Blame - docs/dyn/dlp_v2.projects.content.html - platform/external/python/google-api-python-client

2020-10-06 16:46:05 -0700

[diff] [blame]

78

<code><a href="#close">close()</a></code></p>

79

<p class="firstline">Close httplib2 connections.</p>

80

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

81

<code><a href="#deidentify">deidentify(parent, body=None, x__xgafv=None)</a></code></p>

Dmitry Frenkel

2020-10-06 16:46:05 -0700

[diff] [blame]

82

<p class="firstline">De-identifies potentially sensitive info from a ContentItem. This method has limits on input size and output size. See https://cloud.google.com/dlp/docs/deidentify-sensitive-data to learn more. When no InfoTypes or CustomInfoTypes are specified in this request, the system will automatically choose what detectors to run. By default this may be all types, but may change over time as detectors are updated.</p>

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

83

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

84

<code><a href="#inspect">inspect(parent, body=None, x__xgafv=None)</a></code></p>

Dmitry Frenkel

2020-10-06 16:46:05 -0700

[diff] [blame]

85

<p class="firstline">Finds potentially sensitive info in content. This method has limits on input size, processing time, and output size. When no InfoTypes or CustomInfoTypes are specified in this request, the system will automatically choose what detectors to run. By default this may be all types, but may change over time as detectors are updated. For how to guides, see https://cloud.google.com/dlp/docs/inspecting-images and https://cloud.google.com/dlp/docs/inspecting-text,</p>

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

86

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

87

<code><a href="#reidentify">reidentify(parent, body=None, x__xgafv=None)</a></code></p>

Dmitry Frenkel

2020-10-06 16:46:05 -0700

[diff] [blame]

88

<p class="firstline">Re-identifies content that has been de-identified. See https://cloud.google.com/dlp/docs/pseudonymization#re-identification_in_free_text_code_example to learn more.</p>

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

89

<h3>Method Details</h3>

90

Dmitry Frenkel

2020-10-06 16:46:05 -0700

[diff] [blame]

91

<code class="details" id="close">close()</code>

92

<pre>Close httplib2 connections.</pre>

93

</div>

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

94

Dmitry Frenkel

2020-10-06 16:46:05 -0700

[diff] [blame]

95

96

<code class="details" id="deidentify">deidentify(parent, body=None, x__xgafv=None)</code>

97

<pre>De-identifies potentially sensitive info from a ContentItem. This method has limits on input size and output size. See https://cloud.google.com/dlp/docs/deidentify-sensitive-data to learn more. When no InfoTypes or CustomInfoTypes are specified in this request, the system will automatically choose what detectors to run. By default this may be all types, but may change over time as detectors are updated.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

98

99

Args:

Dmitry Frenkel

2020-10-06 16:46:05 -0700

[diff] [blame]

100

parent: string, Parent resource name. The format of this value varies depending on whether you have [specified a processing location](https://cloud.google.com/dlp/docs/specifying-location): + Projects scope, location specified: `projects/`PROJECT_ID`/locations/`LOCATION_ID + Projects scope, no location specified (defaults to global): `projects/`PROJECT_ID The following example `parent` string specifies a parent project with the identifier `example-project`, and specifies the `europe-west3` location for processing data: parent=projects/example-project/locations/europe-west3 (required)

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

101

body: object, The request body.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

102

The object takes the form of:

103

104

{ # Request to de-identify a list of items.

Bu Sun Kim

2020-11-16 11:05:03 -0700

[diff] [blame^]

105

"locationId": "A String", # Deprecated. This field has no effect.

Dmitry Frenkel

2020-10-06 16:46:05 -0700

[diff] [blame]

106

"inspectConfig": { # Configuration description of the scanning process. When used with redactContent only info_types and min_likelihood are currently used. # Configuration for the inspector. Items specified here will override the template referenced by the inspect_template_name argument.

Bu Sun Kim

2020-11-16 11:05:03 -0700

[diff] [blame^]

107

"contentOptions": [ # List of options defining data content to scan. If empty, text, images, and other content will be included.

108

"A String",

109

],

110

"minLikelihood": "A String", # Only returns findings equal or above this threshold. The default is POSSIBLE. See https://cloud.google.com/dlp/docs/likelihood to learn more.

111

"limits": { # Configuration to control the number of findings returned. # Configuration to control the number of findings returned.

112

"maxFindingsPerInfoType": [ # Configuration of findings limit given for specified infoTypes.

113

{ # Max findings configuration per infoType, per content item or long running DlpJob.

114

"infoType": { # Type of information detected by the API. # Type of information the findings limit applies to. Only one limit per info_type should be provided. If InfoTypeLimit does not have an info_type, the DLP API applies the limit against all info_types that are found but not specified in another InfoTypeLimit.

Dmitry Frenkel

2020-10-06 16:46:05 -0700

[diff] [blame]

115

"name": "A String", # Name of the information type. Either a name of your choosing when creating a CustomInfoType, or one of the names listed at https://cloud.google.com/dlp/docs/infotypes-reference when specifying a built-in type. When sending Cloud DLP results to Data Catalog, infoType names should conform to the pattern `[A-Za-z0-9$-_]{1,64}`.

116

},

Bu Sun Kim

2020-11-16 11:05:03 -0700

[diff] [blame^]

117

"maxFindings": 42, # Max findings limit for the given infoType.

118

},

119

],

120

"maxFindingsPerItem": 42, # Max number of findings that will be returned for each item scanned. When set within `InspectJobConfig`, the maximum returned is 2000 regardless if this is set higher. When set within `InspectContentRequest`, this field is ignored.

121

"maxFindingsPerRequest": 42, # Max number of findings that will be returned per request/job. When set within `InspectContentRequest`, the maximum returned is 2000 regardless if this is set higher.

122

},

123

"infoTypes": [ # Restricts what info_types to look for. The values must correspond to InfoType values returned by ListInfoTypes or listed at https://cloud.google.com/dlp/docs/infotypes-reference. When no InfoTypes or CustomInfoTypes are specified in a request, the system may automatically choose what detectors to run. By default this may be all types, but may change over time as detectors are updated. If you need precise control and predictability as to what detectors are run you should specify specific InfoTypes listed in the reference, otherwise a default list will be used, which may change over time.

124

{ # Type of information detected by the API.

125

"name": "A String", # Name of the information type. Either a name of your choosing when creating a CustomInfoType, or one of the names listed at https://cloud.google.com/dlp/docs/infotypes-reference when specifying a built-in type. When sending Cloud DLP results to Data Catalog, infoType names should conform to the pattern `[A-Za-z0-9$-_]{1,64}`.

126

},

127

],

128

"includeQuote": True or False, # When true, a contextual quote from the data that triggered a finding is included in the response; see Finding.quote.

129

"ruleSet": [ # Set of rules to apply to the findings for this InspectConfig. Exclusion rules, contained in the set are executed in the end, other rules are executed in the order they are specified for each info type.

130

{ # Rule set for modifying a set of infoTypes to alter behavior under certain circumstances, depending on the specific details of the rules within the set.

Dmitry Frenkel

2020-10-06 16:46:05 -0700

[diff] [blame]

131

"rules": [ # Set of rules to be applied to infoTypes. The rules are applied in order.

132

{ # A single inspection rule to be applied to infoTypes, specified in `InspectionRuleSet`.

133

"exclusionRule": { # The rule that specifies conditions when findings of infoTypes specified in `InspectionRuleSet` are removed from results. # Exclusion rule.

134

"dictionary": { # Custom information type based on a dictionary of words or phrases. This can be used to match sensitive information specific to the data, such as a list of employee IDs or job titles. Dictionary words are case-insensitive and all characters other than letters and digits in the unicode [Basic Multilingual Plane](https://en.wikipedia.org/wiki/Plane_%28Unicode%29#Basic_Multilingual_Plane) will be replaced with whitespace when scanning for matches, so the dictionary phrase "Sam Johnson" will match all three phrases "sam johnson", "Sam, Johnson", and "Sam (Johnson)". Additionally, the characters surrounding any match must be of a different type than the adjacent characters within the word, so letters must be next to non-letters and digits next to non-digits. For example, the dictionary word "jen" will match the first three letters of the text "jen123" but will return no matches for "jennifer". Dictionary words containing a large number of characters that are not letters or digits may result in unexpected findings because such characters are treated as whitespace. The [limits](https://cloud.google.com/dlp/limits) page contains details about the size limits of dictionaries. For dictionaries that do not fit within these constraints, consider using `LargeCustomDictionaryConfig` in the `StoredInfoType` API. # Dictionary which defines the rule.

135

"cloudStoragePath": { # Message representing a single file or path in Cloud Storage. # Newline-delimited file of words in Cloud Storage. Only a single file is accepted.

136

"path": "A String", # A url representing a file or path (no wildcards) in Cloud Storage. Example: gs://[BUCKET_NAME]/dictionary.txt

137

},

138

"wordList": { # Message defining a list of words or phrases to search for in the data. # List of words or phrases to search for.

139

"words": [ # Words or phrases defining the dictionary. The dictionary must contain at least one phrase and every phrase must contain at least 2 characters that are letters or digits. [required]

"A String",

],

},

},

Bu Sun Kim

2020-11-16 11:05:03 -0700

[diff] [blame^]

144

"regex": { # Message defining a custom regular expression. # Regular expression which defines the rule.

145

"groupIndexes": [ # The index of the submatch to extract as findings. When not specified, the entire match is returned. No more than 3 may be included.

146

42,

147

],

148

"pattern": "A String", # Pattern defining the regular expression. Its syntax (https://github.com/google/re2/wiki/Syntax) can be found under the google/re2 repository on GitHub.

149

},

150

"matchingType": "A String", # How the rule is applied, see MatchingType documentation for details.

Dmitry Frenkel

2020-10-06 16:46:05 -0700

[diff] [blame]

151

"excludeInfoTypes": { # List of exclude infoTypes. # Set of infoTypes for which findings would affect this rule.

152

"infoTypes": [ # InfoType list in ExclusionRule rule drops a finding when it overlaps or contained within with a finding of an infoType from this list. For example, for `InspectionRuleSet.info_types` containing "PHONE_NUMBER"` and `exclusion_rule` containing `exclude_info_types.info_types` with "EMAIL_ADDRESS" the phone number findings are dropped if they overlap with EMAIL_ADDRESS finding. That leads to "555-222-2222@example.org" to generate only a single finding, namely email address.

153

{ # Type of information detected by the API.

154

"name": "A String", # Name of the information type. Either a name of your choosing when creating a CustomInfoType, or one of the names listed at https://cloud.google.com/dlp/docs/infotypes-reference when specifying a built-in type. When sending Cloud DLP results to Data Catalog, infoType names should conform to the pattern `[A-Za-z0-9$-_]{1,64}`.

155

},

156

],

157

},

Dmitry Frenkel

2020-10-06 16:46:05 -0700

[diff] [blame]

158

},

159

"hotwordRule": { # The rule that adjusts the likelihood of findings within a certain proximity of hotwords. # Hotword-based detection rule.

160

"proximity": { # Message for specifying a window around a finding to apply a detection rule. # Proximity of the finding within which the entire hotword must reside. The total length of the window cannot exceed 1000 characters. Note that the finding itself will be included in the window, so that hotwords may be used to match substrings of the finding itself. For example, the certainty of a phone number regex "$\d{3}$ \d{3}-\d{4}" could be adjusted upwards if the area code is known to be the local area code of a company office using the hotword regex "$xxx$", where "xxx" is the area code in question.

Dmitry Frenkel

2020-10-06 16:46:05 -0700

[diff] [blame]

161

"windowBefore": 42, # Number of characters before the finding to consider.

Bu Sun Kim

2020-11-16 11:05:03 -0700

[diff] [blame^]

162

"windowAfter": 42, # Number of characters after the finding to consider.

Dmitry Frenkel

2020-10-06 16:46:05 -0700

[diff] [blame]

163

},

164

"hotwordRegex": { # Message defining a custom regular expression. # Regular expression pattern defining what qualifies as a hotword.

Dmitry Frenkel

2020-10-06 16:46:05 -0700

[diff] [blame]

165

"groupIndexes": [ # The index of the submatch to extract as findings. When not specified, the entire match is returned. No more than 3 may be included.

166

42,

167

],

Bu Sun Kim

2020-11-16 11:05:03 -0700

[diff] [blame^]

168

"pattern": "A String", # Pattern defining the regular expression. Its syntax (https://github.com/google/re2/wiki/Syntax) can be found under the google/re2 repository on GitHub.

169

},

170

"likelihoodAdjustment": { # Message for specifying an adjustment to the likelihood of a finding as part of a detection rule. # Likelihood adjustment to apply to all matching findings.

171

"fixedLikelihood": "A String", # Set the likelihood of a finding to a fixed value.

172

"relativeLikelihood": 42, # Increase or decrease the likelihood by the specified number of levels. For example, if a finding would be `POSSIBLE` without the detection rule and `relative_likelihood` is 1, then it is upgraded to `LIKELY`, while a value of -1 would downgrade it to `UNLIKELY`. Likelihood may never drop below `VERY_UNLIKELY` or exceed `VERY_LIKELY`, so applying an adjustment of 1 followed by an adjustment of -1 when base likelihood is `VERY_LIKELY` will result in a final likelihood of `LIKELY`.

Dmitry Frenkel

2020-10-06 16:46:05 -0700

[diff] [blame]

},

},

},

],

Bu Sun Kim

2020-11-16 11:05:03 -0700

[diff] [blame^]

177

"infoTypes": [ # List of infoTypes this rule set is applied to.

178

{ # Type of information detected by the API.

Dmitry Frenkel

2020-10-06 16:46:05 -0700

[diff] [blame]

179

"name": "A String", # Name of the information type. Either a name of your choosing when creating a CustomInfoType, or one of the names listed at https://cloud.google.com/dlp/docs/infotypes-reference when specifying a built-in type. When sending Cloud DLP results to Data Catalog, infoType names should conform to the pattern `[A-Za-z0-9$-_]{1,64}`.

180

},

Bu Sun Kim

2020-11-16 11:05:03 -0700

[diff] [blame^]

181

],

182

},

183

],

Dmitry Frenkel

2020-10-06 16:46:05 -0700

[diff] [blame]

184

"customInfoTypes": [ # CustomInfoTypes provided by the user. See https://cloud.google.com/dlp/docs/creating-custom-infotypes to learn more.

185

{ # Custom information type provided by the user. Used to find domain-specific sensitive information configurable to the data in question.

Bu Sun Kim

2020-11-16 11:05:03 -0700

[diff] [blame^]

186

"infoType": { # Type of information detected by the API. # CustomInfoType can either be a new infoType, or an extension of built-in infoType, when the name matches one of existing infoTypes and that infoType is specified in `InspectContent.info_types` field. Specifying the latter adds findings to the one detected by the system. If built-in info type is not specified in `InspectContent.info_types` list then the name is treated as a custom info type.

187

"name": "A String", # Name of the information type. Either a name of your choosing when creating a CustomInfoType, or one of the names listed at https://cloud.google.com/dlp/docs/infotypes-reference when specifying a built-in type. When sending Cloud DLP results to Data Catalog, infoType names should conform to the pattern `[A-Za-z0-9$-_]{1,64}`.

188

},

189

"storedType": { # A reference to a StoredInfoType to use with scanning. # Load an existing `StoredInfoType` resource for use in `InspectDataSource`. Not currently supported in `InspectContent`.

190

"createTime": "A String", # Timestamp indicating when the version of the `StoredInfoType` used for inspection was created. Output-only field, populated by the system.

191

"name": "A String", # Resource name of the requested `StoredInfoType`, for example `organizations/433245324/storedInfoTypes/432452342` or `projects/project-id/storedInfoTypes/432452342`.

192

},

193

"regex": { # Message defining a custom regular expression. # Regular expression based CustomInfoType.

194

"groupIndexes": [ # The index of the submatch to extract as findings. When not specified, the entire match is returned. No more than 3 may be included.

195

42,

196

],

197

"pattern": "A String", # Pattern defining the regular expression. Its syntax (https://github.com/google/re2/wiki/Syntax) can be found under the google/re2 repository on GitHub.

198

},

Dmitry Frenkel

2020-10-06 16:46:05 -0700

[diff] [blame]

199

"detectionRules": [ # Set of detection rules to apply to all findings of this CustomInfoType. Rules are applied in order that they are specified. Not supported for the `surrogate_type` CustomInfoType.

200

{ # Deprecated; use `InspectionRuleSet` instead. Rule for modifying a `CustomInfoType` to alter behavior under certain circumstances, depending on the specific details of the rule. Not supported for the `surrogate_type` custom infoType.

201

"hotwordRule": { # The rule that adjusts the likelihood of findings within a certain proximity of hotwords. # Hotword-based detection rule.

202

"proximity": { # Message for specifying a window around a finding to apply a detection rule. # Proximity of the finding within which the entire hotword must reside. The total length of the window cannot exceed 1000 characters. Note that the finding itself will be included in the window, so that hotwords may be used to match substrings of the finding itself. For example, the certainty of a phone number regex "$\d{3}$ \d{3}-\d{4}" could be adjusted upwards if the area code is known to be the local area code of a company office using the hotword regex "$xxx$", where "xxx" is the area code in question.

Dmitry Frenkel

2020-10-06 16:46:05 -0700

[diff] [blame]

203

"windowBefore": 42, # Number of characters before the finding to consider.

Bu Sun Kim

2020-11-16 11:05:03 -0700

[diff] [blame^]

204

"windowAfter": 42, # Number of characters after the finding to consider.

Dmitry Frenkel

2020-10-06 16:46:05 -0700

[diff] [blame]

205

},

206

"hotwordRegex": { # Message defining a custom regular expression. # Regular expression pattern defining what qualifies as a hotword.

Dmitry Frenkel

2020-10-06 16:46:05 -0700

[diff] [blame]

207

"groupIndexes": [ # The index of the submatch to extract as findings. When not specified, the entire match is returned. No more than 3 may be included.

208

42,

209

],

Bu Sun Kim

2020-11-16 11:05:03 -0700

[diff] [blame^]

210

"pattern": "A String", # Pattern defining the regular expression. Its syntax (https://github.com/google/re2/wiki/Syntax) can be found under the google/re2 repository on GitHub.

211

},

212

"likelihoodAdjustment": { # Message for specifying an adjustment to the likelihood of a finding as part of a detection rule. # Likelihood adjustment to apply to all matching findings.

213

"fixedLikelihood": "A String", # Set the likelihood of a finding to a fixed value.

214

"relativeLikelihood": 42, # Increase or decrease the likelihood by the specified number of levels. For example, if a finding would be `POSSIBLE` without the detection rule and `relative_likelihood` is 1, then it is upgraded to `LIKELY`, while a value of -1 would downgrade it to `UNLIKELY`. Likelihood may never drop below `VERY_UNLIKELY` or exceed `VERY_LIKELY`, so applying an adjustment of 1 followed by an adjustment of -1 when base likelihood is `VERY_LIKELY` will result in a final likelihood of `LIKELY`.

Dmitry Frenkel

2020-10-06 16:46:05 -0700

[diff] [blame]

},

},

},

],

Dmitry Frenkel

2020-10-06 16:46:05 -0700

[diff] [blame]

219

"dictionary": { # Custom information type based on a dictionary of words or phrases. This can be used to match sensitive information specific to the data, such as a list of employee IDs or job titles. Dictionary words are case-insensitive and all characters other than letters and digits in the unicode [Basic Multilingual Plane](https://en.wikipedia.org/wiki/Plane_%28Unicode%29#Basic_Multilingual_Plane) will be replaced with whitespace when scanning for matches, so the dictionary phrase "Sam Johnson" will match all three phrases "sam johnson", "Sam, Johnson", and "Sam (Johnson)". Additionally, the characters surrounding any match must be of a different type than the adjacent characters within the word, so letters must be next to non-letters and digits next to non-digits. For example, the dictionary word "jen" will match the first three letters of the text "jen123" but will return no matches for "jennifer". Dictionary words containing a large number of characters that are not letters or digits may result in unexpected findings because such characters are treated as whitespace. The [limits](https://cloud.google.com/dlp/limits) page contains details about the size limits of dictionaries. For dictionaries that do not fit within these constraints, consider using `LargeCustomDictionaryConfig` in the `StoredInfoType` API. # A list of phrases to detect as a CustomInfoType.

220

"cloudStoragePath": { # Message representing a single file or path in Cloud Storage. # Newline-delimited file of words in Cloud Storage. Only a single file is accepted.

221

"path": "A String", # A url representing a file or path (no wildcards) in Cloud Storage. Example: gs://[BUCKET_NAME]/dictionary.txt

222

},

223

"wordList": { # Message defining a list of words or phrases to search for in the data. # List of words or phrases to search for.

224

"words": [ # Words or phrases defining the dictionary. The dictionary must contain at least one phrase and every phrase must contain at least 2 characters that are letters or digits. [required]

"A String",

],

},

},

Bu Sun Kim

2020-11-16 11:05:03 -0700

[diff] [blame^]

229

"surrogateType": { # Message for detecting output from deidentification transformations such as [`CryptoReplaceFfxFpeConfig`](https://cloud.google.com/dlp/docs/reference/rest/v2/organizations.deidentifyTemplates#cryptoreplaceffxfpeconfig). These types of transformations are those that perform pseudonymization, thereby producing a "surrogate" as output. This should be used in conjunction with a field on the transformation such as `surrogate_info_type`. This CustomInfoType does not support the use of `detection_rules`. # Message for detecting output from deidentification transformations that support reversing.

Dmitry Frenkel

2020-10-06 16:46:05 -0700

[diff] [blame]

230

},

Bu Sun Kim

2020-11-16 11:05:03 -0700

[diff] [blame^]

231

"exclusionType": "A String", # If set to EXCLUSION_TYPE_EXCLUDE this infoType will not cause a finding to be returned. It still can be used for rules matching.

232

"likelihood": "A String", # Likelihood to return for this CustomInfoType. This base value can be altered by a detection rule if the finding meets the criteria specified by the rule. Defaults to `VERY_LIKELY` if not specified.

Dmitry Frenkel

2020-10-06 16:46:05 -0700

[diff] [blame]

233

},

234

],

Bu Sun Kim

2020-11-16 11:05:03 -0700

[diff] [blame^]

235

"excludeInfoTypes": True or False, # When true, excludes type information of the findings.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

236

},

Dmitry Frenkel

2020-10-06 16:46:05 -0700

[diff] [blame]

237

"deidentifyConfig": { # The configuration that controls how the data will change. # Configuration for the de-identification of the content item. Items specified here will override the template referenced by the deidentify_template_name argument.

Bu Sun Kim

2020-11-16 11:05:03 -0700

[diff] [blame^]

238

"transformationErrorHandling": { # How to handle transformation errors during de-identification. A transformation error occurs when the requested transformation is incompatible with the data. For example, trying to de-identify an IP address using a `DateShift` transformation would result in a transformation error, since date info cannot be extracted from an IP address. Information about any incompatible transformations, and how they were handled, is returned in the response as part of the `TransformationOverviews`. # Mode for handling transformation errors. If left unspecified, the default mode is `TransformationErrorHandling.ThrowError`.

239

"leaveUntransformed": { # Skips the data without modifying it if the requested transformation would cause an error. For example, if a `DateShift` transformation were applied an an IP address, this mode would leave the IP address unchanged in the response. # Ignore errors

240

},

241

"throwError": { # Throw an error and fail the request when a transformation error occurs. # Throw an error

242

},

243

},

Dmitry Frenkel

2020-10-06 16:46:05 -0700

[diff] [blame]

244

"infoTypeTransformations": { # A type of transformation that will scan unstructured text and apply various `PrimitiveTransformation`s to each finding, where the transformation is applied to only values that were identified as a specific info_type. # Treat the dataset as free-form text and apply the same free text transformation everywhere.

245

"transformations": [ # Required. Transformation for each infoType. Cannot specify more than one for a given infoType.

246

{ # A transformation to apply to text that is identified as a specific info_type.

Bu Sun Kim

2020-07-22 17:02:09 -0700

[diff] [blame]

247

"primitiveTransformation": { # A rule for transforming a value. # Required. Primitive transformation to apply to the infoType.

Bu Sun Kim

2020-11-16 11:05:03 -0700

[diff] [blame^]

248

"cryptoDeterministicConfig": { # Pseudonymization method that generates deterministic encryption for the given input. Outputs a base64 encoded representation of the encrypted output. Uses AES-SIV based on the RFC https://tools.ietf.org/html/rfc5297. # Deterministic Crypto

249

"cryptoKey": { # This is a data encryption key (DEK) (as opposed to a key encryption key (KEK) stored by KMS). When using KMS to wrap/unwrap DEKs, be sure to set an appropriate IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot unwrap the data crypto key. # The key used by the encryption function.

Dmitry Frenkel

2020-10-06 16:46:05 -0700

[diff] [blame]

250

"transient": { # Use this to have a random data crypto key generated. It will be discarded after the request finishes. # Transient crypto key

251

"name": "A String", # Required. Name of the key. This is an arbitrary string used to differentiate different keys. A unique key is generated per name: two separate `TransientCryptoKey` protos share the same generated key if their names are the same. When the data crypto key is generated, this name is not used in any way (repeating the api call will result in a different key being generated).

252

},

253

"kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. The wrapped key must be a 128/192/256 bit key. Authorization requires the following IAM permissions when sending a request to perform a crypto transformation using a kms-wrapped crypto key: dlp.kms.encrypt # Kms wrapped key

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

254

"cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.

255

"wrappedKey": "A String", # Required. The wrapped data crypto key.

256

},

Bu Sun Kim

2020-11-16 11:05:03 -0700

[diff] [blame^]

257

"unwrapped": { # Using raw keys is prone to security risks due to accidentally leaking the key. Choose another type of key if possible. # Unwrapped crypto key

258

"key": "A String", # Required. A 128/192/256 bit key.

259

},

Dmitry Frenkel

2020-10-06 16:46:05 -0700

[diff] [blame]

260

},

261

"context": { # General identifier of a data field in a storage service. # A context may be used for higher security and maintaining referential integrity such that the same identifier in two different contexts will be given a distinct surrogate. The context is appended to plaintext value being encrypted. On decryption the provided context is validated against the value used during encryption. If a context was provided during encryption, same context must be provided during decryption as well. If the context is not set, plaintext would be used as is for encryption. If the context is set but: 1. there is no record present when transforming a given value or 2. the field is not present when transforming a given value, plaintext would be used as is for encryption. Note that case (1) is expected when an `InfoTypeTransformation` is applied to both structured and non-structured `ContentItem`s.

262

"name": "A String", # Name describing the field.

263

},

Bu Sun Kim

2020-11-16 11:05:03 -0700

[diff] [blame^]

264

"surrogateInfoType": { # Type of information detected by the API. # The custom info type to annotate the surrogate with. This annotation will be applied to the surrogate by prefixing it with the name of the custom info type followed by the number of characters comprising the surrogate. The following scheme defines the format: {info type name}({surrogate character count}):{surrogate} For example, if the name of custom info type is 'MY_TOKEN_INFO_TYPE' and the surrogate is 'abc', the full replacement value will be: 'MY_TOKEN_INFO_TYPE(3):abc' This annotation identifies the surrogate when inspecting content using the custom info type 'Surrogate'. This facilitates reversal of the surrogate when it occurs in free text. Note: For record transformations where the entire cell in a table is being transformed, surrogates are not mandatory. Surrogates are used to denote the location of the token and are necessary for re-identification in free form text. In order for inspection to work properly, the name of this info type must not occur naturally anywhere in your data; otherwise, inspection may either - reverse a surrogate that does not correspond to an actual identifier - be unable to parse the surrogate and result in an error Therefore, choose your custom info type name carefully after considering what your data looks like. One way to select a name that has a high chance of yielding reliable detection is to include one or more unicode characters that are highly improbable to exist in your data. For example, assuming your data is entered from a regular ASCII keyboard, the symbol with the hex code point 29DD might be used like so: ⧝MY_TOKEN_TYPE.

265

"name": "A String", # Name of the information type. Either a name of your choosing when creating a CustomInfoType, or one of the names listed at https://cloud.google.com/dlp/docs/infotypes-reference when specifying a built-in type. When sending Cloud DLP results to Data Catalog, infoType names should conform to the pattern `[A-Za-z0-9$-_]{1,64}`.

266

},

267

},

268

"characterMaskConfig": { # Partially mask a string by replacing a given number of characters with a fixed character. Masking can start from the beginning or end of the string. This can be used on data of any type (numbers, longs, and so on) and when de-identifying structured data we'll attempt to preserve the original data's type. (This allows you to take a long like 123 and modify it to a string like **3. # Mask

269

"charactersToIgnore": [ # When masking a string, items in this list will be skipped when replacing characters. For example, if the input string is `555-555-5555` and you instruct Cloud DLP to skip `-` and mask 5 characters with `*`, Cloud DLP returns `***-**5-5555`.

270

{ # Characters to skip when doing deidentification of a value. These will be left alone and skipped.

271

"commonCharactersToIgnore": "A String", # Common characters to not transform when masking. Useful to avoid removing punctuation.

272

"charactersToSkip": "A String", # Characters to not transform when masking.

Bu Sun Kim

2020-07-22 17:02:09 -0700

[diff] [blame]

273

},

Bu Sun Kim

2020-11-16 11:05:03 -0700

[diff] [blame^]

274

],

275

"reverseOrder": True or False, # Mask characters in reverse order. For example, if `masking_character` is `0`, `number_to_mask` is `14`, and `reverse_order` is `false`, then the input string `1234-5678-9012-3456` is masked as `00000000000000-3456`. If `masking_character` is `*`, `number_to_mask` is `3`, and `reverse_order` is `true`, then the string `12345` is masked as `12***`.

276

"numberToMask": 42, # Number of characters to mask. If not set, all matching chars will be masked. Skipped characters do not count towards this tally.

277

"maskingCharacter": "A String", # Character to use to mask the sensitive values—for example, `*` for an alphabetic string such as a name, or `0` for a numeric string such as ZIP code or credit card number. This string must have a length of 1. If not supplied, this value defaults to `*` for strings, and `0` for digits.

278

},

279

"cryptoHashConfig": { # Pseudonymization method that generates surrogates via cryptographic hashing. Uses SHA-256. The key size must be either 32 or 64 bytes. Outputs a base64 encoded representation of the hashed output (for example, L7k0BHmF1ha5U3NfGykjro4xWi1MPVQPjhMAZbSV9mM=). Currently, only string and integer values can be hashed. See https://cloud.google.com/dlp/docs/pseudonymization to learn more. # Crypto

280

"cryptoKey": { # This is a data encryption key (DEK) (as opposed to a key encryption key (KEK) stored by KMS). When using KMS to wrap/unwrap DEKs, be sure to set an appropriate IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot unwrap the data crypto key. # The key used by the hash function.

Dmitry Frenkel

2020-10-06 16:46:05 -0700

[diff] [blame]

281

"transient": { # Use this to have a random data crypto key generated. It will be discarded after the request finishes. # Transient crypto key

282

"name": "A String", # Required. Name of the key. This is an arbitrary string used to differentiate different keys. A unique key is generated per name: two separate `TransientCryptoKey` protos share the same generated key if their names are the same. When the data crypto key is generated, this name is not used in any way (repeating the api call will result in a different key being generated).

283

},

284

"kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. The wrapped key must be a 128/192/256 bit key. Authorization requires the following IAM permissions when sending a request to perform a crypto transformation using a kms-wrapped crypto key: dlp.kms.encrypt # Kms wrapped key

285

"cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.

286

"wrappedKey": "A String", # Required. The wrapped data crypto key.

287

},

Bu Sun Kim

2020-11-16 11:05:03 -0700

[diff] [blame^]

288

"unwrapped": { # Using raw keys is prone to security risks due to accidentally leaking the key. Choose another type of key if possible. # Unwrapped crypto key

289

"key": "A String", # Required. A 128/192/256 bit key.

290

},

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

291

},

Bu Sun Kim

2020-07-22 17:02:09 -0700

[diff] [blame]

292

},

Bu Sun Kim

2020-11-16 11:05:03 -0700

[diff] [blame^]

293

"dateShiftConfig": { # Shifts dates by random number of days, with option to be consistent for the same context. See https://cloud.google.com/dlp/docs/concepts-date-shifting to learn more. # Date Shift

294

"context": { # General identifier of a data field in a storage service. # Points to the field that contains the context, for example, an entity id. If set, must also set cryptoKey. If set, shift will be consistent for the given context.

295

"name": "A String", # Name describing the field.

Dmitry Frenkel

2020-10-06 16:46:05 -0700

[diff] [blame]

296

},

Bu Sun Kim

2020-11-16 11:05:03 -0700

[diff] [blame^]

297

"cryptoKey": { # This is a data encryption key (DEK) (as opposed to a key encryption key (KEK) stored by KMS). When using KMS to wrap/unwrap DEKs, be sure to set an appropriate IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot unwrap the data crypto key. # Causes the shift to be computed based on this key and the context. This results in the same shift for the same context and crypto_key. If set, must also set context. Can only be applied to table items.

298

"transient": { # Use this to have a random data crypto key generated. It will be discarded after the request finishes. # Transient crypto key

299

"name": "A String", # Required. Name of the key. This is an arbitrary string used to differentiate different keys. A unique key is generated per name: two separate `TransientCryptoKey` protos share the same generated key if their names are the same. When the data crypto key is generated, this name is not used in any way (repeating the api call will result in a different key being generated).

300

},

301

"kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. The wrapped key must be a 128/192/256 bit key. Authorization requires the following IAM permissions when sending a request to perform a crypto transformation using a kms-wrapped crypto key: dlp.kms.encrypt # Kms wrapped key

302

"cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.

303

"wrappedKey": "A String", # Required. The wrapped data crypto key.

304

},

305

"unwrapped": { # Using raw keys is prone to security risks due to accidentally leaking the key. Choose another type of key if possible. # Unwrapped crypto key

306

"key": "A String", # Required. A 128/192/256 bit key.

307

},

308

},

309

"lowerBoundDays": 42, # Required. For example, -5 means shift date to at most 5 days back in the past.

310

"upperBoundDays": 42, # Required. Range of shift in days. Actual shift will be selected at random within this range (inclusive ends). Negative means shift to earlier in time. Must not be more than 365250 days (1000 years) each direction. For example, 3 means shift date to at most 3 days into the future.

311

},

312

"bucketingConfig": { # Generalization function that buckets values based on ranges. The ranges and replacement values are dynamically provided by the user for custom behavior, such as 1-30 -> LOW 31-65 -> MEDIUM 66-100 -> HIGH This can be used on data of type: number, long, string, timestamp. If the bound `Value` type differs from the type of data being transformed, we will first attempt converting the type of the data to be transformed to match the type of the bound before comparing. See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more. # Bucketing

313

"buckets": [ # Set of buckets. Ranges must be non-overlapping.

314

{ # Bucket is represented as a range, along with replacement values.

315

"replacementValue": { # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a 'Value' is based on its representation as a UTF-8 encoded string. For example, if 'integer_value' is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data. # Required. Replacement value for this bucket.

316

"dateValue": { # Represents a whole or partial calendar date, such as a birthday. The time of day and time zone are either specified elsewhere or are insignificant. The date is relative to the Gregorian Calendar. This can represent one of the following: * A full date, with non-zero year, month, and day values * A month and day value, with a zero year, such as an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, such as a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # date

317

"year": 42, # Year of the date. Must be from 1 to 9999, or 0 to specify a date without a year.

318

"day": 42, # Day of a month. Must be from 1 to 31 and valid for the year and month, or 0 to specify a year by itself or a year and month where the day isn't significant.

319

"month": 42, # Month of a year. Must be from 1 to 12, or 0 to specify a year without a month and day.

320

},

321

"dayOfWeekValue": "A String", # day of week

322

"integerValue": "A String", # integer

323

"booleanValue": True or False, # boolean

324

"stringValue": "A String", # string

325

"floatValue": 3.14, # float

326

"timestampValue": "A String", # timestamp

327

"timeValue": { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # time of day

328

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value "24:00:00" for scenarios like business closing time.

329

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds.

330

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

331

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

332

},

333

},

334

"min": { # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a 'Value' is based on its representation as a UTF-8 encoded string. For example, if 'integer_value' is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data. # Lower bound of the range, inclusive. Type should be the same as max if used.

335

"dateValue": { # Represents a whole or partial calendar date, such as a birthday. The time of day and time zone are either specified elsewhere or are insignificant. The date is relative to the Gregorian Calendar. This can represent one of the following: * A full date, with non-zero year, month, and day values * A month and day value, with a zero year, such as an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, such as a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # date

336

"year": 42, # Year of the date. Must be from 1 to 9999, or 0 to specify a date without a year.

337

"day": 42, # Day of a month. Must be from 1 to 31 and valid for the year and month, or 0 to specify a year by itself or a year and month where the day isn't significant.

338

"month": 42, # Month of a year. Must be from 1 to 12, or 0 to specify a year without a month and day.

339

},

340

"dayOfWeekValue": "A String", # day of week

341

"integerValue": "A String", # integer

342

"booleanValue": True or False, # boolean

343

"stringValue": "A String", # string

344

"floatValue": 3.14, # float

345

"timestampValue": "A String", # timestamp

346

"timeValue": { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # time of day

347

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value "24:00:00" for scenarios like business closing time.

348

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds.

349

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

350

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

351

},

352

},

353

"max": { # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a 'Value' is based on its representation as a UTF-8 encoded string. For example, if 'integer_value' is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data. # Upper bound of the range, exclusive; type must match min.

354

"dateValue": { # Represents a whole or partial calendar date, such as a birthday. The time of day and time zone are either specified elsewhere or are insignificant. The date is relative to the Gregorian Calendar. This can represent one of the following: * A full date, with non-zero year, month, and day values * A month and day value, with a zero year, such as an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, such as a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # date

355

"year": 42, # Year of the date. Must be from 1 to 9999, or 0 to specify a date without a year.

356

"day": 42, # Day of a month. Must be from 1 to 31 and valid for the year and month, or 0 to specify a year by itself or a year and month where the day isn't significant.

357

"month": 42, # Month of a year. Must be from 1 to 12, or 0 to specify a year without a month and day.

358

},

359

"dayOfWeekValue": "A String", # day of week

360

"integerValue": "A String", # integer

361

"booleanValue": True or False, # boolean

362

"stringValue": "A String", # string

363

"floatValue": 3.14, # float

364

"timestampValue": "A String", # timestamp

365

"timeValue": { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # time of day

366

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value "24:00:00" for scenarios like business closing time.

367

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds.

368

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

369

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

},

},

},

],

Dmitry Frenkel

2020-10-06 16:46:05 -0700

[diff] [blame]

374

},

375

"cryptoReplaceFfxFpeConfig": { # Replaces an identifier with a surrogate using Format Preserving Encryption (FPE) with the FFX mode of operation; however when used in the `ReidentifyContent` API method, it serves the opposite function by reversing the surrogate back into the original identifier. The identifier must be encoded as ASCII. For a given crypto key and context, the same identifier will be replaced with the same surrogate. Identifiers must be at least two characters long. In the case that the identifier is the empty string, it will be skipped. See https://cloud.google.com/dlp/docs/pseudonymization to learn more. Note: We recommend using CryptoDeterministicConfig for all use cases which do not require preserving the input alphabet space and size, plus warrant referential integrity. # Ffx-Fpe

Bu Sun Kim

2020-11-16 11:05:03 -0700

[diff] [blame^]

376

"customAlphabet": "A String", # This is supported by mapping these to the alphanumeric characters that the FFX mode natively supports. This happens before/after encryption/decryption. Each character listed must appear only once. Number of characters must be in the range [2, 95]. This must be encoded as ASCII. The order of characters does not matter. The full list of allowed characters is: 0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz ~`!@#$%^&*()_-+={[}]|\:;"'<,>.?/

377

"cryptoKey": { # This is a data encryption key (DEK) (as opposed to a key encryption key (KEK) stored by KMS). When using KMS to wrap/unwrap DEKs, be sure to set an appropriate IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot unwrap the data crypto key. # Required. The key used by the encryption algorithm.

378

"transient": { # Use this to have a random data crypto key generated. It will be discarded after the request finishes. # Transient crypto key

379

"name": "A String", # Required. Name of the key. This is an arbitrary string used to differentiate different keys. A unique key is generated per name: two separate `TransientCryptoKey` protos share the same generated key if their names are the same. When the data crypto key is generated, this name is not used in any way (repeating the api call will result in a different key being generated).

380

},

381

"kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. The wrapped key must be a 128/192/256 bit key. Authorization requires the following IAM permissions when sending a request to perform a crypto transformation using a kms-wrapped crypto key: dlp.kms.encrypt # Kms wrapped key

382

"cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.

383

"wrappedKey": "A String", # Required. The wrapped data crypto key.

384

},

385

"unwrapped": { # Using raw keys is prone to security risks due to accidentally leaking the key. Choose another type of key if possible. # Unwrapped crypto key

386

"key": "A String", # Required. A 128/192/256 bit key.

387

},

388

},

389

"commonAlphabet": "A String", # Common alphabets.

390

"radix": 42, # The native way to select the alphabet. Must be in the range [2, 95].

Dmitry Frenkel

2020-10-06 16:46:05 -0700

[diff] [blame]

391

"surrogateInfoType": { # Type of information detected by the API. # The custom infoType to annotate the surrogate with. This annotation will be applied to the surrogate by prefixing it with the name of the custom infoType followed by the number of characters comprising the surrogate. The following scheme defines the format: info_type_name(surrogate_character_count):surrogate For example, if the name of custom infoType is 'MY_TOKEN_INFO_TYPE' and the surrogate is 'abc', the full replacement value will be: 'MY_TOKEN_INFO_TYPE(3):abc' This annotation identifies the surrogate when inspecting content using the custom infoType [`SurrogateType`](https://cloud.google.com/dlp/docs/reference/rest/v2/InspectConfig#surrogatetype). This facilitates reversal of the surrogate when it occurs in free text. In order for inspection to work properly, the name of this infoType must not occur naturally anywhere in your data; otherwise, inspection may find a surrogate that does not correspond to an actual identifier. Therefore, choose your custom infoType name carefully after considering what your data looks like. One way to select a name that has a high chance of yielding reliable detection is to include one or more unicode characters that are highly improbable to exist in your data. For example, assuming your data is entered from a regular ASCII keyboard, the symbol with the hex code point 29DD might be used like so: ⧝MY_TOKEN_TYPE

392

"name": "A String", # Name of the information type. Either a name of your choosing when creating a CustomInfoType, or one of the names listed at https://cloud.google.com/dlp/docs/infotypes-reference when specifying a built-in type. When sending Cloud DLP results to Data Catalog, infoType names should conform to the pattern `[A-Za-z0-9$-_]{1,64}`.

393

},

394

"context": { # General identifier of a data field in a storage service. # The 'tweak', a context may be used for higher security since the same identifier in two different contexts won't be given the same surrogate. If the context is not set, a default tweak will be used. If the context is set but: 1. there is no record present when transforming a given value or 1. the field is not present when transforming a given value, a default tweak will be used. Note that case (1) is expected when an `InfoTypeTransformation` is applied to both structured and non-structured `ContentItem`s. Currently, the referenced field may be of value type integer or string. The tweak is constructed as a sequence of bytes in big endian byte order such that: - a 64 bit integer is encoded followed by a single byte of value 1 - a string is encoded in UTF-8 format followed by a single byte of value 2

395

"name": "A String", # Name describing the field.

396

},

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

397

},

Dmitry Frenkel

2020-10-06 16:46:05 -0700

[diff] [blame]

398

"timePartConfig": { # For use with `Date`, `Timestamp`, and `TimeOfDay`, extract or preserve a portion of the value. # Time extraction

399

"partToExtract": "A String", # The part of the time to keep.

400

},

Bu Sun Kim

2020-11-16 11:05:03 -0700

[diff] [blame^]

401

"replaceWithInfoTypeConfig": { # Replace each matching finding with the name of the info_type. # Replace with infotype

402

},

Dmitry Frenkel

2020-10-06 16:46:05 -0700

[diff] [blame]

403

"fixedSizeBucketingConfig": { # Buckets values based on fixed size ranges. The Bucketing transformation can provide all of this functionality, but requires more configuration. This message is provided as a convenience to the user for simple bucketing strategies. The transformed value will be a hyphenated string of {lower_bound}-{upper_bound}, i.e if lower_bound = 10 and upper_bound = 20 all values that are within this bucket will be replaced with "10-20". This can be used on data of type: double, long. If the bound Value type differs from the type of data being transformed, we will first attempt converting the type of the data to be transformed to match the type of the bound before comparing. See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more. # Fixed size bucketing

404

"bucketSize": 3.14, # Required. Size of each bucket (except for minimum and maximum buckets). So if `lower_bound` = 10, `upper_bound` = 89, and `bucket_size` = 10, then the following buckets would be used: -10, 10-20, 20-30, 30-40, 40-50, 50-60, 60-70, 70-80, 80-89, 89+. Precision up to 2 decimals works.

Dmitry Frenkel

2020-10-06 16:46:05 -0700

[diff] [blame]

405

"upperBound": { # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a 'Value' is based on its representation as a UTF-8 encoded string. For example, if 'integer_value' is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data. # Required. Upper bound value of buckets. All values greater than upper_bound are grouped together into a single bucket; for example if `upper_bound` = 89, then all values greater than 89 are replaced with the value "89+".

Bu Sun Kim

2020-11-16 11:05:03 -0700

[diff] [blame^]

406

"dateValue": { # Represents a whole or partial calendar date, such as a birthday. The time of day and time zone are either specified elsewhere or are insignificant. The date is relative to the Gregorian Calendar. This can represent one of the following: * A full date, with non-zero year, month, and day values * A month and day value, with a zero year, such as an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, such as a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # date

407

"year": 42, # Year of the date. Must be from 1 to 9999, or 0 to specify a date without a year.

408

"day": 42, # Day of a month. Must be from 1 to 31 and valid for the year and month, or 0 to specify a year by itself or a year and month where the day isn't significant.

409

"month": 42, # Month of a year. Must be from 1 to 12, or 0 to specify a year without a month and day.

410

},

411

"dayOfWeekValue": "A String", # day of week

Bu Sun Kim

2020-07-22 17:02:09 -0700

[diff] [blame]

412

"integerValue": "A String", # integer

Bu Sun Kim

2020-07-22 17:02:09 -0700

[diff] [blame]

413

"booleanValue": True or False, # boolean

Bu Sun Kim

2020-11-16 11:05:03 -0700

[diff] [blame^]

414

"stringValue": "A String", # string

415

"floatValue": 3.14, # float

Dmitry Frenkel

2020-10-06 16:46:05 -0700

[diff] [blame]

416

"timestampValue": "A String", # timestamp

Dmitry Frenkel

2020-10-06 16:46:05 -0700

[diff] [blame]

417

"timeValue": { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # time of day

Bu Sun Kim

2020-11-16 11:05:03 -0700

[diff] [blame^]

418

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value "24:00:00" for scenarios like business closing time.

Dmitry Frenkel

2020-10-06 16:46:05 -0700

[diff] [blame]

419

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds.

420

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

Bu Sun Kim

2020-11-16 11:05:03 -0700

[diff] [blame^]

421

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

422

},

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

423

},

Bu Sun Kim

2020-11-16 11:05:03 -0700

[diff] [blame^]

424

"lowerBound": { # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a 'Value' is based on its representation as a UTF-8 encoded string. For example, if 'integer_value' is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data. # Required. Lower bound value of buckets. All values less than `lower_bound` are grouped together into a single bucket; for example if `lower_bound` = 10, then all values less than 10 are replaced with the value "-10".

425

"dateValue": { # Represents a whole or partial calendar date, such as a birthday. The time of day and time zone are either specified elsewhere or are insignificant. The date is relative to the Gregorian Calendar. This can represent one of the following: * A full date, with non-zero year, month, and day values * A month and day value, with a zero year, such as an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, such as a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # date

426

"year": 42, # Year of the date. Must be from 1 to 9999, or 0 to specify a date without a year.

427

"day": 42, # Day of a month. Must be from 1 to 31 and valid for the year and month, or 0 to specify a year by itself or a year and month where the day isn't significant.

428

"month": 42, # Month of a year. Must be from 1 to 12, or 0 to specify a year without a month and day.

429

},

430

"dayOfWeekValue": "A String", # day of week

431

"integerValue": "A String", # integer

432

"booleanValue": True or False, # boolean

433

"stringValue": "A String", # string

434

"floatValue": 3.14, # float

435

"timestampValue": "A String", # timestamp

436

"timeValue": { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # time of day

437

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value "24:00:00" for scenarios like business closing time.

438

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds.

439

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

440

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

},

},

},

"replaceConfig": { # Replace each input value with a given `Value`. # Replace

445

"newValue": { # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a 'Value' is based on its representation as a UTF-8 encoded string. For example, if 'integer_value' is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data. # Value to replace it with.

446

"dateValue": { # Represents a whole or partial calendar date, such as a birthday. The time of day and time zone are either specified elsewhere or are insignificant. The date is relative to the Gregorian Calendar. This can represent one of the following: * A full date, with non-zero year, month, and day values * A month and day value, with a zero year, such as an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, such as a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # date

447

"year": 42, # Year of the date. Must be from 1 to 9999, or 0 to specify a date without a year.

448

"day": 42, # Day of a month. Must be from 1 to 31 and valid for the year and month, or 0 to specify a year by itself or a year and month where the day isn't significant.

449

"month": 42, # Month of a year. Must be from 1 to 12, or 0 to specify a year without a month and day.

450

},

451

"dayOfWeekValue": "A String", # day of week

452

"integerValue": "A String", # integer

453

"booleanValue": True or False, # boolean

454

"stringValue": "A String", # string

455

"floatValue": 3.14, # float

456

"timestampValue": "A String", # timestamp

457

"timeValue": { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # time of day

458

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value "24:00:00" for scenarios like business closing time.

459

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds.

460

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

461

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

},

},

},

"redactConfig": { # Redact a given value. For example, if used with an `InfoTypeTransformation` transforming PHONE_NUMBER, and input 'My phone number is 206-555-0123', the output would be 'My phone number is '. # Redact

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

466

},

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

467

},

Dmitry Frenkel

2020-10-06 16:46:05 -0700

[diff] [blame]

468

"infoTypes": [ # InfoTypes to apply the transformation to. An empty list will cause this transformation to apply to all findings that correspond to infoTypes that were requested in `InspectConfig`.

469

{ # Type of information detected by the API.

470

"name": "A String", # Name of the information type. Either a name of your choosing when creating a CustomInfoType, or one of the names listed at https://cloud.google.com/dlp/docs/infotypes-reference when specifying a built-in type. When sending Cloud DLP results to Data Catalog, infoType names should conform to the pattern `[A-Za-z0-9$-_]{1,64}`.

471

},

472

],

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

473

},

474

],

475

},

Dmitry Frenkel

2020-10-06 16:46:05 -0700

[diff] [blame]

476

"recordTransformations": { # A type of transformation that is applied over structured data such as a table. # Treat the dataset as structured. Transformations can be applied to specific locations within structured datasets, such as transforming a column within a table.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

477

"fieldTransformations": [ # Transform the record by applying various field transformations.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

478

{ # The transformation to apply to the field.

Bu Sun Kim

2020-11-16 11:05:03 -0700

[diff] [blame^]

479

"fields": [ # Required. Input field(s) to apply the transformation to.

480

{ # General identifier of a data field in a storage service.

481

"name": "A String", # Name describing the field.

Dmitry Frenkel

2020-10-06 16:46:05 -0700

[diff] [blame]

482

},

Bu Sun Kim

2020-11-16 11:05:03 -0700

[diff] [blame^]

483

],

Dmitry Frenkel

2020-10-06 16:46:05 -0700

[diff] [blame]

484

"infoTypeTransformations": { # A type of transformation that will scan unstructured text and apply various `PrimitiveTransformation`s to each finding, where the transformation is applied to only values that were identified as a specific info_type. # Treat the contents of the field as free text, and selectively transform content that matches an `InfoType`.

485

"transformations": [ # Required. Transformation for each infoType. Cannot specify more than one for a given infoType.

486

{ # A transformation to apply to text that is identified as a specific info_type.

487

"primitiveTransformation": { # A rule for transforming a value. # Required. Primitive transformation to apply to the infoType.

Bu Sun Kim

2020-11-16 11:05:03 -0700

[diff] [blame^]

488

"cryptoDeterministicConfig": { # Pseudonymization method that generates deterministic encryption for the given input. Outputs a base64 encoded representation of the encrypted output. Uses AES-SIV based on the RFC https://tools.ietf.org/html/rfc5297. # Deterministic Crypto

489

"cryptoKey": { # This is a data encryption key (DEK) (as opposed to a key encryption key (KEK) stored by KMS). When using KMS to wrap/unwrap DEKs, be sure to set an appropriate IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot unwrap the data crypto key. # The key used by the encryption function.

Dmitry Frenkel

2020-10-06 16:46:05 -0700

[diff] [blame]

490

"transient": { # Use this to have a random data crypto key generated. It will be discarded after the request finishes. # Transient crypto key

491

"name": "A String", # Required. Name of the key. This is an arbitrary string used to differentiate different keys. A unique key is generated per name: two separate `TransientCryptoKey` protos share the same generated key if their names are the same. When the data crypto key is generated, this name is not used in any way (repeating the api call will result in a different key being generated).

492

},

493

"kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. The wrapped key must be a 128/192/256 bit key. Authorization requires the following IAM permissions when sending a request to perform a crypto transformation using a kms-wrapped crypto key: dlp.kms.encrypt # Kms wrapped key

494

"cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.

495

"wrappedKey": "A String", # Required. The wrapped data crypto key.

496

},

Bu Sun Kim

2020-11-16 11:05:03 -0700

[diff] [blame^]

497

"unwrapped": { # Using raw keys is prone to security risks due to accidentally leaking the key. Choose another type of key if possible. # Unwrapped crypto key

498

"key": "A String", # Required. A 128/192/256 bit key.

499

},

Dmitry Frenkel

2020-10-06 16:46:05 -0700

[diff] [blame]

500

},

501

"context": { # General identifier of a data field in a storage service. # A context may be used for higher security and maintaining referential integrity such that the same identifier in two different contexts will be given a distinct surrogate. The context is appended to plaintext value being encrypted. On decryption the provided context is validated against the value used during encryption. If a context was provided during encryption, same context must be provided during decryption as well. If the context is not set, plaintext would be used as is for encryption. If the context is set but: 1. there is no record present when transforming a given value or 2. the field is not present when transforming a given value, plaintext would be used as is for encryption. Note that case (1) is expected when an `InfoTypeTransformation` is applied to both structured and non-structured `ContentItem`s.

502

"name": "A String", # Name describing the field.

503

},

Bu Sun Kim

2020-11-16 11:05:03 -0700

[diff] [blame^]

504

"surrogateInfoType": { # Type of information detected by the API. # The custom info type to annotate the surrogate with. This annotation will be applied to the surrogate by prefixing it with the name of the custom info type followed by the number of characters comprising the surrogate. The following scheme defines the format: {info type name}({surrogate character count}):{surrogate} For example, if the name of custom info type is 'MY_TOKEN_INFO_TYPE' and the surrogate is 'abc', the full replacement value will be: 'MY_TOKEN_INFO_TYPE(3):abc' This annotation identifies the surrogate when inspecting content using the custom info type 'Surrogate'. This facilitates reversal of the surrogate when it occurs in free text. Note: For record transformations where the entire cell in a table is being transformed, surrogates are not mandatory. Surrogates are used to denote the location of the token and are necessary for re-identification in free form text. In order for inspection to work properly, the name of this info type must not occur naturally anywhere in your data; otherwise, inspection may either - reverse a surrogate that does not correspond to an actual identifier - be unable to parse the surrogate and result in an error Therefore, choose your custom info type name carefully after considering what your data looks like. One way to select a name that has a high chance of yielding reliable detection is to include one or more unicode characters that are highly improbable to exist in your data. For example, assuming your data is entered from a regular ASCII keyboard, the symbol with the hex code point 29DD might be used like so: ⧝MY_TOKEN_TYPE.

505

"name": "A String", # Name of the information type. Either a name of your choosing when creating a CustomInfoType, or one of the names listed at https://cloud.google.com/dlp/docs/infotypes-reference when specifying a built-in type. When sending Cloud DLP results to Data Catalog, infoType names should conform to the pattern `[A-Za-z0-9$-_]{1,64}`.

506

},

507

},

508

"characterMaskConfig": { # Partially mask a string by replacing a given number of characters with a fixed character. Masking can start from the beginning or end of the string. This can be used on data of any type (numbers, longs, and so on) and when de-identifying structured data we'll attempt to preserve the original data's type. (This allows you to take a long like 123 and modify it to a string like **3. # Mask

509

"charactersToIgnore": [ # When masking a string, items in this list will be skipped when replacing characters. For example, if the input string is `555-555-5555` and you instruct Cloud DLP to skip `-` and mask 5 characters with `*`, Cloud DLP returns `***-**5-5555`.

510

{ # Characters to skip when doing deidentification of a value. These will be left alone and skipped.

511

"commonCharactersToIgnore": "A String", # Common characters to not transform when masking. Useful to avoid removing punctuation.

512

"charactersToSkip": "A String", # Characters to not transform when masking.

Dmitry Frenkel

2020-10-06 16:46:05 -0700

[diff] [blame]

513

},

Bu Sun Kim

2020-11-16 11:05:03 -0700

[diff] [blame^]

514

],

515

"reverseOrder": True or False, # Mask characters in reverse order. For example, if `masking_character` is `0`, `number_to_mask` is `14`, and `reverse_order` is `false`, then the input string `1234-5678-9012-3456` is masked as `00000000000000-3456`. If `masking_character` is `*`, `number_to_mask` is `3`, and `reverse_order` is `true`, then the string `12345` is masked as `12***`.

516

"numberToMask": 42, # Number of characters to mask. If not set, all matching chars will be masked. Skipped characters do not count towards this tally.

517

"maskingCharacter": "A String", # Character to use to mask the sensitive values—for example, `*` for an alphabetic string such as a name, or `0` for a numeric string such as ZIP code or credit card number. This string must have a length of 1. If not supplied, this value defaults to `*` for strings, and `0` for digits.

518

},

519

"cryptoHashConfig": { # Pseudonymization method that generates surrogates via cryptographic hashing. Uses SHA-256. The key size must be either 32 or 64 bytes. Outputs a base64 encoded representation of the hashed output (for example, L7k0BHmF1ha5U3NfGykjro4xWi1MPVQPjhMAZbSV9mM=). Currently, only string and integer values can be hashed. See https://cloud.google.com/dlp/docs/pseudonymization to learn more. # Crypto

520

"cryptoKey": { # This is a data encryption key (DEK) (as opposed to a key encryption key (KEK) stored by KMS). When using KMS to wrap/unwrap DEKs, be sure to set an appropriate IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot unwrap the data crypto key. # The key used by the hash function.

Dmitry Frenkel

2020-10-06 16:46:05 -0700

[diff] [blame]

521

"transient": { # Use this to have a random data crypto key generated. It will be discarded after the request finishes. # Transient crypto key

522

"name": "A String", # Required. Name of the key. This is an arbitrary string used to differentiate different keys. A unique key is generated per name: two separate `TransientCryptoKey` protos share the same generated key if their names are the same. When the data crypto key is generated, this name is not used in any way (repeating the api call will result in a different key being generated).

523

},

524

"kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. The wrapped key must be a 128/192/256 bit key. Authorization requires the following IAM permissions when sending a request to perform a crypto transformation using a kms-wrapped crypto key: dlp.kms.encrypt # Kms wrapped key

525

"cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.

526

"wrappedKey": "A String", # Required. The wrapped data crypto key.

527

},

Bu Sun Kim

2020-11-16 11:05:03 -0700

[diff] [blame^]

528

"unwrapped": { # Using raw keys is prone to security risks due to accidentally leaking the key. Choose another type of key if possible. # Unwrapped crypto key

529

"key": "A String", # Required. A 128/192/256 bit key.

530

},

Dmitry Frenkel

2020-10-06 16:46:05 -0700

[diff] [blame]

531

},

532

},

Bu Sun Kim

2020-11-16 11:05:03 -0700

[diff] [blame^]

533

"dateShiftConfig": { # Shifts dates by random number of days, with option to be consistent for the same context. See https://cloud.google.com/dlp/docs/concepts-date-shifting to learn more. # Date Shift

534

"context": { # General identifier of a data field in a storage service. # Points to the field that contains the context, for example, an entity id. If set, must also set cryptoKey. If set, shift will be consistent for the given context.

535

"name": "A String", # Name describing the field.

Dmitry Frenkel

2020-10-06 16:46:05 -0700

[diff] [blame]

536

},

Bu Sun Kim

2020-11-16 11:05:03 -0700

[diff] [blame^]

537

"cryptoKey": { # This is a data encryption key (DEK) (as opposed to a key encryption key (KEK) stored by KMS). When using KMS to wrap/unwrap DEKs, be sure to set an appropriate IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot unwrap the data crypto key. # Causes the shift to be computed based on this key and the context. This results in the same shift for the same context and crypto_key. If set, must also set context. Can only be applied to table items.

538

"transient": { # Use this to have a random data crypto key generated. It will be discarded after the request finishes. # Transient crypto key

539

"name": "A String", # Required. Name of the key. This is an arbitrary string used to differentiate different keys. A unique key is generated per name: two separate `TransientCryptoKey` protos share the same generated key if their names are the same. When the data crypto key is generated, this name is not used in any way (repeating the api call will result in a different key being generated).

540

},

541

"kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. The wrapped key must be a 128/192/256 bit key. Authorization requires the following IAM permissions when sending a request to perform a crypto transformation using a kms-wrapped crypto key: dlp.kms.encrypt # Kms wrapped key

542

"cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.

543

"wrappedKey": "A String", # Required. The wrapped data crypto key.

544

},

545

"unwrapped": { # Using raw keys is prone to security risks due to accidentally leaking the key. Choose another type of key if possible. # Unwrapped crypto key

546

"key": "A String", # Required. A 128/192/256 bit key.

547

},

548

},

549

"lowerBoundDays": 42, # Required. For example, -5 means shift date to at most 5 days back in the past.

550

"upperBoundDays": 42, # Required. Range of shift in days. Actual shift will be selected at random within this range (inclusive ends). Negative means shift to earlier in time. Must not be more than 365250 days (1000 years) each direction. For example, 3 means shift date to at most 3 days into the future.

551

},

552

"bucketingConfig": { # Generalization function that buckets values based on ranges. The ranges and replacement values are dynamically provided by the user for custom behavior, such as 1-30 -> LOW 31-65 -> MEDIUM 66-100 -> HIGH This can be used on data of type: number, long, string, timestamp. If the bound `Value` type differs from the type of data being transformed, we will first attempt converting the type of the data to be transformed to match the type of the bound before comparing. See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more. # Bucketing

553

"buckets": [ # Set of buckets. Ranges must be non-overlapping.

554

{ # Bucket is represented as a range, along with replacement values.

555

"replacementValue": { # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a 'Value' is based on its representation as a UTF-8 encoded string. For example, if 'integer_value' is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data. # Required. Replacement value for this bucket.

556

"dateValue": { # Represents a whole or partial calendar date, such as a birthday. The time of day and time zone are either specified elsewhere or are insignificant. The date is relative to the Gregorian Calendar. This can represent one of the following: * A full date, with non-zero year, month, and day values * A month and day value, with a zero year, such as an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, such as a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # date

557

"year": 42, # Year of the date. Must be from 1 to 9999, or 0 to specify a date without a year.

558

"day": 42, # Day of a month. Must be from 1 to 31 and valid for the year and month, or 0 to specify a year by itself or a year and month where the day isn't significant.

559

"month": 42, # Month of a year. Must be from 1 to 12, or 0 to specify a year without a month and day.

560

},

561

"dayOfWeekValue": "A String", # day of week

562

"integerValue": "A String", # integer

563

"booleanValue": True or False, # boolean

564

"stringValue": "A String", # string

565

"floatValue": 3.14, # float

566

"timestampValue": "A String", # timestamp

567

"timeValue": { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # time of day

568

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value "24:00:00" for scenarios like business closing time.

569

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds.

570

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

571

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

572

},

573

},

574

"min": { # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a 'Value' is based on its representation as a UTF-8 encoded string. For example, if 'integer_value' is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data. # Lower bound of the range, inclusive. Type should be the same as max if used.

575

"dateValue": { # Represents a whole or partial calendar date, such as a birthday. The time of day and time zone are either specified elsewhere or are insignificant. The date is relative to the Gregorian Calendar. This can represent one of the following: * A full date, with non-zero year, month, and day values * A month and day value, with a zero year, such as an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, such as a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # date

576

"year": 42, # Year of the date. Must be from 1 to 9999, or 0 to specify a date without a year.

577

"day": 42, # Day of a month. Must be from 1 to 31 and valid for the year and month, or 0 to specify a year by itself or a year and month where the day isn't significant.

578

"month": 42, # Month of a year. Must be from 1 to 12, or 0 to specify a year without a month and day.

579

},

580

"dayOfWeekValue": "A String", # day of week

581

"integerValue": "A String", # integer

582

"booleanValue": True or False, # boolean

583

"stringValue": "A String", # string

584

"floatValue": 3.14, # float

585

"timestampValue": "A String", # timestamp

586

"timeValue": { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # time of day

587

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value "24:00:00" for scenarios like business closing time.

588

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds.

589

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

590

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

591

},

592

},

593

"max": { # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a 'Value' is based on its representation as a UTF-8 encoded string. For example, if 'integer_value' is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data. # Upper bound of the range, exclusive; type must match min.

594

"dateValue": { # Represents a whole or partial calendar date, such as a birthday. The time of day and time zone are either specified elsewhere or are insignificant. The date is relative to the Gregorian Calendar. This can represent one of the following: * A full date, with non-zero year, month, and day values * A month and day value, with a zero year, such as an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, such as a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # date

595

"year": 42, # Year of the date. Must be from 1 to 9999, or 0 to specify a date without a year.

596

"day": 42, # Day of a month. Must be from 1 to 31 and valid for the year and month, or 0 to specify a year by itself or a year and month where the day isn't significant.

597

"month": 42, # Month of a year. Must be from 1 to 12, or 0 to specify a year without a month and day.

598

},

599

"dayOfWeekValue": "A String", # day of week

600

"integerValue": "A String", # integer

601

"booleanValue": True or False, # boolean

602

"stringValue": "A String", # string

603

"floatValue": 3.14, # float

604

"timestampValue": "A String", # timestamp

605

"timeValue": { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # time of day

606

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value "24:00:00" for scenarios like business closing time.

607

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds.

608

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

609

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

},

},

},

],

Dmitry Frenkel

2020-10-06 16:46:05 -0700

[diff] [blame]

614

},

615

"cryptoReplaceFfxFpeConfig": { # Replaces an identifier with a surrogate using Format Preserving Encryption (FPE) with the FFX mode of operation; however when used in the `ReidentifyContent` API method, it serves the opposite function by reversing the surrogate back into the original identifier. The identifier must be encoded as ASCII. For a given crypto key and context, the same identifier will be replaced with the same surrogate. Identifiers must be at least two characters long. In the case that the identifier is the empty string, it will be skipped. See https://cloud.google.com/dlp/docs/pseudonymization to learn more. Note: We recommend using CryptoDeterministicConfig for all use cases which do not require preserving the input alphabet space and size, plus warrant referential integrity. # Ffx-Fpe

Bu Sun Kim

2020-11-16 11:05:03 -0700

[diff] [blame^]

616

"customAlphabet": "A String", # This is supported by mapping these to the alphanumeric characters that the FFX mode natively supports. This happens before/after encryption/decryption. Each character listed must appear only once. Number of characters must be in the range [2, 95]. This must be encoded as ASCII. The order of characters does not matter. The full list of allowed characters is: 0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz ~`!@#$%^&*()_-+={[}]|\:;"'<,>.?/

617

"cryptoKey": { # This is a data encryption key (DEK) (as opposed to a key encryption key (KEK) stored by KMS). When using KMS to wrap/unwrap DEKs, be sure to set an appropriate IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot unwrap the data crypto key. # Required. The key used by the encryption algorithm.

618

"transient": { # Use this to have a random data crypto key generated. It will be discarded after the request finishes. # Transient crypto key

619

"name": "A String", # Required. Name of the key. This is an arbitrary string used to differentiate different keys. A unique key is generated per name: two separate `TransientCryptoKey` protos share the same generated key if their names are the same. When the data crypto key is generated, this name is not used in any way (repeating the api call will result in a different key being generated).

620

},

621

"kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. The wrapped key must be a 128/192/256 bit key. Authorization requires the following IAM permissions when sending a request to perform a crypto transformation using a kms-wrapped crypto key: dlp.kms.encrypt # Kms wrapped key

622

"cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.

623

"wrappedKey": "A String", # Required. The wrapped data crypto key.

624

},

625

"unwrapped": { # Using raw keys is prone to security risks due to accidentally leaking the key. Choose another type of key if possible. # Unwrapped crypto key

626

"key": "A String", # Required. A 128/192/256 bit key.

627

},

628

},

629

"commonAlphabet": "A String", # Common alphabets.

630

"radix": 42, # The native way to select the alphabet. Must be in the range [2, 95].

Dmitry Frenkel

2020-10-06 16:46:05 -0700

[diff] [blame]

631

"surrogateInfoType": { # Type of information detected by the API. # The custom infoType to annotate the surrogate with. This annotation will be applied to the surrogate by prefixing it with the name of the custom infoType followed by the number of characters comprising the surrogate. The following scheme defines the format: info_type_name(surrogate_character_count):surrogate For example, if the name of custom infoType is 'MY_TOKEN_INFO_TYPE' and the surrogate is 'abc', the full replacement value will be: 'MY_TOKEN_INFO_TYPE(3):abc' This annotation identifies the surrogate when inspecting content using the custom infoType [`SurrogateType`](https://cloud.google.com/dlp/docs/reference/rest/v2/InspectConfig#surrogatetype). This facilitates reversal of the surrogate when it occurs in free text. In order for inspection to work properly, the name of this infoType must not occur naturally anywhere in your data; otherwise, inspection may find a surrogate that does not correspond to an actual identifier. Therefore, choose your custom infoType name carefully after considering what your data looks like. One way to select a name that has a high chance of yielding reliable detection is to include one or more unicode characters that are highly improbable to exist in your data. For example, assuming your data is entered from a regular ASCII keyboard, the symbol with the hex code point 29DD might be used like so: ⧝MY_TOKEN_TYPE

632

"name": "A String", # Name of the information type. Either a name of your choosing when creating a CustomInfoType, or one of the names listed at https://cloud.google.com/dlp/docs/infotypes-reference when specifying a built-in type. When sending Cloud DLP results to Data Catalog, infoType names should conform to the pattern `[A-Za-z0-9$-_]{1,64}`.

633

},

634

"context": { # General identifier of a data field in a storage service. # The 'tweak', a context may be used for higher security since the same identifier in two different contexts won't be given the same surrogate. If the context is not set, a default tweak will be used. If the context is set but: 1. there is no record present when transforming a given value or 1. the field is not present when transforming a given value, a default tweak will be used. Note that case (1) is expected when an `InfoTypeTransformation` is applied to both structured and non-structured `ContentItem`s. Currently, the referenced field may be of value type integer or string. The tweak is constructed as a sequence of bytes in big endian byte order such that: - a 64 bit integer is encoded followed by a single byte of value 1 - a string is encoded in UTF-8 format followed by a single byte of value 2

635

"name": "A String", # Name describing the field.

636

},

Dmitry Frenkel

2020-10-06 16:46:05 -0700

[diff] [blame]

637

},

638

"timePartConfig": { # For use with `Date`, `Timestamp`, and `TimeOfDay`, extract or preserve a portion of the value. # Time extraction

639

"partToExtract": "A String", # The part of the time to keep.

640

},

Bu Sun Kim

2020-11-16 11:05:03 -0700

[diff] [blame^]

641

"replaceWithInfoTypeConfig": { # Replace each matching finding with the name of the info_type. # Replace with infotype

642

},

Dmitry Frenkel

2020-10-06 16:46:05 -0700

[diff] [blame]

643

"fixedSizeBucketingConfig": { # Buckets values based on fixed size ranges. The Bucketing transformation can provide all of this functionality, but requires more configuration. This message is provided as a convenience to the user for simple bucketing strategies. The transformed value will be a hyphenated string of {lower_bound}-{upper_bound}, i.e if lower_bound = 10 and upper_bound = 20 all values that are within this bucket will be replaced with "10-20". This can be used on data of type: double, long. If the bound Value type differs from the type of data being transformed, we will first attempt converting the type of the data to be transformed to match the type of the bound before comparing. See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more. # Fixed size bucketing

644

"bucketSize": 3.14, # Required. Size of each bucket (except for minimum and maximum buckets). So if `lower_bound` = 10, `upper_bound` = 89, and `bucket_size` = 10, then the following buckets would be used: -10, 10-20, 20-30, 30-40, 40-50, 50-60, 60-70, 70-80, 80-89, 89+. Precision up to 2 decimals works.

Dmitry Frenkel

2020-10-06 16:46:05 -0700

[diff] [blame]

645

"upperBound": { # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a 'Value' is based on its representation as a UTF-8 encoded string. For example, if 'integer_value' is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data. # Required. Upper bound value of buckets. All values greater than upper_bound are grouped together into a single bucket; for example if `upper_bound` = 89, then all values greater than 89 are replaced with the value "89+".

Bu Sun Kim

2020-11-16 11:05:03 -0700

[diff] [blame^]

646

"dateValue": { # Represents a whole or partial calendar date, such as a birthday. The time of day and time zone are either specified elsewhere or are insignificant. The date is relative to the Gregorian Calendar. This can represent one of the following: * A full date, with non-zero year, month, and day values * A month and day value, with a zero year, such as an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, such as a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # date

647

"year": 42, # Year of the date. Must be from 1 to 9999, or 0 to specify a date without a year.

648

"day": 42, # Day of a month. Must be from 1 to 31 and valid for the year and month, or 0 to specify a year by itself or a year and month where the day isn't significant.

649

"month": 42, # Month of a year. Must be from 1 to 12, or 0 to specify a year without a month and day.

650

},

651

"dayOfWeekValue": "A String", # day of week

Dmitry Frenkel

2020-10-06 16:46:05 -0700

[diff] [blame]

652

"integerValue": "A String", # integer

653

"booleanValue": True or False, # boolean

Bu Sun Kim

2020-11-16 11:05:03 -0700

[diff] [blame^]

654

"stringValue": "A String", # string

655

"floatValue": 3.14, # float

Dmitry Frenkel

2020-10-06 16:46:05 -0700

[diff] [blame]

656

"timestampValue": "A String", # timestamp

Dmitry Frenkel

2020-10-06 16:46:05 -0700

[diff] [blame]

657

"timeValue": { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # time of day

Bu Sun Kim

2020-11-16 11:05:03 -0700

[diff] [blame^]

658

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value "24:00:00" for scenarios like business closing time.

Dmitry Frenkel

2020-10-06 16:46:05 -0700

[diff] [blame]

659

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds.

660

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

Bu Sun Kim

2020-11-16 11:05:03 -0700

[diff] [blame^]

661

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

Dmitry Frenkel

2020-10-06 16:46:05 -0700

[diff] [blame]

662

},

Dmitry Frenkel

2020-10-06 16:46:05 -0700

[diff] [blame]

663

},

Bu Sun Kim

2020-11-16 11:05:03 -0700

[diff] [blame^]

664

"lowerBound": { # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a 'Value' is based on its representation as a UTF-8 encoded string. For example, if 'integer_value' is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data. # Required. Lower bound value of buckets. All values less than `lower_bound` are grouped together into a single bucket; for example if `lower_bound` = 10, then all values less than 10 are replaced with the value "-10".

665

"dateValue": { # Represents a whole or partial calendar date, such as a birthday. The time of day and time zone are either specified elsewhere or are insignificant. The date is relative to the Gregorian Calendar. This can represent one of the following: * A full date, with non-zero year, month, and day values * A month and day value, with a zero year, such as an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, such as a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # date

666

"year": 42, # Year of the date. Must be from 1 to 9999, or 0 to specify a date without a year.

667

"day": 42, # Day of a month. Must be from 1 to 31 and valid for the year and month, or 0 to specify a year by itself or a year and month where the day isn't significant.

668

"month": 42, # Month of a year. Must be from 1 to 12, or 0 to specify a year without a month and day.

669

},

670

"dayOfWeekValue": "A String", # day of week

671

"integerValue": "A String", # integer

672

"booleanValue": True or False, # boolean

673

"stringValue": "A String", # string

674

"floatValue": 3.14, # float

675

"timestampValue": "A String", # timestamp

676

"timeValue": { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # time of day

677

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value "24:00:00" for scenarios like business closing time.

678

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds.

679

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

680

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

},

},

},

"replaceConfig": { # Replace each input value with a given `Value`. # Replace

685

"newValue": { # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a 'Value' is based on its representation as a UTF-8 encoded string. For example, if 'integer_value' is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data. # Value to replace it with.

686

"dateValue": { # Represents a whole or partial calendar date, such as a birthday. The time of day and time zone are either specified elsewhere or are insignificant. The date is relative to the Gregorian Calendar. This can represent one of the following: * A full date, with non-zero year, month, and day values * A month and day value, with a zero year, such as an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, such as a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # date

687

"year": 42, # Year of the date. Must be from 1 to 9999, or 0 to specify a date without a year.

688

"day": 42, # Day of a month. Must be from 1 to 31 and valid for the year and month, or 0 to specify a year by itself or a year and month where the day isn't significant.

689

"month": 42, # Month of a year. Must be from 1 to 12, or 0 to specify a year without a month and day.

690

},

691

"dayOfWeekValue": "A String", # day of week

692

"integerValue": "A String", # integer

693

"booleanValue": True or False, # boolean

694

"stringValue": "A String", # string

695

"floatValue": 3.14, # float

696

"timestampValue": "A String", # timestamp

697

"timeValue": { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # time of day

698

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value "24:00:00" for scenarios like business closing time.

699

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds.

700

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

701

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

},

},

},

"redactConfig": { # Redact a given value. For example, if used with an `InfoTypeTransformation` transforming PHONE_NUMBER, and input 'My phone number is 206-555-0123', the output would be 'My phone number is '. # Redact

Dmitry Frenkel

2020-10-06 16:46:05 -0700

[diff] [blame]

706

},

707

},

708

"infoTypes": [ # InfoTypes to apply the transformation to. An empty list will cause this transformation to apply to all findings that correspond to infoTypes that were requested in `InspectConfig`.

709

{ # Type of information detected by the API.

710

"name": "A String", # Name of the information type. Either a name of your choosing when creating a CustomInfoType, or one of the names listed at https://cloud.google.com/dlp/docs/infotypes-reference when specifying a built-in type. When sending Cloud DLP results to Data Catalog, infoType names should conform to the pattern `[A-Za-z0-9$-_]{1,64}`.

},

],

},

],

},

Bu Sun Kim

2020-11-16 11:05:03 -0700

[diff] [blame^]

716

"primitiveTransformation": { # A rule for transforming a value. # Apply the transformation to the entire field.

717

"cryptoDeterministicConfig": { # Pseudonymization method that generates deterministic encryption for the given input. Outputs a base64 encoded representation of the encrypted output. Uses AES-SIV based on the RFC https://tools.ietf.org/html/rfc5297. # Deterministic Crypto

718

"cryptoKey": { # This is a data encryption key (DEK) (as opposed to a key encryption key (KEK) stored by KMS). When using KMS to wrap/unwrap DEKs, be sure to set an appropriate IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot unwrap the data crypto key. # The key used by the encryption function.

719

"transient": { # Use this to have a random data crypto key generated. It will be discarded after the request finishes. # Transient crypto key

720

"name": "A String", # Required. Name of the key. This is an arbitrary string used to differentiate different keys. A unique key is generated per name: two separate `TransientCryptoKey` protos share the same generated key if their names are the same. When the data crypto key is generated, this name is not used in any way (repeating the api call will result in a different key being generated).

721

},

722

"kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. The wrapped key must be a 128/192/256 bit key. Authorization requires the following IAM permissions when sending a request to perform a crypto transformation using a kms-wrapped crypto key: dlp.kms.encrypt # Kms wrapped key

723

"cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.

724

"wrappedKey": "A String", # Required. The wrapped data crypto key.

725

},

726

"unwrapped": { # Using raw keys is prone to security risks due to accidentally leaking the key. Choose another type of key if possible. # Unwrapped crypto key

727

"key": "A String", # Required. A 128/192/256 bit key.

728

},

729

},

730

"context": { # General identifier of a data field in a storage service. # A context may be used for higher security and maintaining referential integrity such that the same identifier in two different contexts will be given a distinct surrogate. The context is appended to plaintext value being encrypted. On decryption the provided context is validated against the value used during encryption. If a context was provided during encryption, same context must be provided during decryption as well. If the context is not set, plaintext would be used as is for encryption. If the context is set but: 1. there is no record present when transforming a given value or 2. the field is not present when transforming a given value, plaintext would be used as is for encryption. Note that case (1) is expected when an `InfoTypeTransformation` is applied to both structured and non-structured `ContentItem`s.

731

"name": "A String", # Name describing the field.

732

},

733

"surrogateInfoType": { # Type of information detected by the API. # The custom info type to annotate the surrogate with. This annotation will be applied to the surrogate by prefixing it with the name of the custom info type followed by the number of characters comprising the surrogate. The following scheme defines the format: {info type name}({surrogate character count}):{surrogate} For example, if the name of custom info type is 'MY_TOKEN_INFO_TYPE' and the surrogate is 'abc', the full replacement value will be: 'MY_TOKEN_INFO_TYPE(3):abc' This annotation identifies the surrogate when inspecting content using the custom info type 'Surrogate'. This facilitates reversal of the surrogate when it occurs in free text. Note: For record transformations where the entire cell in a table is being transformed, surrogates are not mandatory. Surrogates are used to denote the location of the token and are necessary for re-identification in free form text. In order for inspection to work properly, the name of this info type must not occur naturally anywhere in your data; otherwise, inspection may either - reverse a surrogate that does not correspond to an actual identifier - be unable to parse the surrogate and result in an error Therefore, choose your custom info type name carefully after considering what your data looks like. One way to select a name that has a high chance of yielding reliable detection is to include one or more unicode characters that are highly improbable to exist in your data. For example, assuming your data is entered from a regular ASCII keyboard, the symbol with the hex code point 29DD might be used like so: ⧝MY_TOKEN_TYPE.

734

"name": "A String", # Name of the information type. Either a name of your choosing when creating a CustomInfoType, or one of the names listed at https://cloud.google.com/dlp/docs/infotypes-reference when specifying a built-in type. When sending Cloud DLP results to Data Catalog, infoType names should conform to the pattern `[A-Za-z0-9$-_]{1,64}`.

735

},

736

},

737

"characterMaskConfig": { # Partially mask a string by replacing a given number of characters with a fixed character. Masking can start from the beginning or end of the string. This can be used on data of any type (numbers, longs, and so on) and when de-identifying structured data we'll attempt to preserve the original data's type. (This allows you to take a long like 123 and modify it to a string like **3. # Mask

738

"charactersToIgnore": [ # When masking a string, items in this list will be skipped when replacing characters. For example, if the input string is `555-555-5555` and you instruct Cloud DLP to skip `-` and mask 5 characters with `*`, Cloud DLP returns `***-**5-5555`.

739

{ # Characters to skip when doing deidentification of a value. These will be left alone and skipped.

740

"commonCharactersToIgnore": "A String", # Common characters to not transform when masking. Useful to avoid removing punctuation.

741

"charactersToSkip": "A String", # Characters to not transform when masking.

742

},

743

],

744

"reverseOrder": True or False, # Mask characters in reverse order. For example, if `masking_character` is `0`, `number_to_mask` is `14`, and `reverse_order` is `false`, then the input string `1234-5678-9012-3456` is masked as `00000000000000-3456`. If `masking_character` is `*`, `number_to_mask` is `3`, and `reverse_order` is `true`, then the string `12345` is masked as `12***`.

745

"numberToMask": 42, # Number of characters to mask. If not set, all matching chars will be masked. Skipped characters do not count towards this tally.

746

"maskingCharacter": "A String", # Character to use to mask the sensitive values—for example, `*` for an alphabetic string such as a name, or `0` for a numeric string such as ZIP code or credit card number. This string must have a length of 1. If not supplied, this value defaults to `*` for strings, and `0` for digits.

747

},

748

"cryptoHashConfig": { # Pseudonymization method that generates surrogates via cryptographic hashing. Uses SHA-256. The key size must be either 32 or 64 bytes. Outputs a base64 encoded representation of the hashed output (for example, L7k0BHmF1ha5U3NfGykjro4xWi1MPVQPjhMAZbSV9mM=). Currently, only string and integer values can be hashed. See https://cloud.google.com/dlp/docs/pseudonymization to learn more. # Crypto

749

"cryptoKey": { # This is a data encryption key (DEK) (as opposed to a key encryption key (KEK) stored by KMS). When using KMS to wrap/unwrap DEKs, be sure to set an appropriate IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot unwrap the data crypto key. # The key used by the hash function.

750

"transient": { # Use this to have a random data crypto key generated. It will be discarded after the request finishes. # Transient crypto key

751

"name": "A String", # Required. Name of the key. This is an arbitrary string used to differentiate different keys. A unique key is generated per name: two separate `TransientCryptoKey` protos share the same generated key if their names are the same. When the data crypto key is generated, this name is not used in any way (repeating the api call will result in a different key being generated).

752

},

753

"kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. The wrapped key must be a 128/192/256 bit key. Authorization requires the following IAM permissions when sending a request to perform a crypto transformation using a kms-wrapped crypto key: dlp.kms.encrypt # Kms wrapped key

754

"cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.

755

"wrappedKey": "A String", # Required. The wrapped data crypto key.

756

},

757

"unwrapped": { # Using raw keys is prone to security risks due to accidentally leaking the key. Choose another type of key if possible. # Unwrapped crypto key

758

"key": "A String", # Required. A 128/192/256 bit key.

},

},

},

"dateShiftConfig": { # Shifts dates by random number of days, with option to be consistent for the same context. See https://cloud.google.com/dlp/docs/concepts-date-shifting to learn more. # Date Shift

763

"context": { # General identifier of a data field in a storage service. # Points to the field that contains the context, for example, an entity id. If set, must also set cryptoKey. If set, shift will be consistent for the given context.

764

"name": "A String", # Name describing the field.

765

},

766

"cryptoKey": { # This is a data encryption key (DEK) (as opposed to a key encryption key (KEK) stored by KMS). When using KMS to wrap/unwrap DEKs, be sure to set an appropriate IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot unwrap the data crypto key. # Causes the shift to be computed based on this key and the context. This results in the same shift for the same context and crypto_key. If set, must also set context. Can only be applied to table items.

767

"transient": { # Use this to have a random data crypto key generated. It will be discarded after the request finishes. # Transient crypto key

768

"name": "A String", # Required. Name of the key. This is an arbitrary string used to differentiate different keys. A unique key is generated per name: two separate `TransientCryptoKey` protos share the same generated key if their names are the same. When the data crypto key is generated, this name is not used in any way (repeating the api call will result in a different key being generated).

769

},

770

"kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. The wrapped key must be a 128/192/256 bit key. Authorization requires the following IAM permissions when sending a request to perform a crypto transformation using a kms-wrapped crypto key: dlp.kms.encrypt # Kms wrapped key

771

"cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.

772

"wrappedKey": "A String", # Required. The wrapped data crypto key.

773

},

774

"unwrapped": { # Using raw keys is prone to security risks due to accidentally leaking the key. Choose another type of key if possible. # Unwrapped crypto key

775

"key": "A String", # Required. A 128/192/256 bit key.

776

},

777

},

778

"lowerBoundDays": 42, # Required. For example, -5 means shift date to at most 5 days back in the past.

779

"upperBoundDays": 42, # Required. Range of shift in days. Actual shift will be selected at random within this range (inclusive ends). Negative means shift to earlier in time. Must not be more than 365250 days (1000 years) each direction. For example, 3 means shift date to at most 3 days into the future.

780

},

781

"bucketingConfig": { # Generalization function that buckets values based on ranges. The ranges and replacement values are dynamically provided by the user for custom behavior, such as 1-30 -> LOW 31-65 -> MEDIUM 66-100 -> HIGH This can be used on data of type: number, long, string, timestamp. If the bound `Value` type differs from the type of data being transformed, we will first attempt converting the type of the data to be transformed to match the type of the bound before comparing. See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more. # Bucketing

782

"buckets": [ # Set of buckets. Ranges must be non-overlapping.

783

{ # Bucket is represented as a range, along with replacement values.

784

"replacementValue": { # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a 'Value' is based on its representation as a UTF-8 encoded string. For example, if 'integer_value' is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data. # Required. Replacement value for this bucket.

785

"dateValue": { # Represents a whole or partial calendar date, such as a birthday. The time of day and time zone are either specified elsewhere or are insignificant. The date is relative to the Gregorian Calendar. This can represent one of the following: * A full date, with non-zero year, month, and day values * A month and day value, with a zero year, such as an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, such as a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # date

786

"year": 42, # Year of the date. Must be from 1 to 9999, or 0 to specify a date without a year.

787

"day": 42, # Day of a month. Must be from 1 to 31 and valid for the year and month, or 0 to specify a year by itself or a year and month where the day isn't significant.

788

"month": 42, # Month of a year. Must be from 1 to 12, or 0 to specify a year without a month and day.

789

},

790

"dayOfWeekValue": "A String", # day of week

791

"integerValue": "A String", # integer

792

"booleanValue": True or False, # boolean

793

"stringValue": "A String", # string

794

"floatValue": 3.14, # float

795

"timestampValue": "A String", # timestamp

796

"timeValue": { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # time of day

797

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value "24:00:00" for scenarios like business closing time.

798

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds.

799

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

800

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

801

},

802

},

803

"min": { # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a 'Value' is based on its representation as a UTF-8 encoded string. For example, if 'integer_value' is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data. # Lower bound of the range, inclusive. Type should be the same as max if used.

804

"dateValue": { # Represents a whole or partial calendar date, such as a birthday. The time of day and time zone are either specified elsewhere or are insignificant. The date is relative to the Gregorian Calendar. This can represent one of the following: * A full date, with non-zero year, month, and day values * A month and day value, with a zero year, such as an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, such as a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # date

805

"year": 42, # Year of the date. Must be from 1 to 9999, or 0 to specify a date without a year.

806

"day": 42, # Day of a month. Must be from 1 to 31 and valid for the year and month, or 0 to specify a year by itself or a year and month where the day isn't significant.

807

"month": 42, # Month of a year. Must be from 1 to 12, or 0 to specify a year without a month and day.

808

},

809

"dayOfWeekValue": "A String", # day of week

810

"integerValue": "A String", # integer

811

"booleanValue": True or False, # boolean

812

"stringValue": "A String", # string

813

"floatValue": 3.14, # float

814

"timestampValue": "A String", # timestamp

815

"timeValue": { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # time of day

816

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value "24:00:00" for scenarios like business closing time.

817

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds.

818

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

819

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

820

},

821

},

822

"max": { # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a 'Value' is based on its representation as a UTF-8 encoded string. For example, if 'integer_value' is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data. # Upper bound of the range, exclusive; type must match min.

823

"dateValue": { # Represents a whole or partial calendar date, such as a birthday. The time of day and time zone are either specified elsewhere or are insignificant. The date is relative to the Gregorian Calendar. This can represent one of the following: * A full date, with non-zero year, month, and day values * A month and day value, with a zero year, such as an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, such as a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # date

824

"year": 42, # Year of the date. Must be from 1 to 9999, or 0 to specify a date without a year.

825

"day": 42, # Day of a month. Must be from 1 to 31 and valid for the year and month, or 0 to specify a year by itself or a year and month where the day isn't significant.

826

"month": 42, # Month of a year. Must be from 1 to 12, or 0 to specify a year without a month and day.

827

},

828

"dayOfWeekValue": "A String", # day of week

829

"integerValue": "A String", # integer

830

"booleanValue": True or False, # boolean

831

"stringValue": "A String", # string

832

"floatValue": 3.14, # float

833

"timestampValue": "A String", # timestamp

834

"timeValue": { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # time of day

835

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value "24:00:00" for scenarios like business closing time.

836

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds.

837

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

838

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

},

},

},

],

},

"cryptoReplaceFfxFpeConfig": { # Replaces an identifier with a surrogate using Format Preserving Encryption (FPE) with the FFX mode of operation; however when used in the `ReidentifyContent` API method, it serves the opposite function by reversing the surrogate back into the original identifier. The identifier must be encoded as ASCII. For a given crypto key and context, the same identifier will be replaced with the same surrogate. Identifiers must be at least two characters long. In the case that the identifier is the empty string, it will be skipped. See https://cloud.google.com/dlp/docs/pseudonymization to learn more. Note: We recommend using CryptoDeterministicConfig for all use cases which do not require preserving the input alphabet space and size, plus warrant referential integrity. # Ffx-Fpe

845

"customAlphabet": "A String", # This is supported by mapping these to the alphanumeric characters that the FFX mode natively supports. This happens before/after encryption/decryption. Each character listed must appear only once. Number of characters must be in the range [2, 95]. This must be encoded as ASCII. The order of characters does not matter. The full list of allowed characters is: 0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz ~`!@#$%^&*()_-+={[}]|\:;"'<,>.?/

846

"cryptoKey": { # This is a data encryption key (DEK) (as opposed to a key encryption key (KEK) stored by KMS). When using KMS to wrap/unwrap DEKs, be sure to set an appropriate IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot unwrap the data crypto key. # Required. The key used by the encryption algorithm.

847

"transient": { # Use this to have a random data crypto key generated. It will be discarded after the request finishes. # Transient crypto key

848

"name": "A String", # Required. Name of the key. This is an arbitrary string used to differentiate different keys. A unique key is generated per name: two separate `TransientCryptoKey` protos share the same generated key if their names are the same. When the data crypto key is generated, this name is not used in any way (repeating the api call will result in a different key being generated).

849

},

850

"kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. The wrapped key must be a 128/192/256 bit key. Authorization requires the following IAM permissions when sending a request to perform a crypto transformation using a kms-wrapped crypto key: dlp.kms.encrypt # Kms wrapped key

851

"cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.

852

"wrappedKey": "A String", # Required. The wrapped data crypto key.

853

},

854

"unwrapped": { # Using raw keys is prone to security risks due to accidentally leaking the key. Choose another type of key if possible. # Unwrapped crypto key

855

"key": "A String", # Required. A 128/192/256 bit key.

856

},

857

},

858

"commonAlphabet": "A String", # Common alphabets.

859

"radix": 42, # The native way to select the alphabet. Must be in the range [2, 95].

860

"surrogateInfoType": { # Type of information detected by the API. # The custom infoType to annotate the surrogate with. This annotation will be applied to the surrogate by prefixing it with the name of the custom infoType followed by the number of characters comprising the surrogate. The following scheme defines the format: info_type_name(surrogate_character_count):surrogate For example, if the name of custom infoType is 'MY_TOKEN_INFO_TYPE' and the surrogate is 'abc', the full replacement value will be: 'MY_TOKEN_INFO_TYPE(3):abc' This annotation identifies the surrogate when inspecting content using the custom infoType [`SurrogateType`](https://cloud.google.com/dlp/docs/reference/rest/v2/InspectConfig#surrogatetype). This facilitates reversal of the surrogate when it occurs in free text. In order for inspection to work properly, the name of this infoType must not occur naturally anywhere in your data; otherwise, inspection may find a surrogate that does not correspond to an actual identifier. Therefore, choose your custom infoType name carefully after considering what your data looks like. One way to select a name that has a high chance of yielding reliable detection is to include one or more unicode characters that are highly improbable to exist in your data. For example, assuming your data is entered from a regular ASCII keyboard, the symbol with the hex code point 29DD might be used like so: ⧝MY_TOKEN_TYPE

861

"name": "A String", # Name of the information type. Either a name of your choosing when creating a CustomInfoType, or one of the names listed at https://cloud.google.com/dlp/docs/infotypes-reference when specifying a built-in type. When sending Cloud DLP results to Data Catalog, infoType names should conform to the pattern `[A-Za-z0-9$-_]{1,64}`.

862

},

863

"context": { # General identifier of a data field in a storage service. # The 'tweak', a context may be used for higher security since the same identifier in two different contexts won't be given the same surrogate. If the context is not set, a default tweak will be used. If the context is set but: 1. there is no record present when transforming a given value or 1. the field is not present when transforming a given value, a default tweak will be used. Note that case (1) is expected when an `InfoTypeTransformation` is applied to both structured and non-structured `ContentItem`s. Currently, the referenced field may be of value type integer or string. The tweak is constructed as a sequence of bytes in big endian byte order such that: - a 64 bit integer is encoded followed by a single byte of value 1 - a string is encoded in UTF-8 format followed by a single byte of value 2

864

"name": "A String", # Name describing the field.

865

},

866

},

867

"timePartConfig": { # For use with `Date`, `Timestamp`, and `TimeOfDay`, extract or preserve a portion of the value. # Time extraction

868

"partToExtract": "A String", # The part of the time to keep.

869

},

870

"replaceWithInfoTypeConfig": { # Replace each matching finding with the name of the info_type. # Replace with infotype

871

},

872

"fixedSizeBucketingConfig": { # Buckets values based on fixed size ranges. The Bucketing transformation can provide all of this functionality, but requires more configuration. This message is provided as a convenience to the user for simple bucketing strategies. The transformed value will be a hyphenated string of {lower_bound}-{upper_bound}, i.e if lower_bound = 10 and upper_bound = 20 all values that are within this bucket will be replaced with "10-20". This can be used on data of type: double, long. If the bound Value type differs from the type of data being transformed, we will first attempt converting the type of the data to be transformed to match the type of the bound before comparing. See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more. # Fixed size bucketing

873

"bucketSize": 3.14, # Required. Size of each bucket (except for minimum and maximum buckets). So if `lower_bound` = 10, `upper_bound` = 89, and `bucket_size` = 10, then the following buckets would be used: -10, 10-20, 20-30, 30-40, 40-50, 50-60, 60-70, 70-80, 80-89, 89+. Precision up to 2 decimals works.

874

"upperBound": { # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a 'Value' is based on its representation as a UTF-8 encoded string. For example, if 'integer_value' is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data. # Required. Upper bound value of buckets. All values greater than upper_bound are grouped together into a single bucket; for example if `upper_bound` = 89, then all values greater than 89 are replaced with the value "89+".

875

"dateValue": { # Represents a whole or partial calendar date, such as a birthday. The time of day and time zone are either specified elsewhere or are insignificant. The date is relative to the Gregorian Calendar. This can represent one of the following: * A full date, with non-zero year, month, and day values * A month and day value, with a zero year, such as an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, such as a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # date

876

"year": 42, # Year of the date. Must be from 1 to 9999, or 0 to specify a date without a year.

877

"day": 42, # Day of a month. Must be from 1 to 31 and valid for the year and month, or 0 to specify a year by itself or a year and month where the day isn't significant.

878

"month": 42, # Month of a year. Must be from 1 to 12, or 0 to specify a year without a month and day.

879

},

880

"dayOfWeekValue": "A String", # day of week

881

"integerValue": "A String", # integer

882

"booleanValue": True or False, # boolean

883

"stringValue": "A String", # string

884

"floatValue": 3.14, # float

885

"timestampValue": "A String", # timestamp

886

"timeValue": { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # time of day

887

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value "24:00:00" for scenarios like business closing time.

888

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds.

889

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

890

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

891

},

892

},

893

"lowerBound": { # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a 'Value' is based on its representation as a UTF-8 encoded string. For example, if 'integer_value' is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data. # Required. Lower bound value of buckets. All values less than `lower_bound` are grouped together into a single bucket; for example if `lower_bound` = 10, then all values less than 10 are replaced with the value "-10".

894

"dateValue": { # Represents a whole or partial calendar date, such as a birthday. The time of day and time zone are either specified elsewhere or are insignificant. The date is relative to the Gregorian Calendar. This can represent one of the following: * A full date, with non-zero year, month, and day values * A month and day value, with a zero year, such as an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, such as a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # date

895

"year": 42, # Year of the date. Must be from 1 to 9999, or 0 to specify a date without a year.

896

"day": 42, # Day of a month. Must be from 1 to 31 and valid for the year and month, or 0 to specify a year by itself or a year and month where the day isn't significant.

897

"month": 42, # Month of a year. Must be from 1 to 12, or 0 to specify a year without a month and day.

898

},

899

"dayOfWeekValue": "A String", # day of week

900

"integerValue": "A String", # integer

901

"booleanValue": True or False, # boolean

902

"stringValue": "A String", # string

903

"floatValue": 3.14, # float

904

"timestampValue": "A String", # timestamp

905

"timeValue": { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # time of day

906

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value "24:00:00" for scenarios like business closing time.

907

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds.

908

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

909

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

},

},

},

"replaceConfig": { # Replace each input value with a given `Value`. # Replace

914

"newValue": { # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a 'Value' is based on its representation as a UTF-8 encoded string. For example, if 'integer_value' is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data. # Value to replace it with.

915

"dateValue": { # Represents a whole or partial calendar date, such as a birthday. The time of day and time zone are either specified elsewhere or are insignificant. The date is relative to the Gregorian Calendar. This can represent one of the following: * A full date, with non-zero year, month, and day values * A month and day value, with a zero year, such as an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, such as a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # date

916

"year": 42, # Year of the date. Must be from 1 to 9999, or 0 to specify a date without a year.

917

"day": 42, # Day of a month. Must be from 1 to 31 and valid for the year and month, or 0 to specify a year by itself or a year and month where the day isn't significant.

918

"month": 42, # Month of a year. Must be from 1 to 12, or 0 to specify a year without a month and day.

919

},

920

"dayOfWeekValue": "A String", # day of week

921

"integerValue": "A String", # integer

922

"booleanValue": True or False, # boolean

923

"stringValue": "A String", # string

924

"floatValue": 3.14, # float

925

"timestampValue": "A String", # timestamp

926

"timeValue": { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # time of day

927

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value "24:00:00" for scenarios like business closing time.

928

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds.

929

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

930

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

},

},

},

"redactConfig": { # Redact a given value. For example, if used with an `InfoTypeTransformation` transforming PHONE_NUMBER, and input 'My phone number is 206-555-0123', the output would be 'My phone number is '. # Redact

935

},

936

},

937

"condition": { # A condition for determining whether a transformation should be applied to a field. # Only apply the transformation if the condition evaluates to true for the given `RecordCondition`. The conditions are allowed to reference fields that are not used in the actual transformation. Example Use Cases: - Apply a different bucket transformation to an age column if the zip code column for the same record is within a specific range. - Redact a field if the date of birth field is greater than 85.

938

"expressions": { # An expression, consisting or an operator and conditions. # An expression.

939

"logicalOperator": "A String", # The operator to apply to the result of conditions. Default and currently only supported value is `AND`.

940

"conditions": { # A collection of conditions. # Conditions to apply to the expression.

941

"conditions": [ # A collection of conditions.

942

{ # The field type of `value` and `field` do not need to match to be considered equal, but not all comparisons are possible. EQUAL_TO and NOT_EQUAL_TO attempt to compare even with incompatible types, but all other comparisons are invalid with incompatible types. A `value` of type: - `string` can be compared against all other types - `boolean` can only be compared against other booleans - `integer` can be compared against doubles or a string if the string value can be parsed as an integer. - `double` can be compared against integers or a string if the string can be parsed as a double. - `Timestamp` can be compared against strings in RFC 3339 date string format. - `TimeOfDay` can be compared against timestamps and strings in the format of 'HH:mm:ss'. If we fail to compare do to type mismatch, a warning will be given and the condition will evaluate to false.

943

"value": { # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a 'Value' is based on its representation as a UTF-8 encoded string. For example, if 'integer_value' is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data. # Value to compare against. [Mandatory, except for `EXISTS` tests.]

944

"dateValue": { # Represents a whole or partial calendar date, such as a birthday. The time of day and time zone are either specified elsewhere or are insignificant. The date is relative to the Gregorian Calendar. This can represent one of the following: * A full date, with non-zero year, month, and day values * A month and day value, with a zero year, such as an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, such as a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # date

945

"year": 42, # Year of the date. Must be from 1 to 9999, or 0 to specify a date without a year.

946

"day": 42, # Day of a month. Must be from 1 to 31 and valid for the year and month, or 0 to specify a year by itself or a year and month where the day isn't significant.

947

"month": 42, # Month of a year. Must be from 1 to 12, or 0 to specify a year without a month and day.

948

},

949

"dayOfWeekValue": "A String", # day of week

950

"integerValue": "A String", # integer

951

"booleanValue": True or False, # boolean

952

"stringValue": "A String", # string

953

"floatValue": 3.14, # float

954

"timestampValue": "A String", # timestamp

955

"timeValue": { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # time of day

956

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value "24:00:00" for scenarios like business closing time.

957

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds.

958

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

959

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

960

},

961

},

962

"operator": "A String", # Required. Operator used to compare the field or infoType to the value.

963

"field": { # General identifier of a data field in a storage service. # Required. Field within the record this condition is evaluated against.

964

"name": "A String", # Name describing the field.

},

},

],

},

},

},

},

],

"recordSuppressions": [ # Configuration defining which records get suppressed entirely. Records that match any suppression rule are omitted from the output.

974

{ # Configuration to suppress records whose suppression conditions evaluate to true.

975

"condition": { # A condition for determining whether a transformation should be applied to a field. # A condition that when it evaluates to true will result in the record being evaluated to be suppressed from the transformed content.

976

"expressions": { # An expression, consisting or an operator and conditions. # An expression.

977

"logicalOperator": "A String", # The operator to apply to the result of conditions. Default and currently only supported value is `AND`.

978

"conditions": { # A collection of conditions. # Conditions to apply to the expression.

979

"conditions": [ # A collection of conditions.

980

{ # The field type of `value` and `field` do not need to match to be considered equal, but not all comparisons are possible. EQUAL_TO and NOT_EQUAL_TO attempt to compare even with incompatible types, but all other comparisons are invalid with incompatible types. A `value` of type: - `string` can be compared against all other types - `boolean` can only be compared against other booleans - `integer` can be compared against doubles or a string if the string value can be parsed as an integer. - `double` can be compared against integers or a string if the string can be parsed as a double. - `Timestamp` can be compared against strings in RFC 3339 date string format. - `TimeOfDay` can be compared against timestamps and strings in the format of 'HH:mm:ss'. If we fail to compare do to type mismatch, a warning will be given and the condition will evaluate to false.

981

"value": { # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a 'Value' is based on its representation as a UTF-8 encoded string. For example, if 'integer_value' is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data. # Value to compare against. [Mandatory, except for `EXISTS` tests.]

982

"dateValue": { # Represents a whole or partial calendar date, such as a birthday. The time of day and time zone are either specified elsewhere or are insignificant. The date is relative to the Gregorian Calendar. This can represent one of the following: * A full date, with non-zero year, month, and day values * A month and day value, with a zero year, such as an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, such as a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # date

983

"year": 42, # Year of the date. Must be from 1 to 9999, or 0 to specify a date without a year.

984

"day": 42, # Day of a month. Must be from 1 to 31 and valid for the year and month, or 0 to specify a year by itself or a year and month where the day isn't significant.

985

"month": 42, # Month of a year. Must be from 1 to 12, or 0 to specify a year without a month and day.

986

},

987

"dayOfWeekValue": "A String", # day of week

988

"integerValue": "A String", # integer

989

"booleanValue": True or False, # boolean

990

"stringValue": "A String", # string

991

"floatValue": 3.14, # float

992

"timestampValue": "A String", # timestamp

993

"timeValue": { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # time of day

994

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value "24:00:00" for scenarios like business closing time.

995

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds.

996

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

997

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

998

},

999

},

1000

"operator": "A String", # Required. Operator used to compare the field or infoType to the value.

1001

"field": { # General identifier of a data field in a storage service. # Required. Field within the record this condition is evaluated against.

1002

"name": "A String", # Name describing the field.

},

},

],

},

},

},

},

],

},

},

"deidentifyTemplateName": "A String", # Template to use. Any configuration directly specified in deidentify_config will override those set in the template. Singular fields that are set in this request will replace their corresponding fields in the template. Repeated fields are appended. Singular sub-messages and groups are recursively merged.

1014

"item": { # Container structure for the content to inspect. # The item to de-identify. Will be treated as text.

1015

"value": "A String", # String data to inspect or redact.

1016

"table": { # Structured content to inspect. Up to 50,000 `Value`s per request allowed. See https://cloud.google.com/dlp/docs/inspecting-text#inspecting_a_table to learn more. # Structured content for inspection. See https://cloud.google.com/dlp/docs/inspecting-text#inspecting_a_table to learn more.

1017

"headers": [ # Headers of the table.

1018

{ # General identifier of a data field in a storage service.

1019

"name": "A String", # Name describing the field.

1020

},

1021

],

1022

"rows": [ # Rows of the table.

1023

{ # Values of the row.

1024

"values": [ # Individual cells.

1025

{ # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a 'Value' is based on its representation as a UTF-8 encoded string. For example, if 'integer_value' is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data.

1026

"dateValue": { # Represents a whole or partial calendar date, such as a birthday. The time of day and time zone are either specified elsewhere or are insignificant. The date is relative to the Gregorian Calendar. This can represent one of the following: * A full date, with non-zero year, month, and day values * A month and day value, with a zero year, such as an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, such as a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # date

1027

"year": 42, # Year of the date. Must be from 1 to 9999, or 0 to specify a date without a year.

1028

"day": 42, # Day of a month. Must be from 1 to 31 and valid for the year and month, or 0 to specify a year by itself or a year and month where the day isn't significant.

1029

"month": 42, # Month of a year. Must be from 1 to 12, or 0 to specify a year without a month and day.

1030

},

1031

"dayOfWeekValue": "A String", # day of week

1032

"integerValue": "A String", # integer

1033

"booleanValue": True or False, # boolean

1034

"stringValue": "A String", # string

1035

"floatValue": 3.14, # float

1036

"timestampValue": "A String", # timestamp

1037

"timeValue": { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # time of day

1038

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value "24:00:00" for scenarios like business closing time.

1039

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds.

1040

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

1041

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

1042

},

Bu Sun Kim

2020-07-22 17:02:09 -0700

[diff] [blame]

1043

},

1044

],

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

1045

},

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

1046

],

1047

},

Bu Sun Kim

2020-11-16 11:05:03 -0700

[diff] [blame^]

1048

"byteItem": { # Container for bytes to inspect or redact. # Content data to inspect or redact. Replaces `type` and `data`.

1049

"type": "A String", # The type of data stored in the bytes string. Default will be TEXT_UTF8.

1050

"data": "A String", # Content data to inspect or redact.

1051

},

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

1052

},

Bu Sun Kim

2020-11-16 11:05:03 -0700

[diff] [blame^]

1053

"inspectTemplateName": "A String", # Template to use. Any configuration directly specified in inspect_config will override those set in the template. Singular fields that are set in this request will replace their corresponding fields in the template. Repeated fields are appended. Singular sub-messages and groups are recursively merged.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

1054

}

1055

1056

x__xgafv: string, V1 error format.

Allowed values

1 - v1 error format

2 - v2 error format

Returns:

An object of the form:

1063

1064

{ # Results of de-identifying a ContentItem.

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

1065

"item": { # Container structure for the content to inspect. # The de-identified item.

Bu Sun Kim

2020-07-22 17:02:09 -0700

[diff] [blame]

1066

"value": "A String", # String data to inspect or redact.

Dmitry Frenkel

2020-10-06 16:46:05 -0700

[diff] [blame]

1067

"table": { # Structured content to inspect. Up to 50,000 `Value`s per request allowed. See https://cloud.google.com/dlp/docs/inspecting-text#inspecting_a_table to learn more. # Structured content for inspection. See https://cloud.google.com/dlp/docs/inspecting-text#inspecting_a_table to learn more.

Bu Sun Kim

2020-07-22 17:02:09 -0700

[diff] [blame]

1068

"headers": [ # Headers of the table.

1069

{ # General identifier of a data field in a storage service.

1070

"name": "A String", # Name describing the field.

1071

},

1072

],

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

1073

"rows": [ # Rows of the table.

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

1074

{ # Values of the row.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

1075

"values": [ # Individual cells.

Dmitry Frenkel

2020-10-06 16:46:05 -0700

[diff] [blame]

1076

{ # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a 'Value' is based on its representation as a UTF-8 encoded string. For example, if 'integer_value' is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data.

Bu Sun Kim

2020-11-16 11:05:03 -0700

[diff] [blame^]

1077

"dateValue": { # Represents a whole or partial calendar date, such as a birthday. The time of day and time zone are either specified elsewhere or are insignificant. The date is relative to the Gregorian Calendar. This can represent one of the following: * A full date, with non-zero year, month, and day values * A month and day value, with a zero year, such as an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, such as a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # date

1078

"year": 42, # Year of the date. Must be from 1 to 9999, or 0 to specify a date without a year.

1079

"day": 42, # Day of a month. Must be from 1 to 31 and valid for the year and month, or 0 to specify a year by itself or a year and month where the day isn't significant.

1080

"month": 42, # Month of a year. Must be from 1 to 12, or 0 to specify a year without a month and day.

1081

},

1082

"dayOfWeekValue": "A String", # day of week

Dmitry Frenkel

2020-10-06 16:46:05 -0700

[diff] [blame]

1083

"integerValue": "A String", # integer

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

1084

"booleanValue": True or False, # boolean

Bu Sun Kim

2020-11-16 11:05:03 -0700

[diff] [blame^]

1085

"stringValue": "A String", # string

1086

"floatValue": 3.14, # float

Dmitry Frenkel

2020-10-06 16:46:05 -0700

[diff] [blame]

1087

"timestampValue": "A String", # timestamp

Dmitry Frenkel

2020-10-06 16:46:05 -0700

[diff] [blame]

1088

"timeValue": { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # time of day

Bu Sun Kim

2020-11-16 11:05:03 -0700

[diff] [blame^]

1089

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value "24:00:00" for scenarios like business closing time.

Dmitry Frenkel

2020-10-06 16:46:05 -0700

[diff] [blame]

1090

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds.

1091

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

Bu Sun Kim

2020-11-16 11:05:03 -0700

[diff] [blame^]

1092

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

Dmitry Frenkel

2020-10-06 16:46:05 -0700

[diff] [blame]

1093

},

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

},

],

},

],

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

1098

},

Bu Sun Kim

2020-11-16 11:05:03 -0700

[diff] [blame^]

1099

"byteItem": { # Container for bytes to inspect or redact. # Content data to inspect or redact. Replaces `type` and `data`.

1100

"type": "A String", # The type of data stored in the bytes string. Default will be TEXT_UTF8.

1101

"data": "A String", # Content data to inspect or redact.

1102

},

1103

},

1104

"overview": { # Overview of the modifications that occurred. # An overview of the changes that were made on the `item`.

1105

"transformedBytes": "A String", # Total size in bytes that were transformed in some way.

1106

"transformationSummaries": [ # Transformations applied to the dataset.

1107

{ # Summary of a single transformation. Only one of 'transformation', 'field_transformation', or 'record_suppress' will be set.

1108

"fieldTransformations": [ # The field transformation that was applied. If multiple field transformations are requested for a single field, this list will contain all of them; otherwise, only one is supplied.

1109

{ # The transformation to apply to the field.

1110

"fields": [ # Required. Input field(s) to apply the transformation to.

1111

{ # General identifier of a data field in a storage service.

1112

"name": "A String", # Name describing the field.

1113

},

1114

],

1115

"infoTypeTransformations": { # A type of transformation that will scan unstructured text and apply various `PrimitiveTransformation`s to each finding, where the transformation is applied to only values that were identified as a specific info_type. # Treat the contents of the field as free text, and selectively transform content that matches an `InfoType`.

1116

"transformations": [ # Required. Transformation for each infoType. Cannot specify more than one for a given infoType.

1117

{ # A transformation to apply to text that is identified as a specific info_type.

1118

"primitiveTransformation": { # A rule for transforming a value. # Required. Primitive transformation to apply to the infoType.

1119

"cryptoDeterministicConfig": { # Pseudonymization method that generates deterministic encryption for the given input. Outputs a base64 encoded representation of the encrypted output. Uses AES-SIV based on the RFC https://tools.ietf.org/html/rfc5297. # Deterministic Crypto

1120

"cryptoKey": { # This is a data encryption key (DEK) (as opposed to a key encryption key (KEK) stored by KMS). When using KMS to wrap/unwrap DEKs, be sure to set an appropriate IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot unwrap the data crypto key. # The key used by the encryption function.

1121

"transient": { # Use this to have a random data crypto key generated. It will be discarded after the request finishes. # Transient crypto key

1122

"name": "A String", # Required. Name of the key. This is an arbitrary string used to differentiate different keys. A unique key is generated per name: two separate `TransientCryptoKey` protos share the same generated key if their names are the same. When the data crypto key is generated, this name is not used in any way (repeating the api call will result in a different key being generated).

1123

},

1124

"kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. The wrapped key must be a 128/192/256 bit key. Authorization requires the following IAM permissions when sending a request to perform a crypto transformation using a kms-wrapped crypto key: dlp.kms.encrypt # Kms wrapped key

1125

"cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.

1126

"wrappedKey": "A String", # Required. The wrapped data crypto key.

1127

},

1128

"unwrapped": { # Using raw keys is prone to security risks due to accidentally leaking the key. Choose another type of key if possible. # Unwrapped crypto key

1129

"key": "A String", # Required. A 128/192/256 bit key.

1130

},

1131

},

1132

"context": { # General identifier of a data field in a storage service. # A context may be used for higher security and maintaining referential integrity such that the same identifier in two different contexts will be given a distinct surrogate. The context is appended to plaintext value being encrypted. On decryption the provided context is validated against the value used during encryption. If a context was provided during encryption, same context must be provided during decryption as well. If the context is not set, plaintext would be used as is for encryption. If the context is set but: 1. there is no record present when transforming a given value or 2. the field is not present when transforming a given value, plaintext would be used as is for encryption. Note that case (1) is expected when an `InfoTypeTransformation` is applied to both structured and non-structured `ContentItem`s.

1133

"name": "A String", # Name describing the field.

1134

},

1135

"surrogateInfoType": { # Type of information detected by the API. # The custom info type to annotate the surrogate with. This annotation will be applied to the surrogate by prefixing it with the name of the custom info type followed by the number of characters comprising the surrogate. The following scheme defines the format: {info type name}({surrogate character count}):{surrogate} For example, if the name of custom info type is 'MY_TOKEN_INFO_TYPE' and the surrogate is 'abc', the full replacement value will be: 'MY_TOKEN_INFO_TYPE(3):abc' This annotation identifies the surrogate when inspecting content using the custom info type 'Surrogate'. This facilitates reversal of the surrogate when it occurs in free text. Note: For record transformations where the entire cell in a table is being transformed, surrogates are not mandatory. Surrogates are used to denote the location of the token and are necessary for re-identification in free form text. In order for inspection to work properly, the name of this info type must not occur naturally anywhere in your data; otherwise, inspection may either - reverse a surrogate that does not correspond to an actual identifier - be unable to parse the surrogate and result in an error Therefore, choose your custom info type name carefully after considering what your data looks like. One way to select a name that has a high chance of yielding reliable detection is to include one or more unicode characters that are highly improbable to exist in your data. For example, assuming your data is entered from a regular ASCII keyboard, the symbol with the hex code point 29DD might be used like so: ⧝MY_TOKEN_TYPE.

1136

"name": "A String", # Name of the information type. Either a name of your choosing when creating a CustomInfoType, or one of the names listed at https://cloud.google.com/dlp/docs/infotypes-reference when specifying a built-in type. When sending Cloud DLP results to Data Catalog, infoType names should conform to the pattern `[A-Za-z0-9$-_]{1,64}`.

1137

},

1138

},

1139

"characterMaskConfig": { # Partially mask a string by replacing a given number of characters with a fixed character. Masking can start from the beginning or end of the string. This can be used on data of any type (numbers, longs, and so on) and when de-identifying structured data we'll attempt to preserve the original data's type. (This allows you to take a long like 123 and modify it to a string like **3. # Mask

1140

"charactersToIgnore": [ # When masking a string, items in this list will be skipped when replacing characters. For example, if the input string is `555-555-5555` and you instruct Cloud DLP to skip `-` and mask 5 characters with `*`, Cloud DLP returns `***-**5-5555`.

1141

{ # Characters to skip when doing deidentification of a value. These will be left alone and skipped.

1142

"commonCharactersToIgnore": "A String", # Common characters to not transform when masking. Useful to avoid removing punctuation.

1143

"charactersToSkip": "A String", # Characters to not transform when masking.

1144

},

1145

],

1146

"reverseOrder": True or False, # Mask characters in reverse order. For example, if `masking_character` is `0`, `number_to_mask` is `14`, and `reverse_order` is `false`, then the input string `1234-5678-9012-3456` is masked as `00000000000000-3456`. If `masking_character` is `*`, `number_to_mask` is `3`, and `reverse_order` is `true`, then the string `12345` is masked as `12***`.

1147

"numberToMask": 42, # Number of characters to mask. If not set, all matching chars will be masked. Skipped characters do not count towards this tally.

1148

"maskingCharacter": "A String", # Character to use to mask the sensitive values—for example, `*` for an alphabetic string such as a name, or `0` for a numeric string such as ZIP code or credit card number. This string must have a length of 1. If not supplied, this value defaults to `*` for strings, and `0` for digits.

1149

},

1150

"cryptoHashConfig": { # Pseudonymization method that generates surrogates via cryptographic hashing. Uses SHA-256. The key size must be either 32 or 64 bytes. Outputs a base64 encoded representation of the hashed output (for example, L7k0BHmF1ha5U3NfGykjro4xWi1MPVQPjhMAZbSV9mM=). Currently, only string and integer values can be hashed. See https://cloud.google.com/dlp/docs/pseudonymization to learn more. # Crypto

1151

"cryptoKey": { # This is a data encryption key (DEK) (as opposed to a key encryption key (KEK) stored by KMS). When using KMS to wrap/unwrap DEKs, be sure to set an appropriate IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot unwrap the data crypto key. # The key used by the hash function.

1152

"transient": { # Use this to have a random data crypto key generated. It will be discarded after the request finishes. # Transient crypto key

1153

"name": "A String", # Required. Name of the key. This is an arbitrary string used to differentiate different keys. A unique key is generated per name: two separate `TransientCryptoKey` protos share the same generated key if their names are the same. When the data crypto key is generated, this name is not used in any way (repeating the api call will result in a different key being generated).

1154

},

1155

"kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. The wrapped key must be a 128/192/256 bit key. Authorization requires the following IAM permissions when sending a request to perform a crypto transformation using a kms-wrapped crypto key: dlp.kms.encrypt # Kms wrapped key

1156

"cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.

1157

"wrappedKey": "A String", # Required. The wrapped data crypto key.

1158

},

1159

"unwrapped": { # Using raw keys is prone to security risks due to accidentally leaking the key. Choose another type of key if possible. # Unwrapped crypto key

1160

"key": "A String", # Required. A 128/192/256 bit key.

},

},

},

"dateShiftConfig": { # Shifts dates by random number of days, with option to be consistent for the same context. See https://cloud.google.com/dlp/docs/concepts-date-shifting to learn more. # Date Shift

1165

"context": { # General identifier of a data field in a storage service. # Points to the field that contains the context, for example, an entity id. If set, must also set cryptoKey. If set, shift will be consistent for the given context.

1166

"name": "A String", # Name describing the field.

1167

},

1168

"cryptoKey": { # This is a data encryption key (DEK) (as opposed to a key encryption key (KEK) stored by KMS). When using KMS to wrap/unwrap DEKs, be sure to set an appropriate IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot unwrap the data crypto key. # Causes the shift to be computed based on this key and the context. This results in the same shift for the same context and crypto_key. If set, must also set context. Can only be applied to table items.

1169

"transient": { # Use this to have a random data crypto key generated. It will be discarded after the request finishes. # Transient crypto key

1170

"name": "A String", # Required. Name of the key. This is an arbitrary string used to differentiate different keys. A unique key is generated per name: two separate `TransientCryptoKey` protos share the same generated key if their names are the same. When the data crypto key is generated, this name is not used in any way (repeating the api call will result in a different key being generated).

1171

},

1172

"kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. The wrapped key must be a 128/192/256 bit key. Authorization requires the following IAM permissions when sending a request to perform a crypto transformation using a kms-wrapped crypto key: dlp.kms.encrypt # Kms wrapped key

1173

"cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.

1174

"wrappedKey": "A String", # Required. The wrapped data crypto key.

1175

},

1176

"unwrapped": { # Using raw keys is prone to security risks due to accidentally leaking the key. Choose another type of key if possible. # Unwrapped crypto key

1177

"key": "A String", # Required. A 128/192/256 bit key.

1178

},

1179

},

1180

"lowerBoundDays": 42, # Required. For example, -5 means shift date to at most 5 days back in the past.

1181

"upperBoundDays": 42, # Required. Range of shift in days. Actual shift will be selected at random within this range (inclusive ends). Negative means shift to earlier in time. Must not be more than 365250 days (1000 years) each direction. For example, 3 means shift date to at most 3 days into the future.

1182

},

1183

"bucketingConfig": { # Generalization function that buckets values based on ranges. The ranges and replacement values are dynamically provided by the user for custom behavior, such as 1-30 -> LOW 31-65 -> MEDIUM 66-100 -> HIGH This can be used on data of type: number, long, string, timestamp. If the bound `Value` type differs from the type of data being transformed, we will first attempt converting the type of the data to be transformed to match the type of the bound before comparing. See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more. # Bucketing

1184

"buckets": [ # Set of buckets. Ranges must be non-overlapping.

1185

{ # Bucket is represented as a range, along with replacement values.

1186

"replacementValue": { # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a 'Value' is based on its representation as a UTF-8 encoded string. For example, if 'integer_value' is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data. # Required. Replacement value for this bucket.

1187

"dateValue": { # Represents a whole or partial calendar date, such as a birthday. The time of day and time zone are either specified elsewhere or are insignificant. The date is relative to the Gregorian Calendar. This can represent one of the following: * A full date, with non-zero year, month, and day values * A month and day value, with a zero year, such as an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, such as a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # date

1188

"year": 42, # Year of the date. Must be from 1 to 9999, or 0 to specify a date without a year.

1189

"day": 42, # Day of a month. Must be from 1 to 31 and valid for the year and month, or 0 to specify a year by itself or a year and month where the day isn't significant.

1190

"month": 42, # Month of a year. Must be from 1 to 12, or 0 to specify a year without a month and day.

1191

},

1192

"dayOfWeekValue": "A String", # day of week

1193

"integerValue": "A String", # integer

1194

"booleanValue": True or False, # boolean

1195

"stringValue": "A String", # string

1196

"floatValue": 3.14, # float

1197

"timestampValue": "A String", # timestamp

1198

"timeValue": { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # time of day

1199

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value "24:00:00" for scenarios like business closing time.

1200

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds.

1201

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

1202

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

1203

},

1204

},

1205

"min": { # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a 'Value' is based on its representation as a UTF-8 encoded string. For example, if 'integer_value' is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data. # Lower bound of the range, inclusive. Type should be the same as max if used.

1206

"dateValue": { # Represents a whole or partial calendar date, such as a birthday. The time of day and time zone are either specified elsewhere or are insignificant. The date is relative to the Gregorian Calendar. This can represent one of the following: * A full date, with non-zero year, month, and day values * A month and day value, with a zero year, such as an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, such as a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # date

1207

"year": 42, # Year of the date. Must be from 1 to 9999, or 0 to specify a date without a year.

1208

"day": 42, # Day of a month. Must be from 1 to 31 and valid for the year and month, or 0 to specify a year by itself or a year and month where the day isn't significant.

1209

"month": 42, # Month of a year. Must be from 1 to 12, or 0 to specify a year without a month and day.

1210

},

1211

"dayOfWeekValue": "A String", # day of week

1212

"integerValue": "A String", # integer

1213

"booleanValue": True or False, # boolean

1214

"stringValue": "A String", # string

1215

"floatValue": 3.14, # float

1216

"timestampValue": "A String", # timestamp

1217

"timeValue": { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # time of day

1218

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value "24:00:00" for scenarios like business closing time.

1219

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds.

1220

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

1221

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

1222

},

1223

},

1224

"max": { # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a 'Value' is based on its representation as a UTF-8 encoded string. For example, if 'integer_value' is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data. # Upper bound of the range, exclusive; type must match min.

1225

"dateValue": { # Represents a whole or partial calendar date, such as a birthday. The time of day and time zone are either specified elsewhere or are insignificant. The date is relative to the Gregorian Calendar. This can represent one of the following: * A full date, with non-zero year, month, and day values * A month and day value, with a zero year, such as an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, such as a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # date

1226

"year": 42, # Year of the date. Must be from 1 to 9999, or 0 to specify a date without a year.

1227

"day": 42, # Day of a month. Must be from 1 to 31 and valid for the year and month, or 0 to specify a year by itself or a year and month where the day isn't significant.

1228

"month": 42, # Month of a year. Must be from 1 to 12, or 0 to specify a year without a month and day.

1229

},

1230

"dayOfWeekValue": "A String", # day of week

1231

"integerValue": "A String", # integer

1232

"booleanValue": True or False, # boolean

1233

"stringValue": "A String", # string

1234

"floatValue": 3.14, # float

1235

"timestampValue": "A String", # timestamp

1236

"timeValue": { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # time of day

1237

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value "24:00:00" for scenarios like business closing time.

1238

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds.

1239

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

1240

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

},

},

},

],

},

"cryptoReplaceFfxFpeConfig": { # Replaces an identifier with a surrogate using Format Preserving Encryption (FPE) with the FFX mode of operation; however when used in the `ReidentifyContent` API method, it serves the opposite function by reversing the surrogate back into the original identifier. The identifier must be encoded as ASCII. For a given crypto key and context, the same identifier will be replaced with the same surrogate. Identifiers must be at least two characters long. In the case that the identifier is the empty string, it will be skipped. See https://cloud.google.com/dlp/docs/pseudonymization to learn more. Note: We recommend using CryptoDeterministicConfig for all use cases which do not require preserving the input alphabet space and size, plus warrant referential integrity. # Ffx-Fpe

1247

"customAlphabet": "A String", # This is supported by mapping these to the alphanumeric characters that the FFX mode natively supports. This happens before/after encryption/decryption. Each character listed must appear only once. Number of characters must be in the range [2, 95]. This must be encoded as ASCII. The order of characters does not matter. The full list of allowed characters is: 0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz ~`!@#$%^&*()_-+={[}]|\:;"'<,>.?/

1248

"cryptoKey": { # This is a data encryption key (DEK) (as opposed to a key encryption key (KEK) stored by KMS). When using KMS to wrap/unwrap DEKs, be sure to set an appropriate IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot unwrap the data crypto key. # Required. The key used by the encryption algorithm.

1249

"transient": { # Use this to have a random data crypto key generated. It will be discarded after the request finishes. # Transient crypto key

1250

"name": "A String", # Required. Name of the key. This is an arbitrary string used to differentiate different keys. A unique key is generated per name: two separate `TransientCryptoKey` protos share the same generated key if their names are the same. When the data crypto key is generated, this name is not used in any way (repeating the api call will result in a different key being generated).

1251

},

1252

"kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. The wrapped key must be a 128/192/256 bit key. Authorization requires the following IAM permissions when sending a request to perform a crypto transformation using a kms-wrapped crypto key: dlp.kms.encrypt # Kms wrapped key

1253

"cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.

1254

"wrappedKey": "A String", # Required. The wrapped data crypto key.

1255

},

1256

"unwrapped": { # Using raw keys is prone to security risks due to accidentally leaking the key. Choose another type of key if possible. # Unwrapped crypto key

1257

"key": "A String", # Required. A 128/192/256 bit key.

1258

},

1259

},

1260

"commonAlphabet": "A String", # Common alphabets.

1261

"radix": 42, # The native way to select the alphabet. Must be in the range [2, 95].

1262

"surrogateInfoType": { # Type of information detected by the API. # The custom infoType to annotate the surrogate with. This annotation will be applied to the surrogate by prefixing it with the name of the custom infoType followed by the number of characters comprising the surrogate. The following scheme defines the format: info_type_name(surrogate_character_count):surrogate For example, if the name of custom infoType is 'MY_TOKEN_INFO_TYPE' and the surrogate is 'abc', the full replacement value will be: 'MY_TOKEN_INFO_TYPE(3):abc' This annotation identifies the surrogate when inspecting content using the custom infoType [`SurrogateType`](https://cloud.google.com/dlp/docs/reference/rest/v2/InspectConfig#surrogatetype). This facilitates reversal of the surrogate when it occurs in free text. In order for inspection to work properly, the name of this infoType must not occur naturally anywhere in your data; otherwise, inspection may find a surrogate that does not correspond to an actual identifier. Therefore, choose your custom infoType name carefully after considering what your data looks like. One way to select a name that has a high chance of yielding reliable detection is to include one or more unicode characters that are highly improbable to exist in your data. For example, assuming your data is entered from a regular ASCII keyboard, the symbol with the hex code point 29DD might be used like so: ⧝MY_TOKEN_TYPE

1263

"name": "A String", # Name of the information type. Either a name of your choosing when creating a CustomInfoType, or one of the names listed at https://cloud.google.com/dlp/docs/infotypes-reference when specifying a built-in type. When sending Cloud DLP results to Data Catalog, infoType names should conform to the pattern `[A-Za-z0-9$-_]{1,64}`.

1264

},

1265

"context": { # General identifier of a data field in a storage service. # The 'tweak', a context may be used for higher security since the same identifier in two different contexts won't be given the same surrogate. If the context is not set, a default tweak will be used. If the context is set but: 1. there is no record present when transforming a given value or 1. the field is not present when transforming a given value, a default tweak will be used. Note that case (1) is expected when an `InfoTypeTransformation` is applied to both structured and non-structured `ContentItem`s. Currently, the referenced field may be of value type integer or string. The tweak is constructed as a sequence of bytes in big endian byte order such that: - a 64 bit integer is encoded followed by a single byte of value 1 - a string is encoded in UTF-8 format followed by a single byte of value 2

1266

"name": "A String", # Name describing the field.

1267

},

1268

},

1269

"timePartConfig": { # For use with `Date`, `Timestamp`, and `TimeOfDay`, extract or preserve a portion of the value. # Time extraction

1270

"partToExtract": "A String", # The part of the time to keep.

1271

},

1272

"replaceWithInfoTypeConfig": { # Replace each matching finding with the name of the info_type. # Replace with infotype

1273

},

1274

"fixedSizeBucketingConfig": { # Buckets values based on fixed size ranges. The Bucketing transformation can provide all of this functionality, but requires more configuration. This message is provided as a convenience to the user for simple bucketing strategies. The transformed value will be a hyphenated string of {lower_bound}-{upper_bound}, i.e if lower_bound = 10 and upper_bound = 20 all values that are within this bucket will be replaced with "10-20". This can be used on data of type: double, long. If the bound Value type differs from the type of data being transformed, we will first attempt converting the type of the data to be transformed to match the type of the bound before comparing. See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more. # Fixed size bucketing

1275

"bucketSize": 3.14, # Required. Size of each bucket (except for minimum and maximum buckets). So if `lower_bound` = 10, `upper_bound` = 89, and `bucket_size` = 10, then the following buckets would be used: -10, 10-20, 20-30, 30-40, 40-50, 50-60, 60-70, 70-80, 80-89, 89+. Precision up to 2 decimals works.

1276

"upperBound": { # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a 'Value' is based on its representation as a UTF-8 encoded string. For example, if 'integer_value' is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data. # Required. Upper bound value of buckets. All values greater than upper_bound are grouped together into a single bucket; for example if `upper_bound` = 89, then all values greater than 89 are replaced with the value "89+".

1277

"dateValue": { # Represents a whole or partial calendar date, such as a birthday. The time of day and time zone are either specified elsewhere or are insignificant. The date is relative to the Gregorian Calendar. This can represent one of the following: * A full date, with non-zero year, month, and day values * A month and day value, with a zero year, such as an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, such as a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # date

1278

"year": 42, # Year of the date. Must be from 1 to 9999, or 0 to specify a date without a year.

1279

"day": 42, # Day of a month. Must be from 1 to 31 and valid for the year and month, or 0 to specify a year by itself or a year and month where the day isn't significant.

1280

"month": 42, # Month of a year. Must be from 1 to 12, or 0 to specify a year without a month and day.

1281

},

1282

"dayOfWeekValue": "A String", # day of week

1283

"integerValue": "A String", # integer

1284

"booleanValue": True or False, # boolean

1285

"stringValue": "A String", # string

1286

"floatValue": 3.14, # float

1287

"timestampValue": "A String", # timestamp

1288

"timeValue": { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # time of day

1289

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value "24:00:00" for scenarios like business closing time.

1290

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds.

1291

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

1292

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

1293

},

1294

},

1295

"lowerBound": { # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a 'Value' is based on its representation as a UTF-8 encoded string. For example, if 'integer_value' is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data. # Required. Lower bound value of buckets. All values less than `lower_bound` are grouped together into a single bucket; for example if `lower_bound` = 10, then all values less than 10 are replaced with the value "-10".

1296

"dateValue": { # Represents a whole or partial calendar date, such as a birthday. The time of day and time zone are either specified elsewhere or are insignificant. The date is relative to the Gregorian Calendar. This can represent one of the following: * A full date, with non-zero year, month, and day values * A month and day value, with a zero year, such as an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, such as a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # date

1297

"year": 42, # Year of the date. Must be from 1 to 9999, or 0 to specify a date without a year.

1298

"day": 42, # Day of a month. Must be from 1 to 31 and valid for the year and month, or 0 to specify a year by itself or a year and month where the day isn't significant.

1299

"month": 42, # Month of a year. Must be from 1 to 12, or 0 to specify a year without a month and day.

1300

},

1301

"dayOfWeekValue": "A String", # day of week

1302

"integerValue": "A String", # integer

1303

"booleanValue": True or False, # boolean

1304

"stringValue": "A String", # string

1305

"floatValue": 3.14, # float

1306

"timestampValue": "A String", # timestamp

1307

"timeValue": { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # time of day

1308

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value "24:00:00" for scenarios like business closing time.

1309

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds.

1310

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

1311

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

},

},

},

"replaceConfig": { # Replace each input value with a given `Value`. # Replace

1316

"newValue": { # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a 'Value' is based on its representation as a UTF-8 encoded string. For example, if 'integer_value' is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data. # Value to replace it with.

1317

"dateValue": { # Represents a whole or partial calendar date, such as a birthday. The time of day and time zone are either specified elsewhere or are insignificant. The date is relative to the Gregorian Calendar. This can represent one of the following: * A full date, with non-zero year, month, and day values * A month and day value, with a zero year, such as an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, such as a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # date

1318

"year": 42, # Year of the date. Must be from 1 to 9999, or 0 to specify a date without a year.

1319

"day": 42, # Day of a month. Must be from 1 to 31 and valid for the year and month, or 0 to specify a year by itself or a year and month where the day isn't significant.

1320

"month": 42, # Month of a year. Must be from 1 to 12, or 0 to specify a year without a month and day.

1321

},

1322

"dayOfWeekValue": "A String", # day of week

1323

"integerValue": "A String", # integer

1324

"booleanValue": True or False, # boolean

1325

"stringValue": "A String", # string

1326

"floatValue": 3.14, # float

1327

"timestampValue": "A String", # timestamp

1328

"timeValue": { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # time of day

1329

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value "24:00:00" for scenarios like business closing time.

1330

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds.

1331

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

1332

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

},

},

},

"redactConfig": { # Redact a given value. For example, if used with an `InfoTypeTransformation` transforming PHONE_NUMBER, and input 'My phone number is 206-555-0123', the output would be 'My phone number is '. # Redact

1337

},

1338

},

1339

"infoTypes": [ # InfoTypes to apply the transformation to. An empty list will cause this transformation to apply to all findings that correspond to infoTypes that were requested in `InspectConfig`.

1340

{ # Type of information detected by the API.

1341

"name": "A String", # Name of the information type. Either a name of your choosing when creating a CustomInfoType, or one of the names listed at https://cloud.google.com/dlp/docs/infotypes-reference when specifying a built-in type. When sending Cloud DLP results to Data Catalog, infoType names should conform to the pattern `[A-Za-z0-9$-_]{1,64}`.

},

],

},

],

},

"primitiveTransformation": { # A rule for transforming a value. # Apply the transformation to the entire field.

1348

"cryptoDeterministicConfig": { # Pseudonymization method that generates deterministic encryption for the given input. Outputs a base64 encoded representation of the encrypted output. Uses AES-SIV based on the RFC https://tools.ietf.org/html/rfc5297. # Deterministic Crypto

1349

"cryptoKey": { # This is a data encryption key (DEK) (as opposed to a key encryption key (KEK) stored by KMS). When using KMS to wrap/unwrap DEKs, be sure to set an appropriate IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot unwrap the data crypto key. # The key used by the encryption function.

1350

"transient": { # Use this to have a random data crypto key generated. It will be discarded after the request finishes. # Transient crypto key

1351

"name": "A String", # Required. Name of the key. This is an arbitrary string used to differentiate different keys. A unique key is generated per name: two separate `TransientCryptoKey` protos share the same generated key if their names are the same. When the data crypto key is generated, this name is not used in any way (repeating the api call will result in a different key being generated).

1352

},

1353

"kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. The wrapped key must be a 128/192/256 bit key. Authorization requires the following IAM permissions when sending a request to perform a crypto transformation using a kms-wrapped crypto key: dlp.kms.encrypt # Kms wrapped key

1354

"cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.

1355

"wrappedKey": "A String", # Required. The wrapped data crypto key.

1356

},

1357

"unwrapped": { # Using raw keys is prone to security risks due to accidentally leaking the key. Choose another type of key if possible. # Unwrapped crypto key

1358

"key": "A String", # Required. A 128/192/256 bit key.

1359

},

1360

},

1361

"context": { # General identifier of a data field in a storage service. # A context may be used for higher security and maintaining referential integrity such that the same identifier in two different contexts will be given a distinct surrogate. The context is appended to plaintext value being encrypted. On decryption the provided context is validated against the value used during encryption. If a context was provided during encryption, same context must be provided during decryption as well. If the context is not set, plaintext would be used as is for encryption. If the context is set but: 1. there is no record present when transforming a given value or 2. the field is not present when transforming a given value, plaintext would be used as is for encryption. Note that case (1) is expected when an `InfoTypeTransformation` is applied to both structured and non-structured `ContentItem`s.

1362

"name": "A String", # Name describing the field.

1363

},

1364

"surrogateInfoType": { # Type of information detected by the API. # The custom info type to annotate the surrogate with. This annotation will be applied to the surrogate by prefixing it with the name of the custom info type followed by the number of characters comprising the surrogate. The following scheme defines the format: {info type name}({surrogate character count}):{surrogate} For example, if the name of custom info type is 'MY_TOKEN_INFO_TYPE' and the surrogate is 'abc', the full replacement value will be: 'MY_TOKEN_INFO_TYPE(3):abc' This annotation identifies the surrogate when inspecting content using the custom info type 'Surrogate'. This facilitates reversal of the surrogate when it occurs in free text. Note: For record transformations where the entire cell in a table is being transformed, surrogates are not mandatory. Surrogates are used to denote the location of the token and are necessary for re-identification in free form text. In order for inspection to work properly, the name of this info type must not occur naturally anywhere in your data; otherwise, inspection may either - reverse a surrogate that does not correspond to an actual identifier - be unable to parse the surrogate and result in an error Therefore, choose your custom info type name carefully after considering what your data looks like. One way to select a name that has a high chance of yielding reliable detection is to include one or more unicode characters that are highly improbable to exist in your data. For example, assuming your data is entered from a regular ASCII keyboard, the symbol with the hex code point 29DD might be used like so: ⧝MY_TOKEN_TYPE.

1365

"name": "A String", # Name of the information type. Either a name of your choosing when creating a CustomInfoType, or one of the names listed at https://cloud.google.com/dlp/docs/infotypes-reference when specifying a built-in type. When sending Cloud DLP results to Data Catalog, infoType names should conform to the pattern `[A-Za-z0-9$-_]{1,64}`.

1366

},

1367

},

1368

"characterMaskConfig": { # Partially mask a string by replacing a given number of characters with a fixed character. Masking can start from the beginning or end of the string. This can be used on data of any type (numbers, longs, and so on) and when de-identifying structured data we'll attempt to preserve the original data's type. (This allows you to take a long like 123 and modify it to a string like **3. # Mask

1369

"charactersToIgnore": [ # When masking a string, items in this list will be skipped when replacing characters. For example, if the input string is `555-555-5555` and you instruct Cloud DLP to skip `-` and mask 5 characters with `*`, Cloud DLP returns `***-**5-5555`.

1370

{ # Characters to skip when doing deidentification of a value. These will be left alone and skipped.

1371

"commonCharactersToIgnore": "A String", # Common characters to not transform when masking. Useful to avoid removing punctuation.

1372

"charactersToSkip": "A String", # Characters to not transform when masking.

1373

},

1374

],

1375

"reverseOrder": True or False, # Mask characters in reverse order. For example, if `masking_character` is `0`, `number_to_mask` is `14`, and `reverse_order` is `false`, then the input string `1234-5678-9012-3456` is masked as `00000000000000-3456`. If `masking_character` is `*`, `number_to_mask` is `3`, and `reverse_order` is `true`, then the string `12345` is masked as `12***`.

1376

"numberToMask": 42, # Number of characters to mask. If not set, all matching chars will be masked. Skipped characters do not count towards this tally.

1377

"maskingCharacter": "A String", # Character to use to mask the sensitive values—for example, `*` for an alphabetic string such as a name, or `0` for a numeric string such as ZIP code or credit card number. This string must have a length of 1. If not supplied, this value defaults to `*` for strings, and `0` for digits.

1378

},

1379

"cryptoHashConfig": { # Pseudonymization method that generates surrogates via cryptographic hashing. Uses SHA-256. The key size must be either 32 or 64 bytes. Outputs a base64 encoded representation of the hashed output (for example, L7k0BHmF1ha5U3NfGykjro4xWi1MPVQPjhMAZbSV9mM=). Currently, only string and integer values can be hashed. See https://cloud.google.com/dlp/docs/pseudonymization to learn more. # Crypto

1380

"cryptoKey": { # This is a data encryption key (DEK) (as opposed to a key encryption key (KEK) stored by KMS). When using KMS to wrap/unwrap DEKs, be sure to set an appropriate IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot unwrap the data crypto key. # The key used by the hash function.

1381

"transient": { # Use this to have a random data crypto key generated. It will be discarded after the request finishes. # Transient crypto key

1382

"name": "A String", # Required. Name of the key. This is an arbitrary string used to differentiate different keys. A unique key is generated per name: two separate `TransientCryptoKey` protos share the same generated key if their names are the same. When the data crypto key is generated, this name is not used in any way (repeating the api call will result in a different key being generated).

1383

},

1384

"kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. The wrapped key must be a 128/192/256 bit key. Authorization requires the following IAM permissions when sending a request to perform a crypto transformation using a kms-wrapped crypto key: dlp.kms.encrypt # Kms wrapped key

1385

"cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.

1386

"wrappedKey": "A String", # Required. The wrapped data crypto key.

1387

},

1388

"unwrapped": { # Using raw keys is prone to security risks due to accidentally leaking the key. Choose another type of key if possible. # Unwrapped crypto key

1389

"key": "A String", # Required. A 128/192/256 bit key.

},

},

},

"dateShiftConfig": { # Shifts dates by random number of days, with option to be consistent for the same context. See https://cloud.google.com/dlp/docs/concepts-date-shifting to learn more. # Date Shift

1394

"context": { # General identifier of a data field in a storage service. # Points to the field that contains the context, for example, an entity id. If set, must also set cryptoKey. If set, shift will be consistent for the given context.

1395

"name": "A String", # Name describing the field.

1396

},

1397

"cryptoKey": { # This is a data encryption key (DEK) (as opposed to a key encryption key (KEK) stored by KMS). When using KMS to wrap/unwrap DEKs, be sure to set an appropriate IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot unwrap the data crypto key. # Causes the shift to be computed based on this key and the context. This results in the same shift for the same context and crypto_key. If set, must also set context. Can only be applied to table items.

1398

"transient": { # Use this to have a random data crypto key generated. It will be discarded after the request finishes. # Transient crypto key

1399

"name": "A String", # Required. Name of the key. This is an arbitrary string used to differentiate different keys. A unique key is generated per name: two separate `TransientCryptoKey` protos share the same generated key if their names are the same. When the data crypto key is generated, this name is not used in any way (repeating the api call will result in a different key being generated).

1400

},

1401

"kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. The wrapped key must be a 128/192/256 bit key. Authorization requires the following IAM permissions when sending a request to perform a crypto transformation using a kms-wrapped crypto key: dlp.kms.encrypt # Kms wrapped key

1402

"cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.

1403

"wrappedKey": "A String", # Required. The wrapped data crypto key.

1404

},

1405

"unwrapped": { # Using raw keys is prone to security risks due to accidentally leaking the key. Choose another type of key if possible. # Unwrapped crypto key

1406

"key": "A String", # Required. A 128/192/256 bit key.

1407

},

1408

},

1409

"lowerBoundDays": 42, # Required. For example, -5 means shift date to at most 5 days back in the past.

1410

"upperBoundDays": 42, # Required. Range of shift in days. Actual shift will be selected at random within this range (inclusive ends). Negative means shift to earlier in time. Must not be more than 365250 days (1000 years) each direction. For example, 3 means shift date to at most 3 days into the future.

1411

},

1412

"bucketingConfig": { # Generalization function that buckets values based on ranges. The ranges and replacement values are dynamically provided by the user for custom behavior, such as 1-30 -> LOW 31-65 -> MEDIUM 66-100 -> HIGH This can be used on data of type: number, long, string, timestamp. If the bound `Value` type differs from the type of data being transformed, we will first attempt converting the type of the data to be transformed to match the type of the bound before comparing. See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more. # Bucketing

1413

"buckets": [ # Set of buckets. Ranges must be non-overlapping.

1414

{ # Bucket is represented as a range, along with replacement values.

1415

"replacementValue": { # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a 'Value' is based on its representation as a UTF-8 encoded string. For example, if 'integer_value' is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data. # Required. Replacement value for this bucket.

1416

"dateValue": { # Represents a whole or partial calendar date, such as a birthday. The time of day and time zone are either specified elsewhere or are insignificant. The date is relative to the Gregorian Calendar. This can represent one of the following: * A full date, with non-zero year, month, and day values * A month and day value, with a zero year, such as an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, such as a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # date

1417

"year": 42, # Year of the date. Must be from 1 to 9999, or 0 to specify a date without a year.

1418

"day": 42, # Day of a month. Must be from 1 to 31 and valid for the year and month, or 0 to specify a year by itself or a year and month where the day isn't significant.

1419

"month": 42, # Month of a year. Must be from 1 to 12, or 0 to specify a year without a month and day.

1420

},

1421

"dayOfWeekValue": "A String", # day of week

1422

"integerValue": "A String", # integer

1423

"booleanValue": True or False, # boolean

1424

"stringValue": "A String", # string

1425

"floatValue": 3.14, # float

1426

"timestampValue": "A String", # timestamp

1427

"timeValue": { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # time of day

1428

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value "24:00:00" for scenarios like business closing time.

1429

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds.

1430

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

1431

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

1432

},

1433

},

1434

"min": { # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a 'Value' is based on its representation as a UTF-8 encoded string. For example, if 'integer_value' is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data. # Lower bound of the range, inclusive. Type should be the same as max if used.

1435

"dateValue": { # Represents a whole or partial calendar date, such as a birthday. The time of day and time zone are either specified elsewhere or are insignificant. The date is relative to the Gregorian Calendar. This can represent one of the following: * A full date, with non-zero year, month, and day values * A month and day value, with a zero year, such as an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, such as a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # date

1436

"year": 42, # Year of the date. Must be from 1 to 9999, or 0 to specify a date without a year.

1437

"day": 42, # Day of a month. Must be from 1 to 31 and valid for the year and month, or 0 to specify a year by itself or a year and month where the day isn't significant.

1438

"month": 42, # Month of a year. Must be from 1 to 12, or 0 to specify a year without a month and day.

1439

},

1440

"dayOfWeekValue": "A String", # day of week

1441

"integerValue": "A String", # integer

1442

"booleanValue": True or False, # boolean

1443

"stringValue": "A String", # string

1444

"floatValue": 3.14, # float

1445

"timestampValue": "A String", # timestamp

1446

"timeValue": { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # time of day

1447

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value "24:00:00" for scenarios like business closing time.

1448

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds.

1449

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

1450

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

1451

},

1452

},

1453

"max": { # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a 'Value' is based on its representation as a UTF-8 encoded string. For example, if 'integer_value' is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data. # Upper bound of the range, exclusive; type must match min.

1454

"dateValue": { # Represents a whole or partial calendar date, such as a birthday. The time of day and time zone are either specified elsewhere or are insignificant. The date is relative to the Gregorian Calendar. This can represent one of the following: * A full date, with non-zero year, month, and day values * A month and day value, with a zero year, such as an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, such as a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # date

1455

"year": 42, # Year of the date. Must be from 1 to 9999, or 0 to specify a date without a year.

1456

"day": 42, # Day of a month. Must be from 1 to 31 and valid for the year and month, or 0 to specify a year by itself or a year and month where the day isn't significant.

1457

"month": 42, # Month of a year. Must be from 1 to 12, or 0 to specify a year without a month and day.

1458

},

1459

"dayOfWeekValue": "A String", # day of week

1460

"integerValue": "A String", # integer

1461

"booleanValue": True or False, # boolean

1462

"stringValue": "A String", # string

1463

"floatValue": 3.14, # float

1464

"timestampValue": "A String", # timestamp

1465

"timeValue": { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # time of day

1466

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value "24:00:00" for scenarios like business closing time.

1467

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds.

1468

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

1469

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

},

},

},

],

},

"cryptoReplaceFfxFpeConfig": { # Replaces an identifier with a surrogate using Format Preserving Encryption (FPE) with the FFX mode of operation; however when used in the `ReidentifyContent` API method, it serves the opposite function by reversing the surrogate back into the original identifier. The identifier must be encoded as ASCII. For a given crypto key and context, the same identifier will be replaced with the same surrogate. Identifiers must be at least two characters long. In the case that the identifier is the empty string, it will be skipped. See https://cloud.google.com/dlp/docs/pseudonymization to learn more. Note: We recommend using CryptoDeterministicConfig for all use cases which do not require preserving the input alphabet space and size, plus warrant referential integrity. # Ffx-Fpe

1476

"customAlphabet": "A String", # This is supported by mapping these to the alphanumeric characters that the FFX mode natively supports. This happens before/after encryption/decryption. Each character listed must appear only once. Number of characters must be in the range [2, 95]. This must be encoded as ASCII. The order of characters does not matter. The full list of allowed characters is: 0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz ~`!@#$%^&*()_-+={[}]|\:;"'<,>.?/

1477

"cryptoKey": { # This is a data encryption key (DEK) (as opposed to a key encryption key (KEK) stored by KMS). When using KMS to wrap/unwrap DEKs, be sure to set an appropriate IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot unwrap the data crypto key. # Required. The key used by the encryption algorithm.

1478

"transient": { # Use this to have a random data crypto key generated. It will be discarded after the request finishes. # Transient crypto key

1479

"name": "A String", # Required. Name of the key. This is an arbitrary string used to differentiate different keys. A unique key is generated per name: two separate `TransientCryptoKey` protos share the same generated key if their names are the same. When the data crypto key is generated, this name is not used in any way (repeating the api call will result in a different key being generated).

1480

},

1481

"kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. The wrapped key must be a 128/192/256 bit key. Authorization requires the following IAM permissions when sending a request to perform a crypto transformation using a kms-wrapped crypto key: dlp.kms.encrypt # Kms wrapped key

1482

"cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.

1483

"wrappedKey": "A String", # Required. The wrapped data crypto key.

1484

},

1485

"unwrapped": { # Using raw keys is prone to security risks due to accidentally leaking the key. Choose another type of key if possible. # Unwrapped crypto key

1486

"key": "A String", # Required. A 128/192/256 bit key.

1487

},

1488

},

1489

"commonAlphabet": "A String", # Common alphabets.

1490

"radix": 42, # The native way to select the alphabet. Must be in the range [2, 95].

1491

"surrogateInfoType": { # Type of information detected by the API. # The custom infoType to annotate the surrogate with. This annotation will be applied to the surrogate by prefixing it with the name of the custom infoType followed by the number of characters comprising the surrogate. The following scheme defines the format: info_type_name(surrogate_character_count):surrogate For example, if the name of custom infoType is 'MY_TOKEN_INFO_TYPE' and the surrogate is 'abc', the full replacement value will be: 'MY_TOKEN_INFO_TYPE(3):abc' This annotation identifies the surrogate when inspecting content using the custom infoType [`SurrogateType`](https://cloud.google.com/dlp/docs/reference/rest/v2/InspectConfig#surrogatetype). This facilitates reversal of the surrogate when it occurs in free text. In order for inspection to work properly, the name of this infoType must not occur naturally anywhere in your data; otherwise, inspection may find a surrogate that does not correspond to an actual identifier. Therefore, choose your custom infoType name carefully after considering what your data looks like. One way to select a name that has a high chance of yielding reliable detection is to include one or more unicode characters that are highly improbable to exist in your data. For example, assuming your data is entered from a regular ASCII keyboard, the symbol with the hex code point 29DD might be used like so: ⧝MY_TOKEN_TYPE

1492

"name": "A String", # Name of the information type. Either a name of your choosing when creating a CustomInfoType, or one of the names listed at https://cloud.google.com/dlp/docs/infotypes-reference when specifying a built-in type. When sending Cloud DLP results to Data Catalog, infoType names should conform to the pattern `[A-Za-z0-9$-_]{1,64}`.

1493

},

1494

"context": { # General identifier of a data field in a storage service. # The 'tweak', a context may be used for higher security since the same identifier in two different contexts won't be given the same surrogate. If the context is not set, a default tweak will be used. If the context is set but: 1. there is no record present when transforming a given value or 1. the field is not present when transforming a given value, a default tweak will be used. Note that case (1) is expected when an `InfoTypeTransformation` is applied to both structured and non-structured `ContentItem`s. Currently, the referenced field may be of value type integer or string. The tweak is constructed as a sequence of bytes in big endian byte order such that: - a 64 bit integer is encoded followed by a single byte of value 1 - a string is encoded in UTF-8 format followed by a single byte of value 2

1495

"name": "A String", # Name describing the field.

1496

},

1497

},

1498

"timePartConfig": { # For use with `Date`, `Timestamp`, and `TimeOfDay`, extract or preserve a portion of the value. # Time extraction

1499

"partToExtract": "A String", # The part of the time to keep.

1500

},

1501

"replaceWithInfoTypeConfig": { # Replace each matching finding with the name of the info_type. # Replace with infotype

1502

},

1503

"fixedSizeBucketingConfig": { # Buckets values based on fixed size ranges. The Bucketing transformation can provide all of this functionality, but requires more configuration. This message is provided as a convenience to the user for simple bucketing strategies. The transformed value will be a hyphenated string of {lower_bound}-{upper_bound}, i.e if lower_bound = 10 and upper_bound = 20 all values that are within this bucket will be replaced with "10-20". This can be used on data of type: double, long. If the bound Value type differs from the type of data being transformed, we will first attempt converting the type of the data to be transformed to match the type of the bound before comparing. See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more. # Fixed size bucketing

1504

"bucketSize": 3.14, # Required. Size of each bucket (except for minimum and maximum buckets). So if `lower_bound` = 10, `upper_bound` = 89, and `bucket_size` = 10, then the following buckets would be used: -10, 10-20, 20-30, 30-40, 40-50, 50-60, 60-70, 70-80, 80-89, 89+. Precision up to 2 decimals works.

1505

"upperBound": { # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a 'Value' is based on its representation as a UTF-8 encoded string. For example, if 'integer_value' is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data. # Required. Upper bound value of buckets. All values greater than upper_bound are grouped together into a single bucket; for example if `upper_bound` = 89, then all values greater than 89 are replaced with the value "89+".

1506

"dateValue": { # Represents a whole or partial calendar date, such as a birthday. The time of day and time zone are either specified elsewhere or are insignificant. The date is relative to the Gregorian Calendar. This can represent one of the following: * A full date, with non-zero year, month, and day values * A month and day value, with a zero year, such as an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, such as a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # date

1507

"year": 42, # Year of the date. Must be from 1 to 9999, or 0 to specify a date without a year.

1508

"day": 42, # Day of a month. Must be from 1 to 31 and valid for the year and month, or 0 to specify a year by itself or a year and month where the day isn't significant.

1509

"month": 42, # Month of a year. Must be from 1 to 12, or 0 to specify a year without a month and day.

1510

},

1511

"dayOfWeekValue": "A String", # day of week

1512

"integerValue": "A String", # integer

1513

"booleanValue": True or False, # boolean

1514

"stringValue": "A String", # string

1515

"floatValue": 3.14, # float

1516

"timestampValue": "A String", # timestamp

1517

"timeValue": { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # time of day

1518

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value "24:00:00" for scenarios like business closing time.

1519

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds.

1520

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

1521

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

1522

},

1523

},

1524

"lowerBound": { # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a 'Value' is based on its representation as a UTF-8 encoded string. For example, if 'integer_value' is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data. # Required. Lower bound value of buckets. All values less than `lower_bound` are grouped together into a single bucket; for example if `lower_bound` = 10, then all values less than 10 are replaced with the value "-10".

1525

"dateValue": { # Represents a whole or partial calendar date, such as a birthday. The time of day and time zone are either specified elsewhere or are insignificant. The date is relative to the Gregorian Calendar. This can represent one of the following: * A full date, with non-zero year, month, and day values * A month and day value, with a zero year, such as an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, such as a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # date

1526

"year": 42, # Year of the date. Must be from 1 to 9999, or 0 to specify a date without a year.

1527

"day": 42, # Day of a month. Must be from 1 to 31 and valid for the year and month, or 0 to specify a year by itself or a year and month where the day isn't significant.

1528

"month": 42, # Month of a year. Must be from 1 to 12, or 0 to specify a year without a month and day.

1529

},

1530

"dayOfWeekValue": "A String", # day of week

1531

"integerValue": "A String", # integer

1532

"booleanValue": True or False, # boolean

1533

"stringValue": "A String", # string

1534

"floatValue": 3.14, # float

1535

"timestampValue": "A String", # timestamp

1536

"timeValue": { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # time of day

1537

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value "24:00:00" for scenarios like business closing time.

1538

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds.

1539

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

1540

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

},

},

},

"replaceConfig": { # Replace each input value with a given `Value`. # Replace

1545

"newValue": { # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a 'Value' is based on its representation as a UTF-8 encoded string. For example, if 'integer_value' is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data. # Value to replace it with.

1546

"dateValue": { # Represents a whole or partial calendar date, such as a birthday. The time of day and time zone are either specified elsewhere or are insignificant. The date is relative to the Gregorian Calendar. This can represent one of the following: * A full date, with non-zero year, month, and day values * A month and day value, with a zero year, such as an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, such as a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # date

1547

"year": 42, # Year of the date. Must be from 1 to 9999, or 0 to specify a date without a year.

1548

"day": 42, # Day of a month. Must be from 1 to 31 and valid for the year and month, or 0 to specify a year by itself or a year and month where the day isn't significant.

1549

"month": 42, # Month of a year. Must be from 1 to 12, or 0 to specify a year without a month and day.

1550

},

1551

"dayOfWeekValue": "A String", # day of week

1552

"integerValue": "A String", # integer

1553

"booleanValue": True or False, # boolean

1554

"stringValue": "A String", # string

1555

"floatValue": 3.14, # float

1556

"timestampValue": "A String", # timestamp

1557

"timeValue": { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # time of day

1558

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value "24:00:00" for scenarios like business closing time.

1559

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds.

1560

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

1561

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

},

},

},

"redactConfig": { # Redact a given value. For example, if used with an `InfoTypeTransformation` transforming PHONE_NUMBER, and input 'My phone number is 206-555-0123', the output would be 'My phone number is '. # Redact

1566

},

1567

},

1568

"condition": { # A condition for determining whether a transformation should be applied to a field. # Only apply the transformation if the condition evaluates to true for the given `RecordCondition`. The conditions are allowed to reference fields that are not used in the actual transformation. Example Use Cases: - Apply a different bucket transformation to an age column if the zip code column for the same record is within a specific range. - Redact a field if the date of birth field is greater than 85.

1569

"expressions": { # An expression, consisting or an operator and conditions. # An expression.

1570

"logicalOperator": "A String", # The operator to apply to the result of conditions. Default and currently only supported value is `AND`.

1571

"conditions": { # A collection of conditions. # Conditions to apply to the expression.

1572

"conditions": [ # A collection of conditions.

1573

{ # The field type of `value` and `field` do not need to match to be considered equal, but not all comparisons are possible. EQUAL_TO and NOT_EQUAL_TO attempt to compare even with incompatible types, but all other comparisons are invalid with incompatible types. A `value` of type: - `string` can be compared against all other types - `boolean` can only be compared against other booleans - `integer` can be compared against doubles or a string if the string value can be parsed as an integer. - `double` can be compared against integers or a string if the string can be parsed as a double. - `Timestamp` can be compared against strings in RFC 3339 date string format. - `TimeOfDay` can be compared against timestamps and strings in the format of 'HH:mm:ss'. If we fail to compare do to type mismatch, a warning will be given and the condition will evaluate to false.

1574

"value": { # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a 'Value' is based on its representation as a UTF-8 encoded string. For example, if 'integer_value' is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data. # Value to compare against. [Mandatory, except for `EXISTS` tests.]

1575

"dateValue": { # Represents a whole or partial calendar date, such as a birthday. The time of day and time zone are either specified elsewhere or are insignificant. The date is relative to the Gregorian Calendar. This can represent one of the following: * A full date, with non-zero year, month, and day values * A month and day value, with a zero year, such as an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, such as a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # date

1576

"year": 42, # Year of the date. Must be from 1 to 9999, or 0 to specify a date without a year.

1577

"day": 42, # Day of a month. Must be from 1 to 31 and valid for the year and month, or 0 to specify a year by itself or a year and month where the day isn't significant.

1578

"month": 42, # Month of a year. Must be from 1 to 12, or 0 to specify a year without a month and day.

1579

},

1580

"dayOfWeekValue": "A String", # day of week

1581

"integerValue": "A String", # integer

1582

"booleanValue": True or False, # boolean

1583

"stringValue": "A String", # string

1584

"floatValue": 3.14, # float

1585

"timestampValue": "A String", # timestamp

1586

"timeValue": { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # time of day

1587

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value "24:00:00" for scenarios like business closing time.

1588

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds.

1589

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

1590

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

1591

},

1592

},

1593

"operator": "A String", # Required. Operator used to compare the field or infoType to the value.

1594

"field": { # General identifier of a data field in a storage service. # Required. Field within the record this condition is evaluated against.

1595

"name": "A String", # Name describing the field.

},

},

],

},

},

},

},

],

"transformation": { # A rule for transforming a value. # The specific transformation these stats apply to.

1605

"cryptoDeterministicConfig": { # Pseudonymization method that generates deterministic encryption for the given input. Outputs a base64 encoded representation of the encrypted output. Uses AES-SIV based on the RFC https://tools.ietf.org/html/rfc5297. # Deterministic Crypto

1606

"cryptoKey": { # This is a data encryption key (DEK) (as opposed to a key encryption key (KEK) stored by KMS). When using KMS to wrap/unwrap DEKs, be sure to set an appropriate IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot unwrap the data crypto key. # The key used by the encryption function.

1607

"transient": { # Use this to have a random data crypto key generated. It will be discarded after the request finishes. # Transient crypto key

1608

"name": "A String", # Required. Name of the key. This is an arbitrary string used to differentiate different keys. A unique key is generated per name: two separate `TransientCryptoKey` protos share the same generated key if their names are the same. When the data crypto key is generated, this name is not used in any way (repeating the api call will result in a different key being generated).

1609

},

1610

"kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. The wrapped key must be a 128/192/256 bit key. Authorization requires the following IAM permissions when sending a request to perform a crypto transformation using a kms-wrapped crypto key: dlp.kms.encrypt # Kms wrapped key

1611

"cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.

1612

"wrappedKey": "A String", # Required. The wrapped data crypto key.

1613

},

1614

"unwrapped": { # Using raw keys is prone to security risks due to accidentally leaking the key. Choose another type of key if possible. # Unwrapped crypto key

1615

"key": "A String", # Required. A 128/192/256 bit key.

1616

},

1617

},

1618

"context": { # General identifier of a data field in a storage service. # A context may be used for higher security and maintaining referential integrity such that the same identifier in two different contexts will be given a distinct surrogate. The context is appended to plaintext value being encrypted. On decryption the provided context is validated against the value used during encryption. If a context was provided during encryption, same context must be provided during decryption as well. If the context is not set, plaintext would be used as is for encryption. If the context is set but: 1. there is no record present when transforming a given value or 2. the field is not present when transforming a given value, plaintext would be used as is for encryption. Note that case (1) is expected when an `InfoTypeTransformation` is applied to both structured and non-structured `ContentItem`s.

1619

"name": "A String", # Name describing the field.

1620

},

1621

"surrogateInfoType": { # Type of information detected by the API. # The custom info type to annotate the surrogate with. This annotation will be applied to the surrogate by prefixing it with the name of the custom info type followed by the number of characters comprising the surrogate. The following scheme defines the format: {info type name}({surrogate character count}):{surrogate} For example, if the name of custom info type is 'MY_TOKEN_INFO_TYPE' and the surrogate is 'abc', the full replacement value will be: 'MY_TOKEN_INFO_TYPE(3):abc' This annotation identifies the surrogate when inspecting content using the custom info type 'Surrogate'. This facilitates reversal of the surrogate when it occurs in free text. Note: For record transformations where the entire cell in a table is being transformed, surrogates are not mandatory. Surrogates are used to denote the location of the token and are necessary for re-identification in free form text. In order for inspection to work properly, the name of this info type must not occur naturally anywhere in your data; otherwise, inspection may either - reverse a surrogate that does not correspond to an actual identifier - be unable to parse the surrogate and result in an error Therefore, choose your custom info type name carefully after considering what your data looks like. One way to select a name that has a high chance of yielding reliable detection is to include one or more unicode characters that are highly improbable to exist in your data. For example, assuming your data is entered from a regular ASCII keyboard, the symbol with the hex code point 29DD might be used like so: ⧝MY_TOKEN_TYPE.

1622

"name": "A String", # Name of the information type. Either a name of your choosing when creating a CustomInfoType, or one of the names listed at https://cloud.google.com/dlp/docs/infotypes-reference when specifying a built-in type. When sending Cloud DLP results to Data Catalog, infoType names should conform to the pattern `[A-Za-z0-9$-_]{1,64}`.

1623

},

1624

},

1625

"characterMaskConfig": { # Partially mask a string by replacing a given number of characters with a fixed character. Masking can start from the beginning or end of the string. This can be used on data of any type (numbers, longs, and so on) and when de-identifying structured data we'll attempt to preserve the original data's type. (This allows you to take a long like 123 and modify it to a string like **3. # Mask

1626

"charactersToIgnore": [ # When masking a string, items in this list will be skipped when replacing characters. For example, if the input string is `555-555-5555` and you instruct Cloud DLP to skip `-` and mask 5 characters with `*`, Cloud DLP returns `***-**5-5555`.

1627

{ # Characters to skip when doing deidentification of a value. These will be left alone and skipped.

1628

"commonCharactersToIgnore": "A String", # Common characters to not transform when masking. Useful to avoid removing punctuation.

1629

"charactersToSkip": "A String", # Characters to not transform when masking.

1630

},

1631

],

1632

"reverseOrder": True or False, # Mask characters in reverse order. For example, if `masking_character` is `0`, `number_to_mask` is `14`, and `reverse_order` is `false`, then the input string `1234-5678-9012-3456` is masked as `00000000000000-3456`. If `masking_character` is `*`, `number_to_mask` is `3`, and `reverse_order` is `true`, then the string `12345` is masked as `12***`.

1633

"numberToMask": 42, # Number of characters to mask. If not set, all matching chars will be masked. Skipped characters do not count towards this tally.

1634

"maskingCharacter": "A String", # Character to use to mask the sensitive values—for example, `*` for an alphabetic string such as a name, or `0` for a numeric string such as ZIP code or credit card number. This string must have a length of 1. If not supplied, this value defaults to `*` for strings, and `0` for digits.

1635

},

1636

"cryptoHashConfig": { # Pseudonymization method that generates surrogates via cryptographic hashing. Uses SHA-256. The key size must be either 32 or 64 bytes. Outputs a base64 encoded representation of the hashed output (for example, L7k0BHmF1ha5U3NfGykjro4xWi1MPVQPjhMAZbSV9mM=). Currently, only string and integer values can be hashed. See https://cloud.google.com/dlp/docs/pseudonymization to learn more. # Crypto

1637

"cryptoKey": { # This is a data encryption key (DEK) (as opposed to a key encryption key (KEK) stored by KMS). When using KMS to wrap/unwrap DEKs, be sure to set an appropriate IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot unwrap the data crypto key. # The key used by the hash function.

1638

"transient": { # Use this to have a random data crypto key generated. It will be discarded after the request finishes. # Transient crypto key

1639

"name": "A String", # Required. Name of the key. This is an arbitrary string used to differentiate different keys. A unique key is generated per name: two separate `TransientCryptoKey` protos share the same generated key if their names are the same. When the data crypto key is generated, this name is not used in any way (repeating the api call will result in a different key being generated).

1640

},

1641

"kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. The wrapped key must be a 128/192/256 bit key. Authorization requires the following IAM permissions when sending a request to perform a crypto transformation using a kms-wrapped crypto key: dlp.kms.encrypt # Kms wrapped key

1642

"cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.

1643

"wrappedKey": "A String", # Required. The wrapped data crypto key.

1644

},

1645

"unwrapped": { # Using raw keys is prone to security risks due to accidentally leaking the key. Choose another type of key if possible. # Unwrapped crypto key

1646

"key": "A String", # Required. A 128/192/256 bit key.

},

},

},

"dateShiftConfig": { # Shifts dates by random number of days, with option to be consistent for the same context. See https://cloud.google.com/dlp/docs/concepts-date-shifting to learn more. # Date Shift

1651

"context": { # General identifier of a data field in a storage service. # Points to the field that contains the context, for example, an entity id. If set, must also set cryptoKey. If set, shift will be consistent for the given context.

1652

"name": "A String", # Name describing the field.

1653

},

1654

"cryptoKey": { # This is a data encryption key (DEK) (as opposed to a key encryption key (KEK) stored by KMS). When using KMS to wrap/unwrap DEKs, be sure to set an appropriate IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot unwrap the data crypto key. # Causes the shift to be computed based on this key and the context. This results in the same shift for the same context and crypto_key. If set, must also set context. Can only be applied to table items.

1655

"transient": { # Use this to have a random data crypto key generated. It will be discarded after the request finishes. # Transient crypto key

1656

"name": "A String", # Required. Name of the key. This is an arbitrary string used to differentiate different keys. A unique key is generated per name: two separate `TransientCryptoKey` protos share the same generated key if their names are the same. When the data crypto key is generated, this name is not used in any way (repeating the api call will result in a different key being generated).

1657

},

1658

"kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. The wrapped key must be a 128/192/256 bit key. Authorization requires the following IAM permissions when sending a request to perform a crypto transformation using a kms-wrapped crypto key: dlp.kms.encrypt # Kms wrapped key

1659

"cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.

1660

"wrappedKey": "A String", # Required. The wrapped data crypto key.

1661

},

1662

"unwrapped": { # Using raw keys is prone to security risks due to accidentally leaking the key. Choose another type of key if possible. # Unwrapped crypto key

1663

"key": "A String", # Required. A 128/192/256 bit key.

1664

},

1665

},

1666

"lowerBoundDays": 42, # Required. For example, -5 means shift date to at most 5 days back in the past.

1667

"upperBoundDays": 42, # Required. Range of shift in days. Actual shift will be selected at random within this range (inclusive ends). Negative means shift to earlier in time. Must not be more than 365250 days (1000 years) each direction. For example, 3 means shift date to at most 3 days into the future.

1668

},

1669

"bucketingConfig": { # Generalization function that buckets values based on ranges. The ranges and replacement values are dynamically provided by the user for custom behavior, such as 1-30 -> LOW 31-65 -> MEDIUM 66-100 -> HIGH This can be used on data of type: number, long, string, timestamp. If the bound `Value` type differs from the type of data being transformed, we will first attempt converting the type of the data to be transformed to match the type of the bound before comparing. See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more. # Bucketing

1670

"buckets": [ # Set of buckets. Ranges must be non-overlapping.

1671

{ # Bucket is represented as a range, along with replacement values.

1672

"replacementValue": { # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a 'Value' is based on its representation as a UTF-8 encoded string. For example, if 'integer_value' is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data. # Required. Replacement value for this bucket.

1673

"dateValue": { # Represents a whole or partial calendar date, such as a birthday. The time of day and time zone are either specified elsewhere or are insignificant. The date is relative to the Gregorian Calendar. This can represent one of the following: * A full date, with non-zero year, month, and day values * A month and day value, with a zero year, such as an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, such as a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # date

1674

"year": 42, # Year of the date. Must be from 1 to 9999, or 0 to specify a date without a year.

1675

"day": 42, # Day of a month. Must be from 1 to 31 and valid for the year and month, or 0 to specify a year by itself or a year and month where the day isn't significant.

1676

"month": 42, # Month of a year. Must be from 1 to 12, or 0 to specify a year without a month and day.

1677

},

1678

"dayOfWeekValue": "A String", # day of week

1679

"integerValue": "A String", # integer

1680

"booleanValue": True or False, # boolean

1681

"stringValue": "A String", # string

1682

"floatValue": 3.14, # float

1683

"timestampValue": "A String", # timestamp

1684

"timeValue": { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # time of day

1685

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value "24:00:00" for scenarios like business closing time.

1686

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds.

1687

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

1688

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

1689

},

1690

},

1691

"min": { # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a 'Value' is based on its representation as a UTF-8 encoded string. For example, if 'integer_value' is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data. # Lower bound of the range, inclusive. Type should be the same as max if used.

1692

"dateValue": { # Represents a whole or partial calendar date, such as a birthday. The time of day and time zone are either specified elsewhere or are insignificant. The date is relative to the Gregorian Calendar. This can represent one of the following: * A full date, with non-zero year, month, and day values * A month and day value, with a zero year, such as an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, such as a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # date

1693

"year": 42, # Year of the date. Must be from 1 to 9999, or 0 to specify a date without a year.

1694

"day": 42, # Day of a month. Must be from 1 to 31 and valid for the year and month, or 0 to specify a year by itself or a year and month where the day isn't significant.

1695

"month": 42, # Month of a year. Must be from 1 to 12, or 0 to specify a year without a month and day.

1696

},

1697

"dayOfWeekValue": "A String", # day of week

1698

"integerValue": "A String", # integer

1699

"booleanValue": True or False, # boolean

1700

"stringValue": "A String", # string

1701

"floatValue": 3.14, # float

1702

"timestampValue": "A String", # timestamp

1703

"timeValue": { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # time of day

1704

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value "24:00:00" for scenarios like business closing time.

1705

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds.

1706

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

1707

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

1708

},

1709

},

1710

"max": { # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a 'Value' is based on its representation as a UTF-8 encoded string. For example, if 'integer_value' is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data. # Upper bound of the range, exclusive; type must match min.

1711

"dateValue": { # Represents a whole or partial calendar date, such as a birthday. The time of day and time zone are either specified elsewhere or are insignificant. The date is relative to the Gregorian Calendar. This can represent one of the following: * A full date, with non-zero year, month, and day values * A month and day value, with a zero year, such as an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, such as a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # date

1712

"year": 42, # Year of the date. Must be from 1 to 9999, or 0 to specify a date without a year.

1713

"day": 42, # Day of a month. Must be from 1 to 31 and valid for the year and month, or 0 to specify a year by itself or a year and month where the day isn't significant.

1714

"month": 42, # Month of a year. Must be from 1 to 12, or 0 to specify a year without a month and day.

1715

},

1716

"dayOfWeekValue": "A String", # day of week

1717

"integerValue": "A String", # integer

1718

"booleanValue": True or False, # boolean

1719

"stringValue": "A String", # string

1720

"floatValue": 3.14, # float

1721

"timestampValue": "A String", # timestamp

1722

"timeValue": { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # time of day

1723

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value "24:00:00" for scenarios like business closing time.

1724

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds.

1725

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

1726

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

},

},

},

],

},

"cryptoReplaceFfxFpeConfig": { # Replaces an identifier with a surrogate using Format Preserving Encryption (FPE) with the FFX mode of operation; however when used in the `ReidentifyContent` API method, it serves the opposite function by reversing the surrogate back into the original identifier. The identifier must be encoded as ASCII. For a given crypto key and context, the same identifier will be replaced with the same surrogate. Identifiers must be at least two characters long. In the case that the identifier is the empty string, it will be skipped. See https://cloud.google.com/dlp/docs/pseudonymization to learn more. Note: We recommend using CryptoDeterministicConfig for all use cases which do not require preserving the input alphabet space and size, plus warrant referential integrity. # Ffx-Fpe

1733

"customAlphabet": "A String", # This is supported by mapping these to the alphanumeric characters that the FFX mode natively supports. This happens before/after encryption/decryption. Each character listed must appear only once. Number of characters must be in the range [2, 95]. This must be encoded as ASCII. The order of characters does not matter. The full list of allowed characters is: 0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz ~`!@#$%^&*()_-+={[}]|\:;"'<,>.?/

1734

"cryptoKey": { # This is a data encryption key (DEK) (as opposed to a key encryption key (KEK) stored by KMS). When using KMS to wrap/unwrap DEKs, be sure to set an appropriate IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot unwrap the data crypto key. # Required. The key used by the encryption algorithm.

1735

"transient": { # Use this to have a random data crypto key generated. It will be discarded after the request finishes. # Transient crypto key

1736

"name": "A String", # Required. Name of the key. This is an arbitrary string used to differentiate different keys. A unique key is generated per name: two separate `TransientCryptoKey` protos share the same generated key if their names are the same. When the data crypto key is generated, this name is not used in any way (repeating the api call will result in a different key being generated).

1737

},

1738

"kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. The wrapped key must be a 128/192/256 bit key. Authorization requires the following IAM permissions when sending a request to perform a crypto transformation using a kms-wrapped crypto key: dlp.kms.encrypt # Kms wrapped key

1739

"cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.

1740

"wrappedKey": "A String", # Required. The wrapped data crypto key.

1741

},

1742

"unwrapped": { # Using raw keys is prone to security risks due to accidentally leaking the key. Choose another type of key if possible. # Unwrapped crypto key

1743

"key": "A String", # Required. A 128/192/256 bit key.

1744

},

1745

},

1746

"commonAlphabet": "A String", # Common alphabets.

1747

"radix": 42, # The native way to select the alphabet. Must be in the range [2, 95].

1748

"surrogateInfoType": { # Type of information detected by the API. # The custom infoType to annotate the surrogate with. This annotation will be applied to the surrogate by prefixing it with the name of the custom infoType followed by the number of characters comprising the surrogate. The following scheme defines the format: info_type_name(surrogate_character_count):surrogate For example, if the name of custom infoType is 'MY_TOKEN_INFO_TYPE' and the surrogate is 'abc', the full replacement value will be: 'MY_TOKEN_INFO_TYPE(3):abc' This annotation identifies the surrogate when inspecting content using the custom infoType [`SurrogateType`](https://cloud.google.com/dlp/docs/reference/rest/v2/InspectConfig#surrogatetype). This facilitates reversal of the surrogate when it occurs in free text. In order for inspection to work properly, the name of this infoType must not occur naturally anywhere in your data; otherwise, inspection may find a surrogate that does not correspond to an actual identifier. Therefore, choose your custom infoType name carefully after considering what your data looks like. One way to select a name that has a high chance of yielding reliable detection is to include one or more unicode characters that are highly improbable to exist in your data. For example, assuming your data is entered from a regular ASCII keyboard, the symbol with the hex code point 29DD might be used like so: ⧝MY_TOKEN_TYPE

1749

"name": "A String", # Name of the information type. Either a name of your choosing when creating a CustomInfoType, or one of the names listed at https://cloud.google.com/dlp/docs/infotypes-reference when specifying a built-in type. When sending Cloud DLP results to Data Catalog, infoType names should conform to the pattern `[A-Za-z0-9$-_]{1,64}`.

1750

},

1751

"context": { # General identifier of a data field in a storage service. # The 'tweak', a context may be used for higher security since the same identifier in two different contexts won't be given the same surrogate. If the context is not set, a default tweak will be used. If the context is set but: 1. there is no record present when transforming a given value or 1. the field is not present when transforming a given value, a default tweak will be used. Note that case (1) is expected when an `InfoTypeTransformation` is applied to both structured and non-structured `ContentItem`s. Currently, the referenced field may be of value type integer or string. The tweak is constructed as a sequence of bytes in big endian byte order such that: - a 64 bit integer is encoded followed by a single byte of value 1 - a string is encoded in UTF-8 format followed by a single byte of value 2

1752

"name": "A String", # Name describing the field.

1753

},

1754

},

1755

"timePartConfig": { # For use with `Date`, `Timestamp`, and `TimeOfDay`, extract or preserve a portion of the value. # Time extraction

1756

"partToExtract": "A String", # The part of the time to keep.

1757

},

1758

"replaceWithInfoTypeConfig": { # Replace each matching finding with the name of the info_type. # Replace with infotype

1759

},

1760

"fixedSizeBucketingConfig": { # Buckets values based on fixed size ranges. The Bucketing transformation can provide all of this functionality, but requires more configuration. This message is provided as a convenience to the user for simple bucketing strategies. The transformed value will be a hyphenated string of {lower_bound}-{upper_bound}, i.e if lower_bound = 10 and upper_bound = 20 all values that are within this bucket will be replaced with "10-20". This can be used on data of type: double, long. If the bound Value type differs from the type of data being transformed, we will first attempt converting the type of the data to be transformed to match the type of the bound before comparing. See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more. # Fixed size bucketing

1761

"bucketSize": 3.14, # Required. Size of each bucket (except for minimum and maximum buckets). So if `lower_bound` = 10, `upper_bound` = 89, and `bucket_size` = 10, then the following buckets would be used: -10, 10-20, 20-30, 30-40, 40-50, 50-60, 60-70, 70-80, 80-89, 89+. Precision up to 2 decimals works.

1762

"upperBound": { # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a 'Value' is based on its representation as a UTF-8 encoded string. For example, if 'integer_value' is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data. # Required. Upper bound value of buckets. All values greater than upper_bound are grouped together into a single bucket; for example if `upper_bound` = 89, then all values greater than 89 are replaced with the value "89+".

1763

"dateValue": { # Represents a whole or partial calendar date, such as a birthday. The time of day and time zone are either specified elsewhere or are insignificant. The date is relative to the Gregorian Calendar. This can represent one of the following: * A full date, with non-zero year, month, and day values * A month and day value, with a zero year, such as an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, such as a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # date

1764

"year": 42, # Year of the date. Must be from 1 to 9999, or 0 to specify a date without a year.

1765

"day": 42, # Day of a month. Must be from 1 to 31 and valid for the year and month, or 0 to specify a year by itself or a year and month where the day isn't significant.

1766

"month": 42, # Month of a year. Must be from 1 to 12, or 0 to specify a year without a month and day.

1767

},

1768

"dayOfWeekValue": "A String", # day of week

1769

"integerValue": "A String", # integer

1770

"booleanValue": True or False, # boolean

1771

"stringValue": "A String", # string

1772

"floatValue": 3.14, # float

1773

"timestampValue": "A String", # timestamp

1774

"timeValue": { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # time of day

1775

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value "24:00:00" for scenarios like business closing time.

1776

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds.

1777

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

1778

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

1779

},

1780

},

1781

"lowerBound": { # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a 'Value' is based on its representation as a UTF-8 encoded string. For example, if 'integer_value' is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data. # Required. Lower bound value of buckets. All values less than `lower_bound` are grouped together into a single bucket; for example if `lower_bound` = 10, then all values less than 10 are replaced with the value "-10".

1782

"dateValue": { # Represents a whole or partial calendar date, such as a birthday. The time of day and time zone are either specified elsewhere or are insignificant. The date is relative to the Gregorian Calendar. This can represent one of the following: * A full date, with non-zero year, month, and day values * A month and day value, with a zero year, such as an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, such as a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # date

1783

"year": 42, # Year of the date. Must be from 1 to 9999, or 0 to specify a date without a year.

1784

"day": 42, # Day of a month. Must be from 1 to 31 and valid for the year and month, or 0 to specify a year by itself or a year and month where the day isn't significant.

1785

"month": 42, # Month of a year. Must be from 1 to 12, or 0 to specify a year without a month and day.

1786

},

1787

"dayOfWeekValue": "A String", # day of week

1788

"integerValue": "A String", # integer

1789

"booleanValue": True or False, # boolean

1790

"stringValue": "A String", # string

1791

"floatValue": 3.14, # float

1792

"timestampValue": "A String", # timestamp

1793

"timeValue": { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # time of day

1794

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value "24:00:00" for scenarios like business closing time.

1795

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds.

1796

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

1797

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

},

},

},

"replaceConfig": { # Replace each input value with a given `Value`. # Replace

1802

"newValue": { # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a 'Value' is based on its representation as a UTF-8 encoded string. For example, if 'integer_value' is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data. # Value to replace it with.

1803

"dateValue": { # Represents a whole or partial calendar date, such as a birthday. The time of day and time zone are either specified elsewhere or are insignificant. The date is relative to the Gregorian Calendar. This can represent one of the following: * A full date, with non-zero year, month, and day values * A month and day value, with a zero year, such as an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, such as a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # date

1804

"year": 42, # Year of the date. Must be from 1 to 9999, or 0 to specify a date without a year.

1805

"day": 42, # Day of a month. Must be from 1 to 31 and valid for the year and month, or 0 to specify a year by itself or a year and month where the day isn't significant.

1806

"month": 42, # Month of a year. Must be from 1 to 12, or 0 to specify a year without a month and day.

1807

},

1808

"dayOfWeekValue": "A String", # day of week

1809

"integerValue": "A String", # integer

1810

"booleanValue": True or False, # boolean

1811

"stringValue": "A String", # string

1812

"floatValue": 3.14, # float

1813

"timestampValue": "A String", # timestamp

1814

"timeValue": { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # time of day

1815

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value "24:00:00" for scenarios like business closing time.

1816

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds.

1817

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

1818

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

},

},

},

"redactConfig": { # Redact a given value. For example, if used with an `InfoTypeTransformation` transforming PHONE_NUMBER, and input 'My phone number is 206-555-0123', the output would be 'My phone number is '. # Redact

1823

},

1824

},

1825

"infoType": { # Type of information detected by the API. # Set if the transformation was limited to a specific InfoType.

1826

"name": "A String", # Name of the information type. Either a name of your choosing when creating a CustomInfoType, or one of the names listed at https://cloud.google.com/dlp/docs/infotypes-reference when specifying a built-in type. When sending Cloud DLP results to Data Catalog, infoType names should conform to the pattern `[A-Za-z0-9$-_]{1,64}`.

1827

},

1828

"results": [ # Collection of all transformations that took place or had an error.

1829

{ # A collection that informs the user the number of times a particular `TransformationResultCode` and error details occurred.

1830

"count": "A String", # Number of transformations counted by this result.

1831

"details": "A String", # A place for warnings or errors to show up if a transformation didn't work as expected.

1832

"code": "A String", # Outcome of the transformation.

1833

},

1834

],

1835

"field": { # General identifier of a data field in a storage service. # Set if the transformation was limited to a specific FieldId.

1836

"name": "A String", # Name describing the field.

1837

},

1838

"recordSuppress": { # Configuration to suppress records whose suppression conditions evaluate to true. # The specific suppression option these stats apply to.

1839

"condition": { # A condition for determining whether a transformation should be applied to a field. # A condition that when it evaluates to true will result in the record being evaluated to be suppressed from the transformed content.

1840

"expressions": { # An expression, consisting or an operator and conditions. # An expression.

1841

"logicalOperator": "A String", # The operator to apply to the result of conditions. Default and currently only supported value is `AND`.

1842

"conditions": { # A collection of conditions. # Conditions to apply to the expression.

1843

"conditions": [ # A collection of conditions.

1844

{ # The field type of `value` and `field` do not need to match to be considered equal, but not all comparisons are possible. EQUAL_TO and NOT_EQUAL_TO attempt to compare even with incompatible types, but all other comparisons are invalid with incompatible types. A `value` of type: - `string` can be compared against all other types - `boolean` can only be compared against other booleans - `integer` can be compared against doubles or a string if the string value can be parsed as an integer. - `double` can be compared against integers or a string if the string can be parsed as a double. - `Timestamp` can be compared against strings in RFC 3339 date string format. - `TimeOfDay` can be compared against timestamps and strings in the format of 'HH:mm:ss'. If we fail to compare do to type mismatch, a warning will be given and the condition will evaluate to false.

1845

"value": { # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a 'Value' is based on its representation as a UTF-8 encoded string. For example, if 'integer_value' is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data. # Value to compare against. [Mandatory, except for `EXISTS` tests.]

1846

"dateValue": { # Represents a whole or partial calendar date, such as a birthday. The time of day and time zone are either specified elsewhere or are insignificant. The date is relative to the Gregorian Calendar. This can represent one of the following: * A full date, with non-zero year, month, and day values * A month and day value, with a zero year, such as an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, such as a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # date

1847

"year": 42, # Year of the date. Must be from 1 to 9999, or 0 to specify a date without a year.

1848

"day": 42, # Day of a month. Must be from 1 to 31 and valid for the year and month, or 0 to specify a year by itself or a year and month where the day isn't significant.

1849

"month": 42, # Month of a year. Must be from 1 to 12, or 0 to specify a year without a month and day.

1850

},

1851

"dayOfWeekValue": "A String", # day of week

1852

"integerValue": "A String", # integer

1853

"booleanValue": True or False, # boolean

1854

"stringValue": "A String", # string

1855

"floatValue": 3.14, # float

1856

"timestampValue": "A String", # timestamp

1857

"timeValue": { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # time of day

1858

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value "24:00:00" for scenarios like business closing time.

1859

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds.

1860

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

1861

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

1862

},

1863

},

1864

"operator": "A String", # Required. Operator used to compare the field or infoType to the value.

1865

"field": { # General identifier of a data field in a storage service. # Required. Field within the record this condition is evaluated against.

1866

"name": "A String", # Name describing the field.

},

},

],

},

},

},

},

"transformedBytes": "A String", # Total size in bytes that were transformed in some way.

1875

},

1876

],

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

},

}</pre>

</div>

<code class="details" id="inspect">inspect(parent, body=None, x__xgafv=None)</code>

Dmitry Frenkel

2020-10-06 16:46:05 -0700

[diff] [blame]

1883

<pre>Finds potentially sensitive info in content. This method has limits on input size, processing time, and output size. When no InfoTypes or CustomInfoTypes are specified in this request, the system will automatically choose what detectors to run. By default this may be all types, but may change over time as detectors are updated. For how to guides, see https://cloud.google.com/dlp/docs/inspecting-images and https://cloud.google.com/dlp/docs/inspecting-text,

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

1884

1885

Args:

Dmitry Frenkel

2020-10-06 16:46:05 -0700

[diff] [blame]

1886

parent: string, Parent resource name. The format of this value varies depending on whether you have [specified a processing location](https://cloud.google.com/dlp/docs/specifying-location): + Projects scope, location specified: `projects/`PROJECT_ID`/locations/`LOCATION_ID + Projects scope, no location specified (defaults to global): `projects/`PROJECT_ID The following example `parent` string specifies a parent project with the identifier `example-project`, and specifies the `europe-west3` location for processing data: parent=projects/example-project/locations/europe-west3 (required)

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

1887

body: object, The request body.

1888

The object takes the form of:

1889

1890

{ # Request to search for potentially sensitive info in a ContentItem.

Bu Sun Kim

2020-11-16 11:05:03 -0700

[diff] [blame^]

1891

"item": { # Container structure for the content to inspect. # The item to inspect.

1892

"value": "A String", # String data to inspect or redact.

1893

"table": { # Structured content to inspect. Up to 50,000 `Value`s per request allowed. See https://cloud.google.com/dlp/docs/inspecting-text#inspecting_a_table to learn more. # Structured content for inspection. See https://cloud.google.com/dlp/docs/inspecting-text#inspecting_a_table to learn more.

1894

"headers": [ # Headers of the table.

1895

{ # General identifier of a data field in a storage service.

1896

"name": "A String", # Name describing the field.

1897

},

1898

],

1899

"rows": [ # Rows of the table.

1900

{ # Values of the row.

1901

"values": [ # Individual cells.

1902

{ # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a 'Value' is based on its representation as a UTF-8 encoded string. For example, if 'integer_value' is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data.

1903

"dateValue": { # Represents a whole or partial calendar date, such as a birthday. The time of day and time zone are either specified elsewhere or are insignificant. The date is relative to the Gregorian Calendar. This can represent one of the following: * A full date, with non-zero year, month, and day values * A month and day value, with a zero year, such as an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, such as a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # date

1904

"year": 42, # Year of the date. Must be from 1 to 9999, or 0 to specify a date without a year.

1905

"day": 42, # Day of a month. Must be from 1 to 31 and valid for the year and month, or 0 to specify a year by itself or a year and month where the day isn't significant.

1906

"month": 42, # Month of a year. Must be from 1 to 12, or 0 to specify a year without a month and day.

1907

},

1908

"dayOfWeekValue": "A String", # day of week

1909

"integerValue": "A String", # integer

1910

"booleanValue": True or False, # boolean

1911

"stringValue": "A String", # string

1912

"floatValue": 3.14, # float

1913

"timestampValue": "A String", # timestamp

1914

"timeValue": { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # time of day

1915

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value "24:00:00" for scenarios like business closing time.

1916

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds.

1917

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

1918

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

},

},

],

},

],

},

"byteItem": { # Container for bytes to inspect or redact. # Content data to inspect or redact. Replaces `type` and `data`.

1926

"type": "A String", # The type of data stored in the bytes string. Default will be TEXT_UTF8.

1927

"data": "A String", # Content data to inspect or redact.

1928

},

1929

},

1930

"locationId": "A String", # Deprecated. This field has no effect.

Dmitry Frenkel

2020-10-06 16:46:05 -0700

[diff] [blame]

1931

"inspectConfig": { # Configuration description of the scanning process. When used with redactContent only info_types and min_likelihood are currently used. # Configuration for the inspector. What specified here will override the template referenced by the inspect_template_name argument.

Bu Sun Kim

2020-11-16 11:05:03 -0700

[diff] [blame^]

1932

"contentOptions": [ # List of options defining data content to scan. If empty, text, images, and other content will be included.

1933

"A String",

1934

],

1935

"minLikelihood": "A String", # Only returns findings equal or above this threshold. The default is POSSIBLE. See https://cloud.google.com/dlp/docs/likelihood to learn more.

1936

"limits": { # Configuration to control the number of findings returned. # Configuration to control the number of findings returned.

1937

"maxFindingsPerInfoType": [ # Configuration of findings limit given for specified infoTypes.

1938

{ # Max findings configuration per infoType, per content item or long running DlpJob.

1939

"infoType": { # Type of information detected by the API. # Type of information the findings limit applies to. Only one limit per info_type should be provided. If InfoTypeLimit does not have an info_type, the DLP API applies the limit against all info_types that are found but not specified in another InfoTypeLimit.

Dmitry Frenkel

2020-10-06 16:46:05 -0700

[diff] [blame]

1940

"name": "A String", # Name of the information type. Either a name of your choosing when creating a CustomInfoType, or one of the names listed at https://cloud.google.com/dlp/docs/infotypes-reference when specifying a built-in type. When sending Cloud DLP results to Data Catalog, infoType names should conform to the pattern `[A-Za-z0-9$-_]{1,64}`.

1941

},

Bu Sun Kim

2020-11-16 11:05:03 -0700

[diff] [blame^]

1942

"maxFindings": 42, # Max findings limit for the given infoType.

1943

},

1944

],

1945

"maxFindingsPerItem": 42, # Max number of findings that will be returned for each item scanned. When set within `InspectJobConfig`, the maximum returned is 2000 regardless if this is set higher. When set within `InspectContentRequest`, this field is ignored.

1946

"maxFindingsPerRequest": 42, # Max number of findings that will be returned per request/job. When set within `InspectContentRequest`, the maximum returned is 2000 regardless if this is set higher.

1947

},

1948

"infoTypes": [ # Restricts what info_types to look for. The values must correspond to InfoType values returned by ListInfoTypes or listed at https://cloud.google.com/dlp/docs/infotypes-reference. When no InfoTypes or CustomInfoTypes are specified in a request, the system may automatically choose what detectors to run. By default this may be all types, but may change over time as detectors are updated. If you need precise control and predictability as to what detectors are run you should specify specific InfoTypes listed in the reference, otherwise a default list will be used, which may change over time.

1949

{ # Type of information detected by the API.

1950

"name": "A String", # Name of the information type. Either a name of your choosing when creating a CustomInfoType, or one of the names listed at https://cloud.google.com/dlp/docs/infotypes-reference when specifying a built-in type. When sending Cloud DLP results to Data Catalog, infoType names should conform to the pattern `[A-Za-z0-9$-_]{1,64}`.

1951

},

1952

],

1953

"includeQuote": True or False, # When true, a contextual quote from the data that triggered a finding is included in the response; see Finding.quote.

1954

"ruleSet": [ # Set of rules to apply to the findings for this InspectConfig. Exclusion rules, contained in the set are executed in the end, other rules are executed in the order they are specified for each info type.

1955

{ # Rule set for modifying a set of infoTypes to alter behavior under certain circumstances, depending on the specific details of the rules within the set.

Dmitry Frenkel

2020-10-06 16:46:05 -0700

[diff] [blame]

1956

"rules": [ # Set of rules to be applied to infoTypes. The rules are applied in order.

1957

{ # A single inspection rule to be applied to infoTypes, specified in `InspectionRuleSet`.

1958

"exclusionRule": { # The rule that specifies conditions when findings of infoTypes specified in `InspectionRuleSet` are removed from results. # Exclusion rule.

1959

"dictionary": { # Custom information type based on a dictionary of words or phrases. This can be used to match sensitive information specific to the data, such as a list of employee IDs or job titles. Dictionary words are case-insensitive and all characters other than letters and digits in the unicode [Basic Multilingual Plane](https://en.wikipedia.org/wiki/Plane_%28Unicode%29#Basic_Multilingual_Plane) will be replaced with whitespace when scanning for matches, so the dictionary phrase "Sam Johnson" will match all three phrases "sam johnson", "Sam, Johnson", and "Sam (Johnson)". Additionally, the characters surrounding any match must be of a different type than the adjacent characters within the word, so letters must be next to non-letters and digits next to non-digits. For example, the dictionary word "jen" will match the first three letters of the text "jen123" but will return no matches for "jennifer". Dictionary words containing a large number of characters that are not letters or digits may result in unexpected findings because such characters are treated as whitespace. The [limits](https://cloud.google.com/dlp/limits) page contains details about the size limits of dictionaries. For dictionaries that do not fit within these constraints, consider using `LargeCustomDictionaryConfig` in the `StoredInfoType` API. # Dictionary which defines the rule.

1960

"cloudStoragePath": { # Message representing a single file or path in Cloud Storage. # Newline-delimited file of words in Cloud Storage. Only a single file is accepted.

1961

"path": "A String", # A url representing a file or path (no wildcards) in Cloud Storage. Example: gs://[BUCKET_NAME]/dictionary.txt

1962

},

1963

"wordList": { # Message defining a list of words or phrases to search for in the data. # List of words or phrases to search for.

1964

"words": [ # Words or phrases defining the dictionary. The dictionary must contain at least one phrase and every phrase must contain at least 2 characters that are letters or digits. [required]

"A String",

],

},

},

Bu Sun Kim

2020-11-16 11:05:03 -0700

[diff] [blame^]

1969

"regex": { # Message defining a custom regular expression. # Regular expression which defines the rule.

1970

"groupIndexes": [ # The index of the submatch to extract as findings. When not specified, the entire match is returned. No more than 3 may be included.

1971

42,

1972

],

1973

"pattern": "A String", # Pattern defining the regular expression. Its syntax (https://github.com/google/re2/wiki/Syntax) can be found under the google/re2 repository on GitHub.

1974

},

1975

"matchingType": "A String", # How the rule is applied, see MatchingType documentation for details.

Dmitry Frenkel

2020-10-06 16:46:05 -0700

[diff] [blame]

1976

"excludeInfoTypes": { # List of exclude infoTypes. # Set of infoTypes for which findings would affect this rule.

1977

"infoTypes": [ # InfoType list in ExclusionRule rule drops a finding when it overlaps or contained within with a finding of an infoType from this list. For example, for `InspectionRuleSet.info_types` containing "PHONE_NUMBER"` and `exclusion_rule` containing `exclude_info_types.info_types` with "EMAIL_ADDRESS" the phone number findings are dropped if they overlap with EMAIL_ADDRESS finding. That leads to "555-222-2222@example.org" to generate only a single finding, namely email address.

1978

{ # Type of information detected by the API.

1979

"name": "A String", # Name of the information type. Either a name of your choosing when creating a CustomInfoType, or one of the names listed at https://cloud.google.com/dlp/docs/infotypes-reference when specifying a built-in type. When sending Cloud DLP results to Data Catalog, infoType names should conform to the pattern `[A-Za-z0-9$-_]{1,64}`.

1980

},

1981

],

1982

},

Dmitry Frenkel

2020-10-06 16:46:05 -0700

[diff] [blame]

1983

},

1984

"hotwordRule": { # The rule that adjusts the likelihood of findings within a certain proximity of hotwords. # Hotword-based detection rule.

1985

"proximity": { # Message for specifying a window around a finding to apply a detection rule. # Proximity of the finding within which the entire hotword must reside. The total length of the window cannot exceed 1000 characters. Note that the finding itself will be included in the window, so that hotwords may be used to match substrings of the finding itself. For example, the certainty of a phone number regex "$\d{3}$ \d{3}-\d{4}" could be adjusted upwards if the area code is known to be the local area code of a company office using the hotword regex "$xxx$", where "xxx" is the area code in question.

Dmitry Frenkel

2020-10-06 16:46:05 -0700

[diff] [blame]

1986

"windowBefore": 42, # Number of characters before the finding to consider.

Bu Sun Kim

2020-11-16 11:05:03 -0700

[diff] [blame^]

1987

"windowAfter": 42, # Number of characters after the finding to consider.

Dmitry Frenkel

2020-10-06 16:46:05 -0700

[diff] [blame]

1988

},

1989

"hotwordRegex": { # Message defining a custom regular expression. # Regular expression pattern defining what qualifies as a hotword.

Dmitry Frenkel

2020-10-06 16:46:05 -0700

[diff] [blame]

1990

"groupIndexes": [ # The index of the submatch to extract as findings. When not specified, the entire match is returned. No more than 3 may be included.

1991

42,

1992

],

Bu Sun Kim

2020-11-16 11:05:03 -0700

[diff] [blame^]

1993

"pattern": "A String", # Pattern defining the regular expression. Its syntax (https://github.com/google/re2/wiki/Syntax) can be found under the google/re2 repository on GitHub.

1994

},

1995

"likelihoodAdjustment": { # Message for specifying an adjustment to the likelihood of a finding as part of a detection rule. # Likelihood adjustment to apply to all matching findings.

1996

"fixedLikelihood": "A String", # Set the likelihood of a finding to a fixed value.

1997

"relativeLikelihood": 42, # Increase or decrease the likelihood by the specified number of levels. For example, if a finding would be `POSSIBLE` without the detection rule and `relative_likelihood` is 1, then it is upgraded to `LIKELY`, while a value of -1 would downgrade it to `UNLIKELY`. Likelihood may never drop below `VERY_UNLIKELY` or exceed `VERY_LIKELY`, so applying an adjustment of 1 followed by an adjustment of -1 when base likelihood is `VERY_LIKELY` will result in a final likelihood of `LIKELY`.

Dmitry Frenkel

2020-10-06 16:46:05 -0700

[diff] [blame]

},

},

},

],

Bu Sun Kim

2020-11-16 11:05:03 -0700

[diff] [blame^]

2002

"infoTypes": [ # List of infoTypes this rule set is applied to.

2003

{ # Type of information detected by the API.

Dmitry Frenkel

2020-10-06 16:46:05 -0700

[diff] [blame]

2004

"name": "A String", # Name of the information type. Either a name of your choosing when creating a CustomInfoType, or one of the names listed at https://cloud.google.com/dlp/docs/infotypes-reference when specifying a built-in type. When sending Cloud DLP results to Data Catalog, infoType names should conform to the pattern `[A-Za-z0-9$-_]{1,64}`.

2005

},

Bu Sun Kim

2020-11-16 11:05:03 -0700

[diff] [blame^]

2006

],

2007

},

2008

],

Dmitry Frenkel

2020-10-06 16:46:05 -0700

[diff] [blame]

2009

"customInfoTypes": [ # CustomInfoTypes provided by the user. See https://cloud.google.com/dlp/docs/creating-custom-infotypes to learn more.

2010

{ # Custom information type provided by the user. Used to find domain-specific sensitive information configurable to the data in question.

Bu Sun Kim

2020-11-16 11:05:03 -0700

[diff] [blame^]

2011

"infoType": { # Type of information detected by the API. # CustomInfoType can either be a new infoType, or an extension of built-in infoType, when the name matches one of existing infoTypes and that infoType is specified in `InspectContent.info_types` field. Specifying the latter adds findings to the one detected by the system. If built-in info type is not specified in `InspectContent.info_types` list then the name is treated as a custom info type.

2012

"name": "A String", # Name of the information type. Either a name of your choosing when creating a CustomInfoType, or one of the names listed at https://cloud.google.com/dlp/docs/infotypes-reference when specifying a built-in type. When sending Cloud DLP results to Data Catalog, infoType names should conform to the pattern `[A-Za-z0-9$-_]{1,64}`.

2013

},

2014

"storedType": { # A reference to a StoredInfoType to use with scanning. # Load an existing `StoredInfoType` resource for use in `InspectDataSource`. Not currently supported in `InspectContent`.

2015

"createTime": "A String", # Timestamp indicating when the version of the `StoredInfoType` used for inspection was created. Output-only field, populated by the system.

2016

"name": "A String", # Resource name of the requested `StoredInfoType`, for example `organizations/433245324/storedInfoTypes/432452342` or `projects/project-id/storedInfoTypes/432452342`.

2017

},

2018

"regex": { # Message defining a custom regular expression. # Regular expression based CustomInfoType.

2019

"groupIndexes": [ # The index of the submatch to extract as findings. When not specified, the entire match is returned. No more than 3 may be included.

2020

42,

2021

],

2022

"pattern": "A String", # Pattern defining the regular expression. Its syntax (https://github.com/google/re2/wiki/Syntax) can be found under the google/re2 repository on GitHub.

2023

},

Dmitry Frenkel

2020-10-06 16:46:05 -0700

[diff] [blame]

2024

"detectionRules": [ # Set of detection rules to apply to all findings of this CustomInfoType. Rules are applied in order that they are specified. Not supported for the `surrogate_type` CustomInfoType.

2025

{ # Deprecated; use `InspectionRuleSet` instead. Rule for modifying a `CustomInfoType` to alter behavior under certain circumstances, depending on the specific details of the rule. Not supported for the `surrogate_type` custom infoType.

2026

"hotwordRule": { # The rule that adjusts the likelihood of findings within a certain proximity of hotwords. # Hotword-based detection rule.

2027

"proximity": { # Message for specifying a window around a finding to apply a detection rule. # Proximity of the finding within which the entire hotword must reside. The total length of the window cannot exceed 1000 characters. Note that the finding itself will be included in the window, so that hotwords may be used to match substrings of the finding itself. For example, the certainty of a phone number regex "$\d{3}$ \d{3}-\d{4}" could be adjusted upwards if the area code is known to be the local area code of a company office using the hotword regex "$xxx$", where "xxx" is the area code in question.

Dmitry Frenkel

2020-10-06 16:46:05 -0700

[diff] [blame]

2028

"windowBefore": 42, # Number of characters before the finding to consider.

Bu Sun Kim

2020-11-16 11:05:03 -0700

[diff] [blame^]

2029

"windowAfter": 42, # Number of characters after the finding to consider.

Dmitry Frenkel

2020-10-06 16:46:05 -0700

[diff] [blame]

2030

},

2031

"hotwordRegex": { # Message defining a custom regular expression. # Regular expression pattern defining what qualifies as a hotword.

Dmitry Frenkel

2020-10-06 16:46:05 -0700

[diff] [blame]

2032

"groupIndexes": [ # The index of the submatch to extract as findings. When not specified, the entire match is returned. No more than 3 may be included.

2033

42,

2034

],

Bu Sun Kim

2020-11-16 11:05:03 -0700

[diff] [blame^]

2035

"pattern": "A String", # Pattern defining the regular expression. Its syntax (https://github.com/google/re2/wiki/Syntax) can be found under the google/re2 repository on GitHub.

2036

},

2037

"likelihoodAdjustment": { # Message for specifying an adjustment to the likelihood of a finding as part of a detection rule. # Likelihood adjustment to apply to all matching findings.

2038

"fixedLikelihood": "A String", # Set the likelihood of a finding to a fixed value.

2039

"relativeLikelihood": 42, # Increase or decrease the likelihood by the specified number of levels. For example, if a finding would be `POSSIBLE` without the detection rule and `relative_likelihood` is 1, then it is upgraded to `LIKELY`, while a value of -1 would downgrade it to `UNLIKELY`. Likelihood may never drop below `VERY_UNLIKELY` or exceed `VERY_LIKELY`, so applying an adjustment of 1 followed by an adjustment of -1 when base likelihood is `VERY_LIKELY` will result in a final likelihood of `LIKELY`.

Dmitry Frenkel

2020-10-06 16:46:05 -0700

[diff] [blame]

},

},

},

],

Dmitry Frenkel

2020-10-06 16:46:05 -0700

[diff] [blame]

2044

"dictionary": { # Custom information type based on a dictionary of words or phrases. This can be used to match sensitive information specific to the data, such as a list of employee IDs or job titles. Dictionary words are case-insensitive and all characters other than letters and digits in the unicode [Basic Multilingual Plane](https://en.wikipedia.org/wiki/Plane_%28Unicode%29#Basic_Multilingual_Plane) will be replaced with whitespace when scanning for matches, so the dictionary phrase "Sam Johnson" will match all three phrases "sam johnson", "Sam, Johnson", and "Sam (Johnson)". Additionally, the characters surrounding any match must be of a different type than the adjacent characters within the word, so letters must be next to non-letters and digits next to non-digits. For example, the dictionary word "jen" will match the first three letters of the text "jen123" but will return no matches for "jennifer". Dictionary words containing a large number of characters that are not letters or digits may result in unexpected findings because such characters are treated as whitespace. The [limits](https://cloud.google.com/dlp/limits) page contains details about the size limits of dictionaries. For dictionaries that do not fit within these constraints, consider using `LargeCustomDictionaryConfig` in the `StoredInfoType` API. # A list of phrases to detect as a CustomInfoType.

2045

"cloudStoragePath": { # Message representing a single file or path in Cloud Storage. # Newline-delimited file of words in Cloud Storage. Only a single file is accepted.

2046

"path": "A String", # A url representing a file or path (no wildcards) in Cloud Storage. Example: gs://[BUCKET_NAME]/dictionary.txt

2047

},

2048

"wordList": { # Message defining a list of words or phrases to search for in the data. # List of words or phrases to search for.

2049

"words": [ # Words or phrases defining the dictionary. The dictionary must contain at least one phrase and every phrase must contain at least 2 characters that are letters or digits. [required]

"A String",

],

},

},

Bu Sun Kim

2020-11-16 11:05:03 -0700

[diff] [blame^]

2054

"surrogateType": { # Message for detecting output from deidentification transformations such as [`CryptoReplaceFfxFpeConfig`](https://cloud.google.com/dlp/docs/reference/rest/v2/organizations.deidentifyTemplates#cryptoreplaceffxfpeconfig). These types of transformations are those that perform pseudonymization, thereby producing a "surrogate" as output. This should be used in conjunction with a field on the transformation such as `surrogate_info_type`. This CustomInfoType does not support the use of `detection_rules`. # Message for detecting output from deidentification transformations that support reversing.

Dmitry Frenkel

2020-10-06 16:46:05 -0700

[diff] [blame]

2055

},

Bu Sun Kim

2020-11-16 11:05:03 -0700

[diff] [blame^]

2056

"exclusionType": "A String", # If set to EXCLUSION_TYPE_EXCLUDE this infoType will not cause a finding to be returned. It still can be used for rules matching.

2057

"likelihood": "A String", # Likelihood to return for this CustomInfoType. This base value can be altered by a detection rule if the finding meets the criteria specified by the rule. Defaults to `VERY_LIKELY` if not specified.

Dmitry Frenkel

2020-10-06 16:46:05 -0700

[diff] [blame]

2058

},

2059

],

Bu Sun Kim

2020-11-16 11:05:03 -0700

[diff] [blame^]

2060

"excludeInfoTypes": True or False, # When true, excludes type information of the findings.

Dmitry Frenkel

2020-10-06 16:46:05 -0700

[diff] [blame]

2061

},

Bu Sun Kim

2020-11-16 11:05:03 -0700

[diff] [blame^]

2062

"inspectTemplateName": "A String", # Template to use. Any configuration directly specified in inspect_config will override those set in the template. Singular fields that are set in this request will replace their corresponding fields in the template. Repeated fields are appended. Singular sub-messages and groups are recursively merged.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

2063

}

2064

2065

x__xgafv: string, V1 error format.

Allowed values

1 - v1 error format

2 - v2 error format

Returns:

An object of the form:

2072

2073

{ # Results of inspecting an item.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

2074

"result": { # All the findings for a single scanned item. # The findings.

Dmitry Frenkel

2020-10-06 16:46:05 -0700

[diff] [blame]

2075

"findingsTruncated": True or False, # If true, then this item might have more findings than were returned, and the findings returned are an arbitrary subset of all findings. The findings list might be truncated because the input items were too large, or because the server reached the maximum amount of resources allowed for a single API call. For best results, divide the input into smaller batches.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

2076

"findings": [ # List of findings for an item.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

2077

{ # Represents a piece of potentially sensitive content.

Bu Sun Kim

2020-11-16 11:05:03 -0700

[diff] [blame^]

2078

"likelihood": "A String", # Confidence of how likely it is that the `info_type` is correct.

Dmitry Frenkel

2020-10-06 16:46:05 -0700

[diff] [blame]

2079

"jobCreateTime": "A String", # Time the job started that produced this finding.

Dmitry Frenkel

2020-10-06 16:46:05 -0700

[diff] [blame]

2080

"name": "A String", # Resource name in format projects/{project}/locations/{location}/findings/{finding} Populated only when viewing persisted findings.

2081

"triggerName": "A String", # Job trigger name, if applicable, for this finding.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

2082

"location": { # Specifies the location of the finding. # Where the content was found.

Bu Sun Kim

2020-11-16 11:05:03 -0700

[diff] [blame^]

2083

"byteRange": { # Generic half-open interval [start, end) # Zero-based byte offsets delimiting the finding. These are relative to the finding's containing element. Note that when the content is not textual, this references the UTF-8 encoded textual representation of the content. Omitted if content is an image.

2084

"end": "A String", # Index of the last character of the range (exclusive).

2085

"start": "A String", # Index of the first character of the range (inclusive).

2086

},

2087

"codepointRange": { # Generic half-open interval [start, end) # Unicode character offsets delimiting the finding. These are relative to the finding's containing element. Provided when the content is text.

2088

"end": "A String", # Index of the last character of the range (exclusive).

2089

"start": "A String", # Index of the first character of the range (inclusive).

2090

},

2091

"container": { # Represents a container that may contain DLP findings. Examples of a container include a file, table, or database record. # Information about the container where this finding occurred, if available.

2092

"type": "A String", # Container type, for example BigQuery or Google Cloud Storage.

2093

"projectId": "A String", # Project where the finding was found. Can be different from the project that owns the finding.

2094

"version": "A String", # Findings container version, if available ("generation" for Google Cloud Storage).

2095

"updateTime": "A String", # Findings container modification timestamp, if applicable. For Google Cloud Storage contains last file modification timestamp. For BigQuery table contains last_modified_time property. For Datastore - not populated.

2096

"relativePath": "A String", # The rest of the path after the root. Examples: - For BigQuery table `project_id:dataset_id.table_id`, the relative path is `table_id` - Google Cloud Storage file `gs://bucket/folder/filename.txt`, the relative path is `folder/filename.txt`

2097

"fullPath": "A String", # A string representation of the full container name. Examples: - BigQuery: 'Project:DataSetId.TableId' - Google Cloud Storage: 'gs://Bucket/folders/filename.txt'

2098

"rootPath": "A String", # The root of the container. Examples: - For BigQuery table `project_id:dataset_id.table_id`, the root is `dataset_id` - For Google Cloud Storage file `gs://bucket/folder/filename.txt`, the root is `gs://bucket`

2099

},

Dmitry Frenkel

2020-10-06 16:46:05 -0700

[diff] [blame]

2100

"contentLocations": [ # List of nested objects pointing to the precise location of the finding within the file or record.

2101

{ # Precise location of the finding within a document, record, image, or metadata container.

Dmitry Frenkel

2020-10-06 16:46:05 -0700

[diff] [blame]

2102

"containerTimestamp": "A String", # Findings container modification timestamp, if applicable. For Google Cloud Storage contains last file modification timestamp. For BigQuery table contains last_modified_time property. For Datastore - not populated.

Dmitry Frenkel

2020-10-06 16:46:05 -0700

[diff] [blame]

2103

"metadataLocation": { # Metadata Location # Location within the metadata for inspected content.

2104

"storageLabel": { # Storage metadata label to indicate which metadata entry contains findings. # Storage metadata.

2105

"key": "A String",

2106

},

2107

"type": "A String", # Type of metadata containing the finding.

Bu Sun Kim

2020-07-22 17:02:09 -0700

[diff] [blame]

2108

},

Dmitry Frenkel

2020-10-06 16:46:05 -0700

[diff] [blame]

2109

"documentLocation": { # Location of a finding within a document. # Location data for document files.

2110

"fileOffset": "A String", # Offset of the line, from the beginning of the file, where the finding is located.

2111

},

Bu Sun Kim

2020-11-16 11:05:03 -0700

[diff] [blame^]

2112

"containerName": "A String", # Name of the container where the finding is located. The top level name is the source file name or table name. Names of some common storage containers are formatted as follows: * BigQuery tables: `{project_id}:{dataset_id}.{table_id}` * Cloud Storage files: `gs://{bucket}/{path}` * Datastore namespace: {namespace} Nested names could be absent if the embedded object has no string identifier (for an example an image contained within a document).

2113

"imageLocation": { # Location of the finding within an image. # Location within an image's pixels.

2114

"boundingBoxes": [ # Bounding boxes locating the pixels within the image containing the finding.

2115

{ # Bounding box encompassing detected text within an image.

2116

"width": 42, # Width of the bounding box in pixels.

2117

"height": 42, # Height of the bounding box in pixels.

2118

"left": 42, # Left coordinate of the bounding box. (0,0) is upper left.

2119

"top": 42, # Top coordinate of the bounding box. (0,0) is upper left.

},

],

},

"recordLocation": { # Location of a finding within a row or record. # Location within a row or record of a database table.

2124

"fieldId": { # General identifier of a data field in a storage service. # Field id of the field containing the finding.

2125

"name": "A String", # Name describing the field.

2126

},

2127

"recordKey": { # Message for a unique key indicating a record that contains a finding. # Key of the finding.

2128

"bigQueryKey": { # Row key for identifying a record in BigQuery table.

2129

"rowNumber": "A String", # Row number inferred at the time the table was scanned. This value is nondeterministic, cannot be queried, and may be null for inspection jobs. To locate findings within a table, specify `inspect_job.storage_config.big_query_options.identifying_fields` in `CreateDlpJobRequest`.

2130

"tableReference": { # Message defining the location of a BigQuery table. A table is uniquely identified by its project_id, dataset_id, and table_name. Within a query a table is often referenced with a string in the format of: `:.` or `..`. # Complete BigQuery table reference.

2131

"datasetId": "A String", # Dataset ID of the table.

2132

"tableId": "A String", # Name of the table.

2133

"projectId": "A String", # The Google Cloud Platform project ID of the project containing the table. If omitted, project ID is inferred from the API call.

2134

},

2135

},

2136

"idValues": [ # Values of identifying columns in the given row. Order of values matches the order of `identifying_fields` specified in the scanning request.

2137

"A String",

2138

],

2139

"datastoreKey": { # Record key for a finding in Cloud Datastore.

2140

"entityKey": { # A unique identifier for a Datastore entity. If a key's partition ID or any of its path kinds or names are reserved/read-only, the key is reserved/read-only. A reserved/read-only key is forbidden in certain documented contexts. # Datastore entity key.

2141

"path": [ # The entity path. An entity path consists of one or more elements composed of a kind and a string or numerical identifier, which identify entities. The first element identifies a _root entity_, the second element identifies a _child_ of the root entity, the third element identifies a child of the second entity, and so forth. The entities identified by all prefixes of the path are called the element's _ancestors_. A path can never be empty, and a path can have at most 100 elements.

2142

{ # A (kind, ID/name) pair used to construct a key path. If either name or ID is set, the element is complete. If neither is set, the element is incomplete.

2143

"id": "A String", # The auto-allocated ID of the entity. Never equal to zero. Values less than zero are discouraged and may not be supported in the future.

2144

"name": "A String", # The name of the entity. A name matching regex `__.*__` is reserved/read-only. A name must not be more than 1500 bytes when UTF-8 encoded. Cannot be `""`.

2145

"kind": "A String", # The kind of the entity. A kind matching regex `__.*__` is reserved/read-only. A kind must not contain more than 1500 bytes when UTF-8 encoded. Cannot be `""`.

2146

},

2147

],

2148

"partitionId": { # Datastore partition ID. A partition ID identifies a grouping of entities. The grouping is always by project and namespace, however the namespace ID may be empty. A partition ID contains several dimensions: project ID and namespace ID. # Entities are partitioned into subsets, currently identified by a project ID and namespace ID. Queries are scoped to a single partition.

2149

"namespaceId": "A String", # If not empty, the ID of the namespace to which the entities belong.

2150

"projectId": "A String", # The ID of the project to which the entities belong.

},

},

},

},

"tableLocation": { # Location of a finding within a table. # Location within a `ContentItem.Table`.

2156

"rowIndex": "A String", # The zero-based index of the row where the finding is located. Only populated for resources that have a natural ordering, not BigQuery. In BigQuery, to identify the row a finding came from, populate BigQueryOptions.identifying_fields with your primary key column names and when you store the findings the value of those columns will be stored inside of Finding.

2157

},

2158

},

2159

"containerVersion": "A String", # Findings container version, if available ("generation" for Google Cloud Storage).

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

2160

},

2161

],

Bu Sun Kim

2020-11-16 11:05:03 -0700

[diff] [blame^]

2162

},

2163

"quoteInfo": { # Message for infoType-dependent details parsed from quote. # Contains data parsed from quotes. Only populated if include_quote was set to true and a supported infoType was requested. Currently supported infoTypes: DATE, DATE_OF_BIRTH and TIME.

2164

"dateTime": { # Message for a date time object. e.g. 2018-01-01, 5th August. # The date time indicated by the quote.

2165

"date": { # Represents a whole or partial calendar date, such as a birthday. The time of day and time zone are either specified elsewhere or are insignificant. The date is relative to the Gregorian Calendar. This can represent one of the following: * A full date, with non-zero year, month, and day values * A month and day value, with a zero year, such as an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, such as a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # One or more of the following must be set. Must be a valid date or time value.

2166

"year": 42, # Year of the date. Must be from 1 to 9999, or 0 to specify a date without a year.

2167

"day": 42, # Day of a month. Must be from 1 to 31 and valid for the year and month, or 0 to specify a year by itself or a year and month where the day isn't significant.

2168

"month": 42, # Month of a year. Must be from 1 to 12, or 0 to specify a year without a month and day.

2169

},

2170

"time": { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # Time of day

2171

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value "24:00:00" for scenarios like business closing time.

2172

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds.

2173

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

2174

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

2175

},

2176

"timeZone": { # Time zone of the date time object. # Time zone

2177

"offsetMinutes": 42, # Set only if the offset can be determined. Positive for time ahead of UTC. E.g. For "UTC-9", this value is -540.

2178

},

2179

"dayOfWeek": "A String", # Day of week

Bu Sun Kim

2020-07-22 17:02:09 -0700

[diff] [blame]

2180

},

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

2181

},

Bu Sun Kim

2020-11-16 11:05:03 -0700

[diff] [blame^]

2182

"quote": "A String", # The content that was found. Even if the content is not textual, it may be converted to a textual representation here. Provided if `include_quote` is true and the finding is less than or equal to 4096 bytes long. If the finding exceeds 4096 bytes in length, the quote may be omitted.

2183

"infoType": { # Type of information detected by the API. # The type of content that might have been found. Provided if `excluded_types` is false.

2184

"name": "A String", # Name of the information type. Either a name of your choosing when creating a CustomInfoType, or one of the names listed at https://cloud.google.com/dlp/docs/infotypes-reference when specifying a built-in type. When sending Cloud DLP results to Data Catalog, infoType names should conform to the pattern `[A-Za-z0-9$-_]{1,64}`.

2185

},

Dmitry Frenkel

2020-10-06 16:46:05 -0700

[diff] [blame]

2186

"jobName": "A String", # The job that stored the finding.

Bu Sun Kim

2020-11-16 11:05:03 -0700

[diff] [blame^]

2187

"findingId": "A String", # The unique finding id.

2188

"resourceName": "A String", # The job that stored the finding.

2189

"createTime": "A String", # Timestamp when finding was detected.

2190

"labels": { # The labels associated with this `Finding`. Label keys must be between 1 and 63 characters long and must conform to the following regular expression: `[a-z]([-a-z0-9]*[a-z0-9])?`. Label values must be between 0 and 63 characters long and must conform to the regular expression `([a-z]([-a-z0-9]*[a-z0-9])?)?`. No more than 10 labels can be associated with a given finding. Examples: * `"environment" : "production"` * `"pipeline" : "etl"`

2191

"a_key": "A String",

2192

},

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

},

],

},

}</pre>

</div>

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

2200

<code class="details" id="reidentify">reidentify(parent, body=None, x__xgafv=None)</code>

Dmitry Frenkel

2020-10-06 16:46:05 -0700

[diff] [blame]

2201

<pre>Re-identifies content that has been de-identified. See https://cloud.google.com/dlp/docs/pseudonymization#re-identification_in_free_text_code_example to learn more.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

2202

2203

Args:

Dmitry Frenkel

2020-10-06 16:46:05 -0700

[diff] [blame]

2204

parent: string, Required. Parent resource name. The format of this value varies depending on whether you have [specified a processing location](https://cloud.google.com/dlp/docs/specifying-location): + Projects scope, location specified: `projects/`PROJECT_ID`/locations/`LOCATION_ID + Projects scope, no location specified (defaults to global): `projects/`PROJECT_ID The following example `parent` string specifies a parent project with the identifier `example-project`, and specifies the `europe-west3` location for processing data: parent=projects/example-project/locations/europe-west3 (required)

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

2205

body: object, The request body.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

2206

The object takes the form of:

2207

2208

{ # Request to re-identify an item.

Bu Sun Kim

2020-11-16 11:05:03 -0700

[diff] [blame^]

2209

"reidentifyTemplateName": "A String", # Template to use. References an instance of `DeidentifyTemplate`. Any configuration directly specified in `reidentify_config` or `inspect_config` will override those set in the template. The `DeidentifyTemplate` used must include only reversible transformations. Singular fields that are set in this request will replace their corresponding fields in the template. Repeated fields are appended. Singular sub-messages and groups are recursively merged.

2210

"inspectTemplateName": "A String", # Template to use. Any configuration directly specified in `inspect_config` will override those set in the template. Singular fields that are set in this request will replace their corresponding fields in the template. Repeated fields are appended. Singular sub-messages and groups are recursively merged.

2211

"reidentifyConfig": { # The configuration that controls how the data will change. # Configuration for the re-identification of the content item. This field shares the same proto message type that is used for de-identification, however its usage here is for the reversal of the previous de-identification. Re-identification is performed by examining the transformations used to de-identify the items and executing the reverse. This requires that only reversible transformations be provided here. The reversible transformations are: - `CryptoDeterministicConfig` - `CryptoReplaceFfxFpeConfig`

2212

"transformationErrorHandling": { # How to handle transformation errors during de-identification. A transformation error occurs when the requested transformation is incompatible with the data. For example, trying to de-identify an IP address using a `DateShift` transformation would result in a transformation error, since date info cannot be extracted from an IP address. Information about any incompatible transformations, and how they were handled, is returned in the response as part of the `TransformationOverviews`. # Mode for handling transformation errors. If left unspecified, the default mode is `TransformationErrorHandling.ThrowError`.

2213

"leaveUntransformed": { # Skips the data without modifying it if the requested transformation would cause an error. For example, if a `DateShift` transformation were applied an an IP address, this mode would leave the IP address unchanged in the response. # Ignore errors

2214

},

2215

"throwError": { # Throw an error and fail the request when a transformation error occurs. # Throw an error

2216

},

2217

},

2218

"infoTypeTransformations": { # A type of transformation that will scan unstructured text and apply various `PrimitiveTransformation`s to each finding, where the transformation is applied to only values that were identified as a specific info_type. # Treat the dataset as free-form text and apply the same free text transformation everywhere.

2219

"transformations": [ # Required. Transformation for each infoType. Cannot specify more than one for a given infoType.

2220

{ # A transformation to apply to text that is identified as a specific info_type.

2221

"primitiveTransformation": { # A rule for transforming a value. # Required. Primitive transformation to apply to the infoType.

2222

"cryptoDeterministicConfig": { # Pseudonymization method that generates deterministic encryption for the given input. Outputs a base64 encoded representation of the encrypted output. Uses AES-SIV based on the RFC https://tools.ietf.org/html/rfc5297. # Deterministic Crypto

2223

"cryptoKey": { # This is a data encryption key (DEK) (as opposed to a key encryption key (KEK) stored by KMS). When using KMS to wrap/unwrap DEKs, be sure to set an appropriate IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot unwrap the data crypto key. # The key used by the encryption function.

2224

"transient": { # Use this to have a random data crypto key generated. It will be discarded after the request finishes. # Transient crypto key

2225

"name": "A String", # Required. Name of the key. This is an arbitrary string used to differentiate different keys. A unique key is generated per name: two separate `TransientCryptoKey` protos share the same generated key if their names are the same. When the data crypto key is generated, this name is not used in any way (repeating the api call will result in a different key being generated).

2226

},

2227

"kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. The wrapped key must be a 128/192/256 bit key. Authorization requires the following IAM permissions when sending a request to perform a crypto transformation using a kms-wrapped crypto key: dlp.kms.encrypt # Kms wrapped key

2228

"cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.

2229

"wrappedKey": "A String", # Required. The wrapped data crypto key.

2230

},

2231

"unwrapped": { # Using raw keys is prone to security risks due to accidentally leaking the key. Choose another type of key if possible. # Unwrapped crypto key

2232

"key": "A String", # Required. A 128/192/256 bit key.

2233

},

2234

},

2235

"context": { # General identifier of a data field in a storage service. # A context may be used for higher security and maintaining referential integrity such that the same identifier in two different contexts will be given a distinct surrogate. The context is appended to plaintext value being encrypted. On decryption the provided context is validated against the value used during encryption. If a context was provided during encryption, same context must be provided during decryption as well. If the context is not set, plaintext would be used as is for encryption. If the context is set but: 1. there is no record present when transforming a given value or 2. the field is not present when transforming a given value, plaintext would be used as is for encryption. Note that case (1) is expected when an `InfoTypeTransformation` is applied to both structured and non-structured `ContentItem`s.

2236

"name": "A String", # Name describing the field.

2237

},

2238

"surrogateInfoType": { # Type of information detected by the API. # The custom info type to annotate the surrogate with. This annotation will be applied to the surrogate by prefixing it with the name of the custom info type followed by the number of characters comprising the surrogate. The following scheme defines the format: {info type name}({surrogate character count}):{surrogate} For example, if the name of custom info type is 'MY_TOKEN_INFO_TYPE' and the surrogate is 'abc', the full replacement value will be: 'MY_TOKEN_INFO_TYPE(3):abc' This annotation identifies the surrogate when inspecting content using the custom info type 'Surrogate'. This facilitates reversal of the surrogate when it occurs in free text. Note: For record transformations where the entire cell in a table is being transformed, surrogates are not mandatory. Surrogates are used to denote the location of the token and are necessary for re-identification in free form text. In order for inspection to work properly, the name of this info type must not occur naturally anywhere in your data; otherwise, inspection may either - reverse a surrogate that does not correspond to an actual identifier - be unable to parse the surrogate and result in an error Therefore, choose your custom info type name carefully after considering what your data looks like. One way to select a name that has a high chance of yielding reliable detection is to include one or more unicode characters that are highly improbable to exist in your data. For example, assuming your data is entered from a regular ASCII keyboard, the symbol with the hex code point 29DD might be used like so: ⧝MY_TOKEN_TYPE.

2239

"name": "A String", # Name of the information type. Either a name of your choosing when creating a CustomInfoType, or one of the names listed at https://cloud.google.com/dlp/docs/infotypes-reference when specifying a built-in type. When sending Cloud DLP results to Data Catalog, infoType names should conform to the pattern `[A-Za-z0-9$-_]{1,64}`.

2240

},

2241

},

2242

"characterMaskConfig": { # Partially mask a string by replacing a given number of characters with a fixed character. Masking can start from the beginning or end of the string. This can be used on data of any type (numbers, longs, and so on) and when de-identifying structured data we'll attempt to preserve the original data's type. (This allows you to take a long like 123 and modify it to a string like **3. # Mask

2243

"charactersToIgnore": [ # When masking a string, items in this list will be skipped when replacing characters. For example, if the input string is `555-555-5555` and you instruct Cloud DLP to skip `-` and mask 5 characters with `*`, Cloud DLP returns `***-**5-5555`.

2244

{ # Characters to skip when doing deidentification of a value. These will be left alone and skipped.

2245

"commonCharactersToIgnore": "A String", # Common characters to not transform when masking. Useful to avoid removing punctuation.

2246

"charactersToSkip": "A String", # Characters to not transform when masking.

2247

},

2248

],

2249

"reverseOrder": True or False, # Mask characters in reverse order. For example, if `masking_character` is `0`, `number_to_mask` is `14`, and `reverse_order` is `false`, then the input string `1234-5678-9012-3456` is masked as `00000000000000-3456`. If `masking_character` is `*`, `number_to_mask` is `3`, and `reverse_order` is `true`, then the string `12345` is masked as `12***`.

2250

"numberToMask": 42, # Number of characters to mask. If not set, all matching chars will be masked. Skipped characters do not count towards this tally.

2251

"maskingCharacter": "A String", # Character to use to mask the sensitive values—for example, `*` for an alphabetic string such as a name, or `0` for a numeric string such as ZIP code or credit card number. This string must have a length of 1. If not supplied, this value defaults to `*` for strings, and `0` for digits.

2252

},

2253

"cryptoHashConfig": { # Pseudonymization method that generates surrogates via cryptographic hashing. Uses SHA-256. The key size must be either 32 or 64 bytes. Outputs a base64 encoded representation of the hashed output (for example, L7k0BHmF1ha5U3NfGykjro4xWi1MPVQPjhMAZbSV9mM=). Currently, only string and integer values can be hashed. See https://cloud.google.com/dlp/docs/pseudonymization to learn more. # Crypto

2254

"cryptoKey": { # This is a data encryption key (DEK) (as opposed to a key encryption key (KEK) stored by KMS). When using KMS to wrap/unwrap DEKs, be sure to set an appropriate IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot unwrap the data crypto key. # The key used by the hash function.

2255

"transient": { # Use this to have a random data crypto key generated. It will be discarded after the request finishes. # Transient crypto key

2256

"name": "A String", # Required. Name of the key. This is an arbitrary string used to differentiate different keys. A unique key is generated per name: two separate `TransientCryptoKey` protos share the same generated key if their names are the same. When the data crypto key is generated, this name is not used in any way (repeating the api call will result in a different key being generated).

2257

},

2258

"kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. The wrapped key must be a 128/192/256 bit key. Authorization requires the following IAM permissions when sending a request to perform a crypto transformation using a kms-wrapped crypto key: dlp.kms.encrypt # Kms wrapped key

2259

"cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.

2260

"wrappedKey": "A String", # Required. The wrapped data crypto key.

2261

},

2262

"unwrapped": { # Using raw keys is prone to security risks due to accidentally leaking the key. Choose another type of key if possible. # Unwrapped crypto key

2263

"key": "A String", # Required. A 128/192/256 bit key.

},

},

},

"dateShiftConfig": { # Shifts dates by random number of days, with option to be consistent for the same context. See https://cloud.google.com/dlp/docs/concepts-date-shifting to learn more. # Date Shift

2268

"context": { # General identifier of a data field in a storage service. # Points to the field that contains the context, for example, an entity id. If set, must also set cryptoKey. If set, shift will be consistent for the given context.

2269

"name": "A String", # Name describing the field.

2270

},

2271

"cryptoKey": { # This is a data encryption key (DEK) (as opposed to a key encryption key (KEK) stored by KMS). When using KMS to wrap/unwrap DEKs, be sure to set an appropriate IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot unwrap the data crypto key. # Causes the shift to be computed based on this key and the context. This results in the same shift for the same context and crypto_key. If set, must also set context. Can only be applied to table items.

2272

"transient": { # Use this to have a random data crypto key generated. It will be discarded after the request finishes. # Transient crypto key

2273

"name": "A String", # Required. Name of the key. This is an arbitrary string used to differentiate different keys. A unique key is generated per name: two separate `TransientCryptoKey` protos share the same generated key if their names are the same. When the data crypto key is generated, this name is not used in any way (repeating the api call will result in a different key being generated).

2274

},

2275

"kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. The wrapped key must be a 128/192/256 bit key. Authorization requires the following IAM permissions when sending a request to perform a crypto transformation using a kms-wrapped crypto key: dlp.kms.encrypt # Kms wrapped key

2276

"cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.

2277

"wrappedKey": "A String", # Required. The wrapped data crypto key.

2278

},

2279

"unwrapped": { # Using raw keys is prone to security risks due to accidentally leaking the key. Choose another type of key if possible. # Unwrapped crypto key

2280

"key": "A String", # Required. A 128/192/256 bit key.

2281

},

2282

},

2283

"lowerBoundDays": 42, # Required. For example, -5 means shift date to at most 5 days back in the past.

2284

"upperBoundDays": 42, # Required. Range of shift in days. Actual shift will be selected at random within this range (inclusive ends). Negative means shift to earlier in time. Must not be more than 365250 days (1000 years) each direction. For example, 3 means shift date to at most 3 days into the future.

2285

},

2286

"bucketingConfig": { # Generalization function that buckets values based on ranges. The ranges and replacement values are dynamically provided by the user for custom behavior, such as 1-30 -> LOW 31-65 -> MEDIUM 66-100 -> HIGH This can be used on data of type: number, long, string, timestamp. If the bound `Value` type differs from the type of data being transformed, we will first attempt converting the type of the data to be transformed to match the type of the bound before comparing. See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more. # Bucketing

2287

"buckets": [ # Set of buckets. Ranges must be non-overlapping.

2288

{ # Bucket is represented as a range, along with replacement values.

2289

"replacementValue": { # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a 'Value' is based on its representation as a UTF-8 encoded string. For example, if 'integer_value' is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data. # Required. Replacement value for this bucket.

2290

"dateValue": { # Represents a whole or partial calendar date, such as a birthday. The time of day and time zone are either specified elsewhere or are insignificant. The date is relative to the Gregorian Calendar. This can represent one of the following: * A full date, with non-zero year, month, and day values * A month and day value, with a zero year, such as an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, such as a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # date

2291

"year": 42, # Year of the date. Must be from 1 to 9999, or 0 to specify a date without a year.

2292

"day": 42, # Day of a month. Must be from 1 to 31 and valid for the year and month, or 0 to specify a year by itself or a year and month where the day isn't significant.

2293

"month": 42, # Month of a year. Must be from 1 to 12, or 0 to specify a year without a month and day.

2294

},

2295

"dayOfWeekValue": "A String", # day of week

2296

"integerValue": "A String", # integer

2297

"booleanValue": True or False, # boolean

2298

"stringValue": "A String", # string

2299

"floatValue": 3.14, # float

2300

"timestampValue": "A String", # timestamp

2301

"timeValue": { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # time of day

2302

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value "24:00:00" for scenarios like business closing time.

2303

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds.

2304

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

2305

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

2306

},

2307

},

2308

"min": { # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a 'Value' is based on its representation as a UTF-8 encoded string. For example, if 'integer_value' is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data. # Lower bound of the range, inclusive. Type should be the same as max if used.

2309

"dateValue": { # Represents a whole or partial calendar date, such as a birthday. The time of day and time zone are either specified elsewhere or are insignificant. The date is relative to the Gregorian Calendar. This can represent one of the following: * A full date, with non-zero year, month, and day values * A month and day value, with a zero year, such as an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, such as a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # date

2310

"year": 42, # Year of the date. Must be from 1 to 9999, or 0 to specify a date without a year.

2311

"day": 42, # Day of a month. Must be from 1 to 31 and valid for the year and month, or 0 to specify a year by itself or a year and month where the day isn't significant.

2312

"month": 42, # Month of a year. Must be from 1 to 12, or 0 to specify a year without a month and day.

2313

},

2314

"dayOfWeekValue": "A String", # day of week

2315

"integerValue": "A String", # integer

2316

"booleanValue": True or False, # boolean

2317

"stringValue": "A String", # string

2318

"floatValue": 3.14, # float

2319

"timestampValue": "A String", # timestamp

2320

"timeValue": { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # time of day

2321

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value "24:00:00" for scenarios like business closing time.

2322

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds.

2323

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

2324

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

2325

},

2326

},

2327

"max": { # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a 'Value' is based on its representation as a UTF-8 encoded string. For example, if 'integer_value' is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data. # Upper bound of the range, exclusive; type must match min.

2328

"dateValue": { # Represents a whole or partial calendar date, such as a birthday. The time of day and time zone are either specified elsewhere or are insignificant. The date is relative to the Gregorian Calendar. This can represent one of the following: * A full date, with non-zero year, month, and day values * A month and day value, with a zero year, such as an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, such as a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # date

2329

"year": 42, # Year of the date. Must be from 1 to 9999, or 0 to specify a date without a year.

2330

"day": 42, # Day of a month. Must be from 1 to 31 and valid for the year and month, or 0 to specify a year by itself or a year and month where the day isn't significant.

2331

"month": 42, # Month of a year. Must be from 1 to 12, or 0 to specify a year without a month and day.

2332

},

2333

"dayOfWeekValue": "A String", # day of week

2334

"integerValue": "A String", # integer

2335

"booleanValue": True or False, # boolean

2336

"stringValue": "A String", # string

2337

"floatValue": 3.14, # float

2338

"timestampValue": "A String", # timestamp

2339

"timeValue": { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # time of day

2340

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value "24:00:00" for scenarios like business closing time.

2341

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds.

2342

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

2343

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

},

},

},

],

},

"cryptoReplaceFfxFpeConfig": { # Replaces an identifier with a surrogate using Format Preserving Encryption (FPE) with the FFX mode of operation; however when used in the `ReidentifyContent` API method, it serves the opposite function by reversing the surrogate back into the original identifier. The identifier must be encoded as ASCII. For a given crypto key and context, the same identifier will be replaced with the same surrogate. Identifiers must be at least two characters long. In the case that the identifier is the empty string, it will be skipped. See https://cloud.google.com/dlp/docs/pseudonymization to learn more. Note: We recommend using CryptoDeterministicConfig for all use cases which do not require preserving the input alphabet space and size, plus warrant referential integrity. # Ffx-Fpe

2350

"customAlphabet": "A String", # This is supported by mapping these to the alphanumeric characters that the FFX mode natively supports. This happens before/after encryption/decryption. Each character listed must appear only once. Number of characters must be in the range [2, 95]. This must be encoded as ASCII. The order of characters does not matter. The full list of allowed characters is: 0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz ~`!@#$%^&*()_-+={[}]|\:;"'<,>.?/

2351

"cryptoKey": { # This is a data encryption key (DEK) (as opposed to a key encryption key (KEK) stored by KMS). When using KMS to wrap/unwrap DEKs, be sure to set an appropriate IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot unwrap the data crypto key. # Required. The key used by the encryption algorithm.

2352

"transient": { # Use this to have a random data crypto key generated. It will be discarded after the request finishes. # Transient crypto key

2353

"name": "A String", # Required. Name of the key. This is an arbitrary string used to differentiate different keys. A unique key is generated per name: two separate `TransientCryptoKey` protos share the same generated key if their names are the same. When the data crypto key is generated, this name is not used in any way (repeating the api call will result in a different key being generated).

2354

},

2355

"kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. The wrapped key must be a 128/192/256 bit key. Authorization requires the following IAM permissions when sending a request to perform a crypto transformation using a kms-wrapped crypto key: dlp.kms.encrypt # Kms wrapped key

2356

"cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.

2357

"wrappedKey": "A String", # Required. The wrapped data crypto key.

2358

},

2359

"unwrapped": { # Using raw keys is prone to security risks due to accidentally leaking the key. Choose another type of key if possible. # Unwrapped crypto key

2360

"key": "A String", # Required. A 128/192/256 bit key.

2361

},

2362

},

2363

"commonAlphabet": "A String", # Common alphabets.

2364

"radix": 42, # The native way to select the alphabet. Must be in the range [2, 95].

2365

"surrogateInfoType": { # Type of information detected by the API. # The custom infoType to annotate the surrogate with. This annotation will be applied to the surrogate by prefixing it with the name of the custom infoType followed by the number of characters comprising the surrogate. The following scheme defines the format: info_type_name(surrogate_character_count):surrogate For example, if the name of custom infoType is 'MY_TOKEN_INFO_TYPE' and the surrogate is 'abc', the full replacement value will be: 'MY_TOKEN_INFO_TYPE(3):abc' This annotation identifies the surrogate when inspecting content using the custom infoType [`SurrogateType`](https://cloud.google.com/dlp/docs/reference/rest/v2/InspectConfig#surrogatetype). This facilitates reversal of the surrogate when it occurs in free text. In order for inspection to work properly, the name of this infoType must not occur naturally anywhere in your data; otherwise, inspection may find a surrogate that does not correspond to an actual identifier. Therefore, choose your custom infoType name carefully after considering what your data looks like. One way to select a name that has a high chance of yielding reliable detection is to include one or more unicode characters that are highly improbable to exist in your data. For example, assuming your data is entered from a regular ASCII keyboard, the symbol with the hex code point 29DD might be used like so: ⧝MY_TOKEN_TYPE

2366

"name": "A String", # Name of the information type. Either a name of your choosing when creating a CustomInfoType, or one of the names listed at https://cloud.google.com/dlp/docs/infotypes-reference when specifying a built-in type. When sending Cloud DLP results to Data Catalog, infoType names should conform to the pattern `[A-Za-z0-9$-_]{1,64}`.

2367

},

2368

"context": { # General identifier of a data field in a storage service. # The 'tweak', a context may be used for higher security since the same identifier in two different contexts won't be given the same surrogate. If the context is not set, a default tweak will be used. If the context is set but: 1. there is no record present when transforming a given value or 1. the field is not present when transforming a given value, a default tweak will be used. Note that case (1) is expected when an `InfoTypeTransformation` is applied to both structured and non-structured `ContentItem`s. Currently, the referenced field may be of value type integer or string. The tweak is constructed as a sequence of bytes in big endian byte order such that: - a 64 bit integer is encoded followed by a single byte of value 1 - a string is encoded in UTF-8 format followed by a single byte of value 2

2369

"name": "A String", # Name describing the field.

2370

},

2371

},

2372

"timePartConfig": { # For use with `Date`, `Timestamp`, and `TimeOfDay`, extract or preserve a portion of the value. # Time extraction

2373

"partToExtract": "A String", # The part of the time to keep.

2374

},

2375

"replaceWithInfoTypeConfig": { # Replace each matching finding with the name of the info_type. # Replace with infotype

2376

},

2377

"fixedSizeBucketingConfig": { # Buckets values based on fixed size ranges. The Bucketing transformation can provide all of this functionality, but requires more configuration. This message is provided as a convenience to the user for simple bucketing strategies. The transformed value will be a hyphenated string of {lower_bound}-{upper_bound}, i.e if lower_bound = 10 and upper_bound = 20 all values that are within this bucket will be replaced with "10-20". This can be used on data of type: double, long. If the bound Value type differs from the type of data being transformed, we will first attempt converting the type of the data to be transformed to match the type of the bound before comparing. See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more. # Fixed size bucketing

2378

"bucketSize": 3.14, # Required. Size of each bucket (except for minimum and maximum buckets). So if `lower_bound` = 10, `upper_bound` = 89, and `bucket_size` = 10, then the following buckets would be used: -10, 10-20, 20-30, 30-40, 40-50, 50-60, 60-70, 70-80, 80-89, 89+. Precision up to 2 decimals works.

2379

"upperBound": { # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a 'Value' is based on its representation as a UTF-8 encoded string. For example, if 'integer_value' is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data. # Required. Upper bound value of buckets. All values greater than upper_bound are grouped together into a single bucket; for example if `upper_bound` = 89, then all values greater than 89 are replaced with the value "89+".

2380

"dateValue": { # Represents a whole or partial calendar date, such as a birthday. The time of day and time zone are either specified elsewhere or are insignificant. The date is relative to the Gregorian Calendar. This can represent one of the following: * A full date, with non-zero year, month, and day values * A month and day value, with a zero year, such as an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, such as a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # date

2381

"year": 42, # Year of the date. Must be from 1 to 9999, or 0 to specify a date without a year.

2382

"day": 42, # Day of a month. Must be from 1 to 31 and valid for the year and month, or 0 to specify a year by itself or a year and month where the day isn't significant.

2383

"month": 42, # Month of a year. Must be from 1 to 12, or 0 to specify a year without a month and day.

2384

},

2385

"dayOfWeekValue": "A String", # day of week

2386

"integerValue": "A String", # integer

2387

"booleanValue": True or False, # boolean

2388

"stringValue": "A String", # string

2389

"floatValue": 3.14, # float

2390

"timestampValue": "A String", # timestamp

2391

"timeValue": { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # time of day

2392

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value "24:00:00" for scenarios like business closing time.

2393

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds.

2394

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

2395

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

2396

},

2397

},

2398

"lowerBound": { # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a 'Value' is based on its representation as a UTF-8 encoded string. For example, if 'integer_value' is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data. # Required. Lower bound value of buckets. All values less than `lower_bound` are grouped together into a single bucket; for example if `lower_bound` = 10, then all values less than 10 are replaced with the value "-10".

2399

"dateValue": { # Represents a whole or partial calendar date, such as a birthday. The time of day and time zone are either specified elsewhere or are insignificant. The date is relative to the Gregorian Calendar. This can represent one of the following: * A full date, with non-zero year, month, and day values * A month and day value, with a zero year, such as an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, such as a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # date

2400

"year": 42, # Year of the date. Must be from 1 to 9999, or 0 to specify a date without a year.

2401

"day": 42, # Day of a month. Must be from 1 to 31 and valid for the year and month, or 0 to specify a year by itself or a year and month where the day isn't significant.

2402

"month": 42, # Month of a year. Must be from 1 to 12, or 0 to specify a year without a month and day.

2403

},

2404

"dayOfWeekValue": "A String", # day of week

2405

"integerValue": "A String", # integer

2406

"booleanValue": True or False, # boolean

2407

"stringValue": "A String", # string

2408

"floatValue": 3.14, # float

2409

"timestampValue": "A String", # timestamp

2410

"timeValue": { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # time of day

2411

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value "24:00:00" for scenarios like business closing time.

2412

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds.

2413

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

2414

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

},

},

},

"replaceConfig": { # Replace each input value with a given `Value`. # Replace

2419

"newValue": { # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a 'Value' is based on its representation as a UTF-8 encoded string. For example, if 'integer_value' is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data. # Value to replace it with.

2420

"dateValue": { # Represents a whole or partial calendar date, such as a birthday. The time of day and time zone are either specified elsewhere or are insignificant. The date is relative to the Gregorian Calendar. This can represent one of the following: * A full date, with non-zero year, month, and day values * A month and day value, with a zero year, such as an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, such as a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # date

2421

"year": 42, # Year of the date. Must be from 1 to 9999, or 0 to specify a date without a year.

2422

"day": 42, # Day of a month. Must be from 1 to 31 and valid for the year and month, or 0 to specify a year by itself or a year and month where the day isn't significant.

2423

"month": 42, # Month of a year. Must be from 1 to 12, or 0 to specify a year without a month and day.

2424

},

2425

"dayOfWeekValue": "A String", # day of week

2426

"integerValue": "A String", # integer

2427

"booleanValue": True or False, # boolean

2428

"stringValue": "A String", # string

2429

"floatValue": 3.14, # float

2430

"timestampValue": "A String", # timestamp

2431

"timeValue": { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # time of day

2432

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value "24:00:00" for scenarios like business closing time.

2433

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds.

2434

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

2435

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

},

},

},

"redactConfig": { # Redact a given value. For example, if used with an `InfoTypeTransformation` transforming PHONE_NUMBER, and input 'My phone number is 206-555-0123', the output would be 'My phone number is '. # Redact

2440

},

2441

},

2442

"infoTypes": [ # InfoTypes to apply the transformation to. An empty list will cause this transformation to apply to all findings that correspond to infoTypes that were requested in `InspectConfig`.

2443

{ # Type of information detected by the API.

2444

"name": "A String", # Name of the information type. Either a name of your choosing when creating a CustomInfoType, or one of the names listed at https://cloud.google.com/dlp/docs/infotypes-reference when specifying a built-in type. When sending Cloud DLP results to Data Catalog, infoType names should conform to the pattern `[A-Za-z0-9$-_]{1,64}`.

},

],

},

],

},

"recordTransformations": { # A type of transformation that is applied over structured data such as a table. # Treat the dataset as structured. Transformations can be applied to specific locations within structured datasets, such as transforming a column within a table.

2451

"fieldTransformations": [ # Transform the record by applying various field transformations.

2452

{ # The transformation to apply to the field.

2453

"fields": [ # Required. Input field(s) to apply the transformation to.

2454

{ # General identifier of a data field in a storage service.

2455

"name": "A String", # Name describing the field.

2456

},

2457

],

2458

"infoTypeTransformations": { # A type of transformation that will scan unstructured text and apply various `PrimitiveTransformation`s to each finding, where the transformation is applied to only values that were identified as a specific info_type. # Treat the contents of the field as free text, and selectively transform content that matches an `InfoType`.

2459

"transformations": [ # Required. Transformation for each infoType. Cannot specify more than one for a given infoType.

2460

{ # A transformation to apply to text that is identified as a specific info_type.

2461

"primitiveTransformation": { # A rule for transforming a value. # Required. Primitive transformation to apply to the infoType.

2462

"cryptoDeterministicConfig": { # Pseudonymization method that generates deterministic encryption for the given input. Outputs a base64 encoded representation of the encrypted output. Uses AES-SIV based on the RFC https://tools.ietf.org/html/rfc5297. # Deterministic Crypto

2463

"cryptoKey": { # This is a data encryption key (DEK) (as opposed to a key encryption key (KEK) stored by KMS). When using KMS to wrap/unwrap DEKs, be sure to set an appropriate IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot unwrap the data crypto key. # The key used by the encryption function.

2464

"transient": { # Use this to have a random data crypto key generated. It will be discarded after the request finishes. # Transient crypto key

2465

"name": "A String", # Required. Name of the key. This is an arbitrary string used to differentiate different keys. A unique key is generated per name: two separate `TransientCryptoKey` protos share the same generated key if their names are the same. When the data crypto key is generated, this name is not used in any way (repeating the api call will result in a different key being generated).

2466

},

2467

"kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. The wrapped key must be a 128/192/256 bit key. Authorization requires the following IAM permissions when sending a request to perform a crypto transformation using a kms-wrapped crypto key: dlp.kms.encrypt # Kms wrapped key

2468

"cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.

2469

"wrappedKey": "A String", # Required. The wrapped data crypto key.

2470

},

2471

"unwrapped": { # Using raw keys is prone to security risks due to accidentally leaking the key. Choose another type of key if possible. # Unwrapped crypto key

2472

"key": "A String", # Required. A 128/192/256 bit key.

2473

},

2474

},

2475

"context": { # General identifier of a data field in a storage service. # A context may be used for higher security and maintaining referential integrity such that the same identifier in two different contexts will be given a distinct surrogate. The context is appended to plaintext value being encrypted. On decryption the provided context is validated against the value used during encryption. If a context was provided during encryption, same context must be provided during decryption as well. If the context is not set, plaintext would be used as is for encryption. If the context is set but: 1. there is no record present when transforming a given value or 2. the field is not present when transforming a given value, plaintext would be used as is for encryption. Note that case (1) is expected when an `InfoTypeTransformation` is applied to both structured and non-structured `ContentItem`s.

2476

"name": "A String", # Name describing the field.

2477

},

2478

"surrogateInfoType": { # Type of information detected by the API. # The custom info type to annotate the surrogate with. This annotation will be applied to the surrogate by prefixing it with the name of the custom info type followed by the number of characters comprising the surrogate. The following scheme defines the format: {info type name}({surrogate character count}):{surrogate} For example, if the name of custom info type is 'MY_TOKEN_INFO_TYPE' and the surrogate is 'abc', the full replacement value will be: 'MY_TOKEN_INFO_TYPE(3):abc' This annotation identifies the surrogate when inspecting content using the custom info type 'Surrogate'. This facilitates reversal of the surrogate when it occurs in free text. Note: For record transformations where the entire cell in a table is being transformed, surrogates are not mandatory. Surrogates are used to denote the location of the token and are necessary for re-identification in free form text. In order for inspection to work properly, the name of this info type must not occur naturally anywhere in your data; otherwise, inspection may either - reverse a surrogate that does not correspond to an actual identifier - be unable to parse the surrogate and result in an error Therefore, choose your custom info type name carefully after considering what your data looks like. One way to select a name that has a high chance of yielding reliable detection is to include one or more unicode characters that are highly improbable to exist in your data. For example, assuming your data is entered from a regular ASCII keyboard, the symbol with the hex code point 29DD might be used like so: ⧝MY_TOKEN_TYPE.

2479

"name": "A String", # Name of the information type. Either a name of your choosing when creating a CustomInfoType, or one of the names listed at https://cloud.google.com/dlp/docs/infotypes-reference when specifying a built-in type. When sending Cloud DLP results to Data Catalog, infoType names should conform to the pattern `[A-Za-z0-9$-_]{1,64}`.

2480

},

2481

},

2482

"characterMaskConfig": { # Partially mask a string by replacing a given number of characters with a fixed character. Masking can start from the beginning or end of the string. This can be used on data of any type (numbers, longs, and so on) and when de-identifying structured data we'll attempt to preserve the original data's type. (This allows you to take a long like 123 and modify it to a string like **3. # Mask

2483

"charactersToIgnore": [ # When masking a string, items in this list will be skipped when replacing characters. For example, if the input string is `555-555-5555` and you instruct Cloud DLP to skip `-` and mask 5 characters with `*`, Cloud DLP returns `***-**5-5555`.

2484

{ # Characters to skip when doing deidentification of a value. These will be left alone and skipped.

2485

"commonCharactersToIgnore": "A String", # Common characters to not transform when masking. Useful to avoid removing punctuation.

2486

"charactersToSkip": "A String", # Characters to not transform when masking.

2487

},

2488

],

2489

"reverseOrder": True or False, # Mask characters in reverse order. For example, if `masking_character` is `0`, `number_to_mask` is `14`, and `reverse_order` is `false`, then the input string `1234-5678-9012-3456` is masked as `00000000000000-3456`. If `masking_character` is `*`, `number_to_mask` is `3`, and `reverse_order` is `true`, then the string `12345` is masked as `12***`.

2490

"numberToMask": 42, # Number of characters to mask. If not set, all matching chars will be masked. Skipped characters do not count towards this tally.

2491

"maskingCharacter": "A String", # Character to use to mask the sensitive values—for example, `*` for an alphabetic string such as a name, or `0` for a numeric string such as ZIP code or credit card number. This string must have a length of 1. If not supplied, this value defaults to `*` for strings, and `0` for digits.

2492

},

2493

"cryptoHashConfig": { # Pseudonymization method that generates surrogates via cryptographic hashing. Uses SHA-256. The key size must be either 32 or 64 bytes. Outputs a base64 encoded representation of the hashed output (for example, L7k0BHmF1ha5U3NfGykjro4xWi1MPVQPjhMAZbSV9mM=). Currently, only string and integer values can be hashed. See https://cloud.google.com/dlp/docs/pseudonymization to learn more. # Crypto

2494

"cryptoKey": { # This is a data encryption key (DEK) (as opposed to a key encryption key (KEK) stored by KMS). When using KMS to wrap/unwrap DEKs, be sure to set an appropriate IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot unwrap the data crypto key. # The key used by the hash function.

2495

"transient": { # Use this to have a random data crypto key generated. It will be discarded after the request finishes. # Transient crypto key

2496

"name": "A String", # Required. Name of the key. This is an arbitrary string used to differentiate different keys. A unique key is generated per name: two separate `TransientCryptoKey` protos share the same generated key if their names are the same. When the data crypto key is generated, this name is not used in any way (repeating the api call will result in a different key being generated).

2497

},

2498

"kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. The wrapped key must be a 128/192/256 bit key. Authorization requires the following IAM permissions when sending a request to perform a crypto transformation using a kms-wrapped crypto key: dlp.kms.encrypt # Kms wrapped key

2499

"cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.

2500

"wrappedKey": "A String", # Required. The wrapped data crypto key.

2501

},

2502

"unwrapped": { # Using raw keys is prone to security risks due to accidentally leaking the key. Choose another type of key if possible. # Unwrapped crypto key

2503

"key": "A String", # Required. A 128/192/256 bit key.

},

},

},

"dateShiftConfig": { # Shifts dates by random number of days, with option to be consistent for the same context. See https://cloud.google.com/dlp/docs/concepts-date-shifting to learn more. # Date Shift

2508

"context": { # General identifier of a data field in a storage service. # Points to the field that contains the context, for example, an entity id. If set, must also set cryptoKey. If set, shift will be consistent for the given context.

2509

"name": "A String", # Name describing the field.

2510

},

2511

"cryptoKey": { # This is a data encryption key (DEK) (as opposed to a key encryption key (KEK) stored by KMS). When using KMS to wrap/unwrap DEKs, be sure to set an appropriate IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot unwrap the data crypto key. # Causes the shift to be computed based on this key and the context. This results in the same shift for the same context and crypto_key. If set, must also set context. Can only be applied to table items.

2512

"transient": { # Use this to have a random data crypto key generated. It will be discarded after the request finishes. # Transient crypto key

2513

"name": "A String", # Required. Name of the key. This is an arbitrary string used to differentiate different keys. A unique key is generated per name: two separate `TransientCryptoKey` protos share the same generated key if their names are the same. When the data crypto key is generated, this name is not used in any way (repeating the api call will result in a different key being generated).

2514

},

2515

"kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. The wrapped key must be a 128/192/256 bit key. Authorization requires the following IAM permissions when sending a request to perform a crypto transformation using a kms-wrapped crypto key: dlp.kms.encrypt # Kms wrapped key

2516

"cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.

2517

"wrappedKey": "A String", # Required. The wrapped data crypto key.

2518

},

2519

"unwrapped": { # Using raw keys is prone to security risks due to accidentally leaking the key. Choose another type of key if possible. # Unwrapped crypto key

2520

"key": "A String", # Required. A 128/192/256 bit key.

2521

},

2522

},

2523

"lowerBoundDays": 42, # Required. For example, -5 means shift date to at most 5 days back in the past.

2524

"upperBoundDays": 42, # Required. Range of shift in days. Actual shift will be selected at random within this range (inclusive ends). Negative means shift to earlier in time. Must not be more than 365250 days (1000 years) each direction. For example, 3 means shift date to at most 3 days into the future.

2525

},

2526

"bucketingConfig": { # Generalization function that buckets values based on ranges. The ranges and replacement values are dynamically provided by the user for custom behavior, such as 1-30 -> LOW 31-65 -> MEDIUM 66-100 -> HIGH This can be used on data of type: number, long, string, timestamp. If the bound `Value` type differs from the type of data being transformed, we will first attempt converting the type of the data to be transformed to match the type of the bound before comparing. See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more. # Bucketing

2527

"buckets": [ # Set of buckets. Ranges must be non-overlapping.

2528

{ # Bucket is represented as a range, along with replacement values.

2529

"replacementValue": { # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a 'Value' is based on its representation as a UTF-8 encoded string. For example, if 'integer_value' is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data. # Required. Replacement value for this bucket.

2530

"dateValue": { # Represents a whole or partial calendar date, such as a birthday. The time of day and time zone are either specified elsewhere or are insignificant. The date is relative to the Gregorian Calendar. This can represent one of the following: * A full date, with non-zero year, month, and day values * A month and day value, with a zero year, such as an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, such as a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # date

2531

"year": 42, # Year of the date. Must be from 1 to 9999, or 0 to specify a date without a year.

2532

"day": 42, # Day of a month. Must be from 1 to 31 and valid for the year and month, or 0 to specify a year by itself or a year and month where the day isn't significant.

2533

"month": 42, # Month of a year. Must be from 1 to 12, or 0 to specify a year without a month and day.

2534

},

2535

"dayOfWeekValue": "A String", # day of week

2536

"integerValue": "A String", # integer

2537

"booleanValue": True or False, # boolean

2538

"stringValue": "A String", # string

2539

"floatValue": 3.14, # float

2540

"timestampValue": "A String", # timestamp

2541

"timeValue": { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # time of day

2542

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value "24:00:00" for scenarios like business closing time.

2543

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds.

2544

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

2545

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

2546

},

2547

},

2548

"min": { # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a 'Value' is based on its representation as a UTF-8 encoded string. For example, if 'integer_value' is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data. # Lower bound of the range, inclusive. Type should be the same as max if used.

2549

"dateValue": { # Represents a whole or partial calendar date, such as a birthday. The time of day and time zone are either specified elsewhere or are insignificant. The date is relative to the Gregorian Calendar. This can represent one of the following: * A full date, with non-zero year, month, and day values * A month and day value, with a zero year, such as an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, such as a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # date

2550

"year": 42, # Year of the date. Must be from 1 to 9999, or 0 to specify a date without a year.

2551

"day": 42, # Day of a month. Must be from 1 to 31 and valid for the year and month, or 0 to specify a year by itself or a year and month where the day isn't significant.

2552

"month": 42, # Month of a year. Must be from 1 to 12, or 0 to specify a year without a month and day.

2553

},

2554

"dayOfWeekValue": "A String", # day of week

2555

"integerValue": "A String", # integer

2556

"booleanValue": True or False, # boolean

2557

"stringValue": "A String", # string

2558

"floatValue": 3.14, # float

2559

"timestampValue": "A String", # timestamp

2560

"timeValue": { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # time of day

2561

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value "24:00:00" for scenarios like business closing time.

2562

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds.

2563

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

2564

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

2565

},

2566

},

2567

"max": { # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a 'Value' is based on its representation as a UTF-8 encoded string. For example, if 'integer_value' is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data. # Upper bound of the range, exclusive; type must match min.

2568

"dateValue": { # Represents a whole or partial calendar date, such as a birthday. The time of day and time zone are either specified elsewhere or are insignificant. The date is relative to the Gregorian Calendar. This can represent one of the following: * A full date, with non-zero year, month, and day values * A month and day value, with a zero year, such as an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, such as a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # date

2569

"year": 42, # Year of the date. Must be from 1 to 9999, or 0 to specify a date without a year.

2570

"day": 42, # Day of a month. Must be from 1 to 31 and valid for the year and month, or 0 to specify a year by itself or a year and month where the day isn't significant.

2571

"month": 42, # Month of a year. Must be from 1 to 12, or 0 to specify a year without a month and day.

2572

},

2573

"dayOfWeekValue": "A String", # day of week

2574

"integerValue": "A String", # integer

2575

"booleanValue": True or False, # boolean

2576

"stringValue": "A String", # string

2577

"floatValue": 3.14, # float

2578

"timestampValue": "A String", # timestamp

2579

"timeValue": { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # time of day

2580

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value "24:00:00" for scenarios like business closing time.

2581

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds.

2582

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

2583

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

},

},

},

],

},

"cryptoReplaceFfxFpeConfig": { # Replaces an identifier with a surrogate using Format Preserving Encryption (FPE) with the FFX mode of operation; however when used in the `ReidentifyContent` API method, it serves the opposite function by reversing the surrogate back into the original identifier. The identifier must be encoded as ASCII. For a given crypto key and context, the same identifier will be replaced with the same surrogate. Identifiers must be at least two characters long. In the case that the identifier is the empty string, it will be skipped. See https://cloud.google.com/dlp/docs/pseudonymization to learn more. Note: We recommend using CryptoDeterministicConfig for all use cases which do not require preserving the input alphabet space and size, plus warrant referential integrity. # Ffx-Fpe

2590

"customAlphabet": "A String", # This is supported by mapping these to the alphanumeric characters that the FFX mode natively supports. This happens before/after encryption/decryption. Each character listed must appear only once. Number of characters must be in the range [2, 95]. This must be encoded as ASCII. The order of characters does not matter. The full list of allowed characters is: 0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz ~`!@#$%^&*()_-+={[}]|\:;"'<,>.?/

2591

"cryptoKey": { # This is a data encryption key (DEK) (as opposed to a key encryption key (KEK) stored by KMS). When using KMS to wrap/unwrap DEKs, be sure to set an appropriate IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot unwrap the data crypto key. # Required. The key used by the encryption algorithm.

2592

"transient": { # Use this to have a random data crypto key generated. It will be discarded after the request finishes. # Transient crypto key

2593

"name": "A String", # Required. Name of the key. This is an arbitrary string used to differentiate different keys. A unique key is generated per name: two separate `TransientCryptoKey` protos share the same generated key if their names are the same. When the data crypto key is generated, this name is not used in any way (repeating the api call will result in a different key being generated).

2594

},

2595

"kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. The wrapped key must be a 128/192/256 bit key. Authorization requires the following IAM permissions when sending a request to perform a crypto transformation using a kms-wrapped crypto key: dlp.kms.encrypt # Kms wrapped key

2596

"cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.

2597

"wrappedKey": "A String", # Required. The wrapped data crypto key.

2598

},

2599

"unwrapped": { # Using raw keys is prone to security risks due to accidentally leaking the key. Choose another type of key if possible. # Unwrapped crypto key

2600

"key": "A String", # Required. A 128/192/256 bit key.

2601

},

2602

},

2603

"commonAlphabet": "A String", # Common alphabets.

2604

"radix": 42, # The native way to select the alphabet. Must be in the range [2, 95].

2605

"surrogateInfoType": { # Type of information detected by the API. # The custom infoType to annotate the surrogate with. This annotation will be applied to the surrogate by prefixing it with the name of the custom infoType followed by the number of characters comprising the surrogate. The following scheme defines the format: info_type_name(surrogate_character_count):surrogate For example, if the name of custom infoType is 'MY_TOKEN_INFO_TYPE' and the surrogate is 'abc', the full replacement value will be: 'MY_TOKEN_INFO_TYPE(3):abc' This annotation identifies the surrogate when inspecting content using the custom infoType [`SurrogateType`](https://cloud.google.com/dlp/docs/reference/rest/v2/InspectConfig#surrogatetype). This facilitates reversal of the surrogate when it occurs in free text. In order for inspection to work properly, the name of this infoType must not occur naturally anywhere in your data; otherwise, inspection may find a surrogate that does not correspond to an actual identifier. Therefore, choose your custom infoType name carefully after considering what your data looks like. One way to select a name that has a high chance of yielding reliable detection is to include one or more unicode characters that are highly improbable to exist in your data. For example, assuming your data is entered from a regular ASCII keyboard, the symbol with the hex code point 29DD might be used like so: ⧝MY_TOKEN_TYPE

2606

"name": "A String", # Name of the information type. Either a name of your choosing when creating a CustomInfoType, or one of the names listed at https://cloud.google.com/dlp/docs/infotypes-reference when specifying a built-in type. When sending Cloud DLP results to Data Catalog, infoType names should conform to the pattern `[A-Za-z0-9$-_]{1,64}`.

2607

},

2608

"context": { # General identifier of a data field in a storage service. # The 'tweak', a context may be used for higher security since the same identifier in two different contexts won't be given the same surrogate. If the context is not set, a default tweak will be used. If the context is set but: 1. there is no record present when transforming a given value or 1. the field is not present when transforming a given value, a default tweak will be used. Note that case (1) is expected when an `InfoTypeTransformation` is applied to both structured and non-structured `ContentItem`s. Currently, the referenced field may be of value type integer or string. The tweak is constructed as a sequence of bytes in big endian byte order such that: - a 64 bit integer is encoded followed by a single byte of value 1 - a string is encoded in UTF-8 format followed by a single byte of value 2

2609

"name": "A String", # Name describing the field.

2610

},

2611

},

2612

"timePartConfig": { # For use with `Date`, `Timestamp`, and `TimeOfDay`, extract or preserve a portion of the value. # Time extraction

2613

"partToExtract": "A String", # The part of the time to keep.

2614

},

2615

"replaceWithInfoTypeConfig": { # Replace each matching finding with the name of the info_type. # Replace with infotype

2616

},

2617

"fixedSizeBucketingConfig": { # Buckets values based on fixed size ranges. The Bucketing transformation can provide all of this functionality, but requires more configuration. This message is provided as a convenience to the user for simple bucketing strategies. The transformed value will be a hyphenated string of {lower_bound}-{upper_bound}, i.e if lower_bound = 10 and upper_bound = 20 all values that are within this bucket will be replaced with "10-20". This can be used on data of type: double, long. If the bound Value type differs from the type of data being transformed, we will first attempt converting the type of the data to be transformed to match the type of the bound before comparing. See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more. # Fixed size bucketing

2618

"bucketSize": 3.14, # Required. Size of each bucket (except for minimum and maximum buckets). So if `lower_bound` = 10, `upper_bound` = 89, and `bucket_size` = 10, then the following buckets would be used: -10, 10-20, 20-30, 30-40, 40-50, 50-60, 60-70, 70-80, 80-89, 89+. Precision up to 2 decimals works.

2619

"upperBound": { # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a 'Value' is based on its representation as a UTF-8 encoded string. For example, if 'integer_value' is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data. # Required. Upper bound value of buckets. All values greater than upper_bound are grouped together into a single bucket; for example if `upper_bound` = 89, then all values greater than 89 are replaced with the value "89+".

2620

"dateValue": { # Represents a whole or partial calendar date, such as a birthday. The time of day and time zone are either specified elsewhere or are insignificant. The date is relative to the Gregorian Calendar. This can represent one of the following: * A full date, with non-zero year, month, and day values * A month and day value, with a zero year, such as an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, such as a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # date

2621

"year": 42, # Year of the date. Must be from 1 to 9999, or 0 to specify a date without a year.

2622

"day": 42, # Day of a month. Must be from 1 to 31 and valid for the year and month, or 0 to specify a year by itself or a year and month where the day isn't significant.

2623

"month": 42, # Month of a year. Must be from 1 to 12, or 0 to specify a year without a month and day.

2624

},

2625

"dayOfWeekValue": "A String", # day of week

2626

"integerValue": "A String", # integer

2627

"booleanValue": True or False, # boolean

2628

"stringValue": "A String", # string

2629

"floatValue": 3.14, # float

2630

"timestampValue": "A String", # timestamp

2631

"timeValue": { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # time of day

2632

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value "24:00:00" for scenarios like business closing time.

2633

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds.

2634

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

2635

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

2636

},

2637

},

2638

"lowerBound": { # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a 'Value' is based on its representation as a UTF-8 encoded string. For example, if 'integer_value' is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data. # Required. Lower bound value of buckets. All values less than `lower_bound` are grouped together into a single bucket; for example if `lower_bound` = 10, then all values less than 10 are replaced with the value "-10".

2639

"dateValue": { # Represents a whole or partial calendar date, such as a birthday. The time of day and time zone are either specified elsewhere or are insignificant. The date is relative to the Gregorian Calendar. This can represent one of the following: * A full date, with non-zero year, month, and day values * A month and day value, with a zero year, such as an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, such as a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # date

2640

"year": 42, # Year of the date. Must be from 1 to 9999, or 0 to specify a date without a year.

2641

"day": 42, # Day of a month. Must be from 1 to 31 and valid for the year and month, or 0 to specify a year by itself or a year and month where the day isn't significant.

2642

"month": 42, # Month of a year. Must be from 1 to 12, or 0 to specify a year without a month and day.

2643

},

2644

"dayOfWeekValue": "A String", # day of week

2645

"integerValue": "A String", # integer

2646

"booleanValue": True or False, # boolean

2647

"stringValue": "A String", # string

2648

"floatValue": 3.14, # float

2649

"timestampValue": "A String", # timestamp

2650

"timeValue": { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # time of day

2651

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value "24:00:00" for scenarios like business closing time.

2652

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds.

2653

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

2654

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

},

},

},

"replaceConfig": { # Replace each input value with a given `Value`. # Replace

2659

"newValue": { # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a 'Value' is based on its representation as a UTF-8 encoded string. For example, if 'integer_value' is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data. # Value to replace it with.

2660

"dateValue": { # Represents a whole or partial calendar date, such as a birthday. The time of day and time zone are either specified elsewhere or are insignificant. The date is relative to the Gregorian Calendar. This can represent one of the following: * A full date, with non-zero year, month, and day values * A month and day value, with a zero year, such as an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, such as a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # date

2661

"year": 42, # Year of the date. Must be from 1 to 9999, or 0 to specify a date without a year.

2662

"day": 42, # Day of a month. Must be from 1 to 31 and valid for the year and month, or 0 to specify a year by itself or a year and month where the day isn't significant.

2663

"month": 42, # Month of a year. Must be from 1 to 12, or 0 to specify a year without a month and day.

2664

},

2665

"dayOfWeekValue": "A String", # day of week

2666

"integerValue": "A String", # integer

2667

"booleanValue": True or False, # boolean

2668

"stringValue": "A String", # string

2669

"floatValue": 3.14, # float

2670

"timestampValue": "A String", # timestamp

2671

"timeValue": { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # time of day

2672

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value "24:00:00" for scenarios like business closing time.

2673

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds.

2674

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

2675

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

},

},

},

"redactConfig": { # Redact a given value. For example, if used with an `InfoTypeTransformation` transforming PHONE_NUMBER, and input 'My phone number is 206-555-0123', the output would be 'My phone number is '. # Redact

2680

},

2681

},

2682

"infoTypes": [ # InfoTypes to apply the transformation to. An empty list will cause this transformation to apply to all findings that correspond to infoTypes that were requested in `InspectConfig`.

2683

{ # Type of information detected by the API.

2684

"name": "A String", # Name of the information type. Either a name of your choosing when creating a CustomInfoType, or one of the names listed at https://cloud.google.com/dlp/docs/infotypes-reference when specifying a built-in type. When sending Cloud DLP results to Data Catalog, infoType names should conform to the pattern `[A-Za-z0-9$-_]{1,64}`.

},

],

},

],

},

"primitiveTransformation": { # A rule for transforming a value. # Apply the transformation to the entire field.

2691

"cryptoDeterministicConfig": { # Pseudonymization method that generates deterministic encryption for the given input. Outputs a base64 encoded representation of the encrypted output. Uses AES-SIV based on the RFC https://tools.ietf.org/html/rfc5297. # Deterministic Crypto

2692

"cryptoKey": { # This is a data encryption key (DEK) (as opposed to a key encryption key (KEK) stored by KMS). When using KMS to wrap/unwrap DEKs, be sure to set an appropriate IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot unwrap the data crypto key. # The key used by the encryption function.

2693

"transient": { # Use this to have a random data crypto key generated. It will be discarded after the request finishes. # Transient crypto key

2694

"name": "A String", # Required. Name of the key. This is an arbitrary string used to differentiate different keys. A unique key is generated per name: two separate `TransientCryptoKey` protos share the same generated key if their names are the same. When the data crypto key is generated, this name is not used in any way (repeating the api call will result in a different key being generated).

2695

},

2696

"kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. The wrapped key must be a 128/192/256 bit key. Authorization requires the following IAM permissions when sending a request to perform a crypto transformation using a kms-wrapped crypto key: dlp.kms.encrypt # Kms wrapped key

2697

"cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.

2698

"wrappedKey": "A String", # Required. The wrapped data crypto key.

2699

},

2700

"unwrapped": { # Using raw keys is prone to security risks due to accidentally leaking the key. Choose another type of key if possible. # Unwrapped crypto key

2701

"key": "A String", # Required. A 128/192/256 bit key.

2702

},

2703

},

2704

"context": { # General identifier of a data field in a storage service. # A context may be used for higher security and maintaining referential integrity such that the same identifier in two different contexts will be given a distinct surrogate. The context is appended to plaintext value being encrypted. On decryption the provided context is validated against the value used during encryption. If a context was provided during encryption, same context must be provided during decryption as well. If the context is not set, plaintext would be used as is for encryption. If the context is set but: 1. there is no record present when transforming a given value or 2. the field is not present when transforming a given value, plaintext would be used as is for encryption. Note that case (1) is expected when an `InfoTypeTransformation` is applied to both structured and non-structured `ContentItem`s.

2705

"name": "A String", # Name describing the field.

2706

},

2707

"surrogateInfoType": { # Type of information detected by the API. # The custom info type to annotate the surrogate with. This annotation will be applied to the surrogate by prefixing it with the name of the custom info type followed by the number of characters comprising the surrogate. The following scheme defines the format: {info type name}({surrogate character count}):{surrogate} For example, if the name of custom info type is 'MY_TOKEN_INFO_TYPE' and the surrogate is 'abc', the full replacement value will be: 'MY_TOKEN_INFO_TYPE(3):abc' This annotation identifies the surrogate when inspecting content using the custom info type 'Surrogate'. This facilitates reversal of the surrogate when it occurs in free text. Note: For record transformations where the entire cell in a table is being transformed, surrogates are not mandatory. Surrogates are used to denote the location of the token and are necessary for re-identification in free form text. In order for inspection to work properly, the name of this info type must not occur naturally anywhere in your data; otherwise, inspection may either - reverse a surrogate that does not correspond to an actual identifier - be unable to parse the surrogate and result in an error Therefore, choose your custom info type name carefully after considering what your data looks like. One way to select a name that has a high chance of yielding reliable detection is to include one or more unicode characters that are highly improbable to exist in your data. For example, assuming your data is entered from a regular ASCII keyboard, the symbol with the hex code point 29DD might be used like so: ⧝MY_TOKEN_TYPE.

2708

"name": "A String", # Name of the information type. Either a name of your choosing when creating a CustomInfoType, or one of the names listed at https://cloud.google.com/dlp/docs/infotypes-reference when specifying a built-in type. When sending Cloud DLP results to Data Catalog, infoType names should conform to the pattern `[A-Za-z0-9$-_]{1,64}`.

2709

},

2710

},

2711

"characterMaskConfig": { # Partially mask a string by replacing a given number of characters with a fixed character. Masking can start from the beginning or end of the string. This can be used on data of any type (numbers, longs, and so on) and when de-identifying structured data we'll attempt to preserve the original data's type. (This allows you to take a long like 123 and modify it to a string like **3. # Mask

2712

"charactersToIgnore": [ # When masking a string, items in this list will be skipped when replacing characters. For example, if the input string is `555-555-5555` and you instruct Cloud DLP to skip `-` and mask 5 characters with `*`, Cloud DLP returns `***-**5-5555`.

2713

{ # Characters to skip when doing deidentification of a value. These will be left alone and skipped.

2714

"commonCharactersToIgnore": "A String", # Common characters to not transform when masking. Useful to avoid removing punctuation.

2715

"charactersToSkip": "A String", # Characters to not transform when masking.

2716

},

2717

],

2718

"reverseOrder": True or False, # Mask characters in reverse order. For example, if `masking_character` is `0`, `number_to_mask` is `14`, and `reverse_order` is `false`, then the input string `1234-5678-9012-3456` is masked as `00000000000000-3456`. If `masking_character` is `*`, `number_to_mask` is `3`, and `reverse_order` is `true`, then the string `12345` is masked as `12***`.

2719

"numberToMask": 42, # Number of characters to mask. If not set, all matching chars will be masked. Skipped characters do not count towards this tally.

2720

"maskingCharacter": "A String", # Character to use to mask the sensitive values—for example, `*` for an alphabetic string such as a name, or `0` for a numeric string such as ZIP code or credit card number. This string must have a length of 1. If not supplied, this value defaults to `*` for strings, and `0` for digits.

2721

},

2722

"cryptoHashConfig": { # Pseudonymization method that generates surrogates via cryptographic hashing. Uses SHA-256. The key size must be either 32 or 64 bytes. Outputs a base64 encoded representation of the hashed output (for example, L7k0BHmF1ha5U3NfGykjro4xWi1MPVQPjhMAZbSV9mM=). Currently, only string and integer values can be hashed. See https://cloud.google.com/dlp/docs/pseudonymization to learn more. # Crypto

2723

"cryptoKey": { # This is a data encryption key (DEK) (as opposed to a key encryption key (KEK) stored by KMS). When using KMS to wrap/unwrap DEKs, be sure to set an appropriate IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot unwrap the data crypto key. # The key used by the hash function.

2724

"transient": { # Use this to have a random data crypto key generated. It will be discarded after the request finishes. # Transient crypto key

2725

"name": "A String", # Required. Name of the key. This is an arbitrary string used to differentiate different keys. A unique key is generated per name: two separate `TransientCryptoKey` protos share the same generated key if their names are the same. When the data crypto key is generated, this name is not used in any way (repeating the api call will result in a different key being generated).

2726

},

2727

"kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. The wrapped key must be a 128/192/256 bit key. Authorization requires the following IAM permissions when sending a request to perform a crypto transformation using a kms-wrapped crypto key: dlp.kms.encrypt # Kms wrapped key

2728

"cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.

2729

"wrappedKey": "A String", # Required. The wrapped data crypto key.

2730

},

2731

"unwrapped": { # Using raw keys is prone to security risks due to accidentally leaking the key. Choose another type of key if possible. # Unwrapped crypto key

2732

"key": "A String", # Required. A 128/192/256 bit key.

},

},

},

"dateShiftConfig": { # Shifts dates by random number of days, with option to be consistent for the same context. See https://cloud.google.com/dlp/docs/concepts-date-shifting to learn more. # Date Shift

2737

"context": { # General identifier of a data field in a storage service. # Points to the field that contains the context, for example, an entity id. If set, must also set cryptoKey. If set, shift will be consistent for the given context.

2738

"name": "A String", # Name describing the field.

2739

},

2740

"cryptoKey": { # This is a data encryption key (DEK) (as opposed to a key encryption key (KEK) stored by KMS). When using KMS to wrap/unwrap DEKs, be sure to set an appropriate IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot unwrap the data crypto key. # Causes the shift to be computed based on this key and the context. This results in the same shift for the same context and crypto_key. If set, must also set context. Can only be applied to table items.

2741

"transient": { # Use this to have a random data crypto key generated. It will be discarded after the request finishes. # Transient crypto key

2742

"name": "A String", # Required. Name of the key. This is an arbitrary string used to differentiate different keys. A unique key is generated per name: two separate `TransientCryptoKey` protos share the same generated key if their names are the same. When the data crypto key is generated, this name is not used in any way (repeating the api call will result in a different key being generated).

2743

},

2744

"kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. The wrapped key must be a 128/192/256 bit key. Authorization requires the following IAM permissions when sending a request to perform a crypto transformation using a kms-wrapped crypto key: dlp.kms.encrypt # Kms wrapped key

2745

"cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.

2746

"wrappedKey": "A String", # Required. The wrapped data crypto key.

2747

},

2748

"unwrapped": { # Using raw keys is prone to security risks due to accidentally leaking the key. Choose another type of key if possible. # Unwrapped crypto key

2749

"key": "A String", # Required. A 128/192/256 bit key.

2750

},

2751

},

2752

"lowerBoundDays": 42, # Required. For example, -5 means shift date to at most 5 days back in the past.

2753

"upperBoundDays": 42, # Required. Range of shift in days. Actual shift will be selected at random within this range (inclusive ends). Negative means shift to earlier in time. Must not be more than 365250 days (1000 years) each direction. For example, 3 means shift date to at most 3 days into the future.

2754

},

2755

"bucketingConfig": { # Generalization function that buckets values based on ranges. The ranges and replacement values are dynamically provided by the user for custom behavior, such as 1-30 -> LOW 31-65 -> MEDIUM 66-100 -> HIGH This can be used on data of type: number, long, string, timestamp. If the bound `Value` type differs from the type of data being transformed, we will first attempt converting the type of the data to be transformed to match the type of the bound before comparing. See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more. # Bucketing

2756

"buckets": [ # Set of buckets. Ranges must be non-overlapping.

2757

{ # Bucket is represented as a range, along with replacement values.

2758

"replacementValue": { # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a 'Value' is based on its representation as a UTF-8 encoded string. For example, if 'integer_value' is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data. # Required. Replacement value for this bucket.

2759

"dateValue": { # Represents a whole or partial calendar date, such as a birthday. The time of day and time zone are either specified elsewhere or are insignificant. The date is relative to the Gregorian Calendar. This can represent one of the following: * A full date, with non-zero year, month, and day values * A month and day value, with a zero year, such as an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, such as a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # date

2760

"year": 42, # Year of the date. Must be from 1 to 9999, or 0 to specify a date without a year.

2761

"day": 42, # Day of a month. Must be from 1 to 31 and valid for the year and month, or 0 to specify a year by itself or a year and month where the day isn't significant.

2762

"month": 42, # Month of a year. Must be from 1 to 12, or 0 to specify a year without a month and day.

2763

},

2764

"dayOfWeekValue": "A String", # day of week

2765

"integerValue": "A String", # integer

2766

"booleanValue": True or False, # boolean

2767

"stringValue": "A String", # string

2768

"floatValue": 3.14, # float

2769

"timestampValue": "A String", # timestamp

2770

"timeValue": { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # time of day

2771

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value "24:00:00" for scenarios like business closing time.

2772

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds.

2773

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

2774

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

2775

},

2776

},

2777

"min": { # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a 'Value' is based on its representation as a UTF-8 encoded string. For example, if 'integer_value' is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data. # Lower bound of the range, inclusive. Type should be the same as max if used.

2778

"dateValue": { # Represents a whole or partial calendar date, such as a birthday. The time of day and time zone are either specified elsewhere or are insignificant. The date is relative to the Gregorian Calendar. This can represent one of the following: * A full date, with non-zero year, month, and day values * A month and day value, with a zero year, such as an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, such as a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # date

2779

"year": 42, # Year of the date. Must be from 1 to 9999, or 0 to specify a date without a year.

2780

"day": 42, # Day of a month. Must be from 1 to 31 and valid for the year and month, or 0 to specify a year by itself or a year and month where the day isn't significant.

2781

"month": 42, # Month of a year. Must be from 1 to 12, or 0 to specify a year without a month and day.

2782

},

2783

"dayOfWeekValue": "A String", # day of week

2784

"integerValue": "A String", # integer

2785

"booleanValue": True or False, # boolean

2786

"stringValue": "A String", # string

2787

"floatValue": 3.14, # float

2788

"timestampValue": "A String", # timestamp

2789

"timeValue": { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # time of day

2790

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value "24:00:00" for scenarios like business closing time.

2791

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds.

2792

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

2793

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

2794

},

2795

},

2796

"max": { # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a 'Value' is based on its representation as a UTF-8 encoded string. For example, if 'integer_value' is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data. # Upper bound of the range, exclusive; type must match min.

2797

"dateValue": { # Represents a whole or partial calendar date, such as a birthday. The time of day and time zone are either specified elsewhere or are insignificant. The date is relative to the Gregorian Calendar. This can represent one of the following: * A full date, with non-zero year, month, and day values * A month and day value, with a zero year, such as an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, such as a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # date

2798

"year": 42, # Year of the date. Must be from 1 to 9999, or 0 to specify a date without a year.

2799

"day": 42, # Day of a month. Must be from 1 to 31 and valid for the year and month, or 0 to specify a year by itself or a year and month where the day isn't significant.

2800

"month": 42, # Month of a year. Must be from 1 to 12, or 0 to specify a year without a month and day.

2801

},

2802

"dayOfWeekValue": "A String", # day of week

2803

"integerValue": "A String", # integer

2804

"booleanValue": True or False, # boolean

2805

"stringValue": "A String", # string

2806

"floatValue": 3.14, # float

2807

"timestampValue": "A String", # timestamp

2808

"timeValue": { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # time of day

2809

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value "24:00:00" for scenarios like business closing time.

2810

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds.

2811

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

2812

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

},

},

},

],

},

"cryptoReplaceFfxFpeConfig": { # Replaces an identifier with a surrogate using Format Preserving Encryption (FPE) with the FFX mode of operation; however when used in the `ReidentifyContent` API method, it serves the opposite function by reversing the surrogate back into the original identifier. The identifier must be encoded as ASCII. For a given crypto key and context, the same identifier will be replaced with the same surrogate. Identifiers must be at least two characters long. In the case that the identifier is the empty string, it will be skipped. See https://cloud.google.com/dlp/docs/pseudonymization to learn more. Note: We recommend using CryptoDeterministicConfig for all use cases which do not require preserving the input alphabet space and size, plus warrant referential integrity. # Ffx-Fpe

2819

"customAlphabet": "A String", # This is supported by mapping these to the alphanumeric characters that the FFX mode natively supports. This happens before/after encryption/decryption. Each character listed must appear only once. Number of characters must be in the range [2, 95]. This must be encoded as ASCII. The order of characters does not matter. The full list of allowed characters is: 0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz ~`!@#$%^&*()_-+={[}]|\:;"'<,>.?/

2820

"cryptoKey": { # This is a data encryption key (DEK) (as opposed to a key encryption key (KEK) stored by KMS). When using KMS to wrap/unwrap DEKs, be sure to set an appropriate IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot unwrap the data crypto key. # Required. The key used by the encryption algorithm.

2821

"transient": { # Use this to have a random data crypto key generated. It will be discarded after the request finishes. # Transient crypto key

2822

"name": "A String", # Required. Name of the key. This is an arbitrary string used to differentiate different keys. A unique key is generated per name: two separate `TransientCryptoKey` protos share the same generated key if their names are the same. When the data crypto key is generated, this name is not used in any way (repeating the api call will result in a different key being generated).

2823

},

2824

"kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. The wrapped key must be a 128/192/256 bit key. Authorization requires the following IAM permissions when sending a request to perform a crypto transformation using a kms-wrapped crypto key: dlp.kms.encrypt # Kms wrapped key

2825

"cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.

2826

"wrappedKey": "A String", # Required. The wrapped data crypto key.

2827

},

2828

"unwrapped": { # Using raw keys is prone to security risks due to accidentally leaking the key. Choose another type of key if possible. # Unwrapped crypto key

2829

"key": "A String", # Required. A 128/192/256 bit key.

2830

},

2831

},

2832

"commonAlphabet": "A String", # Common alphabets.

2833

"radix": 42, # The native way to select the alphabet. Must be in the range [2, 95].

2834

"surrogateInfoType": { # Type of information detected by the API. # The custom infoType to annotate the surrogate with. This annotation will be applied to the surrogate by prefixing it with the name of the custom infoType followed by the number of characters comprising the surrogate. The following scheme defines the format: info_type_name(surrogate_character_count):surrogate For example, if the name of custom infoType is 'MY_TOKEN_INFO_TYPE' and the surrogate is 'abc', the full replacement value will be: 'MY_TOKEN_INFO_TYPE(3):abc' This annotation identifies the surrogate when inspecting content using the custom infoType [`SurrogateType`](https://cloud.google.com/dlp/docs/reference/rest/v2/InspectConfig#surrogatetype). This facilitates reversal of the surrogate when it occurs in free text. In order for inspection to work properly, the name of this infoType must not occur naturally anywhere in your data; otherwise, inspection may find a surrogate that does not correspond to an actual identifier. Therefore, choose your custom infoType name carefully after considering what your data looks like. One way to select a name that has a high chance of yielding reliable detection is to include one or more unicode characters that are highly improbable to exist in your data. For example, assuming your data is entered from a regular ASCII keyboard, the symbol with the hex code point 29DD might be used like so: ⧝MY_TOKEN_TYPE

2835

"name": "A String", # Name of the information type. Either a name of your choosing when creating a CustomInfoType, or one of the names listed at https://cloud.google.com/dlp/docs/infotypes-reference when specifying a built-in type. When sending Cloud DLP results to Data Catalog, infoType names should conform to the pattern `[A-Za-z0-9$-_]{1,64}`.

2836

},

2837

"context": { # General identifier of a data field in a storage service. # The 'tweak', a context may be used for higher security since the same identifier in two different contexts won't be given the same surrogate. If the context is not set, a default tweak will be used. If the context is set but: 1. there is no record present when transforming a given value or 1. the field is not present when transforming a given value, a default tweak will be used. Note that case (1) is expected when an `InfoTypeTransformation` is applied to both structured and non-structured `ContentItem`s. Currently, the referenced field may be of value type integer or string. The tweak is constructed as a sequence of bytes in big endian byte order such that: - a 64 bit integer is encoded followed by a single byte of value 1 - a string is encoded in UTF-8 format followed by a single byte of value 2

2838

"name": "A String", # Name describing the field.

2839

},

2840

},

2841

"timePartConfig": { # For use with `Date`, `Timestamp`, and `TimeOfDay`, extract or preserve a portion of the value. # Time extraction

2842

"partToExtract": "A String", # The part of the time to keep.

2843

},

2844

"replaceWithInfoTypeConfig": { # Replace each matching finding with the name of the info_type. # Replace with infotype

2845

},

2846

"fixedSizeBucketingConfig": { # Buckets values based on fixed size ranges. The Bucketing transformation can provide all of this functionality, but requires more configuration. This message is provided as a convenience to the user for simple bucketing strategies. The transformed value will be a hyphenated string of {lower_bound}-{upper_bound}, i.e if lower_bound = 10 and upper_bound = 20 all values that are within this bucket will be replaced with "10-20". This can be used on data of type: double, long. If the bound Value type differs from the type of data being transformed, we will first attempt converting the type of the data to be transformed to match the type of the bound before comparing. See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more. # Fixed size bucketing

2847

"bucketSize": 3.14, # Required. Size of each bucket (except for minimum and maximum buckets). So if `lower_bound` = 10, `upper_bound` = 89, and `bucket_size` = 10, then the following buckets would be used: -10, 10-20, 20-30, 30-40, 40-50, 50-60, 60-70, 70-80, 80-89, 89+. Precision up to 2 decimals works.

2848

"upperBound": { # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a 'Value' is based on its representation as a UTF-8 encoded string. For example, if 'integer_value' is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data. # Required. Upper bound value of buckets. All values greater than upper_bound are grouped together into a single bucket; for example if `upper_bound` = 89, then all values greater than 89 are replaced with the value "89+".

2849

"dateValue": { # Represents a whole or partial calendar date, such as a birthday. The time of day and time zone are either specified elsewhere or are insignificant. The date is relative to the Gregorian Calendar. This can represent one of the following: * A full date, with non-zero year, month, and day values * A month and day value, with a zero year, such as an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, such as a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # date

2850

"year": 42, # Year of the date. Must be from 1 to 9999, or 0 to specify a date without a year.

2851

"day": 42, # Day of a month. Must be from 1 to 31 and valid for the year and month, or 0 to specify a year by itself or a year and month where the day isn't significant.

2852

"month": 42, # Month of a year. Must be from 1 to 12, or 0 to specify a year without a month and day.

2853

},

2854

"dayOfWeekValue": "A String", # day of week

2855

"integerValue": "A String", # integer

2856

"booleanValue": True or False, # boolean

2857

"stringValue": "A String", # string

2858

"floatValue": 3.14, # float

2859

"timestampValue": "A String", # timestamp

2860

"timeValue": { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # time of day

2861

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value "24:00:00" for scenarios like business closing time.

2862

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds.

2863

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

2864

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

2865

},

2866

},

2867

"lowerBound": { # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a 'Value' is based on its representation as a UTF-8 encoded string. For example, if 'integer_value' is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data. # Required. Lower bound value of buckets. All values less than `lower_bound` are grouped together into a single bucket; for example if `lower_bound` = 10, then all values less than 10 are replaced with the value "-10".

2868

"dateValue": { # Represents a whole or partial calendar date, such as a birthday. The time of day and time zone are either specified elsewhere or are insignificant. The date is relative to the Gregorian Calendar. This can represent one of the following: * A full date, with non-zero year, month, and day values * A month and day value, with a zero year, such as an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, such as a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # date

2869

"year": 42, # Year of the date. Must be from 1 to 9999, or 0 to specify a date without a year.

2870

"day": 42, # Day of a month. Must be from 1 to 31 and valid for the year and month, or 0 to specify a year by itself or a year and month where the day isn't significant.

2871

"month": 42, # Month of a year. Must be from 1 to 12, or 0 to specify a year without a month and day.

2872

},

2873

"dayOfWeekValue": "A String", # day of week

2874

"integerValue": "A String", # integer

2875

"booleanValue": True or False, # boolean

2876

"stringValue": "A String", # string

2877

"floatValue": 3.14, # float

2878

"timestampValue": "A String", # timestamp

2879

"timeValue": { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # time of day

2880

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value "24:00:00" for scenarios like business closing time.

2881

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds.

2882

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

2883

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

},

},

},

"replaceConfig": { # Replace each input value with a given `Value`. # Replace

2888

"newValue": { # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a 'Value' is based on its representation as a UTF-8 encoded string. For example, if 'integer_value' is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data. # Value to replace it with.

2889

"dateValue": { # Represents a whole or partial calendar date, such as a birthday. The time of day and time zone are either specified elsewhere or are insignificant. The date is relative to the Gregorian Calendar. This can represent one of the following: * A full date, with non-zero year, month, and day values * A month and day value, with a zero year, such as an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, such as a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # date

2890

"year": 42, # Year of the date. Must be from 1 to 9999, or 0 to specify a date without a year.

2891

"day": 42, # Day of a month. Must be from 1 to 31 and valid for the year and month, or 0 to specify a year by itself or a year and month where the day isn't significant.

2892

"month": 42, # Month of a year. Must be from 1 to 12, or 0 to specify a year without a month and day.

2893

},

2894

"dayOfWeekValue": "A String", # day of week

2895

"integerValue": "A String", # integer

2896

"booleanValue": True or False, # boolean

2897

"stringValue": "A String", # string

2898

"floatValue": 3.14, # float

2899

"timestampValue": "A String", # timestamp

2900

"timeValue": { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # time of day

2901

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value "24:00:00" for scenarios like business closing time.

2902

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds.

2903

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

2904

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

},

},

},

"redactConfig": { # Redact a given value. For example, if used with an `InfoTypeTransformation` transforming PHONE_NUMBER, and input 'My phone number is 206-555-0123', the output would be 'My phone number is '. # Redact

2909

},

2910

},

2911

"condition": { # A condition for determining whether a transformation should be applied to a field. # Only apply the transformation if the condition evaluates to true for the given `RecordCondition`. The conditions are allowed to reference fields that are not used in the actual transformation. Example Use Cases: - Apply a different bucket transformation to an age column if the zip code column for the same record is within a specific range. - Redact a field if the date of birth field is greater than 85.

2912

"expressions": { # An expression, consisting or an operator and conditions. # An expression.

2913

"logicalOperator": "A String", # The operator to apply to the result of conditions. Default and currently only supported value is `AND`.

2914

"conditions": { # A collection of conditions. # Conditions to apply to the expression.

2915

"conditions": [ # A collection of conditions.

2916

{ # The field type of `value` and `field` do not need to match to be considered equal, but not all comparisons are possible. EQUAL_TO and NOT_EQUAL_TO attempt to compare even with incompatible types, but all other comparisons are invalid with incompatible types. A `value` of type: - `string` can be compared against all other types - `boolean` can only be compared against other booleans - `integer` can be compared against doubles or a string if the string value can be parsed as an integer. - `double` can be compared against integers or a string if the string can be parsed as a double. - `Timestamp` can be compared against strings in RFC 3339 date string format. - `TimeOfDay` can be compared against timestamps and strings in the format of 'HH:mm:ss'. If we fail to compare do to type mismatch, a warning will be given and the condition will evaluate to false.

2917

"value": { # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a 'Value' is based on its representation as a UTF-8 encoded string. For example, if 'integer_value' is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data. # Value to compare against. [Mandatory, except for `EXISTS` tests.]

2918

"dateValue": { # Represents a whole or partial calendar date, such as a birthday. The time of day and time zone are either specified elsewhere or are insignificant. The date is relative to the Gregorian Calendar. This can represent one of the following: * A full date, with non-zero year, month, and day values * A month and day value, with a zero year, such as an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, such as a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # date

2919

"year": 42, # Year of the date. Must be from 1 to 9999, or 0 to specify a date without a year.

2920

"day": 42, # Day of a month. Must be from 1 to 31 and valid for the year and month, or 0 to specify a year by itself or a year and month where the day isn't significant.

2921

"month": 42, # Month of a year. Must be from 1 to 12, or 0 to specify a year without a month and day.

2922

},

2923

"dayOfWeekValue": "A String", # day of week

2924

"integerValue": "A String", # integer

2925

"booleanValue": True or False, # boolean

2926

"stringValue": "A String", # string

2927

"floatValue": 3.14, # float

2928

"timestampValue": "A String", # timestamp

2929

"timeValue": { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # time of day

2930

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value "24:00:00" for scenarios like business closing time.

2931

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds.

2932

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

2933

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

2934

},

2935

},

2936

"operator": "A String", # Required. Operator used to compare the field or infoType to the value.

2937

"field": { # General identifier of a data field in a storage service. # Required. Field within the record this condition is evaluated against.

2938

"name": "A String", # Name describing the field.

},

},

],

},

},

},

},

],

"recordSuppressions": [ # Configuration defining which records get suppressed entirely. Records that match any suppression rule are omitted from the output.

2948

{ # Configuration to suppress records whose suppression conditions evaluate to true.

2949

"condition": { # A condition for determining whether a transformation should be applied to a field. # A condition that when it evaluates to true will result in the record being evaluated to be suppressed from the transformed content.

2950

"expressions": { # An expression, consisting or an operator and conditions. # An expression.

2951

"logicalOperator": "A String", # The operator to apply to the result of conditions. Default and currently only supported value is `AND`.

2952

"conditions": { # A collection of conditions. # Conditions to apply to the expression.

2953

"conditions": [ # A collection of conditions.

2954

{ # The field type of `value` and `field` do not need to match to be considered equal, but not all comparisons are possible. EQUAL_TO and NOT_EQUAL_TO attempt to compare even with incompatible types, but all other comparisons are invalid with incompatible types. A `value` of type: - `string` can be compared against all other types - `boolean` can only be compared against other booleans - `integer` can be compared against doubles or a string if the string value can be parsed as an integer. - `double` can be compared against integers or a string if the string can be parsed as a double. - `Timestamp` can be compared against strings in RFC 3339 date string format. - `TimeOfDay` can be compared against timestamps and strings in the format of 'HH:mm:ss'. If we fail to compare do to type mismatch, a warning will be given and the condition will evaluate to false.

2955

"value": { # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a 'Value' is based on its representation as a UTF-8 encoded string. For example, if 'integer_value' is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data. # Value to compare against. [Mandatory, except for `EXISTS` tests.]

2956

"dateValue": { # Represents a whole or partial calendar date, such as a birthday. The time of day and time zone are either specified elsewhere or are insignificant. The date is relative to the Gregorian Calendar. This can represent one of the following: * A full date, with non-zero year, month, and day values * A month and day value, with a zero year, such as an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, such as a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # date

2957

"year": 42, # Year of the date. Must be from 1 to 9999, or 0 to specify a date without a year.

2958

"day": 42, # Day of a month. Must be from 1 to 31 and valid for the year and month, or 0 to specify a year by itself or a year and month where the day isn't significant.

2959

"month": 42, # Month of a year. Must be from 1 to 12, or 0 to specify a year without a month and day.

2960

},

2961

"dayOfWeekValue": "A String", # day of week

2962

"integerValue": "A String", # integer

2963

"booleanValue": True or False, # boolean

2964

"stringValue": "A String", # string

2965

"floatValue": 3.14, # float

2966

"timestampValue": "A String", # timestamp

2967

"timeValue": { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # time of day

2968

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value "24:00:00" for scenarios like business closing time.

2969

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds.

2970

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

2971

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

2972

},

2973

},

2974

"operator": "A String", # Required. Operator used to compare the field or infoType to the value.

2975

"field": { # General identifier of a data field in a storage service. # Required. Field within the record this condition is evaluated against.

2976

"name": "A String", # Name describing the field.

},

},

],

},

},

},

},

],

},

},

Dmitry Frenkel

2020-10-06 16:46:05 -0700

[diff] [blame]

2987

"inspectConfig": { # Configuration description of the scanning process. When used with redactContent only info_types and min_likelihood are currently used. # Configuration for the inspector.

Bu Sun Kim

2020-11-16 11:05:03 -0700

[diff] [blame^]

2988

"contentOptions": [ # List of options defining data content to scan. If empty, text, images, and other content will be included.

2989

"A String",

2990

],

2991

"minLikelihood": "A String", # Only returns findings equal or above this threshold. The default is POSSIBLE. See https://cloud.google.com/dlp/docs/likelihood to learn more.

2992

"limits": { # Configuration to control the number of findings returned. # Configuration to control the number of findings returned.

2993

"maxFindingsPerInfoType": [ # Configuration of findings limit given for specified infoTypes.

2994

{ # Max findings configuration per infoType, per content item or long running DlpJob.

2995

"infoType": { # Type of information detected by the API. # Type of information the findings limit applies to. Only one limit per info_type should be provided. If InfoTypeLimit does not have an info_type, the DLP API applies the limit against all info_types that are found but not specified in another InfoTypeLimit.

Dmitry Frenkel

2020-10-06 16:46:05 -0700

[diff] [blame]

2996

"name": "A String", # Name of the information type. Either a name of your choosing when creating a CustomInfoType, or one of the names listed at https://cloud.google.com/dlp/docs/infotypes-reference when specifying a built-in type. When sending Cloud DLP results to Data Catalog, infoType names should conform to the pattern `[A-Za-z0-9$-_]{1,64}`.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

2997

},

Bu Sun Kim

2020-11-16 11:05:03 -0700

[diff] [blame^]

2998

"maxFindings": 42, # Max findings limit for the given infoType.

2999

},

3000

],

3001

"maxFindingsPerItem": 42, # Max number of findings that will be returned for each item scanned. When set within `InspectJobConfig`, the maximum returned is 2000 regardless if this is set higher. When set within `InspectContentRequest`, this field is ignored.

3002

"maxFindingsPerRequest": 42, # Max number of findings that will be returned per request/job. When set within `InspectContentRequest`, the maximum returned is 2000 regardless if this is set higher.

3003

},

3004

"infoTypes": [ # Restricts what info_types to look for. The values must correspond to InfoType values returned by ListInfoTypes or listed at https://cloud.google.com/dlp/docs/infotypes-reference. When no InfoTypes or CustomInfoTypes are specified in a request, the system may automatically choose what detectors to run. By default this may be all types, but may change over time as detectors are updated. If you need precise control and predictability as to what detectors are run you should specify specific InfoTypes listed in the reference, otherwise a default list will be used, which may change over time.

3005

{ # Type of information detected by the API.

3006

"name": "A String", # Name of the information type. Either a name of your choosing when creating a CustomInfoType, or one of the names listed at https://cloud.google.com/dlp/docs/infotypes-reference when specifying a built-in type. When sending Cloud DLP results to Data Catalog, infoType names should conform to the pattern `[A-Za-z0-9$-_]{1,64}`.

3007

},

3008

],

3009

"includeQuote": True or False, # When true, a contextual quote from the data that triggered a finding is included in the response; see Finding.quote.

3010

"ruleSet": [ # Set of rules to apply to the findings for this InspectConfig. Exclusion rules, contained in the set are executed in the end, other rules are executed in the order they are specified for each info type.

3011

{ # Rule set for modifying a set of infoTypes to alter behavior under certain circumstances, depending on the specific details of the rules within the set.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

3012

"rules": [ # Set of rules to be applied to infoTypes. The rules are applied in order.

Dmitry Frenkel

2020-10-06 16:46:05 -0700

[diff] [blame]

3013

{ # A single inspection rule to be applied to infoTypes, specified in `InspectionRuleSet`.

3014

"exclusionRule": { # The rule that specifies conditions when findings of infoTypes specified in `InspectionRuleSet` are removed from results. # Exclusion rule.

3015

"dictionary": { # Custom information type based on a dictionary of words or phrases. This can be used to match sensitive information specific to the data, such as a list of employee IDs or job titles. Dictionary words are case-insensitive and all characters other than letters and digits in the unicode [Basic Multilingual Plane](https://en.wikipedia.org/wiki/Plane_%28Unicode%29#Basic_Multilingual_Plane) will be replaced with whitespace when scanning for matches, so the dictionary phrase "Sam Johnson" will match all three phrases "sam johnson", "Sam, Johnson", and "Sam (Johnson)". Additionally, the characters surrounding any match must be of a different type than the adjacent characters within the word, so letters must be next to non-letters and digits next to non-digits. For example, the dictionary word "jen" will match the first three letters of the text "jen123" but will return no matches for "jennifer". Dictionary words containing a large number of characters that are not letters or digits may result in unexpected findings because such characters are treated as whitespace. The [limits](https://cloud.google.com/dlp/limits) page contains details about the size limits of dictionaries. For dictionaries that do not fit within these constraints, consider using `LargeCustomDictionaryConfig` in the `StoredInfoType` API. # Dictionary which defines the rule.

3016

"cloudStoragePath": { # Message representing a single file or path in Cloud Storage. # Newline-delimited file of words in Cloud Storage. Only a single file is accepted.

3017

"path": "A String", # A url representing a file or path (no wildcards) in Cloud Storage. Example: gs://[BUCKET_NAME]/dictionary.txt

Bu Sun Kim

2020-07-22 17:02:09 -0700

[diff] [blame]

3018

},

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

3019

"wordList": { # Message defining a list of words or phrases to search for in the data. # List of words or phrases to search for.

Dmitry Frenkel

2020-10-06 16:46:05 -0700

[diff] [blame]

3020

"words": [ # Words or phrases defining the dictionary. The dictionary must contain at least one phrase and every phrase must contain at least 2 characters that are letters or digits. [required]

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

3021

"A String",

3022

],

3023

},

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

3024

},

Bu Sun Kim

2020-11-16 11:05:03 -0700

[diff] [blame^]

3025

"regex": { # Message defining a custom regular expression. # Regular expression which defines the rule.

3026

"groupIndexes": [ # The index of the submatch to extract as findings. When not specified, the entire match is returned. No more than 3 may be included.

3027

42,

3028

],

3029

"pattern": "A String", # Pattern defining the regular expression. Its syntax (https://github.com/google/re2/wiki/Syntax) can be found under the google/re2 repository on GitHub.

3030

},

3031

"matchingType": "A String", # How the rule is applied, see MatchingType documentation for details.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

3032

"excludeInfoTypes": { # List of exclude infoTypes. # Set of infoTypes for which findings would affect this rule.

Dmitry Frenkel

2020-10-06 16:46:05 -0700

[diff] [blame]

3033

"infoTypes": [ # InfoType list in ExclusionRule rule drops a finding when it overlaps or contained within with a finding of an infoType from this list. For example, for `InspectionRuleSet.info_types` containing "PHONE_NUMBER"` and `exclusion_rule` containing `exclude_info_types.info_types` with "EMAIL_ADDRESS" the phone number findings are dropped if they overlap with EMAIL_ADDRESS finding. That leads to "555-222-2222@example.org" to generate only a single finding, namely email address.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

3034

{ # Type of information detected by the API.

Dmitry Frenkel

2020-10-06 16:46:05 -0700

[diff] [blame]

3035

"name": "A String", # Name of the information type. Either a name of your choosing when creating a CustomInfoType, or one of the names listed at https://cloud.google.com/dlp/docs/infotypes-reference when specifying a built-in type. When sending Cloud DLP results to Data Catalog, infoType names should conform to the pattern `[A-Za-z0-9$-_]{1,64}`.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

3036

},

3037

],

3038

},

Dmitry Frenkel

2020-10-06 16:46:05 -0700

[diff] [blame]

3039

},

3040

"hotwordRule": { # The rule that adjusts the likelihood of findings within a certain proximity of hotwords. # Hotword-based detection rule.

3041

"proximity": { # Message for specifying a window around a finding to apply a detection rule. # Proximity of the finding within which the entire hotword must reside. The total length of the window cannot exceed 1000 characters. Note that the finding itself will be included in the window, so that hotwords may be used to match substrings of the finding itself. For example, the certainty of a phone number regex "$\d{3}$ \d{3}-\d{4}" could be adjusted upwards if the area code is known to be the local area code of a company office using the hotword regex "$xxx$", where "xxx" is the area code in question.

Dmitry Frenkel

2020-10-06 16:46:05 -0700

[diff] [blame]

3042

"windowBefore": 42, # Number of characters before the finding to consider.

Bu Sun Kim

2020-11-16 11:05:03 -0700

[diff] [blame^]

3043

"windowAfter": 42, # Number of characters after the finding to consider.

Dmitry Frenkel

2020-10-06 16:46:05 -0700

[diff] [blame]

3044

},

3045

"hotwordRegex": { # Message defining a custom regular expression. # Regular expression pattern defining what qualifies as a hotword.

Dmitry Frenkel

2020-10-06 16:46:05 -0700

[diff] [blame]

3046

"groupIndexes": [ # The index of the submatch to extract as findings. When not specified, the entire match is returned. No more than 3 may be included.

3047

42,

3048

],

Bu Sun Kim

2020-11-16 11:05:03 -0700

[diff] [blame^]

3049

"pattern": "A String", # Pattern defining the regular expression. Its syntax (https://github.com/google/re2/wiki/Syntax) can be found under the google/re2 repository on GitHub.

3050

},

3051

"likelihoodAdjustment": { # Message for specifying an adjustment to the likelihood of a finding as part of a detection rule. # Likelihood adjustment to apply to all matching findings.

3052

"fixedLikelihood": "A String", # Set the likelihood of a finding to a fixed value.

3053

"relativeLikelihood": 42, # Increase or decrease the likelihood by the specified number of levels. For example, if a finding would be `POSSIBLE` without the detection rule and `relative_likelihood` is 1, then it is upgraded to `LIKELY`, while a value of -1 would downgrade it to `UNLIKELY`. Likelihood may never drop below `VERY_UNLIKELY` or exceed `VERY_LIKELY`, so applying an adjustment of 1 followed by an adjustment of -1 when base likelihood is `VERY_LIKELY` will result in a final likelihood of `LIKELY`.

Bu Sun Kim

2020-07-22 17:02:09 -0700

[diff] [blame]

3054

},

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

3055

},

3056

},

3057

],

Bu Sun Kim

2020-11-16 11:05:03 -0700

[diff] [blame^]

3058

"infoTypes": [ # List of infoTypes this rule set is applied to.

3059

{ # Type of information detected by the API.

Dmitry Frenkel

2020-10-06 16:46:05 -0700

[diff] [blame]

3060

"name": "A String", # Name of the information type. Either a name of your choosing when creating a CustomInfoType, or one of the names listed at https://cloud.google.com/dlp/docs/infotypes-reference when specifying a built-in type. When sending Cloud DLP results to Data Catalog, infoType names should conform to the pattern `[A-Za-z0-9$-_]{1,64}`.

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

3061

},

Bu Sun Kim

2020-11-16 11:05:03 -0700

[diff] [blame^]

3062

],

3063

},

3064

],

Dmitry Frenkel

2020-10-06 16:46:05 -0700

[diff] [blame]

3065

"customInfoTypes": [ # CustomInfoTypes provided by the user. See https://cloud.google.com/dlp/docs/creating-custom-infotypes to learn more.

3066

{ # Custom information type provided by the user. Used to find domain-specific sensitive information configurable to the data in question.

Bu Sun Kim

2020-11-16 11:05:03 -0700

[diff] [blame^]

3067

"infoType": { # Type of information detected by the API. # CustomInfoType can either be a new infoType, or an extension of built-in infoType, when the name matches one of existing infoTypes and that infoType is specified in `InspectContent.info_types` field. Specifying the latter adds findings to the one detected by the system. If built-in info type is not specified in `InspectContent.info_types` list then the name is treated as a custom info type.

3068

"name": "A String", # Name of the information type. Either a name of your choosing when creating a CustomInfoType, or one of the names listed at https://cloud.google.com/dlp/docs/infotypes-reference when specifying a built-in type. When sending Cloud DLP results to Data Catalog, infoType names should conform to the pattern `[A-Za-z0-9$-_]{1,64}`.

3069

},

3070

"storedType": { # A reference to a StoredInfoType to use with scanning. # Load an existing `StoredInfoType` resource for use in `InspectDataSource`. Not currently supported in `InspectContent`.

3071

"createTime": "A String", # Timestamp indicating when the version of the `StoredInfoType` used for inspection was created. Output-only field, populated by the system.

3072

"name": "A String", # Resource name of the requested `StoredInfoType`, for example `organizations/433245324/storedInfoTypes/432452342` or `projects/project-id/storedInfoTypes/432452342`.

3073

},

3074

"regex": { # Message defining a custom regular expression. # Regular expression based CustomInfoType.

3075

"groupIndexes": [ # The index of the submatch to extract as findings. When not specified, the entire match is returned. No more than 3 may be included.

3076

42,

3077

],

3078

"pattern": "A String", # Pattern defining the regular expression. Its syntax (https://github.com/google/re2/wiki/Syntax) can be found under the google/re2 repository on GitHub.

3079

},

Dmitry Frenkel

2020-10-06 16:46:05 -0700

[diff] [blame]

3080

"detectionRules": [ # Set of detection rules to apply to all findings of this CustomInfoType. Rules are applied in order that they are specified. Not supported for the `surrogate_type` CustomInfoType.

3081

{ # Deprecated; use `InspectionRuleSet` instead. Rule for modifying a `CustomInfoType` to alter behavior under certain circumstances, depending on the specific details of the rule. Not supported for the `surrogate_type` custom infoType.

3082

"hotwordRule": { # The rule that adjusts the likelihood of findings within a certain proximity of hotwords. # Hotword-based detection rule.

3083

"proximity": { # Message for specifying a window around a finding to apply a detection rule. # Proximity of the finding within which the entire hotword must reside. The total length of the window cannot exceed 1000 characters. Note that the finding itself will be included in the window, so that hotwords may be used to match substrings of the finding itself. For example, the certainty of a phone number regex "$\d{3}$ \d{3}-\d{4}" could be adjusted upwards if the area code is known to be the local area code of a company office using the hotword regex "$xxx$", where "xxx" is the area code in question.

Dmitry Frenkel

2020-10-06 16:46:05 -0700

[diff] [blame]

3084

"windowBefore": 42, # Number of characters before the finding to consider.

Bu Sun Kim

2020-11-16 11:05:03 -0700

[diff] [blame^]

3085

"windowAfter": 42, # Number of characters after the finding to consider.

Dmitry Frenkel

2020-10-06 16:46:05 -0700

[diff] [blame]

3086

},

3087

"hotwordRegex": { # Message defining a custom regular expression. # Regular expression pattern defining what qualifies as a hotword.

Dmitry Frenkel

2020-10-06 16:46:05 -0700

[diff] [blame]

3088

"groupIndexes": [ # The index of the submatch to extract as findings. When not specified, the entire match is returned. No more than 3 may be included.

3089

42,

3090

],

Bu Sun Kim

2020-11-16 11:05:03 -0700

[diff] [blame^]

3091

"pattern": "A String", # Pattern defining the regular expression. Its syntax (https://github.com/google/re2/wiki/Syntax) can be found under the google/re2 repository on GitHub.

3092

},

3093

"likelihoodAdjustment": { # Message for specifying an adjustment to the likelihood of a finding as part of a detection rule. # Likelihood adjustment to apply to all matching findings.

3094

"fixedLikelihood": "A String", # Set the likelihood of a finding to a fixed value.

3095

"relativeLikelihood": 42, # Increase or decrease the likelihood by the specified number of levels. For example, if a finding would be `POSSIBLE` without the detection rule and `relative_likelihood` is 1, then it is upgraded to `LIKELY`, while a value of -1 would downgrade it to `UNLIKELY`. Likelihood may never drop below `VERY_UNLIKELY` or exceed `VERY_LIKELY`, so applying an adjustment of 1 followed by an adjustment of -1 when base likelihood is `VERY_LIKELY` will result in a final likelihood of `LIKELY`.

Dmitry Frenkel

2020-10-06 16:46:05 -0700

[diff] [blame]

},

},

},

],

Dmitry Frenkel

2020-10-06 16:46:05 -0700

[diff] [blame]

3100

"dictionary": { # Custom information type based on a dictionary of words or phrases. This can be used to match sensitive information specific to the data, such as a list of employee IDs or job titles. Dictionary words are case-insensitive and all characters other than letters and digits in the unicode [Basic Multilingual Plane](https://en.wikipedia.org/wiki/Plane_%28Unicode%29#Basic_Multilingual_Plane) will be replaced with whitespace when scanning for matches, so the dictionary phrase "Sam Johnson" will match all three phrases "sam johnson", "Sam, Johnson", and "Sam (Johnson)". Additionally, the characters surrounding any match must be of a different type than the adjacent characters within the word, so letters must be next to non-letters and digits next to non-digits. For example, the dictionary word "jen" will match the first three letters of the text "jen123" but will return no matches for "jennifer". Dictionary words containing a large number of characters that are not letters or digits may result in unexpected findings because such characters are treated as whitespace. The [limits](https://cloud.google.com/dlp/limits) page contains details about the size limits of dictionaries. For dictionaries that do not fit within these constraints, consider using `LargeCustomDictionaryConfig` in the `StoredInfoType` API. # A list of phrases to detect as a CustomInfoType.

3101

"cloudStoragePath": { # Message representing a single file or path in Cloud Storage. # Newline-delimited file of words in Cloud Storage. Only a single file is accepted.

3102

"path": "A String", # A url representing a file or path (no wildcards) in Cloud Storage. Example: gs://[BUCKET_NAME]/dictionary.txt

3103

},

3104

"wordList": { # Message defining a list of words or phrases to search for in the data. # List of words or phrases to search for.

3105

"words": [ # Words or phrases defining the dictionary. The dictionary must contain at least one phrase and every phrase must contain at least 2 characters that are letters or digits. [required]

"A String",

],

},

},

Bu Sun Kim

2020-11-16 11:05:03 -0700

[diff] [blame^]

3110

"surrogateType": { # Message for detecting output from deidentification transformations such as [`CryptoReplaceFfxFpeConfig`](https://cloud.google.com/dlp/docs/reference/rest/v2/organizations.deidentifyTemplates#cryptoreplaceffxfpeconfig). These types of transformations are those that perform pseudonymization, thereby producing a "surrogate" as output. This should be used in conjunction with a field on the transformation such as `surrogate_info_type`. This CustomInfoType does not support the use of `detection_rules`. # Message for detecting output from deidentification transformations that support reversing.

Dmitry Frenkel

2020-10-06 16:46:05 -0700

[diff] [blame]

3111

},

Bu Sun Kim

2020-11-16 11:05:03 -0700

[diff] [blame^]

3112

"exclusionType": "A String", # If set to EXCLUSION_TYPE_EXCLUDE this infoType will not cause a finding to be returned. It still can be used for rules matching.

3113

"likelihood": "A String", # Likelihood to return for this CustomInfoType. This base value can be altered by a detection rule if the finding meets the criteria specified by the rule. Defaults to `VERY_LIKELY` if not specified.

Dmitry Frenkel

2020-10-06 16:46:05 -0700

[diff] [blame]

3114

},

3115

],

Bu Sun Kim

2020-11-16 11:05:03 -0700

[diff] [blame^]

3116

"excludeInfoTypes": True or False, # When true, excludes type information of the findings.

Dmitry Frenkel

2020-10-06 16:46:05 -0700

[diff] [blame]

3117

},

3118

"item": { # Container structure for the content to inspect. # The item to re-identify. Will be treated as text.

3119

"value": "A String", # String data to inspect or redact.

Dmitry Frenkel

2020-10-06 16:46:05 -0700

[diff] [blame]

3120

"table": { # Structured content to inspect. Up to 50,000 `Value`s per request allowed. See https://cloud.google.com/dlp/docs/inspecting-text#inspecting_a_table to learn more. # Structured content for inspection. See https://cloud.google.com/dlp/docs/inspecting-text#inspecting_a_table to learn more.

3121

"headers": [ # Headers of the table.

3122

{ # General identifier of a data field in a storage service.

3123

"name": "A String", # Name describing the field.

3124

},

3125

],

3126

"rows": [ # Rows of the table.

3127

{ # Values of the row.

3128

"values": [ # Individual cells.

3129

{ # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a 'Value' is based on its representation as a UTF-8 encoded string. For example, if 'integer_value' is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data.

Bu Sun Kim

2020-11-16 11:05:03 -0700

[diff] [blame^]

3130

"dateValue": { # Represents a whole or partial calendar date, such as a birthday. The time of day and time zone are either specified elsewhere or are insignificant. The date is relative to the Gregorian Calendar. This can represent one of the following: * A full date, with non-zero year, month, and day values * A month and day value, with a zero year, such as an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, such as a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # date

3131

"year": 42, # Year of the date. Must be from 1 to 9999, or 0 to specify a date without a year.

3132

"day": 42, # Day of a month. Must be from 1 to 31 and valid for the year and month, or 0 to specify a year by itself or a year and month where the day isn't significant.

3133

"month": 42, # Month of a year. Must be from 1 to 12, or 0 to specify a year without a month and day.

3134

},

3135

"dayOfWeekValue": "A String", # day of week

Dmitry Frenkel

2020-10-06 16:46:05 -0700

[diff] [blame]

3136

"integerValue": "A String", # integer

3137

"booleanValue": True or False, # boolean

Bu Sun Kim

2020-11-16 11:05:03 -0700

[diff] [blame^]

3138

"stringValue": "A String", # string

3139

"floatValue": 3.14, # float

Dmitry Frenkel

2020-10-06 16:46:05 -0700

[diff] [blame]

3140

"timestampValue": "A String", # timestamp

Dmitry Frenkel

2020-10-06 16:46:05 -0700

[diff] [blame]

3141

"timeValue": { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # time of day

Bu Sun Kim

2020-11-16 11:05:03 -0700

[diff] [blame^]

3142

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value "24:00:00" for scenarios like business closing time.

Dmitry Frenkel

2020-10-06 16:46:05 -0700

[diff] [blame]

3143

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds.

3144

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

Bu Sun Kim

2020-11-16 11:05:03 -0700

[diff] [blame^]

3145

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

Dmitry Frenkel

2020-10-06 16:46:05 -0700

[diff] [blame]

3146

},

Dmitry Frenkel

2020-10-06 16:46:05 -0700

[diff] [blame]

},

],

},

],

},

Bu Sun Kim

2020-11-16 11:05:03 -0700

[diff] [blame^]

3152

"byteItem": { # Container for bytes to inspect or redact. # Content data to inspect or redact. Replaces `type` and `data`.

3153

"type": "A String", # The type of data stored in the bytes string. Default will be TEXT_UTF8.

3154

"data": "A String", # Content data to inspect or redact.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

3155

},

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

3156

},

Dmitry Frenkel

2020-10-06 16:46:05 -0700

[diff] [blame]

3157

"locationId": "A String", # Deprecated. This field has no effect.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

3158

}

3159

3160

x__xgafv: string, V1 error format.

Allowed values

1 - v1 error format

2 - v2 error format

Returns:

An object of the form:

3167

3168

{ # Results of re-identifying a item.

3169

"overview": { # Overview of the modifications that occurred. # An overview of the changes that were made to the `item`.

Dmitry Frenkel

2020-10-06 16:46:05 -0700

[diff] [blame]

3170

"transformedBytes": "A String", # Total size in bytes that were transformed in some way.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

3171

"transformationSummaries": [ # Transformations applied to the dataset.

Dmitry Frenkel

2020-10-06 16:46:05 -0700

[diff] [blame]

3172

{ # Summary of a single transformation. Only one of 'transformation', 'field_transformation', or 'record_suppress' will be set.

3173

"fieldTransformations": [ # The field transformation that was applied. If multiple field transformations are requested for a single field, this list will contain all of them; otherwise, only one is supplied.

Bu Sun Kim

2020-07-22 17:02:09 -0700

[diff] [blame]

3174

{ # The transformation to apply to the field.

Bu Sun Kim

2020-11-16 11:05:03 -0700

[diff] [blame^]

3175

"fields": [ # Required. Input field(s) to apply the transformation to.

3176

{ # General identifier of a data field in a storage service.

3177

"name": "A String", # Name describing the field.

Dmitry Frenkel

2020-10-06 16:46:05 -0700

[diff] [blame]

3178

},

Bu Sun Kim

2020-11-16 11:05:03 -0700

[diff] [blame^]

3179

],

Dmitry Frenkel

2020-10-06 16:46:05 -0700

[diff] [blame]

3180

"infoTypeTransformations": { # A type of transformation that will scan unstructured text and apply various `PrimitiveTransformation`s to each finding, where the transformation is applied to only values that were identified as a specific info_type. # Treat the contents of the field as free text, and selectively transform content that matches an `InfoType`.

3181

"transformations": [ # Required. Transformation for each infoType. Cannot specify more than one for a given infoType.

3182

{ # A transformation to apply to text that is identified as a specific info_type.

3183

"primitiveTransformation": { # A rule for transforming a value. # Required. Primitive transformation to apply to the infoType.

Bu Sun Kim

2020-11-16 11:05:03 -0700

[diff] [blame^]

3184

"cryptoDeterministicConfig": { # Pseudonymization method that generates deterministic encryption for the given input. Outputs a base64 encoded representation of the encrypted output. Uses AES-SIV based on the RFC https://tools.ietf.org/html/rfc5297. # Deterministic Crypto

3185

"cryptoKey": { # This is a data encryption key (DEK) (as opposed to a key encryption key (KEK) stored by KMS). When using KMS to wrap/unwrap DEKs, be sure to set an appropriate IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot unwrap the data crypto key. # The key used by the encryption function.

Dmitry Frenkel

2020-10-06 16:46:05 -0700

[diff] [blame]

3186

"transient": { # Use this to have a random data crypto key generated. It will be discarded after the request finishes. # Transient crypto key

3187

"name": "A String", # Required. Name of the key. This is an arbitrary string used to differentiate different keys. A unique key is generated per name: two separate `TransientCryptoKey` protos share the same generated key if their names are the same. When the data crypto key is generated, this name is not used in any way (repeating the api call will result in a different key being generated).

3188

},

3189

"kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. The wrapped key must be a 128/192/256 bit key. Authorization requires the following IAM permissions when sending a request to perform a crypto transformation using a kms-wrapped crypto key: dlp.kms.encrypt # Kms wrapped key

3190

"cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.

3191

"wrappedKey": "A String", # Required. The wrapped data crypto key.

3192

},

Bu Sun Kim

2020-11-16 11:05:03 -0700

[diff] [blame^]

3193

"unwrapped": { # Using raw keys is prone to security risks due to accidentally leaking the key. Choose another type of key if possible. # Unwrapped crypto key

3194

"key": "A String", # Required. A 128/192/256 bit key.

3195

},

Dmitry Frenkel

2020-10-06 16:46:05 -0700

[diff] [blame]

3196

},

3197

"context": { # General identifier of a data field in a storage service. # A context may be used for higher security and maintaining referential integrity such that the same identifier in two different contexts will be given a distinct surrogate. The context is appended to plaintext value being encrypted. On decryption the provided context is validated against the value used during encryption. If a context was provided during encryption, same context must be provided during decryption as well. If the context is not set, plaintext would be used as is for encryption. If the context is set but: 1. there is no record present when transforming a given value or 2. the field is not present when transforming a given value, plaintext would be used as is for encryption. Note that case (1) is expected when an `InfoTypeTransformation` is applied to both structured and non-structured `ContentItem`s.

3198

"name": "A String", # Name describing the field.

3199

},

Bu Sun Kim

2020-11-16 11:05:03 -0700

[diff] [blame^]

3200

"surrogateInfoType": { # Type of information detected by the API. # The custom info type to annotate the surrogate with. This annotation will be applied to the surrogate by prefixing it with the name of the custom info type followed by the number of characters comprising the surrogate. The following scheme defines the format: {info type name}({surrogate character count}):{surrogate} For example, if the name of custom info type is 'MY_TOKEN_INFO_TYPE' and the surrogate is 'abc', the full replacement value will be: 'MY_TOKEN_INFO_TYPE(3):abc' This annotation identifies the surrogate when inspecting content using the custom info type 'Surrogate'. This facilitates reversal of the surrogate when it occurs in free text. Note: For record transformations where the entire cell in a table is being transformed, surrogates are not mandatory. Surrogates are used to denote the location of the token and are necessary for re-identification in free form text. In order for inspection to work properly, the name of this info type must not occur naturally anywhere in your data; otherwise, inspection may either - reverse a surrogate that does not correspond to an actual identifier - be unable to parse the surrogate and result in an error Therefore, choose your custom info type name carefully after considering what your data looks like. One way to select a name that has a high chance of yielding reliable detection is to include one or more unicode characters that are highly improbable to exist in your data. For example, assuming your data is entered from a regular ASCII keyboard, the symbol with the hex code point 29DD might be used like so: ⧝MY_TOKEN_TYPE.

3201

"name": "A String", # Name of the information type. Either a name of your choosing when creating a CustomInfoType, or one of the names listed at https://cloud.google.com/dlp/docs/infotypes-reference when specifying a built-in type. When sending Cloud DLP results to Data Catalog, infoType names should conform to the pattern `[A-Za-z0-9$-_]{1,64}`.

3202

},

3203

},

3204

"characterMaskConfig": { # Partially mask a string by replacing a given number of characters with a fixed character. Masking can start from the beginning or end of the string. This can be used on data of any type (numbers, longs, and so on) and when de-identifying structured data we'll attempt to preserve the original data's type. (This allows you to take a long like 123 and modify it to a string like **3. # Mask

3205

"charactersToIgnore": [ # When masking a string, items in this list will be skipped when replacing characters. For example, if the input string is `555-555-5555` and you instruct Cloud DLP to skip `-` and mask 5 characters with `*`, Cloud DLP returns `***-**5-5555`.

3206

{ # Characters to skip when doing deidentification of a value. These will be left alone and skipped.

3207

"commonCharactersToIgnore": "A String", # Common characters to not transform when masking. Useful to avoid removing punctuation.

3208

"charactersToSkip": "A String", # Characters to not transform when masking.

Dmitry Frenkel

2020-10-06 16:46:05 -0700

[diff] [blame]

3209

},

Bu Sun Kim

2020-11-16 11:05:03 -0700

[diff] [blame^]

3210

],

3211

"reverseOrder": True or False, # Mask characters in reverse order. For example, if `masking_character` is `0`, `number_to_mask` is `14`, and `reverse_order` is `false`, then the input string `1234-5678-9012-3456` is masked as `00000000000000-3456`. If `masking_character` is `*`, `number_to_mask` is `3`, and `reverse_order` is `true`, then the string `12345` is masked as `12***`.

3212

"numberToMask": 42, # Number of characters to mask. If not set, all matching chars will be masked. Skipped characters do not count towards this tally.

3213

"maskingCharacter": "A String", # Character to use to mask the sensitive values—for example, `*` for an alphabetic string such as a name, or `0` for a numeric string such as ZIP code or credit card number. This string must have a length of 1. If not supplied, this value defaults to `*` for strings, and `0` for digits.

3214

},

3215

"cryptoHashConfig": { # Pseudonymization method that generates surrogates via cryptographic hashing. Uses SHA-256. The key size must be either 32 or 64 bytes. Outputs a base64 encoded representation of the hashed output (for example, L7k0BHmF1ha5U3NfGykjro4xWi1MPVQPjhMAZbSV9mM=). Currently, only string and integer values can be hashed. See https://cloud.google.com/dlp/docs/pseudonymization to learn more. # Crypto

3216

"cryptoKey": { # This is a data encryption key (DEK) (as opposed to a key encryption key (KEK) stored by KMS). When using KMS to wrap/unwrap DEKs, be sure to set an appropriate IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot unwrap the data crypto key. # The key used by the hash function.

Dmitry Frenkel

2020-10-06 16:46:05 -0700

[diff] [blame]

3217

"transient": { # Use this to have a random data crypto key generated. It will be discarded after the request finishes. # Transient crypto key

3218

"name": "A String", # Required. Name of the key. This is an arbitrary string used to differentiate different keys. A unique key is generated per name: two separate `TransientCryptoKey` protos share the same generated key if their names are the same. When the data crypto key is generated, this name is not used in any way (repeating the api call will result in a different key being generated).

3219

},

3220

"kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. The wrapped key must be a 128/192/256 bit key. Authorization requires the following IAM permissions when sending a request to perform a crypto transformation using a kms-wrapped crypto key: dlp.kms.encrypt # Kms wrapped key

3221

"cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.

3222

"wrappedKey": "A String", # Required. The wrapped data crypto key.

3223

},

Bu Sun Kim

2020-11-16 11:05:03 -0700

[diff] [blame^]

3224

"unwrapped": { # Using raw keys is prone to security risks due to accidentally leaking the key. Choose another type of key if possible. # Unwrapped crypto key

3225

"key": "A String", # Required. A 128/192/256 bit key.

3226

},

Dmitry Frenkel

2020-10-06 16:46:05 -0700

[diff] [blame]

3227

},

3228

},

Bu Sun Kim

2020-11-16 11:05:03 -0700

[diff] [blame^]

3229

"dateShiftConfig": { # Shifts dates by random number of days, with option to be consistent for the same context. See https://cloud.google.com/dlp/docs/concepts-date-shifting to learn more. # Date Shift

3230

"context": { # General identifier of a data field in a storage service. # Points to the field that contains the context, for example, an entity id. If set, must also set cryptoKey. If set, shift will be consistent for the given context.

3231

"name": "A String", # Name describing the field.

Dmitry Frenkel

2020-10-06 16:46:05 -0700

[diff] [blame]

3232

},

Bu Sun Kim

2020-11-16 11:05:03 -0700

[diff] [blame^]

3233

"cryptoKey": { # This is a data encryption key (DEK) (as opposed to a key encryption key (KEK) stored by KMS). When using KMS to wrap/unwrap DEKs, be sure to set an appropriate IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot unwrap the data crypto key. # Causes the shift to be computed based on this key and the context. This results in the same shift for the same context and crypto_key. If set, must also set context. Can only be applied to table items.

3234

"transient": { # Use this to have a random data crypto key generated. It will be discarded after the request finishes. # Transient crypto key

3235

"name": "A String", # Required. Name of the key. This is an arbitrary string used to differentiate different keys. A unique key is generated per name: two separate `TransientCryptoKey` protos share the same generated key if their names are the same. When the data crypto key is generated, this name is not used in any way (repeating the api call will result in a different key being generated).

3236

},

3237

"kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. The wrapped key must be a 128/192/256 bit key. Authorization requires the following IAM permissions when sending a request to perform a crypto transformation using a kms-wrapped crypto key: dlp.kms.encrypt # Kms wrapped key

3238

"cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.

3239

"wrappedKey": "A String", # Required. The wrapped data crypto key.

3240

},

3241

"unwrapped": { # Using raw keys is prone to security risks due to accidentally leaking the key. Choose another type of key if possible. # Unwrapped crypto key

3242

"key": "A String", # Required. A 128/192/256 bit key.

3243

},

3244

},

3245

"lowerBoundDays": 42, # Required. For example, -5 means shift date to at most 5 days back in the past.

3246

"upperBoundDays": 42, # Required. Range of shift in days. Actual shift will be selected at random within this range (inclusive ends). Negative means shift to earlier in time. Must not be more than 365250 days (1000 years) each direction. For example, 3 means shift date to at most 3 days into the future.

3247

},

3248

"bucketingConfig": { # Generalization function that buckets values based on ranges. The ranges and replacement values are dynamically provided by the user for custom behavior, such as 1-30 -> LOW 31-65 -> MEDIUM 66-100 -> HIGH This can be used on data of type: number, long, string, timestamp. If the bound `Value` type differs from the type of data being transformed, we will first attempt converting the type of the data to be transformed to match the type of the bound before comparing. See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more. # Bucketing

3249

"buckets": [ # Set of buckets. Ranges must be non-overlapping.

3250

{ # Bucket is represented as a range, along with replacement values.

3251

"replacementValue": { # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a 'Value' is based on its representation as a UTF-8 encoded string. For example, if 'integer_value' is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data. # Required. Replacement value for this bucket.

3252

"dateValue": { # Represents a whole or partial calendar date, such as a birthday. The time of day and time zone are either specified elsewhere or are insignificant. The date is relative to the Gregorian Calendar. This can represent one of the following: * A full date, with non-zero year, month, and day values * A month and day value, with a zero year, such as an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, such as a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # date

3253

"year": 42, # Year of the date. Must be from 1 to 9999, or 0 to specify a date without a year.

3254

"day": 42, # Day of a month. Must be from 1 to 31 and valid for the year and month, or 0 to specify a year by itself or a year and month where the day isn't significant.

3255

"month": 42, # Month of a year. Must be from 1 to 12, or 0 to specify a year without a month and day.

3256

},

3257

"dayOfWeekValue": "A String", # day of week

3258

"integerValue": "A String", # integer

3259

"booleanValue": True or False, # boolean

3260

"stringValue": "A String", # string

3261

"floatValue": 3.14, # float

3262

"timestampValue": "A String", # timestamp

3263

"timeValue": { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # time of day

3264

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value "24:00:00" for scenarios like business closing time.

3265

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds.

3266

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

3267

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

3268

},

3269

},

3270

"min": { # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a 'Value' is based on its representation as a UTF-8 encoded string. For example, if 'integer_value' is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data. # Lower bound of the range, inclusive. Type should be the same as max if used.

3271

"dateValue": { # Represents a whole or partial calendar date, such as a birthday. The time of day and time zone are either specified elsewhere or are insignificant. The date is relative to the Gregorian Calendar. This can represent one of the following: * A full date, with non-zero year, month, and day values * A month and day value, with a zero year, such as an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, such as a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # date

3272

"year": 42, # Year of the date. Must be from 1 to 9999, or 0 to specify a date without a year.

3273

"day": 42, # Day of a month. Must be from 1 to 31 and valid for the year and month, or 0 to specify a year by itself or a year and month where the day isn't significant.

3274

"month": 42, # Month of a year. Must be from 1 to 12, or 0 to specify a year without a month and day.

3275

},

3276

"dayOfWeekValue": "A String", # day of week

3277

"integerValue": "A String", # integer

3278

"booleanValue": True or False, # boolean

3279

"stringValue": "A String", # string

3280

"floatValue": 3.14, # float

3281

"timestampValue": "A String", # timestamp

3282

"timeValue": { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # time of day

3283

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value "24:00:00" for scenarios like business closing time.

3284

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds.

3285

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

3286

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

3287

},

3288

},

3289

"max": { # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a 'Value' is based on its representation as a UTF-8 encoded string. For example, if 'integer_value' is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data. # Upper bound of the range, exclusive; type must match min.

3290

"dateValue": { # Represents a whole or partial calendar date, such as a birthday. The time of day and time zone are either specified elsewhere or are insignificant. The date is relative to the Gregorian Calendar. This can represent one of the following: * A full date, with non-zero year, month, and day values * A month and day value, with a zero year, such as an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, such as a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # date

3291

"year": 42, # Year of the date. Must be from 1 to 9999, or 0 to specify a date without a year.

3292

"day": 42, # Day of a month. Must be from 1 to 31 and valid for the year and month, or 0 to specify a year by itself or a year and month where the day isn't significant.

3293

"month": 42, # Month of a year. Must be from 1 to 12, or 0 to specify a year without a month and day.

3294

},

3295

"dayOfWeekValue": "A String", # day of week

3296

"integerValue": "A String", # integer

3297

"booleanValue": True or False, # boolean

3298

"stringValue": "A String", # string

3299

"floatValue": 3.14, # float

3300

"timestampValue": "A String", # timestamp

3301

"timeValue": { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # time of day

3302

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value "24:00:00" for scenarios like business closing time.

3303

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds.

3304

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

3305

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

},

},

},

],

Dmitry Frenkel

2020-10-06 16:46:05 -0700

[diff] [blame]

3310

},

3311

"cryptoReplaceFfxFpeConfig": { # Replaces an identifier with a surrogate using Format Preserving Encryption (FPE) with the FFX mode of operation; however when used in the `ReidentifyContent` API method, it serves the opposite function by reversing the surrogate back into the original identifier. The identifier must be encoded as ASCII. For a given crypto key and context, the same identifier will be replaced with the same surrogate. Identifiers must be at least two characters long. In the case that the identifier is the empty string, it will be skipped. See https://cloud.google.com/dlp/docs/pseudonymization to learn more. Note: We recommend using CryptoDeterministicConfig for all use cases which do not require preserving the input alphabet space and size, plus warrant referential integrity. # Ffx-Fpe

Bu Sun Kim

2020-11-16 11:05:03 -0700

[diff] [blame^]

3312

"customAlphabet": "A String", # This is supported by mapping these to the alphanumeric characters that the FFX mode natively supports. This happens before/after encryption/decryption. Each character listed must appear only once. Number of characters must be in the range [2, 95]. This must be encoded as ASCII. The order of characters does not matter. The full list of allowed characters is: 0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz ~`!@#$%^&*()_-+={[}]|\:;"'<,>.?/

3313

"cryptoKey": { # This is a data encryption key (DEK) (as opposed to a key encryption key (KEK) stored by KMS). When using KMS to wrap/unwrap DEKs, be sure to set an appropriate IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot unwrap the data crypto key. # Required. The key used by the encryption algorithm.

3314

"transient": { # Use this to have a random data crypto key generated. It will be discarded after the request finishes. # Transient crypto key

3315

"name": "A String", # Required. Name of the key. This is an arbitrary string used to differentiate different keys. A unique key is generated per name: two separate `TransientCryptoKey` protos share the same generated key if their names are the same. When the data crypto key is generated, this name is not used in any way (repeating the api call will result in a different key being generated).

3316

},

3317

"kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. The wrapped key must be a 128/192/256 bit key. Authorization requires the following IAM permissions when sending a request to perform a crypto transformation using a kms-wrapped crypto key: dlp.kms.encrypt # Kms wrapped key

3318

"cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.

3319

"wrappedKey": "A String", # Required. The wrapped data crypto key.

3320

},

3321

"unwrapped": { # Using raw keys is prone to security risks due to accidentally leaking the key. Choose another type of key if possible. # Unwrapped crypto key

3322

"key": "A String", # Required. A 128/192/256 bit key.

3323

},

3324

},

3325

"commonAlphabet": "A String", # Common alphabets.

3326

"radix": 42, # The native way to select the alphabet. Must be in the range [2, 95].

Dmitry Frenkel

2020-10-06 16:46:05 -0700

[diff] [blame]

3327

"surrogateInfoType": { # Type of information detected by the API. # The custom infoType to annotate the surrogate with. This annotation will be applied to the surrogate by prefixing it with the name of the custom infoType followed by the number of characters comprising the surrogate. The following scheme defines the format: info_type_name(surrogate_character_count):surrogate For example, if the name of custom infoType is 'MY_TOKEN_INFO_TYPE' and the surrogate is 'abc', the full replacement value will be: 'MY_TOKEN_INFO_TYPE(3):abc' This annotation identifies the surrogate when inspecting content using the custom infoType [`SurrogateType`](https://cloud.google.com/dlp/docs/reference/rest/v2/InspectConfig#surrogatetype). This facilitates reversal of the surrogate when it occurs in free text. In order for inspection to work properly, the name of this infoType must not occur naturally anywhere in your data; otherwise, inspection may find a surrogate that does not correspond to an actual identifier. Therefore, choose your custom infoType name carefully after considering what your data looks like. One way to select a name that has a high chance of yielding reliable detection is to include one or more unicode characters that are highly improbable to exist in your data. For example, assuming your data is entered from a regular ASCII keyboard, the symbol with the hex code point 29DD might be used like so: ⧝MY_TOKEN_TYPE

3328

"name": "A String", # Name of the information type. Either a name of your choosing when creating a CustomInfoType, or one of the names listed at https://cloud.google.com/dlp/docs/infotypes-reference when specifying a built-in type. When sending Cloud DLP results to Data Catalog, infoType names should conform to the pattern `[A-Za-z0-9$-_]{1,64}`.

3329

},

3330

"context": { # General identifier of a data field in a storage service. # The 'tweak', a context may be used for higher security since the same identifier in two different contexts won't be given the same surrogate. If the context is not set, a default tweak will be used. If the context is set but: 1. there is no record present when transforming a given value or 1. the field is not present when transforming a given value, a default tweak will be used. Note that case (1) is expected when an `InfoTypeTransformation` is applied to both structured and non-structured `ContentItem`s. Currently, the referenced field may be of value type integer or string. The tweak is constructed as a sequence of bytes in big endian byte order such that: - a 64 bit integer is encoded followed by a single byte of value 1 - a string is encoded in UTF-8 format followed by a single byte of value 2

3331

"name": "A String", # Name describing the field.

3332

},

Dmitry Frenkel

2020-10-06 16:46:05 -0700

[diff] [blame]

3333

},

3334

"timePartConfig": { # For use with `Date`, `Timestamp`, and `TimeOfDay`, extract or preserve a portion of the value. # Time extraction

3335

"partToExtract": "A String", # The part of the time to keep.

3336

},

Bu Sun Kim

2020-11-16 11:05:03 -0700

[diff] [blame^]

3337

"replaceWithInfoTypeConfig": { # Replace each matching finding with the name of the info_type. # Replace with infotype

3338

},

Dmitry Frenkel

2020-10-06 16:46:05 -0700

[diff] [blame]

3339

"fixedSizeBucketingConfig": { # Buckets values based on fixed size ranges. The Bucketing transformation can provide all of this functionality, but requires more configuration. This message is provided as a convenience to the user for simple bucketing strategies. The transformed value will be a hyphenated string of {lower_bound}-{upper_bound}, i.e if lower_bound = 10 and upper_bound = 20 all values that are within this bucket will be replaced with "10-20". This can be used on data of type: double, long. If the bound Value type differs from the type of data being transformed, we will first attempt converting the type of the data to be transformed to match the type of the bound before comparing. See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more. # Fixed size bucketing

3340

"bucketSize": 3.14, # Required. Size of each bucket (except for minimum and maximum buckets). So if `lower_bound` = 10, `upper_bound` = 89, and `bucket_size` = 10, then the following buckets would be used: -10, 10-20, 20-30, 30-40, 40-50, 50-60, 60-70, 70-80, 80-89, 89+. Precision up to 2 decimals works.

Dmitry Frenkel

2020-10-06 16:46:05 -0700

[diff] [blame]

3341

"upperBound": { # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a 'Value' is based on its representation as a UTF-8 encoded string. For example, if 'integer_value' is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data. # Required. Upper bound value of buckets. All values greater than upper_bound are grouped together into a single bucket; for example if `upper_bound` = 89, then all values greater than 89 are replaced with the value "89+".

Bu Sun Kim

2020-11-16 11:05:03 -0700

[diff] [blame^]

3342

"dateValue": { # Represents a whole or partial calendar date, such as a birthday. The time of day and time zone are either specified elsewhere or are insignificant. The date is relative to the Gregorian Calendar. This can represent one of the following: * A full date, with non-zero year, month, and day values * A month and day value, with a zero year, such as an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, such as a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # date

3343

"year": 42, # Year of the date. Must be from 1 to 9999, or 0 to specify a date without a year.

3344

"day": 42, # Day of a month. Must be from 1 to 31 and valid for the year and month, or 0 to specify a year by itself or a year and month where the day isn't significant.

3345

"month": 42, # Month of a year. Must be from 1 to 12, or 0 to specify a year without a month and day.

3346

},

3347

"dayOfWeekValue": "A String", # day of week

Dmitry Frenkel

2020-10-06 16:46:05 -0700

[diff] [blame]

3348

"integerValue": "A String", # integer

3349

"booleanValue": True or False, # boolean

Bu Sun Kim

2020-11-16 11:05:03 -0700

[diff] [blame^]

3350

"stringValue": "A String", # string

3351

"floatValue": 3.14, # float

Dmitry Frenkel

2020-10-06 16:46:05 -0700

[diff] [blame]

3352

"timestampValue": "A String", # timestamp

Dmitry Frenkel

2020-10-06 16:46:05 -0700

[diff] [blame]

3353

"timeValue": { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # time of day

Bu Sun Kim

2020-11-16 11:05:03 -0700

[diff] [blame^]

3354

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value "24:00:00" for scenarios like business closing time.

Dmitry Frenkel

2020-10-06 16:46:05 -0700

[diff] [blame]

3355

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds.

3356

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

Bu Sun Kim

2020-11-16 11:05:03 -0700

[diff] [blame^]

3357

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

Dmitry Frenkel

2020-10-06 16:46:05 -0700

[diff] [blame]

3358

},

Dmitry Frenkel

2020-10-06 16:46:05 -0700

[diff] [blame]

3359

},

Bu Sun Kim

2020-11-16 11:05:03 -0700

[diff] [blame^]

3360

"lowerBound": { # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a 'Value' is based on its representation as a UTF-8 encoded string. For example, if 'integer_value' is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data. # Required. Lower bound value of buckets. All values less than `lower_bound` are grouped together into a single bucket; for example if `lower_bound` = 10, then all values less than 10 are replaced with the value "-10".

3361

"dateValue": { # Represents a whole or partial calendar date, such as a birthday. The time of day and time zone are either specified elsewhere or are insignificant. The date is relative to the Gregorian Calendar. This can represent one of the following: * A full date, with non-zero year, month, and day values * A month and day value, with a zero year, such as an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, such as a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # date

3362

"year": 42, # Year of the date. Must be from 1 to 9999, or 0 to specify a date without a year.

3363

"day": 42, # Day of a month. Must be from 1 to 31 and valid for the year and month, or 0 to specify a year by itself or a year and month where the day isn't significant.

3364

"month": 42, # Month of a year. Must be from 1 to 12, or 0 to specify a year without a month and day.

3365

},

3366

"dayOfWeekValue": "A String", # day of week

3367

"integerValue": "A String", # integer

3368

"booleanValue": True or False, # boolean

3369

"stringValue": "A String", # string

3370

"floatValue": 3.14, # float

3371

"timestampValue": "A String", # timestamp

3372

"timeValue": { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # time of day

3373

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value "24:00:00" for scenarios like business closing time.

3374

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds.

3375

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

3376

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

},

},

},

"replaceConfig": { # Replace each input value with a given `Value`. # Replace

3381

"newValue": { # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a 'Value' is based on its representation as a UTF-8 encoded string. For example, if 'integer_value' is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data. # Value to replace it with.

3382

"dateValue": { # Represents a whole or partial calendar date, such as a birthday. The time of day and time zone are either specified elsewhere or are insignificant. The date is relative to the Gregorian Calendar. This can represent one of the following: * A full date, with non-zero year, month, and day values * A month and day value, with a zero year, such as an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, such as a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # date

3383

"year": 42, # Year of the date. Must be from 1 to 9999, or 0 to specify a date without a year.

3384

"day": 42, # Day of a month. Must be from 1 to 31 and valid for the year and month, or 0 to specify a year by itself or a year and month where the day isn't significant.

3385

"month": 42, # Month of a year. Must be from 1 to 12, or 0 to specify a year without a month and day.

3386

},

3387

"dayOfWeekValue": "A String", # day of week

3388

"integerValue": "A String", # integer

3389

"booleanValue": True or False, # boolean

3390

"stringValue": "A String", # string

3391

"floatValue": 3.14, # float

3392

"timestampValue": "A String", # timestamp

3393

"timeValue": { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # time of day

3394

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value "24:00:00" for scenarios like business closing time.

3395

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds.

3396

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

3397

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

},

},

},

"redactConfig": { # Redact a given value. For example, if used with an `InfoTypeTransformation` transforming PHONE_NUMBER, and input 'My phone number is 206-555-0123', the output would be 'My phone number is '. # Redact

Dmitry Frenkel

2020-10-06 16:46:05 -0700

[diff] [blame]

3402

},

3403

},

3404

"infoTypes": [ # InfoTypes to apply the transformation to. An empty list will cause this transformation to apply to all findings that correspond to infoTypes that were requested in `InspectConfig`.

3405

{ # Type of information detected by the API.

3406

"name": "A String", # Name of the information type. Either a name of your choosing when creating a CustomInfoType, or one of the names listed at https://cloud.google.com/dlp/docs/infotypes-reference when specifying a built-in type. When sending Cloud DLP results to Data Catalog, infoType names should conform to the pattern `[A-Za-z0-9$-_]{1,64}`.

},

],

},

],

},

Bu Sun Kim

2020-11-16 11:05:03 -0700

[diff] [blame^]

3412

"primitiveTransformation": { # A rule for transforming a value. # Apply the transformation to the entire field.

3413

"cryptoDeterministicConfig": { # Pseudonymization method that generates deterministic encryption for the given input. Outputs a base64 encoded representation of the encrypted output. Uses AES-SIV based on the RFC https://tools.ietf.org/html/rfc5297. # Deterministic Crypto

3414

"cryptoKey": { # This is a data encryption key (DEK) (as opposed to a key encryption key (KEK) stored by KMS). When using KMS to wrap/unwrap DEKs, be sure to set an appropriate IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot unwrap the data crypto key. # The key used by the encryption function.

3415

"transient": { # Use this to have a random data crypto key generated. It will be discarded after the request finishes. # Transient crypto key

3416

"name": "A String", # Required. Name of the key. This is an arbitrary string used to differentiate different keys. A unique key is generated per name: two separate `TransientCryptoKey` protos share the same generated key if their names are the same. When the data crypto key is generated, this name is not used in any way (repeating the api call will result in a different key being generated).

3417

},

3418

"kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. The wrapped key must be a 128/192/256 bit key. Authorization requires the following IAM permissions when sending a request to perform a crypto transformation using a kms-wrapped crypto key: dlp.kms.encrypt # Kms wrapped key

3419

"cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.

3420

"wrappedKey": "A String", # Required. The wrapped data crypto key.

3421

},

3422

"unwrapped": { # Using raw keys is prone to security risks due to accidentally leaking the key. Choose another type of key if possible. # Unwrapped crypto key

3423

"key": "A String", # Required. A 128/192/256 bit key.

3424

},

3425

},

3426

"context": { # General identifier of a data field in a storage service. # A context may be used for higher security and maintaining referential integrity such that the same identifier in two different contexts will be given a distinct surrogate. The context is appended to plaintext value being encrypted. On decryption the provided context is validated against the value used during encryption. If a context was provided during encryption, same context must be provided during decryption as well. If the context is not set, plaintext would be used as is for encryption. If the context is set but: 1. there is no record present when transforming a given value or 2. the field is not present when transforming a given value, plaintext would be used as is for encryption. Note that case (1) is expected when an `InfoTypeTransformation` is applied to both structured and non-structured `ContentItem`s.

3427

"name": "A String", # Name describing the field.

3428

},

3429

"surrogateInfoType": { # Type of information detected by the API. # The custom info type to annotate the surrogate with. This annotation will be applied to the surrogate by prefixing it with the name of the custom info type followed by the number of characters comprising the surrogate. The following scheme defines the format: {info type name}({surrogate character count}):{surrogate} For example, if the name of custom info type is 'MY_TOKEN_INFO_TYPE' and the surrogate is 'abc', the full replacement value will be: 'MY_TOKEN_INFO_TYPE(3):abc' This annotation identifies the surrogate when inspecting content using the custom info type 'Surrogate'. This facilitates reversal of the surrogate when it occurs in free text. Note: For record transformations where the entire cell in a table is being transformed, surrogates are not mandatory. Surrogates are used to denote the location of the token and are necessary for re-identification in free form text. In order for inspection to work properly, the name of this info type must not occur naturally anywhere in your data; otherwise, inspection may either - reverse a surrogate that does not correspond to an actual identifier - be unable to parse the surrogate and result in an error Therefore, choose your custom info type name carefully after considering what your data looks like. One way to select a name that has a high chance of yielding reliable detection is to include one or more unicode characters that are highly improbable to exist in your data. For example, assuming your data is entered from a regular ASCII keyboard, the symbol with the hex code point 29DD might be used like so: ⧝MY_TOKEN_TYPE.

3430

"name": "A String", # Name of the information type. Either a name of your choosing when creating a CustomInfoType, or one of the names listed at https://cloud.google.com/dlp/docs/infotypes-reference when specifying a built-in type. When sending Cloud DLP results to Data Catalog, infoType names should conform to the pattern `[A-Za-z0-9$-_]{1,64}`.

3431

},

Bu Sun Kim

2020-07-22 17:02:09 -0700

[diff] [blame]

3432

},

Bu Sun Kim

2020-11-16 11:05:03 -0700

[diff] [blame^]

3433

"characterMaskConfig": { # Partially mask a string by replacing a given number of characters with a fixed character. Masking can start from the beginning or end of the string. This can be used on data of any type (numbers, longs, and so on) and when de-identifying structured data we'll attempt to preserve the original data's type. (This allows you to take a long like 123 and modify it to a string like **3. # Mask

3434

"charactersToIgnore": [ # When masking a string, items in this list will be skipped when replacing characters. For example, if the input string is `555-555-5555` and you instruct Cloud DLP to skip `-` and mask 5 characters with `*`, Cloud DLP returns `***-**5-5555`.

3435

{ # Characters to skip when doing deidentification of a value. These will be left alone and skipped.

3436

"commonCharactersToIgnore": "A String", # Common characters to not transform when masking. Useful to avoid removing punctuation.

3437

"charactersToSkip": "A String", # Characters to not transform when masking.

3438

},

3439

],

3440

"reverseOrder": True or False, # Mask characters in reverse order. For example, if `masking_character` is `0`, `number_to_mask` is `14`, and `reverse_order` is `false`, then the input string `1234-5678-9012-3456` is masked as `00000000000000-3456`. If `masking_character` is `*`, `number_to_mask` is `3`, and `reverse_order` is `true`, then the string `12345` is masked as `12***`.

3441

"numberToMask": 42, # Number of characters to mask. If not set, all matching chars will be masked. Skipped characters do not count towards this tally.

3442

"maskingCharacter": "A String", # Character to use to mask the sensitive values—for example, `*` for an alphabetic string such as a name, or `0` for a numeric string such as ZIP code or credit card number. This string must have a length of 1. If not supplied, this value defaults to `*` for strings, and `0` for digits.

3443

},

3444

"cryptoHashConfig": { # Pseudonymization method that generates surrogates via cryptographic hashing. Uses SHA-256. The key size must be either 32 or 64 bytes. Outputs a base64 encoded representation of the hashed output (for example, L7k0BHmF1ha5U3NfGykjro4xWi1MPVQPjhMAZbSV9mM=). Currently, only string and integer values can be hashed. See https://cloud.google.com/dlp/docs/pseudonymization to learn more. # Crypto

3445

"cryptoKey": { # This is a data encryption key (DEK) (as opposed to a key encryption key (KEK) stored by KMS). When using KMS to wrap/unwrap DEKs, be sure to set an appropriate IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot unwrap the data crypto key. # The key used by the hash function.

3446

"transient": { # Use this to have a random data crypto key generated. It will be discarded after the request finishes. # Transient crypto key

3447

"name": "A String", # Required. Name of the key. This is an arbitrary string used to differentiate different keys. A unique key is generated per name: two separate `TransientCryptoKey` protos share the same generated key if their names are the same. When the data crypto key is generated, this name is not used in any way (repeating the api call will result in a different key being generated).

3448

},

3449

"kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. The wrapped key must be a 128/192/256 bit key. Authorization requires the following IAM permissions when sending a request to perform a crypto transformation using a kms-wrapped crypto key: dlp.kms.encrypt # Kms wrapped key

3450

"cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.

3451

"wrappedKey": "A String", # Required. The wrapped data crypto key.

3452

},

3453

"unwrapped": { # Using raw keys is prone to security risks due to accidentally leaking the key. Choose another type of key if possible. # Unwrapped crypto key

3454

"key": "A String", # Required. A 128/192/256 bit key.

},

},

},

"dateShiftConfig": { # Shifts dates by random number of days, with option to be consistent for the same context. See https://cloud.google.com/dlp/docs/concepts-date-shifting to learn more. # Date Shift

3459

"context": { # General identifier of a data field in a storage service. # Points to the field that contains the context, for example, an entity id. If set, must also set cryptoKey. If set, shift will be consistent for the given context.

3460

"name": "A String", # Name describing the field.

3461

},

3462

"cryptoKey": { # This is a data encryption key (DEK) (as opposed to a key encryption key (KEK) stored by KMS). When using KMS to wrap/unwrap DEKs, be sure to set an appropriate IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot unwrap the data crypto key. # Causes the shift to be computed based on this key and the context. This results in the same shift for the same context and crypto_key. If set, must also set context. Can only be applied to table items.

3463

"transient": { # Use this to have a random data crypto key generated. It will be discarded after the request finishes. # Transient crypto key

3464

"name": "A String", # Required. Name of the key. This is an arbitrary string used to differentiate different keys. A unique key is generated per name: two separate `TransientCryptoKey` protos share the same generated key if their names are the same. When the data crypto key is generated, this name is not used in any way (repeating the api call will result in a different key being generated).

3465

},

3466

"kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. The wrapped key must be a 128/192/256 bit key. Authorization requires the following IAM permissions when sending a request to perform a crypto transformation using a kms-wrapped crypto key: dlp.kms.encrypt # Kms wrapped key

3467

"cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.

3468

"wrappedKey": "A String", # Required. The wrapped data crypto key.

3469

},

3470

"unwrapped": { # Using raw keys is prone to security risks due to accidentally leaking the key. Choose another type of key if possible. # Unwrapped crypto key

3471

"key": "A String", # Required. A 128/192/256 bit key.

3472

},

3473

},

3474

"lowerBoundDays": 42, # Required. For example, -5 means shift date to at most 5 days back in the past.

3475

"upperBoundDays": 42, # Required. Range of shift in days. Actual shift will be selected at random within this range (inclusive ends). Negative means shift to earlier in time. Must not be more than 365250 days (1000 years) each direction. For example, 3 means shift date to at most 3 days into the future.

3476

},

3477

"bucketingConfig": { # Generalization function that buckets values based on ranges. The ranges and replacement values are dynamically provided by the user for custom behavior, such as 1-30 -> LOW 31-65 -> MEDIUM 66-100 -> HIGH This can be used on data of type: number, long, string, timestamp. If the bound `Value` type differs from the type of data being transformed, we will first attempt converting the type of the data to be transformed to match the type of the bound before comparing. See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more. # Bucketing

3478

"buckets": [ # Set of buckets. Ranges must be non-overlapping.

3479

{ # Bucket is represented as a range, along with replacement values.

3480

"replacementValue": { # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a 'Value' is based on its representation as a UTF-8 encoded string. For example, if 'integer_value' is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data. # Required. Replacement value for this bucket.

3481

"dateValue": { # Represents a whole or partial calendar date, such as a birthday. The time of day and time zone are either specified elsewhere or are insignificant. The date is relative to the Gregorian Calendar. This can represent one of the following: * A full date, with non-zero year, month, and day values * A month and day value, with a zero year, such as an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, such as a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # date

3482

"year": 42, # Year of the date. Must be from 1 to 9999, or 0 to specify a date without a year.

3483

"day": 42, # Day of a month. Must be from 1 to 31 and valid for the year and month, or 0 to specify a year by itself or a year and month where the day isn't significant.

3484

"month": 42, # Month of a year. Must be from 1 to 12, or 0 to specify a year without a month and day.

3485

},

3486

"dayOfWeekValue": "A String", # day of week

Dmitry Frenkel

2020-10-06 16:46:05 -0700

[diff] [blame]

3487

"integerValue": "A String", # integer

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

3488

"booleanValue": True or False, # boolean

Bu Sun Kim

2020-11-16 11:05:03 -0700

[diff] [blame^]

3489

"stringValue": "A String", # string

3490

"floatValue": 3.14, # float

Dmitry Frenkel

2020-10-06 16:46:05 -0700

[diff] [blame]

3491

"timestampValue": "A String", # timestamp

Dmitry Frenkel

2020-10-06 16:46:05 -0700

[diff] [blame]

3492

"timeValue": { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # time of day

Bu Sun Kim

2020-11-16 11:05:03 -0700

[diff] [blame^]

3493

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value "24:00:00" for scenarios like business closing time.

Dmitry Frenkel

2020-10-06 16:46:05 -0700

[diff] [blame]

3494

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds.

3495

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

Bu Sun Kim

2020-11-16 11:05:03 -0700

[diff] [blame^]

3496

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

Dmitry Frenkel

2020-10-06 16:46:05 -0700

[diff] [blame]

3497

},

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

3498

},

Bu Sun Kim

2020-11-16 11:05:03 -0700

[diff] [blame^]

3499

"min": { # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a 'Value' is based on its representation as a UTF-8 encoded string. For example, if 'integer_value' is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data. # Lower bound of the range, inclusive. Type should be the same as max if used.

3500

"dateValue": { # Represents a whole or partial calendar date, such as a birthday. The time of day and time zone are either specified elsewhere or are insignificant. The date is relative to the Gregorian Calendar. This can represent one of the following: * A full date, with non-zero year, month, and day values * A month and day value, with a zero year, such as an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, such as a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # date

3501

"year": 42, # Year of the date. Must be from 1 to 9999, or 0 to specify a date without a year.

3502

"day": 42, # Day of a month. Must be from 1 to 31 and valid for the year and month, or 0 to specify a year by itself or a year and month where the day isn't significant.

3503

"month": 42, # Month of a year. Must be from 1 to 12, or 0 to specify a year without a month and day.

3504

},

3505

"dayOfWeekValue": "A String", # day of week

3506

"integerValue": "A String", # integer

3507

"booleanValue": True or False, # boolean

3508

"stringValue": "A String", # string

3509

"floatValue": 3.14, # float

3510

"timestampValue": "A String", # timestamp

3511

"timeValue": { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # time of day

3512

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value "24:00:00" for scenarios like business closing time.

3513

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds.

3514

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

3515

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

3516

},

3517

},

3518

"max": { # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a 'Value' is based on its representation as a UTF-8 encoded string. For example, if 'integer_value' is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data. # Upper bound of the range, exclusive; type must match min.

3519

"dateValue": { # Represents a whole or partial calendar date, such as a birthday. The time of day and time zone are either specified elsewhere or are insignificant. The date is relative to the Gregorian Calendar. This can represent one of the following: * A full date, with non-zero year, month, and day values * A month and day value, with a zero year, such as an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, such as a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # date

3520

"year": 42, # Year of the date. Must be from 1 to 9999, or 0 to specify a date without a year.

3521

"day": 42, # Day of a month. Must be from 1 to 31 and valid for the year and month, or 0 to specify a year by itself or a year and month where the day isn't significant.

3522

"month": 42, # Month of a year. Must be from 1 to 12, or 0 to specify a year without a month and day.

3523

},

3524

"dayOfWeekValue": "A String", # day of week

3525

"integerValue": "A String", # integer

3526

"booleanValue": True or False, # boolean

3527

"stringValue": "A String", # string

3528

"floatValue": 3.14, # float

3529

"timestampValue": "A String", # timestamp

3530

"timeValue": { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # time of day

3531

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value "24:00:00" for scenarios like business closing time.

3532

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds.

3533

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

3534

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

3535

},

3536

},

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

3537

},

3538

],

3539

},

Bu Sun Kim

2020-11-16 11:05:03 -0700

[diff] [blame^]

3540

"cryptoReplaceFfxFpeConfig": { # Replaces an identifier with a surrogate using Format Preserving Encryption (FPE) with the FFX mode of operation; however when used in the `ReidentifyContent` API method, it serves the opposite function by reversing the surrogate back into the original identifier. The identifier must be encoded as ASCII. For a given crypto key and context, the same identifier will be replaced with the same surrogate. Identifiers must be at least two characters long. In the case that the identifier is the empty string, it will be skipped. See https://cloud.google.com/dlp/docs/pseudonymization to learn more. Note: We recommend using CryptoDeterministicConfig for all use cases which do not require preserving the input alphabet space and size, plus warrant referential integrity. # Ffx-Fpe

3541

"customAlphabet": "A String", # This is supported by mapping these to the alphanumeric characters that the FFX mode natively supports. This happens before/after encryption/decryption. Each character listed must appear only once. Number of characters must be in the range [2, 95]. This must be encoded as ASCII. The order of characters does not matter. The full list of allowed characters is: 0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz ~`!@#$%^&*()_-+={[}]|\:;"'<,>.?/

3542

"cryptoKey": { # This is a data encryption key (DEK) (as opposed to a key encryption key (KEK) stored by KMS). When using KMS to wrap/unwrap DEKs, be sure to set an appropriate IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot unwrap the data crypto key. # Required. The key used by the encryption algorithm.

3543

"transient": { # Use this to have a random data crypto key generated. It will be discarded after the request finishes. # Transient crypto key

3544

"name": "A String", # Required. Name of the key. This is an arbitrary string used to differentiate different keys. A unique key is generated per name: two separate `TransientCryptoKey` protos share the same generated key if their names are the same. When the data crypto key is generated, this name is not used in any way (repeating the api call will result in a different key being generated).

3545

},

3546

"kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. The wrapped key must be a 128/192/256 bit key. Authorization requires the following IAM permissions when sending a request to perform a crypto transformation using a kms-wrapped crypto key: dlp.kms.encrypt # Kms wrapped key

3547

"cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.

3548

"wrappedKey": "A String", # Required. The wrapped data crypto key.

3549

},

3550

"unwrapped": { # Using raw keys is prone to security risks due to accidentally leaking the key. Choose another type of key if possible. # Unwrapped crypto key

3551

"key": "A String", # Required. A 128/192/256 bit key.

3552

},

3553

},

3554

"commonAlphabet": "A String", # Common alphabets.

3555

"radix": 42, # The native way to select the alphabet. Must be in the range [2, 95].

3556

"surrogateInfoType": { # Type of information detected by the API. # The custom infoType to annotate the surrogate with. This annotation will be applied to the surrogate by prefixing it with the name of the custom infoType followed by the number of characters comprising the surrogate. The following scheme defines the format: info_type_name(surrogate_character_count):surrogate For example, if the name of custom infoType is 'MY_TOKEN_INFO_TYPE' and the surrogate is 'abc', the full replacement value will be: 'MY_TOKEN_INFO_TYPE(3):abc' This annotation identifies the surrogate when inspecting content using the custom infoType [`SurrogateType`](https://cloud.google.com/dlp/docs/reference/rest/v2/InspectConfig#surrogatetype). This facilitates reversal of the surrogate when it occurs in free text. In order for inspection to work properly, the name of this infoType must not occur naturally anywhere in your data; otherwise, inspection may find a surrogate that does not correspond to an actual identifier. Therefore, choose your custom infoType name carefully after considering what your data looks like. One way to select a name that has a high chance of yielding reliable detection is to include one or more unicode characters that are highly improbable to exist in your data. For example, assuming your data is entered from a regular ASCII keyboard, the symbol with the hex code point 29DD might be used like so: ⧝MY_TOKEN_TYPE

3557

"name": "A String", # Name of the information type. Either a name of your choosing when creating a CustomInfoType, or one of the names listed at https://cloud.google.com/dlp/docs/infotypes-reference when specifying a built-in type. When sending Cloud DLP results to Data Catalog, infoType names should conform to the pattern `[A-Za-z0-9$-_]{1,64}`.

3558

},

3559

"context": { # General identifier of a data field in a storage service. # The 'tweak', a context may be used for higher security since the same identifier in two different contexts won't be given the same surrogate. If the context is not set, a default tweak will be used. If the context is set but: 1. there is no record present when transforming a given value or 1. the field is not present when transforming a given value, a default tweak will be used. Note that case (1) is expected when an `InfoTypeTransformation` is applied to both structured and non-structured `ContentItem`s. Currently, the referenced field may be of value type integer or string. The tweak is constructed as a sequence of bytes in big endian byte order such that: - a 64 bit integer is encoded followed by a single byte of value 1 - a string is encoded in UTF-8 format followed by a single byte of value 2

3560

"name": "A String", # Name describing the field.

3561

},

3562

},

3563

"timePartConfig": { # For use with `Date`, `Timestamp`, and `TimeOfDay`, extract or preserve a portion of the value. # Time extraction

3564

"partToExtract": "A String", # The part of the time to keep.

3565

},

3566

"replaceWithInfoTypeConfig": { # Replace each matching finding with the name of the info_type. # Replace with infotype

3567

},

3568

"fixedSizeBucketingConfig": { # Buckets values based on fixed size ranges. The Bucketing transformation can provide all of this functionality, but requires more configuration. This message is provided as a convenience to the user for simple bucketing strategies. The transformed value will be a hyphenated string of {lower_bound}-{upper_bound}, i.e if lower_bound = 10 and upper_bound = 20 all values that are within this bucket will be replaced with "10-20". This can be used on data of type: double, long. If the bound Value type differs from the type of data being transformed, we will first attempt converting the type of the data to be transformed to match the type of the bound before comparing. See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more. # Fixed size bucketing

3569

"bucketSize": 3.14, # Required. Size of each bucket (except for minimum and maximum buckets). So if `lower_bound` = 10, `upper_bound` = 89, and `bucket_size` = 10, then the following buckets would be used: -10, 10-20, 20-30, 30-40, 40-50, 50-60, 60-70, 70-80, 80-89, 89+. Precision up to 2 decimals works.

3570

"upperBound": { # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a 'Value' is based on its representation as a UTF-8 encoded string. For example, if 'integer_value' is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data. # Required. Upper bound value of buckets. All values greater than upper_bound are grouped together into a single bucket; for example if `upper_bound` = 89, then all values greater than 89 are replaced with the value "89+".

3571

"dateValue": { # Represents a whole or partial calendar date, such as a birthday. The time of day and time zone are either specified elsewhere or are insignificant. The date is relative to the Gregorian Calendar. This can represent one of the following: * A full date, with non-zero year, month, and day values * A month and day value, with a zero year, such as an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, such as a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # date

3572

"year": 42, # Year of the date. Must be from 1 to 9999, or 0 to specify a date without a year.

3573

"day": 42, # Day of a month. Must be from 1 to 31 and valid for the year and month, or 0 to specify a year by itself or a year and month where the day isn't significant.

3574

"month": 42, # Month of a year. Must be from 1 to 12, or 0 to specify a year without a month and day.

3575

},

3576

"dayOfWeekValue": "A String", # day of week

3577

"integerValue": "A String", # integer

3578

"booleanValue": True or False, # boolean

3579

"stringValue": "A String", # string

3580

"floatValue": 3.14, # float

3581

"timestampValue": "A String", # timestamp

3582

"timeValue": { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # time of day

3583

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value "24:00:00" for scenarios like business closing time.

3584

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds.

3585

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

3586

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

3587

},

3588

},

3589

"lowerBound": { # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a 'Value' is based on its representation as a UTF-8 encoded string. For example, if 'integer_value' is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data. # Required. Lower bound value of buckets. All values less than `lower_bound` are grouped together into a single bucket; for example if `lower_bound` = 10, then all values less than 10 are replaced with the value "-10".

3590

"dateValue": { # Represents a whole or partial calendar date, such as a birthday. The time of day and time zone are either specified elsewhere or are insignificant. The date is relative to the Gregorian Calendar. This can represent one of the following: * A full date, with non-zero year, month, and day values * A month and day value, with a zero year, such as an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, such as a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # date

3591

"year": 42, # Year of the date. Must be from 1 to 9999, or 0 to specify a date without a year.

3592

"day": 42, # Day of a month. Must be from 1 to 31 and valid for the year and month, or 0 to specify a year by itself or a year and month where the day isn't significant.

3593

"month": 42, # Month of a year. Must be from 1 to 12, or 0 to specify a year without a month and day.

3594

},

3595

"dayOfWeekValue": "A String", # day of week

3596

"integerValue": "A String", # integer

3597

"booleanValue": True or False, # boolean

3598

"stringValue": "A String", # string

3599

"floatValue": 3.14, # float

3600

"timestampValue": "A String", # timestamp

3601

"timeValue": { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # time of day

3602

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value "24:00:00" for scenarios like business closing time.

3603

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds.

3604

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

3605

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

},

},

},

"replaceConfig": { # Replace each input value with a given `Value`. # Replace

3610

"newValue": { # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a 'Value' is based on its representation as a UTF-8 encoded string. For example, if 'integer_value' is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data. # Value to replace it with.

3611

"dateValue": { # Represents a whole or partial calendar date, such as a birthday. The time of day and time zone are either specified elsewhere or are insignificant. The date is relative to the Gregorian Calendar. This can represent one of the following: * A full date, with non-zero year, month, and day values * A month and day value, with a zero year, such as an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, such as a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # date

3612

"year": 42, # Year of the date. Must be from 1 to 9999, or 0 to specify a date without a year.

3613

"day": 42, # Day of a month. Must be from 1 to 31 and valid for the year and month, or 0 to specify a year by itself or a year and month where the day isn't significant.

3614

"month": 42, # Month of a year. Must be from 1 to 12, or 0 to specify a year without a month and day.

3615

},

3616

"dayOfWeekValue": "A String", # day of week

3617

"integerValue": "A String", # integer

3618

"booleanValue": True or False, # boolean

3619

"stringValue": "A String", # string

3620

"floatValue": 3.14, # float

3621

"timestampValue": "A String", # timestamp

3622

"timeValue": { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # time of day

3623

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value "24:00:00" for scenarios like business closing time.

3624

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds.

3625

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

3626

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

},

},

},

"redactConfig": { # Redact a given value. For example, if used with an `InfoTypeTransformation` transforming PHONE_NUMBER, and input 'My phone number is 206-555-0123', the output would be 'My phone number is '. # Redact

3631

},

3632

},

3633

"condition": { # A condition for determining whether a transformation should be applied to a field. # Only apply the transformation if the condition evaluates to true for the given `RecordCondition`. The conditions are allowed to reference fields that are not used in the actual transformation. Example Use Cases: - Apply a different bucket transformation to an age column if the zip code column for the same record is within a specific range. - Redact a field if the date of birth field is greater than 85.

3634

"expressions": { # An expression, consisting or an operator and conditions. # An expression.

3635

"logicalOperator": "A String", # The operator to apply to the result of conditions. Default and currently only supported value is `AND`.

3636

"conditions": { # A collection of conditions. # Conditions to apply to the expression.

3637

"conditions": [ # A collection of conditions.

3638

{ # The field type of `value` and `field` do not need to match to be considered equal, but not all comparisons are possible. EQUAL_TO and NOT_EQUAL_TO attempt to compare even with incompatible types, but all other comparisons are invalid with incompatible types. A `value` of type: - `string` can be compared against all other types - `boolean` can only be compared against other booleans - `integer` can be compared against doubles or a string if the string value can be parsed as an integer. - `double` can be compared against integers or a string if the string can be parsed as a double. - `Timestamp` can be compared against strings in RFC 3339 date string format. - `TimeOfDay` can be compared against timestamps and strings in the format of 'HH:mm:ss'. If we fail to compare do to type mismatch, a warning will be given and the condition will evaluate to false.

3639

"value": { # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a 'Value' is based on its representation as a UTF-8 encoded string. For example, if 'integer_value' is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data. # Value to compare against. [Mandatory, except for `EXISTS` tests.]

3640

"dateValue": { # Represents a whole or partial calendar date, such as a birthday. The time of day and time zone are either specified elsewhere or are insignificant. The date is relative to the Gregorian Calendar. This can represent one of the following: * A full date, with non-zero year, month, and day values * A month and day value, with a zero year, such as an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, such as a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # date

3641

"year": 42, # Year of the date. Must be from 1 to 9999, or 0 to specify a date without a year.

3642

"day": 42, # Day of a month. Must be from 1 to 31 and valid for the year and month, or 0 to specify a year by itself or a year and month where the day isn't significant.

3643

"month": 42, # Month of a year. Must be from 1 to 12, or 0 to specify a year without a month and day.

3644

},

3645

"dayOfWeekValue": "A String", # day of week

3646

"integerValue": "A String", # integer

3647

"booleanValue": True or False, # boolean

3648

"stringValue": "A String", # string

3649

"floatValue": 3.14, # float

3650

"timestampValue": "A String", # timestamp

3651

"timeValue": { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # time of day

3652

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value "24:00:00" for scenarios like business closing time.

3653

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds.

3654

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

3655

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

3656

},

3657

},

3658

"operator": "A String", # Required. Operator used to compare the field or infoType to the value.

3659

"field": { # General identifier of a data field in a storage service. # Required. Field within the record this condition is evaluated against.

3660

"name": "A String", # Name describing the field.

},

},

],

},

},

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

3666

},

3667

},

Bu Sun Kim

2020-11-16 11:05:03 -0700

[diff] [blame^]

3668

],

Dmitry Frenkel

2020-10-06 16:46:05 -0700

[diff] [blame]

3669

"transformation": { # A rule for transforming a value. # The specific transformation these stats apply to.

Bu Sun Kim

2020-11-16 11:05:03 -0700

[diff] [blame^]

3670

"cryptoDeterministicConfig": { # Pseudonymization method that generates deterministic encryption for the given input. Outputs a base64 encoded representation of the encrypted output. Uses AES-SIV based on the RFC https://tools.ietf.org/html/rfc5297. # Deterministic Crypto

3671

"cryptoKey": { # This is a data encryption key (DEK) (as opposed to a key encryption key (KEK) stored by KMS). When using KMS to wrap/unwrap DEKs, be sure to set an appropriate IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot unwrap the data crypto key. # The key used by the encryption function.

Dmitry Frenkel

2020-10-06 16:46:05 -0700

[diff] [blame]

3672

"transient": { # Use this to have a random data crypto key generated. It will be discarded after the request finishes. # Transient crypto key

3673

"name": "A String", # Required. Name of the key. This is an arbitrary string used to differentiate different keys. A unique key is generated per name: two separate `TransientCryptoKey` protos share the same generated key if their names are the same. When the data crypto key is generated, this name is not used in any way (repeating the api call will result in a different key being generated).

3674

},

3675

"kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. The wrapped key must be a 128/192/256 bit key. Authorization requires the following IAM permissions when sending a request to perform a crypto transformation using a kms-wrapped crypto key: dlp.kms.encrypt # Kms wrapped key

3676

"cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.

3677

"wrappedKey": "A String", # Required. The wrapped data crypto key.

3678

},

Bu Sun Kim

2020-11-16 11:05:03 -0700

[diff] [blame^]

3679

"unwrapped": { # Using raw keys is prone to security risks due to accidentally leaking the key. Choose another type of key if possible. # Unwrapped crypto key

3680

"key": "A String", # Required. A 128/192/256 bit key.

3681

},

Dmitry Frenkel

2020-10-06 16:46:05 -0700

[diff] [blame]

3682

},

3683

"context": { # General identifier of a data field in a storage service. # A context may be used for higher security and maintaining referential integrity such that the same identifier in two different contexts will be given a distinct surrogate. The context is appended to plaintext value being encrypted. On decryption the provided context is validated against the value used during encryption. If a context was provided during encryption, same context must be provided during decryption as well. If the context is not set, plaintext would be used as is for encryption. If the context is set but: 1. there is no record present when transforming a given value or 2. the field is not present when transforming a given value, plaintext would be used as is for encryption. Note that case (1) is expected when an `InfoTypeTransformation` is applied to both structured and non-structured `ContentItem`s.

3684

"name": "A String", # Name describing the field.

3685

},

Bu Sun Kim

2020-11-16 11:05:03 -0700

[diff] [blame^]

3686

"surrogateInfoType": { # Type of information detected by the API. # The custom info type to annotate the surrogate with. This annotation will be applied to the surrogate by prefixing it with the name of the custom info type followed by the number of characters comprising the surrogate. The following scheme defines the format: {info type name}({surrogate character count}):{surrogate} For example, if the name of custom info type is 'MY_TOKEN_INFO_TYPE' and the surrogate is 'abc', the full replacement value will be: 'MY_TOKEN_INFO_TYPE(3):abc' This annotation identifies the surrogate when inspecting content using the custom info type 'Surrogate'. This facilitates reversal of the surrogate when it occurs in free text. Note: For record transformations where the entire cell in a table is being transformed, surrogates are not mandatory. Surrogates are used to denote the location of the token and are necessary for re-identification in free form text. In order for inspection to work properly, the name of this info type must not occur naturally anywhere in your data; otherwise, inspection may either - reverse a surrogate that does not correspond to an actual identifier - be unable to parse the surrogate and result in an error Therefore, choose your custom info type name carefully after considering what your data looks like. One way to select a name that has a high chance of yielding reliable detection is to include one or more unicode characters that are highly improbable to exist in your data. For example, assuming your data is entered from a regular ASCII keyboard, the symbol with the hex code point 29DD might be used like so: ⧝MY_TOKEN_TYPE.

3687

"name": "A String", # Name of the information type. Either a name of your choosing when creating a CustomInfoType, or one of the names listed at https://cloud.google.com/dlp/docs/infotypes-reference when specifying a built-in type. When sending Cloud DLP results to Data Catalog, infoType names should conform to the pattern `[A-Za-z0-9$-_]{1,64}`.

3688

},

3689

},

3690

"characterMaskConfig": { # Partially mask a string by replacing a given number of characters with a fixed character. Masking can start from the beginning or end of the string. This can be used on data of any type (numbers, longs, and so on) and when de-identifying structured data we'll attempt to preserve the original data's type. (This allows you to take a long like 123 and modify it to a string like **3. # Mask

3691

"charactersToIgnore": [ # When masking a string, items in this list will be skipped when replacing characters. For example, if the input string is `555-555-5555` and you instruct Cloud DLP to skip `-` and mask 5 characters with `*`, Cloud DLP returns `***-**5-5555`.

3692

{ # Characters to skip when doing deidentification of a value. These will be left alone and skipped.

3693

"commonCharactersToIgnore": "A String", # Common characters to not transform when masking. Useful to avoid removing punctuation.

3694

"charactersToSkip": "A String", # Characters to not transform when masking.

Dmitry Frenkel

2020-10-06 16:46:05 -0700

[diff] [blame]

3695

},

Bu Sun Kim

2020-11-16 11:05:03 -0700

[diff] [blame^]

3696

],

3697

"reverseOrder": True or False, # Mask characters in reverse order. For example, if `masking_character` is `0`, `number_to_mask` is `14`, and `reverse_order` is `false`, then the input string `1234-5678-9012-3456` is masked as `00000000000000-3456`. If `masking_character` is `*`, `number_to_mask` is `3`, and `reverse_order` is `true`, then the string `12345` is masked as `12***`.

3698

"numberToMask": 42, # Number of characters to mask. If not set, all matching chars will be masked. Skipped characters do not count towards this tally.

3699

"maskingCharacter": "A String", # Character to use to mask the sensitive values—for example, `*` for an alphabetic string such as a name, or `0` for a numeric string such as ZIP code or credit card number. This string must have a length of 1. If not supplied, this value defaults to `*` for strings, and `0` for digits.

3700

},

3701

"cryptoHashConfig": { # Pseudonymization method that generates surrogates via cryptographic hashing. Uses SHA-256. The key size must be either 32 or 64 bytes. Outputs a base64 encoded representation of the hashed output (for example, L7k0BHmF1ha5U3NfGykjro4xWi1MPVQPjhMAZbSV9mM=). Currently, only string and integer values can be hashed. See https://cloud.google.com/dlp/docs/pseudonymization to learn more. # Crypto

3702

"cryptoKey": { # This is a data encryption key (DEK) (as opposed to a key encryption key (KEK) stored by KMS). When using KMS to wrap/unwrap DEKs, be sure to set an appropriate IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot unwrap the data crypto key. # The key used by the hash function.

Dmitry Frenkel

2020-10-06 16:46:05 -0700

[diff] [blame]

3703

"transient": { # Use this to have a random data crypto key generated. It will be discarded after the request finishes. # Transient crypto key

3704

"name": "A String", # Required. Name of the key. This is an arbitrary string used to differentiate different keys. A unique key is generated per name: two separate `TransientCryptoKey` protos share the same generated key if their names are the same. When the data crypto key is generated, this name is not used in any way (repeating the api call will result in a different key being generated).

3705

},

3706

"kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. The wrapped key must be a 128/192/256 bit key. Authorization requires the following IAM permissions when sending a request to perform a crypto transformation using a kms-wrapped crypto key: dlp.kms.encrypt # Kms wrapped key

3707

"cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.

3708

"wrappedKey": "A String", # Required. The wrapped data crypto key.

3709

},

Bu Sun Kim

2020-11-16 11:05:03 -0700

[diff] [blame^]

3710

"unwrapped": { # Using raw keys is prone to security risks due to accidentally leaking the key. Choose another type of key if possible. # Unwrapped crypto key

3711

"key": "A String", # Required. A 128/192/256 bit key.

3712

},

Dmitry Frenkel

2020-10-06 16:46:05 -0700

[diff] [blame]

3713

},

3714

},

Bu Sun Kim

2020-11-16 11:05:03 -0700

[diff] [blame^]

3715

"dateShiftConfig": { # Shifts dates by random number of days, with option to be consistent for the same context. See https://cloud.google.com/dlp/docs/concepts-date-shifting to learn more. # Date Shift

3716

"context": { # General identifier of a data field in a storage service. # Points to the field that contains the context, for example, an entity id. If set, must also set cryptoKey. If set, shift will be consistent for the given context.

3717

"name": "A String", # Name describing the field.

Dmitry Frenkel

2020-10-06 16:46:05 -0700

[diff] [blame]

3718

},

Bu Sun Kim

2020-11-16 11:05:03 -0700

[diff] [blame^]

3719

"cryptoKey": { # This is a data encryption key (DEK) (as opposed to a key encryption key (KEK) stored by KMS). When using KMS to wrap/unwrap DEKs, be sure to set an appropriate IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot unwrap the data crypto key. # Causes the shift to be computed based on this key and the context. This results in the same shift for the same context and crypto_key. If set, must also set context. Can only be applied to table items.

3720

"transient": { # Use this to have a random data crypto key generated. It will be discarded after the request finishes. # Transient crypto key

3721

"name": "A String", # Required. Name of the key. This is an arbitrary string used to differentiate different keys. A unique key is generated per name: two separate `TransientCryptoKey` protos share the same generated key if their names are the same. When the data crypto key is generated, this name is not used in any way (repeating the api call will result in a different key being generated).

3722

},

3723

"kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. The wrapped key must be a 128/192/256 bit key. Authorization requires the following IAM permissions when sending a request to perform a crypto transformation using a kms-wrapped crypto key: dlp.kms.encrypt # Kms wrapped key

3724

"cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.

3725

"wrappedKey": "A String", # Required. The wrapped data crypto key.

3726

},

3727

"unwrapped": { # Using raw keys is prone to security risks due to accidentally leaking the key. Choose another type of key if possible. # Unwrapped crypto key

3728

"key": "A String", # Required. A 128/192/256 bit key.

3729

},

3730

},

3731

"lowerBoundDays": 42, # Required. For example, -5 means shift date to at most 5 days back in the past.

3732

"upperBoundDays": 42, # Required. Range of shift in days. Actual shift will be selected at random within this range (inclusive ends). Negative means shift to earlier in time. Must not be more than 365250 days (1000 years) each direction. For example, 3 means shift date to at most 3 days into the future.

3733

},

3734

"bucketingConfig": { # Generalization function that buckets values based on ranges. The ranges and replacement values are dynamically provided by the user for custom behavior, such as 1-30 -> LOW 31-65 -> MEDIUM 66-100 -> HIGH This can be used on data of type: number, long, string, timestamp. If the bound `Value` type differs from the type of data being transformed, we will first attempt converting the type of the data to be transformed to match the type of the bound before comparing. See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more. # Bucketing

3735

"buckets": [ # Set of buckets. Ranges must be non-overlapping.

3736

{ # Bucket is represented as a range, along with replacement values.

3737

"replacementValue": { # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a 'Value' is based on its representation as a UTF-8 encoded string. For example, if 'integer_value' is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data. # Required. Replacement value for this bucket.

3738

"dateValue": { # Represents a whole or partial calendar date, such as a birthday. The time of day and time zone are either specified elsewhere or are insignificant. The date is relative to the Gregorian Calendar. This can represent one of the following: * A full date, with non-zero year, month, and day values * A month and day value, with a zero year, such as an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, such as a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # date

3739

"year": 42, # Year of the date. Must be from 1 to 9999, or 0 to specify a date without a year.

3740

"day": 42, # Day of a month. Must be from 1 to 31 and valid for the year and month, or 0 to specify a year by itself or a year and month where the day isn't significant.

3741

"month": 42, # Month of a year. Must be from 1 to 12, or 0 to specify a year without a month and day.

3742

},

3743

"dayOfWeekValue": "A String", # day of week

3744

"integerValue": "A String", # integer

3745

"booleanValue": True or False, # boolean

3746

"stringValue": "A String", # string

3747

"floatValue": 3.14, # float

3748

"timestampValue": "A String", # timestamp

3749

"timeValue": { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # time of day

3750

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value "24:00:00" for scenarios like business closing time.

3751

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds.

3752

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

3753

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

3754

},

3755

},

3756

"min": { # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a 'Value' is based on its representation as a UTF-8 encoded string. For example, if 'integer_value' is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data. # Lower bound of the range, inclusive. Type should be the same as max if used.

3757

"dateValue": { # Represents a whole or partial calendar date, such as a birthday. The time of day and time zone are either specified elsewhere or are insignificant. The date is relative to the Gregorian Calendar. This can represent one of the following: * A full date, with non-zero year, month, and day values * A month and day value, with a zero year, such as an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, such as a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # date

3758

"year": 42, # Year of the date. Must be from 1 to 9999, or 0 to specify a date without a year.

3759

"day": 42, # Day of a month. Must be from 1 to 31 and valid for the year and month, or 0 to specify a year by itself or a year and month where the day isn't significant.

3760

"month": 42, # Month of a year. Must be from 1 to 12, or 0 to specify a year without a month and day.

3761

},

3762

"dayOfWeekValue": "A String", # day of week

3763

"integerValue": "A String", # integer

3764

"booleanValue": True or False, # boolean

3765

"stringValue": "A String", # string

3766

"floatValue": 3.14, # float

3767

"timestampValue": "A String", # timestamp

3768

"timeValue": { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # time of day

3769

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value "24:00:00" for scenarios like business closing time.

3770

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds.

3771

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

3772

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

3773

},

3774

},

3775

"max": { # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a 'Value' is based on its representation as a UTF-8 encoded string. For example, if 'integer_value' is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data. # Upper bound of the range, exclusive; type must match min.

3776

"dateValue": { # Represents a whole or partial calendar date, such as a birthday. The time of day and time zone are either specified elsewhere or are insignificant. The date is relative to the Gregorian Calendar. This can represent one of the following: * A full date, with non-zero year, month, and day values * A month and day value, with a zero year, such as an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, such as a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # date

3777

"year": 42, # Year of the date. Must be from 1 to 9999, or 0 to specify a date without a year.

3778

"day": 42, # Day of a month. Must be from 1 to 31 and valid for the year and month, or 0 to specify a year by itself or a year and month where the day isn't significant.

3779

"month": 42, # Month of a year. Must be from 1 to 12, or 0 to specify a year without a month and day.

3780

},

3781

"dayOfWeekValue": "A String", # day of week

3782

"integerValue": "A String", # integer

3783

"booleanValue": True or False, # boolean

3784

"stringValue": "A String", # string

3785

"floatValue": 3.14, # float

3786

"timestampValue": "A String", # timestamp

3787

"timeValue": { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # time of day

3788

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value "24:00:00" for scenarios like business closing time.

3789

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds.

3790

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

3791

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

},

},

},

],

Dmitry Frenkel

2020-10-06 16:46:05 -0700

[diff] [blame]

3796

},

3797

"cryptoReplaceFfxFpeConfig": { # Replaces an identifier with a surrogate using Format Preserving Encryption (FPE) with the FFX mode of operation; however when used in the `ReidentifyContent` API method, it serves the opposite function by reversing the surrogate back into the original identifier. The identifier must be encoded as ASCII. For a given crypto key and context, the same identifier will be replaced with the same surrogate. Identifiers must be at least two characters long. In the case that the identifier is the empty string, it will be skipped. See https://cloud.google.com/dlp/docs/pseudonymization to learn more. Note: We recommend using CryptoDeterministicConfig for all use cases which do not require preserving the input alphabet space and size, plus warrant referential integrity. # Ffx-Fpe

Bu Sun Kim

2020-11-16 11:05:03 -0700

[diff] [blame^]

3798

"customAlphabet": "A String", # This is supported by mapping these to the alphanumeric characters that the FFX mode natively supports. This happens before/after encryption/decryption. Each character listed must appear only once. Number of characters must be in the range [2, 95]. This must be encoded as ASCII. The order of characters does not matter. The full list of allowed characters is: 0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz ~`!@#$%^&*()_-+={[}]|\:;"'<,>.?/

3799

"cryptoKey": { # This is a data encryption key (DEK) (as opposed to a key encryption key (KEK) stored by KMS). When using KMS to wrap/unwrap DEKs, be sure to set an appropriate IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot unwrap the data crypto key. # Required. The key used by the encryption algorithm.

3800

"transient": { # Use this to have a random data crypto key generated. It will be discarded after the request finishes. # Transient crypto key

3801

"name": "A String", # Required. Name of the key. This is an arbitrary string used to differentiate different keys. A unique key is generated per name: two separate `TransientCryptoKey` protos share the same generated key if their names are the same. When the data crypto key is generated, this name is not used in any way (repeating the api call will result in a different key being generated).

3802

},

3803

"kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. The wrapped key must be a 128/192/256 bit key. Authorization requires the following IAM permissions when sending a request to perform a crypto transformation using a kms-wrapped crypto key: dlp.kms.encrypt # Kms wrapped key

3804

"cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.

3805

"wrappedKey": "A String", # Required. The wrapped data crypto key.

3806

},

3807

"unwrapped": { # Using raw keys is prone to security risks due to accidentally leaking the key. Choose another type of key if possible. # Unwrapped crypto key

3808

"key": "A String", # Required. A 128/192/256 bit key.

3809

},

3810

},

3811

"commonAlphabet": "A String", # Common alphabets.

3812

"radix": 42, # The native way to select the alphabet. Must be in the range [2, 95].

Dmitry Frenkel

2020-10-06 16:46:05 -0700

[diff] [blame]

3813

"surrogateInfoType": { # Type of information detected by the API. # The custom infoType to annotate the surrogate with. This annotation will be applied to the surrogate by prefixing it with the name of the custom infoType followed by the number of characters comprising the surrogate. The following scheme defines the format: info_type_name(surrogate_character_count):surrogate For example, if the name of custom infoType is 'MY_TOKEN_INFO_TYPE' and the surrogate is 'abc', the full replacement value will be: 'MY_TOKEN_INFO_TYPE(3):abc' This annotation identifies the surrogate when inspecting content using the custom infoType [`SurrogateType`](https://cloud.google.com/dlp/docs/reference/rest/v2/InspectConfig#surrogatetype). This facilitates reversal of the surrogate when it occurs in free text. In order for inspection to work properly, the name of this infoType must not occur naturally anywhere in your data; otherwise, inspection may find a surrogate that does not correspond to an actual identifier. Therefore, choose your custom infoType name carefully after considering what your data looks like. One way to select a name that has a high chance of yielding reliable detection is to include one or more unicode characters that are highly improbable to exist in your data. For example, assuming your data is entered from a regular ASCII keyboard, the symbol with the hex code point 29DD might be used like so: ⧝MY_TOKEN_TYPE

3814

"name": "A String", # Name of the information type. Either a name of your choosing when creating a CustomInfoType, or one of the names listed at https://cloud.google.com/dlp/docs/infotypes-reference when specifying a built-in type. When sending Cloud DLP results to Data Catalog, infoType names should conform to the pattern `[A-Za-z0-9$-_]{1,64}`.

3815

},

3816

"context": { # General identifier of a data field in a storage service. # The 'tweak', a context may be used for higher security since the same identifier in two different contexts won't be given the same surrogate. If the context is not set, a default tweak will be used. If the context is set but: 1. there is no record present when transforming a given value or 1. the field is not present when transforming a given value, a default tweak will be used. Note that case (1) is expected when an `InfoTypeTransformation` is applied to both structured and non-structured `ContentItem`s. Currently, the referenced field may be of value type integer or string. The tweak is constructed as a sequence of bytes in big endian byte order such that: - a 64 bit integer is encoded followed by a single byte of value 1 - a string is encoded in UTF-8 format followed by a single byte of value 2

3817

"name": "A String", # Name describing the field.

3818

},

Dmitry Frenkel

2020-10-06 16:46:05 -0700

[diff] [blame]

3819

},

3820

"timePartConfig": { # For use with `Date`, `Timestamp`, and `TimeOfDay`, extract or preserve a portion of the value. # Time extraction

3821

"partToExtract": "A String", # The part of the time to keep.

3822

},

Bu Sun Kim

2020-11-16 11:05:03 -0700

[diff] [blame^]

3823

"replaceWithInfoTypeConfig": { # Replace each matching finding with the name of the info_type. # Replace with infotype

3824

},

Dmitry Frenkel

2020-10-06 16:46:05 -0700

[diff] [blame]

3825

"fixedSizeBucketingConfig": { # Buckets values based on fixed size ranges. The Bucketing transformation can provide all of this functionality, but requires more configuration. This message is provided as a convenience to the user for simple bucketing strategies. The transformed value will be a hyphenated string of {lower_bound}-{upper_bound}, i.e if lower_bound = 10 and upper_bound = 20 all values that are within this bucket will be replaced with "10-20". This can be used on data of type: double, long. If the bound Value type differs from the type of data being transformed, we will first attempt converting the type of the data to be transformed to match the type of the bound before comparing. See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more. # Fixed size bucketing

3826

"bucketSize": 3.14, # Required. Size of each bucket (except for minimum and maximum buckets). So if `lower_bound` = 10, `upper_bound` = 89, and `bucket_size` = 10, then the following buckets would be used: -10, 10-20, 20-30, 30-40, 40-50, 50-60, 60-70, 70-80, 80-89, 89+. Precision up to 2 decimals works.

Dmitry Frenkel

2020-10-06 16:46:05 -0700

[diff] [blame]

3827

"upperBound": { # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a 'Value' is based on its representation as a UTF-8 encoded string. For example, if 'integer_value' is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data. # Required. Upper bound value of buckets. All values greater than upper_bound are grouped together into a single bucket; for example if `upper_bound` = 89, then all values greater than 89 are replaced with the value "89+".

Bu Sun Kim

2020-11-16 11:05:03 -0700

[diff] [blame^]

3828

"dateValue": { # Represents a whole or partial calendar date, such as a birthday. The time of day and time zone are either specified elsewhere or are insignificant. The date is relative to the Gregorian Calendar. This can represent one of the following: * A full date, with non-zero year, month, and day values * A month and day value, with a zero year, such as an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, such as a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # date

3829

"year": 42, # Year of the date. Must be from 1 to 9999, or 0 to specify a date without a year.

3830

"day": 42, # Day of a month. Must be from 1 to 31 and valid for the year and month, or 0 to specify a year by itself or a year and month where the day isn't significant.

3831

"month": 42, # Month of a year. Must be from 1 to 12, or 0 to specify a year without a month and day.

3832

},

3833

"dayOfWeekValue": "A String", # day of week

Dmitry Frenkel

2020-10-06 16:46:05 -0700

[diff] [blame]

3834

"integerValue": "A String", # integer

3835

"booleanValue": True or False, # boolean

Bu Sun Kim

2020-11-16 11:05:03 -0700

[diff] [blame^]

3836

"stringValue": "A String", # string

3837

"floatValue": 3.14, # float

Dmitry Frenkel

2020-10-06 16:46:05 -0700

[diff] [blame]

3838

"timestampValue": "A String", # timestamp

Dmitry Frenkel

2020-10-06 16:46:05 -0700

[diff] [blame]

3839

"timeValue": { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # time of day

Bu Sun Kim

2020-11-16 11:05:03 -0700

[diff] [blame^]

3840

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value "24:00:00" for scenarios like business closing time.

Dmitry Frenkel

2020-10-06 16:46:05 -0700

[diff] [blame]

3841

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds.

3842

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

Bu Sun Kim

2020-11-16 11:05:03 -0700

[diff] [blame^]

3843

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

Dmitry Frenkel

2020-10-06 16:46:05 -0700

[diff] [blame]

3844

},

Bu Sun Kim

2020-11-16 11:05:03 -0700

[diff] [blame^]

3845

},

3846

"lowerBound": { # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a 'Value' is based on its representation as a UTF-8 encoded string. For example, if 'integer_value' is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data. # Required. Lower bound value of buckets. All values less than `lower_bound` are grouped together into a single bucket; for example if `lower_bound` = 10, then all values less than 10 are replaced with the value "-10".

3847

"dateValue": { # Represents a whole or partial calendar date, such as a birthday. The time of day and time zone are either specified elsewhere or are insignificant. The date is relative to the Gregorian Calendar. This can represent one of the following: * A full date, with non-zero year, month, and day values * A month and day value, with a zero year, such as an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, such as a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # date

3848

"year": 42, # Year of the date. Must be from 1 to 9999, or 0 to specify a date without a year.

3849

"day": 42, # Day of a month. Must be from 1 to 31 and valid for the year and month, or 0 to specify a year by itself or a year and month where the day isn't significant.

3850

"month": 42, # Month of a year. Must be from 1 to 12, or 0 to specify a year without a month and day.

Dmitry Frenkel

2020-10-06 16:46:05 -0700

[diff] [blame]

3851

},

Bu Sun Kim

2020-11-16 11:05:03 -0700

[diff] [blame^]

3852

"dayOfWeekValue": "A String", # day of week

3853

"integerValue": "A String", # integer

3854

"booleanValue": True or False, # boolean

Dmitry Frenkel

2020-10-06 16:46:05 -0700

[diff] [blame]

3855

"stringValue": "A String", # string

Bu Sun Kim

2020-11-16 11:05:03 -0700

[diff] [blame^]

3856

"floatValue": 3.14, # float

3857

"timestampValue": "A String", # timestamp

3858

"timeValue": { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # time of day

3859

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value "24:00:00" for scenarios like business closing time.

3860

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds.

3861

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

3862

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

3863

},

Dmitry Frenkel

2020-10-06 16:46:05 -0700

[diff] [blame]

3864

},

3865

},

Bu Sun Kim

2020-11-16 11:05:03 -0700

[diff] [blame^]

3866

"replaceConfig": { # Replace each input value with a given `Value`. # Replace

3867

"newValue": { # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a 'Value' is based on its representation as a UTF-8 encoded string. For example, if 'integer_value' is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data. # Value to replace it with.

3868

"dateValue": { # Represents a whole or partial calendar date, such as a birthday. The time of day and time zone are either specified elsewhere or are insignificant. The date is relative to the Gregorian Calendar. This can represent one of the following: * A full date, with non-zero year, month, and day values * A month and day value, with a zero year, such as an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, such as a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # date

3869

"year": 42, # Year of the date. Must be from 1 to 9999, or 0 to specify a date without a year.

3870

"day": 42, # Day of a month. Must be from 1 to 31 and valid for the year and month, or 0 to specify a year by itself or a year and month where the day isn't significant.

3871

"month": 42, # Month of a year. Must be from 1 to 12, or 0 to specify a year without a month and day.

3872

},

3873

"dayOfWeekValue": "A String", # day of week

3874

"integerValue": "A String", # integer

3875

"booleanValue": True or False, # boolean

3876

"stringValue": "A String", # string

3877

"floatValue": 3.14, # float

3878

"timestampValue": "A String", # timestamp

3879

"timeValue": { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # time of day

3880

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value "24:00:00" for scenarios like business closing time.

3881

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds.

3882

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

3883

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

},

},

},

"redactConfig": { # Redact a given value. For example, if used with an `InfoTypeTransformation` transforming PHONE_NUMBER, and input 'My phone number is 206-555-0123', the output would be 'My phone number is '. # Redact

3888

},

3889

},

3890

"infoType": { # Type of information detected by the API. # Set if the transformation was limited to a specific InfoType.

3891

"name": "A String", # Name of the information type. Either a name of your choosing when creating a CustomInfoType, or one of the names listed at https://cloud.google.com/dlp/docs/infotypes-reference when specifying a built-in type. When sending Cloud DLP results to Data Catalog, infoType names should conform to the pattern `[A-Za-z0-9$-_]{1,64}`.

Dmitry Frenkel

2020-10-06 16:46:05 -0700

[diff] [blame]

3892

},

3893

"results": [ # Collection of all transformations that took place or had an error.

3894

{ # A collection that informs the user the number of times a particular `TransformationResultCode` and error details occurred.

3895

"count": "A String", # Number of transformations counted by this result.

Dmitry Frenkel

2020-10-06 16:46:05 -0700

[diff] [blame]

3896

"details": "A String", # A place for warnings or errors to show up if a transformation didn't work as expected.

Bu Sun Kim

2020-11-16 11:05:03 -0700

[diff] [blame^]

3897

"code": "A String", # Outcome of the transformation.

Dmitry Frenkel

2020-10-06 16:46:05 -0700

[diff] [blame]

3898

},

3899

],

3900

"field": { # General identifier of a data field in a storage service. # Set if the transformation was limited to a specific FieldId.

3901

"name": "A String", # Name describing the field.

3902

},

Bu Sun Kim

2020-11-16 11:05:03 -0700

[diff] [blame^]

3903

"recordSuppress": { # Configuration to suppress records whose suppression conditions evaluate to true. # The specific suppression option these stats apply to.

3904

"condition": { # A condition for determining whether a transformation should be applied to a field. # A condition that when it evaluates to true will result in the record being evaluated to be suppressed from the transformed content.

3905

"expressions": { # An expression, consisting or an operator and conditions. # An expression.

3906

"logicalOperator": "A String", # The operator to apply to the result of conditions. Default and currently only supported value is `AND`.

3907

"conditions": { # A collection of conditions. # Conditions to apply to the expression.

3908

"conditions": [ # A collection of conditions.

3909

{ # The field type of `value` and `field` do not need to match to be considered equal, but not all comparisons are possible. EQUAL_TO and NOT_EQUAL_TO attempt to compare even with incompatible types, but all other comparisons are invalid with incompatible types. A `value` of type: - `string` can be compared against all other types - `boolean` can only be compared against other booleans - `integer` can be compared against doubles or a string if the string value can be parsed as an integer. - `double` can be compared against integers or a string if the string can be parsed as a double. - `Timestamp` can be compared against strings in RFC 3339 date string format. - `TimeOfDay` can be compared against timestamps and strings in the format of 'HH:mm:ss'. If we fail to compare do to type mismatch, a warning will be given and the condition will evaluate to false.

3910

"value": { # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a 'Value' is based on its representation as a UTF-8 encoded string. For example, if 'integer_value' is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data. # Value to compare against. [Mandatory, except for `EXISTS` tests.]

3911

"dateValue": { # Represents a whole or partial calendar date, such as a birthday. The time of day and time zone are either specified elsewhere or are insignificant. The date is relative to the Gregorian Calendar. This can represent one of the following: * A full date, with non-zero year, month, and day values * A month and day value, with a zero year, such as an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, such as a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # date

3912

"year": 42, # Year of the date. Must be from 1 to 9999, or 0 to specify a date without a year.

3913

"day": 42, # Day of a month. Must be from 1 to 31 and valid for the year and month, or 0 to specify a year by itself or a year and month where the day isn't significant.

3914

"month": 42, # Month of a year. Must be from 1 to 12, or 0 to specify a year without a month and day.

3915

},

3916

"dayOfWeekValue": "A String", # day of week

3917

"integerValue": "A String", # integer

3918

"booleanValue": True or False, # boolean

3919

"stringValue": "A String", # string

3920

"floatValue": 3.14, # float

3921

"timestampValue": "A String", # timestamp

3922

"timeValue": { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # time of day

3923

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value "24:00:00" for scenarios like business closing time.

3924

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds.

3925

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

3926

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

3927

},

3928

},

3929

"operator": "A String", # Required. Operator used to compare the field or infoType to the value.

3930

"field": { # General identifier of a data field in a storage service. # Required. Field within the record this condition is evaluated against.

3931

"name": "A String", # Name describing the field.

},

},

],

},

},

},

},

"transformedBytes": "A String", # Total size in bytes that were transformed in some way.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

3940

},

3941

],

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

3942

},

3943

"item": { # Container structure for the content to inspect. # The re-identified item.

Bu Sun Kim

2020-07-22 17:02:09 -0700

[diff] [blame]

3944

"value": "A String", # String data to inspect or redact.

Dmitry Frenkel

2020-10-06 16:46:05 -0700

[diff] [blame]

3945

"table": { # Structured content to inspect. Up to 50,000 `Value`s per request allowed. See https://cloud.google.com/dlp/docs/inspecting-text#inspecting_a_table to learn more. # Structured content for inspection. See https://cloud.google.com/dlp/docs/inspecting-text#inspecting_a_table to learn more.

Bu Sun Kim

2020-07-22 17:02:09 -0700

[diff] [blame]

3946

"headers": [ # Headers of the table.

3947

{ # General identifier of a data field in a storage service.

3948

"name": "A String", # Name describing the field.

3949

},

3950

],

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

3951

"rows": [ # Rows of the table.

3952

{ # Values of the row.

3953

"values": [ # Individual cells.

Dmitry Frenkel

2020-10-06 16:46:05 -0700

[diff] [blame]

3954

{ # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a 'Value' is based on its representation as a UTF-8 encoded string. For example, if 'integer_value' is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data.

Bu Sun Kim

2020-11-16 11:05:03 -0700

[diff] [blame^]

3955

"dateValue": { # Represents a whole or partial calendar date, such as a birthday. The time of day and time zone are either specified elsewhere or are insignificant. The date is relative to the Gregorian Calendar. This can represent one of the following: * A full date, with non-zero year, month, and day values * A month and day value, with a zero year, such as an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, such as a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # date

3956

"year": 42, # Year of the date. Must be from 1 to 9999, or 0 to specify a date without a year.

3957

"day": 42, # Day of a month. Must be from 1 to 31 and valid for the year and month, or 0 to specify a year by itself or a year and month where the day isn't significant.

3958

"month": 42, # Month of a year. Must be from 1 to 12, or 0 to specify a year without a month and day.

3959

},

3960

"dayOfWeekValue": "A String", # day of week

Dmitry Frenkel

2020-10-06 16:46:05 -0700

[diff] [blame]

3961

"integerValue": "A String", # integer

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

3962

"booleanValue": True or False, # boolean

Bu Sun Kim

2020-11-16 11:05:03 -0700

[diff] [blame^]

3963

"stringValue": "A String", # string

3964

"floatValue": 3.14, # float

Dmitry Frenkel

2020-10-06 16:46:05 -0700

[diff] [blame]

3965

"timestampValue": "A String", # timestamp

Dmitry Frenkel

2020-10-06 16:46:05 -0700

[diff] [blame]

3966

"timeValue": { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # time of day

Bu Sun Kim

2020-11-16 11:05:03 -0700

[diff] [blame^]

3967

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value "24:00:00" for scenarios like business closing time.

Dmitry Frenkel

2020-10-06 16:46:05 -0700

[diff] [blame]

3968

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds.

3969

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

Bu Sun Kim