Bu Sun Kim65020912020-05-20 12:08:20 -07001<html><body>
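<style>

/* Reset: remove default spacing and borders, and inherit typography,
   so the rules below are the only styling that applies. */
body, h1, h2, h3, div, span, p, pre, a {
  margin: 0;
  padding: 0;
  border: 0;
  font-weight: inherit;
  font-style: inherit;
  font-size: 100%;
  font-family: inherit;
  vertical-align: baseline;
}

/* Page-wide base size and outer padding. */
body {
  font-size: 13px;
  padding: 1em;
}

/* Heading sizes, largest to smallest. */
h1 {
  font-size: 26px;
  margin-bottom: 1em;
}

h2 {
  font-size: 24px;
  margin-bottom: 1em;
}

h3 {
  font-size: 20px;
  margin-bottom: 1em;
  margin-top: 1em;
}

/* Monospace stack for signatures and request/response bodies. */
pre, code {
  line-height: 1.5;
  font-family: Monaco, 'DejaVu Sans Mono', 'Bitstream Vera Sans Mono', 'Lucida Console', monospace;
}

pre {
  margin-top: 0.5em;
}

/* The generic family keyword is hyphenated; unhyphenated "sans serif" is
   read as a font named "sans serif" and never reaches the generic fallback. */
h1, h2, h3, p {
  font-family: Arial, sans-serif;
}

h1, h2, h3 {
  border-bottom: solid #CCC 1px;
}

/* One entry in the method table of contents. */
.toc_element {
  margin-top: 0.5em;
}

/* One-line summary under a table-of-contents entry. A length must not have
   a space between number and unit; "2 em" is invalid and the declaration
   is dropped. */
.firstline {
  margin-left: 2em;
}

/* Boxed container for one method's full documentation. */
.method {
  margin-top: 1em;
  border: solid 1px #CCC;
  padding: 1em;
  background: #EEE;
}

/* Method signature shown at the top of a .method box. */
.details {
  font-weight: bold;
  font-size: 14px;
}

</style>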
74
75<h1><a href="dlp_v2.html">Cloud Data Loss Prevention (DLP) API</a> . <a href="dlp_v2.projects.html">projects</a> . <a href="dlp_v2.projects.locations.html">locations</a> . <a href="dlp_v2.projects.locations.deidentifyTemplates.html">deidentifyTemplates</a></h1>
76<h2>Instance Methods</h2>
77<p class="toc_element">
78 <code><a href="#create">create(parent, locationId, body=None, x__xgafv=None)</a></code></p>
79<p class="firstline">Creates a DeidentifyTemplate for re-using frequently used configuration</p>
80<p class="toc_element">
81 <code><a href="#delete">delete(name, x__xgafv=None)</a></code></p>
82<p class="firstline">Deletes a DeidentifyTemplate.</p>
83<p class="toc_element">
84 <code><a href="#get">get(name, x__xgafv=None)</a></code></p>
85<p class="firstline">Gets a DeidentifyTemplate.</p>
86<p class="toc_element">
87 <code><a href="#list">list(parent, locationId, pageToken=None, pageSize=None, orderBy=None, x__xgafv=None)</a></code></p>
88<p class="firstline">Lists DeidentifyTemplates.</p>
89<p class="toc_element">
90 <code><a href="#list_next">list_next(previous_request, previous_response)</a></code></p>
91<p class="firstline">Retrieves the next page of results.</p>
92<p class="toc_element">
93 <code><a href="#patch">patch(name, body=None, x__xgafv=None)</a></code></p>
94<p class="firstline">Updates the DeidentifyTemplate.</p>
95<h3>Method Details</h3>
96<div class="method">
97 <code class="details" id="create">create(parent, locationId, body=None, x__xgafv=None)</code>
98 <pre>Creates a DeidentifyTemplate for re-using frequently used configuration
99for de-identifying content, images, and storage.
100See https://cloud.google.com/dlp/docs/creating-templates-deid to learn
101more.
102
103Args:
104 parent: string, Required. The parent resource name, for example projects/my-project-id or
105organizations/my-org-id. (required)
106 locationId: string, The geographic location to store the deidentification template. Reserved
107for future extensions. (required)
108 body: object, The request body.
109 The object takes the form of:
110
111{ # Request message for CreateDeidentifyTemplate.
112 &quot;templateId&quot;: &quot;A String&quot;, # The template id can contain uppercase and lowercase letters,
113 # numbers, and hyphens; that is, it must match the regular
114 # expression: `[a-zA-Z\\d-_]+`. The maximum length is 100
115 # characters. Can be empty to allow the system to generate one.
116 &quot;deidentifyTemplate&quot;: { # DeidentifyTemplates contains instructions on how to de-identify content. # Required. The DeidentifyTemplate to create.
117 # See https://cloud.google.com/dlp/docs/concepts-templates to learn more.
118 &quot;name&quot;: &quot;A String&quot;, # Output only. The template name.
119 #
120 # The template will have one of the following formats:
121 # `projects/PROJECT_ID/deidentifyTemplates/TEMPLATE_ID` OR
122 # `organizations/ORGANIZATION_ID/deidentifyTemplates/TEMPLATE_ID`
123 &quot;description&quot;: &quot;A String&quot;, # Short description (max 256 chars).
124 &quot;displayName&quot;: &quot;A String&quot;, # Display name (max 256 chars).
125 &quot;createTime&quot;: &quot;A String&quot;, # Output only. The creation timestamp of an inspectTemplate.
126 &quot;updateTime&quot;: &quot;A String&quot;, # Output only. The last update timestamp of an inspectTemplate.
127 &quot;deidentifyConfig&quot;: { # The configuration that controls how the data will change. # ///////////// // The core content of the template // ///////////////
128 &quot;transformationErrorHandling&quot;: { # Mode for handling transformation errors. If left unspecified, the default
129 # mode is `TransformationErrorHandling.ThrowError`.
130 # How to handle transformation errors during de-identification. A transformation error occurs when the requested transformation is incompatible
131 # with the data. For example, trying to de-identify an IP address using a
132 # `DateShift` transformation would result in a transformation error, since date
133 # info cannot be extracted from an IP address.
134 # Information about any incompatible transformations, and how they were
135 # handled, is returned in the response as part of the
136 # `TransformationOverviews`.
137 &quot;throwError&quot;: { # Throw an error and fail the request when a transformation error occurs. # Throw an error
138 },
139 &quot;leaveUntransformed&quot;: { # Skips the data without modifying it if the requested transformation would # Ignore errors
140 # cause an error. For example, if a `DateShift` transformation were applied
141 # to an IP address, this mode would leave the IP address unchanged in the
142 # response.
143 },
144 },
145 &quot;recordTransformations&quot;: { # A type of transformation that is applied over structured data such as a # Treat the dataset as structured. Transformations can be applied to
146 # specific locations within structured datasets, such as transforming
147 # a column within a table.
148 # table.
149 &quot;recordSuppressions&quot;: [ # Configuration defining which records get suppressed entirely. Records that
150 # match any suppression rule are omitted from the output.
151 { # Configuration to suppress records whose suppression conditions evaluate to
152 # true.
153 &quot;condition&quot;: { # A condition for determining whether a transformation should be applied to # A condition that when it evaluates to true will result in the record being
154 # evaluated to be suppressed from the transformed content.
155 # a field.
156 &quot;expressions&quot;: { # An expression, consisting of an operator and conditions. # An expression.
157 &quot;logicalOperator&quot;: &quot;A String&quot;, # The operator to apply to the result of conditions. Default and currently
158 # only supported value is `AND`.
159 &quot;conditions&quot;: { # A collection of conditions. # Conditions to apply to the expression.
160 &quot;conditions&quot;: [ # A collection of conditions.
161 { # The field type of `value` and `field` do not need to match to be
162 # considered equal, but not all comparisons are possible.
163 # EQUAL_TO and NOT_EQUAL_TO attempt to compare even with incompatible types,
164 # but all other comparisons are invalid with incompatible types.
165 # A `value` of type:
166 #
167 # - `string` can be compared against all other types
168 # - `boolean` can only be compared against other booleans
169 # - `integer` can be compared against doubles or a string if the string value
170 # can be parsed as an integer.
171 # - `double` can be compared against integers or a string if the string can
172 # be parsed as a double.
173 # - `Timestamp` can be compared against strings in RFC 3339 date string
174 # format.
175 # - `TimeOfDay` can be compared against timestamps and strings in the format
176 # of &#x27;HH:mm:ss&#x27;.
177 #
178 # If we fail to compare due to type mismatch, a warning will be given and
179 # the condition will evaluate to false.
180 &quot;field&quot;: { # General identifier of a data field in a storage service. # Required. Field within the record this condition is evaluated against.
181 &quot;name&quot;: &quot;A String&quot;, # Name describing the field.
182 },
183 &quot;operator&quot;: &quot;A String&quot;, # Required. Operator used to compare the field or infoType to the value.
184 &quot;value&quot;: { # Set of primitive values supported by the system. # Value to compare against. [Mandatory, except for `EXISTS` tests.]
185 # Note that for the purposes of inspection or transformation, the number
186 # of bytes considered to comprise a &#x27;Value&#x27; is based on its representation
187 # as a UTF-8 encoded string. For example, if &#x27;integer_value&#x27; is set to
188 # 123456789, the number of bytes would be counted as 9, even though an
189 # int64 only holds up to 8 bytes of data.
190 &quot;booleanValue&quot;: True or False, # boolean
191 &quot;floatValue&quot;: 3.14, # float
192 &quot;dayOfWeekValue&quot;: &quot;A String&quot;, # day of week
193 &quot;timestampValue&quot;: &quot;A String&quot;, # timestamp
194 &quot;dateValue&quot;: { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date
195 # and time zone are either specified elsewhere or are not significant. The date
196 # is relative to the Proleptic Gregorian Calendar. This can represent:
197 #
198 # * A full date, with non-zero year, month and day values
199 # * A month and day value, with a zero year, e.g. an anniversary
200 # * A year on its own, with zero month and day values
201 # * A year and month value, with a zero day, e.g. a credit card expiration date
202 #
203 # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
204 &quot;year&quot;: 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
205 # a year.
206 &quot;month&quot;: 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
207 # month and day.
208 &quot;day&quot;: 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
209 # if specifying a year by itself or a year and month where the day is not
210 # significant.
211 },
212 &quot;stringValue&quot;: &quot;A String&quot;, # string
213 &quot;integerValue&quot;: &quot;A String&quot;, # integer
214 &quot;timeValue&quot;: { # Represents a time of day. The date and time zone are either not significant # time of day
215 # or are specified elsewhere. An API may choose to allow leap seconds. Related
216 # types are google.type.Date and `google.protobuf.Timestamp`.
217 &quot;seconds&quot;: 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
218 # allow the value 60 if it allows leap-seconds.
219 &quot;nanos&quot;: 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
220 &quot;hours&quot;: 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
221 # to allow the value &quot;24:00:00&quot; for scenarios like business closing time.
222 &quot;minutes&quot;: 42, # Minutes of hour of day. Must be from 0 to 59.
223 },
224 },
225 },
226 ],
227 },
228 },
229 },
230 },
231 ],
232 &quot;fieldTransformations&quot;: [ # Transform the record by applying various field transformations.
233 { # The transformation to apply to the field.
234 &quot;fields&quot;: [ # Required. Input field(s) to apply the transformation to.
235 { # General identifier of a data field in a storage service.
236 &quot;name&quot;: &quot;A String&quot;, # Name describing the field.
237 },
238 ],
239 &quot;infoTypeTransformations&quot;: { # A type of transformation that will scan unstructured text and # Treat the contents of the field as free text, and selectively
240 # transform content that matches an `InfoType`.
241 # apply various `PrimitiveTransformation`s to each finding, where the
242 # transformation is applied to only values that were identified as a specific
243 # info_type.
244 &quot;transformations&quot;: [ # Required. Transformation for each infoType. Cannot specify more than one
245 # for a given infoType.
246 { # A transformation to apply to text that is identified as a specific
247 # info_type.
248 &quot;infoTypes&quot;: [ # InfoTypes to apply the transformation to. An empty list will cause
249 # this transformation to apply to all findings that correspond to
250 # infoTypes that were requested in `InspectConfig`.
251 { # Type of information detected by the API.
252 &quot;name&quot;: &quot;A String&quot;, # Name of the information type. Either a name of your choosing when
253 # creating a CustomInfoType, or one of the names listed
254 # at https://cloud.google.com/dlp/docs/infotypes-reference when specifying
255 # a built-in type. InfoType names should conform to the pattern
256 # `[a-zA-Z0-9_]{1,64}`.
257 },
258 ],
259 &quot;primitiveTransformation&quot;: { # A rule for transforming a value. # Required. Primitive transformation to apply to the infoType.
260 &quot;timePartConfig&quot;: { # For use with `Date`, `Timestamp`, and `TimeOfDay`, extract or preserve a # Time extraction
261 # portion of the value.
262 &quot;partToExtract&quot;: &quot;A String&quot;, # The part of the time to keep.
263 },
264 &quot;dateShiftConfig&quot;: { # Shifts dates by random number of days, with option to be consistent for the # Date Shift
265 # same context. See https://cloud.google.com/dlp/docs/concepts-date-shifting
266 # to learn more.
267 &quot;context&quot;: { # General identifier of a data field in a storage service. # Points to the field that contains the context, for example, an entity id.
268 # If set, must also set cryptoKey. If set, shift will be consistent for the
269 # given context.
270 &quot;name&quot;: &quot;A String&quot;, # Name describing the field.
271 },
272 &quot;upperBoundDays&quot;: 42, # Required. Range of shift in days. Actual shift will be selected at random within this
273 # range (inclusive ends). Negative means shift to earlier in time. Must not
274 # be more than 365250 days (1000 years) each direction.
275 #
276 # For example, 3 means shift date to at most 3 days into the future.
277 &quot;lowerBoundDays&quot;: 42, # Required. For example, -5 means shift date to at most 5 days back in the past.
278 &quot;cryptoKey&quot;: { # Causes the shift to be computed based on this key and the context. This
279 # results in the same shift for the same context and crypto_key. If
280 # set, must also set context. Can only be applied to table items.
281 # This is a data encryption key (DEK) (as opposed to a key encryption key (KEK) stored by KMS).
282 # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
283 # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
284 # unwrap the data crypto key.
285 &quot;kmsWrapped&quot;: { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key
286 # The wrapped key must be a 128/192/256 bit key.
287 # Authorization requires the following IAM permissions when sending a request
288 # to perform a crypto transformation using a kms-wrapped crypto key:
289 # dlp.kms.encrypt
290 &quot;wrappedKey&quot;: &quot;A String&quot;, # Required. The wrapped data crypto key.
291 &quot;cryptoKeyName&quot;: &quot;A String&quot;, # Required. The resource name of the KMS CryptoKey to use for unwrapping.
292 },
293 &quot;unwrapped&quot;: { # Unwrapped crypto key
294 # Using raw keys is prone to security risks due to accidentally leaking the key. Choose another type of key if possible.
295 &quot;key&quot;: &quot;A String&quot;, # Required. A 128/192/256 bit key.
296 },
297 &quot;transient&quot;: { # Use this to have a random data crypto key generated. # Transient crypto key
298 # It will be discarded after the request finishes.
299 &quot;name&quot;: &quot;A String&quot;, # Required. Name of the key.
300 # This is an arbitrary string used to differentiate different keys.
301 # A unique key is generated per name: two separate `TransientCryptoKey`
302 # protos share the same generated key if their names are the same.
303 # When the data crypto key is generated, this name is not used in any way
304 # (repeating the api call will result in a different key being generated).
305 },
306 },
307 },
308 &quot;replaceWithInfoTypeConfig&quot;: { # Replace each matching finding with the name of the info_type. # Replace with infotype
309 },
310 &quot;cryptoHashConfig&quot;: { # Pseudonymization method that generates surrogates via cryptographic hashing. # Crypto
311 # Uses SHA-256.
312 # The key size must be either 32 or 64 bytes.
313 # Outputs a base64 encoded representation of the hashed output
314 # (for example, L7k0BHmF1ha5U3NfGykjro4xWi1MPVQPjhMAZbSV9mM=).
315 # Currently, only string and integer values can be hashed.
316 # See https://cloud.google.com/dlp/docs/pseudonymization to learn more.
317 &quot;cryptoKey&quot;: { # The key used by the hash function.
318 # This is a data encryption key (DEK) (as opposed to a key encryption key (KEK) stored by KMS).
319 # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
320 # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
321 # unwrap the data crypto key.
322 &quot;kmsWrapped&quot;: { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key
323 # The wrapped key must be a 128/192/256 bit key.
324 # Authorization requires the following IAM permissions when sending a request
325 # to perform a crypto transformation using a kms-wrapped crypto key:
326 # dlp.kms.encrypt
327 &quot;wrappedKey&quot;: &quot;A String&quot;, # Required. The wrapped data crypto key.
328 &quot;cryptoKeyName&quot;: &quot;A String&quot;, # Required. The resource name of the KMS CryptoKey to use for unwrapping.
329 },
330 &quot;unwrapped&quot;: { # Unwrapped crypto key
331 # Using raw keys is prone to security risks due to accidentally leaking the key. Choose another type of key if possible.
332 &quot;key&quot;: &quot;A String&quot;, # Required. A 128/192/256 bit key.
333 },
334 &quot;transient&quot;: { # Use this to have a random data crypto key generated. # Transient crypto key
335 # It will be discarded after the request finishes.
336 &quot;name&quot;: &quot;A String&quot;, # Required. Name of the key.
337 # This is an arbitrary string used to differentiate different keys.
338 # A unique key is generated per name: two separate `TransientCryptoKey`
339 # protos share the same generated key if their names are the same.
340 # When the data crypto key is generated, this name is not used in any way
341 # (repeating the api call will result in a different key being generated).
342 },
343 },
344 },
345 &quot;cryptoReplaceFfxFpeConfig&quot;: { # Replaces an identifier with a surrogate using Format Preserving Encryption # Ffx-Fpe
346 # (FPE) with the FFX mode of operation; however when used in the
347 # `ReidentifyContent` API method, it serves the opposite function by reversing
348 # the surrogate back into the original identifier. The identifier must be
349 # encoded as ASCII. For a given crypto key and context, the same identifier
350 # will be replaced with the same surrogate. Identifiers must be at least two
351 # characters long. In the case that the identifier is the empty string, it will
352 # be skipped. See https://cloud.google.com/dlp/docs/pseudonymization to learn
353 # more.
354 #
355 # Note: We recommend using CryptoDeterministicConfig for all use cases which
356 # do not require preserving the input alphabet space and size, plus warrant
357 # referential integrity.
358 &quot;customAlphabet&quot;: &quot;A String&quot;, # This is supported by mapping these to the alphanumeric characters
359 # that the FFX mode natively supports. This happens before/after
360 # encryption/decryption.
361 # Each character listed must appear only once.
362 # Number of characters must be in the range [2, 95].
363 # This must be encoded as ASCII.
364 # The order of characters does not matter.
365 &quot;commonAlphabet&quot;: &quot;A String&quot;, # Common alphabets.
366 &quot;surrogateInfoType&quot;: { # Type of information detected by the API. # The custom infoType to annotate the surrogate with.
367 # This annotation will be applied to the surrogate by prefixing it with
368 # the name of the custom infoType followed by the number of
369 # characters comprising the surrogate. The following scheme defines the
370 # format: info_type_name(surrogate_character_count):surrogate
371 #
372 # For example, if the name of custom infoType is &#x27;MY_TOKEN_INFO_TYPE&#x27; and
373 # the surrogate is &#x27;abc&#x27;, the full replacement value
374 # will be: &#x27;MY_TOKEN_INFO_TYPE(3):abc&#x27;
375 #
376 # This annotation identifies the surrogate when inspecting content using the
377 # custom infoType
378 # [`SurrogateType`](/dlp/docs/reference/rest/v2/InspectConfig#surrogatetype).
379 # This facilitates reversal of the surrogate when it occurs in free text.
380 #
381 # In order for inspection to work properly, the name of this infoType must
382 # not occur naturally anywhere in your data; otherwise, inspection may
383 # find a surrogate that does not correspond to an actual identifier.
384 # Therefore, choose your custom infoType name carefully after considering
385 # what your data looks like. One way to select a name that has a high chance
386 # of yielding reliable detection is to include one or more unicode characters
387 # that are highly improbable to exist in your data.
388 # For example, assuming your data is entered from a regular ASCII keyboard,
389 # the symbol with the hex code point 29DD might be used like so:
390 # ⧝MY_TOKEN_TYPE
391 &quot;name&quot;: &quot;A String&quot;, # Name of the information type. Either a name of your choosing when
392 # creating a CustomInfoType, or one of the names listed
393 # at https://cloud.google.com/dlp/docs/infotypes-reference when specifying
394 # a built-in type. InfoType names should conform to the pattern
395 # `[a-zA-Z0-9_]{1,64}`.
396 },
397 &quot;context&quot;: { # General identifier of a data field in a storage service. # The &#x27;tweak&#x27;, a context may be used for higher security since the same
398 # identifier in two different contexts won&#x27;t be given the same surrogate. If
399 # the context is not set, a default tweak will be used.
400 #
401 # If the context is set but:
402 #
403 # 1. there is no record present when transforming a given value or
404 # 1. the field is not present when transforming a given value,
405 #
406 # a default tweak will be used.
407 #
408 # Note that case (1) is expected when an `InfoTypeTransformation` is
409 # applied to both structured and non-structured `ContentItem`s.
410 # Currently, the referenced field may be of value type integer or string.
411 #
412 # The tweak is constructed as a sequence of bytes in big endian byte order
413 # such that:
414 #
415 # - a 64 bit integer is encoded followed by a single byte of value 1
416 # - a string is encoded in UTF-8 format followed by a single byte of value 2
417 &quot;name&quot;: &quot;A String&quot;, # Name describing the field.
418 },
419 &quot;radix&quot;: 42, # The native way to select the alphabet. Must be in the range [2, 95].
420 &quot;cryptoKey&quot;: { # Required. The key used by the encryption algorithm.
421 # This is a data encryption key (DEK) (as opposed to a key encryption key (KEK) stored by KMS).
422 # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
423 # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
424 # unwrap the data crypto key.
425 &quot;kmsWrapped&quot;: { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key
426 # The wrapped key must be a 128/192/256 bit key.
427 # Authorization requires the following IAM permissions when sending a request
428 # to perform a crypto transformation using a kms-wrapped crypto key:
429 # dlp.kms.encrypt
430 &quot;wrappedKey&quot;: &quot;A String&quot;, # Required. The wrapped data crypto key.
431 &quot;cryptoKeyName&quot;: &quot;A String&quot;, # Required. The resource name of the KMS CryptoKey to use for unwrapping.
432 },
433 &quot;unwrapped&quot;: { # Unwrapped crypto key
434 # Using raw keys is prone to security risks due to accidentally leaking the key. Choose another type of key if possible.
435 &quot;key&quot;: &quot;A String&quot;, # Required. A 128/192/256 bit key.
436 },
437 &quot;transient&quot;: { # Use this to have a random data crypto key generated. # Transient crypto key
438 # It will be discarded after the request finishes.
439 &quot;name&quot;: &quot;A String&quot;, # Required. Name of the key.
440 # This is an arbitrary string used to differentiate different keys.
441 # A unique key is generated per name: two separate `TransientCryptoKey`
442 # protos share the same generated key if their names are the same.
443 # When the data crypto key is generated, this name is not used in any way
444 # (repeating the api call will result in a different key being generated).
445 },
446 },
447 },
448 &quot;cryptoDeterministicConfig&quot;: { # Pseudonymization method that generates deterministic encryption for the given # Deterministic Crypto
449 # input. Outputs a base64 encoded representation of the encrypted output.
450 # Uses AES-SIV based on the RFC https://tools.ietf.org/html/rfc5297.
451 &quot;surrogateInfoType&quot;: { # Type of information detected by the API. # The custom info type to annotate the surrogate with.
452 # This annotation will be applied to the surrogate by prefixing it with
453 # the name of the custom info type followed by the number of
454 # characters comprising the surrogate. The following scheme defines the
455 # format: {info type name}({surrogate character count}):{surrogate}
456 #
457 # For example, if the name of custom info type is &#x27;MY_TOKEN_INFO_TYPE&#x27; and
458 # the surrogate is &#x27;abc&#x27;, the full replacement value
459 # will be: &#x27;MY_TOKEN_INFO_TYPE(3):abc&#x27;
460 #
461 # This annotation identifies the surrogate when inspecting content using the
462 # custom info type &#x27;Surrogate&#x27;. This facilitates reversal of the
463 # surrogate when it occurs in free text.
464 #
465 # Note: For record transformations where the entire cell in a table is being
466 # transformed, surrogates are not mandatory. Surrogates are used to denote
467 # the location of the token and are necessary for re-identification in free
468 # form text.
469 #
470 # In order for inspection to work properly, the name of this info type must
471 # not occur naturally anywhere in your data; otherwise, inspection may either
472 #
473 # - reverse a surrogate that does not correspond to an actual identifier
474 # - be unable to parse the surrogate and result in an error
475 #
476 # Therefore, choose your custom info type name carefully after considering
477 # what your data looks like. One way to select a name that has a high chance
478 # of yielding reliable detection is to include one or more unicode characters
479 # that are highly improbable to exist in your data.
480 # For example, assuming your data is entered from a regular ASCII keyboard,
481 # the symbol with the hex code point 29DD might be used like so:
482 # ⧝MY_TOKEN_TYPE.
483 &quot;name&quot;: &quot;A String&quot;, # Name of the information type. Either a name of your choosing when
484 # creating a CustomInfoType, or one of the names listed
485 # at https://cloud.google.com/dlp/docs/infotypes-reference when specifying
486 # a built-in type. InfoType names should conform to the pattern
487 # `[a-zA-Z0-9_]{1,64}`.
488 },
489 &quot;context&quot;: { # General identifier of a data field in a storage service. # A context may be used for higher security and maintaining
490 # referential integrity such that the same identifier in two different
491 # contexts will be given a distinct surrogate. The context is appended to
492 # plaintext value being encrypted. On decryption the provided context is
493 # validated against the value used during encryption. If a context was
494 # provided during encryption, same context must be provided during decryption
495 # as well.
496 #
497 # If the context is not set, plaintext would be used as is for encryption.
498 # If the context is set but:
499 #
500 # 1. there is no record present when transforming a given value or
501 # 2. the field is not present when transforming a given value,
502 #
503 # plaintext would be used as is for encryption.
504 #
505 # Note that case (1) is expected when an `InfoTypeTransformation` is
506 # applied to both structured and non-structured `ContentItem`s.
507 &quot;name&quot;: &quot;A String&quot;, # Name describing the field.
508 },
509 &quot;cryptoKey&quot;: { # The key used by the encryption function.
510 # This is a data encryption key (DEK) (as opposed to a key encryption key (KEK) stored by KMS).
511 # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
512 # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
513 # unwrap the data crypto key.
514 &quot;kmsWrapped&quot;: { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key
515 # The wrapped key must be a 128/192/256 bit key.
516 # Authorization requires the following IAM permissions when sending a request
517 # to perform a crypto transformation using a kms-wrapped crypto key:
518 # dlp.kms.encrypt
519 &quot;wrappedKey&quot;: &quot;A String&quot;, # Required. The wrapped data crypto key.
520 &quot;cryptoKeyName&quot;: &quot;A String&quot;, # Required. The resource name of the KMS CryptoKey to use for unwrapping.
521 },
522 &quot;unwrapped&quot;: { # Unwrapped crypto key
523 # Using raw keys is prone to security risks due to accidentally leaking the key. Choose another type of key if possible.
524 &quot;key&quot;: &quot;A String&quot;, # Required. A 128/192/256 bit key.
525 },
526 &quot;transient&quot;: { # Use this to have a random data crypto key generated. # Transient crypto key
527 # It will be discarded after the request finishes.
528 &quot;name&quot;: &quot;A String&quot;, # Required. Name of the key.
529 # This is an arbitrary string used to differentiate different keys.
530 # A unique key is generated per name: two separate `TransientCryptoKey`
531 # protos share the same generated key if their names are the same.
532 # When the data crypto key is generated, this name is not used in any way
533 # (repeating the api call will result in a different key being generated).
534 },
535 },
536 },
537 &quot;redactConfig&quot;: { # Redact a given value. For example, if used with an `InfoTypeTransformation` # Redact
538 # transforming PHONE_NUMBER, and input &#x27;My phone number is 206-555-0123&#x27;, the
539 # output would be &#x27;My phone number is &#x27;.
540 },
541 &quot;bucketingConfig&quot;: { # Generalization function that buckets values based on ranges. The ranges and # Bucketing
542 # replacement values are dynamically provided by the user for custom behavior,
543 # such as 1-30 -&gt; LOW 31-65 -&gt; MEDIUM 66-100 -&gt; HIGH
544 # This can be used on
545 # data of type: number, long, string, timestamp.
546 # If the bound `Value` type differs from the type of data being transformed, we
547 # will first attempt converting the type of the data to be transformed to match
548 # the type of the bound before comparing.
549 # See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more.
550 &quot;buckets&quot;: [ # Set of buckets. Ranges must be non-overlapping.
551 { # Bucket is represented as a range, along with replacement values.
552 &quot;min&quot;: { # Set of primitive values supported by the system. # Lower bound of the range, inclusive. Type should be the same as max if
553 # used.
554 # Note that for the purposes of inspection or transformation, the number
555 # of bytes considered to comprise a &#x27;Value&#x27; is based on its representation
556 # as a UTF-8 encoded string. For example, if &#x27;integer_value&#x27; is set to
557 # 123456789, the number of bytes would be counted as 9, even though an
558 # int64 only holds up to 8 bytes of data.
559 &quot;booleanValue&quot;: True or False, # boolean
560 &quot;floatValue&quot;: 3.14, # float
561 &quot;dayOfWeekValue&quot;: &quot;A String&quot;, # day of week
562 &quot;timestampValue&quot;: &quot;A String&quot;, # timestamp
563 &quot;dateValue&quot;: { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date
564 # and time zone are either specified elsewhere or are not significant. The date
565 # is relative to the Proleptic Gregorian Calendar. This can represent:
566 #
567 # * A full date, with non-zero year, month and day values
568 # * A month and day value, with a zero year, e.g. an anniversary
569 # * A year on its own, with zero month and day values
570 # * A year and month value, with a zero day, e.g. a credit card expiration date
571 #
572 # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
573 &quot;year&quot;: 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
574 # a year.
575 &quot;month&quot;: 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
576 # month and day.
577 &quot;day&quot;: 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
578 # if specifying a year by itself or a year and month where the day is not
579 # significant.
580 },
581 &quot;stringValue&quot;: &quot;A String&quot;, # string
582 &quot;integerValue&quot;: &quot;A String&quot;, # integer
583 &quot;timeValue&quot;: { # Represents a time of day. The date and time zone are either not significant # time of day
584 # or are specified elsewhere. An API may choose to allow leap seconds. Related
585 # types are google.type.Date and `google.protobuf.Timestamp`.
586 &quot;seconds&quot;: 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
587 # allow the value 60 if it allows leap-seconds.
588 &quot;nanos&quot;: 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
589 &quot;hours&quot;: 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
590 # to allow the value &quot;24:00:00&quot; for scenarios like business closing time.
591 &quot;minutes&quot;: 42, # Minutes of hour of day. Must be from 0 to 59.
592 },
593 },
594 &quot;max&quot;: { # Set of primitive values supported by the system. # Upper bound of the range, exclusive; type must match min.
595 # Note that for the purposes of inspection or transformation, the number
596 # of bytes considered to comprise a &#x27;Value&#x27; is based on its representation
597 # as a UTF-8 encoded string. For example, if &#x27;integer_value&#x27; is set to
598 # 123456789, the number of bytes would be counted as 9, even though an
599 # int64 only holds up to 8 bytes of data.
600 &quot;booleanValue&quot;: True or False, # boolean
601 &quot;floatValue&quot;: 3.14, # float
602 &quot;dayOfWeekValue&quot;: &quot;A String&quot;, # day of week
603 &quot;timestampValue&quot;: &quot;A String&quot;, # timestamp
604 &quot;dateValue&quot;: { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date
605 # and time zone are either specified elsewhere or are not significant. The date
606 # is relative to the Proleptic Gregorian Calendar. This can represent:
607 #
608 # * A full date, with non-zero year, month and day values
609 # * A month and day value, with a zero year, e.g. an anniversary
610 # * A year on its own, with zero month and day values
611 # * A year and month value, with a zero day, e.g. a credit card expiration date
612 #
613 # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
614 &quot;year&quot;: 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
615 # a year.
616 &quot;month&quot;: 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
617 # month and day.
618 &quot;day&quot;: 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
619 # if specifying a year by itself or a year and month where the day is not
620 # significant.
621 },
622 &quot;stringValue&quot;: &quot;A String&quot;, # string
623 &quot;integerValue&quot;: &quot;A String&quot;, # integer
624 &quot;timeValue&quot;: { # Represents a time of day. The date and time zone are either not significant # time of day
625 # or are specified elsewhere. An API may choose to allow leap seconds. Related
626 # types are google.type.Date and `google.protobuf.Timestamp`.
627 &quot;seconds&quot;: 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
628 # allow the value 60 if it allows leap-seconds.
629 &quot;nanos&quot;: 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
630 &quot;hours&quot;: 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
631 # to allow the value &quot;24:00:00&quot; for scenarios like business closing time.
632 &quot;minutes&quot;: 42, # Minutes of hour of day. Must be from 0 to 59.
633 },
634 },
635 &quot;replacementValue&quot;: { # Set of primitive values supported by the system. # Replacement value for this bucket. If not provided
636 # the default behavior will be to hyphenate the min-max range.
637 # Note that for the purposes of inspection or transformation, the number
638 # of bytes considered to comprise a &#x27;Value&#x27; is based on its representation
639 # as a UTF-8 encoded string. For example, if &#x27;integer_value&#x27; is set to
640 # 123456789, the number of bytes would be counted as 9, even though an
641 # int64 only holds up to 8 bytes of data.
642 &quot;booleanValue&quot;: True or False, # boolean
643 &quot;floatValue&quot;: 3.14, # float
644 &quot;dayOfWeekValue&quot;: &quot;A String&quot;, # day of week
645 &quot;timestampValue&quot;: &quot;A String&quot;, # timestamp
646 &quot;dateValue&quot;: { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date
647 # and time zone are either specified elsewhere or are not significant. The date
648 # is relative to the Proleptic Gregorian Calendar. This can represent:
649 #
650 # * A full date, with non-zero year, month and day values
651 # * A month and day value, with a zero year, e.g. an anniversary
652 # * A year on its own, with zero month and day values
653 # * A year and month value, with a zero day, e.g. a credit card expiration date
654 #
655 # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
656 &quot;year&quot;: 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
657 # a year.
658 &quot;month&quot;: 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
659 # month and day.
660 &quot;day&quot;: 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
661 # if specifying a year by itself or a year and month where the day is not
662 # significant.
663 },
664 &quot;stringValue&quot;: &quot;A String&quot;, # string
665 &quot;integerValue&quot;: &quot;A String&quot;, # integer
666 &quot;timeValue&quot;: { # Represents a time of day. The date and time zone are either not significant # time of day
667 # or are specified elsewhere. An API may choose to allow leap seconds. Related
668 # types are google.type.Date and `google.protobuf.Timestamp`.
669 &quot;seconds&quot;: 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
670 # allow the value 60 if it allows leap-seconds.
671 &quot;nanos&quot;: 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
672 &quot;hours&quot;: 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
673 # to allow the value &quot;24:00:00&quot; for scenarios like business closing time.
674 &quot;minutes&quot;: 42, # Minutes of hour of day. Must be from 0 to 59.
675 },
676 },
677 },
678 ],
679 },
680 &quot;replaceConfig&quot;: { # Replace each input value with a given `Value`. # Replace
681 &quot;newValue&quot;: { # Set of primitive values supported by the system. # Value to replace it with.
682 # Note that for the purposes of inspection or transformation, the number
683 # of bytes considered to comprise a &#x27;Value&#x27; is based on its representation
684 # as a UTF-8 encoded string. For example, if &#x27;integer_value&#x27; is set to
685 # 123456789, the number of bytes would be counted as 9, even though an
686 # int64 only holds up to 8 bytes of data.
687 &quot;booleanValue&quot;: True or False, # boolean
688 &quot;floatValue&quot;: 3.14, # float
689 &quot;dayOfWeekValue&quot;: &quot;A String&quot;, # day of week
690 &quot;timestampValue&quot;: &quot;A String&quot;, # timestamp
691 &quot;dateValue&quot;: { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date
692 # and time zone are either specified elsewhere or are not significant. The date
693 # is relative to the Proleptic Gregorian Calendar. This can represent:
694 #
695 # * A full date, with non-zero year, month and day values
696 # * A month and day value, with a zero year, e.g. an anniversary
697 # * A year on its own, with zero month and day values
698 # * A year and month value, with a zero day, e.g. a credit card expiration date
699 #
700 # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
701 &quot;year&quot;: 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
702 # a year.
703 &quot;month&quot;: 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
704 # month and day.
705 &quot;day&quot;: 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
706 # if specifying a year by itself or a year and month where the day is not
707 # significant.
708 },
709 &quot;stringValue&quot;: &quot;A String&quot;, # string
710 &quot;integerValue&quot;: &quot;A String&quot;, # integer
711 &quot;timeValue&quot;: { # Represents a time of day. The date and time zone are either not significant # time of day
712 # or are specified elsewhere. An API may choose to allow leap seconds. Related
713 # types are google.type.Date and `google.protobuf.Timestamp`.
714 &quot;seconds&quot;: 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
715 # allow the value 60 if it allows leap-seconds.
716 &quot;nanos&quot;: 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
717 &quot;hours&quot;: 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
718 # to allow the value &quot;24:00:00&quot; for scenarios like business closing time.
719 &quot;minutes&quot;: 42, # Minutes of hour of day. Must be from 0 to 59.
720 },
721 },
722 },
723 &quot;characterMaskConfig&quot;: { # Partially mask a string by replacing a given number of characters with a # Mask
724 # fixed character. Masking can start from the beginning or end of the string.
725 # This can be used on data of any type (numbers, longs, and so on) and when
726 # de-identifying structured data we&#x27;ll attempt to preserve the original data&#x27;s
727 # type. (This allows you to take a long like 123 and modify it to a string like
728 # **3.)
729 &quot;reverseOrder&quot;: True or False, # Mask characters in reverse order. For example, if `masking_character` is
730 # `0`, `number_to_mask` is `14`, and `reverse_order` is `false`, then the
731 # input string `1234-5678-9012-3456` is masked as `00000000000000-3456`.
732 # If `masking_character` is `*`, `number_to_mask` is `3`, and `reverse_order`
733 # is `true`, then the string `12345` is masked as `12***`.
734 &quot;charactersToIgnore&quot;: [ # When masking a string, items in this list will be skipped when replacing
735 # characters. For example, if the input string is `555-555-5555` and you
736 # instruct Cloud DLP to skip `-` and mask 5 characters with `*`, Cloud DLP
737 # returns `***-**5-5555`.
738 { # Characters to skip when doing deidentification of a value. These will be left
739 # alone and skipped.
740 &quot;charactersToSkip&quot;: &quot;A String&quot;, # Characters to not transform when masking.
741 &quot;commonCharactersToIgnore&quot;: &quot;A String&quot;, # Common characters to not transform when masking. Useful to avoid removing
742 # punctuation.
743 },
744 ],
745 &quot;numberToMask&quot;: 42, # Number of characters to mask. If not set, all matching chars will be
746 # masked. Skipped characters do not count towards this tally.
747 &quot;maskingCharacter&quot;: &quot;A String&quot;, # Character to use to mask the sensitive values—for example, `*` for an
748 # alphabetic string such as a name, or `0` for a numeric string such as ZIP
749 # code or credit card number. This string must have a length of 1. If not
750 # supplied, this value defaults to `*` for strings, and `0` for digits.
751 },
752 &quot;fixedSizeBucketingConfig&quot;: { # Buckets values based on fixed size ranges. The # Fixed size bucketing
753 # Bucketing transformation can provide all of this functionality,
754 # but requires more configuration. This message is provided as a convenience to
755 # the user for simple bucketing strategies.
756 #
757 # The transformed value will be a hyphenated string of
758 # {lower_bound}-{upper_bound}; for example, if lower_bound = 10 and upper_bound = 20
759 # all values that are within this bucket will be replaced with &quot;10-20&quot;.
760 #
761 # This can be used on data of type: double, long.
762 #
763 # If the bound Value type differs from the type of data
764 # being transformed, we will first attempt converting the type of the data to
765 # be transformed to match the type of the bound before comparing.
766 #
767 # See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more.
768 &quot;lowerBound&quot;: { # Set of primitive values supported by the system. # Required. Lower bound value of buckets. All values less than `lower_bound` are
769 # grouped together into a single bucket; for example if `lower_bound` = 10,
770 # then all values less than 10 are replaced with the value &quot;-10&quot;.
771 # Note that for the purposes of inspection or transformation, the number
772 # of bytes considered to comprise a &#x27;Value&#x27; is based on its representation
773 # as a UTF-8 encoded string. For example, if &#x27;integer_value&#x27; is set to
774 # 123456789, the number of bytes would be counted as 9, even though an
775 # int64 only holds up to 8 bytes of data.
776 &quot;booleanValue&quot;: True or False, # boolean
777 &quot;floatValue&quot;: 3.14, # float
778 &quot;dayOfWeekValue&quot;: &quot;A String&quot;, # day of week
779 &quot;timestampValue&quot;: &quot;A String&quot;, # timestamp
780 &quot;dateValue&quot;: { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date
781 # and time zone are either specified elsewhere or are not significant. The date
782 # is relative to the Proleptic Gregorian Calendar. This can represent:
783 #
784 # * A full date, with non-zero year, month and day values
785 # * A month and day value, with a zero year, e.g. an anniversary
786 # * A year on its own, with zero month and day values
787 # * A year and month value, with a zero day, e.g. a credit card expiration date
788 #
789 # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
790 &quot;year&quot;: 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
791 # a year.
792 &quot;month&quot;: 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
793 # month and day.
794 &quot;day&quot;: 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
795 # if specifying a year by itself or a year and month where the day is not
796 # significant.
797 },
798 &quot;stringValue&quot;: &quot;A String&quot;, # string
799 &quot;integerValue&quot;: &quot;A String&quot;, # integer
800 &quot;timeValue&quot;: { # Represents a time of day. The date and time zone are either not significant # time of day
801 # or are specified elsewhere. An API may choose to allow leap seconds. Related
802 # types are google.type.Date and `google.protobuf.Timestamp`.
803 &quot;seconds&quot;: 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
804 # allow the value 60 if it allows leap-seconds.
805 &quot;nanos&quot;: 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
806 &quot;hours&quot;: 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
807 # to allow the value &quot;24:00:00&quot; for scenarios like business closing time.
808 &quot;minutes&quot;: 42, # Minutes of hour of day. Must be from 0 to 59.
809 },
810 },
811 &quot;upperBound&quot;: { # Set of primitive values supported by the system. # Required. Upper bound value of buckets. All values greater than upper_bound are
812 # grouped together into a single bucket; for example if `upper_bound` = 89,
813 # then all values greater than 89 are replaced with the value &quot;89+&quot;.
814 # Note that for the purposes of inspection or transformation, the number
815 # of bytes considered to comprise a &#x27;Value&#x27; is based on its representation
816 # as a UTF-8 encoded string. For example, if &#x27;integer_value&#x27; is set to
817 # 123456789, the number of bytes would be counted as 9, even though an
818 # int64 only holds up to 8 bytes of data.
819 &quot;booleanValue&quot;: True or False, # boolean
820 &quot;floatValue&quot;: 3.14, # float
821 &quot;dayOfWeekValue&quot;: &quot;A String&quot;, # day of week
822 &quot;timestampValue&quot;: &quot;A String&quot;, # timestamp
823 &quot;dateValue&quot;: { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date
824 # and time zone are either specified elsewhere or are not significant. The date
825 # is relative to the Proleptic Gregorian Calendar. This can represent:
826 #
827 # * A full date, with non-zero year, month and day values
828 # * A month and day value, with a zero year, e.g. an anniversary
829 # * A year on its own, with zero month and day values
830 # * A year and month value, with a zero day, e.g. a credit card expiration date
831 #
832 # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
833 &quot;year&quot;: 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
834 # a year.
835 &quot;month&quot;: 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
836 # month and day.
837 &quot;day&quot;: 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
838 # if specifying a year by itself or a year and month where the day is not
839 # significant.
840 },
841 &quot;stringValue&quot;: &quot;A String&quot;, # string
842 &quot;integerValue&quot;: &quot;A String&quot;, # integer
843 &quot;timeValue&quot;: { # Represents a time of day. The date and time zone are either not significant # time of day
844 # or are specified elsewhere. An API may choose to allow leap seconds. Related
845 # types are google.type.Date and `google.protobuf.Timestamp`.
846 &quot;seconds&quot;: 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
847 # allow the value 60 if it allows leap-seconds.
848 &quot;nanos&quot;: 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
849 &quot;hours&quot;: 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
850 # to allow the value &quot;24:00:00&quot; for scenarios like business closing time.
851 &quot;minutes&quot;: 42, # Minutes of hour of day. Must be from 0 to 59.
852 },
853 },
854 &quot;bucketSize&quot;: 3.14, # Required. Size of each bucket (except for minimum and maximum buckets). So if
855 # `lower_bound` = 10, `upper_bound` = 89, and `bucket_size` = 10, then the
856 # following buckets would be used: -10, 10-20, 20-30, 30-40, 40-50, 50-60,
857 # 60-70, 70-80, 80-89, 89+. Precision up to 2 decimals works.
858 },
859 },
860 },
861 ],
862 },
863 &quot;primitiveTransformation&quot;: { # A rule for transforming a value. # Apply the transformation to the entire field.
864 &quot;timePartConfig&quot;: { # For use with `Date`, `Timestamp`, and `TimeOfDay`, extract or preserve a # Time extraction
865 # portion of the value.
866 &quot;partToExtract&quot;: &quot;A String&quot;, # The part of the time to keep.
867 },
868 &quot;dateShiftConfig&quot;: { # Shifts dates by a random number of days, with the option to be consistent for the # Date Shift
869 # same context. See https://cloud.google.com/dlp/docs/concepts-date-shifting
870 # to learn more.
871 &quot;context&quot;: { # General identifier of a data field in a storage service. # Points to the field that contains the context, for example, an entity id.
872 # If set, must also set cryptoKey. If set, shift will be consistent for the
873 # given context.
874 &quot;name&quot;: &quot;A String&quot;, # Name describing the field.
875 },
876 &quot;upperBoundDays&quot;: 42, # Required. Range of shift in days. Actual shift will be selected at random within this
877 # range (inclusive ends). Negative means shift to earlier in time. Must not
878 # be more than 365250 days (1000 years) each direction.
879 #
880 # For example, 3 means shift date to at most 3 days into the future.
881 &quot;lowerBoundDays&quot;: 42, # Required. For example, -5 means shift date to at most 5 days back in the past.
882 &quot;cryptoKey&quot;: { # This is a data encryption key (DEK) (as opposed to # Causes the shift to be computed based on this key and the context. This
883 # results in the same shift for the same context and crypto_key. If
884 # set, must also set context. Can only be applied to table items.
885 # a key encryption key (KEK) stored by KMS).
886 # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
887 # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
888 # unwrap the data crypto key.
889 &quot;kmsWrapped&quot;: { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key
890 # The wrapped key must be a 128/192/256 bit key.
891 # Authorization requires the following IAM permissions when sending a request
892 # to perform a crypto transformation using a kms-wrapped crypto key:
893 # dlp.kms.encrypt
894 &quot;wrappedKey&quot;: &quot;A String&quot;, # Required. The wrapped data crypto key.
895 &quot;cryptoKeyName&quot;: &quot;A String&quot;, # Required. The resource name of the KMS CryptoKey to use for unwrapping.
896 },
897 &quot;unwrapped&quot;: { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key
898 # leaking the key. Choose another type of key if possible.
899 &quot;key&quot;: &quot;A String&quot;, # Required. A 128/192/256 bit key.
900 },
901 &quot;transient&quot;: { # Use this to have a random data crypto key generated. # Transient crypto key
902 # It will be discarded after the request finishes.
903 &quot;name&quot;: &quot;A String&quot;, # Required. Name of the key.
904 # This is an arbitrary string used to differentiate different keys.
905 # A unique key is generated per name: two separate `TransientCryptoKey`
906 # protos share the same generated key if their names are the same.
907 # When the data crypto key is generated, this name is not used in any way
908 # (repeating the api call will result in a different key being generated).
909 },
910 },
911 },
912 &quot;replaceWithInfoTypeConfig&quot;: { # Replace each matching finding with the name of the info_type. # Replace with infotype
913 },
914 &quot;cryptoHashConfig&quot;: { # Pseudonymization method that generates surrogates via cryptographic hashing. # Crypto
915 # Uses SHA-256.
916 # The key size must be either 32 or 64 bytes.
917 # Outputs a base64 encoded representation of the hashed output
918 # (for example, L7k0BHmF1ha5U3NfGykjro4xWi1MPVQPjhMAZbSV9mM=).
919 # Currently, only string and integer values can be hashed.
920 # See https://cloud.google.com/dlp/docs/pseudonymization to learn more.
921 &quot;cryptoKey&quot;: { # This is a data encryption key (DEK) (as opposed to # The key used by the hash function.
922 # a key encryption key (KEK) stored by KMS).
923 # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
924 # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
925 # unwrap the data crypto key.
926 &quot;kmsWrapped&quot;: { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key
927 # The wrapped key must be a 128/192/256 bit key.
928 # Authorization requires the following IAM permissions when sending a request
929 # to perform a crypto transformation using a kms-wrapped crypto key:
930 # dlp.kms.encrypt
931 &quot;wrappedKey&quot;: &quot;A String&quot;, # Required. The wrapped data crypto key.
932 &quot;cryptoKeyName&quot;: &quot;A String&quot;, # Required. The resource name of the KMS CryptoKey to use for unwrapping.
933 },
934 &quot;unwrapped&quot;: { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key
935 # leaking the key. Choose another type of key if possible.
936 &quot;key&quot;: &quot;A String&quot;, # Required. A 128/192/256 bit key.
937 },
938 &quot;transient&quot;: { # Use this to have a random data crypto key generated. # Transient crypto key
939 # It will be discarded after the request finishes.
940 &quot;name&quot;: &quot;A String&quot;, # Required. Name of the key.
941 # This is an arbitrary string used to differentiate different keys.
942 # A unique key is generated per name: two separate `TransientCryptoKey`
943 # protos share the same generated key if their names are the same.
944 # When the data crypto key is generated, this name is not used in any way
945 # (repeating the api call will result in a different key being generated).
946 },
947 },
948 },
949 &quot;cryptoReplaceFfxFpeConfig&quot;: { # Replaces an identifier with a surrogate using Format Preserving Encryption # Ffx-Fpe
950 # (FPE) with the FFX mode of operation; however when used in the
951 # `ReidentifyContent` API method, it serves the opposite function by reversing
952 # the surrogate back into the original identifier. The identifier must be
953 # encoded as ASCII. For a given crypto key and context, the same identifier
954 # will be replaced with the same surrogate. Identifiers must be at least two
955 # characters long. In the case that the identifier is the empty string, it will
956 # be skipped. See https://cloud.google.com/dlp/docs/pseudonymization to learn
957 # more.
958 #
959 # Note: We recommend using CryptoDeterministicConfig for all use cases which
960 # do not require preserving the input alphabet space and size, plus warrant
961 # referential integrity.
962 &quot;customAlphabet&quot;: &quot;A String&quot;, # A custom alphabet is supported by mapping its characters to the alphanumeric characters
963 # that the FFX mode natively supports. This happens before/after
964 # encryption/decryption.
965 # Each character listed must appear only once.
966 # Number of characters must be in the range [2, 95].
967 # This must be encoded as ASCII.
968 # The order of characters does not matter.
969 &quot;commonAlphabet&quot;: &quot;A String&quot;, # Common alphabets.
970 &quot;surrogateInfoType&quot;: { # Type of information detected by the API. # The custom infoType to annotate the surrogate with.
971 # This annotation will be applied to the surrogate by prefixing it with
972 # the name of the custom infoType followed by the number of
973 # characters comprising the surrogate. The following scheme defines the
974 # format: info_type_name(surrogate_character_count):surrogate
975 #
976 # For example, if the name of custom infoType is &#x27;MY_TOKEN_INFO_TYPE&#x27; and
977 # the surrogate is &#x27;abc&#x27;, the full replacement value
978 # will be: &#x27;MY_TOKEN_INFO_TYPE(3):abc&#x27;
979 #
980 # This annotation identifies the surrogate when inspecting content using the
981 # custom infoType
982 # [`SurrogateType`](/dlp/docs/reference/rest/v2/InspectConfig#surrogatetype).
983 # This facilitates reversal of the surrogate when it occurs in free text.
984 #
985 # In order for inspection to work properly, the name of this infoType must
986 # not occur naturally anywhere in your data; otherwise, inspection may
987 # find a surrogate that does not correspond to an actual identifier.
988 # Therefore, choose your custom infoType name carefully after considering
989 # what your data looks like. One way to select a name that has a high chance
990 # of yielding reliable detection is to include one or more unicode characters
991 # that are highly improbable to exist in your data.
992 # For example, assuming your data is entered from a regular ASCII keyboard,
993 # the symbol with the hex code point 29DD might be used like so:
994 # ⧝MY_TOKEN_TYPE
995 &quot;name&quot;: &quot;A String&quot;, # Name of the information type. Either a name of your choosing when
996 # creating a CustomInfoType, or one of the names listed
997 # at https://cloud.google.com/dlp/docs/infotypes-reference when specifying
998 # a built-in type. InfoType names should conform to the pattern
999 # `[a-zA-Z0-9_]{1,64}`.
1000 },
1001 &quot;context&quot;: { # General identifier of a data field in a storage service. # The &#x27;tweak&#x27;. A context may be used for higher security, since the same
1002 # identifier in two different contexts won&#x27;t be given the same surrogate. If
1003 # the context is not set, a default tweak will be used.
1004 #
1005 # If the context is set but:
1006 #
1007 # 1. there is no record present when transforming a given value or
1008 # 2. the field is not present when transforming a given value,
1009 #
1010 # a default tweak will be used.
1011 #
1012 # Note that case (1) is expected when an `InfoTypeTransformation` is
1013 # applied to both structured and non-structured `ContentItem`s.
1014 # Currently, the referenced field may be of value type integer or string.
1015 #
1016 # The tweak is constructed as a sequence of bytes in big endian byte order
1017 # such that:
1018 #
1019 # - a 64 bit integer is encoded followed by a single byte of value 1
1020 # - a string is encoded in UTF-8 format followed by a single byte of value 2
1021 &quot;name&quot;: &quot;A String&quot;, # Name describing the field.
1022 },
1023 &quot;radix&quot;: 42, # The native way to select the alphabet. Must be in the range [2, 95].
1024 &quot;cryptoKey&quot;: { # This is a data encryption key (DEK) (as opposed to # Required. The key used by the encryption algorithm.
1025 # a key encryption key (KEK) stored by KMS).
1026 # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
1027 # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
1028 # unwrap the data crypto key.
1029 &quot;kmsWrapped&quot;: { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key
1030 # The wrapped key must be a 128/192/256 bit key.
1031 # Authorization requires the following IAM permissions when sending a request
1032 # to perform a crypto transformation using a kms-wrapped crypto key:
1033 # dlp.kms.encrypt
1034 &quot;wrappedKey&quot;: &quot;A String&quot;, # Required. The wrapped data crypto key.
1035 &quot;cryptoKeyName&quot;: &quot;A String&quot;, # Required. The resource name of the KMS CryptoKey to use for unwrapping.
1036 },
1037 &quot;unwrapped&quot;: { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key
1038 # leaking the key. Choose another type of key if possible.
1039 &quot;key&quot;: &quot;A String&quot;, # Required. A 128/192/256 bit key.
1040 },
1041 &quot;transient&quot;: { # Use this to have a random data crypto key generated. # Transient crypto key
1042 # It will be discarded after the request finishes.
1043 &quot;name&quot;: &quot;A String&quot;, # Required. Name of the key.
1044 # This is an arbitrary string used to differentiate different keys.
1045 # A unique key is generated per name: two separate `TransientCryptoKey`
1046 # protos share the same generated key if their names are the same.
1047 # When the data crypto key is generated, this name is not used in any way
1048 # (repeating the API call generates a different key, even for the same name).
1049 },
1050 },
1051 },
1052 &quot;cryptoDeterministicConfig&quot;: { # Pseudonymization method that generates deterministic encryption for the given # Deterministic Crypto
1053 # input. Outputs a base64 encoded representation of the encrypted output.
1054 # Uses AES-SIV based on the RFC https://tools.ietf.org/html/rfc5297.
1055 &quot;surrogateInfoType&quot;: { # Type of information detected by the API. # The custom info type to annotate the surrogate with.
1056 # This annotation will be applied to the surrogate by prefixing it with
1057 # the name of the custom info type followed by the number of
1058 # characters comprising the surrogate. The following scheme defines the
1059 # format: {info type name}({surrogate character count}):{surrogate}
1060 #
1061 # For example, if the name of custom info type is &#x27;MY_TOKEN_INFO_TYPE&#x27; and
1062 # the surrogate is &#x27;abc&#x27;, the full replacement value
1063 # will be: &#x27;MY_TOKEN_INFO_TYPE(3):abc&#x27;
1064 #
1065 # This annotation identifies the surrogate when inspecting content using the
1066 # custom info type &#x27;Surrogate&#x27;. This facilitates reversal of the
1067 # surrogate when it occurs in free text.
1068 #
1069 # Note: For record transformations where the entire cell in a table is being
1070 # transformed, surrogates are not mandatory. Surrogates are used to denote
1071 # the location of the token and are necessary for re-identification in free
1072 # form text.
1073 #
1074 # In order for inspection to work properly, the name of this info type must
1075 # not occur naturally anywhere in your data; otherwise, inspection may either
1076 #
1077 # - reverse a surrogate that does not correspond to an actual identifier
1078 # - be unable to parse the surrogate and result in an error
1079 #
1080 # Therefore, choose your custom info type name carefully after considering
1081 # what your data looks like. One way to select a name that has a high chance
1082 # of yielding reliable detection is to include one or more unicode characters
1083 # that are highly improbable to exist in your data.
1084 # For example, assuming your data is entered from a regular ASCII keyboard,
1085 # the symbol with the hex code point 29DD might be used like so:
1086 # ⧝MY_TOKEN_TYPE.
1087 &quot;name&quot;: &quot;A String&quot;, # Name of the information type. Either a name of your choosing when
1088 # creating a CustomInfoType, or one of the names listed
1089 # at https://cloud.google.com/dlp/docs/infotypes-reference when specifying
1090 # a built-in type. InfoType names should conform to the pattern
1091 # `[a-zA-Z0-9_]{1,64}`.
1092 },
1093 &quot;context&quot;: { # General identifier of a data field in a storage service. # A context may be used for higher security and maintaining
1094 # referential integrity such that the same identifier in two different
1095 # contexts will be given a distinct surrogate. The context is appended to
1096 # the plaintext value being encrypted. On decryption the provided context is
1097 # validated against the value used during encryption. If a context was
1098 # provided during encryption, the same context must be provided during decryption
1099 # as well.
1100 #
1101 # If the context is not set, the plaintext is used as is for encryption.
1102 # If the context is set but:
1103 #
1104 # 1. there is no record present when transforming a given value or
1105 # 2. the field is not present when transforming a given value,
1106 #
1107 # the plaintext is likewise used as is, so that surrogate is not bound to any context.
1108 #
1109 # Note that case (1) is expected when an `InfoTypeTransformation` is
1110 # applied to both structured and non-structured `ContentItem`s.
1111 &quot;name&quot;: &quot;A String&quot;, # Name describing the field.
1112 },
1113 &quot;cryptoKey&quot;: { # This is a data encryption key (DEK) (as opposed to # The key used by the encryption function.
1114 # a key encryption key (KEK) stored by KMS).
1115 # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
1116 # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
1117 # unwrap the data crypto key.
1118 &quot;kmsWrapped&quot;: { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key
1119 # The wrapped key must be a 128/192/256 bit key.
1120 # Authorization requires the following IAM permissions when sending a request
1121 # to perform a crypto transformation using a kms-wrapped crypto key:
1122 # dlp.kms.encrypt
1123 &quot;wrappedKey&quot;: &quot;A String&quot;, # Required. The wrapped data crypto key.
1124 &quot;cryptoKeyName&quot;: &quot;A String&quot;, # Required. The resource name of the KMS CryptoKey to use for unwrapping.
1125 },
1126 &quot;unwrapped&quot;: { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key
1127 # leaking the key, which is carried unwrapped in the `key` field. Choose another type of key (`kmsWrapped` or `transient`) if possible.
1128 &quot;key&quot;: &quot;A String&quot;, # Required. A 128/192/256 bit key.
1129 },
1130 &quot;transient&quot;: { # Use this to have a random data crypto key generated. # Transient crypto key
1131 # It will be discarded after the request finishes.
1132 &quot;name&quot;: &quot;A String&quot;, # Required. Name of the key.
1133 # This is an arbitrary string used to differentiate different keys.
1134 # A unique key is generated per name: two separate `TransientCryptoKey`
1135 # protos share the same generated key if their names are the same.
1136 # When the data crypto key is generated, this name is not used in any way
1137 # (repeating the API call generates a different key, even for the same name).
1138 },
1139 },
1140 },
1141 &quot;redactConfig&quot;: { # Redact a given value. For example, if used with an `InfoTypeTransformation` # Redact
1142 # transforming PHONE_NUMBER, and input &#x27;My phone number is 206-555-0123&#x27;, the
1143 # output would be &#x27;My phone number is &#x27;.
1144 },
1145 &quot;bucketingConfig&quot;: { # Generalization function that buckets values based on ranges. The ranges and # Bucketing
1146 # replacement values are dynamically provided by the user for custom behavior,
1147 # such as 1-30 -&gt; LOW, 31-65 -&gt; MEDIUM, 66-100 -&gt; HIGH.
1148 # This can be used on
1149 # data of type: number, long, string, timestamp.
1150 # If the bound `Value` type differs from the type of data being transformed, we
1151 # will first attempt converting the type of the data to be transformed to match
1152 # the type of the bound before comparing.
1153 # See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more.
1154 &quot;buckets&quot;: [ # Set of buckets. Ranges must be non-overlapping.
1155 { # Bucket is represented as a range, along with replacement values.
1156 &quot;min&quot;: { # Set of primitive values supported by the system. # Lower bound of the range, inclusive. Type should be the same as max if
1157 # used.
1158 # Note that for the purposes of inspection or transformation, the number
1159 # of bytes considered to comprise a &#x27;Value&#x27; is based on its representation
1160 # as a UTF-8 encoded string. For example, if &#x27;integer_value&#x27; is set to
1161 # 123456789, the number of bytes would be counted as 9, even though an
1162 # int64 only holds up to 8 bytes of data.
1163 &quot;booleanValue&quot;: True or False, # boolean
1164 &quot;floatValue&quot;: 3.14, # float
1165 &quot;dayOfWeekValue&quot;: &quot;A String&quot;, # day of week
1166 &quot;timestampValue&quot;: &quot;A String&quot;, # timestamp
1167 &quot;dateValue&quot;: { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date
1168 # and time zone are either specified elsewhere or are not significant. The date
1169 # is relative to the Proleptic Gregorian Calendar. This can represent:
1170 #
1171 # * A full date, with non-zero year, month and day values
1172 # * A month and day value, with a zero year, e.g. an anniversary
1173 # * A year on its own, with zero month and day values
1174 # * A year and month value, with a zero day, e.g. a credit card expiration date
1175 #
1176 # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
1177 &quot;year&quot;: 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
1178 # a year.
1179 &quot;month&quot;: 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
1180 # month and day.
1181 &quot;day&quot;: 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
1182 # if specifying a year by itself or a year and month where the day is not
1183 # significant.
1184 },
1185 &quot;stringValue&quot;: &quot;A String&quot;, # string
1186 &quot;integerValue&quot;: &quot;A String&quot;, # integer
1187 &quot;timeValue&quot;: { # Represents a time of day. The date and time zone are either not significant # time of day
1188 # or are specified elsewhere. An API may choose to allow leap seconds. Related
1189 # types are google.type.Date and `google.protobuf.Timestamp`.
1190 &quot;seconds&quot;: 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
1191 # allow the value 60 if it allows leap-seconds.
1192 &quot;nanos&quot;: 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
1193 &quot;hours&quot;: 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
1194 # to allow the value &quot;24:00:00&quot; for scenarios like business closing time.
1195 &quot;minutes&quot;: 42, # Minutes of hour of day. Must be from 0 to 59.
1196 },
1197 },
1198 &quot;max&quot;: { # Set of primitive values supported by the system. # Upper bound of the range, exclusive; type must match min.
1199 # Note that for the purposes of inspection or transformation, the number
1200 # of bytes considered to comprise a &#x27;Value&#x27; is based on its representation
1201 # as a UTF-8 encoded string. For example, if &#x27;integer_value&#x27; is set to
1202 # 123456789, the number of bytes would be counted as 9, even though an
1203 # int64 only holds up to 8 bytes of data.
1204 &quot;booleanValue&quot;: True or False, # boolean
1205 &quot;floatValue&quot;: 3.14, # float
1206 &quot;dayOfWeekValue&quot;: &quot;A String&quot;, # day of week
1207 &quot;timestampValue&quot;: &quot;A String&quot;, # timestamp
1208 &quot;dateValue&quot;: { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date
1209 # and time zone are either specified elsewhere or are not significant. The date
1210 # is relative to the Proleptic Gregorian Calendar. This can represent:
1211 #
1212 # * A full date, with non-zero year, month and day values
1213 # * A month and day value, with a zero year, e.g. an anniversary
1214 # * A year on its own, with zero month and day values
1215 # * A year and month value, with a zero day, e.g. a credit card expiration date
1216 #
1217 # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
1218 &quot;year&quot;: 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
1219 # a year.
1220 &quot;month&quot;: 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
1221 # month and day.
1222 &quot;day&quot;: 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
1223 # if specifying a year by itself or a year and month where the day is not
1224 # significant.
1225 },
1226 &quot;stringValue&quot;: &quot;A String&quot;, # string
1227 &quot;integerValue&quot;: &quot;A String&quot;, # integer
1228 &quot;timeValue&quot;: { # Represents a time of day. The date and time zone are either not significant # time of day
1229 # or are specified elsewhere. An API may choose to allow leap seconds. Related
1230 # types are google.type.Date and `google.protobuf.Timestamp`.
1231 &quot;seconds&quot;: 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
1232 # allow the value 60 if it allows leap-seconds.
1233 &quot;nanos&quot;: 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
1234 &quot;hours&quot;: 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
1235 # to allow the value &quot;24:00:00&quot; for scenarios like business closing time.
1236 &quot;minutes&quot;: 42, # Minutes of hour of day. Must be from 0 to 59.
1237 },
1238 },
1239 &quot;replacementValue&quot;: { # Set of primitive values supported by the system. # Replacement value for this bucket. If not provided
1240 # the default behavior will be to hyphenate the min-max range.
1241 # Note that for the purposes of inspection or transformation, the number
1242 # of bytes considered to comprise a &#x27;Value&#x27; is based on its representation
1243 # as a UTF-8 encoded string. For example, if &#x27;integer_value&#x27; is set to
1244 # 123456789, the number of bytes would be counted as 9, even though an
1245 # int64 only holds up to 8 bytes of data.
1246 &quot;booleanValue&quot;: True or False, # boolean
1247 &quot;floatValue&quot;: 3.14, # float
1248 &quot;dayOfWeekValue&quot;: &quot;A String&quot;, # day of week
1249 &quot;timestampValue&quot;: &quot;A String&quot;, # timestamp
1250 &quot;dateValue&quot;: { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date
1251 # and time zone are either specified elsewhere or are not significant. The date
1252 # is relative to the Proleptic Gregorian Calendar. This can represent:
1253 #
1254 # * A full date, with non-zero year, month and day values
1255 # * A month and day value, with a zero year, e.g. an anniversary
1256 # * A year on its own, with zero month and day values
1257 # * A year and month value, with a zero day, e.g. a credit card expiration date
1258 #
1259 # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
1260 &quot;year&quot;: 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
1261 # a year.
1262 &quot;month&quot;: 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
1263 # month and day.
1264 &quot;day&quot;: 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
1265 # if specifying a year by itself or a year and month where the day is not
1266 # significant.
1267 },
1268 &quot;stringValue&quot;: &quot;A String&quot;, # string
1269 &quot;integerValue&quot;: &quot;A String&quot;, # integer
1270 &quot;timeValue&quot;: { # Represents a time of day. The date and time zone are either not significant # time of day
1271 # or are specified elsewhere. An API may choose to allow leap seconds. Related
1272 # types are google.type.Date and `google.protobuf.Timestamp`.
1273 &quot;seconds&quot;: 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
1274 # allow the value 60 if it allows leap-seconds.
1275 &quot;nanos&quot;: 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
1276 &quot;hours&quot;: 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
1277 # to allow the value &quot;24:00:00&quot; for scenarios like business closing time.
1278 &quot;minutes&quot;: 42, # Minutes of hour of day. Must be from 0 to 59.
1279 },
1280 },
1281 },
1282 ],
1283 },
1284 &quot;replaceConfig&quot;: { # Replace each input value with a given `Value`. # Replace
1285 &quot;newValue&quot;: { # Set of primitive values supported by the system. # Value to replace it with.
1286 # Note that for the purposes of inspection or transformation, the number
1287 # of bytes considered to comprise a &#x27;Value&#x27; is based on its representation
1288 # as a UTF-8 encoded string. For example, if &#x27;integer_value&#x27; is set to
1289 # 123456789, the number of bytes would be counted as 9, even though an
1290 # int64 only holds up to 8 bytes of data.
1291 &quot;booleanValue&quot;: True or False, # boolean
1292 &quot;floatValue&quot;: 3.14, # float
1293 &quot;dayOfWeekValue&quot;: &quot;A String&quot;, # day of week
1294 &quot;timestampValue&quot;: &quot;A String&quot;, # timestamp
1295 &quot;dateValue&quot;: { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date
1296 # and time zone are either specified elsewhere or are not significant. The date
1297 # is relative to the Proleptic Gregorian Calendar. This can represent:
1298 #
1299 # * A full date, with non-zero year, month and day values
1300 # * A month and day value, with a zero year, e.g. an anniversary
1301 # * A year on its own, with zero month and day values
1302 # * A year and month value, with a zero day, e.g. a credit card expiration date
1303 #
1304 # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
1305 &quot;year&quot;: 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
1306 # a year.
1307 &quot;month&quot;: 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
1308 # month and day.
1309 &quot;day&quot;: 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
1310 # if specifying a year by itself or a year and month where the day is not
1311 # significant.
1312 },
1313 &quot;stringValue&quot;: &quot;A String&quot;, # string
1314 &quot;integerValue&quot;: &quot;A String&quot;, # integer
1315 &quot;timeValue&quot;: { # Represents a time of day. The date and time zone are either not significant # time of day
1316 # or are specified elsewhere. An API may choose to allow leap seconds. Related
1317 # types are google.type.Date and `google.protobuf.Timestamp`.
1318 &quot;seconds&quot;: 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
1319 # allow the value 60 if it allows leap-seconds.
1320 &quot;nanos&quot;: 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
1321 &quot;hours&quot;: 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
1322 # to allow the value &quot;24:00:00&quot; for scenarios like business closing time.
1323 &quot;minutes&quot;: 42, # Minutes of hour of day. Must be from 0 to 59.
1324 },
1325 },
1326 },
1327 &quot;characterMaskConfig&quot;: { # Partially mask a string by replacing a given number of characters with a # Mask
1328 # fixed character. Masking can start from the beginning or end of the string.
1329 # This can be used on data of any type (numbers, longs, and so on) and when
1330 # de-identifying structured data we&#x27;ll attempt to preserve the original data&#x27;s
1331 # type. (This allows you to take a long like 123 and modify it to a string like
1332 # **3.)
1333 &quot;reverseOrder&quot;: True or False, # Mask characters in reverse order. For example, if `masking_character` is
1334 # `0`, `number_to_mask` is `14`, and `reverse_order` is `false`, then the
1335 # input string `1234-5678-9012-3456` is masked as `00000000000000-3456`.
1336 # If `masking_character` is `*`, `number_to_mask` is `3`, and `reverse_order`
1337 # is `true`, then the string `12345` is masked as `12***`.
1338 &quot;charactersToIgnore&quot;: [ # When masking a string, items in this list will be skipped when replacing
1339 # characters. For example, if the input string is `555-555-5555` and you
1340 # instruct Cloud DLP to skip `-` and mask 5 characters with `*`, Cloud DLP
1341 # returns `***-**5-5555`.
1342 { # Characters to skip when doing deidentification of a value. These will be left
1343 # alone and skipped.
1344 &quot;charactersToSkip&quot;: &quot;A String&quot;, # Characters to not transform when masking.
1345 &quot;commonCharactersToIgnore&quot;: &quot;A String&quot;, # Common characters to not transform when masking. Useful to avoid removing
1346 # punctuation.
1347 },
1348 ],
1349 &quot;numberToMask&quot;: 42, # Number of characters to mask. If not set, all matching chars will be
1350 # masked. Skipped characters do not count towards this tally.
1351 &quot;maskingCharacter&quot;: &quot;A String&quot;, # Character to use to mask the sensitive values—for example, `*` for an
1352 # alphabetic string such as a name, or `0` for a numeric string such as ZIP
1353 # code or credit card number. This string must have a length of 1. If not
1354 # supplied, this value defaults to `*` for strings, and `0` for digits.
1355 },
1356 &quot;fixedSizeBucketingConfig&quot;: { # Buckets values based on fixed size ranges. The # Fixed size bucketing
1357 # Bucketing transformation can provide all of this functionality,
1358 # but requires more configuration. This message is provided as a convenience to
1359 # the user for simple bucketing strategies.
1360 #
1361 # The transformed value will be a hyphenated string of
1362 # {lower_bound}-{upper_bound}; for example, if lower_bound = 10 and upper_bound = 20,
1363 # all values that are within this bucket will be replaced with &quot;10-20&quot;.
1364 #
1365 # This can be used on data of type: double, long.
1366 #
1367 # If the bound Value type differs from the type of data
1368 # being transformed, we will first attempt converting the type of the data to
1369 # be transformed to match the type of the bound before comparing.
1370 #
1371 # See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more.
1372 &quot;lowerBound&quot;: { # Set of primitive values supported by the system. # Required. Lower bound value of buckets. All values less than `lower_bound` are
1373 # grouped together into a single bucket; for example if `lower_bound` = 10,
1374 # then all values less than 10 are replaced with the value &quot;-10&quot;.
1375 # Note that for the purposes of inspection or transformation, the number
1376 # of bytes considered to comprise a &#x27;Value&#x27; is based on its representation
1377 # as a UTF-8 encoded string. For example, if &#x27;integer_value&#x27; is set to
1378 # 123456789, the number of bytes would be counted as 9, even though an
1379 # int64 only holds up to 8 bytes of data.
1380 &quot;booleanValue&quot;: True or False, # boolean
1381 &quot;floatValue&quot;: 3.14, # float
1382 &quot;dayOfWeekValue&quot;: &quot;A String&quot;, # day of week
1383 &quot;timestampValue&quot;: &quot;A String&quot;, # timestamp
1384 &quot;dateValue&quot;: { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date
1385 # and time zone are either specified elsewhere or are not significant. The date
1386 # is relative to the Proleptic Gregorian Calendar. This can represent:
1387 #
1388 # * A full date, with non-zero year, month and day values
1389 # * A month and day value, with a zero year, e.g. an anniversary
1390 # * A year on its own, with zero month and day values
1391 # * A year and month value, with a zero day, e.g. a credit card expiration date
1392 #
1393 # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
1394 &quot;year&quot;: 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
1395 # a year.
1396 &quot;month&quot;: 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
1397 # month and day.
1398 &quot;day&quot;: 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
1399 # if specifying a year by itself or a year and month where the day is not
1400 # significant.
1401 },
1402 &quot;stringValue&quot;: &quot;A String&quot;, # string
1403 &quot;integerValue&quot;: &quot;A String&quot;, # integer
1404 &quot;timeValue&quot;: { # Represents a time of day. The date and time zone are either not significant # time of day
1405 # or are specified elsewhere. An API may choose to allow leap seconds. Related
1406 # types are google.type.Date and `google.protobuf.Timestamp`.
1407 &quot;seconds&quot;: 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
1408 # allow the value 60 if it allows leap-seconds.
1409 &quot;nanos&quot;: 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
1410 &quot;hours&quot;: 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
1411 # to allow the value &quot;24:00:00&quot; for scenarios like business closing time.
1412 &quot;minutes&quot;: 42, # Minutes of hour of day. Must be from 0 to 59.
1413 },
1414 },
1415 &quot;upperBound&quot;: { # Set of primitive values supported by the system. # Required. Upper bound value of buckets. All values greater than upper_bound are
1416 # grouped together into a single bucket; for example if `upper_bound` = 89,
1417 # then all values greater than 89 are replaced with the value &quot;89+&quot;.
1418 # Note that for the purposes of inspection or transformation, the number
1419 # of bytes considered to comprise a &#x27;Value&#x27; is based on its representation
1420 # as a UTF-8 encoded string. For example, if &#x27;integer_value&#x27; is set to
1421 # 123456789, the number of bytes would be counted as 9, even though an
1422 # int64 only holds up to 8 bytes of data.
1423 &quot;booleanValue&quot;: True or False, # boolean
1424 &quot;floatValue&quot;: 3.14, # float
1425 &quot;dayOfWeekValue&quot;: &quot;A String&quot;, # day of week
1426 &quot;timestampValue&quot;: &quot;A String&quot;, # timestamp
1427 &quot;dateValue&quot;: { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date
1428 # and time zone are either specified elsewhere or are not significant. The date
1429 # is relative to the Proleptic Gregorian Calendar. This can represent:
1430 #
1431 # * A full date, with non-zero year, month and day values
1432 # * A month and day value, with a zero year, e.g. an anniversary
1433 # * A year on its own, with zero month and day values
1434 # * A year and month value, with a zero day, e.g. a credit card expiration date
1435 #
1436 # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
1437 &quot;year&quot;: 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
1438 # a year.
1439 &quot;month&quot;: 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
1440 # month and day.
1441 &quot;day&quot;: 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
1442 # if specifying a year by itself or a year and month where the day is not
1443 # significant.
1444 },
1445 &quot;stringValue&quot;: &quot;A String&quot;, # string
1446 &quot;integerValue&quot;: &quot;A String&quot;, # integer
1447 &quot;timeValue&quot;: { # Represents a time of day. The date and time zone are either not significant # time of day
1448 # or are specified elsewhere. An API may choose to allow leap seconds. Related
1449 # types are google.type.Date and `google.protobuf.Timestamp`.
1450 &quot;seconds&quot;: 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
1451 # allow the value 60 if it allows leap-seconds.
1452 &quot;nanos&quot;: 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
1453 &quot;hours&quot;: 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
1454 # to allow the value &quot;24:00:00&quot; for scenarios like business closing time.
1455 &quot;minutes&quot;: 42, # Minutes of hour of day. Must be from 0 to 59.
1456 },
1457 },
1458 &quot;bucketSize&quot;: 3.14, # Required. Size of each bucket (except for minimum and maximum buckets). So if
1459 # `lower_bound` = 10, `upper_bound` = 89, and `bucket_size` = 10, then the
1460 # following buckets would be used: -10, 10-20, 20-30, 30-40, 40-50, 50-60,
1461 # 60-70, 70-80, 80-89, 89+. Precision up to 2 decimals works.
1462 },
1463 },
1464 &quot;condition&quot;: { # A condition for determining whether a transformation should be applied to # Only apply the transformation if the condition evaluates to true for the
1465 # given `RecordCondition`. The conditions are allowed to reference fields
1466 # that are not used in the actual transformation.
1467 #
1468 # Example Use Cases:
1469 #
1470 # - Apply a different bucket transformation to an age column if the zip code
1471 # column for the same record is within a specific range.
1472 # - Redact a field if the date of birth field is greater than 85.
1473 # a field.
1474 &quot;expressions&quot;: { # An expression, consisting of an operator and conditions. # An expression.
1475 &quot;logicalOperator&quot;: &quot;A String&quot;, # The operator to apply to the result of conditions. Default and currently
1476 # only supported value is `AND`.
1477 &quot;conditions&quot;: { # A collection of conditions. # Conditions to apply to the expression.
1478 &quot;conditions&quot;: [ # A collection of conditions.
1479 { # The field type of `value` and `field` do not need to match to be
1480 # considered equal, but not all comparisons are possible.
1481 # EQUAL_TO and NOT_EQUAL_TO attempt to compare even with incompatible types,
1482 # but all other comparisons are invalid with incompatible types.
1483 # A `value` of type:
1484 #
1485 # - `string` can be compared against all other types
1486 # - `boolean` can only be compared against other booleans
1487 # - `integer` can be compared against doubles or a string if the string value
1488 # can be parsed as an integer.
1489 # - `double` can be compared against integers or a string if the string can
1490 # be parsed as a double.
1491 # - `Timestamp` can be compared against strings in RFC 3339 date string
1492 # format.
1493 # - `TimeOfDay` can be compared against timestamps and strings in the format
1494 # of &#x27;HH:mm:ss&#x27;.
1495 #
1496 # If we fail to compare due to a type mismatch, a warning will be given and
1497 # the condition will evaluate to false.
1498 &quot;field&quot;: { # General identifier of a data field in a storage service. # Required. Field within the record this condition is evaluated against.
1499 &quot;name&quot;: &quot;A String&quot;, # Name describing the field.
1500 },
1501 &quot;operator&quot;: &quot;A String&quot;, # Required. Operator used to compare the field or infoType to the value.
1502 &quot;value&quot;: { # Set of primitive values supported by the system. # Value to compare against. [Mandatory, except for `EXISTS` tests.]
1503 # Note that for the purposes of inspection or transformation, the number
1504 # of bytes considered to comprise a &#x27;Value&#x27; is based on its representation
1505 # as a UTF-8 encoded string. For example, if &#x27;integer_value&#x27; is set to
1506 # 123456789, the number of bytes would be counted as 9, even though an
1507 # int64 only holds up to 8 bytes of data.
1508 &quot;booleanValue&quot;: True or False, # boolean
1509 &quot;floatValue&quot;: 3.14, # float
1510 &quot;dayOfWeekValue&quot;: &quot;A String&quot;, # day of week
1511 &quot;timestampValue&quot;: &quot;A String&quot;, # timestamp
1512 &quot;dateValue&quot;: { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date
1513 # and time zone are either specified elsewhere or are not significant. The date
1514 # is relative to the Proleptic Gregorian Calendar. This can represent:
1515 #
1516 # * A full date, with non-zero year, month and day values
1517 # * A month and day value, with a zero year, e.g. an anniversary
1518 # * A year on its own, with zero month and day values
1519 # * A year and month value, with a zero day, e.g. a credit card expiration date
1520 #
1521 # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
1522 &quot;year&quot;: 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
1523 # a year.
1524 &quot;month&quot;: 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
1525 # month and day.
1526 &quot;day&quot;: 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
1527 # if specifying a year by itself or a year and month where the day is not
1528 # significant.
1529 },
1530 &quot;stringValue&quot;: &quot;A String&quot;, # string
1531 &quot;integerValue&quot;: &quot;A String&quot;, # integer
1532 &quot;timeValue&quot;: { # Represents a time of day. The date and time zone are either not significant # time of day
1533 # or are specified elsewhere. An API may choose to allow leap seconds. Related
1534 # types are google.type.Date and `google.protobuf.Timestamp`.
1535 &quot;seconds&quot;: 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
1536 # allow the value 60 if it allows leap-seconds.
1537 &quot;nanos&quot;: 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
1538 &quot;hours&quot;: 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
1539 # to allow the value &quot;24:00:00&quot; for scenarios like business closing time.
1540 &quot;minutes&quot;: 42, # Minutes of hour of day. Must be from 0 to 59.
1541 },
1542 },
1543 },
1544 ],
1545 },
1546 },
1547 },
1548 },
1549 ],
1550 },
1551 &quot;infoTypeTransformations&quot;: { # Treat the dataset as free-form text and apply the same free text
1552 # transformation everywhere.
1553 # A type of transformation that will scan unstructured text and apply
1554 # various `PrimitiveTransformation`s to each finding, where the transformation
1555 # is applied to only values that were identified as a specific info_type.
1556 &quot;transformations&quot;: [ # Required. Transformation for each infoType. Cannot specify more than one
1557 # for a given infoType.
1558 { # A transformation to apply to text that is identified as a specific
1559 # info_type.
1560 &quot;infoTypes&quot;: [ # InfoTypes to apply the transformation to. An empty list will cause
1561 # this transformation to apply to all findings that correspond to
1562 # infoTypes that were requested in `InspectConfig`.
1563 { # Type of information detected by the API.
1564 &quot;name&quot;: &quot;A String&quot;, # Name of the information type. Either a name of your choosing when
1565 # creating a CustomInfoType, or one of the names listed
1566 # at https://cloud.google.com/dlp/docs/infotypes-reference when specifying
1567 # a built-in type. InfoType names should conform to the pattern
1568 # `[a-zA-Z0-9_]{1,64}`.
1569 },
1570 ],
1571 &quot;primitiveTransformation&quot;: { # A rule for transforming a value. # Required. Primitive transformation to apply to the infoType.
1572 &quot;timePartConfig&quot;: { # For use with `Date`, `Timestamp`, and `TimeOfDay`, extract or preserve a # Time extraction
1573 # portion of the value.
1574 &quot;partToExtract&quot;: &quot;A String&quot;, # The part of the time to keep.
1575 },
1576 &quot;dateShiftConfig&quot;: { # Shifts dates by random number of days, with option to be consistent for the # Date Shift
1577 # same context. See https://cloud.google.com/dlp/docs/concepts-date-shifting
1578 # to learn more.
1579 &quot;context&quot;: { # General identifier of a data field in a storage service. # Points to the field that contains the context, for example, an entity id.
1580 # If set, must also set cryptoKey. If set, shift will be consistent for the
1581 # given context.
1582 &quot;name&quot;: &quot;A String&quot;, # Name describing the field.
1583 },
1584 &quot;upperBoundDays&quot;: 42, # Required. Range of shift in days. Actual shift will be selected at random within this
1585 # range (inclusive ends). Negative means shift to earlier in time. Must not
1586 # be more than 365250 days (1000 years) each direction.
1587 #
1588 # For example, 3 means shift date to at most 3 days into the future.
1589 &quot;lowerBoundDays&quot;: 42, # Required. For example, -5 means shift date to at most 5 days back in the past.
1590 &quot;cryptoKey&quot;: { # Causes the shift to be computed based on this key and the context. This
1591 # results in the same shift for the same context and crypto_key. If
1592 # set, must also set context. Can only be applied to table items.
1593 # This is a data encryption key (DEK) (as opposed to a key encryption key (KEK) stored by KMS).
1594 # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
1595 # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
1596 # unwrap the data crypto key.
1597 &quot;kmsWrapped&quot;: { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key
1598 # The wrapped key must be a 128/192/256 bit key.
1599 # Authorization requires the following IAM permissions when sending a request
1600 # to perform a crypto transformation using a kms-wrapped crypto key:
1601 # dlp.kms.encrypt
1602 &quot;wrappedKey&quot;: &quot;A String&quot;, # Required. The wrapped data crypto key.
1603 &quot;cryptoKeyName&quot;: &quot;A String&quot;, # Required. The resource name of the KMS CryptoKey to use for unwrapping.
1604 },
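1605 &quot;unwrapped&quot;: { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key
1606 # leaking the key. Choose another type of key if possible. In a DeidentifyTemplate the raw key is saved with the rest of the configuration, so it is visible to anyone who can read the template.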
1607 &quot;key&quot;: &quot;A String&quot;, # Required. A 128/192/256 bit key.
1608 },
1609 &quot;transient&quot;: { # Use this to have a random data crypto key generated. # Transient crypto key
1610 # It will be discarded after the request finishes.
1611 &quot;name&quot;: &quot;A String&quot;, # Required. Name of the key.
1612 # This is an arbitrary string used to differentiate different keys.
1613 # A unique key is generated per name: two separate `TransientCryptoKey`
1614 # protos share the same generated key if their names are the same.
1615 # When the data crypto key is generated, this name is not used in any way
1616 # (repeating the api call will result in a different key being generated).
1617 },
1618 },
1619 },
1620 &quot;replaceWithInfoTypeConfig&quot;: { # Replace each matching finding with the name of the info_type. # Replace with infotype
1621 },
1622 &quot;cryptoHashConfig&quot;: { # Pseudonymization method that generates surrogates via cryptographic hashing. # Crypto
1623 # Uses SHA-256.
1624 # The key size must be either 32 or 64 bytes.
1625 # Outputs a base64 encoded representation of the hashed output
1626 # (for example, L7k0BHmF1ha5U3NfGykjro4xWi1MPVQPjhMAZbSV9mM=).
1627 # Currently, only string and integer values can be hashed.
1628 # See https://cloud.google.com/dlp/docs/pseudonymization to learn more.
1629 &quot;cryptoKey&quot;: { # This is a data encryption key (DEK) (as opposed to # The key used by the hash function.
1630 # a key encryption key (KEK) stored by KMS).
1631 # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
1632 # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
1633 # unwrap the data crypto key.
1634 &quot;kmsWrapped&quot;: { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key
1635 # The wrapped key must be a 128/192/256 bit key.
1636 # Authorization requires the following IAM permissions when sending a request
1637 # to perform a crypto transformation using a kms-wrapped crypto key:
1638 # dlp.kms.encrypt
1639 &quot;wrappedKey&quot;: &quot;A String&quot;, # Required. The wrapped data crypto key.
1640 &quot;cryptoKeyName&quot;: &quot;A String&quot;, # Required. The resource name of the KMS CryptoKey to use for unwrapping.
1641 },
1642 &quot;unwrapped&quot;: { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key
1643 # leaking the key. Choose another type of key if possible.
1644 &quot;key&quot;: &quot;A String&quot;, # Required. A 128/192/256 bit key.
1645 },
1646 &quot;transient&quot;: { # Use this to have a random data crypto key generated. # Transient crypto key
1647 # It will be discarded after the request finishes.
1648 &quot;name&quot;: &quot;A String&quot;, # Required. Name of the key.
1649 # This is an arbitrary string used to differentiate different keys.
1650 # A unique key is generated per name: two separate `TransientCryptoKey`
1651 # protos share the same generated key if their names are the same.
1652 # When the data crypto key is generated, this name is not used in any way
1653 # (repeating the api call will result in a different key being generated).
1654 },
1655 },
1656 },
1657 &quot;cryptoReplaceFfxFpeConfig&quot;: { # Replaces an identifier with a surrogate using Format Preserving Encryption # Ffx-Fpe
1658 # (FPE) with the FFX mode of operation; however when used in the
1659 # `ReidentifyContent` API method, it serves the opposite function by reversing
1660 # the surrogate back into the original identifier. The identifier must be
1661 # encoded as ASCII. For a given crypto key and context, the same identifier
1662 # will be replaced with the same surrogate. Identifiers must be at least two
1663 # characters long. In the case that the identifier is the empty string, it will
1664 # be skipped. See https://cloud.google.com/dlp/docs/pseudonymization to learn
1665 # more.
1666 #
1667 # Note: We recommend using CryptoDeterministicConfig for all use cases which
1668 # do not require preserving the input alphabet space and size, plus warrant
1669 # referential integrity.
1670 &quot;customAlphabet&quot;: &quot;A String&quot;, # This is supported by mapping these to the alphanumeric characters
1671 # that the FFX mode natively supports. This happens before/after
1672 # encryption/decryption.
1673 # Each character listed must appear only once.
1674 # Number of characters must be in the range [2, 95].
1675 # This must be encoded as ASCII.
1676 # The order of characters does not matter.
1677 &quot;commonAlphabet&quot;: &quot;A String&quot;, # Common alphabets.
1678 &quot;surrogateInfoType&quot;: { # Type of information detected by the API. # The custom infoType to annotate the surrogate with.
1679 # This annotation will be applied to the surrogate by prefixing it with
1680 # the name of the custom infoType followed by the number of
1681 # characters comprising the surrogate. The following scheme defines the
1682 # format: info_type_name(surrogate_character_count):surrogate
1683 #
1684 # For example, if the name of custom infoType is &#x27;MY_TOKEN_INFO_TYPE&#x27; and
1685 # the surrogate is &#x27;abc&#x27;, the full replacement value
1686 # will be: &#x27;MY_TOKEN_INFO_TYPE(3):abc&#x27;
1687 #
1688 # This annotation identifies the surrogate when inspecting content using the
1689 # custom infoType
1690 # [`SurrogateType`](/dlp/docs/reference/rest/v2/InspectConfig#surrogatetype).
1691 # This facilitates reversal of the surrogate when it occurs in free text.
1692 #
1693 # In order for inspection to work properly, the name of this infoType must
1694 # not occur naturally anywhere in your data; otherwise, inspection may
1695 # find a surrogate that does not correspond to an actual identifier.
1696 # Therefore, choose your custom infoType name carefully after considering
1697 # what your data looks like. One way to select a name that has a high chance
1698 # of yielding reliable detection is to include one or more unicode characters
1699 # that are highly improbable to exist in your data.
1700 # For example, assuming your data is entered from a regular ASCII keyboard,
1701 # the symbol with the hex code point 29DD might be used like so:
1702 # ⧝MY_TOKEN_TYPE
1703 &quot;name&quot;: &quot;A String&quot;, # Name of the information type. Either a name of your choosing when
1704 # creating a CustomInfoType, or one of the names listed
1705 # at https://cloud.google.com/dlp/docs/infotypes-reference when specifying
1706 # a built-in type. InfoType names should conform to the pattern
1707 # `[a-zA-Z0-9_]{1,64}`.
1708 },
1709 &quot;context&quot;: { # General identifier of a data field in a storage service. # The &#x27;tweak&#x27;: a context may be used for higher security since the same
1710 # identifier in two different contexts won&#x27;t be given the same surrogate. If
1711 # the context is not set, a default tweak will be used.
1712 #
1713 # If the context is set but:
1714 #
1715 # 1. there is no record present when transforming a given value or
1716 # 2. the field is not present when transforming a given value,
1717 #
1718 # a default tweak will be used.
1719 #
1720 # Note that case (1) is expected when an `InfoTypeTransformation` is
1721 # applied to both structured and non-structured `ContentItem`s.
1722 # Currently, the referenced field may be of value type integer or string.
1723 #
1724 # The tweak is constructed as a sequence of bytes in big endian byte order
1725 # such that:
1726 #
1727 # - a 64 bit integer is encoded followed by a single byte of value 1
1728 # - a string is encoded in UTF-8 format followed by a single byte of value 2
1729 &quot;name&quot;: &quot;A String&quot;, # Name describing the field.
1730 },
1731 &quot;radix&quot;: 42, # The native way to select the alphabet. Must be in the range [2, 95].
1732 &quot;cryptoKey&quot;: { # This is a data encryption key (DEK) (as opposed to # Required. The key used by the encryption algorithm.
1733 # a key encryption key (KEK) stored by KMS).
1734 # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
1735 # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
1736 # unwrap the data crypto key.
1737 &quot;kmsWrapped&quot;: { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key
1738 # The wrapped key must be a 128/192/256 bit key.
1739 # Authorization requires the following IAM permissions when sending a request
1740 # to perform a crypto transformation using a kms-wrapped crypto key:
1741 # dlp.kms.encrypt
1742 &quot;wrappedKey&quot;: &quot;A String&quot;, # Required. The wrapped data crypto key.
1743 &quot;cryptoKeyName&quot;: &quot;A String&quot;, # Required. The resource name of the KMS CryptoKey to use for unwrapping.
1744 },
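1745 &quot;unwrapped&quot;: { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key
1746 # leaking the key. Choose another type of key if possible. Because this transformation is reversible, anyone who obtains the key can turn surrogates back into the original identifiers.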
1747 &quot;key&quot;: &quot;A String&quot;, # Required. A 128/192/256 bit key.
1748 },
1749 &quot;transient&quot;: { # Use this to have a random data crypto key generated. # Transient crypto key
1750 # It will be discarded after the request finishes.
1751 &quot;name&quot;: &quot;A String&quot;, # Required. Name of the key.
1752 # This is an arbitrary string used to differentiate different keys.
1753 # A unique key is generated per name: two separate `TransientCryptoKey`
1754 # protos share the same generated key if their names are the same.
1755 # When the data crypto key is generated, this name is not used in any way
1756 # (repeating the api call will result in a different key being generated).
1757 },
1758 },
1759 },
1760 &quot;cryptoDeterministicConfig&quot;: { # Pseudonymization method that generates deterministic encryption for the given # Deterministic Crypto
1761 # input. Outputs a base64 encoded representation of the encrypted output.
1762 # Uses AES-SIV based on the RFC https://tools.ietf.org/html/rfc5297.
1763 &quot;surrogateInfoType&quot;: { # Type of information detected by the API. # The custom info type to annotate the surrogate with.
1764 # This annotation will be applied to the surrogate by prefixing it with
1765 # the name of the custom info type followed by the number of
1766 # characters comprising the surrogate. The following scheme defines the
1767 # format: {info type name}({surrogate character count}):{surrogate}
1768 #
1769 # For example, if the name of custom info type is &#x27;MY_TOKEN_INFO_TYPE&#x27; and
1770 # the surrogate is &#x27;abc&#x27;, the full replacement value
1771 # will be: &#x27;MY_TOKEN_INFO_TYPE(3):abc&#x27;
1772 #
1773 # This annotation identifies the surrogate when inspecting content using the
1774 # custom info type &#x27;Surrogate&#x27;. This facilitates reversal of the
1775 # surrogate when it occurs in free text.
1776 #
1777 # Note: For record transformations where the entire cell in a table is being
1778 # transformed, surrogates are not mandatory. Surrogates are used to denote
1779 # the location of the token and are necessary for re-identification in free
1780 # form text.
1781 #
1782 # In order for inspection to work properly, the name of this info type must
1783 # not occur naturally anywhere in your data; otherwise, inspection may either
1784 #
1785 # - reverse a surrogate that does not correspond to an actual identifier
1786 # - be unable to parse the surrogate and result in an error
1787 #
1788 # Therefore, choose your custom info type name carefully after considering
1789 # what your data looks like. One way to select a name that has a high chance
1790 # of yielding reliable detection is to include one or more unicode characters
1791 # that are highly improbable to exist in your data.
1792 # For example, assuming your data is entered from a regular ASCII keyboard,
1793 # the symbol with the hex code point 29DD might be used like so:
1794 # ⧝MY_TOKEN_TYPE.
1795 &quot;name&quot;: &quot;A String&quot;, # Name of the information type. Either a name of your choosing when
1796 # creating a CustomInfoType, or one of the names listed
1797 # at https://cloud.google.com/dlp/docs/infotypes-reference when specifying
1798 # a built-in type. InfoType names should conform to the pattern
1799 # `[a-zA-Z0-9_]{1,64}`.
1800 },
1801 &quot;context&quot;: { # General identifier of a data field in a storage service. # A context may be used for higher security and maintaining
1802 # referential integrity such that the same identifier in two different
1803 # contexts will be given a distinct surrogate. The context is appended to
1804 # plaintext value being encrypted. On decryption the provided context is
1805 # validated against the value used during encryption. If a context was
1806 # provided during encryption, same context must be provided during decryption
1807 # as well.
1808 #
1809 # If the context is not set, plaintext would be used as is for encryption.
1810 # If the context is set but:
1811 #
1812 # 1. there is no record present when transforming a given value or
1813 # 2. the field is not present when transforming a given value,
1814 #
1815 # plaintext would be used as is for encryption.
1816 #
1817 # Note that case (1) is expected when an `InfoTypeTransformation` is
1818 # applied to both structured and non-structured `ContentItem`s.
1819 &quot;name&quot;: &quot;A String&quot;, # Name describing the field.
1820 },
1821 &quot;cryptoKey&quot;: { # This is a data encryption key (DEK) (as opposed to # The key used by the encryption function.
1822 # a key encryption key (KEK) stored by KMS).
1823 # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
1824 # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
1825 # unwrap the data crypto key.
1826 &quot;kmsWrapped&quot;: { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key
1827 # The wrapped key must be a 128/192/256 bit key.
1828 # Authorization requires the following IAM permissions when sending a request
1829 # to perform a crypto transformation using a kms-wrapped crypto key:
1830 # dlp.kms.encrypt
1831 &quot;wrappedKey&quot;: &quot;A String&quot;, # Required. The wrapped data crypto key.
1832 &quot;cryptoKeyName&quot;: &quot;A String&quot;, # Required. The resource name of the KMS CryptoKey to use for unwrapping.
1833 },
1834 &quot;unwrapped&quot;: { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key
1835 # leaking the key. Choose another type of key if possible.
1836 &quot;key&quot;: &quot;A String&quot;, # Required. A 128/192/256 bit key.
1837 },
1838 &quot;transient&quot;: { # Use this to have a random data crypto key generated. # Transient crypto key
1839 # It will be discarded after the request finishes.
1840 &quot;name&quot;: &quot;A String&quot;, # Required. Name of the key.
1841 # This is an arbitrary string used to differentiate different keys.
1842 # A unique key is generated per name: two separate `TransientCryptoKey`
1843 # protos share the same generated key if their names are the same.
1844 # When the data crypto key is generated, this name is not used in any way
1845 # (repeating the api call will result in a different key being generated).
1846 },
1847 },
1848 },
1849 &quot;redactConfig&quot;: { # Redact a given value. For example, if used with an `InfoTypeTransformation` # Redact
1850 # transforming PHONE_NUMBER, and input &#x27;My phone number is 206-555-0123&#x27;, the
1851 # output would be &#x27;My phone number is &#x27;.
1852 },
1853 &quot;bucketingConfig&quot;: { # Generalization function that buckets values based on ranges. The ranges and # Bucketing
1854 # replacement values are dynamically provided by the user for custom behavior,
1855 # such as 1-30 -&gt; LOW 31-65 -&gt; MEDIUM 66-100 -&gt; HIGH
1856 # This can be used on
1857 # data of type: number, long, string, timestamp.
1858 # If the bound `Value` type differs from the type of data being transformed, we
1859 # will first attempt converting the type of the data to be transformed to match
1860 # the type of the bound before comparing.
1861 # See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more.
1862 &quot;buckets&quot;: [ # Set of buckets. Ranges must be non-overlapping.
1863 { # Bucket is represented as a range, along with replacement values.
1864 &quot;min&quot;: { # Set of primitive values supported by the system. # Lower bound of the range, inclusive. Type should be the same as max if
1865 # used.
1866 # Note that for the purposes of inspection or transformation, the number
1867 # of bytes considered to comprise a &#x27;Value&#x27; is based on its representation
1868 # as a UTF-8 encoded string. For example, if &#x27;integer_value&#x27; is set to
1869 # 123456789, the number of bytes would be counted as 9, even though an
1870 # int64 only holds up to 8 bytes of data.
1871 &quot;booleanValue&quot;: True or False, # boolean
1872 &quot;floatValue&quot;: 3.14, # float
1873 &quot;dayOfWeekValue&quot;: &quot;A String&quot;, # day of week
1874 &quot;timestampValue&quot;: &quot;A String&quot;, # timestamp
1875 &quot;dateValue&quot;: { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date
1876 # and time zone are either specified elsewhere or are not significant. The date
1877 # is relative to the Proleptic Gregorian Calendar. This can represent:
1878 #
1879 # * A full date, with non-zero year, month and day values
1880 # * A month and day value, with a zero year, e.g. an anniversary
1881 # * A year on its own, with zero month and day values
1882 # * A year and month value, with a zero day, e.g. a credit card expiration date
1883 #
1884 # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
1885 &quot;year&quot;: 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
1886 # a year.
1887 &quot;month&quot;: 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
1888 # month and day.
1889 &quot;day&quot;: 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
1890 # if specifying a year by itself or a year and month where the day is not
1891 # significant.
1892 },
1893 &quot;stringValue&quot;: &quot;A String&quot;, # string
1894 &quot;integerValue&quot;: &quot;A String&quot;, # integer
1895 &quot;timeValue&quot;: { # Represents a time of day. The date and time zone are either not significant # time of day
1896 # or are specified elsewhere. An API may choose to allow leap seconds. Related
1897 # types are google.type.Date and `google.protobuf.Timestamp`.
1898 &quot;seconds&quot;: 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
1899 # allow the value 60 if it allows leap-seconds.
1900 &quot;nanos&quot;: 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
1901 &quot;hours&quot;: 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
1902 # to allow the value &quot;24:00:00&quot; for scenarios like business closing time.
1903 &quot;minutes&quot;: 42, # Minutes of hour of day. Must be from 0 to 59.
1904 },
1905 },
1906 &quot;max&quot;: { # Set of primitive values supported by the system. # Upper bound of the range, exclusive; type must match min.
1907 # Note that for the purposes of inspection or transformation, the number
1908 # of bytes considered to comprise a &#x27;Value&#x27; is based on its representation
1909 # as a UTF-8 encoded string. For example, if &#x27;integer_value&#x27; is set to
1910 # 123456789, the number of bytes would be counted as 9, even though an
1911 # int64 only holds up to 8 bytes of data.
1912 &quot;booleanValue&quot;: True or False, # boolean
1913 &quot;floatValue&quot;: 3.14, # float
1914 &quot;dayOfWeekValue&quot;: &quot;A String&quot;, # day of week
1915 &quot;timestampValue&quot;: &quot;A String&quot;, # timestamp
1916 &quot;dateValue&quot;: { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date
1917 # and time zone are either specified elsewhere or are not significant. The date
1918 # is relative to the Proleptic Gregorian Calendar. This can represent:
1919 #
1920 # * A full date, with non-zero year, month and day values
1921 # * A month and day value, with a zero year, e.g. an anniversary
1922 # * A year on its own, with zero month and day values
1923 # * A year and month value, with a zero day, e.g. a credit card expiration date
1924 #
1925 # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
1926 &quot;year&quot;: 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
1927 # a year.
1928 &quot;month&quot;: 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
1929 # month and day.
1930 &quot;day&quot;: 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
1931 # if specifying a year by itself or a year and month where the day is not
1932 # significant.
1933 },
1934 &quot;stringValue&quot;: &quot;A String&quot;, # string
1935 &quot;integerValue&quot;: &quot;A String&quot;, # integer
1936 &quot;timeValue&quot;: { # Represents a time of day. The date and time zone are either not significant # time of day
1937 # or are specified elsewhere. An API may choose to allow leap seconds. Related
1938 # types are google.type.Date and `google.protobuf.Timestamp`.
1939 &quot;seconds&quot;: 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
1940 # allow the value 60 if it allows leap-seconds.
1941 &quot;nanos&quot;: 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
1942 &quot;hours&quot;: 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
1943 # to allow the value &quot;24:00:00&quot; for scenarios like business closing time.
1944 &quot;minutes&quot;: 42, # Minutes of hour of day. Must be from 0 to 59.
1945 },
1946 },
1947 &quot;replacementValue&quot;: { # Set of primitive values supported by the system. # Replacement value for this bucket. If not provided
1948 # the default behavior will be to hyphenate the min-max range.
1949 # Note that for the purposes of inspection or transformation, the number
1950 # of bytes considered to comprise a &#x27;Value&#x27; is based on its representation
1951 # as a UTF-8 encoded string. For example, if &#x27;integer_value&#x27; is set to
1952 # 123456789, the number of bytes would be counted as 9, even though an
1953 # int64 only holds up to 8 bytes of data.
1954 &quot;booleanValue&quot;: True or False, # boolean
1955 &quot;floatValue&quot;: 3.14, # float
1956 &quot;dayOfWeekValue&quot;: &quot;A String&quot;, # day of week
1957 &quot;timestampValue&quot;: &quot;A String&quot;, # timestamp
1958 &quot;dateValue&quot;: { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date
1959 # and time zone are either specified elsewhere or are not significant. The date
1960 # is relative to the Proleptic Gregorian Calendar. This can represent:
1961 #
1962 # * A full date, with non-zero year, month and day values
1963 # * A month and day value, with a zero year, e.g. an anniversary
1964 # * A year on its own, with zero month and day values
1965 # * A year and month value, with a zero day, e.g. a credit card expiration date
1966 #
1967 # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
1968 &quot;year&quot;: 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
1969 # a year.
1970 &quot;month&quot;: 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
1971 # month and day.
1972 &quot;day&quot;: 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
1973 # if specifying a year by itself or a year and month where the day is not
1974 # significant.
1975 },
1976 &quot;stringValue&quot;: &quot;A String&quot;, # string
1977 &quot;integerValue&quot;: &quot;A String&quot;, # integer
1978 &quot;timeValue&quot;: { # Represents a time of day. The date and time zone are either not significant # time of day
1979 # or are specified elsewhere. An API may choose to allow leap seconds. Related
1980 # types are google.type.Date and `google.protobuf.Timestamp`.
1981 &quot;seconds&quot;: 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
1982 # allow the value 60 if it allows leap-seconds.
1983 &quot;nanos&quot;: 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
1984 &quot;hours&quot;: 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
1985 # to allow the value &quot;24:00:00&quot; for scenarios like business closing time.
1986 &quot;minutes&quot;: 42, # Minutes of hour of day. Must be from 0 to 59.
1987 },
1988 },
1989 },
1990 ],
1991 },
1992 &quot;replaceConfig&quot;: { # Replace each input value with a given `Value`. # Replace
1993 &quot;newValue&quot;: { # Set of primitive values supported by the system. # Value to replace it with.
1994 # Note that for the purposes of inspection or transformation, the number
1995 # of bytes considered to comprise a &#x27;Value&#x27; is based on its representation
1996 # as a UTF-8 encoded string. For example, if &#x27;integer_value&#x27; is set to
1997 # 123456789, the number of bytes would be counted as 9, even though an
1998 # int64 only holds up to 8 bytes of data.
1999 &quot;booleanValue&quot;: True or False, # boolean
2000 &quot;floatValue&quot;: 3.14, # float
2001 &quot;dayOfWeekValue&quot;: &quot;A String&quot;, # day of week
2002 &quot;timestampValue&quot;: &quot;A String&quot;, # timestamp
2003 &quot;dateValue&quot;: { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date
2004 # and time zone are either specified elsewhere or are not significant. The date
2005 # is relative to the Proleptic Gregorian Calendar. This can represent:
2006 #
2007 # * A full date, with non-zero year, month and day values
2008 # * A month and day value, with a zero year, e.g. an anniversary
2009 # * A year on its own, with zero month and day values
2010 # * A year and month value, with a zero day, e.g. a credit card expiration date
2011 #
2012 # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
2013 &quot;year&quot;: 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
2014 # a year.
2015 &quot;month&quot;: 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
2016 # month and day.
2017 &quot;day&quot;: 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
2018 # if specifying a year by itself or a year and month where the day is not
2019 # significant.
2020 },
2021 &quot;stringValue&quot;: &quot;A String&quot;, # string
2022 &quot;integerValue&quot;: &quot;A String&quot;, # integer
2023 &quot;timeValue&quot;: { # Represents a time of day. The date and time zone are either not significant # time of day
2024 # or are specified elsewhere. An API may choose to allow leap seconds. Related
2025 # types are google.type.Date and `google.protobuf.Timestamp`.
2026 &quot;seconds&quot;: 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
2027 # allow the value 60 if it allows leap-seconds.
2028 &quot;nanos&quot;: 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
2029 &quot;hours&quot;: 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
2030 # to allow the value &quot;24:00:00&quot; for scenarios like business closing time.
2031 &quot;minutes&quot;: 42, # Minutes of hour of day. Must be from 0 to 59.
2032 },
2033 },
2034 },
2035 &quot;characterMaskConfig&quot;: { # Mask. Partially mask a string by replacing a given number of characters with a
2036 # fixed character. Masking can start from the beginning or end of the string.
2037 # This can be used on data of any type (numbers, longs, and so on) and when
2038 # de-identifying structured data we&#x27;ll attempt to preserve the original data&#x27;s
2039 # type. (This allows you to take a long like 123 and modify it to a string like
2040 # **3.)
2041 &quot;reverseOrder&quot;: True or False, # Mask characters in reverse order. For example, if `masking_character` is
2042 # `0`, `number_to_mask` is `14`, and `reverse_order` is `false`, then the
2043 # input string `1234-5678-9012-3456` is masked as `00000000000000-3456`.
2044 # If `masking_character` is `*`, `number_to_mask` is `3`, and `reverse_order`
2045 # is `true`, then the string `12345` is masked as `12***`.
2046 &quot;charactersToIgnore&quot;: [ # When masking a string, items in this list will be skipped when replacing
2047 # characters. For example, if the input string is `555-555-5555` and you
2048 # instruct Cloud DLP to skip `-` and mask 5 characters with `*`, Cloud DLP
2049 # returns `***-**5-5555`.
2050 { # Characters to skip when doing deidentification of a value. These will be left
2051 # alone and skipped.
2052 &quot;charactersToSkip&quot;: &quot;A String&quot;, # Characters to not transform when masking.
2053 &quot;commonCharactersToIgnore&quot;: &quot;A String&quot;, # Common characters to not transform when masking. Useful to avoid removing
2054 # punctuation.
2055 },
2056 ],
2057 &quot;numberToMask&quot;: 42, # Number of characters to mask. If not set, all matching chars will be
2058 # masked. Skipped characters do not count towards this tally.
2059 &quot;maskingCharacter&quot;: &quot;A String&quot;, # Character to use to mask the sensitive values—for example, `*` for an
2060 # alphabetic string such as a name, or `0` for a numeric string such as ZIP
2061 # code or credit card number. This string must have a length of 1. If not
2062 # supplied, this value defaults to `*` for strings, and `0` for digits.
2063 },
2064 &quot;fixedSizeBucketingConfig&quot;: { # Fixed size bucketing. Buckets values based on fixed size ranges. The
2065 # Bucketing transformation can provide all of this functionality,
2066 # but requires more configuration. This message is provided as a convenience to
2067 # the user for simple bucketing strategies.
2068 #
2069 # The transformed value will be a hyphenated string of
2070 # {lower_bound}-{upper_bound}, i.e. if lower_bound = 10 and upper_bound = 20
2071 # all values that are within this bucket will be replaced with &quot;10-20&quot;.
2072 #
2073 # This can be used on data of type: double, long.
2074 #
2075 # If the bound Value type differs from the type of data
2076 # being transformed, we will first attempt converting the type of the data to
2077 # be transformed to match the type of the bound before comparing.
2078 #
2079 # See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more.
2080 &quot;lowerBound&quot;: { # Set of primitive values supported by the system. # Required. Lower bound value of buckets. All values less than `lower_bound` are
2081 # grouped together into a single bucket; for example if `lower_bound` = 10,
2082 # then all values less than 10 are replaced with the value &quot;-10&quot;.
2083 # Note that for the purposes of inspection or transformation, the number
2084 # of bytes considered to comprise a &#x27;Value&#x27; is based on its representation
2085 # as a UTF-8 encoded string. For example, if &#x27;integer_value&#x27; is set to
2086 # 123456789, the number of bytes would be counted as 9, even though an
2087 # int64 only holds up to 8 bytes of data.
2088 &quot;booleanValue&quot;: True or False, # boolean
2089 &quot;floatValue&quot;: 3.14, # float
2090 &quot;dayOfWeekValue&quot;: &quot;A String&quot;, # day of week
2091 &quot;timestampValue&quot;: &quot;A String&quot;, # timestamp
2092 &quot;dateValue&quot;: { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date
2093 # and time zone are either specified elsewhere or are not significant. The date
2094 # is relative to the Proleptic Gregorian Calendar. This can represent:
2095 #
2096 # * A full date, with non-zero year, month and day values
2097 # * A month and day value, with a zero year, e.g. an anniversary
2098 # * A year on its own, with zero month and day values
2099 # * A year and month value, with a zero day, e.g. a credit card expiration date
2100 #
2101 # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
2102 &quot;year&quot;: 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
2103 # a year.
2104 &quot;month&quot;: 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
2105 # month and day.
2106 &quot;day&quot;: 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
2107 # if specifying a year by itself or a year and month where the day is not
2108 # significant.
2109 },
2110 &quot;stringValue&quot;: &quot;A String&quot;, # string
2111 &quot;integerValue&quot;: &quot;A String&quot;, # integer
2112 &quot;timeValue&quot;: { # Represents a time of day. The date and time zone are either not significant # time of day
2113 # or are specified elsewhere. An API may choose to allow leap seconds. Related
2114 # types are google.type.Date and `google.protobuf.Timestamp`.
2115 &quot;seconds&quot;: 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
2116 # allow the value 60 if it allows leap-seconds.
2117 &quot;nanos&quot;: 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
2118 &quot;hours&quot;: 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
2119 # to allow the value &quot;24:00:00&quot; for scenarios like business closing time.
2120 &quot;minutes&quot;: 42, # Minutes of hour of day. Must be from 0 to 59.
2121 },
2122 },
2123 &quot;upperBound&quot;: { # Set of primitive values supported by the system. # Required. Upper bound value of buckets. All values greater than upper_bound are
2124 # grouped together into a single bucket; for example if `upper_bound` = 89,
2125 # then all values greater than 89 are replaced with the value &quot;89+&quot;.
2126 # Note that for the purposes of inspection or transformation, the number
2127 # of bytes considered to comprise a &#x27;Value&#x27; is based on its representation
2128 # as a UTF-8 encoded string. For example, if &#x27;integer_value&#x27; is set to
2129 # 123456789, the number of bytes would be counted as 9, even though an
2130 # int64 only holds up to 8 bytes of data.
2131 &quot;booleanValue&quot;: True or False, # boolean
2132 &quot;floatValue&quot;: 3.14, # float
2133 &quot;dayOfWeekValue&quot;: &quot;A String&quot;, # day of week
2134 &quot;timestampValue&quot;: &quot;A String&quot;, # timestamp
2135 &quot;dateValue&quot;: { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date
2136 # and time zone are either specified elsewhere or are not significant. The date
2137 # is relative to the Proleptic Gregorian Calendar. This can represent:
2138 #
2139 # * A full date, with non-zero year, month and day values
2140 # * A month and day value, with a zero year, e.g. an anniversary
2141 # * A year on its own, with zero month and day values
2142 # * A year and month value, with a zero day, e.g. a credit card expiration date
2143 #
2144 # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
2145 &quot;year&quot;: 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
2146 # a year.
2147 &quot;month&quot;: 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
2148 # month and day.
2149 &quot;day&quot;: 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
2150 # if specifying a year by itself or a year and month where the day is not
2151 # significant.
2152 },
2153 &quot;stringValue&quot;: &quot;A String&quot;, # string
2154 &quot;integerValue&quot;: &quot;A String&quot;, # integer
2155 &quot;timeValue&quot;: { # Represents a time of day. The date and time zone are either not significant # time of day
2156 # or are specified elsewhere. An API may choose to allow leap seconds. Related
2157 # types are google.type.Date and `google.protobuf.Timestamp`.
2158 &quot;seconds&quot;: 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
2159 # allow the value 60 if it allows leap-seconds.
2160 &quot;nanos&quot;: 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
2161 &quot;hours&quot;: 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
2162 # to allow the value &quot;24:00:00&quot; for scenarios like business closing time.
2163 &quot;minutes&quot;: 42, # Minutes of hour of day. Must be from 0 to 59.
2164 },
2165 },
2166 &quot;bucketSize&quot;: 3.14, # Required. Size of each bucket (except for minimum and maximum buckets). So if
2167 # `lower_bound` = 10, `upper_bound` = 89, and `bucket_size` = 10, then the
2168 # following buckets would be used: -10, 10-20, 20-30, 30-40, 40-50, 50-60,
2169 # 60-70, 70-80, 80-89, 89+. Precision up to 2 decimals works.
2170 },
2171 },
2172 },
2173 ],
2174 },
2175 },
2176 },
2177 &quot;locationId&quot;: &quot;A String&quot;, # The geographic location to store the deidentification template. Reserved
2178 # for future extensions.
2179 }
2180
2181 x__xgafv: string, V1 error format.
2182 Allowed values
2183 1 - v1 error format
2184 2 - v2 error format
2185
2186Returns:
2187 An object of the form:
2188
2189 { # DeidentifyTemplates contains instructions on how to de-identify content.
2190 # See https://cloud.google.com/dlp/docs/concepts-templates to learn more.
2191 &quot;name&quot;: &quot;A String&quot;, # Output only. The template name.
2192 #
2193 # The template will have one of the following formats:
2194 # `projects/PROJECT_ID/deidentifyTemplates/TEMPLATE_ID` OR
2195 # `organizations/ORGANIZATION_ID/deidentifyTemplates/TEMPLATE_ID`
2196 &quot;description&quot;: &quot;A String&quot;, # Short description (max 256 chars).
2197 &quot;displayName&quot;: &quot;A String&quot;, # Display name (max 256 chars).
2198 &quot;createTime&quot;: &quot;A String&quot;, # Output only. The creation timestamp of an inspectTemplate.
2199 &quot;updateTime&quot;: &quot;A String&quot;, # Output only. The last update timestamp of an inspectTemplate.
2200 &quot;deidentifyConfig&quot;: { # The configuration that controls how the data will change. # ///////////// // The core content of the template // ///////////////
2201 &quot;transformationErrorHandling&quot;: { # Mode for handling transformation errors. If left unspecified, the default
2202 # mode is `TransformationErrorHandling.ThrowError`.
2203 # How to handle transformation errors during de-identification. A transformation error occurs when the requested transformation is incompatible
2204 # with the data. For example, trying to de-identify an IP address using a
2205 # `DateShift` transformation would result in a transformation error, since date
2206 # info cannot be extracted from an IP address.
2207 # Information about any incompatible transformations, and how they were
2208 # handled, is returned in the response as part of the
2209 # `TransformationOverviews`.
2210 &quot;throwError&quot;: { # Throw an error and fail the request when a transformation error occurs. # Throw an error
2211 },
2212 &quot;leaveUntransformed&quot;: { # Skips the data without modifying it if the requested transformation would # Ignore errors
2213 # cause an error. For example, if a `DateShift` transformation were applied
2214 # to an IP address, this mode would leave the IP address unchanged in the
2215 # response.
2216 },
2217 },
2218 &quot;recordTransformations&quot;: { # Treat the dataset as structured. Transformations can be applied to
2219 # specific locations within structured datasets, such as transforming
2220 # a column within a table.
2221 # A type of transformation that is applied over structured data such as a table.
2222 &quot;recordSuppressions&quot;: [ # Configuration defining which records get suppressed entirely. Records that
2223 # match any suppression rule are omitted from the output.
2224 { # Configuration to suppress records whose suppression conditions evaluate to
2225 # true.
2226 &quot;condition&quot;: { # A condition that when it evaluates to true will result in the record being
2227 # evaluated to be suppressed from the transformed content.
2228 # A condition for determining whether a transformation should be applied to a field.
2229 &quot;expressions&quot;: { # An expression, consisting of an operator and conditions. # An expression.
2230 &quot;logicalOperator&quot;: &quot;A String&quot;, # The operator to apply to the result of conditions. Default and currently
2231 # only supported value is `AND`.
2232 &quot;conditions&quot;: { # A collection of conditions. # Conditions to apply to the expression.
2233 &quot;conditions&quot;: [ # A collection of conditions.
2234 { # The field type of `value` and `field` do not need to match to be
2235 # considered equal, but not all comparisons are possible.
2236 # EQUAL_TO and NOT_EQUAL_TO attempt to compare even with incompatible types,
2237 # but all other comparisons are invalid with incompatible types.
2238 # A `value` of type:
2239 #
2240 # - `string` can be compared against all other types
2241 # - `boolean` can only be compared against other booleans
2242 # - `integer` can be compared against doubles or a string if the string value
2243 # can be parsed as an integer.
2244 # - `double` can be compared against integers or a string if the string can
2245 # be parsed as a double.
2246 # - `Timestamp` can be compared against strings in RFC 3339 date string
2247 # format.
2248 # - `TimeOfDay` can be compared against timestamps and strings in the format
2249 # of &#x27;HH:mm:ss&#x27;.
2250 #
2251 # If we fail to compare due to type mismatch, a warning will be given and
2252 # the condition will evaluate to false.
2253 &quot;field&quot;: { # General identifier of a data field in a storage service. # Required. Field within the record this condition is evaluated against.
2254 &quot;name&quot;: &quot;A String&quot;, # Name describing the field.
2255 },
2256 &quot;operator&quot;: &quot;A String&quot;, # Required. Operator used to compare the field or infoType to the value.
2257 &quot;value&quot;: { # Set of primitive values supported by the system. # Value to compare against. [Mandatory, except for `EXISTS` tests.]
2258 # Note that for the purposes of inspection or transformation, the number
2259 # of bytes considered to comprise a &#x27;Value&#x27; is based on its representation
2260 # as a UTF-8 encoded string. For example, if &#x27;integer_value&#x27; is set to
2261 # 123456789, the number of bytes would be counted as 9, even though an
2262 # int64 only holds up to 8 bytes of data.
2263 &quot;booleanValue&quot;: True or False, # boolean
2264 &quot;floatValue&quot;: 3.14, # float
2265 &quot;dayOfWeekValue&quot;: &quot;A String&quot;, # day of week
2266 &quot;timestampValue&quot;: &quot;A String&quot;, # timestamp
2267 &quot;dateValue&quot;: { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date
2268 # and time zone are either specified elsewhere or are not significant. The date
2269 # is relative to the Proleptic Gregorian Calendar. This can represent:
2270 #
2271 # * A full date, with non-zero year, month and day values
2272 # * A month and day value, with a zero year, e.g. an anniversary
2273 # * A year on its own, with zero month and day values
2274 # * A year and month value, with a zero day, e.g. a credit card expiration date
2275 #
2276 # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
2277 &quot;year&quot;: 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
2278 # a year.
2279 &quot;month&quot;: 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
2280 # month and day.
2281 &quot;day&quot;: 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
2282 # if specifying a year by itself or a year and month where the day is not
2283 # significant.
2284 },
2285 &quot;stringValue&quot;: &quot;A String&quot;, # string
2286 &quot;integerValue&quot;: &quot;A String&quot;, # integer
2287 &quot;timeValue&quot;: { # Represents a time of day. The date and time zone are either not significant # time of day
2288 # or are specified elsewhere. An API may choose to allow leap seconds. Related
2289 # types are google.type.Date and `google.protobuf.Timestamp`.
2290 &quot;seconds&quot;: 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
2291 # allow the value 60 if it allows leap-seconds.
2292 &quot;nanos&quot;: 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
2293 &quot;hours&quot;: 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
2294 # to allow the value &quot;24:00:00&quot; for scenarios like business closing time.
2295 &quot;minutes&quot;: 42, # Minutes of hour of day. Must be from 0 to 59.
2296 },
2297 },
2298 },
2299 ],
2300 },
2301 },
2302 },
2303 },
2304 ],
2305 &quot;fieldTransformations&quot;: [ # Transform the record by applying various field transformations.
2306 { # The transformation to apply to the field.
2307 &quot;fields&quot;: [ # Required. Input field(s) to apply the transformation to.
2308 { # General identifier of a data field in a storage service.
2309 &quot;name&quot;: &quot;A String&quot;, # Name describing the field.
2310 },
2311 ],
2312 &quot;infoTypeTransformations&quot;: { # Treat the contents of the field as free text, and selectively
2313 # apply various `PrimitiveTransformation`s to each finding, where the
2314 # transformation is applied to only values that were identified as a specific
2315 # info_type.
2316 # A type of transformation that will scan unstructured text and transform content that matches an `InfoType`.
2317 &quot;transformations&quot;: [ # Required. Transformation for each infoType. Cannot specify more than one
2318 # for a given infoType.
2319 { # A transformation to apply to text that is identified as a specific
2320 # info_type.
2321 &quot;infoTypes&quot;: [ # InfoTypes to apply the transformation to. An empty list will cause
2322 # this transformation to apply to all findings that correspond to
2323 # infoTypes that were requested in `InspectConfig`.
2324 { # Type of information detected by the API.
2325 &quot;name&quot;: &quot;A String&quot;, # Name of the information type. Either a name of your choosing when
2326 # creating a CustomInfoType, or one of the names listed
2327 # at https://cloud.google.com/dlp/docs/infotypes-reference when specifying
2328 # a built-in type. InfoType names should conform to the pattern
2329 # `[a-zA-Z0-9_]{1,64}`.
2330 },
2331 ],
2332 &quot;primitiveTransformation&quot;: { # A rule for transforming a value. # Required. Primitive transformation to apply to the infoType.
2333 &quot;timePartConfig&quot;: { # For use with `Date`, `Timestamp`, and `TimeOfDay`, extract or preserve a # Time extraction
2334 # portion of the value.
2335 &quot;partToExtract&quot;: &quot;A String&quot;, # The part of the time to keep.
2336 },
2337 &quot;dateShiftConfig&quot;: { # Date Shift. Shifts dates by a random number of days, with the option to be consistent for the
2338 # same context. See https://cloud.google.com/dlp/docs/concepts-date-shifting
2339 # to learn more.
2340 &quot;context&quot;: { # General identifier of a data field in a storage service. # Points to the field that contains the context, for example, an entity id.
2341 # If set, must also set cryptoKey. If set, shift will be consistent for the
2342 # given context.
2343 &quot;name&quot;: &quot;A String&quot;, # Name describing the field.
2344 },
2345 &quot;upperBoundDays&quot;: 42, # Required. Range of shift in days. Actual shift will be selected at random within this
2346 # range (inclusive ends). Negative means shift to earlier in time. Must not
2347 # be more than 365250 days (1000 years) each direction.
2348 #
2349 # For example, 3 means shift date to at most 3 days into the future.
2350 &quot;lowerBoundDays&quot;: 42, # Required. For example, -5 means shift date to at most 5 days back in the past.
2351 &quot;cryptoKey&quot;: { # Causes the shift to be computed based on this key and the context. This
2352 # results in the same shift for the same context and crypto_key. If
2353 # set, must also set context. Can only be applied to table items.
2354 # This is a data encryption key (DEK) (as opposed to a key encryption key (KEK) stored by KMS).
2355 # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
2356 # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
2357 # unwrap the data crypto key.
2358 &quot;kmsWrapped&quot;: { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key
2359 # The wrapped key must be a 128/192/256 bit key.
2360 # Authorization requires the following IAM permissions when sending a request
2361 # to perform a crypto transformation using a kms-wrapped crypto key:
2362 # dlp.kms.encrypt
2363 &quot;wrappedKey&quot;: &quot;A String&quot;, # Required. The wrapped data crypto key.
2364 &quot;cryptoKeyName&quot;: &quot;A String&quot;, # Required. The resource name of the KMS CryptoKey to use for unwrapping.
2365 },
2366 &quot;unwrapped&quot;: { # Unwrapped crypto key. Using raw keys is prone to security risks due to accidentally
2367 # leaking the key. Choose another type of key if possible.
2368 &quot;key&quot;: &quot;A String&quot;, # Required. A 128/192/256 bit key.
2369 },
2370 &quot;transient&quot;: { # Use this to have a random data crypto key generated. # Transient crypto key
2371 # It will be discarded after the request finishes.
2372 &quot;name&quot;: &quot;A String&quot;, # Required. Name of the key.
2373 # This is an arbitrary string used to differentiate different keys.
2374 # A unique key is generated per name: two separate `TransientCryptoKey`
2375 # protos share the same generated key if their names are the same.
2376 # When the data crypto key is generated, this name is not used in any way
2377 # (repeating the api call will result in a different key being generated).
2378 },
2379 },
2380 },
2381 &quot;replaceWithInfoTypeConfig&quot;: { # Replace each matching finding with the name of the info_type. # Replace with infotype
2382 },
2383 &quot;cryptoHashConfig&quot;: { # Pseudonymization method that generates surrogates via cryptographic hashing. # Crypto
2384 # Uses SHA-256.
2385 # The key size must be either 32 or 64 bytes.
2386 # Outputs a base64 encoded representation of the hashed output
2387 # (for example, L7k0BHmF1ha5U3NfGykjro4xWi1MPVQPjhMAZbSV9mM=).
2388 # Currently, only string and integer values can be hashed.
2389 # See https://cloud.google.com/dlp/docs/pseudonymization to learn more.
2390 &quot;cryptoKey&quot;: { # The key used by the hash function. This is a data encryption key (DEK) (as opposed to
2391 # a key encryption key (KEK) stored by KMS).
2392 # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
2393 # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
2394 # unwrap the data crypto key.
2395 &quot;kmsWrapped&quot;: { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key
2396 # The wrapped key must be a 128/192/256 bit key.
2397 # Authorization requires the following IAM permissions when sending a request
2398 # to perform a crypto transformation using a kms-wrapped crypto key:
2399 # dlp.kms.encrypt
2400 &quot;wrappedKey&quot;: &quot;A String&quot;, # Required. The wrapped data crypto key.
2401 &quot;cryptoKeyName&quot;: &quot;A String&quot;, # Required. The resource name of the KMS CryptoKey to use for unwrapping.
2402 },
2403 &quot;unwrapped&quot;: { # Unwrapped crypto key. Using raw keys is prone to security risks due to accidentally
2404 # leaking the key. Choose another type of key if possible.
2405 &quot;key&quot;: &quot;A String&quot;, # Required. A 128/192/256 bit key.
2406 },
2407 &quot;transient&quot;: { # Use this to have a random data crypto key generated. # Transient crypto key
2408 # It will be discarded after the request finishes.
2409 &quot;name&quot;: &quot;A String&quot;, # Required. Name of the key.
2410 # This is an arbitrary string used to differentiate different keys.
2411 # A unique key is generated per name: two separate `TransientCryptoKey`
2412 # protos share the same generated key if their names are the same.
2413 # When the data crypto key is generated, this name is not used in any way
2414 # (repeating the api call will result in a different key being generated).
2415 },
2416 },
2417 },
2418 &quot;cryptoReplaceFfxFpeConfig&quot;: { # Ffx-Fpe. Replaces an identifier with a surrogate using Format Preserving Encryption
2419 # (FPE) with the FFX mode of operation; however when used in the
2420 # `ReidentifyContent` API method, it serves the opposite function by reversing
2421 # the surrogate back into the original identifier. The identifier must be
2422 # encoded as ASCII. For a given crypto key and context, the same identifier
2423 # will be replaced with the same surrogate. Identifiers must be at least two
2424 # characters long. In the case that the identifier is the empty string, it will
2425 # be skipped. See https://cloud.google.com/dlp/docs/pseudonymization to learn
2426 # more.
2427 #
2428 # Note: We recommend using CryptoDeterministicConfig for all use cases which
2429 # do not require preserving the input alphabet space and size, plus warrant
2430 # referential integrity.
2431 &quot;customAlphabet&quot;: &quot;A String&quot;, # This is supported by mapping these to the alphanumeric characters
2432 # that the FFX mode natively supports. This happens before/after
2433 # encryption/decryption.
2434 # Each character listed must appear only once.
2435 # Number of characters must be in the range [2, 95].
2436 # This must be encoded as ASCII.
2437 # The order of characters does not matter.
2438 &quot;commonAlphabet&quot;: &quot;A String&quot;, # Common alphabets.
2439 &quot;surrogateInfoType&quot;: { # Type of information detected by the API. # The custom infoType to annotate the surrogate with.
2440 # This annotation will be applied to the surrogate by prefixing it with
2441 # the name of the custom infoType followed by the number of
2442 # characters comprising the surrogate. The following scheme defines the
2443 # format: info_type_name(surrogate_character_count):surrogate
2444 #
2445 # For example, if the name of custom infoType is &#x27;MY_TOKEN_INFO_TYPE&#x27; and
2446 # the surrogate is &#x27;abc&#x27;, the full replacement value
2447 # will be: &#x27;MY_TOKEN_INFO_TYPE(3):abc&#x27;
2448 #
2449 # This annotation identifies the surrogate when inspecting content using the
2450 # custom infoType
2451 # [`SurrogateType`](/dlp/docs/reference/rest/v2/InspectConfig#surrogatetype).
2452 # This facilitates reversal of the surrogate when it occurs in free text.
2453 #
2454 # In order for inspection to work properly, the name of this infoType must
2455 # not occur naturally anywhere in your data; otherwise, inspection may
2456 # find a surrogate that does not correspond to an actual identifier.
2457 # Therefore, choose your custom infoType name carefully after considering
2458 # what your data looks like. One way to select a name that has a high chance
2459 # of yielding reliable detection is to include one or more unicode characters
2460 # that are highly improbable to exist in your data.
2461 # For example, assuming your data is entered from a regular ASCII keyboard,
2462 # the symbol with the hex code point 29DD might be used like so:
2463 # ⧝MY_TOKEN_TYPE
2464 &quot;name&quot;: &quot;A String&quot;, # Name of the information type. Either a name of your choosing when
2465 # creating a CustomInfoType, or one of the names listed
2466 # at https://cloud.google.com/dlp/docs/infotypes-reference when specifying
2467 # a built-in type. InfoType names should conform to the pattern
2468 # `[a-zA-Z0-9_]{1,64}`.
2469 },
2470 &quot;context&quot;: { # General identifier of a data field in a storage service. # The &#x27;tweak&#x27;. A context may be used for higher security, since the same
2471 # identifier in two different contexts won&#x27;t be given the same surrogate. If
2472 # the context is not set, a default tweak will be used.
2473 #
2474 # If the context is set but:
2475 #
2476 # 1. there is no record present when transforming a given value or
2477 # 2. the field is not present when transforming a given value,
2478 #
2479 # a default tweak will be used.
2480 #
2481 # Note that case (1) is expected when an `InfoTypeTransformation` is
2482 # applied to both structured and non-structured `ContentItem`s.
2483 # Currently, the referenced field may be of value type integer or string.
2484 #
2485 # The tweak is constructed as a sequence of bytes in big endian byte order
2486 # such that:
2487 #
2488 # - a 64 bit integer is encoded followed by a single byte of value 1
2489 # - a string is encoded in UTF-8 format followed by a single byte of value 2
2490 &quot;name&quot;: &quot;A String&quot;, # Name describing the field.
2491 },
2492 &quot;radix&quot;: 42, # The native way to select the alphabet. Must be in the range [2, 95].
2493 &quot;cryptoKey&quot;: { # Required. The key used by the encryption algorithm. This is a data encryption key (DEK) (as opposed to
2494 # a key encryption key (KEK) stored by KMS).
2495 # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
2496 # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
2497 # unwrap the data crypto key.
2498 &quot;kmsWrapped&quot;: { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key
2499 # The wrapped key must be a 128/192/256 bit key.
2500 # Authorization requires the following IAM permissions when sending a request
2501 # to perform a crypto transformation using a kms-wrapped crypto key:
2502 # dlp.kms.encrypt
2503 &quot;wrappedKey&quot;: &quot;A String&quot;, # Required. The wrapped data crypto key.
2504 &quot;cryptoKeyName&quot;: &quot;A String&quot;, # Required. The resource name of the KMS CryptoKey to use for unwrapping.
2505 },
2506 &quot;unwrapped&quot;: { # Unwrapped crypto key. Using raw keys is prone to security risks due to accidentally
2507 # leaking the key. Choose another type of key if possible.
2508 &quot;key&quot;: &quot;A String&quot;, # Required. A 128/192/256 bit key.
2509 },
2510 &quot;transient&quot;: { # Use this to have a random data crypto key generated. # Transient crypto key
2511 # It will be discarded after the request finishes.
2512 &quot;name&quot;: &quot;A String&quot;, # Required. Name of the key.
2513 # This is an arbitrary string used to differentiate different keys.
2514 # A unique key is generated per name: two separate `TransientCryptoKey`
2515 # protos share the same generated key if their names are the same.
2516 # When the data crypto key is generated, this name is not used in any way
2517 # (repeating the api call will result in a different key being generated).
2518 },
2519 },
2520 },
2521 &quot;cryptoDeterministicConfig&quot;: { # Deterministic Crypto. Pseudonymization method that generates deterministic encryption for the given
2522 # input. Outputs a base64 encoded representation of the encrypted output.
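2523 # Uses AES-SIV based on the RFC https://tools.ietf.org/html/rfc5297. Because the encryption is deterministic, equal inputs under the same key and context yield equal surrogates, so equality between values remains visible in the output.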
2524 &quot;surrogateInfoType&quot;: { # Type of information detected by the API. # The custom info type to annotate the surrogate with.
2525 # This annotation will be applied to the surrogate by prefixing it with
2526 # the name of the custom info type followed by the number of
2527 # characters comprising the surrogate. The following scheme defines the
2528 # format: {info type name}({surrogate character count}):{surrogate}
2529 #
2530 # For example, if the name of custom info type is &#x27;MY_TOKEN_INFO_TYPE&#x27; and
2531 # the surrogate is &#x27;abc&#x27;, the full replacement value
2532 # will be: &#x27;MY_TOKEN_INFO_TYPE(3):abc&#x27;
2533 #
2534 # This annotation identifies the surrogate when inspecting content using the
2535 # custom info type &#x27;Surrogate&#x27;. This facilitates reversal of the
2536 # surrogate when it occurs in free text.
2537 #
2538 # Note: For record transformations where the entire cell in a table is being
2539 # transformed, surrogates are not mandatory. Surrogates are used to denote
2540 # the location of the token and are necessary for re-identification in free
2541 # form text.
2542 #
2543 # In order for inspection to work properly, the name of this info type must
2544 # not occur naturally anywhere in your data; otherwise, inspection may either
2545 #
2546 # - reverse a surrogate that does not correspond to an actual identifier
2547 # - be unable to parse the surrogate and result in an error
2548 #
2549 # Therefore, choose your custom info type name carefully after considering
2550 # what your data looks like. One way to select a name that has a high chance
2551 # of yielding reliable detection is to include one or more unicode characters
2552 # that are highly improbable to exist in your data.
2553 # For example, assuming your data is entered from a regular ASCII keyboard,
2554 # the symbol with the hex code point 29DD might be used like so:
2555 # ⧝MY_TOKEN_TYPE.
2556 &quot;name&quot;: &quot;A String&quot;, # Name of the information type. Either a name of your choosing when
2557 # creating a CustomInfoType, or one of the names listed
2558 # at https://cloud.google.com/dlp/docs/infotypes-reference when specifying
2559 # a built-in type. InfoType names should conform to the pattern
2560 # `[a-zA-Z0-9_]{1,64}`.
2561 },
2562 &quot;context&quot;: { # General identifier of a data field in a storage service. # A context may be used for higher security and maintaining
2563 # referential integrity such that the same identifier in two different
2564 # contexts will be given a distinct surrogate. The context is appended to
2565 # the plaintext value being encrypted. On decryption, the provided context is
2566 # validated against the value used during encryption. If a context was
2567 # provided during encryption, the same context must be provided during decryption
2568 # as well.
2569 #
2570 # If the context is not set, plaintext would be used as is for encryption.
2571 # If the context is set but:
2572 #
2573 # 1. there is no record present when transforming a given value or
2574 # 2. the field is not present when transforming a given value,
2575 #
2576 # plaintext would be used as is for encryption.
2577 #
2578 # Note that case (1) is expected when an `InfoTypeTransformation` is
2579 # applied to both structured and non-structured `ContentItem`s.
2580 &quot;name&quot;: &quot;A String&quot;, # Name describing the field.
2581 },
2582 &quot;cryptoKey&quot;: { # This is a data encryption key (DEK) (as opposed to # The key used by the encryption function.
2583 # a key encryption key (KEK) stored by KMS).
2584 # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
2585 # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
2586 # unwrap the data crypto key.
2587 &quot;kmsWrapped&quot;: { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key
2588 # The wrapped key must be a 128/192/256 bit key.
2589 # Authorization requires the following IAM permissions when sending a request
2590 # to perform a crypto transformation using a kms-wrapped crypto key:
2591 # dlp.kms.encrypt
2592 &quot;wrappedKey&quot;: &quot;A String&quot;, # Required. The wrapped data crypto key.
2593 &quot;cryptoKeyName&quot;: &quot;A String&quot;, # Required. The resource name of the KMS CryptoKey to use for unwrapping.
2594 },
2595 &quot;unwrapped&quot;: { # Using raw keys is a security risk because the key is easy to leak accidentally: # Unwrapped crypto key
2596 # the key material appears in clear text in the request and in any stored template. Choose another type of key if possible.
2597 &quot;key&quot;: &quot;A String&quot;, # Required. A 128/192/256 bit key.
2598 },
2599 &quot;transient&quot;: { # Use this to have a random data crypto key generated. # Transient crypto key
2600 # It will be discarded after the request finishes, so surrogates produced with it cannot be re-identified by a later request.
2601 &quot;name&quot;: &quot;A String&quot;, # Required. Name of the key.
2602 # This is an arbitrary string used to differentiate different keys.
2603 # A unique key is generated per name: two separate `TransientCryptoKey`
2604 # protos share the same generated key if their names are the same.
2605 # When the data crypto key is generated, this name is not used in any way
2606 # (repeating the api call will result in a different key being generated).
2607 },
2608 },
2609 },
2610 &quot;redactConfig&quot;: { # Redact a given value. For example, if used with an `InfoTypeTransformation` # Redact
2611 # transforming PHONE_NUMBER, and input &#x27;My phone number is 206-555-0123&#x27;, the
2612 # output would be &#x27;My phone number is &#x27;.
2613 },
2614 &quot;bucketingConfig&quot;: { # Generalization function that buckets values based on ranges. The ranges and # Bucketing
2615 # replacement values are dynamically provided by the user for custom behavior,
2616 # such as 1-30 -&gt; LOW 31-65 -&gt; MEDIUM 66-100 -&gt; HIGH
2617 # This can be used on
2618 # data of type: number, long, string, timestamp.
2619 # If the bound `Value` type differs from the type of data being transformed, we
2620 # will first attempt converting the type of the data to be transformed to match
2621 # the type of the bound before comparing.
2622 # See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more.
2623 &quot;buckets&quot;: [ # Set of buckets. Ranges must be non-overlapping.
2624 { # Bucket is represented as a range, along with replacement values.
2625 &quot;min&quot;: { # Set of primitive values supported by the system. # Lower bound of the range, inclusive. Type should be the same as max if
2626 # used.
2627 # Note that for the purposes of inspection or transformation, the number
2628 # of bytes considered to comprise a &#x27;Value&#x27; is based on its representation
2629 # as a UTF-8 encoded string. For example, if &#x27;integer_value&#x27; is set to
2630 # 123456789, the number of bytes would be counted as 9, even though an
2631 # int64 only holds up to 8 bytes of data.
2632 &quot;booleanValue&quot;: True or False, # boolean
2633 &quot;floatValue&quot;: 3.14, # float
2634 &quot;dayOfWeekValue&quot;: &quot;A String&quot;, # day of week
2635 &quot;timestampValue&quot;: &quot;A String&quot;, # timestamp
2636 &quot;dateValue&quot;: { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date
2637 # and time zone are either specified elsewhere or are not significant. The date
2638 # is relative to the Proleptic Gregorian Calendar. This can represent:
2639 #
2640 # * A full date, with non-zero year, month and day values
2641 # * A month and day value, with a zero year, e.g. an anniversary
2642 # * A year on its own, with zero month and day values
2643 # * A year and month value, with a zero day, e.g. a credit card expiration date
2644 #
2645 # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
2646 &quot;year&quot;: 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
2647 # a year.
2648 &quot;month&quot;: 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
2649 # month and day.
2650 &quot;day&quot;: 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
2651 # if specifying a year by itself or a year and month where the day is not
2652 # significant.
2653 },
2654 &quot;stringValue&quot;: &quot;A String&quot;, # string
2655 &quot;integerValue&quot;: &quot;A String&quot;, # integer
2656 &quot;timeValue&quot;: { # Represents a time of day. The date and time zone are either not significant # time of day
2657 # or are specified elsewhere. An API may choose to allow leap seconds. Related
2658 # types are google.type.Date and `google.protobuf.Timestamp`.
2659 &quot;seconds&quot;: 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
2660 # allow the value 60 if it allows leap-seconds.
2661 &quot;nanos&quot;: 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
2662 &quot;hours&quot;: 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
2663 # to allow the value &quot;24:00:00&quot; for scenarios like business closing time.
2664 &quot;minutes&quot;: 42, # Minutes of hour of day. Must be from 0 to 59.
2665 },
2666 },
2667 &quot;max&quot;: { # Set of primitive values supported by the system. # Upper bound of the range, exclusive; type must match min.
2668 # Note that for the purposes of inspection or transformation, the number
2669 # of bytes considered to comprise a &#x27;Value&#x27; is based on its representation
2670 # as a UTF-8 encoded string. For example, if &#x27;integer_value&#x27; is set to
2671 # 123456789, the number of bytes would be counted as 9, even though an
2672 # int64 only holds up to 8 bytes of data.
2673 &quot;booleanValue&quot;: True or False, # boolean
2674 &quot;floatValue&quot;: 3.14, # float
2675 &quot;dayOfWeekValue&quot;: &quot;A String&quot;, # day of week
2676 &quot;timestampValue&quot;: &quot;A String&quot;, # timestamp
2677 &quot;dateValue&quot;: { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date
2678 # and time zone are either specified elsewhere or are not significant. The date
2679 # is relative to the Proleptic Gregorian Calendar. This can represent:
2680 #
2681 # * A full date, with non-zero year, month and day values
2682 # * A month and day value, with a zero year, e.g. an anniversary
2683 # * A year on its own, with zero month and day values
2684 # * A year and month value, with a zero day, e.g. a credit card expiration date
2685 #
2686 # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
2687 &quot;year&quot;: 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
2688 # a year.
2689 &quot;month&quot;: 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
2690 # month and day.
2691 &quot;day&quot;: 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
2692 # if specifying a year by itself or a year and month where the day is not
2693 # significant.
2694 },
2695 &quot;stringValue&quot;: &quot;A String&quot;, # string
2696 &quot;integerValue&quot;: &quot;A String&quot;, # integer
2697 &quot;timeValue&quot;: { # Represents a time of day. The date and time zone are either not significant # time of day
2698 # or are specified elsewhere. An API may choose to allow leap seconds. Related
2699 # types are google.type.Date and `google.protobuf.Timestamp`.
2700 &quot;seconds&quot;: 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
2701 # allow the value 60 if it allows leap-seconds.
2702 &quot;nanos&quot;: 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
2703 &quot;hours&quot;: 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
2704 # to allow the value &quot;24:00:00&quot; for scenarios like business closing time.
2705 &quot;minutes&quot;: 42, # Minutes of hour of day. Must be from 0 to 59.
2706 },
2707 },
2708 &quot;replacementValue&quot;: { # Set of primitive values supported by the system. # Replacement value for this bucket. If not provided
2709 # the default behavior will be to hyphenate the min-max range.
2710 # Note that for the purposes of inspection or transformation, the number
2711 # of bytes considered to comprise a &#x27;Value&#x27; is based on its representation
2712 # as a UTF-8 encoded string. For example, if &#x27;integer_value&#x27; is set to
2713 # 123456789, the number of bytes would be counted as 9, even though an
2714 # int64 only holds up to 8 bytes of data.
2715 &quot;booleanValue&quot;: True or False, # boolean
2716 &quot;floatValue&quot;: 3.14, # float
2717 &quot;dayOfWeekValue&quot;: &quot;A String&quot;, # day of week
2718 &quot;timestampValue&quot;: &quot;A String&quot;, # timestamp
2719 &quot;dateValue&quot;: { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date
2720 # and time zone are either specified elsewhere or are not significant. The date
2721 # is relative to the Proleptic Gregorian Calendar. This can represent:
2722 #
2723 # * A full date, with non-zero year, month and day values
2724 # * A month and day value, with a zero year, e.g. an anniversary
2725 # * A year on its own, with zero month and day values
2726 # * A year and month value, with a zero day, e.g. a credit card expiration date
2727 #
2728 # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
2729 &quot;year&quot;: 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
2730 # a year.
2731 &quot;month&quot;: 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
2732 # month and day.
2733 &quot;day&quot;: 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
2734 # if specifying a year by itself or a year and month where the day is not
2735 # significant.
2736 },
2737 &quot;stringValue&quot;: &quot;A String&quot;, # string
2738 &quot;integerValue&quot;: &quot;A String&quot;, # integer
2739 &quot;timeValue&quot;: { # Represents a time of day. The date and time zone are either not significant # time of day
2740 # or are specified elsewhere. An API may choose to allow leap seconds. Related
2741 # types are google.type.Date and `google.protobuf.Timestamp`.
2742 &quot;seconds&quot;: 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
2743 # allow the value 60 if it allows leap-seconds.
2744 &quot;nanos&quot;: 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
2745 &quot;hours&quot;: 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
2746 # to allow the value &quot;24:00:00&quot; for scenarios like business closing time.
2747 &quot;minutes&quot;: 42, # Minutes of hour of day. Must be from 0 to 59.
2748 },
2749 },
2750 },
2751 ],
2752 },
2753 &quot;replaceConfig&quot;: { # Replace each input value with a given `Value`. # Replace
2754 &quot;newValue&quot;: { # Set of primitive values supported by the system. # Value to replace it with.
2755 # Note that for the purposes of inspection or transformation, the number
2756 # of bytes considered to comprise a &#x27;Value&#x27; is based on its representation
2757 # as a UTF-8 encoded string. For example, if &#x27;integer_value&#x27; is set to
2758 # 123456789, the number of bytes would be counted as 9, even though an
2759 # int64 only holds up to 8 bytes of data.
2760 &quot;booleanValue&quot;: True or False, # boolean
2761 &quot;floatValue&quot;: 3.14, # float
2762 &quot;dayOfWeekValue&quot;: &quot;A String&quot;, # day of week
2763 &quot;timestampValue&quot;: &quot;A String&quot;, # timestamp
2764 &quot;dateValue&quot;: { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date
2765 # and time zone are either specified elsewhere or are not significant. The date
2766 # is relative to the Proleptic Gregorian Calendar. This can represent:
2767 #
2768 # * A full date, with non-zero year, month and day values
2769 # * A month and day value, with a zero year, e.g. an anniversary
2770 # * A year on its own, with zero month and day values
2771 # * A year and month value, with a zero day, e.g. a credit card expiration date
2772 #
2773 # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
2774 &quot;year&quot;: 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
2775 # a year.
2776 &quot;month&quot;: 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
2777 # month and day.
2778 &quot;day&quot;: 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
2779 # if specifying a year by itself or a year and month where the day is not
2780 # significant.
2781 },
2782 &quot;stringValue&quot;: &quot;A String&quot;, # string
2783 &quot;integerValue&quot;: &quot;A String&quot;, # integer
2784 &quot;timeValue&quot;: { # Represents a time of day. The date and time zone are either not significant # time of day
2785 # or are specified elsewhere. An API may choose to allow leap seconds. Related
2786 # types are google.type.Date and `google.protobuf.Timestamp`.
2787 &quot;seconds&quot;: 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
2788 # allow the value 60 if it allows leap-seconds.
2789 &quot;nanos&quot;: 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
2790 &quot;hours&quot;: 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
2791 # to allow the value &quot;24:00:00&quot; for scenarios like business closing time.
2792 &quot;minutes&quot;: 42, # Minutes of hour of day. Must be from 0 to 59.
2793 },
2794 },
2795 },
2796 &quot;characterMaskConfig&quot;: { # Partially mask a string by replacing a given number of characters with a # Mask
2797 # fixed character. Masking can start from the beginning or end of the string.
2798 # This can be used on data of any type (numbers, longs, and so on) and when
2799 # de-identifying structured data we&#x27;ll attempt to preserve the original data&#x27;s
2800 # type. (This allows you to take a long like 123 and modify it to a string like
2801 # **3.)
2802 &quot;reverseOrder&quot;: True or False, # Mask characters in reverse order. For example, if `masking_character` is
2803 # `0`, `number_to_mask` is `14`, and `reverse_order` is `false`, then the
2804 # input string `1234-5678-9012-3456` is masked as `00000000000000-3456`.
2805 # If `masking_character` is `*`, `number_to_mask` is `3`, and `reverse_order`
2806 # is `true`, then the string `12345` is masked as `12***`.
2807 &quot;charactersToIgnore&quot;: [ # When masking a string, items in this list will be skipped when replacing
2808 # characters. For example, if the input string is `555-555-5555` and you
2809 # instruct Cloud DLP to skip `-` and mask 5 characters with `*`, Cloud DLP
2810 # returns `***-**5-5555`.
2811 { # Characters to skip when doing deidentification of a value. These will be left
2812 # alone and skipped.
2813 &quot;charactersToSkip&quot;: &quot;A String&quot;, # Characters to not transform when masking.
2814 &quot;commonCharactersToIgnore&quot;: &quot;A String&quot;, # Common characters to not transform when masking. Useful to avoid removing
2815 # punctuation.
2816 },
2817 ],
2818 &quot;numberToMask&quot;: 42, # Number of characters to mask. If not set, all matching chars will be
2819 # masked. Skipped characters do not count towards this tally.
2820 &quot;maskingCharacter&quot;: &quot;A String&quot;, # Character to use to mask the sensitive values—for example, `*` for an
2821 # alphabetic string such as a name, or `0` for a numeric string such as ZIP
2822 # code or credit card number. This string must have a length of 1. If not
2823 # supplied, this value defaults to `*` for strings, and `0` for digits.
2824 },
2825 &quot;fixedSizeBucketingConfig&quot;: { # Buckets values based on fixed size ranges. The # Fixed size bucketing
2826 # Bucketing transformation can provide all of this functionality,
2827 # but requires more configuration. This message is provided as a convenience to
2828 # the user for simple bucketing strategies.
2829 #
2830 # The transformed value will be a hyphenated string of
2831 # {lower_bound}-{upper_bound}; for example, if lower_bound = 10 and upper_bound = 20,
2832 # all values that are within this bucket will be replaced with &quot;10-20&quot;.
2833 #
2834 # This can be used on data of type: double, long.
2835 #
2836 # If the bound Value type differs from the type of data
2837 # being transformed, we will first attempt converting the type of the data to
2838 # be transformed to match the type of the bound before comparing.
2839 #
2840 # See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more.
2841 &quot;lowerBound&quot;: { # Set of primitive values supported by the system. # Required. Lower bound value of buckets. All values less than `lower_bound` are
2842 # grouped together into a single bucket; for example if `lower_bound` = 10,
2843 # then all values less than 10 are replaced with the value &quot;-10&quot;.
2844 # Note that for the purposes of inspection or transformation, the number
2845 # of bytes considered to comprise a &#x27;Value&#x27; is based on its representation
2846 # as a UTF-8 encoded string. For example, if &#x27;integer_value&#x27; is set to
2847 # 123456789, the number of bytes would be counted as 9, even though an
2848 # int64 only holds up to 8 bytes of data.
2849 &quot;booleanValue&quot;: True or False, # boolean
2850 &quot;floatValue&quot;: 3.14, # float
2851 &quot;dayOfWeekValue&quot;: &quot;A String&quot;, # day of week
2852 &quot;timestampValue&quot;: &quot;A String&quot;, # timestamp
2853 &quot;dateValue&quot;: { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date
2854 # and time zone are either specified elsewhere or are not significant. The date
2855 # is relative to the Proleptic Gregorian Calendar. This can represent:
2856 #
2857 # * A full date, with non-zero year, month and day values
2858 # * A month and day value, with a zero year, e.g. an anniversary
2859 # * A year on its own, with zero month and day values
2860 # * A year and month value, with a zero day, e.g. a credit card expiration date
2861 #
2862 # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
2863 &quot;year&quot;: 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
2864 # a year.
2865 &quot;month&quot;: 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
2866 # month and day.
2867 &quot;day&quot;: 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
2868 # if specifying a year by itself or a year and month where the day is not
2869 # significant.
2870 },
2871 &quot;stringValue&quot;: &quot;A String&quot;, # string
2872 &quot;integerValue&quot;: &quot;A String&quot;, # integer
2873 &quot;timeValue&quot;: { # Represents a time of day. The date and time zone are either not significant # time of day
2874 # or are specified elsewhere. An API may choose to allow leap seconds. Related
2875 # types are google.type.Date and `google.protobuf.Timestamp`.
2876 &quot;seconds&quot;: 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
2877 # allow the value 60 if it allows leap-seconds.
2878 &quot;nanos&quot;: 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
2879 &quot;hours&quot;: 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
2880 # to allow the value &quot;24:00:00&quot; for scenarios like business closing time.
2881 &quot;minutes&quot;: 42, # Minutes of hour of day. Must be from 0 to 59.
2882 },
2883 },
2884 &quot;upperBound&quot;: { # Set of primitive values supported by the system. # Required. Upper bound value of buckets. All values greater than upper_bound are
2885 # grouped together into a single bucket; for example if `upper_bound` = 89,
2886 # then all values greater than 89 are replaced with the value &quot;89+&quot;.
2887 # Note that for the purposes of inspection or transformation, the number
2888 # of bytes considered to comprise a &#x27;Value&#x27; is based on its representation
2889 # as a UTF-8 encoded string. For example, if &#x27;integer_value&#x27; is set to
2890 # 123456789, the number of bytes would be counted as 9, even though an
2891 # int64 only holds up to 8 bytes of data.
2892 &quot;booleanValue&quot;: True or False, # boolean
2893 &quot;floatValue&quot;: 3.14, # float
2894 &quot;dayOfWeekValue&quot;: &quot;A String&quot;, # day of week
2895 &quot;timestampValue&quot;: &quot;A String&quot;, # timestamp
2896 &quot;dateValue&quot;: { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date
2897 # and time zone are either specified elsewhere or are not significant. The date
2898 # is relative to the Proleptic Gregorian Calendar. This can represent:
2899 #
2900 # * A full date, with non-zero year, month and day values
2901 # * A month and day value, with a zero year, e.g. an anniversary
2902 # * A year on its own, with zero month and day values
2903 # * A year and month value, with a zero day, e.g. a credit card expiration date
2904 #
2905 # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
2906 &quot;year&quot;: 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
2907 # a year.
2908 &quot;month&quot;: 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
2909 # month and day.
2910 &quot;day&quot;: 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
2911 # if specifying a year by itself or a year and month where the day is not
2912 # significant.
2913 },
2914 &quot;stringValue&quot;: &quot;A String&quot;, # string
2915 &quot;integerValue&quot;: &quot;A String&quot;, # integer
2916 &quot;timeValue&quot;: { # Represents a time of day. The date and time zone are either not significant # time of day
2917 # or are specified elsewhere. An API may choose to allow leap seconds. Related
2918 # types are google.type.Date and `google.protobuf.Timestamp`.
2919 &quot;seconds&quot;: 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
2920 # allow the value 60 if it allows leap-seconds.
2921 &quot;nanos&quot;: 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
2922 &quot;hours&quot;: 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
2923 # to allow the value &quot;24:00:00&quot; for scenarios like business closing time.
2924 &quot;minutes&quot;: 42, # Minutes of hour of day. Must be from 0 to 59.
2925 },
2926 },
2927 &quot;bucketSize&quot;: 3.14, # Required. Size of each bucket (except for minimum and maximum buckets). So if
2928 # `lower_bound` = 10, `upper_bound` = 89, and `bucket_size` = 10, then the
2929 # following buckets would be used: -10, 10-20, 20-30, 30-40, 40-50, 50-60,
2930 # 60-70, 70-80, 80-89, 89+. Precision up to 2 decimals works.
2931 },
2932 },
2933 },
2934 ],
2935 },
2936 &quot;primitiveTransformation&quot;: { # A rule for transforming a value. # Apply the transformation to the entire field.
2937 &quot;timePartConfig&quot;: { # For use with `Date`, `Timestamp`, and `TimeOfDay`, extract or preserve a # Time extraction
2938 # portion of the value.
2939 &quot;partToExtract&quot;: &quot;A String&quot;, # The part of the time to keep.
2940 },
2941 &quot;dateShiftConfig&quot;: { # Shifts dates by a random number of days, with the option to be consistent for the # Date Shift
2942 # same context. See https://cloud.google.com/dlp/docs/concepts-date-shifting
2943 # to learn more.
2944 &quot;context&quot;: { # General identifier of a data field in a storage service. # Points to the field that contains the context, for example, an entity id.
2945 # If set, must also set cryptoKey. If set, shift will be consistent for the
2946 # given context.
2947 &quot;name&quot;: &quot;A String&quot;, # Name describing the field.
2948 },
2949 &quot;upperBoundDays&quot;: 42, # Required. Range of shift in days. Actual shift will be selected at random within this
2950 # range (inclusive ends). Negative means shift to earlier in time. Must not
2951 # be more than 365250 days (1000 years) each direction.
2952 #
2953 # For example, 3 means shift date to at most 3 days into the future.
2954 &quot;lowerBoundDays&quot;: 42, # Required. For example, -5 means shift date to at most 5 days back in the past.
2955 &quot;cryptoKey&quot;: { # Causes the shift to be computed based on this key and the context. This
2956 # results in the same shift for the same context and crypto_key. If
2957 # set, must also set context. Can only be applied to table items.
2958 # This is a data encryption key (DEK) (as opposed to a key encryption key (KEK) stored by KMS).
2959 # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
2960 # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
2961 # unwrap the data crypto key.
2962 &quot;kmsWrapped&quot;: { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key
2963 # The wrapped key must be a 128/192/256 bit key.
2964 # Authorization requires the following IAM permissions when sending a request
2965 # to perform a crypto transformation using a kms-wrapped crypto key:
2966 # dlp.kms.encrypt
2967 &quot;wrappedKey&quot;: &quot;A String&quot;, # Required. The wrapped data crypto key.
2968 &quot;cryptoKeyName&quot;: &quot;A String&quot;, # Required. The resource name of the KMS CryptoKey to use for unwrapping.
2969 },
2970 &quot;unwrapped&quot;: { # Using raw keys is a security risk because the key is easy to leak accidentally: # Unwrapped crypto key
2971 # the key material appears in clear text in the request and in any stored template. Choose another type of key if possible.
2972 &quot;key&quot;: &quot;A String&quot;, # Required. A 128/192/256 bit key.
2973 },
2974 &quot;transient&quot;: { # Use this to have a random data crypto key generated. # Transient crypto key
2975 # It will be discarded after the request finishes.
2976 &quot;name&quot;: &quot;A String&quot;, # Required. Name of the key.
2977 # This is an arbitrary string used to differentiate different keys.
2978 # A unique key is generated per name: two separate `TransientCryptoKey`
2979 # protos share the same generated key if their names are the same.
2980 # When the data crypto key is generated, this name is not used in any way
2981 # (repeating the api call will result in a different key being generated).
2982 },
2983 },
2984 },
2985 &quot;replaceWithInfoTypeConfig&quot;: { # Replace each matching finding with the name of the info_type. # Replace with infotype
2986 },
2987 &quot;cryptoHashConfig&quot;: { # Pseudonymization method that generates surrogates via cryptographic hashing. # Crypto
2988 # Uses SHA-256.
2989 # The key size must be either 32 or 64 bytes.
2990 # Outputs a base64 encoded representation of the hashed output
2991 # (for example, L7k0BHmF1ha5U3NfGykjro4xWi1MPVQPjhMAZbSV9mM=).
2992 # Currently, only string and integer values can be hashed.
2993 # See https://cloud.google.com/dlp/docs/pseudonymization to learn more.
2994 &quot;cryptoKey&quot;: { # This is a data encryption key (DEK) (as opposed to # The key used by the hash function.
2995 # a key encryption key (KEK) stored by KMS).
2996 # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
2997 # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
2998 # unwrap the data crypto key.
2999 &quot;kmsWrapped&quot;: { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key
3000 # The wrapped key must be a 128/192/256 bit key.
3001 # Authorization requires the following IAM permissions when sending a request
3002 # to perform a crypto transformation using a kms-wrapped crypto key:
3003 # dlp.kms.encrypt
3004 &quot;wrappedKey&quot;: &quot;A String&quot;, # Required. The wrapped data crypto key.
3005 &quot;cryptoKeyName&quot;: &quot;A String&quot;, # Required. The resource name of the KMS CryptoKey to use for unwrapping.
3006 },
3007 &quot;unwrapped&quot;: { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key
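3008 # leaking the key. Choose another type of key if possible. A raw key set here is saved with the template, so treat read access to the template as access to the key.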
3009 &quot;key&quot;: &quot;A String&quot;, # Required. A 128/192/256 bit key.
3010 },
3011 &quot;transient&quot;: { # Use this to have a random data crypto key generated. # Transient crypto key
3012 # It will be discarded after the request finishes.
3013 &quot;name&quot;: &quot;A String&quot;, # Required. Name of the key.
3014 # This is an arbitrary string used to differentiate different keys.
3015 # A unique key is generated per name: two separate `TransientCryptoKey`
3016 # protos share the same generated key if their names are the same.
3017 # The name is only a label and is not an input to key generation: repeating the
3018 # API call generates a different key, so results are not consistent across requests.
3019 },
3020 },
3021 },
3022 &quot;cryptoReplaceFfxFpeConfig&quot;: { # Replaces an identifier with a surrogate using Format Preserving Encryption # Ffx-Fpe
3023 # (FPE) with the FFX mode of operation; however when used in the
3024 # `ReidentifyContent` API method, it serves the opposite function by reversing
3025 # the surrogate back into the original identifier. The identifier must be
3026 # encoded as ASCII. For a given crypto key and context, the same identifier
3027 # will be replaced with the same surrogate. Identifiers must be at least two
3028 # characters long. In the case that the identifier is the empty string, it will
3029 # be skipped. See https://cloud.google.com/dlp/docs/pseudonymization to learn
3030 # more.
3031 #
3032 # Note: We recommend using CryptoDeterministicConfig for all use cases that
3033 # need referential integrity but do not require preserving the input
3034 # alphabet space and size.
3035 &quot;customAlphabet&quot;: &quot;A String&quot;, # A custom alphabet is supported by mapping its characters to the alphanumeric characters
3036 # that the FFX mode natively supports. This happens before/after
3037 # encryption/decryption.
3038 # Each character listed must appear only once.
3039 # Number of characters must be in the range [2, 95].
3040 # This must be encoded as ASCII.
3041 # The order of characters does not matter.
3042 &quot;commonAlphabet&quot;: &quot;A String&quot;, # Common alphabets.
3043 &quot;surrogateInfoType&quot;: { # Type of information detected by the API. # The custom infoType to annotate the surrogate with.
3044 # This annotation will be applied to the surrogate by prefixing it with
3045 # the name of the custom infoType followed by the number of
3046 # characters comprising the surrogate. The following scheme defines the
3047 # format: info_type_name(surrogate_character_count):surrogate
3048 #
3049 # For example, if the name of custom infoType is &#x27;MY_TOKEN_INFO_TYPE&#x27; and
3050 # the surrogate is &#x27;abc&#x27;, the full replacement value
3051 # will be: &#x27;MY_TOKEN_INFO_TYPE(3):abc&#x27;
3052 #
3053 # This annotation identifies the surrogate when inspecting content using the
3054 # custom infoType
3055 # [`SurrogateType`](/dlp/docs/reference/rest/v2/InspectConfig#surrogatetype).
3056 # This facilitates reversal of the surrogate when it occurs in free text.
3057 #
3058 # In order for inspection to work properly, the name of this infoType must
3059 # not occur naturally anywhere in your data; otherwise, inspection may
3060 # find a surrogate that does not correspond to an actual identifier.
3061 # Therefore, choose your custom infoType name carefully after considering
3062 # what your data looks like. One way to select a name that has a high chance
3063 # of yielding reliable detection is to include one or more unicode characters
3064 # that are highly improbable to exist in your data.
3065 # For example, assuming your data is entered from a regular ASCII keyboard,
3066 # the symbol with the hex code point 29DD might be used like so:
3067 # ⧝MY_TOKEN_TYPE
3068 &quot;name&quot;: &quot;A String&quot;, # Name of the information type. Either a name of your choosing when
3069 # creating a CustomInfoType, or one of the names listed
3070 # at https://cloud.google.com/dlp/docs/infotypes-reference when specifying
3071 # a built-in type. InfoType names should conform to the pattern
3072 # `[a-zA-Z0-9_]{1,64}`.
3073 },
3074 &quot;context&quot;: { # General identifier of a data field in a storage service. # The &#x27;tweak&#x27;. A context may be used for higher security since the same
3075 # identifier in two different contexts won&#x27;t be given the same surrogate. If
3076 # the context is not set, a default tweak will be used.
3077 #
3078 # If the context is set but:
3079 #
3080 # 1. there is no record present when transforming a given value or
3081 # 2. the field is not present when transforming a given value,
3082 #
3083 # a default tweak will be used.
3084 #
3085 # Note that case (1) is expected when an `InfoTypeTransformation` is
3086 # applied to both structured and non-structured `ContentItem`s.
3087 # Currently, the referenced field may be of value type integer or string.
3088 #
3089 # The tweak is constructed as a sequence of bytes in big endian byte order
3090 # such that:
3091 #
3092 # - a 64 bit integer is encoded followed by a single byte of value 1
3093 # - a string is encoded in UTF-8 format followed by a single byte of value 2
3094 &quot;name&quot;: &quot;A String&quot;, # Name describing the field.
3095 },
3096 &quot;radix&quot;: 42, # The native way to select the alphabet. Must be in the range [2, 95].
3097 &quot;cryptoKey&quot;: { # This is a data encryption key (DEK) (as opposed to # Required. The key used by the encryption algorithm.
3098 # a key encryption key (KEK) stored by KMS).
3099 # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
3100 # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
3101 # unwrap the data crypto key.
3102 &quot;kmsWrapped&quot;: { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key
3103 # The wrapped key must be a 128/192/256 bit key.
3104 # Authorization requires the following IAM permissions when sending a request
3105 # to perform a crypto transformation using a kms-wrapped crypto key:
3106 # dlp.kms.encrypt
3107 &quot;wrappedKey&quot;: &quot;A String&quot;, # Required. The wrapped data crypto key.
3108 &quot;cryptoKeyName&quot;: &quot;A String&quot;, # Required. The resource name of the KMS CryptoKey to use for unwrapping.
3109 },
3110 &quot;unwrapped&quot;: { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key
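3111 # leaking the key. Choose another type of key if possible. A raw key set here is saved with the template, so treat read access to the template as access to the key.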
3112 &quot;key&quot;: &quot;A String&quot;, # Required. A 128/192/256 bit key.
3113 },
3114 &quot;transient&quot;: { # Use this to have a random data crypto key generated. # Transient crypto key
3115 # It will be discarded after the request finishes.
3116 &quot;name&quot;: &quot;A String&quot;, # Required. Name of the key.
3117 # This is an arbitrary string used to differentiate different keys.
3118 # A unique key is generated per name: two separate `TransientCryptoKey`
3119 # protos share the same generated key if their names are the same.
3120 # The name is only a label and is not an input to key generation: repeating the
3121 # API call generates a different key, so results are not consistent across requests.
3122 },
3123 },
3124 },
3125 &quot;cryptoDeterministicConfig&quot;: { # Pseudonymization method that generates deterministic encryption for the given # Deterministic Crypto
3126 # input. Outputs a base64 encoded representation of the encrypted output.
3127 # Uses AES-SIV based on the RFC https://tools.ietf.org/html/rfc5297.
3128 &quot;surrogateInfoType&quot;: { # Type of information detected by the API. # The custom info type to annotate the surrogate with.
3129 # This annotation will be applied to the surrogate by prefixing it with
3130 # the name of the custom info type followed by the number of
3131 # characters comprising the surrogate. The following scheme defines the
3132 # format: {info type name}({surrogate character count}):{surrogate}
3133 #
3134 # For example, if the name of custom info type is &#x27;MY_TOKEN_INFO_TYPE&#x27; and
3135 # the surrogate is &#x27;abc&#x27;, the full replacement value
3136 # will be: &#x27;MY_TOKEN_INFO_TYPE(3):abc&#x27;
3137 #
3138 # This annotation identifies the surrogate when inspecting content using the
3139 # custom info type &#x27;Surrogate&#x27;. This facilitates reversal of the
3140 # surrogate when it occurs in free text.
3141 #
3142 # Note: For record transformations where the entire cell in a table is being
3143 # transformed, surrogates are not mandatory. Surrogates are used to denote
3144 # the location of the token and are necessary for re-identification in free
3145 # form text.
3146 #
3147 # In order for inspection to work properly, the name of this info type must
3148 # not occur naturally anywhere in your data; otherwise, inspection may either
3149 #
3150 # - reverse a surrogate that does not correspond to an actual identifier
3151 # - be unable to parse the surrogate and result in an error
3152 #
3153 # Therefore, choose your custom info type name carefully after considering
3154 # what your data looks like. One way to select a name that has a high chance
3155 # of yielding reliable detection is to include one or more unicode characters
3156 # that are highly improbable to exist in your data.
3157 # For example, assuming your data is entered from a regular ASCII keyboard,
3158 # the symbol with the hex code point 29DD might be used like so:
3159 # ⧝MY_TOKEN_TYPE.
3160 &quot;name&quot;: &quot;A String&quot;, # Name of the information type. Either a name of your choosing when
3161 # creating a CustomInfoType, or one of the names listed
3162 # at https://cloud.google.com/dlp/docs/infotypes-reference when specifying
3163 # a built-in type. InfoType names should conform to the pattern
3164 # `[a-zA-Z0-9_]{1,64}`.
3165 },
3166 &quot;context&quot;: { # General identifier of a data field in a storage service. # A context may be used for higher security and maintaining
3167 # referential integrity such that the same identifier in two different
3168 # contexts will be given a distinct surrogate. The context is appended to
3169 # the plaintext value being encrypted. On decryption the provided context is
3170 # validated against the value used during encryption. If a context was
3171 # provided during encryption, the same context must be provided during decryption
3172 # as well.
3173 #
3174 # If the context is not set, plaintext would be used as is for encryption.
3175 # If the context is set but:
3176 #
3177 # 1. there is no record present when transforming a given value or
3178 # 2. the field is not present when transforming a given value,
3179 #
3180 # plaintext would be used as is for encryption.
3181 #
3182 # Note that case (1) is expected when an `InfoTypeTransformation` is
3183 # applied to both structured and non-structured `ContentItem`s.
3184 &quot;name&quot;: &quot;A String&quot;, # Name describing the field.
3185 },
3186 &quot;cryptoKey&quot;: { # This is a data encryption key (DEK) (as opposed to # The key used by the encryption function.
3187 # a key encryption key (KEK) stored by KMS).
3188 # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
3189 # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
3190 # unwrap the data crypto key.
3191 &quot;kmsWrapped&quot;: { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key
3192 # The wrapped key must be a 128/192/256 bit key.
3193 # Authorization requires the following IAM permissions when sending a request
3194 # to perform a crypto transformation using a kms-wrapped crypto key:
3195 # dlp.kms.encrypt
3196 &quot;wrappedKey&quot;: &quot;A String&quot;, # Required. The wrapped data crypto key.
3197 &quot;cryptoKeyName&quot;: &quot;A String&quot;, # Required. The resource name of the KMS CryptoKey to use for unwrapping.
3198 },
3199 &quot;unwrapped&quot;: { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key
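3200 # leaking the key. Choose another type of key if possible. A raw key set here is saved with the template, so treat read access to the template as access to the key.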
3201 &quot;key&quot;: &quot;A String&quot;, # Required. A 128/192/256 bit key.
3202 },
3203 &quot;transient&quot;: { # Use this to have a random data crypto key generated. # Transient crypto key
3204 # It will be discarded after the request finishes.
3205 &quot;name&quot;: &quot;A String&quot;, # Required. Name of the key.
3206 # This is an arbitrary string used to differentiate different keys.
3207 # A unique key is generated per name: two separate `TransientCryptoKey`
3208 # protos share the same generated key if their names are the same.
3209 # The name is only a label and is not an input to key generation: repeating the
3210 # API call generates a different key, so results are not consistent across requests.
3211 },
3212 },
3213 },
3214 &quot;redactConfig&quot;: { # Redact a given value. For example, if used with an `InfoTypeTransformation` # Redact
3215 # transforming PHONE_NUMBER, and input &#x27;My phone number is 206-555-0123&#x27;, the
3216 # output would be &#x27;My phone number is &#x27;.
3217 },
3218 &quot;bucketingConfig&quot;: { # Generalization function that buckets values based on ranges. The ranges and # Bucketing
3219 # replacement values are dynamically provided by the user for custom behavior,
3220 # such as 1-30 -&gt; LOW, 31-65 -&gt; MEDIUM, 66-100 -&gt; HIGH.
3221 # This can be used on
3222 # data of type: number, long, string, timestamp.
3223 # If the bound `Value` type differs from the type of data being transformed, we
3224 # will first attempt converting the type of the data to be transformed to match
3225 # the type of the bound before comparing.
3226 # See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more.
3227 &quot;buckets&quot;: [ # Set of buckets. Ranges must be non-overlapping.
3228 { # Bucket is represented as a range, along with replacement values.
3229 &quot;min&quot;: { # Set of primitive values supported by the system. # Lower bound of the range, inclusive. Type should be the same as max if
3230 # used.
3231 # Note that for the purposes of inspection or transformation, the number
3232 # of bytes considered to comprise a &#x27;Value&#x27; is based on its representation
3233 # as a UTF-8 encoded string. For example, if &#x27;integer_value&#x27; is set to
3234 # 123456789, the number of bytes would be counted as 9, even though an
3235 # int64 only holds up to 8 bytes of data.
3236 &quot;booleanValue&quot;: True or False, # boolean
3237 &quot;floatValue&quot;: 3.14, # float
3238 &quot;dayOfWeekValue&quot;: &quot;A String&quot;, # day of week
3239 &quot;timestampValue&quot;: &quot;A String&quot;, # timestamp
3240 &quot;dateValue&quot;: { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date
3241 # and time zone are either specified elsewhere or are not significant. The date
3242 # is relative to the Proleptic Gregorian Calendar. This can represent:
3243 #
3244 # * A full date, with non-zero year, month and day values
3245 # * A month and day value, with a zero year, e.g. an anniversary
3246 # * A year on its own, with zero month and day values
3247 # * A year and month value, with a zero day, e.g. a credit card expiration date
3248 #
3249 # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
3250 &quot;year&quot;: 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
3251 # a year.
3252 &quot;month&quot;: 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
3253 # month and day.
3254 &quot;day&quot;: 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
3255 # if specifying a year by itself or a year and month where the day is not
3256 # significant.
3257 },
3258 &quot;stringValue&quot;: &quot;A String&quot;, # string
3259 &quot;integerValue&quot;: &quot;A String&quot;, # integer
3260 &quot;timeValue&quot;: { # Represents a time of day. The date and time zone are either not significant # time of day
3261 # or are specified elsewhere. An API may choose to allow leap seconds. Related
3262 # types are google.type.Date and `google.protobuf.Timestamp`.
3263 &quot;seconds&quot;: 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
3264 # allow the value 60 if it allows leap-seconds.
3265 &quot;nanos&quot;: 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
3266 &quot;hours&quot;: 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
3267 # to allow the value &quot;24:00:00&quot; for scenarios like business closing time.
3268 &quot;minutes&quot;: 42, # Minutes of hour of day. Must be from 0 to 59.
3269 },
3270 },
3271 &quot;max&quot;: { # Set of primitive values supported by the system. # Upper bound of the range, exclusive; type must match min.
3272 # Note that for the purposes of inspection or transformation, the number
3273 # of bytes considered to comprise a &#x27;Value&#x27; is based on its representation
3274 # as a UTF-8 encoded string. For example, if &#x27;integer_value&#x27; is set to
3275 # 123456789, the number of bytes would be counted as 9, even though an
3276 # int64 only holds up to 8 bytes of data.
3277 &quot;booleanValue&quot;: True or False, # boolean
3278 &quot;floatValue&quot;: 3.14, # float
3279 &quot;dayOfWeekValue&quot;: &quot;A String&quot;, # day of week
3280 &quot;timestampValue&quot;: &quot;A String&quot;, # timestamp
3281 &quot;dateValue&quot;: { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date
3282 # and time zone are either specified elsewhere or are not significant. The date
3283 # is relative to the Proleptic Gregorian Calendar. This can represent:
3284 #
3285 # * A full date, with non-zero year, month and day values
3286 # * A month and day value, with a zero year, e.g. an anniversary
3287 # * A year on its own, with zero month and day values
3288 # * A year and month value, with a zero day, e.g. a credit card expiration date
3289 #
3290 # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
3291 &quot;year&quot;: 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
3292 # a year.
3293 &quot;month&quot;: 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
3294 # month and day.
3295 &quot;day&quot;: 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
3296 # if specifying a year by itself or a year and month where the day is not
3297 # significant.
3298 },
3299 &quot;stringValue&quot;: &quot;A String&quot;, # string
3300 &quot;integerValue&quot;: &quot;A String&quot;, # integer
3301 &quot;timeValue&quot;: { # Represents a time of day. The date and time zone are either not significant # time of day
3302 # or are specified elsewhere. An API may choose to allow leap seconds. Related
3303 # types are google.type.Date and `google.protobuf.Timestamp`.
3304 &quot;seconds&quot;: 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
3305 # allow the value 60 if it allows leap-seconds.
3306 &quot;nanos&quot;: 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
3307 &quot;hours&quot;: 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
3308 # to allow the value &quot;24:00:00&quot; for scenarios like business closing time.
3309 &quot;minutes&quot;: 42, # Minutes of hour of day. Must be from 0 to 59.
3310 },
3311 },
3312 &quot;replacementValue&quot;: { # Set of primitive values supported by the system. # Replacement value for this bucket. If not provided
3313 # the default behavior will be to hyphenate the min-max range.
3314 # Note that for the purposes of inspection or transformation, the number
3315 # of bytes considered to comprise a &#x27;Value&#x27; is based on its representation
3316 # as a UTF-8 encoded string. For example, if &#x27;integer_value&#x27; is set to
3317 # 123456789, the number of bytes would be counted as 9, even though an
3318 # int64 only holds up to 8 bytes of data.
3319 &quot;booleanValue&quot;: True or False, # boolean
3320 &quot;floatValue&quot;: 3.14, # float
3321 &quot;dayOfWeekValue&quot;: &quot;A String&quot;, # day of week
3322 &quot;timestampValue&quot;: &quot;A String&quot;, # timestamp
3323 &quot;dateValue&quot;: { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date
3324 # and time zone are either specified elsewhere or are not significant. The date
3325 # is relative to the Proleptic Gregorian Calendar. This can represent:
3326 #
3327 # * A full date, with non-zero year, month and day values
3328 # * A month and day value, with a zero year, e.g. an anniversary
3329 # * A year on its own, with zero month and day values
3330 # * A year and month value, with a zero day, e.g. a credit card expiration date
3331 #
3332 # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
3333 &quot;year&quot;: 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
3334 # a year.
3335 &quot;month&quot;: 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
3336 # month and day.
3337 &quot;day&quot;: 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
3338 # if specifying a year by itself or a year and month where the day is not
3339 # significant.
3340 },
3341 &quot;stringValue&quot;: &quot;A String&quot;, # string
3342 &quot;integerValue&quot;: &quot;A String&quot;, # integer
3343 &quot;timeValue&quot;: { # Represents a time of day. The date and time zone are either not significant # time of day
3344 # or are specified elsewhere. An API may choose to allow leap seconds. Related
3345 # types are google.type.Date and `google.protobuf.Timestamp`.
3346 &quot;seconds&quot;: 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
3347 # allow the value 60 if it allows leap-seconds.
3348 &quot;nanos&quot;: 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
3349 &quot;hours&quot;: 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
3350 # to allow the value &quot;24:00:00&quot; for scenarios like business closing time.
3351 &quot;minutes&quot;: 42, # Minutes of hour of day. Must be from 0 to 59.
3352 },
3353 },
3354 },
3355 ],
3356 },
3357 &quot;replaceConfig&quot;: { # Replace each input value with a given `Value`. # Replace
3358 &quot;newValue&quot;: { # Set of primitive values supported by the system. # Value to replace it with.
3359 # Note that for the purposes of inspection or transformation, the number
3360 # of bytes considered to comprise a &#x27;Value&#x27; is based on its representation
3361 # as a UTF-8 encoded string. For example, if &#x27;integer_value&#x27; is set to
3362 # 123456789, the number of bytes would be counted as 9, even though an
3363 # int64 only holds up to 8 bytes of data.
3364 &quot;booleanValue&quot;: True or False, # boolean
3365 &quot;floatValue&quot;: 3.14, # float
3366 &quot;dayOfWeekValue&quot;: &quot;A String&quot;, # day of week
3367 &quot;timestampValue&quot;: &quot;A String&quot;, # timestamp
3368 &quot;dateValue&quot;: { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date
3369 # and time zone are either specified elsewhere or are not significant. The date
3370 # is relative to the Proleptic Gregorian Calendar. This can represent:
3371 #
3372 # * A full date, with non-zero year, month and day values
3373 # * A month and day value, with a zero year, e.g. an anniversary
3374 # * A year on its own, with zero month and day values
3375 # * A year and month value, with a zero day, e.g. a credit card expiration date
3376 #
3377 # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
3378 &quot;year&quot;: 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
3379 # a year.
3380 &quot;month&quot;: 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
3381 # month and day.
3382 &quot;day&quot;: 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
3383 # if specifying a year by itself or a year and month where the day is not
3384 # significant.
3385 },
3386 &quot;stringValue&quot;: &quot;A String&quot;, # string
3387 &quot;integerValue&quot;: &quot;A String&quot;, # integer
3388 &quot;timeValue&quot;: { # Represents a time of day. The date and time zone are either not significant # time of day
3389 # or are specified elsewhere. An API may choose to allow leap seconds. Related
3390 # types are google.type.Date and `google.protobuf.Timestamp`.
3391 &quot;seconds&quot;: 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
3392 # allow the value 60 if it allows leap-seconds.
3393 &quot;nanos&quot;: 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
3394 &quot;hours&quot;: 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
3395 # to allow the value &quot;24:00:00&quot; for scenarios like business closing time.
3396 &quot;minutes&quot;: 42, # Minutes of hour of day. Must be from 0 to 59.
3397 },
3398 },
3399 },
3400 &quot;characterMaskConfig&quot;: { # Partially mask a string by replacing a given number of characters with a # Mask
3401 # fixed character. Masking can start from the beginning or end of the string.
3402 # This can be used on data of any type (numbers, longs, and so on) and when
3403 # de-identifying structured data we&#x27;ll attempt to preserve the original data&#x27;s
3404 # type. (This allows you to take a long like 123 and modify it to a string like
3405 # **3.)
3406 &quot;reverseOrder&quot;: True or False, # Mask characters in reverse order. For example, if `masking_character` is
3407 # `0`, `number_to_mask` is `14`, and `reverse_order` is `false`, then the
3408 # input string `1234-5678-9012-3456` is masked as `00000000000000-3456`.
3409 # If `masking_character` is `*`, `number_to_mask` is `3`, and `reverse_order`
3410 # is `true`, then the string `12345` is masked as `12***`.
3411 &quot;charactersToIgnore&quot;: [ # When masking a string, items in this list will be skipped when replacing
3412 # characters. For example, if the input string is `555-555-5555` and you
3413 # instruct Cloud DLP to skip `-` and mask 5 characters with `*`, Cloud DLP
3414 # returns `***-**5-5555`.
3415 { # Characters to skip when doing deidentification of a value. These will be left
3416 # alone and skipped.
3417 &quot;charactersToSkip&quot;: &quot;A String&quot;, # Characters to not transform when masking.
3418 &quot;commonCharactersToIgnore&quot;: &quot;A String&quot;, # Common characters to not transform when masking. Useful to avoid removing
3419 # punctuation.
3420 },
3421 ],
3422 &quot;numberToMask&quot;: 42, # Number of characters to mask. If not set, all matching chars will be
3423 # masked. Skipped characters do not count towards this tally.
3424 &quot;maskingCharacter&quot;: &quot;A String&quot;, # Character to use to mask the sensitive values—for example, `*` for an
3425 # alphabetic string such as a name, or `0` for a numeric string such as ZIP
3426 # code or credit card number. This string must have a length of 1. If not
3427 # supplied, this value defaults to `*` for strings, and `0` for digits.
3428 },
3429 &quot;fixedSizeBucketingConfig&quot;: { # Buckets values based on fixed size ranges. The # Fixed size bucketing
3430 # Bucketing transformation can provide all of this functionality,
3431 # but requires more configuration. This message is provided as a convenience to
3432 # the user for simple bucketing strategies.
3433 #
3434 # The transformed value will be a hyphenated string of
3435 # {lower_bound}-{upper_bound}, i.e if lower_bound = 10 and upper_bound = 20
3436 # all values that are within this bucket will be replaced with &quot;10-20&quot;.
3437 #
3438 # This can be used on data of type: double, long.
3439 #
3440 # If the bound Value type differs from the type of data
3441 # being transformed, we will first attempt converting the type of the data to
3442 # be transformed to match the type of the bound before comparing.
3443 #
3444 # See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more.
3445 &quot;lowerBound&quot;: { # Set of primitive values supported by the system. # Required. Lower bound value of buckets. All values less than `lower_bound` are
3446 # grouped together into a single bucket; for example if `lower_bound` = 10,
3447 # then all values less than 10 are replaced with the value &quot;-10&quot;.
3448 # Note that for the purposes of inspection or transformation, the number
3449 # of bytes considered to comprise a &#x27;Value&#x27; is based on its representation
3450 # as a UTF-8 encoded string. For example, if &#x27;integer_value&#x27; is set to
3451 # 123456789, the number of bytes would be counted as 9, even though an
3452 # int64 only holds up to 8 bytes of data.
3453 &quot;booleanValue&quot;: True or False, # boolean
3454 &quot;floatValue&quot;: 3.14, # float
3455 &quot;dayOfWeekValue&quot;: &quot;A String&quot;, # day of week
3456 &quot;timestampValue&quot;: &quot;A String&quot;, # timestamp
3457 &quot;dateValue&quot;: { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date
3458 # and time zone are either specified elsewhere or are not significant. The date
3459 # is relative to the Proleptic Gregorian Calendar. This can represent:
3460 #
3461 # * A full date, with non-zero year, month and day values
3462 # * A month and day value, with a zero year, e.g. an anniversary
3463 # * A year on its own, with zero month and day values
3464 # * A year and month value, with a zero day, e.g. a credit card expiration date
3465 #
3466 # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
3467 &quot;year&quot;: 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
3468 # a year.
3469 &quot;month&quot;: 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
3470 # month and day.
3471 &quot;day&quot;: 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
3472 # if specifying a year by itself or a year and month where the day is not
3473 # significant.
3474 },
3475 &quot;stringValue&quot;: &quot;A String&quot;, # string
3476 &quot;integerValue&quot;: &quot;A String&quot;, # integer
3477 &quot;timeValue&quot;: { # Represents a time of day. The date and time zone are either not significant # time of day
3478 # or are specified elsewhere. An API may choose to allow leap seconds. Related
3479 # types are google.type.Date and `google.protobuf.Timestamp`.
3480 &quot;seconds&quot;: 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
3481 # allow the value 60 if it allows leap-seconds.
3482 &quot;nanos&quot;: 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
3483 &quot;hours&quot;: 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
3484 # to allow the value &quot;24:00:00&quot; for scenarios like business closing time.
3485 &quot;minutes&quot;: 42, # Minutes of hour of day. Must be from 0 to 59.
3486 },
3487 },
3488 &quot;upperBound&quot;: { # Set of primitive values supported by the system. # Required. Upper bound value of buckets. All values greater than upper_bound are
3489 # grouped together into a single bucket; for example if `upper_bound` = 89,
3490 # then all values greater than 89 are replaced with the value &quot;89+&quot;.
3491 # Note that for the purposes of inspection or transformation, the number
3492 # of bytes considered to comprise a &#x27;Value&#x27; is based on its representation
3493 # as a UTF-8 encoded string. For example, if &#x27;integer_value&#x27; is set to
3494 # 123456789, the number of bytes would be counted as 9, even though an
3495 # int64 only holds up to 8 bytes of data.
3496 &quot;booleanValue&quot;: True or False, # boolean
3497 &quot;floatValue&quot;: 3.14, # float
3498 &quot;dayOfWeekValue&quot;: &quot;A String&quot;, # day of week
3499 &quot;timestampValue&quot;: &quot;A String&quot;, # timestamp
3500 &quot;dateValue&quot;: { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date
3501 # and time zone are either specified elsewhere or are not significant. The date
3502 # is relative to the Proleptic Gregorian Calendar. This can represent:
3503 #
3504 # * A full date, with non-zero year, month and day values
3505 # * A month and day value, with a zero year, e.g. an anniversary
3506 # * A year on its own, with zero month and day values
3507 # * A year and month value, with a zero day, e.g. a credit card expiration date
3508 #
3509 # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
3510 &quot;year&quot;: 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
3511 # a year.
3512 &quot;month&quot;: 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
3513 # month and day.
3514 &quot;day&quot;: 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
3515 # if specifying a year by itself or a year and month where the day is not
3516 # significant.
3517 },
3518 &quot;stringValue&quot;: &quot;A String&quot;, # string
3519 &quot;integerValue&quot;: &quot;A String&quot;, # integer
3520 &quot;timeValue&quot;: { # Represents a time of day. The date and time zone are either not significant # time of day
3521 # or are specified elsewhere. An API may choose to allow leap seconds. Related
3522 # types are google.type.Date and `google.protobuf.Timestamp`.
3523 &quot;seconds&quot;: 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
3524 # allow the value 60 if it allows leap-seconds.
3525 &quot;nanos&quot;: 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
3526 &quot;hours&quot;: 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
3527 # to allow the value &quot;24:00:00&quot; for scenarios like business closing time.
3528 &quot;minutes&quot;: 42, # Minutes of hour of day. Must be from 0 to 59.
3529 },
3530 },
3531 &quot;bucketSize&quot;: 3.14, # Required. Size of each bucket (except for minimum and maximum buckets). So if
3532 # `lower_bound` = 10, `upper_bound` = 89, and `bucket_size` = 10, then the
3533 # following buckets would be used: -10, 10-20, 20-30, 30-40, 40-50, 50-60,
3534 # 60-70, 70-80, 80-89, 89+. Precision up to 2 decimals works.
3535 },
3536 },
3537 &quot;condition&quot;: { # A condition for determining whether a transformation should be applied to # Only apply the transformation if the condition evaluates to true for the
3538 # given `RecordCondition`. The conditions are allowed to reference fields
3539 # that are not used in the actual transformation.
3540 #
3541 # Example Use Cases:
3542 #
3543 # - Apply a different bucket transformation to an age column if the zip code
3544 # column for the same record is within a specific range.
3545 # - Redact a field if the date of birth field is greater than 85.
3546 # a field.
3547 &quot;expressions&quot;: { # An expression, consisting of an operator and conditions. # An expression.
3548 &quot;logicalOperator&quot;: &quot;A String&quot;, # The operator to apply to the result of conditions. Default and currently
3549 # only supported value is `AND`.
3550 &quot;conditions&quot;: { # A collection of conditions. # Conditions to apply to the expression.
3551 &quot;conditions&quot;: [ # A collection of conditions.
3552 { # The field type of `value` and `field` do not need to match to be
3553 # considered equal, but not all comparisons are possible.
3554 # EQUAL_TO and NOT_EQUAL_TO attempt to compare even with incompatible types,
3555 # but all other comparisons are invalid with incompatible types.
3556 # A `value` of type:
3557 #
3558 # - `string` can be compared against all other types
3559 # - `boolean` can only be compared against other booleans
3560 # - `integer` can be compared against doubles or a string if the string value
3561 # can be parsed as an integer.
3562 # - `double` can be compared against integers or a string if the string can
3563 # be parsed as a double.
3564 # - `Timestamp` can be compared against strings in RFC 3339 date string
3565 # format.
3566 # - `TimeOfDay` can be compared against timestamps and strings in the format
3567 # of &#x27;HH:mm:ss&#x27;.
3568 #
3569 # If we fail to compare due to type mismatch, a warning will be given and
3570 # the condition will evaluate to false.
3571 &quot;field&quot;: { # General identifier of a data field in a storage service. # Required. Field within the record this condition is evaluated against.
3572 &quot;name&quot;: &quot;A String&quot;, # Name describing the field.
3573 },
3574 &quot;operator&quot;: &quot;A String&quot;, # Required. Operator used to compare the field or infoType to the value.
3575 &quot;value&quot;: { # Set of primitive values supported by the system. # Value to compare against. [Mandatory, except for `EXISTS` tests.]
3576 # Note that for the purposes of inspection or transformation, the number
3577 # of bytes considered to comprise a &#x27;Value&#x27; is based on its representation
3578 # as a UTF-8 encoded string. For example, if &#x27;integer_value&#x27; is set to
3579 # 123456789, the number of bytes would be counted as 9, even though an
3580 # int64 only holds up to 8 bytes of data.
3581 &quot;booleanValue&quot;: True or False, # boolean
3582 &quot;floatValue&quot;: 3.14, # float
3583 &quot;dayOfWeekValue&quot;: &quot;A String&quot;, # day of week
3584 &quot;timestampValue&quot;: &quot;A String&quot;, # timestamp
3585 &quot;dateValue&quot;: { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date
3586 # and time zone are either specified elsewhere or are not significant. The date
3587 # is relative to the Proleptic Gregorian Calendar. This can represent:
3588 #
3589 # * A full date, with non-zero year, month and day values
3590 # * A month and day value, with a zero year, e.g. an anniversary
3591 # * A year on its own, with zero month and day values
3592 # * A year and month value, with a zero day, e.g. a credit card expiration date
3593 #
3594 # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
3595 &quot;year&quot;: 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
3596 # a year.
3597 &quot;month&quot;: 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
3598 # month and day.
3599 &quot;day&quot;: 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
3600 # if specifying a year by itself or a year and month where the day is not
3601 # significant.
3602 },
3603 &quot;stringValue&quot;: &quot;A String&quot;, # string
3604 &quot;integerValue&quot;: &quot;A String&quot;, # integer
3605 &quot;timeValue&quot;: { # Represents a time of day. The date and time zone are either not significant # time of day
3606 # or are specified elsewhere. An API may choose to allow leap seconds. Related
3607 # types are google.type.Date and `google.protobuf.Timestamp`.
3608 &quot;seconds&quot;: 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
3609 # allow the value 60 if it allows leap-seconds.
3610 &quot;nanos&quot;: 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
3611 &quot;hours&quot;: 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
3612 # to allow the value &quot;24:00:00&quot; for scenarios like business closing time.
3613 &quot;minutes&quot;: 42, # Minutes of hour of day. Must be from 0 to 59.
3614 },
3615 },
3616 },
3617 ],
3618 },
3619 },
3620 },
3621 },
3622 ],
3623 },
3624 &quot;infoTypeTransformations&quot;: { # A type of transformation that will scan unstructured text and # Treat the dataset as free-form text and apply the same free text
3625 # transformation everywhere.
3626 # apply various `PrimitiveTransformation`s to each finding, where the
3627 # transformation is applied to only values that were identified as a specific
3628 # info_type.
3629 &quot;transformations&quot;: [ # Required. Transformation for each infoType. Cannot specify more than one
3630 # for a given infoType.
3631 { # A transformation to apply to text that is identified as a specific
3632 # info_type.
3633 &quot;infoTypes&quot;: [ # InfoTypes to apply the transformation to. An empty list will cause
3634 # this transformation to apply to all findings that correspond to
3635 # infoTypes that were requested in `InspectConfig`.
3636 { # Type of information detected by the API.
3637 &quot;name&quot;: &quot;A String&quot;, # Name of the information type. Either a name of your choosing when
3638 # creating a CustomInfoType, or one of the names listed
3639 # at https://cloud.google.com/dlp/docs/infotypes-reference when specifying
3640 # a built-in type. InfoType names should conform to the pattern
3641 # `[a-zA-Z0-9_]{1,64}`.
3642 },
3643 ],
3644 &quot;primitiveTransformation&quot;: { # A rule for transforming a value. # Required. Primitive transformation to apply to the infoType.
3645 &quot;timePartConfig&quot;: { # For use with `Date`, `Timestamp`, and `TimeOfDay`, extract or preserve a # Time extraction
3646 # portion of the value.
3647 &quot;partToExtract&quot;: &quot;A String&quot;, # The part of the time to keep.
3648 },
3649 &quot;dateShiftConfig&quot;: { # Shifts dates by random number of days, with option to be consistent for the # Date Shift
3650 # same context. See https://cloud.google.com/dlp/docs/concepts-date-shifting
3651 # to learn more.
3652 &quot;context&quot;: { # General identifier of a data field in a storage service. # Points to the field that contains the context, for example, an entity id.
3653 # If set, must also set cryptoKey. If set, shift will be consistent for the
3654 # given context.
3655 &quot;name&quot;: &quot;A String&quot;, # Name describing the field.
3656 },
3657 &quot;upperBoundDays&quot;: 42, # Required. Range of shift in days. Actual shift will be selected at random within this
3658 # range (inclusive ends). Negative means shift to earlier in time. Must not
3659 # be more than 365250 days (1000 years) each direction.
3660 #
3661 # For example, 3 means shift date to at most 3 days into the future.
3662 &quot;lowerBoundDays&quot;: 42, # Required. For example, -5 means shift date to at most 5 days back in the past.
3663 &quot;cryptoKey&quot;: { # This is a data encryption key (DEK) (as opposed to # Causes the shift to be computed based on this key and the context. This
3664 # results in the same shift for the same context and crypto_key. If
3665 # set, must also set context. Can only be applied to table items.
3666 # a key encryption key (KEK) stored by KMS).
3667 # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
3668 # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
3669 # unwrap the data crypto key.
3670 &quot;kmsWrapped&quot;: { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key
3671 # The wrapped key must be a 128/192/256 bit key.
3672 # Authorization requires the following IAM permissions when sending a request
3673 # to perform a crypto transformation using a kms-wrapped crypto key:
3674 # dlp.kms.encrypt
3675 &quot;wrappedKey&quot;: &quot;A String&quot;, # Required. The wrapped data crypto key.
3676 &quot;cryptoKeyName&quot;: &quot;A String&quot;, # Required. The resource name of the KMS CryptoKey to use for unwrapping.
3677 },
3678 &quot;unwrapped&quot;: { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key
3679 # leaking the key, which is carried unwrapped in the template itself. Choose another type of key if possible.
3680 &quot;key&quot;: &quot;A String&quot;, # Required. A 128/192/256 bit key.
3681 },
3682 &quot;transient&quot;: { # Use this to have a random data crypto key generated. # Transient crypto key
3683 # It will be discarded after the request finishes.
3684 &quot;name&quot;: &quot;A String&quot;, # Required. Name of the key.
3685 # This is an arbitrary string used to differentiate different keys.
3686 # A unique key is generated per name: two separate `TransientCryptoKey`
3687 # protos share the same generated key if their names are the same.
3688 # When the data crypto key is generated, this name is not used in any way
3689 # (repeating the api call will result in a different key being generated).
3690 },
3691 },
3692 },
3693 &quot;replaceWithInfoTypeConfig&quot;: { # Replace each matching finding with the name of the info_type. # Replace with infotype
3694 },
3695 &quot;cryptoHashConfig&quot;: { # Pseudonymization method that generates surrogates via cryptographic hashing. # Crypto
3696 # Uses SHA-256.
3697 # The key size must be either 32 or 64 bytes.
3698 # Outputs a base64 encoded representation of the hashed output
3699 # (for example, L7k0BHmF1ha5U3NfGykjro4xWi1MPVQPjhMAZbSV9mM=).
3700 # Currently, only string and integer values can be hashed.
3701 # See https://cloud.google.com/dlp/docs/pseudonymization to learn more.
3702 &quot;cryptoKey&quot;: { # This is a data encryption key (DEK) (as opposed to # The key used by the hash function.
3703 # a key encryption key (KEK) stored by KMS).
3704 # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
3705 # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
3706 # unwrap the data crypto key.
3707 &quot;kmsWrapped&quot;: { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key
3708 # The wrapped key must be a 128/192/256 bit key.
3709 # Authorization requires the following IAM permissions when sending a request
3710 # to perform a crypto transformation using a kms-wrapped crypto key:
3711 # dlp.kms.encrypt
3712 &quot;wrappedKey&quot;: &quot;A String&quot;, # Required. The wrapped data crypto key.
3713 &quot;cryptoKeyName&quot;: &quot;A String&quot;, # Required. The resource name of the KMS CryptoKey to use for unwrapping.
3714 },
3715 &quot;unwrapped&quot;: { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key
3716 # leaking the key. Choose another type of key if possible.
3717 &quot;key&quot;: &quot;A String&quot;, # Required. A 128/192/256 bit key.
3718 },
3719 &quot;transient&quot;: { # Use this to have a random data crypto key generated. # Transient crypto key
3720 # It will be discarded after the request finishes.
3721 &quot;name&quot;: &quot;A String&quot;, # Required. Name of the key.
3722 # This is an arbitrary string used to differentiate different keys.
3723 # A unique key is generated per name: two separate `TransientCryptoKey`
3724 # protos share the same generated key if their names are the same.
3725 # When the data crypto key is generated, this name is not used in any way
3726 # (repeating the api call will result in a different key being generated).
3727 },
3728 },
3729 },
3730 &quot;cryptoReplaceFfxFpeConfig&quot;: { # Replaces an identifier with a surrogate using Format Preserving Encryption # Ffx-Fpe
3731 # (FPE) with the FFX mode of operation; however when used in the
3732 # `ReidentifyContent` API method, it serves the opposite function by reversing
3733 # the surrogate back into the original identifier. The identifier must be
3734 # encoded as ASCII. For a given crypto key and context, the same identifier
3735 # will be replaced with the same surrogate. Identifiers must be at least two
3736 # characters long. In the case that the identifier is the empty string, it will
3737 # be skipped. See https://cloud.google.com/dlp/docs/pseudonymization to learn
3738 # more.
3739 #
3740 # Note: We recommend using CryptoDeterministicConfig for all use cases which
3741 # do not require preserving the input alphabet space and size, plus warrant
3742 # referential integrity.
3743 &quot;customAlphabet&quot;: &quot;A String&quot;, # A custom alphabet is supported by mapping its characters to the alphanumeric characters
3744 # that the FFX mode natively supports. This happens before/after
3745 # encryption/decryption.
3746 # Each character listed must appear only once.
3747 # Number of characters must be in the range [2, 95].
3748 # This must be encoded as ASCII.
3749 # The order of characters does not matter.
3750 &quot;commonAlphabet&quot;: &quot;A String&quot;, # Common alphabets.
3751 &quot;surrogateInfoType&quot;: { # Type of information detected by the API. # The custom infoType to annotate the surrogate with.
3752 # This annotation will be applied to the surrogate by prefixing it with
3753 # the name of the custom infoType followed by the number of
3754 # characters comprising the surrogate. The following scheme defines the
3755 # format: info_type_name(surrogate_character_count):surrogate
3756 #
3757 # For example, if the name of custom infoType is &#x27;MY_TOKEN_INFO_TYPE&#x27; and
3758 # the surrogate is &#x27;abc&#x27;, the full replacement value
3759 # will be: &#x27;MY_TOKEN_INFO_TYPE(3):abc&#x27;
3760 #
3761 # This annotation identifies the surrogate when inspecting content using the
3762 # custom infoType
3763 # [`SurrogateType`](/dlp/docs/reference/rest/v2/InspectConfig#surrogatetype).
3764 # This facilitates reversal of the surrogate when it occurs in free text.
3765 #
3766 # In order for inspection to work properly, the name of this infoType must
3767 # not occur naturally anywhere in your data; otherwise, inspection may
3768 # find a surrogate that does not correspond to an actual identifier.
3769 # Therefore, choose your custom infoType name carefully after considering
3770 # what your data looks like. One way to select a name that has a high chance
3771 # of yielding reliable detection is to include one or more unicode characters
3772 # that are highly improbable to exist in your data.
3773 # For example, assuming your data is entered from a regular ASCII keyboard,
3774 # the symbol with the hex code point 29DD might be used like so:
3775 # ⧝MY_TOKEN_TYPE
3776 &quot;name&quot;: &quot;A String&quot;, # Name of the information type. Either a name of your choosing when
3777 # creating a CustomInfoType, or one of the names listed
3778 # at https://cloud.google.com/dlp/docs/infotypes-reference when specifying
3779 # a built-in type. InfoType names should conform to the pattern
3780 # `[a-zA-Z0-9_]{1,64}`.
3781 },
3782 &quot;context&quot;: { # General identifier of a data field in a storage service. # The &#x27;tweak&#x27;: a context may be used for higher security since the same
3783 # identifier in two different contexts won&#x27;t be given the same surrogate. If
3784 # the context is not set, a default tweak will be used.
3785 #
3786 # If the context is set but:
3787 #
3788 # 1. there is no record present when transforming a given value or
3789 # 2. the field is not present when transforming a given value,
3790 #
3791 # a default tweak will be used.
3792 #
3793 # Note that case (1) is expected when an `InfoTypeTransformation` is
3794 # applied to both structured and non-structured `ContentItem`s.
3795 # Currently, the referenced field may be of value type integer or string.
3796 #
3797 # The tweak is constructed as a sequence of bytes in big endian byte order
3798 # such that:
3799 #
3800 # - a 64 bit integer is encoded followed by a single byte of value 1
3801 # - a string is encoded in UTF-8 format followed by a single byte of value 2
3802 &quot;name&quot;: &quot;A String&quot;, # Name describing the field.
3803 },
3804 &quot;radix&quot;: 42, # The native way to select the alphabet. Must be in the range [2, 95].
3805 &quot;cryptoKey&quot;: { # This is a data encryption key (DEK) (as opposed to # Required. The key used by the encryption algorithm.
3806 # a key encryption key (KEK) stored by KMS).
3807 # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
3808 # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
3809 # unwrap the data crypto key.
3810 &quot;kmsWrapped&quot;: { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key
3811 # The wrapped key must be a 128/192/256 bit key.
3812 # Authorization requires the following IAM permissions when sending a request
3813 # to perform a crypto transformation using a kms-wrapped crypto key:
3814 # dlp.kms.encrypt
3815 &quot;wrappedKey&quot;: &quot;A String&quot;, # Required. The wrapped data crypto key.
3816 &quot;cryptoKeyName&quot;: &quot;A String&quot;, # Required. The resource name of the KMS CryptoKey to use for unwrapping.
3817 },
3818 &quot;unwrapped&quot;: { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key
3819 # leaking the key. Choose another type of key if possible.
3820 &quot;key&quot;: &quot;A String&quot;, # Required. A 128/192/256 bit key.
3821 },
3822 &quot;transient&quot;: { # Use this to have a random data crypto key generated. # Transient crypto key
3823 # It will be discarded after the request finishes, so values transformed with it cannot be re-identified in a later request.
3824 &quot;name&quot;: &quot;A String&quot;, # Required. Name of the key.
3825 # This is an arbitrary string used to differentiate different keys.
3826 # A unique key is generated per name: two separate `TransientCryptoKey`
3827 # protos share the same generated key if their names are the same.
3828 # When the data crypto key is generated, this name is not used in any way
3829 # (repeating the api call will result in a different key being generated).
3830 },
3831 },
3832 },
3833 &quot;cryptoDeterministicConfig&quot;: { # Pseudonymization method that generates deterministic encryption for the given # Deterministic Crypto
3834 # input. Outputs a base64 encoded representation of the encrypted output.
3835 # Uses AES-SIV based on the RFC https://tools.ietf.org/html/rfc5297.
3836 &quot;surrogateInfoType&quot;: { # Type of information detected by the API. # The custom info type to annotate the surrogate with.
3837 # This annotation will be applied to the surrogate by prefixing it with
3838 # the name of the custom info type followed by the number of
3839 # characters comprising the surrogate. The following scheme defines the
3840 # format: {info type name}({surrogate character count}):{surrogate}
3841 #
3842 # For example, if the name of custom info type is &#x27;MY_TOKEN_INFO_TYPE&#x27; and
3843 # the surrogate is &#x27;abc&#x27;, the full replacement value
3844 # will be: &#x27;MY_TOKEN_INFO_TYPE(3):abc&#x27;
3845 #
3846 # This annotation identifies the surrogate when inspecting content using the
3847 # custom info type &#x27;Surrogate&#x27;. This facilitates reversal of the
3848 # surrogate when it occurs in free text.
3849 #
3850 # Note: For record transformations where the entire cell in a table is being
3851 # transformed, surrogates are not mandatory. Surrogates are used to denote
3852 # the location of the token and are necessary for re-identification in free
3853 # form text.
3854 #
3855 # In order for inspection to work properly, the name of this info type must
3856 # not occur naturally anywhere in your data; otherwise, inspection may either
3857 #
3858 # - reverse a surrogate that does not correspond to an actual identifier
3859 # - be unable to parse the surrogate and result in an error
3860 #
3861 # Therefore, choose your custom info type name carefully after considering
3862 # what your data looks like. One way to select a name that has a high chance
3863 # of yielding reliable detection is to include one or more unicode characters
3864 # that are highly improbable to exist in your data.
3865 # For example, assuming your data is entered from a regular ASCII keyboard,
3866 # the symbol with the hex code point 29DD might be used like so:
3867 # ⧝MY_TOKEN_TYPE.
3868 &quot;name&quot;: &quot;A String&quot;, # Name of the information type. Either a name of your choosing when
3869 # creating a CustomInfoType, or one of the names listed
3870 # at https://cloud.google.com/dlp/docs/infotypes-reference when specifying
3871 # a built-in type. InfoType names should conform to the pattern
3872 # `[a-zA-Z0-9_]{1,64}`.
3873 },
3874 &quot;context&quot;: { # General identifier of a data field in a storage service. # A context may be used for higher security and maintaining
3875 # referential integrity such that the same identifier in two different
3876 # contexts will be given a distinct surrogate. The context is appended to
3877 # the plaintext value being encrypted. On decryption the provided context is
3878 # validated against the value used during encryption. If a context was
3879 # provided during encryption, the same context must be provided during decryption
3880 # as well.
3881 #
3882 # If the context is not set, plaintext would be used as is for encryption.
3883 # If the context is set but:
3884 #
3885 # 1. there is no record present when transforming a given value or
3886 # 2. the field is not present when transforming a given value,
3887 #
3888 # plaintext would be used as is for encryption.
3889 #
3890 # Note that case (1) is expected when an `InfoTypeTransformation` is
3891 # applied to both structured and non-structured `ContentItem`s.
3892 &quot;name&quot;: &quot;A String&quot;, # Name describing the field.
3893 },
3894 &quot;cryptoKey&quot;: { # This is a data encryption key (DEK) (as opposed to # The key used by the encryption function.
3895 # a key encryption key (KEK) stored by KMS).
3896 # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
3897 # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
3898 # unwrap the data crypto key.
3899 &quot;kmsWrapped&quot;: { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key
3900 # The wrapped key must be a 128/192/256 bit key.
3901 # Authorization requires the following IAM permissions when sending a request
3902 # to perform a crypto transformation using a kms-wrapped crypto key:
3903 # dlp.kms.encrypt
3904 &quot;wrappedKey&quot;: &quot;A String&quot;, # Required. The wrapped data crypto key.
3905 &quot;cryptoKeyName&quot;: &quot;A String&quot;, # Required. The resource name of the KMS CryptoKey to use for unwrapping.
3906 },
3907 &quot;unwrapped&quot;: { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key
3908 # leaking the key. Choose another type of key if possible.
3909 &quot;key&quot;: &quot;A String&quot;, # Required. A 128/192/256 bit key.
3910 },
3911 &quot;transient&quot;: { # Use this to have a random data crypto key generated. # Transient crypto key
3912 # It will be discarded after the request finishes.
3913 &quot;name&quot;: &quot;A String&quot;, # Required. Name of the key.
3914 # This is an arbitrary string used to differentiate different keys.
3915 # A unique key is generated per name: two separate `TransientCryptoKey`
3916 # protos share the same generated key if their names are the same.
3917 # When the data crypto key is generated, this name is not used in any way
3918 # (repeating the api call will result in a different key being generated).
3919 },
3920 },
3921 },
3922 &quot;redactConfig&quot;: { # Redact a given value. For example, if used with an `InfoTypeTransformation` # Redact
3923 # transforming PHONE_NUMBER, and input &#x27;My phone number is 206-555-0123&#x27;, the
3924 # output would be &#x27;My phone number is &#x27;.
3925 },
3926 &quot;bucketingConfig&quot;: { # Generalization function that buckets values based on ranges. The ranges and # Bucketing
3927 # replacement values are dynamically provided by the user for custom behavior,
3928 # such as 1-30 -&gt; LOW, 31-65 -&gt; MEDIUM, 66-100 -&gt; HIGH
3929 # This can be used on
3930 # data of type: number, long, string, timestamp.
3931 # If the bound `Value` type differs from the type of data being transformed, we
3932 # will first attempt converting the type of the data to be transformed to match
3933 # the type of the bound before comparing.
3934 # See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more.
3935 &quot;buckets&quot;: [ # Set of buckets. Ranges must be non-overlapping.
3936 { # Bucket is represented as a range, along with replacement values.
3937 &quot;min&quot;: { # Set of primitive values supported by the system. # Lower bound of the range, inclusive. Type should be the same as max if
3938 # used.
3939 # Note that for the purposes of inspection or transformation, the number
3940 # of bytes considered to comprise a &#x27;Value&#x27; is based on its representation
3941 # as a UTF-8 encoded string. For example, if &#x27;integer_value&#x27; is set to
3942 # 123456789, the number of bytes would be counted as 9, even though an
3943 # int64 only holds up to 8 bytes of data.
3944 &quot;booleanValue&quot;: True or False, # boolean
3945 &quot;floatValue&quot;: 3.14, # float
3946 &quot;dayOfWeekValue&quot;: &quot;A String&quot;, # day of week
3947 &quot;timestampValue&quot;: &quot;A String&quot;, # timestamp
3948 &quot;dateValue&quot;: { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date
3949 # and time zone are either specified elsewhere or are not significant. The date
3950 # is relative to the Proleptic Gregorian Calendar. This can represent:
3951 #
3952 # * A full date, with non-zero year, month and day values
3953 # * A month and day value, with a zero year, e.g. an anniversary
3954 # * A year on its own, with zero month and day values
3955 # * A year and month value, with a zero day, e.g. a credit card expiration date
3956 #
3957 # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
3958 &quot;year&quot;: 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
3959 # a year.
3960 &quot;month&quot;: 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
3961 # month and day.
3962 &quot;day&quot;: 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
3963 # if specifying a year by itself or a year and month where the day is not
3964 # significant.
3965 },
3966 &quot;stringValue&quot;: &quot;A String&quot;, # string
3967 &quot;integerValue&quot;: &quot;A String&quot;, # integer
3968 &quot;timeValue&quot;: { # Represents a time of day. The date and time zone are either not significant # time of day
3969 # or are specified elsewhere. An API may choose to allow leap seconds. Related
3970 # types are google.type.Date and `google.protobuf.Timestamp`.
3971 &quot;seconds&quot;: 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
3972 # allow the value 60 if it allows leap-seconds.
3973 &quot;nanos&quot;: 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
3974 &quot;hours&quot;: 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
3975 # to allow the value &quot;24:00:00&quot; for scenarios like business closing time.
3976 &quot;minutes&quot;: 42, # Minutes of hour of day. Must be from 0 to 59.
3977 },
3978 },
3979 &quot;max&quot;: { # Set of primitive values supported by the system. # Upper bound of the range, exclusive; type must match min.
3980 # Note that for the purposes of inspection or transformation, the number
3981 # of bytes considered to comprise a &#x27;Value&#x27; is based on its representation
3982 # as a UTF-8 encoded string. For example, if &#x27;integer_value&#x27; is set to
3983 # 123456789, the number of bytes would be counted as 9, even though an
3984 # int64 only holds up to 8 bytes of data.
3985 &quot;booleanValue&quot;: True or False, # boolean
3986 &quot;floatValue&quot;: 3.14, # float
3987 &quot;dayOfWeekValue&quot;: &quot;A String&quot;, # day of week
3988 &quot;timestampValue&quot;: &quot;A String&quot;, # timestamp
3989 &quot;dateValue&quot;: { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date
3990 # and time zone are either specified elsewhere or are not significant. The date
3991 # is relative to the Proleptic Gregorian Calendar. This can represent:
3992 #
3993 # * A full date, with non-zero year, month and day values
3994 # * A month and day value, with a zero year, e.g. an anniversary
3995 # * A year on its own, with zero month and day values
3996 # * A year and month value, with a zero day, e.g. a credit card expiration date
3997 #
3998 # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
3999 &quot;year&quot;: 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
4000 # a year.
4001 &quot;month&quot;: 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
4002 # month and day.
4003 &quot;day&quot;: 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
4004 # if specifying a year by itself or a year and month where the day is not
4005 # significant.
4006 },
4007 &quot;stringValue&quot;: &quot;A String&quot;, # string
4008 &quot;integerValue&quot;: &quot;A String&quot;, # integer
4009 &quot;timeValue&quot;: { # Represents a time of day. The date and time zone are either not significant # time of day
4010 # or are specified elsewhere. An API may choose to allow leap seconds. Related
4011 # types are google.type.Date and `google.protobuf.Timestamp`.
4012 &quot;seconds&quot;: 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
4013 # allow the value 60 if it allows leap-seconds.
4014 &quot;nanos&quot;: 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
4015 &quot;hours&quot;: 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
4016 # to allow the value &quot;24:00:00&quot; for scenarios like business closing time.
4017 &quot;minutes&quot;: 42, # Minutes of hour of day. Must be from 0 to 59.
4018 },
4019 },
4020 &quot;replacementValue&quot;: { # Set of primitive values supported by the system. # Replacement value for this bucket. If not provided
4021 # the default behavior will be to hyphenate the min-max range.
4022 # Note that for the purposes of inspection or transformation, the number
4023 # of bytes considered to comprise a &#x27;Value&#x27; is based on its representation
4024 # as a UTF-8 encoded string. For example, if &#x27;integer_value&#x27; is set to
4025 # 123456789, the number of bytes would be counted as 9, even though an
4026 # int64 only holds up to 8 bytes of data.
4027 &quot;booleanValue&quot;: True or False, # boolean
4028 &quot;floatValue&quot;: 3.14, # float
4029 &quot;dayOfWeekValue&quot;: &quot;A String&quot;, # day of week
4030 &quot;timestampValue&quot;: &quot;A String&quot;, # timestamp
4031 &quot;dateValue&quot;: { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date
4032 # and time zone are either specified elsewhere or are not significant. The date
4033 # is relative to the Proleptic Gregorian Calendar. This can represent:
4034 #
4035 # * A full date, with non-zero year, month and day values
4036 # * A month and day value, with a zero year, e.g. an anniversary
4037 # * A year on its own, with zero month and day values
4038 # * A year and month value, with a zero day, e.g. a credit card expiration date
4039 #
4040 # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
4041 &quot;year&quot;: 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
4042 # a year.
4043 &quot;month&quot;: 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
4044 # month and day.
4045 &quot;day&quot;: 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
4046 # if specifying a year by itself or a year and month where the day is not
4047 # significant.
4048 },
4049 &quot;stringValue&quot;: &quot;A String&quot;, # string
4050 &quot;integerValue&quot;: &quot;A String&quot;, # integer
4051 &quot;timeValue&quot;: { # Represents a time of day. The date and time zone are either not significant # time of day
4052 # or are specified elsewhere. An API may choose to allow leap seconds. Related
4053 # types are google.type.Date and `google.protobuf.Timestamp`.
4054 &quot;seconds&quot;: 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
4055 # allow the value 60 if it allows leap-seconds.
4056 &quot;nanos&quot;: 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
4057 &quot;hours&quot;: 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
4058 # to allow the value &quot;24:00:00&quot; for scenarios like business closing time.
4059 &quot;minutes&quot;: 42, # Minutes of hour of day. Must be from 0 to 59.
4060 },
4061 },
4062 },
4063 ],
4064 },
4065 &quot;replaceConfig&quot;: { # Replace each input value with a given `Value`. # Replace
4066 &quot;newValue&quot;: { # Set of primitive values supported by the system. # Value to replace it with.
4067 # Note that for the purposes of inspection or transformation, the number
4068 # of bytes considered to comprise a &#x27;Value&#x27; is based on its representation
4069 # as a UTF-8 encoded string. For example, if &#x27;integer_value&#x27; is set to
4070 # 123456789, the number of bytes would be counted as 9, even though an
4071 # int64 only holds up to 8 bytes of data.
4072 &quot;booleanValue&quot;: True or False, # boolean
4073 &quot;floatValue&quot;: 3.14, # float
4074 &quot;dayOfWeekValue&quot;: &quot;A String&quot;, # day of week
4075 &quot;timestampValue&quot;: &quot;A String&quot;, # timestamp
4076 &quot;dateValue&quot;: { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date
4077 # and time zone are either specified elsewhere or are not significant. The date
4078 # is relative to the Proleptic Gregorian Calendar. This can represent:
4079 #
4080 # * A full date, with non-zero year, month and day values
4081 # * A month and day value, with a zero year, e.g. an anniversary
4082 # * A year on its own, with zero month and day values
4083 # * A year and month value, with a zero day, e.g. a credit card expiration date
4084 #
4085 # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
4086 &quot;year&quot;: 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
4087 # a year.
4088 &quot;month&quot;: 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
4089 # month and day.
4090 &quot;day&quot;: 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
4091 # if specifying a year by itself or a year and month where the day is not
4092 # significant.
4093 },
4094 &quot;stringValue&quot;: &quot;A String&quot;, # string
4095 &quot;integerValue&quot;: &quot;A String&quot;, # integer
4096 &quot;timeValue&quot;: { # Represents a time of day. The date and time zone are either not significant # time of day
4097 # or are specified elsewhere. An API may choose to allow leap seconds. Related
4098 # types are google.type.Date and `google.protobuf.Timestamp`.
4099 &quot;seconds&quot;: 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
4100 # allow the value 60 if it allows leap-seconds.
4101 &quot;nanos&quot;: 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
4102 &quot;hours&quot;: 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
4103 # to allow the value &quot;24:00:00&quot; for scenarios like business closing time.
4104 &quot;minutes&quot;: 42, # Minutes of hour of day. Must be from 0 to 59.
4105 },
4106 },
4107 },
4108 &quot;characterMaskConfig&quot;: { # Partially mask a string by replacing a given number of characters with a # Mask
4109 # fixed character. Masking can start from the beginning or end of the string.
4110 # This can be used on data of any type (numbers, longs, and so on) and when
4111 # de-identifying structured data we&#x27;ll attempt to preserve the original data&#x27;s
4112 # type. (This allows you to take a long like 123 and modify it to a string like
4113 # **3.)
4114 &quot;reverseOrder&quot;: True or False, # Mask characters in reverse order. For example, if `masking_character` is
4115 # `0`, `number_to_mask` is `14`, and `reverse_order` is `false`, then the
4116 # input string `1234-5678-9012-3456` is masked as `00000000000000-3456`.
4117 # If `masking_character` is `*`, `number_to_mask` is `3`, and `reverse_order`
4118 # is `true`, then the string `12345` is masked as `12***`.
4119 &quot;charactersToIgnore&quot;: [ # When masking a string, items in this list will be skipped when replacing
4120 # characters. For example, if the input string is `555-555-5555` and you
4121 # instruct Cloud DLP to skip `-` and mask 5 characters with `*`, Cloud DLP
4122 # returns `***-**5-5555`.
4123 { # Characters to skip when doing deidentification of a value. These will be left
4124 # alone and skipped.
4125 &quot;charactersToSkip&quot;: &quot;A String&quot;, # Characters to not transform when masking.
4126 &quot;commonCharactersToIgnore&quot;: &quot;A String&quot;, # Common characters to not transform when masking. Useful to avoid removing
4127 # punctuation.
4128 },
4129 ],
4130 &quot;numberToMask&quot;: 42, # Number of characters to mask. If not set, all matching chars will be
4131 # masked. Skipped characters do not count towards this tally.
4132 &quot;maskingCharacter&quot;: &quot;A String&quot;, # Character to use to mask the sensitive values&mdash;for example, `*` for an
4133 # alphabetic string such as a name, or `0` for a numeric string such as ZIP
4134 # code or credit card number. This string must have a length of 1. If not
4135 # supplied, this value defaults to `*` for strings, and `0` for digits.
4136 },
4137 &quot;fixedSizeBucketingConfig&quot;: { # Buckets values based on fixed size ranges. The # Fixed size bucketing
4138 # Bucketing transformation can provide all of this functionality,
4139 # but requires more configuration. This message is provided as a convenience to
4140 # the user for simple bucketing strategies.
4141 #
4142 # The transformed value will be a hyphenated string of
4143 # {lower_bound}-{upper_bound}, i.e. if lower_bound = 10 and upper_bound = 20
4144 # all values that are within this bucket will be replaced with &quot;10-20&quot;.
4145 #
4146 # This can be used on data of type: double, long.
4147 #
4148 # If the bound Value type differs from the type of data
4149 # being transformed, we will first attempt converting the type of the data to
4150 # be transformed to match the type of the bound before comparing.
4151 #
4152 # See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more.
4153 &quot;lowerBound&quot;: { # Set of primitive values supported by the system. # Required. Lower bound value of buckets. All values less than `lower_bound` are
4154 # grouped together into a single bucket; for example if `lower_bound` = 10,
4155 # then all values less than 10 are replaced with the value &quot;-10&quot;.
4156 # Note that for the purposes of inspection or transformation, the number
4157 # of bytes considered to comprise a &#x27;Value&#x27; is based on its representation
4158 # as a UTF-8 encoded string. For example, if &#x27;integer_value&#x27; is set to
4159 # 123456789, the number of bytes would be counted as 9, even though an
4160 # int64 only holds up to 8 bytes of data.
4161 &quot;booleanValue&quot;: True or False, # boolean
4162 &quot;floatValue&quot;: 3.14, # float
4163 &quot;dayOfWeekValue&quot;: &quot;A String&quot;, # day of week
4164 &quot;timestampValue&quot;: &quot;A String&quot;, # timestamp
4165 &quot;dateValue&quot;: { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date
4166 # and time zone are either specified elsewhere or are not significant. The date
4167 # is relative to the Proleptic Gregorian Calendar. This can represent:
4168 #
4169 # * A full date, with non-zero year, month and day values
4170 # * A month and day value, with a zero year, e.g. an anniversary
4171 # * A year on its own, with zero month and day values
4172 # * A year and month value, with a zero day, e.g. a credit card expiration date
4173 #
4174 # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
4175 &quot;year&quot;: 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
4176 # a year.
4177 &quot;month&quot;: 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
4178 # month and day.
4179 &quot;day&quot;: 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
4180 # if specifying a year by itself or a year and month where the day is not
4181 # significant.
4182 },
4183 &quot;stringValue&quot;: &quot;A String&quot;, # string
4184 &quot;integerValue&quot;: &quot;A String&quot;, # integer
4185 &quot;timeValue&quot;: { # Represents a time of day. The date and time zone are either not significant # time of day
4186 # or are specified elsewhere. An API may choose to allow leap seconds. Related
4187 # types are google.type.Date and `google.protobuf.Timestamp`.
4188 &quot;seconds&quot;: 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
4189 # allow the value 60 if it allows leap-seconds.
4190 &quot;nanos&quot;: 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
4191 &quot;hours&quot;: 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
4192 # to allow the value &quot;24:00:00&quot; for scenarios like business closing time.
4193 &quot;minutes&quot;: 42, # Minutes of hour of day. Must be from 0 to 59.
4194 },
4195 },
4196 &quot;upperBound&quot;: { # Set of primitive values supported by the system. # Required. Upper bound value of buckets. All values greater than upper_bound are
4197 # grouped together into a single bucket; for example if `upper_bound` = 89,
4198 # then all values greater than 89 are replaced with the value &quot;89+&quot;.
4199 # Note that for the purposes of inspection or transformation, the number
4200 # of bytes considered to comprise a &#x27;Value&#x27; is based on its representation
4201 # as a UTF-8 encoded string. For example, if &#x27;integer_value&#x27; is set to
4202 # 123456789, the number of bytes would be counted as 9, even though an
4203 # int64 only holds up to 8 bytes of data.
4204 &quot;booleanValue&quot;: True or False, # boolean
4205 &quot;floatValue&quot;: 3.14, # float
4206 &quot;dayOfWeekValue&quot;: &quot;A String&quot;, # day of week
4207 &quot;timestampValue&quot;: &quot;A String&quot;, # timestamp
4208 &quot;dateValue&quot;: { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date
4209 # and time zone are either specified elsewhere or are not significant. The date
4210 # is relative to the Proleptic Gregorian Calendar. This can represent:
4211 #
4212 # * A full date, with non-zero year, month and day values
4213 # * A month and day value, with a zero year, e.g. an anniversary
4214 # * A year on its own, with zero month and day values
4215 # * A year and month value, with a zero day, e.g. a credit card expiration date
4216 #
4217 # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
4218 &quot;year&quot;: 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
4219 # a year.
4220 &quot;month&quot;: 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
4221 # month and day.
4222 &quot;day&quot;: 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
4223 # if specifying a year by itself or a year and month where the day is not
4224 # significant.
4225 },
4226 &quot;stringValue&quot;: &quot;A String&quot;, # string
4227 &quot;integerValue&quot;: &quot;A String&quot;, # integer
4228 &quot;timeValue&quot;: { # Represents a time of day. The date and time zone are either not significant # time of day
4229 # or are specified elsewhere. An API may choose to allow leap seconds. Related
4230 # types are google.type.Date and `google.protobuf.Timestamp`.
4231 &quot;seconds&quot;: 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
4232 # allow the value 60 if it allows leap-seconds.
4233 &quot;nanos&quot;: 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
4234 &quot;hours&quot;: 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
4235 # to allow the value &quot;24:00:00&quot; for scenarios like business closing time.
4236 &quot;minutes&quot;: 42, # Minutes of hour of day. Must be from 0 to 59.
4237 },
4238 },
4239 &quot;bucketSize&quot;: 3.14, # Required. Size of each bucket (except for minimum and maximum buckets). So if
4240 # `lower_bound` = 10, `upper_bound` = 89, and `bucket_size` = 10, then the
4241 # following buckets would be used: -10, 10-20, 20-30, 30-40, 40-50, 50-60,
4242 # 60-70, 70-80, 80-89, 89+. Precision up to 2 decimals works.
4243 },
4244 },
4245 },
4246 ],
4247 },
4248 },
4249 }</pre>
4250</div>
4251
4252<div class="method">
4253 <code class="details" id="delete">delete(name, x__xgafv=None)</code>
4254 <pre>Deletes a DeidentifyTemplate.
4255See https://cloud.google.com/dlp/docs/creating-templates-deid to learn
4256more.
4257
4258Args:
4259 name: string, Required. Resource name of the organization and deidentify template to be deleted,
4260for example `organizations/433245324/deidentifyTemplates/432452342` or
4261projects/project-id/deidentifyTemplates/432452342. (required)
4262 x__xgafv: string, V1 error format.
4263 Allowed values
4264 1 - v1 error format
4265 2 - v2 error format
4266
4267Returns:
4268 An object of the form:
4269
4270 { # A generic empty message that you can re-use to avoid defining duplicated
4271 # empty messages in your APIs. A typical example is to use it as the request
4272 # or the response type of an API method. For instance:
4273 #
4274 # service Foo {
4275 # rpc Bar(google.protobuf.Empty) returns (google.protobuf.Empty);
4276 # }
4277 #
4278 # The JSON representation for `Empty` is empty JSON object `{}`.
4279 }</pre>
4280</div>
4281
4282<div class="method">
4283 <code class="details" id="get">get(name, x__xgafv=None)</code>
4284 <pre>Gets a DeidentifyTemplate.
4285See https://cloud.google.com/dlp/docs/creating-templates-deid to learn
4286more.
4287
4288Args:
4289 name: string, Required. Resource name of the organization and deidentify template to be read, for
4290example `organizations/433245324/deidentifyTemplates/432452342` or
4291projects/project-id/deidentifyTemplates/432452342. (required)
4292 x__xgafv: string, V1 error format.
4293 Allowed values
4294 1 - v1 error format
4295 2 - v2 error format
4296
4297Returns:
4298 An object of the form:
4299
4300 { # DeidentifyTemplates contains instructions on how to de-identify content.
4301 # See https://cloud.google.com/dlp/docs/concepts-templates to learn more.
4302 &quot;name&quot;: &quot;A String&quot;, # Output only. The template name.
4303 #
4304 # The template will have one of the following formats:
4305 # `projects/PROJECT_ID/deidentifyTemplates/TEMPLATE_ID` OR
4306 # `organizations/ORGANIZATION_ID/deidentifyTemplates/TEMPLATE_ID`
4307 &quot;description&quot;: &quot;A String&quot;, # Short description (max 256 chars).
4308 &quot;displayName&quot;: &quot;A String&quot;, # Display name (max 256 chars).
4309 &quot;createTime&quot;: &quot;A String&quot;, # Output only. The creation timestamp of an inspectTemplate.
4310 &quot;updateTime&quot;: &quot;A String&quot;, # Output only. The last update timestamp of an inspectTemplate.
4311 &quot;deidentifyConfig&quot;: { # The configuration that controls how the data will change. # ///////////// // The core content of the template // ///////////////
4312 &quot;transformationErrorHandling&quot;: { # How to handle transformation errors during de-identification. A # Mode for handling transformation errors. If left unspecified, the default
4313 # mode is `TransformationErrorHandling.ThrowError`.
4314 # transformation error occurs when the requested transformation is incompatible
4315 # with the data. For example, trying to de-identify an IP address using a
4316 # `DateShift` transformation would result in a transformation error, since date
4317 # info cannot be extracted from an IP address.
4318 # Information about any incompatible transformations, and how they were
4319 # handled, is returned in the response as part of the
4320 # `TransformationOverviews`.
4321 &quot;throwError&quot;: { # Throw an error and fail the request when a transformation error occurs. # Throw an error
4322 },
4323 &quot;leaveUntransformed&quot;: { # Skips the data without modifying it if the requested transformation would # Ignore errors
4324 # cause an error. For example, if a `DateShift` transformation were applied
4325 # to an IP address, this mode would leave the IP address unchanged in the
4326 # response.
4327 },
4328 },
4329 &quot;recordTransformations&quot;: { # A type of transformation that is applied over structured data such as a # Treat the dataset as structured. Transformations can be applied to
4330 # specific locations within structured datasets, such as transforming
4331 # a column within a table.
4332 # table.
4333 &quot;recordSuppressions&quot;: [ # Configuration defining which records get suppressed entirely. Records that
4334 # match any suppression rule are omitted from the output.
4335 { # Configuration to suppress records whose suppression conditions evaluate to
4336 # true.
4337 &quot;condition&quot;: { # A condition for determining whether a transformation should be applied to # A condition that when it evaluates to true will result in the record being
4338 # evaluated to be suppressed from the transformed content.
4339 # a field.
4340 &quot;expressions&quot;: { # An expression, consisting of an operator and conditions. # An expression.
4341 &quot;logicalOperator&quot;: &quot;A String&quot;, # The operator to apply to the result of conditions. Default and currently
4342 # only supported value is `AND`.
4343 &quot;conditions&quot;: { # A collection of conditions. # Conditions to apply to the expression.
4344 &quot;conditions&quot;: [ # A collection of conditions.
4345 { # The field type of `value` and `field` do not need to match to be
4346 # considered equal, but not all comparisons are possible.
4347 # EQUAL_TO and NOT_EQUAL_TO attempt to compare even with incompatible types,
4348 # but all other comparisons are invalid with incompatible types.
4349 # A `value` of type:
4350 #
4351 # - `string` can be compared against all other types
4352 # - `boolean` can only be compared against other booleans
4353 # - `integer` can be compared against doubles or a string if the string value
4354 # can be parsed as an integer.
4355 # - `double` can be compared against integers or a string if the string can
4356 # be parsed as a double.
4357 # - `Timestamp` can be compared against strings in RFC 3339 date string
4358 # format.
4359 # - `TimeOfDay` can be compared against timestamps and strings in the format
4360 # of &#x27;HH:mm:ss&#x27;.
4361 #
4362 # If we fail to compare due to type mismatch, a warning will be given and
4363 # the condition will evaluate to false.
4364 &quot;field&quot;: { # General identifier of a data field in a storage service. # Required. Field within the record this condition is evaluated against.
4365 &quot;name&quot;: &quot;A String&quot;, # Name describing the field.
4366 },
4367 &quot;operator&quot;: &quot;A String&quot;, # Required. Operator used to compare the field or infoType to the value.
4368 &quot;value&quot;: { # Set of primitive values supported by the system. # Value to compare against. [Mandatory, except for `EXISTS` tests.]
4369 # Note that for the purposes of inspection or transformation, the number
4370 # of bytes considered to comprise a &#x27;Value&#x27; is based on its representation
4371 # as a UTF-8 encoded string. For example, if &#x27;integer_value&#x27; is set to
4372 # 123456789, the number of bytes would be counted as 9, even though an
4373 # int64 only holds up to 8 bytes of data.
4374 &quot;booleanValue&quot;: True or False, # boolean
4375 &quot;floatValue&quot;: 3.14, # float
4376 &quot;dayOfWeekValue&quot;: &quot;A String&quot;, # day of week
4377 &quot;timestampValue&quot;: &quot;A String&quot;, # timestamp
4378 &quot;dateValue&quot;: { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date
4379 # and time zone are either specified elsewhere or are not significant. The date
4380 # is relative to the Proleptic Gregorian Calendar. This can represent:
4381 #
4382 # * A full date, with non-zero year, month and day values
4383 # * A month and day value, with a zero year, e.g. an anniversary
4384 # * A year on its own, with zero month and day values
4385 # * A year and month value, with a zero day, e.g. a credit card expiration date
4386 #
4387 # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
4388 &quot;year&quot;: 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
4389 # a year.
4390 &quot;month&quot;: 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
4391 # month and day.
4392 &quot;day&quot;: 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
4393 # if specifying a year by itself or a year and month where the day is not
4394 # significant.
4395 },
4396 &quot;stringValue&quot;: &quot;A String&quot;, # string
4397 &quot;integerValue&quot;: &quot;A String&quot;, # integer
4398 &quot;timeValue&quot;: { # Represents a time of day. The date and time zone are either not significant # time of day
4399 # or are specified elsewhere. An API may choose to allow leap seconds. Related
4400 # types are google.type.Date and `google.protobuf.Timestamp`.
4401 &quot;seconds&quot;: 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
4402 # allow the value 60 if it allows leap-seconds.
4403 &quot;nanos&quot;: 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
4404 &quot;hours&quot;: 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
4405 # to allow the value &quot;24:00:00&quot; for scenarios like business closing time.
4406 &quot;minutes&quot;: 42, # Minutes of hour of day. Must be from 0 to 59.
4407 },
4408 },
4409 },
4410 ],
4411 },
4412 },
4413 },
4414 },
4415 ],
4416 &quot;fieldTransformations&quot;: [ # Transform the record by applying various field transformations.
4417 { # The transformation to apply to the field.
4418 &quot;fields&quot;: [ # Required. Input field(s) to apply the transformation to.
4419 { # General identifier of a data field in a storage service.
4420 &quot;name&quot;: &quot;A String&quot;, # Name describing the field.
4421 },
4422 ],
4423 &quot;infoTypeTransformations&quot;: { # A type of transformation that will scan unstructured text and # Treat the contents of the field as free text, and selectively
4424 # transform content that matches an `InfoType`.
4425 # apply various `PrimitiveTransformation`s to each finding, where the
4426 # transformation is applied to only values that were identified as a specific
4427 # info_type.
4428 &quot;transformations&quot;: [ # Required. Transformation for each infoType. Cannot specify more than one
4429 # for a given infoType.
4430 { # A transformation to apply to text that is identified as a specific
4431 # info_type.
4432 &quot;infoTypes&quot;: [ # InfoTypes to apply the transformation to. An empty list will cause
4433 # this transformation to apply to all findings that correspond to
4434 # infoTypes that were requested in `InspectConfig`.
4435 { # Type of information detected by the API.
4436 &quot;name&quot;: &quot;A String&quot;, # Name of the information type. Either a name of your choosing when
4437 # creating a CustomInfoType, or one of the names listed
4438 # at https://cloud.google.com/dlp/docs/infotypes-reference when specifying
4439 # a built-in type. InfoType names should conform to the pattern
4440 # `[a-zA-Z0-9_]{1,64}`.
4441 },
4442 ],
4443 &quot;primitiveTransformation&quot;: { # A rule for transforming a value. # Required. Primitive transformation to apply to the infoType.
4444 &quot;timePartConfig&quot;: { # For use with `Date`, `Timestamp`, and `TimeOfDay`, extract or preserve a # Time extraction
4445 # portion of the value.
4446 &quot;partToExtract&quot;: &quot;A String&quot;, # The part of the time to keep.
4447 },
4448 &quot;dateShiftConfig&quot;: { # Shifts dates by random number of days, with option to be consistent for the # Date Shift
4449 # same context. See https://cloud.google.com/dlp/docs/concepts-date-shifting
4450 # to learn more.
4451 &quot;context&quot;: { # General identifier of a data field in a storage service. # Points to the field that contains the context, for example, an entity id.
4452 # If set, must also set cryptoKey. If set, shift will be consistent for the
4453 # given context.
4454 &quot;name&quot;: &quot;A String&quot;, # Name describing the field.
4455 },
4456 &quot;upperBoundDays&quot;: 42, # Required. Range of shift in days. Actual shift will be selected at random within this
4457 # range (inclusive ends). Negative means shift to earlier in time. Must not
4458 # be more than 365250 days (1000 years) each direction.
4459 #
4460 # For example, 3 means shift date to at most 3 days into the future.
4461 &quot;lowerBoundDays&quot;: 42, # Required. For example, -5 means shift date to at most 5 days back in the past.
4462 &quot;cryptoKey&quot;: { # This is a data encryption key (DEK) (as opposed to # Causes the shift to be computed based on this key and the context. This
4463 # results in the same shift for the same context and crypto_key. If
4464 # set, must also set context. Can only be applied to table items.
4465 # a key encryption key (KEK) stored by KMS).
4466 # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
4467 # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
4468 # unwrap the data crypto key.
4469 &quot;kmsWrapped&quot;: { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key
4470 # The wrapped key must be a 128/192/256 bit key.
4471 # Authorization requires the following IAM permissions when sending a request
4472 # to perform a crypto transformation using a kms-wrapped crypto key:
4473 # dlp.kms.encrypt
4474 &quot;wrappedKey&quot;: &quot;A String&quot;, # Required. The wrapped data crypto key.
4475 &quot;cryptoKeyName&quot;: &quot;A String&quot;, # Required. The resource name of the KMS CryptoKey to use for unwrapping.
4476 },
4477 &quot;unwrapped&quot;: { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key
4478 # leaking the key. Choose another type of key if possible.
4479 &quot;key&quot;: &quot;A String&quot;, # Required. A 128/192/256 bit key.
4480 },
4481 &quot;transient&quot;: { # Use this to have a random data crypto key generated. # Transient crypto key
4482 # It will be discarded after the request finishes.
4483 &quot;name&quot;: &quot;A String&quot;, # Required. Name of the key.
4484 # This is an arbitrary string used to differentiate different keys.
4485 # A unique key is generated per name: two separate `TransientCryptoKey`
4486 # protos share the same generated key if their names are the same.
4487 # When the data crypto key is generated, this name is not used in any way
4488 # (repeating the api call will result in a different key being generated).
4489 },
4490 },
4491 },
4492 &quot;replaceWithInfoTypeConfig&quot;: { # Replace each matching finding with the name of the info_type. # Replace with infotype
4493 },
4494 &quot;cryptoHashConfig&quot;: { # Pseudonymization method that generates surrogates via cryptographic hashing. # Crypto
4495 # Uses SHA-256.
4496 # The key size must be either 32 or 64 bytes.
4497 # Outputs a base64 encoded representation of the hashed output
4498 # (for example, L7k0BHmF1ha5U3NfGykjro4xWi1MPVQPjhMAZbSV9mM=).
4499 # Currently, only string and integer values can be hashed.
4500 # See https://cloud.google.com/dlp/docs/pseudonymization to learn more.
4501 &quot;cryptoKey&quot;: { # This is a data encryption key (DEK) (as opposed to # The key used by the hash function.
4502 # a key encryption key (KEK) stored by KMS).
4503 # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
4504 # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
4505 # unwrap the data crypto key.
4506 &quot;kmsWrapped&quot;: { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key
4507 # The wrapped key must be a 128/192/256 bit key.
4508 # Authorization requires the following IAM permissions when sending a request
4509 # to perform a crypto transformation using a kms-wrapped crypto key:
4510 # dlp.kms.encrypt
4511 &quot;wrappedKey&quot;: &quot;A String&quot;, # Required. The wrapped data crypto key.
4512 &quot;cryptoKeyName&quot;: &quot;A String&quot;, # Required. The resource name of the KMS CryptoKey to use for unwrapping.
4513 },
4514 &quot;unwrapped&quot;: { # Using a raw key is a security risk because the key can be leaked # Unwrapped crypto key
4515 # accidentally. Choose another type of key if possible.
4516 &quot;key&quot;: &quot;A String&quot;, # Required. A 128/192/256 bit key.
4517 },
4518 &quot;transient&quot;: { # Use this to have a random data crypto key generated. # Transient crypto key
4519 # It will be discarded after the request finishes.
4520 &quot;name&quot;: &quot;A String&quot;, # Required. Name of the key.
4521 # This is an arbitrary string used to distinguish between keys.
4522 # A unique key is generated per name: two separate `TransientCryptoKey`
4523 # protos share the same generated key if their names are the same.
4524 # The name is not used as input when the data crypto key is generated,
4525 # so repeating the API call results in a different key being generated.
4526 },
4527 },
4528 },
4529 &quot;cryptoReplaceFfxFpeConfig&quot;: { # Replaces an identifier with a surrogate using Format Preserving Encryption # Ffx-Fpe
4530 # (FPE) with the FFX mode of operation; however when used in the
4531 # `ReidentifyContent` API method, it serves the opposite function by reversing
4532 # the surrogate back into the original identifier. The identifier must be
4533 # encoded as ASCII. For a given crypto key and context, the same identifier
4534 # will be replaced with the same surrogate. Identifiers must be at least two
4535 # characters long. In the case that the identifier is the empty string, it will
4536 # be skipped. See https://cloud.google.com/dlp/docs/pseudonymization to learn
4537 # more.
4538 #
4539 # Note: We recommend using CryptoDeterministicConfig for all use cases which
4540 # do not require preserving the input alphabet space and size, plus warrant
4541 # referential integrity.
4542 &quot;customAlphabet&quot;: &quot;A String&quot;, # A custom alphabet is supported by mapping its characters to the alphanumeric characters
4543 # that the FFX mode natively supports. This mapping happens before/after
4544 # encryption/decryption.
4545 # Each character listed must appear only once.
4546 # Number of characters must be in the range [2, 95].
4547 # This must be encoded as ASCII.
4548 # The order of characters does not matter.
4549 &quot;commonAlphabet&quot;: &quot;A String&quot;, # Common alphabets.
4550 &quot;surrogateInfoType&quot;: { # Type of information detected by the API. # The custom infoType to annotate the surrogate with.
4551 # This annotation will be applied to the surrogate by prefixing it with
4552 # the name of the custom infoType followed by the number of
4553 # characters comprising the surrogate. The following scheme defines the
4554 # format: info_type_name(surrogate_character_count):surrogate
4555 #
4556 # For example, if the name of custom infoType is &#x27;MY_TOKEN_INFO_TYPE&#x27; and
4557 # the surrogate is &#x27;abc&#x27;, the full replacement value
4558 # will be: &#x27;MY_TOKEN_INFO_TYPE(3):abc&#x27;
4559 #
4560 # This annotation identifies the surrogate when inspecting content using the
4561 # custom infoType
4562 # [`SurrogateType`](/dlp/docs/reference/rest/v2/InspectConfig#surrogatetype).
4563 # This facilitates reversal of the surrogate when it occurs in free text.
4564 #
4565 # In order for inspection to work properly, the name of this infoType must
4566 # not occur naturally anywhere in your data; otherwise, inspection may
4567 # find a surrogate that does not correspond to an actual identifier.
4568 # Therefore, choose your custom infoType name carefully after considering
4569 # what your data looks like. One way to select a name that has a high chance
4570 # of yielding reliable detection is to include one or more unicode characters
4571 # that are highly improbable to exist in your data.
4572 # For example, assuming your data is entered from a regular ASCII keyboard,
4573 # the symbol with the hex code point 29DD might be used like so:
4574 # ⧝MY_TOKEN_TYPE
4575 &quot;name&quot;: &quot;A String&quot;, # Name of the information type. Either a name of your choosing when
4576 # creating a CustomInfoType, or one of the names listed
4577 # at https://cloud.google.com/dlp/docs/infotypes-reference when specifying
4578 # a built-in type. InfoType names should conform to the pattern
4579 # `[a-zA-Z0-9_]{1,64}`.
4580 },
4581 &quot;context&quot;: { # General identifier of a data field in a storage service. # The &#x27;tweak&#x27;. A context may be used for higher security, since the same
4582 # identifier in two different contexts won&#x27;t be given the same surrogate. If
4583 # the context is not set, a default tweak will be used.
4584 #
4585 # If the context is set but:
4586 #
4587 # 1. there is no record present when transforming a given value or
4588 # 2. the field is not present when transforming a given value,
4589 #
4590 # a default tweak will be used.
4591 #
4592 # Note that case (1) is expected when an `InfoTypeTransformation` is
4593 # applied to both structured and non-structured `ContentItem`s.
4594 # Currently, the referenced field may be of value type integer or string.
4595 #
4596 # The tweak is constructed as a sequence of bytes in big endian byte order
4597 # such that:
4598 #
4599 # - a 64 bit integer is encoded followed by a single byte of value 1
4600 # - a string is encoded in UTF-8 format followed by a single byte of value 2
4601 &quot;name&quot;: &quot;A String&quot;, # Name describing the field.
4602 },
4603 &quot;radix&quot;: 42, # The native way to select the alphabet. Must be in the range [2, 95].
4604 &quot;cryptoKey&quot;: { # This is a data encryption key (DEK) (as opposed to # Required. The key used by the encryption algorithm.
4605 # a key encryption key (KEK) stored by KMS).
4606 # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
4607 # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
4608 # unwrap the data crypto key.
4609 &quot;kmsWrapped&quot;: { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key
4610 # The wrapped key must be a 128/192/256 bit key.
4611 # Authorization requires the following IAM permissions when sending a request
4612 # to perform a crypto transformation using a kms-wrapped crypto key:
4613 # dlp.kms.encrypt
4614 &quot;wrappedKey&quot;: &quot;A String&quot;, # Required. The wrapped data crypto key.
4615 &quot;cryptoKeyName&quot;: &quot;A String&quot;, # Required. The resource name of the KMS CryptoKey to use for unwrapping.
4616 },
4617 &quot;unwrapped&quot;: { # Using a raw key is a security risk because the key can be leaked # Unwrapped crypto key
4618 # accidentally. Choose another type of key if possible.
4619 &quot;key&quot;: &quot;A String&quot;, # Required. A 128/192/256 bit key.
4620 },
4621 &quot;transient&quot;: { # Use this to have a random data crypto key generated. # Transient crypto key
4622 # It will be discarded after the request finishes.
4623 &quot;name&quot;: &quot;A String&quot;, # Required. Name of the key.
4624 # This is an arbitrary string used to distinguish between keys.
4625 # A unique key is generated per name: two separate `TransientCryptoKey`
4626 # protos share the same generated key if their names are the same.
4627 # The name is not used as input when the data crypto key is generated,
4628 # so repeating the API call results in a different key being generated.
4629 },
4630 },
4631 },
4632 &quot;cryptoDeterministicConfig&quot;: { # Pseudonymization method that generates deterministic encryption for the given # Deterministic Crypto
4633 # input. Outputs a base64 encoded representation of the encrypted output.
4634 # Uses AES-SIV based on the RFC https://tools.ietf.org/html/rfc5297.
4635 &quot;surrogateInfoType&quot;: { # Type of information detected by the API. # The custom info type to annotate the surrogate with.
4636 # This annotation will be applied to the surrogate by prefixing it with
4637 # the name of the custom info type followed by the number of
4638 # characters comprising the surrogate. The following scheme defines the
4639 # format: {info type name}({surrogate character count}):{surrogate}
4640 #
4641 # For example, if the name of custom info type is &#x27;MY_TOKEN_INFO_TYPE&#x27; and
4642 # the surrogate is &#x27;abc&#x27;, the full replacement value
4643 # will be: &#x27;MY_TOKEN_INFO_TYPE(3):abc&#x27;
4644 #
4645 # This annotation identifies the surrogate when inspecting content using the
4646 # custom info type &#x27;Surrogate&#x27;. This facilitates reversal of the
4647 # surrogate when it occurs in free text.
4648 #
4649 # Note: For record transformations where the entire cell in a table is being
4650 # transformed, surrogates are not mandatory. Surrogates are used to denote
4651 # the location of the token and are necessary for re-identification in free
4652 # form text.
4653 #
4654 # In order for inspection to work properly, the name of this info type must
4655 # not occur naturally anywhere in your data; otherwise, inspection may either
4656 #
4657 # - reverse a surrogate that does not correspond to an actual identifier
4658 # - be unable to parse the surrogate and result in an error
4659 #
4660 # Therefore, choose your custom info type name carefully after considering
4661 # what your data looks like. One way to select a name that has a high chance
4662 # of yielding reliable detection is to include one or more unicode characters
4663 # that are highly improbable to exist in your data.
4664 # For example, assuming your data is entered from a regular ASCII keyboard,
4665 # the symbol with the hex code point 29DD might be used like so:
4666 # ⧝MY_TOKEN_TYPE.
4667 &quot;name&quot;: &quot;A String&quot;, # Name of the information type. Either a name of your choosing when
4668 # creating a CustomInfoType, or one of the names listed
4669 # at https://cloud.google.com/dlp/docs/infotypes-reference when specifying
4670 # a built-in type. InfoType names should conform to the pattern
4671 # `[a-zA-Z0-9_]{1,64}`.
4672 },
4673 &quot;context&quot;: { # General identifier of a data field in a storage service. # A context may be used for higher security and maintaining
4674 # referential integrity such that the same identifier in two different
4675 # contexts will be given a distinct surrogate. The context is appended to
4676 # the plaintext value being encrypted. On decryption the provided context is
4677 # validated against the value used during encryption. If a context was
4678 # provided during encryption, the same context must be provided during decryption
4679 # as well.
4680 #
4681 # If the context is not set, plaintext would be used as is for encryption.
4682 # If the context is set but:
4683 #
4684 # 1. there is no record present when transforming a given value or
4685 # 2. the field is not present when transforming a given value,
4686 #
4687 # plaintext would be used as is for encryption.
4688 #
4689 # Note that case (1) is expected when an `InfoTypeTransformation` is
4690 # applied to both structured and non-structured `ContentItem`s.
4691 &quot;name&quot;: &quot;A String&quot;, # Name describing the field.
4692 },
4693 &quot;cryptoKey&quot;: { # This is a data encryption key (DEK) (as opposed to # The key used by the encryption function.
4694 # a key encryption key (KEK) stored by KMS).
4695 # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
4696 # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
4697 # unwrap the data crypto key.
4698 &quot;kmsWrapped&quot;: { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key
4699 # The wrapped key must be a 128/192/256 bit key.
4700 # Authorization requires the following IAM permissions when sending a request
4701 # to perform a crypto transformation using a kms-wrapped crypto key:
4702 # dlp.kms.encrypt
4703 &quot;wrappedKey&quot;: &quot;A String&quot;, # Required. The wrapped data crypto key.
4704 &quot;cryptoKeyName&quot;: &quot;A String&quot;, # Required. The resource name of the KMS CryptoKey to use for unwrapping.
4705 },
4706 &quot;unwrapped&quot;: { # Using a raw key is a security risk because the key can be leaked # Unwrapped crypto key
4707 # accidentally. Choose another type of key if possible.
4708 &quot;key&quot;: &quot;A String&quot;, # Required. A 128/192/256 bit key.
4709 },
4710 &quot;transient&quot;: { # Use this to have a random data crypto key generated. # Transient crypto key
4711 # It will be discarded after the request finishes.
4712 &quot;name&quot;: &quot;A String&quot;, # Required. Name of the key.
4713 # This is an arbitrary string used to distinguish between keys.
4714 # A unique key is generated per name: two separate `TransientCryptoKey`
4715 # protos share the same generated key if their names are the same.
4716 # The name is not used as input when the data crypto key is generated,
4717 # so repeating the API call results in a different key being generated.
4718 },
4719 },
4720 },
4721 &quot;redactConfig&quot;: { # Redact a given value. For example, if used with an `InfoTypeTransformation` # Redact
4722 # transforming PHONE_NUMBER, and input &#x27;My phone number is 206-555-0123&#x27;, the
4723 # output would be &#x27;My phone number is &#x27;.
4724 },
4725 &quot;bucketingConfig&quot;: { # Generalization function that buckets values based on ranges. The ranges and # Bucketing
4726 # replacement values are dynamically provided by the user for custom behavior,
4727 # such as 1-30 -&gt; LOW 31-65 -&gt; MEDIUM 66-100 -&gt; HIGH
4728 # This can be used on
4729 # data of type: number, long, string, timestamp.
4730 # If the bound `Value` type differs from the type of data being transformed, we
4731 # will first attempt converting the type of the data to be transformed to match
4732 # the type of the bound before comparing.
4733 # See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more.
4734 &quot;buckets&quot;: [ # Set of buckets. Ranges must be non-overlapping.
4735 { # Bucket is represented as a range, along with replacement values.
4736 &quot;min&quot;: { # Set of primitive values supported by the system. # Lower bound of the range, inclusive. Type should be the same as max if
4737 # used.
4738 # Note that for the purposes of inspection or transformation, the number
4739 # of bytes considered to comprise a &#x27;Value&#x27; is based on its representation
4740 # as a UTF-8 encoded string. For example, if &#x27;integer_value&#x27; is set to
4741 # 123456789, the number of bytes would be counted as 9, even though an
4742 # int64 only holds up to 8 bytes of data.
4743 &quot;booleanValue&quot;: True or False, # boolean
4744 &quot;floatValue&quot;: 3.14, # float
4745 &quot;dayOfWeekValue&quot;: &quot;A String&quot;, # day of week
4746 &quot;timestampValue&quot;: &quot;A String&quot;, # timestamp
4747 &quot;dateValue&quot;: { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date
4748 # and time zone are either specified elsewhere or are not significant. The date
4749 # is relative to the Proleptic Gregorian Calendar. This can represent:
4750 #
4751 # * A full date, with non-zero year, month and day values
4752 # * A month and day value, with a zero year, e.g. an anniversary
4753 # * A year on its own, with zero month and day values
4754 # * A year and month value, with a zero day, e.g. a credit card expiration date
4755 #
4756 # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
4757 &quot;year&quot;: 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
4758 # a year.
4759 &quot;month&quot;: 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
4760 # month and day.
4761 &quot;day&quot;: 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
4762 # if specifying a year by itself or a year and month where the day is not
4763 # significant.
4764 },
4765 &quot;stringValue&quot;: &quot;A String&quot;, # string
4766 &quot;integerValue&quot;: &quot;A String&quot;, # integer
4767 &quot;timeValue&quot;: { # Represents a time of day. The date and time zone are either not significant # time of day
4768 # or are specified elsewhere. An API may choose to allow leap seconds. Related
4769 # types are google.type.Date and `google.protobuf.Timestamp`.
4770 &quot;seconds&quot;: 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
4771 # allow the value 60 if it allows leap-seconds.
4772 &quot;nanos&quot;: 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
4773 &quot;hours&quot;: 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
4774 # to allow the value &quot;24:00:00&quot; for scenarios like business closing time.
4775 &quot;minutes&quot;: 42, # Minutes of hour of day. Must be from 0 to 59.
4776 },
4777 },
4778 &quot;max&quot;: { # Set of primitive values supported by the system. # Upper bound of the range, exclusive; type must match min.
4779 # Note that for the purposes of inspection or transformation, the number
4780 # of bytes considered to comprise a &#x27;Value&#x27; is based on its representation
4781 # as a UTF-8 encoded string. For example, if &#x27;integer_value&#x27; is set to
4782 # 123456789, the number of bytes would be counted as 9, even though an
4783 # int64 only holds up to 8 bytes of data.
4784 &quot;booleanValue&quot;: True or False, # boolean
4785 &quot;floatValue&quot;: 3.14, # float
4786 &quot;dayOfWeekValue&quot;: &quot;A String&quot;, # day of week
4787 &quot;timestampValue&quot;: &quot;A String&quot;, # timestamp
4788 &quot;dateValue&quot;: { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date
4789 # and time zone are either specified elsewhere or are not significant. The date
4790 # is relative to the Proleptic Gregorian Calendar. This can represent:
4791 #
4792 # * A full date, with non-zero year, month and day values
4793 # * A month and day value, with a zero year, e.g. an anniversary
4794 # * A year on its own, with zero month and day values
4795 # * A year and month value, with a zero day, e.g. a credit card expiration date
4796 #
4797 # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
4798 &quot;year&quot;: 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
4799 # a year.
4800 &quot;month&quot;: 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
4801 # month and day.
4802 &quot;day&quot;: 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
4803 # if specifying a year by itself or a year and month where the day is not
4804 # significant.
4805 },
4806 &quot;stringValue&quot;: &quot;A String&quot;, # string
4807 &quot;integerValue&quot;: &quot;A String&quot;, # integer
4808 &quot;timeValue&quot;: { # Represents a time of day. The date and time zone are either not significant # time of day
4809 # or are specified elsewhere. An API may choose to allow leap seconds. Related
4810 # types are google.type.Date and `google.protobuf.Timestamp`.
4811 &quot;seconds&quot;: 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
4812 # allow the value 60 if it allows leap-seconds.
4813 &quot;nanos&quot;: 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
4814 &quot;hours&quot;: 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
4815 # to allow the value &quot;24:00:00&quot; for scenarios like business closing time.
4816 &quot;minutes&quot;: 42, # Minutes of hour of day. Must be from 0 to 59.
4817 },
4818 },
4819 &quot;replacementValue&quot;: { # Set of primitive values supported by the system. # Replacement value for this bucket. If not provided
4820 # the default behavior will be to hyphenate the min-max range.
4821 # Note that for the purposes of inspection or transformation, the number
4822 # of bytes considered to comprise a &#x27;Value&#x27; is based on its representation
4823 # as a UTF-8 encoded string. For example, if &#x27;integer_value&#x27; is set to
4824 # 123456789, the number of bytes would be counted as 9, even though an
4825 # int64 only holds up to 8 bytes of data.
4826 &quot;booleanValue&quot;: True or False, # boolean
4827 &quot;floatValue&quot;: 3.14, # float
4828 &quot;dayOfWeekValue&quot;: &quot;A String&quot;, # day of week
4829 &quot;timestampValue&quot;: &quot;A String&quot;, # timestamp
4830 &quot;dateValue&quot;: { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date
4831 # and time zone are either specified elsewhere or are not significant. The date
4832 # is relative to the Proleptic Gregorian Calendar. This can represent:
4833 #
4834 # * A full date, with non-zero year, month and day values
4835 # * A month and day value, with a zero year, e.g. an anniversary
4836 # * A year on its own, with zero month and day values
4837 # * A year and month value, with a zero day, e.g. a credit card expiration date
4838 #
4839 # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
4840 &quot;year&quot;: 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
4841 # a year.
4842 &quot;month&quot;: 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
4843 # month and day.
4844 &quot;day&quot;: 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
4845 # if specifying a year by itself or a year and month where the day is not
4846 # significant.
4847 },
4848 &quot;stringValue&quot;: &quot;A String&quot;, # string
4849 &quot;integerValue&quot;: &quot;A String&quot;, # integer
4850 &quot;timeValue&quot;: { # Represents a time of day. The date and time zone are either not significant # time of day
4851 # or are specified elsewhere. An API may choose to allow leap seconds. Related
4852 # types are google.type.Date and `google.protobuf.Timestamp`.
4853 &quot;seconds&quot;: 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
4854 # allow the value 60 if it allows leap-seconds.
4855 &quot;nanos&quot;: 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
4856 &quot;hours&quot;: 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
4857 # to allow the value &quot;24:00:00&quot; for scenarios like business closing time.
4858 &quot;minutes&quot;: 42, # Minutes of hour of day. Must be from 0 to 59.
4859 },
4860 },
4861 },
4862 ],
4863 },
4864 &quot;replaceConfig&quot;: { # Replace each input value with a given `Value`. # Replace
4865 &quot;newValue&quot;: { # Set of primitive values supported by the system. # Value to replace it with.
4866 # Note that for the purposes of inspection or transformation, the number
4867 # of bytes considered to comprise a &#x27;Value&#x27; is based on its representation
4868 # as a UTF-8 encoded string. For example, if &#x27;integer_value&#x27; is set to
4869 # 123456789, the number of bytes would be counted as 9, even though an
4870 # int64 only holds up to 8 bytes of data.
4871 &quot;booleanValue&quot;: True or False, # boolean
4872 &quot;floatValue&quot;: 3.14, # float
4873 &quot;dayOfWeekValue&quot;: &quot;A String&quot;, # day of week
4874 &quot;timestampValue&quot;: &quot;A String&quot;, # timestamp
4875 &quot;dateValue&quot;: { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date
4876 # and time zone are either specified elsewhere or are not significant. The date
4877 # is relative to the Proleptic Gregorian Calendar. This can represent:
4878 #
4879 # * A full date, with non-zero year, month and day values
4880 # * A month and day value, with a zero year, e.g. an anniversary
4881 # * A year on its own, with zero month and day values
4882 # * A year and month value, with a zero day, e.g. a credit card expiration date
4883 #
4884 # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
4885 &quot;year&quot;: 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
4886 # a year.
4887 &quot;month&quot;: 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
4888 # month and day.
4889 &quot;day&quot;: 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
4890 # if specifying a year by itself or a year and month where the day is not
4891 # significant.
4892 },
4893 &quot;stringValue&quot;: &quot;A String&quot;, # string
4894 &quot;integerValue&quot;: &quot;A String&quot;, # integer
4895 &quot;timeValue&quot;: { # Represents a time of day. The date and time zone are either not significant # time of day
4896 # or are specified elsewhere. An API may choose to allow leap seconds. Related
4897 # types are google.type.Date and `google.protobuf.Timestamp`.
4898 &quot;seconds&quot;: 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
4899 # allow the value 60 if it allows leap-seconds.
4900 &quot;nanos&quot;: 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
4901 &quot;hours&quot;: 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
4902 # to allow the value &quot;24:00:00&quot; for scenarios like business closing time.
4903 &quot;minutes&quot;: 42, # Minutes of hour of day. Must be from 0 to 59.
4904 },
4905 },
4906 },
4907 &quot;characterMaskConfig&quot;: { # Partially mask a string by replacing a given number of characters with a # Mask
4908 # fixed character. Masking can start from the beginning or end of the string.
4909 # This can be used on data of any type (numbers, longs, and so on) and when
4910 # de-identifying structured data we&#x27;ll attempt to preserve the original data&#x27;s
4911 # type. (This allows you to take a long like 123 and modify it to a string like
4912 # **3.)
4913 &quot;reverseOrder&quot;: True or False, # Mask characters in reverse order. For example, if `masking_character` is
4914 # `0`, `number_to_mask` is `14`, and `reverse_order` is `false`, then the
4915 # input string `1234-5678-9012-3456` is masked as `00000000000000-3456`.
4916 # If `masking_character` is `*`, `number_to_mask` is `3`, and `reverse_order`
4917 # is `true`, then the string `12345` is masked as `12***`.
4918 &quot;charactersToIgnore&quot;: [ # When masking a string, items in this list will be skipped when replacing
4919 # characters. For example, if the input string is `555-555-5555` and you
4920 # instruct Cloud DLP to skip `-` and mask 5 characters with `*`, Cloud DLP
4921 # returns `***-**5-5555`.
4922 { # Characters to skip when doing deidentification of a value. These will be left
4923 # alone and skipped.
4924 &quot;charactersToSkip&quot;: &quot;A String&quot;, # Characters to not transform when masking.
4925 &quot;commonCharactersToIgnore&quot;: &quot;A String&quot;, # Common characters to not transform when masking. Useful to avoid removing
4926 # punctuation.
4927 },
4928 ],
4929 &quot;numberToMask&quot;: 42, # Number of characters to mask. If not set, all matching chars will be
4930 # masked. Skipped characters do not count towards this tally.
4931 &quot;maskingCharacter&quot;: &quot;A String&quot;, # Character to use to mask the sensitive values—for example, `*` for an
4932 # alphabetic string such as a name, or `0` for a numeric string such as ZIP
4933 # code or credit card number. This string must have a length of 1. If not
4934 # supplied, this value defaults to `*` for strings, and `0` for digits.
4935 },
4936 &quot;fixedSizeBucketingConfig&quot;: { # Buckets values based on fixed size ranges. The # Fixed size bucketing
4937 # Bucketing transformation can provide all of this functionality,
4938 # but requires more configuration. This message is provided as a convenience to
4939 # the user for simple bucketing strategies.
4940 #
4941 # The transformed value will be a hyphenated string of
4942 # {lower_bound}-{upper_bound}, i.e., if lower_bound = 10 and upper_bound = 20
4943 # all values that are within this bucket will be replaced with &quot;10-20&quot;.
4944 #
4945 # This can be used on data of type: double, long.
4946 #
4947 # If the bound Value type differs from the type of data
4948 # being transformed, we will first attempt converting the type of the data to
4949 # be transformed to match the type of the bound before comparing.
4950 #
4951 # See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more.
4952 &quot;lowerBound&quot;: { # Set of primitive values supported by the system. # Required. Lower bound value of buckets. All values less than `lower_bound` are
4953 # grouped together into a single bucket; for example if `lower_bound` = 10,
4954 # then all values less than 10 are replaced with the value &quot;-10&quot;.
4955 # Note that for the purposes of inspection or transformation, the number
4956 # of bytes considered to comprise a &#x27;Value&#x27; is based on its representation
4957 # as a UTF-8 encoded string. For example, if &#x27;integer_value&#x27; is set to
4958 # 123456789, the number of bytes would be counted as 9, even though an
4959 # int64 only holds up to 8 bytes of data.
4960 &quot;booleanValue&quot;: True or False, # boolean
4961 &quot;floatValue&quot;: 3.14, # float
4962 &quot;dayOfWeekValue&quot;: &quot;A String&quot;, # day of week
4963 &quot;timestampValue&quot;: &quot;A String&quot;, # timestamp
4964 &quot;dateValue&quot;: { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date
4965 # and time zone are either specified elsewhere or are not significant. The date
4966 # is relative to the Proleptic Gregorian Calendar. This can represent:
4967 #
4968 # * A full date, with non-zero year, month and day values
4969 # * A month and day value, with a zero year, e.g. an anniversary
4970 # * A year on its own, with zero month and day values
4971 # * A year and month value, with a zero day, e.g. a credit card expiration date
4972 #
4973 # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
4974 &quot;year&quot;: 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
4975 # a year.
4976 &quot;month&quot;: 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
4977 # month and day.
4978 &quot;day&quot;: 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
4979 # if specifying a year by itself or a year and month where the day is not
4980 # significant.
4981 },
4982 &quot;stringValue&quot;: &quot;A String&quot;, # string
4983 &quot;integerValue&quot;: &quot;A String&quot;, # integer
4984 &quot;timeValue&quot;: { # Represents a time of day. The date and time zone are either not significant # time of day
4985 # or are specified elsewhere. An API may choose to allow leap seconds. Related
4986 # types are google.type.Date and `google.protobuf.Timestamp`.
4987 &quot;seconds&quot;: 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
4988 # allow the value 60 if it allows leap-seconds.
4989 &quot;nanos&quot;: 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
4990 &quot;hours&quot;: 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
4991 # to allow the value &quot;24:00:00&quot; for scenarios like business closing time.
4992 &quot;minutes&quot;: 42, # Minutes of hour of day. Must be from 0 to 59.
4993 },
4994 },
4995 &quot;upperBound&quot;: { # Set of primitive values supported by the system. # Required. Upper bound value of buckets. All values greater than upper_bound are
4996 # grouped together into a single bucket; for example if `upper_bound` = 89,
4997 # then all values greater than 89 are replaced with the value &quot;89+&quot;.
4998 # Note that for the purposes of inspection or transformation, the number
4999 # of bytes considered to comprise a &#x27;Value&#x27; is based on its representation
5000 # as a UTF-8 encoded string. For example, if &#x27;integer_value&#x27; is set to
5001 # 123456789, the number of bytes would be counted as 9, even though an
5002 # int64 only holds up to 8 bytes of data.
5003 &quot;booleanValue&quot;: True or False, # boolean
5004 &quot;floatValue&quot;: 3.14, # float
5005 &quot;dayOfWeekValue&quot;: &quot;A String&quot;, # day of week
5006 &quot;timestampValue&quot;: &quot;A String&quot;, # timestamp
5007 &quot;dateValue&quot;: { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date
5008 # and time zone are either specified elsewhere or are not significant. The date
5009 # is relative to the Proleptic Gregorian Calendar. This can represent:
5010 #
5011 # * A full date, with non-zero year, month and day values
5012 # * A month and day value, with a zero year, e.g. an anniversary
5013 # * A year on its own, with zero month and day values
5014 # * A year and month value, with a zero day, e.g. a credit card expiration date
5015 #
5016 # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
5017 &quot;year&quot;: 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
5018 # a year.
5019 &quot;month&quot;: 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
5020 # month and day.
5021 &quot;day&quot;: 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
5022 # if specifying a year by itself or a year and month where the day is not
5023 # significant.
5024 },
5025 &quot;stringValue&quot;: &quot;A String&quot;, # string
5026 &quot;integerValue&quot;: &quot;A String&quot;, # integer
5027 &quot;timeValue&quot;: { # Represents a time of day. The date and time zone are either not significant # time of day
5028 # or are specified elsewhere. An API may choose to allow leap seconds. Related
5029 # types are google.type.Date and `google.protobuf.Timestamp`.
5030 &quot;seconds&quot;: 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
5031 # allow the value 60 if it allows leap-seconds.
5032 &quot;nanos&quot;: 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
5033 &quot;hours&quot;: 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
5034 # to allow the value &quot;24:00:00&quot; for scenarios like business closing time.
5035 &quot;minutes&quot;: 42, # Minutes of hour of day. Must be from 0 to 59.
5036 },
5037 },
5038 &quot;bucketSize&quot;: 3.14, # Required. Size of each bucket (except for minimum and maximum buckets). So if
5039 # `lower_bound` = 10, `upper_bound` = 89, and `bucket_size` = 10, then the
5040 # following buckets would be used: -10, 10-20, 20-30, 30-40, 40-50, 50-60,
5041 # 60-70, 70-80, 80-89, 89+. Precision up to 2 decimals works.
5042 },
5043 },
5044 },
5045 ],
5046 },
5047 &quot;primitiveTransformation&quot;: { # A rule for transforming a value. # Apply the transformation to the entire field.
5048 &quot;timePartConfig&quot;: { # For use with `Date`, `Timestamp`, and `TimeOfDay`, extract or preserve a # Time extraction
5049 # portion of the value.
5050 &quot;partToExtract&quot;: &quot;A String&quot;, # The part of the time to keep.
5051 },
5052 &quot;dateShiftConfig&quot;: { # Shifts dates by a random number of days, with the option to be consistent for the # Date Shift
5053 # same context. See https://cloud.google.com/dlp/docs/concepts-date-shifting
5054 # to learn more.
5055 &quot;context&quot;: { # General identifier of a data field in a storage service. # Points to the field that contains the context, for example, an entity id.
5056 # If set, must also set cryptoKey. If set, shift will be consistent for the
5057 # given context.
5058 &quot;name&quot;: &quot;A String&quot;, # Name describing the field.
5059 },
5060 &quot;upperBoundDays&quot;: 42, # Required. Range of shift in days. Actual shift will be selected at random within this
5061 # range (inclusive ends). Negative means shift to earlier in time. Must not
5062 # be more than 365250 days (1000 years) in each direction.
5063 #
5064 # For example, 3 means shift date to at most 3 days into the future.
5065 &quot;lowerBoundDays&quot;: 42, # Required. For example, -5 means shift date to at most 5 days back in the past.
5066 &quot;cryptoKey&quot;: { # This is a data encryption key (DEK), as opposed to a key encryption key (KEK) stored by KMS. # Causes the shift to be computed based on this key and the context. This
5067 # results in the same shift for the same context and crypto_key. If
5068 # set, must also set context. Can only be applied to table items.
5069 #
5070 # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
5071 # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
5072 # unwrap the data crypto key.
5073 &quot;kmsWrapped&quot;: { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key
5074 # The wrapped key must be a 128/192/256 bit key.
5075 # Authorization requires the following IAM permissions when sending a request
5076 # to perform a crypto transformation using a kms-wrapped crypto key:
5077 # dlp.kms.encrypt
5078 &quot;wrappedKey&quot;: &quot;A String&quot;, # Required. The wrapped data crypto key.
5079 &quot;cryptoKeyName&quot;: &quot;A String&quot;, # Required. The resource name of the KMS CryptoKey to use for unwrapping.
5080 },
5081 &quot;unwrapped&quot;: { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key
5082 # leaking the key. Choose another type of key if possible.
5083 &quot;key&quot;: &quot;A String&quot;, # Required. A 128/192/256 bit key.
5084 },
5085 &quot;transient&quot;: { # Use this to have a random data crypto key generated. # Transient crypto key
5086 # It will be discarded after the request finishes.
5087 &quot;name&quot;: &quot;A String&quot;, # Required. Name of the key.
5088 # This is an arbitrary string used to differentiate different keys.
5089 # A unique key is generated per name: two separate `TransientCryptoKey`
5090 # protos share the same generated key if their names are the same.
5091 # When the data crypto key is generated, this name is not used in any way
5092 # (repeating the api call will result in a different key being generated).
5093 },
5094 },
5095 },
5096 &quot;replaceWithInfoTypeConfig&quot;: { # Replace each matching finding with the name of the info_type. # Replace with infotype
5097 },
5098 &quot;cryptoHashConfig&quot;: { # Pseudonymization method that generates surrogates via cryptographic hashing. # Crypto
5099 # Uses SHA-256.
5100 # The key size must be either 32 or 64 bytes.
5101 # Outputs a base64 encoded representation of the hashed output
5102 # (for example, L7k0BHmF1ha5U3NfGykjro4xWi1MPVQPjhMAZbSV9mM=).
5103 # Currently, only string and integer values can be hashed.
5104 # See https://cloud.google.com/dlp/docs/pseudonymization to learn more.
5105 &quot;cryptoKey&quot;: { # This is a data encryption key (DEK), as opposed to a key encryption key (KEK) stored by KMS. # The key used by the hash function.
5106 #
5107 # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
5108 # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
5109 # unwrap the data crypto key.
5110 &quot;kmsWrapped&quot;: { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key
5111 # The wrapped key must be a 128/192/256 bit key.
5112 # Authorization requires the following IAM permissions when sending a request
5113 # to perform a crypto transformation using a kms-wrapped crypto key:
5114 # dlp.kms.encrypt
5115 &quot;wrappedKey&quot;: &quot;A String&quot;, # Required. The wrapped data crypto key.
5116 &quot;cryptoKeyName&quot;: &quot;A String&quot;, # Required. The resource name of the KMS CryptoKey to use for unwrapping.
5117 },
5118 &quot;unwrapped&quot;: { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key
5119 # leaking the key. Choose another type of key if possible.
5120 &quot;key&quot;: &quot;A String&quot;, # Required. A 128/192/256 bit key.
5121 },
5122 &quot;transient&quot;: { # Use this to have a random data crypto key generated. # Transient crypto key
5123 # It will be discarded after the request finishes.
5124 &quot;name&quot;: &quot;A String&quot;, # Required. Name of the key.
5125 # This is an arbitrary string used to differentiate different keys.
5126 # A unique key is generated per name: two separate `TransientCryptoKey`
5127 # protos share the same generated key if their names are the same.
5128 # When the data crypto key is generated, this name is not used in any way
5129 # (repeating the api call will result in a different key being generated).
5130 },
5131 },
5132 },
5133 &quot;cryptoReplaceFfxFpeConfig&quot;: { # Replaces an identifier with a surrogate using Format Preserving Encryption # Ffx-Fpe
5134 # (FPE) with the FFX mode of operation; however when used in the
5135 # `ReidentifyContent` API method, it serves the opposite function by reversing
5136 # the surrogate back into the original identifier. The identifier must be
5137 # encoded as ASCII. For a given crypto key and context, the same identifier
5138 # will be replaced with the same surrogate. Identifiers must be at least two
5139 # characters long. In the case that the identifier is the empty string, it will
5140 # be skipped. See https://cloud.google.com/dlp/docs/pseudonymization to learn
5141 # more.
5142 #
5143 # Note: We recommend using CryptoDeterministicConfig for all use cases which
5144 # do not require preserving the input alphabet space and size, plus warrant
5145 # referential integrity.
5146 &quot;customAlphabet&quot;: &quot;A String&quot;, # A custom alphabet is supported by mapping its characters to the alphanumeric characters
5147 # that the FFX mode natively supports. This happens before/after
5148 # encryption/decryption.
5149 # Each character listed must appear only once.
5150 # Number of characters must be in the range [2, 95].
5151 # This must be encoded as ASCII.
5152 # The order of characters does not matter.
5153 &quot;commonAlphabet&quot;: &quot;A String&quot;, # Common alphabets.
5154 &quot;surrogateInfoType&quot;: { # Type of information detected by the API. # The custom infoType to annotate the surrogate with.
5155 # This annotation will be applied to the surrogate by prefixing it with
5156 # the name of the custom infoType followed by the number of
5157 # characters comprising the surrogate. The following scheme defines the
5158 # format: info_type_name(surrogate_character_count):surrogate
5159 #
5160 # For example, if the name of custom infoType is &#x27;MY_TOKEN_INFO_TYPE&#x27; and
5161 # the surrogate is &#x27;abc&#x27;, the full replacement value
5162 # will be: &#x27;MY_TOKEN_INFO_TYPE(3):abc&#x27;
5163 #
5164 # This annotation identifies the surrogate when inspecting content using the
5165 # custom infoType
5166 # [`SurrogateType`](/dlp/docs/reference/rest/v2/InspectConfig#surrogatetype).
5167 # This facilitates reversal of the surrogate when it occurs in free text.
5168 #
5169 # In order for inspection to work properly, the name of this infoType must
5170 # not occur naturally anywhere in your data; otherwise, inspection may
5171 # find a surrogate that does not correspond to an actual identifier.
5172 # Therefore, choose your custom infoType name carefully after considering
5173 # what your data looks like. One way to select a name that has a high chance
5174 # of yielding reliable detection is to include one or more unicode characters
5175 # that are highly improbable to exist in your data.
5176 # For example, assuming your data is entered from a regular ASCII keyboard,
5177 # the symbol with the hex code point 29DD might be used like so:
5178 # ⧝MY_TOKEN_TYPE
5179 &quot;name&quot;: &quot;A String&quot;, # Name of the information type. Either a name of your choosing when
5180 # creating a CustomInfoType, or one of the names listed
5181 # at https://cloud.google.com/dlp/docs/infotypes-reference when specifying
5182 # a built-in type. InfoType names should conform to the pattern
5183 # `[a-zA-Z0-9_]{1,64}`.
5184 },
5185 &quot;context&quot;: { # General identifier of a data field in a storage service. # The &#x27;tweak&#x27;. A context may be used for higher security, since the same
5186 # identifier in two different contexts won&#x27;t be given the same surrogate. If
5187 # the context is not set, a default tweak will be used.
5188 #
5189 # If the context is set but:
5190 #
5191 # 1. there is no record present when transforming a given value or
5192 # 2. the field is not present when transforming a given value,
5193 #
5194 # a default tweak will be used.
5195 #
5196 # Note that case (1) is expected when an `InfoTypeTransformation` is
5197 # applied to both structured and non-structured `ContentItem`s.
5198 # Currently, the referenced field may be of value type integer or string.
5199 #
5200 # The tweak is constructed as a sequence of bytes in big endian byte order
5201 # such that:
5202 #
5203 # - a 64 bit integer is encoded followed by a single byte of value 1
5204 # - a string is encoded in UTF-8 format followed by a single byte of value 2
5205 &quot;name&quot;: &quot;A String&quot;, # Name describing the field.
5206 },
5207 &quot;radix&quot;: 42, # The native way to select the alphabet. Must be in the range [2, 95].
5208 &quot;cryptoKey&quot;: { # This is a data encryption key (DEK), as opposed to a key encryption key (KEK) stored by KMS. # Required. The key used by the encryption algorithm.
5209 #
5210 # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
5211 # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
5212 # unwrap the data crypto key.
5213 &quot;kmsWrapped&quot;: { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key
5214 # The wrapped key must be a 128/192/256 bit key.
5215 # Authorization requires the following IAM permissions when sending a request
5216 # to perform a crypto transformation using a kms-wrapped crypto key:
5217 # dlp.kms.encrypt
5218 &quot;wrappedKey&quot;: &quot;A String&quot;, # Required. The wrapped data crypto key.
5219 &quot;cryptoKeyName&quot;: &quot;A String&quot;, # Required. The resource name of the KMS CryptoKey to use for unwrapping.
5220 },
5221 &quot;unwrapped&quot;: { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key
5222 # leaking the key. Choose another type of key if possible.
5223 &quot;key&quot;: &quot;A String&quot;, # Required. A 128/192/256 bit key.
5224 },
5225 &quot;transient&quot;: { # Use this to have a random data crypto key generated. # Transient crypto key
5226 # It will be discarded after the request finishes.
5227 &quot;name&quot;: &quot;A String&quot;, # Required. Name of the key.
5228 # This is an arbitrary string used to differentiate different keys.
5229 # A unique key is generated per name: two separate `TransientCryptoKey`
5230 # protos share the same generated key if their names are the same.
5231 # When the data crypto key is generated, this name is not used in any way
5232 # (repeating the api call will result in a different key being generated).
5233 },
5234 },
5235 },
5236 &quot;cryptoDeterministicConfig&quot;: { # Pseudonymization method that generates deterministic encryption for the given # Deterministic Crypto
5237 # input. Outputs a base64 encoded representation of the encrypted output.
5238 # Uses AES-SIV based on the RFC https://tools.ietf.org/html/rfc5297.
5239 &quot;surrogateInfoType&quot;: { # Type of information detected by the API. # The custom info type to annotate the surrogate with.
5240 # This annotation will be applied to the surrogate by prefixing it with
5241 # the name of the custom info type followed by the number of
5242 # characters comprising the surrogate. The following scheme defines the
5243 # format: {info type name}({surrogate character count}):{surrogate}
5244 #
5245 # For example, if the name of custom info type is &#x27;MY_TOKEN_INFO_TYPE&#x27; and
5246 # the surrogate is &#x27;abc&#x27;, the full replacement value
5247 # will be: &#x27;MY_TOKEN_INFO_TYPE(3):abc&#x27;
5248 #
5249 # This annotation identifies the surrogate when inspecting content using the
5250 # custom info type &#x27;Surrogate&#x27;. This facilitates reversal of the
5251 # surrogate when it occurs in free text.
5252 #
5253 # Note: For record transformations where the entire cell in a table is being
5254 # transformed, surrogates are not mandatory. Surrogates are used to denote
5255 # the location of the token and are necessary for re-identification in free
5256 # form text.
5257 #
5258 # In order for inspection to work properly, the name of this info type must
5259 # not occur naturally anywhere in your data; otherwise, inspection may either
5260 #
5261 # - reverse a surrogate that does not correspond to an actual identifier
5262 # - be unable to parse the surrogate and result in an error
5263 #
5264 # Therefore, choose your custom info type name carefully after considering
5265 # what your data looks like. One way to select a name that has a high chance
5266 # of yielding reliable detection is to include one or more unicode characters
5267 # that are highly improbable to exist in your data.
5268 # For example, assuming your data is entered from a regular ASCII keyboard,
5269 # the symbol with the hex code point 29DD might be used like so:
5270 # ⧝MY_TOKEN_TYPE.
5271 &quot;name&quot;: &quot;A String&quot;, # Name of the information type. Either a name of your choosing when
5272 # creating a CustomInfoType, or one of the names listed
5273 # at https://cloud.google.com/dlp/docs/infotypes-reference when specifying
5274 # a built-in type. InfoType names should conform to the pattern
5275 # `[a-zA-Z0-9_]{1,64}`.
5276 },
5277 &quot;context&quot;: { # General identifier of a data field in a storage service. # A context may be used for higher security and maintaining
5278 # referential integrity such that the same identifier in two different
5279 # contexts will be given a distinct surrogate. The context is appended to
5280 # the plaintext value being encrypted. On decryption the provided context is
5281 # validated against the value used during encryption. If a context was
5282 # provided during encryption, the same context must be provided during decryption
5283 # as well.
5284 #
5285 # If the context is not set, plaintext would be used as is for encryption.
5286 # If the context is set but:
5287 #
5288 # 1. there is no record present when transforming a given value or
5289 # 2. the field is not present when transforming a given value,
5290 #
5291 # plaintext would be used as is for encryption.
5292 #
5293 # Note that case (1) is expected when an `InfoTypeTransformation` is
5294 # applied to both structured and non-structured `ContentItem`s.
5295 &quot;name&quot;: &quot;A String&quot;, # Name describing the field.
5296 },
5297 &quot;cryptoKey&quot;: { # This is a data encryption key (DEK), as opposed to a key encryption key (KEK) stored by KMS. # The key used by the encryption function.
5298 #
5299 # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
5300 # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
5301 # unwrap the data crypto key.
5302 &quot;kmsWrapped&quot;: { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key
5303 # The wrapped key must be a 128/192/256 bit key.
5304 # Authorization requires the following IAM permissions when sending a request
5305 # to perform a crypto transformation using a kms-wrapped crypto key:
5306 # dlp.kms.encrypt
5307 &quot;wrappedKey&quot;: &quot;A String&quot;, # Required. The wrapped data crypto key.
5308 &quot;cryptoKeyName&quot;: &quot;A String&quot;, # Required. The resource name of the KMS CryptoKey to use for unwrapping.
5309 },
5310 &quot;unwrapped&quot;: { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key
5311 # leaking the key. Choose another type of key if possible.
5312 &quot;key&quot;: &quot;A String&quot;, # Required. A 128/192/256 bit key.
5313 },
5314 &quot;transient&quot;: { # Use this to have a random data crypto key generated. # Transient crypto key
5315 # It will be discarded after the request finishes.
5316 &quot;name&quot;: &quot;A String&quot;, # Required. Name of the key.
5317 # This is an arbitrary string used to differentiate different keys.
5318 # A unique key is generated per name: two separate `TransientCryptoKey`
5319 # protos share the same generated key if their names are the same.
5320 # When the data crypto key is generated, this name is not used in any way
5321 # (repeating the api call will result in a different key being generated).
5322 },
5323 },
5324 },
5325 &quot;redactConfig&quot;: { # Redact a given value. For example, if used with an `InfoTypeTransformation` # Redact
5326 # transforming PHONE_NUMBER, and input &#x27;My phone number is 206-555-0123&#x27;, the
5327 # output would be &#x27;My phone number is &#x27;.
5328 },
5329 &quot;bucketingConfig&quot;: { # Generalization function that buckets values based on ranges. The ranges and # Bucketing
5330 # replacement values are dynamically provided by the user for custom behavior,
5331 # such as 1-30 -&gt; LOW, 31-65 -&gt; MEDIUM, 66-100 -&gt; HIGH.
5332 # This can be used on
5333 # data of type: number, long, string, timestamp.
5334 # If the bound `Value` type differs from the type of data being transformed, we
5335 # will first attempt converting the type of the data to be transformed to match
5336 # the type of the bound before comparing.
5337 # See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more.
5338 &quot;buckets&quot;: [ # Set of buckets. Ranges must be non-overlapping.
5339 { # Bucket is represented as a range, along with replacement values.
5340 &quot;min&quot;: { # Set of primitive values supported by the system. # Lower bound of the range, inclusive. Type should be the same as max if
5341 # used.
5342 # Note that for the purposes of inspection or transformation, the number
5343 # of bytes considered to comprise a &#x27;Value&#x27; is based on its representation
5344 # as a UTF-8 encoded string. For example, if &#x27;integer_value&#x27; is set to
5345 # 123456789, the number of bytes would be counted as 9, even though an
5346 # int64 only holds up to 8 bytes of data.
5347 &quot;booleanValue&quot;: True or False, # boolean
5348 &quot;floatValue&quot;: 3.14, # float
5349 &quot;dayOfWeekValue&quot;: &quot;A String&quot;, # day of week
5350 &quot;timestampValue&quot;: &quot;A String&quot;, # timestamp
5351 &quot;dateValue&quot;: { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date
5352 # and time zone are either specified elsewhere or are not significant. The date
5353 # is relative to the Proleptic Gregorian Calendar. This can represent:
5354 #
5355 # * A full date, with non-zero year, month and day values
5356 # * A month and day value, with a zero year, e.g. an anniversary
5357 # * A year on its own, with zero month and day values
5358 # * A year and month value, with a zero day, e.g. a credit card expiration date
5359 #
5360 # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
5361 &quot;year&quot;: 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
5362 # a year.
5363 &quot;month&quot;: 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
5364 # month and day.
5365 &quot;day&quot;: 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
5366 # if specifying a year by itself or a year and month where the day is not
5367 # significant.
5368 },
5369 &quot;stringValue&quot;: &quot;A String&quot;, # string
5370 &quot;integerValue&quot;: &quot;A String&quot;, # integer
5371 &quot;timeValue&quot;: { # Represents a time of day. The date and time zone are either not significant # time of day
5372 # or are specified elsewhere. An API may choose to allow leap seconds. Related
5373 # types are google.type.Date and `google.protobuf.Timestamp`.
5374 &quot;seconds&quot;: 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
5375 # allow the value 60 if it allows leap-seconds.
5376 &quot;nanos&quot;: 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
5377 &quot;hours&quot;: 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
5378 # to allow the value &quot;24:00:00&quot; for scenarios like business closing time.
5379 &quot;minutes&quot;: 42, # Minutes of hour of day. Must be from 0 to 59.
5380 },
5381 },
5382 &quot;max&quot;: { # Set of primitive values supported by the system. # Upper bound of the range, exclusive; type must match min.
5383 # Note that for the purposes of inspection or transformation, the number
5384 # of bytes considered to comprise a &#x27;Value&#x27; is based on its representation
5385 # as a UTF-8 encoded string. For example, if &#x27;integer_value&#x27; is set to
5386 # 123456789, the number of bytes would be counted as 9, even though an
5387 # int64 only holds up to 8 bytes of data.
5388 &quot;booleanValue&quot;: True or False, # boolean
5389 &quot;floatValue&quot;: 3.14, # float
5390 &quot;dayOfWeekValue&quot;: &quot;A String&quot;, # day of week
5391 &quot;timestampValue&quot;: &quot;A String&quot;, # timestamp
5392 &quot;dateValue&quot;: { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date
5393 # and time zone are either specified elsewhere or are not significant. The date
5394 # is relative to the Proleptic Gregorian Calendar. This can represent:
5395 #
5396 # * A full date, with non-zero year, month and day values
5397 # * A month and day value, with a zero year, e.g. an anniversary
5398 # * A year on its own, with zero month and day values
5399 # * A year and month value, with a zero day, e.g. a credit card expiration date
5400 #
5401 # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
5402 &quot;year&quot;: 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
5403 # a year.
5404 &quot;month&quot;: 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
5405 # month and day.
5406 &quot;day&quot;: 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
5407 # if specifying a year by itself or a year and month where the day is not
5408 # significant.
5409 },
5410 &quot;stringValue&quot;: &quot;A String&quot;, # string
5411 &quot;integerValue&quot;: &quot;A String&quot;, # integer
5412 &quot;timeValue&quot;: { # Represents a time of day. The date and time zone are either not significant # time of day
5413 # or are specified elsewhere. An API may choose to allow leap seconds. Related
5414 # types are google.type.Date and `google.protobuf.Timestamp`.
5415 &quot;seconds&quot;: 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
5416 # allow the value 60 if it allows leap-seconds.
5417 &quot;nanos&quot;: 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
5418 &quot;hours&quot;: 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
5419 # to allow the value &quot;24:00:00&quot; for scenarios like business closing time.
5420 &quot;minutes&quot;: 42, # Minutes of hour of day. Must be from 0 to 59.
5421 },
5422 },
5423 &quot;replacementValue&quot;: { # Set of primitive values supported by the system. # Replacement value for this bucket. If not provided
5424 # the default behavior will be to hyphenate the min-max range.
5425 # Note that for the purposes of inspection or transformation, the number
5426 # of bytes considered to comprise a &#x27;Value&#x27; is based on its representation
5427 # as a UTF-8 encoded string. For example, if &#x27;integer_value&#x27; is set to
5428 # 123456789, the number of bytes would be counted as 9, even though an
5429 # int64 only holds up to 8 bytes of data.
5430 &quot;booleanValue&quot;: True or False, # boolean
5431 &quot;floatValue&quot;: 3.14, # float
5432 &quot;dayOfWeekValue&quot;: &quot;A String&quot;, # day of week
5433 &quot;timestampValue&quot;: &quot;A String&quot;, # timestamp
5434 &quot;dateValue&quot;: { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date
5435 # and time zone are either specified elsewhere or are not significant. The date
5436 # is relative to the Proleptic Gregorian Calendar. This can represent:
5437 #
5438 # * A full date, with non-zero year, month and day values
5439 # * A month and day value, with a zero year, e.g. an anniversary
5440 # * A year on its own, with zero month and day values
5441 # * A year and month value, with a zero day, e.g. a credit card expiration date
5442 #
5443 # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
5444 &quot;year&quot;: 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
5445 # a year.
5446 &quot;month&quot;: 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
5447 # month and day.
5448 &quot;day&quot;: 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
5449 # if specifying a year by itself or a year and month where the day is not
5450 # significant.
5451 },
5452 &quot;stringValue&quot;: &quot;A String&quot;, # string
5453 &quot;integerValue&quot;: &quot;A String&quot;, # integer
5454 &quot;timeValue&quot;: { # Represents a time of day. The date and time zone are either not significant # time of day
5455 # or are specified elsewhere. An API may choose to allow leap seconds. Related
5456 # types are google.type.Date and `google.protobuf.Timestamp`.
5457 &quot;seconds&quot;: 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
5458 # allow the value 60 if it allows leap-seconds.
5459 &quot;nanos&quot;: 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
5460 &quot;hours&quot;: 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
5461 # to allow the value &quot;24:00:00&quot; for scenarios like business closing time.
5462 &quot;minutes&quot;: 42, # Minutes of hour of day. Must be from 0 to 59.
5463 },
5464 },
5465 },
5466 ],
5467 },
5468 &quot;replaceConfig&quot;: { # Replace each input value with a given `Value`. # Replace
5469 &quot;newValue&quot;: { # Set of primitive values supported by the system. # Value to replace it with.
5470 # Note that for the purposes of inspection or transformation, the number
5471 # of bytes considered to comprise a &#x27;Value&#x27; is based on its representation
5472 # as a UTF-8 encoded string. For example, if &#x27;integer_value&#x27; is set to
5473 # 123456789, the number of bytes would be counted as 9, even though an
5474 # int64 only holds up to 8 bytes of data.
5475 &quot;booleanValue&quot;: True or False, # boolean
5476 &quot;floatValue&quot;: 3.14, # float
5477 &quot;dayOfWeekValue&quot;: &quot;A String&quot;, # day of week
5478 &quot;timestampValue&quot;: &quot;A String&quot;, # timestamp
5479 &quot;dateValue&quot;: { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date
5480 # and time zone are either specified elsewhere or are not significant. The date
5481 # is relative to the Proleptic Gregorian Calendar. This can represent:
5482 #
5483 # * A full date, with non-zero year, month and day values
5484 # * A month and day value, with a zero year, e.g. an anniversary
5485 # * A year on its own, with zero month and day values
5486 # * A year and month value, with a zero day, e.g. a credit card expiration date
5487 #
5488 # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
5489 &quot;year&quot;: 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
5490 # a year.
5491 &quot;month&quot;: 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
5492 # month and day.
5493 &quot;day&quot;: 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
5494 # if specifying a year by itself or a year and month where the day is not
5495 # significant.
5496 },
5497 &quot;stringValue&quot;: &quot;A String&quot;, # string
5498 &quot;integerValue&quot;: &quot;A String&quot;, # integer
5499 &quot;timeValue&quot;: { # Represents a time of day. The date and time zone are either not significant # time of day
5500 # or are specified elsewhere. An API may choose to allow leap seconds. Related
5501 # types are google.type.Date and `google.protobuf.Timestamp`.
5502 &quot;seconds&quot;: 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
5503 # allow the value 60 if it allows leap-seconds.
5504 &quot;nanos&quot;: 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
5505 &quot;hours&quot;: 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
5506 # to allow the value &quot;24:00:00&quot; for scenarios like business closing time.
5507 &quot;minutes&quot;: 42, # Minutes of hour of day. Must be from 0 to 59.
5508 },
5509 },
5510 },
5511 &quot;characterMaskConfig&quot;: { # Partially mask a string by replacing a given number of characters with a # Mask
5512 # fixed character. Masking can start from the beginning or end of the string.
5513 # This can be used on data of any type (numbers, longs, and so on) and when
5514 # de-identifying structured data we&#x27;ll attempt to preserve the original data&#x27;s
5515 # type. (This allows you to take a long like 123 and modify it to a string like
5516 # **3.)
5517 &quot;reverseOrder&quot;: True or False, # Mask characters in reverse order. For example, if `masking_character` is
5518 # `0`, `number_to_mask` is `14`, and `reverse_order` is `false`, then the
5519 # input string `1234-5678-9012-3456` is masked as `00000000000000-3456`.
5520 # If `masking_character` is `*`, `number_to_mask` is `3`, and `reverse_order`
5521 # is `true`, then the string `12345` is masked as `12***`.
5522 &quot;charactersToIgnore&quot;: [ # When masking a string, items in this list will be skipped when replacing
5523 # characters. For example, if the input string is `555-555-5555` and you
5524 # instruct Cloud DLP to skip `-` and mask 5 characters with `*`, Cloud DLP
5525 # returns `***-**5-5555`.
5526 { # Characters to skip when doing deidentification of a value. These will be left
5527 # alone and skipped.
5528 &quot;charactersToSkip&quot;: &quot;A String&quot;, # Characters to not transform when masking.
5529 &quot;commonCharactersToIgnore&quot;: &quot;A String&quot;, # Common characters to not transform when masking. Useful to avoid removing
5530 # punctuation.
5531 },
5532 ],
5533 &quot;numberToMask&quot;: 42, # Number of characters to mask. If not set, all matching chars will be
5534 # masked. Skipped characters do not count towards this tally.
5535 &quot;maskingCharacter&quot;: &quot;A String&quot;, # Character to use to mask the sensitive values—for example, `*` for an
5536 # alphabetic string such as a name, or `0` for a numeric string such as ZIP
5537 # code or credit card number. This string must have a length of 1. If not
5538 # supplied, this value defaults to `*` for strings, and `0` for digits.
5539 },
5540 &quot;fixedSizeBucketingConfig&quot;: { # Buckets values based on fixed size ranges. The # Fixed size bucketing
5541 # Bucketing transformation can provide all of this functionality,
5542 # but requires more configuration. This message is provided as a convenience to
5543 # the user for simple bucketing strategies.
5544 #
5545 # The transformed value will be a hyphenated string of
5546 # {lower_bound}-{upper_bound}, i.e., if lower_bound = 10 and upper_bound = 20
5547 # all values that are within this bucket will be replaced with &quot;10-20&quot;.
5548 #
5549 # This can be used on data of type: double, long.
5550 #
5551 # If the bound Value type differs from the type of data
5552 # being transformed, we will first attempt converting the type of the data to
5553 # be transformed to match the type of the bound before comparing.
5554 #
5555 # See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more.
5556 &quot;lowerBound&quot;: { # Set of primitive values supported by the system. # Required. Lower bound value of buckets. All values less than `lower_bound` are
5557 # grouped together into a single bucket; for example if `lower_bound` = 10,
5558 # then all values less than 10 are replaced with the value &quot;-10&quot;.
5559 # Note that for the purposes of inspection or transformation, the number
5560 # of bytes considered to comprise a &#x27;Value&#x27; is based on its representation
5561 # as a UTF-8 encoded string. For example, if &#x27;integer_value&#x27; is set to
5562 # 123456789, the number of bytes would be counted as 9, even though an
5563 # int64 only holds up to 8 bytes of data.
5564 &quot;booleanValue&quot;: True or False, # boolean
5565 &quot;floatValue&quot;: 3.14, # float
5566 &quot;dayOfWeekValue&quot;: &quot;A String&quot;, # day of week
5567 &quot;timestampValue&quot;: &quot;A String&quot;, # timestamp
5568 &quot;dateValue&quot;: { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date
5569 # and time zone are either specified elsewhere or are not significant. The date
5570 # is relative to the Proleptic Gregorian Calendar. This can represent:
5571 #
5572 # * A full date, with non-zero year, month and day values
5573 # * A month and day value, with a zero year, e.g. an anniversary
5574 # * A year on its own, with zero month and day values
5575 # * A year and month value, with a zero day, e.g. a credit card expiration date
5576 #
5577 # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
5578 &quot;year&quot;: 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
5579 # a year.
5580 &quot;month&quot;: 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
5581 # month and day.
5582 &quot;day&quot;: 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
5583 # if specifying a year by itself or a year and month where the day is not
5584 # significant.
5585 },
5586 &quot;stringValue&quot;: &quot;A String&quot;, # string
5587 &quot;integerValue&quot;: &quot;A String&quot;, # integer
5588 &quot;timeValue&quot;: { # Represents a time of day. The date and time zone are either not significant # time of day
5589 # or are specified elsewhere. An API may choose to allow leap seconds. Related
5590 # types are google.type.Date and `google.protobuf.Timestamp`.
5591 &quot;seconds&quot;: 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
5592 # allow the value 60 if it allows leap-seconds.
5593 &quot;nanos&quot;: 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
5594 &quot;hours&quot;: 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
5595 # to allow the value &quot;24:00:00&quot; for scenarios like business closing time.
5596 &quot;minutes&quot;: 42, # Minutes of hour of day. Must be from 0 to 59.
5597 },
5598 },
5599 &quot;upperBound&quot;: { # Set of primitive values supported by the system. # Required. Upper bound value of buckets. All values greater than upper_bound are
5600 # grouped together into a single bucket; for example if `upper_bound` = 89,
5601 # then all values greater than 89 are replaced with the value &quot;89+&quot;.
5602 # Note that for the purposes of inspection or transformation, the number
5603 # of bytes considered to comprise a &#x27;Value&#x27; is based on its representation
5604 # as a UTF-8 encoded string. For example, if &#x27;integer_value&#x27; is set to
5605 # 123456789, the number of bytes would be counted as 9, even though an
5606 # int64 only holds up to 8 bytes of data.
5607 &quot;booleanValue&quot;: True or False, # boolean
5608 &quot;floatValue&quot;: 3.14, # float
5609 &quot;dayOfWeekValue&quot;: &quot;A String&quot;, # day of week
5610 &quot;timestampValue&quot;: &quot;A String&quot;, # timestamp
5611 &quot;dateValue&quot;: { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date
5612 # and time zone are either specified elsewhere or are not significant. The date
5613 # is relative to the Proleptic Gregorian Calendar. This can represent:
5614 #
5615 # * A full date, with non-zero year, month and day values
5616 # * A month and day value, with a zero year, e.g. an anniversary
5617 # * A year on its own, with zero month and day values
5618 # * A year and month value, with a zero day, e.g. a credit card expiration date
5619 #
5620 # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
5621 &quot;year&quot;: 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
5622 # a year.
5623 &quot;month&quot;: 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
5624 # month and day.
5625 &quot;day&quot;: 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
5626 # if specifying a year by itself or a year and month where the day is not
5627 # significant.
5628 },
5629 &quot;stringValue&quot;: &quot;A String&quot;, # string
5630 &quot;integerValue&quot;: &quot;A String&quot;, # integer
5631 &quot;timeValue&quot;: { # Represents a time of day. The date and time zone are either not significant # time of day
5632 # or are specified elsewhere. An API may choose to allow leap seconds. Related
5633 # types are google.type.Date and `google.protobuf.Timestamp`.
5634 &quot;seconds&quot;: 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
5635 # allow the value 60 if it allows leap-seconds.
5636 &quot;nanos&quot;: 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
5637 &quot;hours&quot;: 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
5638 # to allow the value &quot;24:00:00&quot; for scenarios like business closing time.
5639 &quot;minutes&quot;: 42, # Minutes of hour of day. Must be from 0 to 59.
5640 },
5641 },
5642 &quot;bucketSize&quot;: 3.14, # Required. Size of each bucket (except for minimum and maximum buckets). So if
5643 # `lower_bound` = 10, `upper_bound` = 89, and `bucket_size` = 10, then the
5644 # following buckets would be used: -10, 10-20, 20-30, 30-40, 40-50, 50-60,
5645 # 60-70, 70-80, 80-89, 89+. Precision up to 2 decimals works.
5646 },
5647 },
5648 &quot;condition&quot;: { # A condition for determining whether a transformation should be applied to # Only apply the transformation if the condition evaluates to true for the
5649 # given `RecordCondition`. The conditions are allowed to reference fields
5650 # that are not used in the actual transformation.
5651 #
5652 # Example Use Cases:
5653 #
5654 # - Apply a different bucket transformation to an age column if the zip code
5655 # column for the same record is within a specific range.
5656 # - Redact a field if the date of birth field is greater than 85.
5657 # a field.
5658 &quot;expressions&quot;: { # An expression, consisting of an operator and conditions. # An expression.
5659 &quot;logicalOperator&quot;: &quot;A String&quot;, # The operator to apply to the result of conditions. Default and currently
5660 # only supported value is `AND`.
5661 &quot;conditions&quot;: { # A collection of conditions. # Conditions to apply to the expression.
5662 &quot;conditions&quot;: [ # A collection of conditions.
5663 { # The field type of `value` and `field` do not need to match to be
5664 # considered equal, but not all comparisons are possible.
5665 # EQUAL_TO and NOT_EQUAL_TO attempt to compare even with incompatible types,
5666 # but all other comparisons are invalid with incompatible types.
5667 # A `value` of type:
5668 #
5669 # - `string` can be compared against all other types
5670 # - `boolean` can only be compared against other booleans
5671 # - `integer` can be compared against doubles or a string if the string value
5672 # can be parsed as an integer.
5673 # - `double` can be compared against integers or a string if the string can
5674 # be parsed as a double.
5675 # - `Timestamp` can be compared against strings in RFC 3339 date string
5676 # format.
5677 # - `TimeOfDay` can be compared against timestamps and strings in the format
5678 # of &#x27;HH:mm:ss&#x27;.
5679 #
5680 # If we fail to compare due to a type mismatch, a warning will be given and
5681 # the condition will evaluate to false.
5682 &quot;field&quot;: { # General identifier of a data field in a storage service. # Required. Field within the record this condition is evaluated against.
5683 &quot;name&quot;: &quot;A String&quot;, # Name describing the field.
5684 },
5685 &quot;operator&quot;: &quot;A String&quot;, # Required. Operator used to compare the field or infoType to the value.
5686 &quot;value&quot;: { # Set of primitive values supported by the system. # Value to compare against. [Mandatory, except for `EXISTS` tests.]
5687 # Note that for the purposes of inspection or transformation, the number
5688 # of bytes considered to comprise a &#x27;Value&#x27; is based on its representation
5689 # as a UTF-8 encoded string. For example, if &#x27;integer_value&#x27; is set to
5690 # 123456789, the number of bytes would be counted as 9, even though an
5691 # int64 only holds up to 8 bytes of data.
5692 &quot;booleanValue&quot;: True or False, # boolean
5693 &quot;floatValue&quot;: 3.14, # float
5694 &quot;dayOfWeekValue&quot;: &quot;A String&quot;, # day of week
5695 &quot;timestampValue&quot;: &quot;A String&quot;, # timestamp
5696 &quot;dateValue&quot;: { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date
5697 # and time zone are either specified elsewhere or are not significant. The date
5698 # is relative to the Proleptic Gregorian Calendar. This can represent:
5699 #
5700 # * A full date, with non-zero year, month and day values
5701 # * A month and day value, with a zero year, e.g. an anniversary
5702 # * A year on its own, with zero month and day values
5703 # * A year and month value, with a zero day, e.g. a credit card expiration date
5704 #
5705 # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
5706 &quot;year&quot;: 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
5707 # a year.
5708 &quot;month&quot;: 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
5709 # month and day.
5710 &quot;day&quot;: 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
5711 # if specifying a year by itself or a year and month where the day is not
5712 # significant.
5713 },
5714 &quot;stringValue&quot;: &quot;A String&quot;, # string
5715 &quot;integerValue&quot;: &quot;A String&quot;, # integer
5716 &quot;timeValue&quot;: { # Represents a time of day. The date and time zone are either not significant # time of day
5717 # or are specified elsewhere. An API may choose to allow leap seconds. Related
5718 # types are google.type.Date and `google.protobuf.Timestamp`.
5719 &quot;seconds&quot;: 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
5720 # allow the value 60 if it allows leap-seconds.
5721 &quot;nanos&quot;: 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
5722 &quot;hours&quot;: 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
5723 # to allow the value &quot;24:00:00&quot; for scenarios like business closing time.
5724 &quot;minutes&quot;: 42, # Minutes of hour of day. Must be from 0 to 59.
5725 },
5726 },
5727 },
5728 ],
5729 },
5730 },
5731 },
5732 },
5733 ],
5734 },
5735 &quot;infoTypeTransformations&quot;: { # A type of transformation that will scan unstructured text and # Treat the dataset as free-form text and apply the same free text
5736 # transformation everywhere.
5737 # apply various `PrimitiveTransformation`s to each finding, where the
5738 # transformation is applied to only values that were identified as a specific
5739 # info_type.
5740 &quot;transformations&quot;: [ # Required. Transformation for each infoType. Cannot specify more than one
5741 # for a given infoType.
5742 { # A transformation to apply to text that is identified as a specific
5743 # info_type.
5744 &quot;infoTypes&quot;: [ # InfoTypes to apply the transformation to. An empty list will cause
5745 # this transformation to apply to all findings that correspond to
5746 # infoTypes that were requested in `InspectConfig`.
5747 { # Type of information detected by the API.
5748 &quot;name&quot;: &quot;A String&quot;, # Name of the information type. Either a name of your choosing when
5749 # creating a CustomInfoType, or one of the names listed
5750 # at https://cloud.google.com/dlp/docs/infotypes-reference when specifying
5751 # a built-in type. InfoType names should conform to the pattern
5752 # `[a-zA-Z0-9_]{1,64}`.
5753 },
5754 ],
5755 &quot;primitiveTransformation&quot;: { # A rule for transforming a value. # Required. Primitive transformation to apply to the infoType.
5756 &quot;timePartConfig&quot;: { # For use with `Date`, `Timestamp`, and `TimeOfDay`, extract or preserve a # Time extraction
5757 # portion of the value.
5758 &quot;partToExtract&quot;: &quot;A String&quot;, # The part of the time to keep.
5759 },
5760 &quot;dateShiftConfig&quot;: { # Shifts dates by random number of days, with option to be consistent for the # Date Shift
5761 # same context. See https://cloud.google.com/dlp/docs/concepts-date-shifting
5762 # to learn more.
5763 &quot;context&quot;: { # General identifier of a data field in a storage service. # Points to the field that contains the context, for example, an entity id.
5764 # If set, must also set cryptoKey. If set, shift will be consistent for the
5765 # given context.
5766 &quot;name&quot;: &quot;A String&quot;, # Name describing the field.
5767 },
5768 &quot;upperBoundDays&quot;: 42, # Required. Range of shift in days. Actual shift will be selected at random within this
5769 # range (inclusive ends). Negative means shift to earlier in time. Must not
5770 # be more than 365250 days (1000 years) each direction.
5771 #
5772 # For example, 3 means shift date to at most 3 days into the future.
5773 &quot;lowerBoundDays&quot;: 42, # Required. For example, -5 means shift date to at most 5 days back in the past.
5774 &quot;cryptoKey&quot;: { # This is a data encryption key (DEK) (as opposed to # Causes the shift to be computed based on this key and the context. This
5775 # results in the same shift for the same context and crypto_key. If
5776 # set, must also set context. Can only be applied to table items.
5777 # a key encryption key (KEK) stored by KMS).
5778 # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
5779 # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
5780 # unwrap the data crypto key.
5781 &quot;kmsWrapped&quot;: { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key
5782 # The wrapped key must be a 128/192/256 bit key.
5783 # Authorization requires the following IAM permissions when sending a request
5784 # to perform a crypto transformation using a kms-wrapped crypto key:
5785 # dlp.kms.encrypt
5786 &quot;wrappedKey&quot;: &quot;A String&quot;, # Required. The wrapped data crypto key.
5787 &quot;cryptoKeyName&quot;: &quot;A String&quot;, # Required. The resource name of the KMS CryptoKey to use for unwrapping.
5788 },
5789 &quot;unwrapped&quot;: { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key
5790 # leaking the key. Choose another type of key if possible.
5791 &quot;key&quot;: &quot;A String&quot;, # Required. A 128/192/256 bit key.
5792 },
5793 &quot;transient&quot;: { # Use this to have a random data crypto key generated. # Transient crypto key
5794 # It will be discarded after the request finishes.
5795 &quot;name&quot;: &quot;A String&quot;, # Required. Name of the key.
5796 # This is an arbitrary string used to differentiate different keys.
5797 # A unique key is generated per name: two separate `TransientCryptoKey`
5798 # protos share the same generated key if their names are the same.
5799 # When the data crypto key is generated, this name is not used in any way
5800 # (repeating the api call will result in a different key being generated).
5801 },
5802 },
5803 },
5804 &quot;replaceWithInfoTypeConfig&quot;: { # Replace each matching finding with the name of the info_type. # Replace with infotype
5805 },
5806 &quot;cryptoHashConfig&quot;: { # Pseudonymization method that generates surrogates via cryptographic hashing. # Crypto
5807 # Uses SHA-256.
5808 # The key size must be either 32 or 64 bytes.
5809 # Outputs a base64 encoded representation of the hashed output
5810 # (for example, L7k0BHmF1ha5U3NfGykjro4xWi1MPVQPjhMAZbSV9mM=).
5811 # Currently, only string and integer values can be hashed.
5812 # See https://cloud.google.com/dlp/docs/pseudonymization to learn more.
5813 &quot;cryptoKey&quot;: { # This is a data encryption key (DEK) (as opposed to # The key used by the hash function.
5814 # a key encryption key (KEK) stored by KMS).
5815 # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
5816 # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
5817 # unwrap the data crypto key.
5818 &quot;kmsWrapped&quot;: { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key
5819 # The wrapped key must be a 128/192/256 bit key.
5820 # Authorization requires the following IAM permissions when sending a request
5821 # to perform a crypto transformation using a kms-wrapped crypto key:
5822 # dlp.kms.encrypt
5823 &quot;wrappedKey&quot;: &quot;A String&quot;, # Required. The wrapped data crypto key.
5824 &quot;cryptoKeyName&quot;: &quot;A String&quot;, # Required. The resource name of the KMS CryptoKey to use for unwrapping.
5825 },
5826 &quot;unwrapped&quot;: { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key
5827 # leaking the key. Choose another type of key if possible.
5828 &quot;key&quot;: &quot;A String&quot;, # Required. A 128/192/256 bit key.
5829 },
5830 &quot;transient&quot;: { # Use this to have a random data crypto key generated. # Transient crypto key
5831 # It will be discarded after the request finishes.
5832 &quot;name&quot;: &quot;A String&quot;, # Required. Name of the key.
5833 # This is an arbitrary string used to differentiate different keys.
5834 # A unique key is generated per name: two separate `TransientCryptoKey`
5835 # protos share the same generated key if their names are the same.
5836 # When the data crypto key is generated, this name is not used in any way
5837 # (repeating the api call will result in a different key being generated).
5838 },
5839 },
5840 },
5841 &quot;cryptoReplaceFfxFpeConfig&quot;: { # Replaces an identifier with a surrogate using Format Preserving Encryption # Ffx-Fpe
5842 # (FPE) with the FFX mode of operation; however when used in the
5843 # `ReidentifyContent` API method, it serves the opposite function by reversing
5844 # the surrogate back into the original identifier. The identifier must be
5845 # encoded as ASCII. For a given crypto key and context, the same identifier
5846 # will be replaced with the same surrogate. Identifiers must be at least two
5847 # characters long. In the case that the identifier is the empty string, it will
5848 # be skipped. See https://cloud.google.com/dlp/docs/pseudonymization to learn
5849 # more.
5850 #
5851 # Note: We recommend using CryptoDeterministicConfig for all use cases which
5852 # do not require preserving the input alphabet space and size, plus warrant
5853 # referential integrity.
5854 &quot;customAlphabet&quot;: &quot;A String&quot;, # This is supported by mapping these to the alphanumeric characters
5855 # that the FFX mode natively supports. This happens before/after
5856 # encryption/decryption.
5857 # Each character listed must appear only once.
5858 # Number of characters must be in the range [2, 95].
5859 # This must be encoded as ASCII.
5860 # The order of characters does not matter.
5861 &quot;commonAlphabet&quot;: &quot;A String&quot;, # Common alphabets.
5862 &quot;surrogateInfoType&quot;: { # Type of information detected by the API. # The custom infoType to annotate the surrogate with.
5863 # This annotation will be applied to the surrogate by prefixing it with
5864 # the name of the custom infoType followed by the number of
5865 # characters comprising the surrogate. The following scheme defines the
5866 # format: info_type_name(surrogate_character_count):surrogate
5867 #
5868 # For example, if the name of custom infoType is &#x27;MY_TOKEN_INFO_TYPE&#x27; and
5869 # the surrogate is &#x27;abc&#x27;, the full replacement value
5870 # will be: &#x27;MY_TOKEN_INFO_TYPE(3):abc&#x27;
5871 #
5872 # This annotation identifies the surrogate when inspecting content using the
5873 # custom infoType
5874 # [`SurrogateType`](/dlp/docs/reference/rest/v2/InspectConfig#surrogatetype).
5875 # This facilitates reversal of the surrogate when it occurs in free text.
5876 #
5877 # In order for inspection to work properly, the name of this infoType must
5878 # not occur naturally anywhere in your data; otherwise, inspection may
5879 # find a surrogate that does not correspond to an actual identifier.
5880 # Therefore, choose your custom infoType name carefully after considering
5881 # what your data looks like. One way to select a name that has a high chance
5882 # of yielding reliable detection is to include one or more unicode characters
5883 # that are highly improbable to exist in your data.
5884 # For example, assuming your data is entered from a regular ASCII keyboard,
5885 # the symbol with the hex code point 29DD might be used like so:
5886 # ⧝MY_TOKEN_TYPE
5887 &quot;name&quot;: &quot;A String&quot;, # Name of the information type. Either a name of your choosing when
5888 # creating a CustomInfoType, or one of the names listed
5889 # at https://cloud.google.com/dlp/docs/infotypes-reference when specifying
5890 # a built-in type. InfoType names should conform to the pattern
5891 # `[a-zA-Z0-9_]{1,64}`.
5892 },
5893 &quot;context&quot;: { # General identifier of a data field in a storage service. # The &#x27;tweak&#x27;, a context may be used for higher security since the same
5894 # identifier in two different contexts won&#x27;t be given the same surrogate. If
5895 # the context is not set, a default tweak will be used.
5896 #
5897 # If the context is set but:
5898 #
5899 # 1. there is no record present when transforming a given value or
5900 # 2. the field is not present when transforming a given value,
5901 #
5902 # a default tweak will be used.
5903 #
5904 # Note that case (1) is expected when an `InfoTypeTransformation` is
5905 # applied to both structured and non-structured `ContentItem`s.
5906 # Currently, the referenced field may be of value type integer or string.
5907 #
5908 # The tweak is constructed as a sequence of bytes in big endian byte order
5909 # such that:
5910 #
5911 # - a 64 bit integer is encoded followed by a single byte of value 1
5912 # - a string is encoded in UTF-8 format followed by a single byte of value 2
5913 &quot;name&quot;: &quot;A String&quot;, # Name describing the field.
5914 },
5915 &quot;radix&quot;: 42, # The native way to select the alphabet. Must be in the range [2, 95].
5916 &quot;cryptoKey&quot;: { # This is a data encryption key (DEK) (as opposed to # Required. The key used by the encryption algorithm.
5917 # a key encryption key (KEK) stored by KMS).
5918 # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
5919 # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
5920 # unwrap the data crypto key.
5921 &quot;kmsWrapped&quot;: { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key
5922 # The wrapped key must be a 128/192/256 bit key.
5923 # Authorization requires the following IAM permissions when sending a request
5924 # to perform a crypto transformation using a kms-wrapped crypto key:
5925 # dlp.kms.encrypt
5926 &quot;wrappedKey&quot;: &quot;A String&quot;, # Required. The wrapped data crypto key.
5927 &quot;cryptoKeyName&quot;: &quot;A String&quot;, # Required. The resource name of the KMS CryptoKey to use for unwrapping.
5928 },
5929 &quot;unwrapped&quot;: { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key
5930 # leaking the key. Choose another type of key if possible.
5931 &quot;key&quot;: &quot;A String&quot;, # Required. A 128/192/256 bit key.
5932 },
5933 &quot;transient&quot;: { # Use this to have a random data crypto key generated. # Transient crypto key
5934 # It will be discarded after the request finishes.
5935 &quot;name&quot;: &quot;A String&quot;, # Required. Name of the key.
5936 # This is an arbitrary string used to differentiate different keys.
5937 # A unique key is generated per name: two separate `TransientCryptoKey`
5938 # protos share the same generated key if their names are the same.
5939 # When the data crypto key is generated, this name is not used in any way
5940 # (repeating the api call will result in a different key being generated).
5941 },
5942 },
5943 },
5944 &quot;cryptoDeterministicConfig&quot;: { # Pseudonymization method that generates deterministic encryption for the given # Deterministic Crypto
5945 # input. Outputs a base64 encoded representation of the encrypted output.
5946 # Uses AES-SIV based on the RFC https://tools.ietf.org/html/rfc5297.
5947 &quot;surrogateInfoType&quot;: { # Type of information detected by the API. # The custom info type to annotate the surrogate with.
5948 # This annotation will be applied to the surrogate by prefixing it with
5949 # the name of the custom info type followed by the number of
5950 # characters comprising the surrogate. The following scheme defines the
5951 # format: {info type name}({surrogate character count}):{surrogate}
5952 #
5953 # For example, if the name of custom info type is &#x27;MY_TOKEN_INFO_TYPE&#x27; and
5954 # the surrogate is &#x27;abc&#x27;, the full replacement value
5955 # will be: &#x27;MY_TOKEN_INFO_TYPE(3):abc&#x27;
5956 #
5957 # This annotation identifies the surrogate when inspecting content using the
5958 # custom info type &#x27;Surrogate&#x27;. This facilitates reversal of the
5959 # surrogate when it occurs in free text.
5960 #
5961 # Note: For record transformations where the entire cell in a table is being
5962 # transformed, surrogates are not mandatory. Surrogates are used to denote
5963 # the location of the token and are necessary for re-identification in free
5964 # form text.
5965 #
5966 # In order for inspection to work properly, the name of this info type must
5967 # not occur naturally anywhere in your data; otherwise, inspection may either
5968 #
5969 # - reverse a surrogate that does not correspond to an actual identifier
5970 # - be unable to parse the surrogate and result in an error
5971 #
5972 # Therefore, choose your custom info type name carefully after considering
5973 # what your data looks like. One way to select a name that has a high chance
5974 # of yielding reliable detection is to include one or more unicode characters
5975 # that are highly improbable to exist in your data.
5976 # For example, assuming your data is entered from a regular ASCII keyboard,
5977 # the symbol with the hex code point 29DD might be used like so:
5978 # ⧝MY_TOKEN_TYPE.
5979 &quot;name&quot;: &quot;A String&quot;, # Name of the information type. Either a name of your choosing when
5980 # creating a CustomInfoType, or one of the names listed
5981 # at https://cloud.google.com/dlp/docs/infotypes-reference when specifying
5982 # a built-in type. InfoType names should conform to the pattern
5983 # `[a-zA-Z0-9_]{1,64}`.
5984 },
5985 &quot;context&quot;: { # General identifier of a data field in a storage service. # A context may be used for higher security and maintaining
5986 # referential integrity such that the same identifier in two different
5987 # contexts will be given a distinct surrogate. The context is appended to
5988 # plaintext value being encrypted. On decryption the provided context is
5989 # validated against the value used during encryption. If a context was
5990 # provided during encryption, same context must be provided during decryption
5991 # as well.
5992 #
5993 # If the context is not set, plaintext would be used as is for encryption.
5994 # If the context is set but:
5995 #
5996 # 1. there is no record present when transforming a given value or
5997 # 2. the field is not present when transforming a given value,
5998 #
5999 # plaintext would be used as is for encryption, as if no context had been configured, so the resulting surrogate is not context-specific.
6000 #
6001 # Note that case (1) is expected when an `InfoTypeTransformation` is
6002 # applied to both structured and non-structured `ContentItem`s.
6003 &quot;name&quot;: &quot;A String&quot;, # Name describing the field.
6004 },
6005 &quot;cryptoKey&quot;: { # This is a data encryption key (DEK) (as opposed to # The key used by the encryption function.
6006 # a key encryption key (KEK) stored by KMS).
6007 # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
6008 # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
6009 # unwrap the data crypto key.
6010 &quot;kmsWrapped&quot;: { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key
6011 # The wrapped key must be a 128/192/256 bit key.
6012 # Authorization requires the following IAM permissions when sending a request
6013 # to perform a crypto transformation using a kms-wrapped crypto key:
6014 # dlp.kms.encrypt
6015 &quot;wrappedKey&quot;: &quot;A String&quot;, # Required. The wrapped data crypto key.
6016 &quot;cryptoKeyName&quot;: &quot;A String&quot;, # Required. The resource name of the KMS CryptoKey to use for unwrapping.
6017 },
6018 &quot;unwrapped&quot;: { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key
6019 # leaking the key. Choose another type of key if possible. A raw key set here is part of the template configuration, so restrict who can read the template.
6020 &quot;key&quot;: &quot;A String&quot;, # Required. A 128/192/256 bit key.
6021 },
6022 &quot;transient&quot;: { # Use this to have a random data crypto key generated. # Transient crypto key
6023 # It will be discarded after the request finishes.
6024 &quot;name&quot;: &quot;A String&quot;, # Required. Name of the key.
6025 # This is an arbitrary string used to differentiate different keys.
6026 # A unique key is generated per name: within a single request, two separate
6027 # `TransientCryptoKey` protos share the same generated key if their names are the same.
6028 # The name only labels the key; it is not an input to generating the data crypto key
6029 # (repeating the API call will result in a different key being generated, so values transformed with a transient key cannot be matched or reversed by a later call).
6030 },
6031 },
6032 },
6033 &quot;redactConfig&quot;: { # Redact a given value. For example, if used with an `InfoTypeTransformation` # Redact
6034 # transforming PHONE_NUMBER, and input &#x27;My phone number is 206-555-0123&#x27;, the
6035 # output would be &#x27;My phone number is &#x27;.
6036 },
6037 &quot;bucketingConfig&quot;: { # Generalization function that buckets values based on ranges. The ranges and # Bucketing
6038 # replacement values are dynamically provided by the user for custom behavior,
6039 # such as 1-30 -&gt; LOW, 31-65 -&gt; MEDIUM, 66-100 -&gt; HIGH.
6040 # This can be used on
6041 # data of type: number, long, string, timestamp.
6042 # If the bound `Value` type differs from the type of data being transformed, we
6043 # will first attempt converting the type of the data to be transformed to match
6044 # the type of the bound before comparing.
6045 # See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more.
6046 &quot;buckets&quot;: [ # Set of buckets. Ranges must be non-overlapping.
6047 { # Bucket is represented as a range, along with replacement values.
6048 &quot;min&quot;: { # Set of primitive values supported by the system. # Lower bound of the range, inclusive. Type should be the same as max if
6049 # used.
6050 # Note that for the purposes of inspection or transformation, the number
6051 # of bytes considered to comprise a &#x27;Value&#x27; is based on its representation
6052 # as a UTF-8 encoded string. For example, if &#x27;integer_value&#x27; is set to
6053 # 123456789, the number of bytes would be counted as 9, even though an
6054 # int64 only holds up to 8 bytes of data.
6055 &quot;booleanValue&quot;: True or False, # boolean
6056 &quot;floatValue&quot;: 3.14, # float
6057 &quot;dayOfWeekValue&quot;: &quot;A String&quot;, # day of week
6058 &quot;timestampValue&quot;: &quot;A String&quot;, # timestamp
6059 &quot;dateValue&quot;: { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date
6060 # and time zone are either specified elsewhere or are not significant. The date
6061 # is relative to the Proleptic Gregorian Calendar. This can represent:
6062 #
6063 # * A full date, with non-zero year, month and day values
6064 # * A month and day value, with a zero year, e.g. an anniversary
6065 # * A year on its own, with zero month and day values
6066 # * A year and month value, with a zero day, e.g. a credit card expiration date
6067 #
6068 # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
6069 &quot;year&quot;: 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
6070 # a year.
6071 &quot;month&quot;: 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
6072 # month and day.
6073 &quot;day&quot;: 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
6074 # if specifying a year by itself or a year and month where the day is not
6075 # significant.
6076 },
6077 &quot;stringValue&quot;: &quot;A String&quot;, # string
6078 &quot;integerValue&quot;: &quot;A String&quot;, # integer
6079 &quot;timeValue&quot;: { # Represents a time of day. The date and time zone are either not significant # time of day
6080 # or are specified elsewhere. An API may choose to allow leap seconds. Related
6081 # types are google.type.Date and `google.protobuf.Timestamp`.
6082 &quot;seconds&quot;: 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
6083 # allow the value 60 if it allows leap-seconds.
6084 &quot;nanos&quot;: 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
6085 &quot;hours&quot;: 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
6086 # to allow the value &quot;24:00:00&quot; for scenarios like business closing time.
6087 &quot;minutes&quot;: 42, # Minutes of hour of day. Must be from 0 to 59.
6088 },
6089 },
6090 &quot;max&quot;: { # Set of primitive values supported by the system. # Upper bound of the range, exclusive; type must match min.
6091 # Note that for the purposes of inspection or transformation, the number
6092 # of bytes considered to comprise a &#x27;Value&#x27; is based on its representation
6093 # as a UTF-8 encoded string. For example, if &#x27;integer_value&#x27; is set to
6094 # 123456789, the number of bytes would be counted as 9, even though an
6095 # int64 only holds up to 8 bytes of data.
6096 &quot;booleanValue&quot;: True or False, # boolean
6097 &quot;floatValue&quot;: 3.14, # float
6098 &quot;dayOfWeekValue&quot;: &quot;A String&quot;, # day of week
6099 &quot;timestampValue&quot;: &quot;A String&quot;, # timestamp
6100 &quot;dateValue&quot;: { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date
6101 # and time zone are either specified elsewhere or are not significant. The date
6102 # is relative to the Proleptic Gregorian Calendar. This can represent:
6103 #
6104 # * A full date, with non-zero year, month and day values
6105 # * A month and day value, with a zero year, e.g. an anniversary
6106 # * A year on its own, with zero month and day values
6107 # * A year and month value, with a zero day, e.g. a credit card expiration date
6108 #
6109 # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
6110 &quot;year&quot;: 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
6111 # a year.
6112 &quot;month&quot;: 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
6113 # month and day.
6114 &quot;day&quot;: 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
6115 # if specifying a year by itself or a year and month where the day is not
6116 # significant.
6117 },
6118 &quot;stringValue&quot;: &quot;A String&quot;, # string
6119 &quot;integerValue&quot;: &quot;A String&quot;, # integer
6120 &quot;timeValue&quot;: { # Represents a time of day. The date and time zone are either not significant # time of day
6121 # or are specified elsewhere. An API may choose to allow leap seconds. Related
6122 # types are google.type.Date and `google.protobuf.Timestamp`.
6123 &quot;seconds&quot;: 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
6124 # allow the value 60 if it allows leap-seconds.
6125 &quot;nanos&quot;: 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
6126 &quot;hours&quot;: 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
6127 # to allow the value &quot;24:00:00&quot; for scenarios like business closing time.
6128 &quot;minutes&quot;: 42, # Minutes of hour of day. Must be from 0 to 59.
6129 },
6130 },
6131 &quot;replacementValue&quot;: { # Set of primitive values supported by the system. # Replacement value for this bucket. If not provided
6132 # the default behavior will be to hyphenate the min-max range.
6133 # Note that for the purposes of inspection or transformation, the number
6134 # of bytes considered to comprise a &#x27;Value&#x27; is based on its representation
6135 # as a UTF-8 encoded string. For example, if &#x27;integer_value&#x27; is set to
6136 # 123456789, the number of bytes would be counted as 9, even though an
6137 # int64 only holds up to 8 bytes of data.
6138 &quot;booleanValue&quot;: True or False, # boolean
6139 &quot;floatValue&quot;: 3.14, # float
6140 &quot;dayOfWeekValue&quot;: &quot;A String&quot;, # day of week
6141 &quot;timestampValue&quot;: &quot;A String&quot;, # timestamp
6142 &quot;dateValue&quot;: { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date
6143 # and time zone are either specified elsewhere or are not significant. The date
6144 # is relative to the Proleptic Gregorian Calendar. This can represent:
6145 #
6146 # * A full date, with non-zero year, month and day values
6147 # * A month and day value, with a zero year, e.g. an anniversary
6148 # * A year on its own, with zero month and day values
6149 # * A year and month value, with a zero day, e.g. a credit card expiration date
6150 #
6151 # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
6152 &quot;year&quot;: 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
6153 # a year.
6154 &quot;month&quot;: 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
6155 # month and day.
6156 &quot;day&quot;: 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
6157 # if specifying a year by itself or a year and month where the day is not
6158 # significant.
6159 },
6160 &quot;stringValue&quot;: &quot;A String&quot;, # string
6161 &quot;integerValue&quot;: &quot;A String&quot;, # integer
6162 &quot;timeValue&quot;: { # Represents a time of day. The date and time zone are either not significant # time of day
6163 # or are specified elsewhere. An API may choose to allow leap seconds. Related
6164 # types are google.type.Date and `google.protobuf.Timestamp`.
6165 &quot;seconds&quot;: 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
6166 # allow the value 60 if it allows leap-seconds.
6167 &quot;nanos&quot;: 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
6168 &quot;hours&quot;: 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
6169 # to allow the value &quot;24:00:00&quot; for scenarios like business closing time.
6170 &quot;minutes&quot;: 42, # Minutes of hour of day. Must be from 0 to 59.
6171 },
6172 },
6173 },
6174 ],
6175 },
6176 &quot;replaceConfig&quot;: { # Replace each input value with a given `Value`. # Replace
6177 &quot;newValue&quot;: { # Set of primitive values supported by the system. # Value to replace it with.
6178 # Note that for the purposes of inspection or transformation, the number
6179 # of bytes considered to comprise a &#x27;Value&#x27; is based on its representation
6180 # as a UTF-8 encoded string. For example, if &#x27;integer_value&#x27; is set to
6181 # 123456789, the number of bytes would be counted as 9, even though an
6182 # int64 only holds up to 8 bytes of data.
6183 &quot;booleanValue&quot;: True or False, # boolean
6184 &quot;floatValue&quot;: 3.14, # float
6185 &quot;dayOfWeekValue&quot;: &quot;A String&quot;, # day of week
6186 &quot;timestampValue&quot;: &quot;A String&quot;, # timestamp
6187 &quot;dateValue&quot;: { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date
6188 # and time zone are either specified elsewhere or are not significant. The date
6189 # is relative to the Proleptic Gregorian Calendar. This can represent:
6190 #
6191 # * A full date, with non-zero year, month and day values
6192 # * A month and day value, with a zero year, e.g. an anniversary
6193 # * A year on its own, with zero month and day values
6194 # * A year and month value, with a zero day, e.g. a credit card expiration date
6195 #
6196 # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
6197 &quot;year&quot;: 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
6198 # a year.
6199 &quot;month&quot;: 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
6200 # month and day.
6201 &quot;day&quot;: 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
6202 # if specifying a year by itself or a year and month where the day is not
6203 # significant.
6204 },
6205 &quot;stringValue&quot;: &quot;A String&quot;, # string
6206 &quot;integerValue&quot;: &quot;A String&quot;, # integer
6207 &quot;timeValue&quot;: { # Represents a time of day. The date and time zone are either not significant # time of day
6208 # or are specified elsewhere. An API may choose to allow leap seconds. Related
6209 # types are google.type.Date and `google.protobuf.Timestamp`.
6210 &quot;seconds&quot;: 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
6211 # allow the value 60 if it allows leap-seconds.
6212 &quot;nanos&quot;: 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
6213 &quot;hours&quot;: 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
6214 # to allow the value &quot;24:00:00&quot; for scenarios like business closing time.
6215 &quot;minutes&quot;: 42, # Minutes of hour of day. Must be from 0 to 59.
6216 },
6217 },
6218 },
6219 &quot;characterMaskConfig&quot;: { # Partially mask a string by replacing a given number of characters with a # Mask
6220 # fixed character. Masking can start from the beginning or end of the string.
6221 # This can be used on data of any type (numbers, longs, and so on) and when
6222 # de-identifying structured data we&#x27;ll attempt to preserve the original data&#x27;s
6223 # type. (This allows you to take a long like 123 and modify it to a string like
6224 # **3.)
6225 &quot;reverseOrder&quot;: True or False, # Mask characters in reverse order. For example, if `masking_character` is
6226 # `0`, `number_to_mask` is `14`, and `reverse_order` is `false`, then the
6227 # input string `1234-5678-9012-3456` is masked as `00000000000000-3456`.
6228 # If `masking_character` is `*`, `number_to_mask` is `3`, and `reverse_order`
6229 # is `true`, then the string `12345` is masked as `12***`.
6230 &quot;charactersToIgnore&quot;: [ # When masking a string, items in this list will be skipped when replacing
6231 # characters. For example, if the input string is `555-555-5555` and you
6232 # instruct Cloud DLP to skip `-` and mask 5 characters with `*`, Cloud DLP
6233 # returns `***-**5-5555`.
6234 { # Characters to skip when doing deidentification of a value. These will be left
6235 # alone and skipped.
6236 &quot;charactersToSkip&quot;: &quot;A String&quot;, # Characters to not transform when masking.
6237 &quot;commonCharactersToIgnore&quot;: &quot;A String&quot;, # Common characters to not transform when masking. Useful to avoid removing
6238 # punctuation.
6239 },
6240 ],
6241 &quot;numberToMask&quot;: 42, # Number of characters to mask. If not set, all matching chars will be
6242 # masked. Skipped characters do not count towards this tally.
6243 &quot;maskingCharacter&quot;: &quot;A String&quot;, # Character to use to mask the sensitive values&mdash;for example, `*` for an
6244 # alphabetic string such as a name, or `0` for a numeric string such as ZIP
6245 # code or credit card number. This string must have a length of 1. If not
6246 # supplied, this value defaults to `*` for strings, and `0` for digits.
6247 },
6248 &quot;fixedSizeBucketingConfig&quot;: { # Buckets values based on fixed size ranges. The # Fixed size bucketing
6249 # Bucketing transformation can provide all of this functionality,
6250 # but requires more configuration. This message is provided as a convenience to
6251 # the user for simple bucketing strategies.
6252 #
6253 # The transformed value will be a hyphenated string of
6254 # {lower_bound}-{upper_bound}, i.e., if lower_bound = 10 and upper_bound = 20,
6255 # all values that are within this bucket will be replaced with &quot;10-20&quot;.
6256 #
6257 # This can be used on data of type: double, long.
6258 #
6259 # If the bound Value type differs from the type of data
6260 # being transformed, we will first attempt converting the type of the data to
6261 # be transformed to match the type of the bound before comparing.
6262 #
6263 # See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more.
6264 &quot;lowerBound&quot;: { # Set of primitive values supported by the system. # Required. Lower bound value of buckets. All values less than `lower_bound` are
6265 # grouped together into a single bucket; for example if `lower_bound` = 10,
6266 # then all values less than 10 are replaced with the value &quot;-10&quot;.
6267 # Note that for the purposes of inspection or transformation, the number
6268 # of bytes considered to comprise a &#x27;Value&#x27; is based on its representation
6269 # as a UTF-8 encoded string. For example, if &#x27;integer_value&#x27; is set to
6270 # 123456789, the number of bytes would be counted as 9, even though an
6271 # int64 only holds up to 8 bytes of data.
6272 &quot;booleanValue&quot;: True or False, # boolean
6273 &quot;floatValue&quot;: 3.14, # float
6274 &quot;dayOfWeekValue&quot;: &quot;A String&quot;, # day of week
6275 &quot;timestampValue&quot;: &quot;A String&quot;, # timestamp
6276 &quot;dateValue&quot;: { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date
6277 # and time zone are either specified elsewhere or are not significant. The date
6278 # is relative to the Proleptic Gregorian Calendar. This can represent:
6279 #
6280 # * A full date, with non-zero year, month and day values
6281 # * A month and day value, with a zero year, e.g. an anniversary
6282 # * A year on its own, with zero month and day values
6283 # * A year and month value, with a zero day, e.g. a credit card expiration date
6284 #
6285 # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
6286 &quot;year&quot;: 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
6287 # a year.
6288 &quot;month&quot;: 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
6289 # month and day.
6290 &quot;day&quot;: 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
6291 # if specifying a year by itself or a year and month where the day is not
6292 # significant.
6293 },
6294 &quot;stringValue&quot;: &quot;A String&quot;, # string
6295 &quot;integerValue&quot;: &quot;A String&quot;, # integer
6296 &quot;timeValue&quot;: { # Represents a time of day. The date and time zone are either not significant # time of day
6297 # or are specified elsewhere. An API may choose to allow leap seconds. Related
6298 # types are google.type.Date and `google.protobuf.Timestamp`.
6299 &quot;seconds&quot;: 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
6300 # allow the value 60 if it allows leap-seconds.
6301 &quot;nanos&quot;: 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
6302 &quot;hours&quot;: 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
6303 # to allow the value &quot;24:00:00&quot; for scenarios like business closing time.
6304 &quot;minutes&quot;: 42, # Minutes of hour of day. Must be from 0 to 59.
6305 },
6306 },
6307 &quot;upperBound&quot;: { # Set of primitive values supported by the system. # Required. Upper bound value of buckets. All values greater than upper_bound are
6308 # grouped together into a single bucket; for example if `upper_bound` = 89,
6309 # then all values greater than 89 are replaced with the value &quot;89+&quot;.
6310 # Note that for the purposes of inspection or transformation, the number
6311 # of bytes considered to comprise a &#x27;Value&#x27; is based on its representation
6312 # as a UTF-8 encoded string. For example, if &#x27;integer_value&#x27; is set to
6313 # 123456789, the number of bytes would be counted as 9, even though an
6314 # int64 only holds up to 8 bytes of data.
6315 &quot;booleanValue&quot;: True or False, # boolean
6316 &quot;floatValue&quot;: 3.14, # float
6317 &quot;dayOfWeekValue&quot;: &quot;A String&quot;, # day of week
6318 &quot;timestampValue&quot;: &quot;A String&quot;, # timestamp
6319 &quot;dateValue&quot;: { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date
6320 # and time zone are either specified elsewhere or are not significant. The date
6321 # is relative to the Proleptic Gregorian Calendar. This can represent:
6322 #
6323 # * A full date, with non-zero year, month and day values
6324 # * A month and day value, with a zero year, e.g. an anniversary
6325 # * A year on its own, with zero month and day values
6326 # * A year and month value, with a zero day, e.g. a credit card expiration date
6327 #
6328 # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
6329 &quot;year&quot;: 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
6330 # a year.
6331 &quot;month&quot;: 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
6332 # month and day.
6333 &quot;day&quot;: 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
6334 # if specifying a year by itself or a year and month where the day is not
6335 # significant.
6336 },
6337 &quot;stringValue&quot;: &quot;A String&quot;, # string
6338 &quot;integerValue&quot;: &quot;A String&quot;, # integer
6339 &quot;timeValue&quot;: { # Represents a time of day. The date and time zone are either not significant # time of day
6340 # or are specified elsewhere. An API may choose to allow leap seconds. Related
6341 # types are google.type.Date and `google.protobuf.Timestamp`.
6342 &quot;seconds&quot;: 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
6343 # allow the value 60 if it allows leap-seconds.
6344 &quot;nanos&quot;: 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
6345 &quot;hours&quot;: 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
6346 # to allow the value &quot;24:00:00&quot; for scenarios like business closing time.
6347 &quot;minutes&quot;: 42, # Minutes of hour of day. Must be from 0 to 59.
6348 },
6349 },
6350 &quot;bucketSize&quot;: 3.14, # Required. Size of each bucket (except for minimum and maximum buckets). So if
6351 # `lower_bound` = 10, `upper_bound` = 89, and `bucket_size` = 10, then the
6352 # following buckets would be used: -10, 10-20, 20-30, 30-40, 40-50, 50-60,
6353 # 60-70, 70-80, 80-89, 89+. Precision up to 2 decimals works.
6354 },
6355 },
6356 },
6357 ],
6358 },
6359 },
6360 }</pre>
6361</div>
6362
6363<div class="method">
6364 <code class="details" id="list">list(parent, locationId, pageToken=None, pageSize=None, orderBy=None, x__xgafv=None)</code>
6365 <pre>Lists DeidentifyTemplates.
6366See https://cloud.google.com/dlp/docs/creating-templates-deid to learn
6367more.
6368
6369Args:
6370 parent: string, Required. The parent resource name, for example projects/my-project-id or
6371organizations/my-org-id. (required)
6372 locationId: string, The geographic location where deidentification templates will be retrieved
6373from. Use `-` for all locations. Reserved for future extensions. (required)
6374 pageToken: string, Page token to continue retrieval. Comes from previous call
6375to `ListDeidentifyTemplates`.
6376 pageSize: integer, Size of the page; can be limited by the server. If zero, the server returns
6377a page of max size 100.
6378 orderBy: string, Comma separated list of fields to order by,
6379followed by `asc` or `desc` postfix. This list is case-insensitive,
6380default sorting order is ascending, redundant space characters are
6381insignificant.
6382
6383Example: `name asc,update_time, create_time desc`
6384
6385Supported fields are:
6386
6387- `create_time`: corresponds to time the template was created.
6388- `update_time`: corresponds to time the template was last updated.
6389- `name`: corresponds to template&#x27;s name.
6390- `display_name`: corresponds to template&#x27;s display name.
6391 x__xgafv: string, V1 error format.
6392 Allowed values
6393 1 - v1 error format
6394 2 - v2 error format
6395
6396Returns:
6397 An object of the form:
6398
6399 { # Response message for ListDeidentifyTemplates.
6400 &quot;nextPageToken&quot;: &quot;A String&quot;, # If the next page is available then the next page token to be used
6401 # in following ListDeidentifyTemplates request.
6402 &quot;deidentifyTemplates&quot;: [ # List of deidentify templates, up to page_size in
6403 # ListDeidentifyTemplatesRequest.
6404 { # DeidentifyTemplates contains instructions on how to de-identify content.
6405 # See https://cloud.google.com/dlp/docs/concepts-templates to learn more.
6406 &quot;name&quot;: &quot;A String&quot;, # Output only. The template name.
6407 #
6408 # The template will have one of the following formats:
6409 # `projects/PROJECT_ID/deidentifyTemplates/TEMPLATE_ID` OR
6410 # `organizations/ORGANIZATION_ID/deidentifyTemplates/TEMPLATE_ID`
6411 &quot;description&quot;: &quot;A String&quot;, # Short description (max 256 chars).
6412 &quot;displayName&quot;: &quot;A String&quot;, # Display name (max 256 chars).
6413 &quot;createTime&quot;: &quot;A String&quot;, # Output only. The creation timestamp of an inspectTemplate.
6414 &quot;updateTime&quot;: &quot;A String&quot;, # Output only. The last update timestamp of an inspectTemplate.
6415 &quot;deidentifyConfig&quot;: { # The configuration that controls how the data will change. # The core content of the template.
6416 &quot;transformationErrorHandling&quot;: { # How to handle transformation errors during de-identification. # Mode for handling transformation errors. If left unspecified, the default
6417 # mode is `TransformationErrorHandling.ThrowError`.
6418 # A transformation error occurs when the requested transformation is incompatible
6419 # with the data. For example, trying to de-identify an IP address using a
6420 # `DateShift` transformation would result in a transformation error, since date
6421 # info cannot be extracted from an IP address.
6422 # Information about any incompatible transformations, and how they were
6423 # handled, is returned in the response as part of the
6424 # `TransformationOverviews`.
6425 &quot;throwError&quot;: { # Throw an error and fail the request when a transformation error occurs. # Throw an error
6426 },
6427 &quot;leaveUntransformed&quot;: { # Skips the data without modifying it if the requested transformation would # Ignore errors
6428 # cause an error. For example, if a `DateShift` transformation were applied
6429 # to an IP address, this mode would leave the IP address unchanged in the
6430 # response.
6431 },
6432 },
6433 &quot;recordTransformations&quot;: { # A type of transformation that is applied over structured data such as a table. # Treat the dataset as structured. Transformations can be applied to
6434 # specific locations within structured datasets, such as transforming
6435 # a column within a table.
6437 &quot;recordSuppressions&quot;: [ # Configuration defining which records get suppressed entirely. Records that
6438 # match any suppression rule are omitted from the output.
6439 { # Configuration to suppress records whose suppression conditions evaluate to
6440 # true.
6441 &quot;condition&quot;: { # A condition for determining whether a transformation should be applied to a field. # A condition that when it evaluates to true will result in the record being
6442 # evaluated to be suppressed from the transformed content.
6444 &quot;expressions&quot;: { # An expression, consisting of an operator and conditions. # An expression.
6445 &quot;logicalOperator&quot;: &quot;A String&quot;, # The operator to apply to the result of conditions. Default and currently
6446 # only supported value is `AND`.
6447 &quot;conditions&quot;: { # A collection of conditions. # Conditions to apply to the expression.
6448 &quot;conditions&quot;: [ # A collection of conditions.
6449 { # The field type of `value` and `field` do not need to match to be
6450 # considered equal, but not all comparisons are possible.
6451 # EQUAL_TO and NOT_EQUAL_TO attempt to compare even with incompatible types,
6452 # but all other comparisons are invalid with incompatible types.
6453 # A `value` of type:
6454 #
6455 # - `string` can be compared against all other types
6456 # - `boolean` can only be compared against other booleans
6457 # - `integer` can be compared against doubles or a string if the string value
6458 # can be parsed as an integer.
6459 # - `double` can be compared against integers or a string if the string can
6460 # be parsed as a double.
6461 # - `Timestamp` can be compared against strings in RFC 3339 date string
6462 # format.
6463 # - `TimeOfDay` can be compared against timestamps and strings in the format
6464 # of &#x27;HH:mm:ss&#x27;.
6465 #
6466 # If we fail to compare due to type mismatch, a warning will be given and
6467 # the condition will evaluate to false; in a suppression rule the record is then kept in the output.
6468 &quot;field&quot;: { # General identifier of a data field in a storage service. # Required. Field within the record this condition is evaluated against.
6469 &quot;name&quot;: &quot;A String&quot;, # Name describing the field.
6470 },
6471 &quot;operator&quot;: &quot;A String&quot;, # Required. Operator used to compare the field or infoType to the value.
6472 &quot;value&quot;: { # Set of primitive values supported by the system. # Value to compare against. [Mandatory, except for `EXISTS` tests.]
6473 # Note that for the purposes of inspection or transformation, the number
6474 # of bytes considered to comprise a &#x27;Value&#x27; is based on its representation
6475 # as a UTF-8 encoded string. For example, if &#x27;integer_value&#x27; is set to
6476 # 123456789, the number of bytes would be counted as 9, even though an
6477 # int64 only holds up to 8 bytes of data.
6478 &quot;booleanValue&quot;: True or False, # boolean
6479 &quot;floatValue&quot;: 3.14, # float
6480 &quot;dayOfWeekValue&quot;: &quot;A String&quot;, # day of week
6481 &quot;timestampValue&quot;: &quot;A String&quot;, # timestamp
6482 &quot;dateValue&quot;: { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date
6483 # and time zone are either specified elsewhere or are not significant. The date
6484 # is relative to the Proleptic Gregorian Calendar. This can represent:
6485 #
6486 # * A full date, with non-zero year, month and day values
6487 # * A month and day value, with a zero year, e.g. an anniversary
6488 # * A year on its own, with zero month and day values
6489 # * A year and month value, with a zero day, e.g. a credit card expiration date
6490 #
6491 # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
6492 &quot;year&quot;: 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
6493 # a year.
6494 &quot;month&quot;: 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
6495 # month and day.
6496 &quot;day&quot;: 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
6497 # if specifying a year by itself or a year and month where the day is not
6498 # significant.
6499 },
6500 &quot;stringValue&quot;: &quot;A String&quot;, # string
6501 &quot;integerValue&quot;: &quot;A String&quot;, # integer
6502 &quot;timeValue&quot;: { # Represents a time of day. The date and time zone are either not significant # time of day
6503 # or are specified elsewhere. An API may choose to allow leap seconds. Related
6504 # types are google.type.Date and `google.protobuf.Timestamp`.
6505 &quot;seconds&quot;: 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
6506 # allow the value 60 if it allows leap-seconds.
6507 &quot;nanos&quot;: 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
6508 &quot;hours&quot;: 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
6509 # to allow the value &quot;24:00:00&quot; for scenarios like business closing time.
6510 &quot;minutes&quot;: 42, # Minutes of hour of day. Must be from 0 to 59.
6511 },
6512 },
6513 },
6514 ],
6515 },
6516 },
6517 },
6518 },
6519 ],
6520 &quot;fieldTransformations&quot;: [ # Transform the record by applying various field transformations.
6521 { # The transformation to apply to the field.
6522 &quot;fields&quot;: [ # Required. Input field(s) to apply the transformation to.
6523 { # General identifier of a data field in a storage service.
6524 &quot;name&quot;: &quot;A String&quot;, # Name describing the field.
6525 },
6526 ],
6527 &quot;infoTypeTransformations&quot;: { # A type of transformation that will scan unstructured text and # Treat the contents of the field as free text, and selectively
6528 # transform content that matches an `InfoType`.
6529 # apply various `PrimitiveTransformation`s to each finding, where the
6530 # transformation is applied to only values that were identified as a specific
6531 # info_type.
6532 &quot;transformations&quot;: [ # Required. Transformation for each infoType. Cannot specify more than one
6533 # for a given infoType.
6534 { # A transformation to apply to text that is identified as a specific
6535 # info_type.
6536 &quot;infoTypes&quot;: [ # InfoTypes to apply the transformation to. An empty list will cause
6537 # this transformation to apply to all findings that correspond to
6538 # infoTypes that were requested in `InspectConfig`.
6539 { # Type of information detected by the API.
6540 &quot;name&quot;: &quot;A String&quot;, # Name of the information type. Either a name of your choosing when
6541 # creating a CustomInfoType, or one of the names listed
6542 # at https://cloud.google.com/dlp/docs/infotypes-reference when specifying
6543 # a built-in type. InfoType names should conform to the pattern
6544 # `[a-zA-Z0-9_]{1,64}`.
6545 },
6546 ],
6547 &quot;primitiveTransformation&quot;: { # A rule for transforming a value. # Required. Primitive transformation to apply to the infoType.
6548 &quot;timePartConfig&quot;: { # For use with `Date`, `Timestamp`, and `TimeOfDay`, extract or preserve a # Time extraction
6549 # portion of the value.
6550 &quot;partToExtract&quot;: &quot;A String&quot;, # The part of the time to keep.
6551 },
6552 &quot;dateShiftConfig&quot;: { # Shifts dates by random number of days, with option to be consistent for the # Date Shift
6553 # same context. See https://cloud.google.com/dlp/docs/concepts-date-shifting
6554 # to learn more.
6555 &quot;context&quot;: { # General identifier of a data field in a storage service. # Points to the field that contains the context, for example, an entity id.
6556 # If set, must also set cryptoKey. If set, shift will be consistent for the
6557 # given context.
6558 &quot;name&quot;: &quot;A String&quot;, # Name describing the field.
6559 },
6560 &quot;upperBoundDays&quot;: 42, # Required. Range of shift in days. Actual shift will be selected at random within this
6561 # range (inclusive ends). Negative means shift to earlier in time. Must not
6562 # be more than 365250 days (1000 years) each direction.
6563 #
6564 # For example, 3 means shift date to at most 3 days into the future.
6565 &quot;lowerBoundDays&quot;: 42, # Required. For example, -5 means shift date to at most 5 days back in the past.
6566 &quot;cryptoKey&quot;: { # This is a data encryption key (DEK) (as opposed to # Causes the shift to be computed based on this key and the context. This
6567 # results in the same shift for the same context and crypto_key. If
6568 # set, must also set context. Can only be applied to table items.
6569 # a key encryption key (KEK) stored by KMS).
6570 # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
6571 # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
6572 # unwrap the data crypto key.
6573 &quot;kmsWrapped&quot;: { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key
6574 # The wrapped key must be a 128/192/256 bit key.
6575 # Authorization requires the following IAM permissions when sending a request
6576 # to perform a crypto transformation using a kms-wrapped crypto key:
6577 # dlp.kms.encrypt
6578 &quot;wrappedKey&quot;: &quot;A String&quot;, # Required. The wrapped data crypto key.
6579 &quot;cryptoKeyName&quot;: &quot;A String&quot;, # Required. The resource name of the KMS CryptoKey to use for unwrapping.
6580 },
6581 &quot;unwrapped&quot;: { # Using raw keys is prone to security risks, because the key is embedded unencrypted # Unwrapped crypto key
6582 # in this configuration and can be leaked accidentally. Choose another type of key if possible.
6583 &quot;key&quot;: &quot;A String&quot;, # Required. A 128/192/256 bit key.
6584 },
6585 &quot;transient&quot;: { # Use this to have a random data crypto key generated. # Transient crypto key
6586 # It will be discarded after the request finishes.
6587 &quot;name&quot;: &quot;A String&quot;, # Required. Name of the key.
6588 # This is an arbitrary string used to differentiate different keys.
6589 # A unique key is generated per name: two separate `TransientCryptoKey`
6590 # protos share the same generated key if their names are the same.
6591 # When the data crypto key is generated, this name is not used in any way
6592 # (repeating the api call will result in a different key being generated).
6593 },
6594 },
6595 },
6596 &quot;replaceWithInfoTypeConfig&quot;: { # Replace each matching finding with the name of the info_type. # Replace with infotype
6597 },
6598 &quot;cryptoHashConfig&quot;: { # Pseudonymization method that generates surrogates via cryptographic hashing. # Crypto
6599 # Uses SHA-256.
6600 # The key size must be either 32 or 64 bytes.
6601 # Outputs a base64 encoded representation of the hashed output
6602 # (for example, L7k0BHmF1ha5U3NfGykjro4xWi1MPVQPjhMAZbSV9mM=).
6603 # Currently, only string and integer values can be hashed.
6604 # See https://cloud.google.com/dlp/docs/pseudonymization to learn more.
6605 &quot;cryptoKey&quot;: { # This is a data encryption key (DEK) (as opposed to # The key used by the hash function.
6606 # a key encryption key (KEK) stored by KMS).
6607 # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
6608 # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
6609 # unwrap the data crypto key.
6610 &quot;kmsWrapped&quot;: { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key
6611 # The wrapped key must be a 128/192/256 bit key.
6612 # Authorization requires the following IAM permissions when sending a request
6613 # to perform a crypto transformation using a kms-wrapped crypto key:
6614 # dlp.kms.encrypt
6615 &quot;wrappedKey&quot;: &quot;A String&quot;, # Required. The wrapped data crypto key.
6616 &quot;cryptoKeyName&quot;: &quot;A String&quot;, # Required. The resource name of the KMS CryptoKey to use for unwrapping.
6617 },
6618 &quot;unwrapped&quot;: { # Using raw keys is prone to security risks, because the key is embedded unencrypted # Unwrapped crypto key
6619 # in this configuration and can be leaked accidentally. Choose another type of key if possible.
6620 &quot;key&quot;: &quot;A String&quot;, # Required. A 128/192/256 bit key.
6621 },
6622 &quot;transient&quot;: { # Use this to have a random data crypto key generated. # Transient crypto key
6623 # It will be discarded after the request finishes.
6624 &quot;name&quot;: &quot;A String&quot;, # Required. Name of the key.
6625 # This is an arbitrary string used to differentiate different keys.
6626 # A unique key is generated per name: two separate `TransientCryptoKey`
6627 # protos share the same generated key if their names are the same.
6628 # When the data crypto key is generated, this name is not used in any way
6629 # (repeating the api call will result in a different key being generated).
6630 },
6631 },
6632 },
6633 &quot;cryptoReplaceFfxFpeConfig&quot;: { # Replaces an identifier with a surrogate using Format Preserving Encryption # Ffx-Fpe
6634 # (FPE) with the FFX mode of operation; however when used in the
6635 # `ReidentifyContent` API method, it serves the opposite function by reversing
6636 # the surrogate back into the original identifier. The identifier must be
6637 # encoded as ASCII. For a given crypto key and context, the same identifier
6638 # will be replaced with the same surrogate. Identifiers must be at least two
6639 # characters long. In the case that the identifier is the empty string, it will
6640 # be skipped. See https://cloud.google.com/dlp/docs/pseudonymization to learn
6641 # more.
6642 #
6643 # Note: We recommend using CryptoDeterministicConfig for all use cases which
6644 # do not require preserving the input alphabet space and size, plus warrant
6645 # referential integrity.
6646 &quot;customAlphabet&quot;: &quot;A String&quot;, # A custom alphabet is supported by mapping its characters to the alphanumeric characters
6647 # that the FFX mode natively supports. This mapping happens before/after
6648 # encryption/decryption.
6649 # Each character listed must appear only once.
6650 # Number of characters must be in the range [2, 95].
6651 # This must be encoded as ASCII.
6652 # The order of characters does not matter.
6653 &quot;commonAlphabet&quot;: &quot;A String&quot;, # Common alphabets.
6654 &quot;surrogateInfoType&quot;: { # Type of information detected by the API. # The custom infoType to annotate the surrogate with.
6655 # This annotation will be applied to the surrogate by prefixing it with
6656 # the name of the custom infoType followed by the number of
6657 # characters comprising the surrogate. The following scheme defines the
6658 # format: info_type_name(surrogate_character_count):surrogate
6659 #
6660 # For example, if the name of custom infoType is &#x27;MY_TOKEN_INFO_TYPE&#x27; and
6661 # the surrogate is &#x27;abc&#x27;, the full replacement value
6662 # will be: &#x27;MY_TOKEN_INFO_TYPE(3):abc&#x27;
6663 #
6664 # This annotation identifies the surrogate when inspecting content using the
6665 # custom infoType
6666 # [`SurrogateType`](/dlp/docs/reference/rest/v2/InspectConfig#surrogatetype).
6667 # This facilitates reversal of the surrogate when it occurs in free text.
6668 #
6669 # In order for inspection to work properly, the name of this infoType must
6670 # not occur naturally anywhere in your data; otherwise, inspection may
6671 # find a surrogate that does not correspond to an actual identifier.
6672 # Therefore, choose your custom infoType name carefully after considering
6673 # what your data looks like. One way to select a name that has a high chance
6674 # of yielding reliable detection is to include one or more unicode characters
6675 # that are highly improbable to exist in your data.
6676 # For example, assuming your data is entered from a regular ASCII keyboard,
6677 # the symbol with the hex code point 29DD might be used like so:
6678 # ⧝MY_TOKEN_TYPE
6679 &quot;name&quot;: &quot;A String&quot;, # Name of the information type. Either a name of your choosing when
6680 # creating a CustomInfoType, or one of the names listed
6681 # at https://cloud.google.com/dlp/docs/infotypes-reference when specifying
6682 # a built-in type. InfoType names should conform to the pattern
6683 # `[a-zA-Z0-9_]{1,64}`.
6684 },
6685 &quot;context&quot;: { # General identifier of a data field in a storage service. # The &#x27;tweak&#x27;. A context may be used for higher security, since the same
6686 # identifier in two different contexts won&#x27;t be given the same surrogate. If
6687 # the context is not set, a default tweak will be used.
6688 #
6689 # If the context is set but:
6690 #
6691 # 1. there is no record present when transforming a given value or
6692 # 2. the field is not present when transforming a given value,
6693 #
6694 # a default tweak will be used.
6695 #
6696 # Note that case (1) is expected when an `InfoTypeTransformation` is
6697 # applied to both structured and non-structured `ContentItem`s.
6698 # Currently, the referenced field may be of value type integer or string.
6699 #
6700 # The tweak is constructed as a sequence of bytes in big endian byte order
6701 # such that:
6702 #
6703 # - a 64 bit integer is encoded followed by a single byte of value 1
6704 # - a string is encoded in UTF-8 format followed by a single byte of value 2
6705 &quot;name&quot;: &quot;A String&quot;, # Name describing the field.
6706 },
6707 &quot;radix&quot;: 42, # The native way to select the alphabet. Must be in the range [2, 95].
6708 &quot;cryptoKey&quot;: { # This is a data encryption key (DEK) (as opposed to # Required. The key used by the encryption algorithm.
6709 # a key encryption key (KEK) stored by KMS).
6710 # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
6711 # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
6712 # unwrap the data crypto key.
6713 &quot;kmsWrapped&quot;: { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key
6714 # The wrapped key must be a 128/192/256 bit key.
6715 # Authorization requires the following IAM permissions when sending a request
6716 # to perform a crypto transformation using a kms-wrapped crypto key:
6717 # dlp.kms.encrypt
6718 &quot;wrappedKey&quot;: &quot;A String&quot;, # Required. The wrapped data crypto key.
6719 &quot;cryptoKeyName&quot;: &quot;A String&quot;, # Required. The resource name of the KMS CryptoKey to use for unwrapping.
6720 },
6721 &quot;unwrapped&quot;: { # Using raw keys is prone to security risks, because the key is embedded unencrypted # Unwrapped crypto key
6722 # in this configuration and can be leaked accidentally. Choose another type of key if possible.
6723 &quot;key&quot;: &quot;A String&quot;, # Required. A 128/192/256 bit key.
6724 },
6725 &quot;transient&quot;: { # Use this to have a random data crypto key generated. # Transient crypto key
6726 # It will be discarded after the request finishes.
6727 &quot;name&quot;: &quot;A String&quot;, # Required. Name of the key.
6728 # This is an arbitrary string used to differentiate different keys.
6729 # A unique key is generated per name: two separate `TransientCryptoKey`
6730 # protos share the same generated key if their names are the same.
6731 # When the data crypto key is generated, this name is not used in any way
6732 # (repeating the api call will result in a different key being generated).
6733 },
6734 },
6735 },
6736 &quot;cryptoDeterministicConfig&quot;: { # Pseudonymization method that generates deterministic encryption for the given # Deterministic Crypto
6737 # input. Outputs a base64 encoded representation of the encrypted output.
6738 # Uses AES-SIV based on the RFC https://tools.ietf.org/html/rfc5297.
6739 &quot;surrogateInfoType&quot;: { # Type of information detected by the API. # The custom info type to annotate the surrogate with.
6740 # This annotation will be applied to the surrogate by prefixing it with
6741 # the name of the custom info type followed by the number of
6742 # characters comprising the surrogate. The following scheme defines the
6743 # format: {info type name}({surrogate character count}):{surrogate}
6744 #
6745 # For example, if the name of custom info type is &#x27;MY_TOKEN_INFO_TYPE&#x27; and
6746 # the surrogate is &#x27;abc&#x27;, the full replacement value
6747 # will be: &#x27;MY_TOKEN_INFO_TYPE(3):abc&#x27;
6748 #
6749 # This annotation identifies the surrogate when inspecting content using the
6750 # custom info type &#x27;Surrogate&#x27;. This facilitates reversal of the
6751 # surrogate when it occurs in free text.
6752 #
6753 # Note: For record transformations where the entire cell in a table is being
6754 # transformed, surrogates are not mandatory. Surrogates are used to denote
6755 # the location of the token and are necessary for re-identification in free
6756 # form text.
6757 #
6758 # In order for inspection to work properly, the name of this info type must
6759 # not occur naturally anywhere in your data; otherwise, inspection may either
6760 #
6761 # - reverse a surrogate that does not correspond to an actual identifier
6762 # - be unable to parse the surrogate and result in an error
6763 #
6764 # Therefore, choose your custom info type name carefully after considering
6765 # what your data looks like. One way to select a name that has a high chance
6766 # of yielding reliable detection is to include one or more unicode characters
6767 # that are highly improbable to exist in your data.
6768 # For example, assuming your data is entered from a regular ASCII keyboard,
6769 # the symbol with the hex code point 29DD might be used like so:
6770 # ⧝MY_TOKEN_TYPE.
6771 &quot;name&quot;: &quot;A String&quot;, # Name of the information type. Either a name of your choosing when
6772 # creating a CustomInfoType, or one of the names listed
6773 # at https://cloud.google.com/dlp/docs/infotypes-reference when specifying
6774 # a built-in type. InfoType names should conform to the pattern
6775 # `[a-zA-Z0-9_]{1,64}`.
6776 },
6777 &quot;context&quot;: { # General identifier of a data field in a storage service. # A context may be used for higher security and maintaining
6778 # referential integrity such that the same identifier in two different
6779 # contexts will be given a distinct surrogate. The context is appended to
6780 # the plaintext value being encrypted. On decryption, the provided context is
6781 # validated against the value used during encryption. If a context was
6782 # provided during encryption, the same context must be provided during decryption
6783 # as well.
6784 #
6785 # If the context is not set, plaintext would be used as is for encryption.
6786 # If the context is set but:
6787 #
6788 # 1. there is no record present when transforming a given value or
6789 # 2. the field is not present when transforming a given value,
6790 #
6791 # plaintext would be used as is for encryption.
6792 #
6793 # Note that case (1) is expected when an `InfoTypeTransformation` is
6794 # applied to both structured and non-structured `ContentItem`s.
6795 &quot;name&quot;: &quot;A String&quot;, # Name describing the field.
6796 },
6797 &quot;cryptoKey&quot;: { # This is a data encryption key (DEK) (as opposed to # The key used by the encryption function.
6798 # a key encryption key (KEK) stored by KMS).
6799 # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
6800 # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
6801 # unwrap the data crypto key.
6802 &quot;kmsWrapped&quot;: { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key
6803 # The wrapped key must be a 128/192/256 bit key.
6804 # Authorization requires the following IAM permissions when sending a request
6805 # to perform a crypto transformation using a kms-wrapped crypto key:
6806 # dlp.kms.encrypt
6807 &quot;wrappedKey&quot;: &quot;A String&quot;, # Required. The wrapped data crypto key.
6808 &quot;cryptoKeyName&quot;: &quot;A String&quot;, # Required. The resource name of the KMS CryptoKey to use for unwrapping.
6809 },
6810 &quot;unwrapped&quot;: { # Using raw keys is prone to security risks, because the key is embedded unencrypted # Unwrapped crypto key
6811 # in this configuration and can be leaked accidentally. Choose another type of key if possible.
6812 &quot;key&quot;: &quot;A String&quot;, # Required. A 128/192/256 bit key.
6813 },
6814 &quot;transient&quot;: { # Use this to have a random data crypto key generated. # Transient crypto key
6815 # It will be discarded after the request finishes.
6816 &quot;name&quot;: &quot;A String&quot;, # Required. Name of the key.
6817 # This is an arbitrary string used to differentiate different keys.
6818 # A unique key is generated per name: two separate `TransientCryptoKey`
6819 # protos share the same generated key if their names are the same.
6820 # When the data crypto key is generated, this name is not used in any way
6821 # (repeating the api call will result in a different key being generated).
6822 },
6823 },
6824 },
6825 &quot;redactConfig&quot;: { # Redact a given value. For example, if used with an `InfoTypeTransformation` # Redact
6826 # transforming PHONE_NUMBER, and input &#x27;My phone number is 206-555-0123&#x27;, the
6827 # output would be &#x27;My phone number is &#x27;.
6828 },
6829 &quot;bucketingConfig&quot;: { # Generalization function that buckets values based on ranges. The ranges and # Bucketing
6830 # replacement values are dynamically provided by the user for custom behavior,
6831 # such as 1-30 -&gt; LOW, 31-65 -&gt; MEDIUM, 66-100 -&gt; HIGH.
6832 # This can be used on
6833 # data of type: number, long, string, timestamp.
6834 # If the bound `Value` type differs from the type of data being transformed, we
6835 # will first attempt converting the type of the data to be transformed to match
6836 # the type of the bound before comparing.
6837 # See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more.
6838 &quot;buckets&quot;: [ # Set of buckets. Ranges must be non-overlapping.
6839 { # Bucket is represented as a range, along with replacement values.
6840 &quot;min&quot;: { # Set of primitive values supported by the system. # Lower bound of the range, inclusive. Type should be the same as max if
6841 # used.
6842 # Note that for the purposes of inspection or transformation, the number
6843 # of bytes considered to comprise a &#x27;Value&#x27; is based on its representation
6844 # as a UTF-8 encoded string. For example, if &#x27;integer_value&#x27; is set to
6845 # 123456789, the number of bytes would be counted as 9, even though an
6846 # int64 only holds up to 8 bytes of data.
6847 &quot;booleanValue&quot;: True or False, # boolean
6848 &quot;floatValue&quot;: 3.14, # float
6849 &quot;dayOfWeekValue&quot;: &quot;A String&quot;, # day of week
6850 &quot;timestampValue&quot;: &quot;A String&quot;, # timestamp
6851 &quot;dateValue&quot;: { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date
6852 # and time zone are either specified elsewhere or are not significant. The date
6853 # is relative to the Proleptic Gregorian Calendar. This can represent:
6854 #
6855 # * A full date, with non-zero year, month and day values
6856 # * A month and day value, with a zero year, e.g. an anniversary
6857 # * A year on its own, with zero month and day values
6858 # * A year and month value, with a zero day, e.g. a credit card expiration date
6859 #
6860 # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
6861 &quot;year&quot;: 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
6862 # a year.
6863 &quot;month&quot;: 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
6864 # month and day.
6865 &quot;day&quot;: 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
6866 # if specifying a year by itself or a year and month where the day is not
6867 # significant.
6868 },
6869 &quot;stringValue&quot;: &quot;A String&quot;, # string
6870 &quot;integerValue&quot;: &quot;A String&quot;, # integer
6871 &quot;timeValue&quot;: { # Represents a time of day. The date and time zone are either not significant # time of day
6872 # or are specified elsewhere. An API may choose to allow leap seconds. Related
6873 # types are google.type.Date and `google.protobuf.Timestamp`.
6874 &quot;seconds&quot;: 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
6875 # allow the value 60 if it allows leap-seconds.
6876 &quot;nanos&quot;: 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
6877 &quot;hours&quot;: 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
6878 # to allow the value &quot;24:00:00&quot; for scenarios like business closing time.
6879 &quot;minutes&quot;: 42, # Minutes of hour of day. Must be from 0 to 59.
6880 },
6881 },
6882 &quot;max&quot;: { # Set of primitive values supported by the system. # Upper bound of the range, exclusive; type must match min.
6883 # Note that for the purposes of inspection or transformation, the number
6884 # of bytes considered to comprise a &#x27;Value&#x27; is based on its representation
6885 # as a UTF-8 encoded string. For example, if &#x27;integer_value&#x27; is set to
6886 # 123456789, the number of bytes would be counted as 9, even though an
6887 # int64 only holds up to 8 bytes of data.
6888 &quot;booleanValue&quot;: True or False, # boolean
6889 &quot;floatValue&quot;: 3.14, # float
6890 &quot;dayOfWeekValue&quot;: &quot;A String&quot;, # day of week
6891 &quot;timestampValue&quot;: &quot;A String&quot;, # timestamp
6892 &quot;dateValue&quot;: { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date
6893 # and time zone are either specified elsewhere or are not significant. The date
6894 # is relative to the Proleptic Gregorian Calendar. This can represent:
6895 #
6896 # * A full date, with non-zero year, month and day values
6897 # * A month and day value, with a zero year, e.g. an anniversary
6898 # * A year on its own, with zero month and day values
6899 # * A year and month value, with a zero day, e.g. a credit card expiration date
6900 #
6901 # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
6902 &quot;year&quot;: 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
6903 # a year.
6904 &quot;month&quot;: 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
6905 # month and day.
6906 &quot;day&quot;: 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
6907 # if specifying a year by itself or a year and month where the day is not
6908 # significant.
6909 },
6910 &quot;stringValue&quot;: &quot;A String&quot;, # string
6911 &quot;integerValue&quot;: &quot;A String&quot;, # integer
6912 &quot;timeValue&quot;: { # Represents a time of day. The date and time zone are either not significant # time of day
6913 # or are specified elsewhere. An API may choose to allow leap seconds. Related
6914 # types are google.type.Date and `google.protobuf.Timestamp`.
6915 &quot;seconds&quot;: 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
6916 # allow the value 60 if it allows leap-seconds.
6917 &quot;nanos&quot;: 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
6918 &quot;hours&quot;: 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
6919 # to allow the value &quot;24:00:00&quot; for scenarios like business closing time.
6920 &quot;minutes&quot;: 42, # Minutes of hour of day. Must be from 0 to 59.
6921 },
6922 },
6923 &quot;replacementValue&quot;: { # Set of primitive values supported by the system. # Replacement value for this bucket. If not provided
6924 # the default behavior will be to hyphenate the min-max range.
6925 # Note that for the purposes of inspection or transformation, the number
6926 # of bytes considered to comprise a &#x27;Value&#x27; is based on its representation
6927 # as a UTF-8 encoded string. For example, if &#x27;integer_value&#x27; is set to
6928 # 123456789, the number of bytes would be counted as 9, even though an
6929 # int64 only holds up to 8 bytes of data.
6930 &quot;booleanValue&quot;: True or False, # boolean
6931 &quot;floatValue&quot;: 3.14, # float
6932 &quot;dayOfWeekValue&quot;: &quot;A String&quot;, # day of week
6933 &quot;timestampValue&quot;: &quot;A String&quot;, # timestamp
6934 &quot;dateValue&quot;: { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date
6935 # and time zone are either specified elsewhere or are not significant. The date
6936 # is relative to the Proleptic Gregorian Calendar. This can represent:
6937 #
6938 # * A full date, with non-zero year, month and day values
6939 # * A month and day value, with a zero year, e.g. an anniversary
6940 # * A year on its own, with zero month and day values
6941 # * A year and month value, with a zero day, e.g. a credit card expiration date
6942 #
6943 # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
6944 &quot;year&quot;: 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
6945 # a year.
6946 &quot;month&quot;: 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
6947 # month and day.
6948 &quot;day&quot;: 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
6949 # if specifying a year by itself or a year and month where the day is not
6950 # significant.
6951 },
6952 &quot;stringValue&quot;: &quot;A String&quot;, # string
6953 &quot;integerValue&quot;: &quot;A String&quot;, # integer
6954 &quot;timeValue&quot;: { # Represents a time of day. The date and time zone are either not significant # time of day
6955 # or are specified elsewhere. An API may choose to allow leap seconds. Related
6956 # types are google.type.Date and `google.protobuf.Timestamp`.
6957 &quot;seconds&quot;: 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
6958 # allow the value 60 if it allows leap-seconds.
6959 &quot;nanos&quot;: 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
6960 &quot;hours&quot;: 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
6961 # to allow the value &quot;24:00:00&quot; for scenarios like business closing time.
6962 &quot;minutes&quot;: 42, # Minutes of hour of day. Must be from 0 to 59.
6963 },
6964 },
6965 },
6966 ],
6967 },
6968 &quot;replaceConfig&quot;: { # Replace each input value with a given `Value`. # Replace
6969 &quot;newValue&quot;: { # Set of primitive values supported by the system. # Value to replace it with.
6970 # Note that for the purposes of inspection or transformation, the number
6971 # of bytes considered to comprise a &#x27;Value&#x27; is based on its representation
6972 # as a UTF-8 encoded string. For example, if &#x27;integer_value&#x27; is set to
6973 # 123456789, the number of bytes would be counted as 9, even though an
6974 # int64 only holds up to 8 bytes of data.
6975 &quot;booleanValue&quot;: True or False, # boolean
6976 &quot;floatValue&quot;: 3.14, # float
6977 &quot;dayOfWeekValue&quot;: &quot;A String&quot;, # day of week
6978 &quot;timestampValue&quot;: &quot;A String&quot;, # timestamp
6979 &quot;dateValue&quot;: { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date
6980 # and time zone are either specified elsewhere or are not significant. The date
6981 # is relative to the Proleptic Gregorian Calendar. This can represent:
6982 #
6983 # * A full date, with non-zero year, month and day values
6984 # * A month and day value, with a zero year, e.g. an anniversary
6985 # * A year on its own, with zero month and day values
6986 # * A year and month value, with a zero day, e.g. a credit card expiration date
6987 #
6988 # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
6989 &quot;year&quot;: 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
6990 # a year.
6991 &quot;month&quot;: 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
6992 # month and day.
6993 &quot;day&quot;: 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
6994 # if specifying a year by itself or a year and month where the day is not
6995 # significant.
6996 },
6997 &quot;stringValue&quot;: &quot;A String&quot;, # string
6998 &quot;integerValue&quot;: &quot;A String&quot;, # integer
6999 &quot;timeValue&quot;: { # Represents a time of day. The date and time zone are either not significant # time of day
7000 # or are specified elsewhere. An API may choose to allow leap seconds. Related
7001 # types are google.type.Date and `google.protobuf.Timestamp`.
7002 &quot;seconds&quot;: 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
7003 # allow the value 60 if it allows leap-seconds.
7004 &quot;nanos&quot;: 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
7005 &quot;hours&quot;: 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
7006 # to allow the value &quot;24:00:00&quot; for scenarios like business closing time.
7007 &quot;minutes&quot;: 42, # Minutes of hour of day. Must be from 0 to 59.
7008 },
7009 },
7010 },
7011 &quot;characterMaskConfig&quot;: { # Partially mask a string by replacing a given number of characters with a # Mask
7012 # fixed character. Masking can start from the beginning or end of the string.
7013 # This can be used on data of any type (numbers, longs, and so on) and when
7014 # de-identifying structured data we&#x27;ll attempt to preserve the original data&#x27;s
7015 # type. (This allows you to take a long like 123 and modify it to a string like
7016 # **3.)
7017 &quot;reverseOrder&quot;: True or False, # Mask characters in reverse order. For example, if `masking_character` is
7018 # `0`, `number_to_mask` is `14`, and `reverse_order` is `false`, then the
7019 # input string `1234-5678-9012-3456` is masked as `00000000000000-3456`.
7020 # If `masking_character` is `*`, `number_to_mask` is `3`, and `reverse_order`
7021 # is `true`, then the string `12345` is masked as `12***`.
7022 &quot;charactersToIgnore&quot;: [ # When masking a string, items in this list will be skipped when replacing
7023 # characters. For example, if the input string is `555-555-5555` and you
7024 # instruct Cloud DLP to skip `-` and mask 5 characters with `*`, Cloud DLP
7025 # returns `***-**5-5555`.
7026 { # Characters to skip when doing deidentification of a value. These will be left
7027 # alone and skipped.
7028 &quot;charactersToSkip&quot;: &quot;A String&quot;, # Characters to not transform when masking.
7029 &quot;commonCharactersToIgnore&quot;: &quot;A String&quot;, # Common characters to not transform when masking. Useful to avoid removing
7030 # punctuation.
7031 },
7032 ],
7033 &quot;numberToMask&quot;: 42, # Number of characters to mask. If not set, all matching chars will be
7034 # masked. Skipped characters do not count towards this tally.
7035 &quot;maskingCharacter&quot;: &quot;A String&quot;, # Character to use to mask the sensitive values—for example, `*` for an
7036 # alphabetic string such as a name, or `0` for a numeric string such as ZIP
7037 # code or credit card number. This string must have a length of 1. If not
7038 # supplied, this value defaults to `*` for strings, and `0` for digits.
7039 },
7040 &quot;fixedSizeBucketingConfig&quot;: { # Buckets values based on fixed size ranges. The # Fixed size bucketing
7041 # Bucketing transformation can provide all of this functionality,
7042 # but requires more configuration. This message is provided as a convenience to
7043 # the user for simple bucketing strategies.
7044 #
7045 # The transformed value will be a hyphenated string of
7046 # {lower_bound}-{upper_bound}; for example, if lower_bound = 10 and upper_bound = 20,
7047 # all values that are within this bucket will be replaced with &quot;10-20&quot;.
7048 #
7049 # This can be used on data of type: double, long.
7050 #
7051 # If the bound Value type differs from the type of data
7052 # being transformed, we will first attempt converting the type of the data to
7053 # be transformed to match the type of the bound before comparing.
7054 #
7055 # See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more.
7056 &quot;lowerBound&quot;: { # Set of primitive values supported by the system. # Required. Lower bound value of buckets. All values less than `lower_bound` are
7057 # grouped together into a single bucket; for example if `lower_bound` = 10,
7058 # then all values less than 10 are replaced with the value &quot;-10&quot;.
7059 # Note that for the purposes of inspection or transformation, the number
7060 # of bytes considered to comprise a &#x27;Value&#x27; is based on its representation
7061 # as a UTF-8 encoded string. For example, if &#x27;integer_value&#x27; is set to
7062 # 123456789, the number of bytes would be counted as 9, even though an
7063 # int64 only holds up to 8 bytes of data.
7064 &quot;booleanValue&quot;: True or False, # boolean
7065 &quot;floatValue&quot;: 3.14, # float
7066 &quot;dayOfWeekValue&quot;: &quot;A String&quot;, # day of week
7067 &quot;timestampValue&quot;: &quot;A String&quot;, # timestamp
7068 &quot;dateValue&quot;: { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date
7069 # and time zone are either specified elsewhere or are not significant. The date
7070 # is relative to the Proleptic Gregorian Calendar. This can represent:
7071 #
7072 # * A full date, with non-zero year, month and day values
7073 # * A month and day value, with a zero year, e.g. an anniversary
7074 # * A year on its own, with zero month and day values
7075 # * A year and month value, with a zero day, e.g. a credit card expiration date
7076 #
7077 # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
7078 &quot;year&quot;: 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
7079 # a year.
7080 &quot;month&quot;: 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
7081 # month and day.
7082 &quot;day&quot;: 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
7083 # if specifying a year by itself or a year and month where the day is not
7084 # significant.
7085 },
7086 &quot;stringValue&quot;: &quot;A String&quot;, # string
7087 &quot;integerValue&quot;: &quot;A String&quot;, # integer
7088 &quot;timeValue&quot;: { # Represents a time of day. The date and time zone are either not significant # time of day
7089 # or are specified elsewhere. An API may choose to allow leap seconds. Related
7090 # types are google.type.Date and `google.protobuf.Timestamp`.
7091 &quot;seconds&quot;: 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
7092 # allow the value 60 if it allows leap-seconds.
7093 &quot;nanos&quot;: 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
7094 &quot;hours&quot;: 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
7095 # to allow the value &quot;24:00:00&quot; for scenarios like business closing time.
7096 &quot;minutes&quot;: 42, # Minutes of hour of day. Must be from 0 to 59.
7097 },
7098 },
7099 &quot;upperBound&quot;: { # Set of primitive values supported by the system. # Required. Upper bound value of buckets. All values greater than upper_bound are
7100 # grouped together into a single bucket; for example if `upper_bound` = 89,
7101 # then all values greater than 89 are replaced with the value &quot;89+&quot;.
7102 # Note that for the purposes of inspection or transformation, the number
7103 # of bytes considered to comprise a &#x27;Value&#x27; is based on its representation
7104 # as a UTF-8 encoded string. For example, if &#x27;integer_value&#x27; is set to
7105 # 123456789, the number of bytes would be counted as 9, even though an
7106 # int64 only holds up to 8 bytes of data.
7107 &quot;booleanValue&quot;: True or False, # boolean
7108 &quot;floatValue&quot;: 3.14, # float
7109 &quot;dayOfWeekValue&quot;: &quot;A String&quot;, # day of week
7110 &quot;timestampValue&quot;: &quot;A String&quot;, # timestamp
7111 &quot;dateValue&quot;: { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date
7112 # and time zone are either specified elsewhere or are not significant. The date
7113 # is relative to the Proleptic Gregorian Calendar. This can represent:
7114 #
7115 # * A full date, with non-zero year, month and day values
7116 # * A month and day value, with a zero year, e.g. an anniversary
7117 # * A year on its own, with zero month and day values
7118 # * A year and month value, with a zero day, e.g. a credit card expiration date
7119 #
7120 # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
7121 &quot;year&quot;: 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
7122 # a year.
7123 &quot;month&quot;: 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
7124 # month and day.
7125 &quot;day&quot;: 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
7126 # if specifying a year by itself or a year and month where the day is not
7127 # significant.
7128 },
7129 &quot;stringValue&quot;: &quot;A String&quot;, # string
7130 &quot;integerValue&quot;: &quot;A String&quot;, # integer
7131 &quot;timeValue&quot;: { # Represents a time of day. The date and time zone are either not significant # time of day
7132 # or are specified elsewhere. An API may choose to allow leap seconds. Related
7133 # types are google.type.Date and `google.protobuf.Timestamp`.
7134 &quot;seconds&quot;: 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
7135 # allow the value 60 if it allows leap-seconds.
7136 &quot;nanos&quot;: 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
7137 &quot;hours&quot;: 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
7138 # to allow the value &quot;24:00:00&quot; for scenarios like business closing time.
7139 &quot;minutes&quot;: 42, # Minutes of hour of day. Must be from 0 to 59.
7140 },
7141 },
7142 &quot;bucketSize&quot;: 3.14, # Required. Size of each bucket (except for minimum and maximum buckets). So if
7143 # `lower_bound` = 10, `upper_bound` = 89, and `bucket_size` = 10, then the
7144 # following buckets would be used: -10, 10-20, 20-30, 30-40, 40-50, 50-60,
7145 # 60-70, 70-80, 80-89, 89+. Precision up to 2 decimals works.
7146 },
7147 },
7148 },
7149 ],
7150 },
7151 &quot;primitiveTransformation&quot;: { # A rule for transforming a value. # Apply the transformation to the entire field.
7152 &quot;timePartConfig&quot;: { # For use with `Date`, `Timestamp`, and `TimeOfDay`, extract or preserve a # Time extraction
7153 # portion of the value.
7154 &quot;partToExtract&quot;: &quot;A String&quot;, # The part of the time to keep.
7155 },
7156 &quot;dateShiftConfig&quot;: { # Shifts dates by a random number of days, with the option to be consistent for the # Date Shift
7157 # same context. See https://cloud.google.com/dlp/docs/concepts-date-shifting
7158 # to learn more.
7159 &quot;context&quot;: { # General identifier of a data field in a storage service. # Points to the field that contains the context, for example, an entity id.
7160 # If set, must also set cryptoKey. If set, shift will be consistent for the
7161 # given context.
7162 &quot;name&quot;: &quot;A String&quot;, # Name describing the field.
7163 },
7164 &quot;upperBoundDays&quot;: 42, # Required. Range of shift in days. Actual shift will be selected at random within this
7165 # range (inclusive ends). Negative means shift to earlier in time. Must not
7166 # be more than 365250 days (1000 years) each direction.
7167 #
7168 # For example, 3 means shift date to at most 3 days into the future.
7169 &quot;lowerBoundDays&quot;: 42, # Required. For example, -5 means shift date to at most 5 days back in the past.
7170 &quot;cryptoKey&quot;: { # Causes the shift to be computed based on this key and the context. This
7171 # results in the same shift for the same context and crypto_key. If
7172 # set, must also set context. Can only be applied to table items.
7173 # This is a data encryption key (DEK) (as opposed to a key encryption key (KEK) stored by KMS).
7174 # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
7175 # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
7176 # unwrap the data crypto key.
7177 &quot;kmsWrapped&quot;: { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key
7178 # The wrapped key must be a 128/192/256 bit key.
7179 # Authorization requires the following IAM permissions when sending a request
7180 # to perform a crypto transformation using a kms-wrapped crypto key:
7181 # dlp.kms.encrypt
7182 &quot;wrappedKey&quot;: &quot;A String&quot;, # Required. The wrapped data crypto key.
7183 &quot;cryptoKeyName&quot;: &quot;A String&quot;, # Required. The resource name of the KMS CryptoKey to use for unwrapping.
7184 },
7185 &quot;unwrapped&quot;: { # Using raw keys is prone to security risks because the key can be leaked accidentally. # Unwrapped crypto key
7186 # The key material is supplied unwrapped in the `key` field; choose another type of key (`kmsWrapped` or `transient`) if possible.
7187 &quot;key&quot;: &quot;A String&quot;, # Required. A 128/192/256 bit key.
7188 },
7189 &quot;transient&quot;: { # Use this to have a random data crypto key generated. # Transient crypto key
7190 # It will be discarded after the request finishes.
7191 &quot;name&quot;: &quot;A String&quot;, # Required. Name of the key.
7192 # This is an arbitrary string used to differentiate different keys.
7193 # A unique key is generated per name: two separate `TransientCryptoKey`
7194 # protos share the same generated key if their names are the same.
7195 # When the data crypto key is generated, this name is not used in any way
7196 # (repeating the api call will result in a different key being generated).
7197 },
7198 },
7199 },
7200 &quot;replaceWithInfoTypeConfig&quot;: { # Replace each matching finding with the name of the info_type. # Replace with infotype
7201 },
7202 &quot;cryptoHashConfig&quot;: { # Pseudonymization method that generates surrogates via cryptographic hashing. # Crypto
7203 # Uses SHA-256.
7204 # The key size must be either 32 or 64 bytes.
7205 # Outputs a base64 encoded representation of the hashed output
7206 # (for example, L7k0BHmF1ha5U3NfGykjro4xWi1MPVQPjhMAZbSV9mM=).
7207 # Currently, only string and integer values can be hashed.
7208 # See https://cloud.google.com/dlp/docs/pseudonymization to learn more.
7209 &quot;cryptoKey&quot;: { # The key used by the hash function. This is a data encryption key (DEK) (as opposed to
7210 # a key encryption key (KEK) stored by KMS).
7211 # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
7212 # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
7213 # unwrap the data crypto key.
7214 &quot;kmsWrapped&quot;: { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key
7215 # The wrapped key must be a 128/192/256 bit key.
7216 # Authorization requires the following IAM permissions when sending a request
7217 # to perform a crypto transformation using a kms-wrapped crypto key:
7218 # dlp.kms.encrypt
7219 &quot;wrappedKey&quot;: &quot;A String&quot;, # Required. The wrapped data crypto key.
7220 &quot;cryptoKeyName&quot;: &quot;A String&quot;, # Required. The resource name of the KMS CryptoKey to use for unwrapping.
7221 },
7222 &quot;unwrapped&quot;: { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key
7223 # leaking the key. Choose another type of key if possible.
7224 &quot;key&quot;: &quot;A String&quot;, # Required. A 128/192/256 bit key.
7225 },
7226 &quot;transient&quot;: { # Use this to have a random data crypto key generated. # Transient crypto key
7227 # It will be discarded after the request finishes.
7228 &quot;name&quot;: &quot;A String&quot;, # Required. Name of the key.
7229 # This is an arbitrary string used to differentiate different keys.
7230 # A unique key is generated per name: two separate `TransientCryptoKey`
7231 # protos share the same generated key if their names are the same.
7232 # When the data crypto key is generated, this name is not used in any way
7233 # (repeating the api call will result in a different key being generated).
7234 },
7235 },
7236 },
7237 &quot;cryptoReplaceFfxFpeConfig&quot;: { # Replaces an identifier with a surrogate using Format Preserving Encryption # Ffx-Fpe
7238 # (FPE) with the FFX mode of operation; however when used in the
7239 # `ReidentifyContent` API method, it serves the opposite function by reversing
7240 # the surrogate back into the original identifier. The identifier must be
7241 # encoded as ASCII. For a given crypto key and context, the same identifier
7242 # will be replaced with the same surrogate. Identifiers must be at least two
7243 # characters long. In the case that the identifier is the empty string, it will
7244 # be skipped. See https://cloud.google.com/dlp/docs/pseudonymization to learn
7245 # more.
7246 #
7247 # Note: We recommend using CryptoDeterministicConfig for all use cases which
7248 # do not require preserving the input alphabet space and size, plus warrant
7249 # referential integrity.
7250 &quot;customAlphabet&quot;: &quot;A String&quot;, # A custom alphabet is supported by mapping its characters to the alphanumeric characters
7251 # that the FFX mode natively supports. This happens before/after
7252 # encryption/decryption.
7253 # Each character listed must appear only once.
7254 # Number of characters must be in the range [2, 95].
7255 # This must be encoded as ASCII.
7256 # The order of characters does not matter.
7257 &quot;commonAlphabet&quot;: &quot;A String&quot;, # Common alphabets.
7258 &quot;surrogateInfoType&quot;: { # Type of information detected by the API. # The custom infoType to annotate the surrogate with.
7259 # This annotation will be applied to the surrogate by prefixing it with
7260 # the name of the custom infoType followed by the number of
7261 # characters comprising the surrogate. The following scheme defines the
7262 # format: info_type_name(surrogate_character_count):surrogate
7263 #
7264 # For example, if the name of custom infoType is &#x27;MY_TOKEN_INFO_TYPE&#x27; and
7265 # the surrogate is &#x27;abc&#x27;, the full replacement value
7266 # will be: &#x27;MY_TOKEN_INFO_TYPE(3):abc&#x27;
7267 #
7268 # This annotation identifies the surrogate when inspecting content using the
7269 # custom infoType
7270 # [`SurrogateType`](/dlp/docs/reference/rest/v2/InspectConfig#surrogatetype).
7271 # This facilitates reversal of the surrogate when it occurs in free text.
7272 #
7273 # In order for inspection to work properly, the name of this infoType must
7274 # not occur naturally anywhere in your data; otherwise, inspection may
7275 # find a surrogate that does not correspond to an actual identifier.
7276 # Therefore, choose your custom infoType name carefully after considering
7277 # what your data looks like. One way to select a name that has a high chance
7278 # of yielding reliable detection is to include one or more unicode characters
7279 # that are highly improbable to exist in your data.
7280 # For example, assuming your data is entered from a regular ASCII keyboard,
7281 # the symbol with the hex code point 29DD might be used like so:
7282 # ⧝MY_TOKEN_TYPE
7283 &quot;name&quot;: &quot;A String&quot;, # Name of the information type. Either a name of your choosing when
7284 # creating a CustomInfoType, or one of the names listed
7285 # at https://cloud.google.com/dlp/docs/infotypes-reference when specifying
7286 # a built-in type. InfoType names should conform to the pattern
7287 # `[a-zA-Z0-9_]{1,64}`.
7288 },
7289 &quot;context&quot;: { # General identifier of a data field in a storage service. # The &#x27;tweak&#x27;. A context may be used for higher security, since the same
7290 # identifier in two different contexts won&#x27;t be given the same surrogate. If
7291 # the context is not set, a default tweak will be used.
7292 #
7293 # If the context is set but:
7294 #
7295 # 1. there is no record present when transforming a given value or
7296 # 2. the field is not present when transforming a given value,
7297 #
7298 # a default tweak will be used.
7299 #
7300 # Note that case (1) is expected when an `InfoTypeTransformation` is
7301 # applied to both structured and non-structured `ContentItem`s.
7302 # Currently, the referenced field may be of value type integer or string.
7303 #
7304 # The tweak is constructed as a sequence of bytes in big endian byte order
7305 # such that:
7306 #
7307 # - a 64 bit integer is encoded followed by a single byte of value 1
7308 # - a string is encoded in UTF-8 format followed by a single byte of value 2
7309 &quot;name&quot;: &quot;A String&quot;, # Name describing the field.
7310 },
7311 &quot;radix&quot;: 42, # The native way to select the alphabet. Must be in the range [2, 95].
7312 &quot;cryptoKey&quot;: { # Required. The key used by the encryption algorithm. This is a data encryption key (DEK) (as opposed to
7313 # a key encryption key (KEK) stored by KMS).
7314 # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
7315 # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
7316 # unwrap the data crypto key.
7317 &quot;kmsWrapped&quot;: { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key
7318 # The wrapped key must be a 128/192/256 bit key.
7319 # Authorization requires the following IAM permissions when sending a request
7320 # to perform a crypto transformation using a kms-wrapped crypto key:
7321 # dlp.kms.encrypt
7322 &quot;wrappedKey&quot;: &quot;A String&quot;, # Required. The wrapped data crypto key.
7323 &quot;cryptoKeyName&quot;: &quot;A String&quot;, # Required. The resource name of the KMS CryptoKey to use for unwrapping.
7324 },
7325 &quot;unwrapped&quot;: { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key
7326 # leaking the key. Choose another type of key if possible.
7327 &quot;key&quot;: &quot;A String&quot;, # Required. A 128/192/256 bit key.
7328 },
7329 &quot;transient&quot;: { # Use this to have a random data crypto key generated. # Transient crypto key
7330 # It will be discarded after the request finishes.
7331 &quot;name&quot;: &quot;A String&quot;, # Required. Name of the key.
7332 # This is an arbitrary string used to differentiate different keys.
7333 # A unique key is generated per name: two separate `TransientCryptoKey`
7334 # protos share the same generated key if their names are the same.
7335 # When the data crypto key is generated, this name is not used in any way
7336 # (repeating the api call will result in a different key being generated).
7337 },
7338 },
7339 },
7340 &quot;cryptoDeterministicConfig&quot;: { # Pseudonymization method that generates deterministic encryption for the given # Deterministic Crypto
7341 # input. Outputs a base64 encoded representation of the encrypted output.
7342 # Uses AES-SIV based on the RFC https://tools.ietf.org/html/rfc5297.
7343 &quot;surrogateInfoType&quot;: { # Type of information detected by the API. # The custom info type to annotate the surrogate with.
7344 # This annotation will be applied to the surrogate by prefixing it with
7345 # the name of the custom info type followed by the number of
7346 # characters comprising the surrogate. The following scheme defines the
7347 # format: {info type name}({surrogate character count}):{surrogate}
7348 #
7349 # For example, if the name of custom info type is &#x27;MY_TOKEN_INFO_TYPE&#x27; and
7350 # the surrogate is &#x27;abc&#x27;, the full replacement value
7351 # will be: &#x27;MY_TOKEN_INFO_TYPE(3):abc&#x27;
7352 #
7353 # This annotation identifies the surrogate when inspecting content using the
7354 # custom info type &#x27;Surrogate&#x27;. This facilitates reversal of the
7355 # surrogate when it occurs in free text.
7356 #
7357 # Note: For record transformations where the entire cell in a table is being
7358 # transformed, surrogates are not mandatory. Surrogates are used to denote
7359 # the location of the token and are necessary for re-identification in free
7360 # form text.
7361 #
7362 # In order for inspection to work properly, the name of this info type must
7363 # not occur naturally anywhere in your data; otherwise, inspection may either
7364 #
7365 # - reverse a surrogate that does not correspond to an actual identifier
7366 # - be unable to parse the surrogate and result in an error
7367 #
7368 # Therefore, choose your custom info type name carefully after considering
7369 # what your data looks like. One way to select a name that has a high chance
7370 # of yielding reliable detection is to include one or more unicode characters
7371 # that are highly improbable to exist in your data.
7372 # For example, assuming your data is entered from a regular ASCII keyboard,
7373 # the symbol with the hex code point 29DD might be used like so:
7374 # ⧝MY_TOKEN_TYPE.
7375 &quot;name&quot;: &quot;A String&quot;, # Name of the information type. Either a name of your choosing when
7376 # creating a CustomInfoType, or one of the names listed
7377 # at https://cloud.google.com/dlp/docs/infotypes-reference when specifying
7378 # a built-in type. InfoType names should conform to the pattern
7379 # `[a-zA-Z0-9_]{1,64}`.
7380 },
7381 &quot;context&quot;: { # General identifier of a data field in a storage service. # A context may be used for higher security and maintaining
7382 # referential integrity such that the same identifier in two different
7383 # contexts will be given a distinct surrogate. The context is appended to
7384 # the plaintext value being encrypted. On decryption the provided context is
7385 # validated against the value used during encryption. If a context was
7386 # provided during encryption, the same context must be provided during decryption
7387 # as well.
7388 #
7389 # If the context is not set, plaintext would be used as is for encryption.
7390 # If the context is set but:
7391 #
7392 # 1. there is no record present when transforming a given value or
7393 # 2. the field is not present when transforming a given value,
7394 #
7395 # plaintext would be used as is for encryption.
7396 #
7397 # Note that case (1) is expected when an `InfoTypeTransformation` is
7398 # applied to both structured and non-structured `ContentItem`s.
7399 &quot;name&quot;: &quot;A String&quot;, # Name describing the field.
7400 },
7401 &quot;cryptoKey&quot;: { # The key used by the encryption function. This is a data encryption key (DEK) (as opposed to
7402 # a key encryption key (KEK) stored by KMS).
7403 # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
7404 # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
7405 # unwrap the data crypto key.
7406 &quot;kmsWrapped&quot;: { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key
7407 # The wrapped key must be a 128/192/256 bit key.
7408 # Authorization requires the following IAM permissions when sending a request
7409 # to perform a crypto transformation using a kms-wrapped crypto key:
7410 # dlp.kms.encrypt
7411 &quot;wrappedKey&quot;: &quot;A String&quot;, # Required. The wrapped data crypto key.
7412 &quot;cryptoKeyName&quot;: &quot;A String&quot;, # Required. The resource name of the KMS CryptoKey to use for unwrapping.
7413 },
7414 &quot;unwrapped&quot;: { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key
7415 # leaking the key. Choose another type of key if possible.
7416 &quot;key&quot;: &quot;A String&quot;, # Required. A 128/192/256 bit key.
7417 },
7418 &quot;transient&quot;: { # Use this to have a random data crypto key generated. # Transient crypto key
7419 # It will be discarded after the request finishes.
7420 &quot;name&quot;: &quot;A String&quot;, # Required. Name of the key.
7421 # This is an arbitrary string used to differentiate different keys.
7422 # A unique key is generated per name: two separate `TransientCryptoKey`
7423 # protos share the same generated key if their names are the same.
7424 # When the data crypto key is generated, this name is not used in any way
7425 # (repeating the api call will result in a different key being generated).
7426 },
7427 },
7428 },
7429 &quot;redactConfig&quot;: { # Redact a given value. For example, if used with an `InfoTypeTransformation` # Redact
7430 # transforming PHONE_NUMBER, and input &#x27;My phone number is 206-555-0123&#x27;, the
7431 # output would be &#x27;My phone number is &#x27;.
7432 },
7433 &quot;bucketingConfig&quot;: { # Generalization function that buckets values based on ranges. The ranges and # Bucketing
7434 # replacement values are dynamically provided by the user for custom behavior,
7435 # such as 1-30 -&gt; LOW, 31-65 -&gt; MEDIUM, 66-100 -&gt; HIGH.
7436 # This can be used on
7437 # data of type: number, long, string, timestamp.
7438 # If the bound `Value` type differs from the type of data being transformed, we
7439 # will first attempt converting the type of the data to be transformed to match
7440 # the type of the bound before comparing.
7441 # See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more.
7442 &quot;buckets&quot;: [ # Set of buckets. Ranges must be non-overlapping.
7443 { # Bucket is represented as a range, along with replacement values.
7444 &quot;min&quot;: { # Set of primitive values supported by the system. # Lower bound of the range, inclusive. Type should be the same as max if
7445 # used.
7446 # Note that for the purposes of inspection or transformation, the number
7447 # of bytes considered to comprise a &#x27;Value&#x27; is based on its representation
7448 # as a UTF-8 encoded string. For example, if &#x27;integer_value&#x27; is set to
7449 # 123456789, the number of bytes would be counted as 9, even though an
7450 # int64 only holds up to 8 bytes of data.
7451 &quot;booleanValue&quot;: True or False, # boolean
7452 &quot;floatValue&quot;: 3.14, # float
7453 &quot;dayOfWeekValue&quot;: &quot;A String&quot;, # day of week
7454 &quot;timestampValue&quot;: &quot;A String&quot;, # timestamp
7455 &quot;dateValue&quot;: { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date
7456 # and time zone are either specified elsewhere or are not significant. The date
7457 # is relative to the Proleptic Gregorian Calendar. This can represent:
7458 #
7459 # * A full date, with non-zero year, month and day values
7460 # * A month and day value, with a zero year, e.g. an anniversary
7461 # * A year on its own, with zero month and day values
7462 # * A year and month value, with a zero day, e.g. a credit card expiration date
7463 #
7464 # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
7465 &quot;year&quot;: 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
7466 # a year.
7467 &quot;month&quot;: 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
7468 # month and day.
7469 &quot;day&quot;: 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
7470 # if specifying a year by itself or a year and month where the day is not
7471 # significant.
7472 },
7473 &quot;stringValue&quot;: &quot;A String&quot;, # string
7474 &quot;integerValue&quot;: &quot;A String&quot;, # integer
7475 &quot;timeValue&quot;: { # Represents a time of day. The date and time zone are either not significant # time of day
7476 # or are specified elsewhere. An API may choose to allow leap seconds. Related
7477 # types are google.type.Date and `google.protobuf.Timestamp`.
7478 &quot;seconds&quot;: 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
7479 # allow the value 60 if it allows leap-seconds.
7480 &quot;nanos&quot;: 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
7481 &quot;hours&quot;: 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
7482 # to allow the value &quot;24:00:00&quot; for scenarios like business closing time.
7483 &quot;minutes&quot;: 42, # Minutes of hour of day. Must be from 0 to 59.
7484 },
7485 },
7486 &quot;max&quot;: { # Set of primitive values supported by the system. # Upper bound of the range, exclusive; type must match min.
7487 # Note that for the purposes of inspection or transformation, the number
7488 # of bytes considered to comprise a &#x27;Value&#x27; is based on its representation
7489 # as a UTF-8 encoded string. For example, if &#x27;integer_value&#x27; is set to
7490 # 123456789, the number of bytes would be counted as 9, even though an
7491 # int64 only holds up to 8 bytes of data.
7492 &quot;booleanValue&quot;: True or False, # boolean
7493 &quot;floatValue&quot;: 3.14, # float
7494 &quot;dayOfWeekValue&quot;: &quot;A String&quot;, # day of week
7495 &quot;timestampValue&quot;: &quot;A String&quot;, # timestamp
7496 &quot;dateValue&quot;: { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date
7497 # and time zone are either specified elsewhere or are not significant. The date
7498 # is relative to the Proleptic Gregorian Calendar. This can represent:
7499 #
7500 # * A full date, with non-zero year, month and day values
7501 # * A month and day value, with a zero year, e.g. an anniversary
7502 # * A year on its own, with zero month and day values
7503 # * A year and month value, with a zero day, e.g. a credit card expiration date
7504 #
7505 # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
7506 &quot;year&quot;: 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
7507 # a year.
7508 &quot;month&quot;: 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
7509 # month and day.
7510 &quot;day&quot;: 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
7511 # if specifying a year by itself or a year and month where the day is not
7512 # significant.
7513 },
7514 &quot;stringValue&quot;: &quot;A String&quot;, # string
7515 &quot;integerValue&quot;: &quot;A String&quot;, # integer
7516 &quot;timeValue&quot;: { # Represents a time of day. The date and time zone are either not significant # time of day
7517 # or are specified elsewhere. An API may choose to allow leap seconds. Related
7518 # types are google.type.Date and `google.protobuf.Timestamp`.
7519 &quot;seconds&quot;: 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
7520 # allow the value 60 if it allows leap-seconds.
7521 &quot;nanos&quot;: 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
7522 &quot;hours&quot;: 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
7523 # to allow the value &quot;24:00:00&quot; for scenarios like business closing time.
7524 &quot;minutes&quot;: 42, # Minutes of hour of day. Must be from 0 to 59.
7525 },
7526 },
7527 &quot;replacementValue&quot;: { # Set of primitive values supported by the system. # Replacement value for this bucket. If not provided
7528 # the default behavior will be to hyphenate the min-max range.
7529 # Note that for the purposes of inspection or transformation, the number
7530 # of bytes considered to comprise a &#x27;Value&#x27; is based on its representation
7531 # as a UTF-8 encoded string. For example, if &#x27;integer_value&#x27; is set to
7532 # 123456789, the number of bytes would be counted as 9, even though an
7533 # int64 only holds up to 8 bytes of data.
7534 &quot;booleanValue&quot;: True or False, # boolean
7535 &quot;floatValue&quot;: 3.14, # float
7536 &quot;dayOfWeekValue&quot;: &quot;A String&quot;, # day of week
7537 &quot;timestampValue&quot;: &quot;A String&quot;, # timestamp
7538 &quot;dateValue&quot;: { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date
7539 # and time zone are either specified elsewhere or are not significant. The date
7540 # is relative to the Proleptic Gregorian Calendar. This can represent:
7541 #
7542 # * A full date, with non-zero year, month and day values
7543 # * A month and day value, with a zero year, e.g. an anniversary
7544 # * A year on its own, with zero month and day values
7545 # * A year and month value, with a zero day, e.g. a credit card expiration date
7546 #
7547 # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
7548 &quot;year&quot;: 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
7549 # a year.
7550 &quot;month&quot;: 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
7551 # month and day.
7552 &quot;day&quot;: 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
7553 # if specifying a year by itself or a year and month where the day is not
7554 # significant.
7555 },
7556 &quot;stringValue&quot;: &quot;A String&quot;, # string
7557 &quot;integerValue&quot;: &quot;A String&quot;, # integer
7558 &quot;timeValue&quot;: { # Represents a time of day. The date and time zone are either not significant # time of day
7559 # or are specified elsewhere. An API may choose to allow leap seconds. Related
7560 # types are google.type.Date and `google.protobuf.Timestamp`.
7561 &quot;seconds&quot;: 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
7562 # allow the value 60 if it allows leap-seconds.
7563 &quot;nanos&quot;: 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
7564 &quot;hours&quot;: 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
7565 # to allow the value &quot;24:00:00&quot; for scenarios like business closing time.
7566 &quot;minutes&quot;: 42, # Minutes of hour of day. Must be from 0 to 59.
7567 },
7568 },
7569 },
7570 ],
7571 },
7572 &quot;replaceConfig&quot;: { # Replace each input value with a given `Value`. # Replace
7573 &quot;newValue&quot;: { # Set of primitive values supported by the system. # Value to replace it with.
7574 # Note that for the purposes of inspection or transformation, the number
7575 # of bytes considered to comprise a &#x27;Value&#x27; is based on its representation
7576 # as a UTF-8 encoded string. For example, if &#x27;integer_value&#x27; is set to
7577 # 123456789, the number of bytes would be counted as 9, even though an
7578 # int64 only holds up to 8 bytes of data.
7579 &quot;booleanValue&quot;: True or False, # boolean
7580 &quot;floatValue&quot;: 3.14, # float
7581 &quot;dayOfWeekValue&quot;: &quot;A String&quot;, # day of week
7582 &quot;timestampValue&quot;: &quot;A String&quot;, # timestamp
7583 &quot;dateValue&quot;: { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date
7584 # and time zone are either specified elsewhere or are not significant. The date
7585 # is relative to the Proleptic Gregorian Calendar. This can represent:
7586 #
7587 # * A full date, with non-zero year, month and day values
7588 # * A month and day value, with a zero year, e.g. an anniversary
7589 # * A year on its own, with zero month and day values
7590 # * A year and month value, with a zero day, e.g. a credit card expiration date
7591 #
7592 # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
7593 &quot;year&quot;: 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
7594 # a year.
7595 &quot;month&quot;: 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
7596 # month and day.
7597 &quot;day&quot;: 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
7598 # if specifying a year by itself or a year and month where the day is not
7599 # significant.
7600 },
7601 &quot;stringValue&quot;: &quot;A String&quot;, # string
7602 &quot;integerValue&quot;: &quot;A String&quot;, # integer
7603 &quot;timeValue&quot;: { # Represents a time of day. The date and time zone are either not significant # time of day
7604 # or are specified elsewhere. An API may choose to allow leap seconds. Related
7605 # types are google.type.Date and `google.protobuf.Timestamp`.
7606 &quot;seconds&quot;: 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
7607 # allow the value 60 if it allows leap-seconds.
7608 &quot;nanos&quot;: 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
7609 &quot;hours&quot;: 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
7610 # to allow the value &quot;24:00:00&quot; for scenarios like business closing time.
7611 &quot;minutes&quot;: 42, # Minutes of hour of day. Must be from 0 to 59.
7612 },
7613 },
7614 },
7615 &quot;characterMaskConfig&quot;: { # Partially mask a string by replacing a given number of characters with a # Mask
7616 # fixed character. Masking can start from the beginning or end of the string.
7617 # This can be used on data of any type (numbers, longs, and so on) and when
7618 # de-identifying structured data we&#x27;ll attempt to preserve the original data&#x27;s
7619 # type. (This allows you to take a long like 123 and modify it to a string like
7620 # **3.)
7621 &quot;reverseOrder&quot;: True or False, # Mask characters in reverse order. For example, if `masking_character` is
7622 # `0`, `number_to_mask` is `14`, and `reverse_order` is `false`, then the
7623 # input string `1234-5678-9012-3456` is masked as `00000000000000-3456`.
7624 # If `masking_character` is `*`, `number_to_mask` is `3`, and `reverse_order`
7625 # is `true`, then the string `12345` is masked as `12***`.
7626 &quot;charactersToIgnore&quot;: [ # When masking a string, items in this list will be skipped when replacing
7627 # characters. For example, if the input string is `555-555-5555` and you
7628 # instruct Cloud DLP to skip `-` and mask 5 characters with `*`, Cloud DLP
7629 # returns `***-**5-5555`.
7630 { # Characters to skip when doing deidentification of a value. These will be left
7631 # alone and skipped.
7632 &quot;charactersToSkip&quot;: &quot;A String&quot;, # Characters to not transform when masking.
7633 &quot;commonCharactersToIgnore&quot;: &quot;A String&quot;, # Common characters to not transform when masking. Useful to avoid removing
7634 # punctuation.
7635 },
7636 ],
7637 &quot;numberToMask&quot;: 42, # Number of characters to mask. If not set, all matching chars will be
7638 # masked. Skipped characters do not count towards this tally.
7639 &quot;maskingCharacter&quot;: &quot;A String&quot;, # Character to use to mask the sensitive values&mdash;for example, `*` for an
7640 # alphabetic string such as a name, or `0` for a numeric string such as ZIP
7641 # code or credit card number. This string must have a length of 1. If not
7642 # supplied, this value defaults to `*` for strings, and `0` for digits.
7643 },
7644 &quot;fixedSizeBucketingConfig&quot;: { # Buckets values based on fixed size ranges. The # Fixed size bucketing
7645 # Bucketing transformation can provide all of this functionality,
7646 # but requires more configuration. This message is provided as a convenience to
7647 # the user for simple bucketing strategies.
7648 #
7649 # The transformed value will be a hyphenated string of
7650 # {lower_bound}-{upper_bound}, for example, if lower_bound = 10 and upper_bound = 20
7651 # all values that are within this bucket will be replaced with &quot;10-20&quot;.
7652 #
7653 # This can be used on data of type: double, long.
7654 #
7655 # If the bound Value type differs from the type of data
7656 # being transformed, we will first attempt converting the type of the data to
7657 # be transformed to match the type of the bound before comparing.
7658 #
7659 # See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more.
7660 &quot;lowerBound&quot;: { # Set of primitive values supported by the system. # Required. Lower bound value of buckets. All values less than `lower_bound` are
7661 # grouped together into a single bucket; for example if `lower_bound` = 10,
7662 # then all values less than 10 are replaced with the value &quot;-10&quot;.
7663 # Note that for the purposes of inspection or transformation, the number
7664 # of bytes considered to comprise a &#x27;Value&#x27; is based on its representation
7665 # as a UTF-8 encoded string. For example, if &#x27;integer_value&#x27; is set to
7666 # 123456789, the number of bytes would be counted as 9, even though an
7667 # int64 only holds up to 8 bytes of data.
7668 &quot;booleanValue&quot;: True or False, # boolean
7669 &quot;floatValue&quot;: 3.14, # float
7670 &quot;dayOfWeekValue&quot;: &quot;A String&quot;, # day of week
7671 &quot;timestampValue&quot;: &quot;A String&quot;, # timestamp
7672 &quot;dateValue&quot;: { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date
7673 # and time zone are either specified elsewhere or are not significant. The date
7674 # is relative to the Proleptic Gregorian Calendar. This can represent:
7675 #
7676 # * A full date, with non-zero year, month and day values
7677 # * A month and day value, with a zero year, e.g. an anniversary
7678 # * A year on its own, with zero month and day values
7679 # * A year and month value, with a zero day, e.g. a credit card expiration date
7680 #
7681 # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
7682 &quot;year&quot;: 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
7683 # a year.
7684 &quot;month&quot;: 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
7685 # month and day.
7686 &quot;day&quot;: 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
7687 # if specifying a year by itself or a year and month where the day is not
7688 # significant.
7689 },
7690 &quot;stringValue&quot;: &quot;A String&quot;, # string
7691 &quot;integerValue&quot;: &quot;A String&quot;, # integer
7692 &quot;timeValue&quot;: { # Represents a time of day. The date and time zone are either not significant # time of day
7693 # or are specified elsewhere. An API may choose to allow leap seconds. Related
7694 # types are google.type.Date and `google.protobuf.Timestamp`.
7695 &quot;seconds&quot;: 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
7696 # allow the value 60 if it allows leap-seconds.
7697 &quot;nanos&quot;: 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
7698 &quot;hours&quot;: 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
7699 # to allow the value &quot;24:00:00&quot; for scenarios like business closing time.
7700 &quot;minutes&quot;: 42, # Minutes of hour of day. Must be from 0 to 59.
7701 },
7702 },
7703 &quot;upperBound&quot;: { # Set of primitive values supported by the system. # Required. Upper bound value of buckets. All values greater than upper_bound are
7704 # grouped together into a single bucket; for example if `upper_bound` = 89,
7705 # then all values greater than 89 are replaced with the value &quot;89+&quot;.
7706 # Note that for the purposes of inspection or transformation, the number
7707 # of bytes considered to comprise a &#x27;Value&#x27; is based on its representation
7708 # as a UTF-8 encoded string. For example, if &#x27;integer_value&#x27; is set to
7709 # 123456789, the number of bytes would be counted as 9, even though an
7710 # int64 only holds up to 8 bytes of data.
7711 &quot;booleanValue&quot;: True or False, # boolean
7712 &quot;floatValue&quot;: 3.14, # float
7713 &quot;dayOfWeekValue&quot;: &quot;A String&quot;, # day of week
7714 &quot;timestampValue&quot;: &quot;A String&quot;, # timestamp
7715 &quot;dateValue&quot;: { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date
7716 # and time zone are either specified elsewhere or are not significant. The date
7717 # is relative to the Proleptic Gregorian Calendar. This can represent:
7718 #
7719 # * A full date, with non-zero year, month and day values
7720 # * A month and day value, with a zero year, e.g. an anniversary
7721 # * A year on its own, with zero month and day values
7722 # * A year and month value, with a zero day, e.g. a credit card expiration date
7723 #
7724 # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
7725 &quot;year&quot;: 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
7726 # a year.
7727 &quot;month&quot;: 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
7728 # month and day.
7729 &quot;day&quot;: 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
7730 # if specifying a year by itself or a year and month where the day is not
7731 # significant.
7732 },
7733 &quot;stringValue&quot;: &quot;A String&quot;, # string
7734 &quot;integerValue&quot;: &quot;A String&quot;, # integer
7735 &quot;timeValue&quot;: { # Represents a time of day. The date and time zone are either not significant # time of day
7736 # or are specified elsewhere. An API may choose to allow leap seconds. Related
7737 # types are google.type.Date and `google.protobuf.Timestamp`.
7738 &quot;seconds&quot;: 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
7739 # allow the value 60 if it allows leap-seconds.
7740 &quot;nanos&quot;: 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
7741 &quot;hours&quot;: 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
7742 # to allow the value &quot;24:00:00&quot; for scenarios like business closing time.
7743 &quot;minutes&quot;: 42, # Minutes of hour of day. Must be from 0 to 59.
7744 },
7745 },
7746 &quot;bucketSize&quot;: 3.14, # Required. Size of each bucket (except for minimum and maximum buckets). So if
7747 # `lower_bound` = 10, `upper_bound` = 89, and `bucket_size` = 10, then the
7748 # following buckets would be used: -10, 10-20, 20-30, 30-40, 40-50, 50-60,
7749 # 60-70, 70-80, 80-89, 89+. Precision up to 2 decimals works.
7750 },
7751 },
7752 &quot;condition&quot;: { # A condition for determining whether a transformation should be applied to # Only apply the transformation if the condition evaluates to true for the
7753 # given `RecordCondition`. The conditions are allowed to reference fields
7754 # that are not used in the actual transformation.
7755 #
7756 # Example Use Cases:
7757 #
7758 # - Apply a different bucket transformation to an age column if the zip code
7759 # column for the same record is within a specific range.
7760 # - Redact a field if the date of birth field is greater than 85.
7761 # a field.
7762 &quot;expressions&quot;: { # An expression, consisting of an operator and conditions. # An expression.
7763 &quot;logicalOperator&quot;: &quot;A String&quot;, # The operator to apply to the result of conditions. Default and currently
7764 # only supported value is `AND`.
7765 &quot;conditions&quot;: { # A collection of conditions. # Conditions to apply to the expression.
7766 &quot;conditions&quot;: [ # A collection of conditions.
7767 { # The field type of `value` and `field` do not need to match to be
7768 # considered equal, but not all comparisons are possible.
7769 # EQUAL_TO and NOT_EQUAL_TO attempt to compare even with incompatible types,
7770 # but all other comparisons are invalid with incompatible types.
7771 # A `value` of type:
7772 #
7773 # - `string` can be compared against all other types
7774 # - `boolean` can only be compared against other booleans
7775 # - `integer` can be compared against doubles or a string if the string value
7776 # can be parsed as an integer.
7777 # - `double` can be compared against integers or a string if the string can
7778 # be parsed as a double.
7779 # - `Timestamp` can be compared against strings in RFC 3339 date string
7780 # format.
7781 # - `TimeOfDay` can be compared against timestamps and strings in the format
7782 # of &#x27;HH:mm:ss&#x27;.
7783 #
7784 # If we fail to compare due to a type mismatch, a warning will be given and
7785 # the condition will evaluate to false.
7786 &quot;field&quot;: { # General identifier of a data field in a storage service. # Required. Field within the record this condition is evaluated against.
7787 &quot;name&quot;: &quot;A String&quot;, # Name describing the field.
7788 },
7789 &quot;operator&quot;: &quot;A String&quot;, # Required. Operator used to compare the field or infoType to the value.
7790 &quot;value&quot;: { # Set of primitive values supported by the system. # Value to compare against. [Mandatory, except for `EXISTS` tests.]
7791 # Note that for the purposes of inspection or transformation, the number
7792 # of bytes considered to comprise a &#x27;Value&#x27; is based on its representation
7793 # as a UTF-8 encoded string. For example, if &#x27;integer_value&#x27; is set to
7794 # 123456789, the number of bytes would be counted as 9, even though an
7795 # int64 only holds up to 8 bytes of data.
7796 &quot;booleanValue&quot;: True or False, # boolean
7797 &quot;floatValue&quot;: 3.14, # float
7798 &quot;dayOfWeekValue&quot;: &quot;A String&quot;, # day of week
7799 &quot;timestampValue&quot;: &quot;A String&quot;, # timestamp
7800 &quot;dateValue&quot;: { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date
7801 # and time zone are either specified elsewhere or are not significant. The date
7802 # is relative to the Proleptic Gregorian Calendar. This can represent:
7803 #
7804 # * A full date, with non-zero year, month and day values
7805 # * A month and day value, with a zero year, e.g. an anniversary
7806 # * A year on its own, with zero month and day values
7807 # * A year and month value, with a zero day, e.g. a credit card expiration date
7808 #
7809 # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
7810 &quot;year&quot;: 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
7811 # a year.
7812 &quot;month&quot;: 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
7813 # month and day.
7814 &quot;day&quot;: 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
7815 # if specifying a year by itself or a year and month where the day is not
7816 # significant.
7817 },
7818 &quot;stringValue&quot;: &quot;A String&quot;, # string
7819 &quot;integerValue&quot;: &quot;A String&quot;, # integer
7820 &quot;timeValue&quot;: { # Represents a time of day. The date and time zone are either not significant # time of day
7821 # or are specified elsewhere. An API may choose to allow leap seconds. Related
7822 # types are google.type.Date and `google.protobuf.Timestamp`.
7823 &quot;seconds&quot;: 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
7824 # allow the value 60 if it allows leap-seconds.
7825 &quot;nanos&quot;: 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
7826 &quot;hours&quot;: 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
7827 # to allow the value &quot;24:00:00&quot; for scenarios like business closing time.
7828 &quot;minutes&quot;: 42, # Minutes of hour of day. Must be from 0 to 59.
7829 },
7830 },
7831 },
7832 ],
7833 },
7834 },
7835 },
7836 },
7837 ],
7838 },
7839 &quot;infoTypeTransformations&quot;: { # A type of transformation that will scan unstructured text and # Treat the dataset as free-form text and apply the same free text
7840 # transformation everywhere.
7841 # apply various `PrimitiveTransformation`s to each finding, where the
7842 # transformation is applied to only values that were identified as a specific
7843 # info_type.
7844 &quot;transformations&quot;: [ # Required. Transformation for each infoType. Cannot specify more than one
7845 # for a given infoType.
7846 { # A transformation to apply to text that is identified as a specific
7847 # info_type.
7848 &quot;infoTypes&quot;: [ # InfoTypes to apply the transformation to. An empty list will cause
7849 # this transformation to apply to all findings that correspond to
7850 # infoTypes that were requested in `InspectConfig`.
7851 { # Type of information detected by the API.
7852 &quot;name&quot;: &quot;A String&quot;, # Name of the information type. Either a name of your choosing when
7853 # creating a CustomInfoType, or one of the names listed
7854 # at https://cloud.google.com/dlp/docs/infotypes-reference when specifying
7855 # a built-in type. InfoType names should conform to the pattern
7856 # `[a-zA-Z0-9_]{1,64}`.
7857 },
7858 ],
7859 &quot;primitiveTransformation&quot;: { # A rule for transforming a value. # Required. Primitive transformation to apply to the infoType.
7860 &quot;timePartConfig&quot;: { # For use with `Date`, `Timestamp`, and `TimeOfDay`, extract or preserve a # Time extraction
7861 # portion of the value.
7862 &quot;partToExtract&quot;: &quot;A String&quot;, # The part of the time to keep.
7863 },
7864 &quot;dateShiftConfig&quot;: { # Shifts dates by random number of days, with option to be consistent for the # Date Shift
7865 # same context. See https://cloud.google.com/dlp/docs/concepts-date-shifting
7866 # to learn more.
7867 &quot;context&quot;: { # General identifier of a data field in a storage service. # Points to the field that contains the context, for example, an entity id.
7868 # If set, must also set cryptoKey. If set, shift will be consistent for the
7869 # given context.
7870 &quot;name&quot;: &quot;A String&quot;, # Name describing the field.
7871 },
7872 &quot;upperBoundDays&quot;: 42, # Required. Range of shift in days. Actual shift will be selected at random within this
7873 # range (inclusive ends). Negative means shift to earlier in time. Must not
7874 # be more than 365250 days (1000 years) each direction.
7875 #
7876 # For example, 3 means shift date to at most 3 days into the future.
7877 &quot;lowerBoundDays&quot;: 42, # Required. For example, -5 means shift date to at most 5 days back in the past.
7878 &quot;cryptoKey&quot;: { # This is a data encryption key (DEK) (as opposed to # Causes the shift to be computed based on this key and the context. This
7879 # results in the same shift for the same context and crypto_key. If
7880 # set, must also set context. Can only be applied to table items.
7881 # a key encryption key (KEK) stored by KMS).
7882 # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
7883 # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
7884 # unwrap the data crypto key.
7885 &quot;kmsWrapped&quot;: { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key
7886 # The wrapped key must be a 128/192/256 bit key.
7887 # Authorization requires the following IAM permissions when sending a request
7888 # to perform a crypto transformation using a kms-wrapped crypto key:
7889 # dlp.kms.encrypt
7890 &quot;wrappedKey&quot;: &quot;A String&quot;, # Required. The wrapped data crypto key.
7891 &quot;cryptoKeyName&quot;: &quot;A String&quot;, # Required. The resource name of the KMS CryptoKey to use for unwrapping.
7892 },
7893 &quot;unwrapped&quot;: { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key
7894 # leaking the key. Choose another type of key if possible.
7895 &quot;key&quot;: &quot;A String&quot;, # Required. A 128/192/256 bit key.
7896 },
7897 &quot;transient&quot;: { # Use this to have a random data crypto key generated. # Transient crypto key
7898 # It will be discarded after the request finishes.
7899 &quot;name&quot;: &quot;A String&quot;, # Required. Name of the key.
7900 # This is an arbitrary string used to differentiate different keys.
7901 # A unique key is generated per name: two separate `TransientCryptoKey`
7902 # protos share the same generated key if their names are the same.
7903 # When the data crypto key is generated, this name is not used in any way
7904 # (repeating the api call will result in a different key being generated).
7905 },
7906 },
7907 },
7908 &quot;replaceWithInfoTypeConfig&quot;: { # Replace each matching finding with the name of the info_type. # Replace with infotype
7909 },
7910 &quot;cryptoHashConfig&quot;: { # Pseudonymization method that generates surrogates via cryptographic hashing. # Crypto
7911 # Uses SHA-256.
7912 # The key size must be either 32 or 64 bytes.
7913 # Outputs a base64 encoded representation of the hashed output
7914 # (for example, L7k0BHmF1ha5U3NfGykjro4xWi1MPVQPjhMAZbSV9mM=).
7915 # Currently, only string and integer values can be hashed.
7916 # See https://cloud.google.com/dlp/docs/pseudonymization to learn more.
7917 &quot;cryptoKey&quot;: { # This is a data encryption key (DEK) (as opposed to # The key used by the hash function.
7918 # a key encryption key (KEK) stored by KMS).
7919 # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
7920 # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
7921 # unwrap the data crypto key.
7922 &quot;kmsWrapped&quot;: { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key
7923 # The wrapped key must be a 128/192/256 bit key.
7924 # Authorization requires the following IAM permissions when sending a request
7925 # to perform a crypto transformation using a kms-wrapped crypto key:
7926 # dlp.kms.encrypt
7927 &quot;wrappedKey&quot;: &quot;A String&quot;, # Required. The wrapped data crypto key.
7928 &quot;cryptoKeyName&quot;: &quot;A String&quot;, # Required. The resource name of the KMS CryptoKey to use for unwrapping.
7929 },
7930 &quot;unwrapped&quot;: { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key
7931 # leaking the key. Choose another type of key if possible.
7932 &quot;key&quot;: &quot;A String&quot;, # Required. A 128/192/256 bit key.
7933 },
7934 &quot;transient&quot;: { # Use this to have a random data crypto key generated. # Transient crypto key
7935 # It will be discarded after the request finishes.
7936 &quot;name&quot;: &quot;A String&quot;, # Required. Name of the key.
7937 # This is an arbitrary string used to differentiate different keys.
7938 # A unique key is generated per name: two separate `TransientCryptoKey`
7939 # protos share the same generated key if their names are the same.
7940 # When the data crypto key is generated, this name is not used in any way
7941 # (repeating the api call will result in a different key being generated).
7942 },
7943 },
7944 },
7945 &quot;cryptoReplaceFfxFpeConfig&quot;: { # Replaces an identifier with a surrogate using Format Preserving Encryption # Ffx-Fpe
7946 # (FPE) with the FFX mode of operation; however when used in the
7947 # `ReidentifyContent` API method, it serves the opposite function by reversing
7948 # the surrogate back into the original identifier. The identifier must be
7949 # encoded as ASCII. For a given crypto key and context, the same identifier
7950 # will be replaced with the same surrogate. Identifiers must be at least two
7951 # characters long. In the case that the identifier is the empty string, it will
7952 # be skipped. See https://cloud.google.com/dlp/docs/pseudonymization to learn
7953 # more.
7954 #
7955 # Note: We recommend using CryptoDeterministicConfig for all use cases that
7956 # do not require preserving the input alphabet space and size, and that warrant
7957 # referential integrity.
7958 &quot;customAlphabet&quot;: &quot;A String&quot;, # A custom alphabet is supported by mapping its characters to the alphanumeric
7959 # characters that the FFX mode natively supports. This mapping happens before/after
7960 # encryption/decryption.
7961 # Each character listed must appear only once.
7962 # Number of characters must be in the range [2, 95].
7963 # This must be encoded as ASCII.
7964 # The order of characters does not matter.
7965 &quot;commonAlphabet&quot;: &quot;A String&quot;, # Common alphabets.
7966 &quot;surrogateInfoType&quot;: { # Type of information detected by the API. # The custom infoType to annotate the surrogate with.
7967 # This annotation will be applied to the surrogate by prefixing it with
7968 # the name of the custom infoType followed by the number of
7969 # characters comprising the surrogate. The following scheme defines the
7970 # format: info_type_name(surrogate_character_count):surrogate
7971 #
7972 # For example, if the name of custom infoType is &#x27;MY_TOKEN_INFO_TYPE&#x27; and
7973 # the surrogate is &#x27;abc&#x27;, the full replacement value
7974 # will be: &#x27;MY_TOKEN_INFO_TYPE(3):abc&#x27;
7975 #
7976 # This annotation identifies the surrogate when inspecting content using the
7977 # custom infoType
7978 # [`SurrogateType`](/dlp/docs/reference/rest/v2/InspectConfig#surrogatetype).
7979 # This facilitates reversal of the surrogate when it occurs in free text.
7980 #
7981 # In order for inspection to work properly, the name of this infoType must
7982 # not occur naturally anywhere in your data; otherwise, inspection may
7983 # find a surrogate that does not correspond to an actual identifier.
7984 # Therefore, choose your custom infoType name carefully after considering
7985 # what your data looks like. One way to select a name that has a high chance
7986 # of yielding reliable detection is to include one or more unicode characters
7987 # that are highly improbable to exist in your data.
7988 # For example, assuming your data is entered from a regular ASCII keyboard,
7989 # the symbol with the hex code point 29DD might be used like so:
7990 # ⧝MY_TOKEN_TYPE
7991 &quot;name&quot;: &quot;A String&quot;, # Name of the information type. Either a name of your choosing when
7992 # creating a CustomInfoType, or one of the names listed
7993 # at https://cloud.google.com/dlp/docs/infotypes-reference when specifying
7994 # a built-in type. InfoType names should conform to the pattern
7995 # `[a-zA-Z0-9_]{1,64}`.
7996 },
7997 &quot;context&quot;: { # General identifier of a data field in a storage service. # The &#x27;tweak&#x27;: a context may be used for higher security, since the same
7998 # identifier in two different contexts won&#x27;t be given the same surrogate. If
7999 # the context is not set, a default tweak will be used.
8000 #
8001 # If the context is set but:
8002 #
8003 # 1. there is no record present when transforming a given value or
8004 # 2. the field is not present when transforming a given value,
8005 #
8006 # a default tweak will be used.
8007 #
8008 # Note that case (1) is expected when an `InfoTypeTransformation` is
8009 # applied to both structured and non-structured `ContentItem`s.
8010 # Currently, the referenced field may be of value type integer or string.
8011 #
8012 # The tweak is constructed as a sequence of bytes in big endian byte order
8013 # such that:
8014 #
8015 # - a 64 bit integer is encoded followed by a single byte of value 1
8016 # - a string is encoded in UTF-8 format followed by a single byte of value 2
8017 &quot;name&quot;: &quot;A String&quot;, # Name describing the field.
8018 },
8019 &quot;radix&quot;: 42, # The native way to select the alphabet. Must be in the range [2, 95].
8020 &quot;cryptoKey&quot;: { # This is a data encryption key (DEK) (as opposed to # Required. The key used by the encryption algorithm.
8021 # a key encryption key (KEK) stored by KMS).
8022 # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
8023 # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
8024 # unwrap the data crypto key.
8025 &quot;kmsWrapped&quot;: { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key
8026 # The wrapped key must be a 128/192/256 bit key.
8027 # Authorization requires the following IAM permissions when sending a request
8028 # to perform a crypto transformation using a kms-wrapped crypto key:
8029 # dlp.kms.encrypt
8030 &quot;wrappedKey&quot;: &quot;A String&quot;, # Required. The wrapped data crypto key.
8031 &quot;cryptoKeyName&quot;: &quot;A String&quot;, # Required. The resource name of the KMS CryptoKey to use for unwrapping.
8032 },
8033 &quot;unwrapped&quot;: { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key
8034 # leaking the key. Choose another type of key if possible.
8035 &quot;key&quot;: &quot;A String&quot;, # Required. A 128/192/256 bit key.
8036 },
8037 &quot;transient&quot;: { # Use this to have a random data crypto key generated. # Transient crypto key
8038 # It will be discarded after the request finishes, so surrogates produced
8038 # with it cannot be reversed by a later request.
8039 &quot;name&quot;: &quot;A String&quot;, # Required. Name of the key.
8040 # This is an arbitrary string used to differentiate different keys.
8041 # A unique key is generated per name: two separate `TransientCryptoKey`
8042 # protos share the same generated key if their names are the same.
8043 # When the data crypto key is generated, this name is not used in any way
8044 # (repeating the api call will result in a different key being generated).
8045 },
8046 },
8047 },
8048 &quot;cryptoDeterministicConfig&quot;: { # Pseudonymization method that generates deterministic encryption for the given # Deterministic Crypto
8049 # input. Outputs a base64 encoded representation of the encrypted output.
8050 # Uses AES-SIV based on the RFC https://tools.ietf.org/html/rfc5297.
8051 &quot;surrogateInfoType&quot;: { # Type of information detected by the API. # The custom info type to annotate the surrogate with.
8052 # This annotation will be applied to the surrogate by prefixing it with
8053 # the name of the custom info type followed by the number of
8054 # characters comprising the surrogate. The following scheme defines the
8055 # format: {info type name}({surrogate character count}):{surrogate}
8056 #
8057 # For example, if the name of custom info type is &#x27;MY_TOKEN_INFO_TYPE&#x27; and
8058 # the surrogate is &#x27;abc&#x27;, the full replacement value
8059 # will be: &#x27;MY_TOKEN_INFO_TYPE(3):abc&#x27;
8060 #
8061 # This annotation identifies the surrogate when inspecting content using the
8062 # custom info type &#x27;Surrogate&#x27;. This facilitates reversal of the
8063 # surrogate when it occurs in free text.
8064 #
8065 # Note: For record transformations where the entire cell in a table is being
8066 # transformed, surrogates are not mandatory. Surrogates are used to denote
8067 # the location of the token and are necessary for re-identification in free
8068 # form text.
8069 #
8070 # In order for inspection to work properly, the name of this info type must
8071 # not occur naturally anywhere in your data; otherwise, inspection may either
8072 #
8073 # - reverse a surrogate that does not correspond to an actual identifier
8074 # - be unable to parse the surrogate and result in an error
8075 #
8076 # Therefore, choose your custom info type name carefully after considering
8077 # what your data looks like. One way to select a name that has a high chance
8078 # of yielding reliable detection is to include one or more unicode characters
8079 # that are highly improbable to exist in your data.
8080 # For example, assuming your data is entered from a regular ASCII keyboard,
8081 # the symbol with the hex code point 29DD might be used like so:
8082 # ⧝MY_TOKEN_TYPE.
8083 &quot;name&quot;: &quot;A String&quot;, # Name of the information type. Either a name of your choosing when
8084 # creating a CustomInfoType, or one of the names listed
8085 # at https://cloud.google.com/dlp/docs/infotypes-reference when specifying
8086 # a built-in type. InfoType names should conform to the pattern
8087 # `[a-zA-Z0-9_]{1,64}`.
8088 },
8089 &quot;context&quot;: { # General identifier of a data field in a storage service. # A context may be used for higher security and maintaining
8090 # referential integrity such that the same identifier in two different
8091 # contexts will be given a distinct surrogate. The context is appended to
8092 # the plaintext value being encrypted. On decryption, the provided context is
8093 # validated against the value used during encryption. If a context was
8094 # provided during encryption, the same context must be provided during
8095 # decryption as well.
8096 #
8097 # If the context is not set, plaintext would be used as is for encryption.
8098 # If the context is set but:
8099 #
8100 # 1. there is no record present when transforming a given value or
8101 # 2. the field is not present when transforming a given value,
8102 #
8103 # plaintext would be used as is for encryption.
8104 #
8105 # Note that case (1) is expected when an `InfoTypeTransformation` is
8106 # applied to both structured and non-structured `ContentItem`s.
8107 &quot;name&quot;: &quot;A String&quot;, # Name describing the field.
8108 },
8109 &quot;cryptoKey&quot;: { # This is a data encryption key (DEK) (as opposed to # The key used by the encryption function.
8110 # a key encryption key (KEK) stored by KMS).
8111 # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
8112 # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
8113 # unwrap the data crypto key.
8114 &quot;kmsWrapped&quot;: { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key
8115 # The wrapped key must be a 128/192/256 bit key.
8116 # Authorization requires the following IAM permissions when sending a request
8117 # to perform a crypto transformation using a kms-wrapped crypto key:
8118 # dlp.kms.encrypt
8119 &quot;wrappedKey&quot;: &quot;A String&quot;, # Required. The wrapped data crypto key.
8120 &quot;cryptoKeyName&quot;: &quot;A String&quot;, # Required. The resource name of the KMS CryptoKey to use for unwrapping.
8121 },
8122 &quot;unwrapped&quot;: { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key
8123 # leaking the key. Choose another type of key if possible.
8124 &quot;key&quot;: &quot;A String&quot;, # Required. A 128/192/256 bit key.
8125 },
8126 &quot;transient&quot;: { # Use this to have a random data crypto key generated. # Transient crypto key
8127 # It will be discarded after the request finishes, so surrogates produced
8127 # with it cannot be reversed by a later request.
8128 &quot;name&quot;: &quot;A String&quot;, # Required. Name of the key.
8129 # This is an arbitrary string used to differentiate different keys.
8130 # A unique key is generated per name: two separate `TransientCryptoKey`
8131 # protos share the same generated key if their names are the same.
8132 # When the data crypto key is generated, this name is not used in any way
8133 # (repeating the api call will result in a different key being generated).
8134 },
8135 },
8136 },
8137 &quot;redactConfig&quot;: { # Redact a given value. For example, if used with an `InfoTypeTransformation` # Redact
8138 # transforming PHONE_NUMBER, and input &#x27;My phone number is 206-555-0123&#x27;, the
8139 # output would be &#x27;My phone number is &#x27;.
8140 },
8141 &quot;bucketingConfig&quot;: { # Generalization function that buckets values based on ranges. The ranges and # Bucketing
8142 # replacement values are dynamically provided by the user for custom behavior,
8143 # such as 1-30 -&gt; LOW, 31-65 -&gt; MEDIUM, 66-100 -&gt; HIGH.
8144 # This can be used on
8145 # data of type: number, long, string, timestamp.
8146 # If the bound `Value` type differs from the type of data being transformed, we
8147 # will first attempt converting the type of the data to be transformed to match
8148 # the type of the bound before comparing.
8149 # See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more.
8150 &quot;buckets&quot;: [ # Set of buckets. Ranges must be non-overlapping.
8151 { # Bucket is represented as a range, along with replacement values.
8152 &quot;min&quot;: { # Set of primitive values supported by the system. # Lower bound of the range, inclusive. Type should be the same as max if
8153 # used.
8154 # Note that for the purposes of inspection or transformation, the number
8155 # of bytes considered to comprise a &#x27;Value&#x27; is based on its representation
8156 # as a UTF-8 encoded string. For example, if &#x27;integer_value&#x27; is set to
8157 # 123456789, the number of bytes would be counted as 9, even though an
8158 # int64 only holds up to 8 bytes of data.
8159 &quot;booleanValue&quot;: True or False, # boolean
8160 &quot;floatValue&quot;: 3.14, # float
8161 &quot;dayOfWeekValue&quot;: &quot;A String&quot;, # day of week
8162 &quot;timestampValue&quot;: &quot;A String&quot;, # timestamp
8163 &quot;dateValue&quot;: { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date
8164 # and time zone are either specified elsewhere or are not significant. The date
8165 # is relative to the Proleptic Gregorian Calendar. This can represent:
8166 #
8167 # * A full date, with non-zero year, month and day values
8168 # * A month and day value, with a zero year, e.g. an anniversary
8169 # * A year on its own, with zero month and day values
8170 # * A year and month value, with a zero day, e.g. a credit card expiration date
8171 #
8172 # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
8173 &quot;year&quot;: 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
8174 # a year.
8175 &quot;month&quot;: 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
8176 # month and day.
8177 &quot;day&quot;: 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
8178 # if specifying a year by itself or a year and month where the day is not
8179 # significant.
8180 },
8181 &quot;stringValue&quot;: &quot;A String&quot;, # string
8182 &quot;integerValue&quot;: &quot;A String&quot;, # integer
8183 &quot;timeValue&quot;: { # Represents a time of day. The date and time zone are either not significant # time of day
8184 # or are specified elsewhere. An API may choose to allow leap seconds. Related
8185 # types are google.type.Date and `google.protobuf.Timestamp`.
8186 &quot;seconds&quot;: 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
8187 # allow the value 60 if it allows leap-seconds.
8188 &quot;nanos&quot;: 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
8189 &quot;hours&quot;: 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
8190 # to allow the value &quot;24:00:00&quot; for scenarios like business closing time.
8191 &quot;minutes&quot;: 42, # Minutes of hour of day. Must be from 0 to 59.
8192 },
8193 },
8194 &quot;max&quot;: { # Set of primitive values supported by the system. # Upper bound of the range, exclusive; type must match min.
8195 # Note that for the purposes of inspection or transformation, the number
8196 # of bytes considered to comprise a &#x27;Value&#x27; is based on its representation
8197 # as a UTF-8 encoded string. For example, if &#x27;integer_value&#x27; is set to
8198 # 123456789, the number of bytes would be counted as 9, even though an
8199 # int64 only holds up to 8 bytes of data.
8200 &quot;booleanValue&quot;: True or False, # boolean
8201 &quot;floatValue&quot;: 3.14, # float
8202 &quot;dayOfWeekValue&quot;: &quot;A String&quot;, # day of week
8203 &quot;timestampValue&quot;: &quot;A String&quot;, # timestamp
8204 &quot;dateValue&quot;: { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date
8205 # and time zone are either specified elsewhere or are not significant. The date
8206 # is relative to the Proleptic Gregorian Calendar. This can represent:
8207 #
8208 # * A full date, with non-zero year, month and day values
8209 # * A month and day value, with a zero year, e.g. an anniversary
8210 # * A year on its own, with zero month and day values
8211 # * A year and month value, with a zero day, e.g. a credit card expiration date
8212 #
8213 # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
8214 &quot;year&quot;: 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
8215 # a year.
8216 &quot;month&quot;: 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
8217 # month and day.
8218 &quot;day&quot;: 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
8219 # if specifying a year by itself or a year and month where the day is not
8220 # significant.
8221 },
8222 &quot;stringValue&quot;: &quot;A String&quot;, # string
8223 &quot;integerValue&quot;: &quot;A String&quot;, # integer
8224 &quot;timeValue&quot;: { # Represents a time of day. The date and time zone are either not significant # time of day
8225 # or are specified elsewhere. An API may choose to allow leap seconds. Related
8226 # types are google.type.Date and `google.protobuf.Timestamp`.
8227 &quot;seconds&quot;: 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
8228 # allow the value 60 if it allows leap-seconds.
8229 &quot;nanos&quot;: 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
8230 &quot;hours&quot;: 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
8231 # to allow the value &quot;24:00:00&quot; for scenarios like business closing time.
8232 &quot;minutes&quot;: 42, # Minutes of hour of day. Must be from 0 to 59.
8233 },
8234 },
8235 &quot;replacementValue&quot;: { # Set of primitive values supported by the system. # Replacement value for this bucket. If not provided
8236 # the default behavior will be to hyphenate the min-max range.
8237 # Note that for the purposes of inspection or transformation, the number
8238 # of bytes considered to comprise a &#x27;Value&#x27; is based on its representation
8239 # as a UTF-8 encoded string. For example, if &#x27;integer_value&#x27; is set to
8240 # 123456789, the number of bytes would be counted as 9, even though an
8241 # int64 only holds up to 8 bytes of data.
8242 &quot;booleanValue&quot;: True or False, # boolean
8243 &quot;floatValue&quot;: 3.14, # float
8244 &quot;dayOfWeekValue&quot;: &quot;A String&quot;, # day of week
8245 &quot;timestampValue&quot;: &quot;A String&quot;, # timestamp
8246 &quot;dateValue&quot;: { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date
8247 # and time zone are either specified elsewhere or are not significant. The date
8248 # is relative to the Proleptic Gregorian Calendar. This can represent:
8249 #
8250 # * A full date, with non-zero year, month and day values
8251 # * A month and day value, with a zero year, e.g. an anniversary
8252 # * A year on its own, with zero month and day values
8253 # * A year and month value, with a zero day, e.g. a credit card expiration date
8254 #
8255 # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
8256 &quot;year&quot;: 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
8257 # a year.
8258 &quot;month&quot;: 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
8259 # month and day.
8260 &quot;day&quot;: 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
8261 # if specifying a year by itself or a year and month where the day is not
8262 # significant.
8263 },
8264 &quot;stringValue&quot;: &quot;A String&quot;, # string
8265 &quot;integerValue&quot;: &quot;A String&quot;, # integer
8266 &quot;timeValue&quot;: { # Represents a time of day. The date and time zone are either not significant # time of day
8267 # or are specified elsewhere. An API may choose to allow leap seconds. Related
8268 # types are google.type.Date and `google.protobuf.Timestamp`.
8269 &quot;seconds&quot;: 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
8270 # allow the value 60 if it allows leap-seconds.
8271 &quot;nanos&quot;: 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
8272 &quot;hours&quot;: 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
8273 # to allow the value &quot;24:00:00&quot; for scenarios like business closing time.
8274 &quot;minutes&quot;: 42, # Minutes of hour of day. Must be from 0 to 59.
8275 },
8276 },
8277 },
8278 ],
8279 },
8280 &quot;replaceConfig&quot;: { # Replace each input value with a given `Value`. # Replace
8281 &quot;newValue&quot;: { # Set of primitive values supported by the system. # Value to replace it with.
8282 # Note that for the purposes of inspection or transformation, the number
8283 # of bytes considered to comprise a &#x27;Value&#x27; is based on its representation
8284 # as a UTF-8 encoded string. For example, if &#x27;integer_value&#x27; is set to
8285 # 123456789, the number of bytes would be counted as 9, even though an
8286 # int64 only holds up to 8 bytes of data.
8287 &quot;booleanValue&quot;: True or False, # boolean
8288 &quot;floatValue&quot;: 3.14, # float
8289 &quot;dayOfWeekValue&quot;: &quot;A String&quot;, # day of week
8290 &quot;timestampValue&quot;: &quot;A String&quot;, # timestamp
8291 &quot;dateValue&quot;: { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date
8292 # and time zone are either specified elsewhere or are not significant. The date
8293 # is relative to the Proleptic Gregorian Calendar. This can represent:
8294 #
8295 # * A full date, with non-zero year, month and day values
8296 # * A month and day value, with a zero year, e.g. an anniversary
8297 # * A year on its own, with zero month and day values
8298 # * A year and month value, with a zero day, e.g. a credit card expiration date
8299 #
8300 # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
8301 &quot;year&quot;: 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
8302 # a year.
8303 &quot;month&quot;: 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
8304 # month and day.
8305 &quot;day&quot;: 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
8306 # if specifying a year by itself or a year and month where the day is not
8307 # significant.
8308 },
8309 &quot;stringValue&quot;: &quot;A String&quot;, # string
8310 &quot;integerValue&quot;: &quot;A String&quot;, # integer
8311 &quot;timeValue&quot;: { # Represents a time of day. The date and time zone are either not significant # time of day
8312 # or are specified elsewhere. An API may choose to allow leap seconds. Related
8313 # types are google.type.Date and `google.protobuf.Timestamp`.
8314 &quot;seconds&quot;: 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
8315 # allow the value 60 if it allows leap-seconds.
8316 &quot;nanos&quot;: 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
8317 &quot;hours&quot;: 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
8318 # to allow the value &quot;24:00:00&quot; for scenarios like business closing time.
8319 &quot;minutes&quot;: 42, # Minutes of hour of day. Must be from 0 to 59.
8320 },
8321 },
8322 },
8323 &quot;characterMaskConfig&quot;: { # Partially mask a string by replacing a given number of characters with a # Mask
8324 # fixed character. Masking can start from the beginning or end of the string.
8325 # This can be used on data of any type (numbers, longs, and so on) and when
8326 # de-identifying structured data we&#x27;ll attempt to preserve the original data&#x27;s
8327 # type. (This allows you to take a long like 123 and modify it to a string like
8328 # **3.)
8329 &quot;reverseOrder&quot;: True or False, # Mask characters in reverse order. For example, if `masking_character` is
8330 # `0`, `number_to_mask` is `14`, and `reverse_order` is `false`, then the
8331 # input string `1234-5678-9012-3456` is masked as `00000000000000-3456`.
8332 # If `masking_character` is `*`, `number_to_mask` is `3`, and `reverse_order`
8333 # is `true`, then the string `12345` is masked as `12***`.
8334 &quot;charactersToIgnore&quot;: [ # When masking a string, items in this list will be skipped when replacing
8335 # characters. For example, if the input string is `555-555-5555` and you
8336 # instruct Cloud DLP to skip `-` and mask 5 characters with `*`, Cloud DLP
8337 # returns `***-**5-5555`.
8338 { # Characters to skip when doing deidentification of a value. These will be left
8339 # alone and skipped.
8340 &quot;charactersToSkip&quot;: &quot;A String&quot;, # Characters to not transform when masking.
8341 &quot;commonCharactersToIgnore&quot;: &quot;A String&quot;, # Common characters to not transform when masking. Useful to avoid removing
8342 # punctuation.
8343 },
8344 ],
8345 &quot;numberToMask&quot;: 42, # Number of characters to mask. If not set, all matching chars will be
8346 # masked. Skipped characters do not count towards this tally.
8347 &quot;maskingCharacter&quot;: &quot;A String&quot;, # Character to use to mask the sensitive values—for example, `*` for an
8348 # alphabetic string such as a name, or `0` for a numeric string such as ZIP
8349 # code or credit card number. This string must have a length of 1. If not
8350 # supplied, this value defaults to `*` for strings, and `0` for digits.
8351 },
8352 &quot;fixedSizeBucketingConfig&quot;: { # Buckets values based on fixed size ranges. The # Fixed size bucketing
8353 # Bucketing transformation can provide all of this functionality,
8354 # but requires more configuration. This message is provided as a convenience to
8355 # the user for simple bucketing strategies.
8356 #
8357 # The transformed value will be a hyphenated string of
8358 # {lower_bound}-{upper_bound}, i.e., if lower_bound = 10 and upper_bound = 20,
8359 # all values that are within this bucket will be replaced with &quot;10-20&quot;.
8360 #
8361 # This can be used on data of type: double, long.
8362 #
8363 # If the bound Value type differs from the type of data
8364 # being transformed, we will first attempt converting the type of the data to
8365 # be transformed to match the type of the bound before comparing.
8366 #
8367 # See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more.
8368 &quot;lowerBound&quot;: { # Set of primitive values supported by the system. # Required. Lower bound value of buckets. All values less than `lower_bound` are
8369 # grouped together into a single bucket; for example if `lower_bound` = 10,
8370 # then all values less than 10 are replaced with the value &quot;-10&quot;.
8371 # Note that for the purposes of inspection or transformation, the number
8372 # of bytes considered to comprise a &#x27;Value&#x27; is based on its representation
8373 # as a UTF-8 encoded string. For example, if &#x27;integer_value&#x27; is set to
8374 # 123456789, the number of bytes would be counted as 9, even though an
8375 # int64 only holds up to 8 bytes of data.
8376 &quot;booleanValue&quot;: True or False, # boolean
8377 &quot;floatValue&quot;: 3.14, # float
8378 &quot;dayOfWeekValue&quot;: &quot;A String&quot;, # day of week
8379 &quot;timestampValue&quot;: &quot;A String&quot;, # timestamp
8380 &quot;dateValue&quot;: { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date
8381 # and time zone are either specified elsewhere or are not significant. The date
8382 # is relative to the Proleptic Gregorian Calendar. This can represent:
8383 #
8384 # * A full date, with non-zero year, month and day values
8385 # * A month and day value, with a zero year, e.g. an anniversary
8386 # * A year on its own, with zero month and day values
8387 # * A year and month value, with a zero day, e.g. a credit card expiration date
8388 #
8389 # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
8390 &quot;year&quot;: 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
8391 # a year.
8392 &quot;month&quot;: 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
8393 # month and day.
8394 &quot;day&quot;: 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
8395 # if specifying a year by itself or a year and month where the day is not
8396 # significant.
8397 },
8398 &quot;stringValue&quot;: &quot;A String&quot;, # string
8399 &quot;integerValue&quot;: &quot;A String&quot;, # integer
8400 &quot;timeValue&quot;: { # Represents a time of day. The date and time zone are either not significant # time of day
8401 # or are specified elsewhere. An API may choose to allow leap seconds. Related
8402 # types are google.type.Date and `google.protobuf.Timestamp`.
8403 &quot;seconds&quot;: 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
8404 # allow the value 60 if it allows leap-seconds.
8405 &quot;nanos&quot;: 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
8406 &quot;hours&quot;: 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
8407 # to allow the value &quot;24:00:00&quot; for scenarios like business closing time.
8408 &quot;minutes&quot;: 42, # Minutes of hour of day. Must be from 0 to 59.
8409 },
8410 },
8411 &quot;upperBound&quot;: { # Set of primitive values supported by the system. # Required. Upper bound value of buckets. All values greater than upper_bound are
8412 # grouped together into a single bucket; for example if `upper_bound` = 89,
8413 # then all values greater than 89 are replaced with the value &quot;89+&quot;.
8414 # Note that for the purposes of inspection or transformation, the number
8415 # of bytes considered to comprise a &#x27;Value&#x27; is based on its representation
8416 # as a UTF-8 encoded string. For example, if &#x27;integer_value&#x27; is set to
8417 # 123456789, the number of bytes would be counted as 9, even though an
8418 # int64 only holds up to 8 bytes of data.
8419 &quot;booleanValue&quot;: True or False, # boolean
8420 &quot;floatValue&quot;: 3.14, # float
8421 &quot;dayOfWeekValue&quot;: &quot;A String&quot;, # day of week
8422 &quot;timestampValue&quot;: &quot;A String&quot;, # timestamp
8423 &quot;dateValue&quot;: { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date
8424 # and time zone are either specified elsewhere or are not significant. The date
8425 # is relative to the Proleptic Gregorian Calendar. This can represent:
8426 #
8427 # * A full date, with non-zero year, month and day values
8428 # * A month and day value, with a zero year, e.g. an anniversary
8429 # * A year on its own, with zero month and day values
8430 # * A year and month value, with a zero day, e.g. a credit card expiration date
8431 #
8432 # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
8433 &quot;year&quot;: 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
8434 # a year.
8435 &quot;month&quot;: 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
8436 # month and day.
8437 &quot;day&quot;: 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
8438 # if specifying a year by itself or a year and month where the day is not
8439 # significant.
8440 },
8441 &quot;stringValue&quot;: &quot;A String&quot;, # string
8442 &quot;integerValue&quot;: &quot;A String&quot;, # integer
8443 &quot;timeValue&quot;: { # Represents a time of day. The date and time zone are either not significant # time of day
8444 # or are specified elsewhere. An API may choose to allow leap seconds. Related
8445 # types are google.type.Date and `google.protobuf.Timestamp`.
8446 &quot;seconds&quot;: 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
8447 # allow the value 60 if it allows leap-seconds.
8448 &quot;nanos&quot;: 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
8449 &quot;hours&quot;: 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
8450 # to allow the value &quot;24:00:00&quot; for scenarios like business closing time.
8451 &quot;minutes&quot;: 42, # Minutes of hour of day. Must be from 0 to 59.
8452 },
8453 },
8454 &quot;bucketSize&quot;: 3.14, # Required. Size of each bucket (except for minimum and maximum buckets). So if
8455 # `lower_bound` = 10, `upper_bound` = 89, and `bucket_size` = 10, then the
8456 # following buckets would be used: -10, 10-20, 20-30, 30-40, 40-50, 50-60,
8457 # 60-70, 70-80, 80-89, 89+. Precision up to 2 decimals works.
8458 },
8459 },
8460 },
8461 ],
8462 },
8463 },
8464 },
8465 ],
8466 }</pre>
8467</div>
8468
8469<div class="method">
8470 <code class="details" id="list_next">list_next(previous_request, previous_response)</code>
8471 <pre>Retrieves the next page of results.
8472
8473Args:
8474 previous_request: The request for the previous page. (required)
8475 previous_response: The response from the request for the previous page. (required)
8476
8477Returns:
8478 A request object that you can call &#x27;execute()&#x27; on to request the next
8479 page. Returns None if there are no more items in the collection.
8480 </pre>
8481</div>
8482
8483<div class="method">
8484 <code class="details" id="patch">patch(name, body=None, x__xgafv=None)</code>
8485 <pre>Updates the DeidentifyTemplate.
8486See https://cloud.google.com/dlp/docs/creating-templates-deid to learn
8487more.
8488
8489Args:
8490 name: string, Required. Resource name of organization and deidentify template to be updated, for
8491example `organizations/433245324/deidentifyTemplates/432452342` or
8492projects/project-id/deidentifyTemplates/432452342. (required)
8493 body: object, The request body.
8494 The object takes the form of:
8495
8496{ # Request message for UpdateDeidentifyTemplate.
8497 &quot;deidentifyTemplate&quot;: { # DeidentifyTemplates contains instructions on how to de-identify content. # New DeidentifyTemplate value.
8498 # See https://cloud.google.com/dlp/docs/concepts-templates to learn more.
8499 &quot;name&quot;: &quot;A String&quot;, # Output only. The template name.
8500 #
8501 # The template will have one of the following formats:
8502 # `projects/PROJECT_ID/deidentifyTemplates/TEMPLATE_ID` OR
8503 # `organizations/ORGANIZATION_ID/deidentifyTemplates/TEMPLATE_ID`
8504 &quot;description&quot;: &quot;A String&quot;, # Short description (max 256 chars).
8505 &quot;displayName&quot;: &quot;A String&quot;, # Display name (max 256 chars).
8506 &quot;createTime&quot;: &quot;A String&quot;, # Output only. The creation timestamp of an inspectTemplate.
8507 &quot;updateTime&quot;: &quot;A String&quot;, # Output only. The last update timestamp of an inspectTemplate.
8508 &quot;deidentifyConfig&quot;: { # The configuration that controls how the data will change. # ///////////// // The core content of the template // ///////////////
8509 &quot;transformationErrorHandling&quot;: { # Mode for handling transformation errors. If left unspecified, the default
8510 # mode is `TransformationErrorHandling.ThrowError`.
8511 # How to handle transformation errors during de-identification. A transformation error occurs when the requested transformation is incompatible
8512 # with the data. For example, trying to de-identify an IP address using a
8513 # `DateShift` transformation would result in a transformation error, since date
8514 # info cannot be extracted from an IP address.
8515 # Information about any incompatible transformations, and how they were
8516 # handled, is returned in the response as part of the
8517 # `TransformationOverviews`.
8518 &quot;throwError&quot;: { # Throw an error and fail the request when a transformation error occurs. # Throw an error
8519 },
8520 &quot;leaveUntransformed&quot;: { # Skips the data without modifying it if the requested transformation would # Ignore errors
8521 # cause an error. For example, if a `DateShift` transformation were applied
8522 # to an IP address, this mode would leave the IP address unchanged in the
8523 # response.
8524 },
8525 },
8526 &quot;recordTransformations&quot;: { # A type of transformation that is applied over structured data such as a # Treat the dataset as structured. Transformations can be applied to
8527 # specific locations within structured datasets, such as transforming
8528 # a column within a table.
8529 # table.
8530 &quot;recordSuppressions&quot;: [ # Configuration defining which records get suppressed entirely. Records that
8531 # match any suppression rule are omitted from the output.
8532 { # Configuration to suppress records whose suppression conditions evaluate to
8533 # true.
8534 &quot;condition&quot;: { # A condition for determining whether a transformation should be applied to # A condition that when it evaluates to true will result in the record being
8535 # evaluated to be suppressed from the transformed content.
8536 # a field.
8537 &quot;expressions&quot;: { # An expression, consisting of an operator and conditions. # An expression.
8538 &quot;logicalOperator&quot;: &quot;A String&quot;, # The operator to apply to the result of conditions. Default and currently
8539 # only supported value is `AND`.
8540 &quot;conditions&quot;: { # A collection of conditions. # Conditions to apply to the expression.
8541 &quot;conditions&quot;: [ # A collection of conditions.
8542 { # The field type of `value` and `field` do not need to match to be
8543 # considered equal, but not all comparisons are possible.
8544 # EQUAL_TO and NOT_EQUAL_TO attempt to compare even with incompatible types,
8545 # but all other comparisons are invalid with incompatible types.
8546 # A `value` of type:
8547 #
8548 # - `string` can be compared against all other types
8549 # - `boolean` can only be compared against other booleans
8550 # - `integer` can be compared against doubles or a string if the string value
8551 # can be parsed as an integer.
8552 # - `double` can be compared against integers or a string if the string can
8553 # be parsed as a double.
8554 # - `Timestamp` can be compared against strings in RFC 3339 date string
8555 # format.
8556 # - `TimeOfDay` can be compared against timestamps and strings in the format
8557 # of &#x27;HH:mm:ss&#x27;.
8558 #
8559 # If we fail to compare due to a type mismatch, a warning will be given and
8560 # the condition will evaluate to false.
8561 &quot;field&quot;: { # General identifier of a data field in a storage service. # Required. Field within the record this condition is evaluated against.
8562 &quot;name&quot;: &quot;A String&quot;, # Name describing the field.
8563 },
8564 &quot;operator&quot;: &quot;A String&quot;, # Required. Operator used to compare the field or infoType to the value.
8565 &quot;value&quot;: { # Set of primitive values supported by the system. # Value to compare against. [Mandatory, except for `EXISTS` tests.]
8566 # Note that for the purposes of inspection or transformation, the number
8567 # of bytes considered to comprise a &#x27;Value&#x27; is based on its representation
8568 # as a UTF-8 encoded string. For example, if &#x27;integer_value&#x27; is set to
8569 # 123456789, the number of bytes would be counted as 9, even though an
8570 # int64 only holds up to 8 bytes of data.
8571 &quot;booleanValue&quot;: True or False, # boolean
8572 &quot;floatValue&quot;: 3.14, # float
8573 &quot;dayOfWeekValue&quot;: &quot;A String&quot;, # day of week
8574 &quot;timestampValue&quot;: &quot;A String&quot;, # timestamp
8575 &quot;dateValue&quot;: { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date
8576 # and time zone are either specified elsewhere or are not significant. The date
8577 # is relative to the Proleptic Gregorian Calendar. This can represent:
8578 #
8579 # * A full date, with non-zero year, month and day values
8580 # * A month and day value, with a zero year, e.g. an anniversary
8581 # * A year on its own, with zero month and day values
8582 # * A year and month value, with a zero day, e.g. a credit card expiration date
8583 #
8584 # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
8585 &quot;year&quot;: 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
8586 # a year.
8587 &quot;month&quot;: 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
8588 # month and day.
8589 &quot;day&quot;: 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
8590 # if specifying a year by itself or a year and month where the day is not
8591 # significant.
8592 },
8593 &quot;stringValue&quot;: &quot;A String&quot;, # string
8594 &quot;integerValue&quot;: &quot;A String&quot;, # integer
8595 &quot;timeValue&quot;: { # Represents a time of day. The date and time zone are either not significant # time of day
8596 # or are specified elsewhere. An API may choose to allow leap seconds. Related
8597 # types are google.type.Date and `google.protobuf.Timestamp`.
8598 &quot;seconds&quot;: 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
8599 # allow the value 60 if it allows leap-seconds.
8600 &quot;nanos&quot;: 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
8601 &quot;hours&quot;: 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
8602 # to allow the value &quot;24:00:00&quot; for scenarios like business closing time.
8603 &quot;minutes&quot;: 42, # Minutes of hour of day. Must be from 0 to 59.
8604 },
8605 },
8606 },
8607 ],
8608 },
8609 },
8610 },
8611 },
8612 ],
8613 &quot;fieldTransformations&quot;: [ # Transform the record by applying various field transformations.
8614 { # The transformation to apply to the field.
8615 &quot;fields&quot;: [ # Required. Input field(s) to apply the transformation to.
8616 { # General identifier of a data field in a storage service.
8617 &quot;name&quot;: &quot;A String&quot;, # Name describing the field.
8618 },
8619 ],
8620 &quot;infoTypeTransformations&quot;: { # A type of transformation that will scan unstructured text and # Treat the contents of the field as free text, and selectively
8621 # transform content that matches an `InfoType`.
8622 # apply various `PrimitiveTransformation`s to each finding, where the
8623 # transformation is applied to only values that were identified as a specific
8624 # info_type.
8625 &quot;transformations&quot;: [ # Required. Transformation for each infoType. Cannot specify more than one
8626 # for a given infoType.
8627 { # A transformation to apply to text that is identified as a specific
8628 # info_type.
8629 &quot;infoTypes&quot;: [ # InfoTypes to apply the transformation to. An empty list will cause
8630 # this transformation to apply to all findings that correspond to
8631 # infoTypes that were requested in `InspectConfig`.
8632 { # Type of information detected by the API.
8633 &quot;name&quot;: &quot;A String&quot;, # Name of the information type. Either a name of your choosing when
8634 # creating a CustomInfoType, or one of the names listed
8635 # at https://cloud.google.com/dlp/docs/infotypes-reference when specifying
8636 # a built-in type. InfoType names should conform to the pattern
8637 # `[a-zA-Z0-9_]{1,64}`.
8638 },
8639 ],
8640 &quot;primitiveTransformation&quot;: { # A rule for transforming a value. # Required. Primitive transformation to apply to the infoType.
8641 &quot;timePartConfig&quot;: { # For use with `Date`, `Timestamp`, and `TimeOfDay`, extract or preserve a # Time extraction
8642 # portion of the value.
8643 &quot;partToExtract&quot;: &quot;A String&quot;, # The part of the time to keep.
8644 },
8645 &quot;dateShiftConfig&quot;: { # Shifts dates by random number of days, with option to be consistent for the # Date Shift
8646 # same context. See https://cloud.google.com/dlp/docs/concepts-date-shifting
8647 # to learn more.
8648 &quot;context&quot;: { # General identifier of a data field in a storage service. # Points to the field that contains the context, for example, an entity id.
8649 # If set, must also set cryptoKey. If set, shift will be consistent for the
8650 # given context.
8651 &quot;name&quot;: &quot;A String&quot;, # Name describing the field.
8652 },
8653 &quot;upperBoundDays&quot;: 42, # Required. Range of shift in days. Actual shift will be selected at random within this
8654 # range (inclusive ends). Negative means shift to earlier in time. Must not
8655 # be more than 365250 days (1000 years) each direction.
8656 #
8657 # For example, 3 means shift date to at most 3 days into the future.
8658 &quot;lowerBoundDays&quot;: 42, # Required. For example, -5 means shift date to at most 5 days back in the past.
8659 &quot;cryptoKey&quot;: { # Causes the shift to be computed based on this key and the context. This
8660 # results in the same shift for the same context and crypto_key. If
8661 # set, must also set context. Can only be applied to table items.
8662 # This is a data encryption key (DEK) (as opposed to a key encryption key (KEK) stored by KMS).
8663 # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
8664 # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
8665 # unwrap the data crypto key.
8666 &quot;kmsWrapped&quot;: { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key
8667 # The wrapped key must be a 128/192/256 bit key.
8668 # Authorization requires the following IAM permissions when sending a request
8669 # to perform a crypto transformation using a kms-wrapped crypto key:
8670 # dlp.kms.encrypt
8671 &quot;wrappedKey&quot;: &quot;A String&quot;, # Required. The wrapped data crypto key.
8672 &quot;cryptoKeyName&quot;: &quot;A String&quot;, # Required. The resource name of the KMS CryptoKey to use for unwrapping.
8673 },
8674 &quot;unwrapped&quot;: { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key
8675 # leaking the key. Choose another type of key if possible.
8676 &quot;key&quot;: &quot;A String&quot;, # Required. A 128/192/256 bit key.
8677 },
8678 &quot;transient&quot;: { # Use this to have a random data crypto key generated. # Transient crypto key
8679 # It will be discarded after the request finishes.
8680 &quot;name&quot;: &quot;A String&quot;, # Required. Name of the key.
8681 # This is an arbitrary string used to differentiate different keys.
8682 # A unique key is generated per name: two separate `TransientCryptoKey`
8683 # protos share the same generated key if their names are the same.
8684 # When the data crypto key is generated, this name is not used in any way
8685 # (repeating the api call will result in a different key being generated).
8686 },
8687 },
8688 },
8689 &quot;replaceWithInfoTypeConfig&quot;: { # Replace each matching finding with the name of the info_type. # Replace with infotype
8690 },
8691 &quot;cryptoHashConfig&quot;: { # Pseudonymization method that generates surrogates via cryptographic hashing. # Crypto
8692 # Uses SHA-256.
8693 # The key size must be either 32 or 64 bytes.
8694 # Outputs a base64 encoded representation of the hashed output
8695 # (for example, L7k0BHmF1ha5U3NfGykjro4xWi1MPVQPjhMAZbSV9mM=).
8696 # Currently, only string and integer values can be hashed.
8697 # See https://cloud.google.com/dlp/docs/pseudonymization to learn more.
8698 &quot;cryptoKey&quot;: { # This is a data encryption key (DEK) (as opposed to # The key used by the hash function.
8699 # a key encryption key (KEK) stored by KMS).
8700 # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
8701 # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
8702 # unwrap the data crypto key.
8703 &quot;kmsWrapped&quot;: { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key
8704 # The wrapped key must be a 128/192/256 bit key.
8705 # Authorization requires the following IAM permissions when sending a request
8706 # to perform a crypto transformation using a kms-wrapped crypto key:
8707 # dlp.kms.encrypt
8708 &quot;wrappedKey&quot;: &quot;A String&quot;, # Required. The wrapped data crypto key.
8709 &quot;cryptoKeyName&quot;: &quot;A String&quot;, # Required. The resource name of the KMS CryptoKey to use for unwrapping.
8710 },
8711 &quot;unwrapped&quot;: { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key
8712 # leaking the key. Choose another type of key if possible.
8713 &quot;key&quot;: &quot;A String&quot;, # Required. A 128/192/256 bit key.
8714 },
8715 &quot;transient&quot;: { # Use this to have a random data crypto key generated. # Transient crypto key
8716 # It will be discarded after the request finishes.
8717 &quot;name&quot;: &quot;A String&quot;, # Required. Name of the key.
8718 # This is an arbitrary string used to differentiate different keys.
8719 # A unique key is generated per name: two separate `TransientCryptoKey`
8720 # protos share the same generated key if their names are the same.
8721 # When the data crypto key is generated, this name is not used in any way
8722 # (repeating the api call will result in a different key being generated).
8723 },
8724 },
8725 },
8726 &quot;cryptoReplaceFfxFpeConfig&quot;: { # Replaces an identifier with a surrogate using Format Preserving Encryption # Ffx-Fpe
8727 # (FPE) with the FFX mode of operation; however when used in the
8728 # `ReidentifyContent` API method, it serves the opposite function by reversing
8729 # the surrogate back into the original identifier. The identifier must be
8730 # encoded as ASCII. For a given crypto key and context, the same identifier
8731 # will be replaced with the same surrogate. Identifiers must be at least two
8732 # characters long. In the case that the identifier is the empty string, it will
8733 # be skipped. See https://cloud.google.com/dlp/docs/pseudonymization to learn
8734 # more.
8735 #
8736 # Note: We recommend using CryptoDeterministicConfig for all use cases which
8737 # do not require preserving the input alphabet space and size, plus warrant
8738 # referential integrity.
8739 &quot;customAlphabet&quot;: &quot;A String&quot;, # This is supported by mapping these to the alphanumeric characters
8740 # that the FFX mode natively supports. This happens before/after
8741 # encryption/decryption.
8742 # Each character listed must appear only once.
8743 # Number of characters must be in the range [2, 95].
8744 # This must be encoded as ASCII.
8745 # The order of characters does not matter.
8746 &quot;commonAlphabet&quot;: &quot;A String&quot;, # Common alphabets.
8747 &quot;surrogateInfoType&quot;: { # Type of information detected by the API. # The custom infoType to annotate the surrogate with.
8748 # This annotation will be applied to the surrogate by prefixing it with
8749 # the name of the custom infoType followed by the number of
8750 # characters comprising the surrogate. The following scheme defines the
8751 # format: info_type_name(surrogate_character_count):surrogate
8752 #
8753 # For example, if the name of custom infoType is &#x27;MY_TOKEN_INFO_TYPE&#x27; and
8754 # the surrogate is &#x27;abc&#x27;, the full replacement value
8755 # will be: &#x27;MY_TOKEN_INFO_TYPE(3):abc&#x27;
8756 #
8757 # This annotation identifies the surrogate when inspecting content using the
8758 # custom infoType
8759 # [`SurrogateType`](/dlp/docs/reference/rest/v2/InspectConfig#surrogatetype).
8760 # This facilitates reversal of the surrogate when it occurs in free text.
8761 #
8762 # In order for inspection to work properly, the name of this infoType must
8763 # not occur naturally anywhere in your data; otherwise, inspection may
8764 # find a surrogate that does not correspond to an actual identifier.
8765 # Therefore, choose your custom infoType name carefully after considering
8766 # what your data looks like. One way to select a name that has a high chance
8767 # of yielding reliable detection is to include one or more unicode characters
8768 # that are highly improbable to exist in your data.
8769 # For example, assuming your data is entered from a regular ASCII keyboard,
8770 # the symbol with the hex code point 29DD might be used like so:
8771 # ⧝MY_TOKEN_TYPE
8772 &quot;name&quot;: &quot;A String&quot;, # Name of the information type. Either a name of your choosing when
8773 # creating a CustomInfoType, or one of the names listed
8774 # at https://cloud.google.com/dlp/docs/infotypes-reference when specifying
8775 # a built-in type. InfoType names should conform to the pattern
8776 # `[a-zA-Z0-9_]{1,64}`.
8777 },
8778 &quot;context&quot;: { # General identifier of a data field in a storage service. # The &#x27;tweak&#x27;. A context may be used for higher security, since the same
8779 # identifier in two different contexts won&#x27;t be given the same surrogate. If
8780 # the context is not set, a default tweak will be used.
8781 #
8782 # If the context is set but:
8783 #
8784 # 1. there is no record present when transforming a given value or
8785 # 2. the field is not present when transforming a given value,
8786 #
8787 # a default tweak will be used.
8788 #
8789 # Note that case (1) is expected when an `InfoTypeTransformation` is
8790 # applied to both structured and non-structured `ContentItem`s.
8791 # Currently, the referenced field may be of value type integer or string.
8792 #
8793 # The tweak is constructed as a sequence of bytes in big endian byte order
8794 # such that:
8795 #
8796 # - a 64 bit integer is encoded followed by a single byte of value 1
8797 # - a string is encoded in UTF-8 format followed by a single byte of value 2
8798 &quot;name&quot;: &quot;A String&quot;, # Name describing the field.
8799 },
8800 &quot;radix&quot;: 42, # The native way to select the alphabet. Must be in the range [2, 95].
8801 &quot;cryptoKey&quot;: { # This is a data encryption key (DEK) (as opposed to # Required. The key used by the encryption algorithm.
8802 # a key encryption key (KEK) stored by KMS).
8803 # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
8804 # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
8805 # unwrap the data crypto key.
8806 &quot;kmsWrapped&quot;: { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key
8807 # The wrapped key must be a 128/192/256 bit key.
8808 # Authorization requires the following IAM permissions when sending a request
8809 # to perform a crypto transformation using a kms-wrapped crypto key:
8810 # dlp.kms.encrypt
8811 &quot;wrappedKey&quot;: &quot;A String&quot;, # Required. The wrapped data crypto key.
8812 &quot;cryptoKeyName&quot;: &quot;A String&quot;, # Required. The resource name of the KMS CryptoKey to use for unwrapping.
8813 },
8814 &quot;unwrapped&quot;: { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key
8815 # leaking the key. Choose another type of key if possible.
8816 &quot;key&quot;: &quot;A String&quot;, # Required. A 128/192/256 bit key.
8817 },
8818 &quot;transient&quot;: { # Use this to have a random data crypto key generated. # Transient crypto key
8819 # It will be discarded after the request finishes.
8820 &quot;name&quot;: &quot;A String&quot;, # Required. Name of the key.
8821 # This is an arbitrary string used to differentiate different keys.
8822 # A unique key is generated per name: two separate `TransientCryptoKey`
8823 # protos share the same generated key if their names are the same.
8824 # When the data crypto key is generated, this name is not used in any way
8825 # (repeating the api call will result in a different key being generated).
8826 },
8827 },
8828 },
8829 &quot;cryptoDeterministicConfig&quot;: { # Pseudonymization method that generates deterministic encryption for the given # Deterministic Crypto
8830 # input. Outputs a base64 encoded representation of the encrypted output.
8831 # Uses AES-SIV based on the RFC https://tools.ietf.org/html/rfc5297.
8832 &quot;surrogateInfoType&quot;: { # Type of information detected by the API. # The custom info type to annotate the surrogate with.
8833 # This annotation will be applied to the surrogate by prefixing it with
8834 # the name of the custom info type followed by the number of
8835 # characters comprising the surrogate. The following scheme defines the
8836 # format: {info type name}({surrogate character count}):{surrogate}
8837 #
8838 # For example, if the name of custom info type is &#x27;MY_TOKEN_INFO_TYPE&#x27; and
8839 # the surrogate is &#x27;abc&#x27;, the full replacement value
8840 # will be: &#x27;MY_TOKEN_INFO_TYPE(3):abc&#x27;
8841 #
8842 # This annotation identifies the surrogate when inspecting content using the
8843 # custom info type &#x27;Surrogate&#x27;. This facilitates reversal of the
8844 # surrogate when it occurs in free text.
8845 #
8846 # Note: For record transformations where the entire cell in a table is being
8847 # transformed, surrogates are not mandatory. Surrogates are used to denote
8848 # the location of the token and are necessary for re-identification in free
8849 # form text.
8850 #
8851 # In order for inspection to work properly, the name of this info type must
8852 # not occur naturally anywhere in your data; otherwise, inspection may either
8853 #
8854 # - reverse a surrogate that does not correspond to an actual identifier
8855 # - be unable to parse the surrogate and result in an error
8856 #
8857 # Therefore, choose your custom info type name carefully after considering
8858 # what your data looks like. One way to select a name that has a high chance
8859 # of yielding reliable detection is to include one or more unicode characters
8860 # that are highly improbable to exist in your data.
8861 # For example, assuming your data is entered from a regular ASCII keyboard,
8862 # the symbol with the hex code point 29DD might be used like so:
8863 # ⧝MY_TOKEN_TYPE.
8864 &quot;name&quot;: &quot;A String&quot;, # Name of the information type. Either a name of your choosing when
8865 # creating a CustomInfoType, or one of the names listed
8866 # at https://cloud.google.com/dlp/docs/infotypes-reference when specifying
8867 # a built-in type. InfoType names should conform to the pattern
8868 # `[a-zA-Z0-9_]{1,64}`.
8869 },
8870 &quot;context&quot;: { # General identifier of a data field in a storage service. # A context may be used for higher security and maintaining
8871 # referential integrity such that the same identifier in two different
8872 # contexts will be given a distinct surrogate. The context is appended to
8873 # plaintext value being encrypted. On decryption the provided context is
8874 # validated against the value used during encryption. If a context was
8875 # provided during encryption, same context must be provided during decryption
8876 # as well.
8877 #
8878 # If the context is not set, plaintext would be used as is for encryption.
8879 # If the context is set but:
8880 #
8881 # 1. there is no record present when transforming a given value or
8882 # 2. the field is not present when transforming a given value,
8883 #
8884 # plaintext would be used as is for encryption.
8885 #
8886 # Note that case (1) is expected when an `InfoTypeTransformation` is
8887 # applied to both structured and non-structured `ContentItem`s.
8888 &quot;name&quot;: &quot;A String&quot;, # Name describing the field.
8889 },
8890 &quot;cryptoKey&quot;: { # This is a data encryption key (DEK) (as opposed to # The key used by the encryption function.
8891 # a key encryption key (KEK) stored by KMS).
8892 # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
8893 # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
8894 # unwrap the data crypto key.
8895 &quot;kmsWrapped&quot;: { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key
8896 # The wrapped key must be a 128/192/256 bit key.
8897 # Authorization requires the following IAM permissions when sending a request
8898 # to perform a crypto transformation using a kms-wrapped crypto key:
8899 # dlp.kms.encrypt
8900 &quot;wrappedKey&quot;: &quot;A String&quot;, # Required. The wrapped data crypto key.
8901 &quot;cryptoKeyName&quot;: &quot;A String&quot;, # Required. The resource name of the KMS CryptoKey to use for unwrapping.
8902 },
8903 &quot;unwrapped&quot;: { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key
8904 # leaking the key. Choose another type of key if possible.
8905 &quot;key&quot;: &quot;A String&quot;, # Required. A 128/192/256 bit key.
8906 },
8907 &quot;transient&quot;: { # Use this to have a random data crypto key generated. # Transient crypto key
8908 # It will be discarded after the request finishes.
8909 &quot;name&quot;: &quot;A String&quot;, # Required. Name of the key.
8910 # This is an arbitrary string used to differentiate different keys.
8911 # A unique key is generated per name: two separate `TransientCryptoKey`
8912 # protos share the same generated key if their names are the same.
8913 # When the data crypto key is generated, this name is not used in any way
8914 # (repeating the api call will result in a different key being generated).
8915 },
8916 },
8917 },
8918 &quot;redactConfig&quot;: { # Redact a given value. For example, if used with an `InfoTypeTransformation` # Redact
8919 # transforming PHONE_NUMBER, and input &#x27;My phone number is 206-555-0123&#x27;, the
8920 # output would be &#x27;My phone number is &#x27;.
8921 },
8922 &quot;bucketingConfig&quot;: { # Generalization function that buckets values based on ranges. The ranges and # Bucketing
8923 # replacement values are dynamically provided by the user for custom behavior,
8924 # such as 1-30 -&gt; LOW 31-65 -&gt; MEDIUM 66-100 -&gt; HIGH
8925 # This can be used on
8926 # data of type: number, long, string, timestamp.
8927 # If the bound `Value` type differs from the type of data being transformed, we
8928 # will first attempt converting the type of the data to be transformed to match
8929 # the type of the bound before comparing.
8930 # See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more.
8931 &quot;buckets&quot;: [ # Set of buckets. Ranges must be non-overlapping.
8932 { # Bucket is represented as a range, along with replacement values.
8933 &quot;min&quot;: { # Set of primitive values supported by the system. # Lower bound of the range, inclusive. Type should be the same as max if
8934 # used.
8935 # Note that for the purposes of inspection or transformation, the number
8936 # of bytes considered to comprise a &#x27;Value&#x27; is based on its representation
8937 # as a UTF-8 encoded string. For example, if &#x27;integer_value&#x27; is set to
8938 # 123456789, the number of bytes would be counted as 9, even though an
8939 # int64 only holds up to 8 bytes of data.
8940 &quot;booleanValue&quot;: True or False, # boolean
8941 &quot;floatValue&quot;: 3.14, # float
8942 &quot;dayOfWeekValue&quot;: &quot;A String&quot;, # day of week
8943 &quot;timestampValue&quot;: &quot;A String&quot;, # timestamp
8944 &quot;dateValue&quot;: { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date
8945 # and time zone are either specified elsewhere or are not significant. The date
8946 # is relative to the Proleptic Gregorian Calendar. This can represent:
8947 #
8948 # * A full date, with non-zero year, month and day values
8949 # * A month and day value, with a zero year, e.g. an anniversary
8950 # * A year on its own, with zero month and day values
8951 # * A year and month value, with a zero day, e.g. a credit card expiration date
8952 #
8953 # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
8954 &quot;year&quot;: 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
8955 # a year.
8956 &quot;month&quot;: 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
8957 # month and day.
8958 &quot;day&quot;: 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
8959 # if specifying a year by itself or a year and month where the day is not
8960 # significant.
8961 },
8962 &quot;stringValue&quot;: &quot;A String&quot;, # string
8963 &quot;integerValue&quot;: &quot;A String&quot;, # integer
8964 &quot;timeValue&quot;: { # Represents a time of day. The date and time zone are either not significant # time of day
8965 # or are specified elsewhere. An API may choose to allow leap seconds. Related
8966 # types are google.type.Date and `google.protobuf.Timestamp`.
8967 &quot;seconds&quot;: 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
8968 # allow the value 60 if it allows leap-seconds.
8969 &quot;nanos&quot;: 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
8970 &quot;hours&quot;: 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
8971 # to allow the value &quot;24:00:00&quot; for scenarios like business closing time.
8972 &quot;minutes&quot;: 42, # Minutes of hour of day. Must be from 0 to 59.
8973 },
8974 },
8975 &quot;max&quot;: { # Set of primitive values supported by the system. # Upper bound of the range, exclusive; type must match min.
8976 # Note that for the purposes of inspection or transformation, the number
8977 # of bytes considered to comprise a &#x27;Value&#x27; is based on its representation
8978 # as a UTF-8 encoded string. For example, if &#x27;integer_value&#x27; is set to
8979 # 123456789, the number of bytes would be counted as 9, even though an
8980 # int64 only holds up to 8 bytes of data.
8981 &quot;booleanValue&quot;: True or False, # boolean
8982 &quot;floatValue&quot;: 3.14, # float
8983 &quot;dayOfWeekValue&quot;: &quot;A String&quot;, # day of week
8984 &quot;timestampValue&quot;: &quot;A String&quot;, # timestamp
8985 &quot;dateValue&quot;: { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date
8986 # and time zone are either specified elsewhere or are not significant. The date
8987 # is relative to the Proleptic Gregorian Calendar. This can represent:
8988 #
8989 # * A full date, with non-zero year, month and day values
8990 # * A month and day value, with a zero year, e.g. an anniversary
8991 # * A year on its own, with zero month and day values
8992 # * A year and month value, with a zero day, e.g. a credit card expiration date
8993 #
8994 # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
8995 &quot;year&quot;: 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
8996 # a year.
8997 &quot;month&quot;: 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
8998 # month and day.
8999 &quot;day&quot;: 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
9000 # if specifying a year by itself or a year and month where the day is not
9001 # significant.
9002 },
9003 &quot;stringValue&quot;: &quot;A String&quot;, # string
9004 &quot;integerValue&quot;: &quot;A String&quot;, # integer
9005 &quot;timeValue&quot;: { # Represents a time of day. The date and time zone are either not significant # time of day
9006 # or are specified elsewhere. An API may choose to allow leap seconds. Related
9007 # types are google.type.Date and `google.protobuf.Timestamp`.
9008 &quot;seconds&quot;: 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
9009 # allow the value 60 if it allows leap-seconds.
9010 &quot;nanos&quot;: 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
9011 &quot;hours&quot;: 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
9012 # to allow the value &quot;24:00:00&quot; for scenarios like business closing time.
9013 &quot;minutes&quot;: 42, # Minutes of hour of day. Must be from 0 to 59.
9014 },
9015 },
9016 &quot;replacementValue&quot;: { # Set of primitive values supported by the system. # Replacement value for this bucket. If not provided
9017 # the default behavior will be to hyphenate the min-max range.
9018 # Note that for the purposes of inspection or transformation, the number
9019 # of bytes considered to comprise a &#x27;Value&#x27; is based on its representation
9020 # as a UTF-8 encoded string. For example, if &#x27;integer_value&#x27; is set to
9021 # 123456789, the number of bytes would be counted as 9, even though an
9022 # int64 only holds up to 8 bytes of data.
9023 &quot;booleanValue&quot;: True or False, # boolean
9024 &quot;floatValue&quot;: 3.14, # float
9025 &quot;dayOfWeekValue&quot;: &quot;A String&quot;, # day of week
9026 &quot;timestampValue&quot;: &quot;A String&quot;, # timestamp
9027 &quot;dateValue&quot;: { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date
9028 # and time zone are either specified elsewhere or are not significant. The date
9029 # is relative to the Proleptic Gregorian Calendar. This can represent:
9030 #
9031 # * A full date, with non-zero year, month and day values
9032 # * A month and day value, with a zero year, e.g. an anniversary
9033 # * A year on its own, with zero month and day values
9034 # * A year and month value, with a zero day, e.g. a credit card expiration date
9035 #
9036 # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
9037 &quot;year&quot;: 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
9038 # a year.
9039 &quot;month&quot;: 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
9040 # month and day.
9041 &quot;day&quot;: 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
9042 # if specifying a year by itself or a year and month where the day is not
9043 # significant.
9044 },
9045 &quot;stringValue&quot;: &quot;A String&quot;, # string
9046 &quot;integerValue&quot;: &quot;A String&quot;, # integer
9047 &quot;timeValue&quot;: { # Represents a time of day. The date and time zone are either not significant # time of day
9048 # or are specified elsewhere. An API may choose to allow leap seconds. Related
9049 # types are google.type.Date and `google.protobuf.Timestamp`.
9050 &quot;seconds&quot;: 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
9051 # allow the value 60 if it allows leap-seconds.
9052 &quot;nanos&quot;: 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
9053 &quot;hours&quot;: 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
9054 # to allow the value &quot;24:00:00&quot; for scenarios like business closing time.
9055 &quot;minutes&quot;: 42, # Minutes of hour of day. Must be from 0 to 59.
9056 },
9057 },
9058 },
9059 ],
9060 },
9061 &quot;replaceConfig&quot;: { # Replace each input value with a given `Value`. # Replace
9062 &quot;newValue&quot;: { # Set of primitive values supported by the system. # Value to replace it with.
9063 # Note that for the purposes of inspection or transformation, the number
9064 # of bytes considered to comprise a &#x27;Value&#x27; is based on its representation
9065 # as a UTF-8 encoded string. For example, if &#x27;integer_value&#x27; is set to
9066 # 123456789, the number of bytes would be counted as 9, even though an
9067 # int64 only holds up to 8 bytes of data.
9068 &quot;booleanValue&quot;: True or False, # boolean
9069 &quot;floatValue&quot;: 3.14, # float
9070 &quot;dayOfWeekValue&quot;: &quot;A String&quot;, # day of week
9071 &quot;timestampValue&quot;: &quot;A String&quot;, # timestamp
9072 &quot;dateValue&quot;: { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date
9073 # and time zone are either specified elsewhere or are not significant. The date
9074 # is relative to the Proleptic Gregorian Calendar. This can represent:
9075 #
9076 # * A full date, with non-zero year, month and day values
9077 # * A month and day value, with a zero year, e.g. an anniversary
9078 # * A year on its own, with zero month and day values
9079 # * A year and month value, with a zero day, e.g. a credit card expiration date
9080 #
9081 # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
9082 &quot;year&quot;: 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
9083 # a year.
9084 &quot;month&quot;: 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
9085 # month and day.
9086 &quot;day&quot;: 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
9087 # if specifying a year by itself or a year and month where the day is not
9088 # significant.
9089 },
9090 &quot;stringValue&quot;: &quot;A String&quot;, # string
9091 &quot;integerValue&quot;: &quot;A String&quot;, # integer
9092 &quot;timeValue&quot;: { # Represents a time of day. The date and time zone are either not significant # time of day
9093 # or are specified elsewhere. An API may choose to allow leap seconds. Related
9094 # types are google.type.Date and `google.protobuf.Timestamp`.
9095 &quot;seconds&quot;: 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
9096 # allow the value 60 if it allows leap-seconds.
9097 &quot;nanos&quot;: 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
9098 &quot;hours&quot;: 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
9099 # to allow the value &quot;24:00:00&quot; for scenarios like business closing time.
9100 &quot;minutes&quot;: 42, # Minutes of hour of day. Must be from 0 to 59.
9101 },
9102 },
9103 },
9104 &quot;characterMaskConfig&quot;: { # Partially mask a string by replacing a given number of characters with a # Mask
9105 # fixed character. Masking can start from the beginning or end of the string.
9106 # This can be used on data of any type (numbers, longs, and so on) and when
9107 # de-identifying structured data we&#x27;ll attempt to preserve the original data&#x27;s
9108 # type. (This allows you to take a long like 123 and modify it to a string like
9109 # **3.)
9110 &quot;reverseOrder&quot;: True or False, # Mask characters in reverse order. For example, if `masking_character` is
9111 # `0`, `number_to_mask` is `14`, and `reverse_order` is `false`, then the
9112 # input string `1234-5678-9012-3456` is masked as `00000000000000-3456`.
9113 # If `masking_character` is `*`, `number_to_mask` is `3`, and `reverse_order`
9114 # is `true`, then the string `12345` is masked as `12***`.
9115 &quot;charactersToIgnore&quot;: [ # When masking a string, items in this list will be skipped when replacing
9116 # characters. For example, if the input string is `555-555-5555` and you
9117 # instruct Cloud DLP to skip `-` and mask 5 characters with `*`, Cloud DLP
9118 # returns `***-**5-5555`.
9119 { # Characters to skip when doing deidentification of a value. These will be left
9120 # alone and skipped.
9121 &quot;charactersToSkip&quot;: &quot;A String&quot;, # Characters to not transform when masking.
9122 &quot;commonCharactersToIgnore&quot;: &quot;A String&quot;, # Common characters to not transform when masking. Useful to avoid removing
9123 # punctuation.
9124 },
9125 ],
9126 &quot;numberToMask&quot;: 42, # Number of characters to mask. If not set, all matching chars will be
9127 # masked. Skipped characters do not count towards this tally.
9128 &quot;maskingCharacter&quot;: &quot;A String&quot;, # Character to use to mask the sensitive values—for example, `*` for an
9129 # alphabetic string such as a name, or `0` for a numeric string such as ZIP
9130 # code or credit card number. This string must have a length of 1. If not
9131 # supplied, this value defaults to `*` for strings, and `0` for digits.
9132 },
9133 &quot;fixedSizeBucketingConfig&quot;: { # Buckets values based on fixed size ranges. The # Fixed size bucketing
9134 # Bucketing transformation can provide all of this functionality,
9135 # but requires more configuration. This message is provided as a convenience to
9136 # the user for simple bucketing strategies.
9137 #
9138 # The transformed value will be a hyphenated string of
9139 # {lower_bound}-{upper_bound}; for example, if lower_bound = 10 and upper_bound = 20,
9140 # all values that are within this bucket will be replaced with &quot;10-20&quot;.
9141 #
9142 # This can be used on data of type: double, long.
9143 #
9144 # If the bound Value type differs from the type of data
9145 # being transformed, we will first attempt converting the type of the data to
9146 # be transformed to match the type of the bound before comparing.
9147 #
9148 # See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more.
9149 &quot;lowerBound&quot;: { # Set of primitive values supported by the system. # Required. Lower bound value of buckets. All values less than `lower_bound` are
9150 # grouped together into a single bucket; for example if `lower_bound` = 10,
9151 # then all values less than 10 are replaced with the value &quot;-10&quot;.
9152 # Note that for the purposes of inspection or transformation, the number
9153 # of bytes considered to comprise a &#x27;Value&#x27; is based on its representation
9154 # as a UTF-8 encoded string. For example, if &#x27;integer_value&#x27; is set to
9155 # 123456789, the number of bytes would be counted as 9, even though an
9156 # int64 only holds up to 8 bytes of data.
9157 &quot;booleanValue&quot;: True or False, # boolean
9158 &quot;floatValue&quot;: 3.14, # float
9159 &quot;dayOfWeekValue&quot;: &quot;A String&quot;, # day of week
9160 &quot;timestampValue&quot;: &quot;A String&quot;, # timestamp
9161 &quot;dateValue&quot;: { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date
9162 # and time zone are either specified elsewhere or are not significant. The date
9163 # is relative to the Proleptic Gregorian Calendar. This can represent:
9164 #
9165 # * A full date, with non-zero year, month and day values
9166 # * A month and day value, with a zero year, e.g. an anniversary
9167 # * A year on its own, with zero month and day values
9168 # * A year and month value, with a zero day, e.g. a credit card expiration date
9169 #
9170 # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
9171 &quot;year&quot;: 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
9172 # a year.
9173 &quot;month&quot;: 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
9174 # month and day.
9175 &quot;day&quot;: 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
9176 # if specifying a year by itself or a year and month where the day is not
9177 # significant.
9178 },
9179 &quot;stringValue&quot;: &quot;A String&quot;, # string
9180 &quot;integerValue&quot;: &quot;A String&quot;, # integer
9181 &quot;timeValue&quot;: { # Represents a time of day. The date and time zone are either not significant # time of day
9182 # or are specified elsewhere. An API may choose to allow leap seconds. Related
9183 # types are google.type.Date and `google.protobuf.Timestamp`.
9184 &quot;seconds&quot;: 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
9185 # allow the value 60 if it allows leap-seconds.
9186 &quot;nanos&quot;: 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
9187 &quot;hours&quot;: 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
9188 # to allow the value &quot;24:00:00&quot; for scenarios like business closing time.
9189 &quot;minutes&quot;: 42, # Minutes of hour of day. Must be from 0 to 59.
9190 },
9191 },
9192 &quot;upperBound&quot;: { # Set of primitive values supported by the system. # Required. Upper bound value of buckets. All values greater than upper_bound are
9193 # grouped together into a single bucket; for example if `upper_bound` = 89,
9194 # then all values greater than 89 are replaced with the value &quot;89+&quot;.
9195 # Note that for the purposes of inspection or transformation, the number
9196 # of bytes considered to comprise a &#x27;Value&#x27; is based on its representation
9197 # as a UTF-8 encoded string. For example, if &#x27;integer_value&#x27; is set to
9198 # 123456789, the number of bytes would be counted as 9, even though an
9199 # int64 only holds up to 8 bytes of data.
9200 &quot;booleanValue&quot;: True or False, # boolean
9201 &quot;floatValue&quot;: 3.14, # float
9202 &quot;dayOfWeekValue&quot;: &quot;A String&quot;, # day of week
9203 &quot;timestampValue&quot;: &quot;A String&quot;, # timestamp
9204 &quot;dateValue&quot;: { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date
9205 # and time zone are either specified elsewhere or are not significant. The date
9206 # is relative to the Proleptic Gregorian Calendar. This can represent:
9207 #
9208 # * A full date, with non-zero year, month and day values
9209 # * A month and day value, with a zero year, e.g. an anniversary
9210 # * A year on its own, with zero month and day values
9211 # * A year and month value, with a zero day, e.g. a credit card expiration date
9212 #
9213 # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
9214 &quot;year&quot;: 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
9215 # a year.
9216 &quot;month&quot;: 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
9217 # month and day.
9218 &quot;day&quot;: 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
9219 # if specifying a year by itself or a year and month where the day is not
9220 # significant.
9221 },
9222 &quot;stringValue&quot;: &quot;A String&quot;, # string
9223 &quot;integerValue&quot;: &quot;A String&quot;, # integer
9224 &quot;timeValue&quot;: { # Represents a time of day. The date and time zone are either not significant # time of day
9225 # or are specified elsewhere. An API may choose to allow leap seconds. Related
9226 # types are google.type.Date and `google.protobuf.Timestamp`.
9227 &quot;seconds&quot;: 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
9228 # allow the value 60 if it allows leap-seconds.
9229 &quot;nanos&quot;: 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
9230 &quot;hours&quot;: 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
9231 # to allow the value &quot;24:00:00&quot; for scenarios like business closing time.
9232 &quot;minutes&quot;: 42, # Minutes of hour of day. Must be from 0 to 59.
9233 },
9234 },
9235 &quot;bucketSize&quot;: 3.14, # Required. Size of each bucket (except for minimum and maximum buckets). So if
9236 # `lower_bound` = 10, `upper_bound` = 89, and `bucket_size` = 10, then the
9237 # following buckets would be used: -10, 10-20, 20-30, 30-40, 40-50, 50-60,
9238 # 60-70, 70-80, 80-89, 89+. Precision up to 2 decimals works.
9239 },
9240 },
9241 },
9242 ],
9243 },
9244 &quot;primitiveTransformation&quot;: { # A rule for transforming a value. # Apply the transformation to the entire field.
9245 &quot;timePartConfig&quot;: { # For use with `Date`, `Timestamp`, and `TimeOfDay`, extract or preserve a # Time extraction
9246 # portion of the value.
9247 &quot;partToExtract&quot;: &quot;A String&quot;, # The part of the time to keep.
9248 },
9249 &quot;dateShiftConfig&quot;: { # Shifts dates by a random number of days, with option to be consistent for the # Date Shift
9250 # same context. See https://cloud.google.com/dlp/docs/concepts-date-shifting
9251 # to learn more.
9252 &quot;context&quot;: { # General identifier of a data field in a storage service. # Points to the field that contains the context, for example, an entity id.
9253 # If set, must also set cryptoKey. If set, shift will be consistent for the
9254 # given context.
9255 &quot;name&quot;: &quot;A String&quot;, # Name describing the field.
9256 },
9257 &quot;upperBoundDays&quot;: 42, # Required. Range of shift in days. Actual shift will be selected at random within this
9258 # range (inclusive ends). Negative means shift to earlier in time. Must not
9259 # be more than 365250 days (1000 years) each direction.
9260 #
9261 # For example, 3 means shift date to at most 3 days into the future.
9262 &quot;lowerBoundDays&quot;: 42, # Required. For example, -5 means shift date to at most 5 days back in the past.
9263 &quot;cryptoKey&quot;: { # Causes the shift to be computed based on this key and the context. This
9264 # results in the same shift for the same context and crypto_key. If
9265 # set, must also set context. Can only be applied to table items.
9266 # This is a data encryption key (DEK) (as opposed to a key encryption key (KEK) stored by KMS).
9267 # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
9268 # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
9269 # unwrap the data crypto key.
9270 &quot;kmsWrapped&quot;: { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key
9271 # The wrapped key must be a 128/192/256 bit key.
9272 # Authorization requires the following IAM permissions when sending a request
9273 # to perform a crypto transformation using a kms-wrapped crypto key:
9274 # dlp.kms.encrypt
9275 &quot;wrappedKey&quot;: &quot;A String&quot;, # Required. The wrapped data crypto key.
9276 &quot;cryptoKeyName&quot;: &quot;A String&quot;, # Required. The resource name of the KMS CryptoKey to use for unwrapping.
9277 },
9278 &quot;unwrapped&quot;: { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key
9279 # leaking the key. Choose another type of key if possible.
9280 &quot;key&quot;: &quot;A String&quot;, # Required. A 128/192/256 bit key.
9281 },
9282 &quot;transient&quot;: { # Use this to have a random data crypto key generated. # Transient crypto key
9283 # It will be discarded after the request finishes.
9284 &quot;name&quot;: &quot;A String&quot;, # Required. Name of the key.
9285 # This is an arbitrary string used to differentiate different keys.
9286 # A unique key is generated per name: two separate `TransientCryptoKey`
9287 # protos share the same generated key if their names are the same.
9288 # When the data crypto key is generated, this name is not used in any way
9289 # (repeating the api call will result in a different key being generated).
9290 },
9291 },
9292 },
9293 &quot;replaceWithInfoTypeConfig&quot;: { # Replace each matching finding with the name of the info_type. # Replace with infotype
9294 },
9295 &quot;cryptoHashConfig&quot;: { # Pseudonymization method that generates surrogates via cryptographic hashing. # Crypto
9296 # Uses SHA-256.
9297 # The key size must be either 32 or 64 bytes.
9298 # Outputs a base64 encoded representation of the hashed output
9299 # (for example, L7k0BHmF1ha5U3NfGykjro4xWi1MPVQPjhMAZbSV9mM=).
9300 # Currently, only string and integer values can be hashed.
9301 # See https://cloud.google.com/dlp/docs/pseudonymization to learn more.
9302 &quot;cryptoKey&quot;: { # This is a data encryption key (DEK) (as opposed to # The key used by the hash function.
9303 # a key encryption key (KEK) stored by KMS).
9304 # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
9305 # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
9306 # unwrap the data crypto key.
9307 &quot;kmsWrapped&quot;: { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key
9308 # The wrapped key must be a 128/192/256 bit key.
9309 # Authorization requires the following IAM permissions when sending a request
9310 # to perform a crypto transformation using a kms-wrapped crypto key:
9311 # dlp.kms.encrypt
9312 &quot;wrappedKey&quot;: &quot;A String&quot;, # Required. The wrapped data crypto key.
9313 &quot;cryptoKeyName&quot;: &quot;A String&quot;, # Required. The resource name of the KMS CryptoKey to use for unwrapping.
9314 },
9315 &quot;unwrapped&quot;: { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key
9316 # leaking the key. Choose another type of key if possible.
9317 &quot;key&quot;: &quot;A String&quot;, # Required. A 128/192/256 bit key.
9318 },
9319 &quot;transient&quot;: { # Use this to have a random data crypto key generated. # Transient crypto key
9320 # It will be discarded after the request finishes.
9321 &quot;name&quot;: &quot;A String&quot;, # Required. Name of the key.
9322 # This is an arbitrary string used to differentiate different keys.
9323 # A unique key is generated per name: two separate `TransientCryptoKey`
9324 # protos share the same generated key if their names are the same.
9325 # When the data crypto key is generated, this name is not used in any way
9326 # (repeating the api call will result in a different key being generated).
9327 },
9328 },
9329 },
9330 &quot;cryptoReplaceFfxFpeConfig&quot;: { # Replaces an identifier with a surrogate using Format Preserving Encryption # Ffx-Fpe
9331 # (FPE) with the FFX mode of operation; however when used in the
9332 # `ReidentifyContent` API method, it serves the opposite function by reversing
9333 # the surrogate back into the original identifier. The identifier must be
9334 # encoded as ASCII. For a given crypto key and context, the same identifier
9335 # will be replaced with the same surrogate. Identifiers must be at least two
9336 # characters long. In the case that the identifier is the empty string, it will
9337 # be skipped. See https://cloud.google.com/dlp/docs/pseudonymization to learn
9338 # more.
9339 #
9340 # Note: We recommend using CryptoDeterministicConfig for all use cases which
9341 # do not require preserving the input alphabet space and size, plus warrant
9342 # referential integrity.
9343 &quot;customAlphabet&quot;: &quot;A String&quot;, # A custom alphabet is supported by mapping its characters to the alphanumeric
9344 # characters that the FFX mode natively supports. This mapping happens before/after
9345 # encryption/decryption.
9346 # Each character listed must appear only once.
9347 # Number of characters must be in the range [2, 95].
9348 # This must be encoded as ASCII.
9349 # The order of characters does not matter.
9350 &quot;commonAlphabet&quot;: &quot;A String&quot;, # Common alphabets.
9351 &quot;surrogateInfoType&quot;: { # Type of information detected by the API. # The custom infoType to annotate the surrogate with.
9352 # This annotation will be applied to the surrogate by prefixing it with
9353 # the name of the custom infoType followed by the number of
9354 # characters comprising the surrogate. The following scheme defines the
9355 # format: info_type_name(surrogate_character_count):surrogate
9356 #
9357 # For example, if the name of custom infoType is &#x27;MY_TOKEN_INFO_TYPE&#x27; and
9358 # the surrogate is &#x27;abc&#x27;, the full replacement value
9359 # will be: &#x27;MY_TOKEN_INFO_TYPE(3):abc&#x27;
9360 #
9361 # This annotation identifies the surrogate when inspecting content using the
9362 # custom infoType
9363 # [`SurrogateType`](/dlp/docs/reference/rest/v2/InspectConfig#surrogatetype).
9364 # This facilitates reversal of the surrogate when it occurs in free text.
9365 #
9366 # In order for inspection to work properly, the name of this infoType must
9367 # not occur naturally anywhere in your data; otherwise, inspection may
9368 # find a surrogate that does not correspond to an actual identifier.
9369 # Therefore, choose your custom infoType name carefully after considering
9370 # what your data looks like. One way to select a name that has a high chance
9371 # of yielding reliable detection is to include one or more unicode characters
9372 # that are highly improbable to exist in your data.
9373 # For example, assuming your data is entered from a regular ASCII keyboard,
9374 # the symbol with the hex code point 29DD might be used like so:
9375 # ⧝MY_TOKEN_TYPE
9376 &quot;name&quot;: &quot;A String&quot;, # Name of the information type. Either a name of your choosing when
9377 # creating a CustomInfoType, or one of the names listed
9378 # at https://cloud.google.com/dlp/docs/infotypes-reference when specifying
9379 # a built-in type. InfoType names should conform to the pattern
9380 # `[a-zA-Z0-9_]{1,64}`.
9381 },
9382 &quot;context&quot;: { # General identifier of a data field in a storage service. # The &#x27;tweak&#x27;. A context may be used for higher security, since the same
9383 # identifier in two different contexts won&#x27;t be given the same surrogate. If
9384 # the context is not set, a default tweak will be used.
9385 #
9386 # If the context is set but:
9387 #
9388 # 1. there is no record present when transforming a given value or
9389 # 2. the field is not present when transforming a given value,
9390 #
9391 # a default tweak will be used.
9392 #
9393 # Note that case (1) is expected when an `InfoTypeTransformation` is
9394 # applied to both structured and non-structured `ContentItem`s.
9395 # Currently, the referenced field may be of value type integer or string.
9396 #
9397 # The tweak is constructed as a sequence of bytes in big endian byte order
9398 # such that:
9399 #
9400 # - a 64 bit integer is encoded followed by a single byte of value 1
9401 # - a string is encoded in UTF-8 format followed by a single byte of value 2
9402 &quot;name&quot;: &quot;A String&quot;, # Name describing the field.
9403 },
9404 &quot;radix&quot;: 42, # The native way to select the alphabet. Must be in the range [2, 95].
9405 &quot;cryptoKey&quot;: { # This is a data encryption key (DEK) (as opposed to # Required. The key used by the encryption algorithm.
9406 # a key encryption key (KEK) stored by KMS).
9407 # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
9408 # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
9409 # unwrap the data crypto key.
9410 &quot;kmsWrapped&quot;: { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key
9411 # The wrapped key must be a 128/192/256 bit key.
9412 # Authorization requires the following IAM permissions when sending a request
9413 # to perform a crypto transformation using a kms-wrapped crypto key:
9414 # dlp.kms.encrypt
9415 &quot;wrappedKey&quot;: &quot;A String&quot;, # Required. The wrapped data crypto key.
9416 &quot;cryptoKeyName&quot;: &quot;A String&quot;, # Required. The resource name of the KMS CryptoKey to use for unwrapping.
9417 },
9418 &quot;unwrapped&quot;: { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key
9419 # leaking the key. Choose another type of key if possible.
9420 &quot;key&quot;: &quot;A String&quot;, # Required. A 128/192/256 bit key.
9421 },
9422 &quot;transient&quot;: { # Use this to have a random data crypto key generated. # Transient crypto key
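9423 # It will be discarded after the request finishes, so values transformed with it cannot be re-identified later or correlated with output from other requests.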
9424 &quot;name&quot;: &quot;A String&quot;, # Required. Name of the key.
9425 # This is an arbitrary string used to differentiate different keys.
9426 # A unique key is generated per name: two separate `TransientCryptoKey`
9427 # protos share the same generated key if their names are the same.
9428 # When the data crypto key is generated, this name is not used in any way
9429 # (repeating the api call will result in a different key being generated).
9430 },
9431 },
9432 },
9433 &quot;cryptoDeterministicConfig&quot;: { # Pseudonymization method that generates deterministic encryption for the given # Deterministic Crypto
9434 # input. Outputs a base64 encoded representation of the encrypted output.
9435 # Uses AES-SIV based on the RFC https://tools.ietf.org/html/rfc5297.
9436 &quot;surrogateInfoType&quot;: { # Type of information detected by the API. # The custom info type to annotate the surrogate with.
9437 # This annotation will be applied to the surrogate by prefixing it with
9438 # the name of the custom info type followed by the number of
9439 # characters comprising the surrogate. The following scheme defines the
9440 # format: {info type name}({surrogate character count}):{surrogate}
9441 #
9442 # For example, if the name of custom info type is &#x27;MY_TOKEN_INFO_TYPE&#x27; and
9443 # the surrogate is &#x27;abc&#x27;, the full replacement value
9444 # will be: &#x27;MY_TOKEN_INFO_TYPE(3):abc&#x27;
9445 #
9446 # This annotation identifies the surrogate when inspecting content using the
9447 # custom info type &#x27;Surrogate&#x27;. This facilitates reversal of the
9448 # surrogate when it occurs in free text.
9449 #
9450 # Note: For record transformations where the entire cell in a table is being
9451 # transformed, surrogates are not mandatory. Surrogates are used to denote
9452 # the location of the token and are necessary for re-identification in free
9453 # form text.
9454 #
9455 # In order for inspection to work properly, the name of this info type must
9456 # not occur naturally anywhere in your data; otherwise, inspection may either
9457 #
9458 # - reverse a surrogate that does not correspond to an actual identifier
9459 # - be unable to parse the surrogate and result in an error
9460 #
9461 # Therefore, choose your custom info type name carefully after considering
9462 # what your data looks like. One way to select a name that has a high chance
9463 # of yielding reliable detection is to include one or more unicode characters
9464 # that are highly improbable to exist in your data.
9465 # For example, assuming your data is entered from a regular ASCII keyboard,
9466 # the symbol with the hex code point 29DD might be used like so:
9467 # ⧝MY_TOKEN_TYPE.
9468 &quot;name&quot;: &quot;A String&quot;, # Name of the information type. Either a name of your choosing when
9469 # creating a CustomInfoType, or one of the names listed
9470 # at https://cloud.google.com/dlp/docs/infotypes-reference when specifying
9471 # a built-in type. InfoType names should conform to the pattern
9472 # `[a-zA-Z0-9_]{1,64}`.
9473 },
9474 &quot;context&quot;: { # General identifier of a data field in a storage service. # A context may be used for higher security and maintaining
9475 # referential integrity such that the same identifier in two different
9476 # contexts will be given a distinct surrogate. The context is appended to
9477 # the plaintext value being encrypted. On decryption, the provided context is
9478 # validated against the value used during encryption. If a context was
9479 # provided during encryption, the same context must be provided during decryption
9480 # as well.
9481 #
9482 # If the context is not set, plaintext would be used as is for encryption.
9483 # If the context is set but:
9484 #
9485 # 1. there is no record present when transforming a given value or
9486 # 2. the field is not present when transforming a given value,
9487 #
9488 # plaintext would be used as is for encryption.
9489 #
9490 # Note that case (1) is expected when an `InfoTypeTransformation` is
9491 # applied to both structured and non-structured `ContentItem`s.
9492 &quot;name&quot;: &quot;A String&quot;, # Name describing the field.
9493 },
9494 &quot;cryptoKey&quot;: { # This is a data encryption key (DEK) (as opposed to # The key used by the encryption function.
9495 # a key encryption key (KEK) stored by KMS).
9496 # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
9497 # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
9498 # unwrap the data crypto key.
9499 &quot;kmsWrapped&quot;: { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key
9500 # The wrapped key must be a 128/192/256 bit key.
9501 # Authorization requires the following IAM permissions when sending a request
9502 # to perform a crypto transformation using a kms-wrapped crypto key:
9503 # dlp.kms.encrypt
9504 &quot;wrappedKey&quot;: &quot;A String&quot;, # Required. The wrapped data crypto key.
9505 &quot;cryptoKeyName&quot;: &quot;A String&quot;, # Required. The resource name of the KMS CryptoKey to use for unwrapping.
9506 },
9507 &quot;unwrapped&quot;: { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key
9508 # leaking the key. Choose another type of key if possible.
9509 &quot;key&quot;: &quot;A String&quot;, # Required. A 128/192/256 bit key.
9510 },
9511 &quot;transient&quot;: { # Use this to have a random data crypto key generated. # Transient crypto key
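9512 # It will be discarded after the request finishes, so values transformed with it cannot be re-identified later or correlated with output from other requests.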
9513 &quot;name&quot;: &quot;A String&quot;, # Required. Name of the key.
9514 # This is an arbitrary string used to differentiate different keys.
9515 # A unique key is generated per name: two separate `TransientCryptoKey`
9516 # protos share the same generated key if their names are the same.
9517 # When the data crypto key is generated, this name is not used in any way
9518 # (repeating the api call will result in a different key being generated).
9519 },
9520 },
9521 },
9522 &quot;redactConfig&quot;: { # Redact a given value. For example, if used with an `InfoTypeTransformation` # Redact
9523 # transforming PHONE_NUMBER, and input &#x27;My phone number is 206-555-0123&#x27;, the
9524 # output would be &#x27;My phone number is &#x27;.
9525 },
9526 &quot;bucketingConfig&quot;: { # Generalization function that buckets values based on ranges. The ranges and # Bucketing
9527 # replacement values are dynamically provided by the user for custom behavior,
9528 # such as 1-30 -&gt; LOW, 31-65 -&gt; MEDIUM, 66-100 -&gt; HIGH.
9529 # This can be used on
9530 # data of type: number, long, string, timestamp.
9531 # If the bound `Value` type differs from the type of data being transformed, we
9532 # will first attempt converting the type of the data to be transformed to match
9533 # the type of the bound before comparing.
9534 # See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more.
9535 &quot;buckets&quot;: [ # Set of buckets. Ranges must be non-overlapping.
9536 { # Bucket is represented as a range, along with replacement values.
9537 &quot;min&quot;: { # Set of primitive values supported by the system. # Lower bound of the range, inclusive. Type should be the same as max if
9538 # used.
9539 # Note that for the purposes of inspection or transformation, the number
9540 # of bytes considered to comprise a &#x27;Value&#x27; is based on its representation
9541 # as a UTF-8 encoded string. For example, if &#x27;integer_value&#x27; is set to
9542 # 123456789, the number of bytes would be counted as 9, even though an
9543 # int64 only holds up to 8 bytes of data.
9544 &quot;booleanValue&quot;: True or False, # boolean
9545 &quot;floatValue&quot;: 3.14, # float
9546 &quot;dayOfWeekValue&quot;: &quot;A String&quot;, # day of week
9547 &quot;timestampValue&quot;: &quot;A String&quot;, # timestamp
9548 &quot;dateValue&quot;: { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date
9549 # and time zone are either specified elsewhere or are not significant. The date
9550 # is relative to the Proleptic Gregorian Calendar. This can represent:
9551 #
9552 # * A full date, with non-zero year, month and day values
9553 # * A month and day value, with a zero year, e.g. an anniversary
9554 # * A year on its own, with zero month and day values
9555 # * A year and month value, with a zero day, e.g. a credit card expiration date
9556 #
9557 # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
9558 &quot;year&quot;: 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
9559 # a year.
9560 &quot;month&quot;: 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
9561 # month and day.
9562 &quot;day&quot;: 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
9563 # if specifying a year by itself or a year and month where the day is not
9564 # significant.
9565 },
9566 &quot;stringValue&quot;: &quot;A String&quot;, # string
9567 &quot;integerValue&quot;: &quot;A String&quot;, # integer
9568 &quot;timeValue&quot;: { # Represents a time of day. The date and time zone are either not significant # time of day
9569 # or are specified elsewhere. An API may choose to allow leap seconds. Related
9570 # types are google.type.Date and `google.protobuf.Timestamp`.
9571 &quot;seconds&quot;: 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
9572 # allow the value 60 if it allows leap-seconds.
9573 &quot;nanos&quot;: 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
9574 &quot;hours&quot;: 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
9575 # to allow the value &quot;24:00:00&quot; for scenarios like business closing time.
9576 &quot;minutes&quot;: 42, # Minutes of hour of day. Must be from 0 to 59.
9577 },
9578 },
9579 &quot;max&quot;: { # Set of primitive values supported by the system. # Upper bound of the range, exclusive; type must match min.
9580 # Note that for the purposes of inspection or transformation, the number
9581 # of bytes considered to comprise a &#x27;Value&#x27; is based on its representation
9582 # as a UTF-8 encoded string. For example, if &#x27;integer_value&#x27; is set to
9583 # 123456789, the number of bytes would be counted as 9, even though an
9584 # int64 only holds up to 8 bytes of data.
9585 &quot;booleanValue&quot;: True or False, # boolean
9586 &quot;floatValue&quot;: 3.14, # float
9587 &quot;dayOfWeekValue&quot;: &quot;A String&quot;, # day of week
9588 &quot;timestampValue&quot;: &quot;A String&quot;, # timestamp
9589 &quot;dateValue&quot;: { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date
9590 # and time zone are either specified elsewhere or are not significant. The date
9591 # is relative to the Proleptic Gregorian Calendar. This can represent:
9592 #
9593 # * A full date, with non-zero year, month and day values
9594 # * A month and day value, with a zero year, e.g. an anniversary
9595 # * A year on its own, with zero month and day values
9596 # * A year and month value, with a zero day, e.g. a credit card expiration date
9597 #
9598 # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
9599 &quot;year&quot;: 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
9600 # a year.
9601 &quot;month&quot;: 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
9602 # month and day.
9603 &quot;day&quot;: 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
9604 # if specifying a year by itself or a year and month where the day is not
9605 # significant.
9606 },
9607 &quot;stringValue&quot;: &quot;A String&quot;, # string
9608 &quot;integerValue&quot;: &quot;A String&quot;, # integer
9609 &quot;timeValue&quot;: { # Represents a time of day. The date and time zone are either not significant # time of day
9610 # or are specified elsewhere. An API may choose to allow leap seconds. Related
9611 # types are google.type.Date and `google.protobuf.Timestamp`.
9612 &quot;seconds&quot;: 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
9613 # allow the value 60 if it allows leap-seconds.
9614 &quot;nanos&quot;: 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
9615 &quot;hours&quot;: 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
9616 # to allow the value &quot;24:00:00&quot; for scenarios like business closing time.
9617 &quot;minutes&quot;: 42, # Minutes of hour of day. Must be from 0 to 59.
9618 },
9619 },
9620 &quot;replacementValue&quot;: { # Set of primitive values supported by the system. # Replacement value for this bucket. If not provided
9621 # the default behavior will be to hyphenate the min-max range.
9622 # Note that for the purposes of inspection or transformation, the number
9623 # of bytes considered to comprise a &#x27;Value&#x27; is based on its representation
9624 # as a UTF-8 encoded string. For example, if &#x27;integer_value&#x27; is set to
9625 # 123456789, the number of bytes would be counted as 9, even though an
9626 # int64 only holds up to 8 bytes of data.
9627 &quot;booleanValue&quot;: True or False, # boolean
9628 &quot;floatValue&quot;: 3.14, # float
9629 &quot;dayOfWeekValue&quot;: &quot;A String&quot;, # day of week
9630 &quot;timestampValue&quot;: &quot;A String&quot;, # timestamp
9631 &quot;dateValue&quot;: { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date
9632 # and time zone are either specified elsewhere or are not significant. The date
9633 # is relative to the Proleptic Gregorian Calendar. This can represent:
9634 #
9635 # * A full date, with non-zero year, month and day values
9636 # * A month and day value, with a zero year, e.g. an anniversary
9637 # * A year on its own, with zero month and day values
9638 # * A year and month value, with a zero day, e.g. a credit card expiration date
9639 #
9640 # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
9641 &quot;year&quot;: 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
9642 # a year.
9643 &quot;month&quot;: 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
9644 # month and day.
9645 &quot;day&quot;: 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
9646 # if specifying a year by itself or a year and month where the day is not
9647 # significant.
9648 },
9649 &quot;stringValue&quot;: &quot;A String&quot;, # string
9650 &quot;integerValue&quot;: &quot;A String&quot;, # integer
9651 &quot;timeValue&quot;: { # Represents a time of day. The date and time zone are either not significant # time of day
9652 # or are specified elsewhere. An API may choose to allow leap seconds. Related
9653 # types are google.type.Date and `google.protobuf.Timestamp`.
9654 &quot;seconds&quot;: 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
9655 # allow the value 60 if it allows leap-seconds.
9656 &quot;nanos&quot;: 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
9657 &quot;hours&quot;: 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
9658 # to allow the value &quot;24:00:00&quot; for scenarios like business closing time.
9659 &quot;minutes&quot;: 42, # Minutes of hour of day. Must be from 0 to 59.
9660 },
9661 },
9662 },
9663 ],
9664 },
9665 &quot;replaceConfig&quot;: { # Replace each input value with a given `Value`. # Replace
9666 &quot;newValue&quot;: { # Set of primitive values supported by the system. # Value to replace it with.
9667 # Note that for the purposes of inspection or transformation, the number
9668 # of bytes considered to comprise a &#x27;Value&#x27; is based on its representation
9669 # as a UTF-8 encoded string. For example, if &#x27;integer_value&#x27; is set to
9670 # 123456789, the number of bytes would be counted as 9, even though an
9671 # int64 only holds up to 8 bytes of data.
9672 &quot;booleanValue&quot;: True or False, # boolean
9673 &quot;floatValue&quot;: 3.14, # float
9674 &quot;dayOfWeekValue&quot;: &quot;A String&quot;, # day of week
9675 &quot;timestampValue&quot;: &quot;A String&quot;, # timestamp
9676 &quot;dateValue&quot;: { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date
9677 # and time zone are either specified elsewhere or are not significant. The date
9678 # is relative to the Proleptic Gregorian Calendar. This can represent:
9679 #
9680 # * A full date, with non-zero year, month and day values
9681 # * A month and day value, with a zero year, e.g. an anniversary
9682 # * A year on its own, with zero month and day values
9683 # * A year and month value, with a zero day, e.g. a credit card expiration date
9684 #
9685 # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
9686 &quot;year&quot;: 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
9687 # a year.
9688 &quot;month&quot;: 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
9689 # month and day.
9690 &quot;day&quot;: 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
9691 # if specifying a year by itself or a year and month where the day is not
9692 # significant.
9693 },
9694 &quot;stringValue&quot;: &quot;A String&quot;, # string
9695 &quot;integerValue&quot;: &quot;A String&quot;, # integer
9696 &quot;timeValue&quot;: { # Represents a time of day. The date and time zone are either not significant # time of day
9697 # or are specified elsewhere. An API may choose to allow leap seconds. Related
9698 # types are google.type.Date and `google.protobuf.Timestamp`.
9699 &quot;seconds&quot;: 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
9700 # allow the value 60 if it allows leap-seconds.
9701 &quot;nanos&quot;: 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
9702 &quot;hours&quot;: 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
9703 # to allow the value &quot;24:00:00&quot; for scenarios like business closing time.
9704 &quot;minutes&quot;: 42, # Minutes of hour of day. Must be from 0 to 59.
9705 },
9706 },
9707 },
9708 &quot;characterMaskConfig&quot;: { # Partially mask a string by replacing a given number of characters with a # Mask
9709 # fixed character. Masking can start from the beginning or end of the string.
9710 # This can be used on data of any type (numbers, longs, and so on) and when
9711 # de-identifying structured data we&#x27;ll attempt to preserve the original data&#x27;s
9712 # type. (This allows you to take a long like 123 and modify it to a string like
9713 # **3.)
9714 &quot;reverseOrder&quot;: True or False, # Mask characters in reverse order. For example, if `masking_character` is
9715 # `0`, `number_to_mask` is `14`, and `reverse_order` is `false`, then the
9716 # input string `1234-5678-9012-3456` is masked as `00000000000000-3456`.
9717 # If `masking_character` is `*`, `number_to_mask` is `3`, and `reverse_order`
9718 # is `true`, then the string `12345` is masked as `12***`.
9719 &quot;charactersToIgnore&quot;: [ # When masking a string, items in this list will be skipped when replacing
9720 # characters. For example, if the input string is `555-555-5555` and you
9721 # instruct Cloud DLP to skip `-` and mask 5 characters with `*`, Cloud DLP
9722 # returns `***-**5-5555`.
9723 { # Characters to skip when doing deidentification of a value. These will be left
9724 # alone and skipped.
9725 &quot;charactersToSkip&quot;: &quot;A String&quot;, # Characters to not transform when masking.
9726 &quot;commonCharactersToIgnore&quot;: &quot;A String&quot;, # Common characters to not transform when masking. Useful to avoid removing
9727 # punctuation.
9728 },
9729 ],
9730 &quot;numberToMask&quot;: 42, # Number of characters to mask. If not set, all matching chars will be
9731 # masked. Skipped characters do not count towards this tally.
9732 &quot;maskingCharacter&quot;: &quot;A String&quot;, # Character to use to mask the sensitive values—for example, `*` for an
9733 # alphabetic string such as a name, or `0` for a numeric string such as ZIP
9734 # code or credit card number. This string must have a length of 1. If not
9735 # supplied, this value defaults to `*` for strings, and `0` for digits.
9736 },
9737 &quot;fixedSizeBucketingConfig&quot;: { # Buckets values based on fixed size ranges. The # Fixed size bucketing
9738 # Bucketing transformation can provide all of this functionality,
9739 # but requires more configuration. This message is provided as a convenience to
9740 # the user for simple bucketing strategies.
9741 #
9742 # The transformed value will be a hyphenated string of
9743 # {lower_bound}-{upper_bound}, i.e., if lower_bound = 10 and upper_bound = 20
9744 # all values that are within this bucket will be replaced with &quot;10-20&quot;.
9745 #
9746 # This can be used on data of type: double, long.
9747 #
9748 # If the bound Value type differs from the type of data
9749 # being transformed, we will first attempt converting the type of the data to
9750 # be transformed to match the type of the bound before comparing.
9751 #
9752 # See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more.
9753 &quot;lowerBound&quot;: { # Set of primitive values supported by the system. # Required. Lower bound value of buckets. All values less than `lower_bound` are
9754 # grouped together into a single bucket; for example if `lower_bound` = 10,
9755 # then all values less than 10 are replaced with the value &quot;-10&quot;.
9756 # Note that for the purposes of inspection or transformation, the number
9757 # of bytes considered to comprise a &#x27;Value&#x27; is based on its representation
9758 # as a UTF-8 encoded string. For example, if &#x27;integer_value&#x27; is set to
9759 # 123456789, the number of bytes would be counted as 9, even though an
9760 # int64 only holds up to 8 bytes of data.
9761 &quot;booleanValue&quot;: True or False, # boolean
9762 &quot;floatValue&quot;: 3.14, # float
9763 &quot;dayOfWeekValue&quot;: &quot;A String&quot;, # day of week
9764 &quot;timestampValue&quot;: &quot;A String&quot;, # timestamp
9765 &quot;dateValue&quot;: { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date
9766 # and time zone are either specified elsewhere or are not significant. The date
9767 # is relative to the Proleptic Gregorian Calendar. This can represent:
9768 #
9769 # * A full date, with non-zero year, month and day values
9770 # * A month and day value, with a zero year, e.g. an anniversary
9771 # * A year on its own, with zero month and day values
9772 # * A year and month value, with a zero day, e.g. a credit card expiration date
9773 #
9774 # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
9775 &quot;year&quot;: 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
9776 # a year.
9777 &quot;month&quot;: 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
9778 # month and day.
9779 &quot;day&quot;: 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
9780 # if specifying a year by itself or a year and month where the day is not
9781 # significant.
9782 },
9783 &quot;stringValue&quot;: &quot;A String&quot;, # string
9784 &quot;integerValue&quot;: &quot;A String&quot;, # integer
9785 &quot;timeValue&quot;: { # Represents a time of day. The date and time zone are either not significant # time of day
9786 # or are specified elsewhere. An API may choose to allow leap seconds. Related
9787 # types are google.type.Date and `google.protobuf.Timestamp`.
9788 &quot;seconds&quot;: 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
9789 # allow the value 60 if it allows leap-seconds.
9790 &quot;nanos&quot;: 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
9791 &quot;hours&quot;: 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
9792 # to allow the value &quot;24:00:00&quot; for scenarios like business closing time.
9793 &quot;minutes&quot;: 42, # Minutes of hour of day. Must be from 0 to 59.
9794 },
9795 },
9796 &quot;upperBound&quot;: { # Set of primitive values supported by the system. # Required. Upper bound value of buckets. All values greater than upper_bound are
9797 # grouped together into a single bucket; for example if `upper_bound` = 89,
9798 # then all values greater than 89 are replaced with the value &quot;89+&quot;.
9799 # Note that for the purposes of inspection or transformation, the number
9800 # of bytes considered to comprise a &#x27;Value&#x27; is based on its representation
9801 # as a UTF-8 encoded string. For example, if &#x27;integer_value&#x27; is set to
9802 # 123456789, the number of bytes would be counted as 9, even though an
9803 # int64 only holds up to 8 bytes of data.
9804 &quot;booleanValue&quot;: True or False, # boolean
9805 &quot;floatValue&quot;: 3.14, # float
9806 &quot;dayOfWeekValue&quot;: &quot;A String&quot;, # day of week
9807 &quot;timestampValue&quot;: &quot;A String&quot;, # timestamp
9808 &quot;dateValue&quot;: { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date
9809 # and time zone are either specified elsewhere or are not significant. The date
9810 # is relative to the Proleptic Gregorian Calendar. This can represent:
9811 #
9812 # * A full date, with non-zero year, month and day values
9813 # * A month and day value, with a zero year, e.g. an anniversary
9814 # * A year on its own, with zero month and day values
9815 # * A year and month value, with a zero day, e.g. a credit card expiration date
9816 #
9817 # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
9818 &quot;year&quot;: 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
9819 # a year.
9820 &quot;month&quot;: 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
9821 # month and day.
9822 &quot;day&quot;: 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
9823 # if specifying a year by itself or a year and month where the day is not
9824 # significant.
9825 },
9826 &quot;stringValue&quot;: &quot;A String&quot;, # string
9827 &quot;integerValue&quot;: &quot;A String&quot;, # integer
9828 &quot;timeValue&quot;: { # Represents a time of day. The date and time zone are either not significant # time of day
9829 # or are specified elsewhere. An API may choose to allow leap seconds. Related
9830 # types are google.type.Date and `google.protobuf.Timestamp`.
9831 &quot;seconds&quot;: 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
9832 # allow the value 60 if it allows leap-seconds.
9833 &quot;nanos&quot;: 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
9834 &quot;hours&quot;: 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
9835 # to allow the value &quot;24:00:00&quot; for scenarios like business closing time.
9836 &quot;minutes&quot;: 42, # Minutes of hour of day. Must be from 0 to 59.
9837 },
9838 },
9839 &quot;bucketSize&quot;: 3.14, # Required. Size of each bucket (except for minimum and maximum buckets). So if
9840 # `lower_bound` = 10, `upper_bound` = 89, and `bucket_size` = 10, then the
9841 # following buckets would be used: -10, 10-20, 20-30, 30-40, 40-50, 50-60,
9842 # 60-70, 70-80, 80-89, 89+. Precision up to 2 decimals works.
9843 },
9844 },
9845 &quot;condition&quot;: { # A condition for determining whether a transformation should be applied to # Only apply the transformation if the condition evaluates to true for the
9846 # given `RecordCondition`. The conditions are allowed to reference fields
9847 # that are not used in the actual transformation.
9848 #
9849 # Example Use Cases:
9850 #
9851 # - Apply a different bucket transformation to an age column if the zip code
9852 # column for the same record is within a specific range.
9853 # - Redact a field if the date of birth field is greater than 85.
9854 # a field.
9855 &quot;expressions&quot;: { # An expression, consisting of an operator and conditions. # An expression.
9856 &quot;logicalOperator&quot;: &quot;A String&quot;, # The operator to apply to the result of conditions. Default and currently
9857 # only supported value is `AND`.
9858 &quot;conditions&quot;: { # A collection of conditions. # Conditions to apply to the expression.
9859 &quot;conditions&quot;: [ # A collection of conditions.
9860 { # The field type of `value` and `field` do not need to match to be
9861 # considered equal, but not all comparisons are possible.
9862 # EQUAL_TO and NOT_EQUAL_TO attempt to compare even with incompatible types,
9863 # but all other comparisons are invalid with incompatible types.
9864 # A `value` of type:
9865 #
9866 # - `string` can be compared against all other types
9867 # - `boolean` can only be compared against other booleans
9868 # - `integer` can be compared against doubles or a string if the string value
9869 # can be parsed as an integer.
9870 # - `double` can be compared against integers or a string if the string can
9871 # be parsed as a double.
9872 # - `Timestamp` can be compared against strings in RFC 3339 date string
9873 # format.
9874 # - `TimeOfDay` can be compared against timestamps and strings in the format
9875 # of &#x27;HH:mm:ss&#x27;.
9876 #
9877 # If we fail to compare due to type mismatch, a warning will be given and
9878 # the condition will evaluate to false.
9879 &quot;field&quot;: { # General identifier of a data field in a storage service. # Required. Field within the record this condition is evaluated against.
9880 &quot;name&quot;: &quot;A String&quot;, # Name describing the field.
9881 },
9882 &quot;operator&quot;: &quot;A String&quot;, # Required. Operator used to compare the field or infoType to the value.
9883 &quot;value&quot;: { # Set of primitive values supported by the system. # Value to compare against. [Mandatory, except for `EXISTS` tests.]
9884 # Note that for the purposes of inspection or transformation, the number
9885 # of bytes considered to comprise a &#x27;Value&#x27; is based on its representation
9886 # as a UTF-8 encoded string. For example, if &#x27;integer_value&#x27; is set to
9887 # 123456789, the number of bytes would be counted as 9, even though an
9888 # int64 only holds up to 8 bytes of data.
9889 &quot;booleanValue&quot;: True or False, # boolean
9890 &quot;floatValue&quot;: 3.14, # float
9891 &quot;dayOfWeekValue&quot;: &quot;A String&quot;, # day of week
9892 &quot;timestampValue&quot;: &quot;A String&quot;, # timestamp
9893 &quot;dateValue&quot;: { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date
9894 # and time zone are either specified elsewhere or are not significant. The date
9895 # is relative to the Proleptic Gregorian Calendar. This can represent:
9896 #
9897 # * A full date, with non-zero year, month and day values
9898 # * A month and day value, with a zero year, e.g. an anniversary
9899 # * A year on its own, with zero month and day values
9900 # * A year and month value, with a zero day, e.g. a credit card expiration date
9901 #
9902 # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
9903 &quot;year&quot;: 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
9904 # a year.
9905 &quot;month&quot;: 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
9906 # month and day.
9907 &quot;day&quot;: 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
9908 # if specifying a year by itself or a year and month where the day is not
9909 # significant.
9910 },
9911 &quot;stringValue&quot;: &quot;A String&quot;, # string
9912 &quot;integerValue&quot;: &quot;A String&quot;, # integer
9913 &quot;timeValue&quot;: { # Represents a time of day. The date and time zone are either not significant # time of day
9914 # or are specified elsewhere. An API may choose to allow leap seconds. Related
9915 # types are google.type.Date and `google.protobuf.Timestamp`.
9916 &quot;seconds&quot;: 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
9917 # allow the value 60 if it allows leap-seconds.
9918 &quot;nanos&quot;: 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
9919 &quot;hours&quot;: 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
9920 # to allow the value &quot;24:00:00&quot; for scenarios like business closing time.
9921 &quot;minutes&quot;: 42, # Minutes of hour of day. Must be from 0 to 59.
9922 },
9923 },
9924 },
9925 ],
9926 },
9927 },
9928 },
9929 },
9930 ],
9931 },
9932 &quot;infoTypeTransformations&quot;: { # Treat the dataset as free-form text and apply the same free text
9933 # transformation everywhere.
9934 # A type of transformation that will scan unstructured text and apply various `PrimitiveTransformation`s to each finding, where the
9935 # transformation is applied to only values that were identified as a specific
9936 # info_type.
9937 &quot;transformations&quot;: [ # Required. Transformation for each infoType. Cannot specify more than one
9938 # for a given infoType.
9939 { # A transformation to apply to text that is identified as a specific
9940 # info_type.
9941 &quot;infoTypes&quot;: [ # InfoTypes to apply the transformation to. An empty list will cause
9942 # this transformation to apply to all findings that correspond to
9943 # infoTypes that were requested in `InspectConfig`.
9944 { # Type of information detected by the API.
9945 &quot;name&quot;: &quot;A String&quot;, # Name of the information type. Either a name of your choosing when
9946 # creating a CustomInfoType, or one of the names listed
9947 # at https://cloud.google.com/dlp/docs/infotypes-reference when specifying
9948 # a built-in type. InfoType names should conform to the pattern
9949 # `[a-zA-Z0-9_]{1,64}`.
9950 },
9951 ],
9952 &quot;primitiveTransformation&quot;: { # A rule for transforming a value. # Required. Primitive transformation to apply to the infoType.
9953 &quot;timePartConfig&quot;: { # For use with `Date`, `Timestamp`, and `TimeOfDay`, extract or preserve a # Time extraction
9954 # portion of the value.
9955 &quot;partToExtract&quot;: &quot;A String&quot;, # The part of the time to keep.
9956 },
9957 &quot;dateShiftConfig&quot;: { # Shifts dates by a random number of days, with the option to be consistent for the # Date Shift
9958 # same context. See https://cloud.google.com/dlp/docs/concepts-date-shifting
9959 # to learn more.
9960 &quot;context&quot;: { # General identifier of a data field in a storage service. # Points to the field that contains the context, for example, an entity id.
9961 # If set, must also set cryptoKey. If set, shift will be consistent for the
9962 # given context.
9963 &quot;name&quot;: &quot;A String&quot;, # Name describing the field.
9964 },
9965 &quot;upperBoundDays&quot;: 42, # Required. Range of shift in days. Actual shift will be selected at random within this
9966 # range (inclusive ends). Negative means shift to earlier in time. Must not
9967 # be more than 365250 days (1000 years) each direction.
9968 #
9969 # For example, 3 means shift date to at most 3 days into the future.
9970 &quot;lowerBoundDays&quot;: 42, # Required. For example, -5 means shift date to at most 5 days back in the past.
9971 &quot;cryptoKey&quot;: { # Causes the shift to be computed based on this key and the context. This
9972 # results in the same shift for the same context and crypto_key. If
9973 # set, must also set context. Can only be applied to table items.
9974 # This is a data encryption key (DEK) (as opposed to a key encryption key (KEK) stored by KMS).
9975 # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
9976 # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
9977 # unwrap the data crypto key.
9978 &quot;kmsWrapped&quot;: { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key
9979 # The wrapped key must be a 128/192/256 bit key.
9980 # Authorization requires the following IAM permissions when sending a request
9981 # to perform a crypto transformation using a kms-wrapped crypto key:
9982 # dlp.kms.encrypt
9983 &quot;wrappedKey&quot;: &quot;A String&quot;, # Required. The wrapped data crypto key.
9984 &quot;cryptoKeyName&quot;: &quot;A String&quot;, # Required. The resource name of the KMS CryptoKey to use for unwrapping.
9985 },
9986 &quot;unwrapped&quot;: { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key
9987 # leaking the key. Choose another type of key if possible.
9988 &quot;key&quot;: &quot;A String&quot;, # Required. A 128/192/256 bit key.
9989 },
9990 &quot;transient&quot;: { # Use this to have a random data crypto key generated. # Transient crypto key
9991 # It will be discarded after the request finishes.
9992 &quot;name&quot;: &quot;A String&quot;, # Required. Name of the key.
9993 # This is an arbitrary string used to differentiate different keys.
9994 # A unique key is generated per name: two separate `TransientCryptoKey`
9995 # protos share the same generated key if their names are the same.
9996 # When the data crypto key is generated, this name is not used in any way
9997 # (repeating the api call will result in a different key being generated).
9998 },
9999 },
10000 },
10001 &quot;replaceWithInfoTypeConfig&quot;: { # Replace each matching finding with the name of the info_type. # Replace with infotype
10002 },
10003 &quot;cryptoHashConfig&quot;: { # Pseudonymization method that generates surrogates via cryptographic hashing. # Crypto
10004 # Uses SHA-256.
10005 # The key size must be either 32 or 64 bytes.
10006 # Outputs a base64 encoded representation of the hashed output
10007 # (for example, L7k0BHmF1ha5U3NfGykjro4xWi1MPVQPjhMAZbSV9mM=).
10008 # Currently, only string and integer values can be hashed.
10009 # See https://cloud.google.com/dlp/docs/pseudonymization to learn more.
10010 &quot;cryptoKey&quot;: { # The key used by the hash function.
10011 # This is a data encryption key (DEK) (as opposed to a key encryption key (KEK) stored by KMS).
10012 # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
10013 # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
10014 # unwrap the data crypto key.
10015 &quot;kmsWrapped&quot;: { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key
10016 # The wrapped key must be a 128/192/256 bit key.
10017 # Authorization requires the following IAM permissions when sending a request
10018 # to perform a crypto transformation using a kms-wrapped crypto key:
10019 # dlp.kms.encrypt
10020 &quot;wrappedKey&quot;: &quot;A String&quot;, # Required. The wrapped data crypto key.
10021 &quot;cryptoKeyName&quot;: &quot;A String&quot;, # Required. The resource name of the KMS CryptoKey to use for unwrapping.
10022 },
10023 &quot;unwrapped&quot;: { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key
10024 # leaking the key. Choose another type of key if possible.
10025 &quot;key&quot;: &quot;A String&quot;, # Required. A 128/192/256 bit key.
10026 },
10027 &quot;transient&quot;: { # Use this to have a random data crypto key generated. # Transient crypto key
10028 # It will be discarded after the request finishes.
10029 &quot;name&quot;: &quot;A String&quot;, # Required. Name of the key.
10030 # This is an arbitrary string used to differentiate different keys.
10031 # A unique key is generated per name: two separate `TransientCryptoKey`
10032 # protos share the same generated key if their names are the same.
10033 # When the data crypto key is generated, this name is not used in any way
10034 # (repeating the api call will result in a different key being generated).
10035 },
10036 },
10037 },
10038 &quot;cryptoReplaceFfxFpeConfig&quot;: { # Replaces an identifier with a surrogate using Format Preserving Encryption # Ffx-Fpe
10039 # (FPE) with the FFX mode of operation; however when used in the
10040 # `ReidentifyContent` API method, it serves the opposite function by reversing
10041 # the surrogate back into the original identifier. The identifier must be
10042 # encoded as ASCII. For a given crypto key and context, the same identifier
10043 # will be replaced with the same surrogate. Identifiers must be at least two
10044 # characters long. In the case that the identifier is the empty string, it will
10045 # be skipped. See https://cloud.google.com/dlp/docs/pseudonymization to learn
10046 # more.
10047 #
10048 # Note: We recommend using CryptoDeterministicConfig for all use cases that
10049 # warrant referential integrity but do not require preserving the input
10050 # alphabet space and size.
10051 &quot;customAlphabet&quot;: &quot;A String&quot;, # A custom alphabet; this is supported by mapping its characters to the alphanumeric characters
10052 # that the FFX mode natively supports. This happens before/after
10053 # encryption/decryption.
10054 # Each character listed must appear only once.
10055 # Number of characters must be in the range [2, 95].
10056 # This must be encoded as ASCII.
10057 # The order of characters does not matter.
10058 &quot;commonAlphabet&quot;: &quot;A String&quot;, # Common alphabets.
10059 &quot;surrogateInfoType&quot;: { # Type of information detected by the API. # The custom infoType to annotate the surrogate with.
10060 # This annotation will be applied to the surrogate by prefixing it with
10061 # the name of the custom infoType followed by the number of
10062 # characters comprising the surrogate. The following scheme defines the
10063 # format: info_type_name(surrogate_character_count):surrogate
10064 #
10065 # For example, if the name of custom infoType is &#x27;MY_TOKEN_INFO_TYPE&#x27; and
10066 # the surrogate is &#x27;abc&#x27;, the full replacement value
10067 # will be: &#x27;MY_TOKEN_INFO_TYPE(3):abc&#x27;
10068 #
10069 # This annotation identifies the surrogate when inspecting content using the
10070 # custom infoType
10071 # [`SurrogateType`](/dlp/docs/reference/rest/v2/InspectConfig#surrogatetype).
10072 # This facilitates reversal of the surrogate when it occurs in free text.
10073 #
10074 # In order for inspection to work properly, the name of this infoType must
10075 # not occur naturally anywhere in your data; otherwise, inspection may
10076 # find a surrogate that does not correspond to an actual identifier.
10077 # Therefore, choose your custom infoType name carefully after considering
10078 # what your data looks like. One way to select a name that has a high chance
10079 # of yielding reliable detection is to include one or more unicode characters
10080 # that are highly improbable to exist in your data.
10081 # For example, assuming your data is entered from a regular ASCII keyboard,
10082 # the symbol with the hex code point 29DD might be used like so:
10083 # ⧝MY_TOKEN_TYPE
10084 &quot;name&quot;: &quot;A String&quot;, # Name of the information type. Either a name of your choosing when
10085 # creating a CustomInfoType, or one of the names listed
10086 # at https://cloud.google.com/dlp/docs/infotypes-reference when specifying
10087 # a built-in type. InfoType names should conform to the pattern
10088 # `[a-zA-Z0-9_]{1,64}`.
10089 },
9090 &quot;context&quot;: { # General identifier of a data field in a storage service. # The &#x27;tweak&#x27;: a context that may be used for higher security, since the same
10091 # identifier in two different contexts won&#x27;t be given the same surrogate. If
10092 # the context is not set, a default tweak will be used.
10093 #
10094 # If the context is set but:
10095 #
10096 # 1. there is no record present when transforming a given value or
10097 # 2. the field is not present when transforming a given value,
10098 #
10099 # a default tweak will be used.
10100 #
10101 # Note that case (1) is expected when an `InfoTypeTransformation` is
10102 # applied to both structured and non-structured `ContentItem`s.
10103 # Currently, the referenced field may be of value type integer or string.
10104 #
10105 # The tweak is constructed as a sequence of bytes in big endian byte order
10106 # such that:
10107 #
10108 # - a 64 bit integer is encoded followed by a single byte of value 1
10109 # - a string is encoded in UTF-8 format followed by a single byte of value 2
10110 &quot;name&quot;: &quot;A String&quot;, # Name describing the field.
10111 },
10112 &quot;radix&quot;: 42, # The native way to select the alphabet. Must be in the range [2, 95].
10113 &quot;cryptoKey&quot;: { # Required. The key used by the encryption algorithm.
10114 # This is a data encryption key (DEK) (as opposed to a key encryption key (KEK) stored by KMS).
10115 # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
10116 # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
10117 # unwrap the data crypto key.
10118 &quot;kmsWrapped&quot;: { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key
10119 # The wrapped key must be a 128/192/256 bit key.
10120 # Authorization requires the following IAM permissions when sending a request
10121 # to perform a crypto transformation using a kms-wrapped crypto key:
10122 # dlp.kms.encrypt
10123 &quot;wrappedKey&quot;: &quot;A String&quot;, # Required. The wrapped data crypto key.
10124 &quot;cryptoKeyName&quot;: &quot;A String&quot;, # Required. The resource name of the KMS CryptoKey to use for unwrapping.
10125 },
10126 &quot;unwrapped&quot;: { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key
10127 # leaking the key. Choose another type of key if possible.
10128 &quot;key&quot;: &quot;A String&quot;, # Required. A 128/192/256 bit key.
10129 },
10130 &quot;transient&quot;: { # Use this to have a random data crypto key generated. # Transient crypto key
10131 # It will be discarded after the request finishes.
10132 &quot;name&quot;: &quot;A String&quot;, # Required. Name of the key.
10133 # This is an arbitrary string used to differentiate different keys.
10134 # A unique key is generated per name: two separate `TransientCryptoKey`
10135 # protos share the same generated key if their names are the same.
10136 # When the data crypto key is generated, this name is not used in any way
10137 # (repeating the api call will result in a different key being generated).
10138 },
10139 },
10140 },
10141 &quot;cryptoDeterministicConfig&quot;: { # Pseudonymization method that generates deterministic encryption for the given # Deterministic Crypto
10142 # input. Outputs a base64 encoded representation of the encrypted output.
10143 # Uses AES-SIV based on the RFC https://tools.ietf.org/html/rfc5297.
10144 &quot;surrogateInfoType&quot;: { # Type of information detected by the API. # The custom info type to annotate the surrogate with.
10145 # This annotation will be applied to the surrogate by prefixing it with
10146 # the name of the custom info type followed by the number of
10147 # characters comprising the surrogate. The following scheme defines the
10148 # format: {info type name}({surrogate character count}):{surrogate}
10149 #
10150 # For example, if the name of custom info type is &#x27;MY_TOKEN_INFO_TYPE&#x27; and
10151 # the surrogate is &#x27;abc&#x27;, the full replacement value
10152 # will be: &#x27;MY_TOKEN_INFO_TYPE(3):abc&#x27;
10153 #
10154 # This annotation identifies the surrogate when inspecting content using the
10155 # custom info type &#x27;Surrogate&#x27;. This facilitates reversal of the
10156 # surrogate when it occurs in free text.
10157 #
10158 # Note: For record transformations where the entire cell in a table is being
10159 # transformed, surrogates are not mandatory. Surrogates are used to denote
10160 # the location of the token and are necessary for re-identification in free
10161 # form text.
10162 #
10163 # In order for inspection to work properly, the name of this info type must
10164 # not occur naturally anywhere in your data; otherwise, inspection may either
10165 #
10166 # - reverse a surrogate that does not correspond to an actual identifier
10167 # - be unable to parse the surrogate and result in an error
10168 #
10169 # Therefore, choose your custom info type name carefully after considering
10170 # what your data looks like. One way to select a name that has a high chance
10171 # of yielding reliable detection is to include one or more unicode characters
10172 # that are highly improbable to exist in your data.
10173 # For example, assuming your data is entered from a regular ASCII keyboard,
10174 # the symbol with the hex code point 29DD might be used like so:
10175 # ⧝MY_TOKEN_TYPE.
10176 &quot;name&quot;: &quot;A String&quot;, # Name of the information type. Either a name of your choosing when
10177 # creating a CustomInfoType, or one of the names listed
10178 # at https://cloud.google.com/dlp/docs/infotypes-reference when specifying
10179 # a built-in type. InfoType names should conform to the pattern
10180 # `[a-zA-Z0-9_]{1,64}`.
10181 },
10182 &quot;context&quot;: { # General identifier of a data field in a storage service. # A context may be used for higher security and maintaining
10183 # referential integrity such that the same identifier in two different
10184 # contexts will be given a distinct surrogate. The context is appended to
10185 # the plaintext value being encrypted. On decryption the provided context is
10186 # validated against the value used during encryption. If a context was
10187 # provided during encryption, the same context must be provided during decryption
10188 # as well.
10189 #
10190 # If the context is not set, plaintext would be used as is for encryption.
10191 # If the context is set but:
10192 #
10193 # 1. there is no record present when transforming a given value or
10194 # 2. the field is not present when transforming a given value,
10195 #
10196 # plaintext would be used as is for encryption.
10197 #
10198 # Note that case (1) is expected when an `InfoTypeTransformation` is
10199 # applied to both structured and non-structured `ContentItem`s.
10200 &quot;name&quot;: &quot;A String&quot;, # Name describing the field.
10201 },
10202 &quot;cryptoKey&quot;: { # The key used by the encryption function.
10203 # This is a data encryption key (DEK) (as opposed to a key encryption key (KEK) stored by KMS).
10204 # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
10205 # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
10206 # unwrap the data crypto key.
10207 &quot;kmsWrapped&quot;: { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key
10208 # The wrapped key must be a 128/192/256 bit key.
10209 # Authorization requires the following IAM permissions when sending a request
10210 # to perform a crypto transformation using a kms-wrapped crypto key:
10211 # dlp.kms.encrypt
10212 &quot;wrappedKey&quot;: &quot;A String&quot;, # Required. The wrapped data crypto key.
10213 &quot;cryptoKeyName&quot;: &quot;A String&quot;, # Required. The resource name of the KMS CryptoKey to use for unwrapping.
10214 },
10215 &quot;unwrapped&quot;: { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key
10216 # leaking the key. Choose another type of key if possible.
10217 &quot;key&quot;: &quot;A String&quot;, # Required. A 128/192/256 bit key.
10218 },
10219 &quot;transient&quot;: { # Use this to have a random data crypto key generated. # Transient crypto key
10220 # It will be discarded after the request finishes.
10221 &quot;name&quot;: &quot;A String&quot;, # Required. Name of the key.
10222 # This is an arbitrary string used to differentiate different keys.
10223 # A unique key is generated per name: two separate `TransientCryptoKey`
10224 # protos share the same generated key if their names are the same.
10225 # When the data crypto key is generated, this name is not used in any way
10226 # (repeating the api call will result in a different key being generated).
10227 },
10228 },
10229 },
10230 &quot;redactConfig&quot;: { # Redact a given value. For example, if used with an `InfoTypeTransformation` # Redact
10231 # transforming PHONE_NUMBER, and input &#x27;My phone number is 206-555-0123&#x27;, the
10232 # output would be &#x27;My phone number is &#x27;.
10233 },
10234 &quot;bucketingConfig&quot;: { # Generalization function that buckets values based on ranges. The ranges and # Bucketing
10235 # replacement values are dynamically provided by the user for custom behavior,
10236 # such as 1-30 -&gt; LOW, 31-65 -&gt; MEDIUM, 66-100 -&gt; HIGH.
10237 # This can be used on
10238 # data of type: number, long, string, timestamp.
10239 # If the bound `Value` type differs from the type of data being transformed, we
10240 # will first attempt converting the type of the data to be transformed to match
10241 # the type of the bound before comparing.
10242 # See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more.
10243 &quot;buckets&quot;: [ # Set of buckets. Ranges must be non-overlapping.
10244 { # Bucket is represented as a range, along with replacement values.
10245 &quot;min&quot;: { # Set of primitive values supported by the system. # Lower bound of the range, inclusive. Type should be the same as max if
10246 # used.
10247 # Note that for the purposes of inspection or transformation, the number
10248 # of bytes considered to comprise a &#x27;Value&#x27; is based on its representation
10249 # as a UTF-8 encoded string. For example, if &#x27;integer_value&#x27; is set to
10250 # 123456789, the number of bytes would be counted as 9, even though an
10251 # int64 only holds up to 8 bytes of data.
10252 &quot;booleanValue&quot;: True or False, # boolean
10253 &quot;floatValue&quot;: 3.14, # float
10254 &quot;dayOfWeekValue&quot;: &quot;A String&quot;, # day of week
10255 &quot;timestampValue&quot;: &quot;A String&quot;, # timestamp
10256 &quot;dateValue&quot;: { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date
10257 # and time zone are either specified elsewhere or are not significant. The date
10258 # is relative to the Proleptic Gregorian Calendar. This can represent:
10259 #
10260 # * A full date, with non-zero year, month and day values
10261 # * A month and day value, with a zero year, e.g. an anniversary
10262 # * A year on its own, with zero month and day values
10263 # * A year and month value, with a zero day, e.g. a credit card expiration date
10264 #
10265 # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
10266 &quot;year&quot;: 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
10267 # a year.
10268 &quot;month&quot;: 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
10269 # month and day.
10270 &quot;day&quot;: 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
10271 # if specifying a year by itself or a year and month where the day is not
10272 # significant.
10273 },
10274 &quot;stringValue&quot;: &quot;A String&quot;, # string
10275 &quot;integerValue&quot;: &quot;A String&quot;, # integer
10276 &quot;timeValue&quot;: { # Represents a time of day. The date and time zone are either not significant # time of day
10277 # or are specified elsewhere. An API may choose to allow leap seconds. Related
10278 # types are google.type.Date and `google.protobuf.Timestamp`.
10279 &quot;seconds&quot;: 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
10280 # allow the value 60 if it allows leap-seconds.
10281 &quot;nanos&quot;: 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
10282 &quot;hours&quot;: 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
10283 # to allow the value &quot;24:00:00&quot; for scenarios like business closing time.
10284 &quot;minutes&quot;: 42, # Minutes of hour of day. Must be from 0 to 59.
10285 },
10286 },
10287 &quot;max&quot;: { # Set of primitive values supported by the system. # Upper bound of the range, exclusive; type must match min.
10288 # Note that for the purposes of inspection or transformation, the number
10289 # of bytes considered to comprise a &#x27;Value&#x27; is based on its representation
10290 # as a UTF-8 encoded string. For example, if &#x27;integer_value&#x27; is set to
10291 # 123456789, the number of bytes would be counted as 9, even though an
10292 # int64 only holds up to 8 bytes of data.
10293 &quot;booleanValue&quot;: True or False, # boolean
10294 &quot;floatValue&quot;: 3.14, # float
10295 &quot;dayOfWeekValue&quot;: &quot;A String&quot;, # day of week
10296 &quot;timestampValue&quot;: &quot;A String&quot;, # timestamp
10297 &quot;dateValue&quot;: { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date
10298 # and time zone are either specified elsewhere or are not significant. The date
10299 # is relative to the Proleptic Gregorian Calendar. This can represent:
10300 #
10301 # * A full date, with non-zero year, month and day values
10302 # * A month and day value, with a zero year, e.g. an anniversary
10303 # * A year on its own, with zero month and day values
10304 # * A year and month value, with a zero day, e.g. a credit card expiration date
10305 #
10306 # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
10307 &quot;year&quot;: 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
10308 # a year.
10309 &quot;month&quot;: 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
10310 # month and day.
10311 &quot;day&quot;: 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
10312 # if specifying a year by itself or a year and month where the day is not
10313 # significant.
10314 },
10315 &quot;stringValue&quot;: &quot;A String&quot;, # string
10316 &quot;integerValue&quot;: &quot;A String&quot;, # integer
10317 &quot;timeValue&quot;: { # Represents a time of day. The date and time zone are either not significant # time of day
10318 # or are specified elsewhere. An API may choose to allow leap seconds. Related
10319 # types are google.type.Date and `google.protobuf.Timestamp`.
10320 &quot;seconds&quot;: 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
10321 # allow the value 60 if it allows leap-seconds.
10322 &quot;nanos&quot;: 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
10323 &quot;hours&quot;: 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
10324 # to allow the value &quot;24:00:00&quot; for scenarios like business closing time.
10325 &quot;minutes&quot;: 42, # Minutes of hour of day. Must be from 0 to 59.
10326 },
10327 },
10328 &quot;replacementValue&quot;: { # Set of primitive values supported by the system. # Replacement value for this bucket. If not provided
10329 # the default behavior will be to hyphenate the min-max range.
10330 # Note that for the purposes of inspection or transformation, the number
10331 # of bytes considered to comprise a &#x27;Value&#x27; is based on its representation
10332 # as a UTF-8 encoded string. For example, if &#x27;integer_value&#x27; is set to
10333 # 123456789, the number of bytes would be counted as 9, even though an
10334 # int64 only holds up to 8 bytes of data.
10335 &quot;booleanValue&quot;: True or False, # boolean
10336 &quot;floatValue&quot;: 3.14, # float
10337 &quot;dayOfWeekValue&quot;: &quot;A String&quot;, # day of week
10338 &quot;timestampValue&quot;: &quot;A String&quot;, # timestamp
10339 &quot;dateValue&quot;: { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date
10340 # and time zone are either specified elsewhere or are not significant. The date
10341 # is relative to the Proleptic Gregorian Calendar. This can represent:
10342 #
10343 # * A full date, with non-zero year, month and day values
10344 # * A month and day value, with a zero year, e.g. an anniversary
10345 # * A year on its own, with zero month and day values
10346 # * A year and month value, with a zero day, e.g. a credit card expiration date
10347 #
10348 # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
10349 &quot;year&quot;: 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
10350 # a year.
10351 &quot;month&quot;: 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
10352 # month and day.
10353 &quot;day&quot;: 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
10354 # if specifying a year by itself or a year and month where the day is not
10355 # significant.
10356 },
10357 &quot;stringValue&quot;: &quot;A String&quot;, # string
10358 &quot;integerValue&quot;: &quot;A String&quot;, # integer
10359 &quot;timeValue&quot;: { # Represents a time of day. The date and time zone are either not significant # time of day
10360 # or are specified elsewhere. An API may choose to allow leap seconds. Related
10361 # types are google.type.Date and `google.protobuf.Timestamp`.
10362 &quot;seconds&quot;: 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
10363 # allow the value 60 if it allows leap-seconds.
10364 &quot;nanos&quot;: 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
10365 &quot;hours&quot;: 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
10366 # to allow the value &quot;24:00:00&quot; for scenarios like business closing time.
10367 &quot;minutes&quot;: 42, # Minutes of hour of day. Must be from 0 to 59.
10368 },
10369 },
10370 },
10371 ],
10372 },
10373 &quot;replaceConfig&quot;: { # Replace each input value with a given `Value`. # Replace
10374 &quot;newValue&quot;: { # Set of primitive values supported by the system. # Value to replace it with.
10375 # Note that for the purposes of inspection or transformation, the number
10376 # of bytes considered to comprise a &#x27;Value&#x27; is based on its representation
10377 # as a UTF-8 encoded string. For example, if &#x27;integer_value&#x27; is set to
10378 # 123456789, the number of bytes would be counted as 9, even though an
10379 # int64 only holds up to 8 bytes of data.
10380 &quot;booleanValue&quot;: True or False, # boolean
10381 &quot;floatValue&quot;: 3.14, # float
10382 &quot;dayOfWeekValue&quot;: &quot;A String&quot;, # day of week
10383 &quot;timestampValue&quot;: &quot;A String&quot;, # timestamp
10384 &quot;dateValue&quot;: { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date
10385 # and time zone are either specified elsewhere or are not significant. The date
10386 # is relative to the Proleptic Gregorian Calendar. This can represent:
10387 #
10388 # * A full date, with non-zero year, month and day values
10389 # * A month and day value, with a zero year, e.g. an anniversary
10390 # * A year on its own, with zero month and day values
10391 # * A year and month value, with a zero day, e.g. a credit card expiration date
10392 #
10393 # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
10394 &quot;year&quot;: 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
10395 # a year.
10396 &quot;month&quot;: 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
10397 # month and day.
10398 &quot;day&quot;: 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
10399 # if specifying a year by itself or a year and month where the day is not
10400 # significant.
10401 },
10402 &quot;stringValue&quot;: &quot;A String&quot;, # string
10403 &quot;integerValue&quot;: &quot;A String&quot;, # integer
10404 &quot;timeValue&quot;: { # Represents a time of day. The date and time zone are either not significant # time of day
10405 # or are specified elsewhere. An API may choose to allow leap seconds. Related
10406 # types are google.type.Date and `google.protobuf.Timestamp`.
10407 &quot;seconds&quot;: 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
10408 # allow the value 60 if it allows leap-seconds.
10409 &quot;nanos&quot;: 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
10410 &quot;hours&quot;: 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
10411 # to allow the value &quot;24:00:00&quot; for scenarios like business closing time.
10412 &quot;minutes&quot;: 42, # Minutes of hour of day. Must be from 0 to 59.
10413 },
10414 },
10415 },
10416 &quot;characterMaskConfig&quot;: { # Partially mask a string by replacing a given number of characters with a # Mask
10417 # fixed character. Masking can start from the beginning or end of the string.
10418 # This can be used on data of any type (numbers, longs, and so on) and when
10419 # de-identifying structured data we&#x27;ll attempt to preserve the original data&#x27;s
10420 # type. (This allows you to take a long like 123 and modify it to a string like
10421 # **3.)
10422 &quot;reverseOrder&quot;: True or False, # Mask characters in reverse order. For example, if `masking_character` is
10423 # `0`, `number_to_mask` is `14`, and `reverse_order` is `false`, then the
10424 # input string `1234-5678-9012-3456` is masked as `00000000000000-3456`.
10425 # If `masking_character` is `*`, `number_to_mask` is `3`, and `reverse_order`
10426 # is `true`, then the string `12345` is masked as `12***`.
10427 &quot;charactersToIgnore&quot;: [ # When masking a string, items in this list will be skipped when replacing
10428 # characters. For example, if the input string is `555-555-5555` and you
10429 # instruct Cloud DLP to skip `-` and mask 5 characters with `*`, Cloud DLP
10430 # returns `***-**5-5555`.
10431 { # Characters to skip when doing deidentification of a value. These will be left
10432 # alone and skipped.
10433 &quot;charactersToSkip&quot;: &quot;A String&quot;, # Characters to not transform when masking.
10434 &quot;commonCharactersToIgnore&quot;: &quot;A String&quot;, # Common characters to not transform when masking. Useful to avoid removing
10435 # punctuation.
10436 },
10437 ],
10438 &quot;numberToMask&quot;: 42, # Number of characters to mask. If not set, all matching chars will be
10439 # masked. Skipped characters do not count towards this tally.
10440 &quot;maskingCharacter&quot;: &quot;A String&quot;, # Character to use to mask the sensitive values&mdash;for example, `*` for an
10441 # alphabetic string such as a name, or `0` for a numeric string such as ZIP
10442 # code or credit card number. This string must have a length of 1. If not
10443 # supplied, this value defaults to `*` for strings, and `0` for digits.
10444 },
10445 &quot;fixedSizeBucketingConfig&quot;: { # Buckets values based on fixed size ranges. The # Fixed size bucketing
10446 # Bucketing transformation can provide all of this functionality,
10447 # but requires more configuration. This message is provided as a convenience to
10448 # the user for simple bucketing strategies.
10449 #
10450 # The transformed value will be a hyphenated string of
10451 # {lower_bound}-{upper_bound}, i.e. if lower_bound = 10 and upper_bound = 20
10452 # all values that are within this bucket will be replaced with &quot;10-20&quot;.
10453 #
10454 # This can be used on data of type: double, long.
10455 #
10456 # If the bound Value type differs from the type of data
10457 # being transformed, we will first attempt converting the type of the data to
10458 # be transformed to match the type of the bound before comparing.
10459 #
10460 # See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more.
10461 &quot;lowerBound&quot;: { # Set of primitive values supported by the system. # Required. Lower bound value of buckets. All values less than `lower_bound` are
10462 # grouped together into a single bucket; for example if `lower_bound` = 10,
10463 # then all values less than 10 are replaced with the value &quot;-10&quot;.
10464 # Note that for the purposes of inspection or transformation, the number
10465 # of bytes considered to comprise a &#x27;Value&#x27; is based on its representation
10466 # as a UTF-8 encoded string. For example, if &#x27;integer_value&#x27; is set to
10467 # 123456789, the number of bytes would be counted as 9, even though an
10468 # int64 only holds up to 8 bytes of data.
10469 &quot;booleanValue&quot;: True or False, # boolean
10470 &quot;floatValue&quot;: 3.14, # float
10471 &quot;dayOfWeekValue&quot;: &quot;A String&quot;, # day of week
10472 &quot;timestampValue&quot;: &quot;A String&quot;, # timestamp
10473 &quot;dateValue&quot;: { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date
10474 # and time zone are either specified elsewhere or are not significant. The date
10475 # is relative to the Proleptic Gregorian Calendar. This can represent:
10476 #
10477 # * A full date, with non-zero year, month and day values
10478 # * A month and day value, with a zero year, e.g. an anniversary
10479 # * A year on its own, with zero month and day values
10480 # * A year and month value, with a zero day, e.g. a credit card expiration date
10481 #
10482 # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
10483 &quot;year&quot;: 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
10484 # a year.
10485 &quot;month&quot;: 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
10486 # month and day.
10487 &quot;day&quot;: 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
10488 # if specifying a year by itself or a year and month where the day is not
10489 # significant.
10490 },
10491 &quot;stringValue&quot;: &quot;A String&quot;, # string
10492 &quot;integerValue&quot;: &quot;A String&quot;, # integer
10493 &quot;timeValue&quot;: { # Represents a time of day. The date and time zone are either not significant # time of day
10494 # or are specified elsewhere. An API may choose to allow leap seconds. Related
10495 # types are google.type.Date and `google.protobuf.Timestamp`.
10496 &quot;seconds&quot;: 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
10497 # allow the value 60 if it allows leap-seconds.
10498 &quot;nanos&quot;: 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
10499 &quot;hours&quot;: 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
10500 # to allow the value &quot;24:00:00&quot; for scenarios like business closing time.
10501 &quot;minutes&quot;: 42, # Minutes of hour of day. Must be from 0 to 59.
10502 },
10503 },
10504 &quot;upperBound&quot;: { # Set of primitive values supported by the system. # Required. Upper bound value of buckets. All values greater than upper_bound are
10505 # grouped together into a single bucket; for example if `upper_bound` = 89,
10506 # then all values greater than 89 are replaced with the value &quot;89+&quot;.
10507 # Note that for the purposes of inspection or transformation, the number
10508 # of bytes considered to comprise a &#x27;Value&#x27; is based on its representation
10509 # as a UTF-8 encoded string. For example, if &#x27;integer_value&#x27; is set to
10510 # 123456789, the number of bytes would be counted as 9, even though an
10511 # int64 only holds up to 8 bytes of data.
10512 &quot;booleanValue&quot;: True or False, # boolean
10513 &quot;floatValue&quot;: 3.14, # float
10514 &quot;dayOfWeekValue&quot;: &quot;A String&quot;, # day of week
10515 &quot;timestampValue&quot;: &quot;A String&quot;, # timestamp
10516 &quot;dateValue&quot;: { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date
10517 # and time zone are either specified elsewhere or are not significant. The date
10518 # is relative to the Proleptic Gregorian Calendar. This can represent:
10519 #
10520 # * A full date, with non-zero year, month and day values
10521 # * A month and day value, with a zero year, e.g. an anniversary
10522 # * A year on its own, with zero month and day values
10523 # * A year and month value, with a zero day, e.g. a credit card expiration date
10524 #
10525 # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
10526 &quot;year&quot;: 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
10527 # a year.
10528 &quot;month&quot;: 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
10529 # month and day.
10530 &quot;day&quot;: 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
10531 # if specifying a year by itself or a year and month where the day is not
10532 # significant.
10533 },
10534 &quot;stringValue&quot;: &quot;A String&quot;, # string
10535 &quot;integerValue&quot;: &quot;A String&quot;, # integer
10536 &quot;timeValue&quot;: { # Represents a time of day. The date and time zone are either not significant # time of day
10537 # or are specified elsewhere. An API may choose to allow leap seconds. Related
10538 # types are google.type.Date and `google.protobuf.Timestamp`.
10539 &quot;seconds&quot;: 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
10540 # allow the value 60 if it allows leap-seconds.
10541 &quot;nanos&quot;: 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
10542 &quot;hours&quot;: 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
10543 # to allow the value &quot;24:00:00&quot; for scenarios like business closing time.
10544 &quot;minutes&quot;: 42, # Minutes of hour of day. Must be from 0 to 59.
10545 },
10546 },
10547 &quot;bucketSize&quot;: 3.14, # Required. Size of each bucket (except for minimum and maximum buckets). So if
10548 # `lower_bound` = 10, `upper_bound` = 89, and `bucket_size` = 10, then the
10549 # following buckets would be used: -10, 10-20, 20-30, 30-40, 40-50, 50-60,
10550 # 60-70, 70-80, 80-89, 89+. Precision up to 2 decimals works.
10551 },
10552 },
10553 },
10554 ],
10555 },
10556 },
10557 },
10558 &quot;updateMask&quot;: &quot;A String&quot;, # Mask to control which fields get updated.
10559 }
10560
10561 x__xgafv: string, V1 error format.
10562 Allowed values
10563 1 - v1 error format
10564 2 - v2 error format
10565
10566Returns:
10567 An object of the form:
10568
10569 { # DeidentifyTemplates contains instructions on how to de-identify content.
10570 # See https://cloud.google.com/dlp/docs/concepts-templates to learn more.
10571 &quot;name&quot;: &quot;A String&quot;, # Output only. The template name.
10572 #
10573 # The template will have one of the following formats:
10574 # `projects/PROJECT_ID/deidentifyTemplates/TEMPLATE_ID` OR
10575 # `organizations/ORGANIZATION_ID/deidentifyTemplates/TEMPLATE_ID`
10576 &quot;description&quot;: &quot;A String&quot;, # Short description (max 256 chars).
10577 &quot;displayName&quot;: &quot;A String&quot;, # Display name (max 256 chars).
10578 &quot;createTime&quot;: &quot;A String&quot;, # Output only. The creation timestamp of a deidentifyTemplate.
10579 &quot;updateTime&quot;: &quot;A String&quot;, # Output only. The last update timestamp of a deidentifyTemplate.
10580 &quot;deidentifyConfig&quot;: { # The configuration that controls how the data will change. # ///////////// // The core content of the template // ///////////////
10581 &quot;transformationErrorHandling&quot;: { # How to handle transformation errors during de-identification. A # Mode for handling transformation errors. If left unspecified, the default
10582 # mode is `TransformationErrorHandling.ThrowError`.
10583 # transformation error occurs when the requested transformation is incompatible
10584 # with the data. For example, trying to de-identify an IP address using a
10585 # `DateShift` transformation would result in a transformation error, since date
10586 # info cannot be extracted from an IP address.
10587 # Information about any incompatible transformations, and how they were
10588 # handled, is returned in the response as part of the
10589 # `TransformationOverviews`.
10590 &quot;throwError&quot;: { # Throw an error and fail the request when a transformation error occurs. # Throw an error
10591 },
10592 &quot;leaveUntransformed&quot;: { # Skips the data without modifying it if the requested transformation would # Ignore errors
10593 # cause an error. For example, if a `DateShift` transformation were applied
10594 # to an IP address, this mode would leave the IP address unchanged in the
10595 # response.
10596 },
10597 },
10598 &quot;recordTransformations&quot;: { # A type of transformation that is applied over structured data such as a # Treat the dataset as structured. Transformations can be applied to
10599 # specific locations within structured datasets, such as transforming
10600 # a column within a table.
10601 # table.
10602 &quot;recordSuppressions&quot;: [ # Configuration defining which records get suppressed entirely. Records that
10603 # match any suppression rule are omitted from the output.
10604 { # Configuration to suppress records whose suppression conditions evaluate to
10605 # true.
10606 &quot;condition&quot;: { # A condition for determining whether a transformation should be applied to # A condition that when it evaluates to true will result in the record being
10607 # evaluated to be suppressed from the transformed content.
10608 # a field.
10609 &quot;expressions&quot;: { # An expression, consisting of an operator and conditions. # An expression.
10610 &quot;logicalOperator&quot;: &quot;A String&quot;, # The operator to apply to the result of conditions. Default and currently
10611 # only supported value is `AND`.
10612 &quot;conditions&quot;: { # A collection of conditions. # Conditions to apply to the expression.
10613 &quot;conditions&quot;: [ # A collection of conditions.
10614 { # The field type of `value` and `field` do not need to match to be
10615 # considered equal, but not all comparisons are possible.
10616 # EQUAL_TO and NOT_EQUAL_TO attempt to compare even with incompatible types,
10617 # but all other comparisons are invalid with incompatible types.
10618 # A `value` of type:
10619 #
10620 # - `string` can be compared against all other types
10621 # - `boolean` can only be compared against other booleans
10622 # - `integer` can be compared against doubles or a string if the string value
10623 # can be parsed as an integer.
10624 # - `double` can be compared against integers or a string if the string can
10625 # be parsed as a double.
10626 # - `Timestamp` can be compared against strings in RFC 3339 date string
10627 # format.
10628 # - `TimeOfDay` can be compared against timestamps and strings in the format
10629 # of &#x27;HH:mm:ss&#x27;.
10630 #
10631 # If we fail to compare due to a type mismatch, a warning will be given and
10632 # the condition will evaluate to false.
10633 &quot;field&quot;: { # General identifier of a data field in a storage service. # Required. Field within the record this condition is evaluated against.
10634 &quot;name&quot;: &quot;A String&quot;, # Name describing the field.
10635 },
10636 &quot;operator&quot;: &quot;A String&quot;, # Required. Operator used to compare the field or infoType to the value.
10637 &quot;value&quot;: { # Set of primitive values supported by the system. # Value to compare against. [Mandatory, except for `EXISTS` tests.]
10638 # Note that for the purposes of inspection or transformation, the number
10639 # of bytes considered to comprise a &#x27;Value&#x27; is based on its representation
10640 # as a UTF-8 encoded string. For example, if &#x27;integer_value&#x27; is set to
10641 # 123456789, the number of bytes would be counted as 9, even though an
10642 # int64 only holds up to 8 bytes of data.
10643 &quot;booleanValue&quot;: True or False, # boolean
10644 &quot;floatValue&quot;: 3.14, # float
10645 &quot;dayOfWeekValue&quot;: &quot;A String&quot;, # day of week
10646 &quot;timestampValue&quot;: &quot;A String&quot;, # timestamp
10647 &quot;dateValue&quot;: { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date
10648 # and time zone are either specified elsewhere or are not significant. The date
10649 # is relative to the Proleptic Gregorian Calendar. This can represent:
10650 #
10651 # * A full date, with non-zero year, month and day values
10652 # * A month and day value, with a zero year, e.g. an anniversary
10653 # * A year on its own, with zero month and day values
10654 # * A year and month value, with a zero day, e.g. a credit card expiration date
10655 #
10656 # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
10657 &quot;year&quot;: 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
10658 # a year.
10659 &quot;month&quot;: 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
10660 # month and day.
10661 &quot;day&quot;: 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
10662 # if specifying a year by itself or a year and month where the day is not
10663 # significant.
10664 },
10665 &quot;stringValue&quot;: &quot;A String&quot;, # string
10666 &quot;integerValue&quot;: &quot;A String&quot;, # integer
10667 &quot;timeValue&quot;: { # Represents a time of day. The date and time zone are either not significant # time of day
10668 # or are specified elsewhere. An API may choose to allow leap seconds. Related
10669 # types are google.type.Date and `google.protobuf.Timestamp`.
10670 &quot;seconds&quot;: 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
10671 # allow the value 60 if it allows leap-seconds.
10672 &quot;nanos&quot;: 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
10673 &quot;hours&quot;: 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
10674 # to allow the value &quot;24:00:00&quot; for scenarios like business closing time.
10675 &quot;minutes&quot;: 42, # Minutes of hour of day. Must be from 0 to 59.
10676 },
10677 },
10678 },
10679 ],
10680 },
10681 },
10682 },
10683 },
10684 ],
10685 &quot;fieldTransformations&quot;: [ # Transform the record by applying various field transformations.
10686 { # The transformation to apply to the field.
10687 &quot;fields&quot;: [ # Required. Input field(s) to apply the transformation to.
10688 { # General identifier of a data field in a storage service.
10689 &quot;name&quot;: &quot;A String&quot;, # Name describing the field.
10690 },
10691 ],
10692 &quot;infoTypeTransformations&quot;: { # A type of transformation that will scan unstructured text and # Treat the contents of the field as free text, and selectively
10693 # transform content that matches an `InfoType`.
10694 # apply various `PrimitiveTransformation`s to each finding, where the
10695 # transformation is applied to only values that were identified as a specific
10696 # info_type.
10697 &quot;transformations&quot;: [ # Required. Transformation for each infoType. Cannot specify more than one
10698 # for a given infoType.
10699 { # A transformation to apply to text that is identified as a specific
10700 # info_type.
10701 &quot;infoTypes&quot;: [ # InfoTypes to apply the transformation to. An empty list will cause
10702 # this transformation to apply to all findings that correspond to
10703 # infoTypes that were requested in `InspectConfig`.
10704 { # Type of information detected by the API.
10705 &quot;name&quot;: &quot;A String&quot;, # Name of the information type. Either a name of your choosing when
10706 # creating a CustomInfoType, or one of the names listed
10707 # at https://cloud.google.com/dlp/docs/infotypes-reference when specifying
10708 # a built-in type. InfoType names should conform to the pattern
10709 # `[a-zA-Z0-9_]{1,64}`.
10710 },
10711 ],
10712 &quot;primitiveTransformation&quot;: { # A rule for transforming a value. # Required. Primitive transformation to apply to the infoType.
10713 &quot;timePartConfig&quot;: { # For use with `Date`, `Timestamp`, and `TimeOfDay`, extract or preserve a # Time extraction
10714 # portion of the value.
10715 &quot;partToExtract&quot;: &quot;A String&quot;, # The part of the time to keep.
10716 },
10717 &quot;dateShiftConfig&quot;: { # Shifts dates by random number of days, with option to be consistent for the # Date Shift
10718 # same context. See https://cloud.google.com/dlp/docs/concepts-date-shifting
10719 # to learn more.
10720 &quot;context&quot;: { # General identifier of a data field in a storage service. # Points to the field that contains the context, for example, an entity id.
10721 # If set, must also set cryptoKey. If set, shift will be consistent for the
10722 # given context.
10723 &quot;name&quot;: &quot;A String&quot;, # Name describing the field.
10724 },
10725 &quot;upperBoundDays&quot;: 42, # Required. Range of shift in days. Actual shift will be selected at random within this
10726 # range (inclusive ends). Negative means shift to earlier in time. Must not
10727 # be more than 365250 days (1000 years) each direction.
10728 #
10729 # For example, 3 means shift date to at most 3 days into the future.
10730 &quot;lowerBoundDays&quot;: 42, # Required. For example, -5 means shift date to at most 5 days back in the past.
10731 &quot;cryptoKey&quot;: { # This is a data encryption key (DEK) (as opposed to # Causes the shift to be computed based on this key and the context. This
10732 # results in the same shift for the same context and crypto_key. If
10733 # set, must also set context. Can only be applied to table items.
10734 # a key encryption key (KEK) stored by KMS).
10735 # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
10736 # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
10737 # unwrap the data crypto key.
10738 &quot;kmsWrapped&quot;: { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key
10739 # The wrapped key must be a 128/192/256 bit key.
10740 # Authorization requires the following IAM permissions when sending a request
10741 # to perform a crypto transformation using a kms-wrapped crypto key:
10742 # dlp.kms.encrypt
10743 &quot;wrappedKey&quot;: &quot;A String&quot;, # Required. The wrapped data crypto key.
10744 &quot;cryptoKeyName&quot;: &quot;A String&quot;, # Required. The resource name of the KMS CryptoKey to use for unwrapping.
10745 },
10746 &quot;unwrapped&quot;: { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key
10747 # leaking the key. Choose another type of key if possible.
10748 &quot;key&quot;: &quot;A String&quot;, # Required. A 128/192/256 bit key.
10749 },
10750 &quot;transient&quot;: { # Use this to have a random data crypto key generated. # Transient crypto key
10751 # It will be discarded after the request finishes.
10752 &quot;name&quot;: &quot;A String&quot;, # Required. Name of the key.
10753 # This is an arbitrary string used to differentiate different keys.
10754 # A unique key is generated per name: two separate `TransientCryptoKey`
10755 # protos share the same generated key if their names are the same.
10756 # When the data crypto key is generated, this name is not used in any way
10757 # (repeating the api call will result in a different key being generated).
10758 },
10759 },
10760 },
10761 &quot;replaceWithInfoTypeConfig&quot;: { # Replace each matching finding with the name of the info_type. # Replace with infotype
10762 },
10763 &quot;cryptoHashConfig&quot;: { # Pseudonymization method that generates surrogates via cryptographic hashing. # Crypto
10764 # Uses SHA-256.
10765 # The key size must be either 32 or 64 bytes.
10766 # Outputs a base64 encoded representation of the hashed output
10767 # (for example, L7k0BHmF1ha5U3NfGykjro4xWi1MPVQPjhMAZbSV9mM=).
10768 # Currently, only string and integer values can be hashed.
10769 # See https://cloud.google.com/dlp/docs/pseudonymization to learn more.
10770 &quot;cryptoKey&quot;: { # This is a data encryption key (DEK) (as opposed to # The key used by the hash function.
10771 # a key encryption key (KEK) stored by KMS).
10772 # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
10773 # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
10774 # unwrap the data crypto key.
10775 &quot;kmsWrapped&quot;: { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key
10776 # The wrapped key must be a 128/192/256 bit key.
10777 # Authorization requires the following IAM permissions when sending a request
10778 # to perform a crypto transformation using a kms-wrapped crypto key:
10779 # dlp.kms.encrypt
10780 &quot;wrappedKey&quot;: &quot;A String&quot;, # Required. The wrapped data crypto key.
10781 &quot;cryptoKeyName&quot;: &quot;A String&quot;, # Required. The resource name of the KMS CryptoKey to use for unwrapping.
10782 },
10783 &quot;unwrapped&quot;: { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key
10784 # leaking the key. Choose another type of key if possible.
10785 &quot;key&quot;: &quot;A String&quot;, # Required. A 128/192/256 bit key.
10786 },
10787 &quot;transient&quot;: { # Use this to have a random data crypto key generated. # Transient crypto key
10788 # It will be discarded after the request finishes.
10789 &quot;name&quot;: &quot;A String&quot;, # Required. Name of the key.
10790 # This is an arbitrary string used to differentiate different keys.
10791 # A unique key is generated per name: two separate `TransientCryptoKey`
10792 # protos share the same generated key if their names are the same.
10793 # When the data crypto key is generated, this name is not used in any way
10794 # (repeating the api call will result in a different key being generated).
10795 },
10796 },
10797 },
10798 &quot;cryptoReplaceFfxFpeConfig&quot;: { # Replaces an identifier with a surrogate using Format Preserving Encryption # Ffx-Fpe
10799 # (FPE) with the FFX mode of operation; however when used in the
10800 # `ReidentifyContent` API method, it serves the opposite function by reversing
10801 # the surrogate back into the original identifier. The identifier must be
10802 # encoded as ASCII. For a given crypto key and context, the same identifier
10803 # will be replaced with the same surrogate. Identifiers must be at least two
10804 # characters long. In the case that the identifier is the empty string, it will
10805 # be skipped. See https://cloud.google.com/dlp/docs/pseudonymization to learn
10806 # more.
10807 #
10808 # Note: We recommend using CryptoDeterministicConfig for all use cases which
10809 # do not require preserving the input alphabet space and size, plus warrant
10810 # referential integrity.
10811 &quot;customAlphabet&quot;: &quot;A String&quot;, # This is supported by mapping these to the alphanumeric characters
10812 # that the FFX mode natively supports. This happens before/after
10813 # encryption/decryption.
10814 # Each character listed must appear only once.
10815 # Number of characters must be in the range [2, 95].
10816 # This must be encoded as ASCII.
10817 # The order of characters does not matter.
10818 &quot;commonAlphabet&quot;: &quot;A String&quot;, # Common alphabets.
10819 &quot;surrogateInfoType&quot;: { # Type of information detected by the API. # The custom infoType to annotate the surrogate with.
10820 # This annotation will be applied to the surrogate by prefixing it with
10821 # the name of the custom infoType followed by the number of
10822 # characters comprising the surrogate. The following scheme defines the
10823 # format: info_type_name(surrogate_character_count):surrogate
10824 #
10825 # For example, if the name of custom infoType is &#x27;MY_TOKEN_INFO_TYPE&#x27; and
10826 # the surrogate is &#x27;abc&#x27;, the full replacement value
10827 # will be: &#x27;MY_TOKEN_INFO_TYPE(3):abc&#x27;
10828 #
10829 # This annotation identifies the surrogate when inspecting content using the
10830 # custom infoType
10831 # [`SurrogateType`](/dlp/docs/reference/rest/v2/InspectConfig#surrogatetype).
10832 # This facilitates reversal of the surrogate when it occurs in free text.
10833 #
10834 # In order for inspection to work properly, the name of this infoType must
10835 # not occur naturally anywhere in your data; otherwise, inspection may
10836 # find a surrogate that does not correspond to an actual identifier.
10837 # Therefore, choose your custom infoType name carefully after considering
10838 # what your data looks like. One way to select a name that has a high chance
10839 # of yielding reliable detection is to include one or more unicode characters
10840 # that are highly improbable to exist in your data.
10841 # For example, assuming your data is entered from a regular ASCII keyboard,
10842 # the symbol with the hex code point 29DD might be used like so:
10843 # ⧝MY_TOKEN_TYPE
10844 &quot;name&quot;: &quot;A String&quot;, # Name of the information type. Either a name of your choosing when
10845 # creating a CustomInfoType, or one of the names listed
10846 # at https://cloud.google.com/dlp/docs/infotypes-reference when specifying
10847 # a built-in type. InfoType names should conform to the pattern
10848 # `[a-zA-Z0-9_]{1,64}`.
10849 },
10850 &quot;context&quot;: { # General identifier of a data field in a storage service. # The &#x27;tweak&#x27;, a context may be used for higher security since the same
10851 # identifier in two different contexts won&#x27;t be given the same surrogate. If
10852 # the context is not set, a default tweak will be used.
10853 #
10854 # If the context is set but:
10855 #
10856 # 1. there is no record present when transforming a given value or
10857 # 2. the field is not present when transforming a given value,
10858 #
10859 # a default tweak will be used.
10860 #
10861 # Note that case (1) is expected when an `InfoTypeTransformation` is
10862 # applied to both structured and non-structured `ContentItem`s.
10863 # Currently, the referenced field may be of value type integer or string.
10864 #
10865 # The tweak is constructed as a sequence of bytes in big endian byte order
10866 # such that:
10867 #
10868 # - a 64 bit integer is encoded followed by a single byte of value 1
10869 # - a string is encoded in UTF-8 format followed by a single byte of value 2
10870 &quot;name&quot;: &quot;A String&quot;, # Name describing the field.
10871 },
10872 &quot;radix&quot;: 42, # The native way to select the alphabet. Must be in the range [2, 95].
10873 &quot;cryptoKey&quot;: { # This is a data encryption key (DEK) (as opposed to # Required. The key used by the encryption algorithm.
10874 # a key encryption key (KEK) stored by KMS).
10875 # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
10876 # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
10877 # unwrap the data crypto key.
10878 &quot;kmsWrapped&quot;: { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key
10879 # The wrapped key must be a 128/192/256 bit key.
10880 # Authorization requires the following IAM permissions when sending a request
10881 # to perform a crypto transformation using a kms-wrapped crypto key:
10882 # dlp.kms.encrypt
10883 &quot;wrappedKey&quot;: &quot;A String&quot;, # Required. The wrapped data crypto key.
10884 &quot;cryptoKeyName&quot;: &quot;A String&quot;, # Required. The resource name of the KMS CryptoKey to use for unwrapping.
10885 },
10886 &quot;unwrapped&quot;: { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key
10887 # leaking the key. Choose another type of key if possible.
10888 &quot;key&quot;: &quot;A String&quot;, # Required. A 128/192/256 bit key.
10889 },
10890 &quot;transient&quot;: { # Use this to have a random data crypto key generated. # Transient crypto key
10891 # It will be discarded after the request finishes.
10892 &quot;name&quot;: &quot;A String&quot;, # Required. Name of the key.
10893 # This is an arbitrary string used to differentiate different keys.
10894 # A unique key is generated per name: two separate `TransientCryptoKey`
10895 # protos share the same generated key if their names are the same.
10896 # When the data crypto key is generated, this name is not used in any way
10897 # (repeating the API call will result in a different key being generated, so output produced with a transient key cannot be reproduced or re-identified by a later request).
10898 },
10899 },
10900 },
10901 &quot;cryptoDeterministicConfig&quot;: { # Pseudonymization method that generates deterministic encryption for the given # Deterministic Crypto
10902 # input. Outputs a base64 encoded representation of the encrypted output.
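10903 # Uses AES-SIV based on the RFC https://tools.ietf.org/html/rfc5297. Because the encryption is deterministic, equal inputs under the same key and context yield equal surrogates, so equality and frequency of values remain visible in the output.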
10904 &quot;surrogateInfoType&quot;: { # Type of information detected by the API. # The custom info type to annotate the surrogate with.
10905 # This annotation will be applied to the surrogate by prefixing it with
10906 # the name of the custom info type followed by the number of
10907 # characters comprising the surrogate. The following scheme defines the
10908 # format: {info type name}({surrogate character count}):{surrogate}
10909 #
10910 # For example, if the name of custom info type is &#x27;MY_TOKEN_INFO_TYPE&#x27; and
10911 # the surrogate is &#x27;abc&#x27;, the full replacement value
10912 # will be: &#x27;MY_TOKEN_INFO_TYPE(3):abc&#x27;
10913 #
10914 # This annotation identifies the surrogate when inspecting content using the
10915 # custom info type &#x27;Surrogate&#x27;. This facilitates reversal of the
10916 # surrogate when it occurs in free text.
10917 #
10918 # Note: For record transformations where the entire cell in a table is being
10919 # transformed, surrogates are not mandatory. Surrogates are used to denote
10920 # the location of the token and are necessary for re-identification in free
10921 # form text.
10922 #
10923 # In order for inspection to work properly, the name of this info type must
10924 # not occur naturally anywhere in your data; otherwise, inspection may either
10925 #
10926 # - reverse a surrogate that does not correspond to an actual identifier
10927 # - be unable to parse the surrogate and result in an error
10928 #
10929 # Therefore, choose your custom info type name carefully after considering
10930 # what your data looks like. One way to select a name that has a high chance
10931 # of yielding reliable detection is to include one or more unicode characters
10932 # that are highly improbable to exist in your data.
10933 # For example, assuming your data is entered from a regular ASCII keyboard,
10934 # the symbol with the hex code point 29DD might be used like so:
10935 # ⧝MY_TOKEN_TYPE.
10936 &quot;name&quot;: &quot;A String&quot;, # Name of the information type. Either a name of your choosing when
10937 # creating a CustomInfoType, or one of the names listed
10938 # at https://cloud.google.com/dlp/docs/infotypes-reference when specifying
10939 # a built-in type. InfoType names should conform to the pattern
10940 # `[a-zA-Z0-9_]{1,64}`.
10941 },
10942 &quot;context&quot;: { # General identifier of a data field in a storage service. # A context may be used for higher security and maintaining
10943 # referential integrity such that the same identifier in two different
10944 # contexts will be given a distinct surrogate. The context is appended to
10945 # the plaintext value being encrypted. On decryption, the provided context is
10946 # validated against the value used during encryption. If a context was
10947 # provided during encryption, the same context must be provided during decryption
10948 # as well.
10949 #
10950 # If the context is not set, plaintext would be used as is for encryption.
10951 # If the context is set but:
10952 #
10953 # 1. there is no record present when transforming a given value or
10954 # 2. the field is not present when transforming a given value,
10955 #
10956 # plaintext would be used as is for encryption.
10957 #
10958 # Note that case (1) is expected when an `InfoTypeTransformation` is
10959 # applied to both structured and non-structured `ContentItem`s.
10960 &quot;name&quot;: &quot;A String&quot;, # Name describing the field.
10961 },
10962 &quot;cryptoKey&quot;: { # This is a data encryption key (DEK) (as opposed to # The key used by the encryption function.
10963 # a key encryption key (KEK) stored by KMS).
10964 # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
10965 # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
10966 # unwrap the data crypto key.
10967 &quot;kmsWrapped&quot;: { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key
10968 # The wrapped key must be a 128/192/256 bit key.
10969 # Authorization requires the following IAM permissions when sending a request
10970 # to perform a crypto transformation using a kms-wrapped crypto key:
10971 # dlp.kms.encrypt
10972 &quot;wrappedKey&quot;: &quot;A String&quot;, # Required. The wrapped data crypto key.
10973 &quot;cryptoKeyName&quot;: &quot;A String&quot;, # Required. The resource name of the KMS CryptoKey to use for unwrapping.
10974 },
10975 &quot;unwrapped&quot;: { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key
10976 # leaking the key. Choose another type of key if possible.
10977 &quot;key&quot;: &quot;A String&quot;, # Required. A 128/192/256 bit key.
10978 },
10979 &quot;transient&quot;: { # Use this to have a random data crypto key generated. # Transient crypto key
10980 # It will be discarded after the request finishes.
10981 &quot;name&quot;: &quot;A String&quot;, # Required. Name of the key.
10982 # This is an arbitrary string used to differentiate different keys.
10983 # A unique key is generated per name: two separate `TransientCryptoKey`
10984 # protos share the same generated key if their names are the same.
10985 # When the data crypto key is generated, this name is not used in any way
10986 # (repeating the api call will result in a different key being generated).
10987 },
10988 },
10989 },
10990 &quot;redactConfig&quot;: { # Redact a given value. For example, if used with an `InfoTypeTransformation` # Redact
10991 # transforming PHONE_NUMBER, and input &#x27;My phone number is 206-555-0123&#x27;, the
10992 # output would be &#x27;My phone number is &#x27;.
10993 },
10994 &quot;bucketingConfig&quot;: { # Generalization function that buckets values based on ranges. The ranges and # Bucketing
10995 # replacement values are dynamically provided by the user for custom behavior,
10996 # such as 1-30 -&gt; LOW, 31-65 -&gt; MEDIUM, 66-100 -&gt; HIGH.
10997 # This can be used on
10998 # data of type: number, long, string, timestamp.
10999 # If the bound `Value` type differs from the type of data being transformed, we
11000 # will first attempt converting the type of the data to be transformed to match
11001 # the type of the bound before comparing.
11002 # See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more.
11003 &quot;buckets&quot;: [ # Set of buckets. Ranges must be non-overlapping.
11004 { # Bucket is represented as a range, along with replacement values.
11005 &quot;min&quot;: { # Set of primitive values supported by the system. # Lower bound of the range, inclusive. Type should be the same as max if
11006 # used.
11007 # Note that for the purposes of inspection or transformation, the number
11008 # of bytes considered to comprise a &#x27;Value&#x27; is based on its representation
11009 # as a UTF-8 encoded string. For example, if &#x27;integer_value&#x27; is set to
11010 # 123456789, the number of bytes would be counted as 9, even though an
11011 # int64 only holds up to 8 bytes of data.
11012 &quot;booleanValue&quot;: True or False, # boolean
11013 &quot;floatValue&quot;: 3.14, # float
11014 &quot;dayOfWeekValue&quot;: &quot;A String&quot;, # day of week
11015 &quot;timestampValue&quot;: &quot;A String&quot;, # timestamp
11016 &quot;dateValue&quot;: { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date
11017 # and time zone are either specified elsewhere or are not significant. The date
11018 # is relative to the Proleptic Gregorian Calendar. This can represent:
11019 #
11020 # * A full date, with non-zero year, month and day values
11021 # * A month and day value, with a zero year, e.g. an anniversary
11022 # * A year on its own, with zero month and day values
11023 # * A year and month value, with a zero day, e.g. a credit card expiration date
11024 #
11025 # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
11026 &quot;year&quot;: 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
11027 # a year.
11028 &quot;month&quot;: 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
11029 # month and day.
11030 &quot;day&quot;: 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
11031 # if specifying a year by itself or a year and month where the day is not
11032 # significant.
11033 },
11034 &quot;stringValue&quot;: &quot;A String&quot;, # string
11035 &quot;integerValue&quot;: &quot;A String&quot;, # integer
11036 &quot;timeValue&quot;: { # Represents a time of day. The date and time zone are either not significant # time of day
11037 # or are specified elsewhere. An API may choose to allow leap seconds. Related
11038 # types are google.type.Date and `google.protobuf.Timestamp`.
11039 &quot;seconds&quot;: 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
11040 # allow the value 60 if it allows leap-seconds.
11041 &quot;nanos&quot;: 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
11042 &quot;hours&quot;: 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
11043 # to allow the value &quot;24:00:00&quot; for scenarios like business closing time.
11044 &quot;minutes&quot;: 42, # Minutes of hour of day. Must be from 0 to 59.
11045 },
11046 },
11047 &quot;max&quot;: { # Set of primitive values supported by the system. # Upper bound of the range, exclusive; type must match min.
11048 # Note that for the purposes of inspection or transformation, the number
11049 # of bytes considered to comprise a &#x27;Value&#x27; is based on its representation
11050 # as a UTF-8 encoded string. For example, if &#x27;integer_value&#x27; is set to
11051 # 123456789, the number of bytes would be counted as 9, even though an
11052 # int64 only holds up to 8 bytes of data.
11053 &quot;booleanValue&quot;: True or False, # boolean
11054 &quot;floatValue&quot;: 3.14, # float
11055 &quot;dayOfWeekValue&quot;: &quot;A String&quot;, # day of week
11056 &quot;timestampValue&quot;: &quot;A String&quot;, # timestamp
11057 &quot;dateValue&quot;: { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date
11058 # and time zone are either specified elsewhere or are not significant. The date
11059 # is relative to the Proleptic Gregorian Calendar. This can represent:
11060 #
11061 # * A full date, with non-zero year, month and day values
11062 # * A month and day value, with a zero year, e.g. an anniversary
11063 # * A year on its own, with zero month and day values
11064 # * A year and month value, with a zero day, e.g. a credit card expiration date
11065 #
11066 # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
11067 &quot;year&quot;: 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
11068 # a year.
11069 &quot;month&quot;: 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
11070 # month and day.
11071 &quot;day&quot;: 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
11072 # if specifying a year by itself or a year and month where the day is not
11073 # significant.
11074 },
11075 &quot;stringValue&quot;: &quot;A String&quot;, # string
11076 &quot;integerValue&quot;: &quot;A String&quot;, # integer
11077 &quot;timeValue&quot;: { # Represents a time of day. The date and time zone are either not significant # time of day
11078 # or are specified elsewhere. An API may choose to allow leap seconds. Related
11079 # types are google.type.Date and `google.protobuf.Timestamp`.
11080 &quot;seconds&quot;: 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
11081 # allow the value 60 if it allows leap-seconds.
11082 &quot;nanos&quot;: 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
11083 &quot;hours&quot;: 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
11084 # to allow the value &quot;24:00:00&quot; for scenarios like business closing time.
11085 &quot;minutes&quot;: 42, # Minutes of hour of day. Must be from 0 to 59.
11086 },
11087 },
11088 &quot;replacementValue&quot;: { # Set of primitive values supported by the system. # Replacement value for this bucket. If not provided
11089 # the default behavior will be to hyphenate the min-max range.
11090 # Note that for the purposes of inspection or transformation, the number
11091 # of bytes considered to comprise a &#x27;Value&#x27; is based on its representation
11092 # as a UTF-8 encoded string. For example, if &#x27;integer_value&#x27; is set to
11093 # 123456789, the number of bytes would be counted as 9, even though an
11094 # int64 only holds up to 8 bytes of data.
11095 &quot;booleanValue&quot;: True or False, # boolean
11096 &quot;floatValue&quot;: 3.14, # float
11097 &quot;dayOfWeekValue&quot;: &quot;A String&quot;, # day of week
11098 &quot;timestampValue&quot;: &quot;A String&quot;, # timestamp
11099 &quot;dateValue&quot;: { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date
11100 # and time zone are either specified elsewhere or are not significant. The date
11101 # is relative to the Proleptic Gregorian Calendar. This can represent:
11102 #
11103 # * A full date, with non-zero year, month and day values
11104 # * A month and day value, with a zero year, e.g. an anniversary
11105 # * A year on its own, with zero month and day values
11106 # * A year and month value, with a zero day, e.g. a credit card expiration date
11107 #
11108 # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
11109 &quot;year&quot;: 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
11110 # a year.
11111 &quot;month&quot;: 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
11112 # month and day.
11113 &quot;day&quot;: 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
11114 # if specifying a year by itself or a year and month where the day is not
11115 # significant.
11116 },
11117 &quot;stringValue&quot;: &quot;A String&quot;, # string
11118 &quot;integerValue&quot;: &quot;A String&quot;, # integer
11119 &quot;timeValue&quot;: { # Represents a time of day. The date and time zone are either not significant # time of day
11120 # or are specified elsewhere. An API may choose to allow leap seconds. Related
11121 # types are google.type.Date and `google.protobuf.Timestamp`.
11122 &quot;seconds&quot;: 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
11123 # allow the value 60 if it allows leap-seconds.
11124 &quot;nanos&quot;: 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
11125 &quot;hours&quot;: 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
11126 # to allow the value &quot;24:00:00&quot; for scenarios like business closing time.
11127 &quot;minutes&quot;: 42, # Minutes of hour of day. Must be from 0 to 59.
11128 },
11129 },
11130 },
11131 ],
11132 },
11133 &quot;replaceConfig&quot;: { # Replace each input value with a given `Value`. # Replace
11134 &quot;newValue&quot;: { # Set of primitive values supported by the system. # Value to replace it with.
11135 # Note that for the purposes of inspection or transformation, the number
11136 # of bytes considered to comprise a &#x27;Value&#x27; is based on its representation
11137 # as a UTF-8 encoded string. For example, if &#x27;integer_value&#x27; is set to
11138 # 123456789, the number of bytes would be counted as 9, even though an
11139 # int64 only holds up to 8 bytes of data.
11140 &quot;booleanValue&quot;: True or False, # boolean
11141 &quot;floatValue&quot;: 3.14, # float
11142 &quot;dayOfWeekValue&quot;: &quot;A String&quot;, # day of week
11143 &quot;timestampValue&quot;: &quot;A String&quot;, # timestamp
11144 &quot;dateValue&quot;: { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date
11145 # and time zone are either specified elsewhere or are not significant. The date
11146 # is relative to the Proleptic Gregorian Calendar. This can represent:
11147 #
11148 # * A full date, with non-zero year, month and day values
11149 # * A month and day value, with a zero year, e.g. an anniversary
11150 # * A year on its own, with zero month and day values
11151 # * A year and month value, with a zero day, e.g. a credit card expiration date
11152 #
11153 # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
11154 &quot;year&quot;: 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
11155 # a year.
11156 &quot;month&quot;: 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
11157 # month and day.
11158 &quot;day&quot;: 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
11159 # if specifying a year by itself or a year and month where the day is not
11160 # significant.
11161 },
11162 &quot;stringValue&quot;: &quot;A String&quot;, # string
11163 &quot;integerValue&quot;: &quot;A String&quot;, # integer
11164 &quot;timeValue&quot;: { # Represents a time of day. The date and time zone are either not significant # time of day
11165 # or are specified elsewhere. An API may choose to allow leap seconds. Related
11166 # types are google.type.Date and `google.protobuf.Timestamp`.
11167 &quot;seconds&quot;: 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
11168 # allow the value 60 if it allows leap-seconds.
11169 &quot;nanos&quot;: 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
11170 &quot;hours&quot;: 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
11171 # to allow the value &quot;24:00:00&quot; for scenarios like business closing time.
11172 &quot;minutes&quot;: 42, # Minutes of hour of day. Must be from 0 to 59.
11173 },
11174 },
11175 },
11176 &quot;characterMaskConfig&quot;: { # Partially mask a string by replacing a given number of characters with a # Mask
11177 # fixed character. Masking can start from the beginning or end of the string.
11178 # This can be used on data of any type (numbers, longs, and so on) and when
11179 # de-identifying structured data we&#x27;ll attempt to preserve the original data&#x27;s
11180 # type. (This allows you to take a long like 123 and modify it to a string like
11181 # **3.)
11182 &quot;reverseOrder&quot;: True or False, # Mask characters in reverse order. For example, if `masking_character` is
11183 # `0`, `number_to_mask` is `14`, and `reverse_order` is `false`, then the
11184 # input string `1234-5678-9012-3456` is masked as `00000000000000-3456`.
11185 # If `masking_character` is `*`, `number_to_mask` is `3`, and `reverse_order`
11186 # is `true`, then the string `12345` is masked as `12***`.
11187 &quot;charactersToIgnore&quot;: [ # When masking a string, items in this list will be skipped when replacing
11188 # characters. For example, if the input string is `555-555-5555` and you
11189 # instruct Cloud DLP to skip `-` and mask 5 characters with `*`, Cloud DLP
11190 # returns `***-**5-5555`.
11191 { # Characters to skip when doing deidentification of a value. These will be left
11192 # alone and skipped.
11193 &quot;charactersToSkip&quot;: &quot;A String&quot;, # Characters to not transform when masking.
11194 &quot;commonCharactersToIgnore&quot;: &quot;A String&quot;, # Common characters to not transform when masking. Useful to avoid removing
11195 # punctuation.
11196 },
11197 ],
11198 &quot;numberToMask&quot;: 42, # Number of characters to mask. If not set, all matching chars will be
11199 # masked. Skipped characters do not count towards this tally.
11200 &quot;maskingCharacter&quot;: &quot;A String&quot;, # Character to use to mask the sensitive values—for example, `*` for an
11201 # alphabetic string such as a name, or `0` for a numeric string such as ZIP
11202 # code or credit card number. This string must have a length of 1. If not
11203 # supplied, this value defaults to `*` for strings, and `0` for digits.
11204 },
11205 &quot;fixedSizeBucketingConfig&quot;: { # Buckets values based on fixed size ranges. The # Fixed size bucketing
11206 # Bucketing transformation can provide all of this functionality,
11207 # but requires more configuration. This message is provided as a convenience to
11208 # the user for simple bucketing strategies.
11209 #
11210 # The transformed value will be a hyphenated string of
11211 # {lower_bound}-{upper_bound}, i.e., if lower_bound = 10 and upper_bound = 20,
11212 # all values that are within this bucket will be replaced with &quot;10-20&quot;.
11213 #
11214 # This can be used on data of type: double, long.
11215 #
11216 # If the bound Value type differs from the type of data
11217 # being transformed, we will first attempt converting the type of the data to
11218 # be transformed to match the type of the bound before comparing.
11219 #
11220 # See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more.
11221 &quot;lowerBound&quot;: { # Set of primitive values supported by the system. # Required. Lower bound value of buckets. All values less than `lower_bound` are
11222 # grouped together into a single bucket; for example if `lower_bound` = 10,
11223 # then all values less than 10 are replaced with the value &quot;-10&quot;.
11224 # Note that for the purposes of inspection or transformation, the number
11225 # of bytes considered to comprise a &#x27;Value&#x27; is based on its representation
11226 # as a UTF-8 encoded string. For example, if &#x27;integer_value&#x27; is set to
11227 # 123456789, the number of bytes would be counted as 9, even though an
11228 # int64 only holds up to 8 bytes of data.
11229 &quot;booleanValue&quot;: True or False, # boolean
11230 &quot;floatValue&quot;: 3.14, # float
11231 &quot;dayOfWeekValue&quot;: &quot;A String&quot;, # day of week
11232 &quot;timestampValue&quot;: &quot;A String&quot;, # timestamp
11233 &quot;dateValue&quot;: { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date
11234 # and time zone are either specified elsewhere or are not significant. The date
11235 # is relative to the Proleptic Gregorian Calendar. This can represent:
11236 #
11237 # * A full date, with non-zero year, month and day values
11238 # * A month and day value, with a zero year, e.g. an anniversary
11239 # * A year on its own, with zero month and day values
11240 # * A year and month value, with a zero day, e.g. a credit card expiration date
11241 #
11242 # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
11243 &quot;year&quot;: 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
11244 # a year.
11245 &quot;month&quot;: 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
11246 # month and day.
11247 &quot;day&quot;: 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
11248 # if specifying a year by itself or a year and month where the day is not
11249 # significant.
11250 },
11251 &quot;stringValue&quot;: &quot;A String&quot;, # string
11252 &quot;integerValue&quot;: &quot;A String&quot;, # integer
11253 &quot;timeValue&quot;: { # Represents a time of day. The date and time zone are either not significant # time of day
11254 # or are specified elsewhere. An API may choose to allow leap seconds. Related
11255 # types are google.type.Date and `google.protobuf.Timestamp`.
11256 &quot;seconds&quot;: 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
11257 # allow the value 60 if it allows leap-seconds.
11258 &quot;nanos&quot;: 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
11259 &quot;hours&quot;: 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
11260 # to allow the value &quot;24:00:00&quot; for scenarios like business closing time.
11261 &quot;minutes&quot;: 42, # Minutes of hour of day. Must be from 0 to 59.
11262 },
11263 },
11264 &quot;upperBound&quot;: { # Set of primitive values supported by the system. # Required. Upper bound value of buckets. All values greater than upper_bound are
11265 # grouped together into a single bucket; for example if `upper_bound` = 89,
11266 # then all values greater than 89 are replaced with the value &quot;89+&quot;.
11267 # Note that for the purposes of inspection or transformation, the number
11268 # of bytes considered to comprise a &#x27;Value&#x27; is based on its representation
11269 # as a UTF-8 encoded string. For example, if &#x27;integer_value&#x27; is set to
11270 # 123456789, the number of bytes would be counted as 9, even though an
11271 # int64 only holds up to 8 bytes of data.
11272 &quot;booleanValue&quot;: True or False, # boolean
11273 &quot;floatValue&quot;: 3.14, # float
11274 &quot;dayOfWeekValue&quot;: &quot;A String&quot;, # day of week
11275 &quot;timestampValue&quot;: &quot;A String&quot;, # timestamp
11276 &quot;dateValue&quot;: { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date
11277 # and time zone are either specified elsewhere or are not significant. The date
11278 # is relative to the Proleptic Gregorian Calendar. This can represent:
11279 #
11280 # * A full date, with non-zero year, month and day values
11281 # * A month and day value, with a zero year, e.g. an anniversary
11282 # * A year on its own, with zero month and day values
11283 # * A year and month value, with a zero day, e.g. a credit card expiration date
11284 #
11285 # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
11286 &quot;year&quot;: 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
11287 # a year.
11288 &quot;month&quot;: 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
11289 # month and day.
11290 &quot;day&quot;: 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
11291 # if specifying a year by itself or a year and month where the day is not
11292 # significant.
11293 },
11294 &quot;stringValue&quot;: &quot;A String&quot;, # string
11295 &quot;integerValue&quot;: &quot;A String&quot;, # integer
11296 &quot;timeValue&quot;: { # Represents a time of day. The date and time zone are either not significant # time of day
11297 # or are specified elsewhere. An API may choose to allow leap seconds. Related
11298 # types are google.type.Date and `google.protobuf.Timestamp`.
11299 &quot;seconds&quot;: 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
11300 # allow the value 60 if it allows leap-seconds.
11301 &quot;nanos&quot;: 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
11302 &quot;hours&quot;: 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
11303 # to allow the value &quot;24:00:00&quot; for scenarios like business closing time.
11304 &quot;minutes&quot;: 42, # Minutes of hour of day. Must be from 0 to 59.
11305 },
11306 },
11307 &quot;bucketSize&quot;: 3.14, # Required. Size of each bucket (except for minimum and maximum buckets). So if
11308 # `lower_bound` = 10, `upper_bound` = 89, and `bucket_size` = 10, then the
11309 # following buckets would be used: -10, 10-20, 20-30, 30-40, 40-50, 50-60,
11310 # 60-70, 70-80, 80-89, 89+. Precision up to 2 decimals works.
11311 },
11312 },
11313 },
11314 ],
11315 },
11316 &quot;primitiveTransformation&quot;: { # A rule for transforming a value. # Apply the transformation to the entire field.
11317 &quot;timePartConfig&quot;: { # For use with `Date`, `Timestamp`, and `TimeOfDay`, extract or preserve a # Time extraction
11318 # portion of the value.
11319 &quot;partToExtract&quot;: &quot;A String&quot;, # The part of the time to keep.
11320 },
11321 &quot;dateShiftConfig&quot;: { # Shifts dates by random number of days, with option to be consistent for the # Date Shift
11322 # same context. See https://cloud.google.com/dlp/docs/concepts-date-shifting
11323 # to learn more.
11324 &quot;context&quot;: { # General identifier of a data field in a storage service. # Points to the field that contains the context, for example, an entity id.
11325 # If set, must also set cryptoKey. If set, shift will be consistent for the
11326 # given context.
11327 &quot;name&quot;: &quot;A String&quot;, # Name describing the field.
11328 },
11329 &quot;upperBoundDays&quot;: 42, # Required. Range of shift in days. Actual shift will be selected at random within this
11330 # range (inclusive ends). Negative means shift to earlier in time. Must not
11331 # be more than 365250 days (1000 years) each direction.
11332 #
11333 # For example, 3 means shift date to at most 3 days into the future.
11334 &quot;lowerBoundDays&quot;: 42, # Required. For example, -5 means shift date to at most 5 days back in the past.
11335 &quot;cryptoKey&quot;: { # Causes the shift to be computed based on this key and the context. This
11336 # results in the same shift for the same context and crypto_key. If
11337 # set, must also set context. Can only be applied to table items.
11338 # This is a data encryption key (DEK) (as opposed to a key encryption key (KEK) stored by KMS).
11339 # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
11340 # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
11341 # unwrap the data crypto key.
11342 &quot;kmsWrapped&quot;: { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key
11343 # The wrapped key must be a 128/192/256 bit key.
11344 # Authorization requires the following IAM permissions when sending a request
11345 # to perform a crypto transformation using a kms-wrapped crypto key:
11346 # dlp.kms.encrypt
11347 &quot;wrappedKey&quot;: &quot;A String&quot;, # Required. The wrapped data crypto key.
11348 &quot;cryptoKeyName&quot;: &quot;A String&quot;, # Required. The resource name of the KMS CryptoKey to use for unwrapping.
11349 },
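11350 &quot;unwrapped&quot;: { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key
11351 # leaking the key. Choose another type of key if possible. Because the raw key is carried in the template body itself, treat read access to the template as access to the key.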
11352 &quot;key&quot;: &quot;A String&quot;, # Required. A 128/192/256 bit key.
11353 },
11354 &quot;transient&quot;: { # Use this to have a random data crypto key generated. # Transient crypto key
11355 # It will be discarded after the request finishes.
11356 &quot;name&quot;: &quot;A String&quot;, # Required. Name of the key.
11357 # This is an arbitrary string used to differentiate different keys.
11358 # A unique key is generated per name: two separate `TransientCryptoKey`
11359 # protos share the same generated key if their names are the same.
11360 # When the data crypto key is generated, this name is not used in any way
11361 # (repeating the api call will result in a different key being generated).
11362 },
11363 },
11364 },
11365 &quot;replaceWithInfoTypeConfig&quot;: { # Replace each matching finding with the name of the info_type. # Replace with infotype
11366 },
11367 &quot;cryptoHashConfig&quot;: { # Pseudonymization method that generates surrogates via cryptographic hashing. # Crypto
11368 # Uses SHA-256.
11369 # The key size must be either 32 or 64 bytes.
11370 # Outputs a base64 encoded representation of the hashed output
11371 # (for example, L7k0BHmF1ha5U3NfGykjro4xWi1MPVQPjhMAZbSV9mM=).
11372 # Currently, only string and integer values can be hashed.
11373 # See https://cloud.google.com/dlp/docs/pseudonymization to learn more.
11374 &quot;cryptoKey&quot;: { # This is a data encryption key (DEK) (as opposed to # The key used by the hash function.
11375 # a key encryption key (KEK) stored by KMS).
11376 # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
11377 # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
11378 # unwrap the data crypto key.
11379 &quot;kmsWrapped&quot;: { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key
11380 # The wrapped key must be a 128/192/256 bit key.
11381 # Authorization requires the following IAM permissions when sending a request
11382 # to perform a crypto transformation using a kms-wrapped crypto key:
11383 # dlp.kms.encrypt
11384 &quot;wrappedKey&quot;: &quot;A String&quot;, # Required. The wrapped data crypto key.
11385 &quot;cryptoKeyName&quot;: &quot;A String&quot;, # Required. The resource name of the KMS CryptoKey to use for unwrapping.
11386 },
11387 &quot;unwrapped&quot;: { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key
11388 # leaking the key. Choose another type of key if possible.
11389 &quot;key&quot;: &quot;A String&quot;, # Required. A 128/192/256 bit key.
11390 },
11391 &quot;transient&quot;: { # Use this to have a random data crypto key generated. # Transient crypto key
11392 # It will be discarded after the request finishes.
11393 &quot;name&quot;: &quot;A String&quot;, # Required. Name of the key.
11394 # This is an arbitrary string used to differentiate different keys.
11395 # A unique key is generated per name: two separate `TransientCryptoKey`
11396 # protos share the same generated key if their names are the same.
11397 # When the data crypto key is generated, this name is not used in any way
11398 # (repeating the api call will result in a different key being generated).
11399 },
11400 },
11401 },
11402 &quot;cryptoReplaceFfxFpeConfig&quot;: { # Replaces an identifier with a surrogate using Format Preserving Encryption # Ffx-Fpe
11403 # (FPE) with the FFX mode of operation; however when used in the
11404 # `ReidentifyContent` API method, it serves the opposite function by reversing
11405 # the surrogate back into the original identifier. The identifier must be
11406 # encoded as ASCII. For a given crypto key and context, the same identifier
11407 # will be replaced with the same surrogate. Identifiers must be at least two
11408 # characters long. In the case that the identifier is the empty string, it will
11409 # be skipped. See https://cloud.google.com/dlp/docs/pseudonymization to learn
11410 # more.
11411 #
11412 # Note: We recommend using CryptoDeterministicConfig for all use cases that
11413 # need referential integrity but do not require preserving the input
11414 # alphabet space and size.
11415 &quot;customAlphabet&quot;: &quot;A String&quot;, # A custom alphabet is supported by mapping its characters to the alphanumeric characters
11416 # that the FFX mode natively supports. This mapping happens before/after
11417 # encryption/decryption.
11418 # Each character listed must appear only once.
11419 # Number of characters must be in the range [2, 95].
11420 # This must be encoded as ASCII.
11421 # The order of characters does not matter.
11422 &quot;commonAlphabet&quot;: &quot;A String&quot;, # Common alphabets.
11423 &quot;surrogateInfoType&quot;: { # Type of information detected by the API. # The custom infoType to annotate the surrogate with.
11424 # This annotation will be applied to the surrogate by prefixing it with
11425 # the name of the custom infoType followed by the number of
11426 # characters comprising the surrogate. The following scheme defines the
11427 # format: info_type_name(surrogate_character_count):surrogate
11428 #
11429 # For example, if the name of custom infoType is &#x27;MY_TOKEN_INFO_TYPE&#x27; and
11430 # the surrogate is &#x27;abc&#x27;, the full replacement value
11431 # will be: &#x27;MY_TOKEN_INFO_TYPE(3):abc&#x27;
11432 #
11433 # This annotation identifies the surrogate when inspecting content using the
11434 # custom infoType
11435 # [`SurrogateType`](/dlp/docs/reference/rest/v2/InspectConfig#surrogatetype).
11436 # This facilitates reversal of the surrogate when it occurs in free text.
11437 #
11438 # In order for inspection to work properly, the name of this infoType must
11439 # not occur naturally anywhere in your data; otherwise, inspection may
11440 # find a surrogate that does not correspond to an actual identifier.
11441 # Therefore, choose your custom infoType name carefully after considering
11442 # what your data looks like. One way to select a name that has a high chance
11443 # of yielding reliable detection is to include one or more unicode characters
11444 # that are highly improbable to exist in your data.
11445 # For example, assuming your data is entered from a regular ASCII keyboard,
11446 # the symbol with the hex code point 29DD might be used like so:
11447 # ⧝MY_TOKEN_TYPE
11448 &quot;name&quot;: &quot;A String&quot;, # Name of the information type. Either a name of your choosing when
11449 # creating a CustomInfoType, or one of the names listed
11450 # at https://cloud.google.com/dlp/docs/infotypes-reference when specifying
11451 # a built-in type. InfoType names should conform to the pattern
11452 # `[a-zA-Z0-9_]{1,64}`.
11453 },
11454 &quot;context&quot;: { # General identifier of a data field in a storage service. # The &#x27;tweak&#x27;. A context may be used for higher security, since the same
11455 # identifier in two different contexts won&#x27;t be given the same surrogate. If
11456 # the context is not set, a default tweak will be used.
11457 #
11458 # If the context is set but:
11459 #
11460 # 1. there is no record present when transforming a given value or
11461 # 2. the field is not present when transforming a given value,
11462 #
11463 # a default tweak will be used.
11464 #
11465 # Note that case (1) is expected when an `InfoTypeTransformation` is
11466 # applied to both structured and non-structured `ContentItem`s.
11467 # Currently, the referenced field may be of value type integer or string.
11468 #
11469 # The tweak is constructed as a sequence of bytes in big endian byte order
11470 # such that:
11471 #
11472 # - a 64 bit integer is encoded followed by a single byte of value 1
11473 # - a string is encoded in UTF-8 format followed by a single byte of value 2
11474 &quot;name&quot;: &quot;A String&quot;, # Name describing the field.
11475 },
11476 &quot;radix&quot;: 42, # The native way to select the alphabet. Must be in the range [2, 95].
11477 &quot;cryptoKey&quot;: { # This is a data encryption key (DEK) (as opposed to # Required. The key used by the encryption algorithm.
11478 # a key encryption key (KEK) stored by KMS).
11479 # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
11480 # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
11481 # unwrap the data crypto key.
11482 &quot;kmsWrapped&quot;: { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key
11483 # The wrapped key must be a 128/192/256 bit key.
11484 # Authorization requires the following IAM permissions when sending a request
11485 # to perform a crypto transformation using a kms-wrapped crypto key:
11486 # dlp.kms.encrypt
11487 &quot;wrappedKey&quot;: &quot;A String&quot;, # Required. The wrapped data crypto key.
11488 &quot;cryptoKeyName&quot;: &quot;A String&quot;, # Required. The resource name of the KMS CryptoKey to use for unwrapping.
11489 },
11490 &quot;unwrapped&quot;: { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key
11491 # leaking the key. Choose another type of key if possible.
11492 &quot;key&quot;: &quot;A String&quot;, # Required. A 128/192/256 bit key.
11493 },
11494 &quot;transient&quot;: { # Use this to have a random data crypto key generated. # Transient crypto key
11495 # It will be discarded after the request finishes, so surrogates produced with it cannot be reversed by a later `ReidentifyContent` call.
11496 &quot;name&quot;: &quot;A String&quot;, # Required. Name of the key.
11497 # This is an arbitrary string used to differentiate different keys.
11498 # A unique key is generated per name: two separate `TransientCryptoKey`
11499 # protos share the same generated key if their names are the same.
11500 # When the data crypto key is generated, this name is not used in any way
11501 # (repeating the api call will result in a different key being generated).
11502 },
11503 },
11504 },
11505 &quot;cryptoDeterministicConfig&quot;: { # Pseudonymization method that generates deterministic encryption for the given # Deterministic Crypto
11506 # input. Outputs a base64 encoded representation of the encrypted output.
11507 # Uses AES-SIV based on the RFC https://tools.ietf.org/html/rfc5297.
11508 &quot;surrogateInfoType&quot;: { # Type of information detected by the API. # The custom info type to annotate the surrogate with.
11509 # This annotation will be applied to the surrogate by prefixing it with
11510 # the name of the custom info type followed by the number of
11511 # characters comprising the surrogate. The following scheme defines the
11512 # format: {info type name}({surrogate character count}):{surrogate}
11513 #
11514 # For example, if the name of custom info type is &#x27;MY_TOKEN_INFO_TYPE&#x27; and
11515 # the surrogate is &#x27;abc&#x27;, the full replacement value
11516 # will be: &#x27;MY_TOKEN_INFO_TYPE(3):abc&#x27;
11517 #
11518 # This annotation identifies the surrogate when inspecting content using the
11519 # custom info type &#x27;Surrogate&#x27;. This facilitates reversal of the
11520 # surrogate when it occurs in free text.
11521 #
11522 # Note: For record transformations where the entire cell in a table is being
11523 # transformed, surrogates are not mandatory. Surrogates are used to denote
11524 # the location of the token and are necessary for re-identification in free
11525 # form text.
11526 #
11527 # In order for inspection to work properly, the name of this info type must
11528 # not occur naturally anywhere in your data; otherwise, inspection may either
11529 #
11530 # - reverse a surrogate that does not correspond to an actual identifier
11531 # - be unable to parse the surrogate and result in an error
11532 #
11533 # Therefore, choose your custom info type name carefully after considering
11534 # what your data looks like. One way to select a name that has a high chance
11535 # of yielding reliable detection is to include one or more unicode characters
11536 # that are highly improbable to exist in your data.
11537 # For example, assuming your data is entered from a regular ASCII keyboard,
11538 # the symbol with the hex code point 29DD might be used like so:
11539 # ⧝MY_TOKEN_TYPE.
11540 &quot;name&quot;: &quot;A String&quot;, # Name of the information type. Either a name of your choosing when
11541 # creating a CustomInfoType, or one of the names listed
11542 # at https://cloud.google.com/dlp/docs/infotypes-reference when specifying
11543 # a built-in type. InfoType names should conform to the pattern
11544 # `[a-zA-Z0-9_]{1,64}`.
11545 },
11546 &quot;context&quot;: { # General identifier of a data field in a storage service. # A context may be used for higher security and maintaining
11547 # referential integrity such that the same identifier in two different
11548 # contexts will be given a distinct surrogate. The context is appended to
11549 # the plaintext value being encrypted. On decryption, the provided context is
11550 # validated against the value used during encryption. If a context was
11551 # provided during encryption, the same context must be provided during decryption
11552 # as well.
11553 #
11554 # If the context is not set, plaintext would be used as is for encryption.
11555 # If the context is set but:
11556 #
11557 # 1. there is no record present when transforming a given value or
11558 # 2. the field is not present when transforming a given value,
11559 #
11560 # plaintext would be used as is for encryption.
11561 #
11562 # Note that case (1) is expected when an `InfoTypeTransformation` is
11563 # applied to both structured and non-structured `ContentItem`s.
11564 &quot;name&quot;: &quot;A String&quot;, # Name describing the field.
11565 },
11566 &quot;cryptoKey&quot;: { # This is a data encryption key (DEK) (as opposed to # The key used by the encryption function.
11567 # a key encryption key (KEK) stored by KMS).
11568 # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
11569 # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
11570 # unwrap the data crypto key.
11571 &quot;kmsWrapped&quot;: { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key
11572 # The wrapped key must be a 128/192/256 bit key.
11573 # Authorization requires the following IAM permissions when sending a request
11574 # to perform a crypto transformation using a kms-wrapped crypto key:
11575 # dlp.kms.encrypt
11576 &quot;wrappedKey&quot;: &quot;A String&quot;, # Required. The wrapped data crypto key.
11577 &quot;cryptoKeyName&quot;: &quot;A String&quot;, # Required. The resource name of the KMS CryptoKey to use for unwrapping.
11578 },
11579 &quot;unwrapped&quot;: { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key
11580 # leaking the key. Choose another type of key if possible.
11581 &quot;key&quot;: &quot;A String&quot;, # Required. A 128/192/256 bit key.
11582 },
11583 &quot;transient&quot;: { # Use this to have a random data crypto key generated. # Transient crypto key
11584 # It will be discarded after the request finishes.
11585 &quot;name&quot;: &quot;A String&quot;, # Required. Name of the key.
11586 # This is an arbitrary string used to differentiate different keys.
11587 # A unique key is generated per name: two separate `TransientCryptoKey`
11588 # protos share the same generated key if their names are the same.
11589 # When the data crypto key is generated, this name is not used in any way
11590 # (repeating the api call will result in a different key being generated).
11591 },
11592 },
11593 },
11594 &quot;redactConfig&quot;: { # Redact a given value. For example, if used with an `InfoTypeTransformation` # Redact
11595 # transforming PHONE_NUMBER, and input &#x27;My phone number is 206-555-0123&#x27;, the
11596 # output would be &#x27;My phone number is &#x27;.
11597 },
11598 &quot;bucketingConfig&quot;: { # Generalization function that buckets values based on ranges. The ranges and # Bucketing
11599 # replacement values are dynamically provided by the user for custom behavior,
11600 # such as 1-30 -&gt; LOW, 31-65 -&gt; MEDIUM, 66-100 -&gt; HIGH.
11601 # This can be used on
11602 # data of type: number, long, string, timestamp.
11603 # If the bound `Value` type differs from the type of data being transformed, we
11604 # will first attempt converting the type of the data to be transformed to match
11605 # the type of the bound before comparing.
11606 # See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more.
11607 &quot;buckets&quot;: [ # Set of buckets. Ranges must be non-overlapping.
11608 { # Bucket is represented as a range, along with replacement values.
11609 &quot;min&quot;: { # Set of primitive values supported by the system. # Lower bound of the range, inclusive. Type should be the same as max if
11610 # used.
11611 # Note that for the purposes of inspection or transformation, the number
11612 # of bytes considered to comprise a &#x27;Value&#x27; is based on its representation
11613 # as a UTF-8 encoded string. For example, if &#x27;integer_value&#x27; is set to
11614 # 123456789, the number of bytes would be counted as 9, even though an
11615 # int64 only holds up to 8 bytes of data.
11616 &quot;booleanValue&quot;: True or False, # boolean
11617 &quot;floatValue&quot;: 3.14, # float
11618 &quot;dayOfWeekValue&quot;: &quot;A String&quot;, # day of week
11619 &quot;timestampValue&quot;: &quot;A String&quot;, # timestamp
11620 &quot;dateValue&quot;: { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date
11621 # and time zone are either specified elsewhere or are not significant. The date
11622 # is relative to the Proleptic Gregorian Calendar. This can represent:
11623 #
11624 # * A full date, with non-zero year, month and day values
11625 # * A month and day value, with a zero year, e.g. an anniversary
11626 # * A year on its own, with zero month and day values
11627 # * A year and month value, with a zero day, e.g. a credit card expiration date
11628 #
11629 # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
11630 &quot;year&quot;: 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
11631 # a year.
11632 &quot;month&quot;: 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
11633 # month and day.
11634 &quot;day&quot;: 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
11635 # if specifying a year by itself or a year and month where the day is not
11636 # significant.
11637 },
11638 &quot;stringValue&quot;: &quot;A String&quot;, # string
11639 &quot;integerValue&quot;: &quot;A String&quot;, # integer
11640 &quot;timeValue&quot;: { # Represents a time of day. The date and time zone are either not significant # time of day
11641 # or are specified elsewhere. An API may choose to allow leap seconds. Related
11642 # types are google.type.Date and `google.protobuf.Timestamp`.
11643 &quot;seconds&quot;: 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
11644 # allow the value 60 if it allows leap-seconds.
11645 &quot;nanos&quot;: 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
11646 &quot;hours&quot;: 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
11647 # to allow the value &quot;24:00:00&quot; for scenarios like business closing time.
11648 &quot;minutes&quot;: 42, # Minutes of hour of day. Must be from 0 to 59.
11649 },
11650 },
11651 &quot;max&quot;: { # Set of primitive values supported by the system. # Upper bound of the range, exclusive; type must match min.
11652 # Note that for the purposes of inspection or transformation, the number
11653 # of bytes considered to comprise a &#x27;Value&#x27; is based on its representation
11654 # as a UTF-8 encoded string. For example, if &#x27;integer_value&#x27; is set to
11655 # 123456789, the number of bytes would be counted as 9, even though an
11656 # int64 only holds up to 8 bytes of data.
11657 &quot;booleanValue&quot;: True or False, # boolean
11658 &quot;floatValue&quot;: 3.14, # float
11659 &quot;dayOfWeekValue&quot;: &quot;A String&quot;, # day of week
11660 &quot;timestampValue&quot;: &quot;A String&quot;, # timestamp
11661 &quot;dateValue&quot;: { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date
11662 # and time zone are either specified elsewhere or are not significant. The date
11663 # is relative to the Proleptic Gregorian Calendar. This can represent:
11664 #
11665 # * A full date, with non-zero year, month and day values
11666 # * A month and day value, with a zero year, e.g. an anniversary
11667 # * A year on its own, with zero month and day values
11668 # * A year and month value, with a zero day, e.g. a credit card expiration date
11669 #
11670 # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
11671 &quot;year&quot;: 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
11672 # a year.
11673 &quot;month&quot;: 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
11674 # month and day.
11675 &quot;day&quot;: 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
11676 # if specifying a year by itself or a year and month where the day is not
11677 # significant.
11678 },
11679 &quot;stringValue&quot;: &quot;A String&quot;, # string
11680 &quot;integerValue&quot;: &quot;A String&quot;, # integer
11681 &quot;timeValue&quot;: { # Represents a time of day. The date and time zone are either not significant # time of day
11682 # or are specified elsewhere. An API may choose to allow leap seconds. Related
11683 # types are google.type.Date and `google.protobuf.Timestamp`.
11684 &quot;seconds&quot;: 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
11685 # allow the value 60 if it allows leap-seconds.
11686 &quot;nanos&quot;: 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
11687 &quot;hours&quot;: 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
11688 # to allow the value &quot;24:00:00&quot; for scenarios like business closing time.
11689 &quot;minutes&quot;: 42, # Minutes of hour of day. Must be from 0 to 59.
11690 },
11691 },
11692 &quot;replacementValue&quot;: { # Set of primitive values supported by the system. # Replacement value for this bucket. If not provided
11693 # the default behavior will be to hyphenate the min-max range.
11694 # Note that for the purposes of inspection or transformation, the number
11695 # of bytes considered to comprise a &#x27;Value&#x27; is based on its representation
11696 # as a UTF-8 encoded string. For example, if &#x27;integer_value&#x27; is set to
11697 # 123456789, the number of bytes would be counted as 9, even though an
11698 # int64 only holds up to 8 bytes of data.
11699 &quot;booleanValue&quot;: True or False, # boolean
11700 &quot;floatValue&quot;: 3.14, # float
11701 &quot;dayOfWeekValue&quot;: &quot;A String&quot;, # day of week
11702 &quot;timestampValue&quot;: &quot;A String&quot;, # timestamp
11703 &quot;dateValue&quot;: { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date
11704 # and time zone are either specified elsewhere or are not significant. The date
11705 # is relative to the Proleptic Gregorian Calendar. This can represent:
11706 #
11707 # * A full date, with non-zero year, month and day values
11708 # * A month and day value, with a zero year, e.g. an anniversary
11709 # * A year on its own, with zero month and day values
11710 # * A year and month value, with a zero day, e.g. a credit card expiration date
11711 #
11712 # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
11713 &quot;year&quot;: 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
11714 # a year.
11715 &quot;month&quot;: 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
11716 # month and day.
11717 &quot;day&quot;: 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
11718 # if specifying a year by itself or a year and month where the day is not
11719 # significant.
11720 },
11721 &quot;stringValue&quot;: &quot;A String&quot;, # string
11722 &quot;integerValue&quot;: &quot;A String&quot;, # integer
11723 &quot;timeValue&quot;: { # Represents a time of day. The date and time zone are either not significant # time of day
11724 # or are specified elsewhere. An API may choose to allow leap seconds. Related
11725 # types are google.type.Date and `google.protobuf.Timestamp`.
11726 &quot;seconds&quot;: 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
11727 # allow the value 60 if it allows leap-seconds.
11728 &quot;nanos&quot;: 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
11729 &quot;hours&quot;: 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
11730 # to allow the value &quot;24:00:00&quot; for scenarios like business closing time.
11731 &quot;minutes&quot;: 42, # Minutes of hour of day. Must be from 0 to 59.
11732 },
11733 },
11734 },
11735 ],
11736 },
11737 &quot;replaceConfig&quot;: { # Replace each input value with a given `Value`. # Replace
11738 &quot;newValue&quot;: { # Set of primitive values supported by the system. # Value to replace it with.
11739 # Note that for the purposes of inspection or transformation, the number
11740 # of bytes considered to comprise a &#x27;Value&#x27; is based on its representation
11741 # as a UTF-8 encoded string. For example, if &#x27;integer_value&#x27; is set to
11742 # 123456789, the number of bytes would be counted as 9, even though an
11743 # int64 only holds up to 8 bytes of data.
11744 &quot;booleanValue&quot;: True or False, # boolean
11745 &quot;floatValue&quot;: 3.14, # float
11746 &quot;dayOfWeekValue&quot;: &quot;A String&quot;, # day of week
11747 &quot;timestampValue&quot;: &quot;A String&quot;, # timestamp
11748 &quot;dateValue&quot;: { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date
11749 # and time zone are either specified elsewhere or are not significant. The date
11750 # is relative to the Proleptic Gregorian Calendar. This can represent:
11751 #
11752 # * A full date, with non-zero year, month and day values
11753 # * A month and day value, with a zero year, e.g. an anniversary
11754 # * A year on its own, with zero month and day values
11755 # * A year and month value, with a zero day, e.g. a credit card expiration date
11756 #
11757 # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
11758 &quot;year&quot;: 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
11759 # a year.
11760 &quot;month&quot;: 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
11761 # month and day.
11762 &quot;day&quot;: 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
11763 # if specifying a year by itself or a year and month where the day is not
11764 # significant.
11765 },
11766 &quot;stringValue&quot;: &quot;A String&quot;, # string
11767 &quot;integerValue&quot;: &quot;A String&quot;, # integer
11768 &quot;timeValue&quot;: { # Represents a time of day. The date and time zone are either not significant # time of day
11769 # or are specified elsewhere. An API may choose to allow leap seconds. Related
11770 # types are google.type.Date and `google.protobuf.Timestamp`.
11771 &quot;seconds&quot;: 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
11772 # allow the value 60 if it allows leap-seconds.
11773 &quot;nanos&quot;: 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
11774 &quot;hours&quot;: 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
11775 # to allow the value &quot;24:00:00&quot; for scenarios like business closing time.
11776 &quot;minutes&quot;: 42, # Minutes of hour of day. Must be from 0 to 59.
11777 },
11778 },
11779 },
11780 &quot;characterMaskConfig&quot;: { # Partially mask a string by replacing a given number of characters with a # Mask
11781 # fixed character. Masking can start from the beginning or end of the string.
11782 # This can be used on data of any type (numbers, longs, and so on) and when
11783 # de-identifying structured data we&#x27;ll attempt to preserve the original data&#x27;s
11784 # type. (This allows you to take a long like 123 and modify it to a string like
11785 # **3.)
11786 &quot;reverseOrder&quot;: True or False, # Mask characters in reverse order. For example, if `masking_character` is
11787 # `0`, `number_to_mask` is `14`, and `reverse_order` is `false`, then the
11788 # input string `1234-5678-9012-3456` is masked as `00000000000000-3456`.
11789 # If `masking_character` is `*`, `number_to_mask` is `3`, and `reverse_order`
11790 # is `true`, then the string `12345` is masked as `12***`.
11791 &quot;charactersToIgnore&quot;: [ # When masking a string, items in this list will be skipped when replacing
11792 # characters. For example, if the input string is `555-555-5555` and you
11793 # instruct Cloud DLP to skip `-` and mask 5 characters with `*`, Cloud DLP
11794 # returns `***-**5-5555`.
11795 { # Characters to skip when doing deidentification of a value. These will be left
11796 # alone and skipped.
11797 &quot;charactersToSkip&quot;: &quot;A String&quot;, # Characters to not transform when masking.
11798 &quot;commonCharactersToIgnore&quot;: &quot;A String&quot;, # Common characters to not transform when masking. Useful to avoid removing
11799 # punctuation.
11800 },
11801 ],
11802 &quot;numberToMask&quot;: 42, # Number of characters to mask. If not set, all matching chars will be
11803 # masked. Skipped characters do not count towards this tally.
11804 &quot;maskingCharacter&quot;: &quot;A String&quot;, # Character to use to mask the sensitive values—for example, `*` for an
11805 # alphabetic string such as a name, or `0` for a numeric string such as ZIP
11806 # code or credit card number. This string must have a length of 1. If not
11807 # supplied, this value defaults to `*` for strings, and `0` for digits.
11808 },
11809 &quot;fixedSizeBucketingConfig&quot;: { # Buckets values based on fixed size ranges. The # Fixed size bucketing
11810 # Bucketing transformation can provide all of this functionality,
11811 # but requires more configuration. This message is provided as a convenience to
11812 # the user for simple bucketing strategies.
11813 #
11814 # The transformed value will be a hyphenated string of
11815 # {lower_bound}-{upper_bound}; for example, if lower_bound = 10 and upper_bound = 20,
11816 # all values that are within this bucket will be replaced with &quot;10-20&quot;.
11817 #
11818 # This can be used on data of type: double, long.
11819 #
11820 # If the bound Value type differs from the type of data
11821 # being transformed, we will first attempt converting the type of the data to
11822 # be transformed to match the type of the bound before comparing.
11823 #
11824 # See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more.
11825 &quot;lowerBound&quot;: { # Set of primitive values supported by the system. # Required. Lower bound value of buckets. All values less than `lower_bound` are
11826 # grouped together into a single bucket; for example if `lower_bound` = 10,
11827 # then all values less than 10 are replaced with the value &quot;-10&quot;.
11828 # Note that for the purposes of inspection or transformation, the number
11829 # of bytes considered to comprise a &#x27;Value&#x27; is based on its representation
11830 # as a UTF-8 encoded string. For example, if &#x27;integer_value&#x27; is set to
11831 # 123456789, the number of bytes would be counted as 9, even though an
11832 # int64 only holds up to 8 bytes of data.
11833 &quot;booleanValue&quot;: True or False, # boolean
11834 &quot;floatValue&quot;: 3.14, # float
11835 &quot;dayOfWeekValue&quot;: &quot;A String&quot;, # day of week
11836 &quot;timestampValue&quot;: &quot;A String&quot;, # timestamp
11837 &quot;dateValue&quot;: { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date
11838 # and time zone are either specified elsewhere or are not significant. The date
11839 # is relative to the Proleptic Gregorian Calendar. This can represent:
11840 #
11841 # * A full date, with non-zero year, month and day values
11842 # * A month and day value, with a zero year, e.g. an anniversary
11843 # * A year on its own, with zero month and day values
11844 # * A year and month value, with a zero day, e.g. a credit card expiration date
11845 #
11846 # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
11847 &quot;year&quot;: 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
11848 # a year.
11849 &quot;month&quot;: 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
11850 # month and day.
11851 &quot;day&quot;: 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
11852 # if specifying a year by itself or a year and month where the day is not
11853 # significant.
11854 },
11855 &quot;stringValue&quot;: &quot;A String&quot;, # string
11856 &quot;integerValue&quot;: &quot;A String&quot;, # integer
11857 &quot;timeValue&quot;: { # Represents a time of day. The date and time zone are either not significant # time of day
11858 # or are specified elsewhere. An API may choose to allow leap seconds. Related
11859 # types are google.type.Date and `google.protobuf.Timestamp`.
11860 &quot;seconds&quot;: 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
11861 # allow the value 60 if it allows leap-seconds.
11862 &quot;nanos&quot;: 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
11863 &quot;hours&quot;: 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
11864 # to allow the value &quot;24:00:00&quot; for scenarios like business closing time.
11865 &quot;minutes&quot;: 42, # Minutes of hour of day. Must be from 0 to 59.
11866 },
11867 },
11868 &quot;upperBound&quot;: { # Set of primitive values supported by the system. # Required. Upper bound value of buckets. All values greater than upper_bound are
11869 # grouped together into a single bucket; for example if `upper_bound` = 89,
11870 # then all values greater than 89 are replaced with the value &quot;89+&quot;.
11871 # Note that for the purposes of inspection or transformation, the number
11872 # of bytes considered to comprise a &#x27;Value&#x27; is based on its representation
11873 # as a UTF-8 encoded string. For example, if &#x27;integer_value&#x27; is set to
11874 # 123456789, the number of bytes would be counted as 9, even though an
11875 # int64 only holds up to 8 bytes of data.
11876 &quot;booleanValue&quot;: True or False, # boolean
11877 &quot;floatValue&quot;: 3.14, # float
11878 &quot;dayOfWeekValue&quot;: &quot;A String&quot;, # day of week
11879 &quot;timestampValue&quot;: &quot;A String&quot;, # timestamp
11880 &quot;dateValue&quot;: { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date
11881 # and time zone are either specified elsewhere or are not significant. The date
11882 # is relative to the Proleptic Gregorian Calendar. This can represent:
11883 #
11884 # * A full date, with non-zero year, month and day values
11885 # * A month and day value, with a zero year, e.g. an anniversary
11886 # * A year on its own, with zero month and day values
11887 # * A year and month value, with a zero day, e.g. a credit card expiration date
11888 #
11889 # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
11890 &quot;year&quot;: 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
11891 # a year.
11892 &quot;month&quot;: 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
11893 # month and day.
11894 &quot;day&quot;: 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
11895 # if specifying a year by itself or a year and month where the day is not
11896 # significant.
11897 },
11898 &quot;stringValue&quot;: &quot;A String&quot;, # string
11899 &quot;integerValue&quot;: &quot;A String&quot;, # integer
11900 &quot;timeValue&quot;: { # Represents a time of day. The date and time zone are either not significant # time of day
11901 # or are specified elsewhere. An API may choose to allow leap seconds. Related
11902 # types are google.type.Date and `google.protobuf.Timestamp`.
11903 &quot;seconds&quot;: 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
11904 # allow the value 60 if it allows leap-seconds.
11905 &quot;nanos&quot;: 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
11906 &quot;hours&quot;: 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
11907 # to allow the value &quot;24:00:00&quot; for scenarios like business closing time.
11908 &quot;minutes&quot;: 42, # Minutes of hour of day. Must be from 0 to 59.
11909 },
11910 },
11911 &quot;bucketSize&quot;: 3.14, # Required. Size of each bucket (except for minimum and maximum buckets). So if
11912 # `lower_bound` = 10, `upper_bound` = 89, and `bucket_size` = 10, then the
11913 # following buckets would be used: -10, 10-20, 20-30, 30-40, 40-50, 50-60,
11914 # 60-70, 70-80, 80-89, 89+. Precision up to 2 decimals works.
11915 },
11916 },
11917 &quot;condition&quot;: { # A condition for determining whether a transformation should be applied to # Only apply the transformation if the condition evaluates to true for the
11918 # given `RecordCondition`. The conditions are allowed to reference fields
11919 # that are not used in the actual transformation.
11920 #
11921 # Example Use Cases:
11922 #
11923 # - Apply a different bucket transformation to an age column if the zip code
11924 # column for the same record is within a specific range.
11925 # - Redact a field if the date of birth field is greater than 85.
11926 # a field.
11927 &quot;expressions&quot;: { # An expression, consisting of an operator and conditions. # An expression.
11928 &quot;logicalOperator&quot;: &quot;A String&quot;, # The operator to apply to the result of conditions. Default and currently
11929 # only supported value is `AND`.
11930 &quot;conditions&quot;: { # A collection of conditions. # Conditions to apply to the expression.
11931 &quot;conditions&quot;: [ # A collection of conditions.
11932 { # The field type of `value` and `field` do not need to match to be
11933 # considered equal, but not all comparisons are possible.
11934 # EQUAL_TO and NOT_EQUAL_TO attempt to compare even with incompatible types,
11935 # but all other comparisons are invalid with incompatible types.
11936 # A `value` of type:
11937 #
11938 # - `string` can be compared against all other types
11939 # - `boolean` can only be compared against other booleans
11940 # - `integer` can be compared against doubles or a string if the string value
11941 # can be parsed as an integer.
11942 # - `double` can be compared against integers or a string if the string can
11943 # be parsed as a double.
11944 # - `Timestamp` can be compared against strings in RFC 3339 date string
11945 # format.
11946 # - `TimeOfDay` can be compared against timestamps and strings in the format
11947 # of &#x27;HH:mm:ss&#x27;.
11948 #
11949 # If we fail to compare due to a type mismatch, a warning will be given and
11950 # the condition will evaluate to false.
11951 &quot;field&quot;: { # General identifier of a data field in a storage service. # Required. Field within the record this condition is evaluated against.
11952 &quot;name&quot;: &quot;A String&quot;, # Name describing the field.
11953 },
11954 &quot;operator&quot;: &quot;A String&quot;, # Required. Operator used to compare the field or infoType to the value.
11955 &quot;value&quot;: { # Set of primitive values supported by the system. # Value to compare against. [Mandatory, except for `EXISTS` tests.]
11956 # Note that for the purposes of inspection or transformation, the number
11957 # of bytes considered to comprise a &#x27;Value&#x27; is based on its representation
11958 # as a UTF-8 encoded string. For example, if &#x27;integer_value&#x27; is set to
11959 # 123456789, the number of bytes would be counted as 9, even though an
11960 # int64 only holds up to 8 bytes of data.
11961 &quot;booleanValue&quot;: True or False, # boolean
11962 &quot;floatValue&quot;: 3.14, # float
11963 &quot;dayOfWeekValue&quot;: &quot;A String&quot;, # day of week
11964 &quot;timestampValue&quot;: &quot;A String&quot;, # timestamp
11965 &quot;dateValue&quot;: { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date
11966 # and time zone are either specified elsewhere or are not significant. The date
11967 # is relative to the Proleptic Gregorian Calendar. This can represent:
11968 #
11969 # * A full date, with non-zero year, month and day values
11970 # * A month and day value, with a zero year, e.g. an anniversary
11971 # * A year on its own, with zero month and day values
11972 # * A year and month value, with a zero day, e.g. a credit card expiration date
11973 #
11974 # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
11975 &quot;year&quot;: 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
11976 # a year.
11977 &quot;month&quot;: 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
11978 # month and day.
11979 &quot;day&quot;: 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
11980 # if specifying a year by itself or a year and month where the day is not
11981 # significant.
11982 },
11983 &quot;stringValue&quot;: &quot;A String&quot;, # string
11984 &quot;integerValue&quot;: &quot;A String&quot;, # integer
11985 &quot;timeValue&quot;: { # Represents a time of day. The date and time zone are either not significant # time of day
11986 # or are specified elsewhere. An API may choose to allow leap seconds. Related
11987 # types are google.type.Date and `google.protobuf.Timestamp`.
11988 &quot;seconds&quot;: 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
11989 # allow the value 60 if it allows leap-seconds.
11990 &quot;nanos&quot;: 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
11991 &quot;hours&quot;: 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
11992 # to allow the value &quot;24:00:00&quot; for scenarios like business closing time.
11993 &quot;minutes&quot;: 42, # Minutes of hour of day. Must be from 0 to 59.
11994 },
11995 },
11996 },
11997 ],
11998 },
11999 },
12000 },
12001 },
12002 ],
12003 },
12004 &quot;infoTypeTransformations&quot;: { # A type of transformation that will scan unstructured text and # Treat the dataset as free-form text and apply the same free text
12005 # transformation everywhere.
12006 # apply various `PrimitiveTransformation`s to each finding, where the
12007 # transformation is applied to only values that were identified as a specific
12008 # info_type.
12009 &quot;transformations&quot;: [ # Required. Transformation for each infoType. Cannot specify more than one
12010 # for a given infoType.
12011 { # A transformation to apply to text that is identified as a specific
12012 # info_type.
12013 &quot;infoTypes&quot;: [ # InfoTypes to apply the transformation to. An empty list will cause
12014 # this transformation to apply to all findings that correspond to
12015 # infoTypes that were requested in `InspectConfig`.
12016 { # Type of information detected by the API.
12017 &quot;name&quot;: &quot;A String&quot;, # Name of the information type. Either a name of your choosing when
12018 # creating a CustomInfoType, or one of the names listed
12019 # at https://cloud.google.com/dlp/docs/infotypes-reference when specifying
12020 # a built-in type. InfoType names should conform to the pattern
12021 # `[a-zA-Z0-9_]{1,64}`.
12022 },
12023 ],
12024 &quot;primitiveTransformation&quot;: { # A rule for transforming a value. # Required. Primitive transformation to apply to the infoType.
12025 &quot;timePartConfig&quot;: { # For use with `Date`, `Timestamp`, and `TimeOfDay`, extract or preserve a # Time extraction
12026 # portion of the value.
12027 &quot;partToExtract&quot;: &quot;A String&quot;, # The part of the time to keep.
12028 },
12029 &quot;dateShiftConfig&quot;: { # Shifts dates by random number of days, with option to be consistent for the # Date Shift
12030 # same context. See https://cloud.google.com/dlp/docs/concepts-date-shifting
12031 # to learn more.
12032 &quot;context&quot;: { # General identifier of a data field in a storage service. # Points to the field that contains the context, for example, an entity id.
12033 # If set, must also set cryptoKey. If set, shift will be consistent for the
12034 # given context.
12035 &quot;name&quot;: &quot;A String&quot;, # Name describing the field.
12036 },
12037 &quot;upperBoundDays&quot;: 42, # Required. Range of shift in days. Actual shift will be selected at random within this
12038 # range (inclusive ends). Negative means shift to earlier in time. Must not
12039 # be more than 365250 days (1000 years) each direction.
12040 #
12041 # For example, 3 means shift date to at most 3 days into the future.
12042 &quot;lowerBoundDays&quot;: 42, # Required. For example, -5 means shift date to at most 5 days back in the past.
12043 &quot;cryptoKey&quot;: { # Causes the shift to be computed based on this key and the context. This
12044 # results in the same shift for the same context and crypto_key. If
12045 # set, must also set context. Can only be applied to table items.
12046 # This is a data encryption key (DEK) (as opposed to a key encryption key (KEK) stored by KMS).
12047 # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
12048 # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
12049 # unwrap the data crypto key.
12050 &quot;kmsWrapped&quot;: { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key
12051 # The wrapped key must be a 128/192/256 bit key.
12052 # Authorization requires the following IAM permissions when sending a request
12053 # to perform a crypto transformation using a kms-wrapped crypto key:
12054 # dlp.kms.encrypt
12055 &quot;wrappedKey&quot;: &quot;A String&quot;, # Required. The wrapped data crypto key.
12056 &quot;cryptoKeyName&quot;: &quot;A String&quot;, # Required. The resource name of the KMS CryptoKey to use for unwrapping.
12057 },
12058 &quot;unwrapped&quot;: { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key
12059 # leaking the key. Choose another type of key if possible.
12060 &quot;key&quot;: &quot;A String&quot;, # Required. A 128/192/256 bit key.
12061 },
12062 &quot;transient&quot;: { # Use this to have a random data crypto key generated. # Transient crypto key
12063 # It will be discarded after the request finishes.
12064 &quot;name&quot;: &quot;A String&quot;, # Required. Name of the key.
12065 # This is an arbitrary string used to differentiate different keys.
12066 # A unique key is generated per name: two separate `TransientCryptoKey`
12067 # protos share the same generated key if their names are the same.
12068 # When the data crypto key is generated, this name is not used in any way
12069 # (repeating the api call will result in a different key being generated).
12070 },
12071 },
12072 },
12073 &quot;replaceWithInfoTypeConfig&quot;: { # Replace each matching finding with the name of the info_type. # Replace with infotype
12074 },
12075 &quot;cryptoHashConfig&quot;: { # Pseudonymization method that generates surrogates via cryptographic hashing. # Crypto
12076 # Uses SHA-256.
12077 # The key size must be either 32 or 64 bytes.
12078 # Outputs a base64 encoded representation of the hashed output
12079 # (for example, L7k0BHmF1ha5U3NfGykjro4xWi1MPVQPjhMAZbSV9mM=).
12080 # Currently, only string and integer values can be hashed.
12081 # See https://cloud.google.com/dlp/docs/pseudonymization to learn more.
12082 &quot;cryptoKey&quot;: { # This is a data encryption key (DEK) (as opposed to # The key used by the hash function.
12083 # a key encryption key (KEK) stored by KMS).
12084 # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
12085 # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
12086 # unwrap the data crypto key.
12087 &quot;kmsWrapped&quot;: { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key
12088 # The wrapped key must be a 128/192/256 bit key.
12089 # Authorization requires the following IAM permissions when sending a request
12090 # to perform a crypto transformation using a kms-wrapped crypto key:
12091 # dlp.kms.encrypt
12092 &quot;wrappedKey&quot;: &quot;A String&quot;, # Required. The wrapped data crypto key.
12093 &quot;cryptoKeyName&quot;: &quot;A String&quot;, # Required. The resource name of the KMS CryptoKey to use for unwrapping.
12094 },
12095 &quot;unwrapped&quot;: { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key
12096 # leaking the key. Choose another type of key if possible.
12097 &quot;key&quot;: &quot;A String&quot;, # Required. A 128/192/256 bit key.
12098 },
12099 &quot;transient&quot;: { # Use this to have a random data crypto key generated. # Transient crypto key
12100 # It will be discarded after the request finishes.
12101 &quot;name&quot;: &quot;A String&quot;, # Required. Name of the key.
12102 # This is an arbitrary string used to differentiate different keys.
12103 # A unique key is generated per name: two separate `TransientCryptoKey`
12104 # protos share the same generated key if their names are the same.
12105 # When the data crypto key is generated, this name is not used in any way
12106 # (repeating the api call will result in a different key being generated).
12107 },
12108 },
12109 },
12110 &quot;cryptoReplaceFfxFpeConfig&quot;: { # Replaces an identifier with a surrogate using Format Preserving Encryption # Ffx-Fpe
12111 # (FPE) with the FFX mode of operation; however when used in the
12112 # `ReidentifyContent` API method, it serves the opposite function by reversing
12113 # the surrogate back into the original identifier. The identifier must be
12114 # encoded as ASCII. For a given crypto key and context, the same identifier
12115 # will be replaced with the same surrogate. Identifiers must be at least two
12116 # characters long. In the case that the identifier is the empty string, it will
12117 # be skipped. See https://cloud.google.com/dlp/docs/pseudonymization to learn
12118 # more.
12119 #
12120 # Note: We recommend using CryptoDeterministicConfig for all use cases which
12121 # do not require preserving the input alphabet space and size, plus warrant
12122 # referential integrity.
12123 &quot;customAlphabet&quot;: &quot;A String&quot;, # This is supported by mapping these to the alphanumeric characters
12124 # that the FFX mode natively supports. This happens before/after
12125 # encryption/decryption.
12126 # Each character listed must appear only once.
12127 # Number of characters must be in the range [2, 95].
12128 # This must be encoded as ASCII.
12129 # The order of characters does not matter.
12130 &quot;commonAlphabet&quot;: &quot;A String&quot;, # Common alphabets.
12131 &quot;surrogateInfoType&quot;: { # Type of information detected by the API. # The custom infoType to annotate the surrogate with.
12132 # This annotation will be applied to the surrogate by prefixing it with
12133 # the name of the custom infoType followed by the number of
12134 # characters comprising the surrogate. The following scheme defines the
12135 # format: info_type_name(surrogate_character_count):surrogate
12136 #
12137 # For example, if the name of custom infoType is &#x27;MY_TOKEN_INFO_TYPE&#x27; and
12138 # the surrogate is &#x27;abc&#x27;, the full replacement value
12139 # will be: &#x27;MY_TOKEN_INFO_TYPE(3):abc&#x27;
12140 #
12141 # This annotation identifies the surrogate when inspecting content using the
12142 # custom infoType
12143 # [`SurrogateType`](/dlp/docs/reference/rest/v2/InspectConfig#surrogatetype).
12144 # This facilitates reversal of the surrogate when it occurs in free text.
12145 #
12146 # In order for inspection to work properly, the name of this infoType must
12147 # not occur naturally anywhere in your data; otherwise, inspection may
12148 # find a surrogate that does not correspond to an actual identifier.
12149 # Therefore, choose your custom infoType name carefully after considering
12150 # what your data looks like. One way to select a name that has a high chance
12151 # of yielding reliable detection is to include one or more unicode characters
12152 # that are highly improbable to exist in your data.
12153 # For example, assuming your data is entered from a regular ASCII keyboard,
12154 # the symbol with the hex code point 29DD might be used like so:
12155 # ⧝MY_TOKEN_TYPE
12156 &quot;name&quot;: &quot;A String&quot;, # Name of the information type. Either a name of your choosing when
12157 # creating a CustomInfoType, or one of the names listed
12158 # at https://cloud.google.com/dlp/docs/infotypes-reference when specifying
12159 # a built-in type. InfoType names should conform to the pattern
12160 # `[a-zA-Z0-9_]{1,64}`.
12161 },
12162 &quot;context&quot;: { # General identifier of a data field in a storage service. # The &#x27;tweak&#x27;. A context may be used for higher security since the same
12163 # identifier in two different contexts won&#x27;t be given the same surrogate. If
12164 # the context is not set, a default tweak will be used.
12165 #
12166 # If the context is set but:
12167 #
12168 # 1. there is no record present when transforming a given value or
12169 # 2. the field is not present when transforming a given value,
12170 #
12171 # a default tweak will be used.
12172 #
12173 # Note that case (1) is expected when an `InfoTypeTransformation` is
12174 # applied to both structured and non-structured `ContentItem`s.
12175 # Currently, the referenced field may be of value type integer or string.
12176 #
12177 # The tweak is constructed as a sequence of bytes in big endian byte order
12178 # such that:
12179 #
12180 # - a 64 bit integer is encoded followed by a single byte of value 1
12181 # - a string is encoded in UTF-8 format followed by a single byte of value 2
12182 &quot;name&quot;: &quot;A String&quot;, # Name describing the field.
12183 },
12184 &quot;radix&quot;: 42, # The native way to select the alphabet. Must be in the range [2, 95].
12185 &quot;cryptoKey&quot;: { # This is a data encryption key (DEK) (as opposed to # Required. The key used by the encryption algorithm.
12186 # a key encryption key (KEK) stored by KMS).
12187 # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
12188 # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
12189 # unwrap the data crypto key.
12190 &quot;kmsWrapped&quot;: { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key
12191 # The wrapped key must be a 128/192/256 bit key.
12192 # Authorization requires the following IAM permissions when sending a request
12193 # to perform a crypto transformation using a kms-wrapped crypto key:
12194 # dlp.kms.encrypt
12195 &quot;wrappedKey&quot;: &quot;A String&quot;, # Required. The wrapped data crypto key.
12196 &quot;cryptoKeyName&quot;: &quot;A String&quot;, # Required. The resource name of the KMS CryptoKey to use for unwrapping.
12197 },
12198 &quot;unwrapped&quot;: { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key
12199 # leaking the key. Choose another type of key if possible.
12200 &quot;key&quot;: &quot;A String&quot;, # Required. A 128/192/256 bit key.
12201 },
12202 &quot;transient&quot;: { # Use this to have a random data crypto key generated. # Transient crypto key
12203 # It will be discarded after the request finishes.
12204 &quot;name&quot;: &quot;A String&quot;, # Required. Name of the key.
12205 # This is an arbitrary string used to differentiate different keys.
12206 # A unique key is generated per name: two separate `TransientCryptoKey`
12207 # protos share the same generated key if their names are the same.
12208 # When the data crypto key is generated, this name is not used in any way
12209 # (repeating the api call will result in a different key being generated).
12210 },
12211 },
12212 },
12213 &quot;cryptoDeterministicConfig&quot;: { # Pseudonymization method that generates deterministic encryption for the given # Deterministic Crypto
12214 # input. Outputs a base64 encoded representation of the encrypted output.
12215 # Uses AES-SIV based on the RFC https://tools.ietf.org/html/rfc5297.
12216 &quot;surrogateInfoType&quot;: { # Type of information detected by the API. # The custom info type to annotate the surrogate with.
12217 # This annotation will be applied to the surrogate by prefixing it with
12218 # the name of the custom info type followed by the number of
12219 # characters comprising the surrogate. The following scheme defines the
12220 # format: {info type name}({surrogate character count}):{surrogate}
12221 #
12222 # For example, if the name of custom info type is &#x27;MY_TOKEN_INFO_TYPE&#x27; and
12223 # the surrogate is &#x27;abc&#x27;, the full replacement value
12224 # will be: &#x27;MY_TOKEN_INFO_TYPE(3):abc&#x27;
12225 #
12226 # This annotation identifies the surrogate when inspecting content using the
12227 # custom info type &#x27;Surrogate&#x27;. This facilitates reversal of the
12228 # surrogate when it occurs in free text.
12229 #
12230 # Note: For record transformations where the entire cell in a table is being
12231 # transformed, surrogates are not mandatory. Surrogates are used to denote
12232 # the location of the token and are necessary for re-identification in free
12233 # form text.
12234 #
12235 # In order for inspection to work properly, the name of this info type must
12236 # not occur naturally anywhere in your data; otherwise, inspection may either
12237 #
12238 # - reverse a surrogate that does not correspond to an actual identifier
12239 # - be unable to parse the surrogate and result in an error
12240 #
12241 # Therefore, choose your custom info type name carefully after considering
12242 # what your data looks like. One way to select a name that has a high chance
12243 # of yielding reliable detection is to include one or more unicode characters
12244 # that are highly improbable to exist in your data.
12245 # For example, assuming your data is entered from a regular ASCII keyboard,
12246 # the symbol with the hex code point 29DD might be used like so:
12247 # ⧝MY_TOKEN_TYPE.
12248 &quot;name&quot;: &quot;A String&quot;, # Name of the information type. Either a name of your choosing when
12249 # creating a CustomInfoType, or one of the names listed
12250 # at https://cloud.google.com/dlp/docs/infotypes-reference when specifying
12251 # a built-in type. InfoType names should conform to the pattern
12252 # `[a-zA-Z0-9_]{1,64}`.
12253 },
12254 &quot;context&quot;: { # General identifier of a data field in a storage service. # A context may be used for higher security and maintaining
12255 # referential integrity such that the same identifier in two different
12256 # contexts will be given a distinct surrogate. The context is appended to
12257 # the plaintext value being encrypted. On decryption the provided context is
12258 # validated against the value used during encryption. If a context was
12259 # provided during encryption, the same context must be provided during decryption
12260 # as well.
12261 #
12262 # If the context is not set, plaintext would be used as is for encryption.
12263 # If the context is set but:
12264 #
12265 # 1. there is no record present when transforming a given value or
12266 # 2. the field is not present when transforming a given value,
12267 #
12268 # plaintext would be used as is for encryption.
12269 #
12270 # Note that case (1) is expected when an `InfoTypeTransformation` is
12271 # applied to both structured and non-structured `ContentItem`s.
12272 &quot;name&quot;: &quot;A String&quot;, # Name describing the field.
12273 },
12274 &quot;cryptoKey&quot;: { # This is a data encryption key (DEK) (as opposed to # The key used by the encryption function.
12275 # a key encryption key (KEK) stored by KMS).
12276 # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
12277 # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
12278 # unwrap the data crypto key.
12279 &quot;kmsWrapped&quot;: { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key
12280 # The wrapped key must be a 128/192/256 bit key.
12281 # Authorization requires the following IAM permissions when sending a request
12282 # to perform a crypto transformation using a kms-wrapped crypto key:
12283 # dlp.kms.encrypt
12284 &quot;wrappedKey&quot;: &quot;A String&quot;, # Required. The wrapped data crypto key.
12285 &quot;cryptoKeyName&quot;: &quot;A String&quot;, # Required. The resource name of the KMS CryptoKey to use for unwrapping.
12286 },
12287 &quot;unwrapped&quot;: { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key
12288 # leaking the key. Choose another type of key if possible.
12289 &quot;key&quot;: &quot;A String&quot;, # Required. A 128/192/256 bit key.
12290 },
12291 &quot;transient&quot;: { # Use this to have a random data crypto key generated. # Transient crypto key
12292 # It will be discarded after the request finishes.
12293 &quot;name&quot;: &quot;A String&quot;, # Required. Name of the key.
12294 # This is an arbitrary string used to differentiate different keys.
12295 # A unique key is generated per name: two separate `TransientCryptoKey`
12296 # protos share the same generated key if their names are the same.
12297 # When the data crypto key is generated, this name is not used in any way
12298 # (repeating the api call will result in a different key being generated).
12299 },
12300 },
12301 },
12302 &quot;redactConfig&quot;: { # Redact a given value. For example, if used with an `InfoTypeTransformation` # Redact
12303 # transforming PHONE_NUMBER, and input &#x27;My phone number is 206-555-0123&#x27;, the
12304 # output would be &#x27;My phone number is &#x27;.
12305 },
12306 &quot;bucketingConfig&quot;: { # Generalization function that buckets values based on ranges. The ranges and # Bucketing
12307 # replacement values are dynamically provided by the user for custom behavior,
12308 # such as 1-30 -&gt; LOW, 31-65 -&gt; MEDIUM, 66-100 -&gt; HIGH.
12309 # This can be used on
12310 # data of type: number, long, string, timestamp.
12311 # If the bound `Value` type differs from the type of data being transformed, we
12312 # will first attempt converting the type of the data to be transformed to match
12313 # the type of the bound before comparing.
12314 # See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more.
12315 &quot;buckets&quot;: [ # Set of buckets. Ranges must be non-overlapping.
12316 { # Bucket is represented as a range, along with replacement values.
12317 &quot;min&quot;: { # Set of primitive values supported by the system. # Lower bound of the range, inclusive. Type should be the same as max if
12318 # used.
12319 # Note that for the purposes of inspection or transformation, the number
12320 # of bytes considered to comprise a &#x27;Value&#x27; is based on its representation
12321 # as a UTF-8 encoded string. For example, if &#x27;integer_value&#x27; is set to
12322 # 123456789, the number of bytes would be counted as 9, even though an
12323 # int64 only holds up to 8 bytes of data.
12324 &quot;booleanValue&quot;: True or False, # boolean
12325 &quot;floatValue&quot;: 3.14, # float
12326 &quot;dayOfWeekValue&quot;: &quot;A String&quot;, # day of week
12327 &quot;timestampValue&quot;: &quot;A String&quot;, # timestamp
12328 &quot;dateValue&quot;: { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date
12329 # and time zone are either specified elsewhere or are not significant. The date
12330 # is relative to the Proleptic Gregorian Calendar. This can represent:
12331 #
12332 # * A full date, with non-zero year, month and day values
12333 # * A month and day value, with a zero year, e.g. an anniversary
12334 # * A year on its own, with zero month and day values
12335 # * A year and month value, with a zero day, e.g. a credit card expiration date
12336 #
12337 # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
12338 &quot;year&quot;: 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
12339 # a year.
12340 &quot;month&quot;: 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
12341 # month and day.
12342 &quot;day&quot;: 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
12343 # if specifying a year by itself or a year and month where the day is not
12344 # significant.
12345 },
12346 &quot;stringValue&quot;: &quot;A String&quot;, # string
12347 &quot;integerValue&quot;: &quot;A String&quot;, # integer
12348 &quot;timeValue&quot;: { # Represents a time of day. The date and time zone are either not significant # time of day
12349 # or are specified elsewhere. An API may choose to allow leap seconds. Related
12350 # types are google.type.Date and `google.protobuf.Timestamp`.
12351 &quot;seconds&quot;: 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
12352 # allow the value 60 if it allows leap-seconds.
12353 &quot;nanos&quot;: 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
12354 &quot;hours&quot;: 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
12355 # to allow the value &quot;24:00:00&quot; for scenarios like business closing time.
12356 &quot;minutes&quot;: 42, # Minutes of hour of day. Must be from 0 to 59.
12357 },
12358 },
12359 &quot;max&quot;: { # Set of primitive values supported by the system. # Upper bound of the range, exclusive; type must match min.
12360 # Note that for the purposes of inspection or transformation, the number
12361 # of bytes considered to comprise a &#x27;Value&#x27; is based on its representation
12362 # as a UTF-8 encoded string. For example, if &#x27;integer_value&#x27; is set to
12363 # 123456789, the number of bytes would be counted as 9, even though an
12364 # int64 only holds up to 8 bytes of data.
12365 &quot;booleanValue&quot;: True or False, # boolean
12366 &quot;floatValue&quot;: 3.14, # float
12367 &quot;dayOfWeekValue&quot;: &quot;A String&quot;, # day of week
12368 &quot;timestampValue&quot;: &quot;A String&quot;, # timestamp
12369 &quot;dateValue&quot;: { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date
12370 # and time zone are either specified elsewhere or are not significant. The date
12371 # is relative to the Proleptic Gregorian Calendar. This can represent:
12372 #
12373 # * A full date, with non-zero year, month and day values
12374 # * A month and day value, with a zero year, e.g. an anniversary
12375 # * A year on its own, with zero month and day values
12376 # * A year and month value, with a zero day, e.g. a credit card expiration date
12377 #
12378 # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
12379 &quot;year&quot;: 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
12380 # a year.
12381 &quot;month&quot;: 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
12382 # month and day.
12383 &quot;day&quot;: 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
12384 # if specifying a year by itself or a year and month where the day is not
12385 # significant.
12386 },
12387 &quot;stringValue&quot;: &quot;A String&quot;, # string
12388 &quot;integerValue&quot;: &quot;A String&quot;, # integer
12389 &quot;timeValue&quot;: { # Represents a time of day. The date and time zone are either not significant # time of day
12390 # or are specified elsewhere. An API may choose to allow leap seconds. Related
12391 # types are google.type.Date and `google.protobuf.Timestamp`.
12392 &quot;seconds&quot;: 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
12393 # allow the value 60 if it allows leap-seconds.
12394 &quot;nanos&quot;: 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
12395 &quot;hours&quot;: 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
12396 # to allow the value &quot;24:00:00&quot; for scenarios like business closing time.
12397 &quot;minutes&quot;: 42, # Minutes of hour of day. Must be from 0 to 59.
12398 },
12399 },
12400 &quot;replacementValue&quot;: { # Set of primitive values supported by the system. # Replacement value for this bucket. If not provided
12401 # the default behavior will be to hyphenate the min-max range.
12402 # Note that for the purposes of inspection or transformation, the number
12403 # of bytes considered to comprise a &#x27;Value&#x27; is based on its representation
12404 # as a UTF-8 encoded string. For example, if &#x27;integer_value&#x27; is set to
12405 # 123456789, the number of bytes would be counted as 9, even though an
12406 # int64 only holds up to 8 bytes of data.
12407 &quot;booleanValue&quot;: True or False, # boolean
12408 &quot;floatValue&quot;: 3.14, # float
12409 &quot;dayOfWeekValue&quot;: &quot;A String&quot;, # day of week
12410 &quot;timestampValue&quot;: &quot;A String&quot;, # timestamp
12411 &quot;dateValue&quot;: { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date
12412 # and time zone are either specified elsewhere or are not significant. The date
12413 # is relative to the Proleptic Gregorian Calendar. This can represent:
12414 #
12415 # * A full date, with non-zero year, month and day values
12416 # * A month and day value, with a zero year, e.g. an anniversary
12417 # * A year on its own, with zero month and day values
12418 # * A year and month value, with a zero day, e.g. a credit card expiration date
12419 #
12420 # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
12421 &quot;year&quot;: 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
12422 # a year.
12423 &quot;month&quot;: 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
12424 # month and day.
12425 &quot;day&quot;: 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
12426 # if specifying a year by itself or a year and month where the day is not
12427 # significant.
12428 },
12429 &quot;stringValue&quot;: &quot;A String&quot;, # string
12430 &quot;integerValue&quot;: &quot;A String&quot;, # integer
12431 &quot;timeValue&quot;: { # Represents a time of day. The date and time zone are either not significant # time of day
12432 # or are specified elsewhere. An API may choose to allow leap seconds. Related
12433 # types are google.type.Date and `google.protobuf.Timestamp`.
12434 &quot;seconds&quot;: 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
12435 # allow the value 60 if it allows leap-seconds.
12436 &quot;nanos&quot;: 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
12437 &quot;hours&quot;: 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
12438 # to allow the value &quot;24:00:00&quot; for scenarios like business closing time.
12439 &quot;minutes&quot;: 42, # Minutes of hour of day. Must be from 0 to 59.
12440 },
12441 },
12442 },
12443 ],
12444 },
12445 &quot;replaceConfig&quot;: { # Replace each input value with a given `Value`. # Replace
12446 &quot;newValue&quot;: { # Set of primitive values supported by the system. # Value to replace it with.
12447 # Note that for the purposes of inspection or transformation, the number
12448 # of bytes considered to comprise a &#x27;Value&#x27; is based on its representation
12449 # as a UTF-8 encoded string. For example, if &#x27;integer_value&#x27; is set to
12450 # 123456789, the number of bytes would be counted as 9, even though an
12451 # int64 only holds up to 8 bytes of data.
12452 &quot;booleanValue&quot;: True or False, # boolean
12453 &quot;floatValue&quot;: 3.14, # float
12454 &quot;dayOfWeekValue&quot;: &quot;A String&quot;, # day of week
12455 &quot;timestampValue&quot;: &quot;A String&quot;, # timestamp
12456 &quot;dateValue&quot;: { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date
12457 # and time zone are either specified elsewhere or are not significant. The date
12458 # is relative to the Proleptic Gregorian Calendar. This can represent:
12459 #
12460 # * A full date, with non-zero year, month and day values
12461 # * A month and day value, with a zero year, e.g. an anniversary
12462 # * A year on its own, with zero month and day values
12463 # * A year and month value, with a zero day, e.g. a credit card expiration date
12464 #
12465 # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
12466 &quot;year&quot;: 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
12467 # a year.
12468 &quot;month&quot;: 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
12469 # month and day.
12470 &quot;day&quot;: 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
12471 # if specifying a year by itself or a year and month where the day is not
12472 # significant.
12473 },
12474 &quot;stringValue&quot;: &quot;A String&quot;, # string
12475 &quot;integerValue&quot;: &quot;A String&quot;, # integer
12476 &quot;timeValue&quot;: { # Represents a time of day. The date and time zone are either not significant # time of day
12477 # or are specified elsewhere. An API may choose to allow leap seconds. Related
12478 # types are google.type.Date and `google.protobuf.Timestamp`.
12479 &quot;seconds&quot;: 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
12480 # allow the value 60 if it allows leap-seconds.
12481 &quot;nanos&quot;: 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
12482 &quot;hours&quot;: 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
12483 # to allow the value &quot;24:00:00&quot; for scenarios like business closing time.
12484 &quot;minutes&quot;: 42, # Minutes of hour of day. Must be from 0 to 59.
12485 },
12486 },
12487 },
12488 &quot;characterMaskConfig&quot;: { # Partially mask a string by replacing a given number of characters with a # Mask
12489 # fixed character. Masking can start from the beginning or end of the string.
12490 # This can be used on data of any type (numbers, longs, and so on) and when
12491 # de-identifying structured data we&#x27;ll attempt to preserve the original data&#x27;s
12492 # type. (This allows you to take a long like 123 and modify it to a string like
12493 # **3.)
12494 &quot;reverseOrder&quot;: True or False, # Mask characters in reverse order. For example, if `masking_character` is
12495 # `0`, `number_to_mask` is `14`, and `reverse_order` is `false`, then the
12496 # input string `1234-5678-9012-3456` is masked as `00000000000000-3456`.
12497 # If `masking_character` is `*`, `number_to_mask` is `3`, and `reverse_order`
12498 # is `true`, then the string `12345` is masked as `12***`.
12499 &quot;charactersToIgnore&quot;: [ # When masking a string, items in this list will be skipped when replacing
12500 # characters. For example, if the input string is `555-555-5555` and you
12501 # instruct Cloud DLP to skip `-` and mask 5 characters with `*`, Cloud DLP
12502 # returns `***-**5-5555`.
12503 { # Characters to skip when doing deidentification of a value. These will be left
12504 # alone and skipped.
12505 &quot;charactersToSkip&quot;: &quot;A String&quot;, # Characters to not transform when masking.
12506 &quot;commonCharactersToIgnore&quot;: &quot;A String&quot;, # Common characters to not transform when masking. Useful to avoid removing
12507 # punctuation.
12508 },
12509 ],
12510 &quot;numberToMask&quot;: 42, # Number of characters to mask. If not set, all matching chars will be
12511 # masked. Skipped characters do not count towards this tally.
12512 &quot;maskingCharacter&quot;: &quot;A String&quot;, # Character to use to mask the sensitive values&mdash;for example, `*` for an
12513 # alphabetic string such as a name, or `0` for a numeric string such as ZIP
12514 # code or credit card number. This string must have a length of 1. If not
12515 # supplied, this value defaults to `*` for strings, and `0` for digits.
12516 },
12517 &quot;fixedSizeBucketingConfig&quot;: { # Buckets values based on fixed size ranges. The # Fixed size bucketing
12518 # Bucketing transformation can provide all of this functionality,
12519 # but requires more configuration. This message is provided as a convenience to
12520 # the user for simple bucketing strategies.
12521 #
12522 # The transformed value will be a hyphenated string of
12523 # {lower_bound}-{upper_bound}; for example, if lower_bound = 10 and upper_bound = 20,
12524 # all values that are within this bucket will be replaced with &quot;10-20&quot;.
12525 #
12526 # This can be used on data of type: double, long.
12527 #
12528 # If the bound Value type differs from the type of data
12529 # being transformed, we will first attempt converting the type of the data to
12530 # be transformed to match the type of the bound before comparing.
12531 #
12532 # See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more.
12533 &quot;lowerBound&quot;: { # Set of primitive values supported by the system. # Required. Lower bound value of buckets. All values less than `lower_bound` are
12534 # grouped together into a single bucket; for example if `lower_bound` = 10,
12535 # then all values less than 10 are replaced with the value &quot;-10&quot;.
12536 # Note that for the purposes of inspection or transformation, the number
12537 # of bytes considered to comprise a &#x27;Value&#x27; is based on its representation
12538 # as a UTF-8 encoded string. For example, if &#x27;integer_value&#x27; is set to
12539 # 123456789, the number of bytes would be counted as 9, even though an
12540 # int64 only holds up to 8 bytes of data.
12541 &quot;booleanValue&quot;: True or False, # boolean
12542 &quot;floatValue&quot;: 3.14, # float
12543 &quot;dayOfWeekValue&quot;: &quot;A String&quot;, # day of week
12544 &quot;timestampValue&quot;: &quot;A String&quot;, # timestamp
12545 &quot;dateValue&quot;: { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date
12546 # and time zone are either specified elsewhere or are not significant. The date
12547 # is relative to the Proleptic Gregorian Calendar. This can represent:
12548 #
12549 # * A full date, with non-zero year, month and day values
12550 # * A month and day value, with a zero year, e.g. an anniversary
12551 # * A year on its own, with zero month and day values
12552 # * A year and month value, with a zero day, e.g. a credit card expiration date
12553 #
12554 # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
12555 &quot;year&quot;: 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
12556 # a year.
12557 &quot;month&quot;: 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
12558 # month and day.
12559 &quot;day&quot;: 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
12560 # if specifying a year by itself or a year and month where the day is not
12561 # significant.
12562 },
12563 &quot;stringValue&quot;: &quot;A String&quot;, # string
12564 &quot;integerValue&quot;: &quot;A String&quot;, # integer
12565 &quot;timeValue&quot;: { # Represents a time of day. The date and time zone are either not significant # time of day
12566 # or are specified elsewhere. An API may choose to allow leap seconds. Related
12567 # types are google.type.Date and `google.protobuf.Timestamp`.
12568 &quot;seconds&quot;: 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
12569 # allow the value 60 if it allows leap-seconds.
12570 &quot;nanos&quot;: 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
12571 &quot;hours&quot;: 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
12572 # to allow the value &quot;24:00:00&quot; for scenarios like business closing time.
12573 &quot;minutes&quot;: 42, # Minutes of hour of day. Must be from 0 to 59.
12574 },
12575 },
12576 &quot;upperBound&quot;: { # Set of primitive values supported by the system. # Required. Upper bound value of buckets. All values greater than upper_bound are
12577 # grouped together into a single bucket; for example if `upper_bound` = 89,
12578 # then all values greater than 89 are replaced with the value &quot;89+&quot;.
12579 # Note that for the purposes of inspection or transformation, the number
12580 # of bytes considered to comprise a &#x27;Value&#x27; is based on its representation
12581 # as a UTF-8 encoded string. For example, if &#x27;integer_value&#x27; is set to
12582 # 123456789, the number of bytes would be counted as 9, even though an
12583 # int64 only holds up to 8 bytes of data.
12584 &quot;booleanValue&quot;: True or False, # boolean
12585 &quot;floatValue&quot;: 3.14, # float
12586 &quot;dayOfWeekValue&quot;: &quot;A String&quot;, # day of week
12587 &quot;timestampValue&quot;: &quot;A String&quot;, # timestamp
12588 &quot;dateValue&quot;: { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date
12589 # and time zone are either specified elsewhere or are not significant. The date
12590 # is relative to the Proleptic Gregorian Calendar. This can represent:
12591 #
12592 # * A full date, with non-zero year, month and day values
12593 # * A month and day value, with a zero year, e.g. an anniversary
12594 # * A year on its own, with zero month and day values
12595 # * A year and month value, with a zero day, e.g. a credit card expiration date
12596 #
12597 # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
12598 &quot;year&quot;: 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
12599 # a year.
12600 &quot;month&quot;: 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
12601 # month and day.
12602 &quot;day&quot;: 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
12603 # if specifying a year by itself or a year and month where the day is not
12604 # significant.
12605 },
12606 &quot;stringValue&quot;: &quot;A String&quot;, # string
12607 &quot;integerValue&quot;: &quot;A String&quot;, # integer
12608 &quot;timeValue&quot;: { # Represents a time of day. The date and time zone are either not significant # time of day
12609 # or are specified elsewhere. An API may choose to allow leap seconds. Related
12610 # types are google.type.Date and `google.protobuf.Timestamp`.
12611 &quot;seconds&quot;: 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
12612 # allow the value 60 if it allows leap-seconds.
12613 &quot;nanos&quot;: 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
12614 &quot;hours&quot;: 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
12615 # to allow the value &quot;24:00:00&quot; for scenarios like business closing time.
12616 &quot;minutes&quot;: 42, # Minutes of hour of day. Must be from 0 to 59.
12617 },
12618 },
12619 &quot;bucketSize&quot;: 3.14, # Required. Size of each bucket (except for minimum and maximum buckets). So if
12620 # `lower_bound` = 10, `upper_bound` = 89, and `bucket_size` = 10, then the
12621 # following buckets would be used: -10, 10-20, 20-30, 30-40, 40-50, 50-60,
12622 # 60-70, 70-80, 80-89, 89+. Up to 2 decimal places of precision are supported.
12623 },
12624 },
12625 },
12626 ],
12627 },
12628 },
12629 }</pre>
12630</div>
12631
12632</body></html>