Gitiles
Code Review Sign In
gerrit-public.fairphone.software / platform / external / python / google-api-python-client / 715bd7f9ca9a324a05ee05a6476af383e54930f9 / . / docs / dyn / dlp_v2.projects.deidentifyTemplates.html
blob: 44086659d2f3e17545f6c4acc1315ba914ecc8a3 [file] [log] [blame]
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame^]1<html><body>
2<style>
3
4body, h1, h2, h3, div, span, p, pre, a {
5 margin: 0;
6 padding: 0;
7 border: 0;
8 font-weight: inherit;
9 font-style: inherit;
10 font-size: 100%;
11 font-family: inherit;
12 vertical-align: baseline;
13}
14
15body {
16 font-size: 13px;
17 padding: 1em;
18}
19
20h1 {
21 font-size: 26px;
22 margin-bottom: 1em;
23}
24
25h2 {
26 font-size: 24px;
27 margin-bottom: 1em;
28}
29
30h3 {
31 font-size: 20px;
32 margin-bottom: 1em;
33 margin-top: 1em;
34}
35
36pre, code {
37 line-height: 1.5;
38 font-family: Monaco, 'DejaVu Sans Mono', 'Bitstream Vera Sans Mono', 'Lucida Console', monospace;
39}
40
41pre {
42 margin-top: 0.5em;
43}
44
45h1, h2, h3, p {
46 font-family: Arial, sans serif;
47}
48
49h1, h2, h3 {
50 border-bottom: solid #CCC 1px;
51}
52
53.toc_element {
54 margin-top: 0.5em;
55}
56
57.firstline {
58 margin-left: 2 em;
59}
60
61.method {
62 margin-top: 1em;
63 border: solid 1px #CCC;
64 padding: 1em;
65 background: #EEE;
66}
67
68.details {
69 font-weight: bold;
70 font-size: 14px;
71}
72
73</style>
74
75<h1><a href="dlp_v2.html">Cloud Data Loss Prevention (DLP) API</a> . <a href="dlp_v2.projects.html">projects</a> . <a href="dlp_v2.projects.deidentifyTemplates.html">deidentifyTemplates</a></h1>
76<h2>Instance Methods</h2>
77<p class="toc_element">
78 <code><a href="#create">create(parent, body, x__xgafv=None)</a></code></p>
79<p class="firstline">Creates a DeidentifyTemplate for re-using frequently used configuration</p>
80<p class="toc_element">
81 <code><a href="#delete">delete(name, x__xgafv=None)</a></code></p>
82<p class="firstline">Deletes a DeidentifyTemplate.</p>
83<p class="toc_element">
84 <code><a href="#get">get(name, x__xgafv=None)</a></code></p>
85<p class="firstline">Gets a DeidentifyTemplate.</p>
86<p class="toc_element">
87 <code><a href="#list">list(parent, orderBy=None, pageToken=None, x__xgafv=None, pageSize=None)</a></code></p>
88<p class="firstline">Lists DeidentifyTemplates.</p>
89<p class="toc_element">
90 <code><a href="#list_next">list_next(previous_request, previous_response)</a></code></p>
91<p class="firstline">Retrieves the next page of results.</p>
92<p class="toc_element">
93 <code><a href="#patch">patch(name, body, x__xgafv=None)</a></code></p>
94<p class="firstline">Updates the DeidentifyTemplate.</p>
95<h3>Method Details</h3>
96<div class="method">
97 <code class="details" id="create">create(parent, body, x__xgafv=None)</code>
98 <pre>Creates a DeidentifyTemplate for re-using frequently used configuration
99for de-identifying content, images, and storage.
100See https://cloud.google.com/dlp/docs/creating-templates-deid to learn
101more.
102
103Args:
104 parent: string, The parent resource name, for example projects/my-project-id or
105organizations/my-org-id. (required)
106 body: object, The request body. (required)
107 The object takes the form of:
108
109{ # Request message for CreateDeidentifyTemplate.
110 "deidentifyTemplate": { # The DeidentifyTemplates contains instructions on how to deidentify content. # The DeidentifyTemplate to create.
111 # See https://cloud.google.com/dlp/docs/concepts-templates to learn more.
112 "updateTime": "A String", # The last update timestamp of a inspectTemplate, output only field.
113 "displayName": "A String", # Display name (max 256 chars).
114 "description": "A String", # Short description (max 256 chars).
115 "deidentifyConfig": { # The configuration that controls how the data will change. # ///////////// // The core content of the template // ///////////////
116 "infoTypeTransformations": { # A type of transformation that will scan unstructured text and # Treat the dataset as free-form text and apply the same free text
117 # transformation everywhere.
118 # apply various `PrimitiveTransformation`s to each finding, where the
119 # transformation is applied to only values that were identified as a specific
120 # info_type.
121 "transformations": [ # Transformation for each infoType. Cannot specify more than one
122 # for a given infoType. [required]
123 { # A transformation to apply to text that is identified as a specific
124 # info_type.
125 "primitiveTransformation": { # A rule for transforming a value. # Primitive transformation to apply to the infoType. [required]
126 "characterMaskConfig": { # Partially mask a string by replacing a given number of characters with a
127 # fixed character. Masking can start from the beginning or end of the string.
128 # This can be used on data of any type (numbers, longs, and so on) and when
129 # de-identifying structured data we'll attempt to preserve the original data's
130 # type. (This allows you to take a long like 123 and modify it to a string like
131 # **3.
132 "charactersToIgnore": [ # When masking a string, items in this list will be skipped when replacing.
133 # For example, if your string is 555-555-5555 and you ask us to skip `-` and
134 # mask 5 chars with * we would produce ***-*55-5555.
135 { # Characters to skip when doing deidentification of a value. These will be left
136 # alone and skipped.
137 "commonCharactersToIgnore": "A String",
138 "charactersToSkip": "A String",
139 },
140 ],
141 "numberToMask": 42, # Number of characters to mask. If not set, all matching chars will be
142 # masked. Skipped characters do not count towards this tally.
143 "maskingCharacter": "A String", # Character to mask the sensitive values&mdash;for example, "*" for an
144 # alphabetic string such as name, or "0" for a numeric string such as ZIP
145 # code or credit card number. String must have length 1. If not supplied, we
146 # will default to "*" for strings, 0 for digits.
147 "reverseOrder": True or False, # Mask characters in reverse order. For example, if `masking_character` is
148 # '0', number_to_mask is 14, and `reverse_order` is false, then
149 # 1234-5678-9012-3456 -> 00000000000000-3456
150 # If `masking_character` is '*', `number_to_mask` is 3, and `reverse_order`
151 # is true, then 12345 -> 12***
152 },
153 "redactConfig": { # Redact a given value. For example, if used with an `InfoTypeTransformation`
154 # transforming PHONE_NUMBER, and input 'My phone number is 206-555-0123', the
155 # output would be 'My phone number is '.
156 },
157 "cryptoDeterministicConfig": { # Pseudonymization method that generates deterministic encryption for the given
158 # input. Outputs a base64 encoded representation of the encrypted output.
159 # Uses AES-SIV based on the RFC https://tools.ietf.org/html/rfc5297.
160 "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the encryption function.
161 # a key encryption key (KEK) stored by KMS).
162 # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
163 # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
164 # unwrap the data crypto key.
165 "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS.
166 # The wrapped key must be a 128/192/256 bit key.
167 # Authorization requires the following IAM permissions when sending a request
168 # to perform a crypto transformation using a kms-wrapped crypto key:
169 # dlp.kms.encrypt
170 "cryptoKeyName": "A String", # The resource name of the KMS CryptoKey to use for unwrapping. [required]
171 "wrappedKey": "A String", # The wrapped data crypto key. [required]
172 },
173 "unwrapped": { # Using raw keys is prone to security risks due to accidentally
174 # leaking the key. Choose another type of key if possible.
175 "key": "A String", # A 128/192/256 bit key. [required]
176 },
177 "transient": { # Use this to have a random data crypto key generated.
178 # It will be discarded after the request finishes.
179 "name": "A String", # Name of the key. [required]
180 # This is an arbitrary string used to differentiate different keys.
181 # A unique key is generated per name: two separate `TransientCryptoKey`
182 # protos share the same generated key if their names are the same.
183 # When the data crypto key is generated, this name is not used in any way
184 # (repeating the api call will result in a different key being generated).
185 },
186 },
187 "context": { # General identifier of a data field in a storage service. # Optional. A context may be used for higher security and maintaining
188 # referential integrity such that the same identifier in two different
189 # contexts will be given a distinct surrogate. The context is appended to
190 # plaintext value being encrypted. On decryption the provided context is
191 # validated against the value used during encryption. If a context was
192 # provided during encryption, same context must be provided during decryption
193 # as well.
194 #
195 # If the context is not set, plaintext would be used as is for encryption.
196 # If the context is set but:
197 #
198 # 1. there is no record present when transforming a given value or
199 # 2. the field is not present when transforming a given value,
200 #
201 # plaintext would be used as is for encryption.
202 #
203 # Note that case (1) is expected when an `InfoTypeTransformation` is
204 # applied to both structured and non-structured `ContentItem`s.
205 "name": "A String", # Name describing the field.
206 },
207 "surrogateInfoType": { # Type of information detected by the API. # The custom info type to annotate the surrogate with.
208 # This annotation will be applied to the surrogate by prefixing it with
209 # the name of the custom info type followed by the number of
210 # characters comprising the surrogate. The following scheme defines the
211 # format: <info type name>(<surrogate character count>):<surrogate>
212 #
213 # For example, if the name of custom info type is 'MY_TOKEN_INFO_TYPE' and
214 # the surrogate is 'abc', the full replacement value
215 # will be: 'MY_TOKEN_INFO_TYPE(3):abc'
216 #
217 # This annotation identifies the surrogate when inspecting content using the
218 # custom info type 'Surrogate'. This facilitates reversal of the
219 # surrogate when it occurs in free text.
220 #
221 # In order for inspection to work properly, the name of this info type must
222 # not occur naturally anywhere in your data; otherwise, inspection may either
223 #
224 # - reverse a surrogate that does not correspond to an actual identifier
225 # - be unable to parse the surrogate and result in an error
226 #
227 # Therefore, choose your custom info type name carefully after considering
228 # what your data looks like. One way to select a name that has a high chance
229 # of yielding reliable detection is to include one or more unicode characters
230 # that are highly improbable to exist in your data.
231 # For example, assuming your data is entered from a regular ASCII keyboard,
232 # the symbol with the hex code point 29DD might be used like so:
233 # ⧝MY_TOKEN_TYPE
234 "name": "A String", # Name of the information type. Either a name of your choosing when
235 # creating a CustomInfoType, or one of the names listed
236 # at https://cloud.google.com/dlp/docs/infotypes-reference when specifying
237 # a built-in type. InfoType names should conform to the pattern
238 # [a-zA-Z0-9_]{1,64}.
239 },
240 },
241 "fixedSizeBucketingConfig": { # Buckets values based on fixed size ranges. The
242 # Bucketing transformation can provide all of this functionality,
243 # but requires more configuration. This message is provided as a convenience to
244 # the user for simple bucketing strategies.
245 #
246 # The transformed value will be a hyphenated string of
247 # <lower_bound>-<upper_bound>, i.e if lower_bound = 10 and upper_bound = 20
248 # all values that are within this bucket will be replaced with "10-20".
249 #
250 # This can be used on data of type: double, long.
251 #
252 # If the bound Value type differs from the type of data
253 # being transformed, we will first attempt converting the type of the data to
254 # be transformed to match the type of the bound before comparing.
255 #
256 # See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more.
257 "lowerBound": { # Set of primitive values supported by the system. # Lower bound value of buckets. All values less than `lower_bound` are
258 # grouped together into a single bucket; for example if `lower_bound` = 10,
259 # then all values less than 10 are replaced with the value “-10”. [Required].
260 # Note that for the purposes of inspection or transformation, the number
261 # of bytes considered to comprise a 'Value' is based on its representation
262 # as a UTF-8 encoded string. For example, if 'integer_value' is set to
263 # 123456789, the number of bytes would be counted as 9, even though an
264 # int64 only holds up to 8 bytes of data.
265 "floatValue": 3.14,
266 "timestampValue": "A String",
267 "dayOfWeekValue": "A String",
268 "timeValue": { # Represents a time of day. The date and time zone are either not significant
269 # or are specified elsewhere. An API may choose to allow leap seconds. Related
270 # types are google.type.Date and `google.protobuf.Timestamp`.
271 "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
272 # to allow the value "24:00:00" for scenarios like business closing time.
273 "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
274 "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
275 # allow the value 60 if it allows leap-seconds.
276 "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
277 },
278 "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
279 # and time zone are either specified elsewhere or are not significant. The date
280 # is relative to the Proleptic Gregorian Calendar. This can represent:
281 #
282 # * A full date, with non-zero year, month and day values
283 # * A month and day value, with a zero year, e.g. an anniversary
284 # * A year on its own, with zero month and day values
285 # * A year and month value, with a zero day, e.g. a credit card expiration date
286 #
287 # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
288 "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
289 # a year.
290 "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
291 # if specifying a year by itself or a year and month where the day is not
292 # significant.
293 "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
294 # month and day.
295 },
296 "stringValue": "A String",
297 "booleanValue": True or False,
298 "integerValue": "A String",
299 },
300 "upperBound": { # Set of primitive values supported by the system. # Upper bound value of buckets. All values greater than upper_bound are
301 # grouped together into a single bucket; for example if `upper_bound` = 89,
302 # then all values greater than 89 are replaced with the value “89+”.
303 # [Required].
304 # Note that for the purposes of inspection or transformation, the number
305 # of bytes considered to comprise a 'Value' is based on its representation
306 # as a UTF-8 encoded string. For example, if 'integer_value' is set to
307 # 123456789, the number of bytes would be counted as 9, even though an
308 # int64 only holds up to 8 bytes of data.
309 "floatValue": 3.14,
310 "timestampValue": "A String",
311 "dayOfWeekValue": "A String",
312 "timeValue": { # Represents a time of day. The date and time zone are either not significant
313 # or are specified elsewhere. An API may choose to allow leap seconds. Related
314 # types are google.type.Date and `google.protobuf.Timestamp`.
315 "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
316 # to allow the value "24:00:00" for scenarios like business closing time.
317 "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
318 "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
319 # allow the value 60 if it allows leap-seconds.
320 "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
321 },
322 "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
323 # and time zone are either specified elsewhere or are not significant. The date
324 # is relative to the Proleptic Gregorian Calendar. This can represent:
325 #
326 # * A full date, with non-zero year, month and day values
327 # * A month and day value, with a zero year, e.g. an anniversary
328 # * A year on its own, with zero month and day values
329 # * A year and month value, with a zero day, e.g. a credit card expiration date
330 #
331 # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
332 "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
333 # a year.
334 "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
335 # if specifying a year by itself or a year and month where the day is not
336 # significant.
337 "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
338 # month and day.
339 },
340 "stringValue": "A String",
341 "booleanValue": True or False,
342 "integerValue": "A String",
343 },
344 "bucketSize": 3.14, # Size of each bucket (except for minimum and maximum buckets). So if
345 # `lower_bound` = 10, `upper_bound` = 89, and `bucket_size` = 10, then the
346 # following buckets would be used: -10, 10-20, 20-30, 30-40, 40-50, 50-60,
347 # 60-70, 70-80, 80-89, 89+. Precision up to 2 decimals works. [Required].
348 },
349 "replaceWithInfoTypeConfig": { # Replace each matching finding with the name of the info_type.
350 },
351 "timePartConfig": { # For use with `Date`, `Timestamp`, and `TimeOfDay`, extract or preserve a
352 # portion of the value.
353 "partToExtract": "A String",
354 },
355 "cryptoHashConfig": { # Pseudonymization method that generates surrogates via cryptographic hashing.
356 # Uses SHA-256.
357 # The key size must be either 32 or 64 bytes.
358 # Outputs a base64 encoded representation of the hashed output
359 # (for example, L7k0BHmF1ha5U3NfGykjro4xWi1MPVQPjhMAZbSV9mM=).
360 # Currently, only string and integer values can be hashed.
361 # See https://cloud.google.com/dlp/docs/pseudonymization to learn more.
362 "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the hash function.
363 # a key encryption key (KEK) stored by KMS).
364 # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
365 # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
366 # unwrap the data crypto key.
367 "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS.
368 # The wrapped key must be a 128/192/256 bit key.
369 # Authorization requires the following IAM permissions when sending a request
370 # to perform a crypto transformation using a kms-wrapped crypto key:
371 # dlp.kms.encrypt
372 "cryptoKeyName": "A String", # The resource name of the KMS CryptoKey to use for unwrapping. [required]
373 "wrappedKey": "A String", # The wrapped data crypto key. [required]
374 },
375 "unwrapped": { # Using raw keys is prone to security risks due to accidentally
376 # leaking the key. Choose another type of key if possible.
377 "key": "A String", # A 128/192/256 bit key. [required]
378 },
379 "transient": { # Use this to have a random data crypto key generated.
380 # It will be discarded after the request finishes.
381 "name": "A String", # Name of the key. [required]
382 # This is an arbitrary string used to differentiate different keys.
383 # A unique key is generated per name: two separate `TransientCryptoKey`
384 # protos share the same generated key if their names are the same.
385 # When the data crypto key is generated, this name is not used in any way
386 # (repeating the api call will result in a different key being generated).
387 },
388 },
389 },
390 "dateShiftConfig": { # Shifts dates by random number of days, with option to be consistent for the
391 # same context. See https://cloud.google.com/dlp/docs/concepts-date-shifting
392 # to learn more.
393 "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # Causes the shift to be computed based on this key and the context. This
394 # results in the same shift for the same context and crypto_key.
395 # a key encryption key (KEK) stored by KMS).
396 # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
397 # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
398 # unwrap the data crypto key.
399 "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS.
400 # The wrapped key must be a 128/192/256 bit key.
401 # Authorization requires the following IAM permissions when sending a request
402 # to perform a crypto transformation using a kms-wrapped crypto key:
403 # dlp.kms.encrypt
404 "cryptoKeyName": "A String", # The resource name of the KMS CryptoKey to use for unwrapping. [required]
405 "wrappedKey": "A String", # The wrapped data crypto key. [required]
406 },
407 "unwrapped": { # Using raw keys is prone to security risks due to accidentally
408 # leaking the key. Choose another type of key if possible.
409 "key": "A String", # A 128/192/256 bit key. [required]
410 },
411 "transient": { # Use this to have a random data crypto key generated.
412 # It will be discarded after the request finishes.
413 "name": "A String", # Name of the key. [required]
414 # This is an arbitrary string used to differentiate different keys.
415 # A unique key is generated per name: two separate `TransientCryptoKey`
416 # protos share the same generated key if their names are the same.
417 # When the data crypto key is generated, this name is not used in any way
418 # (repeating the api call will result in a different key being generated).
419 },
420 },
421 "lowerBoundDays": 42, # For example, -5 means shift date to at most 5 days back in the past.
422 # [Required]
423 "upperBoundDays": 42, # Range of shift in days. Actual shift will be selected at random within this
424 # range (inclusive ends). Negative means shift to earlier in time. Must not
425 # be more than 365250 days (1000 years) each direction.
426 #
427 # For example, 3 means shift date to at most 3 days into the future.
428 # [Required]
429 "context": { # General identifier of a data field in a storage service. # Points to the field that contains the context, for example, an entity id.
430 # If set, must also set method. If set, shift will be consistent for the
431 # given context.
432 "name": "A String", # Name describing the field.
433 },
434 },
435 "bucketingConfig": { # Generalization function that buckets values based on ranges. The ranges and
436 # replacement values are dynamically provided by the user for custom behavior,
437 # such as 1-30 -> LOW 31-65 -> MEDIUM 66-100 -> HIGH
438 # This can be used on
439 # data of type: number, long, string, timestamp.
440 # If the bound `Value` type differs from the type of data being transformed, we
441 # will first attempt converting the type of the data to be transformed to match
442 # the type of the bound before comparing.
443 # See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more.
444 "buckets": [ # Set of buckets. Ranges must be non-overlapping.
445 { # Bucket is represented as a range, along with replacement values.
446 "max": { # Set of primitive values supported by the system. # Upper bound of the range, exclusive; type must match min.
447 # Note that for the purposes of inspection or transformation, the number
448 # of bytes considered to comprise a 'Value' is based on its representation
449 # as a UTF-8 encoded string. For example, if 'integer_value' is set to
450 # 123456789, the number of bytes would be counted as 9, even though an
451 # int64 only holds up to 8 bytes of data.
452 "floatValue": 3.14,
453 "timestampValue": "A String",
454 "dayOfWeekValue": "A String",
455 "timeValue": { # Represents a time of day. The date and time zone are either not significant
456 # or are specified elsewhere. An API may choose to allow leap seconds. Related
457 # types are google.type.Date and `google.protobuf.Timestamp`.
458 "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
459 # to allow the value "24:00:00" for scenarios like business closing time.
460 "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
461 "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
462 # allow the value 60 if it allows leap-seconds.
463 "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
464 },
465 "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
466 # and time zone are either specified elsewhere or are not significant. The date
467 # is relative to the Proleptic Gregorian Calendar. This can represent:
468 #
469 # * A full date, with non-zero year, month and day values
470 # * A month and day value, with a zero year, e.g. an anniversary
471 # * A year on its own, with zero month and day values
472 # * A year and month value, with a zero day, e.g. a credit card expiration date
473 #
474 # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
475 "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
476 # a year.
477 "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
478 # if specifying a year by itself or a year and month where the day is not
479 # significant.
480 "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
481 # month and day.
482 },
483 "stringValue": "A String",
484 "booleanValue": True or False,
485 "integerValue": "A String",
486 },
487 "replacementValue": { # Set of primitive values supported by the system. # Replacement value for this bucket. If not provided
488 # the default behavior will be to hyphenate the min-max range.
489 # Note that for the purposes of inspection or transformation, the number
490 # of bytes considered to comprise a 'Value' is based on its representation
491 # as a UTF-8 encoded string. For example, if 'integer_value' is set to
492 # 123456789, the number of bytes would be counted as 9, even though an
493 # int64 only holds up to 8 bytes of data.
494 "floatValue": 3.14,
495 "timestampValue": "A String",
496 "dayOfWeekValue": "A String",
497 "timeValue": { # Represents a time of day. The date and time zone are either not significant
498 # or are specified elsewhere. An API may choose to allow leap seconds. Related
499 # types are google.type.Date and `google.protobuf.Timestamp`.
500 "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
501 # to allow the value "24:00:00" for scenarios like business closing time.
502 "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
503 "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
504 # allow the value 60 if it allows leap-seconds.
505 "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
506 },
507 "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
508 # and time zone are either specified elsewhere or are not significant. The date
509 # is relative to the Proleptic Gregorian Calendar. This can represent:
510 #
511 # * A full date, with non-zero year, month and day values
512 # * A month and day value, with a zero year, e.g. an anniversary
513 # * A year on its own, with zero month and day values
514 # * A year and month value, with a zero day, e.g. a credit card expiration date
515 #
516 # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
517 "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
518 # a year.
519 "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
520 # if specifying a year by itself or a year and month where the day is not
521 # significant.
522 "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
523 # month and day.
524 },
525 "stringValue": "A String",
526 "booleanValue": True or False,
527 "integerValue": "A String",
528 },
529 "min": { # Set of primitive values supported by the system. # Lower bound of the range, inclusive. Type should be the same as max if
530 # used.
531 # Note that for the purposes of inspection or transformation, the number
532 # of bytes considered to comprise a 'Value' is based on its representation
533 # as a UTF-8 encoded string. For example, if 'integer_value' is set to
534 # 123456789, the number of bytes would be counted as 9, even though an
535 # int64 only holds up to 8 bytes of data.
536 "floatValue": 3.14,
537 "timestampValue": "A String",
538 "dayOfWeekValue": "A String",
539 "timeValue": { # Represents a time of day. The date and time zone are either not significant
540 # or are specified elsewhere. An API may choose to allow leap seconds. Related
541 # types are google.type.Date and `google.protobuf.Timestamp`.
542 "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
543 # to allow the value "24:00:00" for scenarios like business closing time.
544 "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
545 "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
546 # allow the value 60 if it allows leap-seconds.
547 "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
548 },
549 "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
550 # and time zone are either specified elsewhere or are not significant. The date
551 # is relative to the Proleptic Gregorian Calendar. This can represent:
552 #
553 # * A full date, with non-zero year, month and day values
554 # * A month and day value, with a zero year, e.g. an anniversary
555 # * A year on its own, with zero month and day values
556 # * A year and month value, with a zero day, e.g. a credit card expiration date
557 #
558 # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
559 "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
560 # a year.
561 "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
562 # if specifying a year by itself or a year and month where the day is not
563 # significant.
564 "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
565 # month and day.
566 },
567 "stringValue": "A String",
568 "booleanValue": True or False,
569 "integerValue": "A String",
570 },
571 },
572 ],
573 },
574 "cryptoReplaceFfxFpeConfig": { # Replaces an identifier with a surrogate using Format Preserving Encryption
575 # (FPE) with the FFX mode of operation; however when used in the
576 # `ReidentifyContent` API method, it serves the opposite function by reversing
577 # the surrogate back into the original identifier. The identifier must be
578 # encoded as ASCII. For a given crypto key and context, the same identifier
579 # will be replaced with the same surrogate. Identifiers must be at least two
580 # characters long. In the case that the identifier is the empty string, it will
581 # be skipped. See https://cloud.google.com/dlp/docs/pseudonymization to learn
582 # more.
583 #
584 # Note: We recommend using CryptoDeterministicConfig for all use cases which
585 # do not require preserving the input alphabet space and size, plus warrant
586 # referential integrity.
587 "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the encryption algorithm. [required]
588 # a key encryption key (KEK) stored by KMS).
589 # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
590 # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
591 # unwrap the data crypto key.
592 "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS.
593 # The wrapped key must be a 128/192/256 bit key.
594 # Authorization requires the following IAM permissions when sending a request
595 # to perform a crypto transformation using a kms-wrapped crypto key:
596 # dlp.kms.encrypt
597 "cryptoKeyName": "A String", # The resource name of the KMS CryptoKey to use for unwrapping. [required]
598 "wrappedKey": "A String", # The wrapped data crypto key. [required]
599 },
600 "unwrapped": { # Using raw keys is prone to security risks due to accidentally
601 # leaking the key. Choose another type of key if possible.
602 "key": "A String", # A 128/192/256 bit key. [required]
603 },
604 "transient": { # Use this to have a random data crypto key generated.
605 # It will be discarded after the request finishes.
606 "name": "A String", # Name of the key. [required]
607 # This is an arbitrary string used to differentiate different keys.
608 # A unique key is generated per name: two separate `TransientCryptoKey`
609 # protos share the same generated key if their names are the same.
610 # When the data crypto key is generated, this name is not used in any way
611 # (repeating the api call will result in a different key being generated).
612 },
613 },
614 "radix": 42, # The native way to select the alphabet. Must be in the range [2, 62].
615 "commonAlphabet": "A String",
616 "customAlphabet": "A String", # This is supported by mapping these to the alphanumeric characters
617 # that the FFX mode natively supports. This happens before/after
618 # encryption/decryption.
619 # Each character listed must appear only once.
620 # Number of characters must be in the range [2, 62].
621 # This must be encoded as ASCII.
622 # The order of characters does not matter.
623 "context": { # General identifier of a data field in a storage service. # The 'tweak', a context may be used for higher security since the same
624 # identifier in two different contexts won't be given the same surrogate. If
625 # the context is not set, a default tweak will be used.
626 #
627 # If the context is set but:
628 #
629 # 1. there is no record present when transforming a given value or
630 # 1. the field is not present when transforming a given value,
631 #
632 # a default tweak will be used.
633 #
634 # Note that case (1) is expected when an `InfoTypeTransformation` is
635 # applied to both structured and non-structured `ContentItem`s.
636 # Currently, the referenced field may be of value type integer or string.
637 #
638 # The tweak is constructed as a sequence of bytes in big endian byte order
639 # such that:
640 #
641 # - a 64 bit integer is encoded followed by a single byte of value 1
642 # - a string is encoded in UTF-8 format followed by a single byte of value 2
643 "name": "A String", # Name describing the field.
644 },
645 "surrogateInfoType": { # Type of information detected by the API. # The custom infoType to annotate the surrogate with.
646 # This annotation will be applied to the surrogate by prefixing it with
647 # the name of the custom infoType followed by the number of
648 # characters comprising the surrogate. The following scheme defines the
649 # format: info_type_name(surrogate_character_count):surrogate
650 #
651 # For example, if the name of custom infoType is 'MY_TOKEN_INFO_TYPE' and
652 # the surrogate is 'abc', the full replacement value
653 # will be: 'MY_TOKEN_INFO_TYPE(3):abc'
654 #
655 # This annotation identifies the surrogate when inspecting content using the
656 # custom infoType
657 # [`SurrogateType`](/dlp/docs/reference/rest/v2/InspectConfig#surrogatetype).
658 # This facilitates reversal of the surrogate when it occurs in free text.
659 #
660 # In order for inspection to work properly, the name of this infoType must
661 # not occur naturally anywhere in your data; otherwise, inspection may
662 # find a surrogate that does not correspond to an actual identifier.
663 # Therefore, choose your custom infoType name carefully after considering
664 # what your data looks like. One way to select a name that has a high chance
665 # of yielding reliable detection is to include one or more unicode characters
666 # that are highly improbable to exist in your data.
667 # For example, assuming your data is entered from a regular ASCII keyboard,
668 # the symbol with the hex code point 29DD might be used like so:
669 # ⧝MY_TOKEN_TYPE
670 "name": "A String", # Name of the information type. Either a name of your choosing when
671 # creating a CustomInfoType, or one of the names listed
672 # at https://cloud.google.com/dlp/docs/infotypes-reference when specifying
673 # a built-in type. InfoType names should conform to the pattern
674 # [a-zA-Z0-9_]{1,64}.
675 },
676 },
677 "replaceConfig": { # Replace each input value with a given `Value`.
678 "newValue": { # Set of primitive values supported by the system. # Value to replace it with.
679 # Note that for the purposes of inspection or transformation, the number
680 # of bytes considered to comprise a 'Value' is based on its representation
681 # as a UTF-8 encoded string. For example, if 'integer_value' is set to
682 # 123456789, the number of bytes would be counted as 9, even though an
683 # int64 only holds up to 8 bytes of data.
684 "floatValue": 3.14,
685 "timestampValue": "A String",
686 "dayOfWeekValue": "A String",
687 "timeValue": { # Represents a time of day. The date and time zone are either not significant
688 # or are specified elsewhere. An API may choose to allow leap seconds. Related
689 # types are google.type.Date and `google.protobuf.Timestamp`.
690 "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
691 # to allow the value "24:00:00" for scenarios like business closing time.
692 "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
693 "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
694 # allow the value 60 if it allows leap-seconds.
695 "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
696 },
697 "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
698 # and time zone are either specified elsewhere or are not significant. The date
699 # is relative to the Proleptic Gregorian Calendar. This can represent:
700 #
701 # * A full date, with non-zero year, month and day values
702 # * A month and day value, with a zero year, e.g. an anniversary
703 # * A year on its own, with zero month and day values
704 # * A year and month value, with a zero day, e.g. a credit card expiration date
705 #
706 # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
707 "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
708 # a year.
709 "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
710 # if specifying a year by itself or a year and month where the day is not
711 # significant.
712 "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
713 # month and day.
714 },
715 "stringValue": "A String",
716 "booleanValue": True or False,
717 "integerValue": "A String",
718 },
719 },
720 },
721 "infoTypes": [ # InfoTypes to apply the transformation to. An empty list will cause
722 # this transformation to apply to all findings that correspond to
723 # infoTypes that were requested in `InspectConfig`.
724 { # Type of information detected by the API.
725 "name": "A String", # Name of the information type. Either a name of your choosing when
726 # creating a CustomInfoType, or one of the names listed
727 # at https://cloud.google.com/dlp/docs/infotypes-reference when specifying
728 # a built-in type. InfoType names should conform to the pattern
729 # [a-zA-Z0-9_]{1,64}.
730 },
731 ],
732 },
733 ],
734 },
735 "recordTransformations": { # A type of transformation that is applied over structured data such as a # Treat the dataset as structured. Transformations can be applied to
736 # specific locations within structured datasets, such as transforming
737 # a column within a table.
738 # table.
739 "recordSuppressions": [ # Configuration defining which records get suppressed entirely. Records that
740 # match any suppression rule are omitted from the output [optional].
741 { # Configuration to suppress records whose suppression conditions evaluate to
742 # true.
743 "condition": { # A condition for determining whether a transformation should be applied to # A condition that when it evaluates to true will result in the record being
744 # evaluated to be suppressed from the transformed content.
745 # a field.
746 "expressions": { # An expression, consisting or an operator and conditions. # An expression.
747 "conditions": { # A collection of conditions.
748 "conditions": [
749 { # The field type of `value` and `field` do not need to match to be
750 # considered equal, but not all comparisons are possible.
751 # EQUAL_TO and NOT_EQUAL_TO attempt to compare even with incompatible types,
752 # but all other comparisons are invalid with incompatible types.
753 # A `value` of type:
754 #
755 # - `string` can be compared against all other types
756 # - `boolean` can only be compared against other booleans
757 # - `integer` can be compared against doubles or a string if the string value
758 # can be parsed as an integer.
759 # - `double` can be compared against integers or a string if the string can
760 # be parsed as a double.
761 # - `Timestamp` can be compared against strings in RFC 3339 date string
762 # format.
763 # - `TimeOfDay` can be compared against timestamps and strings in the format
764 # of 'HH:mm:ss'.
765 #
766 # If we fail to compare do to type mismatch, a warning will be given and
767 # the condition will evaluate to false.
768 "operator": "A String", # Operator used to compare the field or infoType to the value. [required]
769 "field": { # General identifier of a data field in a storage service. # Field within the record this condition is evaluated against. [required]
770 "name": "A String", # Name describing the field.
771 },
772 "value": { # Set of primitive values supported by the system. # Value to compare against. [Required, except for `EXISTS` tests.]
773 # Note that for the purposes of inspection or transformation, the number
774 # of bytes considered to comprise a 'Value' is based on its representation
775 # as a UTF-8 encoded string. For example, if 'integer_value' is set to
776 # 123456789, the number of bytes would be counted as 9, even though an
777 # int64 only holds up to 8 bytes of data.
778 "floatValue": 3.14,
779 "timestampValue": "A String",
780 "dayOfWeekValue": "A String",
781 "timeValue": { # Represents a time of day. The date and time zone are either not significant
782 # or are specified elsewhere. An API may choose to allow leap seconds. Related
783 # types are google.type.Date and `google.protobuf.Timestamp`.
784 "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
785 # to allow the value "24:00:00" for scenarios like business closing time.
786 "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
787 "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
788 # allow the value 60 if it allows leap-seconds.
789 "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
790 },
791 "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
792 # and time zone are either specified elsewhere or are not significant. The date
793 # is relative to the Proleptic Gregorian Calendar. This can represent:
794 #
795 # * A full date, with non-zero year, month and day values
796 # * A month and day value, with a zero year, e.g. an anniversary
797 # * A year on its own, with zero month and day values
798 # * A year and month value, with a zero day, e.g. a credit card expiration date
799 #
800 # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
801 "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
802 # a year.
803 "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
804 # if specifying a year by itself or a year and month where the day is not
805 # significant.
806 "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
807 # month and day.
808 },
809 "stringValue": "A String",
810 "booleanValue": True or False,
811 "integerValue": "A String",
812 },
813 },
814 ],
815 },
816 "logicalOperator": "A String", # The operator to apply to the result of conditions. Default and currently
817 # only supported value is `AND`.
818 },
819 },
820 },
821 ],
822 "fieldTransformations": [ # Transform the record by applying various field transformations.
823 { # The transformation to apply to the field.
824 "infoTypeTransformations": { # A type of transformation that will scan unstructured text and # Treat the contents of the field as free text, and selectively
825 # transform content that matches an `InfoType`.
826 # apply various `PrimitiveTransformation`s to each finding, where the
827 # transformation is applied to only values that were identified as a specific
828 # info_type.
829 "transformations": [ # Transformation for each infoType. Cannot specify more than one
830 # for a given infoType. [required]
831 { # A transformation to apply to text that is identified as a specific
832 # info_type.
833 "primitiveTransformation": { # A rule for transforming a value. # Primitive transformation to apply to the infoType. [required]
834 "characterMaskConfig": { # Partially mask a string by replacing a given number of characters with a
835 # fixed character. Masking can start from the beginning or end of the string.
836 # This can be used on data of any type (numbers, longs, and so on) and when
837 # de-identifying structured data we'll attempt to preserve the original data's
838 # type. (This allows you to take a long like 123 and modify it to a string like
839 # **3.
840 "charactersToIgnore": [ # When masking a string, items in this list will be skipped when replacing.
841 # For example, if your string is 555-555-5555 and you ask us to skip `-` and
842 # mask 5 chars with * we would produce ***-*55-5555.
843 { # Characters to skip when doing deidentification of a value. These will be left
844 # alone and skipped.
845 "commonCharactersToIgnore": "A String",
846 "charactersToSkip": "A String",
847 },
848 ],
849 "numberToMask": 42, # Number of characters to mask. If not set, all matching chars will be
850 # masked. Skipped characters do not count towards this tally.
851 "maskingCharacter": "A String", # Character to mask the sensitive values&mdash;for example, "*" for an
852 # alphabetic string such as name, or "0" for a numeric string such as ZIP
853 # code or credit card number. String must have length 1. If not supplied, we
854 # will default to "*" for strings, 0 for digits.
855 "reverseOrder": True or False, # Mask characters in reverse order. For example, if `masking_character` is
856 # '0', number_to_mask is 14, and `reverse_order` is false, then
857 # 1234-5678-9012-3456 -> 00000000000000-3456
858 # If `masking_character` is '*', `number_to_mask` is 3, and `reverse_order`
859 # is true, then 12345 -> 12***
860 },
861 "redactConfig": { # Redact a given value. For example, if used with an `InfoTypeTransformation`
862 # transforming PHONE_NUMBER, and input 'My phone number is 206-555-0123', the
863 # output would be 'My phone number is '.
864 },
865 "cryptoDeterministicConfig": { # Pseudonymization method that generates deterministic encryption for the given
866 # input. Outputs a base64 encoded representation of the encrypted output.
867 # Uses AES-SIV based on the RFC https://tools.ietf.org/html/rfc5297.
868 "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the encryption function.
869 # a key encryption key (KEK) stored by KMS).
870 # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
871 # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
872 # unwrap the data crypto key.
873 "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS.
874 # The wrapped key must be a 128/192/256 bit key.
875 # Authorization requires the following IAM permissions when sending a request
876 # to perform a crypto transformation using a kms-wrapped crypto key:
877 # dlp.kms.encrypt
878 "cryptoKeyName": "A String", # The resource name of the KMS CryptoKey to use for unwrapping. [required]
879 "wrappedKey": "A String", # The wrapped data crypto key. [required]
880 },
881 "unwrapped": { # Using raw keys is prone to security risks due to accidentally
882 # leaking the key. Choose another type of key if possible.
883 "key": "A String", # A 128/192/256 bit key. [required]
884 },
885 "transient": { # Use this to have a random data crypto key generated.
886 # It will be discarded after the request finishes.
887 "name": "A String", # Name of the key. [required]
888 # This is an arbitrary string used to differentiate different keys.
889 # A unique key is generated per name: two separate `TransientCryptoKey`
890 # protos share the same generated key if their names are the same.
891 # When the data crypto key is generated, this name is not used in any way
892 # (repeating the api call will result in a different key being generated).
893 },
894 },
895 "context": { # General identifier of a data field in a storage service. # Optional. A context may be used for higher security and maintaining
896 # referential integrity such that the same identifier in two different
897 # contexts will be given a distinct surrogate. The context is appended to
898 # plaintext value being encrypted. On decryption the provided context is
899 # validated against the value used during encryption. If a context was
900 # provided during encryption, same context must be provided during decryption
901 # as well.
902 #
903 # If the context is not set, plaintext would be used as is for encryption.
904 # If the context is set but:
905 #
906 # 1. there is no record present when transforming a given value or
907 # 2. the field is not present when transforming a given value,
908 #
909 # plaintext would be used as is for encryption.
910 #
911 # Note that case (1) is expected when an `InfoTypeTransformation` is
912 # applied to both structured and non-structured `ContentItem`s.
913 "name": "A String", # Name describing the field.
914 },
915 "surrogateInfoType": { # Type of information detected by the API. # The custom info type to annotate the surrogate with.
916 # This annotation will be applied to the surrogate by prefixing it with
917 # the name of the custom info type followed by the number of
918 # characters comprising the surrogate. The following scheme defines the
919 # format: <info type name>(<surrogate character count>):<surrogate>
920 #
921 # For example, if the name of custom info type is 'MY_TOKEN_INFO_TYPE' and
922 # the surrogate is 'abc', the full replacement value
923 # will be: 'MY_TOKEN_INFO_TYPE(3):abc'
924 #
925 # This annotation identifies the surrogate when inspecting content using the
926 # custom info type 'Surrogate'. This facilitates reversal of the
927 # surrogate when it occurs in free text.
928 #
929 # In order for inspection to work properly, the name of this info type must
930 # not occur naturally anywhere in your data; otherwise, inspection may either
931 #
932 # - reverse a surrogate that does not correspond to an actual identifier
933 # - be unable to parse the surrogate and result in an error
934 #
935 # Therefore, choose your custom info type name carefully after considering
936 # what your data looks like. One way to select a name that has a high chance
937 # of yielding reliable detection is to include one or more unicode characters
938 # that are highly improbable to exist in your data.
939 # For example, assuming your data is entered from a regular ASCII keyboard,
940 # the symbol with the hex code point 29DD might be used like so:
941 # ⧝MY_TOKEN_TYPE
942 "name": "A String", # Name of the information type. Either a name of your choosing when
943 # creating a CustomInfoType, or one of the names listed
944 # at https://cloud.google.com/dlp/docs/infotypes-reference when specifying
945 # a built-in type. InfoType names should conform to the pattern
946 # [a-zA-Z0-9_]{1,64}.
947 },
948 },
949 "fixedSizeBucketingConfig": { # Buckets values based on fixed size ranges. The
950 # Bucketing transformation can provide all of this functionality,
951 # but requires more configuration. This message is provided as a convenience to
952 # the user for simple bucketing strategies.
953 #
954 # The transformed value will be a hyphenated string of
955 # <lower_bound>-<upper_bound>, i.e if lower_bound = 10 and upper_bound = 20
956 # all values that are within this bucket will be replaced with "10-20".
957 #
958 # This can be used on data of type: double, long.
959 #
960 # If the bound Value type differs from the type of data
961 # being transformed, we will first attempt converting the type of the data to
962 # be transformed to match the type of the bound before comparing.
963 #
964 # See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more.
965 "lowerBound": { # Set of primitive values supported by the system. # Lower bound value of buckets. All values less than `lower_bound` are
966 # grouped together into a single bucket; for example if `lower_bound` = 10,
967 # then all values less than 10 are replaced with the value “-10”. [Required].
968 # Note that for the purposes of inspection or transformation, the number
969 # of bytes considered to comprise a 'Value' is based on its representation
970 # as a UTF-8 encoded string. For example, if 'integer_value' is set to
971 # 123456789, the number of bytes would be counted as 9, even though an
972 # int64 only holds up to 8 bytes of data.
973 "floatValue": 3.14,
974 "timestampValue": "A String",
975 "dayOfWeekValue": "A String",
976 "timeValue": { # Represents a time of day. The date and time zone are either not significant
977 # or are specified elsewhere. An API may choose to allow leap seconds. Related
978 # types are google.type.Date and `google.protobuf.Timestamp`.
979 "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
980 # to allow the value "24:00:00" for scenarios like business closing time.
981 "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
982 "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
983 # allow the value 60 if it allows leap-seconds.
984 "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
985 },
986 "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
987 # and time zone are either specified elsewhere or are not significant. The date
988 # is relative to the Proleptic Gregorian Calendar. This can represent:
989 #
990 # * A full date, with non-zero year, month and day values
991 # * A month and day value, with a zero year, e.g. an anniversary
992 # * A year on its own, with zero month and day values
993 # * A year and month value, with a zero day, e.g. a credit card expiration date
994 #
995 # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
996 "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
997 # a year.
998 "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
999 # if specifying a year by itself or a year and month where the day is not
1000 # significant.
1001 "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
1002 # month and day.
1003 },
1004 "stringValue": "A String",
1005 "booleanValue": True or False,
1006 "integerValue": "A String",
1007 },
1008 "upperBound": { # Set of primitive values supported by the system. # Upper bound value of buckets. All values greater than upper_bound are
1009 # grouped together into a single bucket; for example if `upper_bound` = 89,
1010 # then all values greater than 89 are replaced with the value “89+”.
1011 # [Required].
1012 # Note that for the purposes of inspection or transformation, the number
1013 # of bytes considered to comprise a 'Value' is based on its representation
1014 # as a UTF-8 encoded string. For example, if 'integer_value' is set to
1015 # 123456789, the number of bytes would be counted as 9, even though an
1016 # int64 only holds up to 8 bytes of data.
1017 "floatValue": 3.14,
1018 "timestampValue": "A String",
1019 "dayOfWeekValue": "A String",
1020 "timeValue": { # Represents a time of day. The date and time zone are either not significant
1021 # or are specified elsewhere. An API may choose to allow leap seconds. Related
1022 # types are google.type.Date and `google.protobuf.Timestamp`.
1023 "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
1024 # to allow the value "24:00:00" for scenarios like business closing time.
1025 "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
1026 "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
1027 # allow the value 60 if it allows leap-seconds.
1028 "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
1029 },
1030 "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
1031 # and time zone are either specified elsewhere or are not significant. The date
1032 # is relative to the Proleptic Gregorian Calendar. This can represent:
1033 #
1034 # * A full date, with non-zero year, month and day values
1035 # * A month and day value, with a zero year, e.g. an anniversary
1036 # * A year on its own, with zero month and day values
1037 # * A year and month value, with a zero day, e.g. a credit card expiration date
1038 #
1039 # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
1040 "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
1041 # a year.
1042 "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
1043 # if specifying a year by itself or a year and month where the day is not
1044 # significant.
1045 "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
1046 # month and day.
1047 },
1048 "stringValue": "A String",
1049 "booleanValue": True or False,
1050 "integerValue": "A String",
1051 },
1052 "bucketSize": 3.14, # Size of each bucket (except for minimum and maximum buckets). So if
1053 # `lower_bound` = 10, `upper_bound` = 89, and `bucket_size` = 10, then the
1054 # following buckets would be used: -10, 10-20, 20-30, 30-40, 40-50, 50-60,
1055 # 60-70, 70-80, 80-89, 89+. Precision up to 2 decimals works. [Required].
1056 },
1057 "replaceWithInfoTypeConfig": { # Replace each matching finding with the name of the info_type.
1058 },
1059 "timePartConfig": { # For use with `Date`, `Timestamp`, and `TimeOfDay`, extract or preserve a
1060 # portion of the value.
1061 "partToExtract": "A String",
1062 },
1063 "cryptoHashConfig": { # Pseudonymization method that generates surrogates via cryptographic hashing.
1064 # Uses SHA-256.
1065 # The key size must be either 32 or 64 bytes.
1066 # Outputs a base64 encoded representation of the hashed output
1067 # (for example, L7k0BHmF1ha5U3NfGykjro4xWi1MPVQPjhMAZbSV9mM=).
1068 # Currently, only string and integer values can be hashed.
1069 # See https://cloud.google.com/dlp/docs/pseudonymization to learn more.
1070 "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the hash function.
1071 # a key encryption key (KEK) stored by KMS).
1072 # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
1073 # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
1074 # unwrap the data crypto key.
1075 "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS.
1076 # The wrapped key must be a 128/192/256 bit key.
1077 # Authorization requires the following IAM permissions when sending a request
1078 # to perform a crypto transformation using a kms-wrapped crypto key:
1079 # dlp.kms.encrypt
1080 "cryptoKeyName": "A String", # The resource name of the KMS CryptoKey to use for unwrapping. [required]
1081 "wrappedKey": "A String", # The wrapped data crypto key. [required]
1082 },
1083 "unwrapped": { # Using raw keys is prone to security risks due to accidentally
1084 # leaking the key. Choose another type of key if possible.
1085 "key": "A String", # A 128/192/256 bit key. [required]
1086 },
1087 "transient": { # Use this to have a random data crypto key generated.
1088 # It will be discarded after the request finishes.
1089 "name": "A String", # Name of the key. [required]
1090 # This is an arbitrary string used to differentiate different keys.
1091 # A unique key is generated per name: two separate `TransientCryptoKey`
1092 # protos share the same generated key if their names are the same.
1093 # When the data crypto key is generated, this name is not used in any way
1094 # (repeating the api call will result in a different key being generated).
1095 },
1096 },
1097 },
1098 "dateShiftConfig": { # Shifts dates by random number of days, with option to be consistent for the
1099 # same context. See https://cloud.google.com/dlp/docs/concepts-date-shifting
1100 # to learn more.
1101 "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # Causes the shift to be computed based on this key and the context. This
1102 # results in the same shift for the same context and crypto_key.
1103 # a key encryption key (KEK) stored by KMS).
1104 # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
1105 # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
1106 # unwrap the data crypto key.
1107 "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS.
1108 # The wrapped key must be a 128/192/256 bit key.
1109 # Authorization requires the following IAM permissions when sending a request
1110 # to perform a crypto transformation using a kms-wrapped crypto key:
1111 # dlp.kms.encrypt
1112 "cryptoKeyName": "A String", # The resource name of the KMS CryptoKey to use for unwrapping. [required]
1113 "wrappedKey": "A String", # The wrapped data crypto key. [required]
1114 },
1115 "unwrapped": { # Using raw keys is prone to security risks due to accidentally
1116 # leaking the key. Choose another type of key if possible.
1117 "key": "A String", # A 128/192/256 bit key. [required]
1118 },
1119 "transient": { # Use this to have a random data crypto key generated.
1120 # It will be discarded after the request finishes.
1121 "name": "A String", # Name of the key. [required]
1122 # This is an arbitrary string used to differentiate different keys.
1123 # A unique key is generated per name: two separate `TransientCryptoKey`
1124 # protos share the same generated key if their names are the same.
1125 # When the data crypto key is generated, this name is not used in any way
1126 # (repeating the api call will result in a different key being generated).
1127 },
1128 },
1129 "lowerBoundDays": 42, # For example, -5 means shift date to at most 5 days back in the past.
1130 # [Required]
1131 "upperBoundDays": 42, # Range of shift in days. Actual shift will be selected at random within this
1132 # range (inclusive ends). Negative means shift to earlier in time. Must not
1133 # be more than 365250 days (1000 years) each direction.
1134 #
1135 # For example, 3 means shift date to at most 3 days into the future.
1136 # [Required]
1137 "context": { # General identifier of a data field in a storage service. # Points to the field that contains the context, for example, an entity id.
1138 # If set, must also set method. If set, shift will be consistent for the
1139 # given context.
1140 "name": "A String", # Name describing the field.
1141 },
1142 },
1143 "bucketingConfig": { # Generalization function that buckets values based on ranges. The ranges and
1144 # replacement values are dynamically provided by the user for custom behavior,
1145 # such as 1-30 -> LOW 31-65 -> MEDIUM 66-100 -> HIGH
1146 # This can be used on
1147 # data of type: number, long, string, timestamp.
1148 # If the bound `Value` type differs from the type of data being transformed, we
1149 # will first attempt converting the type of the data to be transformed to match
1150 # the type of the bound before comparing.
1151 # See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more.
1152 "buckets": [ # Set of buckets. Ranges must be non-overlapping.
1153 { # Bucket is represented as a range, along with replacement values.
1154 "max": { # Set of primitive values supported by the system. # Upper bound of the range, exclusive; type must match min.
1155 # Note that for the purposes of inspection or transformation, the number
1156 # of bytes considered to comprise a 'Value' is based on its representation
1157 # as a UTF-8 encoded string. For example, if 'integer_value' is set to
1158 # 123456789, the number of bytes would be counted as 9, even though an
1159 # int64 only holds up to 8 bytes of data.
1160 "floatValue": 3.14,
1161 "timestampValue": "A String",
1162 "dayOfWeekValue": "A String",
1163 "timeValue": { # Represents a time of day. The date and time zone are either not significant
1164 # or are specified elsewhere. An API may choose to allow leap seconds. Related
1165 # types are google.type.Date and `google.protobuf.Timestamp`.
1166 "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
1167 # to allow the value "24:00:00" for scenarios like business closing time.
1168 "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
1169 "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
1170 # allow the value 60 if it allows leap-seconds.
1171 "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
1172 },
1173 "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
1174 # and time zone are either specified elsewhere or are not significant. The date
1175 # is relative to the Proleptic Gregorian Calendar. This can represent:
1176 #
1177 # * A full date, with non-zero year, month and day values
1178 # * A month and day value, with a zero year, e.g. an anniversary
1179 # * A year on its own, with zero month and day values
1180 # * A year and month value, with a zero day, e.g. a credit card expiration date
1181 #
1182 # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
1183 "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
1184 # a year.
1185 "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
1186 # if specifying a year by itself or a year and month where the day is not
1187 # significant.
1188 "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
1189 # month and day.
1190 },
1191 "stringValue": "A String",
1192 "booleanValue": True or False,
1193 "integerValue": "A String",
1194 },
1195 "replacementValue": { # Set of primitive values supported by the system. # Replacement value for this bucket. If not provided
1196 # the default behavior will be to hyphenate the min-max range.
1197 # Note that for the purposes of inspection or transformation, the number
1198 # of bytes considered to comprise a 'Value' is based on its representation
1199 # as a UTF-8 encoded string. For example, if 'integer_value' is set to
1200 # 123456789, the number of bytes would be counted as 9, even though an
1201 # int64 only holds up to 8 bytes of data.
1202 "floatValue": 3.14,
1203 "timestampValue": "A String",
1204 "dayOfWeekValue": "A String",
1205 "timeValue": { # Represents a time of day. The date and time zone are either not significant
1206 # or are specified elsewhere. An API may choose to allow leap seconds. Related
1207 # types are google.type.Date and `google.protobuf.Timestamp`.
1208 "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
1209 # to allow the value "24:00:00" for scenarios like business closing time.
1210 "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
1211 "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
1212 # allow the value 60 if it allows leap-seconds.
1213 "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
1214 },
1215 "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
1216 # and time zone are either specified elsewhere or are not significant. The date
1217 # is relative to the Proleptic Gregorian Calendar. This can represent:
1218 #
1219 # * A full date, with non-zero year, month and day values
1220 # * A month and day value, with a zero year, e.g. an anniversary
1221 # * A year on its own, with zero month and day values
1222 # * A year and month value, with a zero day, e.g. a credit card expiration date
1223 #
1224 # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
1225 "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
1226 # a year.
1227 "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
1228 # if specifying a year by itself or a year and month where the day is not
1229 # significant.
1230 "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
1231 # month and day.
1232 },
1233 "stringValue": "A String",
1234 "booleanValue": True or False,
1235 "integerValue": "A String",
1236 },
1237 "min": { # Set of primitive values supported by the system. # Lower bound of the range, inclusive. Type should be the same as max if
1238 # used.
1239 # Note that for the purposes of inspection or transformation, the number
1240 # of bytes considered to comprise a 'Value' is based on its representation
1241 # as a UTF-8 encoded string. For example, if 'integer_value' is set to
1242 # 123456789, the number of bytes would be counted as 9, even though an
1243 # int64 only holds up to 8 bytes of data.
1244 "floatValue": 3.14,
1245 "timestampValue": "A String",
1246 "dayOfWeekValue": "A String",
1247 "timeValue": { # Represents a time of day. The date and time zone are either not significant
1248 # or are specified elsewhere. An API may choose to allow leap seconds. Related
1249 # types are google.type.Date and `google.protobuf.Timestamp`.
1250 "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
1251 # to allow the value "24:00:00" for scenarios like business closing time.
1252 "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
1253 "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
1254 # allow the value 60 if it allows leap-seconds.
1255 "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
1256 },
1257 "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
1258 # and time zone are either specified elsewhere or are not significant. The date
1259 # is relative to the Proleptic Gregorian Calendar. This can represent:
1260 #
1261 # * A full date, with non-zero year, month and day values
1262 # * A month and day value, with a zero year, e.g. an anniversary
1263 # * A year on its own, with zero month and day values
1264 # * A year and month value, with a zero day, e.g. a credit card expiration date
1265 #
1266 # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
1267 "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
1268 # a year.
1269 "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
1270 # if specifying a year by itself or a year and month where the day is not
1271 # significant.
1272 "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
1273 # month and day.
1274 },
1275 "stringValue": "A String",
1276 "booleanValue": True or False,
1277 "integerValue": "A String",
1278 },
1279 },
1280 ],
1281 },
1282 "cryptoReplaceFfxFpeConfig": { # Replaces an identifier with a surrogate using Format Preserving Encryption
1283 # (FPE) with the FFX mode of operation; however when used in the
1284 # `ReidentifyContent` API method, it serves the opposite function by reversing
1285 # the surrogate back into the original identifier. The identifier must be
1286 # encoded as ASCII. For a given crypto key and context, the same identifier
1287 # will be replaced with the same surrogate. Identifiers must be at least two
1288 # characters long. In the case that the identifier is the empty string, it will
1289 # be skipped. See https://cloud.google.com/dlp/docs/pseudonymization to learn
1290 # more.
1291 #
1292 # Note: We recommend using CryptoDeterministicConfig for all use cases which
1293 # do not require preserving the input alphabet space and size, plus warrant
1294 # referential integrity.
1295 "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the encryption algorithm. [required]
1296 # a key encryption key (KEK) stored by KMS).
1297 # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
1298 # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
1299 # unwrap the data crypto key.
1300 "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS.
1301 # The wrapped key must be a 128/192/256 bit key.
1302 # Authorization requires the following IAM permissions when sending a request
1303 # to perform a crypto transformation using a kms-wrapped crypto key:
1304 # dlp.kms.encrypt
1305 "cryptoKeyName": "A String", # The resource name of the KMS CryptoKey to use for unwrapping. [required]
1306 "wrappedKey": "A String", # The wrapped data crypto key. [required]
1307 },
1308 "unwrapped": { # Using raw keys is prone to security risks due to accidentally
1309 # leaking the key. Choose another type of key if possible.
1310 "key": "A String", # A 128/192/256 bit key. [required]
1311 },
1312 "transient": { # Use this to have a random data crypto key generated.
1313 # It will be discarded after the request finishes.
1314 "name": "A String", # Name of the key. [required]
1315 # This is an arbitrary string used to differentiate different keys.
1316 # A unique key is generated per name: two separate `TransientCryptoKey`
1317 # protos share the same generated key if their names are the same.
1318 # When the data crypto key is generated, this name is not used in any way
1319 # (repeating the api call will result in a different key being generated).
1320 },
1321 },
1322 "radix": 42, # The native way to select the alphabet. Must be in the range [2, 62].
1323 "commonAlphabet": "A String",
1324 "customAlphabet": "A String", # This is supported by mapping these to the alphanumeric characters
1325 # that the FFX mode natively supports. This happens before/after
1326 # encryption/decryption.
1327 # Each character listed must appear only once.
1328 # Number of characters must be in the range [2, 62].
1329 # This must be encoded as ASCII.
1330 # The order of characters does not matter.
1331 "context": { # General identifier of a data field in a storage service. # The 'tweak', a context may be used for higher security since the same
1332 # identifier in two different contexts won't be given the same surrogate. If
1333 # the context is not set, a default tweak will be used.
1334 #
1335 # If the context is set but:
1336 #
1337 # 1. there is no record present when transforming a given value or
1338 # 1. the field is not present when transforming a given value,
1339 #
1340 # a default tweak will be used.
1341 #
1342 # Note that case (1) is expected when an `InfoTypeTransformation` is
1343 # applied to both structured and non-structured `ContentItem`s.
1344 # Currently, the referenced field may be of value type integer or string.
1345 #
1346 # The tweak is constructed as a sequence of bytes in big endian byte order
1347 # such that:
1348 #
1349 # - a 64 bit integer is encoded followed by a single byte of value 1
1350 # - a string is encoded in UTF-8 format followed by a single byte of value 2
1351 "name": "A String", # Name describing the field.
1352 },
1353 "surrogateInfoType": { # Type of information detected by the API. # The custom infoType to annotate the surrogate with.
1354 # This annotation will be applied to the surrogate by prefixing it with
1355 # the name of the custom infoType followed by the number of
1356 # characters comprising the surrogate. The following scheme defines the
1357 # format: info_type_name(surrogate_character_count):surrogate
1358 #
1359 # For example, if the name of custom infoType is 'MY_TOKEN_INFO_TYPE' and
1360 # the surrogate is 'abc', the full replacement value
1361 # will be: 'MY_TOKEN_INFO_TYPE(3):abc'
1362 #
1363 # This annotation identifies the surrogate when inspecting content using the
1364 # custom infoType
1365 # [`SurrogateType`](/dlp/docs/reference/rest/v2/InspectConfig#surrogatetype).
1366 # This facilitates reversal of the surrogate when it occurs in free text.
1367 #
1368 # In order for inspection to work properly, the name of this infoType must
1369 # not occur naturally anywhere in your data; otherwise, inspection may
1370 # find a surrogate that does not correspond to an actual identifier.
1371 # Therefore, choose your custom infoType name carefully after considering
1372 # what your data looks like. One way to select a name that has a high chance
1373 # of yielding reliable detection is to include one or more unicode characters
1374 # that are highly improbable to exist in your data.
1375 # For example, assuming your data is entered from a regular ASCII keyboard,
1376 # the symbol with the hex code point 29DD might be used like so:
1377 # ⧝MY_TOKEN_TYPE
1378 "name": "A String", # Name of the information type. Either a name of your choosing when
1379 # creating a CustomInfoType, or one of the names listed
1380 # at https://cloud.google.com/dlp/docs/infotypes-reference when specifying
1381 # a built-in type. InfoType names should conform to the pattern
1382 # [a-zA-Z0-9_]{1,64}.
1383 },
1384 },
1385 "replaceConfig": { # Replace each input value with a given `Value`.
1386 "newValue": { # Set of primitive values supported by the system. # Value to replace it with.
1387 # Note that for the purposes of inspection or transformation, the number
1388 # of bytes considered to comprise a 'Value' is based on its representation
1389 # as a UTF-8 encoded string. For example, if 'integer_value' is set to
1390 # 123456789, the number of bytes would be counted as 9, even though an
1391 # int64 only holds up to 8 bytes of data.
1392 "floatValue": 3.14,
1393 "timestampValue": "A String",
1394 "dayOfWeekValue": "A String",
1395 "timeValue": { # Represents a time of day. The date and time zone are either not significant
1396 # or are specified elsewhere. An API may choose to allow leap seconds. Related
1397 # types are google.type.Date and `google.protobuf.Timestamp`.
1398 "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
1399 # to allow the value "24:00:00" for scenarios like business closing time.
1400 "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
1401 "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
1402 # allow the value 60 if it allows leap-seconds.
1403 "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
1404 },
1405 "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
1406 # and time zone are either specified elsewhere or are not significant. The date
1407 # is relative to the Proleptic Gregorian Calendar. This can represent:
1408 #
1409 # * A full date, with non-zero year, month and day values
1410 # * A month and day value, with a zero year, e.g. an anniversary
1411 # * A year on its own, with zero month and day values
1412 # * A year and month value, with a zero day, e.g. a credit card expiration date
1413 #
1414 # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
1415 "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
1416 # a year.
1417 "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
1418 # if specifying a year by itself or a year and month where the day is not
1419 # significant.
1420 "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
1421 # month and day.
1422 },
1423 "stringValue": "A String",
1424 "booleanValue": True or False,
1425 "integerValue": "A String",
1426 },
1427 },
1428 },
1429 "infoTypes": [ # InfoTypes to apply the transformation to. An empty list will cause
1430 # this transformation to apply to all findings that correspond to
1431 # infoTypes that were requested in `InspectConfig`.
1432 { # Type of information detected by the API.
1433 "name": "A String", # Name of the information type. Either a name of your choosing when
1434 # creating a CustomInfoType, or one of the names listed
1435 # at https://cloud.google.com/dlp/docs/infotypes-reference when specifying
1436 # a built-in type. InfoType names should conform to the pattern
1437 # [a-zA-Z0-9_]{1,64}.
1438 },
1439 ],
1440 },
1441 ],
1442 },
1443 "primitiveTransformation": { # A rule for transforming a value. # Apply the transformation to the entire field.
1444 "characterMaskConfig": { # Partially mask a string by replacing a given number of characters with a
1445 # fixed character. Masking can start from the beginning or end of the string.
1446 # This can be used on data of any type (numbers, longs, and so on) and when
1447 # de-identifying structured data we'll attempt to preserve the original data's
1448 # type. (This allows you to take a long like 123 and modify it to a string like
1449 # **3.
1450 "charactersToIgnore": [ # When masking a string, items in this list will be skipped when replacing.
1451 # For example, if your string is 555-555-5555 and you ask us to skip `-` and
1452 # mask 5 chars with * we would produce ***-*55-5555.
1453 { # Characters to skip when doing deidentification of a value. These will be left
1454 # alone and skipped.
1455 "commonCharactersToIgnore": "A String",
1456 "charactersToSkip": "A String",
1457 },
1458 ],
1459 "numberToMask": 42, # Number of characters to mask. If not set, all matching chars will be
1460 # masked. Skipped characters do not count towards this tally.
1461 "maskingCharacter": "A String", # Character to mask the sensitive values&mdash;for example, "*" for an
1462 # alphabetic string such as name, or "0" for a numeric string such as ZIP
1463 # code or credit card number. String must have length 1. If not supplied, we
1464 # will default to "*" for strings, 0 for digits.
1465 "reverseOrder": True or False, # Mask characters in reverse order. For example, if `masking_character` is
1466 # '0', number_to_mask is 14, and `reverse_order` is false, then
1467 # 1234-5678-9012-3456 -> 00000000000000-3456
1468 # If `masking_character` is '*', `number_to_mask` is 3, and `reverse_order`
1469 # is true, then 12345 -> 12***
1470 },
1471 "redactConfig": { # Redact a given value. For example, if used with an `InfoTypeTransformation`
1472 # transforming PHONE_NUMBER, and input 'My phone number is 206-555-0123', the
1473 # output would be 'My phone number is '.
1474 },
1475 "cryptoDeterministicConfig": { # Pseudonymization method that generates deterministic encryption for the given
1476 # input. Outputs a base64 encoded representation of the encrypted output.
1477 # Uses AES-SIV based on the RFC https://tools.ietf.org/html/rfc5297.
1478 "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the encryption function.
1479 # a key encryption key (KEK) stored by KMS).
1480 # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
1481 # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
1482 # unwrap the data crypto key.
1483 "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS.
1484 # The wrapped key must be a 128/192/256 bit key.
1485 # Authorization requires the following IAM permissions when sending a request
1486 # to perform a crypto transformation using a kms-wrapped crypto key:
1487 # dlp.kms.encrypt
1488 "cryptoKeyName": "A String", # The resource name of the KMS CryptoKey to use for unwrapping. [required]
1489 "wrappedKey": "A String", # The wrapped data crypto key. [required]
1490 },
1491 "unwrapped": { # Using raw keys is prone to security risks due to accidentally
1492 # leaking the key. Choose another type of key if possible.
1493 "key": "A String", # A 128/192/256 bit key. [required]
1494 },
1495 "transient": { # Use this to have a random data crypto key generated.
1496 # It will be discarded after the request finishes.
1497 "name": "A String", # Name of the key. [required]
1498 # This is an arbitrary string used to differentiate different keys.
1499 # A unique key is generated per name: two separate `TransientCryptoKey`
1500 # protos share the same generated key if their names are the same.
1501 # When the data crypto key is generated, this name is not used in any way
1502 # (repeating the api call will result in a different key being generated).
1503 },
1504 },
1505 "context": { # General identifier of a data field in a storage service. # Optional. A context may be used for higher security and maintaining
1506 # referential integrity such that the same identifier in two different
1507 # contexts will be given a distinct surrogate. The context is appended to
1508 # plaintext value being encrypted. On decryption the provided context is
1509 # validated against the value used during encryption. If a context was
1510 # provided during encryption, same context must be provided during decryption
1511 # as well.
1512 #
1513 # If the context is not set, plaintext would be used as is for encryption.
1514 # If the context is set but:
1515 #
1516 # 1. there is no record present when transforming a given value or
1517 # 2. the field is not present when transforming a given value,
1518 #
1519 # plaintext would be used as is for encryption.
1520 #
1521 # Note that case (1) is expected when an `InfoTypeTransformation` is
1522 # applied to both structured and non-structured `ContentItem`s.
1523 "name": "A String", # Name describing the field.
1524 },
1525 "surrogateInfoType": { # Type of information detected by the API. # The custom info type to annotate the surrogate with.
1526 # This annotation will be applied to the surrogate by prefixing it with
1527 # the name of the custom info type followed by the number of
1528 # characters comprising the surrogate. The following scheme defines the
1529 # format: <info type name>(<surrogate character count>):<surrogate>
1530 #
1531 # For example, if the name of custom info type is 'MY_TOKEN_INFO_TYPE' and
1532 # the surrogate is 'abc', the full replacement value
1533 # will be: 'MY_TOKEN_INFO_TYPE(3):abc'
1534 #
1535 # This annotation identifies the surrogate when inspecting content using the
1536 # custom info type 'Surrogate'. This facilitates reversal of the
1537 # surrogate when it occurs in free text.
1538 #
1539 # In order for inspection to work properly, the name of this info type must
1540 # not occur naturally anywhere in your data; otherwise, inspection may either
1541 #
1542 # - reverse a surrogate that does not correspond to an actual identifier
1543 # - be unable to parse the surrogate and result in an error
1544 #
1545 # Therefore, choose your custom info type name carefully after considering
1546 # what your data looks like. One way to select a name that has a high chance
1547 # of yielding reliable detection is to include one or more unicode characters
1548 # that are highly improbable to exist in your data.
1549 # For example, assuming your data is entered from a regular ASCII keyboard,
1550 # the symbol with the hex code point 29DD might be used like so:
1551 # ⧝MY_TOKEN_TYPE
1552 "name": "A String", # Name of the information type. Either a name of your choosing when
1553 # creating a CustomInfoType, or one of the names listed
1554 # at https://cloud.google.com/dlp/docs/infotypes-reference when specifying
1555 # a built-in type. InfoType names should conform to the pattern
1556 # [a-zA-Z0-9_]{1,64}.
1557 },
1558 },
1559 "fixedSizeBucketingConfig": { # Buckets values based on fixed size ranges. The
1560 # Bucketing transformation can provide all of this functionality,
1561 # but requires more configuration. This message is provided as a convenience to
1562 # the user for simple bucketing strategies.
1563 #
1564 # The transformed value will be a hyphenated string of
1565 # <lower_bound>-<upper_bound>, i.e if lower_bound = 10 and upper_bound = 20
1566 # all values that are within this bucket will be replaced with "10-20".
1567 #
1568 # This can be used on data of type: double, long.
1569 #
1570 # If the bound Value type differs from the type of data
1571 # being transformed, we will first attempt converting the type of the data to
1572 # be transformed to match the type of the bound before comparing.
1573 #
1574 # See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more.
1575 "lowerBound": { # Set of primitive values supported by the system. # Lower bound value of buckets. All values less than `lower_bound` are
1576 # grouped together into a single bucket; for example if `lower_bound` = 10,
1577 # then all values less than 10 are replaced with the value “-10”. [Required].
1578 # Note that for the purposes of inspection or transformation, the number
1579 # of bytes considered to comprise a 'Value' is based on its representation
1580 # as a UTF-8 encoded string. For example, if 'integer_value' is set to
1581 # 123456789, the number of bytes would be counted as 9, even though an
1582 # int64 only holds up to 8 bytes of data.
1583 "floatValue": 3.14,
1584 "timestampValue": "A String",
1585 "dayOfWeekValue": "A String",
1586 "timeValue": { # Represents a time of day. The date and time zone are either not significant
1587 # or are specified elsewhere. An API may choose to allow leap seconds. Related
1588 # types are google.type.Date and `google.protobuf.Timestamp`.
1589 "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
1590 # to allow the value "24:00:00" for scenarios like business closing time.
1591 "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
1592 "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
1593 # allow the value 60 if it allows leap-seconds.
1594 "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
1595 },
1596 "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
1597 # and time zone are either specified elsewhere or are not significant. The date
1598 # is relative to the Proleptic Gregorian Calendar. This can represent:
1599 #
1600 # * A full date, with non-zero year, month and day values
1601 # * A month and day value, with a zero year, e.g. an anniversary
1602 # * A year on its own, with zero month and day values
1603 # * A year and month value, with a zero day, e.g. a credit card expiration date
1604 #
1605 # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
1606 "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
1607 # a year.
1608 "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
1609 # if specifying a year by itself or a year and month where the day is not
1610 # significant.
1611 "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
1612 # month and day.
1613 },
1614 "stringValue": "A String",
1615 "booleanValue": True or False,
1616 "integerValue": "A String",
1617 },
1618 "upperBound": { # Set of primitive values supported by the system. # Upper bound value of buckets. All values greater than upper_bound are
1619 # grouped together into a single bucket; for example if `upper_bound` = 89,
1620 # then all values greater than 89 are replaced with the value “89+”.
1621 # [Required].
1622 # Note that for the purposes of inspection or transformation, the number
1623 # of bytes considered to comprise a 'Value' is based on its representation
1624 # as a UTF-8 encoded string. For example, if 'integer_value' is set to
1625 # 123456789, the number of bytes would be counted as 9, even though an
1626 # int64 only holds up to 8 bytes of data.
1627 "floatValue": 3.14,
1628 "timestampValue": "A String",
1629 "dayOfWeekValue": "A String",
1630 "timeValue": { # Represents a time of day. The date and time zone are either not significant
1631 # or are specified elsewhere. An API may choose to allow leap seconds. Related
1632 # types are google.type.Date and `google.protobuf.Timestamp`.
1633 "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
1634 # to allow the value "24:00:00" for scenarios like business closing time.
1635 "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
1636 "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
1637 # allow the value 60 if it allows leap-seconds.
1638 "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
1639 },
1640 "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
1641 # and time zone are either specified elsewhere or are not significant. The date
1642 # is relative to the Proleptic Gregorian Calendar. This can represent:
1643 #
1644 # * A full date, with non-zero year, month and day values
1645 # * A month and day value, with a zero year, e.g. an anniversary
1646 # * A year on its own, with zero month and day values
1647 # * A year and month value, with a zero day, e.g. a credit card expiration date
1648 #
1649 # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
1650 "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
1651 # a year.
1652 "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
1653 # if specifying a year by itself or a year and month where the day is not
1654 # significant.
1655 "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
1656 # month and day.
1657 },
1658 "stringValue": "A String",
1659 "booleanValue": True or False,
1660 "integerValue": "A String",
1661 },
1662 "bucketSize": 3.14, # Size of each bucket (except for minimum and maximum buckets). So if
1663 # `lower_bound` = 10, `upper_bound` = 89, and `bucket_size` = 10, then the
1664 # following buckets would be used: -10, 10-20, 20-30, 30-40, 40-50, 50-60,
1665 # 60-70, 70-80, 80-89, 89+. Precision up to 2 decimals works. [Required].
1666 },
1667 "replaceWithInfoTypeConfig": { # Replace each matching finding with the name of the info_type.
1668 },
1669 "timePartConfig": { # For use with `Date`, `Timestamp`, and `TimeOfDay`, extract or preserve a
1670 # portion of the value.
1671 "partToExtract": "A String",
1672 },
1673 "cryptoHashConfig": { # Pseudonymization method that generates surrogates via cryptographic hashing.
1674 # Uses SHA-256.
1675 # The key size must be either 32 or 64 bytes.
1676 # Outputs a base64 encoded representation of the hashed output
1677 # (for example, L7k0BHmF1ha5U3NfGykjro4xWi1MPVQPjhMAZbSV9mM=).
1678 # Currently, only string and integer values can be hashed.
1679 # See https://cloud.google.com/dlp/docs/pseudonymization to learn more.
1680 "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the hash function.
1681 # a key encryption key (KEK) stored by KMS).
1682 # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
1683 # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
1684 # unwrap the data crypto key.
1685 "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS.
1686 # The wrapped key must be a 128/192/256 bit key.
1687 # Authorization requires the following IAM permissions when sending a request
1688 # to perform a crypto transformation using a kms-wrapped crypto key:
1689 # dlp.kms.encrypt
1690 "cryptoKeyName": "A String", # The resource name of the KMS CryptoKey to use for unwrapping. [required]
1691 "wrappedKey": "A String", # The wrapped data crypto key. [required]
1692 },
1693 "unwrapped": { # Using raw keys is prone to security risks due to accidentally
1694 # leaking the key. Choose another type of key if possible.
1695 "key": "A String", # A 128/192/256 bit key. [required]
1696 },
1697 "transient": { # Use this to have a random data crypto key generated.
1698 # It will be discarded after the request finishes.
1699 "name": "A String", # Name of the key. [required]
1700 # This is an arbitrary string used to differentiate different keys.
1701 # A unique key is generated per name: two separate `TransientCryptoKey`
1702 # protos share the same generated key if their names are the same.
1703 # When the data crypto key is generated, this name is not used in any way
1704 # (repeating the api call will result in a different key being generated).
1705 },
1706 },
1707 },
1708 "dateShiftConfig": { # Shifts dates by random number of days, with option to be consistent for the
1709 # same context. See https://cloud.google.com/dlp/docs/concepts-date-shifting
1710 # to learn more.
1711 "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # Causes the shift to be computed based on this key and the context. This
1712 # results in the same shift for the same context and crypto_key.
1713 # a key encryption key (KEK) stored by KMS).
1714 # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
1715 # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
1716 # unwrap the data crypto key.
1717 "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS.
1718 # The wrapped key must be a 128/192/256 bit key.
1719 # Authorization requires the following IAM permissions when sending a request
1720 # to perform a crypto transformation using a kms-wrapped crypto key:
1721 # dlp.kms.encrypt
1722 "cryptoKeyName": "A String", # The resource name of the KMS CryptoKey to use for unwrapping. [required]
1723 "wrappedKey": "A String", # The wrapped data crypto key. [required]
1724 },
1725 "unwrapped": { # Using raw keys is prone to security risks due to accidentally
1726 # leaking the key. Choose another type of key if possible.
1727 "key": "A String", # A 128/192/256 bit key. [required]
1728 },
1729 "transient": { # Use this to have a random data crypto key generated.
1730 # It will be discarded after the request finishes.
1731 "name": "A String", # Name of the key. [required]
1732 # This is an arbitrary string used to differentiate different keys.
1733 # A unique key is generated per name: two separate `TransientCryptoKey`
1734 # protos share the same generated key if their names are the same.
1735 # When the data crypto key is generated, this name is not used in any way
1736 # (repeating the api call will result in a different key being generated).
1737 },
1738 },
1739 "lowerBoundDays": 42, # For example, -5 means shift date to at most 5 days back in the past.
1740 # [Required]
1741 "upperBoundDays": 42, # Range of shift in days. Actual shift will be selected at random within this
1742 # range (inclusive ends). Negative means shift to earlier in time. Must not
1743 # be more than 365250 days (1000 years) each direction.
1744 #
1745 # For example, 3 means shift date to at most 3 days into the future.
1746 # [Required]
1747 "context": { # General identifier of a data field in a storage service. # Points to the field that contains the context, for example, an entity id.
1748 # If set, must also set method. If set, shift will be consistent for the
1749 # given context.
1750 "name": "A String", # Name describing the field.
1751 },
1752 },
1753 "bucketingConfig": { # Generalization function that buckets values based on ranges. The ranges and
1754 # replacement values are dynamically provided by the user for custom behavior,
1755 # such as 1-30 -> LOW 31-65 -> MEDIUM 66-100 -> HIGH
1756 # This can be used on
1757 # data of type: number, long, string, timestamp.
1758 # If the bound `Value` type differs from the type of data being transformed, we
1759 # will first attempt converting the type of the data to be transformed to match
1760 # the type of the bound before comparing.
1761 # See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more.
1762 "buckets": [ # Set of buckets. Ranges must be non-overlapping.
1763 { # Bucket is represented as a range, along with replacement values.
1764 "max": { # Set of primitive values supported by the system. # Upper bound of the range, exclusive; type must match min.
1765 # Note that for the purposes of inspection or transformation, the number
1766 # of bytes considered to comprise a 'Value' is based on its representation
1767 # as a UTF-8 encoded string. For example, if 'integer_value' is set to
1768 # 123456789, the number of bytes would be counted as 9, even though an
1769 # int64 only holds up to 8 bytes of data.
1770 "floatValue": 3.14,
1771 "timestampValue": "A String",
1772 "dayOfWeekValue": "A String",
1773 "timeValue": { # Represents a time of day. The date and time zone are either not significant
1774 # or are specified elsewhere. An API may choose to allow leap seconds. Related
1775 # types are google.type.Date and `google.protobuf.Timestamp`.
1776 "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
1777 # to allow the value "24:00:00" for scenarios like business closing time.
1778 "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
1779 "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
1780 # allow the value 60 if it allows leap-seconds.
1781 "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
1782 },
1783 "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
1784 # and time zone are either specified elsewhere or are not significant. The date
1785 # is relative to the Proleptic Gregorian Calendar. This can represent:
1786 #
1787 # * A full date, with non-zero year, month and day values
1788 # * A month and day value, with a zero year, e.g. an anniversary
1789 # * A year on its own, with zero month and day values
1790 # * A year and month value, with a zero day, e.g. a credit card expiration date
1791 #
1792 # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
1793 "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
1794 # a year.
1795 "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
1796 # if specifying a year by itself or a year and month where the day is not
1797 # significant.
1798 "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
1799 # month and day.
1800 },
1801 "stringValue": "A String",
1802 "booleanValue": True or False,
1803 "integerValue": "A String",
1804 },
1805 "replacementValue": { # Set of primitive values supported by the system. # Replacement value for this bucket. If not provided
1806 # the default behavior will be to hyphenate the min-max range.
1807 # Note that for the purposes of inspection or transformation, the number
1808 # of bytes considered to comprise a 'Value' is based on its representation
1809 # as a UTF-8 encoded string. For example, if 'integer_value' is set to
1810 # 123456789, the number of bytes would be counted as 9, even though an
1811 # int64 only holds up to 8 bytes of data.
1812 "floatValue": 3.14,
1813 "timestampValue": "A String",
1814 "dayOfWeekValue": "A String",
1815 "timeValue": { # Represents a time of day. The date and time zone are either not significant
1816 # or are specified elsewhere. An API may choose to allow leap seconds. Related
1817 # types are google.type.Date and `google.protobuf.Timestamp`.
1818 "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
1819 # to allow the value "24:00:00" for scenarios like business closing time.
1820 "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
1821 "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
1822 # allow the value 60 if it allows leap-seconds.
1823 "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
1824 },
1825 "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
1826 # and time zone are either specified elsewhere or are not significant. The date
1827 # is relative to the Proleptic Gregorian Calendar. This can represent:
1828 #
1829 # * A full date, with non-zero year, month and day values
1830 # * A month and day value, with a zero year, e.g. an anniversary
1831 # * A year on its own, with zero month and day values
1832 # * A year and month value, with a zero day, e.g. a credit card expiration date
1833 #
1834 # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
1835 "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
1836 # a year.
1837 "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
1838 # if specifying a year by itself or a year and month where the day is not
1839 # significant.
1840 "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
1841 # month and day.
1842 },
1843 "stringValue": "A String",
1844 "booleanValue": True or False,
1845 "integerValue": "A String",
1846 },
1847 "min": { # Set of primitive values supported by the system. # Lower bound of the range, inclusive. Type should be the same as max if
1848 # used.
1849 # Note that for the purposes of inspection or transformation, the number
1850 # of bytes considered to comprise a 'Value' is based on its representation
1851 # as a UTF-8 encoded string. For example, if 'integer_value' is set to
1852 # 123456789, the number of bytes would be counted as 9, even though an
1853 # int64 only holds up to 8 bytes of data.
1854 "floatValue": 3.14,
1855 "timestampValue": "A String",
1856 "dayOfWeekValue": "A String",
1857 "timeValue": { # Represents a time of day. The date and time zone are either not significant
1858 # or are specified elsewhere. An API may choose to allow leap seconds. Related
1859 # types are google.type.Date and `google.protobuf.Timestamp`.
1860 "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
1861 # to allow the value "24:00:00" for scenarios like business closing time.
1862 "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
1863 "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
1864 # allow the value 60 if it allows leap-seconds.
1865 "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
1866 },
1867 "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
1868 # and time zone are either specified elsewhere or are not significant. The date
1869 # is relative to the Proleptic Gregorian Calendar. This can represent:
1870 #
1871 # * A full date, with non-zero year, month and day values
1872 # * A month and day value, with a zero year, e.g. an anniversary
1873 # * A year on its own, with zero month and day values
1874 # * A year and month value, with a zero day, e.g. a credit card expiration date
1875 #
1876 # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
1877 "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
1878 # a year.
1879 "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
1880 # if specifying a year by itself or a year and month where the day is not
1881 # significant.
1882 "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
1883 # month and day.
1884 },
1885 "stringValue": "A String",
1886 "booleanValue": True or False,
1887 "integerValue": "A String",
1888 },
1889 },
1890 ],
1891 },
1892 "cryptoReplaceFfxFpeConfig": { # Replaces an identifier with a surrogate using Format Preserving Encryption
1893 # (FPE) with the FFX mode of operation; however when used in the
1894 # `ReidentifyContent` API method, it serves the opposite function by reversing
1895 # the surrogate back into the original identifier. The identifier must be
1896 # encoded as ASCII. For a given crypto key and context, the same identifier
1897 # will be replaced with the same surrogate. Identifiers must be at least two
1898 # characters long. In the case that the identifier is the empty string, it will
1899 # be skipped. See https://cloud.google.com/dlp/docs/pseudonymization to learn
1900 # more.
1901 #
1902 # Note: We recommend using CryptoDeterministicConfig for all use cases which
1903 # do not require preserving the input alphabet space and size, plus warrant
1904 # referential integrity.
1905 "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the encryption algorithm. [required]
1906 # a key encryption key (KEK) stored by KMS).
1907 # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
1908 # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
1909 # unwrap the data crypto key.
1910 "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS.
1911 # The wrapped key must be a 128/192/256 bit key.
1912 # Authorization requires the following IAM permissions when sending a request
1913 # to perform a crypto transformation using a kms-wrapped crypto key:
1914 # dlp.kms.encrypt
1915 "cryptoKeyName": "A String", # The resource name of the KMS CryptoKey to use for unwrapping. [required]
1916 "wrappedKey": "A String", # The wrapped data crypto key. [required]
1917 },
1918 "unwrapped": { # Using raw keys is prone to security risks due to accidentally
1919 # leaking the key. Choose another type of key if possible.
1920 "key": "A String", # A 128/192/256 bit key. [required]
1921 },
1922 "transient": { # Use this to have a random data crypto key generated.
1923 # It will be discarded after the request finishes.
1924 "name": "A String", # Name of the key. [required]
1925 # This is an arbitrary string used to differentiate different keys.
1926 # A unique key is generated per name: two separate `TransientCryptoKey`
1927 # protos share the same generated key if their names are the same.
1928 # When the data crypto key is generated, this name is not used in any way
1929 # (repeating the api call will result in a different key being generated).
1930 },
1931 },
1932 "radix": 42, # The native way to select the alphabet. Must be in the range [2, 62].
1933 "commonAlphabet": "A String",
1934 "customAlphabet": "A String", # This is supported by mapping these to the alphanumeric characters
1935 # that the FFX mode natively supports. This happens before/after
1936 # encryption/decryption.
1937 # Each character listed must appear only once.
1938 # Number of characters must be in the range [2, 62].
1939 # This must be encoded as ASCII.
1940 # The order of characters does not matter.
1941 "context": { # General identifier of a data field in a storage service. # The 'tweak', a context may be used for higher security since the same
1942 # identifier in two different contexts won't be given the same surrogate. If
1943 # the context is not set, a default tweak will be used.
1944 #
1945 # If the context is set but:
1946 #
1947 # 1. there is no record present when transforming a given value or
1948 # 1. the field is not present when transforming a given value,
1949 #
1950 # a default tweak will be used.
1951 #
1952 # Note that case (1) is expected when an `InfoTypeTransformation` is
1953 # applied to both structured and non-structured `ContentItem`s.
1954 # Currently, the referenced field may be of value type integer or string.
1955 #
1956 # The tweak is constructed as a sequence of bytes in big endian byte order
1957 # such that:
1958 #
1959 # - a 64 bit integer is encoded followed by a single byte of value 1
1960 # - a string is encoded in UTF-8 format followed by a single byte of value 2
1961 "name": "A String", # Name describing the field.
1962 },
1963 "surrogateInfoType": { # Type of information detected by the API. # The custom infoType to annotate the surrogate with.
1964 # This annotation will be applied to the surrogate by prefixing it with
1965 # the name of the custom infoType followed by the number of
1966 # characters comprising the surrogate. The following scheme defines the
1967 # format: info_type_name(surrogate_character_count):surrogate
1968 #
1969 # For example, if the name of custom infoType is 'MY_TOKEN_INFO_TYPE' and
1970 # the surrogate is 'abc', the full replacement value
1971 # will be: 'MY_TOKEN_INFO_TYPE(3):abc'
1972 #
1973 # This annotation identifies the surrogate when inspecting content using the
1974 # custom infoType
1975 # [`SurrogateType`](/dlp/docs/reference/rest/v2/InspectConfig#surrogatetype).
1976 # This facilitates reversal of the surrogate when it occurs in free text.
1977 #
1978 # In order for inspection to work properly, the name of this infoType must
1979 # not occur naturally anywhere in your data; otherwise, inspection may
1980 # find a surrogate that does not correspond to an actual identifier.
1981 # Therefore, choose your custom infoType name carefully after considering
1982 # what your data looks like. One way to select a name that has a high chance
1983 # of yielding reliable detection is to include one or more unicode characters
1984 # that are highly improbable to exist in your data.
1985 # For example, assuming your data is entered from a regular ASCII keyboard,
1986 # the symbol with the hex code point 29DD might be used like so:
1987 # ⧝MY_TOKEN_TYPE
1988 "name": "A String", # Name of the information type. Either a name of your choosing when
1989 # creating a CustomInfoType, or one of the names listed
1990 # at https://cloud.google.com/dlp/docs/infotypes-reference when specifying
1991 # a built-in type. InfoType names should conform to the pattern
1992 # [a-zA-Z0-9_]{1,64}.
1993 },
1994 },
1995 "replaceConfig": { # Replace each input value with a given `Value`.
1996 "newValue": { # Set of primitive values supported by the system. # Value to replace it with.
1997 # Note that for the purposes of inspection or transformation, the number
1998 # of bytes considered to comprise a 'Value' is based on its representation
1999 # as a UTF-8 encoded string. For example, if 'integer_value' is set to
2000 # 123456789, the number of bytes would be counted as 9, even though an
2001 # int64 only holds up to 8 bytes of data.
2002 "floatValue": 3.14,
2003 "timestampValue": "A String",
2004 "dayOfWeekValue": "A String",
2005 "timeValue": { # Represents a time of day. The date and time zone are either not significant
2006 # or are specified elsewhere. An API may choose to allow leap seconds. Related
2007 # types are google.type.Date and `google.protobuf.Timestamp`.
2008 "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
2009 # to allow the value "24:00:00" for scenarios like business closing time.
2010 "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
2011 "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
2012 # allow the value 60 if it allows leap-seconds.
2013 "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
2014 },
2015 "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
2016 # and time zone are either specified elsewhere or are not significant. The date
2017 # is relative to the Proleptic Gregorian Calendar. This can represent:
2018 #
2019 # * A full date, with non-zero year, month and day values
2020 # * A month and day value, with a zero year, e.g. an anniversary
2021 # * A year on its own, with zero month and day values
2022 # * A year and month value, with a zero day, e.g. a credit card expiration date
2023 #
2024 # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
2025 "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
2026 # a year.
2027 "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
2028 # if specifying a year by itself or a year and month where the day is not
2029 # significant.
2030 "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
2031 # month and day.
2032 },
2033 "stringValue": "A String",
2034 "booleanValue": True or False,
2035 "integerValue": "A String",
2036 },
2037 },
2038 },
2039 "condition": { # A condition for determining whether a transformation should be applied to # Only apply the transformation if the condition evaluates to true for the
2040 # given `RecordCondition`. The conditions are allowed to reference fields
2041 # that are not used in the actual transformation. [optional]
2042 #
2043 # Example Use Cases:
2044 #
2045 # - Apply a different bucket transformation to an age column if the zip code
2046 # column for the same record is within a specific range.
2047 # - Redact a field if the date of birth field is greater than 85.
2048 # a field.
2049 "expressions": { # An expression, consisting or an operator and conditions. # An expression.
2050 "conditions": { # A collection of conditions.
2051 "conditions": [
2052 { # The field type of `value` and `field` do not need to match to be
2053 # considered equal, but not all comparisons are possible.
2054 # EQUAL_TO and NOT_EQUAL_TO attempt to compare even with incompatible types,
2055 # but all other comparisons are invalid with incompatible types.
2056 # A `value` of type:
2057 #
2058 # - `string` can be compared against all other types
2059 # - `boolean` can only be compared against other booleans
2060 # - `integer` can be compared against doubles or a string if the string value
2061 # can be parsed as an integer.
2062 # - `double` can be compared against integers or a string if the string can
2063 # be parsed as a double.
2064 # - `Timestamp` can be compared against strings in RFC 3339 date string
2065 # format.
2066 # - `TimeOfDay` can be compared against timestamps and strings in the format
2067 # of 'HH:mm:ss'.
2068 #
2069 # If we fail to compare do to type mismatch, a warning will be given and
2070 # the condition will evaluate to false.
2071 "operator": "A String", # Operator used to compare the field or infoType to the value. [required]
2072 "field": { # General identifier of a data field in a storage service. # Field within the record this condition is evaluated against. [required]
2073 "name": "A String", # Name describing the field.
2074 },
2075 "value": { # Set of primitive values supported by the system. # Value to compare against. [Required, except for `EXISTS` tests.]
2076 # Note that for the purposes of inspection or transformation, the number
2077 # of bytes considered to comprise a 'Value' is based on its representation
2078 # as a UTF-8 encoded string. For example, if 'integer_value' is set to
2079 # 123456789, the number of bytes would be counted as 9, even though an
2080 # int64 only holds up to 8 bytes of data.
2081 "floatValue": 3.14,
2082 "timestampValue": "A String",
2083 "dayOfWeekValue": "A String",
2084 "timeValue": { # Represents a time of day. The date and time zone are either not significant
2085 # or are specified elsewhere. An API may choose to allow leap seconds. Related
2086 # types are google.type.Date and `google.protobuf.Timestamp`.
2087 "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
2088 # to allow the value "24:00:00" for scenarios like business closing time.
2089 "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
2090 "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
2091 # allow the value 60 if it allows leap-seconds.
2092 "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
2093 },
2094 "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
2095 # and time zone are either specified elsewhere or are not significant. The date
2096 # is relative to the Proleptic Gregorian Calendar. This can represent:
2097 #
2098 # * A full date, with non-zero year, month and day values
2099 # * A month and day value, with a zero year, e.g. an anniversary
2100 # * A year on its own, with zero month and day values
2101 # * A year and month value, with a zero day, e.g. a credit card expiration date
2102 #
2103 # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
2104 "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
2105 # a year.
2106 "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
2107 # if specifying a year by itself or a year and month where the day is not
2108 # significant.
2109 "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
2110 # month and day.
2111 },
2112 "stringValue": "A String",
2113 "booleanValue": True or False,
2114 "integerValue": "A String",
2115 },
2116 },
2117 ],
2118 },
2119 "logicalOperator": "A String", # The operator to apply to the result of conditions. Default and currently
2120 # only supported value is `AND`.
2121 },
2122 },
2123 "fields": [ # Input field(s) to apply the transformation to. [required]
2124 { # General identifier of a data field in a storage service.
2125 "name": "A String", # Name describing the field.
2126 },
2127 ],
2128 },
2129 ],
2130 },
2131 },
2132 "createTime": "A String", # The creation timestamp of a inspectTemplate, output only field.
2133 "name": "A String", # The template name. Output only.
2134 #
2135 # The template will have one of the following formats:
2136 # `projects/PROJECT_ID/deidentifyTemplates/TEMPLATE_ID` OR
2137 # `organizations/ORGANIZATION_ID/deidentifyTemplates/TEMPLATE_ID`
2138 },
2139 "templateId": "A String", # The template id can contain uppercase and lowercase letters,
2140 # numbers, and hyphens; that is, it must match the regular
2141 # expression: `[a-zA-Z\\d-_]+`. The maximum length is 100
2142 # characters. Can be empty to allow the system to generate one.
2143 }
2144
2145 x__xgafv: string, V1 error format.
2146 Allowed values
2147 1 - v1 error format
2148 2 - v2 error format
2149
2150Returns:
2151 An object of the form:
2152
2153 { # The DeidentifyTemplates contains instructions on how to deidentify content.
2154 # See https://cloud.google.com/dlp/docs/concepts-templates to learn more.
2155 "updateTime": "A String", # The last update timestamp of a inspectTemplate, output only field.
2156 "displayName": "A String", # Display name (max 256 chars).
2157 "description": "A String", # Short description (max 256 chars).
2158 "deidentifyConfig": { # The configuration that controls how the data will change. # ///////////// // The core content of the template // ///////////////
2159 "infoTypeTransformations": { # A type of transformation that will scan unstructured text and # Treat the dataset as free-form text and apply the same free text
2160 # transformation everywhere.
2161 # apply various `PrimitiveTransformation`s to each finding, where the
2162 # transformation is applied to only values that were identified as a specific
2163 # info_type.
2164 "transformations": [ # Transformation for each infoType. Cannot specify more than one
2165 # for a given infoType. [required]
2166 { # A transformation to apply to text that is identified as a specific
2167 # info_type.
2168 "primitiveTransformation": { # A rule for transforming a value. # Primitive transformation to apply to the infoType. [required]
2169 "characterMaskConfig": { # Partially mask a string by replacing a given number of characters with a
2170 # fixed character. Masking can start from the beginning or end of the string.
2171 # This can be used on data of any type (numbers, longs, and so on) and when
2172 # de-identifying structured data we'll attempt to preserve the original data's
2173 # type. (This allows you to take a long like 123 and modify it to a string like
2174 # **3.
2175 "charactersToIgnore": [ # When masking a string, items in this list will be skipped when replacing.
2176 # For example, if your string is 555-555-5555 and you ask us to skip `-` and
2177 # mask 5 chars with * we would produce ***-*55-5555.
2178 { # Characters to skip when doing deidentification of a value. These will be left
2179 # alone and skipped.
2180 "commonCharactersToIgnore": "A String",
2181 "charactersToSkip": "A String",
2182 },
2183 ],
2184 "numberToMask": 42, # Number of characters to mask. If not set, all matching chars will be
2185 # masked. Skipped characters do not count towards this tally.
2186 "maskingCharacter": "A String", # Character to mask the sensitive values&mdash;for example, "*" for an
2187 # alphabetic string such as name, or "0" for a numeric string such as ZIP
2188 # code or credit card number. String must have length 1. If not supplied, we
2189 # will default to "*" for strings, 0 for digits.
2190 "reverseOrder": True or False, # Mask characters in reverse order. For example, if `masking_character` is
2191 # '0', number_to_mask is 14, and `reverse_order` is false, then
2192 # 1234-5678-9012-3456 -> 00000000000000-3456
2193 # If `masking_character` is '*', `number_to_mask` is 3, and `reverse_order`
2194 # is true, then 12345 -> 12***
2195 },
2196 "redactConfig": { # Redact a given value. For example, if used with an `InfoTypeTransformation`
2197 # transforming PHONE_NUMBER, and input 'My phone number is 206-555-0123', the
2198 # output would be 'My phone number is '.
2199 },
2200 "cryptoDeterministicConfig": { # Pseudonymization method that generates deterministic encryption for the given
2201 # input. Outputs a base64 encoded representation of the encrypted output.
2202 # Uses AES-SIV based on the RFC https://tools.ietf.org/html/rfc5297.
2203 "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the encryption function.
2204 # a key encryption key (KEK) stored by KMS).
2205 # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
2206 # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
2207 # unwrap the data crypto key.
2208 "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS.
2209 # The wrapped key must be a 128/192/256 bit key.
2210 # Authorization requires the following IAM permissions when sending a request
2211 # to perform a crypto transformation using a kms-wrapped crypto key:
2212 # dlp.kms.encrypt
2213 "cryptoKeyName": "A String", # The resource name of the KMS CryptoKey to use for unwrapping. [required]
2214 "wrappedKey": "A String", # The wrapped data crypto key. [required]
2215 },
2216 "unwrapped": { # Using raw keys is prone to security risks due to accidentally
2217 # leaking the key. Choose another type of key if possible.
2218 "key": "A String", # A 128/192/256 bit key. [required]
2219 },
2220 "transient": { # Use this to have a random data crypto key generated.
2221 # It will be discarded after the request finishes.
2222 "name": "A String", # Name of the key. [required]
2223 # This is an arbitrary string used to differentiate different keys.
2224 # A unique key is generated per name: two separate `TransientCryptoKey`
2225 # protos share the same generated key if their names are the same.
2226 # When the data crypto key is generated, this name is not used in any way
2227 # (repeating the api call will result in a different key being generated).
2228 },
2229 },
2230 "context": { # General identifier of a data field in a storage service. # Optional. A context may be used for higher security and maintaining
2231 # referential integrity such that the same identifier in two different
2232 # contexts will be given a distinct surrogate. The context is appended to
2233 # plaintext value being encrypted. On decryption the provided context is
2234 # validated against the value used during encryption. If a context was
2235 # provided during encryption, same context must be provided during decryption
2236 # as well.
2237 #
2238 # If the context is not set, plaintext would be used as is for encryption.
2239 # If the context is set but:
2240 #
2241 # 1. there is no record present when transforming a given value or
2242 # 2. the field is not present when transforming a given value,
2243 #
2244 # plaintext would be used as is for encryption.
2245 #
2246 # Note that case (1) is expected when an `InfoTypeTransformation` is
2247 # applied to both structured and non-structured `ContentItem`s.
2248 "name": "A String", # Name describing the field.
2249 },
2250 "surrogateInfoType": { # Type of information detected by the API. # The custom info type to annotate the surrogate with.
2251 # This annotation will be applied to the surrogate by prefixing it with
2252 # the name of the custom info type followed by the number of
2253 # characters comprising the surrogate. The following scheme defines the
2254 # format: <info type name>(<surrogate character count>):<surrogate>
2255 #
2256 # For example, if the name of custom info type is 'MY_TOKEN_INFO_TYPE' and
2257 # the surrogate is 'abc', the full replacement value
2258 # will be: 'MY_TOKEN_INFO_TYPE(3):abc'
2259 #
2260 # This annotation identifies the surrogate when inspecting content using the
2261 # custom info type 'Surrogate'. This facilitates reversal of the
2262 # surrogate when it occurs in free text.
2263 #
2264 # In order for inspection to work properly, the name of this info type must
2265 # not occur naturally anywhere in your data; otherwise, inspection may either
2266 #
2267 # - reverse a surrogate that does not correspond to an actual identifier
2268 # - be unable to parse the surrogate and result in an error
2269 #
2270 # Therefore, choose your custom info type name carefully after considering
2271 # what your data looks like. One way to select a name that has a high chance
2272 # of yielding reliable detection is to include one or more unicode characters
2273 # that are highly improbable to exist in your data.
2274 # For example, assuming your data is entered from a regular ASCII keyboard,
2275 # the symbol with the hex code point 29DD might be used like so:
2276 # ⧝MY_TOKEN_TYPE
2277 "name": "A String", # Name of the information type. Either a name of your choosing when
2278 # creating a CustomInfoType, or one of the names listed
2279 # at https://cloud.google.com/dlp/docs/infotypes-reference when specifying
2280 # a built-in type. InfoType names should conform to the pattern
2281 # [a-zA-Z0-9_]{1,64}.
2282 },
2283 },
2284 "fixedSizeBucketingConfig": { # Buckets values based on fixed size ranges. The
2285 # Bucketing transformation can provide all of this functionality,
2286 # but requires more configuration. This message is provided as a convenience to
2287 # the user for simple bucketing strategies.
2288 #
2289 # The transformed value will be a hyphenated string of
2290 # <lower_bound>-<upper_bound>, i.e if lower_bound = 10 and upper_bound = 20
2291 # all values that are within this bucket will be replaced with "10-20".
2292 #
2293 # This can be used on data of type: double, long.
2294 #
2295 # If the bound Value type differs from the type of data
2296 # being transformed, we will first attempt converting the type of the data to
2297 # be transformed to match the type of the bound before comparing.
2298 #
2299 # See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more.
2300 "lowerBound": { # Set of primitive values supported by the system. # Lower bound value of buckets. All values less than `lower_bound` are
2301 # grouped together into a single bucket; for example if `lower_bound` = 10,
2302 # then all values less than 10 are replaced with the value “-10”. [Required].
2303 # Note that for the purposes of inspection or transformation, the number
2304 # of bytes considered to comprise a 'Value' is based on its representation
2305 # as a UTF-8 encoded string. For example, if 'integer_value' is set to
2306 # 123456789, the number of bytes would be counted as 9, even though an
2307 # int64 only holds up to 8 bytes of data.
2308 "floatValue": 3.14,
2309 "timestampValue": "A String",
2310 "dayOfWeekValue": "A String",
2311 "timeValue": { # Represents a time of day. The date and time zone are either not significant
2312 # or are specified elsewhere. An API may choose to allow leap seconds. Related
2313 # types are google.type.Date and `google.protobuf.Timestamp`.
2314 "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
2315 # to allow the value "24:00:00" for scenarios like business closing time.
2316 "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
2317 "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
2318 # allow the value 60 if it allows leap-seconds.
2319 "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
2320 },
2321 "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
2322 # and time zone are either specified elsewhere or are not significant. The date
2323 # is relative to the Proleptic Gregorian Calendar. This can represent:
2324 #
2325 # * A full date, with non-zero year, month and day values
2326 # * A month and day value, with a zero year, e.g. an anniversary
2327 # * A year on its own, with zero month and day values
2328 # * A year and month value, with a zero day, e.g. a credit card expiration date
2329 #
2330 # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
2331 "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
2332 # a year.
2333 "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
2334 # if specifying a year by itself or a year and month where the day is not
2335 # significant.
2336 "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
2337 # month and day.
2338 },
2339 "stringValue": "A String",
2340 "booleanValue": True or False,
2341 "integerValue": "A String",
2342 },
2343 "upperBound": { # Set of primitive values supported by the system. # Upper bound value of buckets. All values greater than upper_bound are
2344 # grouped together into a single bucket; for example if `upper_bound` = 89,
2345 # then all values greater than 89 are replaced with the value “89+”.
2346 # [Required].
2347 # Note that for the purposes of inspection or transformation, the number
2348 # of bytes considered to comprise a 'Value' is based on its representation
2349 # as a UTF-8 encoded string. For example, if 'integer_value' is set to
2350 # 123456789, the number of bytes would be counted as 9, even though an
2351 # int64 only holds up to 8 bytes of data.
2352 "floatValue": 3.14,
2353 "timestampValue": "A String",
2354 "dayOfWeekValue": "A String",
2355 "timeValue": { # Represents a time of day. The date and time zone are either not significant
2356 # or are specified elsewhere. An API may choose to allow leap seconds. Related
2357 # types are google.type.Date and `google.protobuf.Timestamp`.
2358 "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
2359 # to allow the value "24:00:00" for scenarios like business closing time.
2360 "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
2361 "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
2362 # allow the value 60 if it allows leap-seconds.
2363 "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
2364 },
2365 "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
2366 # and time zone are either specified elsewhere or are not significant. The date
2367 # is relative to the Proleptic Gregorian Calendar. This can represent:
2368 #
2369 # * A full date, with non-zero year, month and day values
2370 # * A month and day value, with a zero year, e.g. an anniversary
2371 # * A year on its own, with zero month and day values
2372 # * A year and month value, with a zero day, e.g. a credit card expiration date
2373 #
2374 # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
2375 "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
2376 # a year.
2377 "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
2378 # if specifying a year by itself or a year and month where the day is not
2379 # significant.
2380 "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
2381 # month and day.
2382 },
2383 "stringValue": "A String",
2384 "booleanValue": True or False,
2385 "integerValue": "A String",
2386 },
2387 "bucketSize": 3.14, # Size of each bucket (except for minimum and maximum buckets). So if
2388 # `lower_bound` = 10, `upper_bound` = 89, and `bucket_size` = 10, then the
2389 # following buckets would be used: -10, 10-20, 20-30, 30-40, 40-50, 50-60,
2390 # 60-70, 70-80, 80-89, 89+. Precision up to 2 decimals works. [Required].
2391 },
2392 "replaceWithInfoTypeConfig": { # Replace each matching finding with the name of the info_type.
2393 },
2394 "timePartConfig": { # For use with `Date`, `Timestamp`, and `TimeOfDay`, extract or preserve a
2395 # portion of the value.
2396 "partToExtract": "A String",
2397 },
2398 "cryptoHashConfig": { # Pseudonymization method that generates surrogates via cryptographic hashing.
2399 # Uses SHA-256.
2400 # The key size must be either 32 or 64 bytes.
2401 # Outputs a base64 encoded representation of the hashed output
2402 # (for example, L7k0BHmF1ha5U3NfGykjro4xWi1MPVQPjhMAZbSV9mM=).
2403 # Currently, only string and integer values can be hashed.
2404 # See https://cloud.google.com/dlp/docs/pseudonymization to learn more.
2405 "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the hash function.
2406 # a key encryption key (KEK) stored by KMS).
2407 # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
2408 # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
2409 # unwrap the data crypto key.
2410 "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS.
2411 # The wrapped key must be a 128/192/256 bit key.
2412 # Authorization requires the following IAM permissions when sending a request
2413 # to perform a crypto transformation using a kms-wrapped crypto key:
2414 # dlp.kms.encrypt
2415 "cryptoKeyName": "A String", # The resource name of the KMS CryptoKey to use for unwrapping. [required]
2416 "wrappedKey": "A String", # The wrapped data crypto key. [required]
2417 },
2418 "unwrapped": { # Using raw keys is prone to security risks due to accidentally
2419 # leaking the key. Choose another type of key if possible.
2420 "key": "A String", # A 128/192/256 bit key. [required]
2421 },
2422 "transient": { # Use this to have a random data crypto key generated.
2423 # It will be discarded after the request finishes.
2424 "name": "A String", # Name of the key. [required]
2425 # This is an arbitrary string used to differentiate different keys.
2426 # A unique key is generated per name: two separate `TransientCryptoKey`
2427 # protos share the same generated key if their names are the same.
2428 # When the data crypto key is generated, this name is not used in any way
2429 # (repeating the api call will result in a different key being generated).
2430 },
2431 },
2432 },
2433 "dateShiftConfig": { # Shifts dates by random number of days, with option to be consistent for the
2434 # same context. See https://cloud.google.com/dlp/docs/concepts-date-shifting
2435 # to learn more.
2436 "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # Causes the shift to be computed based on this key and the context. This
2437 # results in the same shift for the same context and crypto_key.
2438 # a key encryption key (KEK) stored by KMS).
2439 # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
2440 # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
2441 # unwrap the data crypto key.
2442 "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS.
2443 # The wrapped key must be a 128/192/256 bit key.
2444 # Authorization requires the following IAM permissions when sending a request
2445 # to perform a crypto transformation using a kms-wrapped crypto key:
2446 # dlp.kms.encrypt
2447 "cryptoKeyName": "A String", # The resource name of the KMS CryptoKey to use for unwrapping. [required]
2448 "wrappedKey": "A String", # The wrapped data crypto key. [required]
2449 },
2450 "unwrapped": { # Using raw keys is prone to security risks due to accidentally
2451 # leaking the key. Choose another type of key if possible.
2452 "key": "A String", # A 128/192/256 bit key. [required]
2453 },
2454 "transient": { # Use this to have a random data crypto key generated.
2455 # It will be discarded after the request finishes.
2456 "name": "A String", # Name of the key. [required]
2457 # This is an arbitrary string used to differentiate different keys.
2458 # A unique key is generated per name: two separate `TransientCryptoKey`
2459 # protos share the same generated key if their names are the same.
2460 # When the data crypto key is generated, this name is not used in any way
2461 # (repeating the api call will result in a different key being generated).
2462 },
2463 },
2464 "lowerBoundDays": 42, # For example, -5 means shift date to at most 5 days back in the past.
2465 # [Required]
2466 "upperBoundDays": 42, # Range of shift in days. Actual shift will be selected at random within this
2467 # range (inclusive ends). Negative means shift to earlier in time. Must not
2468 # be more than 365250 days (1000 years) each direction.
2469 #
2470 # For example, 3 means shift date to at most 3 days into the future.
2471 # [Required]
2472 "context": { # General identifier of a data field in a storage service. # Points to the field that contains the context, for example, an entity id.
2473 # If set, must also set method. If set, shift will be consistent for the
2474 # given context.
2475 "name": "A String", # Name describing the field.
2476 },
2477 },
2478 "bucketingConfig": { # Generalization function that buckets values based on ranges. The ranges and
2479 # replacement values are dynamically provided by the user for custom behavior,
2480 # such as 1-30 -> LOW 31-65 -> MEDIUM 66-100 -> HIGH
2481 # This can be used on
2482 # data of type: number, long, string, timestamp.
2483 # If the bound `Value` type differs from the type of data being transformed, we
2484 # will first attempt converting the type of the data to be transformed to match
2485 # the type of the bound before comparing.
2486 # See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more.
2487 "buckets": [ # Set of buckets. Ranges must be non-overlapping.
2488 { # Bucket is represented as a range, along with replacement values.
2489 "max": { # Set of primitive values supported by the system. # Upper bound of the range, exclusive; type must match min.
2490 # Note that for the purposes of inspection or transformation, the number
2491 # of bytes considered to comprise a 'Value' is based on its representation
2492 # as a UTF-8 encoded string. For example, if 'integer_value' is set to
2493 # 123456789, the number of bytes would be counted as 9, even though an
2494 # int64 only holds up to 8 bytes of data.
2495 "floatValue": 3.14,
2496 "timestampValue": "A String",
2497 "dayOfWeekValue": "A String",
2498 "timeValue": { # Represents a time of day. The date and time zone are either not significant
2499 # or are specified elsewhere. An API may choose to allow leap seconds. Related
2500 # types are google.type.Date and `google.protobuf.Timestamp`.
2501 "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
2502 # to allow the value "24:00:00" for scenarios like business closing time.
2503 "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
2504 "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
2505 # allow the value 60 if it allows leap-seconds.
2506 "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
2507 },
2508 "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
2509 # and time zone are either specified elsewhere or are not significant. The date
2510 # is relative to the Proleptic Gregorian Calendar. This can represent:
2511 #
2512 # * A full date, with non-zero year, month and day values
2513 # * A month and day value, with a zero year, e.g. an anniversary
2514 # * A year on its own, with zero month and day values
2515 # * A year and month value, with a zero day, e.g. a credit card expiration date
2516 #
2517 # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
2518 "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
2519 # a year.
2520 "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
2521 # if specifying a year by itself or a year and month where the day is not
2522 # significant.
2523 "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
2524 # month and day.
2525 },
2526 "stringValue": "A String",
2527 "booleanValue": True or False,
2528 "integerValue": "A String",
2529 },
2530 "replacementValue": { # Set of primitive values supported by the system. # Replacement value for this bucket. If not provided
2531 # the default behavior will be to hyphenate the min-max range.
2532 # Note that for the purposes of inspection or transformation, the number
2533 # of bytes considered to comprise a 'Value' is based on its representation
2534 # as a UTF-8 encoded string. For example, if 'integer_value' is set to
2535 # 123456789, the number of bytes would be counted as 9, even though an
2536 # int64 only holds up to 8 bytes of data.
2537 "floatValue": 3.14,
2538 "timestampValue": "A String",
2539 "dayOfWeekValue": "A String",
2540 "timeValue": { # Represents a time of day. The date and time zone are either not significant
2541 # or are specified elsewhere. An API may choose to allow leap seconds. Related
2542 # types are google.type.Date and `google.protobuf.Timestamp`.
2543 "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
2544 # to allow the value "24:00:00" for scenarios like business closing time.
2545 "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
2546 "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
2547 # allow the value 60 if it allows leap-seconds.
2548 "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
2549 },
2550 "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
2551 # and time zone are either specified elsewhere or are not significant. The date
2552 # is relative to the Proleptic Gregorian Calendar. This can represent:
2553 #
2554 # * A full date, with non-zero year, month and day values
2555 # * A month and day value, with a zero year, e.g. an anniversary
2556 # * A year on its own, with zero month and day values
2557 # * A year and month value, with a zero day, e.g. a credit card expiration date
2558 #
2559 # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
2560 "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
2561 # a year.
2562 "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
2563 # if specifying a year by itself or a year and month where the day is not
2564 # significant.
2565 "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
2566 # month and day.
2567 },
2568 "stringValue": "A String",
2569 "booleanValue": True or False,
2570 "integerValue": "A String",
2571 },
2572 "min": { # Set of primitive values supported by the system. # Lower bound of the range, inclusive. Type should be the same as max if
2573 # used.
2574 # Note that for the purposes of inspection or transformation, the number
2575 # of bytes considered to comprise a 'Value' is based on its representation
2576 # as a UTF-8 encoded string. For example, if 'integer_value' is set to
2577 # 123456789, the number of bytes would be counted as 9, even though an
2578 # int64 only holds up to 8 bytes of data.
2579 "floatValue": 3.14,
2580 "timestampValue": "A String",
2581 "dayOfWeekValue": "A String",
2582 "timeValue": { # Represents a time of day. The date and time zone are either not significant
2583 # or are specified elsewhere. An API may choose to allow leap seconds. Related
2584 # types are google.type.Date and `google.protobuf.Timestamp`.
2585 "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
2586 # to allow the value "24:00:00" for scenarios like business closing time.
2587 "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
2588 "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
2589 # allow the value 60 if it allows leap-seconds.
2590 "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
2591 },
2592 "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
2593 # and time zone are either specified elsewhere or are not significant. The date
2594 # is relative to the Proleptic Gregorian Calendar. This can represent:
2595 #
2596 # * A full date, with non-zero year, month and day values
2597 # * A month and day value, with a zero year, e.g. an anniversary
2598 # * A year on its own, with zero month and day values
2599 # * A year and month value, with a zero day, e.g. a credit card expiration date
2600 #
2601 # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
2602 "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
2603 # a year.
2604 "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
2605 # if specifying a year by itself or a year and month where the day is not
2606 # significant.
2607 "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
2608 # month and day.
2609 },
2610 "stringValue": "A String",
2611 "booleanValue": True or False,
2612 "integerValue": "A String",
2613 },
2614 },
2615 ],
2616 },
2617 "cryptoReplaceFfxFpeConfig": { # Replaces an identifier with a surrogate using Format Preserving Encryption
2618 # (FPE) with the FFX mode of operation; however when used in the
2619 # `ReidentifyContent` API method, it serves the opposite function by reversing
2620 # the surrogate back into the original identifier. The identifier must be
2621 # encoded as ASCII. For a given crypto key and context, the same identifier
2622 # will be replaced with the same surrogate. Identifiers must be at least two
2623 # characters long. In the case that the identifier is the empty string, it will
2624 # be skipped. See https://cloud.google.com/dlp/docs/pseudonymization to learn
2625 # more.
2626 #
2627 # Note: We recommend using CryptoDeterministicConfig for all use cases which
2628 # do not require preserving the input alphabet space and size, plus warrant
2629 # referential integrity.
2630 "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the encryption algorithm. [required]
2631 # a key encryption key (KEK) stored by KMS).
2632 # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
2633 # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
2634 # unwrap the data crypto key.
2635 "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS.
2636 # The wrapped key must be a 128/192/256 bit key.
2637 # Authorization requires the following IAM permissions when sending a request
2638 # to perform a crypto transformation using a kms-wrapped crypto key:
2639 # dlp.kms.encrypt
2640 "cryptoKeyName": "A String", # The resource name of the KMS CryptoKey to use for unwrapping. [required]
2641 "wrappedKey": "A String", # The wrapped data crypto key. [required]
2642 },
2643 "unwrapped": { # Using raw keys is prone to security risks due to accidentally
2644 # leaking the key. Choose another type of key if possible.
2645 "key": "A String", # A 128/192/256 bit key. [required]
2646 },
2647 "transient": { # Use this to have a random data crypto key generated.
2648 # It will be discarded after the request finishes.
2649 "name": "A String", # Name of the key. [required]
2650 # This is an arbitrary string used to differentiate different keys.
2651 # A unique key is generated per name: two separate `TransientCryptoKey`
2652 # protos share the same generated key if their names are the same.
2653 # When the data crypto key is generated, this name is not used in any way
2654 # (repeating the api call will result in a different key being generated).
2655 },
2656 },
2657 "radix": 42, # The native way to select the alphabet. Must be in the range [2, 62].
2658 "commonAlphabet": "A String",
2659 "customAlphabet": "A String", # This is supported by mapping these to the alphanumeric characters
2660 # that the FFX mode natively supports. This happens before/after
2661 # encryption/decryption.
2662 # Each character listed must appear only once.
2663 # Number of characters must be in the range [2, 62].
2664 # This must be encoded as ASCII.
2665 # The order of characters does not matter.
2666 "context": { # General identifier of a data field in a storage service. # The 'tweak', a context may be used for higher security since the same
2667 # identifier in two different contexts won't be given the same surrogate. If
2668 # the context is not set, a default tweak will be used.
2669 #
2670 # If the context is set but:
2671 #
2672 # 1. there is no record present when transforming a given value or
2673 # 1. the field is not present when transforming a given value,
2674 #
2675 # a default tweak will be used.
2676 #
2677 # Note that case (1) is expected when an `InfoTypeTransformation` is
2678 # applied to both structured and non-structured `ContentItem`s.
2679 # Currently, the referenced field may be of value type integer or string.
2680 #
2681 # The tweak is constructed as a sequence of bytes in big endian byte order
2682 # such that:
2683 #
2684 # - a 64 bit integer is encoded followed by a single byte of value 1
2685 # - a string is encoded in UTF-8 format followed by a single byte of value 2
2686 "name": "A String", # Name describing the field.
2687 },
2688 "surrogateInfoType": { # Type of information detected by the API. # The custom infoType to annotate the surrogate with.
2689 # This annotation will be applied to the surrogate by prefixing it with
2690 # the name of the custom infoType followed by the number of
2691 # characters comprising the surrogate. The following scheme defines the
2692 # format: info_type_name(surrogate_character_count):surrogate
2693 #
2694 # For example, if the name of custom infoType is 'MY_TOKEN_INFO_TYPE' and
2695 # the surrogate is 'abc', the full replacement value
2696 # will be: 'MY_TOKEN_INFO_TYPE(3):abc'
2697 #
2698 # This annotation identifies the surrogate when inspecting content using the
2699 # custom infoType
2700 # [`SurrogateType`](/dlp/docs/reference/rest/v2/InspectConfig#surrogatetype).
2701 # This facilitates reversal of the surrogate when it occurs in free text.
2702 #
2703 # In order for inspection to work properly, the name of this infoType must
2704 # not occur naturally anywhere in your data; otherwise, inspection may
2705 # find a surrogate that does not correspond to an actual identifier.
2706 # Therefore, choose your custom infoType name carefully after considering
2707 # what your data looks like. One way to select a name that has a high chance
2708 # of yielding reliable detection is to include one or more unicode characters
2709 # that are highly improbable to exist in your data.
2710 # For example, assuming your data is entered from a regular ASCII keyboard,
2711 # the symbol with the hex code point 29DD might be used like so:
2712 # ⧝MY_TOKEN_TYPE
2713 "name": "A String", # Name of the information type. Either a name of your choosing when
2714 # creating a CustomInfoType, or one of the names listed
2715 # at https://cloud.google.com/dlp/docs/infotypes-reference when specifying
2716 # a built-in type. InfoType names should conform to the pattern
2717 # [a-zA-Z0-9_]{1,64}.
2718 },
2719 },
2720 "replaceConfig": { # Replace each input value with a given `Value`.
2721 "newValue": { # Set of primitive values supported by the system. # Value to replace it with.
2722 # Note that for the purposes of inspection or transformation, the number
2723 # of bytes considered to comprise a 'Value' is based on its representation
2724 # as a UTF-8 encoded string. For example, if 'integer_value' is set to
2725 # 123456789, the number of bytes would be counted as 9, even though an
2726 # int64 only holds up to 8 bytes of data.
2727 "floatValue": 3.14,
2728 "timestampValue": "A String",
2729 "dayOfWeekValue": "A String",
2730 "timeValue": { # Represents a time of day. The date and time zone are either not significant
2731 # or are specified elsewhere. An API may choose to allow leap seconds. Related
2732 # types are google.type.Date and `google.protobuf.Timestamp`.
2733 "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
2734 # to allow the value "24:00:00" for scenarios like business closing time.
2735 "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
2736 "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
2737 # allow the value 60 if it allows leap-seconds.
2738 "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
2739 },
2740 "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
2741 # and time zone are either specified elsewhere or are not significant. The date
2742 # is relative to the Proleptic Gregorian Calendar. This can represent:
2743 #
2744 # * A full date, with non-zero year, month and day values
2745 # * A month and day value, with a zero year, e.g. an anniversary
2746 # * A year on its own, with zero month and day values
2747 # * A year and month value, with a zero day, e.g. a credit card expiration date
2748 #
2749 # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
2750 "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
2751 # a year.
2752 "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
2753 # if specifying a year by itself or a year and month where the day is not
2754 # significant.
2755 "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
2756 # month and day.
2757 },
2758 "stringValue": "A String",
2759 "booleanValue": True or False,
2760 "integerValue": "A String",
2761 },
2762 },
2763 },
2764 "infoTypes": [ # InfoTypes to apply the transformation to. An empty list will cause
2765 # this transformation to apply to all findings that correspond to
2766 # infoTypes that were requested in `InspectConfig`.
2767 { # Type of information detected by the API.
2768 "name": "A String", # Name of the information type. Either a name of your choosing when
2769 # creating a CustomInfoType, or one of the names listed
2770 # at https://cloud.google.com/dlp/docs/infotypes-reference when specifying
2771 # a built-in type. InfoType names should conform to the pattern
2772 # [a-zA-Z0-9_]{1,64}.
2773 },
2774 ],
2775 },
2776 ],
2777 },
2778 "recordTransformations": { # A type of transformation that is applied over structured data such as a # Treat the dataset as structured. Transformations can be applied to
2779 # specific locations within structured datasets, such as transforming
2780 # a column within a table.
2781 # table.
2782 "recordSuppressions": [ # Configuration defining which records get suppressed entirely. Records that
2783 # match any suppression rule are omitted from the output [optional].
2784 { # Configuration to suppress records whose suppression conditions evaluate to
2785 # true.
2786 "condition": { # A condition for determining whether a transformation should be applied to # A condition that when it evaluates to true will result in the record being
2787 # evaluated to be suppressed from the transformed content.
2788 # a field.
2789 "expressions": { # An expression, consisting or an operator and conditions. # An expression.
2790 "conditions": { # A collection of conditions.
2791 "conditions": [
2792 { # The field type of `value` and `field` do not need to match to be
2793 # considered equal, but not all comparisons are possible.
2794 # EQUAL_TO and NOT_EQUAL_TO attempt to compare even with incompatible types,
2795 # but all other comparisons are invalid with incompatible types.
2796 # A `value` of type:
2797 #
2798 # - `string` can be compared against all other types
2799 # - `boolean` can only be compared against other booleans
2800 # - `integer` can be compared against doubles or a string if the string value
2801 # can be parsed as an integer.
2802 # - `double` can be compared against integers or a string if the string can
2803 # be parsed as a double.
2804 # - `Timestamp` can be compared against strings in RFC 3339 date string
2805 # format.
2806 # - `TimeOfDay` can be compared against timestamps and strings in the format
2807 # of 'HH:mm:ss'.
2808 #
2809 # If we fail to compare do to type mismatch, a warning will be given and
2810 # the condition will evaluate to false.
2811 "operator": "A String", # Operator used to compare the field or infoType to the value. [required]
2812 "field": { # General identifier of a data field in a storage service. # Field within the record this condition is evaluated against. [required]
2813 "name": "A String", # Name describing the field.
2814 },
2815 "value": { # Set of primitive values supported by the system. # Value to compare against. [Required, except for `EXISTS` tests.]
2816 # Note that for the purposes of inspection or transformation, the number
2817 # of bytes considered to comprise a 'Value' is based on its representation
2818 # as a UTF-8 encoded string. For example, if 'integer_value' is set to
2819 # 123456789, the number of bytes would be counted as 9, even though an
2820 # int64 only holds up to 8 bytes of data.
2821 "floatValue": 3.14,
2822 "timestampValue": "A String",
2823 "dayOfWeekValue": "A String",
2824 "timeValue": { # Represents a time of day. The date and time zone are either not significant
2825 # or are specified elsewhere. An API may choose to allow leap seconds. Related
2826 # types are google.type.Date and `google.protobuf.Timestamp`.
2827 "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
2828 # to allow the value "24:00:00" for scenarios like business closing time.
2829 "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
2830 "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
2831 # allow the value 60 if it allows leap-seconds.
2832 "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
2833 },
2834 "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
2835 # and time zone are either specified elsewhere or are not significant. The date
2836 # is relative to the Proleptic Gregorian Calendar. This can represent:
2837 #
2838 # * A full date, with non-zero year, month and day values
2839 # * A month and day value, with a zero year, e.g. an anniversary
2840 # * A year on its own, with zero month and day values
2841 # * A year and month value, with a zero day, e.g. a credit card expiration date
2842 #
2843 # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
2844 "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
2845 # a year.
2846 "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
2847 # if specifying a year by itself or a year and month where the day is not
2848 # significant.
2849 "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
2850 # month and day.
2851 },
2852 "stringValue": "A String",
2853 "booleanValue": True or False,
2854 "integerValue": "A String",
2855 },
2856 },
2857 ],
2858 },
2859 "logicalOperator": "A String", # The operator to apply to the result of conditions. Default and currently
2860 # only supported value is `AND`.
2861 },
2862 },
2863 },
2864 ],
2865 "fieldTransformations": [ # Transform the record by applying various field transformations.
2866 { # The transformation to apply to the field.
2867 "infoTypeTransformations": { # A type of transformation that will scan unstructured text and # Treat the contents of the field as free text, and selectively
2868 # transform content that matches an `InfoType`.
2869 # apply various `PrimitiveTransformation`s to each finding, where the
2870 # transformation is applied to only values that were identified as a specific
2871 # info_type.
2872 "transformations": [ # Transformation for each infoType. Cannot specify more than one
2873 # for a given infoType. [required]
2874 { # A transformation to apply to text that is identified as a specific
2875 # info_type.
2876 "primitiveTransformation": { # A rule for transforming a value. # Primitive transformation to apply to the infoType. [required]
2877 "characterMaskConfig": { # Partially mask a string by replacing a given number of characters with a
2878 # fixed character. Masking can start from the beginning or end of the string.
2879 # This can be used on data of any type (numbers, longs, and so on) and when
2880 # de-identifying structured data we'll attempt to preserve the original data's
2881 # type. (This allows you to take a long like 123 and modify it to a string like
2882 # **3.
2883 "charactersToIgnore": [ # When masking a string, items in this list will be skipped when replacing.
2884 # For example, if your string is 555-555-5555 and you ask us to skip `-` and
2885 # mask 5 chars with * we would produce ***-*55-5555.
2886 { # Characters to skip when doing deidentification of a value. These will be left
2887 # alone and skipped.
2888 "commonCharactersToIgnore": "A String",
2889 "charactersToSkip": "A String",
2890 },
2891 ],
2892 "numberToMask": 42, # Number of characters to mask. If not set, all matching chars will be
2893 # masked. Skipped characters do not count towards this tally.
2894 "maskingCharacter": "A String", # Character to mask the sensitive values&mdash;for example, "*" for an
2895 # alphabetic string such as name, or "0" for a numeric string such as ZIP
2896 # code or credit card number. String must have length 1. If not supplied, we
2897 # will default to "*" for strings, 0 for digits.
2898 "reverseOrder": True or False, # Mask characters in reverse order. For example, if `masking_character` is
2899 # '0', number_to_mask is 14, and `reverse_order` is false, then
2900 # 1234-5678-9012-3456 -> 00000000000000-3456
2901 # If `masking_character` is '*', `number_to_mask` is 3, and `reverse_order`
2902 # is true, then 12345 -> 12***
2903 },
2904 "redactConfig": { # Redact a given value. For example, if used with an `InfoTypeTransformation`
2905 # transforming PHONE_NUMBER, and input 'My phone number is 206-555-0123', the
2906 # output would be 'My phone number is '.
2907 },
2908 "cryptoDeterministicConfig": { # Pseudonymization method that generates deterministic encryption for the given
2909 # input. Outputs a base64 encoded representation of the encrypted output.
2910 # Uses AES-SIV based on the RFC https://tools.ietf.org/html/rfc5297.
2911 "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the encryption function.
2912 # a key encryption key (KEK) stored by KMS).
2913 # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
2914 # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
2915 # unwrap the data crypto key.
2916 "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS.
2917 # The wrapped key must be a 128/192/256 bit key.
2918 # Authorization requires the following IAM permissions when sending a request
2919 # to perform a crypto transformation using a kms-wrapped crypto key:
2920 # dlp.kms.encrypt
2921 "cryptoKeyName": "A String", # The resource name of the KMS CryptoKey to use for unwrapping. [required]
2922 "wrappedKey": "A String", # The wrapped data crypto key. [required]
2923 },
2924 "unwrapped": { # Using raw keys is prone to security risks due to accidentally
2925 # leaking the key. Choose another type of key if possible.
2926 "key": "A String", # A 128/192/256 bit key. [required]
2927 },
2928 "transient": { # Use this to have a random data crypto key generated.
2929 # It will be discarded after the request finishes.
2930 "name": "A String", # Name of the key. [required]
2931 # This is an arbitrary string used to differentiate different keys.
2932 # A unique key is generated per name: two separate `TransientCryptoKey`
2933 # protos share the same generated key if their names are the same.
2934 # When the data crypto key is generated, this name is not used in any way
2935 # (repeating the api call will result in a different key being generated).
2936 },
2937 },
2938 "context": { # General identifier of a data field in a storage service. # Optional. A context may be used for higher security and maintaining
2939 # referential integrity such that the same identifier in two different
2940 # contexts will be given a distinct surrogate. The context is appended to
2941 # plaintext value being encrypted. On decryption the provided context is
2942 # validated against the value used during encryption. If a context was
2943 # provided during encryption, same context must be provided during decryption
2944 # as well.
2945 #
2946 # If the context is not set, plaintext would be used as is for encryption.
2947 # If the context is set but:
2948 #
2949 # 1. there is no record present when transforming a given value or
2950 # 2. the field is not present when transforming a given value,
2951 #
2952 # plaintext would be used as is for encryption.
2953 #
2954 # Note that case (1) is expected when an `InfoTypeTransformation` is
2955 # applied to both structured and non-structured `ContentItem`s.
2956 "name": "A String", # Name describing the field.
2957 },
2958 "surrogateInfoType": { # Type of information detected by the API. # The custom info type to annotate the surrogate with.
2959 # This annotation will be applied to the surrogate by prefixing it with
2960 # the name of the custom info type followed by the number of
2961 # characters comprising the surrogate. The following scheme defines the
2962 # format: <info type name>(<surrogate character count>):<surrogate>
2963 #
2964 # For example, if the name of custom info type is 'MY_TOKEN_INFO_TYPE' and
2965 # the surrogate is 'abc', the full replacement value
2966 # will be: 'MY_TOKEN_INFO_TYPE(3):abc'
2967 #
2968 # This annotation identifies the surrogate when inspecting content using the
2969 # custom info type 'Surrogate'. This facilitates reversal of the
2970 # surrogate when it occurs in free text.
2971 #
2972 # In order for inspection to work properly, the name of this info type must
2973 # not occur naturally anywhere in your data; otherwise, inspection may either
2974 #
2975 # - reverse a surrogate that does not correspond to an actual identifier
2976 # - be unable to parse the surrogate and result in an error
2977 #
2978 # Therefore, choose your custom info type name carefully after considering
2979 # what your data looks like. One way to select a name that has a high chance
2980 # of yielding reliable detection is to include one or more unicode characters
2981 # that are highly improbable to exist in your data.
2982 # For example, assuming your data is entered from a regular ASCII keyboard,
2983 # the symbol with the hex code point 29DD might be used like so:
2984 # ⧝MY_TOKEN_TYPE
2985 "name": "A String", # Name of the information type. Either a name of your choosing when
2986 # creating a CustomInfoType, or one of the names listed
2987 # at https://cloud.google.com/dlp/docs/infotypes-reference when specifying
2988 # a built-in type. InfoType names should conform to the pattern
2989 # [a-zA-Z0-9_]{1,64}.
2990 },
2991 },
2992 "fixedSizeBucketingConfig": { # Buckets values based on fixed size ranges. The
2993 # Bucketing transformation can provide all of this functionality,
2994 # but requires more configuration. This message is provided as a convenience to
2995 # the user for simple bucketing strategies.
2996 #
2997 # The transformed value will be a hyphenated string of
2998 # <lower_bound>-<upper_bound>, i.e if lower_bound = 10 and upper_bound = 20
2999 # all values that are within this bucket will be replaced with "10-20".
3000 #
3001 # This can be used on data of type: double, long.
3002 #
3003 # If the bound Value type differs from the type of data
3004 # being transformed, we will first attempt converting the type of the data to
3005 # be transformed to match the type of the bound before comparing.
3006 #
3007 # See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more.
3008 "lowerBound": { # Set of primitive values supported by the system. # Lower bound value of buckets. All values less than `lower_bound` are
3009 # grouped together into a single bucket; for example if `lower_bound` = 10,
3010 # then all values less than 10 are replaced with the value “-10”. [Required].
3011 # Note that for the purposes of inspection or transformation, the number
3012 # of bytes considered to comprise a 'Value' is based on its representation
3013 # as a UTF-8 encoded string. For example, if 'integer_value' is set to
3014 # 123456789, the number of bytes would be counted as 9, even though an
3015 # int64 only holds up to 8 bytes of data.
3016 "floatValue": 3.14,
3017 "timestampValue": "A String",
3018 "dayOfWeekValue": "A String",
3019 "timeValue": { # Represents a time of day. The date and time zone are either not significant
3020 # or are specified elsewhere. An API may choose to allow leap seconds. Related
3021 # types are google.type.Date and `google.protobuf.Timestamp`.
3022 "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
3023 # to allow the value "24:00:00" for scenarios like business closing time.
3024 "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
3025 "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
3026 # allow the value 60 if it allows leap-seconds.
3027 "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
3028 },
3029 "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
3030 # and time zone are either specified elsewhere or are not significant. The date
3031 # is relative to the Proleptic Gregorian Calendar. This can represent:
3032 #
3033 # * A full date, with non-zero year, month and day values
3034 # * A month and day value, with a zero year, e.g. an anniversary
3035 # * A year on its own, with zero month and day values
3036 # * A year and month value, with a zero day, e.g. a credit card expiration date
3037 #
3038 # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
3039 "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
3040 # a year.
3041 "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
3042 # if specifying a year by itself or a year and month where the day is not
3043 # significant.
3044 "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
3045 # month and day.
3046 },
3047 "stringValue": "A String",
3048 "booleanValue": True or False,
3049 "integerValue": "A String",
3050 },
3051 "upperBound": { # Set of primitive values supported by the system. # Upper bound value of buckets. All values greater than upper_bound are
3052 # grouped together into a single bucket; for example if `upper_bound` = 89,
3053 # then all values greater than 89 are replaced with the value “89+”.
3054 # [Required].
3055 # Note that for the purposes of inspection or transformation, the number
3056 # of bytes considered to comprise a 'Value' is based on its representation
3057 # as a UTF-8 encoded string. For example, if 'integer_value' is set to
3058 # 123456789, the number of bytes would be counted as 9, even though an
3059 # int64 only holds up to 8 bytes of data.
3060 "floatValue": 3.14,
3061 "timestampValue": "A String",
3062 "dayOfWeekValue": "A String",
3063 "timeValue": { # Represents a time of day. The date and time zone are either not significant
3064 # or are specified elsewhere. An API may choose to allow leap seconds. Related
3065 # types are google.type.Date and `google.protobuf.Timestamp`.
3066 "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
3067 # to allow the value "24:00:00" for scenarios like business closing time.
3068 "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
3069 "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
3070 # allow the value 60 if it allows leap-seconds.
3071 "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
3072 },
3073 "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
3074 # and time zone are either specified elsewhere or are not significant. The date
3075 # is relative to the Proleptic Gregorian Calendar. This can represent:
3076 #
3077 # * A full date, with non-zero year, month and day values
3078 # * A month and day value, with a zero year, e.g. an anniversary
3079 # * A year on its own, with zero month and day values
3080 # * A year and month value, with a zero day, e.g. a credit card expiration date
3081 #
3082 # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
3083 "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
3084 # a year.
3085 "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
3086 # if specifying a year by itself or a year and month where the day is not
3087 # significant.
3088 "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
3089 # month and day.
3090 },
3091 "stringValue": "A String",
3092 "booleanValue": True or False,
3093 "integerValue": "A String",
3094 },
3095 "bucketSize": 3.14, # Size of each bucket (except for minimum and maximum buckets). So if
3096 # `lower_bound` = 10, `upper_bound` = 89, and `bucket_size` = 10, then the
3097 # following buckets would be used: -10, 10-20, 20-30, 30-40, 40-50, 50-60,
3098 # 60-70, 70-80, 80-89, 89+. Precision up to 2 decimals works. [Required].
3099 },
3100 "replaceWithInfoTypeConfig": { # Replace each matching finding with the name of the info_type.
3101 },
3102 "timePartConfig": { # For use with `Date`, `Timestamp`, and `TimeOfDay`, extract or preserve a
3103 # portion of the value.
3104 "partToExtract": "A String",
3105 },
3106 "cryptoHashConfig": { # Pseudonymization method that generates surrogates via cryptographic hashing.
3107 # Uses SHA-256.
3108 # The key size must be either 32 or 64 bytes.
3109 # Outputs a base64 encoded representation of the hashed output
3110 # (for example, L7k0BHmF1ha5U3NfGykjro4xWi1MPVQPjhMAZbSV9mM=).
3111 # Currently, only string and integer values can be hashed.
3112 # See https://cloud.google.com/dlp/docs/pseudonymization to learn more.
3113 "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the hash function.
3114 # a key encryption key (KEK) stored by KMS).
3115 # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
3116 # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
3117 # unwrap the data crypto key.
3118 "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS.
3119 # The wrapped key must be a 128/192/256 bit key.
3120 # Authorization requires the following IAM permissions when sending a request
3121 # to perform a crypto transformation using a kms-wrapped crypto key:
3122 # dlp.kms.encrypt
3123 "cryptoKeyName": "A String", # The resource name of the KMS CryptoKey to use for unwrapping. [required]
3124 "wrappedKey": "A String", # The wrapped data crypto key. [required]
3125 },
3126 "unwrapped": { # Using raw keys is prone to security risks due to accidentally
3127 # leaking the key. Choose another type of key if possible.
3128 "key": "A String", # A 128/192/256 bit key. [required]
3129 },
3130 "transient": { # Use this to have a random data crypto key generated.
3131 # It will be discarded after the request finishes.
3132 "name": "A String", # Name of the key. [required]
3133 # This is an arbitrary string used to differentiate different keys.
3134 # A unique key is generated per name: two separate `TransientCryptoKey`
3135 # protos share the same generated key if their names are the same.
3136 # When the data crypto key is generated, this name is not used in any way
3137 # (repeating the api call will result in a different key being generated).
3138 },
3139 },
3140 },
3141 "dateShiftConfig": { # Shifts dates by random number of days, with option to be consistent for the
3142 # same context. See https://cloud.google.com/dlp/docs/concepts-date-shifting
3143 # to learn more.
3144 "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # Causes the shift to be computed based on this key and the context. This
3145 # results in the same shift for the same context and crypto_key.
3146 # a key encryption key (KEK) stored by KMS).
3147 # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
3148 # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
3149 # unwrap the data crypto key.
3150 "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS.
3151 # The wrapped key must be a 128/192/256 bit key.
3152 # Authorization requires the following IAM permissions when sending a request
3153 # to perform a crypto transformation using a kms-wrapped crypto key:
3154 # dlp.kms.encrypt
3155 "cryptoKeyName": "A String", # The resource name of the KMS CryptoKey to use for unwrapping. [required]
3156 "wrappedKey": "A String", # The wrapped data crypto key. [required]
3157 },
3158 "unwrapped": { # Using raw keys is prone to security risks due to accidentally
3159 # leaking the key. Choose another type of key if possible.
3160 "key": "A String", # A 128/192/256 bit key. [required]
3161 },
3162 "transient": { # Use this to have a random data crypto key generated.
3163 # It will be discarded after the request finishes.
3164 "name": "A String", # Name of the key. [required]
3165 # This is an arbitrary string used to differentiate different keys.
3166 # A unique key is generated per name: two separate `TransientCryptoKey`
3167 # protos share the same generated key if their names are the same.
3168 # When the data crypto key is generated, this name is not used in any way
3169 # (repeating the api call will result in a different key being generated).
3170 },
3171 },
3172 "lowerBoundDays": 42, # For example, -5 means shift date to at most 5 days back in the past.
3173 # [Required]
3174 "upperBoundDays": 42, # Range of shift in days. Actual shift will be selected at random within this
3175 # range (inclusive ends). Negative means shift to earlier in time. Must not
3176 # be more than 365250 days (1000 years) each direction.
3177 #
3178 # For example, 3 means shift date to at most 3 days into the future.
3179 # [Required]
3180 "context": { # General identifier of a data field in a storage service. # Points to the field that contains the context, for example, an entity id.
3181 # If set, must also set method. If set, shift will be consistent for the
3182 # given context.
3183 "name": "A String", # Name describing the field.
3184 },
3185 },
3186 "bucketingConfig": { # Generalization function that buckets values based on ranges. The ranges and
3187 # replacement values are dynamically provided by the user for custom behavior,
3188 # such as 1-30 -> LOW 31-65 -> MEDIUM 66-100 -> HIGH
3189 # This can be used on
3190 # data of type: number, long, string, timestamp.
3191 # If the bound `Value` type differs from the type of data being transformed, we
3192 # will first attempt converting the type of the data to be transformed to match
3193 # the type of the bound before comparing.
3194 # See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more.
3195 "buckets": [ # Set of buckets. Ranges must be non-overlapping.
3196 { # Bucket is represented as a range, along with replacement values.
3197 "max": { # Set of primitive values supported by the system. # Upper bound of the range, exclusive; type must match min.
3198 # Note that for the purposes of inspection or transformation, the number
3199 # of bytes considered to comprise a 'Value' is based on its representation
3200 # as a UTF-8 encoded string. For example, if 'integer_value' is set to
3201 # 123456789, the number of bytes would be counted as 9, even though an
3202 # int64 only holds up to 8 bytes of data.
3203 "floatValue": 3.14,
3204 "timestampValue": "A String",
3205 "dayOfWeekValue": "A String",
3206 "timeValue": { # Represents a time of day. The date and time zone are either not significant
3207 # or are specified elsewhere. An API may choose to allow leap seconds. Related
3208 # types are google.type.Date and `google.protobuf.Timestamp`.
3209 "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
3210 # to allow the value "24:00:00" for scenarios like business closing time.
3211 "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
3212 "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
3213 # allow the value 60 if it allows leap-seconds.
3214 "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
3215 },
3216 "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
3217 # and time zone are either specified elsewhere or are not significant. The date
3218 # is relative to the Proleptic Gregorian Calendar. This can represent:
3219 #
3220 # * A full date, with non-zero year, month and day values
3221 # * A month and day value, with a zero year, e.g. an anniversary
3222 # * A year on its own, with zero month and day values
3223 # * A year and month value, with a zero day, e.g. a credit card expiration date
3224 #
3225 # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
3226 "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
3227 # a year.
3228 "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
3229 # if specifying a year by itself or a year and month where the day is not
3230 # significant.
3231 "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
3232 # month and day.
3233 },
3234 "stringValue": "A String",
3235 "booleanValue": True or False,
3236 "integerValue": "A String",
3237 },
3238 "replacementValue": { # Set of primitive values supported by the system. # Replacement value for this bucket. If not provided
3239 # the default behavior will be to hyphenate the min-max range.
3240 # Note that for the purposes of inspection or transformation, the number
3241 # of bytes considered to comprise a 'Value' is based on its representation
3242 # as a UTF-8 encoded string. For example, if 'integer_value' is set to
3243 # 123456789, the number of bytes would be counted as 9, even though an
3244 # int64 only holds up to 8 bytes of data.
3245 "floatValue": 3.14,
3246 "timestampValue": "A String",
3247 "dayOfWeekValue": "A String",
3248 "timeValue": { # Represents a time of day. The date and time zone are either not significant
3249 # or are specified elsewhere. An API may choose to allow leap seconds. Related
3250 # types are google.type.Date and `google.protobuf.Timestamp`.
3251 "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
3252 # to allow the value "24:00:00" for scenarios like business closing time.
3253 "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
3254 "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
3255 # allow the value 60 if it allows leap-seconds.
3256 "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
3257 },
3258 "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
3259 # and time zone are either specified elsewhere or are not significant. The date
3260 # is relative to the Proleptic Gregorian Calendar. This can represent:
3261 #
3262 # * A full date, with non-zero year, month and day values
3263 # * A month and day value, with a zero year, e.g. an anniversary
3264 # * A year on its own, with zero month and day values
3265 # * A year and month value, with a zero day, e.g. a credit card expiration date
3266 #
3267 # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
3268 "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
3269 # a year.
3270 "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
3271 # if specifying a year by itself or a year and month where the day is not
3272 # significant.
3273 "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
3274 # month and day.
3275 },
3276 "stringValue": "A String",
3277 "booleanValue": True or False,
3278 "integerValue": "A String",
3279 },
3280 "min": { # Set of primitive values supported by the system. # Lower bound of the range, inclusive. Type should be the same as max if
3281 # used.
3282 # Note that for the purposes of inspection or transformation, the number
3283 # of bytes considered to comprise a 'Value' is based on its representation
3284 # as a UTF-8 encoded string. For example, if 'integer_value' is set to
3285 # 123456789, the number of bytes would be counted as 9, even though an
3286 # int64 only holds up to 8 bytes of data.
3287 "floatValue": 3.14,
3288 "timestampValue": "A String",
3289 "dayOfWeekValue": "A String",
3290 "timeValue": { # Represents a time of day. The date and time zone are either not significant
3291 # or are specified elsewhere. An API may choose to allow leap seconds. Related
3292 # types are google.type.Date and `google.protobuf.Timestamp`.
3293 "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
3294 # to allow the value "24:00:00" for scenarios like business closing time.
3295 "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
3296 "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
3297 # allow the value 60 if it allows leap-seconds.
3298 "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
3299 },
3300 "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
3301 # and time zone are either specified elsewhere or are not significant. The date
3302 # is relative to the Proleptic Gregorian Calendar. This can represent:
3303 #
3304 # * A full date, with non-zero year, month and day values
3305 # * A month and day value, with a zero year, e.g. an anniversary
3306 # * A year on its own, with zero month and day values
3307 # * A year and month value, with a zero day, e.g. a credit card expiration date
3308 #
3309 # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
3310 "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
3311 # a year.
3312 "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
3313 # if specifying a year by itself or a year and month where the day is not
3314 # significant.
3315 "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
3316 # month and day.
3317 },
3318 "stringValue": "A String",
3319 "booleanValue": True or False,
3320 "integerValue": "A String",
3321 },
3322 },
3323 ],
3324 },
3325 "cryptoReplaceFfxFpeConfig": { # Replaces an identifier with a surrogate using Format Preserving Encryption
3326 # (FPE) with the FFX mode of operation; however when used in the
3327 # `ReidentifyContent` API method, it serves the opposite function by reversing
3328 # the surrogate back into the original identifier. The identifier must be
3329 # encoded as ASCII. For a given crypto key and context, the same identifier
3330 # will be replaced with the same surrogate. Identifiers must be at least two
3331 # characters long. In the case that the identifier is the empty string, it will
3332 # be skipped. See https://cloud.google.com/dlp/docs/pseudonymization to learn
3333 # more.
3334 #
3335 # Note: We recommend using CryptoDeterministicConfig for all use cases which
3336 # do not require preserving the input alphabet space and size, plus warrant
3337 # referential integrity.
3338 "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the encryption algorithm. [required]
3339 # a key encryption key (KEK) stored by KMS).
3340 # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
3341 # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
3342 # unwrap the data crypto key.
3343 "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS.
3344 # The wrapped key must be a 128/192/256 bit key.
3345 # Authorization requires the following IAM permissions when sending a request
3346 # to perform a crypto transformation using a kms-wrapped crypto key:
3347 # dlp.kms.encrypt
3348 "cryptoKeyName": "A String", # The resource name of the KMS CryptoKey to use for unwrapping. [required]
3349 "wrappedKey": "A String", # The wrapped data crypto key. [required]
3350 },
3351 "unwrapped": { # Using raw keys is prone to security risks due to accidentally
3352 # leaking the key. Choose another type of key if possible.
3353 "key": "A String", # A 128/192/256 bit key. [required]
3354 },
3355 "transient": { # Use this to have a random data crypto key generated.
3356 # It will be discarded after the request finishes.
3357 "name": "A String", # Name of the key. [required]
3358 # This is an arbitrary string used to differentiate different keys.
3359 # A unique key is generated per name: two separate `TransientCryptoKey`
3360 # protos share the same generated key if their names are the same.
3361 # When the data crypto key is generated, this name is not used in any way
3362 # (repeating the api call will result in a different key being generated).
3363 },
3364 },
3365 "radix": 42, # The native way to select the alphabet. Must be in the range [2, 62].
3366 "commonAlphabet": "A String",
3367 "customAlphabet": "A String", # This is supported by mapping these to the alphanumeric characters
3368 # that the FFX mode natively supports. This happens before/after
3369 # encryption/decryption.
3370 # Each character listed must appear only once.
3371 # Number of characters must be in the range [2, 62].
3372 # This must be encoded as ASCII.
3373 # The order of characters does not matter.
3374 "context": { # General identifier of a data field in a storage service. # The 'tweak', a context may be used for higher security since the same
3375 # identifier in two different contexts won't be given the same surrogate. If
3376 # the context is not set, a default tweak will be used.
3377 #
3378 # If the context is set but:
3379 #
3380 # 1. there is no record present when transforming a given value or
3381 # 1. the field is not present when transforming a given value,
3382 #
3383 # a default tweak will be used.
3384 #
3385 # Note that case (1) is expected when an `InfoTypeTransformation` is
3386 # applied to both structured and non-structured `ContentItem`s.
3387 # Currently, the referenced field may be of value type integer or string.
3388 #
3389 # The tweak is constructed as a sequence of bytes in big endian byte order
3390 # such that:
3391 #
3392 # - a 64 bit integer is encoded followed by a single byte of value 1
3393 # - a string is encoded in UTF-8 format followed by a single byte of value 2
3394 "name": "A String", # Name describing the field.
3395 },
3396 "surrogateInfoType": { # Type of information detected by the API. # The custom infoType to annotate the surrogate with.
3397 # This annotation will be applied to the surrogate by prefixing it with
3398 # the name of the custom infoType followed by the number of
3399 # characters comprising the surrogate. The following scheme defines the
3400 # format: info_type_name(surrogate_character_count):surrogate
3401 #
3402 # For example, if the name of custom infoType is 'MY_TOKEN_INFO_TYPE' and
3403 # the surrogate is 'abc', the full replacement value
3404 # will be: 'MY_TOKEN_INFO_TYPE(3):abc'
3405 #
3406 # This annotation identifies the surrogate when inspecting content using the
3407 # custom infoType
3408 # [`SurrogateType`](/dlp/docs/reference/rest/v2/InspectConfig#surrogatetype).
3409 # This facilitates reversal of the surrogate when it occurs in free text.
3410 #
3411 # In order for inspection to work properly, the name of this infoType must
3412 # not occur naturally anywhere in your data; otherwise, inspection may
3413 # find a surrogate that does not correspond to an actual identifier.
3414 # Therefore, choose your custom infoType name carefully after considering
3415 # what your data looks like. One way to select a name that has a high chance
3416 # of yielding reliable detection is to include one or more unicode characters
3417 # that are highly improbable to exist in your data.
3418 # For example, assuming your data is entered from a regular ASCII keyboard,
3419 # the symbol with the hex code point 29DD might be used like so:
3420 # ⧝MY_TOKEN_TYPE
3421 "name": "A String", # Name of the information type. Either a name of your choosing when
3422 # creating a CustomInfoType, or one of the names listed
3423 # at https://cloud.google.com/dlp/docs/infotypes-reference when specifying
3424 # a built-in type. InfoType names should conform to the pattern
3425 # [a-zA-Z0-9_]{1,64}.
3426 },
3427 },
3428 "replaceConfig": { # Replace each input value with a given `Value`.
3429 "newValue": { # Set of primitive values supported by the system. # Value to replace it with.
3430 # Note that for the purposes of inspection or transformation, the number
3431 # of bytes considered to comprise a 'Value' is based on its representation
3432 # as a UTF-8 encoded string. For example, if 'integer_value' is set to
3433 # 123456789, the number of bytes would be counted as 9, even though an
3434 # int64 only holds up to 8 bytes of data.
3435 "floatValue": 3.14,
3436 "timestampValue": "A String",
3437 "dayOfWeekValue": "A String",
3438 "timeValue": { # Represents a time of day. The date and time zone are either not significant
3439 # or are specified elsewhere. An API may choose to allow leap seconds. Related
3440 # types are google.type.Date and `google.protobuf.Timestamp`.
3441 "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
3442 # to allow the value "24:00:00" for scenarios like business closing time.
3443 "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
3444 "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
3445 # allow the value 60 if it allows leap-seconds.
3446 "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
3447 },
3448 "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
3449 # and time zone are either specified elsewhere or are not significant. The date
3450 # is relative to the Proleptic Gregorian Calendar. This can represent:
3451 #
3452 # * A full date, with non-zero year, month and day values
3453 # * A month and day value, with a zero year, e.g. an anniversary
3454 # * A year on its own, with zero month and day values
3455 # * A year and month value, with a zero day, e.g. a credit card expiration date
3456 #
3457 # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
3458 "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
3459 # a year.
3460 "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
3461 # if specifying a year by itself or a year and month where the day is not
3462 # significant.
3463 "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
3464 # month and day.
3465 },
3466 "stringValue": "A String",
3467 "booleanValue": True or False,
3468 "integerValue": "A String",
3469 },
3470 },
3471 },
3472 "infoTypes": [ # InfoTypes to apply the transformation to. An empty list will cause
3473 # this transformation to apply to all findings that correspond to
3474 # infoTypes that were requested in `InspectConfig`.
3475 { # Type of information detected by the API.
3476 "name": "A String", # Name of the information type. Either a name of your choosing when
3477 # creating a CustomInfoType, or one of the names listed
3478 # at https://cloud.google.com/dlp/docs/infotypes-reference when specifying
3479 # a built-in type. InfoType names should conform to the pattern
3480 # [a-zA-Z0-9_]{1,64}.
3481 },
3482 ],
3483 },
3484 ],
3485 },
3486 "primitiveTransformation": { # A rule for transforming a value. # Apply the transformation to the entire field.
3487 "characterMaskConfig": { # Partially mask a string by replacing a given number of characters with a
3488 # fixed character. Masking can start from the beginning or end of the string.
3489 # This can be used on data of any type (numbers, longs, and so on) and when
3490 # de-identifying structured data we'll attempt to preserve the original data's
3491 # type. (This allows you to take a long like 123 and modify it to a string like
3492 # **3.
3493 "charactersToIgnore": [ # When masking a string, items in this list will be skipped when replacing.
3494 # For example, if your string is 555-555-5555 and you ask us to skip `-` and
3495 # mask 5 chars with * we would produce ***-*55-5555.
3496 { # Characters to skip when doing deidentification of a value. These will be left
3497 # alone and skipped.
3498 "commonCharactersToIgnore": "A String",
3499 "charactersToSkip": "A String",
3500 },
3501 ],
3502 "numberToMask": 42, # Number of characters to mask. If not set, all matching chars will be
3503 # masked. Skipped characters do not count towards this tally.
3504 "maskingCharacter": "A String", # Character to mask the sensitive values&mdash;for example, "*" for an
3505 # alphabetic string such as name, or "0" for a numeric string such as ZIP
3506 # code or credit card number. String must have length 1. If not supplied, we
3507 # will default to "*" for strings, 0 for digits.
3508 "reverseOrder": True or False, # Mask characters in reverse order. For example, if `masking_character` is
3509 # '0', number_to_mask is 14, and `reverse_order` is false, then
3510 # 1234-5678-9012-3456 -> 00000000000000-3456
3511 # If `masking_character` is '*', `number_to_mask` is 3, and `reverse_order`
3512 # is true, then 12345 -> 12***
3513 },
3514 "redactConfig": { # Redact a given value. For example, if used with an `InfoTypeTransformation`
3515 # transforming PHONE_NUMBER, and input 'My phone number is 206-555-0123', the
3516 # output would be 'My phone number is '.
3517 },
3518 "cryptoDeterministicConfig": { # Pseudonymization method that generates deterministic encryption for the given
3519 # input. Outputs a base64 encoded representation of the encrypted output.
3520 # Uses AES-SIV based on the RFC https://tools.ietf.org/html/rfc5297.
3521 "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the encryption function.
3522 # a key encryption key (KEK) stored by KMS).
3523 # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
3524 # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
3525 # unwrap the data crypto key.
3526 "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS.
3527 # The wrapped key must be a 128/192/256 bit key.
3528 # Authorization requires the following IAM permissions when sending a request
3529 # to perform a crypto transformation using a kms-wrapped crypto key:
3530 # dlp.kms.encrypt
3531 "cryptoKeyName": "A String", # The resource name of the KMS CryptoKey to use for unwrapping. [required]
3532 "wrappedKey": "A String", # The wrapped data crypto key. [required]
3533 },
3534 "unwrapped": { # Using raw keys is prone to security risks due to accidentally
3535 # leaking the key. Choose another type of key if possible.
3536 "key": "A String", # A 128/192/256 bit key. [required]
3537 },
3538 "transient": { # Use this to have a random data crypto key generated.
3539 # It will be discarded after the request finishes.
3540 "name": "A String", # Name of the key. [required]
3541 # This is an arbitrary string used to differentiate different keys.
3542 # A unique key is generated per name: two separate `TransientCryptoKey`
3543 # protos share the same generated key if their names are the same.
3544 # When the data crypto key is generated, this name is not used in any way
3545 # (repeating the api call will result in a different key being generated).
3546 },
3547 },
3548 "context": { # General identifier of a data field in a storage service. # Optional. A context may be used for higher security and maintaining
3549 # referential integrity such that the same identifier in two different
3550 # contexts will be given a distinct surrogate. The context is appended to
3551 # plaintext value being encrypted. On decryption the provided context is
3552 # validated against the value used during encryption. If a context was
3553 # provided during encryption, same context must be provided during decryption
3554 # as well.
3555 #
3556 # If the context is not set, plaintext would be used as is for encryption.
3557 # If the context is set but:
3558 #
3559 # 1. there is no record present when transforming a given value or
3560 # 2. the field is not present when transforming a given value,
3561 #
3562 # plaintext would be used as is for encryption.
3563 #
3564 # Note that case (1) is expected when an `InfoTypeTransformation` is
3565 # applied to both structured and non-structured `ContentItem`s.
3566 "name": "A String", # Name describing the field.
3567 },
3568 "surrogateInfoType": { # Type of information detected by the API. # The custom info type to annotate the surrogate with.
3569 # This annotation will be applied to the surrogate by prefixing it with
3570 # the name of the custom info type followed by the number of
3571 # characters comprising the surrogate. The following scheme defines the
3572 # format: <info type name>(<surrogate character count>):<surrogate>
3573 #
3574 # For example, if the name of custom info type is 'MY_TOKEN_INFO_TYPE' and
3575 # the surrogate is 'abc', the full replacement value
3576 # will be: 'MY_TOKEN_INFO_TYPE(3):abc'
3577 #
3578 # This annotation identifies the surrogate when inspecting content using the
3579 # custom info type 'Surrogate'. This facilitates reversal of the
3580 # surrogate when it occurs in free text.
3581 #
3582 # In order for inspection to work properly, the name of this info type must
3583 # not occur naturally anywhere in your data; otherwise, inspection may either
3584 #
3585 # - reverse a surrogate that does not correspond to an actual identifier
3586 # - be unable to parse the surrogate and result in an error
3587 #
3588 # Therefore, choose your custom info type name carefully after considering
3589 # what your data looks like. One way to select a name that has a high chance
3590 # of yielding reliable detection is to include one or more unicode characters
3591 # that are highly improbable to exist in your data.
3592 # For example, assuming your data is entered from a regular ASCII keyboard,
3593 # the symbol with the hex code point 29DD might be used like so:
3594 # ⧝MY_TOKEN_TYPE
3595 "name": "A String", # Name of the information type. Either a name of your choosing when
3596 # creating a CustomInfoType, or one of the names listed
3597 # at https://cloud.google.com/dlp/docs/infotypes-reference when specifying
3598 # a built-in type. InfoType names should conform to the pattern
3599 # [a-zA-Z0-9_]{1,64}.
3600 },
3601 },
3602 "fixedSizeBucketingConfig": { # Buckets values based on fixed size ranges. The
3603 # Bucketing transformation can provide all of this functionality,
3604 # but requires more configuration. This message is provided as a convenience to
3605 # the user for simple bucketing strategies.
3606 #
3607 # The transformed value will be a hyphenated string of
3608 # <lower_bound>-<upper_bound>, i.e if lower_bound = 10 and upper_bound = 20
3609 # all values that are within this bucket will be replaced with "10-20".
3610 #
3611 # This can be used on data of type: double, long.
3612 #
3613 # If the bound Value type differs from the type of data
3614 # being transformed, we will first attempt converting the type of the data to
3615 # be transformed to match the type of the bound before comparing.
3616 #
3617 # See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more.
3618 "lowerBound": { # Set of primitive values supported by the system. # Lower bound value of buckets. All values less than `lower_bound` are
3619 # grouped together into a single bucket; for example if `lower_bound` = 10,
3620 # then all values less than 10 are replaced with the value “-10”. [Required].
3621 # Note that for the purposes of inspection or transformation, the number
3622 # of bytes considered to comprise a 'Value' is based on its representation
3623 # as a UTF-8 encoded string. For example, if 'integer_value' is set to
3624 # 123456789, the number of bytes would be counted as 9, even though an
3625 # int64 only holds up to 8 bytes of data.
3626 "floatValue": 3.14,
3627 "timestampValue": "A String",
3628 "dayOfWeekValue": "A String",
3629 "timeValue": { # Represents a time of day. The date and time zone are either not significant
3630 # or are specified elsewhere. An API may choose to allow leap seconds. Related
3631 # types are google.type.Date and `google.protobuf.Timestamp`.
3632 "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
3633 # to allow the value "24:00:00" for scenarios like business closing time.
3634 "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
3635 "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
3636 # allow the value 60 if it allows leap-seconds.
3637 "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
3638 },
3639 "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
3640 # and time zone are either specified elsewhere or are not significant. The date
3641 # is relative to the Proleptic Gregorian Calendar. This can represent:
3642 #
3643 # * A full date, with non-zero year, month and day values
3644 # * A month and day value, with a zero year, e.g. an anniversary
3645 # * A year on its own, with zero month and day values
3646 # * A year and month value, with a zero day, e.g. a credit card expiration date
3647 #
3648 # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
3649 "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
3650 # a year.
3651 "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
3652 # if specifying a year by itself or a year and month where the day is not
3653 # significant.
3654 "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
3655 # month and day.
3656 },
3657 "stringValue": "A String",
3658 "booleanValue": True or False,
3659 "integerValue": "A String",
3660 },
3661 "upperBound": { # Set of primitive values supported by the system. # Upper bound value of buckets. All values greater than upper_bound are
3662 # grouped together into a single bucket; for example if `upper_bound` = 89,
3663 # then all values greater than 89 are replaced with the value “89+”.
3664 # [Required].
3665 # Note that for the purposes of inspection or transformation, the number
3666 # of bytes considered to comprise a 'Value' is based on its representation
3667 # as a UTF-8 encoded string. For example, if 'integer_value' is set to
3668 # 123456789, the number of bytes would be counted as 9, even though an
3669 # int64 only holds up to 8 bytes of data.
3670 "floatValue": 3.14,
3671 "timestampValue": "A String",
3672 "dayOfWeekValue": "A String",
3673 "timeValue": { # Represents a time of day. The date and time zone are either not significant
3674 # or are specified elsewhere. An API may choose to allow leap seconds. Related
3675 # types are google.type.Date and `google.protobuf.Timestamp`.
3676 "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
3677 # to allow the value "24:00:00" for scenarios like business closing time.
3678 "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
3679 "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
3680 # allow the value 60 if it allows leap-seconds.
3681 "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
3682 },
3683 "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
3684 # and time zone are either specified elsewhere or are not significant. The date
3685 # is relative to the Proleptic Gregorian Calendar. This can represent:
3686 #
3687 # * A full date, with non-zero year, month and day values
3688 # * A month and day value, with a zero year, e.g. an anniversary
3689 # * A year on its own, with zero month and day values
3690 # * A year and month value, with a zero day, e.g. a credit card expiration date
3691 #
3692 # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
3693 "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
3694 # a year.
3695 "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
3696 # if specifying a year by itself or a year and month where the day is not
3697 # significant.
3698 "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
3699 # month and day.
3700 },
3701 "stringValue": "A String",
3702 "booleanValue": True or False,
3703 "integerValue": "A String",
3704 },
3705 "bucketSize": 3.14, # Size of each bucket (except for minimum and maximum buckets). So if
3706 # `lower_bound` = 10, `upper_bound` = 89, and `bucket_size` = 10, then the
3707 # following buckets would be used: -10, 10-20, 20-30, 30-40, 40-50, 50-60,
3708 # 60-70, 70-80, 80-89, 89+. Precision up to 2 decimals works. [Required].
3709 },
3710 "replaceWithInfoTypeConfig": { # Replace each matching finding with the name of the info_type.
3711 },
3712 "timePartConfig": { # For use with `Date`, `Timestamp`, and `TimeOfDay`, extract or preserve a
3713 # portion of the value.
3714 "partToExtract": "A String",
3715 },
3716 "cryptoHashConfig": { # Pseudonymization method that generates surrogates via cryptographic hashing.
3717 # Uses SHA-256.
3718 # The key size must be either 32 or 64 bytes.
3719 # Outputs a base64 encoded representation of the hashed output
3720 # (for example, L7k0BHmF1ha5U3NfGykjro4xWi1MPVQPjhMAZbSV9mM=).
3721 # Currently, only string and integer values can be hashed.
3722 # See https://cloud.google.com/dlp/docs/pseudonymization to learn more.
3723 "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the hash function.
3724 # a key encryption key (KEK) stored by KMS).
3725 # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
3726 # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
3727 # unwrap the data crypto key.
3728 "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS.
3729 # The wrapped key must be a 128/192/256 bit key.
3730 # Authorization requires the following IAM permissions when sending a request
3731 # to perform a crypto transformation using a kms-wrapped crypto key:
3732 # dlp.kms.encrypt
3733 "cryptoKeyName": "A String", # The resource name of the KMS CryptoKey to use for unwrapping. [required]
3734 "wrappedKey": "A String", # The wrapped data crypto key. [required]
3735 },
3736 "unwrapped": { # Using raw keys is prone to security risks due to accidentally
3737 # leaking the key. Choose another type of key if possible.
3738 "key": "A String", # A 128/192/256 bit key. [required]
3739 },
3740 "transient": { # Use this to have a random data crypto key generated.
3741 # It will be discarded after the request finishes.
3742 "name": "A String", # Name of the key. [required]
3743 # This is an arbitrary string used to differentiate different keys.
3744 # A unique key is generated per name: two separate `TransientCryptoKey`
3745 # protos share the same generated key if their names are the same.
3746 # When the data crypto key is generated, this name is not used in any way
3747 # (repeating the api call will result in a different key being generated).
3748 },
3749 },
3750 },
3751 "dateShiftConfig": { # Shifts dates by random number of days, with option to be consistent for the
3752 # same context. See https://cloud.google.com/dlp/docs/concepts-date-shifting
3753 # to learn more.
3754 "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # Causes the shift to be computed based on this key and the context. This
3755 # results in the same shift for the same context and crypto_key.
3756 # a key encryption key (KEK) stored by KMS).
3757 # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
3758 # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
3759 # unwrap the data crypto key.
3760 "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS.
3761 # The wrapped key must be a 128/192/256 bit key.
3762 # Authorization requires the following IAM permissions when sending a request
3763 # to perform a crypto transformation using a kms-wrapped crypto key:
3764 # dlp.kms.encrypt
3765 "cryptoKeyName": "A String", # The resource name of the KMS CryptoKey to use for unwrapping. [required]
3766 "wrappedKey": "A String", # The wrapped data crypto key. [required]
3767 },
3768 "unwrapped": { # Using raw keys is prone to security risks due to accidentally
3769 # leaking the key. Choose another type of key if possible.
3770 "key": "A String", # A 128/192/256 bit key. [required]
3771 },
3772 "transient": { # Use this to have a random data crypto key generated.
3773 # It will be discarded after the request finishes.
3774 "name": "A String", # Name of the key. [required]
3775 # This is an arbitrary string used to differentiate different keys.
3776 # A unique key is generated per name: two separate `TransientCryptoKey`
3777 # protos share the same generated key if their names are the same.
3778 # When the data crypto key is generated, this name is not used in any way
3779 # (repeating the api call will result in a different key being generated).
3780 },
3781 },
3782 "lowerBoundDays": 42, # For example, -5 means shift date to at most 5 days back in the past.
3783 # [Required]
3784 "upperBoundDays": 42, # Range of shift in days. Actual shift will be selected at random within this
3785 # range (inclusive ends). Negative means shift to earlier in time. Must not
3786 # be more than 365250 days (1000 years) each direction.
3787 #
3788 # For example, 3 means shift date to at most 3 days into the future.
3789 # [Required]
3790 "context": { # General identifier of a data field in a storage service. # Points to the field that contains the context, for example, an entity id.
3791 # If set, must also set method. If set, shift will be consistent for the
3792 # given context.
3793 "name": "A String", # Name describing the field.
3794 },
3795 },
3796 "bucketingConfig": { # Generalization function that buckets values based on ranges. The ranges and
3797 # replacement values are dynamically provided by the user for custom behavior,
3798 # such as 1-30 -> LOW 31-65 -> MEDIUM 66-100 -> HIGH
3799 # This can be used on
3800 # data of type: number, long, string, timestamp.
3801 # If the bound `Value` type differs from the type of data being transformed, we
3802 # will first attempt converting the type of the data to be transformed to match
3803 # the type of the bound before comparing.
3804 # See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more.
3805 "buckets": [ # Set of buckets. Ranges must be non-overlapping.
3806 { # Bucket is represented as a range, along with replacement values.
3807 "max": { # Set of primitive values supported by the system. # Upper bound of the range, exclusive; type must match min.
3808 # Note that for the purposes of inspection or transformation, the number
3809 # of bytes considered to comprise a 'Value' is based on its representation
3810 # as a UTF-8 encoded string. For example, if 'integer_value' is set to
3811 # 123456789, the number of bytes would be counted as 9, even though an
3812 # int64 only holds up to 8 bytes of data.
3813 "floatValue": 3.14,
3814 "timestampValue": "A String",
3815 "dayOfWeekValue": "A String",
3816 "timeValue": { # Represents a time of day. The date and time zone are either not significant
3817 # or are specified elsewhere. An API may choose to allow leap seconds. Related
3818 # types are google.type.Date and `google.protobuf.Timestamp`.
3819 "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
3820 # to allow the value "24:00:00" for scenarios like business closing time.
3821 "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
3822 "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
3823 # allow the value 60 if it allows leap-seconds.
3824 "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
3825 },
3826 "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
3827 # and time zone are either specified elsewhere or are not significant. The date
3828 # is relative to the Proleptic Gregorian Calendar. This can represent:
3829 #
3830 # * A full date, with non-zero year, month and day values
3831 # * A month and day value, with a zero year, e.g. an anniversary
3832 # * A year on its own, with zero month and day values
3833 # * A year and month value, with a zero day, e.g. a credit card expiration date
3834 #
3835 # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
3836 "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
3837 # a year.
3838 "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
3839 # if specifying a year by itself or a year and month where the day is not
3840 # significant.
3841 "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
3842 # month and day.
3843 },
3844 "stringValue": "A String",
3845 "booleanValue": True or False,
3846 "integerValue": "A String",
3847 },
3848 "replacementValue": { # Set of primitive values supported by the system. # Replacement value for this bucket. If not provided
3849 # the default behavior will be to hyphenate the min-max range.
3850 # Note that for the purposes of inspection or transformation, the number
3851 # of bytes considered to comprise a 'Value' is based on its representation
3852 # as a UTF-8 encoded string. For example, if 'integer_value' is set to
3853 # 123456789, the number of bytes would be counted as 9, even though an
3854 # int64 only holds up to 8 bytes of data.
3855 "floatValue": 3.14,
3856 "timestampValue": "A String",
3857 "dayOfWeekValue": "A String",
3858 "timeValue": { # Represents a time of day. The date and time zone are either not significant
3859 # or are specified elsewhere. An API may choose to allow leap seconds. Related
3860 # types are google.type.Date and `google.protobuf.Timestamp`.
3861 "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
3862 # to allow the value "24:00:00" for scenarios like business closing time.
3863 "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
3864 "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
3865 # allow the value 60 if it allows leap-seconds.
3866 "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
3867 },
3868 "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
3869 # and time zone are either specified elsewhere or are not significant. The date
3870 # is relative to the Proleptic Gregorian Calendar. This can represent:
3871 #
3872 # * A full date, with non-zero year, month and day values
3873 # * A month and day value, with a zero year, e.g. an anniversary
3874 # * A year on its own, with zero month and day values
3875 # * A year and month value, with a zero day, e.g. a credit card expiration date
3876 #
3877 # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
3878 "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
3879 # a year.
3880 "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
3881 # if specifying a year by itself or a year and month where the day is not
3882 # significant.
3883 "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
3884 # month and day.
3885 },
3886 "stringValue": "A String",
3887 "booleanValue": True or False,
3888 "integerValue": "A String",
3889 },
3890 "min": { # Set of primitive values supported by the system. # Lower bound of the range, inclusive. Type should be the same as max if
3891 # used.
3892 # Note that for the purposes of inspection or transformation, the number
3893 # of bytes considered to comprise a 'Value' is based on its representation
3894 # as a UTF-8 encoded string. For example, if 'integer_value' is set to
3895 # 123456789, the number of bytes would be counted as 9, even though an
3896 # int64 only holds up to 8 bytes of data.
3897 "floatValue": 3.14,
3898 "timestampValue": "A String",
3899 "dayOfWeekValue": "A String",
3900 "timeValue": { # Represents a time of day. The date and time zone are either not significant
3901 # or are specified elsewhere. An API may choose to allow leap seconds. Related
3902 # types are google.type.Date and `google.protobuf.Timestamp`.
3903 "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
3904 # to allow the value "24:00:00" for scenarios like business closing time.
3905 "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
3906 "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
3907 # allow the value 60 if it allows leap-seconds.
3908 "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
3909 },
3910 "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
3911 # and time zone are either specified elsewhere or are not significant. The date
3912 # is relative to the Proleptic Gregorian Calendar. This can represent:
3913 #
3914 # * A full date, with non-zero year, month and day values
3915 # * A month and day value, with a zero year, e.g. an anniversary
3916 # * A year on its own, with zero month and day values
3917 # * A year and month value, with a zero day, e.g. a credit card expiration date
3918 #
3919 # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
3920 "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
3921 # a year.
3922 "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
3923 # if specifying a year by itself or a year and month where the day is not
3924 # significant.
3925 "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
3926 # month and day.
3927 },
3928 "stringValue": "A String",
3929 "booleanValue": True or False,
3930 "integerValue": "A String",
3931 },
3932 },
3933 ],
3934 },
3935 "cryptoReplaceFfxFpeConfig": { # Replaces an identifier with a surrogate using Format Preserving Encryption
3936 # (FPE) with the FFX mode of operation; however when used in the
3937 # `ReidentifyContent` API method, it serves the opposite function by reversing
3938 # the surrogate back into the original identifier. The identifier must be
3939 # encoded as ASCII. For a given crypto key and context, the same identifier
3940 # will be replaced with the same surrogate. Identifiers must be at least two
3941 # characters long. In the case that the identifier is the empty string, it will
3942 # be skipped. See https://cloud.google.com/dlp/docs/pseudonymization to learn
3943 # more.
3944 #
3945 # Note: We recommend using CryptoDeterministicConfig for all use cases which
3946 # do not require preserving the input alphabet space and size, plus warrant
3947 # referential integrity.
3948 "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the encryption algorithm. [required]
3949 # a key encryption key (KEK) stored by KMS).
3950 # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
3951 # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
3952 # unwrap the data crypto key.
3953 "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS.
3954 # The wrapped key must be a 128/192/256 bit key.
3955 # Authorization requires the following IAM permissions when sending a request
3956 # to perform a crypto transformation using a kms-wrapped crypto key:
3957 # dlp.kms.encrypt
3958 "cryptoKeyName": "A String", # The resource name of the KMS CryptoKey to use for unwrapping. [required]
3959 "wrappedKey": "A String", # The wrapped data crypto key. [required]
3960 },
3961 "unwrapped": { # Using raw keys is prone to security risks due to accidentally
3962 # leaking the key. Choose another type of key if possible.
3963 "key": "A String", # A 128/192/256 bit key. [required]
3964 },
3965 "transient": { # Use this to have a random data crypto key generated.
3966 # It will be discarded after the request finishes.
3967 "name": "A String", # Name of the key. [required]
3968 # This is an arbitrary string used to differentiate different keys.
3969 # A unique key is generated per name: two separate `TransientCryptoKey`
3970 # protos share the same generated key if their names are the same.
3971 # When the data crypto key is generated, this name is not used in any way
3972 # (repeating the api call will result in a different key being generated).
3973 },
3974 },
3975 "radix": 42, # The native way to select the alphabet. Must be in the range [2, 62].
3976 "commonAlphabet": "A String",
3977 "customAlphabet": "A String", # This is supported by mapping these to the alphanumeric characters
3978 # that the FFX mode natively supports. This happens before/after
3979 # encryption/decryption.
3980 # Each character listed must appear only once.
3981 # Number of characters must be in the range [2, 62].
3982 # This must be encoded as ASCII.
3983 # The order of characters does not matter.
3984 "context": { # General identifier of a data field in a storage service. # The 'tweak', a context may be used for higher security since the same
3985 # identifier in two different contexts won't be given the same surrogate. If
3986 # the context is not set, a default tweak will be used.
3987 #
3988 # If the context is set but:
3989 #
3990 # 1. there is no record present when transforming a given value or
3991 # 1. the field is not present when transforming a given value,
3992 #
3993 # a default tweak will be used.
3994 #
3995 # Note that case (1) is expected when an `InfoTypeTransformation` is
3996 # applied to both structured and non-structured `ContentItem`s.
3997 # Currently, the referenced field may be of value type integer or string.
3998 #
3999 # The tweak is constructed as a sequence of bytes in big endian byte order
4000 # such that:
4001 #
4002 # - a 64 bit integer is encoded followed by a single byte of value 1
4003 # - a string is encoded in UTF-8 format followed by a single byte of value 2
4004 "name": "A String", # Name describing the field.
4005 },
4006 "surrogateInfoType": { # Type of information detected by the API. # The custom infoType to annotate the surrogate with.
4007 # This annotation will be applied to the surrogate by prefixing it with
4008 # the name of the custom infoType followed by the number of
4009 # characters comprising the surrogate. The following scheme defines the
4010 # format: info_type_name(surrogate_character_count):surrogate
4011 #
4012 # For example, if the name of custom infoType is 'MY_TOKEN_INFO_TYPE' and
4013 # the surrogate is 'abc', the full replacement value
4014 # will be: 'MY_TOKEN_INFO_TYPE(3):abc'
4015 #
4016 # This annotation identifies the surrogate when inspecting content using the
4017 # custom infoType
4018 # [`SurrogateType`](/dlp/docs/reference/rest/v2/InspectConfig#surrogatetype).
4019 # This facilitates reversal of the surrogate when it occurs in free text.
4020 #
4021 # In order for inspection to work properly, the name of this infoType must
4022 # not occur naturally anywhere in your data; otherwise, inspection may
4023 # find a surrogate that does not correspond to an actual identifier.
4024 # Therefore, choose your custom infoType name carefully after considering
4025 # what your data looks like. One way to select a name that has a high chance
4026 # of yielding reliable detection is to include one or more unicode characters
4027 # that are highly improbable to exist in your data.
4028 # For example, assuming your data is entered from a regular ASCII keyboard,
4029 # the symbol with the hex code point 29DD might be used like so:
4030 # ⧝MY_TOKEN_TYPE
4031 "name": "A String", # Name of the information type. Either a name of your choosing when
4032 # creating a CustomInfoType, or one of the names listed
4033 # at https://cloud.google.com/dlp/docs/infotypes-reference when specifying
4034 # a built-in type. InfoType names should conform to the pattern
4035 # [a-zA-Z0-9_]{1,64}.
4036 },
4037 },
4038 "replaceConfig": { # Replace each input value with a given `Value`.
4039 "newValue": { # Set of primitive values supported by the system. # Value to replace it with.
4040 # Note that for the purposes of inspection or transformation, the number
4041 # of bytes considered to comprise a 'Value' is based on its representation
4042 # as a UTF-8 encoded string. For example, if 'integer_value' is set to
4043 # 123456789, the number of bytes would be counted as 9, even though an
4044 # int64 only holds up to 8 bytes of data.
4045 "floatValue": 3.14,
4046 "timestampValue": "A String",
4047 "dayOfWeekValue": "A String",
4048 "timeValue": { # Represents a time of day. The date and time zone are either not significant
4049 # or are specified elsewhere. An API may choose to allow leap seconds. Related
4050 # types are google.type.Date and `google.protobuf.Timestamp`.
4051 "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
4052 # to allow the value "24:00:00" for scenarios like business closing time.
4053 "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
4054 "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
4055 # allow the value 60 if it allows leap-seconds.
4056 "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
4057 },
4058 "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
4059 # and time zone are either specified elsewhere or are not significant. The date
4060 # is relative to the Proleptic Gregorian Calendar. This can represent:
4061 #
4062 # * A full date, with non-zero year, month and day values
4063 # * A month and day value, with a zero year, e.g. an anniversary
4064 # * A year on its own, with zero month and day values
4065 # * A year and month value, with a zero day, e.g. a credit card expiration date
4066 #
4067 # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
4068 "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
4069 # a year.
4070 "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
4071 # if specifying a year by itself or a year and month where the day is not
4072 # significant.
4073 "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
4074 # month and day.
4075 },
4076 "stringValue": "A String",
4077 "booleanValue": True or False,
4078 "integerValue": "A String",
4079 },
4080 },
4081 },
4082 "condition": { # A condition for determining whether a transformation should be applied to # Only apply the transformation if the condition evaluates to true for the
4083 # given `RecordCondition`. The conditions are allowed to reference fields
4084 # that are not used in the actual transformation. [optional]
4085 #
4086 # Example Use Cases:
4087 #
4088 # - Apply a different bucket transformation to an age column if the zip code
4089 # column for the same record is within a specific range.
4090 # - Redact a field if the date of birth field is greater than 85.
4091 # a field.
4092 "expressions": { # An expression, consisting or an operator and conditions. # An expression.
4093 "conditions": { # A collection of conditions.
4094 "conditions": [
4095 { # The field type of `value` and `field` do not need to match to be
4096 # considered equal, but not all comparisons are possible.
4097 # EQUAL_TO and NOT_EQUAL_TO attempt to compare even with incompatible types,
4098 # but all other comparisons are invalid with incompatible types.
4099 # A `value` of type:
4100 #
4101 # - `string` can be compared against all other types
4102 # - `boolean` can only be compared against other booleans
4103 # - `integer` can be compared against doubles or a string if the string value
4104 # can be parsed as an integer.
4105 # - `double` can be compared against integers or a string if the string can
4106 # be parsed as a double.
4107 # - `Timestamp` can be compared against strings in RFC 3339 date string
4108 # format.
4109 # - `TimeOfDay` can be compared against timestamps and strings in the format
4110 # of 'HH:mm:ss'.
4111 #
4112 # If we fail to compare do to type mismatch, a warning will be given and
4113 # the condition will evaluate to false.
4114 "operator": "A String", # Operator used to compare the field or infoType to the value. [required]
4115 "field": { # General identifier of a data field in a storage service. # Field within the record this condition is evaluated against. [required]
4116 "name": "A String", # Name describing the field.
4117 },
4118 "value": { # Set of primitive values supported by the system. # Value to compare against. [Required, except for `EXISTS` tests.]
4119 # Note that for the purposes of inspection or transformation, the number
4120 # of bytes considered to comprise a 'Value' is based on its representation
4121 # as a UTF-8 encoded string. For example, if 'integer_value' is set to
4122 # 123456789, the number of bytes would be counted as 9, even though an
4123 # int64 only holds up to 8 bytes of data.
4124 "floatValue": 3.14,
4125 "timestampValue": "A String",
4126 "dayOfWeekValue": "A String",
4127 "timeValue": { # Represents a time of day. The date and time zone are either not significant
4128 # or are specified elsewhere. An API may choose to allow leap seconds. Related
4129 # types are google.type.Date and `google.protobuf.Timestamp`.
4130 "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
4131 # to allow the value "24:00:00" for scenarios like business closing time.
4132 "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
4133 "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
4134 # allow the value 60 if it allows leap-seconds.
4135 "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
4136 },
4137 "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
4138 # and time zone are either specified elsewhere or are not significant. The date
4139 # is relative to the Proleptic Gregorian Calendar. This can represent:
4140 #
4141 # * A full date, with non-zero year, month and day values
4142 # * A month and day value, with a zero year, e.g. an anniversary
4143 # * A year on its own, with zero month and day values
4144 # * A year and month value, with a zero day, e.g. a credit card expiration date
4145 #
4146 # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
4147 "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
4148 # a year.
4149 "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
4150 # if specifying a year by itself or a year and month where the day is not
4151 # significant.
4152 "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
4153 # month and day.
4154 },
4155 "stringValue": "A String",
4156 "booleanValue": True or False,
4157 "integerValue": "A String",
4158 },
4159 },
4160 ],
4161 },
4162 "logicalOperator": "A String", # The operator to apply to the result of conditions. Default and currently
4163 # only supported value is `AND`.
4164 },
4165 },
4166 "fields": [ # Input field(s) to apply the transformation to. [required]
4167 { # General identifier of a data field in a storage service.
4168 "name": "A String", # Name describing the field.
4169 },
4170 ],
4171 },
4172 ],
4173 },
4174 },
4175 "createTime": "A String", # The creation timestamp of a inspectTemplate, output only field.
4176 "name": "A String", # The template name. Output only.
4177 #
4178 # The template will have one of the following formats:
4179 # `projects/PROJECT_ID/deidentifyTemplates/TEMPLATE_ID` OR
4180 # `organizations/ORGANIZATION_ID/deidentifyTemplates/TEMPLATE_ID`
4181 }</pre>
4182</div>
4183
4184<div class="method">
4185 <code class="details" id="delete">delete(name, x__xgafv=None)</code>
4186 <pre>Deletes a DeidentifyTemplate.
4187See https://cloud.google.com/dlp/docs/creating-templates-deid to learn
4188more.
4189
4190Args:
4191 name: string, Resource name of the organization and deidentify template to be deleted,
4192for example `organizations/433245324/deidentifyTemplates/432452342` or
4193projects/project-id/deidentifyTemplates/432452342. (required)
4194 x__xgafv: string, V1 error format.
4195 Allowed values
4196 1 - v1 error format
4197 2 - v2 error format
4198
4199Returns:
4200 An object of the form:
4201
4202 { # A generic empty message that you can re-use to avoid defining duplicated
4203 # empty messages in your APIs. A typical example is to use it as the request
4204 # or the response type of an API method. For instance:
4205 #
4206 # service Foo {
4207 # rpc Bar(google.protobuf.Empty) returns (google.protobuf.Empty);
4208 # }
4209 #
4210 # The JSON representation for `Empty` is empty JSON object `{}`.
4211 }</pre>
4212</div>
4213
4214<div class="method">
4215 <code class="details" id="get">get(name, x__xgafv=None)</code>
4216 <pre>Gets a DeidentifyTemplate.
4217See https://cloud.google.com/dlp/docs/creating-templates-deid to learn
4218more.
4219
4220Args:
4221 name: string, Resource name of the organization and deidentify template to be read, for
4222example `organizations/433245324/deidentifyTemplates/432452342` or
4223projects/project-id/deidentifyTemplates/432452342. (required)
4224 x__xgafv: string, V1 error format.
4225 Allowed values
4226 1 - v1 error format
4227 2 - v2 error format
4228
4229Returns:
4230 An object of the form:
4231
4232 { # The DeidentifyTemplates contains instructions on how to deidentify content.
4233 # See https://cloud.google.com/dlp/docs/concepts-templates to learn more.
4234 "updateTime": "A String", # The last update timestamp of a inspectTemplate, output only field.
4235 "displayName": "A String", # Display name (max 256 chars).
4236 "description": "A String", # Short description (max 256 chars).
4237 "deidentifyConfig": { # The configuration that controls how the data will change. # ///////////// // The core content of the template // ///////////////
4238 "infoTypeTransformations": { # A type of transformation that will scan unstructured text and # Treat the dataset as free-form text and apply the same free text
4239 # transformation everywhere.
4240 # apply various `PrimitiveTransformation`s to each finding, where the
4241 # transformation is applied to only values that were identified as a specific
4242 # info_type.
4243 "transformations": [ # Transformation for each infoType. Cannot specify more than one
4244 # for a given infoType. [required]
4245 { # A transformation to apply to text that is identified as a specific
4246 # info_type.
4247 "primitiveTransformation": { # A rule for transforming a value. # Primitive transformation to apply to the infoType. [required]
4248 "characterMaskConfig": { # Partially mask a string by replacing a given number of characters with a
4249 # fixed character. Masking can start from the beginning or end of the string.
4250 # This can be used on data of any type (numbers, longs, and so on) and when
4251 # de-identifying structured data we'll attempt to preserve the original data's
4252 # type. (This allows you to take a long like 123 and modify it to a string like
4253 # **3.
4254 "charactersToIgnore": [ # When masking a string, items in this list will be skipped when replacing.
4255 # For example, if your string is 555-555-5555 and you ask us to skip `-` and
4256 # mask 5 chars with * we would produce ***-*55-5555.
4257 { # Characters to skip when doing deidentification of a value. These will be left
4258 # alone and skipped.
4259 "commonCharactersToIgnore": "A String",
4260 "charactersToSkip": "A String",
4261 },
4262 ],
4263 "numberToMask": 42, # Number of characters to mask. If not set, all matching chars will be
4264 # masked. Skipped characters do not count towards this tally.
4265 "maskingCharacter": "A String", # Character to mask the sensitive values&mdash;for example, "*" for an
4266 # alphabetic string such as name, or "0" for a numeric string such as ZIP
4267 # code or credit card number. String must have length 1. If not supplied, we
4268 # will default to "*" for strings, 0 for digits.
4269 "reverseOrder": True or False, # Mask characters in reverse order. For example, if `masking_character` is
4270 # '0', number_to_mask is 14, and `reverse_order` is false, then
4271 # 1234-5678-9012-3456 -> 00000000000000-3456
4272 # If `masking_character` is '*', `number_to_mask` is 3, and `reverse_order`
4273 # is true, then 12345 -> 12***
4274 },
4275 "redactConfig": { # Redact a given value. For example, if used with an `InfoTypeTransformation`
4276 # transforming PHONE_NUMBER, and input 'My phone number is 206-555-0123', the
4277 # output would be 'My phone number is '.
4278 },
4279 "cryptoDeterministicConfig": { # Pseudonymization method that generates deterministic encryption for the given
4280 # input. Outputs a base64 encoded representation of the encrypted output.
4281 # Uses AES-SIV based on the RFC https://tools.ietf.org/html/rfc5297.
4282 "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the encryption function.
4283 # a key encryption key (KEK) stored by KMS).
4284 # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
4285 # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
4286 # unwrap the data crypto key.
4287 "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS.
4288 # The wrapped key must be a 128/192/256 bit key.
4289 # Authorization requires the following IAM permissions when sending a request
4290 # to perform a crypto transformation using a kms-wrapped crypto key:
4291 # dlp.kms.encrypt
4292 "cryptoKeyName": "A String", # The resource name of the KMS CryptoKey to use for unwrapping. [required]
4293 "wrappedKey": "A String", # The wrapped data crypto key. [required]
4294 },
4295 "unwrapped": { # Using raw keys is prone to security risks due to accidentally
4296 # leaking the key. Choose another type of key if possible.
4297 "key": "A String", # A 128/192/256 bit key. [required]
4298 },
4299 "transient": { # Use this to have a random data crypto key generated.
4300 # It will be discarded after the request finishes.
4301 "name": "A String", # Name of the key. [required]
4302 # This is an arbitrary string used to differentiate different keys.
4303 # A unique key is generated per name: two separate `TransientCryptoKey`
4304 # protos share the same generated key if their names are the same.
4305 # When the data crypto key is generated, this name is not used in any way
4306 # (repeating the api call will result in a different key being generated).
4307 },
4308 },
4309 "context": { # General identifier of a data field in a storage service. # Optional. A context may be used for higher security and maintaining
4310 # referential integrity such that the same identifier in two different
4311 # contexts will be given a distinct surrogate. The context is appended to
4312 # plaintext value being encrypted. On decryption the provided context is
4313 # validated against the value used during encryption. If a context was
4314 # provided during encryption, same context must be provided during decryption
4315 # as well.
4316 #
4317 # If the context is not set, plaintext would be used as is for encryption.
4318 # If the context is set but:
4319 #
4320 # 1. there is no record present when transforming a given value or
4321 # 2. the field is not present when transforming a given value,
4322 #
4323 # plaintext would be used as is for encryption.
4324 #
4325 # Note that case (1) is expected when an `InfoTypeTransformation` is
4326 # applied to both structured and non-structured `ContentItem`s.
4327 "name": "A String", # Name describing the field.
4328 },
4329 "surrogateInfoType": { # Type of information detected by the API. # The custom info type to annotate the surrogate with.
4330 # This annotation will be applied to the surrogate by prefixing it with
4331 # the name of the custom info type followed by the number of
4332 # characters comprising the surrogate. The following scheme defines the
4333 # format: <info type name>(<surrogate character count>):<surrogate>
4334 #
4335 # For example, if the name of custom info type is 'MY_TOKEN_INFO_TYPE' and
4336 # the surrogate is 'abc', the full replacement value
4337 # will be: 'MY_TOKEN_INFO_TYPE(3):abc'
4338 #
4339 # This annotation identifies the surrogate when inspecting content using the
4340 # custom info type 'Surrogate'. This facilitates reversal of the
4341 # surrogate when it occurs in free text.
4342 #
4343 # In order for inspection to work properly, the name of this info type must
4344 # not occur naturally anywhere in your data; otherwise, inspection may either
4345 #
4346 # - reverse a surrogate that does not correspond to an actual identifier
4347 # - be unable to parse the surrogate and result in an error
4348 #
4349 # Therefore, choose your custom info type name carefully after considering
4350 # what your data looks like. One way to select a name that has a high chance
4351 # of yielding reliable detection is to include one or more unicode characters
4352 # that are highly improbable to exist in your data.
4353 # For example, assuming your data is entered from a regular ASCII keyboard,
4354 # the symbol with the hex code point 29DD might be used like so:
4355 # ⧝MY_TOKEN_TYPE
4356 "name": "A String", # Name of the information type. Either a name of your choosing when
4357 # creating a CustomInfoType, or one of the names listed
4358 # at https://cloud.google.com/dlp/docs/infotypes-reference when specifying
4359 # a built-in type. InfoType names should conform to the pattern
4360 # [a-zA-Z0-9_]{1,64}.
4361 },
4362 },
4363 "fixedSizeBucketingConfig": { # Buckets values based on fixed size ranges. The
4364 # Bucketing transformation can provide all of this functionality,
4365 # but requires more configuration. This message is provided as a convenience to
4366 # the user for simple bucketing strategies.
4367 #
4368 # The transformed value will be a hyphenated string of
4369 # <lower_bound>-<upper_bound>, i.e if lower_bound = 10 and upper_bound = 20
4370 # all values that are within this bucket will be replaced with "10-20".
4371 #
4372 # This can be used on data of type: double, long.
4373 #
4374 # If the bound Value type differs from the type of data
4375 # being transformed, we will first attempt converting the type of the data to
4376 # be transformed to match the type of the bound before comparing.
4377 #
4378 # See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more.
4379 "lowerBound": { # Set of primitive values supported by the system. # Lower bound value of buckets. All values less than `lower_bound` are
4380 # grouped together into a single bucket; for example if `lower_bound` = 10,
4381 # then all values less than 10 are replaced with the value “-10”. [Required].
4382 # Note that for the purposes of inspection or transformation, the number
4383 # of bytes considered to comprise a 'Value' is based on its representation
4384 # as a UTF-8 encoded string. For example, if 'integer_value' is set to
4385 # 123456789, the number of bytes would be counted as 9, even though an
4386 # int64 only holds up to 8 bytes of data.
4387 "floatValue": 3.14,
4388 "timestampValue": "A String",
4389 "dayOfWeekValue": "A String",
4390 "timeValue": { # Represents a time of day. The date and time zone are either not significant
4391 # or are specified elsewhere. An API may choose to allow leap seconds. Related
4392 # types are google.type.Date and `google.protobuf.Timestamp`.
4393 "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
4394 # to allow the value "24:00:00" for scenarios like business closing time.
4395 "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
4396 "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
4397 # allow the value 60 if it allows leap-seconds.
4398 "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
4399 },
4400 "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
4401 # and time zone are either specified elsewhere or are not significant. The date
4402 # is relative to the Proleptic Gregorian Calendar. This can represent:
4403 #
4404 # * A full date, with non-zero year, month and day values
4405 # * A month and day value, with a zero year, e.g. an anniversary
4406 # * A year on its own, with zero month and day values
4407 # * A year and month value, with a zero day, e.g. a credit card expiration date
4408 #
4409 # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
4410 "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
4411 # a year.
4412 "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
4413 # if specifying a year by itself or a year and month where the day is not
4414 # significant.
4415 "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
4416 # month and day.
4417 },
4418 "stringValue": "A String",
4419 "booleanValue": True or False,
4420 "integerValue": "A String",
4421 },
4422 "upperBound": { # Set of primitive values supported by the system. # Upper bound value of buckets. All values greater than upper_bound are
4423 # grouped together into a single bucket; for example if `upper_bound` = 89,
4424 # then all values greater than 89 are replaced with the value “89+”.
4425 # [Required].
4426 # Note that for the purposes of inspection or transformation, the number
4427 # of bytes considered to comprise a 'Value' is based on its representation
4428 # as a UTF-8 encoded string. For example, if 'integer_value' is set to
4429 # 123456789, the number of bytes would be counted as 9, even though an
4430 # int64 only holds up to 8 bytes of data.
4431 "floatValue": 3.14,
4432 "timestampValue": "A String",
4433 "dayOfWeekValue": "A String",
4434 "timeValue": { # Represents a time of day. The date and time zone are either not significant
4435 # or are specified elsewhere. An API may choose to allow leap seconds. Related
4436 # types are google.type.Date and `google.protobuf.Timestamp`.
4437 "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
4438 # to allow the value "24:00:00" for scenarios like business closing time.
4439 "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
4440 "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
4441 # allow the value 60 if it allows leap-seconds.
4442 "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
4443 },
4444 "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
4445 # and time zone are either specified elsewhere or are not significant. The date
4446 # is relative to the Proleptic Gregorian Calendar. This can represent:
4447 #
4448 # * A full date, with non-zero year, month and day values
4449 # * A month and day value, with a zero year, e.g. an anniversary
4450 # * A year on its own, with zero month and day values
4451 # * A year and month value, with a zero day, e.g. a credit card expiration date
4452 #
4453 # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
4454 "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
4455 # a year.
4456 "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
4457 # if specifying a year by itself or a year and month where the day is not
4458 # significant.
4459 "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
4460 # month and day.
4461 },
4462 "stringValue": "A String",
4463 "booleanValue": True or False,
4464 "integerValue": "A String",
4465 },
4466 "bucketSize": 3.14, # Size of each bucket (except for minimum and maximum buckets). So if
4467 # `lower_bound` = 10, `upper_bound` = 89, and `bucket_size` = 10, then the
4468 # following buckets would be used: -10, 10-20, 20-30, 30-40, 40-50, 50-60,
4469 # 60-70, 70-80, 80-89, 89+. Precision up to 2 decimals works. [Required].
4470 },
4471 "replaceWithInfoTypeConfig": { # Replace each matching finding with the name of the info_type.
4472 },
4473 "timePartConfig": { # For use with `Date`, `Timestamp`, and `TimeOfDay`, extract or preserve a
4474 # portion of the value.
4475 "partToExtract": "A String",
4476 },
4477 "cryptoHashConfig": { # Pseudonymization method that generates surrogates via cryptographic hashing.
4478 # Uses SHA-256.
4479 # The key size must be either 32 or 64 bytes.
4480 # Outputs a base64 encoded representation of the hashed output
4481 # (for example, L7k0BHmF1ha5U3NfGykjro4xWi1MPVQPjhMAZbSV9mM=).
4482 # Currently, only string and integer values can be hashed.
4483 # See https://cloud.google.com/dlp/docs/pseudonymization to learn more.
4484 "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the hash function.
4485 # a key encryption key (KEK) stored by KMS).
4486 # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
4487 # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
4488 # unwrap the data crypto key.
4489 "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS.
4490 # The wrapped key must be a 128/192/256 bit key.
4491 # Authorization requires the following IAM permissions when sending a request
4492 # to perform a crypto transformation using a kms-wrapped crypto key:
4493 # dlp.kms.encrypt
4494 "cryptoKeyName": "A String", # The resource name of the KMS CryptoKey to use for unwrapping. [required]
4495 "wrappedKey": "A String", # The wrapped data crypto key. [required]
4496 },
4497 "unwrapped": { # Using raw keys is prone to security risks due to accidentally
4498 # leaking the key. Choose another type of key if possible.
4499 "key": "A String", # A 128/192/256 bit key. [required]
4500 },
4501 "transient": { # Use this to have a random data crypto key generated.
4502 # It will be discarded after the request finishes.
4503 "name": "A String", # Name of the key. [required]
4504 # This is an arbitrary string used to differentiate different keys.
4505 # A unique key is generated per name: two separate `TransientCryptoKey`
4506 # protos share the same generated key if their names are the same.
4507 # When the data crypto key is generated, this name is not used in any way
4508 # (repeating the api call will result in a different key being generated).
4509 },
4510 },
4511 },
4512 "dateShiftConfig": { # Shifts dates by random number of days, with option to be consistent for the
4513 # same context. See https://cloud.google.com/dlp/docs/concepts-date-shifting
4514 # to learn more.
4515 "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # Causes the shift to be computed based on this key and the context. This
4516 # results in the same shift for the same context and crypto_key.
4517 # a key encryption key (KEK) stored by KMS).
4518 # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
4519 # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
4520 # unwrap the data crypto key.
4521 "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS.
4522 # The wrapped key must be a 128/192/256 bit key.
4523 # Authorization requires the following IAM permissions when sending a request
4524 # to perform a crypto transformation using a kms-wrapped crypto key:
4525 # dlp.kms.encrypt
4526 "cryptoKeyName": "A String", # The resource name of the KMS CryptoKey to use for unwrapping. [required]
4527 "wrappedKey": "A String", # The wrapped data crypto key. [required]
4528 },
4529 "unwrapped": { # Using raw keys is prone to security risks due to accidentally
4530 # leaking the key. Choose another type of key if possible.
4531 "key": "A String", # A 128/192/256 bit key. [required]
4532 },
4533 "transient": { # Use this to have a random data crypto key generated.
4534 # It will be discarded after the request finishes.
4535 "name": "A String", # Name of the key. [required]
4536 # This is an arbitrary string used to differentiate different keys.
4537 # A unique key is generated per name: two separate `TransientCryptoKey`
4538 # protos share the same generated key if their names are the same.
4539 # When the data crypto key is generated, this name is not used in any way
4540 # (repeating the api call will result in a different key being generated).
4541 },
4542 },
4543 "lowerBoundDays": 42, # For example, -5 means shift date to at most 5 days back in the past.
4544 # [Required]
4545 "upperBoundDays": 42, # Range of shift in days. Actual shift will be selected at random within this
4546 # range (inclusive ends). Negative means shift to earlier in time. Must not
4547 # be more than 365250 days (1000 years) each direction.
4548 #
4549 # For example, 3 means shift date to at most 3 days into the future.
4550 # [Required]
4551 "context": { # General identifier of a data field in a storage service. # Points to the field that contains the context, for example, an entity id.
4552 # If set, must also set method. If set, shift will be consistent for the
4553 # given context.
4554 "name": "A String", # Name describing the field.
4555 },
4556 },
4557 "bucketingConfig": { # Generalization function that buckets values based on ranges. The ranges and
4558 # replacement values are dynamically provided by the user for custom behavior,
4559 # such as 1-30 -> LOW 31-65 -> MEDIUM 66-100 -> HIGH
4560 # This can be used on
4561 # data of type: number, long, string, timestamp.
4562 # If the bound `Value` type differs from the type of data being transformed, we
4563 # will first attempt converting the type of the data to be transformed to match
4564 # the type of the bound before comparing.
4565 # See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more.
4566 "buckets": [ # Set of buckets. Ranges must be non-overlapping.
4567 { # Bucket is represented as a range, along with replacement values.
4568 "max": { # Set of primitive values supported by the system. # Upper bound of the range, exclusive; type must match min.
4569 # Note that for the purposes of inspection or transformation, the number
4570 # of bytes considered to comprise a 'Value' is based on its representation
4571 # as a UTF-8 encoded string. For example, if 'integer_value' is set to
4572 # 123456789, the number of bytes would be counted as 9, even though an
4573 # int64 only holds up to 8 bytes of data.
4574 "floatValue": 3.14,
4575 "timestampValue": "A String",
4576 "dayOfWeekValue": "A String",
4577 "timeValue": { # Represents a time of day. The date and time zone are either not significant
4578 # or are specified elsewhere. An API may choose to allow leap seconds. Related
4579 # types are google.type.Date and `google.protobuf.Timestamp`.
4580 "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
4581 # to allow the value "24:00:00" for scenarios like business closing time.
4582 "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
4583 "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
4584 # allow the value 60 if it allows leap-seconds.
4585 "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
4586 },
4587 "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
4588 # and time zone are either specified elsewhere or are not significant. The date
4589 # is relative to the Proleptic Gregorian Calendar. This can represent:
4590 #
4591 # * A full date, with non-zero year, month and day values
4592 # * A month and day value, with a zero year, e.g. an anniversary
4593 # * A year on its own, with zero month and day values
4594 # * A year and month value, with a zero day, e.g. a credit card expiration date
4595 #
4596 # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
4597 "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
4598 # a year.
4599 "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
4600 # if specifying a year by itself or a year and month where the day is not
4601 # significant.
4602 "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
4603 # month and day.
4604 },
4605 "stringValue": "A String",
4606 "booleanValue": True or False,
4607 "integerValue": "A String",
4608 },
4609 "replacementValue": { # Set of primitive values supported by the system. # Replacement value for this bucket. If not provided
4610 # the default behavior will be to hyphenate the min-max range.
4611 # Note that for the purposes of inspection or transformation, the number
4612 # of bytes considered to comprise a 'Value' is based on its representation
4613 # as a UTF-8 encoded string. For example, if 'integer_value' is set to
4614 # 123456789, the number of bytes would be counted as 9, even though an
4615 # int64 only holds up to 8 bytes of data.
4616 "floatValue": 3.14,
4617 "timestampValue": "A String",
4618 "dayOfWeekValue": "A String",
4619 "timeValue": { # Represents a time of day. The date and time zone are either not significant
4620 # or are specified elsewhere. An API may choose to allow leap seconds. Related
4621 # types are google.type.Date and `google.protobuf.Timestamp`.
4622 "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
4623 # to allow the value "24:00:00" for scenarios like business closing time.
4624 "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
4625 "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
4626 # allow the value 60 if it allows leap-seconds.
4627 "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
4628 },
4629 "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
4630 # and time zone are either specified elsewhere or are not significant. The date
4631 # is relative to the Proleptic Gregorian Calendar. This can represent:
4632 #
4633 # * A full date, with non-zero year, month and day values
4634 # * A month and day value, with a zero year, e.g. an anniversary
4635 # * A year on its own, with zero month and day values
4636 # * A year and month value, with a zero day, e.g. a credit card expiration date
4637 #
4638 # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
4639 "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
4640 # a year.
4641 "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
4642 # if specifying a year by itself or a year and month where the day is not
4643 # significant.
4644 "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
4645 # month and day.
4646 },
4647 "stringValue": "A String",
4648 "booleanValue": True or False,
4649 "integerValue": "A String",
4650 },
4651 "min": { # Set of primitive values supported by the system. # Lower bound of the range, inclusive. Type should be the same as max if
4652 # used.
4653 # Note that for the purposes of inspection or transformation, the number
4654 # of bytes considered to comprise a 'Value' is based on its representation
4655 # as a UTF-8 encoded string. For example, if 'integer_value' is set to
4656 # 123456789, the number of bytes would be counted as 9, even though an
4657 # int64 only holds up to 8 bytes of data.
4658 "floatValue": 3.14,
4659 "timestampValue": "A String",
4660 "dayOfWeekValue": "A String",
4661 "timeValue": { # Represents a time of day. The date and time zone are either not significant
4662 # or are specified elsewhere. An API may choose to allow leap seconds. Related
4663 # types are google.type.Date and `google.protobuf.Timestamp`.
4664 "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
4665 # to allow the value "24:00:00" for scenarios like business closing time.
4666 "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
4667 "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
4668 # allow the value 60 if it allows leap-seconds.
4669 "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
4670 },
4671 "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
4672 # and time zone are either specified elsewhere or are not significant. The date
4673 # is relative to the Proleptic Gregorian Calendar. This can represent:
4674 #
4675 # * A full date, with non-zero year, month and day values
4676 # * A month and day value, with a zero year, e.g. an anniversary
4677 # * A year on its own, with zero month and day values
4678 # * A year and month value, with a zero day, e.g. a credit card expiration date
4679 #
4680 # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
4681 "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
4682 # a year.
4683 "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
4684 # if specifying a year by itself or a year and month where the day is not
4685 # significant.
4686 "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
4687 # month and day.
4688 },
4689 "stringValue": "A String",
4690 "booleanValue": True or False,
4691 "integerValue": "A String",
4692 },
4693 },
4694 ],
4695 },
4696 "cryptoReplaceFfxFpeConfig": { # Replaces an identifier with a surrogate using Format Preserving Encryption
4697 # (FPE) with the FFX mode of operation; however when used in the
4698 # `ReidentifyContent` API method, it serves the opposite function by reversing
4699 # the surrogate back into the original identifier. The identifier must be
4700 # encoded as ASCII. For a given crypto key and context, the same identifier
4701 # will be replaced with the same surrogate. Identifiers must be at least two
4702 # characters long. In the case that the identifier is the empty string, it will
4703 # be skipped. See https://cloud.google.com/dlp/docs/pseudonymization to learn
4704 # more.
4705 #
4706 # Note: We recommend using CryptoDeterministicConfig for all use cases which
4707 # do not require preserving the input alphabet space and size, plus warrant
4708 # referential integrity.
4709 "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the encryption algorithm. [required]
4710 # a key encryption key (KEK) stored by KMS).
4711 # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
4712 # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
4713 # unwrap the data crypto key.
4714 "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS.
4715 # The wrapped key must be a 128/192/256 bit key.
4716 # Authorization requires the following IAM permissions when sending a request
4717 # to perform a crypto transformation using a kms-wrapped crypto key:
4718 # dlp.kms.encrypt
4719 "cryptoKeyName": "A String", # The resource name of the KMS CryptoKey to use for unwrapping. [required]
4720 "wrappedKey": "A String", # The wrapped data crypto key. [required]
4721 },
4722 "unwrapped": { # Using raw keys is prone to security risks due to accidentally
4723 # leaking the key. Choose another type of key if possible.
4724 "key": "A String", # A 128/192/256 bit key. [required]
4725 },
4726 "transient": { # Use this to have a random data crypto key generated.
4727 # It will be discarded after the request finishes.
4728 "name": "A String", # Name of the key. [required]
4729 # This is an arbitrary string used to differentiate different keys.
4730 # A unique key is generated per name: two separate `TransientCryptoKey`
4731 # protos share the same generated key if their names are the same.
4732 # When the data crypto key is generated, this name is not used in any way
4733 # (repeating the api call will result in a different key being generated).
4734 },
4735 },
4736 "radix": 42, # The native way to select the alphabet. Must be in the range [2, 62].
4737 "commonAlphabet": "A String",
4738 "customAlphabet": "A String", # This is supported by mapping these to the alphanumeric characters
4739 # that the FFX mode natively supports. This happens before/after
4740 # encryption/decryption.
4741 # Each character listed must appear only once.
4742 # Number of characters must be in the range [2, 62].
4743 # This must be encoded as ASCII.
4744 # The order of characters does not matter.
4745 "context": { # General identifier of a data field in a storage service. # The 'tweak', a context may be used for higher security since the same
4746 # identifier in two different contexts won't be given the same surrogate. If
4747 # the context is not set, a default tweak will be used.
4748 #
4749 # If the context is set but:
4750 #
4751 # 1. there is no record present when transforming a given value or
4752 # 1. the field is not present when transforming a given value,
4753 #
4754 # a default tweak will be used.
4755 #
4756 # Note that case (1) is expected when an `InfoTypeTransformation` is
4757 # applied to both structured and non-structured `ContentItem`s.
4758 # Currently, the referenced field may be of value type integer or string.
4759 #
4760 # The tweak is constructed as a sequence of bytes in big endian byte order
4761 # such that:
4762 #
4763 # - a 64 bit integer is encoded followed by a single byte of value 1
4764 # - a string is encoded in UTF-8 format followed by a single byte of value 2
4765 "name": "A String", # Name describing the field.
4766 },
4767 "surrogateInfoType": { # Type of information detected by the API. # The custom infoType to annotate the surrogate with.
4768 # This annotation will be applied to the surrogate by prefixing it with
4769 # the name of the custom infoType followed by the number of
4770 # characters comprising the surrogate. The following scheme defines the
4771 # format: info_type_name(surrogate_character_count):surrogate
4772 #
4773 # For example, if the name of custom infoType is 'MY_TOKEN_INFO_TYPE' and
4774 # the surrogate is 'abc', the full replacement value
4775 # will be: 'MY_TOKEN_INFO_TYPE(3):abc'
4776 #
4777 # This annotation identifies the surrogate when inspecting content using the
4778 # custom infoType
4779 # [`SurrogateType`](/dlp/docs/reference/rest/v2/InspectConfig#surrogatetype).
4780 # This facilitates reversal of the surrogate when it occurs in free text.
4781 #
4782 # In order for inspection to work properly, the name of this infoType must
4783 # not occur naturally anywhere in your data; otherwise, inspection may
4784 # find a surrogate that does not correspond to an actual identifier.
4785 # Therefore, choose your custom infoType name carefully after considering
4786 # what your data looks like. One way to select a name that has a high chance
4787 # of yielding reliable detection is to include one or more unicode characters
4788 # that are highly improbable to exist in your data.
4789 # For example, assuming your data is entered from a regular ASCII keyboard,
4790 # the symbol with the hex code point 29DD might be used like so:
4791 # ⧝MY_TOKEN_TYPE
4792 "name": "A String", # Name of the information type. Either a name of your choosing when
4793 # creating a CustomInfoType, or one of the names listed
4794 # at https://cloud.google.com/dlp/docs/infotypes-reference when specifying
4795 # a built-in type. InfoType names should conform to the pattern
4796 # [a-zA-Z0-9_]{1,64}.
4797 },
4798 },
4799 "replaceConfig": { # Replace each input value with a given `Value`.
4800 "newValue": { # Set of primitive values supported by the system. # Value to replace it with.
4801 # Note that for the purposes of inspection or transformation, the number
4802 # of bytes considered to comprise a 'Value' is based on its representation
4803 # as a UTF-8 encoded string. For example, if 'integer_value' is set to
4804 # 123456789, the number of bytes would be counted as 9, even though an
4805 # int64 only holds up to 8 bytes of data.
4806 "floatValue": 3.14,
4807 "timestampValue": "A String",
4808 "dayOfWeekValue": "A String",
4809 "timeValue": { # Represents a time of day. The date and time zone are either not significant
4810 # or are specified elsewhere. An API may choose to allow leap seconds. Related
4811 # types are google.type.Date and `google.protobuf.Timestamp`.
4812 "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
4813 # to allow the value "24:00:00" for scenarios like business closing time.
4814 "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
4815 "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
4816 # allow the value 60 if it allows leap-seconds.
4817 "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
4818 },
4819 "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
4820 # and time zone are either specified elsewhere or are not significant. The date
4821 # is relative to the Proleptic Gregorian Calendar. This can represent:
4822 #
4823 # * A full date, with non-zero year, month and day values
4824 # * A month and day value, with a zero year, e.g. an anniversary
4825 # * A year on its own, with zero month and day values
4826 # * A year and month value, with a zero day, e.g. a credit card expiration date
4827 #
4828 # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
4829 "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
4830 # a year.
4831 "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
4832 # if specifying a year by itself or a year and month where the day is not
4833 # significant.
4834 "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
4835 # month and day.
4836 },
4837 "stringValue": "A String",
4838 "booleanValue": True or False,
4839 "integerValue": "A String",
4840 },
4841 },
4842 },
4843 "infoTypes": [ # InfoTypes to apply the transformation to. An empty list will cause
4844 # this transformation to apply to all findings that correspond to
4845 # infoTypes that were requested in `InspectConfig`.
4846 { # Type of information detected by the API.
4847 "name": "A String", # Name of the information type. Either a name of your choosing when
4848 # creating a CustomInfoType, or one of the names listed
4849 # at https://cloud.google.com/dlp/docs/infotypes-reference when specifying
4850 # a built-in type. InfoType names should conform to the pattern
4851 # [a-zA-Z0-9_]{1,64}.
4852 },
4853 ],
4854 },
4855 ],
4856 },
4857 "recordTransformations": { # A type of transformation that is applied over structured data such as a # Treat the dataset as structured. Transformations can be applied to
4858 # specific locations within structured datasets, such as transforming
4859 # a column within a table.
4860 # table.
4861 "recordSuppressions": [ # Configuration defining which records get suppressed entirely. Records that
4862 # match any suppression rule are omitted from the output [optional].
4863 { # Configuration to suppress records whose suppression conditions evaluate to
4864 # true.
4865 "condition": { # A condition for determining whether a transformation should be applied to # A condition that when it evaluates to true will result in the record being
4866 # evaluated to be suppressed from the transformed content.
4867 # a field.
4868 "expressions": { # An expression, consisting or an operator and conditions. # An expression.
4869 "conditions": { # A collection of conditions.
4870 "conditions": [
4871 { # The field type of `value` and `field` do not need to match to be
4872 # considered equal, but not all comparisons are possible.
4873 # EQUAL_TO and NOT_EQUAL_TO attempt to compare even with incompatible types,
4874 # but all other comparisons are invalid with incompatible types.
4875 # A `value` of type:
4876 #
4877 # - `string` can be compared against all other types
4878 # - `boolean` can only be compared against other booleans
4879 # - `integer` can be compared against doubles or a string if the string value
4880 # can be parsed as an integer.
4881 # - `double` can be compared against integers or a string if the string can
4882 # be parsed as a double.
4883 # - `Timestamp` can be compared against strings in RFC 3339 date string
4884 # format.
4885 # - `TimeOfDay` can be compared against timestamps and strings in the format
4886 # of 'HH:mm:ss'.
4887 #
4888 # If we fail to compare do to type mismatch, a warning will be given and
4889 # the condition will evaluate to false.
4890 "operator": "A String", # Operator used to compare the field or infoType to the value. [required]
4891 "field": { # General identifier of a data field in a storage service. # Field within the record this condition is evaluated against. [required]
4892 "name": "A String", # Name describing the field.
4893 },
4894 "value": { # Set of primitive values supported by the system. # Value to compare against. [Required, except for `EXISTS` tests.]
4895 # Note that for the purposes of inspection or transformation, the number
4896 # of bytes considered to comprise a 'Value' is based on its representation
4897 # as a UTF-8 encoded string. For example, if 'integer_value' is set to
4898 # 123456789, the number of bytes would be counted as 9, even though an
4899 # int64 only holds up to 8 bytes of data.
4900 "floatValue": 3.14,
4901 "timestampValue": "A String",
4902 "dayOfWeekValue": "A String",
4903 "timeValue": { # Represents a time of day. The date and time zone are either not significant
4904 # or are specified elsewhere. An API may choose to allow leap seconds. Related
4905 # types are google.type.Date and `google.protobuf.Timestamp`.
4906 "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
4907 # to allow the value "24:00:00" for scenarios like business closing time.
4908 "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
4909 "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
4910 # allow the value 60 if it allows leap-seconds.
4911 "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
4912 },
4913 "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
4914 # and time zone are either specified elsewhere or are not significant. The date
4915 # is relative to the Proleptic Gregorian Calendar. This can represent:
4916 #
4917 # * A full date, with non-zero year, month and day values
4918 # * A month and day value, with a zero year, e.g. an anniversary
4919 # * A year on its own, with zero month and day values
4920 # * A year and month value, with a zero day, e.g. a credit card expiration date
4921 #
4922 # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
4923 "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
4924 # a year.
4925 "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
4926 # if specifying a year by itself or a year and month where the day is not
4927 # significant.
4928 "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
4929 # month and day.
4930 },
4931 "stringValue": "A String",
4932 "booleanValue": True or False,
4933 "integerValue": "A String",
4934 },
4935 },
4936 ],
4937 },
4938 "logicalOperator": "A String", # The operator to apply to the result of conditions. Default and currently
4939 # only supported value is `AND`.
4940 },
4941 },
4942 },
4943 ],
4944 "fieldTransformations": [ # Transform the record by applying various field transformations.
4945 { # The transformation to apply to the field.
4946 "infoTypeTransformations": { # A type of transformation that will scan unstructured text and # Treat the contents of the field as free text, and selectively
4947 # transform content that matches an `InfoType`.
4948 # apply various `PrimitiveTransformation`s to each finding, where the
4949 # transformation is applied to only values that were identified as a specific
4950 # info_type.
4951 "transformations": [ # Transformation for each infoType. Cannot specify more than one
4952 # for a given infoType. [required]
4953 { # A transformation to apply to text that is identified as a specific
4954 # info_type.
4955 "primitiveTransformation": { # A rule for transforming a value. # Primitive transformation to apply to the infoType. [required]
4956 "characterMaskConfig": { # Partially mask a string by replacing a given number of characters with a
4957 # fixed character. Masking can start from the beginning or end of the string.
4958 # This can be used on data of any type (numbers, longs, and so on) and when
4959 # de-identifying structured data we'll attempt to preserve the original data's
4960 # type. (This allows you to take a long like 123 and modify it to a string like
4961 # **3.
4962 "charactersToIgnore": [ # When masking a string, items in this list will be skipped when replacing.
4963 # For example, if your string is 555-555-5555 and you ask us to skip `-` and
4964 # mask 5 chars with * we would produce ***-*55-5555.
4965 { # Characters to skip when doing deidentification of a value. These will be left
4966 # alone and skipped.
4967 "commonCharactersToIgnore": "A String",
4968 "charactersToSkip": "A String",
4969 },
4970 ],
4971 "numberToMask": 42, # Number of characters to mask. If not set, all matching chars will be
4972 # masked. Skipped characters do not count towards this tally.
4973 "maskingCharacter": "A String", # Character to mask the sensitive values&mdash;for example, "*" for an
4974 # alphabetic string such as name, or "0" for a numeric string such as ZIP
4975 # code or credit card number. String must have length 1. If not supplied, we
4976 # will default to "*" for strings, 0 for digits.
4977 "reverseOrder": True or False, # Mask characters in reverse order. For example, if `masking_character` is
4978 # '0', number_to_mask is 14, and `reverse_order` is false, then
4979 # 1234-5678-9012-3456 -> 00000000000000-3456
4980 # If `masking_character` is '*', `number_to_mask` is 3, and `reverse_order`
4981 # is true, then 12345 -> 12***
4982 },
4983 "redactConfig": { # Redact a given value. For example, if used with an `InfoTypeTransformation`
4984 # transforming PHONE_NUMBER, and input 'My phone number is 206-555-0123', the
4985 # output would be 'My phone number is '.
4986 },
4987 "cryptoDeterministicConfig": { # Pseudonymization method that generates deterministic encryption for the given
4988 # input. Outputs a base64 encoded representation of the encrypted output.
4989 # Uses AES-SIV based on the RFC https://tools.ietf.org/html/rfc5297.
4990 "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the encryption function.
4991 # a key encryption key (KEK) stored by KMS).
4992 # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
4993 # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
4994 # unwrap the data crypto key.
4995 "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS.
4996 # The wrapped key must be a 128/192/256 bit key.
4997 # Authorization requires the following IAM permissions when sending a request
4998 # to perform a crypto transformation using a kms-wrapped crypto key:
4999 # dlp.kms.encrypt
5000 "cryptoKeyName": "A String", # The resource name of the KMS CryptoKey to use for unwrapping. [required]
5001 "wrappedKey": "A String", # The wrapped data crypto key. [required]
5002 },
5003 "unwrapped": { # Using raw keys is prone to security risks due to accidentally
5004 # leaking the key. Choose another type of key if possible.
5005 "key": "A String", # A 128/192/256 bit key. [required]
5006 },
5007 "transient": { # Use this to have a random data crypto key generated.
5008 # It will be discarded after the request finishes.
5009 "name": "A String", # Name of the key. [required]
5010 # This is an arbitrary string used to differentiate different keys.
5011 # A unique key is generated per name: two separate `TransientCryptoKey`
5012 # protos share the same generated key if their names are the same.
5013 # When the data crypto key is generated, this name is not used in any way
5014 # (repeating the api call will result in a different key being generated).
5015 },
5016 },
5017 "context": { # General identifier of a data field in a storage service. # Optional. A context may be used for higher security and maintaining
5018 # referential integrity such that the same identifier in two different
5019 # contexts will be given a distinct surrogate. The context is appended to
5020 # plaintext value being encrypted. On decryption the provided context is
5021 # validated against the value used during encryption. If a context was
5022 # provided during encryption, same context must be provided during decryption
5023 # as well.
5024 #
5025 # If the context is not set, plaintext would be used as is for encryption.
5026 # If the context is set but:
5027 #
5028 # 1. there is no record present when transforming a given value or
5029 # 2. the field is not present when transforming a given value,
5030 #
5031 # plaintext would be used as is for encryption.
5032 #
5033 # Note that case (1) is expected when an `InfoTypeTransformation` is
5034 # applied to both structured and non-structured `ContentItem`s.
5035 "name": "A String", # Name describing the field.
5036 },
5037 "surrogateInfoType": { # Type of information detected by the API. # The custom info type to annotate the surrogate with.
5038 # This annotation will be applied to the surrogate by prefixing it with
5039 # the name of the custom info type followed by the number of
5040 # characters comprising the surrogate. The following scheme defines the
5041 # format: <info type name>(<surrogate character count>):<surrogate>
5042 #
5043 # For example, if the name of custom info type is 'MY_TOKEN_INFO_TYPE' and
5044 # the surrogate is 'abc', the full replacement value
5045 # will be: 'MY_TOKEN_INFO_TYPE(3):abc'
5046 #
5047 # This annotation identifies the surrogate when inspecting content using the
5048 # custom info type 'Surrogate'. This facilitates reversal of the
5049 # surrogate when it occurs in free text.
5050 #
5051 # In order for inspection to work properly, the name of this info type must
5052 # not occur naturally anywhere in your data; otherwise, inspection may either
5053 #
5054 # - reverse a surrogate that does not correspond to an actual identifier
5055 # - be unable to parse the surrogate and result in an error
5056 #
5057 # Therefore, choose your custom info type name carefully after considering
5058 # what your data looks like. One way to select a name that has a high chance
5059 # of yielding reliable detection is to include one or more unicode characters
5060 # that are highly improbable to exist in your data.
5061 # For example, assuming your data is entered from a regular ASCII keyboard,
5062 # the symbol with the hex code point 29DD might be used like so:
5063 # ⧝MY_TOKEN_TYPE
5064 "name": "A String", # Name of the information type. Either a name of your choosing when
5065 # creating a CustomInfoType, or one of the names listed
5066 # at https://cloud.google.com/dlp/docs/infotypes-reference when specifying
5067 # a built-in type. InfoType names should conform to the pattern
5068 # [a-zA-Z0-9_]{1,64}.
5069 },
5070 },
5071 "fixedSizeBucketingConfig": { # Buckets values based on fixed size ranges. The
5072 # Bucketing transformation can provide all of this functionality,
5073 # but requires more configuration. This message is provided as a convenience to
5074 # the user for simple bucketing strategies.
5075 #
5076 # The transformed value will be a hyphenated string of
5077 # <lower_bound>-<upper_bound>, i.e if lower_bound = 10 and upper_bound = 20
5078 # all values that are within this bucket will be replaced with "10-20".
5079 #
5080 # This can be used on data of type: double, long.
5081 #
5082 # If the bound Value type differs from the type of data
5083 # being transformed, we will first attempt converting the type of the data to
5084 # be transformed to match the type of the bound before comparing.
5085 #
5086 # See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more.
5087 "lowerBound": { # Set of primitive values supported by the system. # Lower bound value of buckets. All values less than `lower_bound` are
5088 # grouped together into a single bucket; for example if `lower_bound` = 10,
5089 # then all values less than 10 are replaced with the value “-10”. [Required].
5090 # Note that for the purposes of inspection or transformation, the number
5091 # of bytes considered to comprise a 'Value' is based on its representation
5092 # as a UTF-8 encoded string. For example, if 'integer_value' is set to
5093 # 123456789, the number of bytes would be counted as 9, even though an
5094 # int64 only holds up to 8 bytes of data.
5095 "floatValue": 3.14,
5096 "timestampValue": "A String",
5097 "dayOfWeekValue": "A String",
5098 "timeValue": { # Represents a time of day. The date and time zone are either not significant
5099 # or are specified elsewhere. An API may choose to allow leap seconds. Related
5100 # types are google.type.Date and `google.protobuf.Timestamp`.
5101 "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
5102 # to allow the value "24:00:00" for scenarios like business closing time.
5103 "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
5104 "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
5105 # allow the value 60 if it allows leap-seconds.
5106 "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
5107 },
5108 "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
5109 # and time zone are either specified elsewhere or are not significant. The date
5110 # is relative to the Proleptic Gregorian Calendar. This can represent:
5111 #
5112 # * A full date, with non-zero year, month and day values
5113 # * A month and day value, with a zero year, e.g. an anniversary
5114 # * A year on its own, with zero month and day values
5115 # * A year and month value, with a zero day, e.g. a credit card expiration date
5116 #
5117 # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
5118 "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
5119 # a year.
5120 "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
5121 # if specifying a year by itself or a year and month where the day is not
5122 # significant.
5123 "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
5124 # month and day.
5125 },
5126 "stringValue": "A String",
5127 "booleanValue": True or False,
5128 "integerValue": "A String",
5129 },
5130 "upperBound": { # Set of primitive values supported by the system. # Upper bound value of buckets. All values greater than upper_bound are
5131 # grouped together into a single bucket; for example if `upper_bound` = 89,
5132 # then all values greater than 89 are replaced with the value “89+”.
5133 # [Required].
5134 # Note that for the purposes of inspection or transformation, the number
5135 # of bytes considered to comprise a 'Value' is based on its representation
5136 # as a UTF-8 encoded string. For example, if 'integer_value' is set to
5137 # 123456789, the number of bytes would be counted as 9, even though an
5138 # int64 only holds up to 8 bytes of data.
5139 "floatValue": 3.14,
5140 "timestampValue": "A String",
5141 "dayOfWeekValue": "A String",
5142 "timeValue": { # Represents a time of day. The date and time zone are either not significant
5143 # or are specified elsewhere. An API may choose to allow leap seconds. Related
5144 # types are google.type.Date and `google.protobuf.Timestamp`.
5145 "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
5146 # to allow the value "24:00:00" for scenarios like business closing time.
5147 "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
5148 "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
5149 # allow the value 60 if it allows leap-seconds.
5150 "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
5151 },
5152 "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
5153 # and time zone are either specified elsewhere or are not significant. The date
5154 # is relative to the Proleptic Gregorian Calendar. This can represent:
5155 #
5156 # * A full date, with non-zero year, month and day values
5157 # * A month and day value, with a zero year, e.g. an anniversary
5158 # * A year on its own, with zero month and day values
5159 # * A year and month value, with a zero day, e.g. a credit card expiration date
5160 #
5161 # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
5162 "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
5163 # a year.
5164 "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
5165 # if specifying a year by itself or a year and month where the day is not
5166 # significant.
5167 "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
5168 # month and day.
5169 },
5170 "stringValue": "A String",
5171 "booleanValue": True or False,
5172 "integerValue": "A String",
5173 },
5174 "bucketSize": 3.14, # Size of each bucket (except for minimum and maximum buckets). So if
5175 # `lower_bound` = 10, `upper_bound` = 89, and `bucket_size` = 10, then the
5176 # following buckets would be used: -10, 10-20, 20-30, 30-40, 40-50, 50-60,
5177 # 60-70, 70-80, 80-89, 89+. Precision up to 2 decimals works. [Required].
5178 },
5179 "replaceWithInfoTypeConfig": { # Replace each matching finding with the name of the info_type.
5180 },
5181 "timePartConfig": { # For use with `Date`, `Timestamp`, and `TimeOfDay`, extract or preserve a
5182 # portion of the value.
5183 "partToExtract": "A String",
5184 },
5185 "cryptoHashConfig": { # Pseudonymization method that generates surrogates via cryptographic hashing.
5186 # Uses SHA-256.
5187 # The key size must be either 32 or 64 bytes.
5188 # Outputs a base64 encoded representation of the hashed output
5189 # (for example, L7k0BHmF1ha5U3NfGykjro4xWi1MPVQPjhMAZbSV9mM=).
5190 # Currently, only string and integer values can be hashed.
5191 # See https://cloud.google.com/dlp/docs/pseudonymization to learn more.
5192 "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the hash function.
5193 # a key encryption key (KEK) stored by KMS).
5194 # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
5195 # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
5196 # unwrap the data crypto key.
5197 "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS.
5198 # The wrapped key must be a 128/192/256 bit key.
5199 # Authorization requires the following IAM permissions when sending a request
5200 # to perform a crypto transformation using a kms-wrapped crypto key:
5201 # dlp.kms.encrypt
5202 "cryptoKeyName": "A String", # The resource name of the KMS CryptoKey to use for unwrapping. [required]
5203 "wrappedKey": "A String", # The wrapped data crypto key. [required]
5204 },
5205 "unwrapped": { # Using raw keys is prone to security risks due to accidentally
5206 # leaking the key. Choose another type of key if possible.
5207 "key": "A String", # A 128/192/256 bit key. [required]
5208 },
5209 "transient": { # Use this to have a random data crypto key generated.
5210 # It will be discarded after the request finishes.
5211 "name": "A String", # Name of the key. [required]
5212 # This is an arbitrary string used to differentiate different keys.
5213 # A unique key is generated per name: two separate `TransientCryptoKey`
5214 # protos share the same generated key if their names are the same.
5215 # When the data crypto key is generated, this name is not used in any way
5216 # (repeating the api call will result in a different key being generated).
5217 },
5218 },
5219 },
5220 "dateShiftConfig": { # Shifts dates by random number of days, with option to be consistent for the
5221 # same context. See https://cloud.google.com/dlp/docs/concepts-date-shifting
5222 # to learn more.
5223 "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # Causes the shift to be computed based on this key and the context. This
5224 # results in the same shift for the same context and crypto_key.
5225 # a key encryption key (KEK) stored by KMS).
5226 # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
5227 # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
5228 # unwrap the data crypto key.
5229 "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS.
5230 # The wrapped key must be a 128/192/256 bit key.
5231 # Authorization requires the following IAM permissions when sending a request
5232 # to perform a crypto transformation using a kms-wrapped crypto key:
5233 # dlp.kms.encrypt
5234 "cryptoKeyName": "A String", # The resource name of the KMS CryptoKey to use for unwrapping. [required]
5235 "wrappedKey": "A String", # The wrapped data crypto key. [required]
5236 },
5237 "unwrapped": { # Using raw keys is prone to security risks due to accidentally
5238 # leaking the key. Choose another type of key if possible.
5239 "key": "A String", # A 128/192/256 bit key. [required]
5240 },
5241 "transient": { # Use this to have a random data crypto key generated.
5242 # It will be discarded after the request finishes.
5243 "name": "A String", # Name of the key. [required]
5244 # This is an arbitrary string used to differentiate different keys.
5245 # A unique key is generated per name: two separate `TransientCryptoKey`
5246 # protos share the same generated key if their names are the same.
5247 # When the data crypto key is generated, this name is not used in any way
5248 # (repeating the api call will result in a different key being generated).
5249 },
5250 },
5251 "lowerBoundDays": 42, # For example, -5 means shift date to at most 5 days back in the past.
5252 # [Required]
5253 "upperBoundDays": 42, # Range of shift in days. Actual shift will be selected at random within this
5254 # range (inclusive ends). Negative means shift to earlier in time. Must not
5255 # be more than 365250 days (1000 years) each direction.
5256 #
5257 # For example, 3 means shift date to at most 3 days into the future.
5258 # [Required]
5259 "context": { # General identifier of a data field in a storage service. # Points to the field that contains the context, for example, an entity id.
5260 # If set, must also set method. If set, shift will be consistent for the
5261 # given context.
5262 "name": "A String", # Name describing the field.
5263 },
5264 },
5265 "bucketingConfig": { # Generalization function that buckets values based on ranges. The ranges and
5266 # replacement values are dynamically provided by the user for custom behavior,
5267 # such as 1-30 -> LOW 31-65 -> MEDIUM 66-100 -> HIGH
5268 # This can be used on
5269 # data of type: number, long, string, timestamp.
5270 # If the bound `Value` type differs from the type of data being transformed, we
5271 # will first attempt converting the type of the data to be transformed to match
5272 # the type of the bound before comparing.
5273 # See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more.
5274 "buckets": [ # Set of buckets. Ranges must be non-overlapping.
5275 { # Bucket is represented as a range, along with replacement values.
5276 "max": { # Set of primitive values supported by the system. # Upper bound of the range, exclusive; type must match min.
5277 # Note that for the purposes of inspection or transformation, the number
5278 # of bytes considered to comprise a 'Value' is based on its representation
5279 # as a UTF-8 encoded string. For example, if 'integer_value' is set to
5280 # 123456789, the number of bytes would be counted as 9, even though an
5281 # int64 only holds up to 8 bytes of data.
5282 "floatValue": 3.14,
5283 "timestampValue": "A String",
5284 "dayOfWeekValue": "A String",
5285 "timeValue": { # Represents a time of day. The date and time zone are either not significant
5286 # or are specified elsewhere. An API may choose to allow leap seconds. Related
5287 # types are google.type.Date and `google.protobuf.Timestamp`.
5288 "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
5289 # to allow the value "24:00:00" for scenarios like business closing time.
5290 "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
5291 "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
5292 # allow the value 60 if it allows leap-seconds.
5293 "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
5294 },
5295 "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
5296 # and time zone are either specified elsewhere or are not significant. The date
5297 # is relative to the Proleptic Gregorian Calendar. This can represent:
5298 #
5299 # * A full date, with non-zero year, month and day values
5300 # * A month and day value, with a zero year, e.g. an anniversary
5301 # * A year on its own, with zero month and day values
5302 # * A year and month value, with a zero day, e.g. a credit card expiration date
5303 #
5304 # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
5305 "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
5306 # a year.
5307 "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
5308 # if specifying a year by itself or a year and month where the day is not
5309 # significant.
5310 "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
5311 # month and day.
5312 },
5313 "stringValue": "A String",
5314 "booleanValue": True or False,
5315 "integerValue": "A String",
5316 },
5317 "replacementValue": { # Set of primitive values supported by the system. # Replacement value for this bucket. If not provided
5318 # the default behavior will be to hyphenate the min-max range.
5319 # Note that for the purposes of inspection or transformation, the number
5320 # of bytes considered to comprise a 'Value' is based on its representation
5321 # as a UTF-8 encoded string. For example, if 'integer_value' is set to
5322 # 123456789, the number of bytes would be counted as 9, even though an
5323 # int64 only holds up to 8 bytes of data.
5324 "floatValue": 3.14,
5325 "timestampValue": "A String",
5326 "dayOfWeekValue": "A String",
5327 "timeValue": { # Represents a time of day. The date and time zone are either not significant
5328 # or are specified elsewhere. An API may choose to allow leap seconds. Related
5329 # types are google.type.Date and `google.protobuf.Timestamp`.
5330 "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
5331 # to allow the value "24:00:00" for scenarios like business closing time.
5332 "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
5333 "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
5334 # allow the value 60 if it allows leap-seconds.
5335 "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
5336 },
5337 "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
5338 # and time zone are either specified elsewhere or are not significant. The date
5339 # is relative to the Proleptic Gregorian Calendar. This can represent:
5340 #
5341 # * A full date, with non-zero year, month and day values
5342 # * A month and day value, with a zero year, e.g. an anniversary
5343 # * A year on its own, with zero month and day values
5344 # * A year and month value, with a zero day, e.g. a credit card expiration date
5345 #
5346 # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
5347 "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
5348 # a year.
5349 "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
5350 # if specifying a year by itself or a year and month where the day is not
5351 # significant.
5352 "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
5353 # month and day.
5354 },
5355 "stringValue": "A String",
5356 "booleanValue": True or False,
5357 "integerValue": "A String",
5358 },
5359 "min": { # Set of primitive values supported by the system. # Lower bound of the range, inclusive. Type should be the same as max if
5360 # used.
5361 # Note that for the purposes of inspection or transformation, the number
5362 # of bytes considered to comprise a 'Value' is based on its representation
5363 # as a UTF-8 encoded string. For example, if 'integer_value' is set to
5364 # 123456789, the number of bytes would be counted as 9, even though an
5365 # int64 only holds up to 8 bytes of data.
5366 "floatValue": 3.14,
5367 "timestampValue": "A String",
5368 "dayOfWeekValue": "A String",
5369 "timeValue": { # Represents a time of day. The date and time zone are either not significant
5370 # or are specified elsewhere. An API may choose to allow leap seconds. Related
5371 # types are google.type.Date and `google.protobuf.Timestamp`.
5372 "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
5373 # to allow the value "24:00:00" for scenarios like business closing time.
5374 "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
5375 "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
5376 # allow the value 60 if it allows leap-seconds.
5377 "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
5378 },
5379 "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
5380 # and time zone are either specified elsewhere or are not significant. The date
5381 # is relative to the Proleptic Gregorian Calendar. This can represent:
5382 #
5383 # * A full date, with non-zero year, month and day values
5384 # * A month and day value, with a zero year, e.g. an anniversary
5385 # * A year on its own, with zero month and day values
5386 # * A year and month value, with a zero day, e.g. a credit card expiration date
5387 #
5388 # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
5389 "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
5390 # a year.
5391 "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
5392 # if specifying a year by itself or a year and month where the day is not
5393 # significant.
5394 "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
5395 # month and day.
5396 },
5397 "stringValue": "A String",
5398 "booleanValue": True or False,
5399 "integerValue": "A String",
5400 },
5401 },
5402 ],
5403 },
5404 "cryptoReplaceFfxFpeConfig": { # Replaces an identifier with a surrogate using Format Preserving Encryption
5405 # (FPE) with the FFX mode of operation; however when used in the
5406 # `ReidentifyContent` API method, it serves the opposite function by reversing
5407 # the surrogate back into the original identifier. The identifier must be
5408 # encoded as ASCII. For a given crypto key and context, the same identifier
5409 # will be replaced with the same surrogate. Identifiers must be at least two
5410 # characters long. In the case that the identifier is the empty string, it will
5411 # be skipped. See https://cloud.google.com/dlp/docs/pseudonymization to learn
5412 # more.
5413 #
5414 # Note: We recommend using CryptoDeterministicConfig for all use cases which
5415 # do not require preserving the input alphabet space and size, plus warrant
5416 # referential integrity.
5417 "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the encryption algorithm. [required]
5418 # a key encryption key (KEK) stored by KMS).
5419 # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
5420 # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
5421 # unwrap the data crypto key.
5422 "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS.
5423 # The wrapped key must be a 128/192/256 bit key.
5424 # Authorization requires the following IAM permissions when sending a request
5425 # to perform a crypto transformation using a kms-wrapped crypto key:
5426 # dlp.kms.encrypt
5427 "cryptoKeyName": "A String", # The resource name of the KMS CryptoKey to use for unwrapping. [required]
5428 "wrappedKey": "A String", # The wrapped data crypto key. [required]
5429 },
5430 "unwrapped": { # Using raw keys is prone to security risks due to accidentally
5431 # leaking the key. Choose another type of key if possible.
5432 "key": "A String", # A 128/192/256 bit key. [required]
5433 },
5434 "transient": { # Use this to have a random data crypto key generated.
5435 # It will be discarded after the request finishes.
5436 "name": "A String", # Name of the key. [required]
5437 # This is an arbitrary string used to differentiate different keys.
5438 # A unique key is generated per name: two separate `TransientCryptoKey`
5439 # protos share the same generated key if their names are the same.
5440 # When the data crypto key is generated, this name is not used in any way
5441 # (repeating the api call will result in a different key being generated).
5442 },
5443 },
5444 "radix": 42, # The native way to select the alphabet. Must be in the range [2, 62].
5445 "commonAlphabet": "A String",
5446 "customAlphabet": "A String", # This is supported by mapping these to the alphanumeric characters
5447 # that the FFX mode natively supports. This happens before/after
5448 # encryption/decryption.
5449 # Each character listed must appear only once.
5450 # Number of characters must be in the range [2, 62].
5451 # This must be encoded as ASCII.
5452 # The order of characters does not matter.
5453 "context": { # General identifier of a data field in a storage service. # The 'tweak', a context may be used for higher security since the same
5454 # identifier in two different contexts won't be given the same surrogate. If
5455 # the context is not set, a default tweak will be used.
5456 #
5457 # If the context is set but:
5458 #
5459 # 1. there is no record present when transforming a given value or
5460 # 1. the field is not present when transforming a given value,
5461 #
5462 # a default tweak will be used.
5463 #
5464 # Note that case (1) is expected when an `InfoTypeTransformation` is
5465 # applied to both structured and non-structured `ContentItem`s.
5466 # Currently, the referenced field may be of value type integer or string.
5467 #
5468 # The tweak is constructed as a sequence of bytes in big endian byte order
5469 # such that:
5470 #
5471 # - a 64 bit integer is encoded followed by a single byte of value 1
5472 # - a string is encoded in UTF-8 format followed by a single byte of value 2
5473 "name": "A String", # Name describing the field.
5474 },
5475 "surrogateInfoType": { # Type of information detected by the API. # The custom infoType to annotate the surrogate with.
5476 # This annotation will be applied to the surrogate by prefixing it with
5477 # the name of the custom infoType followed by the number of
5478 # characters comprising the surrogate. The following scheme defines the
5479 # format: info_type_name(surrogate_character_count):surrogate
5480 #
5481 # For example, if the name of custom infoType is 'MY_TOKEN_INFO_TYPE' and
5482 # the surrogate is 'abc', the full replacement value
5483 # will be: 'MY_TOKEN_INFO_TYPE(3):abc'
5484 #
5485 # This annotation identifies the surrogate when inspecting content using the
5486 # custom infoType
5487 # [`SurrogateType`](/dlp/docs/reference/rest/v2/InspectConfig#surrogatetype).
5488 # This facilitates reversal of the surrogate when it occurs in free text.
5489 #
5490 # In order for inspection to work properly, the name of this infoType must
5491 # not occur naturally anywhere in your data; otherwise, inspection may
5492 # find a surrogate that does not correspond to an actual identifier.
5493 # Therefore, choose your custom infoType name carefully after considering
5494 # what your data looks like. One way to select a name that has a high chance
5495 # of yielding reliable detection is to include one or more unicode characters
5496 # that are highly improbable to exist in your data.
5497 # For example, assuming your data is entered from a regular ASCII keyboard,
5498 # the symbol with the hex code point 29DD might be used like so:
5499 # ⧝MY_TOKEN_TYPE
5500 "name": "A String", # Name of the information type. Either a name of your choosing when
5501 # creating a CustomInfoType, or one of the names listed
5502 # at https://cloud.google.com/dlp/docs/infotypes-reference when specifying
5503 # a built-in type. InfoType names should conform to the pattern
5504 # [a-zA-Z0-9_]{1,64}.
5505 },
5506 },
5507 "replaceConfig": { # Replace each input value with a given `Value`.
5508 "newValue": { # Set of primitive values supported by the system. # Value to replace it with.
5509 # Note that for the purposes of inspection or transformation, the number
5510 # of bytes considered to comprise a 'Value' is based on its representation
5511 # as a UTF-8 encoded string. For example, if 'integer_value' is set to
5512 # 123456789, the number of bytes would be counted as 9, even though an
5513 # int64 only holds up to 8 bytes of data.
5514 "floatValue": 3.14,
5515 "timestampValue": "A String",
5516 "dayOfWeekValue": "A String",
5517 "timeValue": { # Represents a time of day. The date and time zone are either not significant
5518 # or are specified elsewhere. An API may choose to allow leap seconds. Related
5519 # types are google.type.Date and `google.protobuf.Timestamp`.
5520 "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
5521 # to allow the value "24:00:00" for scenarios like business closing time.
5522 "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
5523 "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
5524 # allow the value 60 if it allows leap-seconds.
5525 "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
5526 },
5527 "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
5528 # and time zone are either specified elsewhere or are not significant. The date
5529 # is relative to the Proleptic Gregorian Calendar. This can represent:
5530 #
5531 # * A full date, with non-zero year, month and day values
5532 # * A month and day value, with a zero year, e.g. an anniversary
5533 # * A year on its own, with zero month and day values
5534 # * A year and month value, with a zero day, e.g. a credit card expiration date
5535 #
5536 # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
5537 "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
5538 # a year.
5539 "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
5540 # if specifying a year by itself or a year and month where the day is not
5541 # significant.
5542 "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
5543 # month and day.
5544 },
5545 "stringValue": "A String",
5546 "booleanValue": True or False,
5547 "integerValue": "A String",
5548 },
5549 },
5550 },
5551 "infoTypes": [ # InfoTypes to apply the transformation to. An empty list will cause
5552 # this transformation to apply to all findings that correspond to
5553 # infoTypes that were requested in `InspectConfig`.
5554 { # Type of information detected by the API.
5555 "name": "A String", # Name of the information type. Either a name of your choosing when
5556 # creating a CustomInfoType, or one of the names listed
5557 # at https://cloud.google.com/dlp/docs/infotypes-reference when specifying
5558 # a built-in type. InfoType names should conform to the pattern
5559 # [a-zA-Z0-9_]{1,64}.
5560 },
5561 ],
5562 },
5563 ],
5564 },
5565 "primitiveTransformation": { # A rule for transforming a value. # Apply the transformation to the entire field.
5566 "characterMaskConfig": { # Partially mask a string by replacing a given number of characters with a
5567 # fixed character. Masking can start from the beginning or end of the string.
5568 # This can be used on data of any type (numbers, longs, and so on) and when
5569 # de-identifying structured data we'll attempt to preserve the original data's
5570 # type. (This allows you to take a long like 123 and modify it to a string like
5571 # **3.
5572 "charactersToIgnore": [ # When masking a string, items in this list will be skipped when replacing.
5573 # For example, if your string is 555-555-5555 and you ask us to skip `-` and
5574 # mask 5 chars with * we would produce ***-*55-5555.
5575 { # Characters to skip when doing deidentification of a value. These will be left
5576 # alone and skipped.
5577 "commonCharactersToIgnore": "A String",
5578 "charactersToSkip": "A String",
5579 },
5580 ],
5581 "numberToMask": 42, # Number of characters to mask. If not set, all matching chars will be
5582 # masked. Skipped characters do not count towards this tally.
5583 "maskingCharacter": "A String", # Character to mask the sensitive values&mdash;for example, "*" for an
5584 # alphabetic string such as name, or "0" for a numeric string such as ZIP
5585 # code or credit card number. String must have length 1. If not supplied, we
5586 # will default to "*" for strings, 0 for digits.
5587 "reverseOrder": True or False, # Mask characters in reverse order. For example, if `masking_character` is
5588 # '0', number_to_mask is 14, and `reverse_order` is false, then
5589 # 1234-5678-9012-3456 -> 00000000000000-3456
5590 # If `masking_character` is '*', `number_to_mask` is 3, and `reverse_order`
5591 # is true, then 12345 -> 12***
5592 },
5593 "redactConfig": { # Redact a given value. For example, if used with an `InfoTypeTransformation`
5594 # transforming PHONE_NUMBER, and input 'My phone number is 206-555-0123', the
5595 # output would be 'My phone number is '.
5596 },
5597 "cryptoDeterministicConfig": { # Pseudonymization method that generates deterministic encryption for the given
5598 # input. Outputs a base64 encoded representation of the encrypted output.
5599 # Uses AES-SIV based on the RFC https://tools.ietf.org/html/rfc5297.
5600 "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the encryption function.
5601 # a key encryption key (KEK) stored by KMS).
5602 # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
5603 # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
5604 # unwrap the data crypto key.
5605 "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS.
5606 # The wrapped key must be a 128/192/256 bit key.
5607 # Authorization requires the following IAM permissions when sending a request
5608 # to perform a crypto transformation using a kms-wrapped crypto key:
5609 # dlp.kms.encrypt
5610 "cryptoKeyName": "A String", # The resource name of the KMS CryptoKey to use for unwrapping. [required]
5611 "wrappedKey": "A String", # The wrapped data crypto key. [required]
5612 },
5613 "unwrapped": { # Using raw keys is prone to security risks due to accidentally
5614 # leaking the key. Choose another type of key if possible.
5615 "key": "A String", # A 128/192/256 bit key. [required]
5616 },
5617 "transient": { # Use this to have a random data crypto key generated.
5618 # It will be discarded after the request finishes.
5619 "name": "A String", # Name of the key. [required]
5620 # This is an arbitrary string used to differentiate different keys.
5621 # A unique key is generated per name: two separate `TransientCryptoKey`
5622 # protos share the same generated key if their names are the same.
5623 # When the data crypto key is generated, this name is not used in any way
5624 # (repeating the api call will result in a different key being generated).
5625 },
5626 },
5627 "context": { # General identifier of a data field in a storage service. # Optional. A context may be used for higher security and maintaining
5628 # referential integrity such that the same identifier in two different
5629 # contexts will be given a distinct surrogate. The context is appended to
5630 # plaintext value being encrypted. On decryption the provided context is
5631 # validated against the value used during encryption. If a context was
5632 # provided during encryption, same context must be provided during decryption
5633 # as well.
5634 #
5635 # If the context is not set, plaintext would be used as is for encryption.
5636 # If the context is set but:
5637 #
5638 # 1. there is no record present when transforming a given value or
5639 # 2. the field is not present when transforming a given value,
5640 #
5641 # plaintext would be used as is for encryption.
5642 #
5643 # Note that case (1) is expected when an `InfoTypeTransformation` is
5644 # applied to both structured and non-structured `ContentItem`s.
5645 "name": "A String", # Name describing the field.
5646 },
5647 "surrogateInfoType": { # Type of information detected by the API. # The custom info type to annotate the surrogate with.
5648 # This annotation will be applied to the surrogate by prefixing it with
5649 # the name of the custom info type followed by the number of
5650 # characters comprising the surrogate. The following scheme defines the
5651 # format: <info type name>(<surrogate character count>):<surrogate>
5652 #
5653 # For example, if the name of custom info type is 'MY_TOKEN_INFO_TYPE' and
5654 # the surrogate is 'abc', the full replacement value
5655 # will be: 'MY_TOKEN_INFO_TYPE(3):abc'
5656 #
5657 # This annotation identifies the surrogate when inspecting content using the
5658 # custom info type 'Surrogate'. This facilitates reversal of the
5659 # surrogate when it occurs in free text.
5660 #
5661 # In order for inspection to work properly, the name of this info type must
5662 # not occur naturally anywhere in your data; otherwise, inspection may either
5663 #
5664 # - reverse a surrogate that does not correspond to an actual identifier
5665 # - be unable to parse the surrogate and result in an error
5666 #
5667 # Therefore, choose your custom info type name carefully after considering
5668 # what your data looks like. One way to select a name that has a high chance
5669 # of yielding reliable detection is to include one or more unicode characters
5670 # that are highly improbable to exist in your data.
5671 # For example, assuming your data is entered from a regular ASCII keyboard,
5672 # the symbol with the hex code point 29DD might be used like so:
5673 # ⧝MY_TOKEN_TYPE
5674 "name": "A String", # Name of the information type. Either a name of your choosing when
5675 # creating a CustomInfoType, or one of the names listed
5676 # at https://cloud.google.com/dlp/docs/infotypes-reference when specifying
5677 # a built-in type. InfoType names should conform to the pattern
5678 # [a-zA-Z0-9_]{1,64}.
5679 },
5680 },
5681 "fixedSizeBucketingConfig": { # Buckets values based on fixed size ranges. The
5682 # Bucketing transformation can provide all of this functionality,
5683 # but requires more configuration. This message is provided as a convenience to
5684 # the user for simple bucketing strategies.
5685 #
5686 # The transformed value will be a hyphenated string of
5687 # <lower_bound>-<upper_bound>, i.e if lower_bound = 10 and upper_bound = 20
5688 # all values that are within this bucket will be replaced with "10-20".
5689 #
5690 # This can be used on data of type: double, long.
5691 #
5692 # If the bound Value type differs from the type of data
5693 # being transformed, we will first attempt converting the type of the data to
5694 # be transformed to match the type of the bound before comparing.
5695 #
5696 # See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more.
5697 "lowerBound": { # Set of primitive values supported by the system. # Lower bound value of buckets. All values less than `lower_bound` are
5698 # grouped together into a single bucket; for example if `lower_bound` = 10,
5699 # then all values less than 10 are replaced with the value “-10”. [Required].
5700 # Note that for the purposes of inspection or transformation, the number
5701 # of bytes considered to comprise a 'Value' is based on its representation
5702 # as a UTF-8 encoded string. For example, if 'integer_value' is set to
5703 # 123456789, the number of bytes would be counted as 9, even though an
5704 # int64 only holds up to 8 bytes of data.
5705 "floatValue": 3.14,
5706 "timestampValue": "A String",
5707 "dayOfWeekValue": "A String",
5708 "timeValue": { # Represents a time of day. The date and time zone are either not significant
5709 # or are specified elsewhere. An API may choose to allow leap seconds. Related
5710 # types are google.type.Date and `google.protobuf.Timestamp`.
5711 "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
5712 # to allow the value "24:00:00" for scenarios like business closing time.
5713 "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
5714 "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
5715 # allow the value 60 if it allows leap-seconds.
5716 "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
5717 },
5718 "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
5719 # and time zone are either specified elsewhere or are not significant. The date
5720 # is relative to the Proleptic Gregorian Calendar. This can represent:
5721 #
5722 # * A full date, with non-zero year, month and day values
5723 # * A month and day value, with a zero year, e.g. an anniversary
5724 # * A year on its own, with zero month and day values
5725 # * A year and month value, with a zero day, e.g. a credit card expiration date
5726 #
5727 # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
5728 "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
5729 # a year.
5730 "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
5731 # if specifying a year by itself or a year and month where the day is not
5732 # significant.
5733 "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
5734 # month and day.
5735 },
5736 "stringValue": "A String",
5737 "booleanValue": True or False,
5738 "integerValue": "A String",
5739 },
5740 "upperBound": { # Set of primitive values supported by the system. # Upper bound value of buckets. All values greater than upper_bound are
5741 # grouped together into a single bucket; for example if `upper_bound` = 89,
5742 # then all values greater than 89 are replaced with the value “89+”.
5743 # [Required].
5744 # Note that for the purposes of inspection or transformation, the number
5745 # of bytes considered to comprise a 'Value' is based on its representation
5746 # as a UTF-8 encoded string. For example, if 'integer_value' is set to
5747 # 123456789, the number of bytes would be counted as 9, even though an
5748 # int64 only holds up to 8 bytes of data.
5749 "floatValue": 3.14,
5750 "timestampValue": "A String",
5751 "dayOfWeekValue": "A String",
5752 "timeValue": { # Represents a time of day. The date and time zone are either not significant
5753 # or are specified elsewhere. An API may choose to allow leap seconds. Related
5754 # types are google.type.Date and `google.protobuf.Timestamp`.
5755 "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
5756 # to allow the value "24:00:00" for scenarios like business closing time.
5757 "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
5758 "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
5759 # allow the value 60 if it allows leap-seconds.
5760 "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
5761 },
5762 "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
5763 # and time zone are either specified elsewhere or are not significant. The date
5764 # is relative to the Proleptic Gregorian Calendar. This can represent:
5765 #
5766 # * A full date, with non-zero year, month and day values
5767 # * A month and day value, with a zero year, e.g. an anniversary
5768 # * A year on its own, with zero month and day values
5769 # * A year and month value, with a zero day, e.g. a credit card expiration date
5770 #
5771 # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
5772 "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
5773 # a year.
5774 "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
5775 # if specifying a year by itself or a year and month where the day is not
5776 # significant.
5777 "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
5778 # month and day.
5779 },
5780 "stringValue": "A String",
5781 "booleanValue": True or False,
5782 "integerValue": "A String",
5783 },
5784 "bucketSize": 3.14, # Size of each bucket (except for minimum and maximum buckets). So if
5785 # `lower_bound` = 10, `upper_bound` = 89, and `bucket_size` = 10, then the
5786 # following buckets would be used: -10, 10-20, 20-30, 30-40, 40-50, 50-60,
5787 # 60-70, 70-80, 80-89, 89+. Precision up to 2 decimals works. [Required].
5788 },
5789 "replaceWithInfoTypeConfig": { # Replace each matching finding with the name of the info_type.
5790 },
5791 "timePartConfig": { # For use with `Date`, `Timestamp`, and `TimeOfDay`, extract or preserve a
5792 # portion of the value.
5793 "partToExtract": "A String",
5794 },
5795 "cryptoHashConfig": { # Pseudonymization method that generates surrogates via cryptographic hashing.
5796 # Uses SHA-256.
5797 # The key size must be either 32 or 64 bytes.
5798 # Outputs a base64 encoded representation of the hashed output
5799 # (for example, L7k0BHmF1ha5U3NfGykjro4xWi1MPVQPjhMAZbSV9mM=).
5800 # Currently, only string and integer values can be hashed.
5801 # See https://cloud.google.com/dlp/docs/pseudonymization to learn more.
5802 "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the hash function.
5803 # a key encryption key (KEK) stored by KMS).
5804 # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
5805 # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
5806 # unwrap the data crypto key.
5807 "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS.
5808 # The wrapped key must be a 128/192/256 bit key.
5809 # Authorization requires the following IAM permissions when sending a request
5810 # to perform a crypto transformation using a kms-wrapped crypto key:
5811 # dlp.kms.encrypt
5812 "cryptoKeyName": "A String", # The resource name of the KMS CryptoKey to use for unwrapping. [required]
5813 "wrappedKey": "A String", # The wrapped data crypto key. [required]
5814 },
5815 "unwrapped": { # Using raw keys is prone to security risks due to accidentally
5816 # leaking the key. Choose another type of key if possible.
5817 "key": "A String", # A 128/192/256 bit key. [required]
5818 },
5819 "transient": { # Use this to have a random data crypto key generated.
5820 # It will be discarded after the request finishes.
5821 "name": "A String", # Name of the key. [required]
5822 # This is an arbitrary string used to differentiate different keys.
5823 # A unique key is generated per name: two separate `TransientCryptoKey`
5824 # protos share the same generated key if their names are the same.
5825 # When the data crypto key is generated, this name is not used in any way
5826 # (repeating the api call will result in a different key being generated).
5827 },
5828 },
5829 },
5830 "dateShiftConfig": { # Shifts dates by random number of days, with option to be consistent for the
5831 # same context. See https://cloud.google.com/dlp/docs/concepts-date-shifting
5832 # to learn more.
5833 "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # Causes the shift to be computed based on this key and the context. This
5834 # results in the same shift for the same context and crypto_key.
5835 # a key encryption key (KEK) stored by KMS).
5836 # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
5837 # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
5838 # unwrap the data crypto key.
5839 "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS.
5840 # The wrapped key must be a 128/192/256 bit key.
5841 # Authorization requires the following IAM permissions when sending a request
5842 # to perform a crypto transformation using a kms-wrapped crypto key:
5843 # dlp.kms.encrypt
5844 "cryptoKeyName": "A String", # The resource name of the KMS CryptoKey to use for unwrapping. [required]
5845 "wrappedKey": "A String", # The wrapped data crypto key. [required]
5846 },
5847 "unwrapped": { # Using raw keys is prone to security risks due to accidentally
5848 # leaking the key. Choose another type of key if possible.
5849 "key": "A String", # A 128/192/256 bit key. [required]
5850 },
5851 "transient": { # Use this to have a random data crypto key generated.
5852 # It will be discarded after the request finishes.
5853 "name": "A String", # Name of the key. [required]
5854 # This is an arbitrary string used to differentiate different keys.
5855 # A unique key is generated per name: two separate `TransientCryptoKey`
5856 # protos share the same generated key if their names are the same.
5857 # When the data crypto key is generated, this name is not used in any way
5858 # (repeating the api call will result in a different key being generated).
5859 },
5860 },
5861 "lowerBoundDays": 42, # For example, -5 means shift date to at most 5 days back in the past.
5862 # [Required]
5863 "upperBoundDays": 42, # Range of shift in days. Actual shift will be selected at random within this
5864 # range (inclusive ends). Negative means shift to earlier in time. Must not
5865 # be more than 365250 days (1000 years) each direction.
5866 #
5867 # For example, 3 means shift date to at most 3 days into the future.
5868 # [Required]
5869 "context": { # General identifier of a data field in a storage service. # Points to the field that contains the context, for example, an entity id.
5870 # If set, must also set method. If set, shift will be consistent for the
5871 # given context.
5872 "name": "A String", # Name describing the field.
5873 },
5874 },
5875 "bucketingConfig": { # Generalization function that buckets values based on ranges. The ranges and
5876 # replacement values are dynamically provided by the user for custom behavior,
5877 # such as 1-30 -> LOW 31-65 -> MEDIUM 66-100 -> HIGH
5878 # This can be used on
5879 # data of type: number, long, string, timestamp.
5880 # If the bound `Value` type differs from the type of data being transformed, we
5881 # will first attempt converting the type of the data to be transformed to match
5882 # the type of the bound before comparing.
5883 # See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more.
5884 "buckets": [ # Set of buckets. Ranges must be non-overlapping.
5885 { # Bucket is represented as a range, along with replacement values.
5886 "max": { # Set of primitive values supported by the system. # Upper bound of the range, exclusive; type must match min.
5887 # Note that for the purposes of inspection or transformation, the number
5888 # of bytes considered to comprise a 'Value' is based on its representation
5889 # as a UTF-8 encoded string. For example, if 'integer_value' is set to
5890 # 123456789, the number of bytes would be counted as 9, even though an
5891 # int64 only holds up to 8 bytes of data.
5892 "floatValue": 3.14,
5893 "timestampValue": "A String",
5894 "dayOfWeekValue": "A String",
5895 "timeValue": { # Represents a time of day. The date and time zone are either not significant
5896 # or are specified elsewhere. An API may choose to allow leap seconds. Related
5897 # types are google.type.Date and `google.protobuf.Timestamp`.
5898 "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
5899 # to allow the value "24:00:00" for scenarios like business closing time.
5900 "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
5901 "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
5902 # allow the value 60 if it allows leap-seconds.
5903 "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
5904 },
5905 "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
5906 # and time zone are either specified elsewhere or are not significant. The date
5907 # is relative to the Proleptic Gregorian Calendar. This can represent:
5908 #
5909 # * A full date, with non-zero year, month and day values
5910 # * A month and day value, with a zero year, e.g. an anniversary
5911 # * A year on its own, with zero month and day values
5912 # * A year and month value, with a zero day, e.g. a credit card expiration date
5913 #
5914 # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
5915 "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
5916 # a year.
5917 "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
5918 # if specifying a year by itself or a year and month where the day is not
5919 # significant.
5920 "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
5921 # month and day.
5922 },
5923 "stringValue": "A String",
5924 "booleanValue": True or False,
5925 "integerValue": "A String",
5926 },
5927 "replacementValue": { # Set of primitive values supported by the system. # Replacement value for this bucket. If not provided
5928 # the default behavior will be to hyphenate the min-max range.
5929 # Note that for the purposes of inspection or transformation, the number
5930 # of bytes considered to comprise a 'Value' is based on its representation
5931 # as a UTF-8 encoded string. For example, if 'integer_value' is set to
5932 # 123456789, the number of bytes would be counted as 9, even though an
5933 # int64 only holds up to 8 bytes of data.
5934 "floatValue": 3.14,
5935 "timestampValue": "A String",
5936 "dayOfWeekValue": "A String",
5937 "timeValue": { # Represents a time of day. The date and time zone are either not significant
5938 # or are specified elsewhere. An API may choose to allow leap seconds. Related
5939 # types are google.type.Date and `google.protobuf.Timestamp`.
5940 "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
5941 # to allow the value "24:00:00" for scenarios like business closing time.
5942 "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
5943 "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
5944 # allow the value 60 if it allows leap-seconds.
5945 "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
5946 },
5947 "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
5948 # and time zone are either specified elsewhere or are not significant. The date
5949 # is relative to the Proleptic Gregorian Calendar. This can represent:
5950 #
5951 # * A full date, with non-zero year, month and day values
5952 # * A month and day value, with a zero year, e.g. an anniversary
5953 # * A year on its own, with zero month and day values
5954 # * A year and month value, with a zero day, e.g. a credit card expiration date
5955 #
5956 # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
5957 "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
5958 # a year.
5959 "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
5960 # if specifying a year by itself or a year and month where the day is not
5961 # significant.
5962 "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
5963 # month and day.
5964 },
5965 "stringValue": "A String",
5966 "booleanValue": True or False,
5967 "integerValue": "A String",
5968 },
5969 "min": { # Set of primitive values supported by the system. # Lower bound of the range, inclusive. Type should be the same as max if
5970 # used.
5971 # Note that for the purposes of inspection or transformation, the number
5972 # of bytes considered to comprise a 'Value' is based on its representation
5973 # as a UTF-8 encoded string. For example, if 'integer_value' is set to
5974 # 123456789, the number of bytes would be counted as 9, even though an
5975 # int64 only holds up to 8 bytes of data.
5976 "floatValue": 3.14,
5977 "timestampValue": "A String",
5978 "dayOfWeekValue": "A String",
5979 "timeValue": { # Represents a time of day. The date and time zone are either not significant
5980 # or are specified elsewhere. An API may choose to allow leap seconds. Related
5981 # types are google.type.Date and `google.protobuf.Timestamp`.
5982 "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
5983 # to allow the value "24:00:00" for scenarios like business closing time.
5984 "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
5985 "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
5986 # allow the value 60 if it allows leap-seconds.
5987 "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
5988 },
5989 "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
5990 # and time zone are either specified elsewhere or are not significant. The date
5991 # is relative to the Proleptic Gregorian Calendar. This can represent:
5992 #
5993 # * A full date, with non-zero year, month and day values
5994 # * A month and day value, with a zero year, e.g. an anniversary
5995 # * A year on its own, with zero month and day values
5996 # * A year and month value, with a zero day, e.g. a credit card expiration date
5997 #
5998 # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
5999 "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
6000 # a year.
6001 "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
6002 # if specifying a year by itself or a year and month where the day is not
6003 # significant.
6004 "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
6005 # month and day.
6006 },
6007 "stringValue": "A String",
6008 "booleanValue": True or False,
6009 "integerValue": "A String",
6010 },
6011 },
6012 ],
6013 },
6014 "cryptoReplaceFfxFpeConfig": { # Replaces an identifier with a surrogate using Format Preserving Encryption
6015 # (FPE) with the FFX mode of operation; however when used in the
6016 # `ReidentifyContent` API method, it serves the opposite function by reversing
6017 # the surrogate back into the original identifier. The identifier must be
6018 # encoded as ASCII. For a given crypto key and context, the same identifier
6019 # will be replaced with the same surrogate. Identifiers must be at least two
6020 # characters long. In the case that the identifier is the empty string, it will
6021 # be skipped. See https://cloud.google.com/dlp/docs/pseudonymization to learn
6022 # more.
6023 #
6024 # Note: We recommend using CryptoDeterministicConfig for all use cases which
6025 # do not require preserving the input alphabet space and size, plus warrant
6026 # referential integrity.
6027 "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the encryption algorithm. [required]
6028 # a key encryption key (KEK) stored by KMS).
6029 # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
6030 # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
6031 # unwrap the data crypto key.
6032 "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS.
6033 # The wrapped key must be a 128/192/256 bit key.
6034 # Authorization requires the following IAM permissions when sending a request
6035 # to perform a crypto transformation using a kms-wrapped crypto key:
6036 # dlp.kms.encrypt
6037 "cryptoKeyName": "A String", # The resource name of the KMS CryptoKey to use for unwrapping. [required]
6038 "wrappedKey": "A String", # The wrapped data crypto key. [required]
6039 },
6040 "unwrapped": { # Using raw keys is prone to security risks due to accidentally
6041 # leaking the key. Choose another type of key if possible.
6042 "key": "A String", # A 128/192/256 bit key. [required]
6043 },
6044 "transient": { # Use this to have a random data crypto key generated.
6045 # It will be discarded after the request finishes.
6046 "name": "A String", # Name of the key. [required]
6047 # This is an arbitrary string used to differentiate different keys.
6048 # A unique key is generated per name: two separate `TransientCryptoKey`
6049 # protos share the same generated key if their names are the same.
6050 # When the data crypto key is generated, this name is not used in any way
6051 # (repeating the api call will result in a different key being generated).
6052 },
6053 },
6054 "radix": 42, # The native way to select the alphabet. Must be in the range [2, 62].
6055 "commonAlphabet": "A String",
6056 "customAlphabet": "A String", # This is supported by mapping these to the alphanumeric characters
6057 # that the FFX mode natively supports. This happens before/after
6058 # encryption/decryption.
6059 # Each character listed must appear only once.
6060 # Number of characters must be in the range [2, 62].
6061 # This must be encoded as ASCII.
6062 # The order of characters does not matter.
6063 "context": { # General identifier of a data field in a storage service. # The 'tweak', a context may be used for higher security since the same
6064 # identifier in two different contexts won't be given the same surrogate. If
6065 # the context is not set, a default tweak will be used.
6066 #
6067 # If the context is set but:
6068 #
6069 # 1. there is no record present when transforming a given value or
6070 # 1. the field is not present when transforming a given value,
6071 #
6072 # a default tweak will be used.
6073 #
6074 # Note that case (1) is expected when an `InfoTypeTransformation` is
6075 # applied to both structured and non-structured `ContentItem`s.
6076 # Currently, the referenced field may be of value type integer or string.
6077 #
6078 # The tweak is constructed as a sequence of bytes in big endian byte order
6079 # such that:
6080 #
6081 # - a 64 bit integer is encoded followed by a single byte of value 1
6082 # - a string is encoded in UTF-8 format followed by a single byte of value 2
6083 "name": "A String", # Name describing the field.
6084 },
6085 "surrogateInfoType": { # Type of information detected by the API. # The custom infoType to annotate the surrogate with.
6086 # This annotation will be applied to the surrogate by prefixing it with
6087 # the name of the custom infoType followed by the number of
6088 # characters comprising the surrogate. The following scheme defines the
6089 # format: info_type_name(surrogate_character_count):surrogate
6090 #
6091 # For example, if the name of custom infoType is 'MY_TOKEN_INFO_TYPE' and
6092 # the surrogate is 'abc', the full replacement value
6093 # will be: 'MY_TOKEN_INFO_TYPE(3):abc'
6094 #
6095 # This annotation identifies the surrogate when inspecting content using the
6096 # custom infoType
6097 # [`SurrogateType`](/dlp/docs/reference/rest/v2/InspectConfig#surrogatetype).
6098 # This facilitates reversal of the surrogate when it occurs in free text.
6099 #
6100 # In order for inspection to work properly, the name of this infoType must
6101 # not occur naturally anywhere in your data; otherwise, inspection may
6102 # find a surrogate that does not correspond to an actual identifier.
6103 # Therefore, choose your custom infoType name carefully after considering
6104 # what your data looks like. One way to select a name that has a high chance
6105 # of yielding reliable detection is to include one or more unicode characters
6106 # that are highly improbable to exist in your data.
6107 # For example, assuming your data is entered from a regular ASCII keyboard,
6108 # the symbol with the hex code point 29DD might be used like so:
6109 # ⧝MY_TOKEN_TYPE
6110 "name": "A String", # Name of the information type. Either a name of your choosing when
6111 # creating a CustomInfoType, or one of the names listed
6112 # at https://cloud.google.com/dlp/docs/infotypes-reference when specifying
6113 # a built-in type. InfoType names should conform to the pattern
6114 # [a-zA-Z0-9_]{1,64}.
6115 },
6116 },
6117 "replaceConfig": { # Replace each input value with a given `Value`.
6118 "newValue": { # Set of primitive values supported by the system. # Value to replace it with.
6119 # Note that for the purposes of inspection or transformation, the number
6120 # of bytes considered to comprise a 'Value' is based on its representation
6121 # as a UTF-8 encoded string. For example, if 'integer_value' is set to
6122 # 123456789, the number of bytes would be counted as 9, even though an
6123 # int64 only holds up to 8 bytes of data.
6124 "floatValue": 3.14,
6125 "timestampValue": "A String",
6126 "dayOfWeekValue": "A String",
6127 "timeValue": { # Represents a time of day. The date and time zone are either not significant
6128 # or are specified elsewhere. An API may choose to allow leap seconds. Related
6129 # types are google.type.Date and `google.protobuf.Timestamp`.
6130 "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
6131 # to allow the value "24:00:00" for scenarios like business closing time.
6132 "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
6133 "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
6134 # allow the value 60 if it allows leap-seconds.
6135 "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
6136 },
6137 "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
6138 # and time zone are either specified elsewhere or are not significant. The date
6139 # is relative to the Proleptic Gregorian Calendar. This can represent:
6140 #
6141 # * A full date, with non-zero year, month and day values
6142 # * A month and day value, with a zero year, e.g. an anniversary
6143 # * A year on its own, with zero month and day values
6144 # * A year and month value, with a zero day, e.g. a credit card expiration date
6145 #
6146 # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
6147 "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
6148 # a year.
6149 "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
6150 # if specifying a year by itself or a year and month where the day is not
6151 # significant.
6152 "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
6153 # month and day.
6154 },
6155 "stringValue": "A String",
6156 "booleanValue": True or False,
6157 "integerValue": "A String",
6158 },
6159 },
6160 },
6161 "condition": { # A condition for determining whether a transformation should be applied to # Only apply the transformation if the condition evaluates to true for the
6162 # given `RecordCondition`. The conditions are allowed to reference fields
6163 # that are not used in the actual transformation. [optional]
6164 #
6165 # Example Use Cases:
6166 #
6167 # - Apply a different bucket transformation to an age column if the zip code
6168 # column for the same record is within a specific range.
6169 # - Redact a field if the date of birth field is greater than 85.
6170 # a field.
6171 "expressions": { # An expression, consisting or an operator and conditions. # An expression.
6172 "conditions": { # A collection of conditions.
6173 "conditions": [
6174 { # The field type of `value` and `field` do not need to match to be
6175 # considered equal, but not all comparisons are possible.
6176 # EQUAL_TO and NOT_EQUAL_TO attempt to compare even with incompatible types,
6177 # but all other comparisons are invalid with incompatible types.
6178 # A `value` of type:
6179 #
6180 # - `string` can be compared against all other types
6181 # - `boolean` can only be compared against other booleans
6182 # - `integer` can be compared against doubles or a string if the string value
6183 # can be parsed as an integer.
6184 # - `double` can be compared against integers or a string if the string can
6185 # be parsed as a double.
6186 # - `Timestamp` can be compared against strings in RFC 3339 date string
6187 # format.
6188 # - `TimeOfDay` can be compared against timestamps and strings in the format
6189 # of 'HH:mm:ss'.
6190 #
6191 # If we fail to compare do to type mismatch, a warning will be given and
6192 # the condition will evaluate to false.
6193 "operator": "A String", # Operator used to compare the field or infoType to the value. [required]
6194 "field": { # General identifier of a data field in a storage service. # Field within the record this condition is evaluated against. [required]
6195 "name": "A String", # Name describing the field.
6196 },
6197 "value": { # Set of primitive values supported by the system. # Value to compare against. [Required, except for `EXISTS` tests.]
6198 # Note that for the purposes of inspection or transformation, the number
6199 # of bytes considered to comprise a 'Value' is based on its representation
6200 # as a UTF-8 encoded string. For example, if 'integer_value' is set to
6201 # 123456789, the number of bytes would be counted as 9, even though an
6202 # int64 only holds up to 8 bytes of data.
6203 "floatValue": 3.14,
6204 "timestampValue": "A String",
6205 "dayOfWeekValue": "A String",
6206 "timeValue": { # Represents a time of day. The date and time zone are either not significant
6207 # or are specified elsewhere. An API may choose to allow leap seconds. Related
6208 # types are google.type.Date and `google.protobuf.Timestamp`.
6209 "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
6210 # to allow the value "24:00:00" for scenarios like business closing time.
6211 "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
6212 "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
6213 # allow the value 60 if it allows leap-seconds.
6214 "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
6215 },
6216 "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
6217 # and time zone are either specified elsewhere or are not significant. The date
6218 # is relative to the Proleptic Gregorian Calendar. This can represent:
6219 #
6220 # * A full date, with non-zero year, month and day values
6221 # * A month and day value, with a zero year, e.g. an anniversary
6222 # * A year on its own, with zero month and day values
6223 # * A year and month value, with a zero day, e.g. a credit card expiration date
6224 #
6225 # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
6226 "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
6227 # a year.
6228 "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
6229 # if specifying a year by itself or a year and month where the day is not
6230 # significant.
6231 "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
6232 # month and day.
6233 },
6234 "stringValue": "A String",
6235 "booleanValue": True or False,
6236 "integerValue": "A String",
6237 },
6238 },
6239 ],
6240 },
6241 "logicalOperator": "A String", # The operator to apply to the result of conditions. Default and currently
6242 # only supported value is `AND`.
6243 },
6244 },
6245 "fields": [ # Input field(s) to apply the transformation to. [required]
6246 { # General identifier of a data field in a storage service.
6247 "name": "A String", # Name describing the field.
6248 },
6249 ],
6250 },
6251 ],
6252 },
6253 },
6254 "createTime": "A String", # The creation timestamp of a inspectTemplate, output only field.
6255 "name": "A String", # The template name. Output only.
6256 #
6257 # The template will have one of the following formats:
6258 # `projects/PROJECT_ID/deidentifyTemplates/TEMPLATE_ID` OR
6259 # `organizations/ORGANIZATION_ID/deidentifyTemplates/TEMPLATE_ID`
6260 }</pre>
6261</div>
6262
6263<div class="method">
6264 <code class="details" id="list">list(parent, orderBy=None, pageToken=None, x__xgafv=None, pageSize=None)</code>
6265 <pre>Lists DeidentifyTemplates.
6266See https://cloud.google.com/dlp/docs/creating-templates-deid to learn
6267more.
6268
6269Args:
6270 parent: string, The parent resource name, for example projects/my-project-id or
6271organizations/my-org-id. (required)
6272 orderBy: string, Optional comma separated list of fields to order by,
6273followed by `asc` or `desc` postfix. This list is case-insensitive,
6274default sorting order is ascending, redundant space characters are
6275insignificant.
6276
6277Example: `name asc,update_time, create_time desc`
6278
6279Supported fields are:
6280
6281- `create_time`: corresponds to time the template was created.
6282- `update_time`: corresponds to time the template was last updated.
6283- `name`: corresponds to template's name.
6284- `display_name`: corresponds to template's display name.
6285 pageToken: string, Optional page token to continue retrieval. Comes from previous call
6286to `ListDeidentifyTemplates`.
6287 x__xgafv: string, V1 error format.
6288 Allowed values
6289 1 - v1 error format
6290 2 - v2 error format
6291 pageSize: integer, Optional size of the page, can be limited by server. If zero server returns
6292a page of max size 100.
6293
6294Returns:
6295 An object of the form:
6296
6297 { # Response message for ListDeidentifyTemplates.
6298 "nextPageToken": "A String", # If the next page is available then the next page token to be used
6299 # in following ListDeidentifyTemplates request.
6300 "deidentifyTemplates": [ # List of deidentify templates, up to page_size in
6301 # ListDeidentifyTemplatesRequest.
6302 { # The DeidentifyTemplates contains instructions on how to deidentify content.
6303 # See https://cloud.google.com/dlp/docs/concepts-templates to learn more.
6304 "updateTime": "A String", # The last update timestamp of a inspectTemplate, output only field.
6305 "displayName": "A String", # Display name (max 256 chars).
6306 "description": "A String", # Short description (max 256 chars).
6307 "deidentifyConfig": { # The configuration that controls how the data will change. # ///////////// // The core content of the template // ///////////////
6308 "infoTypeTransformations": { # A type of transformation that will scan unstructured text and # Treat the dataset as free-form text and apply the same free text
6309 # transformation everywhere.
6310 # apply various `PrimitiveTransformation`s to each finding, where the
6311 # transformation is applied to only values that were identified as a specific
6312 # info_type.
6313 "transformations": [ # Transformation for each infoType. Cannot specify more than one
6314 # for a given infoType. [required]
6315 { # A transformation to apply to text that is identified as a specific
6316 # info_type.
6317 "primitiveTransformation": { # A rule for transforming a value. # Primitive transformation to apply to the infoType. [required]
6318 "characterMaskConfig": { # Partially mask a string by replacing a given number of characters with a
6319 # fixed character. Masking can start from the beginning or end of the string.
6320 # This can be used on data of any type (numbers, longs, and so on) and when
6321 # de-identifying structured data we'll attempt to preserve the original data's
6322 # type. (This allows you to take a long like 123 and modify it to a string like
6323 # **3.
6324 "charactersToIgnore": [ # When masking a string, items in this list will be skipped when replacing.
6325 # For example, if your string is 555-555-5555 and you ask us to skip `-` and
6326 # mask 5 chars with * we would produce ***-*55-5555.
6327 { # Characters to skip when doing deidentification of a value. These will be left
6328 # alone and skipped.
6329 "commonCharactersToIgnore": "A String",
6330 "charactersToSkip": "A String",
6331 },
6332 ],
6333 "numberToMask": 42, # Number of characters to mask. If not set, all matching chars will be
6334 # masked. Skipped characters do not count towards this tally.
6335 "maskingCharacter": "A String", # Character to mask the sensitive values&mdash;for example, "*" for an
6336 # alphabetic string such as name, or "0" for a numeric string such as ZIP
6337 # code or credit card number. String must have length 1. If not supplied, we
6338 # will default to "*" for strings, 0 for digits.
6339 "reverseOrder": True or False, # Mask characters in reverse order. For example, if `masking_character` is
6340 # '0', number_to_mask is 14, and `reverse_order` is false, then
6341 # 1234-5678-9012-3456 -> 00000000000000-3456
6342 # If `masking_character` is '*', `number_to_mask` is 3, and `reverse_order`
6343 # is true, then 12345 -> 12***
6344 },
6345 "redactConfig": { # Redact a given value. For example, if used with an `InfoTypeTransformation`
6346 # transforming PHONE_NUMBER, and input 'My phone number is 206-555-0123', the
6347 # output would be 'My phone number is '.
6348 },
6349 "cryptoDeterministicConfig": { # Pseudonymization method that generates deterministic encryption for the given
6350 # input. Outputs a base64 encoded representation of the encrypted output.
6351 # Uses AES-SIV based on the RFC https://tools.ietf.org/html/rfc5297.
6352 "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the encryption function.
6353 # a key encryption key (KEK) stored by KMS).
6354 # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
6355 # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
6356 # unwrap the data crypto key.
6357 "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS.
6358 # The wrapped key must be a 128/192/256 bit key.
6359 # Authorization requires the following IAM permissions when sending a request
6360 # to perform a crypto transformation using a kms-wrapped crypto key:
6361 # dlp.kms.encrypt
6362 "cryptoKeyName": "A String", # The resource name of the KMS CryptoKey to use for unwrapping. [required]
6363 "wrappedKey": "A String", # The wrapped data crypto key. [required]
6364 },
6365 "unwrapped": { # Using raw keys is prone to security risks due to accidentally
6366 # leaking the key. Choose another type of key if possible.
6367 "key": "A String", # A 128/192/256 bit key. [required]
6368 },
6369 "transient": { # Use this to have a random data crypto key generated.
6370 # It will be discarded after the request finishes.
6371 "name": "A String", # Name of the key. [required]
6372 # This is an arbitrary string used to differentiate different keys.
6373 # A unique key is generated per name: two separate `TransientCryptoKey`
6374 # protos share the same generated key if their names are the same.
6375 # When the data crypto key is generated, this name is not used in any way
6376 # (repeating the api call will result in a different key being generated).
6377 },
6378 },
6379 "context": { # General identifier of a data field in a storage service. # Optional. A context may be used for higher security and maintaining
6380 # referential integrity such that the same identifier in two different
6381 # contexts will be given a distinct surrogate. The context is appended to
6382 # plaintext value being encrypted. On decryption the provided context is
6383 # validated against the value used during encryption. If a context was
6384 # provided during encryption, same context must be provided during decryption
6385 # as well.
6386 #
6387 # If the context is not set, plaintext would be used as is for encryption.
6388 # If the context is set but:
6389 #
6390 # 1. there is no record present when transforming a given value or
6391 # 2. the field is not present when transforming a given value,
6392 #
6393 # plaintext would be used as is for encryption.
6394 #
6395 # Note that case (1) is expected when an `InfoTypeTransformation` is
6396 # applied to both structured and non-structured `ContentItem`s.
6397 "name": "A String", # Name describing the field.
6398 },
6399 "surrogateInfoType": { # Type of information detected by the API. # The custom info type to annotate the surrogate with.
6400 # This annotation will be applied to the surrogate by prefixing it with
6401 # the name of the custom info type followed by the number of
6402 # characters comprising the surrogate. The following scheme defines the
6403 # format: <info type name>(<surrogate character count>):<surrogate>
6404 #
6405 # For example, if the name of custom info type is 'MY_TOKEN_INFO_TYPE' and
6406 # the surrogate is 'abc', the full replacement value
6407 # will be: 'MY_TOKEN_INFO_TYPE(3):abc'
6408 #
6409 # This annotation identifies the surrogate when inspecting content using the
6410 # custom info type 'Surrogate'. This facilitates reversal of the
6411 # surrogate when it occurs in free text.
6412 #
6413 # In order for inspection to work properly, the name of this info type must
6414 # not occur naturally anywhere in your data; otherwise, inspection may either
6415 #
6416 # - reverse a surrogate that does not correspond to an actual identifier
6417 # - be unable to parse the surrogate and result in an error
6418 #
6419 # Therefore, choose your custom info type name carefully after considering
6420 # what your data looks like. One way to select a name that has a high chance
6421 # of yielding reliable detection is to include one or more unicode characters
6422 # that are highly improbable to exist in your data.
6423 # For example, assuming your data is entered from a regular ASCII keyboard,
6424 # the symbol with the hex code point 29DD might be used like so:
6425 # ⧝MY_TOKEN_TYPE
6426 "name": "A String", # Name of the information type. Either a name of your choosing when
6427 # creating a CustomInfoType, or one of the names listed
6428 # at https://cloud.google.com/dlp/docs/infotypes-reference when specifying
6429 # a built-in type. InfoType names should conform to the pattern
6430 # [a-zA-Z0-9_]{1,64}.
6431 },
6432 },
6433 "fixedSizeBucketingConfig": { # Buckets values based on fixed size ranges. The
6434 # Bucketing transformation can provide all of this functionality,
6435 # but requires more configuration. This message is provided as a convenience to
6436 # the user for simple bucketing strategies.
6437 #
6438 # The transformed value will be a hyphenated string of
6439 # <lower_bound>-<upper_bound>, i.e if lower_bound = 10 and upper_bound = 20
6440 # all values that are within this bucket will be replaced with "10-20".
6441 #
6442 # This can be used on data of type: double, long.
6443 #
6444 # If the bound Value type differs from the type of data
6445 # being transformed, we will first attempt converting the type of the data to
6446 # be transformed to match the type of the bound before comparing.
6447 #
6448 # See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more.
6449 "lowerBound": { # Set of primitive values supported by the system. # Lower bound value of buckets. All values less than `lower_bound` are
6450 # grouped together into a single bucket; for example if `lower_bound` = 10,
6451 # then all values less than 10 are replaced with the value “-10”. [Required].
6452 # Note that for the purposes of inspection or transformation, the number
6453 # of bytes considered to comprise a 'Value' is based on its representation
6454 # as a UTF-8 encoded string. For example, if 'integer_value' is set to
6455 # 123456789, the number of bytes would be counted as 9, even though an
6456 # int64 only holds up to 8 bytes of data.
6457 "floatValue": 3.14,
6458 "timestampValue": "A String",
6459 "dayOfWeekValue": "A String",
6460 "timeValue": { # Represents a time of day. The date and time zone are either not significant
6461 # or are specified elsewhere. An API may choose to allow leap seconds. Related
6462 # types are google.type.Date and `google.protobuf.Timestamp`.
6463 "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
6464 # to allow the value "24:00:00" for scenarios like business closing time.
6465 "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
6466 "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
6467 # allow the value 60 if it allows leap-seconds.
6468 "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
6469 },
6470 "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
6471 # and time zone are either specified elsewhere or are not significant. The date
6472 # is relative to the Proleptic Gregorian Calendar. This can represent:
6473 #
6474 # * A full date, with non-zero year, month and day values
6475 # * A month and day value, with a zero year, e.g. an anniversary
6476 # * A year on its own, with zero month and day values
6477 # * A year and month value, with a zero day, e.g. a credit card expiration date
6478 #
6479 # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
6480 "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
6481 # a year.
6482 "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
6483 # if specifying a year by itself or a year and month where the day is not
6484 # significant.
6485 "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
6486 # month and day.
6487 },
6488 "stringValue": "A String",
6489 "booleanValue": True or False,
6490 "integerValue": "A String",
6491 },
6492 "upperBound": { # Set of primitive values supported by the system. # Upper bound value of buckets. All values greater than upper_bound are
6493 # grouped together into a single bucket; for example if `upper_bound` = 89,
6494 # then all values greater than 89 are replaced with the value “89+”.
6495 # [Required].
6496 # Note that for the purposes of inspection or transformation, the number
6497 # of bytes considered to comprise a 'Value' is based on its representation
6498 # as a UTF-8 encoded string. For example, if 'integer_value' is set to
6499 # 123456789, the number of bytes would be counted as 9, even though an
6500 # int64 only holds up to 8 bytes of data.
6501 "floatValue": 3.14,
6502 "timestampValue": "A String",
6503 "dayOfWeekValue": "A String",
6504 "timeValue": { # Represents a time of day. The date and time zone are either not significant
6505 # or are specified elsewhere. An API may choose to allow leap seconds. Related
6506 # types are google.type.Date and `google.protobuf.Timestamp`.
6507 "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
6508 # to allow the value "24:00:00" for scenarios like business closing time.
6509 "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
6510 "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
6511 # allow the value 60 if it allows leap-seconds.
6512 "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
6513 },
6514 "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
6515 # and time zone are either specified elsewhere or are not significant. The date
6516 # is relative to the Proleptic Gregorian Calendar. This can represent:
6517 #
6518 # * A full date, with non-zero year, month and day values
6519 # * A month and day value, with a zero year, e.g. an anniversary
6520 # * A year on its own, with zero month and day values
6521 # * A year and month value, with a zero day, e.g. a credit card expiration date
6522 #
6523 # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
6524 "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
6525 # a year.
6526 "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
6527 # if specifying a year by itself or a year and month where the day is not
6528 # significant.
6529 "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
6530 # month and day.
6531 },
6532 "stringValue": "A String",
6533 "booleanValue": True or False,
6534 "integerValue": "A String",
6535 },
6536 "bucketSize": 3.14, # Size of each bucket (except for minimum and maximum buckets). So if
6537 # `lower_bound` = 10, `upper_bound` = 89, and `bucket_size` = 10, then the
6538 # following buckets would be used: -10, 10-20, 20-30, 30-40, 40-50, 50-60,
6539 # 60-70, 70-80, 80-89, 89+. Precision up to 2 decimals works. [Required].
6540 },
6541 "replaceWithInfoTypeConfig": { # Replace each matching finding with the name of the info_type.
6542 },
6543 "timePartConfig": { # For use with `Date`, `Timestamp`, and `TimeOfDay`, extract or preserve a
6544 # portion of the value.
6545 "partToExtract": "A String",
6546 },
6547 "cryptoHashConfig": { # Pseudonymization method that generates surrogates via cryptographic hashing.
6548 # Uses SHA-256.
6549 # The key size must be either 32 or 64 bytes.
6550 # Outputs a base64 encoded representation of the hashed output
6551 # (for example, L7k0BHmF1ha5U3NfGykjro4xWi1MPVQPjhMAZbSV9mM=).
6552 # Currently, only string and integer values can be hashed.
6553 # See https://cloud.google.com/dlp/docs/pseudonymization to learn more.
6554 "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the hash function.
6555 # a key encryption key (KEK) stored by KMS).
6556 # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
6557 # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
6558 # unwrap the data crypto key.
6559 "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS.
6560 # The wrapped key must be a 128/192/256 bit key.
6561 # Authorization requires the following IAM permissions when sending a request
6562 # to perform a crypto transformation using a kms-wrapped crypto key:
6563 # dlp.kms.encrypt
6564 "cryptoKeyName": "A String", # The resource name of the KMS CryptoKey to use for unwrapping. [required]
6565 "wrappedKey": "A String", # The wrapped data crypto key. [required]
6566 },
6567 "unwrapped": { # Using raw keys is prone to security risks due to accidentally
6568 # leaking the key. Choose another type of key if possible.
6569 "key": "A String", # A 128/192/256 bit key. [required]
6570 },
6571 "transient": { # Use this to have a random data crypto key generated.
6572 # It will be discarded after the request finishes.
6573 "name": "A String", # Name of the key. [required]
6574 # This is an arbitrary string used to differentiate different keys.
6575 # A unique key is generated per name: two separate `TransientCryptoKey`
6576 # protos share the same generated key if their names are the same.
6577 # When the data crypto key is generated, this name is not used in any way
6578 # (repeating the api call will result in a different key being generated).
6579 },
6580 },
6581 },
6582 "dateShiftConfig": { # Shifts dates by random number of days, with option to be consistent for the
6583 # same context. See https://cloud.google.com/dlp/docs/concepts-date-shifting
6584 # to learn more.
6585 "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # Causes the shift to be computed based on this key and the context. This
6586 # results in the same shift for the same context and crypto_key.
6587 # a key encryption key (KEK) stored by KMS).
6588 # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
6589 # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
6590 # unwrap the data crypto key.
6591 "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS.
6592 # The wrapped key must be a 128/192/256 bit key.
6593 # Authorization requires the following IAM permissions when sending a request
6594 # to perform a crypto transformation using a kms-wrapped crypto key:
6595 # dlp.kms.encrypt
6596 "cryptoKeyName": "A String", # The resource name of the KMS CryptoKey to use for unwrapping. [required]
6597 "wrappedKey": "A String", # The wrapped data crypto key. [required]
6598 },
6599 "unwrapped": { # Using raw keys is prone to security risks due to accidentally
6600 # leaking the key. Choose another type of key if possible.
6601 "key": "A String", # A 128/192/256 bit key. [required]
6602 },
6603 "transient": { # Use this to have a random data crypto key generated.
6604 # It will be discarded after the request finishes.
6605 "name": "A String", # Name of the key. [required]
6606 # This is an arbitrary string used to differentiate different keys.
6607 # A unique key is generated per name: two separate `TransientCryptoKey`
6608 # protos share the same generated key if their names are the same.
6609 # When the data crypto key is generated, this name is not used in any way
6610 # (repeating the api call will result in a different key being generated).
6611 },
6612 },
6613 "lowerBoundDays": 42, # For example, -5 means shift date to at most 5 days back in the past.
6614 # [Required]
6615 "upperBoundDays": 42, # Range of shift in days. Actual shift will be selected at random within this
6616 # range (inclusive ends). Negative means shift to earlier in time. Must not
6617 # be more than 365250 days (1000 years) each direction.
6618 #
6619 # For example, 3 means shift date to at most 3 days into the future.
6620 # [Required]
6621 "context": { # General identifier of a data field in a storage service. # Points to the field that contains the context, for example, an entity id.
6622 # If set, must also set method. If set, shift will be consistent for the
6623 # given context.
6624 "name": "A String", # Name describing the field.
6625 },
6626 },
6627 "bucketingConfig": { # Generalization function that buckets values based on ranges. The ranges and
6628 # replacement values are dynamically provided by the user for custom behavior,
6629 # such as 1-30 -> LOW 31-65 -> MEDIUM 66-100 -> HIGH
6630 # This can be used on
6631 # data of type: number, long, string, timestamp.
6632 # If the bound `Value` type differs from the type of data being transformed, we
6633 # will first attempt converting the type of the data to be transformed to match
6634 # the type of the bound before comparing.
6635 # See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more.
6636 "buckets": [ # Set of buckets. Ranges must be non-overlapping.
6637 { # Bucket is represented as a range, along with replacement values.
6638 "max": { # Set of primitive values supported by the system. # Upper bound of the range, exclusive; type must match min.
6639 # Note that for the purposes of inspection or transformation, the number
6640 # of bytes considered to comprise a 'Value' is based on its representation
6641 # as a UTF-8 encoded string. For example, if 'integer_value' is set to
6642 # 123456789, the number of bytes would be counted as 9, even though an
6643 # int64 only holds up to 8 bytes of data.
6644 "floatValue": 3.14,
6645 "timestampValue": "A String",
6646 "dayOfWeekValue": "A String",
6647 "timeValue": { # Represents a time of day. The date and time zone are either not significant
6648 # or are specified elsewhere. An API may choose to allow leap seconds. Related
6649 # types are google.type.Date and `google.protobuf.Timestamp`.
6650 "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
6651 # to allow the value "24:00:00" for scenarios like business closing time.
6652 "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
6653 "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
6654 # allow the value 60 if it allows leap-seconds.
6655 "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
6656 },
6657 "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
6658 # and time zone are either specified elsewhere or are not significant. The date
6659 # is relative to the Proleptic Gregorian Calendar. This can represent:
6660 #
6661 # * A full date, with non-zero year, month and day values
6662 # * A month and day value, with a zero year, e.g. an anniversary
6663 # * A year on its own, with zero month and day values
6664 # * A year and month value, with a zero day, e.g. a credit card expiration date
6665 #
6666 # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
6667 "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
6668 # a year.
6669 "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
6670 # if specifying a year by itself or a year and month where the day is not
6671 # significant.
6672 "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
6673 # month and day.
6674 },
6675 "stringValue": "A String",
6676 "booleanValue": True or False,
6677 "integerValue": "A String",
6678 },
6679 "replacementValue": { # Set of primitive values supported by the system. # Replacement value for this bucket. If not provided
6680 # the default behavior will be to hyphenate the min-max range.
6681 # Note that for the purposes of inspection or transformation, the number
6682 # of bytes considered to comprise a 'Value' is based on its representation
6683 # as a UTF-8 encoded string. For example, if 'integer_value' is set to
6684 # 123456789, the number of bytes would be counted as 9, even though an
6685 # int64 only holds up to 8 bytes of data.
6686 "floatValue": 3.14,
6687 "timestampValue": "A String",
6688 "dayOfWeekValue": "A String",
6689 "timeValue": { # Represents a time of day. The date and time zone are either not significant
6690 # or are specified elsewhere. An API may choose to allow leap seconds. Related
6691 # types are google.type.Date and `google.protobuf.Timestamp`.
6692 "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
6693 # to allow the value "24:00:00" for scenarios like business closing time.
6694 "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
6695 "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
6696 # allow the value 60 if it allows leap-seconds.
6697 "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
6698 },
6699 "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
6700 # and time zone are either specified elsewhere or are not significant. The date
6701 # is relative to the Proleptic Gregorian Calendar. This can represent:
6702 #
6703 # * A full date, with non-zero year, month and day values
6704 # * A month and day value, with a zero year, e.g. an anniversary
6705 # * A year on its own, with zero month and day values
6706 # * A year and month value, with a zero day, e.g. a credit card expiration date
6707 #
6708 # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
6709 "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
6710 # a year.
6711 "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
6712 # if specifying a year by itself or a year and month where the day is not
6713 # significant.
6714 "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
6715 # month and day.
6716 },
6717 "stringValue": "A String",
6718 "booleanValue": True or False,
6719 "integerValue": "A String",
6720 },
6721 "min": { # Set of primitive values supported by the system. # Lower bound of the range, inclusive. Type should be the same as max if
6722 # used.
6723 # Note that for the purposes of inspection or transformation, the number
6724 # of bytes considered to comprise a 'Value' is based on its representation
6725 # as a UTF-8 encoded string. For example, if 'integer_value' is set to
6726 # 123456789, the number of bytes would be counted as 9, even though an
6727 # int64 only holds up to 8 bytes of data.
6728 "floatValue": 3.14,
6729 "timestampValue": "A String",
6730 "dayOfWeekValue": "A String",
6731 "timeValue": { # Represents a time of day. The date and time zone are either not significant
6732 # or are specified elsewhere. An API may choose to allow leap seconds. Related
6733 # types are google.type.Date and `google.protobuf.Timestamp`.
6734 "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
6735 # to allow the value "24:00:00" for scenarios like business closing time.
6736 "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
6737 "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
6738 # allow the value 60 if it allows leap-seconds.
6739 "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
6740 },
6741 "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
6742 # and time zone are either specified elsewhere or are not significant. The date
6743 # is relative to the Proleptic Gregorian Calendar. This can represent:
6744 #
6745 # * A full date, with non-zero year, month and day values
6746 # * A month and day value, with a zero year, e.g. an anniversary
6747 # * A year on its own, with zero month and day values
6748 # * A year and month value, with a zero day, e.g. a credit card expiration date
6749 #
6750 # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
6751 "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
6752 # a year.
6753 "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
6754 # if specifying a year by itself or a year and month where the day is not
6755 # significant.
6756 "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
6757 # month and day.
6758 },
6759 "stringValue": "A String",
6760 "booleanValue": True or False,
6761 "integerValue": "A String",
6762 },
6763 },
6764 ],
6765 },
6766 "cryptoReplaceFfxFpeConfig": { # Replaces an identifier with a surrogate using Format Preserving Encryption
6767 # (FPE) with the FFX mode of operation; however when used in the
6768 # `ReidentifyContent` API method, it serves the opposite function by reversing
6769 # the surrogate back into the original identifier. The identifier must be
6770 # encoded as ASCII. For a given crypto key and context, the same identifier
6771 # will be replaced with the same surrogate. Identifiers must be at least two
6772 # characters long. In the case that the identifier is the empty string, it will
6773 # be skipped. See https://cloud.google.com/dlp/docs/pseudonymization to learn
6774 # more.
6775 #
6776 # Note: We recommend using CryptoDeterministicConfig for all use cases which
6777 # do not require preserving the input alphabet space and size, plus warrant
6778 # referential integrity.
6779 "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the encryption algorithm. [required]
6780 # a key encryption key (KEK) stored by KMS).
6781 # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
6782 # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
6783 # unwrap the data crypto key.
6784 "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS.
6785 # The wrapped key must be a 128/192/256 bit key.
6786 # Authorization requires the following IAM permissions when sending a request
6787 # to perform a crypto transformation using a kms-wrapped crypto key:
6788 # dlp.kms.encrypt
6789 "cryptoKeyName": "A String", # The resource name of the KMS CryptoKey to use for unwrapping. [required]
6790 "wrappedKey": "A String", # The wrapped data crypto key. [required]
6791 },
6792 "unwrapped": { # Using raw keys is prone to security risks due to accidentally
6793 # leaking the key. Choose another type of key if possible.
6794 "key": "A String", # A 128/192/256 bit key. [required]
6795 },
6796 "transient": { # Use this to have a random data crypto key generated.
6797 # It will be discarded after the request finishes.
6798 "name": "A String", # Name of the key. [required]
6799 # This is an arbitrary string used to differentiate different keys.
6800 # A unique key is generated per name: two separate `TransientCryptoKey`
6801 # protos share the same generated key if their names are the same.
6802 # When the data crypto key is generated, this name is not used in any way
6803 # (repeating the api call will result in a different key being generated).
6804 },
6805 },
6806 "radix": 42, # The native way to select the alphabet. Must be in the range [2, 62].
6807 "commonAlphabet": "A String",
6808 "customAlphabet": "A String", # This is supported by mapping these to the alphanumeric characters
6809 # that the FFX mode natively supports. This happens before/after
6810 # encryption/decryption.
6811 # Each character listed must appear only once.
6812 # Number of characters must be in the range [2, 62].
6813 # This must be encoded as ASCII.
6814 # The order of characters does not matter.
6815 "context": { # General identifier of a data field in a storage service. # The 'tweak', a context may be used for higher security since the same
6816 # identifier in two different contexts won't be given the same surrogate. If
6817 # the context is not set, a default tweak will be used.
6818 #
6819 # If the context is set but:
6820 #
6821 # 1. there is no record present when transforming a given value or
6822 # 1. the field is not present when transforming a given value,
6823 #
6824 # a default tweak will be used.
6825 #
6826 # Note that case (1) is expected when an `InfoTypeTransformation` is
6827 # applied to both structured and non-structured `ContentItem`s.
6828 # Currently, the referenced field may be of value type integer or string.
6829 #
6830 # The tweak is constructed as a sequence of bytes in big endian byte order
6831 # such that:
6832 #
6833 # - a 64 bit integer is encoded followed by a single byte of value 1
6834 # - a string is encoded in UTF-8 format followed by a single byte of value 2
6835 "name": "A String", # Name describing the field.
6836 },
6837 "surrogateInfoType": { # Type of information detected by the API. # The custom infoType to annotate the surrogate with.
6838 # This annotation will be applied to the surrogate by prefixing it with
6839 # the name of the custom infoType followed by the number of
6840 # characters comprising the surrogate. The following scheme defines the
6841 # format: info_type_name(surrogate_character_count):surrogate
6842 #
6843 # For example, if the name of custom infoType is 'MY_TOKEN_INFO_TYPE' and
6844 # the surrogate is 'abc', the full replacement value
6845 # will be: 'MY_TOKEN_INFO_TYPE(3):abc'
6846 #
6847 # This annotation identifies the surrogate when inspecting content using the
6848 # custom infoType
6849 # [`SurrogateType`](/dlp/docs/reference/rest/v2/InspectConfig#surrogatetype).
6850 # This facilitates reversal of the surrogate when it occurs in free text.
6851 #
6852 # In order for inspection to work properly, the name of this infoType must
6853 # not occur naturally anywhere in your data; otherwise, inspection may
6854 # find a surrogate that does not correspond to an actual identifier.
6855 # Therefore, choose your custom infoType name carefully after considering
6856 # what your data looks like. One way to select a name that has a high chance
6857 # of yielding reliable detection is to include one or more unicode characters
6858 # that are highly improbable to exist in your data.
6859 # For example, assuming your data is entered from a regular ASCII keyboard,
6860 # the symbol with the hex code point 29DD might be used like so:
6861 # ⧝MY_TOKEN_TYPE
6862 "name": "A String", # Name of the information type. Either a name of your choosing when
6863 # creating a CustomInfoType, or one of the names listed
6864 # at https://cloud.google.com/dlp/docs/infotypes-reference when specifying
6865 # a built-in type. InfoType names should conform to the pattern
6866 # [a-zA-Z0-9_]{1,64}.
6867 },
6868 },
6869 "replaceConfig": { # Replace each input value with a given `Value`.
6870 "newValue": { # Set of primitive values supported by the system. # Value to replace it with.
6871 # Note that for the purposes of inspection or transformation, the number
6872 # of bytes considered to comprise a 'Value' is based on its representation
6873 # as a UTF-8 encoded string. For example, if 'integer_value' is set to
6874 # 123456789, the number of bytes would be counted as 9, even though an
6875 # int64 only holds up to 8 bytes of data.
6876 "floatValue": 3.14,
6877 "timestampValue": "A String",
6878 "dayOfWeekValue": "A String",
6879 "timeValue": { # Represents a time of day. The date and time zone are either not significant
6880 # or are specified elsewhere. An API may choose to allow leap seconds. Related
6881 # types are google.type.Date and `google.protobuf.Timestamp`.
6882 "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
6883 # to allow the value "24:00:00" for scenarios like business closing time.
6884 "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
6885 "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
6886 # allow the value 60 if it allows leap-seconds.
6887 "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
6888 },
6889 "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
6890 # and time zone are either specified elsewhere or are not significant. The date
6891 # is relative to the Proleptic Gregorian Calendar. This can represent:
6892 #
6893 # * A full date, with non-zero year, month and day values
6894 # * A month and day value, with a zero year, e.g. an anniversary
6895 # * A year on its own, with zero month and day values
6896 # * A year and month value, with a zero day, e.g. a credit card expiration date
6897 #
6898 # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
6899 "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
6900 # a year.
6901 "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
6902 # if specifying a year by itself or a year and month where the day is not
6903 # significant.
6904 "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
6905 # month and day.
6906 },
6907 "stringValue": "A String",
6908 "booleanValue": True or False,
6909 "integerValue": "A String",
6910 },
6911 },
6912 },
6913 "infoTypes": [ # InfoTypes to apply the transformation to. An empty list will cause
6914 # this transformation to apply to all findings that correspond to
6915 # infoTypes that were requested in `InspectConfig`.
6916 { # Type of information detected by the API.
6917 "name": "A String", # Name of the information type. Either a name of your choosing when
6918 # creating a CustomInfoType, or one of the names listed
6919 # at https://cloud.google.com/dlp/docs/infotypes-reference when specifying
6920 # a built-in type. InfoType names should conform to the pattern
6921 # [a-zA-Z0-9_]{1,64}.
6922 },
6923 ],
6924 },
6925 ],
6926 },
6927 "recordTransformations": { # A type of transformation that is applied over structured data such as a # Treat the dataset as structured. Transformations can be applied to
6928 # specific locations within structured datasets, such as transforming
6929 # a column within a table.
6930 # table.
6931 "recordSuppressions": [ # Configuration defining which records get suppressed entirely. Records that
6932 # match any suppression rule are omitted from the output [optional].
6933 { # Configuration to suppress records whose suppression conditions evaluate to
6934 # true.
6935 "condition": { # A condition for determining whether a transformation should be applied to # A condition that when it evaluates to true will result in the record being
6936 # evaluated to be suppressed from the transformed content.
6937 # a field.
6938 "expressions": { # An expression, consisting or an operator and conditions. # An expression.
6939 "conditions": { # A collection of conditions.
6940 "conditions": [
6941 { # The field type of `value` and `field` do not need to match to be
6942 # considered equal, but not all comparisons are possible.
6943 # EQUAL_TO and NOT_EQUAL_TO attempt to compare even with incompatible types,
6944 # but all other comparisons are invalid with incompatible types.
6945 # A `value` of type:
6946 #
6947 # - `string` can be compared against all other types
6948 # - `boolean` can only be compared against other booleans
6949 # - `integer` can be compared against doubles or a string if the string value
6950 # can be parsed as an integer.
6951 # - `double` can be compared against integers or a string if the string can
6952 # be parsed as a double.
6953 # - `Timestamp` can be compared against strings in RFC 3339 date string
6954 # format.
6955 # - `TimeOfDay` can be compared against timestamps and strings in the format
6956 # of 'HH:mm:ss'.
6957 #
6958 # If we fail to compare do to type mismatch, a warning will be given and
6959 # the condition will evaluate to false.
6960 "operator": "A String", # Operator used to compare the field or infoType to the value. [required]
6961 "field": { # General identifier of a data field in a storage service. # Field within the record this condition is evaluated against. [required]
6962 "name": "A String", # Name describing the field.
6963 },
6964 "value": { # Set of primitive values supported by the system. # Value to compare against. [Required, except for `EXISTS` tests.]
6965 # Note that for the purposes of inspection or transformation, the number
6966 # of bytes considered to comprise a 'Value' is based on its representation
6967 # as a UTF-8 encoded string. For example, if 'integer_value' is set to
6968 # 123456789, the number of bytes would be counted as 9, even though an
6969 # int64 only holds up to 8 bytes of data.
6970 "floatValue": 3.14,
6971 "timestampValue": "A String",
6972 "dayOfWeekValue": "A String",
6973 "timeValue": { # Represents a time of day. The date and time zone are either not significant
6974 # or are specified elsewhere. An API may choose to allow leap seconds. Related
6975 # types are google.type.Date and `google.protobuf.Timestamp`.
6976 "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
6977 # to allow the value "24:00:00" for scenarios like business closing time.
6978 "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
6979 "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
6980 # allow the value 60 if it allows leap-seconds.
6981 "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
6982 },
6983 "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
6984 # and time zone are either specified elsewhere or are not significant. The date
6985 # is relative to the Proleptic Gregorian Calendar. This can represent:
6986 #
6987 # * A full date, with non-zero year, month and day values
6988 # * A month and day value, with a zero year, e.g. an anniversary
6989 # * A year on its own, with zero month and day values
6990 # * A year and month value, with a zero day, e.g. a credit card expiration date
6991 #
6992 # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
6993 "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
6994 # a year.
6995 "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
6996 # if specifying a year by itself or a year and month where the day is not
6997 # significant.
6998 "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
6999 # month and day.
7000 },
7001 "stringValue": "A String",
7002 "booleanValue": True or False,
7003 "integerValue": "A String",
7004 },
7005 },
7006 ],
7007 },
7008 "logicalOperator": "A String", # The operator to apply to the result of conditions. Default and currently
7009 # only supported value is `AND`.
7010 },
7011 },
7012 },
7013 ],
7014 "fieldTransformations": [ # Transform the record by applying various field transformations.
7015 { # The transformation to apply to the field.
7016 "infoTypeTransformations": { # A type of transformation that will scan unstructured text and # Treat the contents of the field as free text, and selectively
7017 # transform content that matches an `InfoType`.
7018 # apply various `PrimitiveTransformation`s to each finding, where the
7019 # transformation is applied to only values that were identified as a specific
7020 # info_type.
7021 "transformations": [ # Transformation for each infoType. Cannot specify more than one
7022 # for a given infoType. [required]
7023 { # A transformation to apply to text that is identified as a specific
7024 # info_type.
7025 "primitiveTransformation": { # A rule for transforming a value. # Primitive transformation to apply to the infoType. [required]
7026 "characterMaskConfig": { # Partially mask a string by replacing a given number of characters with a
7027 # fixed character. Masking can start from the beginning or end of the string.
7028 # This can be used on data of any type (numbers, longs, and so on) and when
7029 # de-identifying structured data we'll attempt to preserve the original data's
7030 # type. (This allows you to take a long like 123 and modify it to a string like
7031 # **3.
7032 "charactersToIgnore": [ # When masking a string, items in this list will be skipped when replacing.
7033 # For example, if your string is 555-555-5555 and you ask us to skip `-` and
7034 # mask 5 chars with * we would produce ***-*55-5555.
7035 { # Characters to skip when doing deidentification of a value. These will be left
7036 # alone and skipped.
7037 "commonCharactersToIgnore": "A String",
7038 "charactersToSkip": "A String",
7039 },
7040 ],
7041 "numberToMask": 42, # Number of characters to mask. If not set, all matching chars will be
7042 # masked. Skipped characters do not count towards this tally.
7043 "maskingCharacter": "A String", # Character to mask the sensitive values&mdash;for example, "*" for an
7044 # alphabetic string such as name, or "0" for a numeric string such as ZIP
7045 # code or credit card number. String must have length 1. If not supplied, we
7046 # will default to "*" for strings, 0 for digits.
7047 "reverseOrder": True or False, # Mask characters in reverse order. For example, if `masking_character` is
7048 # '0', number_to_mask is 14, and `reverse_order` is false, then
7049 # 1234-5678-9012-3456 -> 00000000000000-3456
7050 # If `masking_character` is '*', `number_to_mask` is 3, and `reverse_order`
7051 # is true, then 12345 -> 12***
7052 },
7053 "redactConfig": { # Redact a given value. For example, if used with an `InfoTypeTransformation`
7054 # transforming PHONE_NUMBER, and input 'My phone number is 206-555-0123', the
7055 # output would be 'My phone number is '.
7056 },
7057 "cryptoDeterministicConfig": { # Pseudonymization method that generates deterministic encryption for the given
7058 # input. Outputs a base64 encoded representation of the encrypted output.
7059 # Uses AES-SIV based on the RFC https://tools.ietf.org/html/rfc5297.
7060 "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the encryption function.
7061 # a key encryption key (KEK) stored by KMS).
7062 # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
7063 # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
7064 # unwrap the data crypto key.
7065 "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS.
7066 # The wrapped key must be a 128/192/256 bit key.
7067 # Authorization requires the following IAM permissions when sending a request
7068 # to perform a crypto transformation using a kms-wrapped crypto key:
7069 # dlp.kms.encrypt
7070 "cryptoKeyName": "A String", # The resource name of the KMS CryptoKey to use for unwrapping. [required]
7071 "wrappedKey": "A String", # The wrapped data crypto key. [required]
7072 },
7073 "unwrapped": { # Using raw keys is prone to security risks due to accidentally
7074 # leaking the key. Choose another type of key if possible.
7075 "key": "A String", # A 128/192/256 bit key. [required]
7076 },
7077 "transient": { # Use this to have a random data crypto key generated.
7078 # It will be discarded after the request finishes.
7079 "name": "A String", # Name of the key. [required]
7080 # This is an arbitrary string used to differentiate different keys.
7081 # A unique key is generated per name: two separate `TransientCryptoKey`
7082 # protos share the same generated key if their names are the same.
7083 # When the data crypto key is generated, this name is not used in any way
7084 # (repeating the api call will result in a different key being generated).
7085 },
7086 },
7087 "context": { # General identifier of a data field in a storage service. # Optional. A context may be used for higher security and maintaining
7088 # referential integrity such that the same identifier in two different
7089 # contexts will be given a distinct surrogate. The context is appended to
7090 # plaintext value being encrypted. On decryption the provided context is
7091 # validated against the value used during encryption. If a context was
7092 # provided during encryption, same context must be provided during decryption
7093 # as well.
7094 #
7095 # If the context is not set, plaintext would be used as is for encryption.
7096 # If the context is set but:
7097 #
7098 # 1. there is no record present when transforming a given value or
7099 # 2. the field is not present when transforming a given value,
7100 #
7101 # plaintext would be used as is for encryption.
7102 #
7103 # Note that case (1) is expected when an `InfoTypeTransformation` is
7104 # applied to both structured and non-structured `ContentItem`s.
7105 "name": "A String", # Name describing the field.
7106 },
7107 "surrogateInfoType": { # Type of information detected by the API. # The custom info type to annotate the surrogate with.
7108 # This annotation will be applied to the surrogate by prefixing it with
7109 # the name of the custom info type followed by the number of
7110 # characters comprising the surrogate. The following scheme defines the
7111 # format: <info type name>(<surrogate character count>):<surrogate>
7112 #
7113 # For example, if the name of custom info type is 'MY_TOKEN_INFO_TYPE' and
7114 # the surrogate is 'abc', the full replacement value
7115 # will be: 'MY_TOKEN_INFO_TYPE(3):abc'
7116 #
7117 # This annotation identifies the surrogate when inspecting content using the
7118 # custom info type 'Surrogate'. This facilitates reversal of the
7119 # surrogate when it occurs in free text.
7120 #
7121 # In order for inspection to work properly, the name of this info type must
7122 # not occur naturally anywhere in your data; otherwise, inspection may either
7123 #
7124 # - reverse a surrogate that does not correspond to an actual identifier
7125 # - be unable to parse the surrogate and result in an error
7126 #
7127 # Therefore, choose your custom info type name carefully after considering
7128 # what your data looks like. One way to select a name that has a high chance
7129 # of yielding reliable detection is to include one or more unicode characters
7130 # that are highly improbable to exist in your data.
7131 # For example, assuming your data is entered from a regular ASCII keyboard,
7132 # the symbol with the hex code point 29DD might be used like so:
7133 # ⧝MY_TOKEN_TYPE
7134 "name": "A String", # Name of the information type. Either a name of your choosing when
7135 # creating a CustomInfoType, or one of the names listed
7136 # at https://cloud.google.com/dlp/docs/infotypes-reference when specifying
7137 # a built-in type. InfoType names should conform to the pattern
7138 # [a-zA-Z0-9_]{1,64}.
7139 },
7140 },
7141 "fixedSizeBucketingConfig": { # Buckets values based on fixed size ranges. The
7142 # Bucketing transformation can provide all of this functionality,
7143 # but requires more configuration. This message is provided as a convenience to
7144 # the user for simple bucketing strategies.
7145 #
7146 # The transformed value will be a hyphenated string of
7147 # <lower_bound>-<upper_bound>, i.e if lower_bound = 10 and upper_bound = 20
7148 # all values that are within this bucket will be replaced with "10-20".
7149 #
7150 # This can be used on data of type: double, long.
7151 #
7152 # If the bound Value type differs from the type of data
7153 # being transformed, we will first attempt converting the type of the data to
7154 # be transformed to match the type of the bound before comparing.
7155 #
7156 # See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more.
7157 "lowerBound": { # Set of primitive values supported by the system. # Lower bound value of buckets. All values less than `lower_bound` are
7158 # grouped together into a single bucket; for example if `lower_bound` = 10,
7159 # then all values less than 10 are replaced with the value “-10”. [Required].
7160 # Note that for the purposes of inspection or transformation, the number
7161 # of bytes considered to comprise a 'Value' is based on its representation
7162 # as a UTF-8 encoded string. For example, if 'integer_value' is set to
7163 # 123456789, the number of bytes would be counted as 9, even though an
7164 # int64 only holds up to 8 bytes of data.
7165 "floatValue": 3.14,
7166 "timestampValue": "A String",
7167 "dayOfWeekValue": "A String",
7168 "timeValue": { # Represents a time of day. The date and time zone are either not significant
7169 # or are specified elsewhere. An API may choose to allow leap seconds. Related
7170 # types are google.type.Date and `google.protobuf.Timestamp`.
7171 "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
7172 # to allow the value "24:00:00" for scenarios like business closing time.
7173 "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
7174 "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
7175 # allow the value 60 if it allows leap-seconds.
7176 "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
7177 },
7178 "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
7179 # and time zone are either specified elsewhere or are not significant. The date
7180 # is relative to the Proleptic Gregorian Calendar. This can represent:
7181 #
7182 # * A full date, with non-zero year, month and day values
7183 # * A month and day value, with a zero year, e.g. an anniversary
7184 # * A year on its own, with zero month and day values
7185 # * A year and month value, with a zero day, e.g. a credit card expiration date
7186 #
7187 # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
7188 "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
7189 # a year.
7190 "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
7191 # if specifying a year by itself or a year and month where the day is not
7192 # significant.
7193 "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
7194 # month and day.
7195 },
7196 "stringValue": "A String",
7197 "booleanValue": True or False,
7198 "integerValue": "A String",
7199 },
7200 "upperBound": { # Set of primitive values supported by the system. # Upper bound value of buckets. All values greater than upper_bound are
7201 # grouped together into a single bucket; for example if `upper_bound` = 89,
7202 # then all values greater than 89 are replaced with the value “89+”.
7203 # [Required].
7204 # Note that for the purposes of inspection or transformation, the number
7205 # of bytes considered to comprise a 'Value' is based on its representation
7206 # as a UTF-8 encoded string. For example, if 'integer_value' is set to
7207 # 123456789, the number of bytes would be counted as 9, even though an
7208 # int64 only holds up to 8 bytes of data.
7209 "floatValue": 3.14,
7210 "timestampValue": "A String",
7211 "dayOfWeekValue": "A String",
7212 "timeValue": { # Represents a time of day. The date and time zone are either not significant
7213 # or are specified elsewhere. An API may choose to allow leap seconds. Related
7214 # types are google.type.Date and `google.protobuf.Timestamp`.
7215 "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
7216 # to allow the value "24:00:00" for scenarios like business closing time.
7217 "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
7218 "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
7219 # allow the value 60 if it allows leap-seconds.
7220 "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
7221 },
7222 "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
7223 # and time zone are either specified elsewhere or are not significant. The date
7224 # is relative to the Proleptic Gregorian Calendar. This can represent:
7225 #
7226 # * A full date, with non-zero year, month and day values
7227 # * A month and day value, with a zero year, e.g. an anniversary
7228 # * A year on its own, with zero month and day values
7229 # * A year and month value, with a zero day, e.g. a credit card expiration date
7230 #
7231 # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
7232 "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
7233 # a year.
7234 "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
7235 # if specifying a year by itself or a year and month where the day is not
7236 # significant.
7237 "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
7238 # month and day.
7239 },
7240 "stringValue": "A String",
7241 "booleanValue": True or False,
7242 "integerValue": "A String",
7243 },
7244 "bucketSize": 3.14, # Size of each bucket (except for minimum and maximum buckets). So if
7245 # `lower_bound` = 10, `upper_bound` = 89, and `bucket_size` = 10, then the
7246 # following buckets would be used: -10, 10-20, 20-30, 30-40, 40-50, 50-60,
7247 # 60-70, 70-80, 80-89, 89+. Precision up to 2 decimals works. [Required].
7248 },
7249 "replaceWithInfoTypeConfig": { # Replace each matching finding with the name of the info_type.
7250 },
7251 "timePartConfig": { # For use with `Date`, `Timestamp`, and `TimeOfDay`, extract or preserve a
7252 # portion of the value.
7253 "partToExtract": "A String",
7254 },
7255 "cryptoHashConfig": { # Pseudonymization method that generates surrogates via cryptographic hashing.
7256 # Uses SHA-256.
7257 # The key size must be either 32 or 64 bytes.
7258 # Outputs a base64 encoded representation of the hashed output
7259 # (for example, L7k0BHmF1ha5U3NfGykjro4xWi1MPVQPjhMAZbSV9mM=).
7260 # Currently, only string and integer values can be hashed.
7261 # See https://cloud.google.com/dlp/docs/pseudonymization to learn more.
7262 "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the hash function.
7263 # a key encryption key (KEK) stored by KMS).
7264 # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
7265 # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
7266 # unwrap the data crypto key.
7267 "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS.
7268 # The wrapped key must be a 128/192/256 bit key.
7269 # Authorization requires the following IAM permissions when sending a request
7270 # to perform a crypto transformation using a kms-wrapped crypto key:
7271 # dlp.kms.encrypt
7272 "cryptoKeyName": "A String", # The resource name of the KMS CryptoKey to use for unwrapping. [required]
7273 "wrappedKey": "A String", # The wrapped data crypto key. [required]
7274 },
7275 "unwrapped": { # Using raw keys is prone to security risks due to accidentally
7276 # leaking the key. Choose another type of key if possible.
7277 "key": "A String", # A 128/192/256 bit key. [required]
7278 },
7279 "transient": { # Use this to have a random data crypto key generated.
7280 # It will be discarded after the request finishes.
7281 "name": "A String", # Name of the key. [required]
7282 # This is an arbitrary string used to differentiate different keys.
7283 # A unique key is generated per name: two separate `TransientCryptoKey`
7284 # protos share the same generated key if their names are the same.
7285 # When the data crypto key is generated, this name is not used in any way
7286 # (repeating the api call will result in a different key being generated).
7287 },
7288 },
7289 },
7290 "dateShiftConfig": { # Shifts dates by random number of days, with option to be consistent for the
7291 # same context. See https://cloud.google.com/dlp/docs/concepts-date-shifting
7292 # to learn more.
7293 "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # Causes the shift to be computed based on this key and the context. This
7294 # results in the same shift for the same context and crypto_key.
7295 # a key encryption key (KEK) stored by KMS).
7296 # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
7297 # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
7298 # unwrap the data crypto key.
7299 "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS.
7300 # The wrapped key must be a 128/192/256 bit key.
7301 # Authorization requires the following IAM permissions when sending a request
7302 # to perform a crypto transformation using a kms-wrapped crypto key:
7303 # dlp.kms.encrypt
7304 "cryptoKeyName": "A String", # The resource name of the KMS CryptoKey to use for unwrapping. [required]
7305 "wrappedKey": "A String", # The wrapped data crypto key. [required]
7306 },
7307 "unwrapped": { # Using raw keys is prone to security risks due to accidentally
7308 # leaking the key. Choose another type of key if possible.
7309 "key": "A String", # A 128/192/256 bit key. [required]
7310 },
7311 "transient": { # Use this to have a random data crypto key generated.
7312 # It will be discarded after the request finishes.
7313 "name": "A String", # Name of the key. [required]
7314 # This is an arbitrary string used to differentiate different keys.
7315 # A unique key is generated per name: two separate `TransientCryptoKey`
7316 # protos share the same generated key if their names are the same.
7317 # When the data crypto key is generated, this name is not used in any way
7318 # (repeating the api call will result in a different key being generated).
7319 },
7320 },
7321 "lowerBoundDays": 42, # For example, -5 means shift date to at most 5 days back in the past.
7322 # [Required]
7323 "upperBoundDays": 42, # Range of shift in days. Actual shift will be selected at random within this
7324 # range (inclusive ends). Negative means shift to earlier in time. Must not
7325 # be more than 365250 days (1000 years) each direction.
7326 #
7327 # For example, 3 means shift date to at most 3 days into the future.
7328 # [Required]
7329 "context": { # General identifier of a data field in a storage service. # Points to the field that contains the context, for example, an entity id.
7330 # If set, must also set method. If set, shift will be consistent for the
7331 # given context.
7332 "name": "A String", # Name describing the field.
7333 },
7334 },
7335 "bucketingConfig": { # Generalization function that buckets values based on ranges. The ranges and
7336 # replacement values are dynamically provided by the user for custom behavior,
7337 # such as 1-30 -> LOW 31-65 -> MEDIUM 66-100 -> HIGH
7338 # This can be used on
7339 # data of type: number, long, string, timestamp.
7340 # If the bound `Value` type differs from the type of data being transformed, we
7341 # will first attempt converting the type of the data to be transformed to match
7342 # the type of the bound before comparing.
7343 # See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more.
7344 "buckets": [ # Set of buckets. Ranges must be non-overlapping.
7345 { # Bucket is represented as a range, along with replacement values.
7346 "max": { # Set of primitive values supported by the system. # Upper bound of the range, exclusive; type must match min.
7347 # Note that for the purposes of inspection or transformation, the number
7348 # of bytes considered to comprise a 'Value' is based on its representation
7349 # as a UTF-8 encoded string. For example, if 'integer_value' is set to
7350 # 123456789, the number of bytes would be counted as 9, even though an
7351 # int64 only holds up to 8 bytes of data.
7352 "floatValue": 3.14,
7353 "timestampValue": "A String",
7354 "dayOfWeekValue": "A String",
7355 "timeValue": { # Represents a time of day. The date and time zone are either not significant
7356 # or are specified elsewhere. An API may choose to allow leap seconds. Related
7357 # types are google.type.Date and `google.protobuf.Timestamp`.
7358 "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
7359 # to allow the value "24:00:00" for scenarios like business closing time.
7360 "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
7361 "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
7362 # allow the value 60 if it allows leap-seconds.
7363 "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
7364 },
7365 "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
7366 # and time zone are either specified elsewhere or are not significant. The date
7367 # is relative to the Proleptic Gregorian Calendar. This can represent:
7368 #
7369 # * A full date, with non-zero year, month and day values
7370 # * A month and day value, with a zero year, e.g. an anniversary
7371 # * A year on its own, with zero month and day values
7372 # * A year and month value, with a zero day, e.g. a credit card expiration date
7373 #
7374 # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
7375 "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
7376 # a year.
7377 "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
7378 # if specifying a year by itself or a year and month where the day is not
7379 # significant.
7380 "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
7381 # month and day.
7382 },
7383 "stringValue": "A String",
7384 "booleanValue": True or False,
7385 "integerValue": "A String",
7386 },
7387 "replacementValue": { # Set of primitive values supported by the system. # Replacement value for this bucket. If not provided
7388 # the default behavior will be to hyphenate the min-max range.
7389 # Note that for the purposes of inspection or transformation, the number
7390 # of bytes considered to comprise a 'Value' is based on its representation
7391 # as a UTF-8 encoded string. For example, if 'integer_value' is set to
7392 # 123456789, the number of bytes would be counted as 9, even though an
7393 # int64 only holds up to 8 bytes of data.
7394 "floatValue": 3.14,
7395 "timestampValue": "A String",
7396 "dayOfWeekValue": "A String",
7397 "timeValue": { # Represents a time of day. The date and time zone are either not significant
7398 # or are specified elsewhere. An API may choose to allow leap seconds. Related
7399 # types are google.type.Date and `google.protobuf.Timestamp`.
7400 "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
7401 # to allow the value "24:00:00" for scenarios like business closing time.
7402 "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
7403 "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
7404 # allow the value 60 if it allows leap-seconds.
7405 "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
7406 },
7407 "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
7408 # and time zone are either specified elsewhere or are not significant. The date
7409 # is relative to the Proleptic Gregorian Calendar. This can represent:
7410 #
7411 # * A full date, with non-zero year, month and day values
7412 # * A month and day value, with a zero year, e.g. an anniversary
7413 # * A year on its own, with zero month and day values
7414 # * A year and month value, with a zero day, e.g. a credit card expiration date
7415 #
7416 # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
7417 "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
7418 # a year.
7419 "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
7420 # if specifying a year by itself or a year and month where the day is not
7421 # significant.
7422 "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
7423 # month and day.
7424 },
7425 "stringValue": "A String",
7426 "booleanValue": True or False,
7427 "integerValue": "A String",
7428 },
7429 "min": { # Set of primitive values supported by the system. # Lower bound of the range, inclusive. Type should be the same as max if
7430 # used.
7431 # Note that for the purposes of inspection or transformation, the number
7432 # of bytes considered to comprise a 'Value' is based on its representation
7433 # as a UTF-8 encoded string. For example, if 'integer_value' is set to
7434 # 123456789, the number of bytes would be counted as 9, even though an
7435 # int64 only holds up to 8 bytes of data.
7436 "floatValue": 3.14,
7437 "timestampValue": "A String",
7438 "dayOfWeekValue": "A String",
7439 "timeValue": { # Represents a time of day. The date and time zone are either not significant
7440 # or are specified elsewhere. An API may choose to allow leap seconds. Related
7441 # types are google.type.Date and `google.protobuf.Timestamp`.
7442 "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
7443 # to allow the value "24:00:00" for scenarios like business closing time.
7444 "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
7445 "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
7446 # allow the value 60 if it allows leap-seconds.
7447 "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
7448 },
7449 "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
7450 # and time zone are either specified elsewhere or are not significant. The date
7451 # is relative to the Proleptic Gregorian Calendar. This can represent:
7452 #
7453 # * A full date, with non-zero year, month and day values
7454 # * A month and day value, with a zero year, e.g. an anniversary
7455 # * A year on its own, with zero month and day values
7456 # * A year and month value, with a zero day, e.g. a credit card expiration date
7457 #
7458 # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
7459 "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
7460 # a year.
7461 "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
7462 # if specifying a year by itself or a year and month where the day is not
7463 # significant.
7464 "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
7465 # month and day.
7466 },
7467 "stringValue": "A String",
7468 "booleanValue": True or False,
7469 "integerValue": "A String",
7470 },
7471 },
7472 ],
7473 },
7474 "cryptoReplaceFfxFpeConfig": { # Replaces an identifier with a surrogate using Format Preserving Encryption
7475 # (FPE) with the FFX mode of operation; however when used in the
7476 # `ReidentifyContent` API method, it serves the opposite function by reversing
7477 # the surrogate back into the original identifier. The identifier must be
7478 # encoded as ASCII. For a given crypto key and context, the same identifier
7479 # will be replaced with the same surrogate. Identifiers must be at least two
7480 # characters long. In the case that the identifier is the empty string, it will
7481 # be skipped. See https://cloud.google.com/dlp/docs/pseudonymization to learn
7482 # more.
7483 #
7484 # Note: We recommend using CryptoDeterministicConfig for all use cases which
7485 # do not require preserving the input alphabet space and size, plus warrant
7486 # referential integrity.
7487 "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the encryption algorithm. [required]
7488 # a key encryption key (KEK) stored by KMS).
7489 # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
7490 # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
7491 # unwrap the data crypto key.
7492 "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS.
7493 # The wrapped key must be a 128/192/256 bit key.
7494 # Authorization requires the following IAM permissions when sending a request
7495 # to perform a crypto transformation using a kms-wrapped crypto key:
7496 # dlp.kms.encrypt
7497 "cryptoKeyName": "A String", # The resource name of the KMS CryptoKey to use for unwrapping. [required]
7498 "wrappedKey": "A String", # The wrapped data crypto key. [required]
7499 },
7500 "unwrapped": { # Using raw keys is prone to security risks due to accidentally
7501 # leaking the key. Choose another type of key if possible.
7502 "key": "A String", # A 128/192/256 bit key. [required]
7503 },
7504 "transient": { # Use this to have a random data crypto key generated.
7505 # It will be discarded after the request finishes.
7506 "name": "A String", # Name of the key. [required]
7507 # This is an arbitrary string used to differentiate different keys.
7508 # A unique key is generated per name: two separate `TransientCryptoKey`
7509 # protos share the same generated key if their names are the same.
7510 # When the data crypto key is generated, this name is not used in any way
7511 # (repeating the api call will result in a different key being generated).
7512 },
7513 },
7514 "radix": 42, # The native way to select the alphabet. Must be in the range [2, 62].
7515 "commonAlphabet": "A String",
7516 "customAlphabet": "A String", # This is supported by mapping these to the alphanumeric characters
7517 # that the FFX mode natively supports. This happens before/after
7518 # encryption/decryption.
7519 # Each character listed must appear only once.
7520 # Number of characters must be in the range [2, 62].
7521 # This must be encoded as ASCII.
7522 # The order of characters does not matter.
7523 "context": { # General identifier of a data field in a storage service. # The 'tweak', a context may be used for higher security since the same
7524 # identifier in two different contexts won't be given the same surrogate. If
7525 # the context is not set, a default tweak will be used.
7526 #
7527 # If the context is set but:
7528 #
7529 # 1. there is no record present when transforming a given value or
7530 # 1. the field is not present when transforming a given value,
7531 #
7532 # a default tweak will be used.
7533 #
7534 # Note that case (1) is expected when an `InfoTypeTransformation` is
7535 # applied to both structured and non-structured `ContentItem`s.
7536 # Currently, the referenced field may be of value type integer or string.
7537 #
7538 # The tweak is constructed as a sequence of bytes in big endian byte order
7539 # such that:
7540 #
7541 # - a 64 bit integer is encoded followed by a single byte of value 1
7542 # - a string is encoded in UTF-8 format followed by a single byte of value 2
7543 "name": "A String", # Name describing the field.
7544 },
7545 "surrogateInfoType": { # Type of information detected by the API. # The custom infoType to annotate the surrogate with.
7546 # This annotation will be applied to the surrogate by prefixing it with
7547 # the name of the custom infoType followed by the number of
7548 # characters comprising the surrogate. The following scheme defines the
7549 # format: info_type_name(surrogate_character_count):surrogate
7550 #
7551 # For example, if the name of custom infoType is 'MY_TOKEN_INFO_TYPE' and
7552 # the surrogate is 'abc', the full replacement value
7553 # will be: 'MY_TOKEN_INFO_TYPE(3):abc'
7554 #
7555 # This annotation identifies the surrogate when inspecting content using the
7556 # custom infoType
7557 # [`SurrogateType`](/dlp/docs/reference/rest/v2/InspectConfig#surrogatetype).
7558 # This facilitates reversal of the surrogate when it occurs in free text.
7559 #
7560 # In order for inspection to work properly, the name of this infoType must
7561 # not occur naturally anywhere in your data; otherwise, inspection may
7562 # find a surrogate that does not correspond to an actual identifier.
7563 # Therefore, choose your custom infoType name carefully after considering
7564 # what your data looks like. One way to select a name that has a high chance
7565 # of yielding reliable detection is to include one or more unicode characters
7566 # that are highly improbable to exist in your data.
7567 # For example, assuming your data is entered from a regular ASCII keyboard,
7568 # the symbol with the hex code point 29DD might be used like so:
7569 # ⧝MY_TOKEN_TYPE
7570 "name": "A String", # Name of the information type. Either a name of your choosing when
7571 # creating a CustomInfoType, or one of the names listed
7572 # at https://cloud.google.com/dlp/docs/infotypes-reference when specifying
7573 # a built-in type. InfoType names should conform to the pattern
7574 # [a-zA-Z0-9_]{1,64}.
7575 },
7576 },
7577 "replaceConfig": { # Replace each input value with a given `Value`.
7578 "newValue": { # Set of primitive values supported by the system. # Value to replace it with.
7579 # Note that for the purposes of inspection or transformation, the number
7580 # of bytes considered to comprise a 'Value' is based on its representation
7581 # as a UTF-8 encoded string. For example, if 'integer_value' is set to
7582 # 123456789, the number of bytes would be counted as 9, even though an
7583 # int64 only holds up to 8 bytes of data.
7584 "floatValue": 3.14,
7585 "timestampValue": "A String",
7586 "dayOfWeekValue": "A String",
7587 "timeValue": { # Represents a time of day. The date and time zone are either not significant
7588 # or are specified elsewhere. An API may choose to allow leap seconds. Related
7589 # types are google.type.Date and `google.protobuf.Timestamp`.
7590 "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
7591 # to allow the value "24:00:00" for scenarios like business closing time.
7592 "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
7593 "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
7594 # allow the value 60 if it allows leap-seconds.
7595 "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
7596 },
7597 "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
7598 # and time zone are either specified elsewhere or are not significant. The date
7599 # is relative to the Proleptic Gregorian Calendar. This can represent:
7600 #
7601 # * A full date, with non-zero year, month and day values
7602 # * A month and day value, with a zero year, e.g. an anniversary
7603 # * A year on its own, with zero month and day values
7604 # * A year and month value, with a zero day, e.g. a credit card expiration date
7605 #
7606 # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
7607 "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
7608 # a year.
7609 "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
7610 # if specifying a year by itself or a year and month where the day is not
7611 # significant.
7612 "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
7613 # month and day.
7614 },
7615 "stringValue": "A String",
7616 "booleanValue": True or False,
7617 "integerValue": "A String",
7618 },
7619 },
7620 },
7621 "infoTypes": [ # InfoTypes to apply the transformation to. An empty list will cause
7622 # this transformation to apply to all findings that correspond to
7623 # infoTypes that were requested in `InspectConfig`.
7624 { # Type of information detected by the API.
7625 "name": "A String", # Name of the information type. Either a name of your choosing when
7626 # creating a CustomInfoType, or one of the names listed
7627 # at https://cloud.google.com/dlp/docs/infotypes-reference when specifying
7628 # a built-in type. InfoType names should conform to the pattern
7629 # [a-zA-Z0-9_]{1,64}.
7630 },
7631 ],
7632 },
7633 ],
7634 },
7635 "primitiveTransformation": { # A rule for transforming a value. # Apply the transformation to the entire field.
7636 "characterMaskConfig": { # Partially mask a string by replacing a given number of characters with a
7637 # fixed character. Masking can start from the beginning or end of the string.
7638 # This can be used on data of any type (numbers, longs, and so on) and when
7639 # de-identifying structured data we'll attempt to preserve the original data's
7640 # type. (This allows you to take a long like 123 and modify it to a string like
7641 # **3.
7642 "charactersToIgnore": [ # When masking a string, items in this list will be skipped when replacing.
7643 # For example, if your string is 555-555-5555 and you ask us to skip `-` and
7644 # mask 5 chars with * we would produce ***-*55-5555.
7645 { # Characters to skip when doing deidentification of a value. These will be left
7646 # alone and skipped.
7647 "commonCharactersToIgnore": "A String",
7648 "charactersToSkip": "A String",
7649 },
7650 ],
7651 "numberToMask": 42, # Number of characters to mask. If not set, all matching chars will be
7652 # masked. Skipped characters do not count towards this tally.
7653 "maskingCharacter": "A String", # Character to mask the sensitive values&mdash;for example, "*" for an
7654 # alphabetic string such as name, or "0" for a numeric string such as ZIP
7655 # code or credit card number. String must have length 1. If not supplied, we
7656 # will default to "*" for strings, 0 for digits.
7657 "reverseOrder": True or False, # Mask characters in reverse order. For example, if `masking_character` is
7658 # '0', number_to_mask is 14, and `reverse_order` is false, then
7659 # 1234-5678-9012-3456 -> 00000000000000-3456
7660 # If `masking_character` is '*', `number_to_mask` is 3, and `reverse_order`
7661 # is true, then 12345 -> 12***
7662 },
7663 "redactConfig": { # Redact a given value. For example, if used with an `InfoTypeTransformation`
7664 # transforming PHONE_NUMBER, and input 'My phone number is 206-555-0123', the
7665 # output would be 'My phone number is '.
7666 },
7667 "cryptoDeterministicConfig": { # Pseudonymization method that generates deterministic encryption for the given
7668 # input. Outputs a base64 encoded representation of the encrypted output.
7669 # Uses AES-SIV based on the RFC https://tools.ietf.org/html/rfc5297.
7670 "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the encryption function.
7671 # a key encryption key (KEK) stored by KMS).
7672 # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
7673 # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
7674 # unwrap the data crypto key.
7675 "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS.
7676 # The wrapped key must be a 128/192/256 bit key.
7677 # Authorization requires the following IAM permissions when sending a request
7678 # to perform a crypto transformation using a kms-wrapped crypto key:
7679 # dlp.kms.encrypt
7680 "cryptoKeyName": "A String", # The resource name of the KMS CryptoKey to use for unwrapping. [required]
7681 "wrappedKey": "A String", # The wrapped data crypto key. [required]
7682 },
7683 "unwrapped": { # Using raw keys is prone to security risks due to accidentally
7684 # leaking the key. Choose another type of key if possible.
7685 "key": "A String", # A 128/192/256 bit key. [required]
7686 },
7687 "transient": { # Use this to have a random data crypto key generated.
7688 # It will be discarded after the request finishes.
7689 "name": "A String", # Name of the key. [required]
7690 # This is an arbitrary string used to differentiate different keys.
7691 # A unique key is generated per name: two separate `TransientCryptoKey`
7692 # protos share the same generated key if their names are the same.
7693 # When the data crypto key is generated, this name is not used in any way
7694 # (repeating the api call will result in a different key being generated).
7695 },
7696 },
7697 "context": { # General identifier of a data field in a storage service. # Optional. A context may be used for higher security and maintaining
7698 # referential integrity such that the same identifier in two different
7699 # contexts will be given a distinct surrogate. The context is appended to
7700 # plaintext value being encrypted. On decryption the provided context is
7701 # validated against the value used during encryption. If a context was
7702 # provided during encryption, same context must be provided during decryption
7703 # as well.
7704 #
7705 # If the context is not set, plaintext would be used as is for encryption.
7706 # If the context is set but:
7707 #
7708 # 1. there is no record present when transforming a given value or
7709 # 2. the field is not present when transforming a given value,
7710 #
7711 # plaintext would be used as is for encryption.
7712 #
7713 # Note that case (1) is expected when an `InfoTypeTransformation` is
7714 # applied to both structured and non-structured `ContentItem`s.
7715 "name": "A String", # Name describing the field.
7716 },
7717 "surrogateInfoType": { # Type of information detected by the API. # The custom info type to annotate the surrogate with.
7718 # This annotation will be applied to the surrogate by prefixing it with
7719 # the name of the custom info type followed by the number of
7720 # characters comprising the surrogate. The following scheme defines the
7721 # format: <info type name>(<surrogate character count>):<surrogate>
7722 #
7723 # For example, if the name of custom info type is 'MY_TOKEN_INFO_TYPE' and
7724 # the surrogate is 'abc', the full replacement value
7725 # will be: 'MY_TOKEN_INFO_TYPE(3):abc'
7726 #
7727 # This annotation identifies the surrogate when inspecting content using the
7728 # custom info type 'Surrogate'. This facilitates reversal of the
7729 # surrogate when it occurs in free text.
7730 #
7731 # In order for inspection to work properly, the name of this info type must
7732 # not occur naturally anywhere in your data; otherwise, inspection may either
7733 #
7734 # - reverse a surrogate that does not correspond to an actual identifier
7735 # - be unable to parse the surrogate and result in an error
7736 #
7737 # Therefore, choose your custom info type name carefully after considering
7738 # what your data looks like. One way to select a name that has a high chance
7739 # of yielding reliable detection is to include one or more unicode characters
7740 # that are highly improbable to exist in your data.
7741 # For example, assuming your data is entered from a regular ASCII keyboard,
7742 # the symbol with the hex code point 29DD might be used like so:
7743 # ⧝MY_TOKEN_TYPE
7744 "name": "A String", # Name of the information type. Either a name of your choosing when
7745 # creating a CustomInfoType, or one of the names listed
7746 # at https://cloud.google.com/dlp/docs/infotypes-reference when specifying
7747 # a built-in type. InfoType names should conform to the pattern
7748 # [a-zA-Z0-9_]{1,64}.
7749 },
7750 },
7751 "fixedSizeBucketingConfig": { # Buckets values based on fixed size ranges. The
7752 # Bucketing transformation can provide all of this functionality,
7753 # but requires more configuration. This message is provided as a convenience to
7754 # the user for simple bucketing strategies.
7755 #
7756 # The transformed value will be a hyphenated string of
7757 # <lower_bound>-<upper_bound>, i.e if lower_bound = 10 and upper_bound = 20
7758 # all values that are within this bucket will be replaced with "10-20".
7759 #
7760 # This can be used on data of type: double, long.
7761 #
7762 # If the bound Value type differs from the type of data
7763 # being transformed, we will first attempt converting the type of the data to
7764 # be transformed to match the type of the bound before comparing.
7765 #
7766 # See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more.
7767 "lowerBound": { # Set of primitive values supported by the system. # Lower bound value of buckets. All values less than `lower_bound` are
7768 # grouped together into a single bucket; for example if `lower_bound` = 10,
7769 # then all values less than 10 are replaced with the value “-10”. [Required].
7770 # Note that for the purposes of inspection or transformation, the number
7771 # of bytes considered to comprise a 'Value' is based on its representation
7772 # as a UTF-8 encoded string. For example, if 'integer_value' is set to
7773 # 123456789, the number of bytes would be counted as 9, even though an
7774 # int64 only holds up to 8 bytes of data.
7775 "floatValue": 3.14,
7776 "timestampValue": "A String",
7777 "dayOfWeekValue": "A String",
7778 "timeValue": { # Represents a time of day. The date and time zone are either not significant
7779 # or are specified elsewhere. An API may choose to allow leap seconds. Related
7780 # types are google.type.Date and `google.protobuf.Timestamp`.
7781 "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
7782 # to allow the value "24:00:00" for scenarios like business closing time.
7783 "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
7784 "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
7785 # allow the value 60 if it allows leap-seconds.
7786 "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
7787 },
7788 "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
7789 # and time zone are either specified elsewhere or are not significant. The date
7790 # is relative to the Proleptic Gregorian Calendar. This can represent:
7791 #
7792 # * A full date, with non-zero year, month and day values
7793 # * A month and day value, with a zero year, e.g. an anniversary
7794 # * A year on its own, with zero month and day values
7795 # * A year and month value, with a zero day, e.g. a credit card expiration date
7796 #
7797 # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
7798 "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
7799 # a year.
7800 "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
7801 # if specifying a year by itself or a year and month where the day is not
7802 # significant.
7803 "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
7804 # month and day.
7805 },
7806 "stringValue": "A String",
7807 "booleanValue": True or False,
7808 "integerValue": "A String",
7809 },
7810 "upperBound": { # Set of primitive values supported by the system. # Upper bound value of buckets. All values greater than upper_bound are
7811 # grouped together into a single bucket; for example if `upper_bound` = 89,
7812 # then all values greater than 89 are replaced with the value “89+”.
7813 # [Required].
7814 # Note that for the purposes of inspection or transformation, the number
7815 # of bytes considered to comprise a 'Value' is based on its representation
7816 # as a UTF-8 encoded string. For example, if 'integer_value' is set to
7817 # 123456789, the number of bytes would be counted as 9, even though an
7818 # int64 only holds up to 8 bytes of data.
7819 "floatValue": 3.14,
7820 "timestampValue": "A String",
7821 "dayOfWeekValue": "A String",
7822 "timeValue": { # Represents a time of day. The date and time zone are either not significant
7823 # or are specified elsewhere. An API may choose to allow leap seconds. Related
7824 # types are google.type.Date and `google.protobuf.Timestamp`.
7825 "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
7826 # to allow the value "24:00:00" for scenarios like business closing time.
7827 "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
7828 "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
7829 # allow the value 60 if it allows leap-seconds.
7830 "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
7831 },
7832 "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
7833 # and time zone are either specified elsewhere or are not significant. The date
7834 # is relative to the Proleptic Gregorian Calendar. This can represent:
7835 #
7836 # * A full date, with non-zero year, month and day values
7837 # * A month and day value, with a zero year, e.g. an anniversary
7838 # * A year on its own, with zero month and day values
7839 # * A year and month value, with a zero day, e.g. a credit card expiration date
7840 #
7841 # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
7842 "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
7843 # a year.
7844 "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
7845 # if specifying a year by itself or a year and month where the day is not
7846 # significant.
7847 "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
7848 # month and day.
7849 },
7850 "stringValue": "A String",
7851 "booleanValue": True or False,
7852 "integerValue": "A String",
7853 },
7854 "bucketSize": 3.14, # Size of each bucket (except for minimum and maximum buckets). So if
7855 # `lower_bound` = 10, `upper_bound` = 89, and `bucket_size` = 10, then the
7856 # following buckets would be used: -10, 10-20, 20-30, 30-40, 40-50, 50-60,
7857 # 60-70, 70-80, 80-89, 89+. Precision up to 2 decimals works. [Required].
7858 },
7859 "replaceWithInfoTypeConfig": { # Replace each matching finding with the name of the info_type.
7860 },
7861 "timePartConfig": { # For use with `Date`, `Timestamp`, and `TimeOfDay`, extract or preserve a
7862 # portion of the value.
7863 "partToExtract": "A String",
7864 },
7865 "cryptoHashConfig": { # Pseudonymization method that generates surrogates via cryptographic hashing.
7866 # Uses SHA-256.
7867 # The key size must be either 32 or 64 bytes.
7868 # Outputs a base64 encoded representation of the hashed output
7869 # (for example, L7k0BHmF1ha5U3NfGykjro4xWi1MPVQPjhMAZbSV9mM=).
7870 # Currently, only string and integer values can be hashed.
7871 # See https://cloud.google.com/dlp/docs/pseudonymization to learn more.
7872 "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the hash function.
7873 # a key encryption key (KEK) stored by KMS).
7874 # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
7875 # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
7876 # unwrap the data crypto key.
7877 "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS.
7878 # The wrapped key must be a 128/192/256 bit key.
7879 # Authorization requires the following IAM permissions when sending a request
7880 # to perform a crypto transformation using a kms-wrapped crypto key:
7881 # dlp.kms.encrypt
7882 "cryptoKeyName": "A String", # The resource name of the KMS CryptoKey to use for unwrapping. [required]
7883 "wrappedKey": "A String", # The wrapped data crypto key. [required]
7884 },
7885 "unwrapped": { # Using raw keys is prone to security risks due to accidentally
7886 # leaking the key. Choose another type of key if possible.
7887 "key": "A String", # A 128/192/256 bit key. [required]
7888 },
7889 "transient": { # Use this to have a random data crypto key generated.
7890 # It will be discarded after the request finishes.
7891 "name": "A String", # Name of the key. [required]
7892 # This is an arbitrary string used to differentiate different keys.
7893 # A unique key is generated per name: two separate `TransientCryptoKey`
7894 # protos share the same generated key if their names are the same.
7895 # When the data crypto key is generated, this name is not used in any way
7896 # (repeating the api call will result in a different key being generated).
7897 },
7898 },
7899 },
7900 "dateShiftConfig": { # Shifts dates by random number of days, with option to be consistent for the
7901 # same context. See https://cloud.google.com/dlp/docs/concepts-date-shifting
7902 # to learn more.
7903 "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # Causes the shift to be computed based on this key and the context. This
7904 # results in the same shift for the same context and crypto_key.
7905 # a key encryption key (KEK) stored by KMS).
7906 # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
7907 # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
7908 # unwrap the data crypto key.
7909 "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS.
7910 # The wrapped key must be a 128/192/256 bit key.
7911 # Authorization requires the following IAM permissions when sending a request
7912 # to perform a crypto transformation using a kms-wrapped crypto key:
7913 # dlp.kms.encrypt
7914 "cryptoKeyName": "A String", # The resource name of the KMS CryptoKey to use for unwrapping. [required]
7915 "wrappedKey": "A String", # The wrapped data crypto key. [required]
7916 },
7917 "unwrapped": { # Using raw keys is prone to security risks due to accidentally
7918 # leaking the key. Choose another type of key if possible.
7919 "key": "A String", # A 128/192/256 bit key. [required]
7920 },
7921 "transient": { # Use this to have a random data crypto key generated.
7922 # It will be discarded after the request finishes.
7923 "name": "A String", # Name of the key. [required]
7924 # This is an arbitrary string used to differentiate different keys.
7925 # A unique key is generated per name: two separate `TransientCryptoKey`
7926 # protos share the same generated key if their names are the same.
7927 # When the data crypto key is generated, this name is not used in any way
7928 # (repeating the api call will result in a different key being generated).
7929 },
7930 },
7931 "lowerBoundDays": 42, # For example, -5 means shift date to at most 5 days back in the past.
7932 # [Required]
7933 "upperBoundDays": 42, # Range of shift in days. Actual shift will be selected at random within this
7934 # range (inclusive ends). Negative means shift to earlier in time. Must not
7935 # be more than 365250 days (1000 years) each direction.
7936 #
7937 # For example, 3 means shift date to at most 3 days into the future.
7938 # [Required]
7939 "context": { # General identifier of a data field in a storage service. # Points to the field that contains the context, for example, an entity id.
7940 # If set, must also set method. If set, shift will be consistent for the
7941 # given context.
7942 "name": "A String", # Name describing the field.
7943 },
7944 },
7945 "bucketingConfig": { # Generalization function that buckets values based on ranges. The ranges and
7946 # replacement values are dynamically provided by the user for custom behavior,
7947 # such as 1-30 -> LOW 31-65 -> MEDIUM 66-100 -> HIGH
7948 # This can be used on
7949 # data of type: number, long, string, timestamp.
7950 # If the bound `Value` type differs from the type of data being transformed, we
7951 # will first attempt converting the type of the data to be transformed to match
7952 # the type of the bound before comparing.
7953 # See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more.
7954 "buckets": [ # Set of buckets. Ranges must be non-overlapping.
7955 { # Bucket is represented as a range, along with replacement values.
7956 "max": { # Set of primitive values supported by the system. # Upper bound of the range, exclusive; type must match min.
7957 # Note that for the purposes of inspection or transformation, the number
7958 # of bytes considered to comprise a 'Value' is based on its representation
7959 # as a UTF-8 encoded string. For example, if 'integer_value' is set to
7960 # 123456789, the number of bytes would be counted as 9, even though an
7961 # int64 only holds up to 8 bytes of data.
7962 "floatValue": 3.14,
7963 "timestampValue": "A String",
7964 "dayOfWeekValue": "A String",
7965 "timeValue": { # Represents a time of day. The date and time zone are either not significant
7966 # or are specified elsewhere. An API may choose to allow leap seconds. Related
7967 # types are google.type.Date and `google.protobuf.Timestamp`.
7968 "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
7969 # to allow the value "24:00:00" for scenarios like business closing time.
7970 "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
7971 "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
7972 # allow the value 60 if it allows leap-seconds.
7973 "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
7974 },
7975 "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
7976 # and time zone are either specified elsewhere or are not significant. The date
7977 # is relative to the Proleptic Gregorian Calendar. This can represent:
7978 #
7979 # * A full date, with non-zero year, month and day values
7980 # * A month and day value, with a zero year, e.g. an anniversary
7981 # * A year on its own, with zero month and day values
7982 # * A year and month value, with a zero day, e.g. a credit card expiration date
7983 #
7984 # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
7985 "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
7986 # a year.
7987 "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
7988 # if specifying a year by itself or a year and month where the day is not
7989 # significant.
7990 "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
7991 # month and day.
7992 },
7993 "stringValue": "A String",
7994 "booleanValue": True or False,
7995 "integerValue": "A String",
7996 },
7997 "replacementValue": { # Set of primitive values supported by the system. # Replacement value for this bucket. If not provided
7998 # the default behavior will be to hyphenate the min-max range.
7999 # Note that for the purposes of inspection or transformation, the number
8000 # of bytes considered to comprise a 'Value' is based on its representation
8001 # as a UTF-8 encoded string. For example, if 'integer_value' is set to
8002 # 123456789, the number of bytes would be counted as 9, even though an
8003 # int64 only holds up to 8 bytes of data.
8004 "floatValue": 3.14,
8005 "timestampValue": "A String",
8006 "dayOfWeekValue": "A String",
8007 "timeValue": { # Represents a time of day. The date and time zone are either not significant
8008 # or are specified elsewhere. An API may choose to allow leap seconds. Related
8009 # types are google.type.Date and `google.protobuf.Timestamp`.
8010 "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
8011 # to allow the value "24:00:00" for scenarios like business closing time.
8012 "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
8013 "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
8014 # allow the value 60 if it allows leap-seconds.
8015 "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
8016 },
8017 "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
8018 # and time zone are either specified elsewhere or are not significant. The date
8019 # is relative to the Proleptic Gregorian Calendar. This can represent:
8020 #
8021 # * A full date, with non-zero year, month and day values
8022 # * A month and day value, with a zero year, e.g. an anniversary
8023 # * A year on its own, with zero month and day values
8024 # * A year and month value, with a zero day, e.g. a credit card expiration date
8025 #
8026 # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
8027 "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
8028 # a year.
8029 "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
8030 # if specifying a year by itself or a year and month where the day is not
8031 # significant.
8032 "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
8033 # month and day.
8034 },
8035 "stringValue": "A String",
8036 "booleanValue": True or False,
8037 "integerValue": "A String",
8038 },
8039 "min": { # Set of primitive values supported by the system. # Lower bound of the range, inclusive. Type should be the same as max if
8040 # used.
8041 # Note that for the purposes of inspection or transformation, the number
8042 # of bytes considered to comprise a 'Value' is based on its representation
8043 # as a UTF-8 encoded string. For example, if 'integer_value' is set to
8044 # 123456789, the number of bytes would be counted as 9, even though an
8045 # int64 only holds up to 8 bytes of data.
8046 "floatValue": 3.14,
8047 "timestampValue": "A String",
8048 "dayOfWeekValue": "A String",
8049 "timeValue": { # Represents a time of day. The date and time zone are either not significant
8050 # or are specified elsewhere. An API may choose to allow leap seconds. Related
8051 # types are google.type.Date and `google.protobuf.Timestamp`.
8052 "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
8053 # to allow the value "24:00:00" for scenarios like business closing time.
8054 "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
8055 "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
8056 # allow the value 60 if it allows leap-seconds.
8057 "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
8058 },
8059 "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
8060 # and time zone are either specified elsewhere or are not significant. The date
8061 # is relative to the Proleptic Gregorian Calendar. This can represent:
8062 #
8063 # * A full date, with non-zero year, month and day values
8064 # * A month and day value, with a zero year, e.g. an anniversary
8065 # * A year on its own, with zero month and day values
8066 # * A year and month value, with a zero day, e.g. a credit card expiration date
8067 #
8068 # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
8069 "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
8070 # a year.
8071 "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
8072 # if specifying a year by itself or a year and month where the day is not
8073 # significant.
8074 "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
8075 # month and day.
8076 },
8077 "stringValue": "A String",
8078 "booleanValue": True or False,
8079 "integerValue": "A String",
8080 },
8081 },
8082 ],
8083 },
8084 "cryptoReplaceFfxFpeConfig": { # Replaces an identifier with a surrogate using Format Preserving Encryption
8085 # (FPE) with the FFX mode of operation; however when used in the
8086 # `ReidentifyContent` API method, it serves the opposite function by reversing
8087 # the surrogate back into the original identifier. The identifier must be
8088 # encoded as ASCII. For a given crypto key and context, the same identifier
8089 # will be replaced with the same surrogate. Identifiers must be at least two
8090 # characters long. In the case that the identifier is the empty string, it will
8091 # be skipped. See https://cloud.google.com/dlp/docs/pseudonymization to learn
8092 # more.
8093 #
8094 # Note: We recommend using CryptoDeterministicConfig for all use cases which
8095 # do not require preserving the input alphabet space and size, plus warrant
8096 # referential integrity.
8097 "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the encryption algorithm. [required]
8098 # a key encryption key (KEK) stored by KMS).
8099 # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
8100 # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
8101 # unwrap the data crypto key.
8102 "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS.
8103 # The wrapped key must be a 128/192/256 bit key.
8104 # Authorization requires the following IAM permissions when sending a request
8105 # to perform a crypto transformation using a kms-wrapped crypto key:
8106 # dlp.kms.encrypt
8107 "cryptoKeyName": "A String", # The resource name of the KMS CryptoKey to use for unwrapping. [required]
8108 "wrappedKey": "A String", # The wrapped data crypto key. [required]
8109 },
8110 "unwrapped": { # Using raw keys is prone to security risks due to accidentally
8111 # leaking the key. Choose another type of key if possible.
8112 "key": "A String", # A 128/192/256 bit key. [required]
8113 },
8114 "transient": { # Use this to have a random data crypto key generated.
8115 # It will be discarded after the request finishes.
8116 "name": "A String", # Name of the key. [required]
8117 # This is an arbitrary string used to differentiate different keys.
8118 # A unique key is generated per name: two separate `TransientCryptoKey`
8119 # protos share the same generated key if their names are the same.
8120 # When the data crypto key is generated, this name is not used in any way
8121 # (repeating the api call will result in a different key being generated).
8122 },
8123 },
8124 "radix": 42, # The native way to select the alphabet. Must be in the range [2, 62].
8125 "commonAlphabet": "A String",
8126 "customAlphabet": "A String", # This is supported by mapping these to the alphanumeric characters
8127 # that the FFX mode natively supports. This happens before/after
8128 # encryption/decryption.
8129 # Each character listed must appear only once.
8130 # Number of characters must be in the range [2, 62].
8131 # This must be encoded as ASCII.
8132 # The order of characters does not matter.
8133 "context": { # General identifier of a data field in a storage service. # The 'tweak', a context may be used for higher security since the same
8134 # identifier in two different contexts won't be given the same surrogate. If
8135 # the context is not set, a default tweak will be used.
8136 #
8137 # If the context is set but:
8138 #
8139 # 1. there is no record present when transforming a given value or
8140 # 1. the field is not present when transforming a given value,
8141 #
8142 # a default tweak will be used.
8143 #
8144 # Note that case (1) is expected when an `InfoTypeTransformation` is
8145 # applied to both structured and non-structured `ContentItem`s.
8146 # Currently, the referenced field may be of value type integer or string.
8147 #
8148 # The tweak is constructed as a sequence of bytes in big endian byte order
8149 # such that:
8150 #
8151 # - a 64 bit integer is encoded followed by a single byte of value 1
8152 # - a string is encoded in UTF-8 format followed by a single byte of value 2
8153 "name": "A String", # Name describing the field.
8154 },
8155 "surrogateInfoType": { # Type of information detected by the API. # The custom infoType to annotate the surrogate with.
8156 # This annotation will be applied to the surrogate by prefixing it with
8157 # the name of the custom infoType followed by the number of
8158 # characters comprising the surrogate. The following scheme defines the
8159 # format: info_type_name(surrogate_character_count):surrogate
8160 #
8161 # For example, if the name of custom infoType is 'MY_TOKEN_INFO_TYPE' and
8162 # the surrogate is 'abc', the full replacement value
8163 # will be: 'MY_TOKEN_INFO_TYPE(3):abc'
8164 #
8165 # This annotation identifies the surrogate when inspecting content using the
8166 # custom infoType
8167 # [`SurrogateType`](/dlp/docs/reference/rest/v2/InspectConfig#surrogatetype).
8168 # This facilitates reversal of the surrogate when it occurs in free text.
8169 #
8170 # In order for inspection to work properly, the name of this infoType must
8171 # not occur naturally anywhere in your data; otherwise, inspection may
8172 # find a surrogate that does not correspond to an actual identifier.
8173 # Therefore, choose your custom infoType name carefully after considering
8174 # what your data looks like. One way to select a name that has a high chance
8175 # of yielding reliable detection is to include one or more unicode characters
8176 # that are highly improbable to exist in your data.
8177 # For example, assuming your data is entered from a regular ASCII keyboard,
8178 # the symbol with the hex code point 29DD might be used like so:
8179 # ⧝MY_TOKEN_TYPE
8180 "name": "A String", # Name of the information type. Either a name of your choosing when
8181 # creating a CustomInfoType, or one of the names listed
8182 # at https://cloud.google.com/dlp/docs/infotypes-reference when specifying
8183 # a built-in type. InfoType names should conform to the pattern
8184 # [a-zA-Z0-9_]{1,64}.
8185 },
8186 },
8187 "replaceConfig": { # Replace each input value with a given `Value`.
8188 "newValue": { # Set of primitive values supported by the system. # Value to replace it with.
8189 # Note that for the purposes of inspection or transformation, the number
8190 # of bytes considered to comprise a 'Value' is based on its representation
8191 # as a UTF-8 encoded string. For example, if 'integer_value' is set to
8192 # 123456789, the number of bytes would be counted as 9, even though an
8193 # int64 only holds up to 8 bytes of data.
8194 "floatValue": 3.14,
8195 "timestampValue": "A String",
8196 "dayOfWeekValue": "A String",
8197 "timeValue": { # Represents a time of day. The date and time zone are either not significant
8198 # or are specified elsewhere. An API may choose to allow leap seconds. Related
8199 # types are google.type.Date and `google.protobuf.Timestamp`.
8200 "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
8201 # to allow the value "24:00:00" for scenarios like business closing time.
8202 "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
8203 "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
8204 # allow the value 60 if it allows leap-seconds.
8205 "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
8206 },
8207 "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
8208 # and time zone are either specified elsewhere or are not significant. The date
8209 # is relative to the Proleptic Gregorian Calendar. This can represent:
8210 #
8211 # * A full date, with non-zero year, month and day values
8212 # * A month and day value, with a zero year, e.g. an anniversary
8213 # * A year on its own, with zero month and day values
8214 # * A year and month value, with a zero day, e.g. a credit card expiration date
8215 #
8216 # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
8217 "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
8218 # a year.
8219 "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
8220 # if specifying a year by itself or a year and month where the day is not
8221 # significant.
8222 "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
8223 # month and day.
8224 },
8225 "stringValue": "A String",
8226 "booleanValue": True or False,
8227 "integerValue": "A String",
8228 },
8229 },
8230 },
8231 "condition": { # A condition for determining whether a transformation should be applied to # Only apply the transformation if the condition evaluates to true for the
8232 # given `RecordCondition`. The conditions are allowed to reference fields
8233 # that are not used in the actual transformation. [optional]
8234 #
8235 # Example Use Cases:
8236 #
8237 # - Apply a different bucket transformation to an age column if the zip code
8238 # column for the same record is within a specific range.
8239 # - Redact a field if the date of birth field is greater than 85.
8240 # a field.
8241 "expressions": { # An expression, consisting or an operator and conditions. # An expression.
8242 "conditions": { # A collection of conditions.
8243 "conditions": [
8244 { # The field type of `value` and `field` do not need to match to be
8245 # considered equal, but not all comparisons are possible.
8246 # EQUAL_TO and NOT_EQUAL_TO attempt to compare even with incompatible types,
8247 # but all other comparisons are invalid with incompatible types.
8248 # A `value` of type:
8249 #
8250 # - `string` can be compared against all other types
8251 # - `boolean` can only be compared against other booleans
8252 # - `integer` can be compared against doubles or a string if the string value
8253 # can be parsed as an integer.
8254 # - `double` can be compared against integers or a string if the string can
8255 # be parsed as a double.
8256 # - `Timestamp` can be compared against strings in RFC 3339 date string
8257 # format.
8258 # - `TimeOfDay` can be compared against timestamps and strings in the format
8259 # of 'HH:mm:ss'.
8260 #
8261 # If we fail to compare do to type mismatch, a warning will be given and
8262 # the condition will evaluate to false.
8263 "operator": "A String", # Operator used to compare the field or infoType to the value. [required]
8264 "field": { # General identifier of a data field in a storage service. # Field within the record this condition is evaluated against. [required]
8265 "name": "A String", # Name describing the field.
8266 },
8267 "value": { # Set of primitive values supported by the system. # Value to compare against. [Required, except for `EXISTS` tests.]
8268 # Note that for the purposes of inspection or transformation, the number
8269 # of bytes considered to comprise a 'Value' is based on its representation
8270 # as a UTF-8 encoded string. For example, if 'integer_value' is set to
8271 # 123456789, the number of bytes would be counted as 9, even though an
8272 # int64 only holds up to 8 bytes of data.
8273 "floatValue": 3.14,
8274 "timestampValue": "A String",
8275 "dayOfWeekValue": "A String",
8276 "timeValue": { # Represents a time of day. The date and time zone are either not significant
8277 # or are specified elsewhere. An API may choose to allow leap seconds. Related
8278 # types are google.type.Date and `google.protobuf.Timestamp`.
8279 "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
8280 # to allow the value "24:00:00" for scenarios like business closing time.
8281 "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
8282 "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
8283 # allow the value 60 if it allows leap-seconds.
8284 "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
8285 },
8286 "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
8287 # and time zone are either specified elsewhere or are not significant. The date
8288 # is relative to the Proleptic Gregorian Calendar. This can represent:
8289 #
8290 # * A full date, with non-zero year, month and day values
8291 # * A month and day value, with a zero year, e.g. an anniversary
8292 # * A year on its own, with zero month and day values
8293 # * A year and month value, with a zero day, e.g. a credit card expiration date
8294 #
8295 # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
8296 "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
8297 # a year.
8298 "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
8299 # if specifying a year by itself or a year and month where the day is not
8300 # significant.
8301 "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
8302 # month and day.
8303 },
8304 "stringValue": "A String",
8305 "booleanValue": True or False,
8306 "integerValue": "A String",
8307 },
8308 },
8309 ],
8310 },
8311 "logicalOperator": "A String", # The operator to apply to the result of conditions. Default and currently
8312 # only supported value is `AND`.
8313 },
8314 },
8315 "fields": [ # Input field(s) to apply the transformation to. [required]
8316 { # General identifier of a data field in a storage service.
8317 "name": "A String", # Name describing the field.
8318 },
8319 ],
8320 },
8321 ],
8322 },
8323 },
8324 "createTime": "A String", # The creation timestamp of a inspectTemplate, output only field.
8325 "name": "A String", # The template name. Output only.
8326 #
8327 # The template will have one of the following formats:
8328 # `projects/PROJECT_ID/deidentifyTemplates/TEMPLATE_ID` OR
8329 # `organizations/ORGANIZATION_ID/deidentifyTemplates/TEMPLATE_ID`
8330 },
8331 ],
8332 }</pre>
8333</div>
8334
8335<div class="method">
8336 <code class="details" id="list_next">list_next(previous_request, previous_response)</code>
8337 <pre>Retrieves the next page of results.
8338
8339Args:
8340 previous_request: The request for the previous page. (required)
8341 previous_response: The response from the request for the previous page. (required)
8342
8343Returns:
8344 A request object that you can call 'execute()' on to request the next
8345 page. Returns None if there are no more items in the collection.
8346 </pre>
8347</div>
8348
8349<div class="method">
8350 <code class="details" id="patch">patch(name, body, x__xgafv=None)</code>
8351 <pre>Updates the DeidentifyTemplate.
8352See https://cloud.google.com/dlp/docs/creating-templates-deid to learn
8353more.
8354
8355Args:
8356 name: string, Resource name of organization and deidentify template to be updated, for
8357example `organizations/433245324/deidentifyTemplates/432452342` or
8358projects/project-id/deidentifyTemplates/432452342. (required)
8359 body: object, The request body. (required)
8360 The object takes the form of:
8361
8362{ # Request message for UpdateDeidentifyTemplate.
8363 "deidentifyTemplate": { # The DeidentifyTemplates contains instructions on how to deidentify content. # New DeidentifyTemplate value.
8364 # See https://cloud.google.com/dlp/docs/concepts-templates to learn more.
8365 "updateTime": "A String", # The last update timestamp of a inspectTemplate, output only field.
8366 "displayName": "A String", # Display name (max 256 chars).
8367 "description": "A String", # Short description (max 256 chars).
8368 "deidentifyConfig": { # The configuration that controls how the data will change. # ///////////// // The core content of the template // ///////////////
8369 "infoTypeTransformations": { # A type of transformation that will scan unstructured text and # Treat the dataset as free-form text and apply the same free text
8370 # transformation everywhere.
8371 # apply various `PrimitiveTransformation`s to each finding, where the
8372 # transformation is applied to only values that were identified as a specific
8373 # info_type.
8374 "transformations": [ # Transformation for each infoType. Cannot specify more than one
8375 # for a given infoType. [required]
8376 { # A transformation to apply to text that is identified as a specific
8377 # info_type.
8378 "primitiveTransformation": { # A rule for transforming a value. # Primitive transformation to apply to the infoType. [required]
8379 "characterMaskConfig": { # Partially mask a string by replacing a given number of characters with a
8380 # fixed character. Masking can start from the beginning or end of the string.
8381 # This can be used on data of any type (numbers, longs, and so on) and when
8382 # de-identifying structured data we'll attempt to preserve the original data's
8383 # type. (This allows you to take a long like 123 and modify it to a string like
8384 # **3.
8385 "charactersToIgnore": [ # When masking a string, items in this list will be skipped when replacing.
8386 # For example, if your string is 555-555-5555 and you ask us to skip `-` and
8387 # mask 5 chars with * we would produce ***-*55-5555.
8388 { # Characters to skip when doing deidentification of a value. These will be left
8389 # alone and skipped.
8390 "commonCharactersToIgnore": "A String",
8391 "charactersToSkip": "A String",
8392 },
8393 ],
8394 "numberToMask": 42, # Number of characters to mask. If not set, all matching chars will be
8395 # masked. Skipped characters do not count towards this tally.
8396 "maskingCharacter": "A String", # Character to mask the sensitive values&mdash;for example, "*" for an
8397 # alphabetic string such as name, or "0" for a numeric string such as ZIP
8398 # code or credit card number. String must have length 1. If not supplied, we
8399 # will default to "*" for strings, 0 for digits.
8400 "reverseOrder": True or False, # Mask characters in reverse order. For example, if `masking_character` is
8401 # '0', number_to_mask is 14, and `reverse_order` is false, then
8402 # 1234-5678-9012-3456 -> 00000000000000-3456
8403 # If `masking_character` is '*', `number_to_mask` is 3, and `reverse_order`
8404 # is true, then 12345 -> 12***
8405 },
8406 "redactConfig": { # Redact a given value. For example, if used with an `InfoTypeTransformation`
8407 # transforming PHONE_NUMBER, and input 'My phone number is 206-555-0123', the
8408 # output would be 'My phone number is '.
8409 },
8410 "cryptoDeterministicConfig": { # Pseudonymization method that generates deterministic encryption for the given
8411 # input. Outputs a base64 encoded representation of the encrypted output.
8412 # Uses AES-SIV based on the RFC https://tools.ietf.org/html/rfc5297.
8413 "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the encryption function.
8414 # a key encryption key (KEK) stored by KMS).
8415 # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
8416 # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
8417 # unwrap the data crypto key.
8418 "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS.
8419 # The wrapped key must be a 128/192/256 bit key.
8420 # Authorization requires the following IAM permissions when sending a request
8421 # to perform a crypto transformation using a kms-wrapped crypto key:
8422 # dlp.kms.encrypt
8423 "cryptoKeyName": "A String", # The resource name of the KMS CryptoKey to use for unwrapping. [required]
8424 "wrappedKey": "A String", # The wrapped data crypto key. [required]
8425 },
8426 "unwrapped": { # Using raw keys is prone to security risks due to accidentally
8427 # leaking the key. Choose another type of key if possible.
8428 "key": "A String", # A 128/192/256 bit key. [required]
8429 },
8430 "transient": { # Use this to have a random data crypto key generated.
8431 # It will be discarded after the request finishes.
8432 "name": "A String", # Name of the key. [required]
8433 # This is an arbitrary string used to differentiate different keys.
8434 # A unique key is generated per name: two separate `TransientCryptoKey`
8435 # protos share the same generated key if their names are the same.
8436 # When the data crypto key is generated, this name is not used in any way
8437 # (repeating the api call will result in a different key being generated).
8438 },
8439 },
8440 "context": { # General identifier of a data field in a storage service. # Optional. A context may be used for higher security and maintaining
8441 # referential integrity such that the same identifier in two different
8442 # contexts will be given a distinct surrogate. The context is appended to
8443 # plaintext value being encrypted. On decryption the provided context is
8444 # validated against the value used during encryption. If a context was
8445 # provided during encryption, same context must be provided during decryption
8446 # as well.
8447 #
8448 # If the context is not set, plaintext would be used as is for encryption.
8449 # If the context is set but:
8450 #
8451 # 1. there is no record present when transforming a given value or
8452 # 2. the field is not present when transforming a given value,
8453 #
8454 # plaintext would be used as is for encryption.
8455 #
8456 # Note that case (1) is expected when an `InfoTypeTransformation` is
8457 # applied to both structured and non-structured `ContentItem`s.
8458 "name": "A String", # Name describing the field.
8459 },
8460 "surrogateInfoType": { # Type of information detected by the API. # The custom info type to annotate the surrogate with.
8461 # This annotation will be applied to the surrogate by prefixing it with
8462 # the name of the custom info type followed by the number of
8463 # characters comprising the surrogate. The following scheme defines the
8464 # format: <info type name>(<surrogate character count>):<surrogate>
8465 #
8466 # For example, if the name of custom info type is 'MY_TOKEN_INFO_TYPE' and
8467 # the surrogate is 'abc', the full replacement value
8468 # will be: 'MY_TOKEN_INFO_TYPE(3):abc'
8469 #
8470 # This annotation identifies the surrogate when inspecting content using the
8471 # custom info type 'Surrogate'. This facilitates reversal of the
8472 # surrogate when it occurs in free text.
8473 #
8474 # In order for inspection to work properly, the name of this info type must
8475 # not occur naturally anywhere in your data; otherwise, inspection may either
8476 #
8477 # - reverse a surrogate that does not correspond to an actual identifier
8478 # - be unable to parse the surrogate and result in an error
8479 #
8480 # Therefore, choose your custom info type name carefully after considering
8481 # what your data looks like. One way to select a name that has a high chance
8482 # of yielding reliable detection is to include one or more unicode characters
8483 # that are highly improbable to exist in your data.
8484 # For example, assuming your data is entered from a regular ASCII keyboard,
8485 # the symbol with the hex code point 29DD might be used like so:
8486 # ⧝MY_TOKEN_TYPE
8487 "name": "A String", # Name of the information type. Either a name of your choosing when
8488 # creating a CustomInfoType, or one of the names listed
8489 # at https://cloud.google.com/dlp/docs/infotypes-reference when specifying
8490 # a built-in type. InfoType names should conform to the pattern
8491 # [a-zA-Z0-9_]{1,64}.
8492 },
8493 },
8494 "fixedSizeBucketingConfig": { # Buckets values based on fixed size ranges. The
8495 # Bucketing transformation can provide all of this functionality,
8496 # but requires more configuration. This message is provided as a convenience to
8497 # the user for simple bucketing strategies.
8498 #
8499 # The transformed value will be a hyphenated string of
8500 # <lower_bound>-<upper_bound>, i.e if lower_bound = 10 and upper_bound = 20
8501 # all values that are within this bucket will be replaced with "10-20".
8502 #
8503 # This can be used on data of type: double, long.
8504 #
8505 # If the bound Value type differs from the type of data
8506 # being transformed, we will first attempt converting the type of the data to
8507 # be transformed to match the type of the bound before comparing.
8508 #
8509 # See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more.
8510 "lowerBound": { # Set of primitive values supported by the system. # Lower bound value of buckets. All values less than `lower_bound` are
8511 # grouped together into a single bucket; for example if `lower_bound` = 10,
8512 # then all values less than 10 are replaced with the value “-10”. [Required].
8513 # Note that for the purposes of inspection or transformation, the number
8514 # of bytes considered to comprise a 'Value' is based on its representation
8515 # as a UTF-8 encoded string. For example, if 'integer_value' is set to
8516 # 123456789, the number of bytes would be counted as 9, even though an
8517 # int64 only holds up to 8 bytes of data.
8518 "floatValue": 3.14,
8519 "timestampValue": "A String",
8520 "dayOfWeekValue": "A String",
8521 "timeValue": { # Represents a time of day. The date and time zone are either not significant
8522 # or are specified elsewhere. An API may choose to allow leap seconds. Related
8523 # types are google.type.Date and `google.protobuf.Timestamp`.
8524 "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
8525 # to allow the value "24:00:00" for scenarios like business closing time.
8526 "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
8527 "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
8528 # allow the value 60 if it allows leap-seconds.
8529 "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
8530 },
8531 "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
8532 # and time zone are either specified elsewhere or are not significant. The date
8533 # is relative to the Proleptic Gregorian Calendar. This can represent:
8534 #
8535 # * A full date, with non-zero year, month and day values
8536 # * A month and day value, with a zero year, e.g. an anniversary
8537 # * A year on its own, with zero month and day values
8538 # * A year and month value, with a zero day, e.g. a credit card expiration date
8539 #
8540 # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
8541 "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
8542 # a year.
8543 "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
8544 # if specifying a year by itself or a year and month where the day is not
8545 # significant.
8546 "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
8547 # month and day.
8548 },
8549 "stringValue": "A String",
8550 "booleanValue": True or False,
8551 "integerValue": "A String",
8552 },
8553 "upperBound": { # Set of primitive values supported by the system. # Upper bound value of buckets. All values greater than upper_bound are
8554 # grouped together into a single bucket; for example if `upper_bound` = 89,
8555 # then all values greater than 89 are replaced with the value “89+”.
8556 # [Required].
8557 # Note that for the purposes of inspection or transformation, the number
8558 # of bytes considered to comprise a 'Value' is based on its representation
8559 # as a UTF-8 encoded string. For example, if 'integer_value' is set to
8560 # 123456789, the number of bytes would be counted as 9, even though an
8561 # int64 only holds up to 8 bytes of data.
8562 "floatValue": 3.14,
8563 "timestampValue": "A String",
8564 "dayOfWeekValue": "A String",
8565 "timeValue": { # Represents a time of day. The date and time zone are either not significant
8566 # or are specified elsewhere. An API may choose to allow leap seconds. Related
8567 # types are google.type.Date and `google.protobuf.Timestamp`.
8568 "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
8569 # to allow the value "24:00:00" for scenarios like business closing time.
8570 "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
8571 "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
8572 # allow the value 60 if it allows leap-seconds.
8573 "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
8574 },
8575 "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
8576 # and time zone are either specified elsewhere or are not significant. The date
8577 # is relative to the Proleptic Gregorian Calendar. This can represent:
8578 #
8579 # * A full date, with non-zero year, month and day values
8580 # * A month and day value, with a zero year, e.g. an anniversary
8581 # * A year on its own, with zero month and day values
8582 # * A year and month value, with a zero day, e.g. a credit card expiration date
8583 #
8584 # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
8585 "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
8586 # a year.
8587 "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
8588 # if specifying a year by itself or a year and month where the day is not
8589 # significant.
8590 "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
8591 # month and day.
8592 },
8593 "stringValue": "A String",
8594 "booleanValue": True or False,
8595 "integerValue": "A String",
8596 },
8597 "bucketSize": 3.14, # Size of each bucket (except for minimum and maximum buckets). So if
8598 # `lower_bound` = 10, `upper_bound` = 89, and `bucket_size` = 10, then the
8599 # following buckets would be used: -10, 10-20, 20-30, 30-40, 40-50, 50-60,
8600 # 60-70, 70-80, 80-89, 89+. Precision up to 2 decimals works. [Required].
8601 },
8602 "replaceWithInfoTypeConfig": { # Replace each matching finding with the name of the info_type.
8603 },
8604 "timePartConfig": { # For use with `Date`, `Timestamp`, and `TimeOfDay`, extract or preserve a
8605 # portion of the value.
8606 "partToExtract": "A String",
8607 },
8608 "cryptoHashConfig": { # Pseudonymization method that generates surrogates via cryptographic hashing.
8609 # Uses SHA-256.
8610 # The key size must be either 32 or 64 bytes.
8611 # Outputs a base64 encoded representation of the hashed output
8612 # (for example, L7k0BHmF1ha5U3NfGykjro4xWi1MPVQPjhMAZbSV9mM=).
8613 # Currently, only string and integer values can be hashed.
8614 # See https://cloud.google.com/dlp/docs/pseudonymization to learn more.
8615 "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the hash function.
8616 # a key encryption key (KEK) stored by KMS).
8617 # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
8618 # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
8619 # unwrap the data crypto key.
8620 "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS.
8621 # The wrapped key must be a 128/192/256 bit key.
8622 # Authorization requires the following IAM permissions when sending a request
8623 # to perform a crypto transformation using a kms-wrapped crypto key:
8624 # dlp.kms.encrypt
8625 "cryptoKeyName": "A String", # The resource name of the KMS CryptoKey to use for unwrapping. [required]
8626 "wrappedKey": "A String", # The wrapped data crypto key. [required]
8627 },
8628 "unwrapped": { # Using raw keys is prone to security risks due to accidentally
8629 # leaking the key. Choose another type of key if possible.
8630 "key": "A String", # A 128/192/256 bit key. [required]
8631 },
8632 "transient": { # Use this to have a random data crypto key generated.
8633 # It will be discarded after the request finishes.
8634 "name": "A String", # Name of the key. [required]
8635 # This is an arbitrary string used to differentiate different keys.
8636 # A unique key is generated per name: two separate `TransientCryptoKey`
8637 # protos share the same generated key if their names are the same.
8638 # When the data crypto key is generated, this name is not used in any way
8639 # (repeating the api call will result in a different key being generated).
8640 },
8641 },
8642 },
8643 "dateShiftConfig": { # Shifts dates by random number of days, with option to be consistent for the
8644 # same context. See https://cloud.google.com/dlp/docs/concepts-date-shifting
8645 # to learn more.
8646 "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # Causes the shift to be computed based on this key and the context. This
8647 # results in the same shift for the same context and crypto_key.
8648 # a key encryption key (KEK) stored by KMS).
8649 # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
8650 # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
8651 # unwrap the data crypto key.
8652 "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS.
8653 # The wrapped key must be a 128/192/256 bit key.
8654 # Authorization requires the following IAM permissions when sending a request
8655 # to perform a crypto transformation using a kms-wrapped crypto key:
8656 # dlp.kms.encrypt
8657 "cryptoKeyName": "A String", # The resource name of the KMS CryptoKey to use for unwrapping. [required]
8658 "wrappedKey": "A String", # The wrapped data crypto key. [required]
8659 },
8660 "unwrapped": { # Using raw keys is prone to security risks due to accidentally
8661 # leaking the key. Choose another type of key if possible.
8662 "key": "A String", # A 128/192/256 bit key. [required]
8663 },
8664 "transient": { # Use this to have a random data crypto key generated.
8665 # It will be discarded after the request finishes.
8666 "name": "A String", # Name of the key. [required]
8667 # This is an arbitrary string used to differentiate different keys.
8668 # A unique key is generated per name: two separate `TransientCryptoKey`
8669 # protos share the same generated key if their names are the same.
8670 # When the data crypto key is generated, this name is not used in any way
8671 # (repeating the api call will result in a different key being generated).
8672 },
8673 },
8674 "lowerBoundDays": 42, # For example, -5 means shift date to at most 5 days back in the past.
8675 # [Required]
8676 "upperBoundDays": 42, # Range of shift in days. Actual shift will be selected at random within this
8677 # range (inclusive ends). Negative means shift to earlier in time. Must not
8678 # be more than 365250 days (1000 years) each direction.
8679 #
8680 # For example, 3 means shift date to at most 3 days into the future.
8681 # [Required]
8682 "context": { # General identifier of a data field in a storage service. # Points to the field that contains the context, for example, an entity id.
8683 # If set, must also set method. If set, shift will be consistent for the
8684 # given context.
8685 "name": "A String", # Name describing the field.
8686 },
8687 },
8688 "bucketingConfig": { # Generalization function that buckets values based on ranges. The ranges and
8689 # replacement values are dynamically provided by the user for custom behavior,
8690 # such as 1-30 -> LOW 31-65 -> MEDIUM 66-100 -> HIGH
8691 # This can be used on
8692 # data of type: number, long, string, timestamp.
8693 # If the bound `Value` type differs from the type of data being transformed, we
8694 # will first attempt converting the type of the data to be transformed to match
8695 # the type of the bound before comparing.
8696 # See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more.
8697 "buckets": [ # Set of buckets. Ranges must be non-overlapping.
8698 { # Bucket is represented as a range, along with replacement values.
8699 "max": { # Set of primitive values supported by the system. # Upper bound of the range, exclusive; type must match min.
8700 # Note that for the purposes of inspection or transformation, the number
8701 # of bytes considered to comprise a 'Value' is based on its representation
8702 # as a UTF-8 encoded string. For example, if 'integer_value' is set to
8703 # 123456789, the number of bytes would be counted as 9, even though an
8704 # int64 only holds up to 8 bytes of data.
8705 "floatValue": 3.14,
8706 "timestampValue": "A String",
8707 "dayOfWeekValue": "A String",
8708 "timeValue": { # Represents a time of day. The date and time zone are either not significant
8709 # or are specified elsewhere. An API may choose to allow leap seconds. Related
8710 # types are google.type.Date and `google.protobuf.Timestamp`.
8711 "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
8712 # to allow the value "24:00:00" for scenarios like business closing time.
8713 "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
8714 "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
8715 # allow the value 60 if it allows leap-seconds.
8716 "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
8717 },
8718 "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
8719 # and time zone are either specified elsewhere or are not significant. The date
8720 # is relative to the Proleptic Gregorian Calendar. This can represent:
8721 #
8722 # * A full date, with non-zero year, month and day values
8723 # * A month and day value, with a zero year, e.g. an anniversary
8724 # * A year on its own, with zero month and day values
8725 # * A year and month value, with a zero day, e.g. a credit card expiration date
8726 #
8727 # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
8728 "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
8729 # a year.
8730 "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
8731 # if specifying a year by itself or a year and month where the day is not
8732 # significant.
8733 "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
8734 # month and day.
8735 },
8736 "stringValue": "A String",
8737 "booleanValue": True or False,
8738 "integerValue": "A String",
8739 },
8740 "replacementValue": { # Set of primitive values supported by the system. # Replacement value for this bucket. If not provided
8741 # the default behavior will be to hyphenate the min-max range.
8742 # Note that for the purposes of inspection or transformation, the number
8743 # of bytes considered to comprise a 'Value' is based on its representation
8744 # as a UTF-8 encoded string. For example, if 'integer_value' is set to
8745 # 123456789, the number of bytes would be counted as 9, even though an
8746 # int64 only holds up to 8 bytes of data.
8747 "floatValue": 3.14,
8748 "timestampValue": "A String",
8749 "dayOfWeekValue": "A String",
8750 "timeValue": { # Represents a time of day. The date and time zone are either not significant
8751 # or are specified elsewhere. An API may choose to allow leap seconds. Related
8752 # types are google.type.Date and `google.protobuf.Timestamp`.
8753 "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
8754 # to allow the value "24:00:00" for scenarios like business closing time.
8755 "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
8756 "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
8757 # allow the value 60 if it allows leap-seconds.
8758 "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
8759 },
8760 "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
8761 # and time zone are either specified elsewhere or are not significant. The date
8762 # is relative to the Proleptic Gregorian Calendar. This can represent:
8763 #
8764 # * A full date, with non-zero year, month and day values
8765 # * A month and day value, with a zero year, e.g. an anniversary
8766 # * A year on its own, with zero month and day values
8767 # * A year and month value, with a zero day, e.g. a credit card expiration date
8768 #
8769 # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
8770 "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
8771 # a year.
8772 "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
8773 # if specifying a year by itself or a year and month where the day is not
8774 # significant.
8775 "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
8776 # month and day.
8777 },
8778 "stringValue": "A String",
8779 "booleanValue": True or False,
8780 "integerValue": "A String",
8781 },
8782 "min": { # Set of primitive values supported by the system. # Lower bound of the range, inclusive. Type should be the same as max if
8783 # used.
8784 # Note that for the purposes of inspection or transformation, the number
8785 # of bytes considered to comprise a 'Value' is based on its representation
8786 # as a UTF-8 encoded string. For example, if 'integer_value' is set to
8787 # 123456789, the number of bytes would be counted as 9, even though an
8788 # int64 only holds up to 8 bytes of data.
8789 "floatValue": 3.14,
8790 "timestampValue": "A String",
8791 "dayOfWeekValue": "A String",
8792 "timeValue": { # Represents a time of day. The date and time zone are either not significant
8793 # or are specified elsewhere. An API may choose to allow leap seconds. Related
8794 # types are google.type.Date and `google.protobuf.Timestamp`.
8795 "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
8796 # to allow the value "24:00:00" for scenarios like business closing time.
8797 "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
8798 "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
8799 # allow the value 60 if it allows leap-seconds.
8800 "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
8801 },
8802 "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
8803 # and time zone are either specified elsewhere or are not significant. The date
8804 # is relative to the Proleptic Gregorian Calendar. This can represent:
8805 #
8806 # * A full date, with non-zero year, month and day values
8807 # * A month and day value, with a zero year, e.g. an anniversary
8808 # * A year on its own, with zero month and day values
8809 # * A year and month value, with a zero day, e.g. a credit card expiration date
8810 #
8811 # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
8812 "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
8813 # a year.
8814 "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
8815 # if specifying a year by itself or a year and month where the day is not
8816 # significant.
8817 "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
8818 # month and day.
8819 },
8820 "stringValue": "A String",
8821 "booleanValue": True or False,
8822 "integerValue": "A String",
8823 },
8824 },
8825 ],
8826 },
8827 "cryptoReplaceFfxFpeConfig": { # Replaces an identifier with a surrogate using Format Preserving Encryption
8828 # (FPE) with the FFX mode of operation; however when used in the
8829 # `ReidentifyContent` API method, it serves the opposite function by reversing
8830 # the surrogate back into the original identifier. The identifier must be
8831 # encoded as ASCII. For a given crypto key and context, the same identifier
8832 # will be replaced with the same surrogate. Identifiers must be at least two
8833 # characters long. In the case that the identifier is the empty string, it will
8834 # be skipped. See https://cloud.google.com/dlp/docs/pseudonymization to learn
8835 # more.
8836 #
8837 # Note: We recommend using CryptoDeterministicConfig for all use cases which
8838 # do not require preserving the input alphabet space and size, plus warrant
8839 # referential integrity.
8840 "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the encryption algorithm. [required]
8841 # a key encryption key (KEK) stored by KMS).
8842 # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
8843 # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
8844 # unwrap the data crypto key.
8845 "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS.
8846 # The wrapped key must be a 128/192/256 bit key.
8847 # Authorization requires the following IAM permissions when sending a request
8848 # to perform a crypto transformation using a kms-wrapped crypto key:
8849 # dlp.kms.encrypt
8850 "cryptoKeyName": "A String", # The resource name of the KMS CryptoKey to use for unwrapping. [required]
8851 "wrappedKey": "A String", # The wrapped data crypto key. [required]
8852 },
8853 "unwrapped": { # Using raw keys is prone to security risks due to accidentally
8854 # leaking the key. Choose another type of key if possible.
8855 "key": "A String", # A 128/192/256 bit key. [required]
8856 },
8857 "transient": { # Use this to have a random data crypto key generated.
8858 # It will be discarded after the request finishes.
8859 "name": "A String", # Name of the key. [required]
8860 # This is an arbitrary string used to differentiate different keys.
8861 # A unique key is generated per name: two separate `TransientCryptoKey`
8862 # protos share the same generated key if their names are the same.
8863 # When the data crypto key is generated, this name is not used in any way
8864 # (repeating the api call will result in a different key being generated).
8865 },
8866 },
8867 "radix": 42, # The native way to select the alphabet. Must be in the range [2, 62].
8868 "commonAlphabet": "A String",
8869 "customAlphabet": "A String", # This is supported by mapping these to the alphanumeric characters
8870 # that the FFX mode natively supports. This happens before/after
8871 # encryption/decryption.
8872 # Each character listed must appear only once.
8873 # Number of characters must be in the range [2, 62].
8874 # This must be encoded as ASCII.
8875 # The order of characters does not matter.
8876 "context": { # General identifier of a data field in a storage service. # The 'tweak', a context may be used for higher security since the same
8877 # identifier in two different contexts won't be given the same surrogate. If
8878 # the context is not set, a default tweak will be used.
8879 #
8880 # If the context is set but:
8881 #
8882 # 1. there is no record present when transforming a given value or
8883 # 1. the field is not present when transforming a given value,
8884 #
8885 # a default tweak will be used.
8886 #
8887 # Note that case (1) is expected when an `InfoTypeTransformation` is
8888 # applied to both structured and non-structured `ContentItem`s.
8889 # Currently, the referenced field may be of value type integer or string.
8890 #
8891 # The tweak is constructed as a sequence of bytes in big endian byte order
8892 # such that:
8893 #
8894 # - a 64 bit integer is encoded followed by a single byte of value 1
8895 # - a string is encoded in UTF-8 format followed by a single byte of value 2
8896 "name": "A String", # Name describing the field.
8897 },
8898 "surrogateInfoType": { # Type of information detected by the API. # The custom infoType to annotate the surrogate with.
8899 # This annotation will be applied to the surrogate by prefixing it with
8900 # the name of the custom infoType followed by the number of
8901 # characters comprising the surrogate. The following scheme defines the
8902 # format: info_type_name(surrogate_character_count):surrogate
8903 #
8904 # For example, if the name of custom infoType is 'MY_TOKEN_INFO_TYPE' and
8905 # the surrogate is 'abc', the full replacement value
8906 # will be: 'MY_TOKEN_INFO_TYPE(3):abc'
8907 #
8908 # This annotation identifies the surrogate when inspecting content using the
8909 # custom infoType
8910 # [`SurrogateType`](/dlp/docs/reference/rest/v2/InspectConfig#surrogatetype).
8911 # This facilitates reversal of the surrogate when it occurs in free text.
8912 #
8913 # In order for inspection to work properly, the name of this infoType must
8914 # not occur naturally anywhere in your data; otherwise, inspection may
8915 # find a surrogate that does not correspond to an actual identifier.
8916 # Therefore, choose your custom infoType name carefully after considering
8917 # what your data looks like. One way to select a name that has a high chance
8918 # of yielding reliable detection is to include one or more unicode characters
8919 # that are highly improbable to exist in your data.
8920 # For example, assuming your data is entered from a regular ASCII keyboard,
8921 # the symbol with the hex code point 29DD might be used like so:
8922 # ⧝MY_TOKEN_TYPE
8923 "name": "A String", # Name of the information type. Either a name of your choosing when
8924 # creating a CustomInfoType, or one of the names listed
8925 # at https://cloud.google.com/dlp/docs/infotypes-reference when specifying
8926 # a built-in type. InfoType names should conform to the pattern
8927 # [a-zA-Z0-9_]{1,64}.
8928 },
8929 },
8930 "replaceConfig": { # Replace each input value with a given `Value`.
8931 "newValue": { # Set of primitive values supported by the system. # Value to replace it with.
8932 # Note that for the purposes of inspection or transformation, the number
8933 # of bytes considered to comprise a 'Value' is based on its representation
8934 # as a UTF-8 encoded string. For example, if 'integer_value' is set to
8935 # 123456789, the number of bytes would be counted as 9, even though an
8936 # int64 only holds up to 8 bytes of data.
8937 "floatValue": 3.14,
8938 "timestampValue": "A String",
8939 "dayOfWeekValue": "A String",
8940 "timeValue": { # Represents a time of day. The date and time zone are either not significant
8941 # or are specified elsewhere. An API may choose to allow leap seconds. Related
8942 # types are google.type.Date and `google.protobuf.Timestamp`.
8943 "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
8944 # to allow the value "24:00:00" for scenarios like business closing time.
8945 "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
8946 "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
8947 # allow the value 60 if it allows leap-seconds.
8948 "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
8949 },
8950 "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
8951 # and time zone are either specified elsewhere or are not significant. The date
8952 # is relative to the Proleptic Gregorian Calendar. This can represent:
8953 #
8954 # * A full date, with non-zero year, month and day values
8955 # * A month and day value, with a zero year, e.g. an anniversary
8956 # * A year on its own, with zero month and day values
8957 # * A year and month value, with a zero day, e.g. a credit card expiration date
8958 #
8959 # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
8960 "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
8961 # a year.
8962 "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
8963 # if specifying a year by itself or a year and month where the day is not
8964 # significant.
8965 "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
8966 # month and day.
8967 },
8968 "stringValue": "A String",
8969 "booleanValue": True or False,
8970 "integerValue": "A String",
8971 },
8972 },
8973 },
8974 "infoTypes": [ # InfoTypes to apply the transformation to. An empty list will cause
8975 # this transformation to apply to all findings that correspond to
8976 # infoTypes that were requested in `InspectConfig`.
8977 { # Type of information detected by the API.
8978 "name": "A String", # Name of the information type. Either a name of your choosing when
8979 # creating a CustomInfoType, or one of the names listed
8980 # at https://cloud.google.com/dlp/docs/infotypes-reference when specifying
8981 # a built-in type. InfoType names should conform to the pattern
8982 # [a-zA-Z0-9_]{1,64}.
8983 },
8984 ],
8985 },
8986 ],
8987 },
8988 "recordTransformations": { # A type of transformation that is applied over structured data such as a # Treat the dataset as structured. Transformations can be applied to
8989 # specific locations within structured datasets, such as transforming
8990 # a column within a table.
8991 # table.
8992 "recordSuppressions": [ # Configuration defining which records get suppressed entirely. Records that
8993 # match any suppression rule are omitted from the output [optional].
8994 { # Configuration to suppress records whose suppression conditions evaluate to
8995 # true.
8996 "condition": { # A condition for determining whether a transformation should be applied to # A condition that when it evaluates to true will result in the record being
8997 # evaluated to be suppressed from the transformed content.
8998 # a field.
8999 "expressions": { # An expression, consisting or an operator and conditions. # An expression.
9000 "conditions": { # A collection of conditions.
9001 "conditions": [
9002 { # The field type of `value` and `field` do not need to match to be
9003 # considered equal, but not all comparisons are possible.
9004 # EQUAL_TO and NOT_EQUAL_TO attempt to compare even with incompatible types,
9005 # but all other comparisons are invalid with incompatible types.
9006 # A `value` of type:
9007 #
9008 # - `string` can be compared against all other types
9009 # - `boolean` can only be compared against other booleans
9010 # - `integer` can be compared against doubles or a string if the string value
9011 # can be parsed as an integer.
9012 # - `double` can be compared against integers or a string if the string can
9013 # be parsed as a double.
9014 # - `Timestamp` can be compared against strings in RFC 3339 date string
9015 # format.
9016 # - `TimeOfDay` can be compared against timestamps and strings in the format
9017 # of 'HH:mm:ss'.
9018 #
9019 # If we fail to compare do to type mismatch, a warning will be given and
9020 # the condition will evaluate to false.
9021 "operator": "A String", # Operator used to compare the field or infoType to the value. [required]
9022 "field": { # General identifier of a data field in a storage service. # Field within the record this condition is evaluated against. [required]
9023 "name": "A String", # Name describing the field.
9024 },
9025 "value": { # Set of primitive values supported by the system. # Value to compare against. [Required, except for `EXISTS` tests.]
9026 # Note that for the purposes of inspection or transformation, the number
9027 # of bytes considered to comprise a 'Value' is based on its representation
9028 # as a UTF-8 encoded string. For example, if 'integer_value' is set to
9029 # 123456789, the number of bytes would be counted as 9, even though an
9030 # int64 only holds up to 8 bytes of data.
9031 "floatValue": 3.14,
9032 "timestampValue": "A String",
9033 "dayOfWeekValue": "A String",
9034 "timeValue": { # Represents a time of day. The date and time zone are either not significant
9035 # or are specified elsewhere. An API may choose to allow leap seconds. Related
9036 # types are google.type.Date and `google.protobuf.Timestamp`.
9037 "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
9038 # to allow the value "24:00:00" for scenarios like business closing time.
9039 "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
9040 "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
9041 # allow the value 60 if it allows leap-seconds.
9042 "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
9043 },
9044 "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
9045 # and time zone are either specified elsewhere or are not significant. The date
9046 # is relative to the Proleptic Gregorian Calendar. This can represent:
9047 #
9048 # * A full date, with non-zero year, month and day values
9049 # * A month and day value, with a zero year, e.g. an anniversary
9050 # * A year on its own, with zero month and day values
9051 # * A year and month value, with a zero day, e.g. a credit card expiration date
9052 #
9053 # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
9054 "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
9055 # a year.
9056 "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
9057 # if specifying a year by itself or a year and month where the day is not
9058 # significant.
9059 "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
9060 # month and day.
9061 },
9062 "stringValue": "A String",
9063 "booleanValue": True or False,
9064 "integerValue": "A String",
9065 },
9066 },
9067 ],
9068 },
9069 "logicalOperator": "A String", # The operator to apply to the result of conditions. Default and currently
9070 # only supported value is `AND`.
9071 },
9072 },
9073 },
9074 ],
9075 "fieldTransformations": [ # Transform the record by applying various field transformations.
9076 { # The transformation to apply to the field.
9077 "infoTypeTransformations": { # A type of transformation that will scan unstructured text and # Treat the contents of the field as free text, and selectively
9078 # transform content that matches an `InfoType`.
9079 # apply various `PrimitiveTransformation`s to each finding, where the
9080 # transformation is applied to only values that were identified as a specific
9081 # info_type.
9082 "transformations": [ # Transformation for each infoType. Cannot specify more than one
9083 # for a given infoType. [required]
9084 { # A transformation to apply to text that is identified as a specific
9085 # info_type.
9086 "primitiveTransformation": { # A rule for transforming a value. # Primitive transformation to apply to the infoType. [required]
9087 "characterMaskConfig": { # Partially mask a string by replacing a given number of characters with a
9088 # fixed character. Masking can start from the beginning or end of the string.
9089 # This can be used on data of any type (numbers, longs, and so on) and when
9090 # de-identifying structured data we'll attempt to preserve the original data's
9091 # type. (This allows you to take a long like 123 and modify it to a string like
9092 # **3.
9093 "charactersToIgnore": [ # When masking a string, items in this list will be skipped when replacing.
9094 # For example, if your string is 555-555-5555 and you ask us to skip `-` and
9095 # mask 5 chars with * we would produce ***-*55-5555.
9096 { # Characters to skip when doing deidentification of a value. These will be left
9097 # alone and skipped.
9098 "commonCharactersToIgnore": "A String",
9099 "charactersToSkip": "A String",
9100 },
9101 ],
9102 "numberToMask": 42, # Number of characters to mask. If not set, all matching chars will be
9103 # masked. Skipped characters do not count towards this tally.
9104 "maskingCharacter": "A String", # Character to mask the sensitive values&mdash;for example, "*" for an
9105 # alphabetic string such as name, or "0" for a numeric string such as ZIP
9106 # code or credit card number. String must have length 1. If not supplied, we
9107 # will default to "*" for strings, 0 for digits.
9108 "reverseOrder": True or False, # Mask characters in reverse order. For example, if `masking_character` is
9109 # '0', number_to_mask is 14, and `reverse_order` is false, then
9110 # 1234-5678-9012-3456 -> 00000000000000-3456
9111 # If `masking_character` is '*', `number_to_mask` is 3, and `reverse_order`
9112 # is true, then 12345 -> 12***
9113 },
9114 "redactConfig": { # Redact a given value. For example, if used with an `InfoTypeTransformation`
9115 # transforming PHONE_NUMBER, and input 'My phone number is 206-555-0123', the
9116 # output would be 'My phone number is '.
9117 },
9118 "cryptoDeterministicConfig": { # Pseudonymization method that generates deterministic encryption for the given
9119 # input. Outputs a base64 encoded representation of the encrypted output.
9120 # Uses AES-SIV based on the RFC https://tools.ietf.org/html/rfc5297.
9121 "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the encryption function.
9122 # a key encryption key (KEK) stored by KMS).
9123 # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
9124 # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
9125 # unwrap the data crypto key.
9126 "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS.
9127 # The wrapped key must be a 128/192/256 bit key.
9128 # Authorization requires the following IAM permissions when sending a request
9129 # to perform a crypto transformation using a kms-wrapped crypto key:
9130 # dlp.kms.encrypt
9131 "cryptoKeyName": "A String", # The resource name of the KMS CryptoKey to use for unwrapping. [required]
9132 "wrappedKey": "A String", # The wrapped data crypto key. [required]
9133 },
9134 "unwrapped": { # Using raw keys is prone to security risks due to accidentally
9135 # leaking the key. Choose another type of key if possible.
9136 "key": "A String", # A 128/192/256 bit key. [required]
9137 },
9138 "transient": { # Use this to have a random data crypto key generated.
9139 # It will be discarded after the request finishes.
9140 "name": "A String", # Name of the key. [required]
9141 # This is an arbitrary string used to differentiate different keys.
9142 # A unique key is generated per name: two separate `TransientCryptoKey`
9143 # protos share the same generated key if their names are the same.
9144 # When the data crypto key is generated, this name is not used in any way
9145 # (repeating the api call will result in a different key being generated).
9146 },
9147 },
9148 "context": { # General identifier of a data field in a storage service. # Optional. A context may be used for higher security and maintaining
9149 # referential integrity such that the same identifier in two different
9150 # contexts will be given a distinct surrogate. The context is appended to
9151 # plaintext value being encrypted. On decryption the provided context is
9152 # validated against the value used during encryption. If a context was
9153 # provided during encryption, same context must be provided during decryption
9154 # as well.
9155 #
9156 # If the context is not set, plaintext would be used as is for encryption.
9157 # If the context is set but:
9158 #
9159 # 1. there is no record present when transforming a given value or
9160 # 2. the field is not present when transforming a given value,
9161 #
9162 # plaintext would be used as is for encryption.
9163 #
9164 # Note that case (1) is expected when an `InfoTypeTransformation` is
9165 # applied to both structured and non-structured `ContentItem`s.
9166 "name": "A String", # Name describing the field.
9167 },
9168 "surrogateInfoType": { # Type of information detected by the API. # The custom info type to annotate the surrogate with.
9169 # This annotation will be applied to the surrogate by prefixing it with
9170 # the name of the custom info type followed by the number of
9171 # characters comprising the surrogate. The following scheme defines the
9172 # format: <info type name>(<surrogate character count>):<surrogate>
9173 #
9174 # For example, if the name of custom info type is 'MY_TOKEN_INFO_TYPE' and
9175 # the surrogate is 'abc', the full replacement value
9176 # will be: 'MY_TOKEN_INFO_TYPE(3):abc'
9177 #
9178 # This annotation identifies the surrogate when inspecting content using the
9179 # custom info type 'Surrogate'. This facilitates reversal of the
9180 # surrogate when it occurs in free text.
9181 #
9182 # In order for inspection to work properly, the name of this info type must
9183 # not occur naturally anywhere in your data; otherwise, inspection may either
9184 #
9185 # - reverse a surrogate that does not correspond to an actual identifier
9186 # - be unable to parse the surrogate and result in an error
9187 #
9188 # Therefore, choose your custom info type name carefully after considering
9189 # what your data looks like. One way to select a name that has a high chance
9190 # of yielding reliable detection is to include one or more unicode characters
9191 # that are highly improbable to exist in your data.
9192 # For example, assuming your data is entered from a regular ASCII keyboard,
9193 # the symbol with the hex code point 29DD might be used like so:
9194 # ⧝MY_TOKEN_TYPE
9195 "name": "A String", # Name of the information type. Either a name of your choosing when
9196 # creating a CustomInfoType, or one of the names listed
9197 # at https://cloud.google.com/dlp/docs/infotypes-reference when specifying
9198 # a built-in type. InfoType names should conform to the pattern
9199 # [a-zA-Z0-9_]{1,64}.
9200 },
9201 },
9202 "fixedSizeBucketingConfig": { # Buckets values based on fixed size ranges. The
9203 # Bucketing transformation can provide all of this functionality,
9204 # but requires more configuration. This message is provided as a convenience to
9205 # the user for simple bucketing strategies.
9206 #
9207 # The transformed value will be a hyphenated string of
9208 # <lower_bound>-<upper_bound>, i.e if lower_bound = 10 and upper_bound = 20
9209 # all values that are within this bucket will be replaced with "10-20".
9210 #
9211 # This can be used on data of type: double, long.
9212 #
9213 # If the bound Value type differs from the type of data
9214 # being transformed, we will first attempt converting the type of the data to
9215 # be transformed to match the type of the bound before comparing.
9216 #
9217 # See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more.
9218 "lowerBound": { # Set of primitive values supported by the system. # Lower bound value of buckets. All values less than `lower_bound` are
9219 # grouped together into a single bucket; for example if `lower_bound` = 10,
9220 # then all values less than 10 are replaced with the value “-10”. [Required].
9221 # Note that for the purposes of inspection or transformation, the number
9222 # of bytes considered to comprise a 'Value' is based on its representation
9223 # as a UTF-8 encoded string. For example, if 'integer_value' is set to
9224 # 123456789, the number of bytes would be counted as 9, even though an
9225 # int64 only holds up to 8 bytes of data.
9226 "floatValue": 3.14,
9227 "timestampValue": "A String",
9228 "dayOfWeekValue": "A String",
9229 "timeValue": { # Represents a time of day. The date and time zone are either not significant
9230 # or are specified elsewhere. An API may choose to allow leap seconds. Related
9231 # types are google.type.Date and `google.protobuf.Timestamp`.
9232 "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
9233 # to allow the value "24:00:00" for scenarios like business closing time.
9234 "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
9235 "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
9236 # allow the value 60 if it allows leap-seconds.
9237 "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
9238 },
9239 "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
9240 # and time zone are either specified elsewhere or are not significant. The date
9241 # is relative to the Proleptic Gregorian Calendar. This can represent:
9242 #
9243 # * A full date, with non-zero year, month and day values
9244 # * A month and day value, with a zero year, e.g. an anniversary
9245 # * A year on its own, with zero month and day values
9246 # * A year and month value, with a zero day, e.g. a credit card expiration date
9247 #
9248 # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
9249 "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
9250 # a year.
9251 "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
9252 # if specifying a year by itself or a year and month where the day is not
9253 # significant.
9254 "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
9255 # month and day.
9256 },
9257 "stringValue": "A String",
9258 "booleanValue": True or False,
9259 "integerValue": "A String",
9260 },
9261 "upperBound": { # Set of primitive values supported by the system. # Upper bound value of buckets. All values greater than upper_bound are
9262 # grouped together into a single bucket; for example if `upper_bound` = 89,
9263 # then all values greater than 89 are replaced with the value “89+”.
9264 # [Required].
9265 # Note that for the purposes of inspection or transformation, the number
9266 # of bytes considered to comprise a 'Value' is based on its representation
9267 # as a UTF-8 encoded string. For example, if 'integer_value' is set to
9268 # 123456789, the number of bytes would be counted as 9, even though an
9269 # int64 only holds up to 8 bytes of data.
9270 "floatValue": 3.14,
9271 "timestampValue": "A String",
9272 "dayOfWeekValue": "A String",
9273 "timeValue": { # Represents a time of day. The date and time zone are either not significant
9274 # or are specified elsewhere. An API may choose to allow leap seconds. Related
9275 # types are google.type.Date and `google.protobuf.Timestamp`.
9276 "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
9277 # to allow the value "24:00:00" for scenarios like business closing time.
9278 "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
9279 "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
9280 # allow the value 60 if it allows leap-seconds.
9281 "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
9282 },
9283 "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
9284 # and time zone are either specified elsewhere or are not significant. The date
9285 # is relative to the Proleptic Gregorian Calendar. This can represent:
9286 #
9287 # * A full date, with non-zero year, month and day values
9288 # * A month and day value, with a zero year, e.g. an anniversary
9289 # * A year on its own, with zero month and day values
9290 # * A year and month value, with a zero day, e.g. a credit card expiration date
9291 #
9292 # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
9293 "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
9294 # a year.
9295 "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
9296 # if specifying a year by itself or a year and month where the day is not
9297 # significant.
9298 "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
9299 # month and day.
9300 },
9301 "stringValue": "A String",
9302 "booleanValue": True or False,
9303 "integerValue": "A String",
9304 },
9305 "bucketSize": 3.14, # Size of each bucket (except for minimum and maximum buckets). So if
9306 # `lower_bound` = 10, `upper_bound` = 89, and `bucket_size` = 10, then the
9307 # following buckets would be used: -10, 10-20, 20-30, 30-40, 40-50, 50-60,
9308 # 60-70, 70-80, 80-89, 89+. Precision up to 2 decimals works. [Required].
9309 },
9310 "replaceWithInfoTypeConfig": { # Replace each matching finding with the name of the info_type.
9311 },
9312 "timePartConfig": { # For use with `Date`, `Timestamp`, and `TimeOfDay`, extract or preserve a
9313 # portion of the value.
9314 "partToExtract": "A String",
9315 },
9316 "cryptoHashConfig": { # Pseudonymization method that generates surrogates via cryptographic hashing.
9317 # Uses SHA-256.
9318 # The key size must be either 32 or 64 bytes.
9319 # Outputs a base64 encoded representation of the hashed output
9320 # (for example, L7k0BHmF1ha5U3NfGykjro4xWi1MPVQPjhMAZbSV9mM=).
9321 # Currently, only string and integer values can be hashed.
9322 # See https://cloud.google.com/dlp/docs/pseudonymization to learn more.
9323 "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the hash function.
9324 # a key encryption key (KEK) stored by KMS).
9325 # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
9326 # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
9327 # unwrap the data crypto key.
9328 "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS.
9329 # The wrapped key must be a 128/192/256 bit key.
9330 # Authorization requires the following IAM permissions when sending a request
9331 # to perform a crypto transformation using a kms-wrapped crypto key:
9332 # dlp.kms.encrypt
9333 "cryptoKeyName": "A String", # The resource name of the KMS CryptoKey to use for unwrapping. [required]
9334 "wrappedKey": "A String", # The wrapped data crypto key. [required]
9335 },
9336 "unwrapped": { # Using raw keys is prone to security risks due to accidentally
9337 # leaking the key. Choose another type of key if possible.
9338 "key": "A String", # A 128/192/256 bit key. [required]
9339 },
9340 "transient": { # Use this to have a random data crypto key generated.
9341 # It will be discarded after the request finishes.
9342 "name": "A String", # Name of the key. [required]
9343 # This is an arbitrary string used to differentiate different keys.
9344 # A unique key is generated per name: two separate `TransientCryptoKey`
9345 # protos share the same generated key if their names are the same.
9346 # When the data crypto key is generated, this name is not used in any way
9347 # (repeating the api call will result in a different key being generated).
9348 },
9349 },
9350 },
9351 "dateShiftConfig": { # Shifts dates by random number of days, with option to be consistent for the
9352 # same context. See https://cloud.google.com/dlp/docs/concepts-date-shifting
9353 # to learn more.
9354 "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # Causes the shift to be computed based on this key and the context. This
9355 # results in the same shift for the same context and crypto_key.
9356 # a key encryption key (KEK) stored by KMS).
9357 # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
9358 # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
9359 # unwrap the data crypto key.
9360 "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS.
9361 # The wrapped key must be a 128/192/256 bit key.
9362 # Authorization requires the following IAM permissions when sending a request
9363 # to perform a crypto transformation using a kms-wrapped crypto key:
9364 # dlp.kms.encrypt
9365 "cryptoKeyName": "A String", # The resource name of the KMS CryptoKey to use for unwrapping. [required]
9366 "wrappedKey": "A String", # The wrapped data crypto key. [required]
9367 },
9368 "unwrapped": { # Using raw keys is prone to security risks due to accidentally
9369 # leaking the key. Choose another type of key if possible.
9370 "key": "A String", # A 128/192/256 bit key. [required]
9371 },
9372 "transient": { # Use this to have a random data crypto key generated.
9373 # It will be discarded after the request finishes.
9374 "name": "A String", # Name of the key. [required]
9375 # This is an arbitrary string used to differentiate different keys.
9376 # A unique key is generated per name: two separate `TransientCryptoKey`
9377 # protos share the same generated key if their names are the same.
9378 # When the data crypto key is generated, this name is not used in any way
9379 # (repeating the api call will result in a different key being generated).
9380 },
9381 },
9382 "lowerBoundDays": 42, # For example, -5 means shift date to at most 5 days back in the past.
9383 # [Required]
9384 "upperBoundDays": 42, # Range of shift in days. Actual shift will be selected at random within this
9385 # range (inclusive ends). Negative means shift to earlier in time. Must not
9386 # be more than 365250 days (1000 years) each direction.
9387 #
9388 # For example, 3 means shift date to at most 3 days into the future.
9389 # [Required]
9390 "context": { # General identifier of a data field in a storage service. # Points to the field that contains the context, for example, an entity id.
9391 # If set, must also set method. If set, shift will be consistent for the
9392 # given context.
9393 "name": "A String", # Name describing the field.
9394 },
9395 },
9396 "bucketingConfig": { # Generalization function that buckets values based on ranges. The ranges and
9397 # replacement values are dynamically provided by the user for custom behavior,
9398 # such as 1-30 -> LOW 31-65 -> MEDIUM 66-100 -> HIGH
9399 # This can be used on
9400 # data of type: number, long, string, timestamp.
9401 # If the bound `Value` type differs from the type of data being transformed, we
9402 # will first attempt converting the type of the data to be transformed to match
9403 # the type of the bound before comparing.
9404 # See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more.
9405 "buckets": [ # Set of buckets. Ranges must be non-overlapping.
9406 { # Bucket is represented as a range, along with replacement values.
9407 "max": { # Set of primitive values supported by the system. # Upper bound of the range, exclusive; type must match min.
9408 # Note that for the purposes of inspection or transformation, the number
9409 # of bytes considered to comprise a 'Value' is based on its representation
9410 # as a UTF-8 encoded string. For example, if 'integer_value' is set to
9411 # 123456789, the number of bytes would be counted as 9, even though an
9412 # int64 only holds up to 8 bytes of data.
9413 "floatValue": 3.14,
9414 "timestampValue": "A String",
9415 "dayOfWeekValue": "A String",
9416 "timeValue": { # Represents a time of day. The date and time zone are either not significant
9417 # or are specified elsewhere. An API may choose to allow leap seconds. Related
9418 # types are google.type.Date and `google.protobuf.Timestamp`.
9419 "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
9420 # to allow the value "24:00:00" for scenarios like business closing time.
9421 "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
9422 "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
9423 # allow the value 60 if it allows leap-seconds.
9424 "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
9425 },
9426 "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
9427 # and time zone are either specified elsewhere or are not significant. The date
9428 # is relative to the Proleptic Gregorian Calendar. This can represent:
9429 #
9430 # * A full date, with non-zero year, month and day values
9431 # * A month and day value, with a zero year, e.g. an anniversary
9432 # * A year on its own, with zero month and day values
9433 # * A year and month value, with a zero day, e.g. a credit card expiration date
9434 #
9435 # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
9436 "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
9437 # a year.
9438 "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
9439 # if specifying a year by itself or a year and month where the day is not
9440 # significant.
9441 "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
9442 # month and day.
9443 },
9444 "stringValue": "A String",
9445 "booleanValue": True or False,
9446 "integerValue": "A String",
9447 },
9448 "replacementValue": { # Set of primitive values supported by the system. # Replacement value for this bucket. If not provided
9449 # the default behavior will be to hyphenate the min-max range.
9450 # Note that for the purposes of inspection or transformation, the number
9451 # of bytes considered to comprise a 'Value' is based on its representation
9452 # as a UTF-8 encoded string. For example, if 'integer_value' is set to
9453 # 123456789, the number of bytes would be counted as 9, even though an
9454 # int64 only holds up to 8 bytes of data.
9455 "floatValue": 3.14,
9456 "timestampValue": "A String",
9457 "dayOfWeekValue": "A String",
9458 "timeValue": { # Represents a time of day. The date and time zone are either not significant
9459 # or are specified elsewhere. An API may choose to allow leap seconds. Related
9460 # types are google.type.Date and `google.protobuf.Timestamp`.
9461 "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
9462 # to allow the value "24:00:00" for scenarios like business closing time.
9463 "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
9464 "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
9465 # allow the value 60 if it allows leap-seconds.
9466 "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
9467 },
9468 "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
9469 # and time zone are either specified elsewhere or are not significant. The date
9470 # is relative to the Proleptic Gregorian Calendar. This can represent:
9471 #
9472 # * A full date, with non-zero year, month and day values
9473 # * A month and day value, with a zero year, e.g. an anniversary
9474 # * A year on its own, with zero month and day values
9475 # * A year and month value, with a zero day, e.g. a credit card expiration date
9476 #
9477 # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
9478 "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
9479 # a year.
9480 "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
9481 # if specifying a year by itself or a year and month where the day is not
9482 # significant.
9483 "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
9484 # month and day.
9485 },
9486 "stringValue": "A String",
9487 "booleanValue": True or False,
9488 "integerValue": "A String",
9489 },
9490 "min": { # Set of primitive values supported by the system. # Lower bound of the range, inclusive. Type should be the same as max if
9491 # used.
9492 # Note that for the purposes of inspection or transformation, the number
9493 # of bytes considered to comprise a 'Value' is based on its representation
9494 # as a UTF-8 encoded string. For example, if 'integer_value' is set to
9495 # 123456789, the number of bytes would be counted as 9, even though an
9496 # int64 only holds up to 8 bytes of data.
9497 "floatValue": 3.14,
9498 "timestampValue": "A String",
9499 "dayOfWeekValue": "A String",
9500 "timeValue": { # Represents a time of day. The date and time zone are either not significant
9501 # or are specified elsewhere. An API may choose to allow leap seconds. Related
9502 # types are google.type.Date and `google.protobuf.Timestamp`.
9503 "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
9504 # to allow the value "24:00:00" for scenarios like business closing time.
9505 "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
9506 "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
9507 # allow the value 60 if it allows leap-seconds.
9508 "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
9509 },
9510 "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
9511 # and time zone are either specified elsewhere or are not significant. The date
9512 # is relative to the Proleptic Gregorian Calendar. This can represent:
9513 #
9514 # * A full date, with non-zero year, month and day values
9515 # * A month and day value, with a zero year, e.g. an anniversary
9516 # * A year on its own, with zero month and day values
9517 # * A year and month value, with a zero day, e.g. a credit card expiration date
9518 #
9519 # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
9520 "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
9521 # a year.
9522 "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
9523 # if specifying a year by itself or a year and month where the day is not
9524 # significant.
9525 "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
9526 # month and day.
9527 },
9528 "stringValue": "A String",
9529 "booleanValue": True or False,
9530 "integerValue": "A String",
9531 },
9532 },
9533 ],
9534 },
9535 "cryptoReplaceFfxFpeConfig": { # Replaces an identifier with a surrogate using Format Preserving Encryption
9536 # (FPE) with the FFX mode of operation; however when used in the
9537 # `ReidentifyContent` API method, it serves the opposite function by reversing
9538 # the surrogate back into the original identifier. The identifier must be
9539 # encoded as ASCII. For a given crypto key and context, the same identifier
9540 # will be replaced with the same surrogate. Identifiers must be at least two
9541 # characters long. In the case that the identifier is the empty string, it will
9542 # be skipped. See https://cloud.google.com/dlp/docs/pseudonymization to learn
9543 # more.
9544 #
9545 # Note: We recommend using CryptoDeterministicConfig for all use cases which
9546 # do not require preserving the input alphabet space and size, plus warrant
9547 # referential integrity.
9548 "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the encryption algorithm. [required]
9549 # a key encryption key (KEK) stored by KMS).
9550 # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
9551 # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
9552 # unwrap the data crypto key.
9553 "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS.
9554 # The wrapped key must be a 128/192/256 bit key.
9555 # Authorization requires the following IAM permissions when sending a request
9556 # to perform a crypto transformation using a kms-wrapped crypto key:
9557 # dlp.kms.encrypt
9558 "cryptoKeyName": "A String", # The resource name of the KMS CryptoKey to use for unwrapping. [required]
9559 "wrappedKey": "A String", # The wrapped data crypto key. [required]
9560 },
9561 "unwrapped": { # Using raw keys is prone to security risks due to accidentally
9562 # leaking the key. Choose another type of key if possible.
9563 "key": "A String", # A 128/192/256 bit key. [required]
9564 },
9565 "transient": { # Use this to have a random data crypto key generated.
9566 # It will be discarded after the request finishes.
9567 "name": "A String", # Name of the key. [required]
9568 # This is an arbitrary string used to differentiate different keys.
9569 # A unique key is generated per name: two separate `TransientCryptoKey`
9570 # protos share the same generated key if their names are the same.
9571 # When the data crypto key is generated, this name is not used in any way
9572 # (repeating the api call will result in a different key being generated).
9573 },
9574 },
9575 "radix": 42, # The native way to select the alphabet. Must be in the range [2, 62].
9576 "commonAlphabet": "A String",
9577 "customAlphabet": "A String", # This is supported by mapping these to the alphanumeric characters
9578 # that the FFX mode natively supports. This happens before/after
9579 # encryption/decryption.
9580 # Each character listed must appear only once.
9581 # Number of characters must be in the range [2, 62].
9582 # This must be encoded as ASCII.
9583 # The order of characters does not matter.
9584 "context": { # General identifier of a data field in a storage service. # The 'tweak', a context may be used for higher security since the same
9585 # identifier in two different contexts won't be given the same surrogate. If
9586 # the context is not set, a default tweak will be used.
9587 #
9588 # If the context is set but:
9589 #
9590 # 1. there is no record present when transforming a given value or
9591 # 1. the field is not present when transforming a given value,
9592 #
9593 # a default tweak will be used.
9594 #
9595 # Note that case (1) is expected when an `InfoTypeTransformation` is
9596 # applied to both structured and non-structured `ContentItem`s.
9597 # Currently, the referenced field may be of value type integer or string.
9598 #
9599 # The tweak is constructed as a sequence of bytes in big endian byte order
9600 # such that:
9601 #
9602 # - a 64 bit integer is encoded followed by a single byte of value 1
9603 # - a string is encoded in UTF-8 format followed by a single byte of value 2
9604 "name": "A String", # Name describing the field.
9605 },
9606 "surrogateInfoType": { # Type of information detected by the API. # The custom infoType to annotate the surrogate with.
9607 # This annotation will be applied to the surrogate by prefixing it with
9608 # the name of the custom infoType followed by the number of
9609 # characters comprising the surrogate. The following scheme defines the
9610 # format: info_type_name(surrogate_character_count):surrogate
9611 #
9612 # For example, if the name of custom infoType is 'MY_TOKEN_INFO_TYPE' and
9613 # the surrogate is 'abc', the full replacement value
9614 # will be: 'MY_TOKEN_INFO_TYPE(3):abc'
9615 #
9616 # This annotation identifies the surrogate when inspecting content using the
9617 # custom infoType
9618 # [`SurrogateType`](/dlp/docs/reference/rest/v2/InspectConfig#surrogatetype).
9619 # This facilitates reversal of the surrogate when it occurs in free text.
9620 #
9621 # In order for inspection to work properly, the name of this infoType must
9622 # not occur naturally anywhere in your data; otherwise, inspection may
9623 # find a surrogate that does not correspond to an actual identifier.
9624 # Therefore, choose your custom infoType name carefully after considering
9625 # what your data looks like. One way to select a name that has a high chance
9626 # of yielding reliable detection is to include one or more unicode characters
9627 # that are highly improbable to exist in your data.
9628 # For example, assuming your data is entered from a regular ASCII keyboard,
9629 # the symbol with the hex code point 29DD might be used like so:
9630 # ⧝MY_TOKEN_TYPE
9631 "name": "A String", # Name of the information type. Either a name of your choosing when
9632 # creating a CustomInfoType, or one of the names listed
9633 # at https://cloud.google.com/dlp/docs/infotypes-reference when specifying
9634 # a built-in type. InfoType names should conform to the pattern
9635 # [a-zA-Z0-9_]{1,64}.
9636 },
9637 },
9638 "replaceConfig": { # Replace each input value with a given `Value`.
9639 "newValue": { # Set of primitive values supported by the system. # Value to replace it with.
9640 # Note that for the purposes of inspection or transformation, the number
9641 # of bytes considered to comprise a 'Value' is based on its representation
9642 # as a UTF-8 encoded string. For example, if 'integer_value' is set to
9643 # 123456789, the number of bytes would be counted as 9, even though an
9644 # int64 only holds up to 8 bytes of data.
9645 "floatValue": 3.14,
9646 "timestampValue": "A String",
9647 "dayOfWeekValue": "A String",
9648 "timeValue": { # Represents a time of day. The date and time zone are either not significant
9649 # or are specified elsewhere. An API may choose to allow leap seconds. Related
9650 # types are google.type.Date and `google.protobuf.Timestamp`.
9651 "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
9652 # to allow the value "24:00:00" for scenarios like business closing time.
9653 "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
9654 "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
9655 # allow the value 60 if it allows leap-seconds.
9656 "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
9657 },
9658 "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
9659 # and time zone are either specified elsewhere or are not significant. The date
9660 # is relative to the Proleptic Gregorian Calendar. This can represent:
9661 #
9662 # * A full date, with non-zero year, month and day values
9663 # * A month and day value, with a zero year, e.g. an anniversary
9664 # * A year on its own, with zero month and day values
9665 # * A year and month value, with a zero day, e.g. a credit card expiration date
9666 #
9667 # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
9668 "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
9669 # a year.
9670 "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
9671 # if specifying a year by itself or a year and month where the day is not
9672 # significant.
9673 "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
9674 # month and day.
9675 },
9676 "stringValue": "A String",
9677 "booleanValue": True or False,
9678 "integerValue": "A String",
9679 },
9680 },
9681 },
9682 "infoTypes": [ # InfoTypes to apply the transformation to. An empty list will cause
9683 # this transformation to apply to all findings that correspond to
9684 # infoTypes that were requested in `InspectConfig`.
9685 { # Type of information detected by the API.
9686 "name": "A String", # Name of the information type. Either a name of your choosing when
9687 # creating a CustomInfoType, or one of the names listed
9688 # at https://cloud.google.com/dlp/docs/infotypes-reference when specifying
9689 # a built-in type. InfoType names should conform to the pattern
9690 # [a-zA-Z0-9_]{1,64}.
9691 },
9692 ],
9693 },
9694 ],
9695 },
9696 "primitiveTransformation": { # A rule for transforming a value. # Apply the transformation to the entire field.
9697 "characterMaskConfig": { # Partially mask a string by replacing a given number of characters with a
9698 # fixed character. Masking can start from the beginning or end of the string.
9699 # This can be used on data of any type (numbers, longs, and so on) and when
9700 # de-identifying structured data we'll attempt to preserve the original data's
9701 # type. (This allows you to take a long like 123 and modify it to a string like
9702 # **3.
9703 "charactersToIgnore": [ # When masking a string, items in this list will be skipped when replacing.
9704 # For example, if your string is 555-555-5555 and you ask us to skip `-` and
9705 # mask 5 chars with * we would produce ***-*55-5555.
9706 { # Characters to skip when doing deidentification of a value. These will be left
9707 # alone and skipped.
9708 "commonCharactersToIgnore": "A String",
9709 "charactersToSkip": "A String",
9710 },
9711 ],
9712 "numberToMask": 42, # Number of characters to mask. If not set, all matching chars will be
9713 # masked. Skipped characters do not count towards this tally.
9714 "maskingCharacter": "A String", # Character to mask the sensitive values&mdash;for example, "*" for an
9715 # alphabetic string such as name, or "0" for a numeric string such as ZIP
9716 # code or credit card number. String must have length 1. If not supplied, we
9717 # will default to "*" for strings, 0 for digits.
9718 "reverseOrder": True or False, # Mask characters in reverse order. For example, if `masking_character` is
9719 # '0', number_to_mask is 14, and `reverse_order` is false, then
9720 # 1234-5678-9012-3456 -> 00000000000000-3456
9721 # If `masking_character` is '*', `number_to_mask` is 3, and `reverse_order`
9722 # is true, then 12345 -> 12***
9723 },
9724 "redactConfig": { # Redact a given value. For example, if used with an `InfoTypeTransformation`
9725 # transforming PHONE_NUMBER, and input 'My phone number is 206-555-0123', the
9726 # output would be 'My phone number is '.
9727 },
9728 "cryptoDeterministicConfig": { # Pseudonymization method that generates deterministic encryption for the given
9729 # input. Outputs a base64 encoded representation of the encrypted output.
9730 # Uses AES-SIV based on the RFC https://tools.ietf.org/html/rfc5297.
9731 "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the encryption function.
9732 # a key encryption key (KEK) stored by KMS).
9733 # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
9734 # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
9735 # unwrap the data crypto key.
9736 "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS.
9737 # The wrapped key must be a 128/192/256 bit key.
9738 # Authorization requires the following IAM permissions when sending a request
9739 # to perform a crypto transformation using a kms-wrapped crypto key:
9740 # dlp.kms.encrypt
9741 "cryptoKeyName": "A String", # The resource name of the KMS CryptoKey to use for unwrapping. [required]
9742 "wrappedKey": "A String", # The wrapped data crypto key. [required]
9743 },
9744 "unwrapped": { # Using raw keys is prone to security risks due to accidentally
9745 # leaking the key. Choose another type of key if possible.
9746 "key": "A String", # A 128/192/256 bit key. [required]
9747 },
9748 "transient": { # Use this to have a random data crypto key generated.
9749 # It will be discarded after the request finishes.
9750 "name": "A String", # Name of the key. [required]
9751 # This is an arbitrary string used to differentiate different keys.
9752 # A unique key is generated per name: two separate `TransientCryptoKey`
9753 # protos share the same generated key if their names are the same.
9754 # When the data crypto key is generated, this name is not used in any way
9755 # (repeating the api call will result in a different key being generated).
9756 },
9757 },
9758 "context": { # General identifier of a data field in a storage service. # Optional. A context may be used for higher security and maintaining
9759 # referential integrity such that the same identifier in two different
9760 # contexts will be given a distinct surrogate. The context is appended to
9761 # plaintext value being encrypted. On decryption the provided context is
9762 # validated against the value used during encryption. If a context was
9763 # provided during encryption, same context must be provided during decryption
9764 # as well.
9765 #
9766 # If the context is not set, plaintext would be used as is for encryption.
9767 # If the context is set but:
9768 #
9769 # 1. there is no record present when transforming a given value or
9770 # 2. the field is not present when transforming a given value,
9771 #
9772 # plaintext would be used as is for encryption.
9773 #
9774 # Note that case (1) is expected when an `InfoTypeTransformation` is
9775 # applied to both structured and non-structured `ContentItem`s.
9776 "name": "A String", # Name describing the field.
9777 },
9778 "surrogateInfoType": { # Type of information detected by the API. # The custom info type to annotate the surrogate with.
9779 # This annotation will be applied to the surrogate by prefixing it with
9780 # the name of the custom info type followed by the number of
9781 # characters comprising the surrogate. The following scheme defines the
9782 # format: <info type name>(<surrogate character count>):<surrogate>
9783 #
9784 # For example, if the name of custom info type is 'MY_TOKEN_INFO_TYPE' and
9785 # the surrogate is 'abc', the full replacement value
9786 # will be: 'MY_TOKEN_INFO_TYPE(3):abc'
9787 #
9788 # This annotation identifies the surrogate when inspecting content using the
9789 # custom info type 'Surrogate'. This facilitates reversal of the
9790 # surrogate when it occurs in free text.
9791 #
9792 # In order for inspection to work properly, the name of this info type must
9793 # not occur naturally anywhere in your data; otherwise, inspection may either
9794 #
9795 # - reverse a surrogate that does not correspond to an actual identifier
9796 # - be unable to parse the surrogate and result in an error
9797 #
9798 # Therefore, choose your custom info type name carefully after considering
9799 # what your data looks like. One way to select a name that has a high chance
9800 # of yielding reliable detection is to include one or more unicode characters
9801 # that are highly improbable to exist in your data.
9802 # For example, assuming your data is entered from a regular ASCII keyboard,
9803 # the symbol with the hex code point 29DD might be used like so:
9804 # ⧝MY_TOKEN_TYPE
9805 "name": "A String", # Name of the information type. Either a name of your choosing when
9806 # creating a CustomInfoType, or one of the names listed
9807 # at https://cloud.google.com/dlp/docs/infotypes-reference when specifying
9808 # a built-in type. InfoType names should conform to the pattern
9809 # [a-zA-Z0-9_]{1,64}.
9810 },
9811 },
9812 "fixedSizeBucketingConfig": { # Buckets values based on fixed size ranges. The
9813 # Bucketing transformation can provide all of this functionality,
9814 # but requires more configuration. This message is provided as a convenience to
9815 # the user for simple bucketing strategies.
9816 #
9817 # The transformed value will be a hyphenated string of
9818 # <lower_bound>-<upper_bound>, i.e if lower_bound = 10 and upper_bound = 20
9819 # all values that are within this bucket will be replaced with "10-20".
9820 #
9821 # This can be used on data of type: double, long.
9822 #
9823 # If the bound Value type differs from the type of data
9824 # being transformed, we will first attempt converting the type of the data to
9825 # be transformed to match the type of the bound before comparing.
9826 #
9827 # See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more.
9828 "lowerBound": { # Set of primitive values supported by the system. # Lower bound value of buckets. All values less than `lower_bound` are
9829 # grouped together into a single bucket; for example if `lower_bound` = 10,
9830 # then all values less than 10 are replaced with the value “-10”. [Required].
9831 # Note that for the purposes of inspection or transformation, the number
9832 # of bytes considered to comprise a 'Value' is based on its representation
9833 # as a UTF-8 encoded string. For example, if 'integer_value' is set to
9834 # 123456789, the number of bytes would be counted as 9, even though an
9835 # int64 only holds up to 8 bytes of data.
9836 "floatValue": 3.14,
9837 "timestampValue": "A String",
9838 "dayOfWeekValue": "A String",
9839 "timeValue": { # Represents a time of day. The date and time zone are either not significant
9840 # or are specified elsewhere. An API may choose to allow leap seconds. Related
9841 # types are google.type.Date and `google.protobuf.Timestamp`.
9842 "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
9843 # to allow the value "24:00:00" for scenarios like business closing time.
9844 "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
9845 "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
9846 # allow the value 60 if it allows leap-seconds.
9847 "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
9848 },
9849 "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
9850 # and time zone are either specified elsewhere or are not significant. The date
9851 # is relative to the Proleptic Gregorian Calendar. This can represent:
9852 #
9853 # * A full date, with non-zero year, month and day values
9854 # * A month and day value, with a zero year, e.g. an anniversary
9855 # * A year on its own, with zero month and day values
9856 # * A year and month value, with a zero day, e.g. a credit card expiration date
9857 #
9858 # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
9859 "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
9860 # a year.
9861 "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
9862 # if specifying a year by itself or a year and month where the day is not
9863 # significant.
9864 "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
9865 # month and day.
9866 },
9867 "stringValue": "A String",
9868 "booleanValue": True or False,
9869 "integerValue": "A String",
9870 },
9871 "upperBound": { # Set of primitive values supported by the system. # Upper bound value of buckets. All values greater than upper_bound are
9872 # grouped together into a single bucket; for example if `upper_bound` = 89,
9873 # then all values greater than 89 are replaced with the value “89+”.
9874 # [Required].
9875 # Note that for the purposes of inspection or transformation, the number
9876 # of bytes considered to comprise a 'Value' is based on its representation
9877 # as a UTF-8 encoded string. For example, if 'integer_value' is set to
9878 # 123456789, the number of bytes would be counted as 9, even though an
9879 # int64 only holds up to 8 bytes of data.
9880 "floatValue": 3.14,
9881 "timestampValue": "A String",
9882 "dayOfWeekValue": "A String",
9883 "timeValue": { # Represents a time of day. The date and time zone are either not significant
9884 # or are specified elsewhere. An API may choose to allow leap seconds. Related
9885 # types are google.type.Date and `google.protobuf.Timestamp`.
9886 "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
9887 # to allow the value "24:00:00" for scenarios like business closing time.
9888 "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
9889 "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
9890 # allow the value 60 if it allows leap-seconds.
9891 "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
9892 },
9893 "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
9894 # and time zone are either specified elsewhere or are not significant. The date
9895 # is relative to the Proleptic Gregorian Calendar. This can represent:
9896 #
9897 # * A full date, with non-zero year, month and day values
9898 # * A month and day value, with a zero year, e.g. an anniversary
9899 # * A year on its own, with zero month and day values
9900 # * A year and month value, with a zero day, e.g. a credit card expiration date
9901 #
9902 # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
9903 "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
9904 # a year.
9905 "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
9906 # if specifying a year by itself or a year and month where the day is not
9907 # significant.
9908 "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
9909 # month and day.
9910 },
9911 "stringValue": "A String",
9912 "booleanValue": True or False,
9913 "integerValue": "A String",
9914 },
9915 "bucketSize": 3.14, # Size of each bucket (except for minimum and maximum buckets). So if
9916 # `lower_bound` = 10, `upper_bound` = 89, and `bucket_size` = 10, then the
9917 # following buckets would be used: -10, 10-20, 20-30, 30-40, 40-50, 50-60,
9918 # 60-70, 70-80, 80-89, 89+. Precision up to 2 decimals works. [Required].
9919 },
9920 "replaceWithInfoTypeConfig": { # Replace each matching finding with the name of the info_type.
9921 },
9922 "timePartConfig": { # For use with `Date`, `Timestamp`, and `TimeOfDay`, extract or preserve a
9923 # portion of the value.
9924 "partToExtract": "A String",
9925 },
9926 "cryptoHashConfig": { # Pseudonymization method that generates surrogates via cryptographic hashing.
9927 # Uses SHA-256.
9928 # The key size must be either 32 or 64 bytes.
9929 # Outputs a base64 encoded representation of the hashed output
9930 # (for example, L7k0BHmF1ha5U3NfGykjro4xWi1MPVQPjhMAZbSV9mM=).
9931 # Currently, only string and integer values can be hashed.
9932 # See https://cloud.google.com/dlp/docs/pseudonymization to learn more.
9933 "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the hash function.
9934 # a key encryption key (KEK) stored by KMS).
9935 # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
9936 # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
9937 # unwrap the data crypto key.
9938 "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS.
9939 # The wrapped key must be a 128/192/256 bit key.
9940 # Authorization requires the following IAM permissions when sending a request
9941 # to perform a crypto transformation using a kms-wrapped crypto key:
9942 # dlp.kms.encrypt
9943 "cryptoKeyName": "A String", # The resource name of the KMS CryptoKey to use for unwrapping. [required]
9944 "wrappedKey": "A String", # The wrapped data crypto key. [required]
9945 },
9946 "unwrapped": { # Using raw keys is prone to security risks due to accidentally
9947 # leaking the key. Choose another type of key if possible.
9948 "key": "A String", # A 128/192/256 bit key. [required]
9949 },
9950 "transient": { # Use this to have a random data crypto key generated.
9951 # It will be discarded after the request finishes.
9952 "name": "A String", # Name of the key. [required]
9953 # This is an arbitrary string used to differentiate different keys.
9954 # A unique key is generated per name: two separate `TransientCryptoKey`
9955 # protos share the same generated key if their names are the same.
9956 # When the data crypto key is generated, this name is not used in any way
9957 # (repeating the api call will result in a different key being generated).
9958 },
9959 },
9960 },
9961 "dateShiftConfig": { # Shifts dates by random number of days, with option to be consistent for the
9962 # same context. See https://cloud.google.com/dlp/docs/concepts-date-shifting
9963 # to learn more.
9964 "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # Causes the shift to be computed based on this key and the context. This
9965 # results in the same shift for the same context and crypto_key.
9966 # a key encryption key (KEK) stored by KMS).
9967 # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
9968 # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
9969 # unwrap the data crypto key.
9970 "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS.
9971 # The wrapped key must be a 128/192/256 bit key.
9972 # Authorization requires the following IAM permissions when sending a request
9973 # to perform a crypto transformation using a kms-wrapped crypto key:
9974 # dlp.kms.encrypt
9975 "cryptoKeyName": "A String", # The resource name of the KMS CryptoKey to use for unwrapping. [required]
9976 "wrappedKey": "A String", # The wrapped data crypto key. [required]
9977 },
9978 "unwrapped": { # Using raw keys is prone to security risks due to accidentally
9979 # leaking the key. Choose another type of key if possible.
9980 "key": "A String", # A 128/192/256 bit key. [required]
9981 },
9982 "transient": { # Use this to have a random data crypto key generated.
9983 # It will be discarded after the request finishes.
9984 "name": "A String", # Name of the key. [required]
9985 # This is an arbitrary string used to differentiate different keys.
9986 # A unique key is generated per name: two separate `TransientCryptoKey`
9987 # protos share the same generated key if their names are the same.
9988 # When the data crypto key is generated, this name is not used in any way
9989 # (repeating the api call will result in a different key being generated).
9990 },
9991 },
9992 "lowerBoundDays": 42, # For example, -5 means shift date to at most 5 days back in the past.
9993 # [Required]
9994 "upperBoundDays": 42, # Range of shift in days. Actual shift will be selected at random within this
9995 # range (inclusive ends). Negative means shift to earlier in time. Must not
9996 # be more than 365250 days (1000 years) each direction.
9997 #
9998 # For example, 3 means shift date to at most 3 days into the future.
9999 # [Required]
10000 "context": { # General identifier of a data field in a storage service. # Points to the field that contains the context, for example, an entity id.
10001 # If set, must also set method. If set, shift will be consistent for the
10002 # given context.
10003 "name": "A String", # Name describing the field.
10004 },
10005 },
10006 "bucketingConfig": { # Generalization function that buckets values based on ranges. The ranges and
10007 # replacement values are dynamically provided by the user for custom behavior,
10008 # such as 1-30 -> LOW 31-65 -> MEDIUM 66-100 -> HIGH
10009 # This can be used on
10010 # data of type: number, long, string, timestamp.
10011 # If the bound `Value` type differs from the type of data being transformed, we
10012 # will first attempt converting the type of the data to be transformed to match
10013 # the type of the bound before comparing.
10014 # See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more.
10015 "buckets": [ # Set of buckets. Ranges must be non-overlapping.
10016 { # Bucket is represented as a range, along with replacement values.
10017 "max": { # Set of primitive values supported by the system. # Upper bound of the range, exclusive; type must match min.
10018 # Note that for the purposes of inspection or transformation, the number
10019 # of bytes considered to comprise a 'Value' is based on its representation
10020 # as a UTF-8 encoded string. For example, if 'integer_value' is set to
10021 # 123456789, the number of bytes would be counted as 9, even though an
10022 # int64 only holds up to 8 bytes of data.
10023 "floatValue": 3.14,
10024 "timestampValue": "A String",
10025 "dayOfWeekValue": "A String",
10026 "timeValue": { # Represents a time of day. The date and time zone are either not significant
10027 # or are specified elsewhere. An API may choose to allow leap seconds. Related
10028 # types are google.type.Date and `google.protobuf.Timestamp`.
10029 "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
10030 # to allow the value "24:00:00" for scenarios like business closing time.
10031 "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
10032 "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
10033 # allow the value 60 if it allows leap-seconds.
10034 "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
10035 },
10036 "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
10037 # and time zone are either specified elsewhere or are not significant. The date
10038 # is relative to the Proleptic Gregorian Calendar. This can represent:
10039 #
10040 # * A full date, with non-zero year, month and day values
10041 # * A month and day value, with a zero year, e.g. an anniversary
10042 # * A year on its own, with zero month and day values
10043 # * A year and month value, with a zero day, e.g. a credit card expiration date
10044 #
10045 # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
10046 "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
10047 # a year.
10048 "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
10049 # if specifying a year by itself or a year and month where the day is not
10050 # significant.
10051 "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
10052 # month and day.
10053 },
10054 "stringValue": "A String",
10055 "booleanValue": True or False,
10056 "integerValue": "A String",
10057 },
10058 "replacementValue": { # Set of primitive values supported by the system. # Replacement value for this bucket. If not provided
10059 # the default behavior will be to hyphenate the min-max range.
10060 # Note that for the purposes of inspection or transformation, the number
10061 # of bytes considered to comprise a 'Value' is based on its representation
10062 # as a UTF-8 encoded string. For example, if 'integer_value' is set to
10063 # 123456789, the number of bytes would be counted as 9, even though an
10064 # int64 only holds up to 8 bytes of data.
10065 "floatValue": 3.14,
10066 "timestampValue": "A String",
10067 "dayOfWeekValue": "A String",
10068 "timeValue": { # Represents a time of day. The date and time zone are either not significant
10069 # or are specified elsewhere. An API may choose to allow leap seconds. Related
10070 # types are google.type.Date and `google.protobuf.Timestamp`.
10071 "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
10072 # to allow the value "24:00:00" for scenarios like business closing time.
10073 "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
10074 "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
10075 # allow the value 60 if it allows leap-seconds.
10076 "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
10077 },
10078 "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
10079 # and time zone are either specified elsewhere or are not significant. The date
10080 # is relative to the Proleptic Gregorian Calendar. This can represent:
10081 #
10082 # * A full date, with non-zero year, month and day values
10083 # * A month and day value, with a zero year, e.g. an anniversary
10084 # * A year on its own, with zero month and day values
10085 # * A year and month value, with a zero day, e.g. a credit card expiration date
10086 #
10087 # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
10088 "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
10089 # a year.
10090 "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
10091 # if specifying a year by itself or a year and month where the day is not
10092 # significant.
10093 "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
10094 # month and day.
10095 },
10096 "stringValue": "A String",
10097 "booleanValue": True or False,
10098 "integerValue": "A String",
10099 },
10100 "min": { # Set of primitive values supported by the system. # Lower bound of the range, inclusive. Type should be the same as max if
10101 # used.
10102 # Note that for the purposes of inspection or transformation, the number
10103 # of bytes considered to comprise a 'Value' is based on its representation
10104 # as a UTF-8 encoded string. For example, if 'integer_value' is set to
10105 # 123456789, the number of bytes would be counted as 9, even though an
10106 # int64 only holds up to 8 bytes of data.
10107 "floatValue": 3.14,
10108 "timestampValue": "A String",
10109 "dayOfWeekValue": "A String",
10110 "timeValue": { # Represents a time of day. The date and time zone are either not significant
10111 # or are specified elsewhere. An API may choose to allow leap seconds. Related
10112 # types are google.type.Date and `google.protobuf.Timestamp`.
10113 "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
10114 # to allow the value "24:00:00" for scenarios like business closing time.
10115 "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
10116 "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
10117 # allow the value 60 if it allows leap-seconds.
10118 "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
10119 },
10120 "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
10121 # and time zone are either specified elsewhere or are not significant. The date
10122 # is relative to the Proleptic Gregorian Calendar. This can represent:
10123 #
10124 # * A full date, with non-zero year, month and day values
10125 # * A month and day value, with a zero year, e.g. an anniversary
10126 # * A year on its own, with zero month and day values
10127 # * A year and month value, with a zero day, e.g. a credit card expiration date
10128 #
10129 # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
10130 "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
10131 # a year.
10132 "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
10133 # if specifying a year by itself or a year and month where the day is not
10134 # significant.
10135 "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
10136 # month and day.
10137 },
10138 "stringValue": "A String",
10139 "booleanValue": True or False,
10140 "integerValue": "A String",
10141 },
10142 },
10143 ],
10144 },
10145 "cryptoReplaceFfxFpeConfig": { # Replaces an identifier with a surrogate using Format Preserving Encryption
10146 # (FPE) with the FFX mode of operation; however when used in the
10147 # `ReidentifyContent` API method, it serves the opposite function by reversing
10148 # the surrogate back into the original identifier. The identifier must be
10149 # encoded as ASCII. For a given crypto key and context, the same identifier
10150 # will be replaced with the same surrogate. Identifiers must be at least two
10151 # characters long. In the case that the identifier is the empty string, it will
10152 # be skipped. See https://cloud.google.com/dlp/docs/pseudonymization to learn
10153 # more.
10154 #
10155 # Note: We recommend using CryptoDeterministicConfig for all use cases which
10156 # do not require preserving the input alphabet space and size, plus warrant
10157 # referential integrity.
10158 "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the encryption algorithm. [required]
10159 # a key encryption key (KEK) stored by KMS).
10160 # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
10161 # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
10162 # unwrap the data crypto key.
10163 "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS.
10164 # The wrapped key must be a 128/192/256 bit key.
10165 # Authorization requires the following IAM permissions when sending a request
10166 # to perform a crypto transformation using a kms-wrapped crypto key:
10167 # dlp.kms.encrypt
10168 "cryptoKeyName": "A String", # The resource name of the KMS CryptoKey to use for unwrapping. [required]
10169 "wrappedKey": "A String", # The wrapped data crypto key. [required]
10170 },
10171 "unwrapped": { # Using raw keys is prone to security risks due to accidentally
10172 # leaking the key. Choose another type of key if possible.
10173 "key": "A String", # A 128/192/256 bit key. [required]
10174 },
10175 "transient": { # Use this to have a random data crypto key generated.
10176 # It will be discarded after the request finishes.
10177 "name": "A String", # Name of the key. [required]
10178 # This is an arbitrary string used to differentiate different keys.
10179 # A unique key is generated per name: two separate `TransientCryptoKey`
10180 # protos share the same generated key if their names are the same.
10181 # When the data crypto key is generated, this name is not used in any way
10182 # (repeating the api call will result in a different key being generated).
10183 },
10184 },
10185 "radix": 42, # The native way to select the alphabet. Must be in the range [2, 62].
10186 "commonAlphabet": "A String",
10187 "customAlphabet": "A String", # This is supported by mapping these to the alphanumeric characters
10188 # that the FFX mode natively supports. This happens before/after
10189 # encryption/decryption.
10190 # Each character listed must appear only once.
10191 # Number of characters must be in the range [2, 62].
10192 # This must be encoded as ASCII.
10193 # The order of characters does not matter.
10194 "context": { # General identifier of a data field in a storage service. # The 'tweak', a context may be used for higher security since the same
10195 # identifier in two different contexts won't be given the same surrogate. If
10196 # the context is not set, a default tweak will be used.
10197 #
10198 # If the context is set but:
10199 #
10200 # 1. there is no record present when transforming a given value or
10201 # 1. the field is not present when transforming a given value,
10202 #
10203 # a default tweak will be used.
10204 #
10205 # Note that case (1) is expected when an `InfoTypeTransformation` is
10206 # applied to both structured and non-structured `ContentItem`s.
10207 # Currently, the referenced field may be of value type integer or string.
10208 #
10209 # The tweak is constructed as a sequence of bytes in big endian byte order
10210 # such that:
10211 #
10212 # - a 64 bit integer is encoded followed by a single byte of value 1
10213 # - a string is encoded in UTF-8 format followed by a single byte of value 2
10214 "name": "A String", # Name describing the field.
10215 },
10216 "surrogateInfoType": { # Type of information detected by the API. # The custom infoType to annotate the surrogate with.
10217 # This annotation will be applied to the surrogate by prefixing it with
10218 # the name of the custom infoType followed by the number of
10219 # characters comprising the surrogate. The following scheme defines the
10220 # format: info_type_name(surrogate_character_count):surrogate
10221 #
10222 # For example, if the name of custom infoType is 'MY_TOKEN_INFO_TYPE' and
10223 # the surrogate is 'abc', the full replacement value
10224 # will be: 'MY_TOKEN_INFO_TYPE(3):abc'
10225 #
10226 # This annotation identifies the surrogate when inspecting content using the
10227 # custom infoType
10228 # [`SurrogateType`](/dlp/docs/reference/rest/v2/InspectConfig#surrogatetype).
10229 # This facilitates reversal of the surrogate when it occurs in free text.
10230 #
10231 # In order for inspection to work properly, the name of this infoType must
10232 # not occur naturally anywhere in your data; otherwise, inspection may
10233 # find a surrogate that does not correspond to an actual identifier.
10234 # Therefore, choose your custom infoType name carefully after considering
10235 # what your data looks like. One way to select a name that has a high chance
10236 # of yielding reliable detection is to include one or more unicode characters
10237 # that are highly improbable to exist in your data.
10238 # For example, assuming your data is entered from a regular ASCII keyboard,
10239 # the symbol with the hex code point 29DD might be used like so:
10240 # ⧝MY_TOKEN_TYPE
10241 "name": "A String", # Name of the information type. Either a name of your choosing when
10242 # creating a CustomInfoType, or one of the names listed
10243 # at https://cloud.google.com/dlp/docs/infotypes-reference when specifying
10244 # a built-in type. InfoType names should conform to the pattern
10245 # [a-zA-Z0-9_]{1,64}.
10246 },
10247 },
10248 "replaceConfig": { # Replace each input value with a given `Value`.
10249 "newValue": { # Set of primitive values supported by the system. # Value to replace it with.
10250 # Note that for the purposes of inspection or transformation, the number
10251 # of bytes considered to comprise a 'Value' is based on its representation
10252 # as a UTF-8 encoded string. For example, if 'integer_value' is set to
10253 # 123456789, the number of bytes would be counted as 9, even though an
10254 # int64 only holds up to 8 bytes of data.
10255 "floatValue": 3.14,
10256 "timestampValue": "A String",
10257 "dayOfWeekValue": "A String",
10258 "timeValue": { # Represents a time of day. The date and time zone are either not significant
10259 # or are specified elsewhere. An API may choose to allow leap seconds. Related
10260 # types are google.type.Date and `google.protobuf.Timestamp`.
10261 "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
10262 # to allow the value "24:00:00" for scenarios like business closing time.
10263 "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
10264 "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
10265 # allow the value 60 if it allows leap-seconds.
10266 "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
10267 },
10268 "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
10269 # and time zone are either specified elsewhere or are not significant. The date
10270 # is relative to the Proleptic Gregorian Calendar. This can represent:
10271 #
10272 # * A full date, with non-zero year, month and day values
10273 # * A month and day value, with a zero year, e.g. an anniversary
10274 # * A year on its own, with zero month and day values
10275 # * A year and month value, with a zero day, e.g. a credit card expiration date
10276 #
10277 # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
10278 "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
10279 # a year.
10280 "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
10281 # if specifying a year by itself or a year and month where the day is not
10282 # significant.
10283 "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
10284 # month and day.
10285 },
10286 "stringValue": "A String",
10287 "booleanValue": True or False,
10288 "integerValue": "A String",
10289 },
10290 },
10291 },
10292 "condition": { # A condition for determining whether a transformation should be applied to # Only apply the transformation if the condition evaluates to true for the
10293 # given `RecordCondition`. The conditions are allowed to reference fields
10294 # that are not used in the actual transformation. [optional]
10295 #
10296 # Example Use Cases:
10297 #
10298 # - Apply a different bucket transformation to an age column if the zip code
10299 # column for the same record is within a specific range.
10300 # - Redact a field if the date of birth field is greater than 85.
10301 # a field.
10302 "expressions": { # An expression, consisting or an operator and conditions. # An expression.
10303 "conditions": { # A collection of conditions.
10304 "conditions": [
10305 { # The field type of `value` and `field` do not need to match to be
10306 # considered equal, but not all comparisons are possible.
10307 # EQUAL_TO and NOT_EQUAL_TO attempt to compare even with incompatible types,
10308 # but all other comparisons are invalid with incompatible types.
10309 # A `value` of type:
10310 #
10311 # - `string` can be compared against all other types
10312 # - `boolean` can only be compared against other booleans
10313 # - `integer` can be compared against doubles or a string if the string value
10314 # can be parsed as an integer.
10315 # - `double` can be compared against integers or a string if the string can
10316 # be parsed as a double.
10317 # - `Timestamp` can be compared against strings in RFC 3339 date string
10318 # format.
10319 # - `TimeOfDay` can be compared against timestamps and strings in the format
10320 # of 'HH:mm:ss'.
10321 #
10322 # If we fail to compare do to type mismatch, a warning will be given and
10323 # the condition will evaluate to false.
10324 "operator": "A String", # Operator used to compare the field or infoType to the value. [required]
10325 "field": { # General identifier of a data field in a storage service. # Field within the record this condition is evaluated against. [required]
10326 "name": "A String", # Name describing the field.
10327 },
10328 "value": { # Set of primitive values supported by the system. # Value to compare against. [Required, except for `EXISTS` tests.]
10329 # Note that for the purposes of inspection or transformation, the number
10330 # of bytes considered to comprise a 'Value' is based on its representation
10331 # as a UTF-8 encoded string. For example, if 'integer_value' is set to
10332 # 123456789, the number of bytes would be counted as 9, even though an
10333 # int64 only holds up to 8 bytes of data.
10334 "floatValue": 3.14,
10335 "timestampValue": "A String",
10336 "dayOfWeekValue": "A String",
10337 "timeValue": { # Represents a time of day. The date and time zone are either not significant
10338 # or are specified elsewhere. An API may choose to allow leap seconds. Related
10339 # types are google.type.Date and `google.protobuf.Timestamp`.
10340 "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
10341 # to allow the value "24:00:00" for scenarios like business closing time.
10342 "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
10343 "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
10344 # allow the value 60 if it allows leap-seconds.
10345 "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
10346 },
10347 "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
10348 # and time zone are either specified elsewhere or are not significant. The date
10349 # is relative to the Proleptic Gregorian Calendar. This can represent:
10350 #
10351 # * A full date, with non-zero year, month and day values
10352 # * A month and day value, with a zero year, e.g. an anniversary
10353 # * A year on its own, with zero month and day values
10354 # * A year and month value, with a zero day, e.g. a credit card expiration date
10355 #
10356 # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
10357 "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
10358 # a year.
10359 "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
10360 # if specifying a year by itself or a year and month where the day is not
10361 # significant.
10362 "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
10363 # month and day.
10364 },
10365 "stringValue": "A String",
10366 "booleanValue": True or False,
10367 "integerValue": "A String",
10368 },
10369 },
10370 ],
10371 },
10372 "logicalOperator": "A String", # The operator to apply to the result of conditions. Default and currently
10373 # only supported value is `AND`.
10374 },
10375 },
10376 "fields": [ # Input field(s) to apply the transformation to. [required]
10377 { # General identifier of a data field in a storage service.
10378 "name": "A String", # Name describing the field.
10379 },
10380 ],
10381 },
10382 ],
10383 },
10384 },
10385 "createTime": "A String", # The creation timestamp of a inspectTemplate, output only field.
10386 "name": "A String", # The template name. Output only.
10387 #
10388 # The template will have one of the following formats:
10389 # `projects/PROJECT_ID/deidentifyTemplates/TEMPLATE_ID` OR
10390 # `organizations/ORGANIZATION_ID/deidentifyTemplates/TEMPLATE_ID`
10391 },
10392 "updateMask": "A String", # Mask to control which fields get updated.
10393 }
10394
10395 x__xgafv: string, V1 error format.
10396 Allowed values
10397 1 - v1 error format
10398 2 - v2 error format
10399
10400Returns:
10401 An object of the form:
10402
10403 { # The DeidentifyTemplates contains instructions on how to deidentify content.
10404 # See https://cloud.google.com/dlp/docs/concepts-templates to learn more.
10405 "updateTime": "A String", # The last update timestamp of a inspectTemplate, output only field.
10406 "displayName": "A String", # Display name (max 256 chars).
10407 "description": "A String", # Short description (max 256 chars).
10408 "deidentifyConfig": { # The configuration that controls how the data will change. # ///////////// // The core content of the template // ///////////////
10409 "infoTypeTransformations": { # A type of transformation that will scan unstructured text and # Treat the dataset as free-form text and apply the same free text
10410 # transformation everywhere.
10411 # apply various `PrimitiveTransformation`s to each finding, where the
10412 # transformation is applied to only values that were identified as a specific
10413 # info_type.
10414 "transformations": [ # Transformation for each infoType. Cannot specify more than one
10415 # for a given infoType. [required]
10416 { # A transformation to apply to text that is identified as a specific
10417 # info_type.
10418 "primitiveTransformation": { # A rule for transforming a value. # Primitive transformation to apply to the infoType. [required]
10419 "characterMaskConfig": { # Partially mask a string by replacing a given number of characters with a
10420 # fixed character. Masking can start from the beginning or end of the string.
10421 # This can be used on data of any type (numbers, longs, and so on) and when
10422 # de-identifying structured data we'll attempt to preserve the original data's
10423 # type. (This allows you to take a long like 123 and modify it to a string like
10424 # **3.
10425 "charactersToIgnore": [ # When masking a string, items in this list will be skipped when replacing.
10426 # For example, if your string is 555-555-5555 and you ask us to skip `-` and
10427 # mask 5 chars with * we would produce ***-*55-5555.
10428 { # Characters to skip when doing deidentification of a value. These will be left
10429 # alone and skipped.
10430 "commonCharactersToIgnore": "A String",
10431 "charactersToSkip": "A String",
10432 },
10433 ],
10434 "numberToMask": 42, # Number of characters to mask. If not set, all matching chars will be
10435 # masked. Skipped characters do not count towards this tally.
10436 "maskingCharacter": "A String", # Character to mask the sensitive values&mdash;for example, "*" for an
10437 # alphabetic string such as name, or "0" for a numeric string such as ZIP
10438 # code or credit card number. String must have length 1. If not supplied, we
10439 # will default to "*" for strings, 0 for digits.
10440 "reverseOrder": True or False, # Mask characters in reverse order. For example, if `masking_character` is
10441 # '0', number_to_mask is 14, and `reverse_order` is false, then
10442 # 1234-5678-9012-3456 -> 00000000000000-3456
10443 # If `masking_character` is '*', `number_to_mask` is 3, and `reverse_order`
10444 # is true, then 12345 -> 12***
10445 },
10446 "redactConfig": { # Redact a given value. For example, if used with an `InfoTypeTransformation`
10447 # transforming PHONE_NUMBER, and input 'My phone number is 206-555-0123', the
10448 # output would be 'My phone number is '.
10449 },
10450 "cryptoDeterministicConfig": { # Pseudonymization method that generates deterministic encryption for the given
10451 # input. Outputs a base64 encoded representation of the encrypted output.
10452 # Uses AES-SIV based on the RFC https://tools.ietf.org/html/rfc5297.
10453 "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the encryption function.
10454 # a key encryption key (KEK) stored by KMS).
10455 # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
10456 # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
10457 # unwrap the data crypto key.
10458 "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS.
10459 # The wrapped key must be a 128/192/256 bit key.
10460 # Authorization requires the following IAM permissions when sending a request
10461 # to perform a crypto transformation using a kms-wrapped crypto key:
10462 # dlp.kms.encrypt
10463 "cryptoKeyName": "A String", # The resource name of the KMS CryptoKey to use for unwrapping. [required]
10464 "wrappedKey": "A String", # The wrapped data crypto key. [required]
10465 },
10466 "unwrapped": { # Using raw keys is prone to security risks due to accidentally
10467 # leaking the key. Choose another type of key if possible.
10468 "key": "A String", # A 128/192/256 bit key. [required]
10469 },
10470 "transient": { # Use this to have a random data crypto key generated.
10471 # It will be discarded after the request finishes.
10472 "name": "A String", # Name of the key. [required]
10473 # This is an arbitrary string used to differentiate different keys.
10474 # A unique key is generated per name: two separate `TransientCryptoKey`
10475 # protos share the same generated key if their names are the same.
10476 # When the data crypto key is generated, this name is not used in any way
10477 # (repeating the api call will result in a different key being generated).
10478 },
10479 },
10480 "context": { # General identifier of a data field in a storage service. # Optional. A context may be used for higher security and maintaining
10481 # referential integrity such that the same identifier in two different
10482 # contexts will be given a distinct surrogate. The context is appended to
10483 # plaintext value being encrypted. On decryption the provided context is
10484 # validated against the value used during encryption. If a context was
10485 # provided during encryption, same context must be provided during decryption
10486 # as well.
10487 #
10488 # If the context is not set, plaintext would be used as is for encryption.
10489 # If the context is set but:
10490 #
10491 # 1. there is no record present when transforming a given value or
10492 # 2. the field is not present when transforming a given value,
10493 #
10494 # plaintext would be used as is for encryption.
10495 #
10496 # Note that case (1) is expected when an `InfoTypeTransformation` is
10497 # applied to both structured and non-structured `ContentItem`s.
10498 "name": "A String", # Name describing the field.
10499 },
10500 "surrogateInfoType": { # Type of information detected by the API. # The custom info type to annotate the surrogate with.
10501 # This annotation will be applied to the surrogate by prefixing it with
10502 # the name of the custom info type followed by the number of
10503 # characters comprising the surrogate. The following scheme defines the
10504 # format: <info type name>(<surrogate character count>):<surrogate>
10505 #
10506 # For example, if the name of custom info type is 'MY_TOKEN_INFO_TYPE' and
10507 # the surrogate is 'abc', the full replacement value
10508 # will be: 'MY_TOKEN_INFO_TYPE(3):abc'
10509 #
10510 # This annotation identifies the surrogate when inspecting content using the
10511 # custom info type 'Surrogate'. This facilitates reversal of the
10512 # surrogate when it occurs in free text.
10513 #
10514 # In order for inspection to work properly, the name of this info type must
10515 # not occur naturally anywhere in your data; otherwise, inspection may either
10516 #
10517 # - reverse a surrogate that does not correspond to an actual identifier
10518 # - be unable to parse the surrogate and result in an error
10519 #
10520 # Therefore, choose your custom info type name carefully after considering
10521 # what your data looks like. One way to select a name that has a high chance
10522 # of yielding reliable detection is to include one or more unicode characters
10523 # that are highly improbable to exist in your data.
10524 # For example, assuming your data is entered from a regular ASCII keyboard,
10525 # the symbol with the hex code point 29DD might be used like so:
10526 # ⧝MY_TOKEN_TYPE
10527 "name": "A String", # Name of the information type. Either a name of your choosing when
10528 # creating a CustomInfoType, or one of the names listed
10529 # at https://cloud.google.com/dlp/docs/infotypes-reference when specifying
10530 # a built-in type. InfoType names should conform to the pattern
10531 # [a-zA-Z0-9_]{1,64}.
10532 },
10533 },
10534 "fixedSizeBucketingConfig": { # Buckets values based on fixed size ranges. The
10535 # Bucketing transformation can provide all of this functionality,
10536 # but requires more configuration. This message is provided as a convenience to
10537 # the user for simple bucketing strategies.
10538 #
10539 # The transformed value will be a hyphenated string of
10540 # <lower_bound>-<upper_bound>, i.e if lower_bound = 10 and upper_bound = 20
10541 # all values that are within this bucket will be replaced with "10-20".
10542 #
10543 # This can be used on data of type: double, long.
10544 #
10545 # If the bound Value type differs from the type of data
10546 # being transformed, we will first attempt converting the type of the data to
10547 # be transformed to match the type of the bound before comparing.
10548 #
10549 # See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more.
10550 "lowerBound": { # Set of primitive values supported by the system. # Lower bound value of buckets. All values less than `lower_bound` are
10551 # grouped together into a single bucket; for example if `lower_bound` = 10,
10552 # then all values less than 10 are replaced with the value “-10”. [Required].
10553 # Note that for the purposes of inspection or transformation, the number
10554 # of bytes considered to comprise a 'Value' is based on its representation
10555 # as a UTF-8 encoded string. For example, if 'integer_value' is set to
10556 # 123456789, the number of bytes would be counted as 9, even though an
10557 # int64 only holds up to 8 bytes of data.
10558 "floatValue": 3.14,
10559 "timestampValue": "A String",
10560 "dayOfWeekValue": "A String",
10561 "timeValue": { # Represents a time of day. The date and time zone are either not significant
10562 # or are specified elsewhere. An API may choose to allow leap seconds. Related
10563 # types are google.type.Date and `google.protobuf.Timestamp`.
10564 "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
10565 # to allow the value "24:00:00" for scenarios like business closing time.
10566 "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
10567 "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
10568 # allow the value 60 if it allows leap-seconds.
10569 "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
10570 },
10571 "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
10572 # and time zone are either specified elsewhere or are not significant. The date
10573 # is relative to the Proleptic Gregorian Calendar. This can represent:
10574 #
10575 # * A full date, with non-zero year, month and day values
10576 # * A month and day value, with a zero year, e.g. an anniversary
10577 # * A year on its own, with zero month and day values
10578 # * A year and month value, with a zero day, e.g. a credit card expiration date
10579 #
10580 # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
10581 "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
10582 # a year.
10583 "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
10584 # if specifying a year by itself or a year and month where the day is not
10585 # significant.
10586 "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
10587 # month and day.
10588 },
10589 "stringValue": "A String",
10590 "booleanValue": True or False,
10591 "integerValue": "A String",
10592 },
10593 "upperBound": { # Set of primitive values supported by the system. # Upper bound value of buckets. All values greater than upper_bound are
10594 # grouped together into a single bucket; for example if `upper_bound` = 89,
10595 # then all values greater than 89 are replaced with the value “89+”.
10596 # [Required].
10597 # Note that for the purposes of inspection or transformation, the number
10598 # of bytes considered to comprise a 'Value' is based on its representation
10599 # as a UTF-8 encoded string. For example, if 'integer_value' is set to
10600 # 123456789, the number of bytes would be counted as 9, even though an
10601 # int64 only holds up to 8 bytes of data.
10602 "floatValue": 3.14,
10603 "timestampValue": "A String",
10604 "dayOfWeekValue": "A String",
10605 "timeValue": { # Represents a time of day. The date and time zone are either not significant
10606 # or are specified elsewhere. An API may choose to allow leap seconds. Related
10607 # types are google.type.Date and `google.protobuf.Timestamp`.
10608 "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
10609 # to allow the value "24:00:00" for scenarios like business closing time.
10610 "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
10611 "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
10612 # allow the value 60 if it allows leap-seconds.
10613 "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
10614 },
10615 "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
10616 # and time zone are either specified elsewhere or are not significant. The date
10617 # is relative to the Proleptic Gregorian Calendar. This can represent:
10618 #
10619 # * A full date, with non-zero year, month and day values
10620 # * A month and day value, with a zero year, e.g. an anniversary
10621 # * A year on its own, with zero month and day values
10622 # * A year and month value, with a zero day, e.g. a credit card expiration date
10623 #
10624 # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
10625 "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
10626 # a year.
10627 "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
10628 # if specifying a year by itself or a year and month where the day is not
10629 # significant.
10630 "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
10631 # month and day.
10632 },
10633 "stringValue": "A String",
10634 "booleanValue": True or False,
10635 "integerValue": "A String",
10636 },
10637 "bucketSize": 3.14, # Size of each bucket (except for minimum and maximum buckets). So if
10638 # `lower_bound` = 10, `upper_bound` = 89, and `bucket_size` = 10, then the
10639 # following buckets would be used: -10, 10-20, 20-30, 30-40, 40-50, 50-60,
10640 # 60-70, 70-80, 80-89, 89+. Precision up to 2 decimals works. [Required].
10641 },
10642 "replaceWithInfoTypeConfig": { # Replace each matching finding with the name of the info_type.
10643 },
10644 "timePartConfig": { # For use with `Date`, `Timestamp`, and `TimeOfDay`, extract or preserve a
10645 # portion of the value.
10646 "partToExtract": "A String",
10647 },
10648 "cryptoHashConfig": { # Pseudonymization method that generates surrogates via cryptographic hashing.
10649 # Uses SHA-256.
10650 # The key size must be either 32 or 64 bytes.
10651 # Outputs a base64 encoded representation of the hashed output
10652 # (for example, L7k0BHmF1ha5U3NfGykjro4xWi1MPVQPjhMAZbSV9mM=).
10653 # Currently, only string and integer values can be hashed.
10654 # See https://cloud.google.com/dlp/docs/pseudonymization to learn more.
10655 "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the hash function.
10656 # a key encryption key (KEK) stored by KMS).
10657 # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
10658 # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
10659 # unwrap the data crypto key.
10660 "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS.
10661 # The wrapped key must be a 128/192/256 bit key.
10662 # Authorization requires the following IAM permissions when sending a request
10663 # to perform a crypto transformation using a kms-wrapped crypto key:
10664 # dlp.kms.encrypt
10665 "cryptoKeyName": "A String", # The resource name of the KMS CryptoKey to use for unwrapping. [required]
10666 "wrappedKey": "A String", # The wrapped data crypto key. [required]
10667 },
10668 "unwrapped": { # Using raw keys is prone to security risks due to accidentally
10669 # leaking the key. Choose another type of key if possible.
10670 "key": "A String", # A 128/192/256 bit key. [required]
10671 },
10672 "transient": { # Use this to have a random data crypto key generated.
10673 # It will be discarded after the request finishes.
10674 "name": "A String", # Name of the key. [required]
10675 # This is an arbitrary string used to differentiate different keys.
10676 # A unique key is generated per name: two separate `TransientCryptoKey`
10677 # protos share the same generated key if their names are the same.
10678 # When the data crypto key is generated, this name is not used in any way
10679 # (repeating the api call will result in a different key being generated).
10680 },
10681 },
10682 },
10683 "dateShiftConfig": { # Shifts dates by random number of days, with option to be consistent for the
10684 # same context. See https://cloud.google.com/dlp/docs/concepts-date-shifting
10685 # to learn more.
10686 "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # Causes the shift to be computed based on this key and the context. This
10687 # results in the same shift for the same context and crypto_key.
10688 # a key encryption key (KEK) stored by KMS).
10689 # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
10690 # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
10691 # unwrap the data crypto key.
10692 "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS.
10693 # The wrapped key must be a 128/192/256 bit key.
10694 # Authorization requires the following IAM permissions when sending a request
10695 # to perform a crypto transformation using a kms-wrapped crypto key:
10696 # dlp.kms.encrypt
10697 "cryptoKeyName": "A String", # The resource name of the KMS CryptoKey to use for unwrapping. [required]
10698 "wrappedKey": "A String", # The wrapped data crypto key. [required]
10699 },
10700 "unwrapped": { # Using raw keys is prone to security risks due to accidentally
10701 # leaking the key. Choose another type of key if possible.
10702 "key": "A String", # A 128/192/256 bit key. [required]
10703 },
10704 "transient": { # Use this to have a random data crypto key generated.
10705 # It will be discarded after the request finishes.
10706 "name": "A String", # Name of the key. [required]
10707 # This is an arbitrary string used to differentiate different keys.
10708 # A unique key is generated per name: two separate `TransientCryptoKey`
10709 # protos share the same generated key if their names are the same.
10710 # When the data crypto key is generated, this name is not used in any way
10711 # (repeating the api call will result in a different key being generated).
10712 },
10713 },
10714 "lowerBoundDays": 42, # For example, -5 means shift date to at most 5 days back in the past.
10715 # [Required]
10716 "upperBoundDays": 42, # Range of shift in days. Actual shift will be selected at random within this
10717 # range (inclusive ends). Negative means shift to earlier in time. Must not
10718 # be more than 365250 days (1000 years) each direction.
10719 #
10720 # For example, 3 means shift date to at most 3 days into the future.
10721 # [Required]
10722 "context": { # General identifier of a data field in a storage service. # Points to the field that contains the context, for example, an entity id.
10723 # If set, must also set method. If set, shift will be consistent for the
10724 # given context.
10725 "name": "A String", # Name describing the field.
10726 },
10727 },
10728 "bucketingConfig": { # Generalization function that buckets values based on ranges. The ranges and
10729 # replacement values are dynamically provided by the user for custom behavior,
10730 # such as 1-30 -> LOW 31-65 -> MEDIUM 66-100 -> HIGH
10731 # This can be used on
10732 # data of type: number, long, string, timestamp.
10733 # If the bound `Value` type differs from the type of data being transformed, we
10734 # will first attempt converting the type of the data to be transformed to match
10735 # the type of the bound before comparing.
10736 # See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more.
10737 "buckets": [ # Set of buckets. Ranges must be non-overlapping.
10738 { # Bucket is represented as a range, along with replacement values.
10739 "max": { # Set of primitive values supported by the system. # Upper bound of the range, exclusive; type must match min.
10740 # Note that for the purposes of inspection or transformation, the number
10741 # of bytes considered to comprise a 'Value' is based on its representation
10742 # as a UTF-8 encoded string. For example, if 'integer_value' is set to
10743 # 123456789, the number of bytes would be counted as 9, even though an
10744 # int64 only holds up to 8 bytes of data.
10745 "floatValue": 3.14,
10746 "timestampValue": "A String",
10747 "dayOfWeekValue": "A String",
10748 "timeValue": { # Represents a time of day. The date and time zone are either not significant
10749 # or are specified elsewhere. An API may choose to allow leap seconds. Related
10750 # types are google.type.Date and `google.protobuf.Timestamp`.
10751 "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
10752 # to allow the value "24:00:00" for scenarios like business closing time.
10753 "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
10754 "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
10755 # allow the value 60 if it allows leap-seconds.
10756 "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
10757 },
10758 "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
10759 # and time zone are either specified elsewhere or are not significant. The date
10760 # is relative to the Proleptic Gregorian Calendar. This can represent:
10761 #
10762 # * A full date, with non-zero year, month and day values
10763 # * A month and day value, with a zero year, e.g. an anniversary
10764 # * A year on its own, with zero month and day values
10765 # * A year and month value, with a zero day, e.g. a credit card expiration date
10766 #
10767 # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
10768 "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
10769 # a year.
10770 "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
10771 # if specifying a year by itself or a year and month where the day is not
10772 # significant.
10773 "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
10774 # month and day.
10775 },
10776 "stringValue": "A String",
10777 "booleanValue": True or False,
10778 "integerValue": "A String",
10779 },
10780 "replacementValue": { # Set of primitive values supported by the system. # Replacement value for this bucket. If not provided
10781 # the default behavior will be to hyphenate the min-max range.
10782 # Note that for the purposes of inspection or transformation, the number
10783 # of bytes considered to comprise a 'Value' is based on its representation
10784 # as a UTF-8 encoded string. For example, if 'integer_value' is set to
10785 # 123456789, the number of bytes would be counted as 9, even though an
10786 # int64 only holds up to 8 bytes of data.
10787 "floatValue": 3.14,
10788 "timestampValue": "A String",
10789 "dayOfWeekValue": "A String",
10790 "timeValue": { # Represents a time of day. The date and time zone are either not significant
10791 # or are specified elsewhere. An API may choose to allow leap seconds. Related
10792 # types are google.type.Date and `google.protobuf.Timestamp`.
10793 "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
10794 # to allow the value "24:00:00" for scenarios like business closing time.
10795 "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
10796 "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
10797 # allow the value 60 if it allows leap-seconds.
10798 "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
10799 },
10800 "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
10801 # and time zone are either specified elsewhere or are not significant. The date
10802 # is relative to the Proleptic Gregorian Calendar. This can represent:
10803 #
10804 # * A full date, with non-zero year, month and day values
10805 # * A month and day value, with a zero year, e.g. an anniversary
10806 # * A year on its own, with zero month and day values
10807 # * A year and month value, with a zero day, e.g. a credit card expiration date
10808 #
10809 # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
10810 "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
10811 # a year.
10812 "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
10813 # if specifying a year by itself or a year and month where the day is not
10814 # significant.
10815 "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
10816 # month and day.
10817 },
10818 "stringValue": "A String",
10819 "booleanValue": True or False,
10820 "integerValue": "A String",
10821 },
10822 "min": { # Set of primitive values supported by the system. # Lower bound of the range, inclusive. Type should be the same as max if
10823 # used.
10824 # Note that for the purposes of inspection or transformation, the number
10825 # of bytes considered to comprise a 'Value' is based on its representation
10826 # as a UTF-8 encoded string. For example, if 'integer_value' is set to
10827 # 123456789, the number of bytes would be counted as 9, even though an
10828 # int64 only holds up to 8 bytes of data.
10829 "floatValue": 3.14,
10830 "timestampValue": "A String",
10831 "dayOfWeekValue": "A String",
10832 "timeValue": { # Represents a time of day. The date and time zone are either not significant
10833 # or are specified elsewhere. An API may choose to allow leap seconds. Related
10834 # types are google.type.Date and `google.protobuf.Timestamp`.
10835 "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
10836 # to allow the value "24:00:00" for scenarios like business closing time.
10837 "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
10838 "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
10839 # allow the value 60 if it allows leap-seconds.
10840 "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
10841 },
10842 "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
10843 # and time zone are either specified elsewhere or are not significant. The date
10844 # is relative to the Proleptic Gregorian Calendar. This can represent:
10845 #
10846 # * A full date, with non-zero year, month and day values
10847 # * A month and day value, with a zero year, e.g. an anniversary
10848 # * A year on its own, with zero month and day values
10849 # * A year and month value, with a zero day, e.g. a credit card expiration date
10850 #
10851 # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
10852 "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
10853 # a year.
10854 "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
10855 # if specifying a year by itself or a year and month where the day is not
10856 # significant.
10857 "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
10858 # month and day.
10859 },
10860 "stringValue": "A String",
10861 "booleanValue": True or False,
10862 "integerValue": "A String",
10863 },
10864 },
10865 ],
10866 },
10867 "cryptoReplaceFfxFpeConfig": { # Replaces an identifier with a surrogate using Format Preserving Encryption
10868 # (FPE) with the FFX mode of operation; however when used in the
10869 # `ReidentifyContent` API method, it serves the opposite function by reversing
10870 # the surrogate back into the original identifier. The identifier must be
10871 # encoded as ASCII. For a given crypto key and context, the same identifier
10872 # will be replaced with the same surrogate. Identifiers must be at least two
10873 # characters long. In the case that the identifier is the empty string, it will
10874 # be skipped. See https://cloud.google.com/dlp/docs/pseudonymization to learn
10875 # more.
10876 #
10877 # Note: We recommend using CryptoDeterministicConfig for all use cases which
10878 # do not require preserving the input alphabet space and size, plus warrant
10879 # referential integrity.
10880 "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the encryption algorithm. [required]
10881 # a key encryption key (KEK) stored by KMS).
10882 # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
10883 # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
10884 # unwrap the data crypto key.
10885 "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS.
10886 # The wrapped key must be a 128/192/256 bit key.
10887 # Authorization requires the following IAM permissions when sending a request
10888 # to perform a crypto transformation using a kms-wrapped crypto key:
10889 # dlp.kms.encrypt
10890 "cryptoKeyName": "A String", # The resource name of the KMS CryptoKey to use for unwrapping. [required]
10891 "wrappedKey": "A String", # The wrapped data crypto key. [required]
10892 },
10893 "unwrapped": { # Using raw keys is prone to security risks due to accidentally
10894 # leaking the key. Choose another type of key if possible.
10895 "key": "A String", # A 128/192/256 bit key. [required]
10896 },
10897 "transient": { # Use this to have a random data crypto key generated.
10898 # It will be discarded after the request finishes.
10899 "name": "A String", # Name of the key. [required]
10900 # This is an arbitrary string used to differentiate different keys.
10901 # A unique key is generated per name: two separate `TransientCryptoKey`
10902 # protos share the same generated key if their names are the same.
10903 # When the data crypto key is generated, this name is not used in any way
10904 # (repeating the api call will result in a different key being generated).
10905 },
10906 },
10907 "radix": 42, # The native way to select the alphabet. Must be in the range [2, 62].
10908 "commonAlphabet": "A String",
10909 "customAlphabet": "A String", # This is supported by mapping these to the alphanumeric characters
10910 # that the FFX mode natively supports. This happens before/after
10911 # encryption/decryption.
10912 # Each character listed must appear only once.
10913 # Number of characters must be in the range [2, 62].
10914 # This must be encoded as ASCII.
10915 # The order of characters does not matter.
10916 "context": { # General identifier of a data field in a storage service. # The 'tweak', a context may be used for higher security since the same
10917 # identifier in two different contexts won't be given the same surrogate. If
10918 # the context is not set, a default tweak will be used.
10919 #
10920 # If the context is set but:
10921 #
10922 # 1. there is no record present when transforming a given value or
10923 # 1. the field is not present when transforming a given value,
10924 #
10925 # a default tweak will be used.
10926 #
10927 # Note that case (1) is expected when an `InfoTypeTransformation` is
10928 # applied to both structured and non-structured `ContentItem`s.
10929 # Currently, the referenced field may be of value type integer or string.
10930 #
10931 # The tweak is constructed as a sequence of bytes in big endian byte order
10932 # such that:
10933 #
10934 # - a 64 bit integer is encoded followed by a single byte of value 1
10935 # - a string is encoded in UTF-8 format followed by a single byte of value 2
10936 "name": "A String", # Name describing the field.
10937 },
10938 "surrogateInfoType": { # Type of information detected by the API. # The custom infoType to annotate the surrogate with.
10939 # This annotation will be applied to the surrogate by prefixing it with
10940 # the name of the custom infoType followed by the number of
10941 # characters comprising the surrogate. The following scheme defines the
10942 # format: info_type_name(surrogate_character_count):surrogate
10943 #
10944 # For example, if the name of custom infoType is 'MY_TOKEN_INFO_TYPE' and
10945 # the surrogate is 'abc', the full replacement value
10946 # will be: 'MY_TOKEN_INFO_TYPE(3):abc'
10947 #
10948 # This annotation identifies the surrogate when inspecting content using the
10949 # custom infoType
10950 # [`SurrogateType`](/dlp/docs/reference/rest/v2/InspectConfig#surrogatetype).
10951 # This facilitates reversal of the surrogate when it occurs in free text.
10952 #
10953 # In order for inspection to work properly, the name of this infoType must
10954 # not occur naturally anywhere in your data; otherwise, inspection may
10955 # find a surrogate that does not correspond to an actual identifier.
10956 # Therefore, choose your custom infoType name carefully after considering
10957 # what your data looks like. One way to select a name that has a high chance
10958 # of yielding reliable detection is to include one or more unicode characters
10959 # that are highly improbable to exist in your data.
10960 # For example, assuming your data is entered from a regular ASCII keyboard,
10961 # the symbol with the hex code point 29DD might be used like so:
10962 # ⧝MY_TOKEN_TYPE
10963 "name": "A String", # Name of the information type. Either a name of your choosing when
10964 # creating a CustomInfoType, or one of the names listed
10965 # at https://cloud.google.com/dlp/docs/infotypes-reference when specifying
10966 # a built-in type. InfoType names should conform to the pattern
10967 # [a-zA-Z0-9_]{1,64}.
10968 },
10969 },
10970 "replaceConfig": { # Replace each input value with a given `Value`.
10971 "newValue": { # Set of primitive values supported by the system. # Value to replace it with.
10972 # Note that for the purposes of inspection or transformation, the number
10973 # of bytes considered to comprise a 'Value' is based on its representation
10974 # as a UTF-8 encoded string. For example, if 'integer_value' is set to
10975 # 123456789, the number of bytes would be counted as 9, even though an
10976 # int64 only holds up to 8 bytes of data.
10977 "floatValue": 3.14,
10978 "timestampValue": "A String",
10979 "dayOfWeekValue": "A String",
10980 "timeValue": { # Represents a time of day. The date and time zone are either not significant
10981 # or are specified elsewhere. An API may choose to allow leap seconds. Related
10982 # types are google.type.Date and `google.protobuf.Timestamp`.
10983 "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
10984 # to allow the value "24:00:00" for scenarios like business closing time.
10985 "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
10986 "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
10987 # allow the value 60 if it allows leap-seconds.
10988 "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
10989 },
10990 "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
10991 # and time zone are either specified elsewhere or are not significant. The date
10992 # is relative to the Proleptic Gregorian Calendar. This can represent:
10993 #
10994 # * A full date, with non-zero year, month and day values
10995 # * A month and day value, with a zero year, e.g. an anniversary
10996 # * A year on its own, with zero month and day values
10997 # * A year and month value, with a zero day, e.g. a credit card expiration date
10998 #
10999 # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
11000 "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
11001 # a year.
11002 "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
11003 # if specifying a year by itself or a year and month where the day is not
11004 # significant.
11005 "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
11006 # month and day.
11007 },
11008 "stringValue": "A String",
11009 "booleanValue": True or False,
11010 "integerValue": "A String",
11011 },
11012 },
11013 },
11014 "infoTypes": [ # InfoTypes to apply the transformation to. An empty list will cause
11015 # this transformation to apply to all findings that correspond to
11016 # infoTypes that were requested in `InspectConfig`.
11017 { # Type of information detected by the API.
11018 "name": "A String", # Name of the information type. Either a name of your choosing when
11019 # creating a CustomInfoType, or one of the names listed
11020 # at https://cloud.google.com/dlp/docs/infotypes-reference when specifying
11021 # a built-in type. InfoType names should conform to the pattern
11022 # [a-zA-Z0-9_]{1,64}.
11023 },
11024 ],
11025 },
11026 ],
11027 },
11028 "recordTransformations": { # A type of transformation that is applied over structured data such as a # Treat the dataset as structured. Transformations can be applied to
11029 # specific locations within structured datasets, such as transforming
11030 # a column within a table.
11031 # table.
11032 "recordSuppressions": [ # Configuration defining which records get suppressed entirely. Records that
11033 # match any suppression rule are omitted from the output [optional].
11034 { # Configuration to suppress records whose suppression conditions evaluate to
11035 # true.
11036 "condition": { # A condition for determining whether a transformation should be applied to # A condition that when it evaluates to true will result in the record being
11037 # evaluated to be suppressed from the transformed content.
11038 # a field.
11039 "expressions": { # An expression, consisting or an operator and conditions. # An expression.
11040 "conditions": { # A collection of conditions.
11041 "conditions": [
11042 { # The field type of `value` and `field` do not need to match to be
11043 # considered equal, but not all comparisons are possible.
11044 # EQUAL_TO and NOT_EQUAL_TO attempt to compare even with incompatible types,
11045 # but all other comparisons are invalid with incompatible types.
11046 # A `value` of type:
11047 #
11048 # - `string` can be compared against all other types
11049 # - `boolean` can only be compared against other booleans
11050 # - `integer` can be compared against doubles or a string if the string value
11051 # can be parsed as an integer.
11052 # - `double` can be compared against integers or a string if the string can
11053 # be parsed as a double.
11054 # - `Timestamp` can be compared against strings in RFC 3339 date string
11055 # format.
11056 # - `TimeOfDay` can be compared against timestamps and strings in the format
11057 # of 'HH:mm:ss'.
11058 #
11059 # If we fail to compare do to type mismatch, a warning will be given and
11060 # the condition will evaluate to false.
11061 "operator": "A String", # Operator used to compare the field or infoType to the value. [required]
11062 "field": { # General identifier of a data field in a storage service. # Field within the record this condition is evaluated against. [required]
11063 "name": "A String", # Name describing the field.
11064 },
11065 "value": { # Set of primitive values supported by the system. # Value to compare against. [Required, except for `EXISTS` tests.]
11066 # Note that for the purposes of inspection or transformation, the number
11067 # of bytes considered to comprise a 'Value' is based on its representation
11068 # as a UTF-8 encoded string. For example, if 'integer_value' is set to
11069 # 123456789, the number of bytes would be counted as 9, even though an
11070 # int64 only holds up to 8 bytes of data.
11071 "floatValue": 3.14,
11072 "timestampValue": "A String",
11073 "dayOfWeekValue": "A String",
11074 "timeValue": { # Represents a time of day. The date and time zone are either not significant
11075 # or are specified elsewhere. An API may choose to allow leap seconds. Related
11076 # types are google.type.Date and `google.protobuf.Timestamp`.
11077 "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
11078 # to allow the value "24:00:00" for scenarios like business closing time.
11079 "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
11080 "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
11081 # allow the value 60 if it allows leap-seconds.
11082 "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
11083 },
11084 "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
11085 # and time zone are either specified elsewhere or are not significant. The date
11086 # is relative to the Proleptic Gregorian Calendar. This can represent:
11087 #
11088 # * A full date, with non-zero year, month and day values
11089 # * A month and day value, with a zero year, e.g. an anniversary
11090 # * A year on its own, with zero month and day values
11091 # * A year and month value, with a zero day, e.g. a credit card expiration date
11092 #
11093 # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
11094 "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
11095 # a year.
11096 "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
11097 # if specifying a year by itself or a year and month where the day is not
11098 # significant.
11099 "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
11100 # month and day.
11101 },
11102 "stringValue": "A String",
11103 "booleanValue": True or False,
11104 "integerValue": "A String",
11105 },
11106 },
11107 ],
11108 },
11109 "logicalOperator": "A String", # The operator to apply to the result of conditions. Default and currently
11110 # only supported value is `AND`.
11111 },
11112 },
11113 },
11114 ],
11115 "fieldTransformations": [ # Transform the record by applying various field transformations.
11116 { # The transformation to apply to the field.
11117 "infoTypeTransformations": { # A type of transformation that will scan unstructured text and # Treat the contents of the field as free text, and selectively
11118 # transform content that matches an `InfoType`.
11119 # apply various `PrimitiveTransformation`s to each finding, where the
11120 # transformation is applied to only values that were identified as a specific
11121 # info_type.
11122 "transformations": [ # Transformation for each infoType. Cannot specify more than one
11123 # for a given infoType. [required]
11124 { # A transformation to apply to text that is identified as a specific
11125 # info_type.
11126 "primitiveTransformation": { # A rule for transforming a value. # Primitive transformation to apply to the infoType. [required]
11127 "characterMaskConfig": { # Partially mask a string by replacing a given number of characters with a
11128 # fixed character. Masking can start from the beginning or end of the string.
11129 # This can be used on data of any type (numbers, longs, and so on) and when
11130 # de-identifying structured data we'll attempt to preserve the original data's
11131 # type. (This allows you to take a long like 123 and modify it to a string like
11132 # **3.
11133 "charactersToIgnore": [ # When masking a string, items in this list will be skipped when replacing.
11134 # For example, if your string is 555-555-5555 and you ask us to skip `-` and
11135 # mask 5 chars with * we would produce ***-*55-5555.
11136 { # Characters to skip when doing deidentification of a value. These will be left
11137 # alone and skipped.
11138 "commonCharactersToIgnore": "A String",
11139 "charactersToSkip": "A String",
11140 },
11141 ],
11142 "numberToMask": 42, # Number of characters to mask. If not set, all matching chars will be
11143 # masked. Skipped characters do not count towards this tally.
11144 "maskingCharacter": "A String", # Character to mask the sensitive values&mdash;for example, "*" for an
11145 # alphabetic string such as name, or "0" for a numeric string such as ZIP
11146 # code or credit card number. String must have length 1. If not supplied, we
11147 # will default to "*" for strings, 0 for digits.
11148 "reverseOrder": True or False, # Mask characters in reverse order. For example, if `masking_character` is
11149 # '0', number_to_mask is 14, and `reverse_order` is false, then
11150 # 1234-5678-9012-3456 -> 00000000000000-3456
11151 # If `masking_character` is '*', `number_to_mask` is 3, and `reverse_order`
11152 # is true, then 12345 -> 12***
11153 },
11154 "redactConfig": { # Redact a given value. For example, if used with an `InfoTypeTransformation`
11155 # transforming PHONE_NUMBER, and input 'My phone number is 206-555-0123', the
11156 # output would be 'My phone number is '.
11157 },
11158 "cryptoDeterministicConfig": { # Pseudonymization method that generates deterministic encryption for the given
11159 # input. Outputs a base64 encoded representation of the encrypted output.
11160 # Uses AES-SIV based on the RFC https://tools.ietf.org/html/rfc5297.
11161 "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the encryption function.
11162 # a key encryption key (KEK) stored by KMS).
11163 # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
11164 # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
11165 # unwrap the data crypto key.
11166 "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS.
11167 # The wrapped key must be a 128/192/256 bit key.
11168 # Authorization requires the following IAM permissions when sending a request
11169 # to perform a crypto transformation using a kms-wrapped crypto key:
11170 # dlp.kms.encrypt
11171 "cryptoKeyName": "A String", # The resource name of the KMS CryptoKey to use for unwrapping. [required]
11172 "wrappedKey": "A String", # The wrapped data crypto key. [required]
11173 },
11174 "unwrapped": { # Using raw keys is prone to security risks due to accidentally
11175 # leaking the key. Choose another type of key if possible.
11176 "key": "A String", # A 128/192/256 bit key. [required]
11177 },
11178 "transient": { # Use this to have a random data crypto key generated.
11179 # It will be discarded after the request finishes.
11180 "name": "A String", # Name of the key. [required]
11181 # This is an arbitrary string used to differentiate different keys.
11182 # A unique key is generated per name: two separate `TransientCryptoKey`
11183 # protos share the same generated key if their names are the same.
11184 # When the data crypto key is generated, this name is not used in any way
11185 # (repeating the api call will result in a different key being generated).
11186 },
11187 },
11188 "context": { # General identifier of a data field in a storage service. # Optional. A context may be used for higher security and maintaining
11189 # referential integrity such that the same identifier in two different
11190 # contexts will be given a distinct surrogate. The context is appended to
11191 # plaintext value being encrypted. On decryption the provided context is
11192 # validated against the value used during encryption. If a context was
11193 # provided during encryption, same context must be provided during decryption
11194 # as well.
11195 #
11196 # If the context is not set, plaintext would be used as is for encryption.
11197 # If the context is set but:
11198 #
11199 # 1. there is no record present when transforming a given value or
11200 # 2. the field is not present when transforming a given value,
11201 #
11202 # plaintext would be used as is for encryption.
11203 #
11204 # Note that case (1) is expected when an `InfoTypeTransformation` is
11205 # applied to both structured and non-structured `ContentItem`s.
11206 "name": "A String", # Name describing the field.
11207 },
11208 "surrogateInfoType": { # Type of information detected by the API. # The custom info type to annotate the surrogate with.
11209 # This annotation will be applied to the surrogate by prefixing it with
11210 # the name of the custom info type followed by the number of
11211 # characters comprising the surrogate. The following scheme defines the
11212 # format: <info type name>(<surrogate character count>):<surrogate>
11213 #
11214 # For example, if the name of custom info type is 'MY_TOKEN_INFO_TYPE' and
11215 # the surrogate is 'abc', the full replacement value
11216 # will be: 'MY_TOKEN_INFO_TYPE(3):abc'
11217 #
11218 # This annotation identifies the surrogate when inspecting content using the
11219 # custom info type 'Surrogate'. This facilitates reversal of the
11220 # surrogate when it occurs in free text.
11221 #
11222 # In order for inspection to work properly, the name of this info type must
11223 # not occur naturally anywhere in your data; otherwise, inspection may either
11224 #
11225 # - reverse a surrogate that does not correspond to an actual identifier
11226 # - be unable to parse the surrogate and result in an error
11227 #
11228 # Therefore, choose your custom info type name carefully after considering
11229 # what your data looks like. One way to select a name that has a high chance
11230 # of yielding reliable detection is to include one or more unicode characters
11231 # that are highly improbable to exist in your data.
11232 # For example, assuming your data is entered from a regular ASCII keyboard,
11233 # the symbol with the hex code point 29DD might be used like so:
11234 # ⧝MY_TOKEN_TYPE
11235 "name": "A String", # Name of the information type. Either a name of your choosing when
11236 # creating a CustomInfoType, or one of the names listed
11237 # at https://cloud.google.com/dlp/docs/infotypes-reference when specifying
11238 # a built-in type. InfoType names should conform to the pattern
11239 # [a-zA-Z0-9_]{1,64}.
11240 },
11241 },
11242 "fixedSizeBucketingConfig": { # Buckets values based on fixed size ranges. The
11243 # Bucketing transformation can provide all of this functionality,
11244 # but requires more configuration. This message is provided as a convenience to
11245 # the user for simple bucketing strategies.
11246 #
11247 # The transformed value will be a hyphenated string of
11248 # <lower_bound>-<upper_bound>, i.e if lower_bound = 10 and upper_bound = 20
11249 # all values that are within this bucket will be replaced with "10-20".
11250 #
11251 # This can be used on data of type: double, long.
11252 #
11253 # If the bound Value type differs from the type of data
11254 # being transformed, we will first attempt converting the type of the data to
11255 # be transformed to match the type of the bound before comparing.
11256 #
11257 # See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more.
11258 "lowerBound": { # Set of primitive values supported by the system. # Lower bound value of buckets. All values less than `lower_bound` are
11259 # grouped together into a single bucket; for example if `lower_bound` = 10,
11260 # then all values less than 10 are replaced with the value “-10”. [Required].
11261 # Note that for the purposes of inspection or transformation, the number
11262 # of bytes considered to comprise a 'Value' is based on its representation
11263 # as a UTF-8 encoded string. For example, if 'integer_value' is set to
11264 # 123456789, the number of bytes would be counted as 9, even though an
11265 # int64 only holds up to 8 bytes of data.
11266 "floatValue": 3.14,
11267 "timestampValue": "A String",
11268 "dayOfWeekValue": "A String",
11269 "timeValue": { # Represents a time of day. The date and time zone are either not significant
11270 # or are specified elsewhere. An API may choose to allow leap seconds. Related
11271 # types are google.type.Date and `google.protobuf.Timestamp`.
11272 "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
11273 # to allow the value "24:00:00" for scenarios like business closing time.
11274 "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
11275 "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
11276 # allow the value 60 if it allows leap-seconds.
11277 "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
11278 },
11279 "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
11280 # and time zone are either specified elsewhere or are not significant. The date
11281 # is relative to the Proleptic Gregorian Calendar. This can represent:
11282 #
11283 # * A full date, with non-zero year, month and day values
11284 # * A month and day value, with a zero year, e.g. an anniversary
11285 # * A year on its own, with zero month and day values
11286 # * A year and month value, with a zero day, e.g. a credit card expiration date
11287 #
11288 # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
11289 "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
11290 # a year.
11291 "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
11292 # if specifying a year by itself or a year and month where the day is not
11293 # significant.
11294 "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
11295 # month and day.
11296 },
11297 "stringValue": "A String",
11298 "booleanValue": True or False,
11299 "integerValue": "A String",
11300 },
11301 "upperBound": { # Set of primitive values supported by the system. # Upper bound value of buckets. All values greater than upper_bound are
11302 # grouped together into a single bucket; for example if `upper_bound` = 89,
11303 # then all values greater than 89 are replaced with the value “89+”.
11304 # [Required].
11305 # Note that for the purposes of inspection or transformation, the number
11306 # of bytes considered to comprise a 'Value' is based on its representation
11307 # as a UTF-8 encoded string. For example, if 'integer_value' is set to
11308 # 123456789, the number of bytes would be counted as 9, even though an
11309 # int64 only holds up to 8 bytes of data.
11310 "floatValue": 3.14,
11311 "timestampValue": "A String",
11312 "dayOfWeekValue": "A String",
11313 "timeValue": { # Represents a time of day. The date and time zone are either not significant
11314 # or are specified elsewhere. An API may choose to allow leap seconds. Related
11315 # types are google.type.Date and `google.protobuf.Timestamp`.
11316 "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
11317 # to allow the value "24:00:00" for scenarios like business closing time.
11318 "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
11319 "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
11320 # allow the value 60 if it allows leap-seconds.
11321 "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
11322 },
11323 "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
11324 # and time zone are either specified elsewhere or are not significant. The date
11325 # is relative to the Proleptic Gregorian Calendar. This can represent:
11326 #
11327 # * A full date, with non-zero year, month and day values
11328 # * A month and day value, with a zero year, e.g. an anniversary
11329 # * A year on its own, with zero month and day values
11330 # * A year and month value, with a zero day, e.g. a credit card expiration date
11331 #
11332 # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
11333 "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
11334 # a year.
11335 "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
11336 # if specifying a year by itself or a year and month where the day is not
11337 # significant.
11338 "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
11339 # month and day.
11340 },
11341 "stringValue": "A String",
11342 "booleanValue": True or False,
11343 "integerValue": "A String",
11344 },
11345 "bucketSize": 3.14, # Size of each bucket (except for minimum and maximum buckets). So if
11346 # `lower_bound` = 10, `upper_bound` = 89, and `bucket_size` = 10, then the
11347 # following buckets would be used: -10, 10-20, 20-30, 30-40, 40-50, 50-60,
11348 # 60-70, 70-80, 80-89, 89+. Precision up to 2 decimals works. [Required].
11349 },
11350 "replaceWithInfoTypeConfig": { # Replace each matching finding with the name of the info_type.
11351 },
11352 "timePartConfig": { # For use with `Date`, `Timestamp`, and `TimeOfDay`, extract or preserve a
11353 # portion of the value.
11354 "partToExtract": "A String",
11355 },
11356 "cryptoHashConfig": { # Pseudonymization method that generates surrogates via cryptographic hashing.
11357 # Uses SHA-256.
11358 # The key size must be either 32 or 64 bytes.
11359 # Outputs a base64 encoded representation of the hashed output
11360 # (for example, L7k0BHmF1ha5U3NfGykjro4xWi1MPVQPjhMAZbSV9mM=).
11361 # Currently, only string and integer values can be hashed.
11362 # See https://cloud.google.com/dlp/docs/pseudonymization to learn more.
11363 "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the hash function.
11364 # a key encryption key (KEK) stored by KMS).
11365 # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
11366 # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
11367 # unwrap the data crypto key.
11368 "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS.
11369 # The wrapped key must be a 128/192/256 bit key.
11370 # Authorization requires the following IAM permissions when sending a request
11371 # to perform a crypto transformation using a kms-wrapped crypto key:
11372 # dlp.kms.encrypt
11373 "cryptoKeyName": "A String", # The resource name of the KMS CryptoKey to use for unwrapping. [required]
11374 "wrappedKey": "A String", # The wrapped data crypto key. [required]
11375 },
11376 "unwrapped": { # Using raw keys is prone to security risks due to accidentally
11377 # leaking the key. Choose another type of key if possible.
11378 "key": "A String", # A 128/192/256 bit key. [required]
11379 },
11380 "transient": { # Use this to have a random data crypto key generated.
11381 # It will be discarded after the request finishes.
11382 "name": "A String", # Name of the key. [required]
11383 # This is an arbitrary string used to differentiate different keys.
11384 # A unique key is generated per name: two separate `TransientCryptoKey`
11385 # protos share the same generated key if their names are the same.
11386 # When the data crypto key is generated, this name is not used in any way
11387 # (repeating the api call will result in a different key being generated).
11388 },
11389 },
11390 },
11391 "dateShiftConfig": { # Shifts dates by random number of days, with option to be consistent for the
11392 # same context. See https://cloud.google.com/dlp/docs/concepts-date-shifting
11393 # to learn more.
11394 "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # Causes the shift to be computed based on this key and the context. This
11395 # results in the same shift for the same context and crypto_key.
11396 # a key encryption key (KEK) stored by KMS).
11397 # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
11398 # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
11399 # unwrap the data crypto key.
11400 "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS.
11401 # The wrapped key must be a 128/192/256 bit key.
11402 # Authorization requires the following IAM permissions when sending a request
11403 # to perform a crypto transformation using a kms-wrapped crypto key:
11404 # dlp.kms.encrypt
11405 "cryptoKeyName": "A String", # The resource name of the KMS CryptoKey to use for unwrapping. [required]
11406 "wrappedKey": "A String", # The wrapped data crypto key. [required]
11407 },
11408 "unwrapped": { # Using raw keys is prone to security risks due to accidentally
11409 # leaking the key. Choose another type of key if possible.
11410 "key": "A String", # A 128/192/256 bit key. [required]
11411 },
11412 "transient": { # Use this to have a random data crypto key generated.
11413 # It will be discarded after the request finishes.
11414 "name": "A String", # Name of the key. [required]
11415 # This is an arbitrary string used to differentiate different keys.
11416 # A unique key is generated per name: two separate `TransientCryptoKey`
11417 # protos share the same generated key if their names are the same.
11418 # When the data crypto key is generated, this name is not used in any way
11419 # (repeating the api call will result in a different key being generated).
11420 },
11421 },
11422 "lowerBoundDays": 42, # For example, -5 means shift date to at most 5 days back in the past.
11423 # [Required]
11424 "upperBoundDays": 42, # Range of shift in days. Actual shift will be selected at random within this
11425 # range (inclusive ends). Negative means shift to earlier in time. Must not
11426 # be more than 365250 days (1000 years) each direction.
11427 #
11428 # For example, 3 means shift date to at most 3 days into the future.
11429 # [Required]
11430 "context": { # General identifier of a data field in a storage service. # Points to the field that contains the context, for example, an entity id.
11431 # If set, must also set method. If set, shift will be consistent for the
11432 # given context.
11433 "name": "A String", # Name describing the field.
11434 },
11435 },
11436 "bucketingConfig": { # Generalization function that buckets values based on ranges. The ranges and
11437 # replacement values are dynamically provided by the user for custom behavior,
11438 # such as 1-30 -> LOW 31-65 -> MEDIUM 66-100 -> HIGH
11439 # This can be used on
11440 # data of type: number, long, string, timestamp.
11441 # If the bound `Value` type differs from the type of data being transformed, we
11442 # will first attempt converting the type of the data to be transformed to match
11443 # the type of the bound before comparing.
11444 # See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more.
11445 "buckets": [ # Set of buckets. Ranges must be non-overlapping.
11446 { # Bucket is represented as a range, along with replacement values.
11447 "max": { # Set of primitive values supported by the system. # Upper bound of the range, exclusive; type must match min.
11448 # Note that for the purposes of inspection or transformation, the number
11449 # of bytes considered to comprise a 'Value' is based on its representation
11450 # as a UTF-8 encoded string. For example, if 'integer_value' is set to
11451 # 123456789, the number of bytes would be counted as 9, even though an
11452 # int64 only holds up to 8 bytes of data.
11453 "floatValue": 3.14,
11454 "timestampValue": "A String",
11455 "dayOfWeekValue": "A String",
11456 "timeValue": { # Represents a time of day. The date and time zone are either not significant
11457 # or are specified elsewhere. An API may choose to allow leap seconds. Related
11458 # types are google.type.Date and `google.protobuf.Timestamp`.
11459 "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
11460 # to allow the value "24:00:00" for scenarios like business closing time.
11461 "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
11462 "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
11463 # allow the value 60 if it allows leap-seconds.
11464 "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
11465 },
11466 "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
11467 # and time zone are either specified elsewhere or are not significant. The date
11468 # is relative to the Proleptic Gregorian Calendar. This can represent:
11469 #
11470 # * A full date, with non-zero year, month and day values
11471 # * A month and day value, with a zero year, e.g. an anniversary
11472 # * A year on its own, with zero month and day values
11473 # * A year and month value, with a zero day, e.g. a credit card expiration date
11474 #
11475 # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
11476 "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
11477 # a year.
11478 "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
11479 # if specifying a year by itself or a year and month where the day is not
11480 # significant.
11481 "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
11482 # month and day.
11483 },
11484 "stringValue": "A String",
11485 "booleanValue": True or False,
11486 "integerValue": "A String",
11487 },
11488 "replacementValue": { # Set of primitive values supported by the system. # Replacement value for this bucket. If not provided
11489 # the default behavior will be to hyphenate the min-max range.
11490 # Note that for the purposes of inspection or transformation, the number
11491 # of bytes considered to comprise a 'Value' is based on its representation
11492 # as a UTF-8 encoded string. For example, if 'integer_value' is set to
11493 # 123456789, the number of bytes would be counted as 9, even though an
11494 # int64 only holds up to 8 bytes of data.
11495 "floatValue": 3.14,
11496 "timestampValue": "A String",
11497 "dayOfWeekValue": "A String",
11498 "timeValue": { # Represents a time of day. The date and time zone are either not significant
11499 # or are specified elsewhere. An API may choose to allow leap seconds. Related
11500 # types are google.type.Date and `google.protobuf.Timestamp`.
11501 "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
11502 # to allow the value "24:00:00" for scenarios like business closing time.
11503 "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
11504 "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
11505 # allow the value 60 if it allows leap-seconds.
11506 "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
11507 },
11508 "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
11509 # and time zone are either specified elsewhere or are not significant. The date
11510 # is relative to the Proleptic Gregorian Calendar. This can represent:
11511 #
11512 # * A full date, with non-zero year, month and day values
11513 # * A month and day value, with a zero year, e.g. an anniversary
11514 # * A year on its own, with zero month and day values
11515 # * A year and month value, with a zero day, e.g. a credit card expiration date
11516 #
11517 # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
11518 "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
11519 # a year.
11520 "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
11521 # if specifying a year by itself or a year and month where the day is not
11522 # significant.
11523 "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
11524 # month and day.
11525 },
11526 "stringValue": "A String",
11527 "booleanValue": True or False,
11528 "integerValue": "A String",
11529 },
11530 "min": { # Set of primitive values supported by the system. # Lower bound of the range, inclusive. Type should be the same as max if
11531 # used.
11532 # Note that for the purposes of inspection or transformation, the number
11533 # of bytes considered to comprise a 'Value' is based on its representation
11534 # as a UTF-8 encoded string. For example, if 'integer_value' is set to
11535 # 123456789, the number of bytes would be counted as 9, even though an
11536 # int64 only holds up to 8 bytes of data.
11537 "floatValue": 3.14,
11538 "timestampValue": "A String",
11539 "dayOfWeekValue": "A String",
11540 "timeValue": { # Represents a time of day. The date and time zone are either not significant
11541 # or are specified elsewhere. An API may choose to allow leap seconds. Related
11542 # types are google.type.Date and `google.protobuf.Timestamp`.
11543 "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
11544 # to allow the value "24:00:00" for scenarios like business closing time.
11545 "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
11546 "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
11547 # allow the value 60 if it allows leap-seconds.
11548 "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
11549 },
11550 "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
11551 # and time zone are either specified elsewhere or are not significant. The date
11552 # is relative to the Proleptic Gregorian Calendar. This can represent:
11553 #
11554 # * A full date, with non-zero year, month and day values
11555 # * A month and day value, with a zero year, e.g. an anniversary
11556 # * A year on its own, with zero month and day values
11557 # * A year and month value, with a zero day, e.g. a credit card expiration date
11558 #
11559 # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
11560 "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
11561 # a year.
11562 "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
11563 # if specifying a year by itself or a year and month where the day is not
11564 # significant.
11565 "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
11566 # month and day.
11567 },
11568 "stringValue": "A String",
11569 "booleanValue": True or False,
11570 "integerValue": "A String",
11571 },
11572 },
11573 ],
11574 },
11575 "cryptoReplaceFfxFpeConfig": { # Replaces an identifier with a surrogate using Format Preserving Encryption
11576 # (FPE) with the FFX mode of operation; however when used in the
11577 # `ReidentifyContent` API method, it serves the opposite function by reversing
11578 # the surrogate back into the original identifier. The identifier must be
11579 # encoded as ASCII. For a given crypto key and context, the same identifier
11580 # will be replaced with the same surrogate. Identifiers must be at least two
11581 # characters long. In the case that the identifier is the empty string, it will
11582 # be skipped. See https://cloud.google.com/dlp/docs/pseudonymization to learn
11583 # more.
11584 #
11585 # Note: We recommend using CryptoDeterministicConfig for all use cases which
11586 # do not require preserving the input alphabet space and size, plus warrant
11587 # referential integrity.
11588 "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the encryption algorithm. [required]
11589 # a key encryption key (KEK) stored by KMS).
11590 # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
11591 # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
11592 # unwrap the data crypto key.
11593 "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS.
11594 # The wrapped key must be a 128/192/256 bit key.
11595 # Authorization requires the following IAM permissions when sending a request
11596 # to perform a crypto transformation using a kms-wrapped crypto key:
11597 # dlp.kms.encrypt
11598 "cryptoKeyName": "A String", # The resource name of the KMS CryptoKey to use for unwrapping. [required]
11599 "wrappedKey": "A String", # The wrapped data crypto key. [required]
11600 },
11601 "unwrapped": { # Using raw keys is prone to security risks due to accidentally
11602 # leaking the key. Choose another type of key if possible.
11603 "key": "A String", # A 128/192/256 bit key. [required]
11604 },
11605 "transient": { # Use this to have a random data crypto key generated.
11606 # It will be discarded after the request finishes.
11607 "name": "A String", # Name of the key. [required]
11608 # This is an arbitrary string used to differentiate different keys.
11609 # A unique key is generated per name: two separate `TransientCryptoKey`
11610 # protos share the same generated key if their names are the same.
11611 # When the data crypto key is generated, this name is not used in any way
11612 # (repeating the api call will result in a different key being generated).
11613 },
11614 },
11615 "radix": 42, # The native way to select the alphabet. Must be in the range [2, 62].
11616 "commonAlphabet": "A String",
11617 "customAlphabet": "A String", # This is supported by mapping these to the alphanumeric characters
11618 # that the FFX mode natively supports. This happens before/after
11619 # encryption/decryption.
11620 # Each character listed must appear only once.
11621 # Number of characters must be in the range [2, 62].
11622 # This must be encoded as ASCII.
11623 # The order of characters does not matter.
11624 "context": { # General identifier of a data field in a storage service. # The 'tweak', a context may be used for higher security since the same
11625 # identifier in two different contexts won't be given the same surrogate. If
11626 # the context is not set, a default tweak will be used.
11627 #
11628 # If the context is set but:
11629 #
11630 # 1. there is no record present when transforming a given value or
11631 # 1. the field is not present when transforming a given value,
11632 #
11633 # a default tweak will be used.
11634 #
11635 # Note that case (1) is expected when an `InfoTypeTransformation` is
11636 # applied to both structured and non-structured `ContentItem`s.
11637 # Currently, the referenced field may be of value type integer or string.
11638 #
11639 # The tweak is constructed as a sequence of bytes in big endian byte order
11640 # such that:
11641 #
11642 # - a 64 bit integer is encoded followed by a single byte of value 1
11643 # - a string is encoded in UTF-8 format followed by a single byte of value 2
11644 "name": "A String", # Name describing the field.
11645 },
11646 "surrogateInfoType": { # Type of information detected by the API. # The custom infoType to annotate the surrogate with.
11647 # This annotation will be applied to the surrogate by prefixing it with
11648 # the name of the custom infoType followed by the number of
11649 # characters comprising the surrogate. The following scheme defines the
11650 # format: info_type_name(surrogate_character_count):surrogate
11651 #
11652 # For example, if the name of custom infoType is 'MY_TOKEN_INFO_TYPE' and
11653 # the surrogate is 'abc', the full replacement value
11654 # will be: 'MY_TOKEN_INFO_TYPE(3):abc'
11655 #
11656 # This annotation identifies the surrogate when inspecting content using the
11657 # custom infoType
11658 # [`SurrogateType`](/dlp/docs/reference/rest/v2/InspectConfig#surrogatetype).
11659 # This facilitates reversal of the surrogate when it occurs in free text.
11660 #
11661 # In order for inspection to work properly, the name of this infoType must
11662 # not occur naturally anywhere in your data; otherwise, inspection may
11663 # find a surrogate that does not correspond to an actual identifier.
11664 # Therefore, choose your custom infoType name carefully after considering
11665 # what your data looks like. One way to select a name that has a high chance
11666 # of yielding reliable detection is to include one or more unicode characters
11667 # that are highly improbable to exist in your data.
11668 # For example, assuming your data is entered from a regular ASCII keyboard,
11669 # the symbol with the hex code point 29DD might be used like so:
11670 # ⧝MY_TOKEN_TYPE
11671 "name": "A String", # Name of the information type. Either a name of your choosing when
11672 # creating a CustomInfoType, or one of the names listed
11673 # at https://cloud.google.com/dlp/docs/infotypes-reference when specifying
11674 # a built-in type. InfoType names should conform to the pattern
11675 # [a-zA-Z0-9_]{1,64}.
11676 },
11677 },
11678 "replaceConfig": { # Replace each input value with a given `Value`.
11679 "newValue": { # Set of primitive values supported by the system. # Value to replace it with.
11680 # Note that for the purposes of inspection or transformation, the number
11681 # of bytes considered to comprise a 'Value' is based on its representation
11682 # as a UTF-8 encoded string. For example, if 'integer_value' is set to
11683 # 123456789, the number of bytes would be counted as 9, even though an
11684 # int64 only holds up to 8 bytes of data.
11685 "floatValue": 3.14,
11686 "timestampValue": "A String",
11687 "dayOfWeekValue": "A String",
11688 "timeValue": { # Represents a time of day. The date and time zone are either not significant
11689 # or are specified elsewhere. An API may choose to allow leap seconds. Related
11690 # types are google.type.Date and `google.protobuf.Timestamp`.
11691 "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
11692 # to allow the value "24:00:00" for scenarios like business closing time.
11693 "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
11694 "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
11695 # allow the value 60 if it allows leap-seconds.
11696 "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
11697 },
11698 "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
11699 # and time zone are either specified elsewhere or are not significant. The date
11700 # is relative to the Proleptic Gregorian Calendar. This can represent:
11701 #
11702 # * A full date, with non-zero year, month and day values
11703 # * A month and day value, with a zero year, e.g. an anniversary
11704 # * A year on its own, with zero month and day values
11705 # * A year and month value, with a zero day, e.g. a credit card expiration date
11706 #
11707 # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
11708 "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
11709 # a year.
11710 "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
11711 # if specifying a year by itself or a year and month where the day is not
11712 # significant.
11713 "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
11714 # month and day.
11715 },
11716 "stringValue": "A String",
11717 "booleanValue": True or False,
11718 "integerValue": "A String",
11719 },
11720 },
11721 },
11722 "infoTypes": [ # InfoTypes to apply the transformation to. An empty list will cause
11723 # this transformation to apply to all findings that correspond to
11724 # infoTypes that were requested in `InspectConfig`.
11725 { # Type of information detected by the API.
11726 "name": "A String", # Name of the information type. Either a name of your choosing when
11727 # creating a CustomInfoType, or one of the names listed
11728 # at https://cloud.google.com/dlp/docs/infotypes-reference when specifying
11729 # a built-in type. InfoType names should conform to the pattern
11730 # [a-zA-Z0-9_]{1,64}.
11731 },
11732 ],
11733 },
11734 ],
11735 },
11736 "primitiveTransformation": { # A rule for transforming a value. # Apply the transformation to the entire field.
11737 "characterMaskConfig": { # Partially mask a string by replacing a given number of characters with a
11738 # fixed character. Masking can start from the beginning or end of the string.
11739 # This can be used on data of any type (numbers, longs, and so on) and when
11740 # de-identifying structured data we'll attempt to preserve the original data's
11741 # type. (This allows you to take a long like 123 and modify it to a string like
11742 # **3.
11743 "charactersToIgnore": [ # When masking a string, items in this list will be skipped when replacing.
11744 # For example, if your string is 555-555-5555 and you ask us to skip `-` and
11745 # mask 5 chars with * we would produce ***-*55-5555.
11746 { # Characters to skip when doing deidentification of a value. These will be left
11747 # alone and skipped.
11748 "commonCharactersToIgnore": "A String",
11749 "charactersToSkip": "A String",
11750 },
11751 ],
11752 "numberToMask": 42, # Number of characters to mask. If not set, all matching chars will be
11753 # masked. Skipped characters do not count towards this tally.
11754 "maskingCharacter": "A String", # Character to mask the sensitive values&mdash;for example, "*" for an
11755 # alphabetic string such as name, or "0" for a numeric string such as ZIP
11756 # code or credit card number. String must have length 1. If not supplied, we
11757 # will default to "*" for strings, 0 for digits.
11758 "reverseOrder": True or False, # Mask characters in reverse order. For example, if `masking_character` is
11759 # '0', number_to_mask is 14, and `reverse_order` is false, then
11760 # 1234-5678-9012-3456 -> 00000000000000-3456
11761 # If `masking_character` is '*', `number_to_mask` is 3, and `reverse_order`
11762 # is true, then 12345 -> 12***
11763 },
11764 "redactConfig": { # Redact a given value. For example, if used with an `InfoTypeTransformation`
11765 # transforming PHONE_NUMBER, and input 'My phone number is 206-555-0123', the
11766 # output would be 'My phone number is '.
11767 },
11768 "cryptoDeterministicConfig": { # Pseudonymization method that generates deterministic encryption for the given
11769 # input. Outputs a base64 encoded representation of the encrypted output.
11770 # Uses AES-SIV based on the RFC https://tools.ietf.org/html/rfc5297.
11771 "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the encryption function.
11772 # a key encryption key (KEK) stored by KMS).
11773 # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
11774 # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
11775 # unwrap the data crypto key.
11776 "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS.
11777 # The wrapped key must be a 128/192/256 bit key.
11778 # Authorization requires the following IAM permissions when sending a request
11779 # to perform a crypto transformation using a kms-wrapped crypto key:
11780 # dlp.kms.encrypt
11781 "cryptoKeyName": "A String", # The resource name of the KMS CryptoKey to use for unwrapping. [required]
11782 "wrappedKey": "A String", # The wrapped data crypto key. [required]
11783 },
11784 "unwrapped": { # Using raw keys is prone to security risks due to accidentally
11785 # leaking the key. Choose another type of key if possible.
11786 "key": "A String", # A 128/192/256 bit key. [required]
11787 },
11788 "transient": { # Use this to have a random data crypto key generated.
11789 # It will be discarded after the request finishes.
11790 "name": "A String", # Name of the key. [required]
11791 # This is an arbitrary string used to differentiate different keys.
11792 # A unique key is generated per name: two separate `TransientCryptoKey`
11793 # protos share the same generated key if their names are the same.
11794 # When the data crypto key is generated, this name is not used in any way
11795 # (repeating the api call will result in a different key being generated).
11796 },
11797 },
11798 "context": { # General identifier of a data field in a storage service. # Optional. A context may be used for higher security and maintaining
11799 # referential integrity such that the same identifier in two different
11800 # contexts will be given a distinct surrogate. The context is appended to
11801 # plaintext value being encrypted. On decryption the provided context is
11802 # validated against the value used during encryption. If a context was
11803 # provided during encryption, same context must be provided during decryption
11804 # as well.
11805 #
11806 # If the context is not set, plaintext would be used as is for encryption.
11807 # If the context is set but:
11808 #
11809 # 1. there is no record present when transforming a given value or
11810 # 2. the field is not present when transforming a given value,
11811 #
11812 # plaintext would be used as is for encryption.
11813 #
11814 # Note that case (1) is expected when an `InfoTypeTransformation` is
11815 # applied to both structured and non-structured `ContentItem`s.
11816 "name": "A String", # Name describing the field.
11817 },
11818 "surrogateInfoType": { # Type of information detected by the API. # The custom info type to annotate the surrogate with.
11819 # This annotation will be applied to the surrogate by prefixing it with
11820 # the name of the custom info type followed by the number of
11821 # characters comprising the surrogate. The following scheme defines the
11822 # format: <info type name>(<surrogate character count>):<surrogate>
11823 #
11824 # For example, if the name of custom info type is 'MY_TOKEN_INFO_TYPE' and
11825 # the surrogate is 'abc', the full replacement value
11826 # will be: 'MY_TOKEN_INFO_TYPE(3):abc'
11827 #
11828 # This annotation identifies the surrogate when inspecting content using the
11829 # custom info type 'Surrogate'. This facilitates reversal of the
11830 # surrogate when it occurs in free text.
11831 #
11832 # In order for inspection to work properly, the name of this info type must
11833 # not occur naturally anywhere in your data; otherwise, inspection may either
11834 #
11835 # - reverse a surrogate that does not correspond to an actual identifier
11836 # - be unable to parse the surrogate and result in an error
11837 #
11838 # Therefore, choose your custom info type name carefully after considering
11839 # what your data looks like. One way to select a name that has a high chance
11840 # of yielding reliable detection is to include one or more unicode characters
11841 # that are highly improbable to exist in your data.
11842 # For example, assuming your data is entered from a regular ASCII keyboard,
11843 # the symbol with the hex code point 29DD might be used like so:
11844 # ⧝MY_TOKEN_TYPE
11845 "name": "A String", # Name of the information type. Either a name of your choosing when
11846 # creating a CustomInfoType, or one of the names listed
11847 # at https://cloud.google.com/dlp/docs/infotypes-reference when specifying
11848 # a built-in type. InfoType names should conform to the pattern
11849 # [a-zA-Z0-9_]{1,64}.
11850 },
11851 },
11852 "fixedSizeBucketingConfig": { # Buckets values based on fixed size ranges. The
11853 # Bucketing transformation can provide all of this functionality,
11854 # but requires more configuration. This message is provided as a convenience to
11855 # the user for simple bucketing strategies.
11856 #
11857 # The transformed value will be a hyphenated string of
11858 # <lower_bound>-<upper_bound>, i.e if lower_bound = 10 and upper_bound = 20
11859 # all values that are within this bucket will be replaced with "10-20".
11860 #
11861 # This can be used on data of type: double, long.
11862 #
11863 # If the bound Value type differs from the type of data
11864 # being transformed, we will first attempt converting the type of the data to
11865 # be transformed to match the type of the bound before comparing.
11866 #
11867 # See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more.
11868 "lowerBound": { # Set of primitive values supported by the system. # Lower bound value of buckets. All values less than `lower_bound` are
11869 # grouped together into a single bucket; for example if `lower_bound` = 10,
11870 # then all values less than 10 are replaced with the value “-10”. [Required].
11871 # Note that for the purposes of inspection or transformation, the number
11872 # of bytes considered to comprise a 'Value' is based on its representation
11873 # as a UTF-8 encoded string. For example, if 'integer_value' is set to
11874 # 123456789, the number of bytes would be counted as 9, even though an
11875 # int64 only holds up to 8 bytes of data.
11876 "floatValue": 3.14,
11877 "timestampValue": "A String",
11878 "dayOfWeekValue": "A String",
11879 "timeValue": { # Represents a time of day. The date and time zone are either not significant
11880 # or are specified elsewhere. An API may choose to allow leap seconds. Related
11881 # types are google.type.Date and `google.protobuf.Timestamp`.
11882 "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
11883 # to allow the value "24:00:00" for scenarios like business closing time.
11884 "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
11885 "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
11886 # allow the value 60 if it allows leap-seconds.
11887 "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
11888 },
11889 "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
11890 # and time zone are either specified elsewhere or are not significant. The date
11891 # is relative to the Proleptic Gregorian Calendar. This can represent:
11892 #
11893 # * A full date, with non-zero year, month and day values
11894 # * A month and day value, with a zero year, e.g. an anniversary
11895 # * A year on its own, with zero month and day values
11896 # * A year and month value, with a zero day, e.g. a credit card expiration date
11897 #
11898 # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
11899 "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
11900 # a year.
11901 "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
11902 # if specifying a year by itself or a year and month where the day is not
11903 # significant.
11904 "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
11905 # month and day.
11906 },
11907 "stringValue": "A String",
11908 "booleanValue": True or False,
11909 "integerValue": "A String",
11910 },
11911 "upperBound": { # Set of primitive values supported by the system. # Upper bound value of buckets. All values greater than upper_bound are
11912 # grouped together into a single bucket; for example if `upper_bound` = 89,
11913 # then all values greater than 89 are replaced with the value “89+”.
11914 # [Required].
11915 # Note that for the purposes of inspection or transformation, the number
11916 # of bytes considered to comprise a 'Value' is based on its representation
11917 # as a UTF-8 encoded string. For example, if 'integer_value' is set to
11918 # 123456789, the number of bytes would be counted as 9, even though an
11919 # int64 only holds up to 8 bytes of data.
11920 "floatValue": 3.14,
11921 "timestampValue": "A String",
11922 "dayOfWeekValue": "A String",
11923 "timeValue": { # Represents a time of day. The date and time zone are either not significant
11924 # or are specified elsewhere. An API may choose to allow leap seconds. Related
11925 # types are google.type.Date and `google.protobuf.Timestamp`.
11926 "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
11927 # to allow the value "24:00:00" for scenarios like business closing time.
11928 "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
11929 "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
11930 # allow the value 60 if it allows leap-seconds.
11931 "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
11932 },
11933 "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
11934 # and time zone are either specified elsewhere or are not significant. The date
11935 # is relative to the Proleptic Gregorian Calendar. This can represent:
11936 #
11937 # * A full date, with non-zero year, month and day values
11938 # * A month and day value, with a zero year, e.g. an anniversary
11939 # * A year on its own, with zero month and day values
11940 # * A year and month value, with a zero day, e.g. a credit card expiration date
11941 #
11942 # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
11943 "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
11944 # a year.
11945 "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
11946 # if specifying a year by itself or a year and month where the day is not
11947 # significant.
11948 "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
11949 # month and day.
11950 },
11951 "stringValue": "A String",
11952 "booleanValue": True or False,
11953 "integerValue": "A String",
11954 },
11955 "bucketSize": 3.14, # Size of each bucket (except for minimum and maximum buckets). So if
11956 # `lower_bound` = 10, `upper_bound` = 89, and `bucket_size` = 10, then the
11957 # following buckets would be used: -10, 10-20, 20-30, 30-40, 40-50, 50-60,
11958 # 60-70, 70-80, 80-89, 89+. Precision up to 2 decimals works. [Required].
11959 },
11960 "replaceWithInfoTypeConfig": { # Replace each matching finding with the name of the info_type.
11961 },
11962 "timePartConfig": { # For use with `Date`, `Timestamp`, and `TimeOfDay`, extract or preserve a
11963 # portion of the value.
11964 "partToExtract": "A String",
11965 },
11966 "cryptoHashConfig": { # Pseudonymization method that generates surrogates via cryptographic hashing.
11967 # Uses SHA-256.
11968 # The key size must be either 32 or 64 bytes.
11969 # Outputs a base64 encoded representation of the hashed output
11970 # (for example, L7k0BHmF1ha5U3NfGykjro4xWi1MPVQPjhMAZbSV9mM=).
11971 # Currently, only string and integer values can be hashed.
11972 # See https://cloud.google.com/dlp/docs/pseudonymization to learn more.
11973 "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the hash function.
11974 # a key encryption key (KEK) stored by KMS).
11975 # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
11976 # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
11977 # unwrap the data crypto key.
11978 "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS.
11979 # The wrapped key must be a 128/192/256 bit key.
11980 # Authorization requires the following IAM permissions when sending a request
11981 # to perform a crypto transformation using a kms-wrapped crypto key:
11982 # dlp.kms.encrypt
11983 "cryptoKeyName": "A String", # The resource name of the KMS CryptoKey to use for unwrapping. [required]
11984 "wrappedKey": "A String", # The wrapped data crypto key. [required]
11985 },
11986 "unwrapped": { # Using raw keys is prone to security risks due to accidentally
11987 # leaking the key. Choose another type of key if possible.
11988 "key": "A String", # A 128/192/256 bit key. [required]
11989 },
11990 "transient": { # Use this to have a random data crypto key generated.
11991 # It will be discarded after the request finishes.
11992 "name": "A String", # Name of the key. [required]
11993 # This is an arbitrary string used to differentiate different keys.
11994 # A unique key is generated per name: two separate `TransientCryptoKey`
11995 # protos share the same generated key if their names are the same.
11996 # When the data crypto key is generated, this name is not used in any way
11997 # (repeating the api call will result in a different key being generated).
11998 },
11999 },
12000 },
12001 "dateShiftConfig": { # Shifts dates by random number of days, with option to be consistent for the
12002 # same context. See https://cloud.google.com/dlp/docs/concepts-date-shifting
12003 # to learn more.
12004 "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # Causes the shift to be computed based on this key and the context. This
12005 # results in the same shift for the same context and crypto_key.
12006 # a key encryption key (KEK) stored by KMS).
12007 # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
12008 # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
12009 # unwrap the data crypto key.
12010 "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS.
12011 # The wrapped key must be a 128/192/256 bit key.
12012 # Authorization requires the following IAM permissions when sending a request
12013 # to perform a crypto transformation using a kms-wrapped crypto key:
12014 # dlp.kms.encrypt
12015 "cryptoKeyName": "A String", # The resource name of the KMS CryptoKey to use for unwrapping. [required]
12016 "wrappedKey": "A String", # The wrapped data crypto key. [required]
12017 },
12018 "unwrapped": { # Using raw keys is prone to security risks due to accidentally
12019 # leaking the key. Choose another type of key if possible.
12020 "key": "A String", # A 128/192/256 bit key. [required]
12021 },
12022 "transient": { # Use this to have a random data crypto key generated.
12023 # It will be discarded after the request finishes.
12024 "name": "A String", # Name of the key. [required]
12025 # This is an arbitrary string used to differentiate different keys.
12026 # A unique key is generated per name: two separate `TransientCryptoKey`
12027 # protos share the same generated key if their names are the same.
12028 # When the data crypto key is generated, this name is not used in any way
12029 # (repeating the api call will result in a different key being generated).
12030 },
12031 },
12032 "lowerBoundDays": 42, # For example, -5 means shift date to at most 5 days back in the past.
12033 # [Required]
12034 "upperBoundDays": 42, # Range of shift in days. Actual shift will be selected at random within this
12035 # range (inclusive ends). Negative means shift to earlier in time. Must not
12036 # be more than 365250 days (1000 years) each direction.
12037 #
12038 # For example, 3 means shift date to at most 3 days into the future.
12039 # [Required]
12040 "context": { # General identifier of a data field in a storage service. # Points to the field that contains the context, for example, an entity id.
12041 # If set, must also set method. If set, shift will be consistent for the
12042 # given context.
12043 "name": "A String", # Name describing the field.
12044 },
12045 },
12046 "bucketingConfig": { # Generalization function that buckets values based on ranges. The ranges and
12047 # replacement values are dynamically provided by the user for custom behavior,
12048 # such as 1-30 -> LOW 31-65 -> MEDIUM 66-100 -> HIGH
12049 # This can be used on
12050 # data of type: number, long, string, timestamp.
12051 # If the bound `Value` type differs from the type of data being transformed, we
12052 # will first attempt converting the type of the data to be transformed to match
12053 # the type of the bound before comparing.
12054 # See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more.
12055 "buckets": [ # Set of buckets. Ranges must be non-overlapping.
12056 { # Bucket is represented as a range, along with replacement values.
12057 "max": { # Set of primitive values supported by the system. # Upper bound of the range, exclusive; type must match min.
12058 # Note that for the purposes of inspection or transformation, the number
12059 # of bytes considered to comprise a 'Value' is based on its representation
12060 # as a UTF-8 encoded string. For example, if 'integer_value' is set to
12061 # 123456789, the number of bytes would be counted as 9, even though an
12062 # int64 only holds up to 8 bytes of data.
12063 "floatValue": 3.14,
12064 "timestampValue": "A String",
12065 "dayOfWeekValue": "A String",
12066 "timeValue": { # Represents a time of day. The date and time zone are either not significant
12067 # or are specified elsewhere. An API may choose to allow leap seconds. Related
12068 # types are google.type.Date and `google.protobuf.Timestamp`.
12069 "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
12070 # to allow the value "24:00:00" for scenarios like business closing time.
12071 "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
12072 "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
12073 # allow the value 60 if it allows leap-seconds.
12074 "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
12075 },
12076 "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
12077 # and time zone are either specified elsewhere or are not significant. The date
12078 # is relative to the Proleptic Gregorian Calendar. This can represent:
12079 #
12080 # * A full date, with non-zero year, month and day values
12081 # * A month and day value, with a zero year, e.g. an anniversary
12082 # * A year on its own, with zero month and day values
12083 # * A year and month value, with a zero day, e.g. a credit card expiration date
12084 #
12085 # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
12086 "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
12087 # a year.
12088 "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
12089 # if specifying a year by itself or a year and month where the day is not
12090 # significant.
12091 "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
12092 # month and day.
12093 },
12094 "stringValue": "A String",
12095 "booleanValue": True or False,
12096 "integerValue": "A String",
12097 },
12098 "replacementValue": { # Set of primitive values supported by the system. # Replacement value for this bucket. If not provided
12099 # the default behavior will be to hyphenate the min-max range.
12100 # Note that for the purposes of inspection or transformation, the number
12101 # of bytes considered to comprise a 'Value' is based on its representation
12102 # as a UTF-8 encoded string. For example, if 'integer_value' is set to
12103 # 123456789, the number of bytes would be counted as 9, even though an
12104 # int64 only holds up to 8 bytes of data.
12105 "floatValue": 3.14,
12106 "timestampValue": "A String",
12107 "dayOfWeekValue": "A String",
12108 "timeValue": { # Represents a time of day. The date and time zone are either not significant
12109 # or are specified elsewhere. An API may choose to allow leap seconds. Related
12110 # types are google.type.Date and `google.protobuf.Timestamp`.
12111 "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
12112 # to allow the value "24:00:00" for scenarios like business closing time.
12113 "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
12114 "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
12115 # allow the value 60 if it allows leap-seconds.
12116 "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
12117 },
12118 "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
12119 # and time zone are either specified elsewhere or are not significant. The date
12120 # is relative to the Proleptic Gregorian Calendar. This can represent:
12121 #
12122 # * A full date, with non-zero year, month and day values
12123 # * A month and day value, with a zero year, e.g. an anniversary
12124 # * A year on its own, with zero month and day values
12125 # * A year and month value, with a zero day, e.g. a credit card expiration date
12126 #
12127 # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
12128 "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
12129 # a year.
12130 "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
12131 # if specifying a year by itself or a year and month where the day is not
12132 # significant.
12133 "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
12134 # month and day.
12135 },
12136 "stringValue": "A String",
12137 "booleanValue": True or False,
12138 "integerValue": "A String",
12139 },
12140 "min": { # Set of primitive values supported by the system. # Lower bound of the range, inclusive. Type should be the same as max if
12141 # used.
12142 # Note that for the purposes of inspection or transformation, the number
12143 # of bytes considered to comprise a 'Value' is based on its representation
12144 # as a UTF-8 encoded string. For example, if 'integer_value' is set to
12145 # 123456789, the number of bytes would be counted as 9, even though an
12146 # int64 only holds up to 8 bytes of data.
12147 "floatValue": 3.14,
12148 "timestampValue": "A String",
12149 "dayOfWeekValue": "A String",
12150 "timeValue": { # Represents a time of day. The date and time zone are either not significant
12151 # or are specified elsewhere. An API may choose to allow leap seconds. Related
12152 # types are google.type.Date and `google.protobuf.Timestamp`.
12153 "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
12154 # to allow the value "24:00:00" for scenarios like business closing time.
12155 "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
12156 "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
12157 # allow the value 60 if it allows leap-seconds.
12158 "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
12159 },
12160 "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
12161 # and time zone are either specified elsewhere or are not significant. The date
12162 # is relative to the Proleptic Gregorian Calendar. This can represent:
12163 #
12164 # * A full date, with non-zero year, month and day values
12165 # * A month and day value, with a zero year, e.g. an anniversary
12166 # * A year on its own, with zero month and day values
12167 # * A year and month value, with a zero day, e.g. a credit card expiration date
12168 #
12169 # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
12170 "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
12171 # a year.
12172 "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
12173 # if specifying a year by itself or a year and month where the day is not
12174 # significant.
12175 "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
12176 # month and day.
12177 },
12178 "stringValue": "A String",
12179 "booleanValue": True or False,
12180 "integerValue": "A String",
12181 },
12182 },
12183 ],
12184 },
12185 "cryptoReplaceFfxFpeConfig": { # Replaces an identifier with a surrogate using Format Preserving Encryption
12186 # (FPE) with the FFX mode of operation; however when used in the
12187 # `ReidentifyContent` API method, it serves the opposite function by reversing
12188 # the surrogate back into the original identifier. The identifier must be
12189 # encoded as ASCII. For a given crypto key and context, the same identifier
12190 # will be replaced with the same surrogate. Identifiers must be at least two
12191 # characters long. In the case that the identifier is the empty string, it will
12192 # be skipped. See https://cloud.google.com/dlp/docs/pseudonymization to learn
12193 # more.
12194 #
12195 # Note: We recommend using CryptoDeterministicConfig for all use cases which
12196 # do not require preserving the input alphabet space and size, plus warrant
12197 # referential integrity.
12198 "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the encryption algorithm. [required]
12199 # a key encryption key (KEK) stored by KMS).
12200 # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
12201 # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
12202 # unwrap the data crypto key.
12203 "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS.
12204 # The wrapped key must be a 128/192/256 bit key.
12205 # Authorization requires the following IAM permissions when sending a request
12206 # to perform a crypto transformation using a kms-wrapped crypto key:
12207 # dlp.kms.encrypt
12208 "cryptoKeyName": "A String", # The resource name of the KMS CryptoKey to use for unwrapping. [required]
12209 "wrappedKey": "A String", # The wrapped data crypto key. [required]
12210 },
12211 "unwrapped": { # Using raw keys is prone to security risks due to accidentally
12212 # leaking the key. Choose another type of key if possible.
12213 "key": "A String", # A 128/192/256 bit key. [required]
12214 },
12215 "transient": { # Use this to have a random data crypto key generated.
12216 # It will be discarded after the request finishes.
12217 "name": "A String", # Name of the key. [required]
12218 # This is an arbitrary string used to differentiate different keys.
12219 # A unique key is generated per name: two separate `TransientCryptoKey`
12220 # protos share the same generated key if their names are the same.
12221 # When the data crypto key is generated, this name is not used in any way
12222 # (repeating the api call will result in a different key being generated).
12223 },
12224 },
12225 "radix": 42, # The native way to select the alphabet. Must be in the range [2, 62].
12226 "commonAlphabet": "A String",
12227 "customAlphabet": "A String", # This is supported by mapping these to the alphanumeric characters
12228 # that the FFX mode natively supports. This happens before/after
12229 # encryption/decryption.
12230 # Each character listed must appear only once.
12231 # Number of characters must be in the range [2, 62].
12232 # This must be encoded as ASCII.
12233 # The order of characters does not matter.
12234 "context": { # General identifier of a data field in a storage service. # The 'tweak', a context may be used for higher security since the same
12235 # identifier in two different contexts won't be given the same surrogate. If
12236 # the context is not set, a default tweak will be used.
12237 #
12238 # If the context is set but:
12239 #
12240 # 1. there is no record present when transforming a given value or
12241 # 1. the field is not present when transforming a given value,
12242 #
12243 # a default tweak will be used.
12244 #
12245 # Note that case (1) is expected when an `InfoTypeTransformation` is
12246 # applied to both structured and non-structured `ContentItem`s.
12247 # Currently, the referenced field may be of value type integer or string.
12248 #
12249 # The tweak is constructed as a sequence of bytes in big endian byte order
12250 # such that:
12251 #
12252 # - a 64 bit integer is encoded followed by a single byte of value 1
12253 # - a string is encoded in UTF-8 format followed by a single byte of value 2
12254 "name": "A String", # Name describing the field.
12255 },
12256 "surrogateInfoType": { # Type of information detected by the API. # The custom infoType to annotate the surrogate with.
12257 # This annotation will be applied to the surrogate by prefixing it with
12258 # the name of the custom infoType followed by the number of
12259 # characters comprising the surrogate. The following scheme defines the
12260 # format: info_type_name(surrogate_character_count):surrogate
12261 #
12262 # For example, if the name of custom infoType is 'MY_TOKEN_INFO_TYPE' and
12263 # the surrogate is 'abc', the full replacement value
12264 # will be: 'MY_TOKEN_INFO_TYPE(3):abc'
12265 #
12266 # This annotation identifies the surrogate when inspecting content using the
12267 # custom infoType
12268 # [`SurrogateType`](/dlp/docs/reference/rest/v2/InspectConfig#surrogatetype).
12269 # This facilitates reversal of the surrogate when it occurs in free text.
12270 #
12271 # In order for inspection to work properly, the name of this infoType must
12272 # not occur naturally anywhere in your data; otherwise, inspection may
12273 # find a surrogate that does not correspond to an actual identifier.
12274 # Therefore, choose your custom infoType name carefully after considering
12275 # what your data looks like. One way to select a name that has a high chance
12276 # of yielding reliable detection is to include one or more unicode characters
12277 # that are highly improbable to exist in your data.
12278 # For example, assuming your data is entered from a regular ASCII keyboard,
12279 # the symbol with the hex code point 29DD might be used like so:
12280 # ⧝MY_TOKEN_TYPE
12281 "name": "A String", # Name of the information type. Either a name of your choosing when
12282 # creating a CustomInfoType, or one of the names listed
12283 # at https://cloud.google.com/dlp/docs/infotypes-reference when specifying
12284 # a built-in type. InfoType names should conform to the pattern
12285 # [a-zA-Z0-9_]{1,64}.
12286 },
12287 },
12288 "replaceConfig": { # Replace each input value with a given `Value`.
12289 "newValue": { # Set of primitive values supported by the system. # Value to replace it with.
12290 # Note that for the purposes of inspection or transformation, the number
12291 # of bytes considered to comprise a 'Value' is based on its representation
12292 # as a UTF-8 encoded string. For example, if 'integer_value' is set to
12293 # 123456789, the number of bytes would be counted as 9, even though an
12294 # int64 only holds up to 8 bytes of data.
12295 "floatValue": 3.14,
12296 "timestampValue": "A String",
12297 "dayOfWeekValue": "A String",
12298 "timeValue": { # Represents a time of day. The date and time zone are either not significant
12299 # or are specified elsewhere. An API may choose to allow leap seconds. Related
12300 # types are google.type.Date and `google.protobuf.Timestamp`.
12301 "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
12302 # to allow the value "24:00:00" for scenarios like business closing time.
12303 "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
12304 "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
12305 # allow the value 60 if it allows leap-seconds.
12306 "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
12307 },
12308 "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
12309 # and time zone are either specified elsewhere or are not significant. The date
12310 # is relative to the Proleptic Gregorian Calendar. This can represent:
12311 #
12312 # * A full date, with non-zero year, month and day values
12313 # * A month and day value, with a zero year, e.g. an anniversary
12314 # * A year on its own, with zero month and day values
12315 # * A year and month value, with a zero day, e.g. a credit card expiration date
12316 #
12317 # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
12318 "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
12319 # a year.
12320 "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
12321 # if specifying a year by itself or a year and month where the day is not
12322 # significant.
12323 "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
12324 # month and day.
12325 },
12326 "stringValue": "A String",
12327 "booleanValue": True or False,
12328 "integerValue": "A String",
12329 },
12330 },
12331 },
12332 "condition": { # A condition for determining whether a transformation should be applied to # Only apply the transformation if the condition evaluates to true for the
12333 # given `RecordCondition`. The conditions are allowed to reference fields
12334 # that are not used in the actual transformation. [optional]
12335 #
12336 # Example Use Cases:
12337 #
12338 # - Apply a different bucket transformation to an age column if the zip code
12339 # column for the same record is within a specific range.
12340 # - Redact a field if the date of birth field is greater than 85.
12341 # a field.
12342 "expressions": { # An expression, consisting or an operator and conditions. # An expression.
12343 "conditions": { # A collection of conditions.
12344 "conditions": [
12345 { # The field type of `value` and `field` do not need to match to be
12346 # considered equal, but not all comparisons are possible.
12347 # EQUAL_TO and NOT_EQUAL_TO attempt to compare even with incompatible types,
12348 # but all other comparisons are invalid with incompatible types.
12349 # A `value` of type:
12350 #
12351 # - `string` can be compared against all other types
12352 # - `boolean` can only be compared against other booleans
12353 # - `integer` can be compared against doubles or a string if the string value
12354 # can be parsed as an integer.
12355 # - `double` can be compared against integers or a string if the string can
12356 # be parsed as a double.
12357 # - `Timestamp` can be compared against strings in RFC 3339 date string
12358 # format.
12359 # - `TimeOfDay` can be compared against timestamps and strings in the format
12360 # of 'HH:mm:ss'.
12361 #
12362 # If we fail to compare do to type mismatch, a warning will be given and
12363 # the condition will evaluate to false.
12364 "operator": "A String", # Operator used to compare the field or infoType to the value. [required]
12365 "field": { # General identifier of a data field in a storage service. # Field within the record this condition is evaluated against. [required]
12366 "name": "A String", # Name describing the field.
12367 },
12368 "value": { # Set of primitive values supported by the system. # Value to compare against. [Required, except for `EXISTS` tests.]
12369 # Note that for the purposes of inspection or transformation, the number
12370 # of bytes considered to comprise a 'Value' is based on its representation
12371 # as a UTF-8 encoded string. For example, if 'integer_value' is set to
12372 # 123456789, the number of bytes would be counted as 9, even though an
12373 # int64 only holds up to 8 bytes of data.
12374 "floatValue": 3.14,
12375 "timestampValue": "A String",
12376 "dayOfWeekValue": "A String",
12377 "timeValue": { # Represents a time of day. The date and time zone are either not significant
12378 # or are specified elsewhere. An API may choose to allow leap seconds. Related
12379 # types are google.type.Date and `google.protobuf.Timestamp`.
12380 "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
12381 # to allow the value "24:00:00" for scenarios like business closing time.
12382 "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
12383 "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
12384 # allow the value 60 if it allows leap-seconds.
12385 "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
12386 },
12387 "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
12388 # and time zone are either specified elsewhere or are not significant. The date
12389 # is relative to the Proleptic Gregorian Calendar. This can represent:
12390 #
12391 # * A full date, with non-zero year, month and day values
12392 # * A month and day value, with a zero year, e.g. an anniversary
12393 # * A year on its own, with zero month and day values
12394 # * A year and month value, with a zero day, e.g. a credit card expiration date
12395 #
12396 # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
12397 "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
12398 # a year.
12399 "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
12400 # if specifying a year by itself or a year and month where the day is not
12401 # significant.
12402 "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
12403 # month and day.
12404 },
12405 "stringValue": "A String",
12406 "booleanValue": True or False,
12407 "integerValue": "A String",
12408 },
12409 },
12410 ],
12411 },
12412 "logicalOperator": "A String", # The operator to apply to the result of conditions. Default and currently
12413 # only supported value is `AND`.
12414 },
12415 },
12416 "fields": [ # Input field(s) to apply the transformation to. [required]
12417 { # General identifier of a data field in a storage service.
12418 "name": "A String", # Name describing the field.
12419 },
12420 ],
12421 },
12422 ],
12423 },
12424 },
12425 "createTime": "A String", # The creation timestamp of a inspectTemplate, output only field.
12426 "name": "A String", # The template name. Output only.
12427 #
12428 # The template will have one of the following formats:
12429 # `projects/PROJECT_ID/deidentifyTemplates/TEMPLATE_ID` OR
12430 # `organizations/ORGANIZATION_ID/deidentifyTemplates/TEMPLATE_ID`
12431 }</pre>
12432</div>
12433
12434</body></html>