is for encryption.

3502

# If the context is set but:

3503

#

3504

# 1. there is no record present when transforming a given value or

3505

# 2. the field is not present when transforming a given value,

3506

#

3507

# plaintext would be used as is for encryption.

3508

#

3509

# Note that case (1) is expected when an `InfoTypeTransformation` is

3510

# applied to both structured and non-structured `ContentItem`s.

3511

"name": "A String", # Name describing the field.

3512

},

3513

"cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the encryption function.

3514

# a key encryption key (KEK) stored by KMS).

3515

# When using KMS to wrap/unwrap DEKs, be sure to set an appropriate

3516

# IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot

3517

# unwrap the data crypto key.

3518

"kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key

3519

# The wrapped key must be a 128/192/256 bit key.

3520

# Authorization requires the following IAM permissions when sending a request

3521

# to perform a crypto transformation using a kms-wrapped crypto key:

3522

# dlp.kms.encrypt

3523

"wrappedKey": "A String", # Required. The wrapped data crypto key.

3524

"cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.

3525

},

3526

"unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key

3527

# leaking the key. Choose another type of key if possible.

3528

"key": "A String", # Required. A 128/192/256 bit key.

3529

},

3530

"transient": { # Use this to have a random data crypto key generated. # Transient crypto key

3531

# It will be discarded after the request finishes.

3532

"name": "A String", # Required. Name of the key.

3533

# This is an arbitrary string used to differentiate different keys.

3534

# A unique key is generated per name: two separate `TransientCryptoKey`

3535

# protos share the same generated key if their names are the same.

3536

# When the data crypto key is generated, this name is not used in any way

3537

# (repeating the api call will result in a different key being generated).

},

},

},

"redactConfig": { # Redact a given value. For example, if used with an `InfoTypeTransformation` # Redact

3542

# transforming PHONE_NUMBER, and input 'My phone number is 206-555-0123', the

3543

# output would be 'My phone number is '.

3544

},

3545

"bucketingConfig": { # Generalization function that buckets values based on ranges. The ranges and # Bucketing

3546

# replacement values are dynamically provided by the user for custom behavior,

3547

# such as 1-30 -> LOW 31-65 -> MEDIUM 66-100 -> HIGH

3548

# This can be used on

3549

# data of type: number, long, string, timestamp.

3550

# If the bound `Value` type differs from the type of data being transformed, we

3551

# will first attempt converting the type of the data to be transformed to match

3552

# the type of the bound before comparing.

3553

# See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more.

3554

"buckets": [ # Set of buckets. Ranges must be non-overlapping.

3555

{ # Bucket is represented as a range, along with replacement values.

3556

"min": { # Set of primitive values supported by the system. # Lower bound of the range, inclusive. Type should be the same as max if

3557

# used.

3558

# Note that for the purposes of inspection or transformation, the number

3559

# of bytes considered to comprise a 'Value' is based on its representation

3560

# as a UTF-8 encoded string. For example, if 'integer_value' is set to

3561

# 123456789, the number of bytes would be counted as 9, even though an

3562

# int64 only holds up to 8 bytes of data.

3563

"booleanValue": True or False, # boolean

3564

"floatValue": 3.14, # float

3565

"dayOfWeekValue": "A String", # day of week

3566

"timestampValue": "A String", # timestamp

3567

"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date

3568

# and time zone are either specified elsewhere or are not significant. The date

3569

# is relative to the Proleptic Gregorian Calendar. This can represent:

3570

#

3571

# * A full date, with non-zero year, month and day values

3572

# * A month and day value, with a zero year, e.g. an anniversary

3573

# * A year on its own, with zero month and day values

3574

# * A year and month value, with a zero day, e.g. a credit card expiration date

3575

#

3576

# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.

3577

"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without

3578

# a year.

3579

"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a

3580

# month and day.

3581

"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0

3582

# if specifying a year by itself or a year and month where the day is not

3583

# significant.

3584

},

3585

"stringValue": "A String", # string

3586

"integerValue": "A String", # integer

3587

"timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day

3588

# or are specified elsewhere. An API may choose to allow leap seconds. Related

3589

# types are google.type.Date and `google.protobuf.Timestamp`.

3590

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may

3591

# allow the value 60 if it allows leap-seconds.

3592

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

3593

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose

3594

# to allow the value "24:00:00" for scenarios like business closing time.

3595

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

3596

},

3597

},

3598

"max": { # Set of primitive values supported by the system. # Upper bound of the range, exclusive; type must match min.

3599

# Note that for the purposes of inspection or transformation, the number

3600

# of bytes considered to comprise a 'Value' is based on its representation

3601

# as a UTF-8 encoded string. For example, if 'integer_value' is set to

3602

# 123456789, the number of bytes would be counted as 9, even though an

3603

# int64 only holds up to 8 bytes of data.

3604

"booleanValue": True or False, # boolean

3605

"floatValue": 3.14, # float

3606

"dayOfWeekValue": "A String", # day of week

3607

"timestampValue": "A String", # timestamp

3608

"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date

3609

# and time zone are either specified elsewhere or are not significant. The date

3610

# is relative to the Proleptic Gregorian Calendar. This can represent:

3611

#

3612

# * A full date, with non-zero year, month and day values

3613

# * A month and day value, with a zero year, e.g. an anniversary

3614

# * A year on its own, with zero month and day values

3615

# * A year and month value, with a zero day, e.g. a credit card expiration date

3616

#

3617

# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.

3618

"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without

3619

# a year.

3620

"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a

3621

# month and day.

3622

"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0

3623

# if specifying a year by itself or a year and month where the day is not

3624

# significant.

3625

},

3626

"stringValue": "A String", # string

3627

"integerValue": "A String", # integer

3628

"timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day

3629

# or are specified elsewhere. An API may choose to allow leap seconds. Related

3630

# types are google.type.Date and `google.protobuf.Timestamp`.

3631

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may

3632

# allow the value 60 if it allows leap-seconds.

3633

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

3634

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose

3635

# to allow the value "24:00:00" for scenarios like business closing time.

3636

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

3637

},

3638

},

3639

"replacementValue": { # Set of primitive values supported by the system. # Replacement value for this bucket. If not provided

3640

# the default behavior will be to hyphenate the min-max range.

3641

# Note that for the purposes of inspection or transformation, the number

3642

# of bytes considered to comprise a 'Value' is based on its representation

3643

# as a UTF-8 encoded string. For example, if 'integer_value' is set to

3644

# 123456789, the number of bytes would be counted as 9, even though an

3645

# int64 only holds up to 8 bytes of data.

3646

"booleanValue": True or False, # boolean

3647

"floatValue": 3.14, # float

3648

"dayOfWeekValue": "A String", # day of week

3649

"timestampValue": "A String", # timestamp

3650

"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date

3651

# and time zone are either specified elsewhere or are not significant. The date

3652

# is relative to the Proleptic Gregorian Calendar. This can represent:

3653

#

3654

# * A full date, with non-zero year, month and day values

3655

# * A month and day value, with a zero year, e.g. an anniversary

3656

# * A year on its own, with zero month and day values

3657

# * A year and month value, with a zero day, e.g. a credit card expiration date

3658

#

3659

# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.

3660

"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without

3661

# a year.

3662

"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a

3663

# month and day.

3664

"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0

3665

# if specifying a year by itself or a year and month where the day is not

3666

# significant.

3667

},

3668

"stringValue": "A String", # string

3669

"integerValue": "A String", # integer

3670

"timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day

3671

# or are specified elsewhere. An API may choose to allow leap seconds. Related

3672

# types are google.type.Date and `google.protobuf.Timestamp`.

3673

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may

3674

# allow the value 60 if it allows leap-seconds.

3675

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

3676

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose

3677

# to allow the value "24:00:00" for scenarios like business closing time.

3678

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

},

},

},

],

},

"replaceConfig": { # Replace each input value with a given `Value`. # Replace

3685

"newValue": { # Set of primitive values supported by the system. # Value to replace it with.

3686

# Note that for the purposes of inspection or transformation, the number

3687

# of bytes considered to comprise a 'Value' is based on its representation

3688

# as a UTF-8 encoded string. For example, if 'integer_value' is set to

3689

# 123456789, the number of bytes would be counted as 9, even though an

3690

# int64 only holds up to 8 bytes of data.

3691

"booleanValue": True or False, # boolean

3692

"floatValue": 3.14, # float

3693

"dayOfWeekValue": "A String", # day of week

3694

"timestampValue": "A String", # timestamp

3695

"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date

3696

# and time zone are either specified elsewhere or are not significant. The date

3697

# is relative to the Proleptic Gregorian Calendar. This can represent:

3698

#

3699

# * A full date, with non-zero year, month and day values

3700

# * A month and day value, with a zero year, e.g. an anniversary

3701

# * A year on its own, with zero month and day values

3702

# * A year and month value, with a zero day, e.g. a credit card expiration date

3703

#

3704

# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.

3705

"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without

3706

# a year.

3707

"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a

3708

# month and day.

3709

"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0

3710

# if specifying a year by itself or a year and month where the day is not

3711

# significant.

3712

},

3713

"stringValue": "A String", # string

3714

"integerValue": "A String", # integer

3715

"timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day

3716

# or are specified elsewhere. An API may choose to allow leap seconds. Related

3717

# types are google.type.Date and `google.protobuf.Timestamp`.

3718

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may

3719

# allow the value 60 if it allows leap-seconds.

3720

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

3721

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose

3722

# to allow the value "24:00:00" for scenarios like business closing time.

3723

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

},

},

},

"characterMaskConfig": { # Partially mask a string by replacing a given number of characters with a # Mask

3728

# fixed character. Masking can start from the beginning or end of the string.

3729

# This can be used on data of any type (numbers, longs, and so on) and when

3730

# de-identifying structured data we'll attempt to preserve the original data's

3731

# type. (This allows you to take a long like 123 and modify it to a string like

3732

# **3.

3733

"reverseOrder": True or False, # Mask characters in reverse order. For example, if `masking_character` is

3734

# `0`, `number_to_mask` is `14`, and `reverse_order` is `false`, then the

3735

# input string `1234-5678-9012-3456` is masked as `00000000000000-3456`.

3736

# If `masking_character` is `*`, `number_to_mask` is `3`, and `reverse_order`

3737

# is `true`, then the string `12345` is masked as `12***`.

3738

"charactersToIgnore": [ # When masking a string, items in this list will be skipped when replacing

3739

# characters. For example, if the input string is `555-555-5555` and you

3740

# instruct Cloud DLP to skip `-` and mask 5 characters with `*`, Cloud DLP

3741

# returns `***-**5-5555`.

3742

{ # Characters to skip when doing deidentification of a value. These will be left

3743

# alone and skipped.

3744

"charactersToSkip": "A String", # Characters to not transform when masking.

3745

"commonCharactersToIgnore": "A String", # Common characters to not transform when masking. Useful to avoid removing

# punctuation.

},

],

"numberToMask": 42, # Number of characters to mask. If not set, all matching chars will be

3750

# masked. Skipped characters do not count towards this tally.

3751

"maskingCharacter": "A String", # Character to use to mask the sensitive values&mdash;for example, `*` for an

3752

# alphabetic string such as a name, or `0` for a numeric string such as ZIP

3753

# code or credit card number. This string must have a length of 1. If not

3754

# supplied, this value defaults to `*` for strings, and `0` for digits.

3755

},

3756

"fixedSizeBucketingConfig": { # Buckets values based on fixed size ranges. The # Fixed size bucketing

3757

# Bucketing transformation can provide all of this functionality,

3758

# but requires more configuration. This message is provided as a convenience to

3759

# the user for simple bucketing strategies.

3760

#

3761

# The transformed value will be a hyphenated string of

3762

# {lower_bound}-{upper_bound}, i.e if lower_bound = 10 and upper_bound = 20

3763

# all values that are within this bucket will be replaced with "10-20".

3764

#

3765

# This can be used on data of type: double, long.

3766

#

3767

# If the bound Value type differs from the type of data

3768

# being transformed, we will first attempt converting the type of the data to

3769

# be transformed to match the type of the bound before comparing.

3770

#

3771

# See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more.

3772

"lowerBound": { # Set of primitive values supported by the system. # Required. Lower bound value of buckets. All values less than `lower_bound` are

3773

# grouped together into a single bucket; for example if `lower_bound` = 10,

3774

# then all values less than 10 are replaced with the value "-10".

3775

# Note that for the purposes of inspection or transformation, the number

3776

# of bytes considered to comprise a 'Value' is based on its representation

3777

# as a UTF-8 encoded string. For example, if 'integer_value' is set to

3778

# 123456789, the number of bytes would be counted as 9, even though an

3779

# int64 only holds up to 8 bytes of data.

3780

"booleanValue": True or False, # boolean

3781

"floatValue": 3.14, # float

3782

"dayOfWeekValue": "A String", # day of week

3783

"timestampValue": "A String", # timestamp

3784

"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date

3785

# and time zone are either specified elsewhere or are not significant. The date

3786

# is relative to the Proleptic Gregorian Calendar. This can represent:

3787

#

3788

# * A full date, with non-zero year, month and day values

3789

# * A month and day value, with a zero year, e.g. an anniversary

3790

# * A year on its own, with zero month and day values

3791

# * A year and month value, with a zero day, e.g. a credit card expiration date

3792

#

3793

# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.

3794

"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without

3795

# a year.

3796

"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a

3797

# month and day.

3798

"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0

3799

# if specifying a year by itself or a year and month where the day is not

3800

# significant.

3801

},

3802

"stringValue": "A String", # string

3803

"integerValue": "A String", # integer

3804

"timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day

3805

# or are specified elsewhere. An API may choose to allow leap seconds. Related

3806

# types are google.type.Date and `google.protobuf.Timestamp`.

3807

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may

3808

# allow the value 60 if it allows leap-seconds.

3809

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

3810

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose

3811

# to allow the value "24:00:00" for scenarios like business closing time.

3812

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

3813

},

3814

},

3815

"upperBound": { # Set of primitive values supported by the system. # Required. Upper bound value of buckets. All values greater than upper_bound are

3816

# grouped together into a single bucket; for example if `upper_bound` = 89,

3817

# then all values greater than 89 are replaced with the value "89+".

3818

# Note that for the purposes of inspection or transformation, the number

3819

# of bytes considered to comprise a 'Value' is based on its representation

3820

# as a UTF-8 encoded string. For example, if 'integer_value' is set to

3821

# 123456789, the number of bytes would be counted as 9, even though an

3822

# int64 only holds up to 8 bytes of data.

3823

"booleanValue": True or False, # boolean

3824

"floatValue": 3.14, # float

3825

"dayOfWeekValue": "A String", # day of week

3826

"timestampValue": "A String", # timestamp

3827

"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date

3828

# and time zone are either specified elsewhere or are not significant. The date

3829

# is relative to the Proleptic Gregorian Calendar. This can represent:

3830

#

3831

# * A full date, with non-zero year, month and day values

3832

# * A month and day value, with a zero year, e.g. an anniversary

3833

# * A year on its own, with zero month and day values

3834

# * A year and month value, with a zero day, e.g. a credit card expiration date

3835

#

3836

# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.

3837

"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without

3838

# a year.

3839

"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a

3840

# month and day.

3841

"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0

3842

# if specifying a year by itself or a year and month where the day is not

3843

# significant.

3844

},

3845

"stringValue": "A String", # string

3846

"integerValue": "A String", # integer

3847

"timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day

3848

# or are specified elsewhere. An API may choose to allow leap seconds. Related

3849

# types are google.type.Date and `google.protobuf.Timestamp`.

3850

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may

3851

# allow the value 60 if it allows leap-seconds.

3852

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

3853

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose

3854

# to allow the value "24:00:00" for scenarios like business closing time.

3855

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

3856

},

3857

},

3858

"bucketSize": 3.14, # Required. Size of each bucket (except for minimum and maximum buckets). So if

3859

# `lower_bound` = 10, `upper_bound` = 89, and `bucket_size` = 10, then the

3860

# following buckets would be used: -10, 10-20, 20-30, 30-40, 40-50, 50-60,

3861

# 60-70, 70-80, 80-89, 89+. Precision up to 2 decimals works.

3862

},

3863

},

3864

"condition": { # A condition for determining whether a transformation should be applied to # Only apply the transformation if the condition evaluates to true for the

3865

# given `RecordCondition`. The conditions are allowed to reference fields

3866

# that are not used in the actual transformation.

#

# Example Use Cases:

#

# - Apply a different bucket transformation to an age column if the zip code

3871

# column for the same record is within a specific range.

3872

# - Redact a field if the date of birth field is greater than 85.

3873

# a field.

3874

"expressions": { # An expression, consisting or an operator and conditions. # An expression.

3875

"logicalOperator": "A String", # The operator to apply to the result of conditions. Default and currently

3876

# only supported value is `AND`.

3877

"conditions": { # A collection of conditions. # Conditions to apply to the expression.

3878

"conditions": [ # A collection of conditions.

3879

{ # The field type of `value` and `field` do not need to match to be

3880

# considered equal, but not all comparisons are possible.

3881

# EQUAL_TO and NOT_EQUAL_TO attempt to compare even with incompatible types,

3882

# but all other comparisons are invalid with incompatible types.

3883

# A `value` of type:

3884

#

3885

# - `string` can be compared against all other types

3886

# - `boolean` can only be compared against other booleans

3887

# - `integer` can be compared against doubles or a string if the string value

3888

# can be parsed as an integer.

3889

# - `double` can be compared against integers or a string if the string can

3890

# be parsed as a double.

3891

# - `Timestamp` can be compared against strings in RFC 3339 date string

3892

# format.

3893

# - `TimeOfDay` can be compared against timestamps and strings in the format

3894

# of 'HH:mm:ss'.

3895

#

3896

# If we fail to compare do to type mismatch, a warning will be given and

3897

# the condition will evaluate to false.

3898

"field": { # General identifier of a data field in a storage service. # Required. Field within the record this condition is evaluated against.

3899

"name": "A String", # Name describing the field.

3900

},

3901

"operator": "A String", # Required. Operator used to compare the field or infoType to the value.

3902

"value": { # Set of primitive values supported by the system. # Value to compare against. [Mandatory, except for `EXISTS` tests.]

3903

# Note that for the purposes of inspection or transformation, the number

3904

# of bytes considered to comprise a 'Value' is based on its representation

3905

# as a UTF-8 encoded string. For example, if 'integer_value' is set to

3906

# 123456789, the number of bytes would be counted as 9, even though an

3907

# int64 only holds up to 8 bytes of data.

3908

"booleanValue": True or False, # boolean

3909

"floatValue": 3.14, # float

3910

"dayOfWeekValue": "A String", # day of week

3911

"timestampValue": "A String", # timestamp

3912

"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date

3913

# and time zone are either specified elsewhere or are not significant. The date

3914

# is relative to the Proleptic Gregorian Calendar. This can represent:

3915

#

3916

# * A full date, with non-zero year, month and day values

3917

# * A month and day value, with a zero year, e.g. an anniversary

3918

# * A year on its own, with zero month and day values

3919

# * A year and month value, with a zero day, e.g. a credit card expiration date

3920

#

3921

# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.

3922

"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without

3923

# a year.

3924

"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a

3925

# month and day.

3926

"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0

3927

# if specifying a year by itself or a year and month where the day is not

3928

# significant.

3929

},

3930

"stringValue": "A String", # string

3931

"integerValue": "A String", # integer

3932

"timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day

3933

# or are specified elsewhere. An API may choose to allow leap seconds. Related

3934

# types are google.type.Date and `google.protobuf.Timestamp`.

3935

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may

3936

# allow the value 60 if it allows leap-seconds.

3937

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

3938

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose

3939

# to allow the value "24:00:00" for scenarios like business closing time.

3940

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

},

},

},

],

},

},

},

},

],

"field": { # General identifier of a data field in a storage service. # Set if the transformation was limited to a specific FieldId.

3951

"name": "A String", # Name describing the field.

3952

},

3953

"transformation": { # A rule for transforming a value. # The specific transformation these stats apply to.

3954

"timePartConfig": { # For use with `Date`, `Timestamp`, and `TimeOfDay`, extract or preserve a # Time extraction

3955

# portion of the value.

3956

"partToExtract": "A String", # The part of the time to keep.

3957

},

3958

"dateShiftConfig": { # Shifts dates by random number of days, with option to be consistent for the # Date Shift

3959

# same context. See https://cloud.google.com/dlp/docs/concepts-date-shifting

3960

# to learn more.

3961

"context": { # General identifier of a data field in a storage service. # Points to the field that contains the context, for example, an entity id.

3962

# If set, must also set cryptoKey. If set, shift will be consistent for the

3963

# given context.

3964

"name": "A String", # Name describing the field.

3965

},

3966

"upperBoundDays": 42, # Required. Range of shift in days. Actual shift will be selected at random within this

3967

# range (inclusive ends). Negative means shift to earlier in time. Must not

3968

# be more than 365250 days (1000 years) each direction.

3969

#

3970

# For example, 3 means shift date to at most 3 days into the future.

3971

"lowerBoundDays": 42, # Required. For example, -5 means shift date to at most 5 days back in the past.

3972

"cryptoKey": { # This is a data encryption key (DEK) (as opposed to # Causes the shift to be computed based on this key and the context. This

3973

# results in the same shift for the same context and crypto_key. If

3974

# set, must also set context. Can only be applied to table items.

3975

# a key encryption key (KEK) stored by KMS).

3976

# When using KMS to wrap/unwrap DEKs, be sure to set an appropriate

3977

# IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot

3978

# unwrap the data crypto key.

3979

"kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key

3980

# The wrapped key must be a 128/192/256 bit key.

3981

# Authorization requires the following IAM permissions when sending a request

3982

# to perform a crypto transformation using a kms-wrapped crypto key:

3983

# dlp.kms.encrypt

3984

"wrappedKey": "A String", # Required. The wrapped data crypto key.

3985

"cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.

3986

},

3987

"unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key

3988

# leaking the key. Choose another type of key if possible.

3989

"key": "A String", # Required. A 128/192/256 bit key.

3990

},

3991

"transient": { # Use this to have a random data crypto key generated. # Transient crypto key

3992

# It will be discarded after the request finishes.

3993

"name": "A String", # Required. Name of the key.

3994

# This is an arbitrary string used to differentiate different keys.

3995

# A unique key is generated per name: two separate `TransientCryptoKey`

3996

# protos share the same generated key if their names are the same.

3997

# When the data crypto key is generated, this name is not used in any way

3998

# (repeating the api call will result in a different key being generated).

},

},

},

"replaceWithInfoTypeConfig": { # Replace each matching finding with the name of the info_type. # Replace with infotype

4003

},

4004

"cryptoHashConfig": { # Pseudonymization method that generates surrogates via cryptographic hashing. # Crypto

4005

# Uses SHA-256.

4006

# The key size must be either 32 or 64 bytes.

4007

# Outputs a base64 encoded representation of the hashed output

4008

# (for example, L7k0BHmF1ha5U3NfGykjro4xWi1MPVQPjhMAZbSV9mM=).

4009

# Currently, only string and integer values can be hashed.

4010

# See https://cloud.google.com/dlp/docs/pseudonymization to learn more.

4011

"cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the hash function.

4012

# a key encryption key (KEK) stored by KMS).

4013

# When using KMS to wrap/unwrap DEKs, be sure to set an appropriate

4014

# IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot

4015

# unwrap the data crypto key.

4016

"kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key

4017

# The wrapped key must be a 128/192/256 bit key.

4018

# Authorization requires the following IAM permissions when sending a request

4019

# to perform a crypto transformation using a kms-wrapped crypto key:

4020

# dlp.kms.encrypt

4021

"wrappedKey": "A String", # Required. The wrapped data crypto key.

4022

"cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.

4023

},

4024

"unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key

4025

# leaking the key. Choose another type of key if possible.

4026

"key": "A String", # Required. A 128/192/256 bit key.

4027

},

4028

"transient": { # Use this to have a random data crypto key generated. # Transient crypto key

4029

# It will be discarded after the request finishes.

4030

"name": "A String", # Required. Name of the key.

4031

# This is an arbitrary string used to differentiate different keys.

4032

# A unique key is generated per name: two separate `TransientCryptoKey`

4033

# protos share the same generated key if their names are the same.

4034

# When the data crypto key is generated, this name is not used in any way

4035

# (repeating the api call will result in a different key being generated).

},

},

},

"cryptoReplaceFfxFpeConfig": { # Replaces an identifier with a surrogate using Format Preserving Encryption # Ffx-Fpe

4040

# (FPE) with the FFX mode of operation; however when used in the

4041

# `ReidentifyContent` API method, it serves the opposite function by reversing

4042

# the surrogate back into the original identifier. The identifier must be

4043

# encoded as ASCII. For a given crypto key and context, the same identifier

4044

# will be replaced with the same surrogate. Identifiers must be at least two

4045

# characters long. In the case that the identifier is the empty string, it will

4046

# be skipped. See https://cloud.google.com/dlp/docs/pseudonymization to learn

4047

# more.

4048

#

4049

# Note: We recommend using CryptoDeterministicConfig for all use cases which

4050

# do not require preserving the input alphabet space and size, plus warrant

4051

# referential integrity.

4052

"customAlphabet": "A String", # This is supported by mapping these to the alphanumeric characters

4053

# that the FFX mode natively supports. This happens before/after

4054

# encryption/decryption.

4055

# Each character listed must appear only once.

4056

# Number of characters must be in the range [2, 95].

4057

# This must be encoded as ASCII.

4058

# The order of characters does not matter.

4059

"commonAlphabet": "A String", # Common alphabets.

4060

"surrogateInfoType": { # Type of information detected by the API. # The custom infoType to annotate the surrogate with.

4061

# This annotation will be applied to the surrogate by prefixing it with

4062

# the name of the custom infoType followed by the number of

4063

# characters comprising the surrogate. The following scheme defines the

4064

# format: info_type_name(surrogate_character_count):surrogate

4065

#

4066

# For example, if the name of custom infoType is 'MY_TOKEN_INFO_TYPE' and

4067

# the surrogate is 'abc', the full replacement value

4068

# will be: 'MY_TOKEN_INFO_TYPE(3):abc'

4069

#

4070

# This annotation identifies the surrogate when inspecting content using the

4071

# custom infoType

4072

# [`SurrogateType`](/dlp/docs/reference/rest/v2/InspectConfig#surrogatetype).

4073

# This facilitates reversal of the surrogate when it occurs in free text.

4074

#

4075

# In order for inspection to work properly, the name of this infoType must

4076

# not occur naturally anywhere in your data; otherwise, inspection may

4077

# find a surrogate that does not correspond to an actual identifier.

4078

# Therefore, choose your custom infoType name carefully after considering

4079

# what your data looks like. One way to select a name that has a high chance

4080

# of yielding reliable detection is to include one or more unicode characters

4081

# that are highly improbable to exist in your data.

4082

# For example, assuming your data is entered from a regular ASCII keyboard,

4083

# the symbol with the hex code point 29DD might be used like so:

4084

# ⧝MY_TOKEN_TYPE

4085

"name": "A String", # Name of the information type. Either a name of your choosing when

4086

# creating a CustomInfoType, or one of the names listed

4087

# at https://cloud.google.com/dlp/docs/infotypes-reference when specifying

4088

# a built-in type. InfoType names should conform to the pattern

4089

# `[a-zA-Z0-9_]{1,64}`.

4090

},

4091

"context": { # General identifier of a data field in a storage service. # The 'tweak', a context may be used for higher security since the same

4092

# identifier in two different contexts won't be given the same surrogate. If

4093

# the context is not set, a default tweak will be used.

4094

#

4095

# If the context is set but:

4096

#

4097

# 1. there is no record present when transforming a given value or

4098

# 1. the field is not present when transforming a given value,

4099

#

4100

# a default tweak will be used.

4101

#

4102

# Note that case (1) is expected when an `InfoTypeTransformation` is

4103

# applied to both structured and non-structured `ContentItem`s.

4104

# Currently, the referenced field may be of value type integer or string.

4105

#

4106

# The tweak is constructed as a sequence of bytes in big endian byte order

4107

# such that:

4108

#

4109

# - a 64 bit integer is encoded followed by a single byte of value 1

4110

# - a string is encoded in UTF-8 format followed by a single byte of value 2

4111

"name": "A String", # Name describing the field.

4112

},

4113

"radix": 42, # The native way to select the alphabet. Must be in the range [2, 95].

4114

"cryptoKey": { # This is a data encryption key (DEK) (as opposed to # Required. The key used by the encryption algorithm.

4115

# a key encryption key (KEK) stored by KMS).

4116

# When using KMS to wrap/unwrap DEKs, be sure to set an appropriate

4117

# IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot

4118

# unwrap the data crypto key.

4119

"kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key

4120

# The wrapped key must be a 128/192/256 bit key.

4121

# Authorization requires the following IAM permissions when sending a request

4122

# to perform a crypto transformation using a kms-wrapped crypto key:

4123

# dlp.kms.encrypt

4124

"wrappedKey": "A String", # Required. The wrapped data crypto key.

4125

"cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.

4126

},

4127

"unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key

4128

# leaking the key. Choose another type of key if possible.

4129

"key": "A String", # Required. A 128/192/256 bit key.

4130

},

4131

"transient": { # Use this to have a random data crypto key generated. # Transient crypto key

4132

# It will be discarded after the request finishes.

4133

"name": "A String", # Required. Name of the key.

4134

# This is an arbitrary string used to differentiate different keys.

4135

# A unique key is generated per name: two separate `TransientCryptoKey`

4136

# protos share the same generated key if their names are the same.

4137

# When the data crypto key is generated, this name is not used in any way

4138

# (repeating the api call will result in a different key being generated).

},

},

},

"cryptoDeterministicConfig": { # Pseudonymization method that generates deterministic encryption for the given # Deterministic Crypto

4143

# input. Outputs a base64 encoded representation of the encrypted output.

4144

# Uses AES-SIV based on the RFC https://tools.ietf.org/html/rfc5297.

4145

"surrogateInfoType": { # Type of information detected by the API. # The custom info type to annotate the surrogate with.

4146

# This annotation will be applied to the surrogate by prefixing it with

4147

# the name of the custom info type followed by the number of

4148

# characters comprising the surrogate. The following scheme defines the

4149

# format: {info type name}({surrogate character count}):{surrogate}

4150

#

4151

# For example, if the name of custom info type is 'MY_TOKEN_INFO_TYPE' and

4152

# the surrogate is 'abc', the full replacement value

4153

# will be: 'MY_TOKEN_INFO_TYPE(3):abc'

4154

#

4155

# This annotation identifies the surrogate when inspecting content using the

4156

# custom info type 'Surrogate'. This facilitates reversal of the

4157

# surrogate when it occurs in free text.

4158

#

4159

# Note: For record transformations where the entire cell in a table is being

4160

# transformed, surrogates are not mandatory. Surrogates are used to denote

4161

# the location of the token and are necessary for re-identification in free

4162

# form text.

4163

#

4164

# In order for inspection to work properly, the name of this info type must

4165

# not occur naturally anywhere in your data; otherwise, inspection may either

4166

#

4167

# - reverse a surrogate that does not correspond to an actual identifier

4168

# - be unable to parse the surrogate and result in an error

4169

#

4170

# Therefore, choose your custom info type name carefully after considering

4171

# what your data looks like. One way to select a name that has a high chance

4172

# of yielding reliable detection is to include one or more unicode characters

4173

# that are highly improbable to exist in your data.

4174

# For example, assuming your data is entered from a regular ASCII keyboard,

4175

# the symbol with the hex code point 29DD might be used like so:

4176

# ⧝MY_TOKEN_TYPE.

4177

"name": "A String", # Name of the information type. Either a name of your choosing when

4178

# creating a CustomInfoType, or one of the names listed

4179

# at https://cloud.google.com/dlp/docs/infotypes-reference when specifying

4180

# a built-in type. InfoType names should conform to the pattern

4181

# `[a-zA-Z0-9_]{1,64}`.

4182

},

4183

"context": { # General identifier of a data field in a storage service. # A context may be used for higher security and maintaining

4184

# referential integrity such that the same identifier in two different

4185

# contexts will be given a distinct surrogate. The context is appended to

4186

# plaintext value being encrypted. On decryption the provided context is

4187

# validated against the value used during encryption. If a context was

4188

# provided during encryption, same context must be provided during decryption

4189

# as well.

4190

#

4191

# If the context is not set, plaintext would be used as is for encryption.

4192

# If the context is set but:

4193

#

4194

# 1. there is no record present when transforming a given value or

4195

# 2. the field is not present when transforming a given value,

4196

#

4197

# plaintext would be used as is for encryption.

4198

#

4199

# Note that case (1) is expected when an `InfoTypeTransformation` is

4200

# applied to both structured and non-structured `ContentItem`s.

4201

"name": "A String", # Name describing the field.

4202

},

4203

"cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the encryption function.

4204

# a key encryption key (KEK) stored by KMS).

4205

# When using KMS to wrap/unwrap DEKs, be sure to set an appropriate

4206

# IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot

4207

# unwrap the data crypto key.

4208

"kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key

4209

# The wrapped key must be a 128/192/256 bit key.

4210

# Authorization requires the following IAM permissions when sending a request

4211

# to perform a crypto transformation using a kms-wrapped crypto key:

4212

# dlp.kms.encrypt

4213

"wrappedKey": "A String", # Required. The wrapped data crypto key.

4214

"cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.

4215

},

4216

"unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key

4217

# leaking the key. Choose another type of key if possible.

4218

"key": "A String", # Required. A 128/192/256 bit key.

4219

},

4220

"transient": { # Use this to have a random data crypto key generated. # Transient crypto key

4221

# It will be discarded after the request finishes.

4222

"name": "A String", # Required. Name of the key.

4223

# This is an arbitrary string used to differentiate different keys.

4224

# A unique key is generated per name: two separate `TransientCryptoKey`

4225

# protos share the same generated key if their names are the same.

4226

# When the data crypto key is generated, this name is not used in any way

4227

# (repeating the api call will result in a different key being generated).

},

},

},

"redactConfig": { # Redact a given value. For example, if used with an `InfoTypeTransformation` # Redact

4232

# transforming PHONE_NUMBER, and input 'My phone number is 206-555-0123', the

4233

# output would be 'My phone number is '.

4234

},

4235

"bucketingConfig": { # Generalization function that buckets values based on ranges. The ranges and # Bucketing

4236

# replacement values are dynamically provided by the user for custom behavior,

4237

# such as 1-30 -> LOW 31-65 -> MEDIUM 66-100 -> HIGH

4238

# This can be used on

4239

# data of type: number, long, string, timestamp.

4240

# If the bound `Value` type differs from the type of data being transformed, we

4241

# will first attempt converting the type of the data to be transformed to match

4242

# the type of the bound before comparing.

4243

# See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more.

4244

"buckets": [ # Set of buckets. Ranges must be non-overlapping.

4245

{ # Bucket is represented as a range, along with replacement values.

4246

"min": { # Set of primitive values supported by the system. # Lower bound of the range, inclusive. Type should be the same as max if

4247

# used.

4248

# Note that for the purposes of inspection or transformation, the number

4249

# of bytes considered to comprise a 'Value' is based on its representation

4250

# as a UTF-8 encoded string. For example, if 'integer_value' is set to

4251

# 123456789, the number of bytes would be counted as 9, even though an

4252

# int64 only holds up to 8 bytes of data.

4253

"booleanValue": True or False, # boolean

4254

"floatValue": 3.14, # float

4255

"dayOfWeekValue": "A String", # day of week

4256

"timestampValue": "A String", # timestamp

4257

"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date

4258

# and time zone are either specified elsewhere or are not significant. The date

4259

# is relative to the Proleptic Gregorian Calendar. This can represent:

4260

#

4261

# * A full date, with non-zero year, month and day values

4262

# * A month and day value, with a zero year, e.g. an anniversary

4263

# * A year on its own, with zero month and day values

4264

# * A year and month value, with a zero day, e.g. a credit card expiration date

4265

#

4266

# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.

4267

"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without

4268

# a year.

4269

"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a

4270

# month and day.

4271

"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0

4272

# if specifying a year by itself or a year and month where the day is not

4273

# significant.

4274

},

4275

"stringValue": "A String", # string

4276

"integerValue": "A String", # integer

4277

"timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day

4278

# or are specified elsewhere. An API may choose to allow leap seconds. Related

4279

# types are google.type.Date and `google.protobuf.Timestamp`.

4280

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may

4281

# allow the value 60 if it allows leap-seconds.

4282

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

4283

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose

4284

# to allow the value "24:00:00" for scenarios like business closing time.

4285

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

4286

},

4287

},

4288

"max": { # Set of primitive values supported by the system. # Upper bound of the range, exclusive; type must match min.

4289

# Note that for the purposes of inspection or transformation, the number

4290

# of bytes considered to comprise a 'Value' is based on its representation

4291

# as a UTF-8 encoded string. For example, if 'integer_value' is set to

4292

# 123456789, the number of bytes would be counted as 9, even though an

4293

# int64 only holds up to 8 bytes of data.

4294

"booleanValue": True or False, # boolean

4295

"floatValue": 3.14, # float

4296

"dayOfWeekValue": "A String", # day of week

4297

"timestampValue": "A String", # timestamp

4298

"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date

4299

# and time zone are either specified elsewhere or are not significant. The date

4300

# is relative to the Proleptic Gregorian Calendar. This can represent:

4301

#

4302

# * A full date, with non-zero year, month and day values

4303

# * A month and day value, with a zero year, e.g. an anniversary

4304

# * A year on its own, with zero month and day values

4305

# * A year and month value, with a zero day, e.g. a credit card expiration date

4306

#

4307

# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.

4308

"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without

4309

# a year.

4310

"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a

4311

# month and day.

4312

"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0

4313

# if specifying a year by itself or a year and month where the day is not

4314

# significant.

4315

},

4316

"stringValue": "A String", # string

4317

"integerValue": "A String", # integer

4318

"timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day

4319

# or are specified elsewhere. An API may choose to allow leap seconds. Related

4320

# types are google.type.Date and `google.protobuf.Timestamp`.

4321

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may

4322

# allow the value 60 if it allows leap-seconds.

4323

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

4324

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose

4325

# to allow the value "24:00:00" for scenarios like business closing time.

4326

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

4327

},

4328

},

4329

"replacementValue": { # Set of primitive values supported by the system. # Replacement value for this bucket. If not provided

4330

# the default behavior will be to hyphenate the min-max range.

4331

# Note that for the purposes of inspection or transformation, the number

4332

# of bytes considered to comprise a 'Value' is based on its representation

4333

# as a UTF-8 encoded string. For example, if 'integer_value' is set to

4334

# 123456789, the number of bytes would be counted as 9, even though an

4335

# int64 only holds up to 8 bytes of data.

4336

"booleanValue": True or False, # boolean

4337

"floatValue": 3.14, # float

4338

"dayOfWeekValue": "A String", # day of week

4339

"timestampValue": "A String", # timestamp

4340

"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date

4341

# and time zone are either specified elsewhere or are not significant. The date

4342

# is relative to the Proleptic Gregorian Calendar. This can represent:

4343

#

4344

# * A full date, with non-zero year, month and day values

4345

# * A month and day value, with a zero year, e.g. an anniversary

4346

# * A year on its own, with zero month and day values

4347

# * A year and month value, with a zero day, e.g. a credit card expiration date

4348

#

4349

# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.

4350

"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without

4351

# a year.

4352

"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a

4353

# month and day.

4354

"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0

4355

# if specifying a year by itself or a year and month where the day is not

4356

# significant.

4357

},

4358

"stringValue": "A String", # string

4359

"integerValue": "A String", # integer

4360

"timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day

4361

# or are specified elsewhere. An API may choose to allow leap seconds. Related

4362

# types are google.type.Date and `google.protobuf.Timestamp`.

4363

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may

4364

# allow the value 60 if it allows leap-seconds.

4365

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

4366

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose

4367

# to allow the value "24:00:00" for scenarios like business closing time.

4368

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

},

},

},

],

},

"replaceConfig": { # Replace each input value with a given `Value`. # Replace

4375

"newValue": { # Set of primitive values supported by the system. # Value to replace it with.

4376

# Note that for the purposes of inspection or transformation, the number

4377

# of bytes considered to comprise a 'Value' is based on its representation

4378

# as a UTF-8 encoded string. For example, if 'integer_value' is set to

4379

# 123456789, the number of bytes would be counted as 9, even though an

4380

# int64 only holds up to 8 bytes of data.

4381

"booleanValue": True or False, # boolean

4382

"floatValue": 3.14, # float

4383

"dayOfWeekValue": "A String", # day of week

4384

"timestampValue": "A String", # timestamp

4385

"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date

4386

# and time zone are either specified elsewhere or are not significant. The date

4387

# is relative to the Proleptic Gregorian Calendar. This can represent:

4388

#

4389

# * A full date, with non-zero year, month and day values

4390

# * A month and day value, with a zero year, e.g. an anniversary

4391

# * A year on its own, with zero month and day values

4392

# * A year and month value, with a zero day, e.g. a credit card expiration date

4393

#

4394

# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.

4395

"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without

4396

# a year.

4397

"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a

4398

# month and day.

4399

"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0

4400

# if specifying a year by itself or a year and month where the day is not

4401

# significant.

4402

},

4403

"stringValue": "A String", # string

4404

"integerValue": "A String", # integer

4405

"timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day

4406

# or are specified elsewhere. An API may choose to allow leap seconds. Related

4407

# types are google.type.Date and `google.protobuf.Timestamp`.

4408

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may

4409

# allow the value 60 if it allows leap-seconds.

4410

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

4411

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose

4412

# to allow the value "24:00:00" for scenarios like business closing time.

4413

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

},

},

},

"characterMaskConfig": { # Partially mask a string by replacing a given number of characters with a # Mask

4418

# fixed character. Masking can start from the beginning or end of the string.

4419

# This can be used on data of any type (numbers, longs, and so on) and when

4420

# de-identifying structured data we'll attempt to preserve the original data's

4421

# type. (This allows you to take a long like 123 and modify it to a string like

4422

# **3.

4423

"reverseOrder": True or False, # Mask characters in reverse order. For example, if `masking_character` is

4424

# `0`, `number_to_mask` is `14`, and `reverse_order` is `false`, then the

4425

# input string `1234-5678-9012-3456` is masked as `00000000000000-3456`.

4426

# If `masking_character` is `*`, `number_to_mask` is `3`, and `reverse_order`

4427

# is `true`, then the string `12345` is masked as `12***`.

4428

"charactersToIgnore": [ # When masking a string, items in this list will be skipped when replacing

4429

# characters. For example, if the input string is `555-555-5555` and you

4430

# instruct Cloud DLP to skip `-` and mask 5 characters with `*`, Cloud DLP

4431

# returns `***-**5-5555`.

4432

{ # Characters to skip when doing deidentification of a value. These will be left

4433

# alone and skipped.

4434

"charactersToSkip": "A String", # Characters to not transform when masking.

4435

"commonCharactersToIgnore": "A String", # Common characters to not transform when masking. Useful to avoid removing

# punctuation.

},

],

"numberToMask": 42, # Number of characters to mask. If not set, all matching chars will be

4440

# masked. Skipped characters do not count towards this tally.

4441

"maskingCharacter": "A String", # Character to use to mask the sensitive values&mdash;for example, `*` for an

4442

# alphabetic string such as a name, or `0` for a numeric string such as ZIP

4443

# code or credit card number. This string must have a length of 1. If not

4444

# supplied, this value defaults to `*` for strings, and `0` for digits.

4445

},

4446

"fixedSizeBucketingConfig": { # Buckets values based on fixed size ranges. The # Fixed size bucketing

4447

# Bucketing transformation can provide all of this functionality,

4448

# but requires more configuration. This message is provided as a convenience to

4449

# the user for simple bucketing strategies.

4450

#

4451

# The transformed value will be a hyphenated string of

4452

# {lower_bound}-{upper_bound}, i.e if lower_bound = 10 and upper_bound = 20

4453

# all values that are within this bucket will be replaced with "10-20".

4454

#

4455

# This can be used on data of type: double, long.

4456

#

4457

# If the bound Value type differs from the type of data

4458

# being transformed, we will first attempt converting the type of the data to

4459

# be transformed to match the type of the bound before comparing.

4460

#

4461

# See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more.

4462

"lowerBound": { # Set of primitive values supported by the system. # Required. Lower bound value of buckets. All values less than `lower_bound` are

4463

# grouped together into a single bucket; for example if `lower_bound` = 10,

4464

# then all values less than 10 are replaced with the value "-10".

4465

# Note that for the purposes of inspection or transformation, the number

4466

# of bytes considered to comprise a 'Value' is based on its representation

4467

# as a UTF-8 encoded string. For example, if 'integer_value' is set to

4468

# 123456789, the number of bytes would be counted as 9, even though an

4469

# int64 only holds up to 8 bytes of data.

4470

"booleanValue": True or False, # boolean

4471

"floatValue": 3.14, # float

4472

"dayOfWeekValue": "A String", # day of week

4473

"timestampValue": "A String", # timestamp

4474

"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date

4475

# and time zone are either specified elsewhere or are not significant. The date

4476

# is relative to the Proleptic Gregorian Calendar. This can represent:

4477

#

4478

# * A full date, with non-zero year, month and day values

4479

# * A month and day value, with a zero year, e.g. an anniversary

4480

# * A year on its own, with zero month and day values

4481

# * A year and month value, with a zero day, e.g. a credit card expiration date

4482

#

4483

# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.

4484

"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without

4485

# a year.

4486

"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a

4487

# month and day.

4488

"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0

4489

# if specifying a year by itself or a year and month where the day is not

4490

# significant.

4491

},

4492

"stringValue": "A String", # string

4493

"integerValue": "A String", # integer

4494

"timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day

4495

# or are specified elsewhere. An API may choose to allow leap seconds. Related

4496

# types are google.type.Date and `google.protobuf.Timestamp`.

4497

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may

4498

# allow the value 60 if it allows leap-seconds.

4499

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

4500

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose

4501

# to allow the value "24:00:00" for scenarios like business closing time.

4502

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

4503

},

4504

},

4505

"upperBound": { # Set of primitive values supported by the system. # Required. Upper bound value of buckets. All values greater than upper_bound are

4506

# grouped together into a single bucket; for example if `upper_bound` = 89,

4507

# then all values greater than 89 are replaced with the value "89+".

4508

# Note that for the purposes of inspection or transformation, the number

4509

# of bytes considered to comprise a 'Value' is based on its representation

4510

# as a UTF-8 encoded string. For example, if 'integer_value' is set to

4511

# 123456789, the number of bytes would be counted as 9, even though an

4512

# int64 only holds up to 8 bytes of data.

4513

"booleanValue": True or False, # boolean

4514

"floatValue": 3.14, # float

4515

"dayOfWeekValue": "A String", # day of week

4516

"timestampValue": "A String", # timestamp

4517

"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date

4518

# and time zone are either specified elsewhere or are not significant. The date

4519

# is relative to the Proleptic Gregorian Calendar. This can represent:

4520

#

4521

# * A full date, with non-zero year, month and day values

4522

# * A month and day value, with a zero year, e.g. an anniversary

4523

# * A year on its own, with zero month and day values

4524

# * A year and month value, with a zero day, e.g. a credit card expiration date

4525

#

4526

# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.

4527

"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without

4528

# a year.

4529

"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a

4530

# month and day.

4531

"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0

4532

# if specifying a year by itself or a year and month where the day is not

4533

# significant.

4534

},

4535

"stringValue": "A String", # string

4536

"integerValue": "A String", # integer

4537

"timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day

4538

# or are specified elsewhere. An API may choose to allow leap seconds. Related

4539

# types are google.type.Date and `google.protobuf.Timestamp`.

4540

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may

4541

# allow the value 60 if it allows leap-seconds.

4542

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

4543

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose

4544

# to allow the value "24:00:00" for scenarios like business closing time.

4545

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

4546

},

4547

},

4548

"bucketSize": 3.14, # Required. Size of each bucket (except for minimum and maximum buckets). So if

4549

# `lower_bound` = 10, `upper_bound` = 89, and `bucket_size` = 10, then the

4550

# following buckets would be used: -10, 10-20, 20-30, 30-40, 40-50, 50-60,

4551

# 60-70, 70-80, 80-89, 89+. Precision up to 2 decimals works.

4552

},

4553

},

4554

"transformedBytes": "A String", # Total size in bytes that were transformed in some way.

4555

"recordSuppress": { # Configuration to suppress records whose suppression conditions evaluate to # The specific suppression option these stats apply to.

4556

# true.

4557

"condition": { # A condition for determining whether a transformation should be applied to # A condition that when it evaluates to true will result in the record being

4558

# evaluated to be suppressed from the transformed content.

4559

# a field.

4560

"expressions": { # An expression, consisting or an operator and conditions. # An expression.

4561

"logicalOperator": "A String", # The operator to apply to the result of conditions. Default and currently

4562

# only supported value is `AND`.

4563

"conditions": { # A collection of conditions. # Conditions to apply to the expression.

4564

"conditions": [ # A collection of conditions.

4565

{ # The field type of `value` and `field` do not need to match to be

4566

# considered equal, but not all comparisons are possible.

4567

# EQUAL_TO and NOT_EQUAL_TO attempt to compare even with incompatible types,

4568

# but all other comparisons are invalid with incompatible types.

4569

# A `value` of type:

4570

#

4571

# - `string` can be compared against all other types

4572

# - `boolean` can only be compared against other booleans

4573

# - `integer` can be compared against doubles or a string if the string value

4574

# can be parsed as an integer.

4575

# - `double` can be compared against integers or a string if the string can

4576

# be parsed as a double.

4577

# - `Timestamp` can be compared against strings in RFC 3339 date string

4578

# format.

4579

# - `TimeOfDay` can be compared against timestamps and strings in the format

4580

# of 'HH:mm:ss'.

4581

#

4582

# If we fail to compare do to type mismatch, a warning will be given and

4583

# the condition will evaluate to false.

4584

"field": { # General identifier of a data field in a storage service. # Required. Field within the record this condition is evaluated against.

4585

"name": "A String", # Name describing the field.

4586

},

4587

"operator": "A String", # Required. Operator used to compare the field or infoType to the value.

4588

"value": { # Set of primitive values supported by the system. # Value to compare against. [Mandatory, except for `EXISTS` tests.]

4589

# Note that for the purposes of inspection or transformation, the number

4590

# of bytes considered to comprise a 'Value' is based on its representation

4591

# as a UTF-8 encoded string. For example, if 'integer_value' is set to

4592

# 123456789, the number of bytes would be counted as 9, even though an

4593

# int64 only holds up to 8 bytes of data.

4594

"booleanValue": True or False, # boolean

4595

"floatValue": 3.14, # float

4596

"dayOfWeekValue": "A String", # day of week

4597

"timestampValue": "A String", # timestamp

4598

"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date

4599

# and time zone are either specified elsewhere or are not significant. The date

4600

# is relative to the Proleptic Gregorian Calendar. This can represent:

4601

#

4602

# * A full date, with non-zero year, month and day values

4603

# * A month and day value, with a zero year, e.g. an anniversary

4604

# * A year on its own, with zero month and day values

4605

# * A year and month value, with a zero day, e.g. a credit card expiration date

4606

#

4607

# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.

4608

"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without

4609

# a year.

4610

"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a

4611

# month and day.

4612

"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0

4613

# if specifying a year by itself or a year and month where the day is not

4614

# significant.

4615

},

4616

"stringValue": "A String", # string

4617

"integerValue": "A String", # integer

4618

"timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day

4619

# or are specified elsewhere. An API may choose to allow leap seconds. Related

4620

# types are google.type.Date and `google.protobuf.Timestamp`.

4621

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may

4622

# allow the value 60 if it allows leap-seconds.

4623

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

4624

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose

4625

# to allow the value "24:00:00" for scenarios like business closing time.

4626

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

},

},

},

],

},

},

},

},

"infoType": { # Type of information detected by the API. # Set if the transformation was limited to a specific InfoType.

4636

"name": "A String", # Name of the information type. Either a name of your choosing when

4637

# creating a CustomInfoType, or one of the names listed

4638

# at https://cloud.google.com/dlp/docs/infotypes-reference when specifying

4639

# a built-in type. InfoType names should conform to the pattern

4640

# `[a-zA-Z0-9_]{1,64}`.

4641

},

4642

"results": [ # Collection of all transformations that took place or had an error.

4643

{ # A collection that informs the user the number of times a particular

4644

# `TransformationResultCode` and error details occurred.

4645

"code": "A String", # Outcome of the transformation.

4646

"count": "A String", # Number of transformations counted by this result.

4647

"details": "A String", # A place for warnings or errors to show up if a transformation didn't

# work as expected.

},

],

},

],

"transformedBytes": "A String", # Total size in bytes that were transformed in some way.

},

}</pre>

</div>

<code class="details" id="inspect">inspect(parent, locationId, body=None, x__xgafv=None)</code>

4660

<pre>Finds potentially sensitive info in content.

4661

This method has limits on input size, processing time, and output size.

4662

4663

When no InfoTypes or CustomInfoTypes are specified in this request, the

4664

system will automatically choose what detectors to run. By default this may

4665

be all types, but may change over time as detectors are updated.

4666

4667

For how to guides, see https://cloud.google.com/dlp/docs/inspecting-images

4668

and https://cloud.google.com/dlp/docs/inspecting-text,

4669

4670

Args:

4671

parent: string, The parent resource name, for example projects/my-project-id. (required)

4672

locationId: string, The geographic location to process content inspection. Reserved for future

4673

extensions.

4674

When inspecting images location is restricted to 'global', 'us', 'asia',

4675

and 'europe'. (required)

4676

body: object, The request body.

4677

The object takes the form of:

4678

4679

{ # Request to search for potentially sensitive info in a ContentItem.

4680

"item": { # Container structure for the content to inspect. # The item to inspect.

4681

"byteItem": { # Container for bytes to inspect or redact. # Content data to inspect or redact. Replaces `type` and `data`.

4682

"type": "A String", # The type of data stored in the bytes string. Default will be TEXT_UTF8.

4683

"data": "A String", # Content data to inspect or redact.

4684

},

4685

"value": "A String", # String data to inspect or redact.

4686

"table": { # Structured content to inspect. Up to 50,000 `Value`s per request allowed. # Structured content for inspection. See

4687

# https://cloud.google.com/dlp/docs/inspecting-text#inspecting_a_table to

4688

# learn more.

4689

# See https://cloud.google.com/dlp/docs/inspecting-text#inspecting_a_table to

4690

# learn more.

4691

"rows": [ # Rows of the table.

4692

{ # Values of the row.

4693

"values": [ # Individual cells.

4694

{ # Set of primitive values supported by the system.

4695

# Note that for the purposes of inspection or transformation, the number

4696

# of bytes considered to comprise a 'Value' is based on its representation

4697

# as a UTF-8 encoded string. For example, if 'integer_value' is set to

4698

# 123456789, the number of bytes would be counted as 9, even though an

4699

# int64 only holds up to 8 bytes of data.

4700

"booleanValue": True or False, # boolean

4701

"floatValue": 3.14, # float

4702

"dayOfWeekValue": "A String", # day of week

4703

"timestampValue": "A String", # timestamp

4704

"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date

4705

# and time zone are either specified elsewhere or are not significant. The date

4706

# is relative to the Proleptic Gregorian Calendar. This can represent:

4707

#

4708

# * A full date, with non-zero year, month and day values

4709

# * A month and day value, with a zero year, e.g. an anniversary

4710

# * A year on its own, with zero month and day values

4711

# * A year and month value, with a zero day, e.g. a credit card expiration date

4712

#

4713

# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.

4714

"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without

4715

# a year.

4716

"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a

4717

# month and day.

4718

"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0

4719

# if specifying a year by itself or a year and month where the day is not

4720

# significant.

4721

},

4722

"stringValue": "A String", # string

4723

"integerValue": "A String", # integer

4724

"timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day

4725

# or are specified elsewhere. An API may choose to allow leap seconds. Related

4726

# types are google.type.Date and `google.protobuf.Timestamp`.

4727

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may

4728

# allow the value 60 if it allows leap-seconds.

4729

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

4730

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose

4731

# to allow the value "24:00:00" for scenarios like business closing time.

4732

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

},

},

],

},

],

"headers": [ # Headers of the table.

4739

{ # General identifier of a data field in a storage service.

4740

"name": "A String", # Name describing the field.

},

],

},

},

"inspectTemplateName": "A String", # Template to use. Any configuration directly specified in

4746

# inspect_config will override those set in the template. Singular fields

4747

# that are set in this request will replace their corresponding fields in the

4748

# template. Repeated fields are appended. Singular sub-messages and groups

4749

# are recursively merged.

4750

"inspectConfig": { # Configuration description of the scanning process. # Configuration for the inspector. What specified here will override

4751

# the template referenced by the inspect_template_name argument.

4752

# When used with redactContent only info_types and min_likelihood are currently

4753

# used.

4754

"includeQuote": True or False, # When true, a contextual quote from the data that triggered a finding is

4755

# included in the response; see Finding.quote.

4756

"ruleSet": [ # Set of rules to apply to the findings for this InspectConfig.

4757

# Exclusion rules, contained in the set are executed in the end, other

4758

# rules are executed in the order they are specified for each info type.

4759

{ # Rule set for modifying a set of infoTypes to alter behavior under certain

4760

# circumstances, depending on the specific details of the rules within the set.

4761

"infoTypes": [ # List of infoTypes this rule set is applied to.

4762

{ # Type of information detected by the API.

4763

"name": "A String", # Name of the information type. Either a name of your choosing when

4764

# creating a CustomInfoType, or one of the names listed

4765

# at https://cloud.google.com/dlp/docs/infotypes-reference when specifying

4766

# a built-in type. InfoType names should conform to the pattern

4767

# `[a-zA-Z0-9_]{1,64}`.

4768

},

4769

],

4770

"rules": [ # Set of rules to be applied to infoTypes. The rules are applied in order.

4771

{ # A single inspection rule to be applied to infoTypes, specified in

4772

# `InspectionRuleSet`.

4773

"hotwordRule": { # The rule that adjusts the likelihood of findings within a certain # Hotword-based detection rule.

4774

# proximity of hotwords.

4775

"likelihoodAdjustment": { # Message for specifying an adjustment to the likelihood of a finding as # Likelihood adjustment to apply to all matching findings.

4776

# part of a detection rule.

4777

"relativeLikelihood": 42, # Increase or decrease the likelihood by the specified number of

4778

# levels. For example, if a finding would be `POSSIBLE` without the

4779

# detection rule and `relative_likelihood` is 1, then it is upgraded to

4780

# `LIKELY`, while a value of -1 would downgrade it to `UNLIKELY`.

4781

# Likelihood may never drop below `VERY_UNLIKELY` or exceed

4782

# `VERY_LIKELY`, so applying an adjustment of 1 followed by an

4783

# adjustment of -1 when base likelihood is `VERY_LIKELY` will result in

4784

# a final likelihood of `LIKELY`.

4785

"fixedLikelihood": "A String", # Set the likelihood of a finding to a fixed value.

4786

},

4787

"hotwordRegex": { # Message defining a custom regular expression. # Regular expression pattern defining what qualifies as a hotword.

4788

"groupIndexes": [ # The index of the submatch to extract as findings. When not

4789

# specified, the entire match is returned. No more than 3 may be included.

4790

42,

4791

],

4792

"pattern": "A String", # Pattern defining the regular expression. Its syntax

4793

# (https://github.com/google/re2/wiki/Syntax) can be found under the

4794

# google/re2 repository on GitHub.

4795

},

4796

"proximity": { # Message for specifying a window around a finding to apply a detection # Proximity of the finding within which the entire hotword must reside.

4797

# The total length of the window cannot exceed 1000 characters. Note that

4798

# the finding itself will be included in the window, so that hotwords may

4799

# be used to match substrings of the finding itself. For example, the

4800

# certainty of a phone number regex "\(\d{3}\) \d{3}-\d{4}" could be

4801

# adjusted upwards if the area code is known to be the local area code of

4802

# a company office using the hotword regex "\(xxx\)", where "xxx"

4803

# is the area code in question.

4804

# rule.

4805

"windowBefore": 42, # Number of characters before the finding to consider.

4806

"windowAfter": 42, # Number of characters after the finding to consider.

4807

},

4808

},

4809

"exclusionRule": { # The rule that specifies conditions when findings of infoTypes specified in # Exclusion rule.

4810

# `InspectionRuleSet` are removed from results.

4811

"dictionary": { # Custom information type based on a dictionary of words or phrases. This can # Dictionary which defines the rule.

4812

# be used to match sensitive information specific to the data, such as a list

4813

# of employee IDs or job titles.

4814

#

4815

# Dictionary words are case-insensitive and all characters other than letters

4816

# and digits in the unicode [Basic Multilingual

4817

# Plane](https://en.wikipedia.org/wiki/Plane_%28Unicode%29#Basic_Multilingual_Plane)

4818

# will be replaced with whitespace when scanning for matches, so the

4819

# dictionary phrase "Sam Johnson" will match all three phrases "sam johnson",

4820

# "Sam, Johnson", and "Sam (Johnson)". Additionally, the characters

4821

# surrounding any match must be of a different type than the adjacent

4822

# characters within the word, so letters must be next to non-letters and

4823

# digits next to non-digits. For example, the dictionary word "jen" will

4824

# match the first three letters of the text "jen123" but will return no

4825

# matches for "jennifer".

4826

#

4827

# Dictionary words containing a large number of characters that are not

4828

# letters or digits may result in unexpected findings because such characters

4829

# are treated as whitespace. The

4830

# [limits](https://cloud.google.com/dlp/limits) page contains details about

4831

# the size limits of dictionaries. For dictionaries that do not fit within

4832

# these constraints, consider using `LargeCustomDictionaryConfig` in the

4833

# `StoredInfoType` API.

4834

"wordList": { # Message defining a list of words or phrases to search for in the data. # List of words or phrases to search for.

4835

"words": [ # Words or phrases defining the dictionary. The dictionary must contain

4836

# at least one phrase and every phrase must contain at least 2 characters

4837

# that are letters or digits. [required]

"A String",

],

},

"cloudStoragePath": { # Message representing a single file or path in Cloud Storage. # Newline-delimited file of words in Cloud Storage. Only a single file

4842

# is accepted.

4843

"path": "A String", # A url representing a file or path (no wildcards) in Cloud Storage.

4844

# Example: gs://[BUCKET_NAME]/dictionary.txt

4845

},

4846

},

4847

"regex": { # Message defining a custom regular expression. # Regular expression which defines the rule.

4848

"groupIndexes": [ # The index of the submatch to extract as findings. When not

4849

# specified, the entire match is returned. No more than 3 may be included.

4850

42,

4851

],

4852

"pattern": "A String", # Pattern defining the regular expression. Its syntax

4853

# (https://github.com/google/re2/wiki/Syntax) can be found under the

4854

# google/re2 repository on GitHub.

4855

},

4856

"excludeInfoTypes": { # List of exclude infoTypes. # Set of infoTypes for which findings would affect this rule.

4857

"infoTypes": [ # InfoType list in ExclusionRule rule drops a finding when it overlaps or

4858

# contained within with a finding of an infoType from this list. For

4859

# example, for `InspectionRuleSet.info_types` containing "PHONE_NUMBER"` and

4860

# `exclusion_rule` containing `exclude_info_types.info_types` with

4861

# "EMAIL_ADDRESS" the phone number findings are dropped if they overlap

4862

# with EMAIL_ADDRESS finding.

4863

# That leads to "555-222-2222@example.org" to generate only a single

4864

# finding, namely email address.

4865

{ # Type of information detected by the API.

4866

"name": "A String", # Name of the information type. Either a name of your choosing when

4867

# creating a CustomInfoType, or one of the names listed

4868

# at https://cloud.google.com/dlp/docs/infotypes-reference when specifying

4869

# a built-in type. InfoType names should conform to the pattern

4870

# `[a-zA-Z0-9_]{1,64}`.

},

],

},

"matchingType": "A String", # How the rule is applied, see MatchingType documentation for details.

},

},

],

},

],

"limits": { # Configuration to control the number of findings returned. # Configuration to control the number of findings returned.

4881

"maxFindingsPerItem": 42, # Max number of findings that will be returned for each item scanned.

4882

# When set within `InspectJobConfig`,

4883

# the maximum returned is 2000 regardless if this is set higher.

4884

# When set within `InspectContentRequest`, this field is ignored.

4885

"maxFindingsPerInfoType": [ # Configuration of findings limit given for specified infoTypes.

4886

{ # Max findings configuration per infoType, per content item or long

4887

# running DlpJob.

4888

"maxFindings": 42, # Max findings limit for the given infoType.

4889

"infoType": { # Type of information detected by the API. # Type of information the findings limit applies to. Only one limit per

4890

# info_type should be provided. If InfoTypeLimit does not have an

4891

# info_type, the DLP API applies the limit against all info_types that

4892

# are found but not specified in another InfoTypeLimit.

4893

"name": "A String", # Name of the information type. Either a name of your choosing when

4894

# creating a CustomInfoType, or one of the names listed

4895

# at https://cloud.google.com/dlp/docs/infotypes-reference when specifying

4896

# a built-in type. InfoType names should conform to the pattern

4897

# `[a-zA-Z0-9_]{1,64}`.

},

},

],

"maxFindingsPerRequest": 42, # Max number of findings that will be returned per request/job.

4902

# When set within `InspectContentRequest`, the maximum returned is 2000

4903

# regardless if this is set higher.

4904

},

4905

"contentOptions": [ # List of options defining data content to scan.

4906

# If empty, text, images, and other content will be included.

4907

"A String",

4908

],

4909

"infoTypes": [ # Restricts what info_types to look for. The values must correspond to

4910

# InfoType values returned by ListInfoTypes or listed at

4911

# https://cloud.google.com/dlp/docs/infotypes-reference.

4912

#

4913

# When no InfoTypes or CustomInfoTypes are specified in a request, the

4914

# system may automatically choose what detectors to run. By default this may

4915

# be all types, but may change over time as detectors are updated.

4916

#

4917

# If you need precise control and predictability as to what detectors are

4918

# run you should specify specific InfoTypes listed in the reference,

4919

# otherwise a default list will be used, which may change over time.

4920

{ # Type of information detected by the API.

4921

"name": "A String", # Name of the information type. Either a name of your choosing when

4922

# creating a CustomInfoType, or one of the names listed

4923

# at https://cloud.google.com/dlp/docs/infotypes-reference when specifying

4924

# a built-in type. InfoType names should conform to the pattern

4925

# `[a-zA-Z0-9_]{1,64}`.

4926

},

4927

],

4928

"minLikelihood": "A String", # Only returns findings equal or above this threshold. The default is

4929

# POSSIBLE.

4930

# See https://cloud.google.com/dlp/docs/likelihood to learn more.

4931

"excludeInfoTypes": True or False, # When true, excludes type information of the findings.

4932

"customInfoTypes": [ # CustomInfoTypes provided by the user. See

4933

# https://cloud.google.com/dlp/docs/creating-custom-infotypes to learn more.

4934

{ # Custom information type provided by the user. Used to find domain-specific

4935

# sensitive information configurable to the data in question.

4936

"likelihood": "A String", # Likelihood to return for this CustomInfoType. This base value can be

4937

# altered by a detection rule if the finding meets the criteria specified by

4938

# the rule. Defaults to `VERY_LIKELY` if not specified.

4939

"infoType": { # Type of information detected by the API. # CustomInfoType can either be a new infoType, or an extension of built-in

4940

# infoType, when the name matches one of existing infoTypes and that infoType

4941

# is specified in `InspectContent.info_types` field. Specifying the latter

4942

# adds findings to the one detected by the system. If built-in info type is

4943

# not specified in `InspectContent.info_types` list then the name is treated

4944

# as a custom info type.

4945

"name": "A String", # Name of the information type. Either a name of your choosing when

4946

# creating a CustomInfoType, or one of the names listed

4947

# at https://cloud.google.com/dlp/docs/infotypes-reference when specifying

4948

# a built-in type. InfoType names should conform to the pattern

4949

# `[a-zA-Z0-9_]{1,64}`.

4950

},

4951

"regex": { # Message defining a custom regular expression. # Regular expression based CustomInfoType.

4952

"groupIndexes": [ # The index of the submatch to extract as findings. When not

4953

# specified, the entire match is returned. No more than 3 may be included.

4954

42,

4955

],

4956

"pattern": "A String", # Pattern defining the regular expression. Its syntax

4957

# (https://github.com/google/re2/wiki/Syntax) can be found under the

4958

# google/re2 repository on GitHub.

4959

},

4960

"detectionRules": [ # Set of detection rules to apply to all findings of this CustomInfoType.

4961

# Rules are applied in order that they are specified. Not supported for the

4962

# `surrogate_type` CustomInfoType.

4963

{ # Deprecated; use `InspectionRuleSet` instead. Rule for modifying a

4964

# `CustomInfoType` to alter behavior under certain circumstances, depending

4965

# on the specific details of the rule. Not supported for the `surrogate_type`

4966

# custom infoType.

4967

"hotwordRule": { # The rule that adjusts the likelihood of findings within a certain # Hotword-based detection rule.

4968

# proximity of hotwords.

4969

"likelihoodAdjustment": { # Message for specifying an adjustment to the likelihood of a finding as # Likelihood adjustment to apply to all matching findings.

4970

# part of a detection rule.

4971

"relativeLikelihood": 42, # Increase or decrease the likelihood by the specified number of

4972

# levels. For example, if a finding would be `POSSIBLE` without the

4973

# detection rule and `relative_likelihood` is 1, then it is upgraded to

4974

# `LIKELY`, while a value of -1 would downgrade it to `UNLIKELY`.

4975

# Likelihood may never drop below `VERY_UNLIKELY` or exceed

4976

# `VERY_LIKELY`, so applying an adjustment of 1 followed by an

4977

# adjustment of -1 when base likelihood is `VERY_LIKELY` will result in

4978

# a final likelihood of `LIKELY`.

4979

"fixedLikelihood": "A String", # Set the likelihood of a finding to a fixed value.

4980

},

4981

"hotwordRegex": { # Message defining a custom regular expression. # Regular expression pattern defining what qualifies as a hotword.

4982

"groupIndexes": [ # The index of the submatch to extract as findings. When not

4983

# specified, the entire match is returned. No more than 3 may be included.

4984

42,

4985

],

4986

"pattern": "A String", # Pattern defining the regular expression. Its syntax

4987

# (https://github.com/google/re2/wiki/Syntax) can be found under the

4988

# google/re2 repository on GitHub.

4989

},

4990

"proximity": { # Message for specifying a window around a finding to apply a detection # Proximity of the finding within which the entire hotword must reside.

4991

# The total length of the window cannot exceed 1000 characters. Note that

4992

# the finding itself will be included in the window, so that hotwords may

4993

# be used to match substrings of the finding itself. For example, the

4994

# certainty of a phone number regex "\(\d{3}\) \d{3}-\d{4}" could be

4995

# adjusted upwards if the area code is known to be the local area code of

4996

# a company office using the hotword regex "\(xxx\)", where "xxx"

4997

# is the area code in question.

4998

# rule.

4999

"windowBefore": 42, # Number of characters before the finding to consider.

5000

"windowAfter": 42, # Number of characters after the finding to consider.

},

},

},

],

"exclusionType": "A String", # If set to EXCLUSION_TYPE_EXCLUDE this infoType will not cause a finding

5006

# to be returned. It still can be used for rules matching.

5007

"dictionary": { # Custom information type based on a dictionary of words or phrases. This can # A list of phrases to detect as a CustomInfoType.

5008

# be used to match sensitive information specific to the data, such as a list

5009

# of employee IDs or job titles.

5010

#

5011

# Dictionary words are case-insensitive and all characters other than letters

5012

# and digits in the unicode [Basic Multilingual

5013

# Plane](https://en.wikipedia.org/wiki/Plane_%28Unicode%29#Basic_Multilingual_Plane)

5014

# will be replaced with whitespace when scanning for matches, so the

5015

# dictionary phrase "Sam Johnson" will match all three phrases "sam johnson",

5016

# "Sam, Johnson", and "Sam (Johnson)". Additionally, the characters

5017

# surrounding any match must be of a different type than the adjacent

5018

# characters within the word, so letters must be next to non-letters and

5019

# digits next to non-digits. For example, the dictionary word "jen" will

5020

# match the first three letters of the text "jen123" but will return no

5021

# matches for "jennifer".

5022

#

5023

# Dictionary words containing a large number of characters that are not

5024

# letters or digits may result in unexpected findings because such characters

5025

# are treated as whitespace. The

5026

# [limits](https://cloud.google.com/dlp/limits) page contains details about

5027

# the size limits of dictionaries. For dictionaries that do not fit within

5028

# these constraints, consider using `LargeCustomDictionaryConfig` in the

5029

# `StoredInfoType` API.

5030

"wordList": { # Message defining a list of words or phrases to search for in the data. # List of words or phrases to search for.

5031

"words": [ # Words or phrases defining the dictionary. The dictionary must contain

5032

# at least one phrase and every phrase must contain at least 2 characters

5033

# that are letters or digits. [required]

"A String",

],

},

"cloudStoragePath": { # Message representing a single file or path in Cloud Storage. # Newline-delimited file of words in Cloud Storage. Only a single file

5038

# is accepted.

5039

"path": "A String", # A url representing a file or path (no wildcards) in Cloud Storage.

5040

# Example: gs://[BUCKET_NAME]/dictionary.txt

5041

},

5042

},

5043

"storedType": { # A reference to a StoredInfoType to use with scanning. # Load an existing `StoredInfoType` resource for use in

5044

# `InspectDataSource`. Not currently supported in `InspectContent`.

5045

"name": "A String", # Resource name of the requested `StoredInfoType`, for example

5046

# `organizations/433245324/storedInfoTypes/432452342` or

5047

# `projects/project-id/storedInfoTypes/432452342`.

5048

"createTime": "A String", # Timestamp indicating when the version of the `StoredInfoType` used for

5049

# inspection was created. Output-only field, populated by the system.

5050

},

5051

"surrogateType": { # Message for detecting output from deidentification transformations # Message for detecting output from deidentification transformations that

5052

# support reversing.

5053

# such as

5054

# [`CryptoReplaceFfxFpeConfig`](/dlp/docs/reference/rest/v2/organizations.deidentifyTemplates#cryptoreplaceffxfpeconfig).

5055

# These types of transformations are

5056

# those that perform pseudonymization, thereby producing a "surrogate" as

5057

# output. This should be used in conjunction with a field on the

5058

# transformation such as `surrogate_info_type`. This CustomInfoType does

5059

# not support the use of `detection_rules`.

},

},

],

},

"locationId": "A String", # The geographic location to process content inspection. Reserved for future

5065

# extensions.

5066

# When inspecting images location is restricted to 'global', 'us', 'asia',

# and 'europe'.

}

x__xgafv: string, V1 error format.

Allowed values

1 - v1 error format

2 - v2 error format

Returns:

An object of the form:

5077

5078

{ # Results of inspecting an item.

5079

"result": { # All the findings for a single scanned item. # The findings.

5080

"findings": [ # List of findings for an item.

5081

{ # Represents a piece of potentially sensitive content.

5082

"resourceName": "A String", # The job that stored the finding.

5083

"triggerName": "A String", # Job trigger name, if applicable, for this finding.

5084

"jobCreateTime": "A String", # Time the job started that produced this finding.

5085

"quoteInfo": { # Message for infoType-dependent details parsed from quote. # Contains data parsed from quotes. Only populated if include_quote was set

5086

# to true and a supported infoType was requested. Currently supported

5087

# infoTypes: DATE, DATE_OF_BIRTH and TIME.

5088

"dateTime": { # Message for a date time object. # The date time indicated by the quote.

5089

# e.g. 2018-01-01, 5th August.

5090

"date": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # One or more of the following must be set.

5091

# Must be a valid date or time value.

5092

# and time zone are either specified elsewhere or are not significant. The date

5093

# is relative to the Proleptic Gregorian Calendar. This can represent:

5094

#

5095

# * A full date, with non-zero year, month and day values

5096

# * A month and day value, with a zero year, e.g. an anniversary

5097

# * A year on its own, with zero month and day values

5098

# * A year and month value, with a zero day, e.g. a credit card expiration date

5099

#

5100

# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.

5101

"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without

5102

# a year.

5103

"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a

5104

# month and day.

5105

"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0

5106

# if specifying a year by itself or a year and month where the day is not

5107

# significant.

5108

},

5109

"timeZone": { # Time zone of the date time object. # Time zone

5110

"offsetMinutes": 42, # Set only if the offset can be determined. Positive for time ahead of UTC.

5111

# E.g. For "UTC-9", this value is -540.

5112

},

5113

"dayOfWeek": "A String", # Day of week

5114

"time": { # Represents a time of day. The date and time zone are either not significant # Time of day

5115

# or are specified elsewhere. An API may choose to allow leap seconds. Related

5116

# types are google.type.Date and `google.protobuf.Timestamp`.

5117

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may

5118

# allow the value 60 if it allows leap-seconds.

5119

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

5120

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose

5121

# to allow the value "24:00:00" for scenarios like business closing time.

5122

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

},

},

},

"labels": { # The labels associated with this `Finding`.

5127

#

5128

# Label keys must be between 1 and 63 characters long and must conform

5129

# to the following regular expression: `[a-z]([-a-z0-9]*[a-z0-9])?`.

5130

#

5131

# Label values must be between 0 and 63 characters long and must conform

5132

# to the regular expression `([a-z]([-a-z0-9]*[a-z0-9])?)?`.

5133

#

5134

# No more than 10 labels can be associated with a given finding.

5135

#

5136

# Examples:

5137

# * `"environment" : "production"`

5138

# * `"pipeline" : "etl"`

5139

"a_key": "A String",

5140

},

5141

"infoType": { # Type of information detected by the API. # The type of content that might have been found.

5142

# Provided if `excluded_types` is false.

5143

"name": "A String", # Name of the information type. Either a name of your choosing when

5144

# creating a CustomInfoType, or one of the names listed

5145

# at https://cloud.google.com/dlp/docs/infotypes-reference when specifying

5146

# a built-in type. InfoType names should conform to the pattern

5147

# `[a-zA-Z0-9_]{1,64}`.

5148

},

5149

"likelihood": "A String", # Confidence of how likely it is that the `info_type` is correct.

5150

"name": "A String", # Resource name in format

5151

# projects/{project}/locations/{location}/findings/{finding} Populated only

5152

# when viewing persisted findings.

5153

"location": { # Specifies the location of the finding. # Where the content was found.

5154

"codepointRange": { # Generic half-open interval [start, end) # Unicode character offsets delimiting the finding.

5155

# These are relative to the finding's containing element.

5156

# Provided when the content is text.

5157

"start": "A String", # Index of the first character of the range (inclusive).

5158

"end": "A String", # Index of the last character of the range (exclusive).

5159

},

5160

"byteRange": { # Generic half-open interval [start, end) # Zero-based byte offsets delimiting the finding.

5161

# These are relative to the finding's containing element.

5162

# Note that when the content is not textual, this references

5163

# the UTF-8 encoded textual representation of the content.

5164

# Omitted if content is an image.

5165

"start": "A String", # Index of the first character of the range (inclusive).

5166

"end": "A String", # Index of the last character of the range (exclusive).

5167

},

5168

"container": { # Represents a container that may contain DLP findings. # Information about the container where this finding occurred, if available.

5169

# Examples of a container include a file, table, or database record.

5170

"fullPath": "A String", # A string representation of the full container name.

5171

# Examples:

5172

# - BigQuery: 'Project:DataSetId.TableId'

5173

# - Google Cloud Storage: 'gs://Bucket/folders/filename.txt'

5174

"type": "A String", # Container type, for example BigQuery or Google Cloud Storage.

5175

"updateTime": "A String", # Findings container modification timestamp, if applicable.

5176

# For Google Cloud Storage contains last file modification timestamp.

5177

# For BigQuery table contains last_modified_time property.

5178

# For Datastore - not populated.

5179

"rootPath": "A String", # The root of the container.

5180

# Examples:

5181

# - For BigQuery table `project_id:dataset_id.table_id`, the root is

5182

# `dataset_id`

5183

# - For Google Cloud Storage file `gs://bucket/folder/filename.txt`, the root

5184

# is `gs://bucket`

5185

"projectId": "A String", # Project where the finding was found.

5186

# Can be different from the project that owns the finding.

5187

"relativePath": "A String", # The rest of the path after the root.

5188

# Examples:

5189

# - For BigQuery table `project_id:dataset_id.table_id`, the relative path is

5190

# `table_id`

5191

# - Google Cloud Storage file `gs://bucket/folder/filename.txt`, the relative

5192

# path is `folder/filename.txt`

5193

"version": "A String", # Findings container version, if available

5194

# ("generation" for Google Cloud Storage).

5195

},

5196

"contentLocations": [ # List of nested objects pointing to the precise location of the finding

5197

# within the file or record.

5198

{ # Precise location of the finding within a document, record, image, or metadata

5199

# container.

5200

"containerName": "A String", # Name of the container where the finding is located.

5201

# The top level name is the source file name or table name. Names of some

5202

# common storage containers are formatted as follows:

5203

#

5204

# * BigQuery tables: `{project_id}:{dataset_id}.{table_id}`

5205

# * Cloud Storage files: `gs://{bucket}/{path}`

5206

# * Datastore namespace: {namespace}

5207

#

5208

# Nested names could be absent if the embedded object has no string

5209

# identifier (for an example an image contained within a document).

5210

"documentLocation": { # Location of a finding within a document. # Location data for document files.

5211

"fileOffset": "A String", # Offset of the line, from the beginning of the file, where the finding

5212

# is located.

5213

},

5214

"recordLocation": { # Location of a finding within a row or record. # Location within a row or record of a database table.

5215

"fieldId": { # General identifier of a data field in a storage service. # Field id of the field containing the finding.

5216

"name": "A String", # Name describing the field.

5217

},

5218

"tableLocation": { # Location of a finding within a table. # Location within a `ContentItem.Table`.

5219

"rowIndex": "A String", # The zero-based index of the row where the finding is located. Only

5220

# populated for resources that have a natural ordering, not BigQuery. In

5221

# BigQuery, to identify the row a finding came from, populate

5222

# BigQueryOptions.identifying_fields with your primary key column names and

5223

# when you store the findings the value of those columns will be stored

5224

# inside of Finding.

5225

},

5226

"recordKey": { # Message for a unique key indicating a record that contains a finding. # Key of the finding.

5227

"idValues": [ # Values of identifying columns in the given row. Order of values matches

5228

# the order of `identifying_fields` specified in the scanning request.

5229

"A String",

5230

],

5231

"datastoreKey": { # Record key for a finding in Cloud Datastore.

5232

"entityKey": { # A unique identifier for a Datastore entity. # Datastore entity key.

5233

# If a key's partition ID or any of its path kinds or names are

5234

# reserved/read-only, the key is reserved/read-only.

5235

# A reserved/read-only key is forbidden in certain documented contexts.

5236

"path": [ # The entity path.

5237

# An entity path consists of one or more elements composed of a kind and a

5238

# string or numerical identifier, which identify entities. The first

5239

# element identifies a _root entity_, the second element identifies

5240

# a _child_ of the root entity, the third element identifies a child of the

5241

# second entity, and so forth. The entities identified by all prefixes of

5242

# the path are called the element's _ancestors_.

5243

#

5244

# A path can never be empty, and a path can have at most 100 elements.

5245

{ # A (kind, ID/name) pair used to construct a key path.

5246

#

5247

# If either name or ID is set, the element is complete.

5248

# If neither is set, the element is incomplete.

5249

"kind": "A String", # The kind of the entity.

5250

# A kind matching regex `__.*__` is reserved/read-only.

5251

# A kind must not contain more than 1500 bytes when UTF-8 encoded.

5252

# Cannot be `""`.

5253

"id": "A String", # The auto-allocated ID of the entity.

5254

# Never equal to zero. Values less than zero are discouraged and may not

5255

# be supported in the future.

5256

"name": "A String", # The name of the entity.

5257

# A name matching regex `__.*__` is reserved/read-only.

5258

# A name must not be more than 1500 bytes when UTF-8 encoded.

# Cannot be `""`.

},

],

"partitionId": { # Datastore partition ID. # Entities are partitioned into subsets, currently identified by a project

5263

# ID and namespace ID.

5264

# Queries are scoped to a single partition.

5265

# A partition ID identifies a grouping of entities. The grouping is always

5266

# by project and namespace, however the namespace ID may be empty.

5267

#

5268

# A partition ID contains several dimensions:

5269

# project ID and namespace ID.

5270

"namespaceId": "A String", # If not empty, the ID of the namespace to which the entities belong.

5271

"projectId": "A String", # The ID of the project to which the entities belong.

},

},

},

"bigQueryKey": { # Row key for identifying a record in BigQuery table.

5276

"tableReference": { # Message defining the location of a BigQuery table. A table is uniquely # Complete BigQuery table reference.

5277

# identified by its project_id, dataset_id, and table_name. Within a query

5278

# a table is often referenced with a string in the format of:

5279

# `<project_id>:<dataset_id>.<table_id>` or

5280

# `<project_id>.<dataset_id>.<table_id>`.

5281

"projectId": "A String", # The Google Cloud Platform project ID of the project containing the table.

5282

# If omitted, project ID is inferred from the API call.

5283

"datasetId": "A String", # Dataset ID of the table.

5284

"tableId": "A String", # Name of the table.

5285

},

5286

"rowNumber": "A String", # Row number inferred at the time the table was scanned. This value is

5287

# nondeterministic, cannot be queried, and may be null for inspection

5288

# jobs. To locate findings within a table, specify

5289

# `inspect_job.storage_config.big_query_options.identifying_fields` in

5290

# `CreateDlpJobRequest`.

},

},

},

"containerTimestamp": "A String", # Findings container modification timestamp, if applicable.

5295

# For Google Cloud Storage contains last file modification timestamp.

5296

# For BigQuery table contains last_modified_time property.

5297

# For Datastore - not populated.

5298

"metadataLocation": { # Metadata Location # Location within the metadata for inspected content.

5299

"storageLabel": { # Storage metadata label to indicate which metadata entry contains findings. # Storage metadata.

5300

"key": "A String",

5301

},

5302

"type": "A String", # Type of metadata containing the finding.

5303

},

5304

"imageLocation": { # Location of the finding within an image. # Location within an image's pixels.

5305

"boundingBoxes": [ # Bounding boxes locating the pixels within the image containing the finding.

5306

{ # Bounding box encompassing detected text within an image.

5307

"top": 42, # Top coordinate of the bounding box. (0,0) is upper left.

5308

"width": 42, # Width of the bounding box in pixels.

5309

"height": 42, # Height of the bounding box in pixels.

5310

"left": 42, # Left coordinate of the bounding box. (0,0) is upper left.

},

],

},

"containerVersion": "A String", # Findings container version, if available

5315

# ("generation" for Google Cloud Storage).

},

],

},

"quote": "A String", # The content that was found. Even if the content is not textual, it

5320

# may be converted to a textual representation here.

5321

# Provided if `include_quote` is true and the finding is

5322

# less than or equal to 4096 bytes long. If the finding exceeds 4096 bytes

5323

# in length, the quote may be omitted.

5324

"createTime": "A String", # Timestamp when finding was detected.

5325

"jobName": "A String", # The job that stored the finding.

5326

},

5327

],

5328

"findingsTruncated": True or False, # If true, then this item might have more findings than were returned,

5329

# and the findings returned are an arbitrary subset of all findings.

5330

# The findings list might be truncated because the input items were too

5331

# large, or because the server reached the maximum amount of resources

5332

# allowed for a single API call. For best results, divide the input into

# smaller batches.

},

}</pre>

</div>

<code class="details" id="reidentify">reidentify(parent, locationId, body=None, x__xgafv=None)</code>

5340

<pre>Re-identifies content that has been de-identified.

5341

See

5342

https://cloud.google.com/dlp/docs/pseudonymization#re-identification_in_free_text_code_example

to learn more.

Args:

parent: string, Required. The parent resource name. (required)

5347

locationId: string, The geographic location to process content reidentification. Reserved for

5348

future extensions. (required)

5349

body: object, The request body.

5350

The object takes the form of:

5351

5352

{ # Request to re-identify an item.

5353

"item": { # Container structure for the content to inspect. # The item to re-identify. Will be treated as text.

5354

"byteItem": { # Container for bytes to inspect or redact. # Content data to inspect or redact. Replaces `type` and `data`.

5355

"type": "A String", # The type of data stored in the bytes string. Default will be TEXT_UTF8.

5356

"data": "A String", # Content data to inspect or redact.

5357

},

5358

"value": "A String", # String data to inspect or redact.

5359

"table": { # Structured content to inspect. Up to 50,000 `Value`s per request allowed. # Structured content for inspection. See

5360

# https://cloud.google.com/dlp/docs/inspecting-text#inspecting_a_table to

5361

# learn more.

5362

# See https://cloud.google.com/dlp/docs/inspecting-text#inspecting_a_table to

5363

# learn more.

5364

"rows": [ # Rows of the table.

5365

{ # Values of the row.

5366

"values": [ # Individual cells.

5367

{ # Set of primitive values supported by the system.

5368

# Note that for the purposes of inspection or transformation, the number

5369

# of bytes considered to comprise a 'Value' is based on its representation

5370

# as a UTF-8 encoded string. For example, if 'integer_value' is set to

5371

# 123456789, the number of bytes would be counted as 9, even though an

5372

# int64 only holds up to 8 bytes of data.

5373

"booleanValue": True or False, # boolean

5374

"floatValue": 3.14, # float

5375

"dayOfWeekValue": "A String", # day of week

5376

"timestampValue": "A String", # timestamp

5377

"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date

5378

# and time zone are either specified elsewhere or are not significant. The date

5379

# is relative to the Proleptic Gregorian Calendar. This can represent:

5380

#

5381

# * A full date, with non-zero year, month and day values

5382

# * A month and day value, with a zero year, e.g. an anniversary

5383

# * A year on its own, with zero month and day values

5384

# * A year and month value, with a zero day, e.g. a credit card expiration date

5385

#

5386

# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.

5387

"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without

5388

# a year.

5389

"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a

5390

# month and day.

5391

"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0

5392

# if specifying a year by itself or a year and month where the day is not

5393

# significant.

5394

},

5395

"stringValue": "A String", # string

5396

"integerValue": "A String", # integer

5397

"timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day

5398

# or are specified elsewhere. An API may choose to allow leap seconds. Related

5399

# types are google.type.Date and `google.protobuf.Timestamp`.

5400

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may

5401

# allow the value 60 if it allows leap-seconds.

5402

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

5403

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose

5404

# to allow the value "24:00:00" for scenarios like business closing time.

5405

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

},

},

],

},

],

"headers": [ # Headers of the table.

5412

{ # General identifier of a data field in a storage service.

5413

"name": "A String", # Name describing the field.

},

],

},

},

"inspectTemplateName": "A String", # Template to use. Any configuration directly specified in

5419

# `inspect_config` will override those set in the template. Singular fields

5420

# that are set in this request will replace their corresponding fields in the

5421

# template. Repeated fields are appended. Singular sub-messages and groups

5422

# are recursively merged.

5423

"inspectConfig": { # Configuration description of the scanning process. # Configuration for the inspector.

5424

# When used with redactContent only info_types and min_likelihood are currently

5425

# used.

5426

"includeQuote": True or False, # When true, a contextual quote from the data that triggered a finding is

5427

# included in the response; see Finding.quote.

5428

"ruleSet": [ # Set of rules to apply to the findings for this InspectConfig.

5429

# Exclusion rules, contained in the set are executed in the end, other

5430

# rules are executed in the order they are specified for each info type.

5431

{ # Rule set for modifying a set of infoTypes to alter behavior under certain

5432

# circumstances, depending on the specific details of the rules within the set.

5433

"infoTypes": [ # List of infoTypes this rule set is applied to.

5434

{ # Type of information detected by the API.

5435

"name": "A String", # Name of the information type. Either a name of your choosing when

5436

# creating a CustomInfoType, or one of the names listed

5437

# at https://cloud.google.com/dlp/docs/infotypes-reference when specifying

5438

# a built-in type. InfoType names should conform to the pattern

5439

# `[a-zA-Z0-9_]{1,64}`.

5440

},

5441

],

5442

"rules": [ # Set of rules to be applied to infoTypes. The rules are applied in order.

5443

{ # A single inspection rule to be applied to infoTypes, specified in

5444

# `InspectionRuleSet`.

5445

"hotwordRule": { # The rule that adjusts the likelihood of findings within a certain # Hotword-based detection rule.

5446

# proximity of hotwords.

5447

"likelihoodAdjustment": { # Message for specifying an adjustment to the likelihood of a finding as # Likelihood adjustment to apply to all matching findings.

5448

# part of a detection rule.

5449

"relativeLikelihood": 42, # Increase or decrease the likelihood by the specified number of

5450

# levels. For example, if a finding would be `POSSIBLE` without the

5451

# detection rule and `relative_likelihood` is 1, then it is upgraded to

5452

# `LIKELY`, while a value of -1 would downgrade it to `UNLIKELY`.

5453

# Likelihood may never drop below `VERY_UNLIKELY` or exceed

5454

# `VERY_LIKELY`, so applying an adjustment of 1 followed by an

5455

# adjustment of -1 when base likelihood is `VERY_LIKELY` will result in

5456

# a final likelihood of `LIKELY`.

5457

"fixedLikelihood": "A String", # Set the likelihood of a finding to a fixed value.

5458

},

5459

"hotwordRegex": { # Message defining a custom regular expression. # Regular expression pattern defining what qualifies as a hotword.

5460

"groupIndexes": [ # The index of the submatch to extract as findings. When not

5461

# specified, the entire match is returned. No more than 3 may be included.

5462

42,

5463

],

5464

"pattern": "A String", # Pattern defining the regular expression. Its syntax

5465

# (https://github.com/google/re2/wiki/Syntax) can be found under the

5466

# google/re2 repository on GitHub.

5467

},

5468

"proximity": { # Message for specifying a window around a finding to apply a detection # Proximity of the finding within which the entire hotword must reside.

5469

# The total length of the window cannot exceed 1000 characters. Note that

5470

# the finding itself will be included in the window, so that hotwords may

5471

# be used to match substrings of the finding itself. For example, the

5472

# certainty of a phone number regex "\(\d{3}\) \d{3}-\d{4}" could be

5473

# adjusted upwards if the area code is known to be the local area code of

5474

# a company office using the hotword regex "\(xxx\)", where "xxx"

5475

# is the area code in question.

5476

# rule.

5477

"windowBefore": 42, # Number of characters before the finding to consider.

5478

"windowAfter": 42, # Number of characters after the finding to consider.

5479

},

5480

},

5481

"exclusionRule": { # The rule that specifies conditions when findings of infoTypes specified in # Exclusion rule.

5482

# `InspectionRuleSet` are removed from results.

5483

"dictionary": { # Custom information type based on a dictionary of words or phrases. This can # Dictionary which defines the rule.

5484

# be used to match sensitive information specific to the data, such as a list

5485

# of employee IDs or job titles.

5486

#

5487

# Dictionary words are case-insensitive and all characters other than letters

5488

# and digits in the unicode [Basic Multilingual

5489

# Plane](https://en.wikipedia.org/wiki/Plane_%28Unicode%29#Basic_Multilingual_Plane)

5490

# will be replaced with whitespace when scanning for matches, so the

5491

# dictionary phrase "Sam Johnson" will match all three phrases "sam johnson",

5492

# "Sam, Johnson", and "Sam (Johnson)". Additionally, the characters

5493

# surrounding any match must be of a different type than the adjacent

5494

# characters within the word, so letters must be next to non-letters and

5495

# digits next to non-digits. For example, the dictionary word "jen" will

5496

# match the first three letters of the text "jen123" but will return no

5497

# matches for "jennifer".

5498

#

5499

# Dictionary words containing a large number of characters that are not

5500

# letters or digits may result in unexpected findings because such characters

5501

# are treated as whitespace. The

5502

# [limits](https://cloud.google.com/dlp/limits) page contains details about

5503

# the size limits of dictionaries. For dictionaries that do not fit within

5504

# these constraints, consider using `LargeCustomDictionaryConfig` in the

5505

# `StoredInfoType` API.

5506

"wordList": { # Message defining a list of words or phrases to search for in the data. # List of words or phrases to search for.

5507

"words": [ # Words or phrases defining the dictionary. The dictionary must contain

5508

# at least one phrase and every phrase must contain at least 2 characters

5509

# that are letters or digits. [required]

"A String",

],

},

"cloudStoragePath": { # Message representing a single file or path in Cloud Storage. # Newline-delimited file of words in Cloud Storage. Only a single file

5514

# is accepted.

5515

"path": "A String", # A url representing a file or path (no wildcards) in Cloud Storage.

5516

# Example: gs://[BUCKET_NAME]/dictionary.txt

5517

},

5518

},

5519

"regex": { # Message defining a custom regular expression. # Regular expression which defines the rule.

5520

"groupIndexes": [ # The index of the submatch to extract as findings. When not

5521

# specified, the entire match is returned. No more than 3 may be included.

5522

42,

5523

],

5524

"pattern": "A String", # Pattern defining the regular expression. Its syntax

5525

# (https://github.com/google/re2/wiki/Syntax) can be found under the

5526

# google/re2 repository on GitHub.

5527

},

5528

"excludeInfoTypes": { # List of exclude infoTypes. # Set of infoTypes for which findings would affect this rule.

5529

"infoTypes": [ # InfoType list in ExclusionRule rule drops a finding when it overlaps or

5530

# contained within with a finding of an infoType from this list. For

5531

# example, for `InspectionRuleSet.info_types` containing "PHONE_NUMBER"` and

5532

# `exclusion_rule` containing `exclude_info_types.info_types` with

5533

# "EMAIL_ADDRESS" the phone number findings are dropped if they overlap

5534

# with EMAIL_ADDRESS finding.

5535

# That leads to "555-222-2222@example.org" to generate only a single

5536

# finding, namely email address.

5537

{ # Type of information detected by the API.

5538

"name": "A String", # Name of the information type. Either a name of your choosing when

5539

# creating a CustomInfoType, or one of the names listed

5540

# at https://cloud.google.com/dlp/docs/infotypes-reference when specifying

5541

# a built-in type. InfoType names should conform to the pattern

5542

# `[a-zA-Z0-9_]{1,64}`.

},

],

},

"matchingType": "A String", # How the rule is applied, see MatchingType documentation for details.

},

},

],

},

],

"limits": { # Configuration to control the number of findings returned. # Configuration to control the number of findings returned.

5553

"maxFindingsPerItem": 42, # Max number of findings that will be returned for each item scanned.

5554

# When set within `InspectJobConfig`,

5555

# the maximum returned is 2000 regardless if this is set higher.

5556

# When set within `InspectContentRequest`, this field is ignored.

5557

"maxFindingsPerInfoType": [ # Configuration of findings limit given for specified infoTypes.

5558

{ # Max findings configuration per infoType, per content item or long

5559

# running DlpJob.

5560

"maxFindings": 42, # Max findings limit for the given infoType.

5561

"infoType": { # Type of information detected by the API. # Type of information the findings limit applies to. Only one limit per

5562

# info_type should be provided. If InfoTypeLimit does not have an

5563

# info_type, the DLP API applies the limit against all info_types that

5564

# are found but not specified in another InfoTypeLimit.

5565

"name": "A String", # Name of the information type. Either a name of your choosing when

5566

# creating a CustomInfoType, or one of the names listed

5567

# at https://cloud.google.com/dlp/docs/infotypes-reference when specifying

5568

# a built-in type. InfoType names should conform to the pattern

5569

# `[a-zA-Z0-9_]{1,64}`.

},

},

],

"maxFindingsPerRequest": 42, # Max number of findings that will be returned per request/job.

5574

# When set within `InspectContentRequest`, the maximum returned is 2000

5575

# regardless if this is set higher.

5576

},

5577

"contentOptions": [ # List of options defining data content to scan.

5578

# If empty, text, images, and other content will be included.

5579

"A String",

5580

],

5581

"infoTypes": [ # Restricts what info_types to look for. The values must correspond to

5582

# InfoType values returned by ListInfoTypes or listed at

5583

# https://cloud.google.com/dlp/docs/infotypes-reference.

5584

#

5585

# When no InfoTypes or CustomInfoTypes are specified in a request, the

5586

# system may automatically choose what detectors to run. By default this may

5587

# be all types, but may change over time as detectors are updated.

5588

#

5589

# If you need precise control and predictability as to what detectors are

5590

# run you should specify specific InfoTypes listed in the reference,

5591

# otherwise a default list will be used, which may change over time.

5592

{ # Type of information detected by the API.

5593

"name": "A String", # Name of the information type. Either a name of your choosing when

5594

# creating a CustomInfoType, or one of the names listed

5595

# at https://cloud.google.com/dlp/docs/infotypes-reference when specifying

5596

# a built-in type. InfoType names should conform to the pattern

5597

# `[a-zA-Z0-9_]{1,64}`.

5598

},

5599

],

5600

"minLikelihood": "A String", # Only returns findings equal or above this threshold. The default is

5601

# POSSIBLE.

5602

# See https://cloud.google.com/dlp/docs/likelihood to learn more.

5603

"excludeInfoTypes": True or False, # When true, excludes type information of the findings.

5604

"customInfoTypes": [ # CustomInfoTypes provided by the user. See

5605

# https://cloud.google.com/dlp/docs/creating-custom-infotypes to learn more.

5606

{ # Custom information type provided by the user. Used to find domain-specific

5607

# sensitive information configurable to the data in question.

5608

"likelihood": "A String", # Likelihood to return for this CustomInfoType. This base value can be

5609

# altered by a detection rule if the finding meets the criteria specified by

5610

# the rule. Defaults to `VERY_LIKELY` if not specified.

5611

"infoType": { # Type of information detected by the API. # CustomInfoType can either be a new infoType, or an extension of built-in

5612

# infoType, when the name matches one of existing infoTypes and that infoType

5613

# is specified in `InspectContent.info_types` field. Specifying the latter

5614

# adds findings to the one detected by the system. If built-in info type is

5615

# not specified in `InspectContent.info_types` list then the name is treated

5616

# as a custom info type.

5617

"name": "A String", # Name of the information type. Either a name of your choosing when

5618

# creating a CustomInfoType, or one of the names listed

5619

# at https://cloud.google.com/dlp/docs/infotypes-reference when specifying

5620

# a built-in type. InfoType names should conform to the pattern

5621

# `[a-zA-Z0-9_]{1,64}`.

5622

},

5623

"regex": { # Message defining a custom regular expression. # Regular expression based CustomInfoType.

5624

"groupIndexes": [ # The index of the submatch to extract as findings. When not

5625

# specified, the entire match is returned. No more than 3 may be included.

5626

42,

5627

],

5628

"pattern": "A String", # Pattern defining the regular expression. Its syntax

5629

# (https://github.com/google/re2/wiki/Syntax) can be found under the

5630

# google/re2 repository on GitHub.

5631

},

5632

"detectionRules": [ # Set of detection rules to apply to all findings of this CustomInfoType.

5633

# Rules are applied in order that they are specified. Not supported for the

5634

# `surrogate_type` CustomInfoType.

5635

{ # Deprecated; use `InspectionRuleSet` instead. Rule for modifying a

5636

# `CustomInfoType` to alter behavior under certain circumstances, depending

5637

# on the specific details of the rule. Not supported for the `surrogate_type`

5638

# custom infoType.

5639

"hotwordRule": { # The rule that adjusts the likelihood of findings within a certain # Hotword-based detection rule.

5640

# proximity of hotwords.

5641

"likelihoodAdjustment": { # Message for specifying an adjustment to the likelihood of a finding as # Likelihood adjustment to apply to all matching findings.

5642

# part of a detection rule.

5643

"relativeLikelihood": 42, # Increase or decrease the likelihood by the specified number of

5644

# levels. For example, if a finding would be `POSSIBLE` without the

5645

# detection rule and `relative_likelihood` is 1, then it is upgraded to

5646

# `LIKELY`, while a value of -1 would downgrade it to `UNLIKELY`.

5647

# Likelihood may never drop below `VERY_UNLIKELY` or exceed

5648

# `VERY_LIKELY`, so applying an adjustment of 1 followed by an

5649

# adjustment of -1 when base likelihood is `VERY_LIKELY` will result in

5650

# a final likelihood of `LIKELY`.

5651

"fixedLikelihood": "A String", # Set the likelihood of a finding to a fixed value.

5652

},

5653

"hotwordRegex": { # Message defining a custom regular expression. # Regular expression pattern defining what qualifies as a hotword.

5654

"groupIndexes": [ # The index of the submatch to extract as findings. When not

5655

# specified, the entire match is returned. No more than 3 may be included.

5656

42,

5657

],

5658

"pattern": "A String", # Pattern defining the regular expression. Its syntax

5659

# (https://github.com/google/re2/wiki/Syntax) can be found under the

5660

# google/re2 repository on GitHub.

5661

},

5662

"proximity": { # Message for specifying a window around a finding to apply a detection # Proximity of the finding within which the entire hotword must reside.

5663

# The total length of the window cannot exceed 1000 characters. Note that

5664

# the finding itself will be included in the window, so that hotwords may

5665

# be used to match substrings of the finding itself. For example, the

5666

# certainty of a phone number regex "\(\d{3}\) \d{3}-\d{4}" could be

5667

# adjusted upwards if the area code is known to be the local area code of

5668

# a company office using the hotword regex "\(xxx\)", where "xxx"

5669

# is the area code in question.

5670

# rule.

5671

"windowBefore": 42, # Number of characters before the finding to consider.

5672

"windowAfter": 42, # Number of characters after the finding to consider.

},

},

},

],

"exclusionType": "A String", # If set to EXCLUSION_TYPE_EXCLUDE this infoType will not cause a finding

5678

# to be returned. It still can be used for rules matching.

5679

"dictionary": { # Custom information type based on a dictionary of words or phrases. This can # A list of phrases to detect as a CustomInfoType.

5680

# be used to match sensitive information specific to the data, such as a list

5681

# of employee IDs or job titles.

5682

#

5683

# Dictionary words are case-insensitive and all characters other than letters

5684

# and digits in the unicode [Basic Multilingual

5685

# Plane](https://en.wikipedia.org/wiki/Plane_%28Unicode%29#Basic_Multilingual_Plane)

5686

# will be replaced with whitespace when scanning for matches, so the

5687

# dictionary phrase "Sam Johnson" will match all three phrases "sam johnson",

5688

# "Sam, Johnson", and "Sam (Johnson)". Additionally, the characters

5689

# surrounding any match must be of a different type than the adjacent

5690

# characters within the word, so letters must be next to non-letters and

5691

# digits next to non-digits. For example, the dictionary word "jen" will

5692

# match the first three letters of the text "jen123" but will return no

5693

# matches for "jennifer".

5694

#

5695

# Dictionary words containing a large number of characters that are not

5696

# letters or digits may result in unexpected findings because such characters

5697

# are treated as whitespace. The

5698

# [limits](https://cloud.google.com/dlp/limits) page contains details about

5699

# the size limits of dictionaries. For dictionaries that do not fit within

5700

# these constraints, consider using `LargeCustomDictionaryConfig` in the

5701

# `StoredInfoType` API.

5702

"wordList": { # Message defining a list of words or phrases to search for in the data. # List of words or phrases to search for.

5703

"words": [ # Words or phrases defining the dictionary. The dictionary must contain

5704

# at least one phrase and every phrase must contain at least 2 characters

5705

# that are letters or digits. [required]

"A String",

],

},

"cloudStoragePath": { # Message representing a single file or path in Cloud Storage. # Newline-delimited file of words in Cloud Storage. Only a single file

5710

# is accepted.

5711

"path": "A String", # A url representing a file or path (no wildcards) in Cloud Storage.

5712

# Example: gs://[BUCKET_NAME]/dictionary.txt

5713

},

5714

},

5715

"storedType": { # A reference to a StoredInfoType to use with scanning. # Load an existing `StoredInfoType` resource for use in

5716

# `InspectDataSource`. Not currently supported in `InspectContent`.

5717

"name": "A String", # Resource name of the requested `StoredInfoType`, for example

5718

# `organizations/433245324/storedInfoTypes/432452342` or

5719

# `projects/project-id/storedInfoTypes/432452342`.

5720

"createTime": "A String", # Timestamp indicating when the version of the `StoredInfoType` used for

5721

# inspection was created. Output-only field, populated by the system.

5722

},

5723

"surrogateType": { # Message for detecting output from deidentification transformations # Message for detecting output from deidentification transformations that

5724

# support reversing.

5725

# such as

5726

# [`CryptoReplaceFfxFpeConfig`](/dlp/docs/reference/rest/v2/organizations.deidentifyTemplates#cryptoreplaceffxfpeconfig).

5727

# These types of transformations are

5728

# those that perform pseudonymization, thereby producing a "surrogate" as

5729

# output. This should be used in conjunction with a field on the

5730

# transformation such as `surrogate_info_type`. This CustomInfoType does

5731

# not support the use of `detection_rules`.

},

},

],

},

"locationId": "A String", # The geographic location to process content reidentification. Reserved for

5737

# future extensions.

5738

"reidentifyTemplateName": "A String", # Template to use. References an instance of `DeidentifyTemplate`.

5739

# Any configuration directly specified in `reidentify_config` or

5740

# `inspect_config` will override those set in the template. Singular fields

5741

# that are set in this request will replace their corresponding fields in the

5742

# template. Repeated fields are appended. Singular sub-messages and groups

5743

# are recursively merged.

5744

"reidentifyConfig": { # The configuration that controls how the data will change. # Configuration for the re-identification of the content item.

5745

# This field shares the same proto message type that is used for

5746

# de-identification, however its usage here is for the reversal of the

5747

# previous de-identification. Re-identification is performed by examining

5748

# the transformations used to de-identify the items and executing the

5749

# reverse. This requires that only reversible transformations

5750

# be provided here. The reversible transformations are:

5751

#

5752

# - `CryptoDeterministicConfig`

5753

# - `CryptoReplaceFfxFpeConfig`

5754

"transformationErrorHandling": { # How to handle transformation errors during de-identification. A # Mode for handling transformation errors. If left unspecified, the default

5755

# mode is `TransformationErrorHandling.ThrowError`.

5756

# transformation error occurs when the requested transformation is incompatible

5757

# with the data. For example, trying to de-identify an IP address using a

5758

# `DateShift` transformation would result in a transformation error, since date

5759

# info cannot be extracted from an IP address.

5760

# Information about any incompatible transformations, and how they were

5761

# handled, is returned in the response as part of the

5762

# `TransformationOverviews`.

5763

"throwError": { # Throw an error and fail the request when a transformation error occurs. # Throw an error

5764

},

5765

"leaveUntransformed": { # Skips the data without modifying it if the requested transformation would # Ignore errors

5766

# cause an error. For example, if a `DateShift` transformation were applied

5767

# an an IP address, this mode would leave the IP address unchanged in the

# response.

},

},

"recordTransformations": { # A type of transformation that is applied over structured data such as a # Treat the dataset as structured. Transformations can be applied to

5772

# specific locations within structured datasets, such as transforming

5773

# a column within a table.

5774

# table.

5775

"recordSuppressions": [ # Configuration defining which records get suppressed entirely. Records that

5776

# match any suppression rule are omitted from the output.

5777

{ # Configuration to suppress records whose suppression conditions evaluate to

5778

# true.

5779

"condition": { # A condition for determining whether a transformation should be applied to # A condition that when it evaluates to true will result in the record being

5780

# evaluated to be suppressed from the transformed content.

5781

# a field.

5782

"expressions": { # An expression, consisting or an operator and conditions. # An expression.

5783

"logicalOperator": "A String", # The operator to apply to the result of conditions. Default and currently

5784

# only supported value is `AND`.

5785

"conditions": { # A collection of conditions. # Conditions to apply to the expression.

5786

"conditions": [ # A collection of conditions.

5787

{ # The field type of `value` and `field` do not need to match to be

5788

# considered equal, but not all comparisons are possible.

5789

# EQUAL_TO and NOT_EQUAL_TO attempt to compare even with incompatible types,

5790

# but all other comparisons are invalid with incompatible types.

5791

# A `value` of type:

5792

#

5793

# - `string` can be compared against all other types

5794

# - `boolean` can only be compared against other booleans

5795

# - `integer` can be compared against doubles or a string if the string value

5796

# can be parsed as an integer.

5797

# - `double` can be compared against integers or a string if the string can

5798

# be parsed as a double.

5799

# - `Timestamp` can be compared against strings in RFC 3339 date string

5800

# format.

5801

# - `TimeOfDay` can be compared against timestamps and strings in the format

5802

# of 'HH:mm:ss'.

5803

#

5804

# If we fail to compare do to type mismatch, a warning will be given and

5805

# the condition will evaluate to false.

5806

"field": { # General identifier of a data field in a storage service. # Required. Field within the record this condition is evaluated against.

5807

"name": "A String", # Name describing the field.

5808

},

5809

"operator": "A String", # Required. Operator used to compare the field or infoType to the value.

5810

"value": { # Set of primitive values supported by the system. # Value to compare against. [Mandatory, except for `EXISTS` tests.]

5811

# Note that for the purposes of inspection or transformation, the number

5812

# of bytes considered to comprise a 'Value' is based on its representation

5813

# as a UTF-8 encoded string. For example, if 'integer_value' is set to

5814

# 123456789, the number of bytes would be counted as 9, even though an

5815

# int64 only holds up to 8 bytes of data.

5816

"booleanValue": True or False, # boolean

5817

"floatValue": 3.14, # float

5818

"dayOfWeekValue": "A String", # day of week

5819

"timestampValue": "A String", # timestamp

5820

"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date

5821

# and time zone are either specified elsewhere or are not significant. The date

5822

# is relative to the Proleptic Gregorian Calendar. This can represent:

5823

#

5824

# * A full date, with non-zero year, month and day values

5825

# * A month and day value, with a zero year, e.g. an anniversary

5826

# * A year on its own, with zero month and day values

5827

# * A year and month value, with a zero day, e.g. a credit card expiration date

5828

#

5829

# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.

5830

"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without

5831

# a year.

5832

"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a

5833

# month and day.

5834

"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0

5835

# if specifying a year by itself or a year and month where the day is not

5836

# significant.

5837

},

5838

"stringValue": "A String", # string

5839

"integerValue": "A String", # integer

5840

"timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day

5841

# or are specified elsewhere. An API may choose to allow leap seconds. Related

5842

# types are google.type.Date and `google.protobuf.Timestamp`.

5843

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may

5844

# allow the value 60 if it allows leap-seconds.

5845

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

5846

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose

5847

# to allow the value "24:00:00" for scenarios like business closing time.

5848

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

},

},

},

],

},

},

},

},

],

"fieldTransformations": [ # Transform the record by applying various field transformations.

5859

{ # The transformation to apply to the field.

5860

"fields": [ # Required. Input field(s) to apply the transformation to.

5861

{ # General identifier of a data field in a storage service.

5862

"name": "A String", # Name describing the field.

5863

},

5864

],

5865

"infoTypeTransformations": { # A type of transformation that will scan unstructured text and # Treat the contents of the field as free text, and selectively

5866

# transform content that matches an `InfoType`.

5867

# apply various `PrimitiveTransformation`s to each finding, where the

5868

# transformation is applied to only values that were identified as a specific

5869

# info_type.

5870

"transformations": [ # Required. Transformation for each infoType. Cannot specify more than one

5871

# for a given infoType.

5872

{ # A transformation to apply to text that is identified as a specific

5873

# info_type.

5874

"infoTypes": [ # InfoTypes to apply the transformation to. An empty list will cause

5875

# this transformation to apply to all findings that correspond to

5876

# infoTypes that were requested in `InspectConfig`.

5877

{ # Type of information detected by the API.

5878

"name": "A String", # Name of the information type. Either a name of your choosing when

5879

# creating a CustomInfoType, or one of the names listed

5880

# at https://cloud.google.com/dlp/docs/infotypes-reference when specifying

5881

# a built-in type. InfoType names should conform to the pattern

5882

# `[a-zA-Z0-9_]{1,64}`.

5883

},

5884

],

5885

"primitiveTransformation": { # A rule for transforming a value. # Required. Primitive transformation to apply to the infoType.

5886

"timePartConfig": { # For use with `Date`, `Timestamp`, and `TimeOfDay`, extract or preserve a # Time extraction

5887

# portion of the value.

5888

"partToExtract": "A String", # The part of the time to keep.

5889

},

5890

"dateShiftConfig": { # Shifts dates by random number of days, with option to be consistent for the # Date Shift

5891

# same context. See https://cloud.google.com/dlp/docs/concepts-date-shifting

5892

# to learn more.

5893

"context": { # General identifier of a data field in a storage service. # Points to the field that contains the context, for example, an entity id.

5894

# If set, must also set cryptoKey. If set, shift will be consistent for the

5895

# given context.

5896

"name": "A String", # Name describing the field.

5897

},

5898

"upperBoundDays": 42, # Required. Range of shift in days. Actual shift will be selected at random within this

5899

# range (inclusive ends). Negative means shift to earlier in time. Must not

5900

# be more than 365250 days (1000 years) each direction.

5901

#

5902

# For example, 3 means shift date to at most 3 days into the future.

5903

"lowerBoundDays": 42, # Required. For example, -5 means shift date to at most 5 days back in the past.

5904

"cryptoKey": { # This is a data encryption key (DEK) (as opposed to # Causes the shift to be computed based on this key and the context. This

5905

# results in the same shift for the same context and crypto_key. If

5906

# set, must also set context. Can only be applied to table items.

5907

# a key encryption key (KEK) stored by KMS).

5908

# When using KMS to wrap/unwrap DEKs, be sure to set an appropriate

5909

# IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot

5910

# unwrap the data crypto key.

5911

"kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key

5912

# The wrapped key must be a 128/192/256 bit key.

5913

# Authorization requires the following IAM permissions when sending a request

5914

# to perform a crypto transformation using a kms-wrapped crypto key:

5915

# dlp.kms.encrypt

5916

"wrappedKey": "A String", # Required. The wrapped data crypto key.

5917

"cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.

5918

},

5919

"unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key

5920

# leaking the key. Choose another type of key if possible.

5921

"key": "A String", # Required. A 128/192/256 bit key.

5922

},

5923

"transient": { # Use this to have a random data crypto key generated. # Transient crypto key

5924

# It will be discarded after the request finishes.

5925

"name": "A String", # Required. Name of the key.

5926

# This is an arbitrary string used to differentiate different keys.

5927

# A unique key is generated per name: two separate `TransientCryptoKey`

5928

# protos share the same generated key if their names are the same.

5929

# When the data crypto key is generated, this name is not used in any way

5930

# (repeating the api call will result in a different key being generated).

},

},

},

"replaceWithInfoTypeConfig": { # Replace each matching finding with the name of the info_type. # Replace with infotype

5935

},

5936

"cryptoHashConfig": { # Pseudonymization method that generates surrogates via cryptographic hashing. # Crypto

5937

# Uses SHA-256.

5938

# The key size must be either 32 or 64 bytes.

5939

# Outputs a base64 encoded representation of the hashed output

5940

# (for example, L7k0BHmF1ha5U3NfGykjro4xWi1MPVQPjhMAZbSV9mM=).

5941

# Currently, only string and integer values can be hashed.

5942

# See https://cloud.google.com/dlp/docs/pseudonymization to learn more.

5943

"cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the hash function.

5944

# a key encryption key (KEK) stored by KMS).

5945

# When using KMS to wrap/unwrap DEKs, be sure to set an appropriate

5946

# IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot

5947

# unwrap the data crypto key.

5948

"kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key

5949

# The wrapped key must be a 128/192/256 bit key.

5950

# Authorization requires the following IAM permissions when sending a request

5951

# to perform a crypto transformation using a kms-wrapped crypto key:

5952

# dlp.kms.encrypt

5953

"wrappedKey": "A String", # Required. The wrapped data crypto key.

5954

"cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.

5955

},

5956

"unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key

5957

# leaking the key. Choose another type of key if possible.

5958

"key": "A String", # Required. A 128/192/256 bit key.

5959

},

5960

"transient": { # Use this to have a random data crypto key generated. # Transient crypto key

5961

# It will be discarded after the request finishes.

5962

"name": "A String", # Required. Name of the key.

5963

# This is an arbitrary string used to differentiate different keys.

5964

# A unique key is generated per name: two separate `TransientCryptoKey`

5965

# protos share the same generated key if their names are the same.

5966

# When the data crypto key is generated, this name is not used in any way

5967

# (repeating the api call will result in a different key being generated).

},

},

},

"cryptoReplaceFfxFpeConfig": { # Replaces an identifier with a surrogate using Format Preserving Encryption # Ffx-Fpe

5972

# (FPE) with the FFX mode of operation; however when used in the

5973

# `ReidentifyContent` API method, it serves the opposite function by reversing

5974

# the surrogate back into the original identifier. The identifier must be

5975

# encoded as ASCII. For a given crypto key and context, the same identifier

5976

# will be replaced with the same surrogate. Identifiers must be at least two

5977

# characters long. In the case that the identifier is the empty string, it will

5978

# be skipped. See https://cloud.google.com/dlp/docs/pseudonymization to learn

5979

# more.

5980

#

5981

# Note: We recommend using CryptoDeterministicConfig for all use cases which

5982

# do not require preserving the input alphabet space and size, plus warrant

5983

# referential integrity.

5984

"customAlphabet": "A String", # This is supported by mapping these to the alphanumeric characters

5985

# that the FFX mode natively supports. This happens before/after

5986

# encryption/decryption.

5987

# Each character listed must appear only once.

5988

# Number of characters must be in the range [2, 95].

5989

# This must be encoded as ASCII.

5990

# The order of characters does not matter.

5991

"commonAlphabet": "A String", # Common alphabets.

5992

"surrogateInfoType": { # Type of information detected by the API. # The custom infoType to annotate the surrogate with.

5993

# This annotation will be applied to the surrogate by prefixing it with

5994

# the name of the custom infoType followed by the number of

5995

# characters comprising the surrogate. The following scheme defines the

5996

# format: info_type_name(surrogate_character_count):surrogate

5997

#

5998

# For example, if the name of custom infoType is 'MY_TOKEN_INFO_TYPE' and

5999

# the surrogate is 'abc', the full replacement value

6000

# will be: 'MY_TOKEN_INFO_TYPE(3):abc'

6001

#

6002

# This annotation identifies the surrogate when inspecting content using the

6003

# custom infoType

6004

# [`SurrogateType`](/dlp/docs/reference/rest/v2/InspectConfig#surrogatetype).

6005

# This facilitates reversal of the surrogate when it occurs in free text.

6006

#

6007

# In order for inspection to work properly, the name of this infoType must

6008

# not occur naturally anywhere in your data; otherwise, inspection may

6009

# find a surrogate that does not correspond to an actual identifier.

6010

# Therefore, choose your custom infoType name carefully after considering

6011

# what your data looks like. One way to select a name that has a high chance

6012

# of yielding reliable detection is to include one or more unicode characters

6013

# that are highly improbable to exist in your data.

6014

# For example, assuming your data is entered from a regular ASCII keyboard,

6015

# the symbol with the hex code point 29DD might be used like so:

6016

# ⧝MY_TOKEN_TYPE

6017

"name": "A String", # Name of the information type. Either a name of your choosing when

6018

# creating a CustomInfoType, or one of the names listed

6019

# at https://cloud.google.com/dlp/docs/infotypes-reference when specifying

6020

# a built-in type. InfoType names should conform to the pattern

6021

# `[a-zA-Z0-9_]{1,64}`.

6022

},

6023

"context": { # General identifier of a data field in a storage service. # The 'tweak', a context may be used for higher security since the same

6024

# identifier in two different contexts won't be given the same surrogate. If

6025

# the context is not set, a default tweak will be used.

6026

#

6027

# If the context is set but:

6028

#

6029

# 1. there is no record present when transforming a given value or

6030

# 1. the field is not present when transforming a given value,

6031

#

6032

# a default tweak will be used.

6033

#

6034

# Note that case (1) is expected when an `InfoTypeTransformation` is

6035

# applied to both structured and non-structured `ContentItem`s.

6036

# Currently, the referenced field may be of value type integer or string.

6037

#

6038

# The tweak is constructed as a sequence of bytes in big endian byte order

6039

# such that:

6040

#

6041

# - a 64 bit integer is encoded followed by a single byte of value 1

6042

# - a string is encoded in UTF-8 format followed by a single byte of value 2

6043

"name": "A String", # Name describing the field.

6044

},

6045

"radix": 42, # The native way to select the alphabet. Must be in the range [2, 95].

6046

"cryptoKey": { # This is a data encryption key (DEK) (as opposed to # Required. The key used by the encryption algorithm.

6047

# a key encryption key (KEK) stored by KMS).

6048

# When using KMS to wrap/unwrap DEKs, be sure to set an appropriate

6049

# IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot

6050

# unwrap the data crypto key.

6051

"kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key

6052

# The wrapped key must be a 128/192/256 bit key.

6053

# Authorization requires the following IAM permissions when sending a request

6054

# to perform a crypto transformation using a kms-wrapped crypto key:

6055

# dlp.kms.encrypt

6056

"wrappedKey": "A String", # Required. The wrapped data crypto key.

6057

"cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.

6058

},

6059

"unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key

6060

# leaking the key. Choose another type of key if possible.

6061

"key": "A String", # Required. A 128/192/256 bit key.

6062

},

6063

"transient": { # Use this to have a random data crypto key generated. # Transient crypto key

6064

# It will be discarded after the request finishes.

6065

"name": "A String", # Required. Name of the key.

6066

# This is an arbitrary string used to differentiate different keys.

6067

# A unique key is generated per name: two separate `TransientCryptoKey`

6068

# protos share the same generated key if their names are the same.

6069

# When the data crypto key is generated, this name is not used in any way

6070

# (repeating the api call will result in a different key being generated).

},

},

},

"cryptoDeterministicConfig": { # Pseudonymization method that generates deterministic encryption for the given # Deterministic Crypto

6075

# input. Outputs a base64 encoded representation of the encrypted output.

6076

# Uses AES-SIV based on the RFC https://tools.ietf.org/html/rfc5297.

6077

"surrogateInfoType": { # Type of information detected by the API. # The custom info type to annotate the surrogate with.

6078

# This annotation will be applied to the surrogate by prefixing it with

6079

# the name of the custom info type followed by the number of

6080

# characters comprising the surrogate. The following scheme defines the

6081

# format: {info type name}({surrogate character count}):{surrogate}

6082

#

6083

# For example, if the name of custom info type is 'MY_TOKEN_INFO_TYPE' and

6084

# the surrogate is 'abc', the full replacement value

6085

# will be: 'MY_TOKEN_INFO_TYPE(3):abc'

6086

#

6087

# This annotation identifies the surrogate when inspecting content using the

6088

# custom info type 'Surrogate'. This facilitates reversal of the

6089

# surrogate when it occurs in free text.

6090

#

6091

# Note: For record transformations where the entire cell in a table is being

6092

# transformed, surrogates are not mandatory. Surrogates are used to denote

6093

# the location of the token and are necessary for re-identification in free

6094

# form text.

6095

#

6096

# In order for inspection to work properly, the name of this info type must

6097

# not occur naturally anywhere in your data; otherwise, inspection may either

6098

#

6099

# - reverse a surrogate that does not correspond to an actual identifier

6100

# - be unable to parse the surrogate and result in an error

6101

#

6102

# Therefore, choose your custom info type name carefully after considering

6103

# what your data looks like. One way to select a name that has a high chance

6104

# of yielding reliable detection is to include one or more unicode characters

6105

# that are highly improbable to exist in your data.

6106

# For example, assuming your data is entered from a regular ASCII keyboard,

6107

# the symbol with the hex code point 29DD might be used like so:

6108

# ⧝MY_TOKEN_TYPE.

6109

"name": "A String", # Name of the information type. Either a name of your choosing when

6110

# creating a CustomInfoType, or one of the names listed

6111

# at https://cloud.google.com/dlp/docs/infotypes-reference when specifying

6112

# a built-in type. InfoType names should conform to the pattern

6113

# `[a-zA-Z0-9_]{1,64}`.

6114

},

6115

"context": { # General identifier of a data field in a storage service. # A context may be used for higher security and maintaining

6116

# referential integrity such that the same identifier in two different

6117

# contexts will be given a distinct surrogate. The context is appended to

6118

# plaintext value being encrypted. On decryption the provided context is

6119

# validated against the value used during encryption. If a context was

6120

# provided during encryption, same context must be provided during decryption

6121

# as well.

6122

#

6123

# If the context is not set, plaintext would be used as is for encryption.

6124

# If the context is set but:

6125

#

6126

# 1. there is no record present when transforming a given value or

6127

# 2. the field is not present when transforming a given value,

6128

#

6129

# plaintext would be used as is for encryption.

6130

#

6131

# Note that case (1) is expected when an `InfoTypeTransformation` is

6132

# applied to both structured and non-structured `ContentItem`s.

6133

"name": "A String", # Name describing the field.

6134

},

6135

"cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the encryption function.

6136

# a key encryption key (KEK) stored by KMS).

6137

# When using KMS to wrap/unwrap DEKs, be sure to set an appropriate

6138

# IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot

6139

# unwrap the data crypto key.

6140

"kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key

6141

# The wrapped key must be a 128/192/256 bit key.

6142

# Authorization requires the following IAM permissions when sending a request

6143

# to perform a crypto transformation using a kms-wrapped crypto key:

6144

# dlp.kms.encrypt

6145

"wrappedKey": "A String", # Required. The wrapped data crypto key.

6146

"cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.

6147

},

6148

"unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key

6149

# leaking the key. Choose another type of key if possible.

6150

"key": "A String", # Required. A 128/192/256 bit key.

6151

},

6152

"transient": { # Use this to have a random data crypto key generated. # Transient crypto key

6153

# It will be discarded after the request finishes.

6154

"name": "A String", # Required. Name of the key.

6155

# This is an arbitrary string used to differentiate different keys.

6156

# A unique key is generated per name: two separate `TransientCryptoKey`

6157

# protos share the same generated key if their names are the same.

6158

# When the data crypto key is generated, this name is not used in any way

6159

# (repeating the api call will result in a different key being generated).

},

},

},

"redactConfig": { # Redact a given value. For example, if used with an `InfoTypeTransformation` # Redact

6164

# transforming PHONE_NUMBER, and input 'My phone number is 206-555-0123', the

6165

# output would be 'My phone number is '.

6166

},

6167

"bucketingConfig": { # Generalization function that buckets values based on ranges. The ranges and # Bucketing

6168

# replacement values are dynamically provided by the user for custom behavior,

6169

# such as 1-30 -> LOW 31-65 -> MEDIUM 66-100 -> HIGH

6170

# This can be used on

6171

# data of type: number, long, string, timestamp.

6172

# If the bound `Value` type differs from the type of data being transformed, we

6173

# will first attempt converting the type of the data to be transformed to match

6174

# the type of the bound before comparing.

6175

# See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more.

6176

"buckets": [ # Set of buckets. Ranges must be non-overlapping.

6177

{ # Bucket is represented as a range, along with replacement values.

6178

"min": { # Set of primitive values supported by the system. # Lower bound of the range, inclusive. Type should be the same as max if

6179

# used.

6180

# Note that for the purposes of inspection or transformation, the number

6181

# of bytes considered to comprise a 'Value' is based on its representation

6182

# as a UTF-8 encoded string. For example, if 'integer_value' is set to

6183

# 123456789, the number of bytes would be counted as 9, even though an

6184

# int64 only holds up to 8 bytes of data.

6185

"booleanValue": True or False, # boolean

6186

"floatValue": 3.14, # float

6187

"dayOfWeekValue": "A String", # day of week

6188

"timestampValue": "A String", # timestamp

6189

"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date

6190

# and time zone are either specified elsewhere or are not significant. The date

6191

# is relative to the Proleptic Gregorian Calendar. This can represent:

6192

#

6193

# * A full date, with non-zero year, month and day values

6194

# * A month and day value, with a zero year, e.g. an anniversary

6195

# * A year on its own, with zero month and day values

6196

# * A year and month value, with a zero day, e.g. a credit card expiration date

6197

#

6198

# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.

6199

"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without

6200

# a year.

6201

"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a

6202

# month and day.

6203

"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0

6204

# if specifying a year by itself or a year and month where the day is not

6205

# significant.

6206

},

6207

"stringValue": "A String", # string

6208

"integerValue": "A String", # integer

6209

"timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day

6210

# or are specified elsewhere. An API may choose to allow leap seconds. Related

6211

# types are google.type.Date and `google.protobuf.Timestamp`.

6212

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may

6213

# allow the value 60 if it allows leap-seconds.

6214

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

6215

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose

6216

# to allow the value "24:00:00" for scenarios like business closing time.

6217

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

6218

},

6219

},

6220

"max": { # Set of primitive values supported by the system. # Upper bound of the range, exclusive; type must match min.

6221

# Note that for the purposes of inspection or transformation, the number

6222

# of bytes considered to comprise a 'Value' is based on its representation

6223

# as a UTF-8 encoded string. For example, if 'integer_value' is set to

6224

# 123456789, the number of bytes would be counted as 9, even though an

6225

# int64 only holds up to 8 bytes of data.

6226

"booleanValue": True or False, # boolean

6227

"floatValue": 3.14, # float

6228

"dayOfWeekValue": "A String", # day of week

6229

"timestampValue": "A String", # timestamp

6230

"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date

6231

# and time zone are either specified elsewhere or are not significant. The date

6232

# is relative to the Proleptic Gregorian Calendar. This can represent:

6233

#

6234

# * A full date, with non-zero year, month and day values

6235

# * A month and day value, with a zero year, e.g. an anniversary

6236

# * A year on its own, with zero month and day values

6237

# * A year and month value, with a zero day, e.g. a credit card expiration date

6238

#

6239

# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.

6240

"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without

6241

# a year.

6242

"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a

6243

# month and day.

6244

"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0

6245

# if specifying a year by itself or a year and month where the day is not

6246

# significant.

6247

},

6248

"stringValue": "A String", # string

6249

"integerValue": "A String", # integer

6250

"timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day

6251

# or are specified elsewhere. An API may choose to allow leap seconds. Related

6252

# types are google.type.Date and `google.protobuf.Timestamp`.

6253

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may

6254

# allow the value 60 if it allows leap-seconds.

6255

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

6256

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose

6257

# to allow the value "24:00:00" for scenarios like business closing time.

6258

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

6259

},

6260

},

6261

"replacementValue": { # Set of primitive values supported by the system. # Replacement value for this bucket. If not provided

6262

# the default behavior will be to hyphenate the min-max range.

6263

# Note that for the purposes of inspection or transformation, the number

6264

# of bytes considered to comprise a 'Value' is based on its representation

6265

# as a UTF-8 encoded string. For example, if 'integer_value' is set to

6266

# 123456789, the number of bytes would be counted as 9, even though an

6267

# int64 only holds up to 8 bytes of data.

6268

"booleanValue": True or False, # boolean

6269

"floatValue": 3.14, # float

6270

"dayOfWeekValue": "A String", # day of week

6271

"timestampValue": "A String", # timestamp

6272

"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date

6273

# and time zone are either specified elsewhere or are not significant. The date

6274

# is relative to the Proleptic Gregorian Calendar. This can represent:

6275

#

6276

# * A full date, with non-zero year, month and day values

6277

# * A month and day value, with a zero year, e.g. an anniversary

6278

# * A year on its own, with zero month and day values

6279

# * A year and month value, with a zero day, e.g. a credit card expiration date

6280

#

6281

# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.

6282

"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without

6283

# a year.

6284

"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a

6285

# month and day.

6286

"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0

6287

# if specifying a year by itself or a year and month where the day is not

6288

# significant.

6289

},

6290

"stringValue": "A String", # string

6291

"integerValue": "A String", # integer

6292

"timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day

6293

# or are specified elsewhere. An API may choose to allow leap seconds. Related

6294

# types are google.type.Date and `google.protobuf.Timestamp`.

6295

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may

6296

# allow the value 60 if it allows leap-seconds.

6297

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

6298

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose

6299

# to allow the value "24:00:00" for scenarios like business closing time.

6300

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

},

},

},

],

},

"replaceConfig": { # Replace each input value with a given `Value`. # Replace

6307

"newValue": { # Set of primitive values supported by the system. # Value to replace it with.

6308

# Note that for the purposes of inspection or transformation, the number

6309

# of bytes considered to comprise a 'Value' is based on its representation

6310

# as a UTF-8 encoded string. For example, if 'integer_value' is set to

6311

# 123456789, the number of bytes would be counted as 9, even though an

6312

# int64 only holds up to 8 bytes of data.

6313

"booleanValue": True or False, # boolean

6314

"floatValue": 3.14, # float

6315

"dayOfWeekValue": "A String", # day of week

6316

"timestampValue": "A String", # timestamp

6317

"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date

6318

# and time zone are either specified elsewhere or are not significant. The date

6319

# is relative to the Proleptic Gregorian Calendar. This can represent:

6320

#

6321

# * A full date, with non-zero year, month and day values

6322

# * A month and day value, with a zero year, e.g. an anniversary

6323

# * A year on its own, with zero month and day values

6324

# * A year and month value, with a zero day, e.g. a credit card expiration date

6325

#

6326

# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.

6327

"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without

6328

# a year.

6329

"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a

6330

# month and day.

6331

"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0

6332

# if specifying a year by itself or a year and month where the day is not

6333

# significant.

6334

},

6335

"stringValue": "A String", # string

6336

"integerValue": "A String", # integer

6337

"timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day

6338

# or are specified elsewhere. An API may choose to allow leap seconds. Related

6339

# types are google.type.Date and `google.protobuf.Timestamp`.

6340

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may

6341

# allow the value 60 if it allows leap-seconds.

6342

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

6343

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose

6344

# to allow the value "24:00:00" for scenarios like business closing time.

6345

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

},

},

},

"characterMaskConfig": { # Partially mask a string by replacing a given number of characters with a # Mask

6350

# fixed character. Masking can start from the beginning or end of the string.

6351

# This can be used on data of any type (numbers, longs, and so on) and when

6352

# de-identifying structured data we'll attempt to preserve the original data's

6353

# type. (This allows you to take a long like 123 and modify it to a string like

6354

# **3.

6355

"reverseOrder": True or False, # Mask characters in reverse order. For example, if `masking_character` is

6356

# `0`, `number_to_mask` is `14`, and `reverse_order` is `false`, then the

6357

# input string `1234-5678-9012-3456` is masked as `00000000000000-3456`.

6358

# If `masking_character` is `*`, `number_to_mask` is `3`, and `reverse_order`

6359

# is `true`, then the string `12345` is masked as `12***`.

6360

"charactersToIgnore": [ # When masking a string, items in this list will be skipped when replacing

6361

# characters. For example, if the input string is `555-555-5555` and you

6362

# instruct Cloud DLP to skip `-` and mask 5 characters with `*`, Cloud DLP

6363

# returns `***-**5-5555`.

6364

{ # Characters to skip when doing deidentification of a value. These will be left

6365

# alone and skipped.

6366

"charactersToSkip": "A String", # Characters to not transform when masking.

6367

"commonCharactersToIgnore": "A String", # Common characters to not transform when masking. Useful to avoid removing

# punctuation.

},

],

"numberToMask": 42, # Number of characters to mask. If not set, all matching chars will be

6372

# masked. Skipped characters do not count towards this tally.

6373

"maskingCharacter": "A String", # Character to use to mask the sensitive values&mdash;for example, `*` for an

6374

# alphabetic string such as a name, or `0` for a numeric string such as ZIP

6375

# code or credit card number. This string must have a length of 1. If not

6376

# supplied, this value defaults to `*` for strings, and `0` for digits.

6377

},

6378

"fixedSizeBucketingConfig": { # Buckets values based on fixed size ranges. The # Fixed size bucketing

6379

# Bucketing transformation can provide all of this functionality,

6380

# but requires more configuration. This message is provided as a convenience to

6381

# the user for simple bucketing strategies.

6382

#

6383

# The transformed value will be a hyphenated string of

6384

# {lower_bound}-{upper_bound}, i.e if lower_bound = 10 and upper_bound = 20

6385

# all values that are within this bucket will be replaced with "10-20".

6386

#

6387

# This can be used on data of type: double, long.

6388

#

6389

# If the bound Value type differs from the type of data

6390

# being transformed, we will first attempt converting the type of the data to

6391

# be transformed to match the type of the bound before comparing.

6392

#

6393

# See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more.

6394

"lowerBound": { # Set of primitive values supported by the system. # Required. Lower bound value of buckets. All values less than `lower_bound` are

6395

# grouped together into a single bucket; for example if `lower_bound` = 10,

6396

# then all values less than 10 are replaced with the value "-10".

6397

# Note that for the purposes of inspection or transformation, the number

6398

# of bytes considered to comprise a 'Value' is based on its representation

6399

# as a UTF-8 encoded string. For example, if 'integer_value' is set to

6400

# 123456789, the number of bytes would be counted as 9, even though an

6401

# int64 only holds up to 8 bytes of data.

6402

"booleanValue": True or False, # boolean

6403

"floatValue": 3.14, # float

6404

"dayOfWeekValue": "A String", # day of week

6405

"timestampValue": "A String", # timestamp

6406

"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date

6407

# and time zone are either specified elsewhere or are not significant. The date

6408

# is relative to the Proleptic Gregorian Calendar. This can represent:

6409

#

6410

# * A full date, with non-zero year, month and day values

6411

# * A month and day value, with a zero year, e.g. an anniversary

6412

# * A year on its own, with zero month and day values

6413

# * A year and month value, with a zero day, e.g. a credit card expiration date

6414

#

6415

# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.

6416

"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without

6417

# a year.

6418

"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a

6419

# month and day.

6420

"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0

6421

# if specifying a year by itself or a year and month where the day is not

6422

# significant.

6423

},

6424

"stringValue": "A String", # string

6425

"integerValue": "A String", # integer

6426

"timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day

6427

# or are specified elsewhere. An API may choose to allow leap seconds. Related

6428

# types are google.type.Date and `google.protobuf.Timestamp`.

6429

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may

6430

# allow the value 60 if it allows leap-seconds.

6431

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

6432

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose

6433

# to allow the value "24:00:00" for scenarios like business closing time.

6434

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

6435

},

6436

},

6437

"upperBound": { # Set of primitive values supported by the system. # Required. Upper bound value of buckets. All values greater than upper_bound are

6438

# grouped together into a single bucket; for example if `upper_bound` = 89,

6439

# then all values greater than 89 are replaced with the value "89+".

6440

# Note that for the purposes of inspection or transformation, the number

6441

# of bytes considered to comprise a 'Value' is based on its representation

6442

# as a UTF-8 encoded string. For example, if 'integer_value' is set to

6443

# 123456789, the number of bytes would be counted as 9, even though an

6444

# int64 only holds up to 8 bytes of data.

6445

"booleanValue": True or False, # boolean

6446

"floatValue": 3.14, # float

6447

"dayOfWeekValue": "A String", # day of week

6448

"timestampValue": "A String", # timestamp

6449

"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date

6450

# and time zone are either specified elsewhere or are not significant. The date

6451

# is relative to the Proleptic Gregorian Calendar. This can represent:

6452

#

6453

# * A full date, with non-zero year, month and day values

6454

# * A month and day value, with a zero year, e.g. an anniversary

6455

# * A year on its own, with zero month and day values

6456

# * A year and month value, with a zero day, e.g. a credit card expiration date

6457

#

6458

# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.

6459

"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without

6460

# a year.

6461

"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a

6462

# month and day.

6463

"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0

6464

# if specifying a year by itself or a year and month where the day is not

6465

# significant.

6466

},

6467

"stringValue": "A String", # string

6468

"integerValue": "A String", # integer

6469

"timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day

6470

# or are specified elsewhere. An API may choose to allow leap seconds. Related

6471

# types are google.type.Date and `google.protobuf.Timestamp`.

6472

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may

6473

# allow the value 60 if it allows leap-seconds.

6474

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

6475

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose

6476

# to allow the value "24:00:00" for scenarios like business closing time.

6477

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

6478

},

6479

},

6480

"bucketSize": 3.14, # Required. Size of each bucket (except for minimum and maximum buckets). So if

6481

# `lower_bound` = 10, `upper_bound` = 89, and `bucket_size` = 10, then the

6482

# following buckets would be used: -10, 10-20, 20-30, 30-40, 40-50, 50-60,

6483

# 60-70, 70-80, 80-89, 89+. Precision up to 2 decimals works.

},

},

},

],

},

"primitiveTransformation": { # A rule for transforming a value. # Apply the transformation to the entire field.

6490

"timePartConfig": { # For use with `Date`, `Timestamp`, and `TimeOfDay`, extract or preserve a # Time extraction

6491

# portion of the value.

6492

"partToExtract": "A String", # The part of the time to keep.

6493

},

6494

"dateShiftConfig": { # Shifts dates by random number of days, with option to be consistent for the # Date Shift

6495

# same context. See https://cloud.google.com/dlp/docs/concepts-date-shifting

6496

# to learn more.

6497

"context": { # General identifier of a data field in a storage service. # Points to the field that contains the context, for example, an entity id.

6498

# If set, must also set cryptoKey. If set, shift will be consistent for the

6499

# given context.

6500

"name": "A String", # Name describing the field.

6501

},

6502

"upperBoundDays": 42, # Required. Range of shift in days. Actual shift will be selected at random within this

6503

# range (inclusive ends). Negative means shift to earlier in time. Must not

6504

# be more than 365250 days (1000 years) each direction.

6505

#

6506

# For example, 3 means shift date to at most 3 days into the future.

6507

"lowerBoundDays": 42, # Required. For example, -5 means shift date to at most 5 days back in the past.

6508

"cryptoKey": { # This is a data encryption key (DEK) (as opposed to # Causes the shift to be computed based on this key and the context. This

6509

# results in the same shift for the same context and crypto_key. If

6510

# set, must also set context. Can only be applied to table items.

6511

# a key encryption key (KEK) stored by KMS).

6512

# When using KMS to wrap/unwrap DEKs, be sure to set an appropriate

6513

# IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot

6514

# unwrap the data crypto key.

6515

"kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key

6516

# The wrapped key must be a 128/192/256 bit key.

6517

# Authorization requires the following IAM permissions when sending a request

6518

# to perform a crypto transformation using a kms-wrapped crypto key:

6519

# dlp.kms.encrypt

6520

"wrappedKey": "A String", # Required. The wrapped data crypto key.

6521

"cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.

6522

},

6523

"unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key

6524

# leaking the key. Choose another type of key if possible.

6525

"key": "A String", # Required. A 128/192/256 bit key.

6526

},

6527

"transient": { # Use this to have a random data crypto key generated. # Transient crypto key

6528

# It will be discarded after the request finishes.

6529

"name": "A String", # Required. Name of the key.

6530

# This is an arbitrary string used to differentiate different keys.

6531

# A unique key is generated per name: two separate `TransientCryptoKey`

6532

# protos share the same generated key if their names are the same.

6533

# When the data crypto key is generated, this name is not used in any way

6534

# (repeating the api call will result in a different key being generated).

},

},

},

"replaceWithInfoTypeConfig": { # Replace each matching finding with the name of the info_type. # Replace with infotype

6539

},

6540

"cryptoHashConfig": { # Pseudonymization method that generates surrogates via cryptographic hashing. # Crypto

6541

# Uses SHA-256.

6542

# The key size must be either 32 or 64 bytes.

6543

# Outputs a base64 encoded representation of the hashed output

6544

# (for example, L7k0BHmF1ha5U3NfGykjro4xWi1MPVQPjhMAZbSV9mM=).

6545

# Currently, only string and integer values can be hashed.

6546

# See https://cloud.google.com/dlp/docs/pseudonymization to learn more.

6547

"cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the hash function.

6548

# a key encryption key (KEK) stored by KMS).

6549

# When using KMS to wrap/unwrap DEKs, be sure to set an appropriate

6550

# IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot

6551

# unwrap the data crypto key.

6552

"kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key

6553

# The wrapped key must be a 128/192/256 bit key.

6554

# Authorization requires the following IAM permissions when sending a request

6555

# to perform a crypto transformation using a kms-wrapped crypto key:

6556

# dlp.kms.encrypt

6557

"wrappedKey": "A String", # Required. The wrapped data crypto key.

6558

"cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.

6559

},

6560

"unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key

6561

# leaking the key. Choose another type of key if possible.

6562

"key": "A String", # Required. A 128/192/256 bit key.

6563

},

6564

"transient": { # Use this to have a random data crypto key generated. # Transient crypto key

6565

# It will be discarded after the request finishes.

6566

"name": "A String", # Required. Name of the key.

6567

# This is an arbitrary string used to differentiate different keys.

6568

# A unique key is generated per name: two separate `TransientCryptoKey`

6569

# protos share the same generated key if their names are the same.

6570

# When the data crypto key is generated, this name is not used in any way

6571

# (repeating the api call will result in a different key being generated).

},

},

},

"cryptoReplaceFfxFpeConfig": { # Replaces an identifier with a surrogate using Format Preserving Encryption # Ffx-Fpe

6576

# (FPE) with the FFX mode of operation; however when used in the

6577

# `ReidentifyContent` API method, it serves the opposite function by reversing

6578

# the surrogate back into the original identifier. The identifier must be

6579

# encoded as ASCII. For a given crypto key and context, the same identifier

6580

# will be replaced with the same surrogate. Identifiers must be at least two

6581

# characters long. In the case that the identifier is the empty string, it will

6582

# be skipped. See https://cloud.google.com/dlp/docs/pseudonymization to learn

6583

# more.

6584

#

6585

# Note: We recommend using CryptoDeterministicConfig for all use cases which

6586

# do not require preserving the input alphabet space and size, plus warrant

6587

# referential integrity.

6588

"customAlphabet": "A String", # This is supported by mapping these to the alphanumeric characters

6589

# that the FFX mode natively supports. This happens before/after

6590

# encryption/decryption.

6591

# Each character listed must appear only once.

6592

# Number of characters must be in the range [2, 95].

6593

# This must be encoded as ASCII.

6594

# The order of characters does not matter.

6595

"commonAlphabet": "A String", # Common alphabets.

6596

"surrogateInfoType": { # Type of information detected by the API. # The custom infoType to annotate the surrogate with.

6597

# This annotation will be applied to the surrogate by prefixing it with

6598

# the name of the custom infoType followed by the number of

6599

# characters comprising the surrogate. The following scheme defines the

6600

# format: info_type_name(surrogate_character_count):surrogate

6601

#

6602

# For example, if the name of custom infoType is 'MY_TOKEN_INFO_TYPE' and

6603

# the surrogate is 'abc', the full replacement value

6604

# will be: 'MY_TOKEN_INFO_TYPE(3):abc'

6605

#

6606

# This annotation identifies the surrogate when inspecting content using the

6607

# custom infoType

6608

# [`SurrogateType`](/dlp/docs/reference/rest/v2/InspectConfig#surrogatetype).

6609

# This facilitates reversal of the surrogate when it occurs in free text.

6610

#

6611

# In order for inspection to work properly, the name of this infoType must

6612

# not occur naturally anywhere in your data; otherwise, inspection may

6613

# find a surrogate that does not correspond to an actual identifier.

6614

# Therefore, choose your custom infoType name carefully after considering

6615

# what your data looks like. One way to select a name that has a high chance

6616

# of yielding reliable detection is to include one or more unicode characters

6617

# that are highly improbable to exist in your data.

6618

# For example, assuming your data is entered from a regular ASCII keyboard,

6619

# the symbol with the hex code point 29DD might be used like so:

6620

# ⧝MY_TOKEN_TYPE

6621

"name": "A String", # Name of the information type. Either a name of your choosing when

6622

# creating a CustomInfoType, or one of the names listed

6623

# at https://cloud.google.com/dlp/docs/infotypes-reference when specifying

6624

# a built-in type. InfoType names should conform to the pattern

6625

# `[a-zA-Z0-9_]{1,64}`.

6626

},

6627

"context": { # General identifier of a data field in a storage service. # The 'tweak', a context may be used for higher security since the same

6628

# identifier in two different contexts won't be given the same surrogate. If

6629

# the context is not set, a default tweak will be used.

6630

#

6631

# If the context is set but:

6632

#

6633

# 1. there is no record present when transforming a given value or

6634

# 1. the field is not present when transforming a given value,

6635

#

6636

# a default tweak will be used.

6637

#

6638

# Note that case (1) is expected when an `InfoTypeTransformation` is

6639

# applied to both structured and non-structured `ContentItem`s.

6640

# Currently, the referenced field may be of value type integer or string.

6641

#

6642

# The tweak is constructed as a sequence of bytes in big endian byte order

6643

# such that:

6644

#

6645

# - a 64 bit integer is encoded followed by a single byte of value 1

6646

# - a string is encoded in UTF-8 format followed by a single byte of value 2

6647

"name": "A String", # Name describing the field.

6648

},

6649

"radix": 42, # The native way to select the alphabet. Must be in the range [2, 95].

6650

"cryptoKey": { # This is a data encryption key (DEK) (as opposed to # Required. The key used by the encryption algorithm.

6651

# a key encryption key (KEK) stored by KMS).

6652

# When using KMS to wrap/unwrap DEKs, be sure to set an appropriate

6653

# IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot

6654

# unwrap the data crypto key.

6655

"kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key

6656

# The wrapped key must be a 128/192/256 bit key.

6657

# Authorization requires the following IAM permissions when sending a request

6658

# to perform a crypto transformation using a kms-wrapped crypto key:

6659

# dlp.kms.encrypt

6660

"wrappedKey": "A String", # Required. The wrapped data crypto key.

6661

"cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.

6662

},

6663

"unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key

6664

# leaking the key. Choose another type of key if possible.

6665

"key": "A String", # Required. A 128/192/256 bit key.

6666

},

6667

"transient": { # Use this to have a random data crypto key generated. # Transient crypto key

6668

# It will be discarded after the request finishes.

6669

"name": "A String", # Required. Name of the key.

6670

# This is an arbitrary string used to differentiate different keys.

6671

# A unique key is generated per name: two separate `TransientCryptoKey`

6672

# protos share the same generated key if their names are the same.

6673

# When the data crypto key is generated, this name is not used in any way

6674

# (repeating the api call will result in a different key being generated).

},

},

},

"cryptoDeterministicConfig": { # Pseudonymization method that generates deterministic encryption for the given # Deterministic Crypto

6679

# input. Outputs a base64 encoded representation of the encrypted output.

6680

# Uses AES-SIV based on the RFC https://tools.ietf.org/html/rfc5297.

6681

"surrogateInfoType": { # Type of information detected by the API. # The custom info type to annotate the surrogate with.

6682

# This annotation will be applied to the surrogate by prefixing it with

6683

# the name of the custom info type followed by the number of

6684

# characters comprising the surrogate. The following scheme defines the

6685

# format: {info type name}({surrogate character count}):{surrogate}

6686

#

6687

# For example, if the name of custom info type is 'MY_TOKEN_INFO_TYPE' and

6688

# the surrogate is 'abc', the full replacement value

6689

# will be: 'MY_TOKEN_INFO_TYPE(3):abc'

6690

#

6691

# This annotation identifies the surrogate when inspecting content using the

6692

# custom info type 'Surrogate'. This facilitates reversal of the

6693

# surrogate when it occurs in free text.

6694

#

6695

# Note: For record transformations where the entire cell in a table is being

6696

# transformed, surrogates are not mandatory. Surrogates are used to denote

6697

# the location of the token and are necessary for re-identification in free

6698

# form text.

6699

#

6700

# In order for inspection to work properly, the name of this info type must

6701

# not occur naturally anywhere in your data; otherwise, inspection may either

6702

#

6703

# - reverse a surrogate that does not correspond to an actual identifier

6704

# - be unable to parse the surrogate and result in an error

6705

#

6706

# Therefore, choose your custom info type name carefully after considering

6707

# what your data looks like. One way to select a name that has a high chance

6708

# of yielding reliable detection is to include one or more unicode characters

6709

# that are highly improbable to exist in your data.

6710

# For example, assuming your data is entered from a regular ASCII keyboard,

6711

# the symbol with the hex code point 29DD might be used like so:

6712

# ⧝MY_TOKEN_TYPE.

6713

"name": "A String", # Name of the information type. Either a name of your choosing when

6714

# creating a CustomInfoType, or one of the names listed

6715

# at https://cloud.google.com/dlp/docs/infotypes-reference when specifying

6716

# a built-in type. InfoType names should conform to the pattern

6717

# `[a-zA-Z0-9_]{1,64}`.

6718

},

6719

"context": { # General identifier of a data field in a storage service. # A context may be used for higher security and maintaining

6720

# referential integrity such that the same identifier in two different

6721

# contexts will be given a distinct surrogate. The context is appended to

6722

# plaintext value being encrypted. On decryption the provided context is

6723

# validated against the value used during encryption. If a context was

6724

# provided during encryption, same context must be provided during decryption

6725

# as well.

6726

#

6727

# If the context is not set, plaintext would be used as is for encryption.

6728

# If the context is set but:

6729

#

6730

# 1. there is no record present when transforming a given value or

6731

# 2. the field is not present when transforming a given value,

6732

#

6733

# plaintext would be used as is for encryption.

6734

#

6735

# Note that case (1) is expected when an `InfoTypeTransformation` is

6736

# applied to both structured and non-structured `ContentItem`s.

6737

"name": "A String", # Name describing the field.

6738

},

6739

"cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the encryption function.

6740

# a key encryption key (KEK) stored by KMS).

6741

# When using KMS to wrap/unwrap DEKs, be sure to set an appropriate

6742

# IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot

6743

# unwrap the data crypto key.

6744

"kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key

6745

# The wrapped key must be a 128/192/256 bit key.

6746

# Authorization requires the following IAM permissions when sending a request

6747

# to perform a crypto transformation using a kms-wrapped crypto key:

6748

# dlp.kms.encrypt

6749

"wrappedKey": "A String", # Required. The wrapped data crypto key.

6750

"cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.

6751

},

6752

"unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key

6753

# leaking the key. Choose another type of key if possible.

6754

"key": "A String", # Required. A 128/192/256 bit key.

6755

},

6756

"transient": { # Use this to have a random data crypto key generated. # Transient crypto key

6757

# It will be discarded after the request finishes.

6758

"name": "A String", # Required. Name of the key.

6759

# This is an arbitrary string used to differentiate different keys.

6760

# A unique key is generated per name: two separate `TransientCryptoKey`

6761

# protos share the same generated key if their names are the same.

6762

# When the data crypto key is generated, this name is not used in any way

6763

# (repeating the api call will result in a different key being generated).

},

},

},

"redactConfig": { # Redact a given value. For example, if used with an `InfoTypeTransformation` # Redact

6768

# transforming PHONE_NUMBER, and input 'My phone number is 206-555-0123', the

6769

# output would be 'My phone number is '.

6770

},

6771

"bucketingConfig": { # Generalization function that buckets values based on ranges. The ranges and # Bucketing

6772

# replacement values are dynamically provided by the user for custom behavior,

6773

# such as 1-30 -> LOW 31-65 -> MEDIUM 66-100 -> HIGH

6774

# This can be used on

6775

# data of type: number, long, string, timestamp.

6776

# If the bound `Value` type differs from the type of data being transformed, we

6777

# will first attempt converting the type of the data to be transformed to match

6778

# the type of the bound before comparing.

6779

# See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more.

6780

"buckets": [ # Set of buckets. Ranges must be non-overlapping.

6781

{ # Bucket is represented as a range, along with replacement values.

6782

"min": { # Set of primitive values supported by the system. # Lower bound of the range, inclusive. Type should be the same as max if

6783

# used.

6784

# Note that for the purposes of inspection or transformation, the number

6785

# of bytes considered to comprise a 'Value' is based on its representation

6786

# as a UTF-8 encoded string. For example, if 'integer_value' is set to

6787

# 123456789, the number of bytes would be counted as 9, even though an

6788

# int64 only holds up to 8 bytes of data.

6789

"booleanValue": True or False, # boolean

6790

"floatValue": 3.14, # float

6791

"dayOfWeekValue": "A String", # day of week

6792

"timestampValue": "A String", # timestamp

6793

"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date

6794

# and time zone are either specified elsewhere or are not significant. The date

6795

# is relative to the Proleptic Gregorian Calendar. This can represent:

6796

#

6797

# * A full date, with non-zero year, month and day values

6798

# * A month and day value, with a zero year, e.g. an anniversary

6799

# * A year on its own, with zero month and day values

6800

# * A year and month value, with a zero day, e.g. a credit card expiration date

6801

#

6802

# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.

6803

"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without

6804

# a year.

6805

"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a

6806

# month and day.

6807

"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0

6808

# if specifying a year by itself or a year and month where the day is not

6809

# significant.

6810

},

6811

"stringValue": "A String", # string

6812

"integerValue": "A String", # integer

6813

"timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day

6814

# or are specified elsewhere. An API may choose to allow leap seconds. Related

6815

# types are google.type.Date and `google.protobuf.Timestamp`.

6816

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may

6817

# allow the value 60 if it allows leap-seconds.

6818

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

6819

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose

6820

# to allow the value "24:00:00" for scenarios like business closing time.

6821

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

6822

},

6823

},

6824

"max": { # Set of primitive values supported by the system. # Upper bound of the range, exclusive; type must match min.

6825

# Note that for the purposes of inspection or transformation, the number

6826

# of bytes considered to comprise a 'Value' is based on its representation

6827

# as a UTF-8 encoded string. For example, if 'integer_value' is set to

6828

# 123456789, the number of bytes would be counted as 9, even though an

6829

# int64 only holds up to 8 bytes of data.

6830

"booleanValue": True or False, # boolean

6831

"floatValue": 3.14, # float

6832

"dayOfWeekValue": "A String", # day of week

6833

"timestampValue": "A String", # timestamp

6834

"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date

6835

# and time zone are either specified elsewhere or are not significant. The date

6836

# is relative to the Proleptic Gregorian Calendar. This can represent:

6837

#

6838

# * A full date, with non-zero year, month and day values

6839

# * A month and day value, with a zero year, e.g. an anniversary

6840

# * A year on its own, with zero month and day values

6841

# * A year and month value, with a zero day, e.g. a credit card expiration date

6842

#

6843

# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.

6844

"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without

6845

# a year.

6846

"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a

6847

# month and day.

6848

"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0

6849

# if specifying a year by itself or a year and month where the day is not

6850

# significant.

6851

},

6852

"stringValue": "A String", # string

6853

"integerValue": "A String", # integer

6854

"timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day

6855

# or are specified elsewhere. An API may choose to allow leap seconds. Related

6856

# types are google.type.Date and `google.protobuf.Timestamp`.

6857

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may

6858

# allow the value 60 if it allows leap-seconds.

6859

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

6860

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose

6861

# to allow the value "24:00:00" for scenarios like business closing time.

6862

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

6863

},

6864

},

6865

"replacementValue": { # Set of primitive values supported by the system. # Replacement value for this bucket. If not provided

6866

# the default behavior will be to hyphenate the min-max range.

6867

# Note that for the purposes of inspection or transformation, the number

6868

# of bytes considered to comprise a 'Value' is based on its representation

6869

# as a UTF-8 encoded string. For example, if 'integer_value' is set to

6870

# 123456789, the number of bytes would be counted as 9, even though an

6871

# int64 only holds up to 8 bytes of data.

6872

"booleanValue": True or False, # boolean

6873

"floatValue": 3.14, # float

6874

"dayOfWeekValue": "A String", # day of week

6875

"timestampValue": "A String", # timestamp

6876

"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date

6877

# and time zone are either specified elsewhere or are not significant. The date

6878

# is relative to the Proleptic Gregorian Calendar. This can represent:

6879

#

6880

# * A full date, with non-zero year, month and day values

6881

# * A month and day value, with a zero year, e.g. an anniversary

6882

# * A year on its own, with zero month and day values

6883

# * A year and month value, with a zero day, e.g. a credit card expiration date

6884

#

6885

# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.

6886

"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without

6887

# a year.

6888

"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a

6889

# month and day.

6890

"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0

6891

# if specifying a year by itself or a year and month where the day is not

6892

# significant.

6893

},

6894

"stringValue": "A String", # string

6895

"integerValue": "A String", # integer

6896

"timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day

6897

# or are specified elsewhere. An API may choose to allow leap seconds. Related

6898

# types are google.type.Date and `google.protobuf.Timestamp`.

6899

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may

6900

# allow the value 60 if it allows leap-seconds.

6901

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

6902

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose

6903

# to allow the value "24:00:00" for scenarios like business closing time.

6904

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

},

},

},

],

},

"replaceConfig": { # Replace each input value with a given `Value`. # Replace

6911

"newValue": { # Set of primitive values supported by the system. # Value to replace it with.

6912

# Note that for the purposes of inspection or transformation, the number

6913

# of bytes considered to comprise a 'Value' is based on its representation

6914

# as a UTF-8 encoded string. For example, if 'integer_value' is set to

6915

# 123456789, the number of bytes would be counted as 9, even though an

6916

# int64 only holds up to 8 bytes of data.

6917

"booleanValue": True or False, # boolean

6918

"floatValue": 3.14, # float

6919

"dayOfWeekValue": "A String", # day of week

6920

"timestampValue": "A String", # timestamp

6921

"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date

6922

# and time zone are either specified elsewhere or are not significant. The date

6923

# is relative to the Proleptic Gregorian Calendar. This can represent:

6924

#

6925

# * A full date, with non-zero year, month and day values

6926

# * A month and day value, with a zero year, e.g. an anniversary

6927

# * A year on its own, with zero month and day values

6928

# * A year and month value, with a zero day, e.g. a credit card expiration date

6929

#

6930

# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.

6931

"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without

6932

# a year.

6933

"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a

6934

# month and day.

6935

"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0

6936

# if specifying a year by itself or a year and month where the day is not

6937

# significant.

6938

},

6939

"stringValue": "A String", # string

6940

"integerValue": "A String", # integer

6941

"timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day

6942

# or are specified elsewhere. An API may choose to allow leap seconds. Related

6943

# types are google.type.Date and `google.protobuf.Timestamp`.

6944

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may

6945

# allow the value 60 if it allows leap-seconds.

6946

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

6947

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose

6948

# to allow the value "24:00:00" for scenarios like business closing time.

6949

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

},

},

},

"characterMaskConfig": { # Partially mask a string by replacing a given number of characters with a # Mask

6954

# fixed character. Masking can start from the beginning or end of the string.

6955

# This can be used on data of any type (numbers, longs, and so on) and when

6956

# de-identifying structured data we'll attempt to preserve the original data's

6957

# type. (This allows you to take a long like 123 and modify it to a string like

6958

# **3.

6959

"reverseOrder": True or False, # Mask characters in reverse order. For example, if `masking_character` is

6960

# `0`, `number_to_mask` is `14`, and `reverse_order` is `false`, then the

6961

# input string `1234-5678-9012-3456` is masked as `00000000000000-3456`.

6962

# If `masking_character` is `*`, `number_to_mask` is `3`, and `reverse_order`

6963

# is `true`, then the string `12345` is masked as `12***`.

6964

"charactersToIgnore": [ # When masking a string, items in this list will be skipped when replacing

6965

# characters. For example, if the input string is `555-555-5555` and you

6966

# instruct Cloud DLP to skip `-` and mask 5 characters with `*`, Cloud DLP

6967

# returns `***-**5-5555`.

6968

{ # Characters to skip when doing deidentification of a value. These will be left

6969

# alone and skipped.

6970

"charactersToSkip": "A String", # Characters to not transform when masking.

6971

"commonCharactersToIgnore": "A String", # Common characters to not transform when masking. Useful to avoid removing

# punctuation.

},

],

"numberToMask": 42, # Number of characters to mask. If not set, all matching chars will be

6976

# masked. Skipped characters do not count towards this tally.

6977

"maskingCharacter": "A String", # Character to use to mask the sensitive values&mdash;for example, `*` for an

6978

# alphabetic string such as a name, or `0` for a numeric string such as ZIP

6979

# code or credit card number. This string must have a length of 1. If not

6980

# supplied, this value defaults to `*` for strings, and `0` for digits.

6981

},

6982

"fixedSizeBucketingConfig": { # Buckets values based on fixed size ranges. The # Fixed size bucketing

6983

# Bucketing transformation can provide all of this functionality,

6984

# but requires more configuration. This message is provided as a convenience to

6985

# the user for simple bucketing strategies.

6986

#

6987

# The transformed value will be a hyphenated string of

6988

# {lower_bound}-{upper_bound}, i.e if lower_bound = 10 and upper_bound = 20

6989

# all values that are within this bucket will be replaced with "10-20".

6990

#

6991

# This can be used on data of type: double, long.

6992

#

6993

# If the bound Value type differs from the type of data

6994

# being transformed, we will first attempt converting the type of the data to

6995

# be transformed to match the type of the bound before comparing.

6996

#

6997

# See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more.

6998

"lowerBound": { # Set of primitive values supported by the system. # Required. Lower bound value of buckets. All values less than `lower_bound` are

6999

# grouped together into a single bucket; for example if `lower_bound` = 10,

7000

# then all values less than 10 are replaced with the value "-10".

7001

# Note that for the purposes of inspection or transformation, the number

7002

# of bytes considered to comprise a 'Value' is based on its representation

7003

# as a UTF-8 encoded string. For example, if 'integer_value' is set to

7004

# 123456789, the number of bytes would be counted as 9, even though an

7005

# int64 only holds up to 8 bytes of data.

7006

"booleanValue": True or False, # boolean

7007

"floatValue": 3.14, # float

7008

"dayOfWeekValue": "A String", # day of week

7009

"timestampValue": "A String", # timestamp

7010

"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date

7011

# and time zone are either specified elsewhere or are not significant. The date

7012

# is relative to the Proleptic Gregorian Calendar. This can represent:

7013

#

7014

# * A full date, with non-zero year, month and day values

7015

# * A month and day value, with a zero year, e.g. an anniversary

7016

# * A year on its own, with zero month and day values

7017

# * A year and month value, with a zero day, e.g. a credit card expiration date

7018

#

7019

# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.

7020

"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without

7021

# a year.

7022

"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a

7023

# month and day.

7024

"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0

7025

# if specifying a year by itself or a year and month where the day is not

7026

# significant.

7027

},

7028

"stringValue": "A String", # string

7029

"integerValue": "A String", # integer

7030

"timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day

7031

# or are specified elsewhere. An API may choose to allow leap seconds. Related

7032

# types are google.type.Date and `google.protobuf.Timestamp`.

7033

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may

7034

# allow the value 60 if it allows leap-seconds.

7035

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

7036

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose

7037

# to allow the value "24:00:00" for scenarios like business closing time.

7038

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

7039

},

7040

},

7041

"upperBound": { # Set of primitive values supported by the system. # Required. Upper bound value of buckets. All values greater than upper_bound are

7042

# grouped together into a single bucket; for example if `upper_bound` = 89,

7043

# then all values greater than 89 are replaced with the value "89+".

7044

# Note that for the purposes of inspection or transformation, the number

7045

# of bytes considered to comprise a 'Value' is based on its representation

7046

# as a UTF-8 encoded string. For example, if 'integer_value' is set to

7047

# 123456789, the number of bytes would be counted as 9, even though an

7048

# int64 only holds up to 8 bytes of data.

7049

"booleanValue": True or False, # boolean

7050

"floatValue": 3.14, # float

7051

"dayOfWeekValue": "A String", # day of week

7052

"timestampValue": "A String", # timestamp

7053

"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date

7054

# and time zone are either specified elsewhere or are not significant. The date

7055

# is relative to the Proleptic Gregorian Calendar. This can represent:

7056

#

7057

# * A full date, with non-zero year, month and day values

7058

# * A month and day value, with a zero year, e.g. an anniversary

7059

# * A year on its own, with zero month and day values

7060

# * A year and month value, with a zero day, e.g. a credit card expiration date

7061

#

7062

# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.

7063

"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without

7064

# a year.

7065

"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a

7066

# month and day.

7067

"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0

7068

# if specifying a year by itself or a year and month where the day is not

7069

# significant.

7070

},

7071

"stringValue": "A String", # string

7072

"integerValue": "A String", # integer

7073

"timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day

7074

# or are specified elsewhere. An API may choose to allow leap seconds. Related

7075

# types are google.type.Date and `google.protobuf.Timestamp`.

7076

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may

7077

# allow the value 60 if it allows leap-seconds.

7078

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

7079

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose

7080

# to allow the value "24:00:00" for scenarios like business closing time.

7081

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

7082

},

7083

},

7084

"bucketSize": 3.14, # Required. Size of each bucket (except for minimum and maximum buckets). So if

7085

# `lower_bound` = 10, `upper_bound` = 89, and `bucket_size` = 10, then the

7086

# following buckets would be used: -10, 10-20, 20-30, 30-40, 40-50, 50-60,

7087

# 60-70, 70-80, 80-89, 89+. Precision up to 2 decimals works.

7088

},

7089

},

7090

"condition": { # A condition for determining whether a transformation should be applied to # Only apply the transformation if the condition evaluates to true for the

7091

# given `RecordCondition`. The conditions are allowed to reference fields

7092

# that are not used in the actual transformation.

#

# Example Use Cases:

#

# - Apply a different bucket transformation to an age column if the zip code

7097

# column for the same record is within a specific range.

7098

# - Redact a field if the date of birth field is greater than 85.

7099

# a field.

7100

"expressions": { # An expression, consisting or an operator and conditions. # An expression.

7101

"logicalOperator": "A String", # The operator to apply to the result of conditions. Default and currently

7102

# only supported value is `AND`.

7103

"conditions": { # A collection of conditions. # Conditions to apply to the expression.

7104

"conditions": [ # A collection of conditions.

7105

{ # The field type of `value` and `field` do not need to match to be

7106

# considered equal, but not all comparisons are possible.

7107

# EQUAL_TO and NOT_EQUAL_TO attempt to compare even with incompatible types,

7108

# but all other comparisons are invalid with incompatible types.

7109

# A `value` of type:

7110

#

7111

# - `string` can be compared against all other types

7112

# - `boolean` can only be compared against other booleans

7113

# - `integer` can be compared against doubles or a string if the string value

7114

# can be parsed as an integer.

7115

# - `double` can be compared against integers or a string if the string can

7116

# be parsed as a double.

7117

# - `Timestamp` can be compared against strings in RFC 3339 date string

7118

# format.

7119

# - `TimeOfDay` can be compared against timestamps and strings in the format

7120

# of 'HH:mm:ss'.

7121

#

7122

# If we fail to compare do to type mismatch, a warning will be given and

7123

# the condition will evaluate to false.

7124

"field": { # General identifier of a data field in a storage service. # Required. Field within the record this condition is evaluated against.

7125

"name": "A String", # Name describing the field.

7126

},

7127

"operator": "A String", # Required. Operator used to compare the field or infoType to the value.

7128

"value": { # Set of primitive values supported by the system. # Value to compare against. [Mandatory, except for `EXISTS` tests.]

7129

# Note that for the purposes of inspection or transformation, the number

7130

# of bytes considered to comprise a 'Value' is based on its representation

7131

# as a UTF-8 encoded string. For example, if 'integer_value' is set to

7132

# 123456789, the number of bytes would be counted as 9, even though an

7133

# int64 only holds up to 8 bytes of data.

7134

"booleanValue": True or False, # boolean

7135

"floatValue": 3.14, # float

7136

"dayOfWeekValue": "A String", # day of week

7137

"timestampValue": "A String", # timestamp

7138

"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date

7139

# and time zone are either specified elsewhere or are not significant. The date

7140

# is relative to the Proleptic Gregorian Calendar. This can represent:

7141

#

7142

# * A full date, with non-zero year, month and day values

7143

# * A month and day value, with a zero year, e.g. an anniversary

7144

# * A year on its own, with zero month and day values

7145

# * A year and month value, with a zero day, e.g. a credit card expiration date

7146

#

7147

# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.

7148

"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without

7149

# a year.

7150

"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a

7151

# month and day.

7152

"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0

7153

# if specifying a year by itself or a year and month where the day is not

7154

# significant.

7155

},

7156

"stringValue": "A String", # string

7157

"integerValue": "A String", # integer

7158

"timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day

7159

# or are specified elsewhere. An API may choose to allow leap seconds. Related

7160

# types are google.type.Date and `google.protobuf.Timestamp`.

7161

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may

7162

# allow the value 60 if it allows leap-seconds.

7163

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

7164

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose

7165

# to allow the value "24:00:00" for scenarios like business closing time.

7166

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

},

},

},

],

},

},

},

},

],

},

"infoTypeTransformations": { # A type of transformation that will scan unstructured text and # Treat the dataset as free-form text and apply the same free text

7178

# transformation everywhere.

7179

# apply various `PrimitiveTransformation`s to each finding, where the

7180

# transformation is applied to only values that were identified as a specific

7181

# info_type.

7182

"transformations": [ # Required. Transformation for each infoType. Cannot specify more than one

7183

# for a given infoType.

7184

{ # A transformation to apply to text that is identified as a specific

7185

# info_type.

7186

"infoTypes": [ # InfoTypes to apply the transformation to. An empty list will cause

7187

# this transformation to apply to all findings that correspond to

7188

# infoTypes that were requested in `InspectConfig`.

7189

{ # Type of information detected by the API.

7190

"name": "A String", # Name of the information type. Either a name of your choosing when

7191

# creating a CustomInfoType, or one of the names listed

7192

# at https://cloud.google.com/dlp/docs/infotypes-reference when specifying

7193

# a built-in type. InfoType names should conform to the pattern

7194

# `[a-zA-Z0-9_]{1,64}`.

7195

},

7196

],

7197

"primitiveTransformation": { # A rule for transforming a value. # Required. Primitive transformation to apply to the infoType.

7198

"timePartConfig": { # For use with `Date`, `Timestamp`, and `TimeOfDay`, extract or preserve a # Time extraction

7199

# portion of the value.

7200

"partToExtract": "A String", # The part of the time to keep.

7201

},

7202

"dateShiftConfig": { # Shifts dates by random number of days, with option to be consistent for the # Date Shift

7203

# same context. See https://cloud.google.com/dlp/docs/concepts-date-shifting

7204

# to learn more.

7205

"context": { # General identifier of a data field in a storage service. # Points to the field that contains the context, for example, an entity id.

7206

# If set, must also set cryptoKey. If set, shift will be consistent for the

7207

# given context.

7208

"name": "A String", # Name describing the field.

7209

},

7210

"upperBoundDays": 42, # Required. Range of shift in days. Actual shift will be selected at random within this

7211

# range (inclusive ends). Negative means shift to earlier in time. Must not

7212

# be more than 365250 days (1000 years) each direction.

7213

#

7214

# For example, 3 means shift date to at most 3 days into the future.

7215

"lowerBoundDays": 42, # Required. For example, -5 means shift date to at most 5 days back in the past.

7216

"cryptoKey": { # This is a data encryption key (DEK) (as opposed to # Causes the shift to be computed based on this key and the context. This

7217

# results in the same shift for the same context and crypto_key. If

7218

# set, must also set context. Can only be applied to table items.

7219

# a key encryption key (KEK) stored by KMS).

7220

# When using KMS to wrap/unwrap DEKs, be sure to set an appropriate

7221

# IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot

7222

# unwrap the data crypto key.

7223

"kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key

7224

# The wrapped key must be a 128/192/256 bit key.

7225

# Authorization requires the following IAM permissions when sending a request

7226

# to perform a crypto transformation using a kms-wrapped crypto key:

7227

# dlp.kms.encrypt

7228

"wrappedKey": "A String", # Required. The wrapped data crypto key.

7229

"cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.

7230

},

7231

"unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key

7232

# leaking the key. Choose another type of key if possible.

7233

"key": "A String", # Required. A 128/192/256 bit key.

7234

},

7235

"transient": { # Use this to have a random data crypto key generated. # Transient crypto key

7236

# It will be discarded after the request finishes.

7237

"name": "A String", # Required. Name of the key.

7238

# This is an arbitrary string used to differentiate different keys.

7239

# A unique key is generated per name: two separate `TransientCryptoKey`

7240

# protos share the same generated key if their names are the same.

7241

# When the data crypto key is generated, this name is not used in any way

7242

# (repeating the api call will result in a different key being generated).

},

},

},

"replaceWithInfoTypeConfig": { # Replace each matching finding with the name of the info_type. # Replace with infotype

7247

},

7248

"cryptoHashConfig": { # Pseudonymization method that generates surrogates via cryptographic hashing. # Crypto

7249

# Uses SHA-256.

7250

# The key size must be either 32 or 64 bytes.

7251

# Outputs a base64 encoded representation of the hashed output

7252

# (for example, L7k0BHmF1ha5U3NfGykjro4xWi1MPVQPjhMAZbSV9mM=).

7253

# Currently, only string and integer values can be hashed.

7254

# See https://cloud.google.com/dlp/docs/pseudonymization to learn more.

7255

"cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the hash function.

7256

# a key encryption key (KEK) stored by KMS).

7257

# When using KMS to wrap/unwrap DEKs, be sure to set an appropriate

7258

# IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot

7259

# unwrap the data crypto key.

7260

"kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key

7261

# The wrapped key must be a 128/192/256 bit key.

7262

# Authorization requires the following IAM permissions when sending a request

7263

# to perform a crypto transformation using a kms-wrapped crypto key:

7264

# dlp.kms.encrypt

7265

"wrappedKey": "A String", # Required. The wrapped data crypto key.

7266

"cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.

7267

},

7268

"unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key

7269

# leaking the key. Choose another type of key if possible.

7270

"key": "A String", # Required. A 128/192/256 bit key.

7271

},

7272

"transient": { # Use this to have a random data crypto key generated. # Transient crypto key

7273

# It will be discarded after the request finishes.

7274

"name": "A String", # Required. Name of the key.

7275

# This is an arbitrary string used to differentiate different keys.

7276

# A unique key is generated per name: two separate `TransientCryptoKey`

7277

# protos share the same generated key if their names are the same.

7278

# When the data crypto key is generated, this name is not used in any way

7279

# (repeating the api call will result in a different key being generated).

},

},

},

"cryptoReplaceFfxFpeConfig": { # Replaces an identifier with a surrogate using Format Preserving Encryption # Ffx-Fpe

7284

# (FPE) with the FFX mode of operation; however when used in the

7285

# `ReidentifyContent` API method, it serves the opposite function by reversing

7286

# the surrogate back into the original identifier. The identifier must be

7287

# encoded as ASCII. For a given crypto key and context, the same identifier

7288

# will be replaced with the same surrogate. Identifiers must be at least two

7289

# characters long. In the case that the identifier is the empty string, it will

7290

# be skipped. See https://cloud.google.com/dlp/docs/pseudonymization to learn

7291

# more.

7292

#

7293

# Note: We recommend using CryptoDeterministicConfig for all use cases which

7294

# do not require preserving the input alphabet space and size, plus warrant

7295

# referential integrity.

7296

"customAlphabet": "A String", # This is supported by mapping these to the alphanumeric characters

7297

# that the FFX mode natively supports. This happens before/after

7298

# encryption/decryption.

7299

# Each character listed must appear only once.

7300

# Number of characters must be in the range [2, 95].

7301

# This must be encoded as ASCII.

7302

# The order of characters does not matter.

7303

"commonAlphabet": "A String", # Common alphabets.

7304

"surrogateInfoType": { # Type of information detected by the API. # The custom infoType to annotate the surrogate with.

7305

# This annotation will be applied to the surrogate by prefixing it with

7306

# the name of the custom infoType followed by the number of

7307

# characters comprising the surrogate. The following scheme defines the

7308

# format: info_type_name(surrogate_character_count):surrogate

7309

#

7310

# For example, if the name of custom infoType is 'MY_TOKEN_INFO_TYPE' and

7311

# the surrogate is 'abc', the full replacement value

7312

# will be: 'MY_TOKEN_INFO_TYPE(3):abc'

7313

#

7314

# This annotation identifies the surrogate when inspecting content using the

7315

# custom infoType

7316

# [`SurrogateType`](/dlp/docs/reference/rest/v2/InspectConfig#surrogatetype).

7317

# This facilitates reversal of the surrogate when it occurs in free text.

7318

#

7319

# In order for inspection to work properly, the name of this infoType must

7320

# not occur naturally anywhere in your data; otherwise, inspection may

7321

# find a surrogate that does not correspond to an actual identifier.

7322

# Therefore, choose your custom infoType name carefully after considering

7323

# what your data looks like. One way to select a name that has a high chance

7324

# of yielding reliable detection is to include one or more unicode characters

7325

# that are highly improbable to exist in your data.

7326

# For example, assuming your data is entered from a regular ASCII keyboard,

7327

# the symbol with the hex code point 29DD might be used like so:

7328

# ⧝MY_TOKEN_TYPE

7329

"name": "A String", # Name of the information type. Either a name of your choosing when

7330

# creating a CustomInfoType, or one of the names listed

7331

# at https://cloud.google.com/dlp/docs/infotypes-reference when specifying

7332

# a built-in type. InfoType names should conform to the pattern

7333

# `[a-zA-Z0-9_]{1,64}`.

7334

},

7335

"context": { # General identifier of a data field in a storage service. # The 'tweak', a context may be used for higher security since the same

7336

# identifier in two different contexts won't be given the same surrogate. If

7337

# the context is not set, a default tweak will be used.

7338

#

7339

# If the context is set but:

7340

#

7341

# 1. there is no record present when transforming a given value or

7342

# 1. the field is not present when transforming a given value,

7343

#

7344

# a default tweak will be used.

7345

#

7346

# Note that case (1) is expected when an `InfoTypeTransformation` is

7347

# applied to both structured and non-structured `ContentItem`s.

7348

# Currently, the referenced field may be of value type integer or string.

7349

#

7350

# The tweak is constructed as a sequence of bytes in big endian byte order

7351

# such that:

7352

#

7353

# - a 64 bit integer is encoded followed by a single byte of value 1

7354

# - a string is encoded in UTF-8 format followed by a single byte of value 2

7355

"name": "A String", # Name describing the field.

7356

},

7357

"radix": 42, # The native way to select the alphabet. Must be in the range [2, 95].

7358

"cryptoKey": { # This is a data encryption key (DEK) (as opposed to # Required. The key used by the encryption algorithm.

7359

# a key encryption key (KEK) stored by KMS).

7360

# When using KMS to wrap/unwrap DEKs, be sure to set an appropriate

7361

# IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot

7362

# unwrap the data crypto key.

7363

"kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key

7364

# The wrapped key must be a 128/192/256 bit key.

7365

# Authorization requires the following IAM permissions when sending a request

7366

# to perform a crypto transformation using a kms-wrapped crypto key:

7367

# dlp.kms.encrypt

7368

"wrappedKey": "A String", # Required. The wrapped data crypto key.

7369

"cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.

7370

},

7371

"unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key

7372

# leaking the key. Choose another type of key if possible.

7373

"key": "A String", # Required. A 128/192/256 bit key.

7374

},

7375

"transient": { # Use this to have a random data crypto key generated. # Transient crypto key

7376

# It will be discarded after the request finishes.

7377

"name": "A String", # Required. Name of the key.

7378

# This is an arbitrary string used to differentiate different keys.

7379

# A unique key is generated per name: two separate `TransientCryptoKey`

7380

# protos share the same generated key if their names are the same.

7381

# When the data crypto key is generated, this name is not used in any way

7382

# (repeating the api call will result in a different key being generated).

},

},

},

"cryptoDeterministicConfig": { # Pseudonymization method that generates deterministic encryption for the given # Deterministic Crypto

7387

# input. Outputs a base64 encoded representation of the encrypted output.

7388

# Uses AES-SIV based on the RFC https://tools.ietf.org/html/rfc5297.

7389

"surrogateInfoType": { # Type of information detected by the API. # The custom info type to annotate the surrogate with.

7390

# This annotation will be applied to the surrogate by prefixing it with

7391

# the name of the custom info type followed by the number of

7392

# characters comprising the surrogate. The following scheme defines the

7393

# format: {info type name}({surrogate character count}):{surrogate}

7394

#

7395

# For example, if the name of custom info type is 'MY_TOKEN_INFO_TYPE' and

7396

# the surrogate is 'abc', the full replacement value

7397

# will be: 'MY_TOKEN_INFO_TYPE(3):abc'

7398

#

7399

# This annotation identifies the surrogate when inspecting content using the

7400

# custom info type 'Surrogate'. This facilitates reversal of the

7401

# surrogate when it occurs in free text.

7402

#

7403

# Note: For record transformations where the entire cell in a table is being

7404

# transformed, surrogates are not mandatory. Surrogates are used to denote

7405

# the location of the token and are necessary for re-identification in free

7406

# form text.

7407

#

7408

# In order for inspection to work properly, the name of this info type must

7409

# not occur naturally anywhere in your data; otherwise, inspection may either

7410

#

7411

# - reverse a surrogate that does not correspond to an actual identifier

7412

# - be unable to parse the surrogate and result in an error

7413

#

7414

# Therefore, choose your custom info type name carefully after considering

7415

# what your data looks like. One way to select a name that has a high chance

7416

# of yielding reliable detection is to include one or more unicode characters

7417

# that are highly improbable to exist in your data.

7418

# For example, assuming your data is entered from a regular ASCII keyboard,

7419

# the symbol with the hex code point 29DD might be used like so:

7420

# ⧝MY_TOKEN_TYPE.

7421

"name": "A String", # Name of the information type. Either a name of your choosing when

7422

# creating a CustomInfoType, or one of the names listed

7423

# at https://cloud.google.com/dlp/docs/infotypes-reference when specifying

7424

# a built-in type. InfoType names should conform to the pattern

7425

# `[a-zA-Z0-9_]{1,64}`.

7426

},

7427

"context": { # General identifier of a data field in a storage service. # A context may be used for higher security and maintaining

7428

# referential integrity such that the same identifier in two different

7429

# contexts will be given a distinct surrogate. The context is appended to

7430

# plaintext value being encrypted. On decryption the provided context is

7431

# validated against the value used during encryption. If a context was

7432

# provided during encryption, same context must be provided during decryption

7433

# as well.

7434

#

7435

# If the context is not set, plaintext would be used as is for encryption.

7436

# If the context is set but:

7437

#

7438

# 1. there is no record present when transforming a given value or

7439

# 2. the field is not present when transforming a given value,

7440

#

7441

# plaintext would be used as is for encryption.

7442

#

7443

# Note that case (1) is expected when an `InfoTypeTransformation` is

7444

# applied to both structured and non-structured `ContentItem`s.

7445

"name": "A String", # Name describing the field.

7446

},

7447

"cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the encryption function.

7448

# a key encryption key (KEK) stored by KMS).

7449

# When using KMS to wrap/unwrap DEKs, be sure to set an appropriate

7450

# IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot

7451

# unwrap the data crypto key.

7452

"kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key

7453

# The wrapped key must be a 128/192/256 bit key.

7454

# Authorization requires the following IAM permissions when sending a request

7455

# to perform a crypto transformation using a kms-wrapped crypto key:

7456

# dlp.kms.encrypt

7457

"wrappedKey": "A String", # Required. The wrapped data crypto key.

7458

"cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.

7459

},

7460

"unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key

7461

# leaking the key. Choose another type of key if possible.

7462

"key": "A String", # Required. A 128/192/256 bit key.

7463

},

7464

"transient": { # Use this to have a random data crypto key generated. # Transient crypto key

7465

# It will be discarded after the request finishes.

7466

"name": "A String", # Required. Name of the key.

7467

# This is an arbitrary string used to differentiate different keys.

7468

# A unique key is generated per name: two separate `TransientCryptoKey`

7469

# protos share the same generated key if their names are the same.

7470

# When the data crypto key is generated, this name is not used in any way

7471

# (repeating the api call will result in a different key being generated).

},

},

},

"redactConfig": { # Redact a given value. For example, if used with an `InfoTypeTransformation` # Redact

7476

# transforming PHONE_NUMBER, and input 'My phone number is 206-555-0123', the

7477

# output would be 'My phone number is '.

7478

},

7479

"bucketingConfig": { # Generalization function that buckets values based on ranges. The ranges and # Bucketing

7480

# replacement values are dynamically provided by the user for custom behavior,

7481

# such as 1-30 -> LOW 31-65 -> MEDIUM 66-100 -> HIGH

7482

# This can be used on

7483

# data of type: number, long, string, timestamp.

7484

# If the bound `Value` type differs from the type of data being transformed, we

7485

# will first attempt converting the type of the data to be transformed to match

7486

# the type of the bound before comparing.

7487

# See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more.

7488

"buckets": [ # Set of buckets. Ranges must be non-overlapping.

7489

{ # Bucket is represented as a range, along with replacement values.

7490

"min": { # Set of primitive values supported by the system. # Lower bound of the range, inclusive. Type should be the same as max if

7491

# used.

7492

# Note that for the purposes of inspection or transformation, the number

7493

# of bytes considered to comprise a 'Value' is based on its representation

7494

# as a UTF-8 encoded string. For example, if 'integer_value' is set to

7495

# 123456789, the number of bytes would be counted as 9, even though an

7496

# int64 only holds up to 8 bytes of data.

7497

"booleanValue": True or False, # boolean

7498

"floatValue": 3.14, # float

7499

"dayOfWeekValue": "A String", # day of week

7500

"timestampValue": "A String", # timestamp

7501

"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date

7502

# and time zone are either specified elsewhere or are not significant. The date

7503

# is relative to the Proleptic Gregorian Calendar. This can represent:

7504

#

7505

# * A full date, with non-zero year, month and day values

7506

# * A month and day value, with a zero year, e.g. an anniversary

7507

# * A year on its own, with zero month and day values

7508

# * A year and month value, with a zero day, e.g. a credit card expiration date

7509

#

7510

# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.

7511

"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without

7512

# a year.

7513

"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a

7514

# month and day.

7515

"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0

7516

# if specifying a year by itself or a year and month where the day is not

7517

# significant.

7518

},

7519

"stringValue": "A String", # string

7520

"integerValue": "A String", # integer

7521

"timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day

7522

# or are specified elsewhere. An API may choose to allow leap seconds. Related

7523

# types are google.type.Date and `google.protobuf.Timestamp`.

7524

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may

7525

# allow the value 60 if it allows leap-seconds.

7526

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

7527

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose

7528

# to allow the value "24:00:00" for scenarios like business closing time.

7529

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

7530

},

7531

},

7532

"max": { # Set of primitive values supported by the system. # Upper bound of the range, exclusive; type must match min.

7533

# Note that for the purposes of inspection or transformation, the number

7534

# of bytes considered to comprise a 'Value' is based on its representation

7535

# as a UTF-8 encoded string. For example, if 'integer_value' is set to

7536

# 123456789, the number of bytes would be counted as 9, even though an

7537

# int64 only holds up to 8 bytes of data.

7538

"booleanValue": True or False, # boolean

7539

"floatValue": 3.14, # float

7540

"dayOfWeekValue": "A String", # day of week

7541

"timestampValue": "A String", # timestamp

7542

"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date

7543

# and time zone are either specified elsewhere or are not significant. The date

7544

# is relative to the Proleptic Gregorian Calendar. This can represent:

7545

#

7546

# * A full date, with non-zero year, month and day values

7547

# * A month and day value, with a zero year, e.g. an anniversary

7548

# * A year on its own, with zero month and day values

7549

# * A year and month value, with a zero day, e.g. a credit card expiration date

7550

#

7551

# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.

7552

"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without

7553

# a year.

7554

"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a

7555

# month and day.

7556

"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0

7557

# if specifying a year by itself or a year and month where the day is not

7558

# significant.

7559

},

7560

"stringValue": "A String", # string

7561

"integerValue": "A String", # integer

7562

"timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day

7563

# or are specified elsewhere. An API may choose to allow leap seconds. Related

7564

# types are google.type.Date and `google.protobuf.Timestamp`.

7565

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may

7566

# allow the value 60 if it allows leap-seconds.

7567

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

7568

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose

7569

# to allow the value "24:00:00" for scenarios like business closing time.

7570

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

7571

},

7572

},

7573

"replacementValue": { # Set of primitive values supported by the system. # Replacement value for this bucket. If not provided

7574

# the default behavior will be to hyphenate the min-max range.

7575

# Note that for the purposes of inspection or transformation, the number

7576

# of bytes considered to comprise a 'Value' is based on its representation

7577

# as a UTF-8 encoded string. For example, if 'integer_value' is set to

7578

# 123456789, the number of bytes would be counted as 9, even though an

7579

# int64 only holds up to 8 bytes of data.

7580

"booleanValue": True or False, # boolean

7581

"floatValue": 3.14, # float

7582

"dayOfWeekValue": "A String", # day of week

7583

"timestampValue": "A String", # timestamp

7584

"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date

7585

# and time zone are either specified elsewhere or are not significant. The date

7586

# is relative to the Proleptic Gregorian Calendar. This can represent:

7587

#

7588

# * A full date, with non-zero year, month and day values

7589

# * A month and day value, with a zero year, e.g. an anniversary

7590

# * A year on its own, with zero month and day values

7591

# * A year and month value, with a zero day, e.g. a credit card expiration date

7592

#

7593

# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.

7594

"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without

7595

# a year.

7596

"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a

7597

# month and day.

7598

"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0

7599

# if specifying a year by itself or a year and month where the day is not

7600

# significant.

7601

},

7602

"stringValue": "A String", # string

7603

"integerValue": "A String", # integer

7604

"timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day

7605

# or are specified elsewhere. An API may choose to allow leap seconds. Related

7606

# types are google.type.Date and `google.protobuf.Timestamp`.

7607

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may

7608

# allow the value 60 if it allows leap-seconds.

7609

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

7610

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose

7611

# to allow the value "24:00:00" for scenarios like business closing time.

7612

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

},

},

},

],

},

"replaceConfig": { # Replace each input value with a given `Value`. # Replace

7619

"newValue": { # Set of primitive values supported by the system. # Value to replace it with.

7620

# Note that for the purposes of inspection or transformation, the number

7621

# of bytes considered to comprise a 'Value' is based on its representation

7622

# as a UTF-8 encoded string. For example, if 'integer_value' is set to

7623

# 123456789, the number of bytes would be counted as 9, even though an

7624

# int64 only holds up to 8 bytes of data.

7625

"booleanValue": True or False, # boolean

7626

"floatValue": 3.14, # float

7627

"dayOfWeekValue": "A String", # day of week

7628

"timestampValue": "A String", # timestamp

7629

"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date

7630

# and time zone are either specified elsewhere or are not significant. The date

7631

# is relative to the Proleptic Gregorian Calendar. This can represent:

7632

#

7633

# * A full date, with non-zero year, month and day values

7634

# * A month and day value, with a zero year, e.g. an anniversary

7635

# * A year on its own, with zero month and day values

7636

# * A year and month value, with a zero day, e.g. a credit card expiration date

7637

#

7638

# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.

7639

"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without

7640

# a year.

7641

"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a

7642

# month and day.

7643

"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0

7644

# if specifying a year by itself or a year and month where the day is not

7645

# significant.

7646

},

7647

"stringValue": "A String", # string

7648

"integerValue": "A String", # integer

7649

"timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day

7650

# or are specified elsewhere. An API may choose to allow leap seconds. Related

7651

# types are google.type.Date and `google.protobuf.Timestamp`.

7652

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may

7653

# allow the value 60 if it allows leap-seconds.

7654

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

7655

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose

7656

# to allow the value "24:00:00" for scenarios like business closing time.

7657

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

},

},

},

"characterMaskConfig": { # Partially mask a string by replacing a given number of characters with a # Mask

7662

# fixed character. Masking can start from the beginning or end of the string.

7663

# This can be used on data of any type (numbers, longs, and so on) and when

7664

# de-identifying structured data we'll attempt to preserve the original data's

7665

# type. (This allows you to take a long like 123 and modify it to a string like

7666

# **3.

7667

"reverseOrder": True or False, # Mask characters in reverse order. For example, if `masking_character` is

7668

# `0`, `number_to_mask` is `14`, and `reverse_order` is `false`, then the

7669

# input string `1234-5678-9012-3456` is masked as `00000000000000-3456`.

7670

# If `masking_character` is `*`, `number_to_mask` is `3`, and `reverse_order`

7671

# is `true`, then the string `12345` is masked as `12***`.

7672

"charactersToIgnore": [ # When masking a string, items in this list will be skipped when replacing

7673

# characters. For example, if the input string is `555-555-5555` and you

7674

# instruct Cloud DLP to skip `-` and mask 5 characters with `*`, Cloud DLP

7675

# returns `***-**5-5555`.

7676

{ # Characters to skip when doing deidentification of a value. These will be left

7677

# alone and skipped.

7678

"charactersToSkip": "A String", # Characters to not transform when masking.

7679

"commonCharactersToIgnore": "A String", # Common characters to not transform when masking. Useful to avoid removing

# punctuation.

},

],

"numberToMask": 42, # Number of characters to mask. If not set, all matching chars will be

7684

# masked. Skipped characters do not count towards this tally.

7685

"maskingCharacter": "A String", # Character to use to mask the sensitive values&mdash;for example, `*` for an

7686

# alphabetic string such as a name, or `0` for a numeric string such as ZIP

7687

# code or credit card number. This string must have a length of 1. If not

7688

# supplied, this value defaults to `*` for strings, and `0` for digits.

7689

},

7690

"fixedSizeBucketingConfig": { # Buckets values based on fixed size ranges. The # Fixed size bucketing

7691

# Bucketing transformation can provide all of this functionality,

7692

# but requires more configuration. This message is provided as a convenience to

7693

# the user for simple bucketing strategies.

7694

#

7695

# The transformed value will be a hyphenated string of

7696

# {lower_bound}-{upper_bound}, i.e if lower_bound = 10 and upper_bound = 20

7697

# all values that are within this bucket will be replaced with "10-20".

7698

#

7699

# This can be used on data of type: double, long.

7700

#

7701

# If the bound Value type differs from the type of data

7702

# being transformed, we will first attempt converting the type of the data to

7703

# be transformed to match the type of the bound before comparing.

7704

#

7705

# See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more.

7706

"lowerBound": { # Set of primitive values supported by the system. # Required. Lower bound value of buckets. All values less than `lower_bound` are

7707

# grouped together into a single bucket; for example if `lower_bound` = 10,

7708

# then all values less than 10 are replaced with the value "-10".

7709

# Note that for the purposes of inspection or transformation, the number

7710

# of bytes considered to comprise a 'Value' is based on its representation

7711

# as a UTF-8 encoded string. For example, if 'integer_value' is set to

7712

# 123456789, the number of bytes would be counted as 9, even though an

7713

# int64 only holds up to 8 bytes of data.

7714

"booleanValue": True or False, # boolean

7715

"floatValue": 3.14, # float

7716

"dayOfWeekValue": "A String", # day of week

7717

"timestampValue": "A String", # timestamp

7718

"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date

7719

# and time zone are either specified elsewhere or are not significant. The date

7720

# is relative to the Proleptic Gregorian Calendar. This can represent:

7721

#

7722

# * A full date, with non-zero year, month and day values

7723

# * A month and day value, with a zero year, e.g. an anniversary

7724

# * A year on its own, with zero month and day values

7725

# * A year and month value, with a zero day, e.g. a credit card expiration date

7726

#

7727

# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.

7728

"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without

7729

# a year.

7730

"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a

7731

# month and day.

7732

"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0

7733

# if specifying a year by itself or a year and month where the day is not

7734

# significant.

7735

},

7736

"stringValue": "A String", # string

7737

"integerValue": "A String", # integer

7738

"timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day

7739

# or are specified elsewhere. An API may choose to allow leap seconds. Related

7740

# types are google.type.Date and `google.protobuf.Timestamp`.

7741

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may

7742

# allow the value 60 if it allows leap-seconds.

7743

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

7744

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose

7745

# to allow the value "24:00:00" for scenarios like business closing time.

7746

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

7747

},

7748

},

7749

"upperBound": { # Set of primitive values supported by the system. # Required. Upper bound value of buckets. All values greater than upper_bound are

7750

# grouped together into a single bucket; for example if `upper_bound` = 89,

7751

# then all values greater than 89 are replaced with the value "89+".

7752

# Note that for the purposes of inspection or transformation, the number

7753

# of bytes considered to comprise a 'Value' is based on its representation

7754

# as a UTF-8 encoded string. For example, if 'integer_value' is set to

7755

# 123456789, the number of bytes would be counted as 9, even though an

7756

# int64 only holds up to 8 bytes of data.

7757

"booleanValue": True or False, # boolean

7758

"floatValue": 3.14, # float

7759

"dayOfWeekValue": "A String", # day of week

7760

"timestampValue": "A String", # timestamp

7761

"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date

7762

# and time zone are either specified elsewhere or are not significant. The date

7763

# is relative to the Proleptic Gregorian Calendar. This can represent:

7764

#

7765

# * A full date, with non-zero year, month and day values

7766

# * A month and day value, with a zero year, e.g. an anniversary

7767

# * A year on its own, with zero month and day values

7768

# * A year and month value, with a zero day, e.g. a credit card expiration date

7769

#

7770

# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.

7771

"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without

7772

# a year.

7773

"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a

7774

# month and day.

7775

"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0

7776

# if specifying a year by itself or a year and month where the day is not

7777

# significant.

7778

},

7779

"stringValue": "A String", # string

7780

"integerValue": "A String", # integer

7781

"timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day

7782

# or are specified elsewhere. An API may choose to allow leap seconds. Related

7783

# types are google.type.Date and `google.protobuf.Timestamp`.

7784

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may

7785

# allow the value 60 if it allows leap-seconds.

7786

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

7787

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose

7788

# to allow the value "24:00:00" for scenarios like business closing time.

7789

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

7790

},

7791

},

7792

"bucketSize": 3.14, # Required. Size of each bucket (except for minimum and maximum buckets). So if

7793

# `lower_bound` = 10, `upper_bound` = 89, and `bucket_size` = 10, then the

7794

# following buckets would be used: -10, 10-20, 20-30, 30-40, 40-50, 50-60,

7795

# 60-70, 70-80, 80-89, 89+. Precision up to 2 decimals works.

},

},

},

],

},

},

}

x__xgafv: string, V1 error format.

Allowed values

1 - v1 error format

2 - v2 error format

Returns:

An object of the form:

7811

7812

{ # Results of re-identifying a item.

7813

"overview": { # Overview of the modifications that occurred. # An overview of the changes that were made to the `item`.

7814

"transformationSummaries": [ # Transformations applied to the dataset.

7815

{ # Summary of a single transformation.

7816

# Only one of 'transformation', 'field_transformation', or 'record_suppress'

7817

# will be set.

7818

"fieldTransformations": [ # The field transformation that was applied.

7819

# If multiple field transformations are requested for a single field,

7820

# this list will contain all of them; otherwise, only one is supplied.

7821

{ # The transformation to apply to the field.

7822

"fields": [ # Required. Input field(s) to apply the transformation to.

7823

{ # General identifier of a data field in a storage service.

7824

"name": "A String", # Name describing the field.

7825

},

7826

],

7827

"infoTypeTransformations": { # A type of transformation that will scan unstructured text and # Treat the contents of the field as free text, and selectively

7828

# transform content that matches an `InfoType`.

7829

# apply various `PrimitiveTransformation`s to each finding, where the

7830

# transformation is applied to only values that were identified as a specific

7831

# info_type.

7832

"transformations": [ # Required. Transformation for each infoType. Cannot specify more than one

7833

# for a given infoType.

7834

{ # A transformation to apply to text that is identified as a specific

7835

# info_type.

7836

"infoTypes": [ # InfoTypes to apply the transformation to. An empty list will cause

7837

# this transformation to apply to all findings that correspond to

7838

# infoTypes that were requested in `InspectConfig`.

7839

{ # Type of information detected by the API.

7840

"name": "A String", # Name of the information type. Either a name of your choosing when

7841

# creating a CustomInfoType, or one of the names listed

7842

# at https://cloud.google.com/dlp/docs/infotypes-reference when specifying

7843

# a built-in type. InfoType names should conform to the pattern

7844

# `[a-zA-Z0-9_]{1,64}`.

7845

},

7846

],

7847

"primitiveTransformation": { # A rule for transforming a value. # Required. Primitive transformation to apply to the infoType.

7848

"timePartConfig": { # For use with `Date`, `Timestamp`, and `TimeOfDay`, extract or preserve a # Time extraction

7849

# portion of the value.

7850

"partToExtract": "A String", # The part of the time to keep.

7851

},

7852

"dateShiftConfig": { # Shifts dates by random number of days, with option to be consistent for the # Date Shift

7853

# same context. See https://cloud.google.com/dlp/docs/concepts-date-shifting

7854

# to learn more.

7855

"context": { # General identifier of a data field in a storage service. # Points to the field that contains the context, for example, an entity id.

7856

# If set, must also set cryptoKey. If set, shift will be consistent for the

7857

# given context.

7858

"name": "A String", # Name describing the field.

7859

},

7860

"upperBoundDays": 42, # Required. Range of shift in days. Actual shift will be selected at random within this

7861

# range (inclusive ends). Negative means shift to earlier in time. Must not

7862

# be more than 365250 days (1000 years) each direction.

7863

#

7864

# For example, 3 means shift date to at most 3 days into the future.

7865

"lowerBoundDays": 42, # Required. For example, -5 means shift date to at most 5 days back in the past.

7866

"cryptoKey": { # This is a data encryption key (DEK) (as opposed to # Causes the shift to be computed based on this key and the context. This

7867

# results in the same shift for the same context and crypto_key. If

7868

# set, must also set context. Can only be applied to table items.

7869

# a key encryption key (KEK) stored by KMS).

7870

# When using KMS to wrap/unwrap DEKs, be sure to set an appropriate

7871

# IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot

7872

# unwrap the data crypto key.

7873

"kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key

7874

# The wrapped key must be a 128/192/256 bit key.

7875

# Authorization requires the following IAM permissions when sending a request

7876

# to perform a crypto transformation using a kms-wrapped crypto key:

7877

# dlp.kms.encrypt

7878

"wrappedKey": "A String", # Required. The wrapped data crypto key.

7879

"cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.

7880

},

7881

"unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key

7882

# leaking the key. Choose another type of key if possible.

7883

"key": "A String", # Required. A 128/192/256 bit key.

7884

},

7885

"transient": { # Use this to have a random data crypto key generated. # Transient crypto key

7886

# It will be discarded after the request finishes.

7887

"name": "A String", # Required. Name of the key.

7888

# This is an arbitrary string used to differentiate different keys.

7889

# A unique key is generated per name: two separate `TransientCryptoKey`

7890

# protos share the same generated key if their names are the same.

7891

# When the data crypto key is generated, this name is not used in any way

7892

# (repeating the api call will result in a different key being generated).

},

},

},

"replaceWithInfoTypeConfig": { # Replace each matching finding with the name of the info_type. # Replace with infotype

7897

},

7898

"cryptoHashConfig": { # Pseudonymization method that generates surrogates via cryptographic hashing. # Crypto

7899

# Uses SHA-256.

7900

# The key size must be either 32 or 64 bytes.

7901

# Outputs a base64 encoded representation of the hashed output

7902

# (for example, L7k0BHmF1ha5U3NfGykjro4xWi1MPVQPjhMAZbSV9mM=).

7903

# Currently, only string and integer values can be hashed.

7904

# See https://cloud.google.com/dlp/docs/pseudonymization to learn more.

7905

"cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the hash function.

7906

# a key encryption key (KEK) stored by KMS).

7907

# When using KMS to wrap/unwrap DEKs, be sure to set an appropriate

7908

# IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot

7909

# unwrap the data crypto key.

7910

"kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key

7911

# The wrapped key must be a 128/192/256 bit key.

7912

# Authorization requires the following IAM permissions when sending a request

7913

# to perform a crypto transformation using a kms-wrapped crypto key:

7914

# dlp.kms.encrypt

7915

"wrappedKey": "A String", # Required. The wrapped data crypto key.

7916

"cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.

7917

},

7918

"unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key

7919

# leaking the key. Choose another type of key if possible.

7920

"key": "A String", # Required. A 128/192/256 bit key.

7921

},

7922

"transient": { # Use this to have a random data crypto key generated. # Transient crypto key

7923

# It will be discarded after the request finishes.

7924

"name": "A String", # Required. Name of the key.

7925

# This is an arbitrary string used to differentiate different keys.

7926

# A unique key is generated per name: two separate `TransientCryptoKey`

7927

# protos share the same generated key if their names are the same.

7928

# When the data crypto key is generated, this name is not used in any way

7929

# (repeating the api call will result in a different key being generated).

},

},

},

"cryptoReplaceFfxFpeConfig": { # Replaces an identifier with a surrogate using Format Preserving Encryption # Ffx-Fpe

7934

# (FPE) with the FFX mode of operation; however when used in the

7935

# `ReidentifyContent` API method, it serves the opposite function by reversing

7936

# the surrogate back into the original identifier. The identifier must be

7937

# encoded as ASCII. For a given crypto key and context, the same identifier

7938

# will be replaced with the same surrogate. Identifiers must be at least two

7939

# characters long. In the case that the identifier is the empty string, it will

7940

# be skipped. See https://cloud.google.com/dlp/docs/pseudonymization to learn

7941

# more.

7942

#

7943

# Note: We recommend using CryptoDeterministicConfig for all use cases which

7944

# do not require preserving the input alphabet space and size, plus warrant

7945

# referential integrity.

7946

"customAlphabet": "A String", # This is supported by mapping these to the alphanumeric characters

7947

# that the FFX mode natively supports. This happens before/after

7948

# encryption/decryption.

7949

# Each character listed must appear only once.

7950

# Number of characters must be in the range [2, 95].

7951

# This must be encoded as ASCII.

7952

# The order of characters does not matter.

7953

"commonAlphabet": "A String", # Common alphabets.

7954

"surrogateInfoType": { # Type of information detected by the API. # The custom infoType to annotate the surrogate with.

7955

# This annotation will be applied to the surrogate by prefixing it with

7956

# the name of the custom infoType followed by the number of

7957

# characters comprising the surrogate. The following scheme defines the

7958

# format: info_type_name(surrogate_character_count):surrogate

7959

#

7960

# For example, if the name of custom infoType is 'MY_TOKEN_INFO_TYPE' and

7961

# the surrogate is 'abc', the full replacement value

7962

# will be: 'MY_TOKEN_INFO_TYPE(3):abc'

7963

#

7964

# This annotation identifies the surrogate when inspecting content using the

7965

# custom infoType

7966

# [`SurrogateType`](/dlp/docs/reference/rest/v2/InspectConfig#surrogatetype).

7967

# This facilitates reversal of the surrogate when it occurs in free text.

7968

#

7969

# In order for inspection to work properly, the name of this infoType must

7970

# not occur naturally anywhere in your data; otherwise, inspection may

7971

# find a surrogate that does not correspond to an actual identifier.

7972

# Therefore, choose your custom infoType name carefully after considering

7973

# what your data looks like. One way to select a name that has a high chance

7974

# of yielding reliable detection is to include one or more unicode characters

7975

# that are highly improbable to exist in your data.

7976

# For example, assuming your data is entered from a regular ASCII keyboard,

7977

# the symbol with the hex code point 29DD might be used like so:

7978

# ⧝MY_TOKEN_TYPE

7979

"name": "A String", # Name of the information type. Either a name of your choosing when

7980

# creating a CustomInfoType, or one of the names listed

7981

# at https://cloud.google.com/dlp/docs/infotypes-reference when specifying

7982

# a built-in type. InfoType names should conform to the pattern

7983

# `[a-zA-Z0-9_]{1,64}`.

7984

},

7985

"context": { # General identifier of a data field in a storage service. # The 'tweak', a context may be used for higher security since the same

7986

# identifier in two different contexts won't be given the same surrogate. If

7987

# the context is not set, a default tweak will be used.

7988

#

7989

# If the context is set but:

7990

#

7991

# 1. there is no record present when transforming a given value or

7992

# 1. the field is not present when transforming a given value,

7993

#

7994

# a default tweak will be used.

7995

#

7996

# Note that case (1) is expected when an `InfoTypeTransformation` is

7997

# applied to both structured and non-structured `ContentItem`s.

7998

# Currently, the referenced field may be of value type integer or string.

7999

#

8000

# The tweak is constructed as a sequence of bytes in big endian byte order

8001

# such that:

8002

#

8003

# - a 64 bit integer is encoded followed by a single byte of value 1

8004

# - a string is encoded in UTF-8 format followed by a single byte of value 2

8005

"name": "A String", # Name describing the field.

8006

},

8007

"radix": 42, # The native way to select the alphabet. Must be in the range [2, 95].

8008

"cryptoKey": { # This is a data encryption key (DEK) (as opposed to # Required. The key used by the encryption algorithm.

8009

# a key encryption key (KEK) stored by KMS).

8010

# When using KMS to wrap/unwrap DEKs, be sure to set an appropriate

8011

# IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot

8012

# unwrap the data crypto key.

8013

"kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key

8014

# The wrapped key must be a 128/192/256 bit key.

8015

# Authorization requires the following IAM permissions when sending a request

8016

# to perform a crypto transformation using a kms-wrapped crypto key:

8017

# dlp.kms.encrypt

8018

"wrappedKey": "A String", # Required. The wrapped data crypto key.

8019

"cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.

8020

},

8021

"unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key

8022

# leaking the key. Choose another type of key if possible.

8023

"key": "A String", # Required. A 128/192/256 bit key.

8024

},

8025

"transient": { # Use this to have a random data crypto key generated. # Transient crypto key

8026

# It will be discarded after the request finishes.

8027

"name": "A String", # Required. Name of the key.

8028

# This is an arbitrary string used to differentiate different keys.

8029

# A unique key is generated per name: two separate `TransientCryptoKey`

8030

# protos share the same generated key if their names are the same.

8031

# When the data crypto key is generated, this name is not used in any way

8032

# (repeating the api call will result in a different key being generated).

},

},

},

"cryptoDeterministicConfig": { # Pseudonymization method that generates deterministic encryption for the given # Deterministic Crypto

8037

# input. Outputs a base64 encoded representation of the encrypted output.

8038

# Uses AES-SIV based on the RFC https://tools.ietf.org/html/rfc5297.

8039

"surrogateInfoType": { # Type of information detected by the API. # The custom info type to annotate the surrogate with.

8040

# This annotation will be applied to the surrogate by prefixing it with

8041

# the name of the custom info type followed by the number of

8042

# characters comprising the surrogate. The following scheme defines the

8043

# format: {info type name}({surrogate character count}):{surrogate}

8044

#

8045

# For example, if the name of custom info type is 'MY_TOKEN_INFO_TYPE' and

8046

# the surrogate is 'abc', the full replacement value

8047

# will be: 'MY_TOKEN_INFO_TYPE(3):abc'

8048

#

8049

# This annotation identifies the surrogate when inspecting content using the

8050

# custom info type 'Surrogate'. This facilitates reversal of the

8051

# surrogate when it occurs in free text.

8052

#

8053

# Note: For record transformations where the entire cell in a table is being

8054

# transformed, surrogates are not mandatory. Surrogates are used to denote

8055

# the location of the token and are necessary for re-identification in free

8056

# form text.

8057

#

8058

# In order for inspection to work properly, the name of this info type must

8059

# not occur naturally anywhere in your data; otherwise, inspection may either

8060

#

8061

# - reverse a surrogate that does not correspond to an actual identifier

8062

# - be unable to parse the surrogate and result in an error

8063

#

8064

# Therefore, choose your custom info type name carefully after considering

8065

# what your data looks like. One way to select a name that has a high chance

8066

# of yielding reliable detection is to include one or more unicode characters

8067

# that are highly improbable to exist in your data.

8068

# For example, assuming your data is entered from a regular ASCII keyboard,

8069

# the symbol with the hex code point 29DD might be used like so:

8070

# ⧝MY_TOKEN_TYPE.

8071

"name": "A String", # Name of the information type. Either a name of your choosing when

8072

# creating a CustomInfoType, or one of the names listed

8073

# at https://cloud.google.com/dlp/docs/infotypes-reference when specifying

8074

# a built-in type. InfoType names should conform to the pattern

8075

# `[a-zA-Z0-9_]{1,64}`.

8076

},

8077

"context": { # General identifier of a data field in a storage service. # A context may be used for higher security and maintaining

8078

# referential integrity such that the same identifier in two different

8079

# contexts will be given a distinct surrogate. The context is appended to

8080

# plaintext value being encrypted. On decryption the provided context is

8081

# validated against the value used during encryption. If a context was

8082

# provided during encryption, same context must be provided during decryption

8083

# as well.

8084

#

8085

# If the context is not set, plaintext would be used as is for encryption.

8086

# If the context is set but:

8087

#

8088

# 1. there is no record present when transforming a given value or

8089

# 2. the field is not present when transforming a given value,

8090

#

8091

# plaintext would be used as is for encryption.

8092

#

8093

# Note that case (1) is expected when an `InfoTypeTransformation` is

8094

# applied to both structured and non-structured `ContentItem`s.

8095

"name": "A String", # Name describing the field.

8096

},

8097

"cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the encryption function.

8098

# a key encryption key (KEK) stored by KMS).

8099

# When using KMS to wrap/unwrap DEKs, be sure to set an appropriate

8100

# IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot

8101

# unwrap the data crypto key.

8102

"kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key

8103

# The wrapped key must be a 128/192/256 bit key.

8104

# Authorization requires the following IAM permissions when sending a request

8105

# to perform a crypto transformation using a kms-wrapped crypto key:

8106

# dlp.kms.encrypt

8107

"wrappedKey": "A String", # Required. The wrapped data crypto key.

8108

"cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.

8109

},

8110

"unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key

8111

# leaking the key. Choose another type of key if possible.

8112

"key": "A String", # Required. A 128/192/256 bit key.

8113

},

8114

"transient": { # Use this to have a random data crypto key generated. # Transient crypto key

8115

# It will be discarded after the request finishes.

8116

"name": "A String", # Required. Name of the key.

8117

# This is an arbitrary string used to differentiate different keys.

8118

# A unique key is generated per name: two separate `TransientCryptoKey`

8119

# protos share the same generated key if their names are the same.

8120

# When the data crypto key is generated, this name is not used in any way

8121

# (repeating the api call will result in a different key being generated).

},

},

},

"redactConfig": { # Redact a given value. For example, if used with an `InfoTypeTransformation` # Redact

8126

# transforming PHONE_NUMBER, and input 'My phone number is 206-555-0123', the

8127

# output would be 'My phone number is '.

8128

},

8129

"bucketingConfig": { # Generalization function that buckets values based on ranges. The ranges and # Bucketing

8130

# replacement values are dynamically provided by the user for custom behavior,

8131

# such as 1-30 -> LOW 31-65 -> MEDIUM 66-100 -> HIGH

8132

# This can be used on

8133

# data of type: number, long, string, timestamp.

8134

# If the bound `Value` type differs from the type of data being transformed, we

8135

# will first attempt converting the type of the data to be transformed to match

8136

# the type of the bound before comparing.

8137

# See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more.

8138

"buckets": [ # Set of buckets. Ranges must be non-overlapping.

8139

{ # Bucket is represented as a range, along with replacement values.

8140

"min": { # Set of primitive values supported by the system. # Lower bound of the range, inclusive. Type should be the same as max if

8141

# used.

8142

# Note that for the purposes of inspection or transformation, the number

8143

# of bytes considered to comprise a 'Value' is based on its representation

8144

# as a UTF-8 encoded string. For example, if 'integer_value' is set to

8145

# 123456789, the number of bytes would be counted as 9, even though an

8146

# int64 only holds up to 8 bytes of data.

8147

"booleanValue": True or False, # boolean

8148

"floatValue": 3.14, # float

8149

"dayOfWeekValue": "A String", # day of week

8150

"timestampValue": "A String", # timestamp

8151

"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date

8152

# and time zone are either specified elsewhere or are not significant. The date

8153

# is relative to the Proleptic Gregorian Calendar. This can represent:

8154

#

8155

# * A full date, with non-zero year, month and day values

8156

# * A month and day value, with a zero year, e.g. an anniversary

8157

# * A year on its own, with zero month and day values

8158

# * A year and month value, with a zero day, e.g. a credit card expiration date

8159

#

8160

# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.

8161

"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without

8162

# a year.

8163

"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a

8164

# month and day.

8165

"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0

8166

# if specifying a year by itself or a year and month where the day is not

8167

# significant.

8168

},

8169

"stringValue": "A String", # string

8170

"integerValue": "A String", # integer

8171

"timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day

8172

# or are specified elsewhere. An API may choose to allow leap seconds. Related

8173

# types are google.type.Date and `google.protobuf.Timestamp`.

8174

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may

8175

# allow the value 60 if it allows leap-seconds.

8176

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

8177

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose

8178

# to allow the value "24:00:00" for scenarios like business closing time.

8179

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

8180

},

8181

},

8182

"max": { # Set of primitive values supported by the system. # Upper bound of the range, exclusive; type must match min.

8183

# Note that for the purposes of inspection or transformation, the number

8184

# of bytes considered to comprise a 'Value' is based on its representation

8185

# as a UTF-8 encoded string. For example, if 'integer_value' is set to

8186

# 123456789, the number of bytes would be counted as 9, even though an

8187

# int64 only holds up to 8 bytes of data.

8188

"booleanValue": True or False, # boolean

8189

"floatValue": 3.14, # float

8190

"dayOfWeekValue": "A String", # day of week

8191

"timestampValue": "A String", # timestamp

8192

"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date

8193

# and time zone are either specified elsewhere or are not significant. The date

8194

# is relative to the Proleptic Gregorian Calendar. This can represent:

8195

#

8196

# * A full date, with non-zero year, month and day values

8197

# * A month and day value, with a zero year, e.g. an anniversary

8198

# * A year on its own, with zero month and day values

8199

# * A year and month value, with a zero day, e.g. a credit card expiration date

8200

#

8201

# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.

8202

"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without

8203

# a year.

8204

"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a

8205

# month and day.

8206

"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0

8207

# if specifying a year by itself or a year and month where the day is not

8208

# significant.

8209

},

8210

"stringValue": "A String", # string

8211

"integerValue": "A String", # integer

8212

"timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day

8213

# or are specified elsewhere. An API may choose to allow leap seconds. Related

8214

# types are google.type.Date and `google.protobuf.Timestamp`.

8215

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may

8216

# allow the value 60 if it allows leap-seconds.

8217

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

8218

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose

8219

# to allow the value "24:00:00" for scenarios like business closing time.

8220

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

8221

},

8222

},

8223

"replacementValue": { # Set of primitive values supported by the system. # Replacement value for this bucket. If not provided

8224

# the default behavior will be to hyphenate the min-max range.

8225

# Note that for the purposes of inspection or transformation, the number

8226

# of bytes considered to comprise a 'Value' is based on its representation

8227

# as a UTF-8 encoded string. For example, if 'integer_value' is set to

8228

# 123456789, the number of bytes would be counted as 9, even though an

8229

# int64 only holds up to 8 bytes of data.

8230

"booleanValue": True or False, # boolean

8231

"floatValue": 3.14, # float

8232

"dayOfWeekValue": "A String", # day of week

8233

"timestampValue": "A String", # timestamp

8234

"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date

8235

# and time zone are either specified elsewhere or are not significant. The date

8236

# is relative to the Proleptic Gregorian Calendar. This can represent:

8237

#

8238

# * A full date, with non-zero year, month and day values

8239

# * A month and day value, with a zero year, e.g. an anniversary

8240

# * A year on its own, with zero month and day values

8241

# * A year and month value, with a zero day, e.g. a credit card expiration date

8242

#

8243

# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.

8244

"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without

8245

# a year.

8246

"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a

8247

# month and day.

8248

"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0

8249

# if specifying a year by itself or a year and month where the day is not

8250

# significant.

8251

},

8252

"stringValue": "A String", # string

8253

"integerValue": "A String", # integer

8254

"timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day

8255

# or are specified elsewhere. An API may choose to allow leap seconds. Related

8256

# types are google.type.Date and `google.protobuf.Timestamp`.

8257

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may

8258

# allow the value 60 if it allows leap-seconds.

8259

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

8260

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose

8261

# to allow the value "24:00:00" for scenarios like business closing time.

8262

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

},

},

},

],

},

"replaceConfig": { # Replace each input value with a given `Value`. # Replace

8269

"newValue": { # Set of primitive values supported by the system. # Value to replace it with.

8270

# Note that for the purposes of inspection or transformation, the number

8271

# of bytes considered to comprise a 'Value' is based on its representation

8272

# as a UTF-8 encoded string. For example, if 'integer_value' is set to

8273

# 123456789, the number of bytes would be counted as 9, even though an

8274

# int64 only holds up to 8 bytes of data.

8275

"booleanValue": True or False, # boolean

8276

"floatValue": 3.14, # float

8277

"dayOfWeekValue": "A String", # day of week

8278

"timestampValue": "A String", # timestamp

8279

"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date

8280

# and time zone are either specified elsewhere or are not significant. The date

8281

# is relative to the Proleptic Gregorian Calendar. This can represent:

8282

#

8283

# * A full date, with non-zero year, month and day values

8284

# * A month and day value, with a zero year, e.g. an anniversary

8285

# * A year on its own, with zero month and day values

8286

# * A year and month value, with a zero day, e.g. a credit card expiration date

8287

#

8288

# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.

8289

"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without

8290

# a year.

8291

"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a

8292

# month and day.

8293

"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0

8294

# if specifying a year by itself or a year and month where the day is not

8295

# significant.

8296

},

8297

"stringValue": "A String", # string

8298

"integerValue": "A String", # integer

8299

"timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day

8300

# or are specified elsewhere. An API may choose to allow leap seconds. Related

8301

# types are google.type.Date and `google.protobuf.Timestamp`.

8302

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may

8303

# allow the value 60 if it allows leap-seconds.

8304

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

8305

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose

8306

# to allow the value "24:00:00" for scenarios like business closing time.

8307

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

},

},

},

"characterMaskConfig": { # Partially mask a string by replacing a given number of characters with a # Mask

8312

# fixed character. Masking can start from the beginning or end of the string.

8313

# This can be used on data of any type (numbers, longs, and so on) and when

8314

# de-identifying structured data we'll attempt to preserve the original data's

8315

# type. (This allows you to take a long like 123 and modify it to a string like

8316

# **3.

8317

"reverseOrder": True or False, # Mask characters in reverse order. For example, if `masking_character` is

8318

# `0`, `number_to_mask` is `14`, and `reverse_order` is `false`, then the

8319

# input string `1234-5678-9012-3456` is masked as `00000000000000-3456`.

8320

# If `masking_character` is `*`, `number_to_mask` is `3`, and `reverse_order`

8321

# is `true`, then the string `12345` is masked as `12***`.

8322

"charactersToIgnore": [ # When masking a string, items in this list will be skipped when replacing

8323

# characters. For example, if the input string is `555-555-5555` and you

8324

# instruct Cloud DLP to skip `-` and mask 5 characters with `*`, Cloud DLP

8325

# returns `***-**5-5555`.

8326

{ # Characters to skip when doing deidentification of a value. These will be left

8327

# alone and skipped.

8328

"charactersToSkip": "A String", # Characters to not transform when masking.

8329

"commonCharactersToIgnore": "A String", # Common characters to not transform when masking. Useful to avoid removing

# punctuation.

},

],

"numberToMask": 42, # Number of characters to mask. If not set, all matching chars will be

8334

# masked. Skipped characters do not count towards this tally.

8335

"maskingCharacter": "A String", # Character to use to mask the sensitive values&mdash;for example, `*` for an

8336

# alphabetic string such as a name, or `0` for a numeric string such as ZIP

8337

# code or credit card number. This string must have a length of 1. If not

8338

# supplied, this value defaults to `*` for strings, and `0` for digits.

8339

},

8340

"fixedSizeBucketingConfig": { # Buckets values based on fixed size ranges. The # Fixed size bucketing

8341

# Bucketing transformation can provide all of this functionality,

8342

# but requires more configuration. This message is provided as a convenience to

8343

# the user for simple bucketing strategies.

8344

#

8345

# The transformed value will be a hyphenated string of

8346

# {lower_bound}-{upper_bound}, i.e if lower_bound = 10 and upper_bound = 20

8347

# all values that are within this bucket will be replaced with "10-20".

8348

#

8349

# This can be used on data of type: double, long.

8350

#

8351

# If the bound Value type differs from the type of data

8352

# being transformed, we will first attempt converting the type of the data to

8353

# be transformed to match the type of the bound before comparing.

8354

#

8355

# See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more.

8356

"lowerBound": { # Set of primitive values supported by the system. # Required. Lower bound value of buckets. All values less than `lower_bound` are

8357

# grouped together into a single bucket; for example if `lower_bound` = 10,

8358

# then all values less than 10 are replaced with the value "-10".

8359

# Note that for the purposes of inspection or transformation, the number

8360

# of bytes considered to comprise a 'Value' is based on its representation

8361

# as a UTF-8 encoded string. For example, if 'integer_value' is set to

8362

# 123456789, the number of bytes would be counted as 9, even though an

8363

# int64 only holds up to 8 bytes of data.

8364

"booleanValue": True or False, # boolean

8365

"floatValue": 3.14, # float

8366

"dayOfWeekValue": "A String", # day of week

8367

"timestampValue": "A String", # timestamp

8368

"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date

8369

# and time zone are either specified elsewhere or are not significant. The date

8370

# is relative to the Proleptic Gregorian Calendar. This can represent:

8371

#

8372

# * A full date, with non-zero year, month and day values

8373

# * A month and day value, with a zero year, e.g. an anniversary

8374

# * A year on its own, with zero month and day values

8375

# * A year and month value, with a zero day, e.g. a credit card expiration date

8376

#

8377

# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.

8378

"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without

8379

# a year.

8380

"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a

8381

# month and day.

8382

"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0

8383

# if specifying a year by itself or a year and month where the day is not

8384

# significant.

8385

},

8386

"stringValue": "A String", # string

8387

"integerValue": "A String", # integer

8388

"timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day

8389

# or are specified elsewhere. An API may choose to allow leap seconds. Related

8390

# types are google.type.Date and `google.protobuf.Timestamp`.

8391

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may

8392

# allow the value 60 if it allows leap-seconds.

8393

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

8394

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose

8395

# to allow the value "24:00:00" for scenarios like business closing time.

8396

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

8397

},

8398

},

8399

"upperBound": { # Set of primitive values supported by the system. # Required. Upper bound value of buckets. All values greater than upper_bound are

8400

# grouped together into a single bucket; for example if `upper_bound` = 89,

8401

# then all values greater than 89 are replaced with the value "89+".

8402

# Note that for the purposes of inspection or transformation, the number

8403

# of bytes considered to comprise a 'Value' is based on its representation

8404

# as a UTF-8 encoded string. For example, if 'integer_value' is set to

8405

# 123456789, the number of bytes would be counted as 9, even though an

8406

# int64 only holds up to 8 bytes of data.

8407

"booleanValue": True or False, # boolean

8408

"floatValue": 3.14, # float

8409

"dayOfWeekValue": "A String", # day of week

8410

"timestampValue": "A String", # timestamp

8411

"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date

8412

# and time zone are either specified elsewhere or are not significant. The date

8413

# is relative to the Proleptic Gregorian Calendar. This can represent:

8414

#

8415

# * A full date, with non-zero year, month and day values

8416

# * A month and day value, with a zero year, e.g. an anniversary

8417

# * A year on its own, with zero month and day values

8418

# * A year and month value, with a zero day, e.g. a credit card expiration date

8419

#

8420

# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.

8421

"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without

8422

# a year.

8423

"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a

8424

# month and day.

8425

"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0

8426

# if specifying a year by itself or a year and month where the day is not

8427

# significant.

8428

},

8429

"stringValue": "A String", # string

8430

"integerValue": "A String", # integer

8431

"timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day

8432

# or are specified elsewhere. An API may choose to allow leap seconds. Related

8433

# types are google.type.Date and `google.protobuf.Timestamp`.

8434

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may

8435

# allow the value 60 if it allows leap-seconds.

8436

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

8437

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose

8438

# to allow the value "24:00:00" for scenarios like business closing time.

8439

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

8440

},

8441

},

8442

"bucketSize": 3.14, # Required. Size of each bucket (except for minimum and maximum buckets). So if

8443

# `lower_bound` = 10, `upper_bound` = 89, and `bucket_size` = 10, then the

8444

# following buckets would be used: -10, 10-20, 20-30, 30-40, 40-50, 50-60,

8445

# 60-70, 70-80, 80-89, 89+. Precision up to 2 decimals works.

},

},

},

],

},

"primitiveTransformation": { # A rule for transforming a value. # Apply the transformation to the entire field.

8452

"timePartConfig": { # For use with `Date`, `Timestamp`, and `TimeOfDay`, extract or preserve a # Time extraction

8453

# portion of the value.

8454

"partToExtract": "A String", # The part of the time to keep.

8455

},

8456

"dateShiftConfig": { # Shifts dates by random number of days, with option to be consistent for the # Date Shift

8457

# same context. See https://cloud.google.com/dlp/docs/concepts-date-shifting

8458

# to learn more.

8459

"context": { # General identifier of a data field in a storage service. # Points to the field that contains the context, for example, an entity id.

8460

# If set, must also set cryptoKey. If set, shift will be consistent for the

8461

# given context.

8462

"name": "A String", # Name describing the field.

8463

},

8464

"upperBoundDays": 42, # Required. Range of shift in days. Actual shift will be selected at random within this

8465

# range (inclusive ends). Negative means shift to earlier in time. Must not

8466

# be more than 365250 days (1000 years) each direction.

8467

#

8468

# For example, 3 means shift date to at most 3 days into the future.

8469

"lowerBoundDays": 42, # Required. For example, -5 means shift date to at most 5 days back in the past.

8470

"cryptoKey": { # This is a data encryption key (DEK) (as opposed to # Causes the shift to be computed based on this key and the context. This

8471

# results in the same shift for the same context and crypto_key. If

8472

# set, must also set context. Can only be applied to table items.

8473

# a key encryption key (KEK) stored by KMS).

8474

# When using KMS to wrap/unwrap DEKs, be sure to set an appropriate

8475

# IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot

8476

# unwrap the data crypto key.

8477

"kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key

8478

# The wrapped key must be a 128/192/256 bit key.

8479

# Authorization requires the following IAM permissions when sending a request

8480

# to perform a crypto transformation using a kms-wrapped crypto key:

8481

# dlp.kms.encrypt

8482

"wrappedKey": "A String", # Required. The wrapped data crypto key.

8483

"cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.

8484

},

8485

"unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key

8486

# leaking the key. Choose another type of key if possible.

8487

"key": "A String", # Required. A 128/192/256 bit key.

8488

},

8489

"transient": { # Use this to have a random data crypto key generated. # Transient crypto key

8490

# It will be discarded after the request finishes.

8491

"name": "A String", # Required. Name of the key.

8492

# This is an arbitrary string used to differentiate different keys.

8493

# A unique key is generated per name: two separate `TransientCryptoKey`

8494

# protos share the same generated key if their names are the same.

8495

# When the data crypto key is generated, this name is not used in any way

8496

# (repeating the api call will result in a different key being generated).

},

},

},

"replaceWithInfoTypeConfig": { # Replace each matching finding with the name of the info_type. # Replace with infotype

8501

},

8502

"cryptoHashConfig": { # Pseudonymization method that generates surrogates via cryptographic hashing. # Crypto

8503

# Uses SHA-256.

8504

# The key size must be either 32 or 64 bytes.

8505

# Outputs a base64 encoded representation of the hashed output

8506

# (for example, L7k0BHmF1ha5U3NfGykjro4xWi1MPVQPjhMAZbSV9mM=).

8507

# Currently, only string and integer values can be hashed.

8508

# See https://cloud.google.com/dlp/docs/pseudonymization to learn more.

8509

"cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the hash function.

8510

# a key encryption key (KEK) stored by KMS).

8511

# When using KMS to wrap/unwrap DEKs, be sure to set an appropriate

8512

# IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot

8513

# unwrap the data crypto key.

8514

"kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key

8515

# The wrapped key must be a 128/192/256 bit key.

8516

# Authorization requires the following IAM permissions when sending a request

8517

# to perform a crypto transformation using a kms-wrapped crypto key:

8518

# dlp.kms.encrypt

8519

"wrappedKey": "A String", # Required. The wrapped data crypto key.

8520

"cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.

8521

},

8522

"unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key

8523

# leaking the key. Choose another type of key if possible.

8524

"key": "A String", # Required. A 128/192/256 bit key.

8525

},

8526

"transient": { # Use this to have a random data crypto key generated. # Transient crypto key

8527

# It will be discarded after the request finishes.

8528

"name": "A String", # Required. Name of the key.

8529

# This is an arbitrary string used to differentiate different keys.

8530

# A unique key is generated per name: two separate `TransientCryptoKey`

8531

# protos share the same generated key if their names are the same.

8532

# When the data crypto key is generated, this name is not used in any way

8533

# (repeating the api call will result in a different key being generated).

},

},

},

"cryptoReplaceFfxFpeConfig": { # Replaces an identifier with a surrogate using Format Preserving Encryption # Ffx-Fpe

8538

# (FPE) with the FFX mode of operation; however when used in the

8539

# `ReidentifyContent` API method, it serves the opposite function by reversing

8540

# the surrogate back into the original identifier. The identifier must be

8541

# encoded as ASCII. For a given crypto key and context, the same identifier

8542

# will be replaced with the same surrogate. Identifiers must be at least two

8543

# characters long. In the case that the identifier is the empty string, it will

8544

# be skipped. See https://cloud.google.com/dlp/docs/pseudonymization to learn

8545

# more.

8546

#

8547

# Note: We recommend using CryptoDeterministicConfig for all use cases which

8548

# do not require preserving the input alphabet space and size, plus warrant

8549

# referential integrity.

8550

"customAlphabet": "A String", # This is supported by mapping these to the alphanumeric characters

8551

# that the FFX mode natively supports. This happens before/after

8552

# encryption/decryption.

8553

# Each character listed must appear only once.

8554

# Number of characters must be in the range [2, 95].

8555

# This must be encoded as ASCII.

8556

# The order of characters does not matter.

8557

"commonAlphabet": "A String", # Common alphabets.

8558

"surrogateInfoType": { # Type of information detected by the API. # The custom infoType to annotate the surrogate with.

8559

# This annotation will be applied to the surrogate by prefixing it with

8560

# the name of the custom infoType followed by the number of

8561

# characters comprising the surrogate. The following scheme defines the

8562

# format: info_type_name(surrogate_character_count):surrogate

8563

#

8564

# For example, if the name of custom infoType is 'MY_TOKEN_INFO_TYPE' and

8565

# the surrogate is 'abc', the full replacement value

8566

# will be: 'MY_TOKEN_INFO_TYPE(3):abc'

8567

#

8568

# This annotation identifies the surrogate when inspecting content using the

8569

# custom infoType

8570

# [`SurrogateType`](/dlp/docs/reference/rest/v2/InspectConfig#surrogatetype).

8571

# This facilitates reversal of the surrogate when it occurs in free text.

8572

#

8573

# In order for inspection to work properly, the name of this infoType must

8574

# not occur naturally anywhere in your data; otherwise, inspection may

8575

# find a surrogate that does not correspond to an actual identifier.

8576

# Therefore, choose your custom infoType name carefully after considering

8577

# what your data looks like. One way to select a name that has a high chance

8578

# of yielding reliable detection is to include one or more unicode characters

8579

# that are highly improbable to exist in your data.

8580

# For example, assuming your data is entered from a regular ASCII keyboard,

8581

# the symbol with the hex code point 29DD might be used like so:

8582

# ⧝MY_TOKEN_TYPE

8583

"name": "A String", # Name of the information type. Either a name of your choosing when

8584

# creating a CustomInfoType, or one of the names listed

8585

# at https://cloud.google.com/dlp/docs/infotypes-reference when specifying

8586

# a built-in type. InfoType names should conform to the pattern

8587

# `[a-zA-Z0-9_]{1,64}`.

8588

},

8589

"context": { # General identifier of a data field in a storage service. # The 'tweak', a context may be used for higher security since the same

8590

# identifier in two different contexts won't be given the same surrogate. If

8591

# the context is not set, a default tweak will be used.

8592

#

8593

# If the context is set but:

8594

#

8595

# 1. there is no record present when transforming a given value or

8596

# 1. the field is not present when transforming a given value,

8597

#

8598

# a default tweak will be used.

8599

#

8600

# Note that case (1) is expected when an `InfoTypeTransformation` is

8601

# applied to both structured and non-structured `ContentItem`s.

8602

# Currently, the referenced field may be of value type integer or string.

8603

#

8604

# The tweak is constructed as a sequence of bytes in big endian byte order

8605

# such that:

8606

#

8607

# - a 64 bit integer is encoded followed by a single byte of value 1

8608

# - a string is encoded in UTF-8 format followed by a single byte of value 2

8609

"name": "A String", # Name describing the field.

8610

},

8611

"radix": 42, # The native way to select the alphabet. Must be in the range [2, 95].

8612

"cryptoKey": { # This is a data encryption key (DEK) (as opposed to # Required. The key used by the encryption algorithm.

8613

# a key encryption key (KEK) stored by KMS).

8614

# When using KMS to wrap/unwrap DEKs, be sure to set an appropriate

8615

# IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot

8616

# unwrap the data crypto key.

8617

"kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key

8618

# The wrapped key must be a 128/192/256 bit key.

8619

# Authorization requires the following IAM permissions when sending a request

8620

# to perform a crypto transformation using a kms-wrapped crypto key:

8621

# dlp.kms.encrypt

8622

"wrappedKey": "A String", # Required. The wrapped data crypto key.

8623

"cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.

8624

},

8625

"unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key

8626

# leaking the key. Choose another type of key if possible.

8627

"key": "A String", # Required. A 128/192/256 bit key.

8628

},

8629

"transient": { # Use this to have a random data crypto key generated. # Transient crypto key

8630

# It will be discarded after the request finishes.

8631

"name": "A String", # Required. Name of the key.

8632

# This is an arbitrary string used to differentiate different keys.

8633

# A unique key is generated per name: two separate `TransientCryptoKey`

8634

# protos share the same generated key if their names are the same.

8635

# When the data crypto key is generated, this name is not used in any way

8636

# (repeating the api call will result in a different key being generated).

},

},

},

"cryptoDeterministicConfig": { # Pseudonymization method that generates deterministic encryption for the given # Deterministic Crypto

8641

# input. Outputs a base64 encoded representation of the encrypted output.

8642

# Uses AES-SIV based on the RFC https://tools.ietf.org/html/rfc5297.

8643

"surrogateInfoType": { # Type of information detected by the API. # The custom info type to annotate the surrogate with.

8644

# This annotation will be applied to the surrogate by prefixing it with

8645

# the name of the custom info type followed by the number of

8646

# characters comprising the surrogate. The following scheme defines the

8647

# format: {info type name}({surrogate character count}):{surrogate}

8648

#

8649

# For example, if the name of custom info type is 'MY_TOKEN_INFO_TYPE' and

8650

# the surrogate is 'abc', the full replacement value

8651

# will be: 'MY_TOKEN_INFO_TYPE(3):abc'

8652

#

8653

# This annotation identifies the surrogate when inspecting content using the

8654

# custom info type 'Surrogate'. This facilitates reversal of the

8655

# surrogate when it occurs in free text.

8656

#

8657

# Note: For record transformations where the entire cell in a table is being

8658

# transformed, surrogates are not mandatory. Surrogates are used to denote

8659

# the location of the token and are necessary for re-identification in free

8660

# form text.

8661

#

8662

# In order for inspection to work properly, the name of this info type must

8663

# not occur naturally anywhere in your data; otherwise, inspection may either

8664

#

8665

# - reverse a surrogate that does not correspond to an actual identifier

8666

# - be unable to parse the surrogate and result in an error

8667

#

8668

# Therefore, choose your custom info type name carefully after considering

8669

# what your data looks like. One way to select a name that has a high chance

8670

# of yielding reliable detection is to include one or more unicode characters

8671

# that are highly improbable to exist in your data.

8672

# For example, assuming your data is entered from a regular ASCII keyboard,

8673

# the symbol with the hex code point 29DD might be used like so:

8674

# ⧝MY_TOKEN_TYPE.

8675

"name": "A String", # Name of the information type. Either a name of your choosing when

8676

# creating a CustomInfoType, or one of the names listed

8677

# at https://cloud.google.com/dlp/docs/infotypes-reference when specifying

8678

# a built-in type. InfoType names should conform to the pattern

8679

# `[a-zA-Z0-9_]{1,64}`.

8680

},

8681

"context": { # General identifier of a data field in a storage service. # A context may be used for higher security and maintaining

8682

# referential integrity such that the same identifier in two different

8683

# contexts will be given a distinct surrogate. The context is appended to

8684

# plaintext value being encrypted. On decryption the provided context is

8685

# validated against the value used during encryption. If a context was

8686

# provided during encryption, same context must be provided during decryption

8687

# as well.

8688

#

8689

# If the context is not set, plaintext would be used as is for encryption.

8690

# If the context is set but:

8691

#

8692

# 1. there is no record present when transforming a given value or

8693

# 2. the field is not present when transforming a given value,

8694

#

8695

# plaintext would be used as is for encryption.

8696

#

8697

# Note that case (1) is expected when an `InfoTypeTransformation` is

8698

# applied to both structured and non-structured `ContentItem`s.

8699

"name": "A String", # Name describing the field.

8700

},

8701

"cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the encryption function.

8702

# a key encryption key (KEK) stored by KMS).

8703

# When using KMS to wrap/unwrap DEKs, be sure to set an appropriate

8704

# IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot

8705

# unwrap the data crypto key.

8706

"kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key

8707

# The wrapped key must be a 128/192/256 bit key.

8708

# Authorization requires the following IAM permissions when sending a request

8709

# to perform a crypto transformation using a kms-wrapped crypto key:

8710

# dlp.kms.encrypt

8711

"wrappedKey": "A String", # Required. The wrapped data crypto key.

8712

"cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.

8713

},

8714

"unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key

8715

# leaking the key. Choose another type of key if possible.

8716

"key": "A String", # Required. A 128/192/256 bit key.

8717

},

8718

"transient": { # Use this to have a random data crypto key generated. # Transient crypto key

8719

# It will be discarded after the request finishes.

8720

"name": "A String", # Required. Name of the key.

8721

# This is an arbitrary string used to differentiate different keys.

8722

# A unique key is generated per name: two separate `TransientCryptoKey`

8723

# protos share the same generated key if their names are the same.

8724

# When the data crypto key is generated, this name is not used in any way

8725

# (repeating the api call will result in a different key being generated).

},

},

},

"redactConfig": { # Redact a given value. For example, if used with an `InfoTypeTransformation` # Redact

8730

# transforming PHONE_NUMBER, and input 'My phone number is 206-555-0123', the

8731

# output would be 'My phone number is '.

8732

},

8733

"bucketingConfig": { # Generalization function that buckets values based on ranges. The ranges and # Bucketing

8734

# replacement values are dynamically provided by the user for custom behavior,

8735

# such as 1-30 -> LOW 31-65 -> MEDIUM 66-100 -> HIGH

8736

# This can be used on

8737

# data of type: number, long, string, timestamp.

8738

# If the bound `Value` type differs from the type of data being transformed, we

8739

# will first attempt converting the type of the data to be transformed to match

8740

# the type of the bound before comparing.

8741

# See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more.

8742

"buckets": [ # Set of buckets. Ranges must be non-overlapping.

8743

{ # Bucket is represented as a range, along with replacement values.

8744

"min": { # Set of primitive values supported by the system. # Lower bound of the range, inclusive. Type should be the same as max if

8745

# used.

8746

# Note that for the purposes of inspection or transformation, the number

8747

# of bytes considered to comprise a 'Value' is based on its representation

8748

# as a UTF-8 encoded string. For example, if 'integer_value' is set to

8749

# 123456789, the number of bytes would be counted as 9, even though an

8750

# int64 only holds up to 8 bytes of data.

8751

"booleanValue": True or False, # boolean

8752

"floatValue": 3.14, # float

8753

"dayOfWeekValue": "A String", # day of week

8754

"timestampValue": "A String", # timestamp

8755

"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date

8756

# and time zone are either specified elsewhere or are not significant. The date

8757

# is relative to the Proleptic Gregorian Calendar. This can represent:

8758

#

8759

# * A full date, with non-zero year, month and day values

8760

# * A month and day value, with a zero year, e.g. an anniversary

8761

# * A year on its own, with zero month and day values

8762

# * A year and month value, with a zero day, e.g. a credit card expiration date

8763

#

8764

# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.

8765

"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without

8766

# a year.

8767

"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a

8768

# month and day.

8769

"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0

8770

# if specifying a year by itself or a year and month where the day is not

8771

# significant.

8772

},

8773

"stringValue": "A String", # string

8774

"integerValue": "A String", # integer

8775

"timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day

8776

# or are specified elsewhere. An API may choose to allow leap seconds. Related

8777

# types are google.type.Date and `google.protobuf.Timestamp`.

8778

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may

8779

# allow the value 60 if it allows leap-seconds.

8780

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

8781

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose

8782

# to allow the value "24:00:00" for scenarios like business closing time.

8783

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

8784

},

8785

},

8786

"max": { # Set of primitive values supported by the system. # Upper bound of the range, exclusive; type must match min.

8787

# Note that for the purposes of inspection or transformation, the number

8788

# of bytes considered to comprise a 'Value' is based on its representation

8789

# as a UTF-8 encoded string. For example, if 'integer_value' is set to

8790

# 123456789, the number of bytes would be counted as 9, even though an

8791

# int64 only holds up to 8 bytes of data.

8792

"booleanValue": True or False, # boolean

8793

"floatValue": 3.14, # float

8794

"dayOfWeekValue": "A String", # day of week

8795

"timestampValue": "A String", # timestamp

8796

"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date

8797

# and time zone are either specified elsewhere or are not significant. The date

8798

# is relative to the Proleptic Gregorian Calendar. This can represent:

8799

#

8800

# * A full date, with non-zero year, month and day values

8801

# * A month and day value, with a zero year, e.g. an anniversary

8802

# * A year on its own, with zero month and day values

8803

# * A year and month value, with a zero day, e.g. a credit card expiration date

8804

#

8805

# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.

8806

"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without

8807

# a year.

8808

"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a

8809

# month and day.

8810

"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0

8811

# if specifying a year by itself or a year and month where the day is not

8812

# significant.

8813

},

8814

"stringValue": "A String", # string

8815

"integerValue": "A String", # integer

8816

"timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day

8817

# or are specified elsewhere. An API may choose to allow leap seconds. Related

8818

# types are google.type.Date and `google.protobuf.Timestamp`.

8819

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may

8820

# allow the value 60 if it allows leap-seconds.

8821

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

8822

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose

8823

# to allow the value "24:00:00" for scenarios like business closing time.

8824

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

8825

},

8826

},

8827

"replacementValue": { # Set of primitive values supported by the system. # Replacement value for this bucket. If not provided

8828

# the default behavior will be to hyphenate the min-max range.

8829

# Note that for the purposes of inspection or transformation, the number

8830

# of bytes considered to comprise a 'Value' is based on its representation

8831

# as a UTF-8 encoded string. For example, if 'integer_value' is set to

8832

# 123456789, the number of bytes would be counted as 9, even though an

8833

# int64 only holds up to 8 bytes of data.

8834

"booleanValue": True or False, # boolean

8835

"floatValue": 3.14, # float

8836

"dayOfWeekValue": "A String", # day of week

8837

"timestampValue": "A String", # timestamp

8838

"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date

8839

# and time zone are either specified elsewhere or are not significant. The date

8840

# is relative to the Proleptic Gregorian Calendar. This can represent:

8841

#

8842

# * A full date, with non-zero year, month and day values

8843

# * A month and day value, with a zero year, e.g. an anniversary

8844

# * A year on its own, with zero month and day values

8845

# * A year and month value, with a zero day, e.g. a credit card expiration date

8846

#

8847

# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.

8848

"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without

8849

# a year.

8850

"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a

8851

# month and day.

8852

"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0

8853

# if specifying a year by itself or a year and month where the day is not

8854

# significant.

8855

},

8856

"stringValue": "A String", # string

8857

"integerValue": "A String", # integer

8858

"timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day

8859

# or are specified elsewhere. An API may choose to allow leap seconds. Related

8860

# types are google.type.Date and `google.protobuf.Timestamp`.

8861

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may

8862

# allow the value 60 if it allows leap-seconds.

8863

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

8864

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose

8865

# to allow the value "24:00:00" for scenarios like business closing time.

8866

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

},

},

},

],

},

"replaceConfig": { # Replace each input value with a given `Value`. # Replace

8873

"newValue": { # Set of primitive values supported by the system. # Value to replace it with.

8874

# Note that for the purposes of inspection or transformation, the number

8875

# of bytes considered to comprise a 'Value' is based on its representation

8876

# as a UTF-8 encoded string. For example, if 'integer_value' is set to

8877

# 123456789, the number of bytes would be counted as 9, even though an

8878

# int64 only holds up to 8 bytes of data.

8879

"booleanValue": True or False, # boolean

8880

"floatValue": 3.14, # float

8881

"dayOfWeekValue": "A String", # day of week

8882

"timestampValue": "A String", # timestamp

8883

"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date

8884

# and time zone are either specified elsewhere or are not significant. The date

8885

# is relative to the Proleptic Gregorian Calendar. This can represent:

8886

#

8887

# * A full date, with non-zero year, month and day values

8888

# * A month and day value, with a zero year, e.g. an anniversary

8889

# * A year on its own, with zero month and day values

8890

# * A year and month value, with a zero day, e.g. a credit card expiration date

8891

#

8892

# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.

8893

"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without

8894

# a year.

8895

"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a

8896

# month and day.

8897

"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0

8898

# if specifying a year by itself or a year and month where the day is not

8899

# significant.

8900

},

8901

"stringValue": "A String", # string

8902

"integerValue": "A String", # integer

8903

"timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day

8904

# or are specified elsewhere. An API may choose to allow leap seconds. Related

8905

# types are google.type.Date and `google.protobuf.Timestamp`.

8906

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may

8907

# allow the value 60 if it allows leap-seconds.

8908

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

8909

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose

8910

# to allow the value "24:00:00" for scenarios like business closing time.

8911

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

},

},

},

"characterMaskConfig": { # Partially mask a string by replacing a given number of characters with a # Mask

8916

# fixed character. Masking can start from the beginning or end of the string.

8917

# This can be used on data of any type (numbers, longs, and so on) and when

8918

# de-identifying structured data we'll attempt to preserve the original data's

8919

# type. (This allows you to take a long like 123 and modify it to a string like

8920

# **3.

8921

"reverseOrder": True or False, # Mask characters in reverse order. For example, if `masking_character` is

8922

# `0`, `number_to_mask` is `14`, and `reverse_order` is `false`, then the

8923

# input string `1234-5678-9012-3456` is masked as `00000000000000-3456`.

8924

# If `masking_character` is `*`, `number_to_mask` is `3`, and `reverse_order`

8925

# is `true`, then the string `12345` is masked as `12***`.

8926

"charactersToIgnore": [ # When masking a string, items in this list will be skipped when replacing

8927

# characters. For example, if the input string is `555-555-5555` and you

8928

# instruct Cloud DLP to skip `-` and mask 5 characters with `*`, Cloud DLP

8929

# returns `***-**5-5555`.

8930

{ # Characters to skip when doing deidentification of a value. These will be left

8931

# alone and skipped.

8932

"charactersToSkip": "A String", # Characters to not transform when masking.

8933

"commonCharactersToIgnore": "A String", # Common characters to not transform when masking. Useful to avoid removing

# punctuation.

},

],

"numberToMask": 42, # Number of characters to mask. If not set, all matching chars will be

8938

# masked. Skipped characters do not count towards this tally.

8939

"maskingCharacter": "A String", # Character to use to mask the sensitive values&mdash;for example, `*` for an

8940

# alphabetic string such as a name, or `0` for a numeric string such as ZIP

8941

# code or credit card number. This string must have a length of 1. If not

8942

# supplied, this value defaults to `*` for strings, and `0` for digits.

8943

},

8944

"fixedSizeBucketingConfig": { # Buckets values based on fixed size ranges. The # Fixed size bucketing

8945

# Bucketing transformation can provide all of this functionality,

8946

# but requires more configuration. This message is provided as a convenience to

8947

# the user for simple bucketing strategies.

8948

#

8949

# The transformed value will be a hyphenated string of

8950

# {lower_bound}-{upper_bound}, i.e if lower_bound = 10 and upper_bound = 20

8951

# all values that are within this bucket will be replaced with "10-20".

8952

#

8953

# This can be used on data of type: double, long.

8954

#

8955

# If the bound Value type differs from the type of data

8956

# being transformed, we will first attempt converting the type of the data to

8957

# be transformed to match the type of the bound before comparing.

8958

#

8959

# See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more.

8960

"lowerBound": { # Set of primitive values supported by the system. # Required. Lower bound value of buckets. All values less than `lower_bound` are

8961

# grouped together into a single bucket; for example if `lower_bound` = 10,

8962

# then all values less than 10 are replaced with the value "-10".

8963

# Note that for the purposes of inspection or transformation, the number

8964

# of bytes considered to comprise a 'Value' is based on its representation

8965

# as a UTF-8 encoded string. For example, if 'integer_value' is set to

8966

# 123456789, the number of bytes would be counted as 9, even though an

8967

# int64 only holds up to 8 bytes of data.

8968

"booleanValue": True or False, # boolean

8969

"floatValue": 3.14, # float

8970

"dayOfWeekValue": "A String", # day of week

8971

"timestampValue": "A String", # timestamp

8972

"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date

8973

# and time zone are either specified elsewhere or are not significant. The date

8974

# is relative to the Proleptic Gregorian Calendar. This can represent:

8975

#

8976

# * A full date, with non-zero year, month and day values

8977

# * A month and day value, with a zero year, e.g. an anniversary

8978

# * A year on its own, with zero month and day values

8979

# * A year and month value, with a zero day, e.g. a credit card expiration date

8980

#

8981

# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.

8982

"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without

8983

# a year.

8984

"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a

8985

# month and day.

8986

"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0

8987

# if specifying a year by itself or a year and month where the day is not

8988

# significant.

8989

},

8990

"stringValue": "A String", # string

8991

"integerValue": "A String", # integer

8992

"timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day

8993

# or are specified elsewhere. An API may choose to allow leap seconds. Related

8994

# types are google.type.Date and `google.protobuf.Timestamp`.

8995

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may

8996

# allow the value 60 if it allows leap-seconds.

8997

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

8998

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose

8999

# to allow the value "24:00:00" for scenarios like business closing time.

9000

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

9001

},

9002

},

9003

"upperBound": { # Set of primitive values supported by the system. # Required. Upper bound value of buckets. All values greater than upper_bound are

9004

# grouped together into a single bucket; for example if `upper_bound` = 89,

9005

# then all values greater than 89 are replaced with the value "89+".

9006

# Note that for the purposes of inspection or transformation, the number

9007

# of bytes considered to comprise a 'Value' is based on its representation

9008

# as a UTF-8 encoded string. For example, if 'integer_value' is set to

9009

# 123456789, the number of bytes would be counted as 9, even though an

9010

# int64 only holds up to 8 bytes of data.

9011

"booleanValue": True or False, # boolean

9012

"floatValue": 3.14, # float

9013

"dayOfWeekValue": "A String", # day of week

9014

"timestampValue": "A String", # timestamp

9015

"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date

9016

# and time zone are either specified elsewhere or are not significant. The date

9017

# is relative to the Proleptic Gregorian Calendar. This can represent:

9018

#

9019

# * A full date, with non-zero year, month and day values

9020

# * A month and day value, with a zero year, e.g. an anniversary

9021

# * A year on its own, with zero month and day values

9022

# * A year and month value, with a zero day, e.g. a credit card expiration date

9023

#

9024

# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.

9025

"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without

9026

# a year.

9027

"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a

9028

# month and day.

9029

"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0

9030

# if specifying a year by itself or a year and month where the day is not

9031

# significant.

9032

},

9033

"stringValue": "A String", # string

9034

"integerValue": "A String", # integer

9035

"timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day

9036

# or are specified elsewhere. An API may choose to allow leap seconds. Related

9037

# types are google.type.Date and `google.protobuf.Timestamp`.

9038

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may

9039

# allow the value 60 if it allows leap-seconds.

9040

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

9041

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose

9042

# to allow the value "24:00:00" for scenarios like business closing time.

9043

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

9044

},

9045

},

9046

"bucketSize": 3.14, # Required. Size of each bucket (except for minimum and maximum buckets). So if

9047

# `lower_bound` = 10, `upper_bound` = 89, and `bucket_size` = 10, then the

9048

# following buckets would be used: -10, 10-20, 20-30, 30-40, 40-50, 50-60,

9049

# 60-70, 70-80, 80-89, 89+. Precision up to 2 decimals works.

9050

},

9051

},

9052

"condition": { # A condition for determining whether a transformation should be applied to # Only apply the transformation if the condition evaluates to true for the

9053

# given `RecordCondition`. The conditions are allowed to reference fields

9054

# that are not used in the actual transformation.

#

# Example Use Cases:

#

# - Apply a different bucket transformation to an age column if the zip code

9059

# column for the same record is within a specific range.

9060

# - Redact a field if the date of birth field is greater than 85.

9061

# a field.

9062

"expressions": { # An expression, consisting or an operator and conditions. # An expression.

9063

"logicalOperator": "A String", # The operator to apply to the result of conditions. Default and currently

9064

# only supported value is `AND`.

9065

"conditions": { # A collection of conditions. # Conditions to apply to the expression.

9066

"conditions": [ # A collection of conditions.

9067

{ # The field type of `value` and `field` do not need to match to be

9068

# considered equal, but not all comparisons are possible.

9069

# EQUAL_TO and NOT_EQUAL_TO attempt to compare even with incompatible types,

9070

# but all other comparisons are invalid with incompatible types.

9071

# A `value` of type:

9072

#

9073

# - `string` can be compared against all other types

9074

# - `boolean` can only be compared against other booleans

9075

# - `integer` can be compared against doubles or a string if the string value

9076

# can be parsed as an integer.

9077

# - `double` can be compared against integers or a string if the string can

9078

# be parsed as a double.

9079

# - `Timestamp` can be compared against strings in RFC 3339 date string

9080

# format.

9081

# - `TimeOfDay` can be compared against timestamps and strings in the format

9082

# of 'HH:mm:ss'.

9083

#

9084

# If we fail to compare do to type mismatch, a warning will be given and

9085

# the condition will evaluate to false.

9086

"field": { # General identifier of a data field in a storage service. # Required. Field within the record this condition is evaluated against.

9087

"name": "A String", # Name describing the field.

9088

},

9089

"operator": "A String", # Required. Operator used to compare the field or infoType to the value.

9090

"value": { # Set of primitive values supported by the system. # Value to compare against. [Mandatory, except for `EXISTS` tests.]

9091

# Note that for the purposes of inspection or transformation, the number

9092

# of bytes considered to comprise a 'Value' is based on its representation

9093

# as a UTF-8 encoded string. For example, if 'integer_value' is set to

9094

# 123456789, the number of bytes would be counted as 9, even though an

9095

# int64 only holds up to 8 bytes of data.

9096

"booleanValue": True or False, # boolean

9097

"floatValue": 3.14, # float

9098

"dayOfWeekValue": "A String", # day of week

9099

"timestampValue": "A String", # timestamp

9100

"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date

9101

# and time zone are either specified elsewhere or are not significant. The date

9102

# is relative to the Proleptic Gregorian Calendar. This can represent:

9103

#

9104

# * A full date, with non-zero year, month and day values

9105

# * A month and day value, with a zero year, e.g. an anniversary

9106

# * A year on its own, with zero month and day values

9107

# * A year and month value, with a zero day, e.g. a credit card expiration date

9108

#

9109

# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.

9110

"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without

9111

# a year.

9112

"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a

9113

# month and day.

9114

"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0

9115

# if specifying a year by itself or a year and month where the day is not

9116

# significant.

9117

},

9118

"stringValue": "A String", # string

9119

"integerValue": "A String", # integer

9120

"timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day

9121

# or are specified elsewhere. An API may choose to allow leap seconds. Related

9122

# types are google.type.Date and `google.protobuf.Timestamp`.

9123

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may

9124

# allow the value 60 if it allows leap-seconds.

9125

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

9126

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose

9127

# to allow the value "24:00:00" for scenarios like business closing time.

9128

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

},

},

},

],

},

},

},

},

],

"field": { # General identifier of a data field in a storage service. # Set if the transformation was limited to a specific FieldId.

9139

"name": "A String", # Name describing the field.

9140

},

9141

"transformation": { # A rule for transforming a value. # The specific transformation these stats apply to.

9142

"timePartConfig": { # For use with `Date`, `Timestamp`, and `TimeOfDay`, extract or preserve a # Time extraction

9143

# portion of the value.

9144

"partToExtract": "A String", # The part of the time to keep.

9145

},

9146

"dateShiftConfig": { # Shifts dates by random number of days, with option to be consistent for the # Date Shift

9147

# same context. See https://cloud.google.com/dlp/docs/concepts-date-shifting

9148

# to learn more.

9149

"context": { # General identifier of a data field in a storage service. # Points to the field that contains the context, for example, an entity id.

9150

# If set, must also set cryptoKey. If set, shift will be consistent for the

9151

# given context.

9152

"name": "A String", # Name describing the field.

9153

},

9154

"upperBoundDays": 42, # Required. Range of shift in days. Actual shift will be selected at random within this

9155

# range (inclusive ends). Negative means shift to earlier in time. Must not

9156

# be more than 365250 days (1000 years) each direction.

9157

#

9158

# For example, 3 means shift date to at most 3 days into the future.

9159

"lowerBoundDays": 42, # Required. For example, -5 means shift date to at most 5 days back in the past.

9160

"cryptoKey": { # This is a data encryption key (DEK) (as opposed to # Causes the shift to be computed based on this key and the context. This

9161

# results in the same shift for the same context and crypto_key. If

9162

# set, must also set context. Can only be applied to table items.

9163

# a key encryption key (KEK) stored by KMS).

9164

# When using KMS to wrap/unwrap DEKs, be sure to set an appropriate

9165

# IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot

9166

# unwrap the data crypto key.

9167

"kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key

9168

# The wrapped key must be a 128/192/256 bit key.

9169

# Authorization requires the following IAM permissions when sending a request

9170

# to perform a crypto transformation using a kms-wrapped crypto key:

9171

# dlp.kms.encrypt

9172

"wrappedKey": "A String", # Required. The wrapped data crypto key.

9173

"cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.

9174

},

9175

"unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key

9176

# leaking the key. Choose another type of key if possible.

9177

"key": "A String", # Required. A 128/192/256 bit key.

9178

},

9179

"transient": { # Use this to have a random data crypto key generated. # Transient crypto key

9180

# It will be discarded after the request finishes.

9181

"name": "A String", # Required. Name of the key.

9182

# This is an arbitrary string used to differentiate different keys.

9183

# A unique key is generated per name: two separate `TransientCryptoKey`

9184

# protos share the same generated key if their names are the same.

9185

# When the data crypto key is generated, this name is not used in any way

9186

# (repeating the api call will result in a different key being generated).

},

},

},

"replaceWithInfoTypeConfig": { # Replace each matching finding with the name of the info_type. # Replace with infotype

9191

},

9192

"cryptoHashConfig": { # Pseudonymization method that generates surrogates via cryptographic hashing. # Crypto

9193

# Uses SHA-256.

9194

# The key size must be either 32 or 64 bytes.

9195

# Outputs a base64 encoded representation of the hashed output

9196

# (for example, L7k0BHmF1ha5U3NfGykjro4xWi1MPVQPjhMAZbSV9mM=).

9197

# Currently, only string and integer values can be hashed.

9198

# See https://cloud.google.com/dlp/docs/pseudonymization to learn more.

9199

"cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the hash function.

9200

# a key encryption key (KEK) stored by KMS).

9201

# When using KMS to wrap/unwrap DEKs, be sure to set an appropriate

9202

# IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot

9203

# unwrap the data crypto key.

9204

"kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key

9205

# The wrapped key must be a 128/192/256 bit key.

9206

# Authorization requires the following IAM permissions when sending a request

9207

# to perform a crypto transformation using a kms-wrapped crypto key:

9208

# dlp.kms.encrypt

9209

"wrappedKey": "A String", # Required. The wrapped data crypto key.

9210

"cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.

9211

},

9212

"unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key

9213

# leaking the key. Choose another type of key if possible.

9214

"key": "A String", # Required. A 128/192/256 bit key.

9215

},

9216

"transient": { # Use this to have a random data crypto key generated. # Transient crypto key

9217

# It will be discarded after the request finishes.

9218

"name": "A String", # Required. Name of the key.

9219

# This is an arbitrary string used to differentiate different keys.

9220

# A unique key is generated per name: two separate `TransientCryptoKey`

9221

# protos share the same generated key if their names are the same.

9222

# When the data crypto key is generated, this name is not used in any way

9223

# (repeating the api call will result in a different key being generated).

},

},

},

"cryptoReplaceFfxFpeConfig": { # Replaces an identifier with a surrogate using Format Preserving Encryption # Ffx-Fpe

9228

# (FPE) with the FFX mode of operation; however when used in the

9229

# `ReidentifyContent` API method, it serves the opposite function by reversing

9230

# the surrogate back into the original identifier. The identifier must be

9231

# encoded as ASCII. For a given crypto key and context, the same identifier

9232

# will be replaced with the same surrogate. Identifiers must be at least two

9233

# characters long. In the case that the identifier is the empty string, it will

9234

# be skipped. See https://cloud.google.com/dlp/docs/pseudonymization to learn

9235

# more.

9236

#

9237

# Note: We recommend using CryptoDeterministicConfig for all use cases which

9238

# do not require preserving the input alphabet space and size, plus warrant

9239

# referential integrity.

9240

"customAlphabet": "A String", # This is supported by mapping these to the alphanumeric characters

9241

# that the FFX mode natively supports. This happens before/after

9242

# encryption/decryption.

9243

# Each character listed must appear only once.

9244

# Number of characters must be in the range [2, 95].

9245

# This must be encoded as ASCII.

9246

# The order of characters does not matter.

9247

"commonAlphabet": "A String", # Common alphabets.

9248

"surrogateInfoType": { # Type of information detected by the API. # The custom infoType to annotate the surrogate with.

9249

# This annotation will be applied to the surrogate by prefixing it with

9250

# the name of the custom infoType followed by the number of

9251

# characters comprising the surrogate. The following scheme defines the

9252

# format: info_type_name(surrogate_character_count):surrogate

9253

#

9254

# For example, if the name of custom infoType is 'MY_TOKEN_INFO_TYPE' and

9255

# the surrogate is 'abc', the full replacement value

9256

# will be: 'MY_TOKEN_INFO_TYPE(3):abc'

9257

#

9258

# This annotation identifies the surrogate when inspecting content using the

9259

# custom infoType

9260

# [`SurrogateType`](/dlp/docs/reference/rest/v2/InspectConfig#surrogatetype).

9261

# This facilitates reversal of the surrogate when it occurs in free text.

9262

#

9263

# In order for inspection to work properly, the name of this infoType must

9264

# not occur naturally anywhere in your data; otherwise, inspection may

9265

# find a surrogate that does not correspond to an actual identifier.

9266

# Therefore, choose your custom infoType name carefully after considering

9267

# what your data looks like. One way to select a name that has a high chance

9268

# of yielding reliable detection is to include one or more unicode characters

9269

# that are highly improbable to exist in your data.

9270

# For example, assuming your data is entered from a regular ASCII keyboard,

9271

# the symbol with the hex code point 29DD might be used like so:

9272

# ⧝MY_TOKEN_TYPE

9273

"name": "A String", # Name of the information type. Either a name of your choosing when

9274

# creating a CustomInfoType, or one of the names listed

9275

# at https://cloud.google.com/dlp/docs/infotypes-reference when specifying

9276

# a built-in type. InfoType names should conform to the pattern

9277

# `[a-zA-Z0-9_]{1,64}`.

9278

},

9279

"context": { # General identifier of a data field in a storage service. # The 'tweak', a context may be used for higher security since the same

9280

# identifier in two different contexts won't be given the same surrogate. If

9281

# the context is not set, a default tweak will be used.

9282

#

9283

# If the context is set but:

9284

#

9285

# 1. there is no record present when transforming a given value or

9286

# 1. the field is not present when transforming a given value,

9287

#

9288

# a default tweak will be used.

9289

#

9290

# Note that case (1) is expected when an `InfoTypeTransformation` is

9291

# applied to both structured and non-structured `ContentItem`s.

9292

# Currently, the referenced field may be of value type integer or string.

9293

#

9294

# The tweak is constructed as a sequence of bytes in big endian byte order

9295

# such that:

9296

#

9297

# - a 64 bit integer is encoded followed by a single byte of value 1

9298

# - a string is encoded in UTF-8 format followed by a single byte of value 2

9299

"name": "A String", # Name describing the field.

9300

},

9301

"radix": 42, # The native way to select the alphabet. Must be in the range [2, 95].

9302

"cryptoKey": { # This is a data encryption key (DEK) (as opposed to # Required. The key used by the encryption algorithm.

9303

# a key encryption key (KEK) stored by KMS).

9304

# When using KMS to wrap/unwrap DEKs, be sure to set an appropriate

9305

# IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot

9306

# unwrap the data crypto key.

9307

"kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key

9308

# The wrapped key must be a 128/192/256 bit key.

9309

# Authorization requires the following IAM permissions when sending a request

9310

# to perform a crypto transformation using a kms-wrapped crypto key:

9311

# dlp.kms.encrypt

9312

"wrappedKey": "A String", # Required. The wrapped data crypto key.

9313

"cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.

9314

},

9315

"unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key

9316

# leaking the key. Choose another type of key if possible.

9317

"key": "A String", # Required. A 128/192/256 bit key.

9318

},

9319

"transient": { # Use this to have a random data crypto key generated. # Transient crypto key

9320

# It will be discarded after the request finishes.

9321

"name": "A String", # Required. Name of the key.

9322

# This is an arbitrary string used to differentiate different keys.

9323

# A unique key is generated per name: two separate `TransientCryptoKey`

9324

# protos share the same generated key if their names are the same.

9325

# When the data crypto key is generated, this name is not used in any way

9326

# (repeating the api call will result in a different key being generated).

},

},

},

"cryptoDeterministicConfig": { # Pseudonymization method that generates deterministic encryption for the given # Deterministic Crypto

9331

# input. Outputs a base64 encoded representation of the encrypted output.

9332

# Uses AES-SIV based on the RFC https://tools.ietf.org/html/rfc5297.

9333

"surrogateInfoType": { # Type of information detected by the API. # The custom info type to annotate the surrogate with.

9334

# This annotation will be applied to the surrogate by prefixing it with

9335

# the name of the custom info type followed by the number of

9336

# characters comprising the surrogate. The following scheme defines the

9337

# format: {info type name}({surrogate character count}):{surrogate}

9338

#

9339

# For example, if the name of custom info type is 'MY_TOKEN_INFO_TYPE' and

9340

# the surrogate is 'abc', the full replacement value

9341

# will be: 'MY_TOKEN_INFO_TYPE(3):abc'

9342

#

9343

# This annotation identifies the surrogate when inspecting content using the

9344

# custom info type 'Surrogate'. This facilitates reversal of the

9345

# surrogate when it occurs in free text.

9346

#

9347

# Note: For record transformations where the entire cell in a table is being

9348

# transformed, surrogates are not mandatory. Surrogates are used to denote

9349

# the location of the token and are necessary for re-identification in free

9350

# form text.

9351

#

9352

# In order for inspection to work properly, the name of this info type must

9353

# not occur naturally anywhere in your data; otherwise, inspection may either

9354

#

9355

# - reverse a surrogate that does not correspond to an actual identifier

9356

# - be unable to parse the surrogate and result in an error

9357

#

9358

# Therefore, choose your custom info type name carefully after considering

9359

# what your data looks like. One way to select a name that has a high chance

9360

# of yielding reliable detection is to include one or more unicode characters

9361

# that are highly improbable to exist in your data.

9362

# For example, assuming your data is entered from a regular ASCII keyboard,

9363

# the symbol with the hex code point 29DD might be used like so:

9364

# ⧝MY_TOKEN_TYPE.

9365

"name": "A String", # Name of the information type. Either a name of your choosing when

9366

# creating a CustomInfoType, or one of the names listed

9367

# at https://cloud.google.com/dlp/docs/infotypes-reference when specifying

9368

# a built-in type. InfoType names should conform to the pattern

9369

# `[a-zA-Z0-9_]{1,64}`.

9370

},

9371

"context": { # General identifier of a data field in a storage service. # A context may be used for higher security and maintaining

9372

# referential integrity such that the same identifier in two different

9373

# contexts will be given a distinct surrogate. The context is appended to

9374

# plaintext value being encrypted. On decryption the provided context is

9375

# validated against the value used during encryption. If a context was

9376

# provided during encryption, same context must be provided during decryption

9377

# as well.

9378

#

9379

# If the context is not set, plaintext would be used as is for encryption.

9380

# If the context is set but:

9381

#

9382

# 1. there is no record present when transforming a given value or

9383

# 2. the field is not present when transforming a given value,

9384

#

9385

# plaintext would be used as is for encryption.

9386

#

9387

# Note that case (1) is expected when an `InfoTypeTransformation` is

9388

# applied to both structured and non-structured `ContentItem`s.

9389

"name": "A String", # Name describing the field.

9390

},

9391

"cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the encryption function.

9392

# a key encryption key (KEK) stored by KMS).

9393

# When using KMS to wrap/unwrap DEKs, be sure to set an appropriate

9394

# IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot

9395

# unwrap the data crypto key.

9396

"kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key

9397

# The wrapped key must be a 128/192/256 bit key.

9398

# Authorization requires the following IAM permissions when sending a request

9399

# to perform a crypto transformation using a kms-wrapped crypto key:

9400

# dlp.kms.encrypt

9401

"wrappedKey": "A String", # Required. The wrapped data crypto key.

9402

"cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.

9403

},

9404

"unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key

9405

# leaking the key. Choose another type of key if possible.

9406

"key": "A String", # Required. A 128/192/256 bit key.

9407

},

9408

"transient": { # Use this to have a random data crypto key generated. # Transient crypto key

9409

# It will be discarded after the request finishes.

9410

"name": "A String", # Required. Name of the key.

9411

# This is an arbitrary string used to differentiate different keys.

9412

# A unique key is generated per name: two separate `TransientCryptoKey`

9413

# protos share the same generated key if their names are the same.

9414

# When the data crypto key is generated, this name is not used in any way

9415

# (repeating the api call will result in a different key being generated).

},

},

},

"redactConfig": { # Redact a given value. For example, if used with an `InfoTypeTransformation` # Redact

9420

# transforming PHONE_NUMBER, and input 'My phone number is 206-555-0123', the

9421

# output would be 'My phone number is '.

9422

},

9423

"bucketingConfig": { # Generalization function that buckets values based on ranges. The ranges and # Bucketing

9424

# replacement values are dynamically provided by the user for custom behavior,

9425

# such as 1-30 -> LOW 31-65 -> MEDIUM 66-100 -> HIGH

9426

# This can be used on

9427

# data of type: number, long, string, timestamp.

9428

# If the bound `Value` type differs from the type of data being transformed, we

9429

# will first attempt converting the type of the data to be transformed to match

9430

# the type of the bound before comparing.

9431

# See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more.

9432

"buckets": [ # Set of buckets. Ranges must be non-overlapping.

9433

{ # Bucket is represented as a range, along with replacement values.

9434

"min": { # Set of primitive values supported by the system. # Lower bound of the range, inclusive. Type should be the same as max if

9435

# used.

9436

# Note that for the purposes of inspection or transformation, the number

9437

# of bytes considered to comprise a 'Value' is based on its representation

9438

# as a UTF-8 encoded string. For example, if 'integer_value' is set to

9439

# 123456789, the number of bytes would be counted as 9, even though an

9440

# int64 only holds up to 8 bytes of data.

9441

"booleanValue": True or False, # boolean

9442

"floatValue": 3.14, # float

9443

"dayOfWeekValue": "A String", # day of week

9444

"timestampValue": "A String", # timestamp

9445

"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date

9446

# and time zone are either specified elsewhere or are not significant. The date

9447

# is relative to the Proleptic Gregorian Calendar. This can represent:

9448

#

9449

# * A full date, with non-zero year, month and day values

9450

# * A month and day value, with a zero year, e.g. an anniversary

9451

# * A year on its own, with zero month and day values

9452

# * A year and month value, with a zero day, e.g. a credit card expiration date

9453

#

9454

# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.

9455

"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without

9456

# a year.

9457

"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a

9458

# month and day.

9459

"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0

9460

# if specifying a year by itself or a year and month where the day is not

9461

# significant.

9462

},

9463

"stringValue": "A String", # string

9464

"integerValue": "A String", # integer

9465

"timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day

9466

# or are specified elsewhere. An API may choose to allow leap seconds. Related

9467

# types are google.type.Date and `google.protobuf.Timestamp`.

9468

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may

9469

# allow the value 60 if it allows leap-seconds.

9470

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

9471

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose

9472

# to allow the value "24:00:00" for scenarios like business closing time.

9473

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

9474

},

9475

},

9476

"max": { # Set of primitive values supported by the system. # Upper bound of the range, exclusive; type must match min.

9477

# Note that for the purposes of inspection or transformation, the number

9478

# of bytes considered to comprise a 'Value' is based on its representation

9479

# as a UTF-8 encoded string. For example, if 'integer_value' is set to

9480

# 123456789, the number of bytes would be counted as 9, even though an

9481

# int64 only holds up to 8 bytes of data.

9482

"booleanValue": True or False, # boolean

9483

"floatValue": 3.14, # float

9484

"dayOfWeekValue": "A String", # day of week

9485

"timestampValue": "A String", # timestamp

9486

"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date

9487

# and time zone are either specified elsewhere or are not significant. The date

9488

# is relative to the Proleptic Gregorian Calendar. This can represent:

9489

#

9490

# * A full date, with non-zero year, month and day values

9491

# * A month and day value, with a zero year, e.g. an anniversary

9492

# * A year on its own, with zero month and day values

9493

# * A year and month value, with a zero day, e.g. a credit card expiration date

9494

#

9495

# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.

9496

"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without

9497

# a year.

9498

"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a

9499

# month and day.

9500

"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0

9501

# if specifying a year by itself or a year and month where the day is not

9502

# significant.

9503

},

9504

"stringValue": "A String", # string

9505

"integerValue": "A String", # integer

9506

"timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day

9507

# or are specified elsewhere. An API may choose to allow leap seconds. Related

9508

# types are google.type.Date and `google.protobuf.Timestamp`.

9509

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may

9510

# allow the value 60 if it allows leap-seconds.

9511

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

9512

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose

9513

# to allow the value "24:00:00" for scenarios like business closing time.

9514

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

9515

},

9516

},

9517

"replacementValue": { # Set of primitive values supported by the system. # Replacement value for this bucket. If not provided

9518

# the default behavior will be to hyphenate the min-max range.

9519

# Note that for the purposes of inspection or transformation, the number

9520

# of bytes considered to comprise a 'Value' is based on its representation

9521

# as a UTF-8 encoded string. For example, if 'integer_value' is set to

9522

# 123456789, the number of bytes would be counted as 9, even though an

9523

# int64 only holds up to 8 bytes of data.

9524

"booleanValue": True or False, # boolean

9525

"floatValue": 3.14, # float

9526

"dayOfWeekValue": "A String", # day of week

9527

"timestampValue": "A String", # timestamp

9528

"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date

9529

# and time zone are either specified elsewhere or are not significant. The date

9530

# is relative to the Proleptic Gregorian Calendar. This can represent:

9531

#

9532

# * A full date, with non-zero year, month and day values

9533

# * A month and day value, with a zero year, e.g. an anniversary

9534

# * A year on its own, with zero month and day values

9535

# * A year and month value, with a zero day, e.g. a credit card expiration date

9536

#

9537

# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.

9538

"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without

9539

# a year.

9540

"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a

9541

# month and day.

9542

"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0

9543

# if specifying a year by itself or a year and month where the day is not

9544

# significant.

9545

},

9546

"stringValue": "A String", # string

9547

"integerValue": "A String", # integer

9548

"timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day

9549

# or are specified elsewhere. An API may choose to allow leap seconds. Related

9550

# types are google.type.Date and `google.protobuf.Timestamp`.

9551

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may

9552

# allow the value 60 if it allows leap-seconds.

9553

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

9554

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose

9555

# to allow the value "24:00:00" for scenarios like business closing time.

9556

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

},

},

},

],

},

"replaceConfig": { # Replace each input value with a given `Value`. # Replace

9563

"newValue": { # Set of primitive values supported by the system. # Value to replace it with.

9564

# Note that for the purposes of inspection or transformation, the number

9565

# of bytes considered to comprise a 'Value' is based on its representation

9566

# as a UTF-8 encoded string. For example, if 'integer_value' is set to

9567

# 123456789, the number of bytes would be counted as 9, even though an

9568

# int64 only holds up to 8 bytes of data.

9569

"booleanValue": True or False, # boolean

9570

"floatValue": 3.14, # float

9571

"dayOfWeekValue": "A String", # day of week

9572

"timestampValue": "A String", # timestamp

9573

"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date

9574

# and time zone are either specified elsewhere or are not significant. The date

9575

# is relative to the Proleptic Gregorian Calendar. This can represent:

9576

#

9577

# * A full date, with non-zero year, month and day values

9578

# * A month and day value, with a zero year, e.g. an anniversary

9579

# * A year on its own, with zero month and day values

9580

# * A year and month value, with a zero day, e.g. a credit card expiration date

9581

#

9582

# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.

9583

"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without

9584

# a year.

9585

"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a

9586

# month and day.

9587

"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0

9588

# if specifying a year by itself or a year and month where the day is not

9589

# significant.

9590

},

9591

"stringValue": "A String", # string

9592

"integerValue": "A String", # integer

9593

"timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day

9594

# or are specified elsewhere. An API may choose to allow leap seconds. Related

9595

# types are google.type.Date and `google.protobuf.Timestamp`.

9596

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may

9597

# allow the value 60 if it allows leap-seconds.

9598

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

9599

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose

9600

# to allow the value "24:00:00" for scenarios like business closing time.

9601

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

},

},

},

"characterMaskConfig": { # Partially mask a string by replacing a given number of characters with a # Mask

9606

# fixed character. Masking can start from the beginning or end of the string.

9607

# This can be used on data of any type (numbers, longs, and so on) and when

9608

# de-identifying structured data we'll attempt to preserve the original data's

9609

# type. (This allows you to take a long like 123 and modify it to a string like

9610

# **3.

9611

"reverseOrder": True or False, # Mask characters in reverse order. For example, if `masking_character` is

9612

# `0`, `number_to_mask` is `14`, and `reverse_order` is `false`, then the

9613

# input string `1234-5678-9012-3456` is masked as `00000000000000-3456`.

9614

# If `masking_character` is `*`, `number_to_mask` is `3`, and `reverse_order`

9615

# is `true`, then the string `12345` is masked as `12***`.

9616

"charactersToIgnore": [ # When masking a string, items in this list will be skipped when replacing

9617

# characters. For example, if the input string is `555-555-5555` and you

9618

# instruct Cloud DLP to skip `-` and mask 5 characters with `*`, Cloud DLP

9619

# returns `***-**5-5555`.

9620

{ # Characters to skip when doing deidentification of a value. These will be left

9621

# alone and skipped.

9622

"charactersToSkip": "A String", # Characters to not transform when masking.

9623

"commonCharactersToIgnore": "A String", # Common characters to not transform when masking. Useful to avoid removing

# punctuation.

},

],

"numberToMask": 42, # Number of characters to mask. If not set, all matching chars will be

9628

# masked. Skipped characters do not count towards this tally.

9629

"maskingCharacter": "A String", # Character to use to mask the sensitive values&mdash;for example, `*` for an

9630

# alphabetic string such as a name, or `0` for a numeric string such as ZIP

9631

# code or credit card number. This string must have a length of 1. If not

9632

# supplied, this value defaults to `*` for strings, and `0` for digits.

9633

},

9634

"fixedSizeBucketingConfig": { # Buckets values based on fixed size ranges. The # Fixed size bucketing

9635

# Bucketing transformation can provide all of this functionality,

9636

# but requires more configuration. This message is provided as a convenience to

9637

# the user for simple bucketing strategies.

9638

#

9639

# The transformed value will be a hyphenated string of

9640

# {lower_bound}-{upper_bound}, i.e if lower_bound = 10 and upper_bound = 20

9641

# all values that are within this bucket will be replaced with "10-20".

9642

#

9643

# This can be used on data of type: double, long.

9644

#

9645

# If the bound Value type differs from the type of data

9646

# being transformed, we will first attempt converting the type of the data to

9647

# be transformed to match the type of the bound before comparing.

9648

#

9649

# See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more.

9650

"lowerBound": { # Set of primitive values supported by the system. # Required. Lower bound value of buckets. All values less than `lower_bound` are

9651

# grouped together into a single bucket; for example if `lower_bound` = 10,

9652

# then all values less than 10 are replaced with the value "-10".

9653

# Note that for the purposes of inspection or transformation, the number

9654

# of bytes considered to comprise a 'Value' is based on its representation

9655

# as a UTF-8 encoded string. For example, if 'integer_value' is set to

9656

# 123456789, the number of bytes would be counted as 9, even though an

9657

# int64 only holds up to 8 bytes of data.

9658

"booleanValue": True or False, # boolean

9659

"floatValue": 3.14, # float

9660

"dayOfWeekValue": "A String", # day of week

9661

"timestampValue": "A String", # timestamp

9662

"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date

9663

# and time zone are either specified elsewhere or are not significant. The date

9664

# is relative to the Proleptic Gregorian Calendar. This can represent:

9665

#

9666

# * A full date, with non-zero year, month and day values

9667

# * A month and day value, with a zero year, e.g. an anniversary

9668

# * A year on its own, with zero month and day values

9669

# * A year and month value, with a zero day, e.g. a credit card expiration date

9670

#

9671

# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.

9672

"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without

9673

# a year.

9674

"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a

9675

# month and day.

9676

"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0

9677

# if specifying a year by itself or a year and month where the day is not

9678

# significant.

9679

},

9680

"stringValue": "A String", # string

9681

"integerValue": "A String", # integer

9682

"timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day

9683

# or are specified elsewhere. An API may choose to allow leap seconds. Related

9684

# types are google.type.Date and `google.protobuf.Timestamp`.

9685

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may

9686

# allow the value 60 if it allows leap-seconds.

9687

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

9688

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose

9689

# to allow the value "24:00:00" for scenarios like business closing time.

9690

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

9691

},

9692

},

9693

"upperBound": { # Set of primitive values supported by the system. # Required. Upper bound value of buckets. All values greater than upper_bound are

9694

# grouped together into a single bucket; for example if `upper_bound` = 89,

9695

# then all values greater than 89 are replaced with the value "89+".

9696

# Note that for the purposes of inspection or transformation, the number

9697

# of bytes considered to comprise a 'Value' is based on its representation

9698

# as a UTF-8 encoded string. For example, if 'integer_value' is set to

9699

# 123456789, the number of bytes would be counted as 9, even though an

9700

# int64 only holds up to 8 bytes of data.

9701

"booleanValue": True or False, # boolean

9702

"floatValue": 3.14, # float

9703

"dayOfWeekValue": "A String", # day of week

9704

"timestampValue": "A String", # timestamp

9705

"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date

9706

# and time zone are either specified elsewhere or are not significant. The date

9707

# is relative to the Proleptic Gregorian Calendar. This can represent:

9708

#

9709

# * A full date, with non-zero year, month and day values

9710

# * A month and day value, with a zero year, e.g. an anniversary

9711

# * A year on its own, with zero month and day values

9712

# * A year and month value, with a zero day, e.g. a credit card expiration date

9713

#

9714

# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.

9715

"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without

9716

# a year.

9717

"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a

9718

# month and day.

9719

"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0

9720

# if specifying a year by itself or a year and month where the day is not

9721

# significant.

9722

},

9723

"stringValue": "A String", # string

9724

"integerValue": "A String", # integer

9725

"timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day

9726

# or are specified elsewhere. An API may choose to allow leap seconds. Related

9727

# types are google.type.Date and `google.protobuf.Timestamp`.

9728

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may

9729

# allow the value 60 if it allows leap-seconds.

9730

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

9731

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose

9732

# to allow the value "24:00:00" for scenarios like business closing time.

9733

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

9734

},

9735

},

9736

"bucketSize": 3.14, # Required. Size of each bucket (except for minimum and maximum buckets). So if

9737

# `lower_bound` = 10, `upper_bound` = 89, and `bucket_size` = 10, then the

9738

# following buckets would be used: -10, 10-20, 20-30, 30-40, 40-50, 50-60,

9739

# 60-70, 70-80, 80-89, 89+. Precision up to 2 decimals works.

9740

},

9741

},

9742

"transformedBytes": "A String", # Total size in bytes that were transformed in some way.

9743

"recordSuppress": { # Configuration to suppress records whose suppression conditions evaluate to # The specific suppression option these stats apply to.

9744

# true.

9745

"condition": { # A condition for determining whether a transformation should be applied to # A condition that when it evaluates to true will result in the record being

9746

# evaluated to be suppressed from the transformed content.

9747

# a field.

9748

"expressions": { # An expression, consisting or an operator and conditions. # An expression.

9749

"logicalOperator": "A String", # The operator to apply to the result of conditions. Default and currently

9750

# only supported value is `AND`.

9751

"conditions": { # A collection of conditions. # Conditions to apply to the expression.

9752

"conditions": [ # A collection of conditions.

9753

{ # The field type of `value` and `field` do not need to match to be

9754

# considered equal, but not all comparisons are possible.

9755

# EQUAL_TO and NOT_EQUAL_TO attempt to compare even with incompatible types,

9756

# but all other comparisons are invalid with incompatible types.

9757

# A `value` of type:

9758

#

9759

# - `string` can be compared against all other types

9760

# - `boolean` can only be compared against other booleans

9761

# - `integer` can be compared against doubles or a string if the string value

9762

# can be parsed as an integer.

9763

# - `double` can be compared against integers or a string if the string can

9764

# be parsed as a double.

9765

# - `Timestamp` can be compared against strings in RFC 3339 date string

9766

# format.

9767

# - `TimeOfDay` can be compared against timestamps and strings in the format

9768

# of 'HH:mm:ss'.

9769

#

9770

# If we fail to compare do to type mismatch, a warning will be given and

9771

# the condition will evaluate to false.

9772

"field": { # General identifier of a data field in a storage service. # Required. Field within the record this condition is evaluated against.

9773

"name": "A String", # Name describing the field.

9774

},

9775

"operator": "A String", # Required. Operator used to compare the field or infoType to the value.

9776

"value": { # Set of primitive values supported by the system. # Value to compare against. [Mandatory, except for `EXISTS` tests.]

9777

# Note that for the purposes of inspection or transformation, the number

9778

# of bytes considered to comprise a 'Value' is based on its representation

9779

# as a UTF-8 encoded string. For example, if 'integer_value' is set to

9780

# 123456789, the number of bytes would be counted as 9, even though an

9781

# int64 only holds up to 8 bytes of data.

9782

"booleanValue": True or False, # boolean

9783

"floatValue": 3.14, # float

9784

"dayOfWeekValue": "A String", # day of week

9785

"timestampValue": "A String", # timestamp

9786

"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date

9787

# and time zone are either specified elsewhere or are not significant. The date

9788

# is relative to the Proleptic Gregorian Calendar. This can represent:

9789

#

9790

# * A full date, with non-zero year, month and day values

9791

# * A month and day value, with a zero year, e.g. an anniversary

9792

# * A year on its own, with zero month and day values

9793

# * A year and month value, with a zero day, e.g. a credit card expiration date

9794

#

9795

# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.

9796

"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without

9797

# a year.

9798

"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a

9799

# month and day.

9800

"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0

9801

# if specifying a year by itself or a year and month where the day is not

9802

# significant.

9803

},

9804

"stringValue": "A String", # string

9805

"integerValue": "A String", # integer

9806

"timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day

9807

# or are specified elsewhere. An API may choose to allow leap seconds. Related

9808

# types are google.type.Date and `google.protobuf.Timestamp`.

9809

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may

9810

# allow the value 60 if it allows leap-seconds.

9811

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

9812

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose

9813

# to allow the value "24:00:00" for scenarios like business closing time.

9814

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

},

},

},

],

},

},

},

},

"infoType": { # Type of information detected by the API. # Set if the transformation was limited to a specific InfoType.

9824

"name": "A String", # Name of the information type. Either a name of your choosing when

9825

# creating a CustomInfoType, or one of the names listed

9826

# at https://cloud.google.com/dlp/docs/infotypes-reference when specifying

9827

# a built-in type. InfoType names should conform to the pattern

9828

# `[a-zA-Z0-9_]{1,64}`.

9829

},

9830

"results": [ # Collection of all transformations that took place or had an error.

9831

{ # A collection that informs the user the number of times a particular

9832

# `TransformationResultCode` and error details occurred.

9833

"code": "A String", # Outcome of the transformation.

9834

"count": "A String", # Number of transformations counted by this result.

9835

"details": "A String", # A place for warnings or errors to show up if a transformation didn't

# work as expected.

},

],

},

],

"transformedBytes": "A String", # Total size in bytes that were transformed in some way.

9842

},

9843

"item": { # Container structure for the content to inspect. # The re-identified item.

9844

"byteItem": { # Container for bytes to inspect or redact. # Content data to inspect or redact. Replaces `type` and `data`.

9845

"type": "A String", # The type of data stored in the bytes string. Default will be TEXT_UTF8.

9846

"data": "A String", # Content data to inspect or redact.

9847

},

9848

"value": "A String", # String data to inspect or redact.

9849

"table": { # Structured content to inspect. Up to 50,000 `Value`s per request allowed. # Structured content for inspection. See

9850

# https://cloud.google.com/dlp/docs/inspecting-text#inspecting_a_table to

9851

# learn more.

9852

# See https://cloud.google.com/dlp/docs/inspecting-text#inspecting_a_table to

9853

# learn more.

9854

"rows": [ # Rows of the table.

9855

{ # Values of the row.

9856

"values": [ # Individual cells.

9857

{ # Set of primitive values supported by the system.

9858

# Note that for the purposes of inspection or transformation, the number

9859

# of bytes considered to comprise a 'Value' is based on its representation

9860

# as a UTF-8 encoded string. For example, if 'integer_value' is set to

9861

# 123456789, the number of bytes would be counted as 9, even though an

9862

# int64 only holds up to 8 bytes of data.

9863

"booleanValue": True or False, # boolean

9864

"floatValue": 3.14, # float

9865

"dayOfWeekValue": "A String", # day of week

9866

"timestampValue": "A String", # timestamp

9867

"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date

9868

# and time zone are either specified elsewhere or are not significant. The date

9869

# is relative to the Proleptic Gregorian Calendar. This can represent:

9870

#

9871

# * A full date, with non-zero year, month and day values

9872

# * A month and day value, with a zero year, e.g. an anniversary

9873

# * A year on its own, with zero month and day values

9874

# * A year and month value, with a zero day, e.g. a credit card expiration date

9875

#

9876

# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.

9877

"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without

9878

# a year.

9879

"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a

9880

# month and day.

9881

"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0

9882

# if specifying a year by itself or a year and month where the day is not

9883

# significant.

9884

},

9885

"stringValue": "A String", # string

9886

"integerValue": "A String", # integer

9887

"timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day

9888

# or are specified elsewhere. An API may choose to allow leap seconds. Related

9889

# types are google.type.Date and `google.protobuf.Timestamp`.

9890

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may

9891

# allow the value 60 if it allows leap-seconds.

9892

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

9893

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose

9894

# to allow the value "24:00:00" for scenarios like business closing time.

9895

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

},

},

],

},

],

"headers": [ # Headers of the table.

9902

{ # General identifier of a data field in a storage service.

9903

"name": "A String", # Name describing the field.

},

],

},

},

}</pre>

</div>

</body></html>