Blame - docs/dyn/dlp_v2.projects.deidentifyTemplates.html - platform/external/python/google-api-python-client

2020-05-01 07:42:23 -0700

[diff] [blame]

78

<code><a href="#create">create(parent, body=None, x__xgafv=None)</a></code></p>

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

79

<p class="firstline">Creates a DeidentifyTemplate for re-using frequently used configuration</p>

80

81

<code><a href="#delete">delete(name, x__xgafv=None)</a></code></p>

82

<p class="firstline">Deletes a DeidentifyTemplate.</p>

83

84

<code><a href="#get">get(name, x__xgafv=None)</a></code></p>

85

<p class="firstline">Gets a DeidentifyTemplate.</p>

86

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

87

<code><a href="#list">list(parent, pageToken=None, locationId=None, pageSize=None, orderBy=None, x__xgafv=None)</a></code></p>

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

88

<p class="firstline">Lists DeidentifyTemplates.</p>

89

90

<code><a href="#list_next">list_next(previous_request, previous_response)</a></code></p>

91

<p class="firstline">Retrieves the next page of results.</p>

92

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

93

<code><a href="#patch">patch(name, body=None, x__xgafv=None)</a></code></p>

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

94

<p class="firstline">Updates the DeidentifyTemplate.</p>

95

<h3>Method Details</h3>

96

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

97

<code class="details" id="create">create(parent, body=None, x__xgafv=None)</code>

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

98

<pre>Creates a DeidentifyTemplate for re-using frequently used configuration

99

for de-identifying content, images, and storage.

100

See https://cloud.google.com/dlp/docs/creating-templates-deid to learn

101

more.

102

103

Args:

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

104

parent: string, Required. The parent resource name, for example projects/my-project-id or

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

105

organizations/my-org-id. (required)

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

106

body: object, The request body.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

107

The object takes the form of:

108

109

{ # Request message for CreateDeidentifyTemplate.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

110

"templateId": "A String", # The template id can contain uppercase and lowercase letters,

111

# numbers, and hyphens; that is, it must match the regular

112

# expression: `[a-zA-Z\\d-_]+`. The maximum length is 100

113

# characters. Can be empty to allow the system to generate one.

114

"deidentifyTemplate": { # DeidentifyTemplates contains instructions on how to de-identify content. # Required. The DeidentifyTemplate to create.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

115

# See https://cloud.google.com/dlp/docs/concepts-templates to learn more.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

116

"name": "A String", # Output only. The template name.

117

#

118

# The template will have one of the following formats:

119

# `projects/PROJECT_ID/deidentifyTemplates/TEMPLATE_ID` OR

120

# `organizations/ORGANIZATION_ID/deidentifyTemplates/TEMPLATE_ID`

121

"description": "A String", # Short description (max 256 chars).

122

"displayName": "A String", # Display name (max 256 chars).

123

"createTime": "A String", # Output only. The creation timestamp of an inspectTemplate.

124

"updateTime": "A String", # Output only. The last update timestamp of an inspectTemplate.

125

"deidentifyConfig": { # The configuration that controls how the data will change. # ///////////// // The core content of the template // ///////////////

126

"transformationErrorHandling": { # How to handle transformation errors during de-identification. A # Mode for handling transformation errors. If left unspecified, the default

127

# mode is `TransformationErrorHandling.ThrowError`.

128

# transformation error occurs when the requested transformation is incompatible

129

# with the data. For example, trying to de-identify an IP address using a

130

# `DateShift` transformation would result in a transformation error, since date

131

# info cannot be extracted from an IP address.

132

# Information about any incompatible transformations, and how they were

133

# handled, is returned in the response as part of the

134

# `TransformationOverviews`.

135

"throwError": { # Throw an error and fail the request when a transformation error occurs. # Throw an error

136

},

137

"leaveUntransformed": { # Skips the data without modifying it if the requested transformation would # Ignore errors

138

# cause an error. For example, if a `DateShift` transformation were applied

139

# an an IP address, this mode would leave the IP address unchanged in the

140

# response.

141

},

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

142

},

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

143

"recordTransformations": { # A type of transformation that is applied over structured data such as a # Treat the dataset as structured. Transformations can be applied to

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

144

# specific locations within structured datasets, such as transforming

145

# a column within a table.

146

# table.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

147

"recordSuppressions": [ # Configuration defining which records get suppressed entirely. Records that

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

148

# match any suppression rule are omitted from the output.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

149

{ # Configuration to suppress records whose suppression conditions evaluate to

150

# true.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

151

"condition": { # A condition for determining whether a transformation should be applied to # A condition that when it evaluates to true will result in the record being

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

152

# evaluated to be suppressed from the transformed content.

153

# a field.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

154

"expressions": { # An expression, consisting or an operator and conditions. # An expression.

155

"logicalOperator": "A String", # The operator to apply to the result of conditions. Default and currently

156

# only supported value is `AND`.

157

"conditions": { # A collection of conditions. # Conditions to apply to the expression.

158

"conditions": [ # A collection of conditions.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

159

{ # The field type of `value` and `field` do not need to match to be

160

# considered equal, but not all comparisons are possible.

161

# EQUAL_TO and NOT_EQUAL_TO attempt to compare even with incompatible types,

162

# but all other comparisons are invalid with incompatible types.

163

# A `value` of type:

164

#

165

# - `string` can be compared against all other types

166

# - `boolean` can only be compared against other booleans

167

# - `integer` can be compared against doubles or a string if the string value

168

# can be parsed as an integer.

169

# - `double` can be compared against integers or a string if the string can

170

# be parsed as a double.

171

# - `Timestamp` can be compared against strings in RFC 3339 date string

172

# format.

173

# - `TimeOfDay` can be compared against timestamps and strings in the format

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

174

# of 'HH:mm:ss'.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

175

#

176

# If we fail to compare do to type mismatch, a warning will be given and

177

# the condition will evaluate to false.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

178

"field": { # General identifier of a data field in a storage service. # Required. Field within the record this condition is evaluated against.

179

"name": "A String", # Name describing the field.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

180

},

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

181

"operator": "A String", # Required. Operator used to compare the field or infoType to the value.

182

"value": { # Set of primitive values supported by the system. # Value to compare against. [Mandatory, except for `EXISTS` tests.]

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

183

# Note that for the purposes of inspection or transformation, the number

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

184

# of bytes considered to comprise a 'Value' is based on its representation

185

# as a UTF-8 encoded string. For example, if 'integer_value' is set to

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

186

# 123456789, the number of bytes would be counted as 9, even though an

187

# int64 only holds up to 8 bytes of data.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

188

"booleanValue": True or False, # boolean

189

"floatValue": 3.14, # float

190

"dayOfWeekValue": "A String", # day of week

191

"timestampValue": "A String", # timestamp

192

"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

193

# and time zone are either specified elsewhere or are not significant. The date

194

# is relative to the Proleptic Gregorian Calendar. This can represent:

195

#

196

# * A full date, with non-zero year, month and day values

197

# * A month and day value, with a zero year, e.g. an anniversary

198

# * A year on its own, with zero month and day values

199

# * A year and month value, with a zero day, e.g. a credit card expiration date

200

#

201

# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

202

"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without

203

# a year.

204

"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

205

# month and day.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

206

"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

207

# if specifying a year by itself or a year and month where the day is not

208

# significant.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

209

},

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

210

"stringValue": "A String", # string

211

"integerValue": "A String", # integer

212

"timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day

213

# or are specified elsewhere. An API may choose to allow leap seconds. Related

214

# types are google.type.Date and `google.protobuf.Timestamp`.

215

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may

216

# allow the value 60 if it allows leap-seconds.

217

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

218

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose

219

# to allow the value "24:00:00" for scenarios like business closing time.

220

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

221

},

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

},

},

],

},

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

},

},

},

],

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

230

"fieldTransformations": [ # Transform the record by applying various field transformations.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

231

{ # The transformation to apply to the field.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

232

"fields": [ # Required. Input field(s) to apply the transformation to.

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

233

{ # General identifier of a data field in a storage service.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

234

"name": "A String", # Name describing the field.

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

235

},

236

],

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

237

"infoTypeTransformations": { # A type of transformation that will scan unstructured text and # Treat the contents of the field as free text, and selectively

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

238

# transform content that matches an `InfoType`.

239

# apply various `PrimitiveTransformation`s to each finding, where the

240

# transformation is applied to only values that were identified as a specific

241

# info_type.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

242

"transformations": [ # Required. Transformation for each infoType. Cannot specify more than one

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

243

# for a given infoType.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

244

{ # A transformation to apply to text that is identified as a specific

245

# info_type.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

246

"infoTypes": [ # InfoTypes to apply the transformation to. An empty list will cause

247

# this transformation to apply to all findings that correspond to

248

# infoTypes that were requested in `InspectConfig`.

249

{ # Type of information detected by the API.

250

"name": "A String", # Name of the information type. Either a name of your choosing when

251

# creating a CustomInfoType, or one of the names listed

252

# at https://cloud.google.com/dlp/docs/infotypes-reference when specifying

253

# a built-in type. InfoType names should conform to the pattern

254

# `[a-zA-Z0-9_]{1,64}`.

255

},

256

],

257

"primitiveTransformation": { # A rule for transforming a value. # Required. Primitive transformation to apply to the infoType.

258

"timePartConfig": { # For use with `Date`, `Timestamp`, and `TimeOfDay`, extract or preserve a # Time extraction

259

# portion of the value.

260

"partToExtract": "A String", # The part of the time to keep.

261

},

262

"dateShiftConfig": { # Shifts dates by random number of days, with option to be consistent for the # Date Shift

263

# same context. See https://cloud.google.com/dlp/docs/concepts-date-shifting

264

# to learn more.

265

"context": { # General identifier of a data field in a storage service. # Points to the field that contains the context, for example, an entity id.

266

# If set, must also set cryptoKey. If set, shift will be consistent for the

267

# given context.

268

"name": "A String", # Name describing the field.

269

},

270

"upperBoundDays": 42, # Required. Range of shift in days. Actual shift will be selected at random within this

271

# range (inclusive ends). Negative means shift to earlier in time. Must not

272

# be more than 365250 days (1000 years) each direction.

273

#

274

# For example, 3 means shift date to at most 3 days into the future.

275

"lowerBoundDays": 42, # Required. For example, -5 means shift date to at most 5 days back in the past.

276

"cryptoKey": { # This is a data encryption key (DEK) (as opposed to # Causes the shift to be computed based on this key and the context. This

277

# results in the same shift for the same context and crypto_key. If

278

# set, must also set context. Can only be applied to table items.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

279

# a key encryption key (KEK) stored by KMS).

280

# When using KMS to wrap/unwrap DEKs, be sure to set an appropriate

281

# IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot

282

# unwrap the data crypto key.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

283

"kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

284

# The wrapped key must be a 128/192/256 bit key.

285

# Authorization requires the following IAM permissions when sending a request

286

# to perform a crypto transformation using a kms-wrapped crypto key:

287

# dlp.kms.encrypt

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

288

"wrappedKey": "A String", # Required. The wrapped data crypto key.

289

"cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

290

},

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

291

"unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

292

# leaking the key. Choose another type of key if possible.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

293

"key": "A String", # Required. A 128/192/256 bit key.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

294

},

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

295

"transient": { # Use this to have a random data crypto key generated. # Transient crypto key

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

296

# It will be discarded after the request finishes.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

297

"name": "A String", # Required. Name of the key.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

298

# This is an arbitrary string used to differentiate different keys.

299

# A unique key is generated per name: two separate `TransientCryptoKey`

300

# protos share the same generated key if their names are the same.

301

# When the data crypto key is generated, this name is not used in any way

302

# (repeating the api call will result in a different key being generated).

303

},

304

},

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

305

},

306

"replaceWithInfoTypeConfig": { # Replace each matching finding with the name of the info_type. # Replace with infotype

307

},

308

"cryptoHashConfig": { # Pseudonymization method that generates surrogates via cryptographic hashing. # Crypto

309

# Uses SHA-256.

310

# The key size must be either 32 or 64 bytes.

311

# Outputs a base64 encoded representation of the hashed output

312

# (for example, L7k0BHmF1ha5U3NfGykjro4xWi1MPVQPjhMAZbSV9mM=).

313

# Currently, only string and integer values can be hashed.

314

# See https://cloud.google.com/dlp/docs/pseudonymization to learn more.

315

"cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the hash function.

316

# a key encryption key (KEK) stored by KMS).

317

# When using KMS to wrap/unwrap DEKs, be sure to set an appropriate

318

# IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot

319

# unwrap the data crypto key.

320

"kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key

321

# The wrapped key must be a 128/192/256 bit key.

322

# Authorization requires the following IAM permissions when sending a request

323

# to perform a crypto transformation using a kms-wrapped crypto key:

324

# dlp.kms.encrypt

325

"wrappedKey": "A String", # Required. The wrapped data crypto key.

326

"cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.

327

},

328

"unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key

329

# leaking the key. Choose another type of key if possible.

330

"key": "A String", # Required. A 128/192/256 bit key.

331

},

332

"transient": { # Use this to have a random data crypto key generated. # Transient crypto key

333

# It will be discarded after the request finishes.

334

"name": "A String", # Required. Name of the key.

335

# This is an arbitrary string used to differentiate different keys.

336

# A unique key is generated per name: two separate `TransientCryptoKey`

337

# protos share the same generated key if their names are the same.

338

# When the data crypto key is generated, this name is not used in any way

339

# (repeating the api call will result in a different key being generated).

},

},

},

"cryptoReplaceFfxFpeConfig": { # Replaces an identifier with a surrogate using Format Preserving Encryption # Ffx-Fpe

344

# (FPE) with the FFX mode of operation; however when used in the

345

# `ReidentifyContent` API method, it serves the opposite function by reversing

346

# the surrogate back into the original identifier. The identifier must be

347

# encoded as ASCII. For a given crypto key and context, the same identifier

348

# will be replaced with the same surrogate. Identifiers must be at least two

349

# characters long. In the case that the identifier is the empty string, it will

350

# be skipped. See https://cloud.google.com/dlp/docs/pseudonymization to learn

351

# more.

352

#

353

# Note: We recommend using CryptoDeterministicConfig for all use cases which

354

# do not require preserving the input alphabet space and size, plus warrant

355

# referential integrity.

356

"customAlphabet": "A String", # This is supported by mapping these to the alphanumeric characters

357

# that the FFX mode natively supports. This happens before/after

358

# encryption/decryption.

359

# Each character listed must appear only once.

360

# Number of characters must be in the range [2, 95].

361

# This must be encoded as ASCII.

362

# The order of characters does not matter.

363

"commonAlphabet": "A String", # Common alphabets.

364

"surrogateInfoType": { # Type of information detected by the API. # The custom infoType to annotate the surrogate with.

365

# This annotation will be applied to the surrogate by prefixing it with

366

# the name of the custom infoType followed by the number of

367

# characters comprising the surrogate. The following scheme defines the

368

# format: info_type_name(surrogate_character_count):surrogate

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

369

#

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

370

# For example, if the name of custom infoType is 'MY_TOKEN_INFO_TYPE' and

371

# the surrogate is 'abc', the full replacement value

372

# will be: 'MY_TOKEN_INFO_TYPE(3):abc'

373

#

374

# This annotation identifies the surrogate when inspecting content using the

375

# custom infoType

376

# [`SurrogateType`](/dlp/docs/reference/rest/v2/InspectConfig#surrogatetype).

377

# This facilitates reversal of the surrogate when it occurs in free text.

378

#

379

# In order for inspection to work properly, the name of this infoType must

380

# not occur naturally anywhere in your data; otherwise, inspection may

381

# find a surrogate that does not correspond to an actual identifier.

382

# Therefore, choose your custom infoType name carefully after considering

383

# what your data looks like. One way to select a name that has a high chance

384

# of yielding reliable detection is to include one or more unicode characters

385

# that are highly improbable to exist in your data.

386

# For example, assuming your data is entered from a regular ASCII keyboard,

387

# the symbol with the hex code point 29DD might be used like so:

388

# ⧝MY_TOKEN_TYPE

389

"name": "A String", # Name of the information type. Either a name of your choosing when

390

# creating a CustomInfoType, or one of the names listed

391

# at https://cloud.google.com/dlp/docs/infotypes-reference when specifying

392

# a built-in type. InfoType names should conform to the pattern

393

# `[a-zA-Z0-9_]{1,64}`.

394

},

395

"context": { # General identifier of a data field in a storage service. # The 'tweak', a context may be used for higher security since the same

396

# identifier in two different contexts won't be given the same surrogate. If

397

# the context is not set, a default tweak will be used.

398

#

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

399

# If the context is set but:

400

#

401

# 1. there is no record present when transforming a given value or

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

402

# 1. the field is not present when transforming a given value,

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

403

#

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

404

# a default tweak will be used.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

405

#

406

# Note that case (1) is expected when an `InfoTypeTransformation` is

407

# applied to both structured and non-structured `ContentItem`s.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

408

# Currently, the referenced field may be of value type integer or string.

409

#

410

# The tweak is constructed as a sequence of bytes in big endian byte order

411

# such that:

412

#

413

# - a 64 bit integer is encoded followed by a single byte of value 1

414

# - a string is encoded in UTF-8 format followed by a single byte of value 2

415

"name": "A String", # Name describing the field.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

416

},

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

417

"radix": 42, # The native way to select the alphabet. Must be in the range [2, 95].

418

"cryptoKey": { # This is a data encryption key (DEK) (as opposed to # Required. The key used by the encryption algorithm.

419

# a key encryption key (KEK) stored by KMS).

420

# When using KMS to wrap/unwrap DEKs, be sure to set an appropriate

421

# IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot

422

# unwrap the data crypto key.

423

"kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key

424

# The wrapped key must be a 128/192/256 bit key.

425

# Authorization requires the following IAM permissions when sending a request

426

# to perform a crypto transformation using a kms-wrapped crypto key:

427

# dlp.kms.encrypt

428

"wrappedKey": "A String", # Required. The wrapped data crypto key.

429

"cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.

430

},

431

"unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key

432

# leaking the key. Choose another type of key if possible.

433

"key": "A String", # Required. A 128/192/256 bit key.

434

},

435

"transient": { # Use this to have a random data crypto key generated. # Transient crypto key

436

# It will be discarded after the request finishes.

437

"name": "A String", # Required. Name of the key.

438

# This is an arbitrary string used to differentiate different keys.

439

# A unique key is generated per name: two separate `TransientCryptoKey`

440

# protos share the same generated key if their names are the same.

441

# When the data crypto key is generated, this name is not used in any way

442

# (repeating the api call will result in a different key being generated).

},

},

},

"cryptoDeterministicConfig": { # Pseudonymization method that generates deterministic encryption for the given # Deterministic Crypto

447

# input. Outputs a base64 encoded representation of the encrypted output.

448

# Uses AES-SIV based on the RFC https://tools.ietf.org/html/rfc5297.

449

"surrogateInfoType": { # Type of information detected by the API. # The custom info type to annotate the surrogate with.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

450

# This annotation will be applied to the surrogate by prefixing it with

451

# the name of the custom info type followed by the number of

452

# characters comprising the surrogate. The following scheme defines the

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

453

# format: {info type name}({surrogate character count}):{surrogate}

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

454

#

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

455

# For example, if the name of custom info type is 'MY_TOKEN_INFO_TYPE' and

456

# the surrogate is 'abc', the full replacement value

457

# will be: 'MY_TOKEN_INFO_TYPE(3):abc'

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

458

#

459

# This annotation identifies the surrogate when inspecting content using the

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

460

# custom info type 'Surrogate'. This facilitates reversal of the

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

461

# surrogate when it occurs in free text.

462

#

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

463

# Note: For record transformations where the entire cell in a table is being

464

# transformed, surrogates are not mandatory. Surrogates are used to denote

465

# the location of the token and are necessary for re-identification in free

466

# form text.

467

#

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

468

# In order for inspection to work properly, the name of this info type must

469

# not occur naturally anywhere in your data; otherwise, inspection may either

470

#

471

# - reverse a surrogate that does not correspond to an actual identifier

472

# - be unable to parse the surrogate and result in an error

473

#

474

# Therefore, choose your custom info type name carefully after considering

475

# what your data looks like. One way to select a name that has a high chance

476

# of yielding reliable detection is to include one or more unicode characters

477

# that are highly improbable to exist in your data.

478

# For example, assuming your data is entered from a regular ASCII keyboard,

479

# the symbol with the hex code point 29DD might be used like so:

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

480

# ⧝MY_TOKEN_TYPE.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

481

"name": "A String", # Name of the information type. Either a name of your choosing when

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

482

# creating a CustomInfoType, or one of the names listed

483

# at https://cloud.google.com/dlp/docs/infotypes-reference when specifying

484

# a built-in type. InfoType names should conform to the pattern

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

485

# `[a-zA-Z0-9_]{1,64}`.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

486

},

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

487

"context": { # General identifier of a data field in a storage service. # A context may be used for higher security and maintaining

488

# referential integrity such that the same identifier in two different

489

# contexts will be given a distinct surrogate. The context is appended to

490

# plaintext value being encrypted. On decryption the provided context is

491

# validated against the value used during encryption. If a context was

492

# provided during encryption, same context must be provided during decryption

493

# as well.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

494

#

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

495

# If the context is not set, plaintext would be used as is for encryption.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

496

# If the context is set but:

497

#

498

# 1. there is no record present when transforming a given value or

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

499

# 2. the field is not present when transforming a given value,

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

500

#

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

501

# plaintext would be used as is for encryption.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

502

#

503

# Note that case (1) is expected when an `InfoTypeTransformation` is

504

# applied to both structured and non-structured `ContentItem`s.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

505

"name": "A String", # Name describing the field.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

506

},

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

507

"cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the encryption function.

508

# a key encryption key (KEK) stored by KMS).

509

# When using KMS to wrap/unwrap DEKs, be sure to set an appropriate

510

# IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot

511

# unwrap the data crypto key.

512

"kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key

513

# The wrapped key must be a 128/192/256 bit key.

514

# Authorization requires the following IAM permissions when sending a request

515

# to perform a crypto transformation using a kms-wrapped crypto key:

516

# dlp.kms.encrypt

517

"wrappedKey": "A String", # Required. The wrapped data crypto key.

518

"cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.

519

},

520

"unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key

521

# leaking the key. Choose another type of key if possible.

522

"key": "A String", # Required. A 128/192/256 bit key.

523

},

524

"transient": { # Use this to have a random data crypto key generated. # Transient crypto key

525

# It will be discarded after the request finishes.

526

"name": "A String", # Required. Name of the key.

527

# This is an arbitrary string used to differentiate different keys.

528

# A unique key is generated per name: two separate `TransientCryptoKey`

529

# protos share the same generated key if their names are the same.

530

# When the data crypto key is generated, this name is not used in any way

531

# (repeating the api call will result in a different key being generated).

532

},

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

533

},

534

},

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

535

"redactConfig": { # Redact a given value. For example, if used with an `InfoTypeTransformation` # Redact

536

# transforming PHONE_NUMBER, and input 'My phone number is 206-555-0123', the

537

# output would be 'My phone number is '.

538

},

539

"bucketingConfig": { # Generalization function that buckets values based on ranges. The ranges and # Bucketing

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

540

# replacement values are dynamically provided by the user for custom behavior,

541

# such as 1-30 -> LOW 31-65 -> MEDIUM 66-100 -> HIGH

542

# This can be used on

543

# data of type: number, long, string, timestamp.

544

# If the bound `Value` type differs from the type of data being transformed, we

545

# will first attempt converting the type of the data to be transformed to match

546

# the type of the bound before comparing.

547

# See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

548

"buckets": [ # Set of buckets. Ranges must be non-overlapping.

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

549

{ # Bucket is represented as a range, along with replacement values.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

550

"min": { # Set of primitive values supported by the system. # Lower bound of the range, inclusive. Type should be the same as max if

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

551

# used.

552

# Note that for the purposes of inspection or transformation, the number

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

553

# of bytes considered to comprise a 'Value' is based on its representation

554

# as a UTF-8 encoded string. For example, if 'integer_value' is set to

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

555

# 123456789, the number of bytes would be counted as 9, even though an

556

# int64 only holds up to 8 bytes of data.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

557

"booleanValue": True or False, # boolean

558

"floatValue": 3.14, # float

559

"dayOfWeekValue": "A String", # day of week

560

"timestampValue": "A String", # timestamp

561

"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

562

# and time zone are either specified elsewhere or are not significant. The date

563

# is relative to the Proleptic Gregorian Calendar. This can represent:

564

#

565

# * A full date, with non-zero year, month and day values

566

# * A month and day value, with a zero year, e.g. an anniversary

567

# * A year on its own, with zero month and day values

568

# * A year and month value, with a zero day, e.g. a credit card expiration date

569

#

570

# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

571

"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without

572

# a year.

573

"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

574

# month and day.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

575

"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

576

# if specifying a year by itself or a year and month where the day is not

577

# significant.

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

578

},

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

579

"stringValue": "A String", # string

580

"integerValue": "A String", # integer

581

"timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day

582

# or are specified elsewhere. An API may choose to allow leap seconds. Related

583

# types are google.type.Date and `google.protobuf.Timestamp`.

584

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may

585

# allow the value 60 if it allows leap-seconds.

586

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

587

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose

588

# to allow the value "24:00:00" for scenarios like business closing time.

589

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

590

},

591

},

592

"max": { # Set of primitive values supported by the system. # Upper bound of the range, exclusive; type must match min.

593

# Note that for the purposes of inspection or transformation, the number

594

# of bytes considered to comprise a 'Value' is based on its representation

595

# as a UTF-8 encoded string. For example, if 'integer_value' is set to

596

# 123456789, the number of bytes would be counted as 9, even though an

597

# int64 only holds up to 8 bytes of data.

598

"booleanValue": True or False, # boolean

599

"floatValue": 3.14, # float

600

"dayOfWeekValue": "A String", # day of week

601

"timestampValue": "A String", # timestamp

602

"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date

603

# and time zone are either specified elsewhere or are not significant. The date

604

# is relative to the Proleptic Gregorian Calendar. This can represent:

605

#

606

# * A full date, with non-zero year, month and day values

607

# * A month and day value, with a zero year, e.g. an anniversary

608

# * A year on its own, with zero month and day values

609

# * A year and month value, with a zero day, e.g. a credit card expiration date

610

#

611

# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.

612

"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without

613

# a year.

614

"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a

615

# month and day.

616

"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0

617

# if specifying a year by itself or a year and month where the day is not

618

# significant.

619

},

620

"stringValue": "A String", # string

621

"integerValue": "A String", # integer

622

"timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day

623

# or are specified elsewhere. An API may choose to allow leap seconds. Related

624

# types are google.type.Date and `google.protobuf.Timestamp`.

625

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may

626

# allow the value 60 if it allows leap-seconds.

627

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

628

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose

629

# to allow the value "24:00:00" for scenarios like business closing time.

630

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

631

},

632

},

633

"replacementValue": { # Set of primitive values supported by the system. # Replacement value for this bucket. If not provided

634

# the default behavior will be to hyphenate the min-max range.

635

# Note that for the purposes of inspection or transformation, the number

636

# of bytes considered to comprise a 'Value' is based on its representation

637

# as a UTF-8 encoded string. For example, if 'integer_value' is set to

638

# 123456789, the number of bytes would be counted as 9, even though an

639

# int64 only holds up to 8 bytes of data.

640

"booleanValue": True or False, # boolean

641

"floatValue": 3.14, # float

642

"dayOfWeekValue": "A String", # day of week

643

"timestampValue": "A String", # timestamp

644

"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date

645

# and time zone are either specified elsewhere or are not significant. The date

646

# is relative to the Proleptic Gregorian Calendar. This can represent:

647

#

648

# * A full date, with non-zero year, month and day values

649

# * A month and day value, with a zero year, e.g. an anniversary

650

# * A year on its own, with zero month and day values

651

# * A year and month value, with a zero day, e.g. a credit card expiration date

652

#

653

# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.

654

"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without

655

# a year.

656

"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a

657

# month and day.

658

"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0

659

# if specifying a year by itself or a year and month where the day is not

660

# significant.

661

},

662

"stringValue": "A String", # string

663

"integerValue": "A String", # integer

664

"timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day

665

# or are specified elsewhere. An API may choose to allow leap seconds. Related

666

# types are google.type.Date and `google.protobuf.Timestamp`.

667

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may

668

# allow the value 60 if it allows leap-seconds.

669

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

670

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose

671

# to allow the value "24:00:00" for scenarios like business closing time.

672

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

673

},

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

},

},

],

},

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

678

"replaceConfig": { # Replace each input value with a given `Value`. # Replace

679

"newValue": { # Set of primitive values supported by the system. # Value to replace it with.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

680

# Note that for the purposes of inspection or transformation, the number

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

681

# of bytes considered to comprise a 'Value' is based on its representation

682

# as a UTF-8 encoded string. For example, if 'integer_value' is set to

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

683

# 123456789, the number of bytes would be counted as 9, even though an

684

# int64 only holds up to 8 bytes of data.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

685

"booleanValue": True or False, # boolean

686

"floatValue": 3.14, # float

687

"dayOfWeekValue": "A String", # day of week

688

"timestampValue": "A String", # timestamp

689

"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

690

# and time zone are either specified elsewhere or are not significant. The date

691

# is relative to the Proleptic Gregorian Calendar. This can represent:

692

#

693

# * A full date, with non-zero year, month and day values

694

# * A month and day value, with a zero year, e.g. an anniversary

695

# * A year on its own, with zero month and day values

696

# * A year and month value, with a zero day, e.g. a credit card expiration date

697

#

698

# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

699

"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without

700

# a year.

701

"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

702

# month and day.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

703

"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

704

# if specifying a year by itself or a year and month where the day is not

705

# significant.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

706

},

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

707

"stringValue": "A String", # string

708

"integerValue": "A String", # integer

709

"timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day

710

# or are specified elsewhere. An API may choose to allow leap seconds. Related

711

# types are google.type.Date and `google.protobuf.Timestamp`.

712

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may

713

# allow the value 60 if it allows leap-seconds.

714

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

715

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose

716

# to allow the value "24:00:00" for scenarios like business closing time.

717

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

},

},

},

"characterMaskConfig": { # Partially mask a string by replacing a given number of characters with a # Mask

722

# fixed character. Masking can start from the beginning or end of the string.

723

# This can be used on data of any type (numbers, longs, and so on) and when

724

# de-identifying structured data we'll attempt to preserve the original data's

725

# type. (This allows you to take a long like 123 and modify it to a string like

726

# **3.

727

"reverseOrder": True or False, # Mask characters in reverse order. For example, if `masking_character` is

728

# `0`, `number_to_mask` is `14`, and `reverse_order` is `false`, then the

729

# input string `1234-5678-9012-3456` is masked as `00000000000000-3456`.

730

# If `masking_character` is `*`, `number_to_mask` is `3`, and `reverse_order`

731

# is `true`, then the string `12345` is masked as `12***`.

732

"charactersToIgnore": [ # When masking a string, items in this list will be skipped when replacing

733

# characters. For example, if the input string is `555-555-5555` and you

734

# instruct Cloud DLP to skip `-` and mask 5 characters with `*`, Cloud DLP

735

# returns `***-**5-5555`.

736

{ # Characters to skip when doing deidentification of a value. These will be left

737

# alone and skipped.

738

"charactersToSkip": "A String", # Characters to not transform when masking.

739

"commonCharactersToIgnore": "A String", # Common characters to not transform when masking. Useful to avoid removing

# punctuation.

},

],

"numberToMask": 42, # Number of characters to mask. If not set, all matching chars will be

744

# masked. Skipped characters do not count towards this tally.

745

"maskingCharacter": "A String", # Character to use to mask the sensitive values&mdash;for example, `*` for an

746

# alphabetic string such as a name, or `0` for a numeric string such as ZIP

747

# code or credit card number. This string must have a length of 1. If not

748

# supplied, this value defaults to `*` for strings, and `0` for digits.

749

},

750

"fixedSizeBucketingConfig": { # Buckets values based on fixed size ranges. The # Fixed size bucketing

751

# Bucketing transformation can provide all of this functionality,

752

# but requires more configuration. This message is provided as a convenience to

753

# the user for simple bucketing strategies.

754

#

755

# The transformed value will be a hyphenated string of

756

# {lower_bound}-{upper_bound}, i.e if lower_bound = 10 and upper_bound = 20

757

# all values that are within this bucket will be replaced with "10-20".

758

#

759

# This can be used on data of type: double, long.

760

#

761

# If the bound Value type differs from the type of data

762

# being transformed, we will first attempt converting the type of the data to

763

# be transformed to match the type of the bound before comparing.

764

#

765

# See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more.

766

"lowerBound": { # Set of primitive values supported by the system. # Required. Lower bound value of buckets. All values less than `lower_bound` are

767

# grouped together into a single bucket; for example if `lower_bound` = 10,

768

# then all values less than 10 are replaced with the value "-10".

769

# Note that for the purposes of inspection or transformation, the number

770

# of bytes considered to comprise a 'Value' is based on its representation

771

# as a UTF-8 encoded string. For example, if 'integer_value' is set to

772

# 123456789, the number of bytes would be counted as 9, even though an

773

# int64 only holds up to 8 bytes of data.

774

"booleanValue": True or False, # boolean

775

"floatValue": 3.14, # float

776

"dayOfWeekValue": "A String", # day of week

777

"timestampValue": "A String", # timestamp

778

"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date

779

# and time zone are either specified elsewhere or are not significant. The date

780

# is relative to the Proleptic Gregorian Calendar. This can represent:

781

#

782

# * A full date, with non-zero year, month and day values

783

# * A month and day value, with a zero year, e.g. an anniversary

784

# * A year on its own, with zero month and day values

785

# * A year and month value, with a zero day, e.g. a credit card expiration date

786

#

787

# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.

788

"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without

789

# a year.

790

"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a

791

# month and day.

792

"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0

793

# if specifying a year by itself or a year and month where the day is not

794

# significant.

795

},

796

"stringValue": "A String", # string

797

"integerValue": "A String", # integer

798

"timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day

799

# or are specified elsewhere. An API may choose to allow leap seconds. Related

800

# types are google.type.Date and `google.protobuf.Timestamp`.

801

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may

802

# allow the value 60 if it allows leap-seconds.

803

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

804

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose

805

# to allow the value "24:00:00" for scenarios like business closing time.

806

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

807

},

808

},

809

"upperBound": { # Set of primitive values supported by the system. # Required. Upper bound value of buckets. All values greater than upper_bound are

810

# grouped together into a single bucket; for example if `upper_bound` = 89,

811

# then all values greater than 89 are replaced with the value "89+".

812

# Note that for the purposes of inspection or transformation, the number

813

# of bytes considered to comprise a 'Value' is based on its representation

814

# as a UTF-8 encoded string. For example, if 'integer_value' is set to

815

# 123456789, the number of bytes would be counted as 9, even though an

816

# int64 only holds up to 8 bytes of data.

817

"booleanValue": True or False, # boolean

818

"floatValue": 3.14, # float

819

"dayOfWeekValue": "A String", # day of week

820

"timestampValue": "A String", # timestamp

821

"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date

822

# and time zone are either specified elsewhere or are not significant. The date

823

# is relative to the Proleptic Gregorian Calendar. This can represent:

824

#

825

# * A full date, with non-zero year, month and day values

826

# * A month and day value, with a zero year, e.g. an anniversary

827

# * A year on its own, with zero month and day values

828

# * A year and month value, with a zero day, e.g. a credit card expiration date

829

#

830

# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.

831

"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without

832

# a year.

833

"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a

834

# month and day.

835

"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0

836

# if specifying a year by itself or a year and month where the day is not

837

# significant.

838

},

839

"stringValue": "A String", # string

840

"integerValue": "A String", # integer

841

"timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day

842

# or are specified elsewhere. An API may choose to allow leap seconds. Related

843

# types are google.type.Date and `google.protobuf.Timestamp`.

844

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may

845

# allow the value 60 if it allows leap-seconds.

846

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

847

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose

848

# to allow the value "24:00:00" for scenarios like business closing time.

849

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

850

},

851

},

852

"bucketSize": 3.14, # Required. Size of each bucket (except for minimum and maximum buckets). So if

853

# `lower_bound` = 10, `upper_bound` = 89, and `bucket_size` = 10, then the

854

# following buckets would be used: -10, 10-20, 20-30, 30-40, 40-50, 50-60,

855

# 60-70, 70-80, 80-89, 89+. Precision up to 2 decimals works.

},

},

},

],

},

"primitiveTransformation": { # A rule for transforming a value. # Apply the transformation to the entire field.

862

"timePartConfig": { # For use with `Date`, `Timestamp`, and `TimeOfDay`, extract or preserve a # Time extraction

863

# portion of the value.

864

"partToExtract": "A String", # The part of the time to keep.

865

},

866

"dateShiftConfig": { # Shifts dates by random number of days, with option to be consistent for the # Date Shift

867

# same context. See https://cloud.google.com/dlp/docs/concepts-date-shifting

868

# to learn more.

869

"context": { # General identifier of a data field in a storage service. # Points to the field that contains the context, for example, an entity id.

870

# If set, must also set cryptoKey. If set, shift will be consistent for the

871

# given context.

872

"name": "A String", # Name describing the field.

873

},

874

"upperBoundDays": 42, # Required. Range of shift in days. Actual shift will be selected at random within this

875

# range (inclusive ends). Negative means shift to earlier in time. Must not

876

# be more than 365250 days (1000 years) each direction.

877

#

878

# For example, 3 means shift date to at most 3 days into the future.

879

"lowerBoundDays": 42, # Required. For example, -5 means shift date to at most 5 days back in the past.

880

"cryptoKey": { # This is a data encryption key (DEK) (as opposed to # Causes the shift to be computed based on this key and the context. This

881

# results in the same shift for the same context and crypto_key. If

882

# set, must also set context. Can only be applied to table items.

883

# a key encryption key (KEK) stored by KMS).

884

# When using KMS to wrap/unwrap DEKs, be sure to set an appropriate

885

# IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot

886

# unwrap the data crypto key.

887

"kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key

888

# The wrapped key must be a 128/192/256 bit key.

889

# Authorization requires the following IAM permissions when sending a request

890

# to perform a crypto transformation using a kms-wrapped crypto key:

891

# dlp.kms.encrypt

892

"wrappedKey": "A String", # Required. The wrapped data crypto key.

893

"cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.

894

},

895

"unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key

896

# leaking the key. Choose another type of key if possible.

897

"key": "A String", # Required. A 128/192/256 bit key.

898

},

899

"transient": { # Use this to have a random data crypto key generated. # Transient crypto key

900

# It will be discarded after the request finishes.

901

"name": "A String", # Required. Name of the key.

902

# This is an arbitrary string used to differentiate different keys.

903

# A unique key is generated per name: two separate `TransientCryptoKey`

904

# protos share the same generated key if their names are the same.

905

# When the data crypto key is generated, this name is not used in any way

906

# (repeating the api call will result in a different key being generated).

},

},

},

"replaceWithInfoTypeConfig": { # Replace each matching finding with the name of the info_type. # Replace with infotype

911

},

912

"cryptoHashConfig": { # Pseudonymization method that generates surrogates via cryptographic hashing. # Crypto

913

# Uses SHA-256.

914

# The key size must be either 32 or 64 bytes.

915

# Outputs a base64 encoded representation of the hashed output

916

# (for example, L7k0BHmF1ha5U3NfGykjro4xWi1MPVQPjhMAZbSV9mM=).

917

# Currently, only string and integer values can be hashed.

918

# See https://cloud.google.com/dlp/docs/pseudonymization to learn more.

919

"cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the hash function.

920

# a key encryption key (KEK) stored by KMS).

921

# When using KMS to wrap/unwrap DEKs, be sure to set an appropriate

922

# IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot

923

# unwrap the data crypto key.

924

"kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key

925

# The wrapped key must be a 128/192/256 bit key.

926

# Authorization requires the following IAM permissions when sending a request

927

# to perform a crypto transformation using a kms-wrapped crypto key:

928

# dlp.kms.encrypt

929

"wrappedKey": "A String", # Required. The wrapped data crypto key.

930

"cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.

931

},

932

"unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key

933

# leaking the key. Choose another type of key if possible.

934

"key": "A String", # Required. A 128/192/256 bit key.

935

},

936

"transient": { # Use this to have a random data crypto key generated. # Transient crypto key

937

# It will be discarded after the request finishes.

938

"name": "A String", # Required. Name of the key.

939

# This is an arbitrary string used to differentiate different keys.

940

# A unique key is generated per name: two separate `TransientCryptoKey`

941

# protos share the same generated key if their names are the same.

942

# When the data crypto key is generated, this name is not used in any way

943

# (repeating the api call will result in a different key being generated).

},

},

},

"cryptoReplaceFfxFpeConfig": { # Replaces an identifier with a surrogate using Format Preserving Encryption # Ffx-Fpe

948

# (FPE) with the FFX mode of operation; however when used in the

949

# `ReidentifyContent` API method, it serves the opposite function by reversing

950

# the surrogate back into the original identifier. The identifier must be

951

# encoded as ASCII. For a given crypto key and context, the same identifier

952

# will be replaced with the same surrogate. Identifiers must be at least two

953

# characters long. In the case that the identifier is the empty string, it will

954

# be skipped. See https://cloud.google.com/dlp/docs/pseudonymization to learn

955

# more.

956

#

957

# Note: We recommend using CryptoDeterministicConfig for all use cases which

958

# do not require preserving the input alphabet space and size, plus warrant

959

# referential integrity.

960

"customAlphabet": "A String", # This is supported by mapping these to the alphanumeric characters

961

# that the FFX mode natively supports. This happens before/after

962

# encryption/decryption.

963

# Each character listed must appear only once.

964

# Number of characters must be in the range [2, 95].

965

# This must be encoded as ASCII.

966

# The order of characters does not matter.

967

"commonAlphabet": "A String", # Common alphabets.

968

"surrogateInfoType": { # Type of information detected by the API. # The custom infoType to annotate the surrogate with.

969

# This annotation will be applied to the surrogate by prefixing it with

970

# the name of the custom infoType followed by the number of

971

# characters comprising the surrogate. The following scheme defines the

972

# format: info_type_name(surrogate_character_count):surrogate

973

#

974

# For example, if the name of custom infoType is 'MY_TOKEN_INFO_TYPE' and

975

# the surrogate is 'abc', the full replacement value

976

# will be: 'MY_TOKEN_INFO_TYPE(3):abc'

977

#

978

# This annotation identifies the surrogate when inspecting content using the

979

# custom infoType

980

# [`SurrogateType`](/dlp/docs/reference/rest/v2/InspectConfig#surrogatetype).

981

# This facilitates reversal of the surrogate when it occurs in free text.

982

#

983

# In order for inspection to work properly, the name of this infoType must

984

# not occur naturally anywhere in your data; otherwise, inspection may

985

# find a surrogate that does not correspond to an actual identifier.

986

# Therefore, choose your custom infoType name carefully after considering

987

# what your data looks like. One way to select a name that has a high chance

988

# of yielding reliable detection is to include one or more unicode characters

989

# that are highly improbable to exist in your data.

990

# For example, assuming your data is entered from a regular ASCII keyboard,

991

# the symbol with the hex code point 29DD might be used like so:

992

# ⧝MY_TOKEN_TYPE

993

"name": "A String", # Name of the information type. Either a name of your choosing when

994

# creating a CustomInfoType, or one of the names listed

995

# at https://cloud.google.com/dlp/docs/infotypes-reference when specifying

996

# a built-in type. InfoType names should conform to the pattern

997

# `[a-zA-Z0-9_]{1,64}`.

998

},

999

"context": { # General identifier of a data field in a storage service. # The 'tweak', a context may be used for higher security since the same

1000

# identifier in two different contexts won't be given the same surrogate. If

1001

# the context is not set, a default tweak will be used.

1002

#

1003

# If the context is set but:

1004

#

1005

# 1. there is no record present when transforming a given value or

1006

# 1. the field is not present when transforming a given value,

1007

#

1008

# a default tweak will be used.

1009

#

1010

# Note that case (1) is expected when an `InfoTypeTransformation` is

1011

# applied to both structured and non-structured `ContentItem`s.

1012

# Currently, the referenced field may be of value type integer or string.

1013

#

1014

# The tweak is constructed as a sequence of bytes in big endian byte order

1015

# such that:

1016

#

1017

# - a 64 bit integer is encoded followed by a single byte of value 1

1018

# - a string is encoded in UTF-8 format followed by a single byte of value 2

1019

"name": "A String", # Name describing the field.

1020

},

1021

"radix": 42, # The native way to select the alphabet. Must be in the range [2, 95].

1022

"cryptoKey": { # This is a data encryption key (DEK) (as opposed to # Required. The key used by the encryption algorithm.

1023

# a key encryption key (KEK) stored by KMS).

1024

# When using KMS to wrap/unwrap DEKs, be sure to set an appropriate

1025

# IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot

1026

# unwrap the data crypto key.

1027

"kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key

1028

# The wrapped key must be a 128/192/256 bit key.

1029

# Authorization requires the following IAM permissions when sending a request

1030

# to perform a crypto transformation using a kms-wrapped crypto key:

1031

# dlp.kms.encrypt

1032

"wrappedKey": "A String", # Required. The wrapped data crypto key.

1033

"cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.

1034

},

1035

"unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key

1036

# leaking the key. Choose another type of key if possible.

1037

"key": "A String", # Required. A 128/192/256 bit key.

1038

},

1039

"transient": { # Use this to have a random data crypto key generated. # Transient crypto key

1040

# It will be discarded after the request finishes.

1041

"name": "A String", # Required. Name of the key.

1042

# This is an arbitrary string used to differentiate different keys.

1043

# A unique key is generated per name: two separate `TransientCryptoKey`

1044

# protos share the same generated key if their names are the same.

1045

# When the data crypto key is generated, this name is not used in any way

1046

# (repeating the api call will result in a different key being generated).

},

},

},

"cryptoDeterministicConfig": { # Pseudonymization method that generates deterministic encryption for the given # Deterministic Crypto

1051

# input. Outputs a base64 encoded representation of the encrypted output.

1052

# Uses AES-SIV based on the RFC https://tools.ietf.org/html/rfc5297.

1053

"surrogateInfoType": { # Type of information detected by the API. # The custom info type to annotate the surrogate with.

1054

# This annotation will be applied to the surrogate by prefixing it with

1055

# the name of the custom info type followed by the number of

1056

# characters comprising the surrogate. The following scheme defines the

1057

# format: {info type name}({surrogate character count}):{surrogate}

1058

#

1059

# For example, if the name of custom info type is 'MY_TOKEN_INFO_TYPE' and

1060

# the surrogate is 'abc', the full replacement value

1061

# will be: 'MY_TOKEN_INFO_TYPE(3):abc'

1062

#

1063

# This annotation identifies the surrogate when inspecting content using the

1064

# custom info type 'Surrogate'. This facilitates reversal of the

1065

# surrogate when it occurs in free text.

1066

#

1067

# Note: For record transformations where the entire cell in a table is being

1068

# transformed, surrogates are not mandatory. Surrogates are used to denote

1069

# the location of the token and are necessary for re-identification in free

1070

# form text.

1071

#

1072

# In order for inspection to work properly, the name of this info type must

1073

# not occur naturally anywhere in your data; otherwise, inspection may either

1074

#

1075

# - reverse a surrogate that does not correspond to an actual identifier

1076

# - be unable to parse the surrogate and result in an error

1077

#

1078

# Therefore, choose your custom info type name carefully after considering

1079

# what your data looks like. One way to select a name that has a high chance

1080

# of yielding reliable detection is to include one or more unicode characters

1081

# that are highly improbable to exist in your data.

1082

# For example, assuming your data is entered from a regular ASCII keyboard,

1083

# the symbol with the hex code point 29DD might be used like so:

1084

# ⧝MY_TOKEN_TYPE.

1085

"name": "A String", # Name of the information type. Either a name of your choosing when

1086

# creating a CustomInfoType, or one of the names listed

1087

# at https://cloud.google.com/dlp/docs/infotypes-reference when specifying

1088

# a built-in type. InfoType names should conform to the pattern

1089

# `[a-zA-Z0-9_]{1,64}`.

1090

},

1091

"context": { # General identifier of a data field in a storage service. # A context may be used for higher security and maintaining

1092

# referential integrity such that the same identifier in two different

1093

# contexts will be given a distinct surrogate. The context is appended to

1094

# plaintext value being encrypted. On decryption the provided context is

1095

# validated against the value used during encryption. If a context was

1096

# provided during encryption, same context must be provided during decryption

1097

# as well.

1098

#

1099

# If the context is not set, plaintext would be used as is for encryption.

1100

# If the context is set but:

1101

#

1102

# 1. there is no record present when transforming a given value or

1103

# 2. the field is not present when transforming a given value,

1104

#

1105

# plaintext would be used as is for encryption.

1106

#

1107

# Note that case (1) is expected when an `InfoTypeTransformation` is

1108

# applied to both structured and non-structured `ContentItem`s.

1109

"name": "A String", # Name describing the field.

1110

},

1111

"cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the encryption function.

1112

# a key encryption key (KEK) stored by KMS).

1113

# When using KMS to wrap/unwrap DEKs, be sure to set an appropriate

1114

# IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot

1115

# unwrap the data crypto key.

1116

"kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key

1117

# The wrapped key must be a 128/192/256 bit key.

1118

# Authorization requires the following IAM permissions when sending a request

1119

# to perform a crypto transformation using a kms-wrapped crypto key:

1120

# dlp.kms.encrypt

1121

"wrappedKey": "A String", # Required. The wrapped data crypto key.

1122

"cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.

1123

},

1124

"unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key

1125

# leaking the key. Choose another type of key if possible.

1126

"key": "A String", # Required. A 128/192/256 bit key.

1127

},

1128

"transient": { # Use this to have a random data crypto key generated. # Transient crypto key

1129

# It will be discarded after the request finishes.

1130

"name": "A String", # Required. Name of the key.

1131

# This is an arbitrary string used to differentiate different keys.

1132

# A unique key is generated per name: two separate `TransientCryptoKey`

1133

# protos share the same generated key if their names are the same.

1134

# When the data crypto key is generated, this name is not used in any way

1135

# (repeating the api call will result in a different key being generated).

},

},

},

"redactConfig": { # Redact a given value. For example, if used with an `InfoTypeTransformation` # Redact

1140

# transforming PHONE_NUMBER, and input 'My phone number is 206-555-0123', the

1141

# output would be 'My phone number is '.

1142

},

1143

"bucketingConfig": { # Generalization function that buckets values based on ranges. The ranges and # Bucketing

1144

# replacement values are dynamically provided by the user for custom behavior,

1145

# such as 1-30 -> LOW 31-65 -> MEDIUM 66-100 -> HIGH

1146

# This can be used on

1147

# data of type: number, long, string, timestamp.

1148

# If the bound `Value` type differs from the type of data being transformed, we

1149

# will first attempt converting the type of the data to be transformed to match

1150

# the type of the bound before comparing.

1151

# See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more.

1152

"buckets": [ # Set of buckets. Ranges must be non-overlapping.

1153

{ # Bucket is represented as a range, along with replacement values.

1154

"min": { # Set of primitive values supported by the system. # Lower bound of the range, inclusive. Type should be the same as max if

1155

# used.

1156

# Note that for the purposes of inspection or transformation, the number

1157

# of bytes considered to comprise a 'Value' is based on its representation

1158

# as a UTF-8 encoded string. For example, if 'integer_value' is set to

1159

# 123456789, the number of bytes would be counted as 9, even though an

1160

# int64 only holds up to 8 bytes of data.

1161

"booleanValue": True or False, # boolean

1162

"floatValue": 3.14, # float

1163

"dayOfWeekValue": "A String", # day of week

1164

"timestampValue": "A String", # timestamp

1165

"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date

1166

# and time zone are either specified elsewhere or are not significant. The date

1167

# is relative to the Proleptic Gregorian Calendar. This can represent:

1168

#

1169

# * A full date, with non-zero year, month and day values

1170

# * A month and day value, with a zero year, e.g. an anniversary

1171

# * A year on its own, with zero month and day values

1172

# * A year and month value, with a zero day, e.g. a credit card expiration date

1173

#

1174

# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.

1175

"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without

1176

# a year.

1177

"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a

1178

# month and day.

1179

"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0

1180

# if specifying a year by itself or a year and month where the day is not

1181

# significant.

1182

},

1183

"stringValue": "A String", # string

1184

"integerValue": "A String", # integer

1185

"timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day

1186

# or are specified elsewhere. An API may choose to allow leap seconds. Related

1187

# types are google.type.Date and `google.protobuf.Timestamp`.

1188

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may

1189

# allow the value 60 if it allows leap-seconds.

1190

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

1191

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose

1192

# to allow the value "24:00:00" for scenarios like business closing time.

1193

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

1194

},

1195

},

1196

"max": { # Set of primitive values supported by the system. # Upper bound of the range, exclusive; type must match min.

1197

# Note that for the purposes of inspection or transformation, the number

1198

# of bytes considered to comprise a 'Value' is based on its representation

1199

# as a UTF-8 encoded string. For example, if 'integer_value' is set to

1200

# 123456789, the number of bytes would be counted as 9, even though an

1201

# int64 only holds up to 8 bytes of data.

1202

"booleanValue": True or False, # boolean

1203

"floatValue": 3.14, # float

1204

"dayOfWeekValue": "A String", # day of week

1205

"timestampValue": "A String", # timestamp

1206

"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date

1207

# and time zone are either specified elsewhere or are not significant. The date

1208

# is relative to the Proleptic Gregorian Calendar. This can represent:

1209

#

1210

# * A full date, with non-zero year, month and day values

1211

# * A month and day value, with a zero year, e.g. an anniversary

1212

# * A year on its own, with zero month and day values

1213

# * A year and month value, with a zero day, e.g. a credit card expiration date

1214

#

1215

# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.

1216

"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without

1217

# a year.

1218

"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a

1219

# month and day.

1220

"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0

1221

# if specifying a year by itself or a year and month where the day is not

1222

# significant.

1223

},

1224

"stringValue": "A String", # string

1225

"integerValue": "A String", # integer

1226

"timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day

1227

# or are specified elsewhere. An API may choose to allow leap seconds. Related

1228

# types are google.type.Date and `google.protobuf.Timestamp`.

1229

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may

1230

# allow the value 60 if it allows leap-seconds.

1231

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

1232

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose

1233

# to allow the value "24:00:00" for scenarios like business closing time.

1234

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

1235

},

1236

},

1237

"replacementValue": { # Set of primitive values supported by the system. # Replacement value for this bucket. If not provided

1238

# the default behavior will be to hyphenate the min-max range.

1239

# Note that for the purposes of inspection or transformation, the number

1240

# of bytes considered to comprise a 'Value' is based on its representation

1241

# as a UTF-8 encoded string. For example, if 'integer_value' is set to

1242

# 123456789, the number of bytes would be counted as 9, even though an

1243

# int64 only holds up to 8 bytes of data.

1244

"booleanValue": True or False, # boolean

1245

"floatValue": 3.14, # float

1246

"dayOfWeekValue": "A String", # day of week

1247

"timestampValue": "A String", # timestamp

1248

"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date

1249

# and time zone are either specified elsewhere or are not significant. The date

1250

# is relative to the Proleptic Gregorian Calendar. This can represent:

1251

#

1252

# * A full date, with non-zero year, month and day values

1253

# * A month and day value, with a zero year, e.g. an anniversary

1254

# * A year on its own, with zero month and day values

1255

# * A year and month value, with a zero day, e.g. a credit card expiration date

1256

#

1257

# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.

1258

"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without

1259

# a year.

1260

"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a

1261

# month and day.

1262

"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0

1263

# if specifying a year by itself or a year and month where the day is not

1264

# significant.

1265

},

1266

"stringValue": "A String", # string

1267

"integerValue": "A String", # integer

1268

"timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day

1269

# or are specified elsewhere. An API may choose to allow leap seconds. Related

1270

# types are google.type.Date and `google.protobuf.Timestamp`.

1271

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may

1272

# allow the value 60 if it allows leap-seconds.

1273

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

1274

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose

1275

# to allow the value "24:00:00" for scenarios like business closing time.

1276

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

1277

},

1278

},

1279

},

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

1280

],

1281

},

1282

"replaceConfig": { # Replace each input value with a given `Value`. # Replace

1283

"newValue": { # Set of primitive values supported by the system. # Value to replace it with.

1284

# Note that for the purposes of inspection or transformation, the number

1285

# of bytes considered to comprise a 'Value' is based on its representation

1286

# as a UTF-8 encoded string. For example, if 'integer_value' is set to

1287

# 123456789, the number of bytes would be counted as 9, even though an

1288

# int64 only holds up to 8 bytes of data.

1289

"booleanValue": True or False, # boolean

1290

"floatValue": 3.14, # float

1291

"dayOfWeekValue": "A String", # day of week

1292

"timestampValue": "A String", # timestamp

1293

"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date

1294

# and time zone are either specified elsewhere or are not significant. The date

1295

# is relative to the Proleptic Gregorian Calendar. This can represent:

1296

#

1297

# * A full date, with non-zero year, month and day values

1298

# * A month and day value, with a zero year, e.g. an anniversary

1299

# * A year on its own, with zero month and day values

1300

# * A year and month value, with a zero day, e.g. a credit card expiration date

1301

#

1302

# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.

1303

"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without

1304

# a year.

1305

"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a

1306

# month and day.

1307

"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0

1308

# if specifying a year by itself or a year and month where the day is not

1309

# significant.

1310

},

1311

"stringValue": "A String", # string

1312

"integerValue": "A String", # integer

1313

"timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day

1314

# or are specified elsewhere. An API may choose to allow leap seconds. Related

1315

# types are google.type.Date and `google.protobuf.Timestamp`.

1316

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may

1317

# allow the value 60 if it allows leap-seconds.

1318

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

1319

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose

1320

# to allow the value "24:00:00" for scenarios like business closing time.

1321

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

},

},

},

"characterMaskConfig": { # Partially mask a string by replacing a given number of characters with a # Mask

1326

# fixed character. Masking can start from the beginning or end of the string.

1327

# This can be used on data of any type (numbers, longs, and so on) and when

1328

# de-identifying structured data we'll attempt to preserve the original data's

1329

# type. (This allows you to take a long like 123 and modify it to a string like

1330

# **3.

1331

"reverseOrder": True or False, # Mask characters in reverse order. For example, if `masking_character` is

1332

# `0`, `number_to_mask` is `14`, and `reverse_order` is `false`, then the

1333

# input string `1234-5678-9012-3456` is masked as `00000000000000-3456`.

1334

# If `masking_character` is `*`, `number_to_mask` is `3`, and `reverse_order`

1335

# is `true`, then the string `12345` is masked as `12***`.

1336

"charactersToIgnore": [ # When masking a string, items in this list will be skipped when replacing

1337

# characters. For example, if the input string is `555-555-5555` and you

1338

# instruct Cloud DLP to skip `-` and mask 5 characters with `*`, Cloud DLP

1339

# returns `***-**5-5555`.

1340

{ # Characters to skip when doing deidentification of a value. These will be left

1341

# alone and skipped.

1342

"charactersToSkip": "A String", # Characters to not transform when masking.

1343

"commonCharactersToIgnore": "A String", # Common characters to not transform when masking. Useful to avoid removing

# punctuation.

},

],

"numberToMask": 42, # Number of characters to mask. If not set, all matching chars will be

1348

# masked. Skipped characters do not count towards this tally.

1349

"maskingCharacter": "A String", # Character to use to mask the sensitive values&mdash;for example, `*` for an

1350

# alphabetic string such as a name, or `0` for a numeric string such as ZIP

1351

# code or credit card number. This string must have a length of 1. If not

1352

# supplied, this value defaults to `*` for strings, and `0` for digits.

1353

},

1354

"fixedSizeBucketingConfig": { # Buckets values based on fixed size ranges. The # Fixed size bucketing

1355

# Bucketing transformation can provide all of this functionality,

1356

# but requires more configuration. This message is provided as a convenience to

1357

# the user for simple bucketing strategies.

1358

#

1359

# The transformed value will be a hyphenated string of

1360

# {lower_bound}-{upper_bound}, i.e if lower_bound = 10 and upper_bound = 20

1361

# all values that are within this bucket will be replaced with "10-20".

1362

#

1363

# This can be used on data of type: double, long.

1364

#

1365

# If the bound Value type differs from the type of data

1366

# being transformed, we will first attempt converting the type of the data to

1367

# be transformed to match the type of the bound before comparing.

1368

#

1369

# See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more.

1370

"lowerBound": { # Set of primitive values supported by the system. # Required. Lower bound value of buckets. All values less than `lower_bound` are

1371

# grouped together into a single bucket; for example if `lower_bound` = 10,

1372

# then all values less than 10 are replaced with the value "-10".

1373

# Note that for the purposes of inspection or transformation, the number

1374

# of bytes considered to comprise a 'Value' is based on its representation

1375

# as a UTF-8 encoded string. For example, if 'integer_value' is set to

1376

# 123456789, the number of bytes would be counted as 9, even though an

1377

# int64 only holds up to 8 bytes of data.

1378

"booleanValue": True or False, # boolean

1379

"floatValue": 3.14, # float

1380

"dayOfWeekValue": "A String", # day of week

1381

"timestampValue": "A String", # timestamp

1382

"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date

1383

# and time zone are either specified elsewhere or are not significant. The date

1384

# is relative to the Proleptic Gregorian Calendar. This can represent:

1385

#

1386

# * A full date, with non-zero year, month and day values

1387

# * A month and day value, with a zero year, e.g. an anniversary

1388

# * A year on its own, with zero month and day values

1389

# * A year and month value, with a zero day, e.g. a credit card expiration date

1390

#

1391

# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.

1392

"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without

1393

# a year.

1394

"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a

1395

# month and day.

1396

"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0

1397

# if specifying a year by itself or a year and month where the day is not

1398

# significant.

1399

},

1400

"stringValue": "A String", # string

1401

"integerValue": "A String", # integer

1402

"timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day

1403

# or are specified elsewhere. An API may choose to allow leap seconds. Related

1404

# types are google.type.Date and `google.protobuf.Timestamp`.

1405

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may

1406

# allow the value 60 if it allows leap-seconds.

1407

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

1408

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose

1409

# to allow the value "24:00:00" for scenarios like business closing time.

1410

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

1411

},

1412

},

1413

"upperBound": { # Set of primitive values supported by the system. # Required. Upper bound value of buckets. All values greater than upper_bound are

1414

# grouped together into a single bucket; for example if `upper_bound` = 89,

1415

# then all values greater than 89 are replaced with the value "89+".

1416

# Note that for the purposes of inspection or transformation, the number

1417

# of bytes considered to comprise a 'Value' is based on its representation

1418

# as a UTF-8 encoded string. For example, if 'integer_value' is set to

1419

# 123456789, the number of bytes would be counted as 9, even though an

1420

# int64 only holds up to 8 bytes of data.

1421

"booleanValue": True or False, # boolean

1422

"floatValue": 3.14, # float

1423

"dayOfWeekValue": "A String", # day of week

1424

"timestampValue": "A String", # timestamp

1425

"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date

1426

# and time zone are either specified elsewhere or are not significant. The date

1427

# is relative to the Proleptic Gregorian Calendar. This can represent:

1428

#

1429

# * A full date, with non-zero year, month and day values

1430

# * A month and day value, with a zero year, e.g. an anniversary

1431

# * A year on its own, with zero month and day values

1432

# * A year and month value, with a zero day, e.g. a credit card expiration date

1433

#

1434

# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.

1435

"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without

1436

# a year.

1437

"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a

1438

# month and day.

1439

"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0

1440

# if specifying a year by itself or a year and month where the day is not

1441

# significant.

1442

},

1443

"stringValue": "A String", # string

1444

"integerValue": "A String", # integer

1445

"timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day

1446

# or are specified elsewhere. An API may choose to allow leap seconds. Related

1447

# types are google.type.Date and `google.protobuf.Timestamp`.

1448

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may

1449

# allow the value 60 if it allows leap-seconds.

1450

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

1451

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose

1452

# to allow the value "24:00:00" for scenarios like business closing time.

1453

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

1454

},

1455

},

1456

"bucketSize": 3.14, # Required. Size of each bucket (except for minimum and maximum buckets). So if

1457

# `lower_bound` = 10, `upper_bound` = 89, and `bucket_size` = 10, then the

1458

# following buckets would be used: -10, 10-20, 20-30, 30-40, 40-50, 50-60,

1459

# 60-70, 70-80, 80-89, 89+. Precision up to 2 decimals works.

1460

},

1461

},

1462

"condition": { # A condition for determining whether a transformation should be applied to # Only apply the transformation if the condition evaluates to true for the

1463

# given `RecordCondition`. The conditions are allowed to reference fields

1464

# that are not used in the actual transformation.

#

# Example Use Cases:

#

# - Apply a different bucket transformation to an age column if the zip code

1469

# column for the same record is within a specific range.

1470

# - Redact a field if the date of birth field is greater than 85.

1471

# a field.

1472

"expressions": { # An expression, consisting or an operator and conditions. # An expression.

1473

"logicalOperator": "A String", # The operator to apply to the result of conditions. Default and currently

1474

# only supported value is `AND`.

1475

"conditions": { # A collection of conditions. # Conditions to apply to the expression.

1476

"conditions": [ # A collection of conditions.

1477

{ # The field type of `value` and `field` do not need to match to be

1478

# considered equal, but not all comparisons are possible.

1479

# EQUAL_TO and NOT_EQUAL_TO attempt to compare even with incompatible types,

1480

# but all other comparisons are invalid with incompatible types.

1481

# A `value` of type:

1482

#

1483

# - `string` can be compared against all other types

1484

# - `boolean` can only be compared against other booleans

1485

# - `integer` can be compared against doubles or a string if the string value

1486

# can be parsed as an integer.

1487

# - `double` can be compared against integers or a string if the string can

1488

# be parsed as a double.

1489

# - `Timestamp` can be compared against strings in RFC 3339 date string

1490

# format.

1491

# - `TimeOfDay` can be compared against timestamps and strings in the format

1492

# of 'HH:mm:ss'.

1493

#

1494

# If we fail to compare do to type mismatch, a warning will be given and

1495

# the condition will evaluate to false.

1496

"field": { # General identifier of a data field in a storage service. # Required. Field within the record this condition is evaluated against.

1497

"name": "A String", # Name describing the field.

1498

},

1499

"operator": "A String", # Required. Operator used to compare the field or infoType to the value.

1500

"value": { # Set of primitive values supported by the system. # Value to compare against. [Mandatory, except for `EXISTS` tests.]

1501

# Note that for the purposes of inspection or transformation, the number

1502

# of bytes considered to comprise a 'Value' is based on its representation

1503

# as a UTF-8 encoded string. For example, if 'integer_value' is set to

1504

# 123456789, the number of bytes would be counted as 9, even though an

1505

# int64 only holds up to 8 bytes of data.

1506

"booleanValue": True or False, # boolean

1507

"floatValue": 3.14, # float

1508

"dayOfWeekValue": "A String", # day of week

1509

"timestampValue": "A String", # timestamp

1510

"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date

1511

# and time zone are either specified elsewhere or are not significant. The date

1512

# is relative to the Proleptic Gregorian Calendar. This can represent:

1513

#

1514

# * A full date, with non-zero year, month and day values

1515

# * A month and day value, with a zero year, e.g. an anniversary

1516

# * A year on its own, with zero month and day values

1517

# * A year and month value, with a zero day, e.g. a credit card expiration date

1518

#

1519

# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.

1520

"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without

1521

# a year.

1522

"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a

1523

# month and day.

1524

"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0

1525

# if specifying a year by itself or a year and month where the day is not

1526

# significant.

1527

},

1528

"stringValue": "A String", # string

1529

"integerValue": "A String", # integer

1530

"timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day

1531

# or are specified elsewhere. An API may choose to allow leap seconds. Related

1532

# types are google.type.Date and `google.protobuf.Timestamp`.

1533

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may

1534

# allow the value 60 if it allows leap-seconds.

1535

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

1536

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose

1537

# to allow the value "24:00:00" for scenarios like business closing time.

1538

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

1539

},

1540

},

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

1541

},

1542

],

1543

},

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

1544

},

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

1545

},

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

1546

},

1547

],

1548

},

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

1549

"infoTypeTransformations": { # A type of transformation that will scan unstructured text and # Treat the dataset as free-form text and apply the same free text

1550

# transformation everywhere.

1551

# apply various `PrimitiveTransformation`s to each finding, where the

1552

# transformation is applied to only values that were identified as a specific

1553

# info_type.

1554

"transformations": [ # Required. Transformation for each infoType. Cannot specify more than one

1555

# for a given infoType.

1556

{ # A transformation to apply to text that is identified as a specific

1557

# info_type.

1558

"infoTypes": [ # InfoTypes to apply the transformation to. An empty list will cause

1559

# this transformation to apply to all findings that correspond to

1560

# infoTypes that were requested in `InspectConfig`.

1561

{ # Type of information detected by the API.

1562

"name": "A String", # Name of the information type. Either a name of your choosing when

1563

# creating a CustomInfoType, or one of the names listed

1564

# at https://cloud.google.com/dlp/docs/infotypes-reference when specifying

1565

# a built-in type. InfoType names should conform to the pattern

1566

# `[a-zA-Z0-9_]{1,64}`.

1567

},

1568

],

1569

"primitiveTransformation": { # A rule for transforming a value. # Required. Primitive transformation to apply to the infoType.

1570

"timePartConfig": { # For use with `Date`, `Timestamp`, and `TimeOfDay`, extract or preserve a # Time extraction

1571

# portion of the value.

1572

"partToExtract": "A String", # The part of the time to keep.

1573

},

1574

"dateShiftConfig": { # Shifts dates by random number of days, with option to be consistent for the # Date Shift

1575

# same context. See https://cloud.google.com/dlp/docs/concepts-date-shifting

1576

# to learn more.

1577

"context": { # General identifier of a data field in a storage service. # Points to the field that contains the context, for example, an entity id.

1578

# If set, must also set cryptoKey. If set, shift will be consistent for the

1579

# given context.

1580

"name": "A String", # Name describing the field.

1581

},

1582

"upperBoundDays": 42, # Required. Range of shift in days. Actual shift will be selected at random within this

1583

# range (inclusive ends). Negative means shift to earlier in time. Must not

1584

# be more than 365250 days (1000 years) each direction.

1585

#

1586

# For example, 3 means shift date to at most 3 days into the future.

1587

"lowerBoundDays": 42, # Required. For example, -5 means shift date to at most 5 days back in the past.

1588

"cryptoKey": { # This is a data encryption key (DEK) (as opposed to # Causes the shift to be computed based on this key and the context. This

1589

# results in the same shift for the same context and crypto_key. If

1590

# set, must also set context. Can only be applied to table items.

1591

# a key encryption key (KEK) stored by KMS).

1592

# When using KMS to wrap/unwrap DEKs, be sure to set an appropriate

1593

# IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot

1594

# unwrap the data crypto key.

1595

"kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key

1596

# The wrapped key must be a 128/192/256 bit key.

1597

# Authorization requires the following IAM permissions when sending a request

1598

# to perform a crypto transformation using a kms-wrapped crypto key:

1599

# dlp.kms.encrypt

1600

"wrappedKey": "A String", # Required. The wrapped data crypto key.

1601

"cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.

1602

},

1603

"unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key

1604

# leaking the key. Choose another type of key if possible.

1605

"key": "A String", # Required. A 128/192/256 bit key.

1606

},

1607

"transient": { # Use this to have a random data crypto key generated. # Transient crypto key

1608

# It will be discarded after the request finishes.

1609

"name": "A String", # Required. Name of the key.

1610

# This is an arbitrary string used to differentiate different keys.

1611

# A unique key is generated per name: two separate `TransientCryptoKey`

1612

# protos share the same generated key if their names are the same.

1613

# When the data crypto key is generated, this name is not used in any way

1614

# (repeating the api call will result in a different key being generated).

},

},

},

"replaceWithInfoTypeConfig": { # Replace each matching finding with the name of the info_type. # Replace with infotype

1619

},

1620

"cryptoHashConfig": { # Pseudonymization method that generates surrogates via cryptographic hashing. # Crypto

1621

# Uses SHA-256.

1622

# The key size must be either 32 or 64 bytes.

1623

# Outputs a base64 encoded representation of the hashed output

1624

# (for example, L7k0BHmF1ha5U3NfGykjro4xWi1MPVQPjhMAZbSV9mM=).

1625

# Currently, only string and integer values can be hashed.

1626

# See https://cloud.google.com/dlp/docs/pseudonymization to learn more.

1627

"cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the hash function.

1628

# a key encryption key (KEK) stored by KMS).

1629

# When using KMS to wrap/unwrap DEKs, be sure to set an appropriate

1630

# IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot

1631

# unwrap the data crypto key.

1632

"kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key

1633

# The wrapped key must be a 128/192/256 bit key.

1634

# Authorization requires the following IAM permissions when sending a request

1635

# to perform a crypto transformation using a kms-wrapped crypto key:

1636

# dlp.kms.encrypt

1637

"wrappedKey": "A String", # Required. The wrapped data crypto key.

1638

"cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.

1639

},

1640

"unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key

1641

# leaking the key. Choose another type of key if possible.

1642

"key": "A String", # Required. A 128/192/256 bit key.

1643

},

1644

"transient": { # Use this to have a random data crypto key generated. # Transient crypto key

1645

# It will be discarded after the request finishes.

1646

"name": "A String", # Required. Name of the key.

1647

# This is an arbitrary string used to differentiate different keys.

1648

# A unique key is generated per name: two separate `TransientCryptoKey`

1649

# protos share the same generated key if their names are the same.

1650

# When the data crypto key is generated, this name is not used in any way

1651

# (repeating the api call will result in a different key being generated).

},

},

},

"cryptoReplaceFfxFpeConfig": { # Replaces an identifier with a surrogate using Format Preserving Encryption # Ffx-Fpe

1656

# (FPE) with the FFX mode of operation; however when used in the

1657

# `ReidentifyContent` API method, it serves the opposite function by reversing

1658

# the surrogate back into the original identifier. The identifier must be

1659

# encoded as ASCII. For a given crypto key and context, the same identifier

1660

# will be replaced with the same surrogate. Identifiers must be at least two

1661

# characters long. In the case that the identifier is the empty string, it will

1662

# be skipped. See https://cloud.google.com/dlp/docs/pseudonymization to learn

1663

# more.

1664

#

1665

# Note: We recommend using CryptoDeterministicConfig for all use cases which

1666

# do not require preserving the input alphabet space and size, plus warrant

1667

# referential integrity.

1668

"customAlphabet": "A String", # This is supported by mapping these to the alphanumeric characters

1669

# that the FFX mode natively supports. This happens before/after

1670

# encryption/decryption.

1671

# Each character listed must appear only once.

1672

# Number of characters must be in the range [2, 95].

1673

# This must be encoded as ASCII.

1674

# The order of characters does not matter.

1675

"commonAlphabet": "A String", # Common alphabets.

1676

"surrogateInfoType": { # Type of information detected by the API. # The custom infoType to annotate the surrogate with.

1677

# This annotation will be applied to the surrogate by prefixing it with

1678

# the name of the custom infoType followed by the number of

1679

# characters comprising the surrogate. The following scheme defines the

1680

# format: info_type_name(surrogate_character_count):surrogate

1681

#

1682

# For example, if the name of custom infoType is 'MY_TOKEN_INFO_TYPE' and

1683

# the surrogate is 'abc', the full replacement value

1684

# will be: 'MY_TOKEN_INFO_TYPE(3):abc'

1685

#

1686

# This annotation identifies the surrogate when inspecting content using the

1687

# custom infoType

1688

# [`SurrogateType`](/dlp/docs/reference/rest/v2/InspectConfig#surrogatetype).

1689

# This facilitates reversal of the surrogate when it occurs in free text.

1690

#

1691

# In order for inspection to work properly, the name of this infoType must

1692

# not occur naturally anywhere in your data; otherwise, inspection may

1693

# find a surrogate that does not correspond to an actual identifier.

1694

# Therefore, choose your custom infoType name carefully after considering

1695

# what your data looks like. One way to select a name that has a high chance

1696

# of yielding reliable detection is to include one or more unicode characters

1697

# that are highly improbable to exist in your data.

1698

# For example, assuming your data is entered from a regular ASCII keyboard,

1699

# the symbol with the hex code point 29DD might be used like so:

1700

# ⧝MY_TOKEN_TYPE

1701

"name": "A String", # Name of the information type. Either a name of your choosing when

1702

# creating a CustomInfoType, or one of the names listed

1703

# at https://cloud.google.com/dlp/docs/infotypes-reference when specifying

1704

# a built-in type. InfoType names should conform to the pattern

1705

# `[a-zA-Z0-9_]{1,64}`.

1706

},

1707

"context": { # General identifier of a data field in a storage service. # The 'tweak', a context may be used for higher security since the same

1708

# identifier in two different contexts won't be given the same surrogate. If

1709

# the context is not set, a default tweak will be used.

1710

#

1711

# If the context is set but:

1712

#

1713

# 1. there is no record present when transforming a given value or

1714

# 1. the field is not present when transforming a given value,

1715

#

1716

# a default tweak will be used.

1717

#

1718

# Note that case (1) is expected when an `InfoTypeTransformation` is

1719

# applied to both structured and non-structured `ContentItem`s.

1720

# Currently, the referenced field may be of value type integer or string.

1721

#

1722

# The tweak is constructed as a sequence of bytes in big endian byte order

1723

# such that:

1724

#

1725

# - a 64 bit integer is encoded followed by a single byte of value 1

1726

# - a string is encoded in UTF-8 format followed by a single byte of value 2

1727

"name": "A String", # Name describing the field.

1728

},

1729

"radix": 42, # The native way to select the alphabet. Must be in the range [2, 95].

1730

"cryptoKey": { # This is a data encryption key (DEK) (as opposed to # Required. The key used by the encryption algorithm.

1731

# a key encryption key (KEK) stored by KMS).

1732

# When using KMS to wrap/unwrap DEKs, be sure to set an appropriate

1733

# IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot

1734

# unwrap the data crypto key.

1735

"kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key

1736

# The wrapped key must be a 128/192/256 bit key.

1737

# Authorization requires the following IAM permissions when sending a request

1738

# to perform a crypto transformation using a kms-wrapped crypto key:

1739

# dlp.kms.encrypt

1740

"wrappedKey": "A String", # Required. The wrapped data crypto key.

1741

"cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.

1742

},

1743

"unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key

1744

# leaking the key. Choose another type of key if possible.

1745

"key": "A String", # Required. A 128/192/256 bit key.

1746

},

1747

"transient": { # Use this to have a random data crypto key generated. # Transient crypto key

1748

# It will be discarded after the request finishes.

1749

"name": "A String", # Required. Name of the key.

1750

# This is an arbitrary string used to differentiate different keys.

1751

# A unique key is generated per name: two separate `TransientCryptoKey`

1752

# protos share the same generated key if their names are the same.

1753

# When the data crypto key is generated, this name is not used in any way

1754

# (repeating the api call will result in a different key being generated).

},

},

},

"cryptoDeterministicConfig": { # Pseudonymization method that generates deterministic encryption for the given # Deterministic Crypto

1759

# input. Outputs a base64 encoded representation of the encrypted output.

1760

# Uses AES-SIV based on the RFC https://tools.ietf.org/html/rfc5297.

1761

"surrogateInfoType": { # Type of information detected by the API. # The custom info type to annotate the surrogate with.

1762

# This annotation will be applied to the surrogate by prefixing it with

1763

# the name of the custom info type followed by the number of

1764

# characters comprising the surrogate. The following scheme defines the

1765

# format: {info type name}({surrogate character count}):{surrogate}

1766

#

1767

# For example, if the name of custom info type is 'MY_TOKEN_INFO_TYPE' and

1768

# the surrogate is 'abc', the full replacement value

1769

# will be: 'MY_TOKEN_INFO_TYPE(3):abc'

1770

#

1771

# This annotation identifies the surrogate when inspecting content using the

1772

# custom info type 'Surrogate'. This facilitates reversal of the

1773

# surrogate when it occurs in free text.

1774

#

1775

# Note: For record transformations where the entire cell in a table is being

1776

# transformed, surrogates are not mandatory. Surrogates are used to denote

1777

# the location of the token and are necessary for re-identification in free

1778

# form text.

1779

#

1780

# In order for inspection to work properly, the name of this info type must

1781

# not occur naturally anywhere in your data; otherwise, inspection may either

1782

#

1783

# - reverse a surrogate that does not correspond to an actual identifier

1784

# - be unable to parse the surrogate and result in an error

1785

#

1786

# Therefore, choose your custom info type name carefully after considering

1787

# what your data looks like. One way to select a name that has a high chance

1788

# of yielding reliable detection is to include one or more unicode characters

1789

# that are highly improbable to exist in your data.

1790

# For example, assuming your data is entered from a regular ASCII keyboard,

1791

# the symbol with the hex code point 29DD might be used like so:

1792

# ⧝MY_TOKEN_TYPE.

1793

"name": "A String", # Name of the information type. Either a name of your choosing when

1794

# creating a CustomInfoType, or one of the names listed

1795

# at https://cloud.google.com/dlp/docs/infotypes-reference when specifying

1796

# a built-in type. InfoType names should conform to the pattern

1797

# `[a-zA-Z0-9_]{1,64}`.

1798

},

1799

"context": { # General identifier of a data field in a storage service. # A context may be used for higher security and maintaining

1800

# referential integrity such that the same identifier in two different

1801

# contexts will be given a distinct surrogate. The context is appended to

1802

# plaintext value being encrypted. On decryption the provided context is

1803

# validated against the value used during encryption. If a context was

1804

# provided during encryption, same context must be provided during decryption

1805

# as well.

1806

#

1807

# If the context is not set, plaintext would be used as is for encryption.

1808

# If the context is set but:

1809

#

1810

# 1. there is no record present when transforming a given value or

1811

# 2. the field is not present when transforming a given value,

1812

#

1813

# plaintext would be used as is for encryption.

1814

#

1815

# Note that case (1) is expected when an `InfoTypeTransformation` is

1816

# applied to both structured and non-structured `ContentItem`s.

1817

"name": "A String", # Name describing the field.

1818

},

1819

"cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the encryption function.

1820

# a key encryption key (KEK) stored by KMS).

1821

# When using KMS to wrap/unwrap DEKs, be sure to set an appropriate

1822

# IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot

1823

# unwrap the data crypto key.

1824

"kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key

1825

# The wrapped key must be a 128/192/256 bit key.

1826

# Authorization requires the following IAM permissions when sending a request

1827

# to perform a crypto transformation using a kms-wrapped crypto key:

1828

# dlp.kms.encrypt

1829

"wrappedKey": "A String", # Required. The wrapped data crypto key.

1830

"cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.

1831

},

1832

"unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key

1833

# leaking the key. Choose another type of key if possible.

1834

"key": "A String", # Required. A 128/192/256 bit key.

1835

},

1836

"transient": { # Use this to have a random data crypto key generated. # Transient crypto key

1837

# It will be discarded after the request finishes.

1838

"name": "A String", # Required. Name of the key.

1839

# This is an arbitrary string used to differentiate different keys.

1840

# A unique key is generated per name: two separate `TransientCryptoKey`

1841

# protos share the same generated key if their names are the same.

1842

# When the data crypto key is generated, this name is not used in any way

1843

# (repeating the api call will result in a different key being generated).

},

},

},

"redactConfig": { # Redact a given value. For example, if used with an `InfoTypeTransformation` # Redact

1848

# transforming PHONE_NUMBER, and input 'My phone number is 206-555-0123', the

1849

# output would be 'My phone number is '.

1850

},

1851

"bucketingConfig": { # Generalization function that buckets values based on ranges. The ranges and # Bucketing

1852

# replacement values are dynamically provided by the user for custom behavior,

1853

# such as 1-30 -> LOW 31-65 -> MEDIUM 66-100 -> HIGH

1854

# This can be used on

1855

# data of type: number, long, string, timestamp.

1856

# If the bound `Value` type differs from the type of data being transformed, we

1857

# will first attempt converting the type of the data to be transformed to match

1858

# the type of the bound before comparing.

1859

# See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more.

1860

"buckets": [ # Set of buckets. Ranges must be non-overlapping.

1861

{ # Bucket is represented as a range, along with replacement values.

1862

"min": { # Set of primitive values supported by the system. # Lower bound of the range, inclusive. Type should be the same as max if

1863

# used.

1864

# Note that for the purposes of inspection or transformation, the number

1865

# of bytes considered to comprise a 'Value' is based on its representation

1866

# as a UTF-8 encoded string. For example, if 'integer_value' is set to

1867

# 123456789, the number of bytes would be counted as 9, even though an

1868

# int64 only holds up to 8 bytes of data.

1869

"booleanValue": True or False, # boolean

1870

"floatValue": 3.14, # float

1871

"dayOfWeekValue": "A String", # day of week

1872

"timestampValue": "A String", # timestamp

1873

"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date

1874

# and time zone are either specified elsewhere or are not significant. The date

1875

# is relative to the Proleptic Gregorian Calendar. This can represent:

1876

#

1877

# * A full date, with non-zero year, month and day values

1878

# * A month and day value, with a zero year, e.g. an anniversary

1879

# * A year on its own, with zero month and day values

1880

# * A year and month value, with a zero day, e.g. a credit card expiration date

1881

#

1882

# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.

1883

"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without

1884

# a year.

1885

"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a

1886

# month and day.

1887

"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0

1888

# if specifying a year by itself or a year and month where the day is not

1889

# significant.

1890

},

1891

"stringValue": "A String", # string

1892

"integerValue": "A String", # integer

1893

"timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day

1894

# or are specified elsewhere. An API may choose to allow leap seconds. Related

1895

# types are google.type.Date and `google.protobuf.Timestamp`.

1896

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may

1897

# allow the value 60 if it allows leap-seconds.

1898

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

1899

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose

1900

# to allow the value "24:00:00" for scenarios like business closing time.

1901

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

1902

},

1903

},

1904

"max": { # Set of primitive values supported by the system. # Upper bound of the range, exclusive; type must match min.

1905

# Note that for the purposes of inspection or transformation, the number

1906

# of bytes considered to comprise a 'Value' is based on its representation

1907

# as a UTF-8 encoded string. For example, if 'integer_value' is set to

1908

# 123456789, the number of bytes would be counted as 9, even though an

1909

# int64 only holds up to 8 bytes of data.

1910

"booleanValue": True or False, # boolean

1911

"floatValue": 3.14, # float

1912

"dayOfWeekValue": "A String", # day of week

1913

"timestampValue": "A String", # timestamp

1914

"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date

1915

# and time zone are either specified elsewhere or are not significant. The date

1916

# is relative to the Proleptic Gregorian Calendar. This can represent:

1917

#

1918

# * A full date, with non-zero year, month and day values

1919

# * A month and day value, with a zero year, e.g. an anniversary

1920

# * A year on its own, with zero month and day values

1921

# * A year and month value, with a zero day, e.g. a credit card expiration date

1922

#

1923

# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.

1924

"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without

1925

# a year.

1926

"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a

1927

# month and day.

1928

"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0

1929

# if specifying a year by itself or a year and month where the day is not

1930

# significant.

1931

},

1932

"stringValue": "A String", # string

1933

"integerValue": "A String", # integer

1934

"timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day

1935

# or are specified elsewhere. An API may choose to allow leap seconds. Related

1936

# types are google.type.Date and `google.protobuf.Timestamp`.

1937

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may

1938

# allow the value 60 if it allows leap-seconds.

1939

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

1940

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose

1941

# to allow the value "24:00:00" for scenarios like business closing time.

1942

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

1943

},

1944

},

1945

"replacementValue": { # Set of primitive values supported by the system. # Replacement value for this bucket. If not provided

1946

# the default behavior will be to hyphenate the min-max range.

1947

# Note that for the purposes of inspection or transformation, the number

1948

# of bytes considered to comprise a 'Value' is based on its representation

1949

# as a UTF-8 encoded string. For example, if 'integer_value' is set to

1950

# 123456789, the number of bytes would be counted as 9, even though an

1951

# int64 only holds up to 8 bytes of data.

1952

"booleanValue": True or False, # boolean

1953

"floatValue": 3.14, # float

1954

"dayOfWeekValue": "A String", # day of week

1955

"timestampValue": "A String", # timestamp

1956

"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date

1957

# and time zone are either specified elsewhere or are not significant. The date

1958

# is relative to the Proleptic Gregorian Calendar. This can represent:

1959

#

1960

# * A full date, with non-zero year, month and day values

1961

# * A month and day value, with a zero year, e.g. an anniversary

1962

# * A year on its own, with zero month and day values

1963

# * A year and month value, with a zero day, e.g. a credit card expiration date

1964

#

1965

# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.

1966

"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without

1967

# a year.

1968

"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a

1969

# month and day.

1970

"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0

1971

# if specifying a year by itself or a year and month where the day is not

1972

# significant.

1973

},

1974

"stringValue": "A String", # string

1975

"integerValue": "A String", # integer

1976

"timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day

1977

# or are specified elsewhere. An API may choose to allow leap seconds. Related

1978

# types are google.type.Date and `google.protobuf.Timestamp`.

1979

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may

1980

# allow the value 60 if it allows leap-seconds.

1981

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

1982

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose

1983

# to allow the value "24:00:00" for scenarios like business closing time.

1984

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

},

},

},

],

},

"replaceConfig": { # Replace each input value with a given `Value`. # Replace

1991

"newValue": { # Set of primitive values supported by the system. # Value to replace it with.

1992

# Note that for the purposes of inspection or transformation, the number

1993

# of bytes considered to comprise a 'Value' is based on its representation

1994

# as a UTF-8 encoded string. For example, if 'integer_value' is set to

1995

# 123456789, the number of bytes would be counted as 9, even though an

1996

# int64 only holds up to 8 bytes of data.

1997

"booleanValue": True or False, # boolean

1998

"floatValue": 3.14, # float

1999

"dayOfWeekValue": "A String", # day of week

2000

"timestampValue": "A String", # timestamp

2001

"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date

2002

# and time zone are either specified elsewhere or are not significant. The date

2003

# is relative to the Proleptic Gregorian Calendar. This can represent:

2004

#

2005

# * A full date, with non-zero year, month and day values

2006

# * A month and day value, with a zero year, e.g. an anniversary

2007

# * A year on its own, with zero month and day values

2008

# * A year and month value, with a zero day, e.g. a credit card expiration date

2009

#

2010

# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.

2011

"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without

2012

# a year.

2013

"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a

2014

# month and day.

2015

"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0

2016

# if specifying a year by itself or a year and month where the day is not

2017

# significant.

2018

},

2019

"stringValue": "A String", # string

2020

"integerValue": "A String", # integer

2021

"timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day

2022

# or are specified elsewhere. An API may choose to allow leap seconds. Related

2023

# types are google.type.Date and `google.protobuf.Timestamp`.

2024

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may

2025

# allow the value 60 if it allows leap-seconds.

2026

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

2027

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose

2028

# to allow the value "24:00:00" for scenarios like business closing time.

2029

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

},

},

},

"characterMaskConfig": { # Partially mask a string by replacing a given number of characters with a # Mask

2034

# fixed character. Masking can start from the beginning or end of the string.

2035

# This can be used on data of any type (numbers, longs, and so on) and when

2036

# de-identifying structured data we'll attempt to preserve the original data's

2037

# type. (This allows you to take a long like 123 and modify it to a string like

2038

# **3.

2039

"reverseOrder": True or False, # Mask characters in reverse order. For example, if `masking_character` is

2040

# `0`, `number_to_mask` is `14`, and `reverse_order` is `false`, then the

2041

# input string `1234-5678-9012-3456` is masked as `00000000000000-3456`.

2042

# If `masking_character` is `*`, `number_to_mask` is `3`, and `reverse_order`

2043

# is `true`, then the string `12345` is masked as `12***`.

2044

"charactersToIgnore": [ # When masking a string, items in this list will be skipped when replacing

2045

# characters. For example, if the input string is `555-555-5555` and you

2046

# instruct Cloud DLP to skip `-` and mask 5 characters with `*`, Cloud DLP

2047

# returns `***-**5-5555`.

2048

{ # Characters to skip when doing deidentification of a value. These will be left

2049

# alone and skipped.

2050

"charactersToSkip": "A String", # Characters to not transform when masking.

2051

"commonCharactersToIgnore": "A String", # Common characters to not transform when masking. Useful to avoid removing

# punctuation.

},

],

"numberToMask": 42, # Number of characters to mask. If not set, all matching chars will be

2056

# masked. Skipped characters do not count towards this tally.

2057

"maskingCharacter": "A String", # Character to use to mask the sensitive values&mdash;for example, `*` for an

2058

# alphabetic string such as a name, or `0` for a numeric string such as ZIP

2059

# code or credit card number. This string must have a length of 1. If not

2060

# supplied, this value defaults to `*` for strings, and `0` for digits.

2061

},

2062

"fixedSizeBucketingConfig": { # Buckets values based on fixed size ranges. The # Fixed size bucketing

2063

# Bucketing transformation can provide all of this functionality,

2064

# but requires more configuration. This message is provided as a convenience to

2065

# the user for simple bucketing strategies.

2066

#

2067

# The transformed value will be a hyphenated string of

2068

# {lower_bound}-{upper_bound}, i.e if lower_bound = 10 and upper_bound = 20

2069

# all values that are within this bucket will be replaced with "10-20".

2070

#

2071

# This can be used on data of type: double, long.

2072

#

2073

# If the bound Value type differs from the type of data

2074

# being transformed, we will first attempt converting the type of the data to

2075

# be transformed to match the type of the bound before comparing.

2076

#

2077

# See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more.

2078

"lowerBound": { # Set of primitive values supported by the system. # Required. Lower bound value of buckets. All values less than `lower_bound` are

2079

# grouped together into a single bucket; for example if `lower_bound` = 10,

2080

# then all values less than 10 are replaced with the value "-10".

2081

# Note that for the purposes of inspection or transformation, the number

2082

# of bytes considered to comprise a 'Value' is based on its representation

2083

# as a UTF-8 encoded string. For example, if 'integer_value' is set to

2084

# 123456789, the number of bytes would be counted as 9, even though an

2085

# int64 only holds up to 8 bytes of data.

2086

"booleanValue": True or False, # boolean

2087

"floatValue": 3.14, # float

2088

"dayOfWeekValue": "A String", # day of week

2089

"timestampValue": "A String", # timestamp

2090

"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date

2091

# and time zone are either specified elsewhere or are not significant. The date

2092

# is relative to the Proleptic Gregorian Calendar. This can represent:

2093

#

2094

# * A full date, with non-zero year, month and day values

2095

# * A month and day value, with a zero year, e.g. an anniversary

2096

# * A year on its own, with zero month and day values

2097

# * A year and month value, with a zero day, e.g. a credit card expiration date

2098

#

2099

# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.

2100

"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without

2101

# a year.

2102

"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a

2103

# month and day.

2104

"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0

2105

# if specifying a year by itself or a year and month where the day is not

2106

# significant.

2107

},

2108

"stringValue": "A String", # string

2109

"integerValue": "A String", # integer

2110

"timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day

2111

# or are specified elsewhere. An API may choose to allow leap seconds. Related

2112

# types are google.type.Date and `google.protobuf.Timestamp`.

2113

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may

2114

# allow the value 60 if it allows leap-seconds.

2115

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

2116

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose

2117

# to allow the value "24:00:00" for scenarios like business closing time.

2118

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

2119

},

2120

},

2121

"upperBound": { # Set of primitive values supported by the system. # Required. Upper bound value of buckets. All values greater than upper_bound are

2122

# grouped together into a single bucket; for example if `upper_bound` = 89,

2123

# then all values greater than 89 are replaced with the value "89+".

2124

# Note that for the purposes of inspection or transformation, the number

2125

# of bytes considered to comprise a 'Value' is based on its representation

2126

# as a UTF-8 encoded string. For example, if 'integer_value' is set to

2127

# 123456789, the number of bytes would be counted as 9, even though an

2128

# int64 only holds up to 8 bytes of data.

2129

"booleanValue": True or False, # boolean

2130

"floatValue": 3.14, # float

2131

"dayOfWeekValue": "A String", # day of week

2132

"timestampValue": "A String", # timestamp

2133

"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date

2134

# and time zone are either specified elsewhere or are not significant. The date

2135

# is relative to the Proleptic Gregorian Calendar. This can represent:

2136

#

2137

# * A full date, with non-zero year, month and day values

2138

# * A month and day value, with a zero year, e.g. an anniversary

2139

# * A year on its own, with zero month and day values

2140

# * A year and month value, with a zero day, e.g. a credit card expiration date

2141

#

2142

# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.

2143

"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without

2144

# a year.

2145

"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a

2146

# month and day.

2147

"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0

2148

# if specifying a year by itself or a year and month where the day is not

2149

# significant.

2150

},

2151

"stringValue": "A String", # string

2152

"integerValue": "A String", # integer

2153

"timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day

2154

# or are specified elsewhere. An API may choose to allow leap seconds. Related

2155

# types are google.type.Date and `google.protobuf.Timestamp`.

2156

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may

2157

# allow the value 60 if it allows leap-seconds.

2158

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

2159

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose

2160

# to allow the value "24:00:00" for scenarios like business closing time.

2161

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

2162

},

2163

},

2164

"bucketSize": 3.14, # Required. Size of each bucket (except for minimum and maximum buckets). So if

2165

# `lower_bound` = 10, `upper_bound` = 89, and `bucket_size` = 10, then the

2166

# following buckets would be used: -10, 10-20, 20-30, 30-40, 40-50, 50-60,

2167

# 60-70, 70-80, 80-89, 89+. Precision up to 2 decimals works.

},

},

},

],

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

2172

},

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

2173

},

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

2174

},

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

2175

"locationId": "A String", # The geographic location to store the deidentification template. Reserved

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

2176

# for future extensions.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

2177

}

2178

2179

x__xgafv: string, V1 error format.

Allowed values

1 - v1 error format

2 - v2 error format

Returns:

An object of the form:

2186

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

2187

{ # DeidentifyTemplates contains instructions on how to de-identify content.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

2188

# See https://cloud.google.com/dlp/docs/concepts-templates to learn more.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

2189

"name": "A String", # Output only. The template name.

2190

#

2191

# The template will have one of the following formats:

2192

# `projects/PROJECT_ID/deidentifyTemplates/TEMPLATE_ID` OR

2193

# `organizations/ORGANIZATION_ID/deidentifyTemplates/TEMPLATE_ID`

2194

"description": "A String", # Short description (max 256 chars).

2195

"displayName": "A String", # Display name (max 256 chars).

2196

"createTime": "A String", # Output only. The creation timestamp of an inspectTemplate.

2197

"updateTime": "A String", # Output only. The last update timestamp of an inspectTemplate.

2198

"deidentifyConfig": { # The configuration that controls how the data will change. # ///////////// // The core content of the template // ///////////////

2199

"transformationErrorHandling": { # How to handle transformation errors during de-identification. A # Mode for handling transformation errors. If left unspecified, the default

2200

# mode is `TransformationErrorHandling.ThrowError`.

2201

# transformation error occurs when the requested transformation is incompatible

2202

# with the data. For example, trying to de-identify an IP address using a

2203

# `DateShift` transformation would result in a transformation error, since date

2204

# info cannot be extracted from an IP address.

2205

# Information about any incompatible transformations, and how they were

2206

# handled, is returned in the response as part of the

2207

# `TransformationOverviews`.

2208

"throwError": { # Throw an error and fail the request when a transformation error occurs. # Throw an error

2209

},

2210

"leaveUntransformed": { # Skips the data without modifying it if the requested transformation would # Ignore errors

2211

# cause an error. For example, if a `DateShift` transformation were applied

2212

# an an IP address, this mode would leave the IP address unchanged in the

2213

# response.

2214

},

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

2215

},

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

2216

"recordTransformations": { # A type of transformation that is applied over structured data such as a # Treat the dataset as structured. Transformations can be applied to

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

2217

# specific locations within structured datasets, such as transforming

2218

# a column within a table.

2219

# table.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

2220

"recordSuppressions": [ # Configuration defining which records get suppressed entirely. Records that

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

2221

# match any suppression rule are omitted from the output.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

2222

{ # Configuration to suppress records whose suppression conditions evaluate to

2223

# true.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

2224

"condition": { # A condition for determining whether a transformation should be applied to # A condition that when it evaluates to true will result in the record being

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

2225

# evaluated to be suppressed from the transformed content.

2226

# a field.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

2227

"expressions": { # An expression, consisting or an operator and conditions. # An expression.

2228

"logicalOperator": "A String", # The operator to apply to the result of conditions. Default and currently

2229

# only supported value is `AND`.

2230

"conditions": { # A collection of conditions. # Conditions to apply to the expression.

2231

"conditions": [ # A collection of conditions.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

2232

{ # The field type of `value` and `field` do not need to match to be

2233

# considered equal, but not all comparisons are possible.

2234

# EQUAL_TO and NOT_EQUAL_TO attempt to compare even with incompatible types,

2235

# but all other comparisons are invalid with incompatible types.

2236

# A `value` of type:

2237

#

2238

# - `string` can be compared against all other types

2239

# - `boolean` can only be compared against other booleans

2240

# - `integer` can be compared against doubles or a string if the string value

2241

# can be parsed as an integer.

2242

# - `double` can be compared against integers or a string if the string can

2243

# be parsed as a double.

2244

# - `Timestamp` can be compared against strings in RFC 3339 date string

2245

# format.

2246

# - `TimeOfDay` can be compared against timestamps and strings in the format

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

2247

# of 'HH:mm:ss'.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

2248

#

2249

# If we fail to compare do to type mismatch, a warning will be given and

2250

# the condition will evaluate to false.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

2251

"field": { # General identifier of a data field in a storage service. # Required. Field within the record this condition is evaluated against.

2252

"name": "A String", # Name describing the field.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

2253

},

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

2254

"operator": "A String", # Required. Operator used to compare the field or infoType to the value.

2255

"value": { # Set of primitive values supported by the system. # Value to compare against. [Mandatory, except for `EXISTS` tests.]

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

2256

# Note that for the purposes of inspection or transformation, the number

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

2257

# of bytes considered to comprise a 'Value' is based on its representation

2258

# as a UTF-8 encoded string. For example, if 'integer_value' is set to

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

2259

# 123456789, the number of bytes would be counted as 9, even though an

2260

# int64 only holds up to 8 bytes of data.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

2261

"booleanValue": True or False, # boolean

2262

"floatValue": 3.14, # float

2263

"dayOfWeekValue": "A String", # day of week

2264

"timestampValue": "A String", # timestamp

2265

"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

2266

# and time zone are either specified elsewhere or are not significant. The date

2267

# is relative to the Proleptic Gregorian Calendar. This can represent:

2268

#

2269

# * A full date, with non-zero year, month and day values

2270

# * A month and day value, with a zero year, e.g. an anniversary

2271

# * A year on its own, with zero month and day values

2272

# * A year and month value, with a zero day, e.g. a credit card expiration date

2273

#

2274

# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

2275

"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without

2276

# a year.

2277

"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

2278

# month and day.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

2279

"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

2280

# if specifying a year by itself or a year and month where the day is not

2281

# significant.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

2282

},

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

2283

"stringValue": "A String", # string

2284

"integerValue": "A String", # integer

2285

"timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day

2286

# or are specified elsewhere. An API may choose to allow leap seconds. Related

2287

# types are google.type.Date and `google.protobuf.Timestamp`.

2288

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may

2289

# allow the value 60 if it allows leap-seconds.

2290

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

2291

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose

2292

# to allow the value "24:00:00" for scenarios like business closing time.

2293

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

2294

},

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

},

},

],

},

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

},

},

},

],

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

2303

"fieldTransformations": [ # Transform the record by applying various field transformations.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

2304

{ # The transformation to apply to the field.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

2305

"fields": [ # Required. Input field(s) to apply the transformation to.

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

2306

{ # General identifier of a data field in a storage service.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

2307

"name": "A String", # Name describing the field.

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

2308

},

2309

],

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

2310

"infoTypeTransformations": { # A type of transformation that will scan unstructured text and # Treat the contents of the field as free text, and selectively

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

2311

# transform content that matches an `InfoType`.

2312

# apply various `PrimitiveTransformation`s to each finding, where the

2313

# transformation is applied to only values that were identified as a specific

2314

# info_type.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

2315

"transformations": [ # Required. Transformation for each infoType. Cannot specify more than one

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

2316

# for a given infoType.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

2317

{ # A transformation to apply to text that is identified as a specific

2318

# info_type.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

2319

"infoTypes": [ # InfoTypes to apply the transformation to. An empty list will cause

2320

# this transformation to apply to all findings that correspond to

2321

# infoTypes that were requested in `InspectConfig`.

2322

{ # Type of information detected by the API.

2323

"name": "A String", # Name of the information type. Either a name of your choosing when

2324

# creating a CustomInfoType, or one of the names listed

2325

# at https://cloud.google.com/dlp/docs/infotypes-reference when specifying

2326

# a built-in type. InfoType names should conform to the pattern

2327

# `[a-zA-Z0-9_]{1,64}`.

2328

},

2329

],

2330

"primitiveTransformation": { # A rule for transforming a value. # Required. Primitive transformation to apply to the infoType.

2331

"timePartConfig": { # For use with `Date`, `Timestamp`, and `TimeOfDay`, extract or preserve a # Time extraction

2332

# portion of the value.

2333

"partToExtract": "A String", # The part of the time to keep.

2334

},

2335

"dateShiftConfig": { # Shifts dates by random number of days, with option to be consistent for the # Date Shift

2336

# same context. See https://cloud.google.com/dlp/docs/concepts-date-shifting

2337

# to learn more.

2338

"context": { # General identifier of a data field in a storage service. # Points to the field that contains the context, for example, an entity id.

2339

# If set, must also set cryptoKey. If set, shift will be consistent for the

2340

# given context.

2341

"name": "A String", # Name describing the field.

2342

},

2343

"upperBoundDays": 42, # Required. Range of shift in days. Actual shift will be selected at random within this

2344

# range (inclusive ends). Negative means shift to earlier in time. Must not

2345

# be more than 365250 days (1000 years) each direction.

2346

#

2347

# For example, 3 means shift date to at most 3 days into the future.

2348

"lowerBoundDays": 42, # Required. For example, -5 means shift date to at most 5 days back in the past.

2349

"cryptoKey": { # This is a data encryption key (DEK) (as opposed to # Causes the shift to be computed based on this key and the context. This

2350

# results in the same shift for the same context and crypto_key. If

2351

# set, must also set context. Can only be applied to table items.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

2352

# a key encryption key (KEK) stored by KMS).

2353

# When using KMS to wrap/unwrap DEKs, be sure to set an appropriate

2354

# IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot

2355

# unwrap the data crypto key.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

2356

"kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

2357

# The wrapped key must be a 128/192/256 bit key.

2358

# Authorization requires the following IAM permissions when sending a request

2359

# to perform a crypto transformation using a kms-wrapped crypto key:

2360

# dlp.kms.encrypt

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

2361

"wrappedKey": "A String", # Required. The wrapped data crypto key.

2362

"cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

2363

},

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

2364

"unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

2365

# leaking the key. Choose another type of key if possible.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

2366

"key": "A String", # Required. A 128/192/256 bit key.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

2367

},

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

2368

"transient": { # Use this to have a random data crypto key generated. # Transient crypto key

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

2369

# It will be discarded after the request finishes.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

2370

"name": "A String", # Required. Name of the key.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

2371

# This is an arbitrary string used to differentiate different keys.

2372

# A unique key is generated per name: two separate `TransientCryptoKey`

2373

# protos share the same generated key if their names are the same.

2374

# When the data crypto key is generated, this name is not used in any way

2375

# (repeating the api call will result in a different key being generated).

2376

},

2377

},

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

2378

},

2379

"replaceWithInfoTypeConfig": { # Replace each matching finding with the name of the info_type. # Replace with infotype

2380

},

2381

"cryptoHashConfig": { # Pseudonymization method that generates surrogates via cryptographic hashing. # Crypto

2382

# Uses SHA-256.

2383

# The key size must be either 32 or 64 bytes.

2384

# Outputs a base64 encoded representation of the hashed output

2385

# (for example, L7k0BHmF1ha5U3NfGykjro4xWi1MPVQPjhMAZbSV9mM=).

2386

# Currently, only string and integer values can be hashed.

2387

# See https://cloud.google.com/dlp/docs/pseudonymization to learn more.

2388

"cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the hash function.

2389

# a key encryption key (KEK) stored by KMS).

2390

# When using KMS to wrap/unwrap DEKs, be sure to set an appropriate

2391

# IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot

2392

# unwrap the data crypto key.

2393

"kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key

2394

# The wrapped key must be a 128/192/256 bit key.

2395

# Authorization requires the following IAM permissions when sending a request

2396

# to perform a crypto transformation using a kms-wrapped crypto key:

2397

# dlp.kms.encrypt

2398

"wrappedKey": "A String", # Required. The wrapped data crypto key.

2399

"cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.

2400

},

2401

"unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key

2402

# leaking the key. Choose another type of key if possible.

2403

"key": "A String", # Required. A 128/192/256 bit key.

2404

},

2405

"transient": { # Use this to have a random data crypto key generated. # Transient crypto key

2406

# It will be discarded after the request finishes.

2407

"name": "A String", # Required. Name of the key.

2408

# This is an arbitrary string used to differentiate different keys.

2409

# A unique key is generated per name: two separate `TransientCryptoKey`

2410

# protos share the same generated key if their names are the same.

2411

# When the data crypto key is generated, this name is not used in any way

2412

# (repeating the api call will result in a different key being generated).

},

},

},

"cryptoReplaceFfxFpeConfig": { # Replaces an identifier with a surrogate using Format Preserving Encryption # Ffx-Fpe

2417

# (FPE) with the FFX mode of operation; however when used in the

2418

# `ReidentifyContent` API method, it serves the opposite function by reversing

2419

# the surrogate back into the original identifier. The identifier must be

2420

# encoded as ASCII. For a given crypto key and context, the same identifier

2421

# will be replaced with the same surrogate. Identifiers must be at least two

2422

# characters long. In the case that the identifier is the empty string, it will

2423

# be skipped. See https://cloud.google.com/dlp/docs/pseudonymization to learn

2424

# more.

2425

#

2426

# Note: We recommend using CryptoDeterministicConfig for all use cases which

2427

# do not require preserving the input alphabet space and size, plus warrant

2428

# referential integrity.

2429

"customAlphabet": "A String", # This is supported by mapping these to the alphanumeric characters

2430

# that the FFX mode natively supports. This happens before/after

2431

# encryption/decryption.

2432

# Each character listed must appear only once.

2433

# Number of characters must be in the range [2, 95].

2434

# This must be encoded as ASCII.

2435

# The order of characters does not matter.

2436

"commonAlphabet": "A String", # Common alphabets.

2437

"surrogateInfoType": { # Type of information detected by the API. # The custom infoType to annotate the surrogate with.

2438

# This annotation will be applied to the surrogate by prefixing it with

2439

# the name of the custom infoType followed by the number of

2440

# characters comprising the surrogate. The following scheme defines the

2441

# format: info_type_name(surrogate_character_count):surrogate

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

2442

#

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

2443

# For example, if the name of custom infoType is 'MY_TOKEN_INFO_TYPE' and

2444

# the surrogate is 'abc', the full replacement value

2445

# will be: 'MY_TOKEN_INFO_TYPE(3):abc'

2446

#

2447

# This annotation identifies the surrogate when inspecting content using the

2448

# custom infoType

2449

# [`SurrogateType`](/dlp/docs/reference/rest/v2/InspectConfig#surrogatetype).

2450

# This facilitates reversal of the surrogate when it occurs in free text.

2451

#

2452

# In order for inspection to work properly, the name of this infoType must

2453

# not occur naturally anywhere in your data; otherwise, inspection may

2454

# find a surrogate that does not correspond to an actual identifier.

2455

# Therefore, choose your custom infoType name carefully after considering

2456

# what your data looks like. One way to select a name that has a high chance

2457

# of yielding reliable detection is to include one or more unicode characters

2458

# that are highly improbable to exist in your data.

2459

# For example, assuming your data is entered from a regular ASCII keyboard,

2460

# the symbol with the hex code point 29DD might be used like so:

2461

# ⧝MY_TOKEN_TYPE

2462

"name": "A String", # Name of the information type. Either a name of your choosing when

2463

# creating a CustomInfoType, or one of the names listed

2464

# at https://cloud.google.com/dlp/docs/infotypes-reference when specifying

2465

# a built-in type. InfoType names should conform to the pattern

2466

# `[a-zA-Z0-9_]{1,64}`.

2467

},

2468

"context": { # General identifier of a data field in a storage service. # The 'tweak', a context may be used for higher security since the same

2469

# identifier in two different contexts won't be given the same surrogate. If

2470

# the context is not set, a default tweak will be used.

2471

#

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

2472

# If the context is set but:

2473

#

2474

# 1. there is no record present when transforming a given value or

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

2475

# 1. the field is not present when transforming a given value,

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

2476

#

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

2477

# a default tweak will be used.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

2478

#

2479

# Note that case (1) is expected when an `InfoTypeTransformation` is

2480

# applied to both structured and non-structured `ContentItem`s.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

2481

# Currently, the referenced field may be of value type integer or string.

2482

#

2483

# The tweak is constructed as a sequence of bytes in big endian byte order

2484

# such that:

2485

#

2486

# - a 64 bit integer is encoded followed by a single byte of value 1

2487

# - a string is encoded in UTF-8 format followed by a single byte of value 2

2488

"name": "A String", # Name describing the field.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

2489

},

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

2490

"radix": 42, # The native way to select the alphabet. Must be in the range [2, 95].

2491

"cryptoKey": { # This is a data encryption key (DEK) (as opposed to # Required. The key used by the encryption algorithm.

2492

# a key encryption key (KEK) stored by KMS).

2493

# When using KMS to wrap/unwrap DEKs, be sure to set an appropriate

2494

# IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot

2495

# unwrap the data crypto key.

2496

"kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key

2497

# The wrapped key must be a 128/192/256 bit key.

2498

# Authorization requires the following IAM permissions when sending a request

2499

# to perform a crypto transformation using a kms-wrapped crypto key:

2500

# dlp.kms.encrypt

2501

"wrappedKey": "A String", # Required. The wrapped data crypto key.

2502

"cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.

2503

},

2504

"unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key

2505

# leaking the key. Choose another type of key if possible.

2506

"key": "A String", # Required. A 128/192/256 bit key.

2507

},

2508

"transient": { # Use this to have a random data crypto key generated. # Transient crypto key

2509

# It will be discarded after the request finishes.

2510

"name": "A String", # Required. Name of the key.

2511

# This is an arbitrary string used to differentiate different keys.

2512

# A unique key is generated per name: two separate `TransientCryptoKey`

2513

# protos share the same generated key if their names are the same.

2514

# When the data crypto key is generated, this name is not used in any way

2515

# (repeating the api call will result in a different key being generated).

},

},

},

"cryptoDeterministicConfig": { # Pseudonymization method that generates deterministic encryption for the given # Deterministic Crypto

2520

# input. Outputs a base64 encoded representation of the encrypted output.

2521

# Uses AES-SIV based on the RFC https://tools.ietf.org/html/rfc5297.

2522

"surrogateInfoType": { # Type of information detected by the API. # The custom info type to annotate the surrogate with.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

2523

# This annotation will be applied to the surrogate by prefixing it with

2524

# the name of the custom info type followed by the number of

2525

# characters comprising the surrogate. The following scheme defines the

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

2526

# format: {info type name}({surrogate character count}):{surrogate}

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

2527

#

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

2528

# For example, if the name of custom info type is 'MY_TOKEN_INFO_TYPE' and

2529

# the surrogate is 'abc', the full replacement value

2530

# will be: 'MY_TOKEN_INFO_TYPE(3):abc'

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

2531

#

2532

# This annotation identifies the surrogate when inspecting content using the

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

2533

# custom info type 'Surrogate'. This facilitates reversal of the

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

2534

# surrogate when it occurs in free text.

2535

#

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

2536

# Note: For record transformations where the entire cell in a table is being

2537

# transformed, surrogates are not mandatory. Surrogates are used to denote

2538

# the location of the token and are necessary for re-identification in free

2539

# form text.

2540

#

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

2541

# In order for inspection to work properly, the name of this info type must

2542

# not occur naturally anywhere in your data; otherwise, inspection may either

2543

#

2544

# - reverse a surrogate that does not correspond to an actual identifier

2545

# - be unable to parse the surrogate and result in an error

2546

#

2547

# Therefore, choose your custom info type name carefully after considering

2548

# what your data looks like. One way to select a name that has a high chance

2549

# of yielding reliable detection is to include one or more unicode characters

2550

# that are highly improbable to exist in your data.

2551

# For example, assuming your data is entered from a regular ASCII keyboard,

2552

# the symbol with the hex code point 29DD might be used like so:

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

2553

# ⧝MY_TOKEN_TYPE.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

2554

"name": "A String", # Name of the information type. Either a name of your choosing when

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

2555

# creating a CustomInfoType, or one of the names listed

2556

# at https://cloud.google.com/dlp/docs/infotypes-reference when specifying

2557

# a built-in type. InfoType names should conform to the pattern

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

2558

# `[a-zA-Z0-9_]{1,64}`.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

2559

},

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

2560

"context": { # General identifier of a data field in a storage service. # A context may be used for higher security and maintaining

2561

# referential integrity such that the same identifier in two different

2562

# contexts will be given a distinct surrogate. The context is appended to

2563

# plaintext value being encrypted. On decryption the provided context is

2564

# validated against the value used during encryption. If a context was

2565

# provided during encryption, same context must be provided during decryption

2566

# as well.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

2567

#

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

2568

# If the context is not set, plaintext would be used as is for encryption.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

2569

# If the context is set but:

2570

#

2571

# 1. there is no record present when transforming a given value or

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

2572

# 2. the field is not present when transforming a given value,

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

2573

#

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

2574

# plaintext would be used as is for encryption.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

2575

#

2576

# Note that case (1) is expected when an `InfoTypeTransformation` is

2577

# applied to both structured and non-structured `ContentItem`s.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

2578

"name": "A String", # Name describing the field.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

2579

},

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

2580

"cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the encryption function.

2581

# a key encryption key (KEK) stored by KMS).

2582

# When using KMS to wrap/unwrap DEKs, be sure to set an appropriate

2583

# IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot

2584

# unwrap the data crypto key.

2585

"kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key

2586

# The wrapped key must be a 128/192/256 bit key.

2587

# Authorization requires the following IAM permissions when sending a request

2588

# to perform a crypto transformation using a kms-wrapped crypto key:

2589

# dlp.kms.encrypt

2590

"wrappedKey": "A String", # Required. The wrapped data crypto key.

2591

"cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.

2592

},

2593

"unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key

2594

# leaking the key. Choose another type of key if possible.

2595

"key": "A String", # Required. A 128/192/256 bit key.

2596

},

2597

"transient": { # Use this to have a random data crypto key generated. # Transient crypto key

2598

# It will be discarded after the request finishes.

2599

"name": "A String", # Required. Name of the key.

2600

# This is an arbitrary string used to differentiate different keys.

2601

# A unique key is generated per name: two separate `TransientCryptoKey`

2602

# protos share the same generated key if their names are the same.

2603

# When the data crypto key is generated, this name is not used in any way

2604

# (repeating the api call will result in a different key being generated).

2605

},

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

2606

},

2607

},

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

2608

"redactConfig": { # Redact a given value. For example, if used with an `InfoTypeTransformation` # Redact

2609

# transforming PHONE_NUMBER, and input 'My phone number is 206-555-0123', the

2610

# output would be 'My phone number is '.

2611

},

2612

"bucketingConfig": { # Generalization function that buckets values based on ranges. The ranges and # Bucketing

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

2613

# replacement values are dynamically provided by the user for custom behavior,

2614

# such as 1-30 -> LOW 31-65 -> MEDIUM 66-100 -> HIGH

2615

# This can be used on

2616

# data of type: number, long, string, timestamp.

2617

# If the bound `Value` type differs from the type of data being transformed, we

2618

# will first attempt converting the type of the data to be transformed to match

2619

# the type of the bound before comparing.

2620

# See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

2621

"buckets": [ # Set of buckets. Ranges must be non-overlapping.

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

2622

{ # Bucket is represented as a range, along with replacement values.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

2623

"min": { # Set of primitive values supported by the system. # Lower bound of the range, inclusive. Type should be the same as max if

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

2624

# used.

2625

# Note that for the purposes of inspection or transformation, the number

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

2626

# of bytes considered to comprise a 'Value' is based on its representation

2627

# as a UTF-8 encoded string. For example, if 'integer_value' is set to

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

2628

# 123456789, the number of bytes would be counted as 9, even though an

2629

# int64 only holds up to 8 bytes of data.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

2630

"booleanValue": True or False, # boolean

2631

"floatValue": 3.14, # float

2632

"dayOfWeekValue": "A String", # day of week

2633

"timestampValue": "A String", # timestamp

2634

"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

2635

# and time zone are either specified elsewhere or are not significant. The date

2636

# is relative to the Proleptic Gregorian Calendar. This can represent:

2637

#

2638

# * A full date, with non-zero year, month and day values

2639

# * A month and day value, with a zero year, e.g. an anniversary

2640

# * A year on its own, with zero month and day values

2641

# * A year and month value, with a zero day, e.g. a credit card expiration date

2642

#

2643

# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

2644

"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without

2645

# a year.

2646

"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

2647

# month and day.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

2648

"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

2649

# if specifying a year by itself or a year and month where the day is not

2650

# significant.

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

2651

},

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

2652

"stringValue": "A String", # string

2653

"integerValue": "A String", # integer

2654

"timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day

2655

# or are specified elsewhere. An API may choose to allow leap seconds. Related

2656

# types are google.type.Date and `google.protobuf.Timestamp`.

2657

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may

2658

# allow the value 60 if it allows leap-seconds.

2659

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

2660

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose

2661

# to allow the value "24:00:00" for scenarios like business closing time.

2662

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

2663

},

2664

},

2665

"max": { # Set of primitive values supported by the system. # Upper bound of the range, exclusive; type must match min.

2666

# Note that for the purposes of inspection or transformation, the number

2667

# of bytes considered to comprise a 'Value' is based on its representation

2668

# as a UTF-8 encoded string. For example, if 'integer_value' is set to

2669

# 123456789, the number of bytes would be counted as 9, even though an

2670

# int64 only holds up to 8 bytes of data.

2671

"booleanValue": True or False, # boolean

2672

"floatValue": 3.14, # float

2673

"dayOfWeekValue": "A String", # day of week

2674

"timestampValue": "A String", # timestamp

2675

"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date

2676

# and time zone are either specified elsewhere or are not significant. The date

2677

# is relative to the Proleptic Gregorian Calendar. This can represent:

2678

#

2679

# * A full date, with non-zero year, month and day values

2680

# * A month and day value, with a zero year, e.g. an anniversary

2681

# * A year on its own, with zero month and day values

2682

# * A year and month value, with a zero day, e.g. a credit card expiration date

2683

#

2684

# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.

2685

"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without

2686

# a year.

2687

"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a

2688

# month and day.

2689

"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0

2690

# if specifying a year by itself or a year and month where the day is not

2691

# significant.

2692

},

2693

"stringValue": "A String", # string

2694

"integerValue": "A String", # integer

2695

"timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day

2696

# or are specified elsewhere. An API may choose to allow leap seconds. Related

2697

# types are google.type.Date and `google.protobuf.Timestamp`.

2698

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may

2699

# allow the value 60 if it allows leap-seconds.

2700

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

2701

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose

2702

# to allow the value "24:00:00" for scenarios like business closing time.

2703

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

2704

},

2705

},

2706

"replacementValue": { # Set of primitive values supported by the system. # Replacement value for this bucket. If not provided

2707

# the default behavior will be to hyphenate the min-max range.

2708

# Note that for the purposes of inspection or transformation, the number

2709

# of bytes considered to comprise a 'Value' is based on its representation

2710

# as a UTF-8 encoded string. For example, if 'integer_value' is set to

2711

# 123456789, the number of bytes would be counted as 9, even though an

2712

# int64 only holds up to 8 bytes of data.

2713

"booleanValue": True or False, # boolean

2714

"floatValue": 3.14, # float

2715

"dayOfWeekValue": "A String", # day of week

2716

"timestampValue": "A String", # timestamp

2717

"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date

2718

# and time zone are either specified elsewhere or are not significant. The date

2719

# is relative to the Proleptic Gregorian Calendar. This can represent:

2720

#

2721

# * A full date, with non-zero year, month and day values

2722

# * A month and day value, with a zero year, e.g. an anniversary

2723

# * A year on its own, with zero month and day values

2724

# * A year and month value, with a zero day, e.g. a credit card expiration date

2725

#

2726

# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.

2727

"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without

2728

# a year.

2729

"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a

2730

# month and day.

2731

"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0

2732

# if specifying a year by itself or a year and month where the day is not

2733

# significant.

2734

},

2735

"stringValue": "A String", # string

2736

"integerValue": "A String", # integer

2737

"timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day

2738

# or are specified elsewhere. An API may choose to allow leap seconds. Related

2739

# types are google.type.Date and `google.protobuf.Timestamp`.

2740

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may

2741

# allow the value 60 if it allows leap-seconds.

2742

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

2743

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose

2744

# to allow the value "24:00:00" for scenarios like business closing time.

2745

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

2746

},

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

},

},

],

},

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

2751

"replaceConfig": { # Replace each input value with a given `Value`. # Replace

2752

"newValue": { # Set of primitive values supported by the system. # Value to replace it with.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

2753

# Note that for the purposes of inspection or transformation, the number

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

2754

# of bytes considered to comprise a 'Value' is based on its representation

2755

# as a UTF-8 encoded string. For example, if 'integer_value' is set to

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

2756

# 123456789, the number of bytes would be counted as 9, even though an

2757

# int64 only holds up to 8 bytes of data.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

2758

"booleanValue": True or False, # boolean

2759

"floatValue": 3.14, # float

2760

"dayOfWeekValue": "A String", # day of week

2761

"timestampValue": "A String", # timestamp

2762

"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

2763

# and time zone are either specified elsewhere or are not significant. The date

2764

# is relative to the Proleptic Gregorian Calendar. This can represent:

2765

#

2766

# * A full date, with non-zero year, month and day values

2767

# * A month and day value, with a zero year, e.g. an anniversary

2768

# * A year on its own, with zero month and day values

2769

# * A year and month value, with a zero day, e.g. a credit card expiration date

2770

#

2771

# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

2772

"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without

2773

# a year.

2774

"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

2775

# month and day.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

2776

"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

2777

# if specifying a year by itself or a year and month where the day is not

2778

# significant.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

2779

},

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

2780

"stringValue": "A String", # string

2781

"integerValue": "A String", # integer

2782

"timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day

2783

# or are specified elsewhere. An API may choose to allow leap seconds. Related

2784

# types are google.type.Date and `google.protobuf.Timestamp`.

2785

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may

2786

# allow the value 60 if it allows leap-seconds.

2787

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

2788

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose

2789

# to allow the value "24:00:00" for scenarios like business closing time.

2790

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

},

},

},

"characterMaskConfig": { # Partially mask a string by replacing a given number of characters with a # Mask

2795

# fixed character. Masking can start from the beginning or end of the string.

2796

# This can be used on data of any type (numbers, longs, and so on) and when

2797

# de-identifying structured data we'll attempt to preserve the original data's

2798

# type. (This allows you to take a long like 123 and modify it to a string like

2799

# **3.

2800

"reverseOrder": True or False, # Mask characters in reverse order. For example, if `masking_character` is

2801

# `0`, `number_to_mask` is `14`, and `reverse_order` is `false`, then the

2802

# input string `1234-5678-9012-3456` is masked as `00000000000000-3456`.

2803

# If `masking_character` is `*`, `number_to_mask` is `3`, and `reverse_order`

2804

# is `true`, then the string `12345` is masked as `12***`.

2805

"charactersToIgnore": [ # When masking a string, items in this list will be skipped when replacing

2806

# characters. For example, if the input string is `555-555-5555` and you

2807

# instruct Cloud DLP to skip `-` and mask 5 characters with `*`, Cloud DLP

2808

# returns `***-**5-5555`.

2809

{ # Characters to skip when doing deidentification of a value. These will be left

2810

# alone and skipped.

2811

"charactersToSkip": "A String", # Characters to not transform when masking.

2812

"commonCharactersToIgnore": "A String", # Common characters to not transform when masking. Useful to avoid removing

# punctuation.

},

],

"numberToMask": 42, # Number of characters to mask. If not set, all matching chars will be

2817

# masked. Skipped characters do not count towards this tally.

2818

"maskingCharacter": "A String", # Character to use to mask the sensitive values&mdash;for example, `*` for an

2819

# alphabetic string such as a name, or `0` for a numeric string such as ZIP

2820

# code or credit card number. This string must have a length of 1. If not

2821

# supplied, this value defaults to `*` for strings, and `0` for digits.

2822

},

2823

"fixedSizeBucketingConfig": { # Buckets values based on fixed size ranges. The # Fixed size bucketing

2824

# Bucketing transformation can provide all of this functionality,

2825

# but requires more configuration. This message is provided as a convenience to

2826

# the user for simple bucketing strategies.

2827

#

2828

# The transformed value will be a hyphenated string of

2829

# {lower_bound}-{upper_bound}, i.e if lower_bound = 10 and upper_bound = 20

2830

# all values that are within this bucket will be replaced with "10-20".

2831

#

2832

# This can be used on data of type: double, long.

2833

#

2834

# If the bound Value type differs from the type of data

2835

# being transformed, we will first attempt converting the type of the data to

2836

# be transformed to match the type of the bound before comparing.

2837

#

2838

# See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more.

2839

"lowerBound": { # Set of primitive values supported by the system. # Required. Lower bound value of buckets. All values less than `lower_bound` are

2840

# grouped together into a single bucket; for example if `lower_bound` = 10,

2841

# then all values less than 10 are replaced with the value "-10".

2842

# Note that for the purposes of inspection or transformation, the number

2843

# of bytes considered to comprise a 'Value' is based on its representation

2844

# as a UTF-8 encoded string. For example, if 'integer_value' is set to

2845

# 123456789, the number of bytes would be counted as 9, even though an

2846

# int64 only holds up to 8 bytes of data.

2847

"booleanValue": True or False, # boolean

2848

"floatValue": 3.14, # float

2849

"dayOfWeekValue": "A String", # day of week

2850

"timestampValue": "A String", # timestamp

2851

"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date

2852

# and time zone are either specified elsewhere or are not significant. The date

2853

# is relative to the Proleptic Gregorian Calendar. This can represent:

2854

#

2855

# * A full date, with non-zero year, month and day values

2856

# * A month and day value, with a zero year, e.g. an anniversary

2857

# * A year on its own, with zero month and day values

2858

# * A year and month value, with a zero day, e.g. a credit card expiration date

2859

#

2860

# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.

2861

"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without

2862

# a year.

2863

"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a

2864

# month and day.

2865

"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0

2866

# if specifying a year by itself or a year and month where the day is not

2867

# significant.

2868

},

2869

"stringValue": "A String", # string

2870

"integerValue": "A String", # integer

2871

"timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day

2872

# or are specified elsewhere. An API may choose to allow leap seconds. Related

2873

# types are google.type.Date and `google.protobuf.Timestamp`.

2874

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may

2875

# allow the value 60 if it allows leap-seconds.

2876

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

2877

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose

2878

# to allow the value "24:00:00" for scenarios like business closing time.

2879

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

2880

},

2881

},

2882

"upperBound": { # Set of primitive values supported by the system. # Required. Upper bound value of buckets. All values greater than upper_bound are

2883

# grouped together into a single bucket; for example if `upper_bound` = 89,

2884

# then all values greater than 89 are replaced with the value "89+".

2885

# Note that for the purposes of inspection or transformation, the number

2886

# of bytes considered to comprise a 'Value' is based on its representation

2887

# as a UTF-8 encoded string. For example, if 'integer_value' is set to

2888

# 123456789, the number of bytes would be counted as 9, even though an

2889

# int64 only holds up to 8 bytes of data.

2890

"booleanValue": True or False, # boolean

2891

"floatValue": 3.14, # float

2892

"dayOfWeekValue": "A String", # day of week

2893

"timestampValue": "A String", # timestamp

2894

"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date

2895

# and time zone are either specified elsewhere or are not significant. The date

2896

# is relative to the Proleptic Gregorian Calendar. This can represent:

2897

#

2898

# * A full date, with non-zero year, month and day values

2899

# * A month and day value, with a zero year, e.g. an anniversary

2900

# * A year on its own, with zero month and day values

2901

# * A year and month value, with a zero day, e.g. a credit card expiration date

2902

#

2903

# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.

2904

"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without

2905

# a year.

2906

"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a

2907

# month and day.

2908

"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0

2909

# if specifying a year by itself or a year and month where the day is not

2910

# significant.

2911

},

2912

"stringValue": "A String", # string

2913

"integerValue": "A String", # integer

2914

"timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day

2915

# or are specified elsewhere. An API may choose to allow leap seconds. Related

2916

# types are google.type.Date and `google.protobuf.Timestamp`.

2917

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may

2918

# allow the value 60 if it allows leap-seconds.

2919

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

2920

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose

2921

# to allow the value "24:00:00" for scenarios like business closing time.

2922

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

2923

},

2924

},

2925

"bucketSize": 3.14, # Required. Size of each bucket (except for minimum and maximum buckets). So if

2926

# `lower_bound` = 10, `upper_bound` = 89, and `bucket_size` = 10, then the

2927

# following buckets would be used: -10, 10-20, 20-30, 30-40, 40-50, 50-60,

2928

# 60-70, 70-80, 80-89, 89+. Precision up to 2 decimals works.

},

},

},

],

},

"primitiveTransformation": { # A rule for transforming a value. # Apply the transformation to the entire field.

2935

"timePartConfig": { # For use with `Date`, `Timestamp`, and `TimeOfDay`, extract or preserve a # Time extraction

2936

# portion of the value.

2937

"partToExtract": "A String", # The part of the time to keep.

2938

},

2939

"dateShiftConfig": { # Shifts dates by random number of days, with option to be consistent for the # Date Shift

2940

# same context. See https://cloud.google.com/dlp/docs/concepts-date-shifting

2941

# to learn more.

2942

"context": { # General identifier of a data field in a storage service. # Points to the field that contains the context, for example, an entity id.

2943

# If set, must also set cryptoKey. If set, shift will be consistent for the

2944

# given context.

2945

"name": "A String", # Name describing the field.

2946

},

2947

"upperBoundDays": 42, # Required. Range of shift in days. Actual shift will be selected at random within this

2948

# range (inclusive ends). Negative means shift to earlier in time. Must not

2949

# be more than 365250 days (1000 years) each direction.

2950

#

2951

# For example, 3 means shift date to at most 3 days into the future.

2952

"lowerBoundDays": 42, # Required. For example, -5 means shift date to at most 5 days back in the past.

2953

"cryptoKey": { # This is a data encryption key (DEK) (as opposed to # Causes the shift to be computed based on this key and the context. This

2954

# results in the same shift for the same context and crypto_key. If

2955

# set, must also set context. Can only be applied to table items.

2956

# a key encryption key (KEK) stored by KMS).

2957

# When using KMS to wrap/unwrap DEKs, be sure to set an appropriate

2958

# IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot

2959

# unwrap the data crypto key.

2960

"kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key

2961

# The wrapped key must be a 128/192/256 bit key.

2962

# Authorization requires the following IAM permissions when sending a request

2963

# to perform a crypto transformation using a kms-wrapped crypto key:

2964

# dlp.kms.encrypt

2965

"wrappedKey": "A String", # Required. The wrapped data crypto key.

2966

"cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.

2967

},

2968

"unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key

2969

# leaking the key. Choose another type of key if possible.

2970

"key": "A String", # Required. A 128/192/256 bit key.

2971

},

2972

"transient": { # Use this to have a random data crypto key generated. # Transient crypto key

2973

# It will be discarded after the request finishes.

2974

"name": "A String", # Required. Name of the key.

2975

# This is an arbitrary string used to differentiate different keys.

2976

# A unique key is generated per name: two separate `TransientCryptoKey`

2977

# protos share the same generated key if their names are the same.

2978

# When the data crypto key is generated, this name is not used in any way

2979

# (repeating the api call will result in a different key being generated).

},

},

},

"replaceWithInfoTypeConfig": { # Replace each matching finding with the name of the info_type. # Replace with infotype

2984

},

2985

"cryptoHashConfig": { # Pseudonymization method that generates surrogates via cryptographic hashing. # Crypto

2986

# Uses SHA-256.

2987

# The key size must be either 32 or 64 bytes.

2988

# Outputs a base64 encoded representation of the hashed output

2989

# (for example, L7k0BHmF1ha5U3NfGykjro4xWi1MPVQPjhMAZbSV9mM=).

2990

# Currently, only string and integer values can be hashed.

2991

# See https://cloud.google.com/dlp/docs/pseudonymization to learn more.

2992

"cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the hash function.

2993

# a key encryption key (KEK) stored by KMS).

2994

# When using KMS to wrap/unwrap DEKs, be sure to set an appropriate

2995

# IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot

2996

# unwrap the data crypto key.

2997

"kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key

2998

# The wrapped key must be a 128/192/256 bit key.

2999

# Authorization requires the following IAM permissions when sending a request

3000

# to perform a crypto transformation using a kms-wrapped crypto key:

3001

# dlp.kms.encrypt

3002

"wrappedKey": "A String", # Required. The wrapped data crypto key.

3003

"cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.

3004

},

3005

"unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key

3006

# leaking the key. Choose another type of key if possible.

3007

"key": "A String", # Required. A 128/192/256 bit key.

3008

},

3009

"transient": { # Use this to have a random data crypto key generated. # Transient crypto key

3010

# It will be discarded after the request finishes.

3011

"name": "A String", # Required. Name of the key.

3012

# This is an arbitrary string used to differentiate different keys.

3013

# A unique key is generated per name: two separate `TransientCryptoKey`

3014

# protos share the same generated key if their names are the same.

3015

# When the data crypto key is generated, this name is not used in any way

3016

# (repeating the api call will result in a different key being generated).

},

},

},

"cryptoReplaceFfxFpeConfig": { # Replaces an identifier with a surrogate using Format Preserving Encryption # Ffx-Fpe

3021

# (FPE) with the FFX mode of operation; however when used in the

3022

# `ReidentifyContent` API method, it serves the opposite function by reversing

3023

# the surrogate back into the original identifier. The identifier must be

3024

# encoded as ASCII. For a given crypto key and context, the same identifier

3025

# will be replaced with the same surrogate. Identifiers must be at least two

3026

# characters long. In the case that the identifier is the empty string, it will

3027

# be skipped. See https://cloud.google.com/dlp/docs/pseudonymization to learn

3028

# more.

3029

#

3030

# Note: We recommend using CryptoDeterministicConfig for all use cases which

3031

# do not require preserving the input alphabet space and size, plus warrant

3032

# referential integrity.

3033

"customAlphabet": "A String", # This is supported by mapping these to the alphanumeric characters

3034

# that the FFX mode natively supports. This happens before/after

3035

# encryption/decryption.

3036

# Each character listed must appear only once.

3037

# Number of characters must be in the range [2, 95].

3038

# This must be encoded as ASCII.

3039

# The order of characters does not matter.

3040

"commonAlphabet": "A String", # Common alphabets.

3041

"surrogateInfoType": { # Type of information detected by the API. # The custom infoType to annotate the surrogate with.

3042

# This annotation will be applied to the surrogate by prefixing it with

3043

# the name of the custom infoType followed by the number of

3044

# characters comprising the surrogate. The following scheme defines the

3045

# format: info_type_name(surrogate_character_count):surrogate

3046

#

3047

# For example, if the name of custom infoType is 'MY_TOKEN_INFO_TYPE' and

3048

# the surrogate is 'abc', the full replacement value

3049

# will be: 'MY_TOKEN_INFO_TYPE(3):abc'

3050

#

3051

# This annotation identifies the surrogate when inspecting content using the

3052

# custom infoType

3053

# [`SurrogateType`](/dlp/docs/reference/rest/v2/InspectConfig#surrogatetype).

3054

# This facilitates reversal of the surrogate when it occurs in free text.

3055

#

3056

# In order for inspection to work properly, the name of this infoType must

3057

# not occur naturally anywhere in your data; otherwise, inspection may

3058

# find a surrogate that does not correspond to an actual identifier.

3059

# Therefore, choose your custom infoType name carefully after considering

3060

# what your data looks like. One way to select a name that has a high chance

3061

# of yielding reliable detection is to include one or more unicode characters

3062

# that are highly improbable to exist in your data.

3063

# For example, assuming your data is entered from a regular ASCII keyboard,

3064

# the symbol with the hex code point 29DD might be used like so:

3065

# ⧝MY_TOKEN_TYPE

3066

"name": "A String", # Name of the information type. Either a name of your choosing when

3067

# creating a CustomInfoType, or one of the names listed

3068

# at https://cloud.google.com/dlp/docs/infotypes-reference when specifying

3069

# a built-in type. InfoType names should conform to the pattern

3070

# `[a-zA-Z0-9_]{1,64}`.

3071

},

3072

"context": { # General identifier of a data field in a storage service. # The 'tweak', a context may be used for higher security since the same

3073

# identifier in two different contexts won't be given the same surrogate. If

3074

# the context is not set, a default tweak will be used.

3075

#

3076

# If the context is set but:

3077

#

3078

# 1. there is no record present when transforming a given value or

3079

# 1. the field is not present when transforming a given value,

3080

#

3081

# a default tweak will be used.

3082

#

3083

# Note that case (1) is expected when an `InfoTypeTransformation` is

3084

# applied to both structured and non-structured `ContentItem`s.

3085

# Currently, the referenced field may be of value type integer or string.

3086

#

3087

# The tweak is constructed as a sequence of bytes in big endian byte order

3088

# such that:

3089

#

3090

# - a 64 bit integer is encoded followed by a single byte of value 1

3091

# - a string is encoded in UTF-8 format followed by a single byte of value 2

3092

"name": "A String", # Name describing the field.

3093

},

3094

"radix": 42, # The native way to select the alphabet. Must be in the range [2, 95].

3095

"cryptoKey": { # This is a data encryption key (DEK) (as opposed to # Required. The key used by the encryption algorithm.

3096

# a key encryption key (KEK) stored by KMS).

3097

# When using KMS to wrap/unwrap DEKs, be sure to set an appropriate

3098

# IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot

3099

# unwrap the data crypto key.

3100

"kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key

3101

# The wrapped key must be a 128/192/256 bit key.

3102

# Authorization requires the following IAM permissions when sending a request

3103

# to perform a crypto transformation using a kms-wrapped crypto key:

3104

# dlp.kms.encrypt

3105

"wrappedKey": "A String", # Required. The wrapped data crypto key.

3106

"cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.

3107

},

3108

"unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key

3109

# leaking the key. Choose another type of key if possible.

3110

"key": "A String", # Required. A 128/192/256 bit key.

3111

},

3112

"transient": { # Use this to have a random data crypto key generated. # Transient crypto key

3113

# It will be discarded after the request finishes.

3114

"name": "A String", # Required. Name of the key.

3115

# This is an arbitrary string used to differentiate different keys.

3116

# A unique key is generated per name: two separate `TransientCryptoKey`

3117

# protos share the same generated key if their names are the same.

3118

# When the data crypto key is generated, this name is not used in any way

3119

# (repeating the api call will result in a different key being generated).

},

},

},

"cryptoDeterministicConfig": { # Pseudonymization method that generates deterministic encryption for the given # Deterministic Crypto

3124

# input. Outputs a base64 encoded representation of the encrypted output.

3125

# Uses AES-SIV based on the RFC https://tools.ietf.org/html/rfc5297.

3126

"surrogateInfoType": { # Type of information detected by the API. # The custom info type to annotate the surrogate with.

3127

# This annotation will be applied to the surrogate by prefixing it with

3128

# the name of the custom info type followed by the number of

3129

# characters comprising the surrogate. The following scheme defines the

3130

# format: {info type name}({surrogate character count}):{surrogate}

3131

#

3132

# For example, if the name of custom info type is 'MY_TOKEN_INFO_TYPE' and

3133

# the surrogate is 'abc', the full replacement value

3134

# will be: 'MY_TOKEN_INFO_TYPE(3):abc'

3135

#

3136

# This annotation identifies the surrogate when inspecting content using the

3137

# custom info type 'Surrogate'. This facilitates reversal of the

3138

# surrogate when it occurs in free text.

3139

#

3140

# Note: For record transformations where the entire cell in a table is being

3141

# transformed, surrogates are not mandatory. Surrogates are used to denote

3142

# the location of the token and are necessary for re-identification in free

3143

# form text.

3144

#

3145

# In order for inspection to work properly, the name of this info type must

3146

# not occur naturally anywhere in your data; otherwise, inspection may either

3147

#

3148

# - reverse a surrogate that does not correspond to an actual identifier

3149

# - be unable to parse the surrogate and result in an error

3150

#

3151

# Therefore, choose your custom info type name carefully after considering

3152

# what your data looks like. One way to select a name that has a high chance

3153

# of yielding reliable detection is to include one or more unicode characters

3154

# that are highly improbable to exist in your data.

3155

# For example, assuming your data is entered from a regular ASCII keyboard,

3156

# the symbol with the hex code point 29DD might be used like so:

3157

# ⧝MY_TOKEN_TYPE.

3158

"name": "A String", # Name of the information type. Either a name of your choosing when

3159

# creating a CustomInfoType, or one of the names listed

3160

# at https://cloud.google.com/dlp/docs/infotypes-reference when specifying

3161

# a built-in type. InfoType names should conform to the pattern

3162

# `[a-zA-Z0-9_]{1,64}`.

3163

},

3164

"context": { # General identifier of a data field in a storage service. # A context may be used for higher security and maintaining

3165

# referential integrity such that the same identifier in two different

3166

# contexts will be given a distinct surrogate. The context is appended to

3167

# plaintext value being encrypted. On decryption the provided context is

3168

# validated against the value used during encryption. If a context was

3169

# provided during encryption, same context must be provided during decryption

3170

# as well.

3171

#

3172

# If the context is not set, plaintext would be used as is for encryption.

3173

# If the context is set but:

3174

#

3175

# 1. there is no record present when transforming a given value or

3176

# 2. the field is not present when transforming a given value,

3177

#

3178

# plaintext would be used as is for encryption.

3179

#

3180

# Note that case (1) is expected when an `InfoTypeTransformation` is

3181

# applied to both structured and non-structured `ContentItem`s.

3182

"name": "A String", # Name describing the field.

3183

},

3184

"cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the encryption function.

3185

# a key encryption key (KEK) stored by KMS).

3186

# When using KMS to wrap/unwrap DEKs, be sure to set an appropriate

3187

# IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot

3188

# unwrap the data crypto key.

3189

"kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key

3190

# The wrapped key must be a 128/192/256 bit key.

3191

# Authorization requires the following IAM permissions when sending a request

3192

# to perform a crypto transformation using a kms-wrapped crypto key:

3193

# dlp.kms.encrypt

3194

"wrappedKey": "A String", # Required. The wrapped data crypto key.

3195

"cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.

3196

},

3197

"unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key

3198

# leaking the key. Choose another type of key if possible.

3199

"key": "A String", # Required. A 128/192/256 bit key.

3200

},

3201

"transient": { # Use this to have a random data crypto key generated. # Transient crypto key

3202

# It will be discarded after the request finishes.

3203

"name": "A String", # Required. Name of the key.

3204

# This is an arbitrary string used to differentiate different keys.

3205

# A unique key is generated per name: two separate `TransientCryptoKey`

3206

# protos share the same generated key if their names are the same.

3207

# When the data crypto key is generated, this name is not used in any way

3208

# (repeating the api call will result in a different key being generated).

},

},

},

"redactConfig": { # Redact a given value. For example, if used with an `InfoTypeTransformation` # Redact

3213

# transforming PHONE_NUMBER, and input 'My phone number is 206-555-0123', the

3214

# output would be 'My phone number is '.

3215

},

3216

"bucketingConfig": { # Generalization function that buckets values based on ranges. The ranges and # Bucketing

3217

# replacement values are dynamically provided by the user for custom behavior,

3218

# such as 1-30 -> LOW 31-65 -> MEDIUM 66-100 -> HIGH

3219

# This can be used on

3220

# data of type: number, long, string, timestamp.

3221

# If the bound `Value` type differs from the type of data being transformed, we

3222

# will first attempt converting the type of the data to be transformed to match

3223

# the type of the bound before comparing.

3224

# See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more.

3225

"buckets": [ # Set of buckets. Ranges must be non-overlapping.

3226

{ # Bucket is represented as a range, along with replacement values.

3227

"min": { # Set of primitive values supported by the system. # Lower bound of the range, inclusive. Type should be the same as max if

3228

# used.

3229

# Note that for the purposes of inspection or transformation, the number

3230

# of bytes considered to comprise a 'Value' is based on its representation

3231

# as a UTF-8 encoded string. For example, if 'integer_value' is set to

3232

# 123456789, the number of bytes would be counted as 9, even though an

3233

# int64 only holds up to 8 bytes of data.

3234

"booleanValue": True or False, # boolean

3235

"floatValue": 3.14, # float

3236

"dayOfWeekValue": "A String", # day of week

3237

"timestampValue": "A String", # timestamp

3238

"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date

3239

# and time zone are either specified elsewhere or are not significant. The date

3240

# is relative to the Proleptic Gregorian Calendar. This can represent:

3241

#

3242

# * A full date, with non-zero year, month and day values

3243

# * A month and day value, with a zero year, e.g. an anniversary

3244

# * A year on its own, with zero month and day values

3245

# * A year and month value, with a zero day, e.g. a credit card expiration date

3246

#

3247

# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.

3248

"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without

3249

# a year.

3250

"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a

3251

# month and day.

3252

"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0

3253

# if specifying a year by itself or a year and month where the day is not

3254

# significant.

3255

},

3256

"stringValue": "A String", # string

3257

"integerValue": "A String", # integer

3258

"timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day

3259

# or are specified elsewhere. An API may choose to allow leap seconds. Related

3260

# types are google.type.Date and `google.protobuf.Timestamp`.

3261

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may

3262

# allow the value 60 if it allows leap-seconds.

3263

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

3264

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose

3265

# to allow the value "24:00:00" for scenarios like business closing time.

3266

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

3267

},

3268

},

3269

"max": { # Set of primitive values supported by the system. # Upper bound of the range, exclusive; type must match min.

3270

# Note that for the purposes of inspection or transformation, the number

3271

# of bytes considered to comprise a 'Value' is based on its representation

3272

# as a UTF-8 encoded string. For example, if 'integer_value' is set to

3273

# 123456789, the number of bytes would be counted as 9, even though an

3274

# int64 only holds up to 8 bytes of data.

3275

"booleanValue": True or False, # boolean

3276

"floatValue": 3.14, # float

3277

"dayOfWeekValue": "A String", # day of week

3278

"timestampValue": "A String", # timestamp

3279

"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date

3280

# and time zone are either specified elsewhere or are not significant. The date

3281

# is relative to the Proleptic Gregorian Calendar. This can represent:

3282

#

3283

# * A full date, with non-zero year, month and day values

3284

# * A month and day value, with a zero year, e.g. an anniversary

3285

# * A year on its own, with zero month and day values

3286

# * A year and month value, with a zero day, e.g. a credit card expiration date

3287

#

3288

# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.

3289

"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without

3290

# a year.

3291

"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a

3292

# month and day.

3293

"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0

3294

# if specifying a year by itself or a year and month where the day is not

3295

# significant.

3296

},

3297

"stringValue": "A String", # string

3298

"integerValue": "A String", # integer

3299

"timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day

3300

# or are specified elsewhere. An API may choose to allow leap seconds. Related

3301

# types are google.type.Date and `google.protobuf.Timestamp`.

3302

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may

3303

# allow the value 60 if it allows leap-seconds.

3304

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

3305

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose

3306

# to allow the value "24:00:00" for scenarios like business closing time.

3307

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

3308

},

3309

},

3310

"replacementValue": { # Set of primitive values supported by the system. # Replacement value for this bucket. If not provided

3311

# the default behavior will be to hyphenate the min-max range.

3312

# Note that for the purposes of inspection or transformation, the number

3313

# of bytes considered to comprise a 'Value' is based on its representation

3314

# as a UTF-8 encoded string. For example, if 'integer_value' is set to

3315

# 123456789, the number of bytes would be counted as 9, even though an

3316

# int64 only holds up to 8 bytes of data.

3317

"booleanValue": True or False, # boolean

3318

"floatValue": 3.14, # float

3319

"dayOfWeekValue": "A String", # day of week

3320

"timestampValue": "A String", # timestamp

3321

"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date

3322

# and time zone are either specified elsewhere or are not significant. The date

3323

# is relative to the Proleptic Gregorian Calendar. This can represent:

3324

#

3325

# * A full date, with non-zero year, month and day values

3326

# * A month and day value, with a zero year, e.g. an anniversary

3327

# * A year on its own, with zero month and day values

3328

# * A year and month value, with a zero day, e.g. a credit card expiration date

3329

#

3330

# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.

3331

"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without

3332

# a year.

3333

"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a

3334

# month and day.

3335

"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0

3336

# if specifying a year by itself or a year and month where the day is not

3337

# significant.

3338

},

3339

"stringValue": "A String", # string

3340

"integerValue": "A String", # integer

3341

"timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day

3342

# or are specified elsewhere. An API may choose to allow leap seconds. Related

3343

# types are google.type.Date and `google.protobuf.Timestamp`.

3344

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may

3345

# allow the value 60 if it allows leap-seconds.

3346

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

3347

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose

3348

# to allow the value "24:00:00" for scenarios like business closing time.

3349

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

3350

},

3351

},

3352

},

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

3353

],

3354

},

3355

"replaceConfig": { # Replace each input value with a given `Value`. # Replace

3356

"newValue": { # Set of primitive values supported by the system. # Value to replace it with.

3357

# Note that for the purposes of inspection or transformation, the number

3358

# of bytes considered to comprise a 'Value' is based on its representation

3359

# as a UTF-8 encoded string. For example, if 'integer_value' is set to

3360

# 123456789, the number of bytes would be counted as 9, even though an

3361

# int64 only holds up to 8 bytes of data.

3362

"booleanValue": True or False, # boolean

3363

"floatValue": 3.14, # float

3364

"dayOfWeekValue": "A String", # day of week

3365

"timestampValue": "A String", # timestamp

3366

"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date

3367

# and time zone are either specified elsewhere or are not significant. The date

3368

# is relative to the Proleptic Gregorian Calendar. This can represent:

3369

#

3370

# * A full date, with non-zero year, month and day values

3371

# * A month and day value, with a zero year, e.g. an anniversary

3372

# * A year on its own, with zero month and day values

3373

# * A year and month value, with a zero day, e.g. a credit card expiration date

3374

#

3375

# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.

3376

"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without

3377

# a year.

3378

"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a

3379

# month and day.

3380

"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0

3381

# if specifying a year by itself or a year and month where the day is not

3382

# significant.

3383

},

3384

"stringValue": "A String", # string

3385

"integerValue": "A String", # integer

3386

"timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day

3387

# or are specified elsewhere. An API may choose to allow leap seconds. Related

3388

# types are google.type.Date and `google.protobuf.Timestamp`.

3389

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may

3390

# allow the value 60 if it allows leap-seconds.

3391

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

3392

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose

3393

# to allow the value "24:00:00" for scenarios like business closing time.

3394

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

},

},

},

"characterMaskConfig": { # Partially mask a string by replacing a given number of characters with a # Mask

3399

# fixed character. Masking can start from the beginning or end of the string.

3400

# This can be used on data of any type (numbers, longs, and so on) and when

3401

# de-identifying structured data we'll attempt to preserve the original data's

3402

# type. (This allows you to take a long like 123 and modify it to a string like

3403

# **3.

3404

"reverseOrder": True or False, # Mask characters in reverse order. For example, if `masking_character` is

3405

# `0`, `number_to_mask` is `14`, and `reverse_order` is `false`, then the

3406

# input string `1234-5678-9012-3456` is masked as `00000000000000-3456`.

3407

# If `masking_character` is `*`, `number_to_mask` is `3`, and `reverse_order`

3408

# is `true`, then the string `12345` is masked as `12***`.

3409

"charactersToIgnore": [ # When masking a string, items in this list will be skipped when replacing

3410

# characters. For example, if the input string is `555-555-5555` and you

3411

# instruct Cloud DLP to skip `-` and mask 5 characters with `*`, Cloud DLP

3412

# returns `***-**5-5555`.

3413

{ # Characters to skip when doing deidentification of a value. These will be left

3414

# alone and skipped.

3415

"charactersToSkip": "A String", # Characters to not transform when masking.

3416

"commonCharactersToIgnore": "A String", # Common characters to not transform when masking. Useful to avoid removing

# punctuation.

},

],

"numberToMask": 42, # Number of characters to mask. If not set, all matching chars will be

3421

# masked. Skipped characters do not count towards this tally.

3422

"maskingCharacter": "A String", # Character to use to mask the sensitive values&mdash;for example, `*` for an

3423

# alphabetic string such as a name, or `0` for a numeric string such as ZIP

3424

# code or credit card number. This string must have a length of 1. If not

3425

# supplied, this value defaults to `*` for strings, and `0` for digits.

3426

},

3427

"fixedSizeBucketingConfig": { # Buckets values based on fixed size ranges. The # Fixed size bucketing

3428

# Bucketing transformation can provide all of this functionality,

3429

# but requires more configuration. This message is provided as a convenience to

3430

# the user for simple bucketing strategies.

3431

#

3432

# The transformed value will be a hyphenated string of

3433

# {lower_bound}-{upper_bound}, i.e if lower_bound = 10 and upper_bound = 20

3434

# all values that are within this bucket will be replaced with "10-20".

3435

#

3436

# This can be used on data of type: double, long.

3437

#

3438

# If the bound Value type differs from the type of data

3439

# being transformed, we will first attempt converting the type of the data to

3440

# be transformed to match the type of the bound before comparing.

3441

#

3442

# See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more.

3443

"lowerBound": { # Set of primitive values supported by the system. # Required. Lower bound value of buckets. All values less than `lower_bound` are

3444

# grouped together into a single bucket; for example if `lower_bound` = 10,

3445

# then all values less than 10 are replaced with the value "-10".

3446

# Note that for the purposes of inspection or transformation, the number

3447

# of bytes considered to comprise a 'Value' is based on its representation

3448

# as a UTF-8 encoded string. For example, if 'integer_value' is set to

3449

# 123456789, the number of bytes would be counted as 9, even though an

3450

# int64 only holds up to 8 bytes of data.

3451

"booleanValue": True or False, # boolean

3452

"floatValue": 3.14, # float

3453

"dayOfWeekValue": "A String", # day of week

3454

"timestampValue": "A String", # timestamp

3455

"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date

3456

# and time zone are either specified elsewhere or are not significant. The date

3457

# is relative to the Proleptic Gregorian Calendar. This can represent:

3458

#

3459

# * A full date, with non-zero year, month and day values

3460

# * A month and day value, with a zero year, e.g. an anniversary

3461

# * A year on its own, with zero month and day values

3462

# * A year and month value, with a zero day, e.g. a credit card expiration date

3463

#

3464

# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.

3465

"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without

3466

# a year.

3467

"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a

3468

# month and day.

3469

"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0

3470

# if specifying a year by itself or a year and month where the day is not

3471

# significant.

3472

},

3473

"stringValue": "A String", # string

3474

"integerValue": "A String", # integer

3475

"timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day

3476

# or are specified elsewhere. An API may choose to allow leap seconds. Related

3477

# types are google.type.Date and `google.protobuf.Timestamp`.

3478

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may

3479

# allow the value 60 if it allows leap-seconds.

3480

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

3481

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose

3482

# to allow the value "24:00:00" for scenarios like business closing time.

3483

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

3484

},

3485

},

3486

"upperBound": { # Set of primitive values supported by the system. # Required. Upper bound value of buckets. All values greater than upper_bound are

3487

# grouped together into a single bucket; for example if `upper_bound` = 89,

3488

# then all values greater than 89 are replaced with the value "89+".

3489

# Note that for the purposes of inspection or transformation, the number

3490

# of bytes considered to comprise a 'Value' is based on its representation

3491

# as a UTF-8 encoded string. For example, if 'integer_value' is set to

3492

# 123456789, the number of bytes would be counted as 9, even though an

3493

# int64 only holds up to 8 bytes of data.

3494

"booleanValue": True or False, # boolean

3495

"floatValue": 3.14, # float

3496

"dayOfWeekValue": "A String", # day of week

3497

"timestampValue": "A String", # timestamp

3498

"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date

3499

# and time zone are either specified elsewhere or are not significant. The date

3500

# is relative to the Proleptic Gregorian Calendar. This can represent:

3501

#

3502

# * A full date, with non-zero year, month and day values

3503

# * A month and day value, with a zero year, e.g. an anniversary

3504

# * A year on its own, with zero month and day values

3505

# * A year and month value, with a zero day, e.g. a credit card expiration date

3506

#

3507

# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.

3508

"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without

3509

# a year.

3510

"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a

3511

# month and day.

3512

"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0

3513

# if specifying a year by itself or a year and month where the day is not

3514

# significant.

3515

},

3516

"stringValue": "A String", # string

3517

"integerValue": "A String", # integer

3518

"timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day

3519

# or are specified elsewhere. An API may choose to allow leap seconds. Related

3520

# types are google.type.Date and `google.protobuf.Timestamp`.

3521

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may

3522

# allow the value 60 if it allows leap-seconds.

3523

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

3524

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose

3525

# to allow the value "24:00:00" for scenarios like business closing time.

3526

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

3527

},

3528

},

3529

"bucketSize": 3.14, # Required. Size of each bucket (except for minimum and maximum buckets). So if

3530

# `lower_bound` = 10, `upper_bound` = 89, and `bucket_size` = 10, then the

3531

# following buckets would be used: -10, 10-20, 20-30, 30-40, 40-50, 50-60,

3532

# 60-70, 70-80, 80-89, 89+. Precision up to 2 decimals works.

3533

},

3534

},

3535

"condition": { # A condition for determining whether a transformation should be applied to # Only apply the transformation if the condition evaluates to true for the

3536

# given `RecordCondition`. The conditions are allowed to reference fields

3537

# that are not used in the actual transformation.

#

# Example Use Cases:

#

# - Apply a different bucket transformation to an age column if the zip code

3542

# column for the same record is within a specific range.

3543

# - Redact a field if the date of birth field is greater than 85.

3544

# a field.

3545

"expressions": { # An expression, consisting or an operator and conditions. # An expression.

3546

"logicalOperator": "A String", # The operator to apply to the result of conditions. Default and currently

3547

# only supported value is `AND`.

3548

"conditions": { # A collection of conditions. # Conditions to apply to the expression.

3549

"conditions": [ # A collection of conditions.

3550

{ # The field type of `value` and `field` do not need to match to be

3551

# considered equal, but not all comparisons are possible.

3552

# EQUAL_TO and NOT_EQUAL_TO attempt to compare even with incompatible types,

3553

# but all other comparisons are invalid with incompatible types.

3554

# A `value` of type:

3555

#

3556

# - `string` can be compared against all other types

3557

# - `boolean` can only be compared against other booleans

3558

# - `integer` can be compared against doubles or a string if the string value

3559

# can be parsed as an integer.

3560

# - `double` can be compared against integers or a string if the string can

3561

# be parsed as a double.

3562

# - `Timestamp` can be compared against strings in RFC 3339 date string

3563

# format.

3564

# - `TimeOfDay` can be compared against timestamps and strings in the format

3565

# of 'HH:mm:ss'.

3566

#

3567

# If we fail to compare do to type mismatch, a warning will be given and

3568

# the condition will evaluate to false.

3569

"field": { # General identifier of a data field in a storage service. # Required. Field within the record this condition is evaluated against.

3570

"name": "A String", # Name describing the field.

3571

},

3572

"operator": "A String", # Required. Operator used to compare the field or infoType to the value.

3573

"value": { # Set of primitive values supported by the system. # Value to compare against. [Mandatory, except for `EXISTS` tests.]

3574

# Note that for the purposes of inspection or transformation, the number

3575

# of bytes considered to comprise a 'Value' is based on its representation

3576

# as a UTF-8 encoded string. For example, if 'integer_value' is set to

3577

# 123456789, the number of bytes would be counted as 9, even though an

3578

# int64 only holds up to 8 bytes of data.

3579

"booleanValue": True or False, # boolean

3580

"floatValue": 3.14, # float

3581

"dayOfWeekValue": "A String", # day of week

3582

"timestampValue": "A String", # timestamp

3583

"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date

3584

# and time zone are either specified elsewhere or are not significant. The date

3585

# is relative to the Proleptic Gregorian Calendar. This can represent:

3586

#

3587

# * A full date, with non-zero year, month and day values

3588

# * A month and day value, with a zero year, e.g. an anniversary

3589

# * A year on its own, with zero month and day values

3590

# * A year and month value, with a zero day, e.g. a credit card expiration date

3591

#

3592

# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.

3593

"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without

3594

# a year.

3595

"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a

3596

# month and day.

3597

"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0

3598

# if specifying a year by itself or a year and month where the day is not

3599

# significant.

3600

},

3601

"stringValue": "A String", # string

3602

"integerValue": "A String", # integer

3603

"timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day

3604

# or are specified elsewhere. An API may choose to allow leap seconds. Related

3605

# types are google.type.Date and `google.protobuf.Timestamp`.

3606

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may

3607

# allow the value 60 if it allows leap-seconds.

3608

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

3609

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose

3610

# to allow the value "24:00:00" for scenarios like business closing time.

3611

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

3612

},

3613

},

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

3614

},

3615

],

3616

},

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

3617

},

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

3618

},

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

3619

},

3620

],

3621

},

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

3622

"infoTypeTransformations": { # A type of transformation that will scan unstructured text and # Treat the dataset as free-form text and apply the same free text

3623

# transformation everywhere.

3624

# apply various `PrimitiveTransformation`s to each finding, where the

3625

# transformation is applied to only values that were identified as a specific

3626

# info_type.

3627

"transformations": [ # Required. Transformation for each infoType. Cannot specify more than one

3628

# for a given infoType.

3629

{ # A transformation to apply to text that is identified as a specific

3630

# info_type.

3631

"infoTypes": [ # InfoTypes to apply the transformation to. An empty list will cause

3632

# this transformation to apply to all findings that correspond to

3633

# infoTypes that were requested in `InspectConfig`.

3634

{ # Type of information detected by the API.

3635

"name": "A String", # Name of the information type. Either a name of your choosing when

3636

# creating a CustomInfoType, or one of the names listed

3637

# at https://cloud.google.com/dlp/docs/infotypes-reference when specifying

3638

# a built-in type. InfoType names should conform to the pattern

3639

# `[a-zA-Z0-9_]{1,64}`.

3640

},

3641

],

3642

"primitiveTransformation": { # A rule for transforming a value. # Required. Primitive transformation to apply to the infoType.

3643

"timePartConfig": { # For use with `Date`, `Timestamp`, and `TimeOfDay`, extract or preserve a # Time extraction

3644

# portion of the value.

3645

"partToExtract": "A String", # The part of the time to keep.

3646

},

3647

"dateShiftConfig": { # Shifts dates by random number of days, with option to be consistent for the # Date Shift

3648

# same context. See https://cloud.google.com/dlp/docs/concepts-date-shifting

3649

# to learn more.

3650

"context": { # General identifier of a data field in a storage service. # Points to the field that contains the context, for example, an entity id.

3651

# If set, must also set cryptoKey. If set, shift will be consistent for the

3652

# given context.

3653

"name": "A String", # Name describing the field.

3654

},

3655

"upperBoundDays": 42, # Required. Range of shift in days. Actual shift will be selected at random within this

3656

# range (inclusive ends). Negative means shift to earlier in time. Must not

3657

# be more than 365250 days (1000 years) each direction.

3658

#

3659

# For example, 3 means shift date to at most 3 days into the future.

3660

"lowerBoundDays": 42, # Required. For example, -5 means shift date to at most 5 days back in the past.

3661

"cryptoKey": { # This is a data encryption key (DEK) (as opposed to # Causes the shift to be computed based on this key and the context. This

3662

# results in the same shift for the same context and crypto_key. If

3663

# set, must also set context. Can only be applied to table items.

3664

# a key encryption key (KEK) stored by KMS).

3665

# When using KMS to wrap/unwrap DEKs, be sure to set an appropriate

3666

# IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot

3667

# unwrap the data crypto key.

3668

"kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key

3669

# The wrapped key must be a 128/192/256 bit key.

3670

# Authorization requires the following IAM permissions when sending a request

3671

# to perform a crypto transformation using a kms-wrapped crypto key:

3672

# dlp.kms.encrypt

3673

"wrappedKey": "A String", # Required. The wrapped data crypto key.

3674

"cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.

3675

},

3676

"unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key

3677

# leaking the key. Choose another type of key if possible.

3678

"key": "A String", # Required. A 128/192/256 bit key.

3679

},

3680

"transient": { # Use this to have a random data crypto key generated. # Transient crypto key

3681

# It will be discarded after the request finishes.

3682

"name": "A String", # Required. Name of the key.

3683

# This is an arbitrary string used to differentiate different keys.

3684

# A unique key is generated per name: two separate `TransientCryptoKey`

3685

# protos share the same generated key if their names are the same.

3686

# When the data crypto key is generated, this name is not used in any way

3687

# (repeating the api call will result in a different key being generated).

},

},

},

"replaceWithInfoTypeConfig": { # Replace each matching finding with the name of the info_type. # Replace with infotype

3692

},

3693

"cryptoHashConfig": { # Pseudonymization method that generates surrogates via cryptographic hashing. # Crypto

3694

# Uses SHA-256.

3695

# The key size must be either 32 or 64 bytes.

3696

# Outputs a base64 encoded representation of the hashed output

3697

# (for example, L7k0BHmF1ha5U3NfGykjro4xWi1MPVQPjhMAZbSV9mM=).

3698

# Currently, only string and integer values can be hashed.

3699

# See https://cloud.google.com/dlp/docs/pseudonymization to learn more.

3700

"cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the hash function.

3701

# a key encryption key (KEK) stored by KMS).

3702

# When using KMS to wrap/unwrap DEKs, be sure to set an appropriate

3703

# IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot

3704

# unwrap the data crypto key.

3705

"kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key

3706

# The wrapped key must be a 128/192/256 bit key.

3707

# Authorization requires the following IAM permissions when sending a request

3708

# to perform a crypto transformation using a kms-wrapped crypto key:

3709

# dlp.kms.encrypt

3710

"wrappedKey": "A String", # Required. The wrapped data crypto key.

3711

"cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.

3712

},

3713

"unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key

3714

# leaking the key. Choose another type of key if possible.

3715

"key": "A String", # Required. A 128/192/256 bit key.

3716

},

3717

"transient": { # Use this to have a random data crypto key generated. # Transient crypto key

3718

# It will be discarded after the request finishes.

3719

"name": "A String", # Required. Name of the key.

3720

# This is an arbitrary string used to differentiate different keys.

3721

# A unique key is generated per name: two separate `TransientCryptoKey`

3722

# protos share the same generated key if their names are the same.

3723

# When the data crypto key is generated, this name is not used in any way

3724

# (repeating the api call will result in a different key being generated).

},

},

},

"cryptoReplaceFfxFpeConfig": { # Replaces an identifier with a surrogate using Format Preserving Encryption # Ffx-Fpe

3729

# (FPE) with the FFX mode of operation; however when used in the

3730

# `ReidentifyContent` API method, it serves the opposite function by reversing

3731

# the surrogate back into the original identifier. The identifier must be

3732

# encoded as ASCII. For a given crypto key and context, the same identifier

3733

# will be replaced with the same surrogate. Identifiers must be at least two

3734

# characters long. In the case that the identifier is the empty string, it will

3735

# be skipped. See https://cloud.google.com/dlp/docs/pseudonymization to learn

3736

# more.

3737

#

3738

# Note: We recommend using CryptoDeterministicConfig for all use cases which

3739

# do not require preserving the input alphabet space and size, plus warrant

3740

# referential integrity.

3741

"customAlphabet": "A String", # This is supported by mapping these to the alphanumeric characters

3742

# that the FFX mode natively supports. This happens before/after

3743

# encryption/decryption.

3744

# Each character listed must appear only once.

3745

# Number of characters must be in the range [2, 95].

3746

# This must be encoded as ASCII.

3747

# The order of characters does not matter.

3748

"commonAlphabet": "A String", # Common alphabets.

3749

"surrogateInfoType": { # Type of information detected by the API. # The custom infoType to annotate the surrogate with.

3750

# This annotation will be applied to the surrogate by prefixing it with

3751

# the name of the custom infoType followed by the number of

3752

# characters comprising the surrogate. The following scheme defines the

3753

# format: info_type_name(surrogate_character_count):surrogate

3754

#

3755

# For example, if the name of custom infoType is 'MY_TOKEN_INFO_TYPE' and

3756

# the surrogate is 'abc', the full replacement value

3757

# will be: 'MY_TOKEN_INFO_TYPE(3):abc'

3758

#

3759

# This annotation identifies the surrogate when inspecting content using the

3760

# custom infoType

3761

# [`SurrogateType`](/dlp/docs/reference/rest/v2/InspectConfig#surrogatetype).

3762

# This facilitates reversal of the surrogate when it occurs in free text.

3763

#

3764

# In order for inspection to work properly, the name of this infoType must

3765

# not occur naturally anywhere in your data; otherwise, inspection may

3766

# find a surrogate that does not correspond to an actual identifier.

3767

# Therefore, choose your custom infoType name carefully after considering

3768

# what your data looks like. One way to select a name that has a high chance

3769

# of yielding reliable detection is to include one or more unicode characters

3770

# that are highly improbable to exist in your data.

3771

# For example, assuming your data is entered from a regular ASCII keyboard,

3772

# the symbol with the hex code point 29DD might be used like so:

3773

# ⧝MY_TOKEN_TYPE

3774

"name": "A String", # Name of the information type. Either a name of your choosing when

3775

# creating a CustomInfoType, or one of the names listed

3776

# at https://cloud.google.com/dlp/docs/infotypes-reference when specifying

3777

# a built-in type. InfoType names should conform to the pattern

3778

# `[a-zA-Z0-9_]{1,64}`.

3779

},

3780

"context": { # General identifier of a data field in a storage service. # The 'tweak', a context may be used for higher security since the same

3781

# identifier in two different contexts won't be given the same surrogate. If

3782

# the context is not set, a default tweak will be used.

3783

#

3784

# If the context is set but:

3785

#

3786

# 1. there is no record present when transforming a given value or

3787

# 1. the field is not present when transforming a given value,

3788

#

3789

# a default tweak will be used.

3790

#

3791

# Note that case (1) is expected when an `InfoTypeTransformation` is

3792

# applied to both structured and non-structured `ContentItem`s.

3793

# Currently, the referenced field may be of value type integer or string.

3794

#

3795

# The tweak is constructed as a sequence of bytes in big endian byte order

3796

# such that:

3797

#

3798

# - a 64 bit integer is encoded followed by a single byte of value 1

3799

# - a string is encoded in UTF-8 format followed by a single byte of value 2

3800

"name": "A String", # Name describing the field.

3801

},

3802

"radix": 42, # The native way to select the alphabet. Must be in the range [2, 95].

3803

"cryptoKey": { # This is a data encryption key (DEK) (as opposed to # Required. The key used by the encryption algorithm.

3804

# a key encryption key (KEK) stored by KMS).

3805

# When using KMS to wrap/unwrap DEKs, be sure to set an appropriate

3806

# IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot

3807

# unwrap the data crypto key.

3808

"kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key

3809

# The wrapped key must be a 128/192/256 bit key.

3810

# Authorization requires the following IAM permissions when sending a request

3811

# to perform a crypto transformation using a kms-wrapped crypto key:

3812

# dlp.kms.encrypt

3813

"wrappedKey": "A String", # Required. The wrapped data crypto key.

3814

"cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.

3815

},

3816

"unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key

3817

# leaking the key. Choose another type of key if possible.

3818

"key": "A String", # Required. A 128/192/256 bit key.

3819

},

3820

"transient": { # Use this to have a random data crypto key generated. # Transient crypto key

3821

# It will be discarded after the request finishes.

3822

"name": "A String", # Required. Name of the key.

3823

# This is an arbitrary string used to differentiate different keys.

3824

# A unique key is generated per name: two separate `TransientCryptoKey`

3825

# protos share the same generated key if their names are the same.

3826

# When the data crypto key is generated, this name is not used in any way

3827

# (repeating the api call will result in a different key being generated).

},

},

},

"cryptoDeterministicConfig": { # Pseudonymization method that generates deterministic encryption for the given # Deterministic Crypto

3832

# input. Outputs a base64 encoded representation of the encrypted output.

3833

# Uses AES-SIV based on the RFC https://tools.ietf.org/html/rfc5297.

3834

"surrogateInfoType": { # Type of information detected by the API. # The custom info type to annotate the surrogate with.

3835

# This annotation will be applied to the surrogate by prefixing it with

3836

# the name of the custom info type followed by the number of

3837

# characters comprising the surrogate. The following scheme defines the

3838

# format: {info type name}({surrogate character count}):{surrogate}

3839

#

3840

# For example, if the name of custom info type is 'MY_TOKEN_INFO_TYPE' and

3841

# the surrogate is 'abc', the full replacement value

3842

# will be: 'MY_TOKEN_INFO_TYPE(3):abc'

3843

#

3844

# This annotation identifies the surrogate when inspecting content using the

3845

# custom info type 'Surrogate'. This facilitates reversal of the

3846

# surrogate when it occurs in free text.

3847

#

3848

# Note: For record transformations where the entire cell in a table is being

3849

# transformed, surrogates are not mandatory. Surrogates are used to denote

3850

# the location of the token and are necessary for re-identification in free

3851

# form text.

3852

#

3853

# In order for inspection to work properly, the name of this info type must

3854

# not occur naturally anywhere in your data; otherwise, inspection may either

3855

#

3856

# - reverse a surrogate that does not correspond to an actual identifier

3857

# - be unable to parse the surrogate and result in an error

3858

#

3859

# Therefore, choose your custom info type name carefully after considering

3860

# what your data looks like. One way to select a name that has a high chance

3861

# of yielding reliable detection is to include one or more unicode characters

3862

# that are highly improbable to exist in your data.

3863

# For example, assuming your data is entered from a regular ASCII keyboard,

3864

# the symbol with the hex code point 29DD might be used like so:

3865

# ⧝MY_TOKEN_TYPE.

3866

"name": "A String", # Name of the information type. Either a name of your choosing when

3867

# creating a CustomInfoType, or one of the names listed

3868

# at https://cloud.google.com/dlp/docs/infotypes-reference when specifying

3869

# a built-in type. InfoType names should conform to the pattern

3870

# `[a-zA-Z0-9_]{1,64}`.

3871

},

3872

"context": { # General identifier of a data field in a storage service. # A context may be used for higher security and maintaining

3873

# referential integrity such that the same identifier in two different

3874

# contexts will be given a distinct surrogate. The context is appended to

3875

# plaintext value being encrypted. On decryption the provided context is

3876

# validated against the value used during encryption. If a context was

3877

# provided during encryption, same context must be provided during decryption

3878

# as well.

3879

#

3880

# If the context is not set, plaintext would be used as is for encryption.

3881

# If the context is set but:

3882

#

3883

# 1. there is no record present when transforming a given value or

3884

# 2. the field is not present when transforming a given value,

3885

#

3886

# plaintext would be used as is for encryption.

3887

#

3888

# Note that case (1) is expected when an `InfoTypeTransformation` is

3889

# applied to both structured and non-structured `ContentItem`s.

3890

"name": "A String", # Name describing the field.

3891

},

3892

"cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the encryption function.

3893

# a key encryption key (KEK) stored by KMS).

3894

# When using KMS to wrap/unwrap DEKs, be sure to set an appropriate

3895

# IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot

3896

# unwrap the data crypto key.

3897

"kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key

3898

# The wrapped key must be a 128/192/256 bit key.

3899

# Authorization requires the following IAM permissions when sending a request

3900

# to perform a crypto transformation using a kms-wrapped crypto key:

3901

# dlp.kms.encrypt

3902

"wrappedKey": "A String", # Required. The wrapped data crypto key.

3903

"cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.

3904

},

3905

"unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key

3906

# leaking the key. Choose another type of key if possible.

3907

"key": "A String", # Required. A 128/192/256 bit key.

3908

},

3909

"transient": { # Use this to have a random data crypto key generated. # Transient crypto key

3910

# It will be discarded after the request finishes.

3911

"name": "A String", # Required. Name of the key.

3912

# This is an arbitrary string used to differentiate different keys.

3913

# A unique key is generated per name: two separate `TransientCryptoKey`

3914

# protos share the same generated key if their names are the same.

3915

# When the data crypto key is generated, this name is not used in any way

3916

# (repeating the api call will result in a different key being generated).

},

},

},

"redactConfig": { # Redact a given value. For example, if used with an `InfoTypeTransformation` # Redact

3921

# transforming PHONE_NUMBER, and input 'My phone number is 206-555-0123', the

3922

# output would be 'My phone number is '.

3923

},

3924

"bucketingConfig": { # Generalization function that buckets values based on ranges. The ranges and # Bucketing

3925

# replacement values are dynamically provided by the user for custom behavior,

3926

# such as 1-30 -> LOW 31-65 -> MEDIUM 66-100 -> HIGH

3927

# This can be used on

3928

# data of type: number, long, string, timestamp.

3929

# If the bound `Value` type differs from the type of data being transformed, we

3930

# will first attempt converting the type of the data to be transformed to match

3931

# the type of the bound before comparing.

3932

# See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more.

3933

"buckets": [ # Set of buckets. Ranges must be non-overlapping.

3934

{ # Bucket is represented as a range, along with replacement values.

3935

"min": { # Set of primitive values supported by the system. # Lower bound of the range, inclusive. Type should be the same as max if

3936

# used.

3937

# Note that for the purposes of inspection or transformation, the number

3938

# of bytes considered to comprise a 'Value' is based on its representation

3939

# as a UTF-8 encoded string. For example, if 'integer_value' is set to

3940

# 123456789, the number of bytes would be counted as 9, even though an

3941

# int64 only holds up to 8 bytes of data.

3942

"booleanValue": True or False, # boolean

3943

"floatValue": 3.14, # float

3944

"dayOfWeekValue": "A String", # day of week

3945

"timestampValue": "A String", # timestamp

3946

"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date

3947

# and time zone are either specified elsewhere or are not significant. The date

3948

# is relative to the Proleptic Gregorian Calendar. This can represent:

3949

#

3950

# * A full date, with non-zero year, month and day values

3951

# * A month and day value, with a zero year, e.g. an anniversary

3952

# * A year on its own, with zero month and day values

3953

# * A year and month value, with a zero day, e.g. a credit card expiration date

3954

#

3955

# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.

3956

"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without

3957

# a year.

3958

"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a

3959

# month and day.

3960

"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0

3961

# if specifying a year by itself or a year and month where the day is not

3962

# significant.

3963

},

3964

"stringValue": "A String", # string

3965

"integerValue": "A String", # integer

3966

"timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day

3967

# or are specified elsewhere. An API may choose to allow leap seconds. Related

3968

# types are google.type.Date and `google.protobuf.Timestamp`.

3969

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may

3970

# allow the value 60 if it allows leap-seconds.

3971

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

3972

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose

3973

# to allow the value "24:00:00" for scenarios like business closing time.

3974

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

3975

},

3976

},

3977

"max": { # Set of primitive values supported by the system. # Upper bound of the range, exclusive; type must match min.

3978

# Note that for the purposes of inspection or transformation, the number

3979

# of bytes considered to comprise a 'Value' is based on its representation

3980

# as a UTF-8 encoded string. For example, if 'integer_value' is set to

3981

# 123456789, the number of bytes would be counted as 9, even though an

3982

# int64 only holds up to 8 bytes of data.

3983

"booleanValue": True or False, # boolean

3984

"floatValue": 3.14, # float

3985

"dayOfWeekValue": "A String", # day of week

3986

"timestampValue": "A String", # timestamp

3987

"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date

3988

# and time zone are either specified elsewhere or are not significant. The date

3989

# is relative to the Proleptic Gregorian Calendar. This can represent:

3990

#

3991

# * A full date, with non-zero year, month and day values

3992

# * A month and day value, with a zero year, e.g. an anniversary

3993

# * A year on its own, with zero month and day values

3994

# * A year and month value, with a zero day, e.g. a credit card expiration date

3995

#

3996

# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.

3997

"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without

3998

# a year.

3999

"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a

4000

# month and day.

4001

"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0

4002

# if specifying a year by itself or a year and month where the day is not

4003

# significant.

4004

},

4005

"stringValue": "A String", # string

4006

"integerValue": "A String", # integer

4007

"timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day

4008

# or are specified elsewhere. An API may choose to allow leap seconds. Related

4009

# types are google.type.Date and `google.protobuf.Timestamp`.

4010

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may

4011

# allow the value 60 if it allows leap-seconds.

4012

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

4013

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose

4014

# to allow the value "24:00:00" for scenarios like business closing time.

4015

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

4016

},

4017

},

4018

"replacementValue": { # Set of primitive values supported by the system. # Replacement value for this bucket. If not provided

4019

# the default behavior will be to hyphenate the min-max range.

4020

# Note that for the purposes of inspection or transformation, the number

4021

# of bytes considered to comprise a 'Value' is based on its representation

4022

# as a UTF-8 encoded string. For example, if 'integer_value' is set to

4023

# 123456789, the number of bytes would be counted as 9, even though an

4024

# int64 only holds up to 8 bytes of data.

4025

"booleanValue": True or False, # boolean

4026

"floatValue": 3.14, # float

4027

"dayOfWeekValue": "A String", # day of week

4028

"timestampValue": "A String", # timestamp

4029

"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date

4030

# and time zone are either specified elsewhere or are not significant. The date

4031

# is relative to the Proleptic Gregorian Calendar. This can represent:

4032

#

4033

# * A full date, with non-zero year, month and day values

4034

# * A month and day value, with a zero year, e.g. an anniversary

4035

# * A year on its own, with zero month and day values

4036

# * A year and month value, with a zero day, e.g. a credit card expiration date

4037

#

4038

# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.

4039

"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without

4040

# a year.

4041

"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a

4042

# month and day.

4043

"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0

4044

# if specifying a year by itself or a year and month where the day is not

4045

# significant.

4046

},

4047

"stringValue": "A String", # string

4048

"integerValue": "A String", # integer

4049

"timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day

4050

# or are specified elsewhere. An API may choose to allow leap seconds. Related

4051

# types are google.type.Date and `google.protobuf.Timestamp`.

4052

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may

4053

# allow the value 60 if it allows leap-seconds.

4054

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

4055

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose

4056

# to allow the value "24:00:00" for scenarios like business closing time.

4057

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

},

},

},

],

},

"replaceConfig": { # Replace each input value with a given `Value`. # Replace

4064

"newValue": { # Set of primitive values supported by the system. # Value to replace it with.

4065

# Note that for the purposes of inspection or transformation, the number

4066

# of bytes considered to comprise a 'Value' is based on its representation

4067

# as a UTF-8 encoded string. For example, if 'integer_value' is set to

4068

# 123456789, the number of bytes would be counted as 9, even though an

4069

# int64 only holds up to 8 bytes of data.

4070

"booleanValue": True or False, # boolean

4071

"floatValue": 3.14, # float

4072

"dayOfWeekValue": "A String", # day of week

4073

"timestampValue": "A String", # timestamp

4074

"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date

4075

# and time zone are either specified elsewhere or are not significant. The date

4076

# is relative to the Proleptic Gregorian Calendar. This can represent:

4077

#

4078

# * A full date, with non-zero year, month and day values

4079

# * A month and day value, with a zero year, e.g. an anniversary

4080

# * A year on its own, with zero month and day values

4081

# * A year and month value, with a zero day, e.g. a credit card expiration date

4082

#

4083

# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.

4084

"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without

4085

# a year.

4086

"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a

4087

# month and day.

4088

"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0

4089

# if specifying a year by itself or a year and month where the day is not

4090

# significant.

4091

},

4092

"stringValue": "A String", # string

4093

"integerValue": "A String", # integer

4094

"timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day

4095

# or are specified elsewhere. An API may choose to allow leap seconds. Related

4096

# types are google.type.Date and `google.protobuf.Timestamp`.

4097

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may

4098

# allow the value 60 if it allows leap-seconds.

4099

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

4100

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose

4101

# to allow the value "24:00:00" for scenarios like business closing time.

4102

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

},

},

},

"characterMaskConfig": { # Partially mask a string by replacing a given number of characters with a # Mask

4107

# fixed character. Masking can start from the beginning or end of the string.

4108

# This can be used on data of any type (numbers, longs, and so on) and when

4109

# de-identifying structured data we'll attempt to preserve the original data's

4110

# type. (This allows you to take a long like 123 and modify it to a string like

4111

# **3.

4112

"reverseOrder": True or False, # Mask characters in reverse order. For example, if `masking_character` is

4113

# `0`, `number_to_mask` is `14`, and `reverse_order` is `false`, then the

4114

# input string `1234-5678-9012-3456` is masked as `00000000000000-3456`.

4115

# If `masking_character` is `*`, `number_to_mask` is `3`, and `reverse_order`

4116

# is `true`, then the string `12345` is masked as `12***`.

4117

"charactersToIgnore": [ # When masking a string, items in this list will be skipped when replacing

4118

# characters. For example, if the input string is `555-555-5555` and you

4119

# instruct Cloud DLP to skip `-` and mask 5 characters with `*`, Cloud DLP

4120

# returns `***-**5-5555`.

4121

{ # Characters to skip when doing deidentification of a value. These will be left

4122

# alone and skipped.

4123

"charactersToSkip": "A String", # Characters to not transform when masking.

4124

"commonCharactersToIgnore": "A String", # Common characters to not transform when masking. Useful to avoid removing

# punctuation.

},

],

"numberToMask": 42, # Number of characters to mask. If not set, all matching chars will be

4129

# masked. Skipped characters do not count towards this tally.

4130

"maskingCharacter": "A String", # Character to use to mask the sensitive values&mdash;for example, `*` for an

4131

# alphabetic string such as a name, or `0` for a numeric string such as ZIP

4132

# code or credit card number. This string must have a length of 1. If not

4133

# supplied, this value defaults to `*` for strings, and `0` for digits.

4134

},

4135

"fixedSizeBucketingConfig": { # Buckets values based on fixed size ranges. The # Fixed size bucketing

4136

# Bucketing transformation can provide all of this functionality,

4137

# but requires more configuration. This message is provided as a convenience to

4138

# the user for simple bucketing strategies.

4139

#

4140

# The transformed value will be a hyphenated string of

4141

# {lower_bound}-{upper_bound}, i.e if lower_bound = 10 and upper_bound = 20

4142

# all values that are within this bucket will be replaced with "10-20".

4143

#

4144

# This can be used on data of type: double, long.

4145

#

4146

# If the bound Value type differs from the type of data

4147

# being transformed, we will first attempt converting the type of the data to

4148

# be transformed to match the type of the bound before comparing.

4149

#

4150

# See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more.

4151

"lowerBound": { # Set of primitive values supported by the system. # Required. Lower bound value of buckets. All values less than `lower_bound` are

4152

# grouped together into a single bucket; for example if `lower_bound` = 10,

4153

# then all values less than 10 are replaced with the value "-10".

4154

# Note that for the purposes of inspection or transformation, the number

4155

# of bytes considered to comprise a 'Value' is based on its representation

4156

# as a UTF-8 encoded string. For example, if 'integer_value' is set to

4157

# 123456789, the number of bytes would be counted as 9, even though an

4158

# int64 only holds up to 8 bytes of data.

4159

"booleanValue": True or False, # boolean

4160

"floatValue": 3.14, # float

4161

"dayOfWeekValue": "A String", # day of week

4162

"timestampValue": "A String", # timestamp

4163

"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date

4164

# and time zone are either specified elsewhere or are not significant. The date

4165

# is relative to the Proleptic Gregorian Calendar. This can represent:

4166

#

4167

# * A full date, with non-zero year, month and day values

4168

# * A month and day value, with a zero year, e.g. an anniversary

4169

# * A year on its own, with zero month and day values

4170

# * A year and month value, with a zero day, e.g. a credit card expiration date

4171

#

4172

# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.

4173

"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without

4174

# a year.

4175

"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a

4176

# month and day.

4177

"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0

4178

# if specifying a year by itself or a year and month where the day is not

4179

# significant.

4180

},

4181

"stringValue": "A String", # string

4182

"integerValue": "A String", # integer

4183

"timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day

4184

# or are specified elsewhere. An API may choose to allow leap seconds. Related

4185

# types are google.type.Date and `google.protobuf.Timestamp`.

4186

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may

4187

# allow the value 60 if it allows leap-seconds.

4188

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

4189

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose

4190

# to allow the value "24:00:00" for scenarios like business closing time.

4191

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

4192

},

4193

},

4194

"upperBound": { # Set of primitive values supported by the system. # Required. Upper bound value of buckets. All values greater than upper_bound are

4195

# grouped together into a single bucket; for example if `upper_bound` = 89,

4196

# then all values greater than 89 are replaced with the value "89+".

4197

# Note that for the purposes of inspection or transformation, the number

4198

# of bytes considered to comprise a 'Value' is based on its representation

4199

# as a UTF-8 encoded string. For example, if 'integer_value' is set to

4200

# 123456789, the number of bytes would be counted as 9, even though an

4201

# int64 only holds up to 8 bytes of data.

4202

"booleanValue": True or False, # boolean

4203

"floatValue": 3.14, # float

4204

"dayOfWeekValue": "A String", # day of week

4205

"timestampValue": "A String", # timestamp

4206

"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date

4207

# and time zone are either specified elsewhere or are not significant. The date

4208

# is relative to the Proleptic Gregorian Calendar. This can represent:

4209

#

4210

# * A full date, with non-zero year, month and day values

4211

# * A month and day value, with a zero year, e.g. an anniversary

4212

# * A year on its own, with zero month and day values

4213

# * A year and month value, with a zero day, e.g. a credit card expiration date

4214

#

4215

# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.

4216

"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without

4217

# a year.

4218

"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a

4219

# month and day.

4220

"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0

4221

# if specifying a year by itself or a year and month where the day is not

4222

# significant.

4223

},

4224

"stringValue": "A String", # string

4225

"integerValue": "A String", # integer

4226

"timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day

4227

# or are specified elsewhere. An API may choose to allow leap seconds. Related

4228

# types are google.type.Date and `google.protobuf.Timestamp`.

4229

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may

4230

# allow the value 60 if it allows leap-seconds.

4231

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

4232

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose

4233

# to allow the value "24:00:00" for scenarios like business closing time.

4234

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

4235

},

4236

},

4237

"bucketSize": 3.14, # Required. Size of each bucket (except for minimum and maximum buckets). So if

4238

# `lower_bound` = 10, `upper_bound` = 89, and `bucket_size` = 10, then the

4239

# following buckets would be used: -10, 10-20, 20-30, 30-40, 40-50, 50-60,

4240

# 60-70, 70-80, 80-89, 89+. Precision up to 2 decimals works.

},

},

},

],

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

4245

},

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

4246

},

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

}</pre>

</div>

<code class="details" id="delete">delete(name, x__xgafv=None)</code>

4252

<pre>Deletes a DeidentifyTemplate.

4253

See https://cloud.google.com/dlp/docs/creating-templates-deid to learn

4254

more.

4255

4256

Args:

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

4257

name: string, Required. Resource name of the organization and deidentify template to be deleted,

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

4258

for example `organizations/433245324/deidentifyTemplates/432452342` or

4259

projects/project-id/deidentifyTemplates/432452342. (required)

4260

x__xgafv: string, V1 error format.

Allowed values

1 - v1 error format

2 - v2 error format

Returns:

An object of the form:

4267

4268

{ # A generic empty message that you can re-use to avoid defining duplicated

4269

# empty messages in your APIs. A typical example is to use it as the request

4270

# or the response type of an API method. For instance:

4271

#

4272

# service Foo {

4273

# rpc Bar(google.protobuf.Empty) returns (google.protobuf.Empty);

4274

# }

4275

#

4276

# The JSON representation for `Empty` is empty JSON object `{}`.

}</pre>

</div>

<code class="details" id="get">get(name, x__xgafv=None)</code>

4282

<pre>Gets a DeidentifyTemplate.

4283

See https://cloud.google.com/dlp/docs/creating-templates-deid to learn

4284

more.

4285

4286

Args:

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

4287

name: string, Required. Resource name of the organization and deidentify template to be read, for

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

4288

example `organizations/433245324/deidentifyTemplates/432452342` or

4289

projects/project-id/deidentifyTemplates/432452342. (required)

4290

x__xgafv: string, V1 error format.

Allowed values

1 - v1 error format

2 - v2 error format

Returns:

An object of the form:

4297

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

4298

{ # DeidentifyTemplates contains instructions on how to de-identify content.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

4299

# See https://cloud.google.com/dlp/docs/concepts-templates to learn more.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

4300

"name": "A String", # Output only. The template name.

4301

#

4302

# The template will have one of the following formats:

4303

# `projects/PROJECT_ID/deidentifyTemplates/TEMPLATE_ID` OR

4304

# `organizations/ORGANIZATION_ID/deidentifyTemplates/TEMPLATE_ID`

4305

"description": "A String", # Short description (max 256 chars).

4306

"displayName": "A String", # Display name (max 256 chars).

4307

"createTime": "A String", # Output only. The creation timestamp of an inspectTemplate.

4308

"updateTime": "A String", # Output only. The last update timestamp of an inspectTemplate.

4309

"deidentifyConfig": { # The configuration that controls how the data will change. # ///////////// // The core content of the template // ///////////////

4310

"transformationErrorHandling": { # How to handle transformation errors during de-identification. A # Mode for handling transformation errors. If left unspecified, the default

4311

# mode is `TransformationErrorHandling.ThrowError`.

4312

# transformation error occurs when the requested transformation is incompatible

4313

# with the data. For example, trying to de-identify an IP address using a

4314

# `DateShift` transformation would result in a transformation error, since date

4315

# info cannot be extracted from an IP address.

4316

# Information about any incompatible transformations, and how they were

4317

# handled, is returned in the response as part of the

4318

# `TransformationOverviews`.

4319

"throwError": { # Throw an error and fail the request when a transformation error occurs. # Throw an error

4320

},

4321

"leaveUntransformed": { # Skips the data without modifying it if the requested transformation would # Ignore errors

4322

# cause an error. For example, if a `DateShift` transformation were applied

4323

# an an IP address, this mode would leave the IP address unchanged in the

4324

# response.

4325

},

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

4326

},

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

4327

"recordTransformations": { # A type of transformation that is applied over structured data such as a # Treat the dataset as structured. Transformations can be applied to

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

4328

# specific locations within structured datasets, such as transforming

4329

# a column within a table.

4330

# table.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

4331

"recordSuppressions": [ # Configuration defining which records get suppressed entirely. Records that

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

4332

# match any suppression rule are omitted from the output.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

4333

{ # Configuration to suppress records whose suppression conditions evaluate to

4334

# true.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

4335

"condition": { # A condition for determining whether a transformation should be applied to # A condition that when it evaluates to true will result in the record being

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

4336

# evaluated to be suppressed from the transformed content.

4337

# a field.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

4338

"expressions": { # An expression, consisting or an operator and conditions. # An expression.

4339

"logicalOperator": "A String", # The operator to apply to the result of conditions. Default and currently

4340

# only supported value is `AND`.

4341

"conditions": { # A collection of conditions. # Conditions to apply to the expression.

4342

"conditions": [ # A collection of conditions.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

4343

{ # The field type of `value` and `field` do not need to match to be

4344

# considered equal, but not all comparisons are possible.

4345

# EQUAL_TO and NOT_EQUAL_TO attempt to compare even with incompatible types,

4346

# but all other comparisons are invalid with incompatible types.

4347

# A `value` of type:

4348

#

4349

# - `string` can be compared against all other types

4350

# - `boolean` can only be compared against other booleans

4351

# - `integer` can be compared against doubles or a string if the string value

4352

# can be parsed as an integer.

4353

# - `double` can be compared against integers or a string if the string can

4354

# be parsed as a double.

4355

# - `Timestamp` can be compared against strings in RFC 3339 date string

4356

# format.

4357

# - `TimeOfDay` can be compared against timestamps and strings in the format

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

4358

# of 'HH:mm:ss'.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

4359

#

4360

# If we fail to compare do to type mismatch, a warning will be given and

4361

# the condition will evaluate to false.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

4362

"field": { # General identifier of a data field in a storage service. # Required. Field within the record this condition is evaluated against.

4363

"name": "A String", # Name describing the field.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

4364

},

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

4365

"operator": "A String", # Required. Operator used to compare the field or infoType to the value.

4366

"value": { # Set of primitive values supported by the system. # Value to compare against. [Mandatory, except for `EXISTS` tests.]

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

4367

# Note that for the purposes of inspection or transformation, the number

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

4368

# of bytes considered to comprise a 'Value' is based on its representation

4369

# as a UTF-8 encoded string. For example, if 'integer_value' is set to

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

4370

# 123456789, the number of bytes would be counted as 9, even though an

4371

# int64 only holds up to 8 bytes of data.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

4372

"booleanValue": True or False, # boolean

4373

"floatValue": 3.14, # float

4374

"dayOfWeekValue": "A String", # day of week

4375

"timestampValue": "A String", # timestamp

4376

"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

4377

# and time zone are either specified elsewhere or are not significant. The date

4378

# is relative to the Proleptic Gregorian Calendar. This can represent:

4379

#

4380

# * A full date, with non-zero year, month and day values

4381

# * A month and day value, with a zero year, e.g. an anniversary

4382

# * A year on its own, with zero month and day values

4383

# * A year and month value, with a zero day, e.g. a credit card expiration date

4384

#

4385

# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

4386

"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without

4387

# a year.

4388

"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

4389

# month and day.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

4390

"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

4391

# if specifying a year by itself or a year and month where the day is not

4392

# significant.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

4393

},

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

4394

"stringValue": "A String", # string

4395

"integerValue": "A String", # integer

4396

"timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day

4397

# or are specified elsewhere. An API may choose to allow leap seconds. Related

4398

# types are google.type.Date and `google.protobuf.Timestamp`.

4399

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may

4400

# allow the value 60 if it allows leap-seconds.

4401

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

4402

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose

4403

# to allow the value "24:00:00" for scenarios like business closing time.

4404

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

4405

},

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

},

},

],

},

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

},

},

},

],

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

4414

"fieldTransformations": [ # Transform the record by applying various field transformations.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

4415

{ # The transformation to apply to the field.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

4416

"fields": [ # Required. Input field(s) to apply the transformation to.

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

4417

{ # General identifier of a data field in a storage service.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

4418

"name": "A String", # Name describing the field.

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

4419

},

4420

],

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

4421

"infoTypeTransformations": { # A type of transformation that will scan unstructured text and # Treat the contents of the field as free text, and selectively

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

4422

# transform content that matches an `InfoType`.

4423

# apply various `PrimitiveTransformation`s to each finding, where the

4424

# transformation is applied to only values that were identified as a specific

4425

# info_type.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

4426

"transformations": [ # Required. Transformation for each infoType. Cannot specify more than one

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

4427

# for a given infoType.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

4428

{ # A transformation to apply to text that is identified as a specific

4429

# info_type.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

4430

"infoTypes": [ # InfoTypes to apply the transformation to. An empty list will cause

4431

# this transformation to apply to all findings that correspond to

4432

# infoTypes that were requested in `InspectConfig`.

4433

{ # Type of information detected by the API.

4434

"name": "A String", # Name of the information type. Either a name of your choosing when

4435

# creating a CustomInfoType, or one of the names listed

4436

# at https://cloud.google.com/dlp/docs/infotypes-reference when specifying

4437

# a built-in type. InfoType names should conform to the pattern

4438

# `[a-zA-Z0-9_]{1,64}`.

4439

},

4440

],

4441

"primitiveTransformation": { # A rule for transforming a value. # Required. Primitive transformation to apply to the infoType.

4442

"timePartConfig": { # For use with `Date`, `Timestamp`, and `TimeOfDay`, extract or preserve a # Time extraction

4443

# portion of the value.

4444

"partToExtract": "A String", # The part of the time to keep.

4445

},

4446

"dateShiftConfig": { # Shifts dates by random number of days, with option to be consistent for the # Date Shift

4447

# same context. See https://cloud.google.com/dlp/docs/concepts-date-shifting

4448

# to learn more.

4449

"context": { # General identifier of a data field in a storage service. # Points to the field that contains the context, for example, an entity id.

4450

# If set, must also set cryptoKey. If set, shift will be consistent for the

4451

# given context.

4452

"name": "A String", # Name describing the field.

4453

},

4454

"upperBoundDays": 42, # Required. Range of shift in days. Actual shift will be selected at random within this

4455

# range (inclusive ends). Negative means shift to earlier in time. Must not

4456

# be more than 365250 days (1000 years) each direction.

4457

#

4458

# For example, 3 means shift date to at most 3 days into the future.

4459

"lowerBoundDays": 42, # Required. For example, -5 means shift date to at most 5 days back in the past.

4460

"cryptoKey": { # This is a data encryption key (DEK) (as opposed to # Causes the shift to be computed based on this key and the context. This

4461

# results in the same shift for the same context and crypto_key. If

4462

# set, must also set context. Can only be applied to table items.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

4463

# a key encryption key (KEK) stored by KMS).

4464

# When using KMS to wrap/unwrap DEKs, be sure to set an appropriate

4465

# IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot

4466

# unwrap the data crypto key.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

4467

"kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

4468

# The wrapped key must be a 128/192/256 bit key.

4469

# Authorization requires the following IAM permissions when sending a request

4470

# to perform a crypto transformation using a kms-wrapped crypto key:

4471

# dlp.kms.encrypt

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

4472

"wrappedKey": "A String", # Required. The wrapped data crypto key.

4473

"cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

4474

},

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

4475

"unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

4476

# leaking the key. Choose another type of key if possible.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

4477

"key": "A String", # Required. A 128/192/256 bit key.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

4478

},

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

4479

"transient": { # Use this to have a random data crypto key generated. # Transient crypto key

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

4480

# It will be discarded after the request finishes.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

4481

"name": "A String", # Required. Name of the key.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

4482

# This is an arbitrary string used to differentiate different keys.

4483

# A unique key is generated per name: two separate `TransientCryptoKey`

4484

# protos share the same generated key if their names are the same.

4485

# When the data crypto key is generated, this name is not used in any way

4486

# (repeating the api call will result in a different key being generated).

4487

},

4488

},

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

4489

},

4490

"replaceWithInfoTypeConfig": { # Replace each matching finding with the name of the info_type. # Replace with infotype

4491

},

4492

"cryptoHashConfig": { # Pseudonymization method that generates surrogates via cryptographic hashing. # Crypto

4493

# Uses SHA-256.

4494

# The key size must be either 32 or 64 bytes.

4495

# Outputs a base64 encoded representation of the hashed output

4496

# (for example, L7k0BHmF1ha5U3NfGykjro4xWi1MPVQPjhMAZbSV9mM=).

4497

# Currently, only string and integer values can be hashed.

4498

# See https://cloud.google.com/dlp/docs/pseudonymization to learn more.

4499

"cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the hash function.

4500

# a key encryption key (KEK) stored by KMS).

4501

# When using KMS to wrap/unwrap DEKs, be sure to set an appropriate

4502

# IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot

4503

# unwrap the data crypto key.

4504

"kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key

4505

# The wrapped key must be a 128/192/256 bit key.

4506

# Authorization requires the following IAM permissions when sending a request

4507

# to perform a crypto transformation using a kms-wrapped crypto key:

4508

# dlp.kms.encrypt

4509

"wrappedKey": "A String", # Required. The wrapped data crypto key.

4510

"cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.

4511

},

4512

"unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key

4513

# leaking the key. Choose another type of key if possible.

4514

"key": "A String", # Required. A 128/192/256 bit key.

4515

},

4516

"transient": { # Use this to have a random data crypto key generated. # Transient crypto key

4517

# It will be discarded after the request finishes.

4518

"name": "A String", # Required. Name of the key.

4519

# This is an arbitrary string used to differentiate different keys.

4520

# A unique key is generated per name: two separate `TransientCryptoKey`

4521

# protos share the same generated key if their names are the same.

4522

# When the data crypto key is generated, this name is not used in any way

4523

# (repeating the api call will result in a different key being generated).

},

},

},

"cryptoReplaceFfxFpeConfig": { # Replaces an identifier with a surrogate using Format Preserving Encryption # Ffx-Fpe

4528

# (FPE) with the FFX mode of operation; however when used in the

4529

# `ReidentifyContent` API method, it serves the opposite function by reversing

4530

# the surrogate back into the original identifier. The identifier must be

4531

# encoded as ASCII. For a given crypto key and context, the same identifier

4532

# will be replaced with the same surrogate. Identifiers must be at least two

4533

# characters long. In the case that the identifier is the empty string, it will

4534

# be skipped. See https://cloud.google.com/dlp/docs/pseudonymization to learn

4535

# more.

4536

#

4537

# Note: We recommend using CryptoDeterministicConfig for all use cases which

4538

# do not require preserving the input alphabet space and size, plus warrant

4539

# referential integrity.

4540

"customAlphabet": "A String", # This is supported by mapping these to the alphanumeric characters

4541

# that the FFX mode natively supports. This happens before/after

4542

# encryption/decryption.

4543

# Each character listed must appear only once.

4544

# Number of characters must be in the range [2, 95].

4545

# This must be encoded as ASCII.

4546

# The order of characters does not matter.

4547

"commonAlphabet": "A String", # Common alphabets.

4548

"surrogateInfoType": { # Type of information detected by the API. # The custom infoType to annotate the surrogate with.

4549

# This annotation will be applied to the surrogate by prefixing it with

4550

# the name of the custom infoType followed by the number of

4551

# characters comprising the surrogate. The following scheme defines the

4552

# format: info_type_name(surrogate_character_count):surrogate

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

4553

#

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

4554

# For example, if the name of custom infoType is 'MY_TOKEN_INFO_TYPE' and

4555

# the surrogate is 'abc', the full replacement value

4556

# will be: 'MY_TOKEN_INFO_TYPE(3):abc'

4557

#

4558

# This annotation identifies the surrogate when inspecting content using the

4559

# custom infoType

4560

# [`SurrogateType`](/dlp/docs/reference/rest/v2/InspectConfig#surrogatetype).

4561

# This facilitates reversal of the surrogate when it occurs in free text.

4562

#

4563

# In order for inspection to work properly, the name of this infoType must

4564

# not occur naturally anywhere in your data; otherwise, inspection may

4565

# find a surrogate that does not correspond to an actual identifier.

4566

# Therefore, choose your custom infoType name carefully after considering

4567

# what your data looks like. One way to select a name that has a high chance

4568

# of yielding reliable detection is to include one or more unicode characters

4569

# that are highly improbable to exist in your data.

4570

# For example, assuming your data is entered from a regular ASCII keyboard,

4571

# the symbol with the hex code point 29DD might be used like so:

4572

# ⧝MY_TOKEN_TYPE

4573

"name": "A String", # Name of the information type. Either a name of your choosing when

4574

# creating a CustomInfoType, or one of the names listed

4575

# at https://cloud.google.com/dlp/docs/infotypes-reference when specifying

4576

# a built-in type. InfoType names should conform to the pattern

4577

# `[a-zA-Z0-9_]{1,64}`.

4578

},

4579

"context": { # General identifier of a data field in a storage service. # The 'tweak', a context may be used for higher security since the same

4580

# identifier in two different contexts won't be given the same surrogate. If

4581

# the context is not set, a default tweak will be used.

4582

#

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

4583

# If the context is set but:

4584

#

4585

# 1. there is no record present when transforming a given value or

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

4586

# 1. the field is not present when transforming a given value,

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

4587

#

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

4588

# a default tweak will be used.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

4589

#

4590

# Note that case (1) is expected when an `InfoTypeTransformation` is

4591

# applied to both structured and non-structured `ContentItem`s.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

4592

# Currently, the referenced field may be of value type integer or string.

4593

#

4594

# The tweak is constructed as a sequence of bytes in big endian byte order

4595

# such that:

4596

#

4597

# - a 64 bit integer is encoded followed by a single byte of value 1

4598

# - a string is encoded in UTF-8 format followed by a single byte of value 2

4599

"name": "A String", # Name describing the field.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

4600

},

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

4601

"radix": 42, # The native way to select the alphabet. Must be in the range [2, 95].

4602

"cryptoKey": { # This is a data encryption key (DEK) (as opposed to # Required. The key used by the encryption algorithm.

4603

# a key encryption key (KEK) stored by KMS).

4604

# When using KMS to wrap/unwrap DEKs, be sure to set an appropriate

4605

# IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot

4606

# unwrap the data crypto key.

4607

"kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key

4608

# The wrapped key must be a 128/192/256 bit key.

4609

# Authorization requires the following IAM permissions when sending a request

4610

# to perform a crypto transformation using a kms-wrapped crypto key:

4611

# dlp.kms.encrypt

4612

"wrappedKey": "A String", # Required. The wrapped data crypto key.

4613

"cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.

4614

},

4615

"unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key

4616

# leaking the key. Choose another type of key if possible.

4617

"key": "A String", # Required. A 128/192/256 bit key.

4618

},

4619

"transient": { # Use this to have a random data crypto key generated. # Transient crypto key

4620

# It will be discarded after the request finishes.

4621

"name": "A String", # Required. Name of the key.

4622

# This is an arbitrary string used to differentiate different keys.

4623

# A unique key is generated per name: two separate `TransientCryptoKey`

4624

# protos share the same generated key if their names are the same.

4625

# When the data crypto key is generated, this name is not used in any way

4626

# (repeating the api call will result in a different key being generated).

},

},

},

"cryptoDeterministicConfig": { # Pseudonymization method that generates deterministic encryption for the given # Deterministic Crypto

4631

# input. Outputs a base64 encoded representation of the encrypted output.

4632

# Uses AES-SIV based on the RFC https://tools.ietf.org/html/rfc5297.

4633

"surrogateInfoType": { # Type of information detected by the API. # The custom info type to annotate the surrogate with.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

4634

# This annotation will be applied to the surrogate by prefixing it with

4635

# the name of the custom info type followed by the number of

4636

# characters comprising the surrogate. The following scheme defines the

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

4637

# format: {info type name}({surrogate character count}):{surrogate}

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

4638

#

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

4639

# For example, if the name of custom info type is 'MY_TOKEN_INFO_TYPE' and

4640

# the surrogate is 'abc', the full replacement value

4641

# will be: 'MY_TOKEN_INFO_TYPE(3):abc'

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

4642

#

4643

# This annotation identifies the surrogate when inspecting content using the

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

4644

# custom info type 'Surrogate'. This facilitates reversal of the

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

4645

# surrogate when it occurs in free text.

4646

#

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

4647

# Note: For record transformations where the entire cell in a table is being

4648

# transformed, surrogates are not mandatory. Surrogates are used to denote

4649

# the location of the token and are necessary for re-identification in free

4650

# form text.

4651

#

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

4652

# In order for inspection to work properly, the name of this info type must

4653

# not occur naturally anywhere in your data; otherwise, inspection may either

4654

#

4655

# - reverse a surrogate that does not correspond to an actual identifier

4656

# - be unable to parse the surrogate and result in an error

4657

#

4658

# Therefore, choose your custom info type name carefully after considering

4659

# what your data looks like. One way to select a name that has a high chance

4660

# of yielding reliable detection is to include one or more unicode characters

4661

# that are highly improbable to exist in your data.

4662

# For example, assuming your data is entered from a regular ASCII keyboard,

4663

# the symbol with the hex code point 29DD might be used like so:

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

4664

# ⧝MY_TOKEN_TYPE.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

4665

"name": "A String", # Name of the information type. Either a name of your choosing when

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

4666

# creating a CustomInfoType, or one of the names listed

4667

# at https://cloud.google.com/dlp/docs/infotypes-reference when specifying

4668

# a built-in type. InfoType names should conform to the pattern

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

4669

# `[a-zA-Z0-9_]{1,64}`.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

4670

},

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

4671

"context": { # General identifier of a data field in a storage service. # A context may be used for higher security and maintaining

4672

# referential integrity such that the same identifier in two different

4673

# contexts will be given a distinct surrogate. The context is appended to

4674

# plaintext value being encrypted. On decryption the provided context is

4675

# validated against the value used during encryption. If a context was

4676

# provided during encryption, same context must be provided during decryption

4677

# as well.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

4678

#

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

4679

# If the context is not set, plaintext would be used as is for encryption.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

4680

# If the context is set but:

4681

#

4682

# 1. there is no record present when transforming a given value or

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

4683

# 2. the field is not present when transforming a given value,

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

4684

#

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

4685

# plaintext would be used as is for encryption.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

4686

#

4687

# Note that case (1) is expected when an `InfoTypeTransformation` is

4688

# applied to both structured and non-structured `ContentItem`s.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

4689

"name": "A String", # Name describing the field.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

4690

},

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

4691

"cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the encryption function.

4692

# a key encryption key (KEK) stored by KMS).

4693

# When using KMS to wrap/unwrap DEKs, be sure to set an appropriate

4694

# IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot

4695

# unwrap the data crypto key.

4696

"kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key

4697

# The wrapped key must be a 128/192/256 bit key.

4698

# Authorization requires the following IAM permissions when sending a request

4699

# to perform a crypto transformation using a kms-wrapped crypto key:

4700

# dlp.kms.encrypt

4701

"wrappedKey": "A String", # Required. The wrapped data crypto key.

4702

"cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.

4703

},

4704

"unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key

4705

# leaking the key. Choose another type of key if possible.

4706

"key": "A String", # Required. A 128/192/256 bit key.

4707

},

4708

"transient": { # Use this to have a random data crypto key generated. # Transient crypto key

4709

# It will be discarded after the request finishes.

4710

"name": "A String", # Required. Name of the key.

4711

# This is an arbitrary string used to differentiate different keys.

4712

# A unique key is generated per name: two separate `TransientCryptoKey`

4713

# protos share the same generated key if their names are the same.

4714

# When the data crypto key is generated, this name is not used in any way

4715

# (repeating the api call will result in a different key being generated).

4716

},

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

4717

},

4718

},

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

4719

"redactConfig": { # Redact a given value. For example, if used with an `InfoTypeTransformation` # Redact

4720

# transforming PHONE_NUMBER, and input 'My phone number is 206-555-0123', the

4721

# output would be 'My phone number is '.

4722

},

4723

"bucketingConfig": { # Generalization function that buckets values based on ranges. The ranges and # Bucketing

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

4724

# replacement values are dynamically provided by the user for custom behavior,

4725

# such as 1-30 -> LOW 31-65 -> MEDIUM 66-100 -> HIGH

4726

# This can be used on

4727

# data of type: number, long, string, timestamp.

4728

# If the bound `Value` type differs from the type of data being transformed, we

4729

# will first attempt converting the type of the data to be transformed to match

4730

# the type of the bound before comparing.

4731

# See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

4732

"buckets": [ # Set of buckets. Ranges must be non-overlapping.

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

4733

{ # Bucket is represented as a range, along with replacement values.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

4734

"min": { # Set of primitive values supported by the system. # Lower bound of the range, inclusive. Type should be the same as max if

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

4735

# used.

4736

# Note that for the purposes of inspection or transformation, the number

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

4737

# of bytes considered to comprise a 'Value' is based on its representation

4738

# as a UTF-8 encoded string. For example, if 'integer_value' is set to

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

4739

# 123456789, the number of bytes would be counted as 9, even though an

4740

# int64 only holds up to 8 bytes of data.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

4741

"booleanValue": True or False, # boolean

4742

"floatValue": 3.14, # float

4743

"dayOfWeekValue": "A String", # day of week

4744

"timestampValue": "A String", # timestamp

4745

"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

4746

# and time zone are either specified elsewhere or are not significant. The date

4747

# is relative to the Proleptic Gregorian Calendar. This can represent:

4748

#

4749

# * A full date, with non-zero year, month and day values

4750

# * A month and day value, with a zero year, e.g. an anniversary

4751

# * A year on its own, with zero month and day values

4752

# * A year and month value, with a zero day, e.g. a credit card expiration date

4753

#

4754

# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

4755

"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without

4756

# a year.

4757

"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

4758

# month and day.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

4759

"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

4760

# if specifying a year by itself or a year and month where the day is not

4761

# significant.

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

4762

},

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

4763

"stringValue": "A String", # string

4764

"integerValue": "A String", # integer

4765

"timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day

4766

# or are specified elsewhere. An API may choose to allow leap seconds. Related

4767

# types are google.type.Date and `google.protobuf.Timestamp`.

4768

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may

4769

# allow the value 60 if it allows leap-seconds.

4770

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

4771

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose

4772

# to allow the value "24:00:00" for scenarios like business closing time.

4773

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

4774

},

4775

},

4776

"max": { # Set of primitive values supported by the system. # Upper bound of the range, exclusive; type must match min.

4777

# Note that for the purposes of inspection or transformation, the number

4778

# of bytes considered to comprise a 'Value' is based on its representation

4779

# as a UTF-8 encoded string. For example, if 'integer_value' is set to

4780

# 123456789, the number of bytes would be counted as 9, even though an

4781

# int64 only holds up to 8 bytes of data.

4782

"booleanValue": True or False, # boolean

4783

"floatValue": 3.14, # float

4784

"dayOfWeekValue": "A String", # day of week

4785

"timestampValue": "A String", # timestamp

4786

"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date

4787

# and time zone are either specified elsewhere or are not significant. The date

4788

# is relative to the Proleptic Gregorian Calendar. This can represent:

4789

#

4790

# * A full date, with non-zero year, month and day values

4791

# * A month and day value, with a zero year, e.g. an anniversary

4792

# * A year on its own, with zero month and day values

4793

# * A year and month value, with a zero day, e.g. a credit card expiration date

4794

#

4795

# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.

4796

"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without

4797

# a year.

4798

"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a

4799

# month and day.

4800

"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0

4801

# if specifying a year by itself or a year and month where the day is not

4802

# significant.

4803

},

4804

"stringValue": "A String", # string

4805

"integerValue": "A String", # integer

4806

"timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day

4807

# or are specified elsewhere. An API may choose to allow leap seconds. Related

4808

# types are google.type.Date and `google.protobuf.Timestamp`.

4809

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may

4810

# allow the value 60 if it allows leap-seconds.

4811

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

4812

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose

4813

# to allow the value "24:00:00" for scenarios like business closing time.

4814

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

4815

},

4816

},

4817

"replacementValue": { # Set of primitive values supported by the system. # Replacement value for this bucket. If not provided

4818

# the default behavior will be to hyphenate the min-max range.

4819

# Note that for the purposes of inspection or transformation, the number

4820

# of bytes considered to comprise a 'Value' is based on its representation

4821

# as a UTF-8 encoded string. For example, if 'integer_value' is set to

4822

# 123456789, the number of bytes would be counted as 9, even though an

4823

# int64 only holds up to 8 bytes of data.

4824

"booleanValue": True or False, # boolean

4825

"floatValue": 3.14, # float

4826

"dayOfWeekValue": "A String", # day of week

4827

"timestampValue": "A String", # timestamp

4828

"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date

4829

# and time zone are either specified elsewhere or are not significant. The date

4830

# is relative to the Proleptic Gregorian Calendar. This can represent:

4831

#

4832

# * A full date, with non-zero year, month and day values

4833

# * A month and day value, with a zero year, e.g. an anniversary

4834

# * A year on its own, with zero month and day values

4835

# * A year and month value, with a zero day, e.g. a credit card expiration date

4836

#

4837

# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.

4838

"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without

4839

# a year.

4840

"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a

4841

# month and day.

4842

"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0

4843

# if specifying a year by itself or a year and month where the day is not

4844

# significant.

4845

},

4846

"stringValue": "A String", # string

4847

"integerValue": "A String", # integer

4848

"timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day

4849

# or are specified elsewhere. An API may choose to allow leap seconds. Related

4850

# types are google.type.Date and `google.protobuf.Timestamp`.

4851

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may

4852

# allow the value 60 if it allows leap-seconds.

4853

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

4854

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose

4855

# to allow the value "24:00:00" for scenarios like business closing time.

4856

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

4857

},

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

},

},

],

},

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

4862

"replaceConfig": { # Replace each input value with a given `Value`. # Replace

4863

"newValue": { # Set of primitive values supported by the system. # Value to replace it with.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

4864

# Note that for the purposes of inspection or transformation, the number

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

4865

# of bytes considered to comprise a 'Value' is based on its representation

4866

# as a UTF-8 encoded string. For example, if 'integer_value' is set to

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

4867

# 123456789, the number of bytes would be counted as 9, even though an

4868

# int64 only holds up to 8 bytes of data.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

4869

"booleanValue": True or False, # boolean

4870

"floatValue": 3.14, # float

4871

"dayOfWeekValue": "A String", # day of week

4872

"timestampValue": "A String", # timestamp

4873

"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

4874

# and time zone are either specified elsewhere or are not significant. The date

4875

# is relative to the Proleptic Gregorian Calendar. This can represent:

4876

#

4877

# * A full date, with non-zero year, month and day values

4878

# * A month and day value, with a zero year, e.g. an anniversary

4879

# * A year on its own, with zero month and day values

4880

# * A year and month value, with a zero day, e.g. a credit card expiration date

4881

#

4882

# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

4883

"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without

4884

# a year.

4885

"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

4886

# month and day.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

4887

"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

4888

# if specifying a year by itself or a year and month where the day is not

4889

# significant.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

4890

},

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

4891

"stringValue": "A String", # string

4892

"integerValue": "A String", # integer

4893

"timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day

4894

# or are specified elsewhere. An API may choose to allow leap seconds. Related

4895

# types are google.type.Date and `google.protobuf.Timestamp`.

4896

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may

4897

# allow the value 60 if it allows leap-seconds.

4898

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

4899

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose

4900

# to allow the value "24:00:00" for scenarios like business closing time.

4901

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

},

},

},

"characterMaskConfig": { # Partially mask a string by replacing a given number of characters with a # Mask

4906

# fixed character. Masking can start from the beginning or end of the string.

4907

# This can be used on data of any type (numbers, longs, and so on) and when

4908

# de-identifying structured data we'll attempt to preserve the original data's

4909

# type. (This allows you to take a long like 123 and modify it to a string like

4910

# **3.

4911

"reverseOrder": True or False, # Mask characters in reverse order. For example, if `masking_character` is

4912

# `0`, `number_to_mask` is `14`, and `reverse_order` is `false`, then the

4913

# input string `1234-5678-9012-3456` is masked as `00000000000000-3456`.

4914

# If `masking_character` is `*`, `number_to_mask` is `3`, and `reverse_order`

4915

# is `true`, then the string `12345` is masked as `12***`.

4916

"charactersToIgnore": [ # When masking a string, items in this list will be skipped when replacing

4917

# characters. For example, if the input string is `555-555-5555` and you

4918

# instruct Cloud DLP to skip `-` and mask 5 characters with `*`, Cloud DLP

4919

# returns `***-**5-5555`.

4920

{ # Characters to skip when doing deidentification of a value. These will be left

4921

# alone and skipped.

4922

"charactersToSkip": "A String", # Characters to not transform when masking.

4923

"commonCharactersToIgnore": "A String", # Common characters to not transform when masking. Useful to avoid removing

# punctuation.

},

],

"numberToMask": 42, # Number of characters to mask. If not set, all matching chars will be

4928

# masked. Skipped characters do not count towards this tally.

4929

"maskingCharacter": "A String", # Character to use to mask the sensitive values&mdash;for example, `*` for an

4930

# alphabetic string such as a name, or `0` for a numeric string such as ZIP

4931

# code or credit card number. This string must have a length of 1. If not

4932

# supplied, this value defaults to `*` for strings, and `0` for digits.

4933

},

4934

"fixedSizeBucketingConfig": { # Buckets values based on fixed size ranges. The # Fixed size bucketing

4935

# Bucketing transformation can provide all of this functionality,

4936

# but requires more configuration. This message is provided as a convenience to

4937

# the user for simple bucketing strategies.

4938

#

4939

# The transformed value will be a hyphenated string of

4940

# {lower_bound}-{upper_bound}, i.e if lower_bound = 10 and upper_bound = 20

4941

# all values that are within this bucket will be replaced with "10-20".

4942

#

4943

# This can be used on data of type: double, long.

4944

#

4945

# If the bound Value type differs from the type of data

4946

# being transformed, we will first attempt converting the type of the data to

4947

# be transformed to match the type of the bound before comparing.

4948

#

4949

# See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more.

4950

"lowerBound": { # Set of primitive values supported by the system. # Required. Lower bound value of buckets. All values less than `lower_bound` are

4951

# grouped together into a single bucket; for example if `lower_bound` = 10,

4952

# then all values less than 10 are replaced with the value "-10".

4953

# Note that for the purposes of inspection or transformation, the number

4954

# of bytes considered to comprise a 'Value' is based on its representation

4955

# as a UTF-8 encoded string. For example, if 'integer_value' is set to

4956

# 123456789, the number of bytes would be counted as 9, even though an

4957

# int64 only holds up to 8 bytes of data.

4958

"booleanValue": True or False, # boolean

4959

"floatValue": 3.14, # float

4960

"dayOfWeekValue": "A String", # day of week

4961

"timestampValue": "A String", # timestamp

4962

"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date

4963

# and time zone are either specified elsewhere or are not significant. The date

4964

# is relative to the Proleptic Gregorian Calendar. This can represent:

4965

#

4966

# * A full date, with non-zero year, month and day values

4967

# * A month and day value, with a zero year, e.g. an anniversary

4968

# * A year on its own, with zero month and day values

4969

# * A year and month value, with a zero day, e.g. a credit card expiration date

4970

#

4971

# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.

4972

"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without

4973

# a year.

4974

"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a

4975

# month and day.

4976

"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0

4977

# if specifying a year by itself or a year and month where the day is not

4978

# significant.

4979

},

4980

"stringValue": "A String", # string

4981

"integerValue": "A String", # integer

4982

"timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day

4983

# or are specified elsewhere. An API may choose to allow leap seconds. Related

4984

# types are google.type.Date and `google.protobuf.Timestamp`.

4985

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may

4986

# allow the value 60 if it allows leap-seconds.

4987

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

4988

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose

4989

# to allow the value "24:00:00" for scenarios like business closing time.

4990

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

4991

},

4992

},

4993

"upperBound": { # Set of primitive values supported by the system. # Required. Upper bound value of buckets. All values greater than upper_bound are

4994

# grouped together into a single bucket; for example if `upper_bound` = 89,

4995

# then all values greater than 89 are replaced with the value "89+".

4996

# Note that for the purposes of inspection or transformation, the number

4997

# of bytes considered to comprise a 'Value' is based on its representation

4998

# as a UTF-8 encoded string. For example, if 'integer_value' is set to

4999

# 123456789, the number of bytes would be counted as 9, even though an

5000

# int64 only holds up to 8 bytes of data.

5001

"booleanValue": True or False, # boolean

5002

"floatValue": 3.14, # float

5003

"dayOfWeekValue": "A String", # day of week

5004

"timestampValue": "A String", # timestamp

5005

"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date

5006

# and time zone are either specified elsewhere or are not significant. The date

5007

# is relative to the Proleptic Gregorian Calendar. This can represent:

5008

#

5009

# * A full date, with non-zero year, month and day values

5010

# * A month and day value, with a zero year, e.g. an anniversary

5011

# * A year on its own, with zero month and day values

5012

# * A year and month value, with a zero day, e.g. a credit card expiration date

5013

#

5014

# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.

5015

"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without

5016

# a year.

5017

"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a

5018

# month and day.

5019

"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0

5020

# if specifying a year by itself or a year and month where the day is not

5021

# significant.

5022

},

5023

"stringValue": "A String", # string

5024

"integerValue": "A String", # integer

5025

"timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day

5026

# or are specified elsewhere. An API may choose to allow leap seconds. Related

5027

# types are google.type.Date and `google.protobuf.Timestamp`.

5028

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may

5029

# allow the value 60 if it allows leap-seconds.

5030

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

5031

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose

5032

# to allow the value "24:00:00" for scenarios like business closing time.

5033

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

5034

},

5035

},

5036

"bucketSize": 3.14, # Required. Size of each bucket (except for minimum and maximum buckets). So if

5037

# `lower_bound` = 10, `upper_bound` = 89, and `bucket_size` = 10, then the

5038

# following buckets would be used: -10, 10-20, 20-30, 30-40, 40-50, 50-60,

5039

# 60-70, 70-80, 80-89, 89+. Precision up to 2 decimals works.

},

},

},

],

},

"primitiveTransformation": { # A rule for transforming a value. # Apply the transformation to the entire field.

5046

"timePartConfig": { # For use with `Date`, `Timestamp`, and `TimeOfDay`, extract or preserve a # Time extraction

5047

# portion of the value.

5048

"partToExtract": "A String", # The part of the time to keep.

5049

},

5050

"dateShiftConfig": { # Shifts dates by random number of days, with option to be consistent for the # Date Shift

5051

# same context. See https://cloud.google.com/dlp/docs/concepts-date-shifting

5052

# to learn more.

5053

"context": { # General identifier of a data field in a storage service. # Points to the field that contains the context, for example, an entity id.

5054

# If set, must also set cryptoKey. If set, shift will be consistent for the

5055

# given context.

5056

"name": "A String", # Name describing the field.

5057

},

5058

"upperBoundDays": 42, # Required. Range of shift in days. Actual shift will be selected at random within this

5059

# range (inclusive ends). Negative means shift to earlier in time. Must not

5060

# be more than 365250 days (1000 years) each direction.

5061

#

5062

# For example, 3 means shift date to at most 3 days into the future.

5063

"lowerBoundDays": 42, # Required. For example, -5 means shift date to at most 5 days back in the past.

5064

"cryptoKey": { # This is a data encryption key (DEK) (as opposed to # Causes the shift to be computed based on this key and the context. This

5065

# results in the same shift for the same context and crypto_key. If

5066

# set, must also set context. Can only be applied to table items.

5067

# a key encryption key (KEK) stored by KMS).

5068

# When using KMS to wrap/unwrap DEKs, be sure to set an appropriate

5069

# IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot

5070

# unwrap the data crypto key.

5071

"kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key

5072

# The wrapped key must be a 128/192/256 bit key.

5073

# Authorization requires the following IAM permissions when sending a request

5074

# to perform a crypto transformation using a kms-wrapped crypto key:

5075

# dlp.kms.encrypt

5076

"wrappedKey": "A String", # Required. The wrapped data crypto key.

5077

"cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.

5078

},

5079

"unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key

5080

# leaking the key. Choose another type of key if possible.

5081

"key": "A String", # Required. A 128/192/256 bit key.

5082

},

5083

"transient": { # Use this to have a random data crypto key generated. # Transient crypto key

5084

# It will be discarded after the request finishes.

5085

"name": "A String", # Required. Name of the key.

5086

# This is an arbitrary string used to differentiate different keys.

5087

# A unique key is generated per name: two separate `TransientCryptoKey`

5088

# protos share the same generated key if their names are the same.

5089

# When the data crypto key is generated, this name is not used in any way

5090

# (repeating the api call will result in a different key being generated).

},

},

},

"replaceWithInfoTypeConfig": { # Replace each matching finding with the name of the info_type. # Replace with infotype

5095

},

5096

"cryptoHashConfig": { # Pseudonymization method that generates surrogates via cryptographic hashing. # Crypto

5097

# Uses SHA-256.

5098

# The key size must be either 32 or 64 bytes.

5099

# Outputs a base64 encoded representation of the hashed output

5100

# (for example, L7k0BHmF1ha5U3NfGykjro4xWi1MPVQPjhMAZbSV9mM=).

5101

# Currently, only string and integer values can be hashed.

5102

# See https://cloud.google.com/dlp/docs/pseudonymization to learn more.

5103

"cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the hash function.

5104

# a key encryption key (KEK) stored by KMS).

5105

# When using KMS to wrap/unwrap DEKs, be sure to set an appropriate

5106

# IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot

5107

# unwrap the data crypto key.

5108

"kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key

5109

# The wrapped key must be a 128/192/256 bit key.

5110

# Authorization requires the following IAM permissions when sending a request

5111

# to perform a crypto transformation using a kms-wrapped crypto key:

5112

# dlp.kms.encrypt

5113

"wrappedKey": "A String", # Required. The wrapped data crypto key.

5114

"cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.

5115

},

5116

"unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key

5117

# leaking the key. Choose another type of key if possible.

5118

"key": "A String", # Required. A 128/192/256 bit key.

5119

},

5120

"transient": { # Use this to have a random data crypto key generated. # Transient crypto key

5121

# It will be discarded after the request finishes.

5122

"name": "A String", # Required. Name of the key.

5123

# This is an arbitrary string used to differentiate different keys.

5124

# A unique key is generated per name: two separate `TransientCryptoKey`

5125

# protos share the same generated key if their names are the same.

5126

# When the data crypto key is generated, this name is not used in any way

5127

# (repeating the api call will result in a different key being generated).

},

},

},

"cryptoReplaceFfxFpeConfig": { # Replaces an identifier with a surrogate using Format Preserving Encryption # Ffx-Fpe

5132

# (FPE) with the FFX mode of operation; however when used in the

5133

# `ReidentifyContent` API method, it serves the opposite function by reversing

5134

# the surrogate back into the original identifier. The identifier must be

5135

# encoded as ASCII. For a given crypto key and context, the same identifier

5136

# will be replaced with the same surrogate. Identifiers must be at least two

5137

# characters long. In the case that the identifier is the empty string, it will

5138

# be skipped. See https://cloud.google.com/dlp/docs/pseudonymization to learn

5139

# more.

5140

#

5141

# Note: We recommend using CryptoDeterministicConfig for all use cases which

5142

# do not require preserving the input alphabet space and size, plus warrant

5143

# referential integrity.

5144

"customAlphabet": "A String", # This is supported by mapping these to the alphanumeric characters

5145

# that the FFX mode natively supports. This happens before/after

5146

# encryption/decryption.

5147

# Each character listed must appear only once.

5148

# Number of characters must be in the range [2, 95].

5149

# This must be encoded as ASCII.

5150

# The order of characters does not matter.

5151

"commonAlphabet": "A String", # Common alphabets.

5152

"surrogateInfoType": { # Type of information detected by the API. # The custom infoType to annotate the surrogate with.

5153

# This annotation will be applied to the surrogate by prefixing it with

5154

# the name of the custom infoType followed by the number of

5155

# characters comprising the surrogate. The following scheme defines the

5156

# format: info_type_name(surrogate_character_count):surrogate

5157

#

5158

# For example, if the name of custom infoType is 'MY_TOKEN_INFO_TYPE' and

5159

# the surrogate is 'abc', the full replacement value

5160

# will be: 'MY_TOKEN_INFO_TYPE(3):abc'

5161

#

5162

# This annotation identifies the surrogate when inspecting content using the

5163

# custom infoType

5164

# [`SurrogateType`](/dlp/docs/reference/rest/v2/InspectConfig#surrogatetype).

5165

# This facilitates reversal of the surrogate when it occurs in free text.

5166

#

5167

# In order for inspection to work properly, the name of this infoType must

5168

# not occur naturally anywhere in your data; otherwise, inspection may

5169

# find a surrogate that does not correspond to an actual identifier.

5170

# Therefore, choose your custom infoType name carefully after considering

5171

# what your data looks like. One way to select a name that has a high chance

5172

# of yielding reliable detection is to include one or more unicode characters

5173

# that are highly improbable to exist in your data.

5174

# For example, assuming your data is entered from a regular ASCII keyboard,

5175

# the symbol with the hex code point 29DD might be used like so:

5176

# ⧝MY_TOKEN_TYPE

5177

"name": "A String", # Name of the information type. Either a name of your choosing when

5178

# creating a CustomInfoType, or one of the names listed

5179

# at https://cloud.google.com/dlp/docs/infotypes-reference when specifying

5180

# a built-in type. InfoType names should conform to the pattern

5181

# `[a-zA-Z0-9_]{1,64}`.

5182

},

5183

"context": { # General identifier of a data field in a storage service. # The 'tweak', a context may be used for higher security since the same

5184

# identifier in two different contexts won't be given the same surrogate. If

5185

# the context is not set, a default tweak will be used.

5186

#

5187

# If the context is set but:

5188

#

5189

# 1. there is no record present when transforming a given value or

5190

# 1. the field is not present when transforming a given value,

5191

#

5192

# a default tweak will be used.

5193

#

5194

# Note that case (1) is expected when an `InfoTypeTransformation` is

5195

# applied to both structured and non-structured `ContentItem`s.

5196

# Currently, the referenced field may be of value type integer or string.

5197

#

5198

# The tweak is constructed as a sequence of bytes in big endian byte order

5199

# such that:

5200

#

5201

# - a 64 bit integer is encoded followed by a single byte of value 1

5202

# - a string is encoded in UTF-8 format followed by a single byte of value 2

5203

"name": "A String", # Name describing the field.

5204

},

5205

"radix": 42, # The native way to select the alphabet. Must be in the range [2, 95].

5206

"cryptoKey": { # This is a data encryption key (DEK) (as opposed to # Required. The key used by the encryption algorithm.

5207

# a key encryption key (KEK) stored by KMS).

5208

# When using KMS to wrap/unwrap DEKs, be sure to set an appropriate

5209

# IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot

5210

# unwrap the data crypto key.

5211

"kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key

5212

# The wrapped key must be a 128/192/256 bit key.

5213

# Authorization requires the following IAM permissions when sending a request

5214

# to perform a crypto transformation using a kms-wrapped crypto key:

5215

# dlp.kms.encrypt

5216

"wrappedKey": "A String", # Required. The wrapped data crypto key.

5217

"cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.

5218

},

5219

"unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key

5220

# leaking the key. Choose another type of key if possible.

5221

"key": "A String", # Required. A 128/192/256 bit key.

5222

},

5223

"transient": { # Use this to have a random data crypto key generated. # Transient crypto key

5224

# It will be discarded after the request finishes.

5225

"name": "A String", # Required. Name of the key.

5226

# This is an arbitrary string used to differentiate different keys.

5227

# A unique key is generated per name: two separate `TransientCryptoKey`

5228

# protos share the same generated key if their names are the same.

5229

# When the data crypto key is generated, this name is not used in any way

5230

# (repeating the api call will result in a different key being generated).

},

},

},

"cryptoDeterministicConfig": { # Pseudonymization method that generates deterministic encryption for the given # Deterministic Crypto

5235

# input. Outputs a base64 encoded representation of the encrypted output.

5236

# Uses AES-SIV based on the RFC https://tools.ietf.org/html/rfc5297.

5237

"surrogateInfoType": { # Type of information detected by the API. # The custom info type to annotate the surrogate with.

5238

# This annotation will be applied to the surrogate by prefixing it with

5239

# the name of the custom info type followed by the number of

5240

# characters comprising the surrogate. The following scheme defines the

5241

# format: {info type name}({surrogate character count}):{surrogate}

5242

#

5243

# For example, if the name of custom info type is 'MY_TOKEN_INFO_TYPE' and

5244

# the surrogate is 'abc', the full replacement value

5245

# will be: 'MY_TOKEN_INFO_TYPE(3):abc'

5246

#

5247

# This annotation identifies the surrogate when inspecting content using the

5248

# custom info type 'Surrogate'. This facilitates reversal of the

5249

# surrogate when it occurs in free text.

5250

#

5251

# Note: For record transformations where the entire cell in a table is being

5252

# transformed, surrogates are not mandatory. Surrogates are used to denote

5253

# the location of the token and are necessary for re-identification in free

5254

# form text.

5255

#

5256

# In order for inspection to work properly, the name of this info type must

5257

# not occur naturally anywhere in your data; otherwise, inspection may either

5258

#

5259

# - reverse a surrogate that does not correspond to an actual identifier

5260

# - be unable to parse the surrogate and result in an error

5261

#

5262

# Therefore, choose your custom info type name carefully after considering

5263

# what your data looks like. One way to select a name that has a high chance

5264

# of yielding reliable detection is to include one or more unicode characters

5265

# that are highly improbable to exist in your data.

5266

# For example, assuming your data is entered from a regular ASCII keyboard,

5267

# the symbol with the hex code point 29DD might be used like so:

5268

# ⧝MY_TOKEN_TYPE.

5269

"name": "A String", # Name of the information type. Either a name of your choosing when

5270

# creating a CustomInfoType, or one of the names listed

5271

# at https://cloud.google.com/dlp/docs/infotypes-reference when specifying

5272

# a built-in type. InfoType names should conform to the pattern

5273

# `[a-zA-Z0-9_]{1,64}`.

5274

},

5275

"context": { # General identifier of a data field in a storage service. # A context may be used for higher security and maintaining

5276

# referential integrity such that the same identifier in two different

5277

# contexts will be given a distinct surrogate. The context is appended to

5278

# plaintext value being encrypted. On decryption the provided context is

5279

# validated against the value used during encryption. If a context was

5280

# provided during encryption, same context must be provided during decryption

5281

# as well.

5282

#

5283

# If the context is not set, plaintext would be used as is for encryption.

5284

# If the context is set but:

5285

#

5286

# 1. there is no record present when transforming a given value or

5287

# 2. the field is not present when transforming a given value,

5288

#

5289

# plaintext would be used as is for encryption.

5290

#

5291

# Note that case (1) is expected when an `InfoTypeTransformation` is

5292

# applied to both structured and non-structured `ContentItem`s.

5293

"name": "A String", # Name describing the field.

5294

},

5295

"cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the encryption function.

5296

# a key encryption key (KEK) stored by KMS).

5297

# When using KMS to wrap/unwrap DEKs, be sure to set an appropriate

5298

# IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot

5299

# unwrap the data crypto key.

5300

"kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key

5301

# The wrapped key must be a 128/192/256 bit key.

5302

# Authorization requires the following IAM permissions when sending a request

5303

# to perform a crypto transformation using a kms-wrapped crypto key:

5304

# dlp.kms.encrypt

5305

"wrappedKey": "A String", # Required. The wrapped data crypto key.

5306

"cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.

5307

},

5308

"unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key

5309

# leaking the key. Choose another type of key if possible.

5310

"key": "A String", # Required. A 128/192/256 bit key.

5311

},

5312

"transient": { # Use this to have a random data crypto key generated. # Transient crypto key

5313

# It will be discarded after the request finishes.

5314

"name": "A String", # Required. Name of the key.

5315

# This is an arbitrary string used to differentiate different keys.

5316

# A unique key is generated per name: two separate `TransientCryptoKey`

5317

# protos share the same generated key if their names are the same.

5318

# When the data crypto key is generated, this name is not used in any way

5319

# (repeating the api call will result in a different key being generated).

},

},

},

"redactConfig": { # Redact a given value. For example, if used with an `InfoTypeTransformation` # Redact

5324

# transforming PHONE_NUMBER, and input 'My phone number is 206-555-0123', the

5325

# output would be 'My phone number is '.

5326

},

5327

"bucketingConfig": { # Generalization function that buckets values based on ranges. The ranges and # Bucketing

5328

# replacement values are dynamically provided by the user for custom behavior,

5329

# such as 1-30 -> LOW 31-65 -> MEDIUM 66-100 -> HIGH

5330

# This can be used on

5331

# data of type: number, long, string, timestamp.

5332

# If the bound `Value` type differs from the type of data being transformed, we

5333

# will first attempt converting the type of the data to be transformed to match

5334

# the type of the bound before comparing.

5335

# See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more.

5336

"buckets": [ # Set of buckets. Ranges must be non-overlapping.

5337

{ # Bucket is represented as a range, along with replacement values.

5338

"min": { # Set of primitive values supported by the system. # Lower bound of the range, inclusive. Type should be the same as max if

5339

# used.

5340

# Note that for the purposes of inspection or transformation, the number

5341

# of bytes considered to comprise a 'Value' is based on its representation

5342

# as a UTF-8 encoded string. For example, if 'integer_value' is set to

5343

# 123456789, the number of bytes would be counted as 9, even though an

5344

# int64 only holds up to 8 bytes of data.

5345

"booleanValue": True or False, # boolean

5346

"floatValue": 3.14, # float

5347

"dayOfWeekValue": "A String", # day of week

5348

"timestampValue": "A String", # timestamp

5349

"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date

5350

# and time zone are either specified elsewhere or are not significant. The date

5351

# is relative to the Proleptic Gregorian Calendar. This can represent:

5352

#

5353

# * A full date, with non-zero year, month and day values

5354

# * A month and day value, with a zero year, e.g. an anniversary

5355

# * A year on its own, with zero month and day values

5356

# * A year and month value, with a zero day, e.g. a credit card expiration date

5357

#

5358

# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.

5359

"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without

5360

# a year.

5361

"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a

5362

# month and day.

5363

"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0

5364

# if specifying a year by itself or a year and month where the day is not

5365

# significant.

5366

},

5367

"stringValue": "A String", # string

5368

"integerValue": "A String", # integer

5369

"timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day

5370

# or are specified elsewhere. An API may choose to allow leap seconds. Related

5371

# types are google.type.Date and `google.protobuf.Timestamp`.

5372

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may

5373

# allow the value 60 if it allows leap-seconds.

5374

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

5375

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose

5376

# to allow the value "24:00:00" for scenarios like business closing time.

5377

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

5378

},

5379

},

5380

"max": { # Set of primitive values supported by the system. # Upper bound of the range, exclusive; type must match min.

5381

# Note that for the purposes of inspection or transformation, the number

5382

# of bytes considered to comprise a 'Value' is based on its representation

5383

# as a UTF-8 encoded string. For example, if 'integer_value' is set to

5384

# 123456789, the number of bytes would be counted as 9, even though an

5385

# int64 only holds up to 8 bytes of data.

5386

"booleanValue": True or False, # boolean

5387

"floatValue": 3.14, # float

5388

"dayOfWeekValue": "A String", # day of week

5389

"timestampValue": "A String", # timestamp

5390

"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date

5391

# and time zone are either specified elsewhere or are not significant. The date

5392

# is relative to the Proleptic Gregorian Calendar. This can represent:

5393

#

5394

# * A full date, with non-zero year, month and day values

5395

# * A month and day value, with a zero year, e.g. an anniversary

5396

# * A year on its own, with zero month and day values

5397

# * A year and month value, with a zero day, e.g. a credit card expiration date

5398

#

5399

# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.

5400

"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without

5401

# a year.

5402

"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a

5403

# month and day.

5404

"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0

5405

# if specifying a year by itself or a year and month where the day is not

5406

# significant.

5407

},

5408

"stringValue": "A String", # string

5409

"integerValue": "A String", # integer

5410

"timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day

5411

# or are specified elsewhere. An API may choose to allow leap seconds. Related

5412

# types are google.type.Date and `google.protobuf.Timestamp`.

5413

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may

5414

# allow the value 60 if it allows leap-seconds.

5415

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

5416

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose

5417

# to allow the value "24:00:00" for scenarios like business closing time.

5418

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

5419

},

5420

},

5421

"replacementValue": { # Set of primitive values supported by the system. # Replacement value for this bucket. If not provided

5422

# the default behavior will be to hyphenate the min-max range.

5423

# Note that for the purposes of inspection or transformation, the number

5424

# of bytes considered to comprise a 'Value' is based on its representation

5425

# as a UTF-8 encoded string. For example, if 'integer_value' is set to

5426

# 123456789, the number of bytes would be counted as 9, even though an

5427

# int64 only holds up to 8 bytes of data.

5428

"booleanValue": True or False, # boolean

5429

"floatValue": 3.14, # float

5430

"dayOfWeekValue": "A String", # day of week

5431

"timestampValue": "A String", # timestamp

5432

"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date

5433

# and time zone are either specified elsewhere or are not significant. The date

5434

# is relative to the Proleptic Gregorian Calendar. This can represent:

5435

#

5436

# * A full date, with non-zero year, month and day values

5437

# * A month and day value, with a zero year, e.g. an anniversary

5438

# * A year on its own, with zero month and day values

5439

# * A year and month value, with a zero day, e.g. a credit card expiration date

5440

#

5441

# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.

5442

"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without

5443

# a year.

5444

"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a

5445

# month and day.

5446

"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0

5447

# if specifying a year by itself or a year and month where the day is not

5448

# significant.

5449

},

5450

"stringValue": "A String", # string

5451

"integerValue": "A String", # integer

5452

"timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day

5453

# or are specified elsewhere. An API may choose to allow leap seconds. Related

5454

# types are google.type.Date and `google.protobuf.Timestamp`.

5455

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may

5456

# allow the value 60 if it allows leap-seconds.

5457

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

5458

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose

5459

# to allow the value "24:00:00" for scenarios like business closing time.

5460

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

5461

},

5462

},

5463

},

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

5464

],

5465

},

5466

"replaceConfig": { # Replace each input value with a given `Value`. # Replace

5467

"newValue": { # Set of primitive values supported by the system. # Value to replace it with.

5468

# Note that for the purposes of inspection or transformation, the number

5469

# of bytes considered to comprise a 'Value' is based on its representation

5470

# as a UTF-8 encoded string. For example, if 'integer_value' is set to

5471

# 123456789, the number of bytes would be counted as 9, even though an

5472

# int64 only holds up to 8 bytes of data.

5473

"booleanValue": True or False, # boolean

5474

"floatValue": 3.14, # float

5475

"dayOfWeekValue": "A String", # day of week

5476

"timestampValue": "A String", # timestamp

5477

"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date

5478

# and time zone are either specified elsewhere or are not significant. The date

5479

# is relative to the Proleptic Gregorian Calendar. This can represent:

5480

#

5481

# * A full date, with non-zero year, month and day values

5482

# * A month and day value, with a zero year, e.g. an anniversary

5483

# * A year on its own, with zero month and day values

5484

# * A year and month value, with a zero day, e.g. a credit card expiration date

5485

#

5486

# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.

5487

"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without

5488

# a year.

5489

"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a

5490

# month and day.

5491

"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0

5492

# if specifying a year by itself or a year and month where the day is not

5493

# significant.

5494

},

5495

"stringValue": "A String", # string

5496

"integerValue": "A String", # integer

5497

"timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day

5498

# or are specified elsewhere. An API may choose to allow leap seconds. Related

5499

# types are google.type.Date and `google.protobuf.Timestamp`.

5500

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may

5501

# allow the value 60 if it allows leap-seconds.

5502

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

5503

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose

5504

# to allow the value "24:00:00" for scenarios like business closing time.

5505

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

},

},

},

"characterMaskConfig": { # Partially mask a string by replacing a given number of characters with a # Mask

5510

# fixed character. Masking can start from the beginning or end of the string.

5511

# This can be used on data of any type (numbers, longs, and so on) and when

5512

# de-identifying structured data we'll attempt to preserve the original data's

5513

# type. (This allows you to take a long like 123 and modify it to a string like

5514

# **3.

5515

"reverseOrder": True or False, # Mask characters in reverse order. For example, if `masking_character` is

5516

# `0`, `number_to_mask` is `14`, and `reverse_order` is `false`, then the

5517

# input string `1234-5678-9012-3456` is masked as `00000000000000-3456`.

5518

# If `masking_character` is `*`, `number_to_mask` is `3`, and `reverse_order`

5519

# is `true`, then the string `12345` is masked as `12***`.

5520

"charactersToIgnore": [ # When masking a string, items in this list will be skipped when replacing

5521

# characters. For example, if the input string is `555-555-5555` and you

5522

# instruct Cloud DLP to skip `-` and mask 5 characters with `*`, Cloud DLP

5523

# returns `***-**5-5555`.

5524

{ # Characters to skip when doing deidentification of a value. These will be left

5525

# alone and skipped.

5526

"charactersToSkip": "A String", # Characters to not transform when masking.

5527

"commonCharactersToIgnore": "A String", # Common characters to not transform when masking. Useful to avoid removing

# punctuation.

},

],

"numberToMask": 42, # Number of characters to mask. If not set, all matching chars will be

5532

# masked. Skipped characters do not count towards this tally.

5533

"maskingCharacter": "A String", # Character to use to mask the sensitive values&mdash;for example, `*` for an

5534

# alphabetic string such as a name, or `0` for a numeric string such as ZIP

5535

# code or credit card number. This string must have a length of 1. If not

5536

# supplied, this value defaults to `*` for strings, and `0` for digits.

5537

},

5538

"fixedSizeBucketingConfig": { # Buckets values based on fixed size ranges. The # Fixed size bucketing

5539

# Bucketing transformation can provide all of this functionality,

5540

# but requires more configuration. This message is provided as a convenience to

5541

# the user for simple bucketing strategies.

5542

#

5543

# The transformed value will be a hyphenated string of

5544

# {lower_bound}-{upper_bound}, i.e if lower_bound = 10 and upper_bound = 20

5545

# all values that are within this bucket will be replaced with "10-20".

5546

#

5547

# This can be used on data of type: double, long.

5548

#

5549

# If the bound Value type differs from the type of data

5550

# being transformed, we will first attempt converting the type of the data to

5551

# be transformed to match the type of the bound before comparing.

5552

#

5553

# See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more.

5554

"lowerBound": { # Set of primitive values supported by the system. # Required. Lower bound value of buckets. All values less than `lower_bound` are

5555

# grouped together into a single bucket; for example if `lower_bound` = 10,

5556

# then all values less than 10 are replaced with the value "-10".

5557

# Note that for the purposes of inspection or transformation, the number

5558

# of bytes considered to comprise a 'Value' is based on its representation

5559

# as a UTF-8 encoded string. For example, if 'integer_value' is set to

5560

# 123456789, the number of bytes would be counted as 9, even though an

5561

# int64 only holds up to 8 bytes of data.

5562

"booleanValue": True or False, # boolean

5563

"floatValue": 3.14, # float

5564

"dayOfWeekValue": "A String", # day of week

5565

"timestampValue": "A String", # timestamp

5566

"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date

5567

# and time zone are either specified elsewhere or are not significant. The date

5568

# is relative to the Proleptic Gregorian Calendar. This can represent:

5569

#

5570

# * A full date, with non-zero year, month and day values

5571

# * A month and day value, with a zero year, e.g. an anniversary

5572

# * A year on its own, with zero month and day values

5573

# * A year and month value, with a zero day, e.g. a credit card expiration date

5574

#

5575

# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.

5576

"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without

5577

# a year.

5578

"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a

5579

# month and day.

5580

"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0

5581

# if specifying a year by itself or a year and month where the day is not

5582

# significant.

5583

},

5584

"stringValue": "A String", # string

5585

"integerValue": "A String", # integer

5586

"timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day

5587

# or are specified elsewhere. An API may choose to allow leap seconds. Related

5588

# types are google.type.Date and `google.protobuf.Timestamp`.

5589

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may

5590

# allow the value 60 if it allows leap-seconds.

5591

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

5592

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose

5593

# to allow the value "24:00:00" for scenarios like business closing time.

5594

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

5595

},

5596

},

5597

"upperBound": { # Set of primitive values supported by the system. # Required. Upper bound value of buckets. All values greater than upper_bound are

5598

# grouped together into a single bucket; for example if `upper_bound` = 89,

5599

# then all values greater than 89 are replaced with the value "89+".

5600

# Note that for the purposes of inspection or transformation, the number

5601

# of bytes considered to comprise a 'Value' is based on its representation

5602

# as a UTF-8 encoded string. For example, if 'integer_value' is set to

5603

# 123456789, the number of bytes would be counted as 9, even though an

5604

# int64 only holds up to 8 bytes of data.

5605

"booleanValue": True or False, # boolean

5606

"floatValue": 3.14, # float

5607

"dayOfWeekValue": "A String", # day of week

5608

"timestampValue": "A String", # timestamp

5609

"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date

5610

# and time zone are either specified elsewhere or are not significant. The date

5611

# is relative to the Proleptic Gregorian Calendar. This can represent:

5612

#

5613

# * A full date, with non-zero year, month and day values

5614

# * A month and day value, with a zero year, e.g. an anniversary

5615

# * A year on its own, with zero month and day values

5616

# * A year and month value, with a zero day, e.g. a credit card expiration date

5617

#

5618

# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.

5619

"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without

5620

# a year.

5621

"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a

5622

# month and day.

5623

"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0

5624

# if specifying a year by itself or a year and month where the day is not

5625

# significant.

5626

},

5627

"stringValue": "A String", # string

5628

"integerValue": "A String", # integer

5629

"timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day

5630

# or are specified elsewhere. An API may choose to allow leap seconds. Related

5631

# types are google.type.Date and `google.protobuf.Timestamp`.

5632

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may

5633

# allow the value 60 if it allows leap-seconds.

5634

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

5635

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose

5636

# to allow the value "24:00:00" for scenarios like business closing time.

5637

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

5638

},

5639

},

5640

"bucketSize": 3.14, # Required. Size of each bucket (except for minimum and maximum buckets). So if

5641

# `lower_bound` = 10, `upper_bound` = 89, and `bucket_size` = 10, then the

5642

# following buckets would be used: -10, 10-20, 20-30, 30-40, 40-50, 50-60,

5643

# 60-70, 70-80, 80-89, 89+. Precision up to 2 decimals works.

5644

},

5645

},

5646

"condition": { # A condition for determining whether a transformation should be applied to # Only apply the transformation if the condition evaluates to true for the

5647

# given `RecordCondition`. The conditions are allowed to reference fields

5648

# that are not used in the actual transformation.

#

# Example Use Cases:

#

# - Apply a different bucket transformation to an age column if the zip code

5653

# column for the same record is within a specific range.

5654

# - Redact a field if the date of birth field is greater than 85.

5655

# a field.

5656

"expressions": { # An expression, consisting or an operator and conditions. # An expression.

5657

"logicalOperator": "A String", # The operator to apply to the result of conditions. Default and currently

5658

# only supported value is `AND`.

5659

"conditions": { # A collection of conditions. # Conditions to apply to the expression.

5660

"conditions": [ # A collection of conditions.

5661

{ # The field type of `value` and `field` do not need to match to be

5662

# considered equal, but not all comparisons are possible.

5663

# EQUAL_TO and NOT_EQUAL_TO attempt to compare even with incompatible types,

5664

# but all other comparisons are invalid with incompatible types.

5665

# A `value` of type:

5666

#

5667

# - `string` can be compared against all other types

5668

# - `boolean` can only be compared against other booleans

5669

# - `integer` can be compared against doubles or a string if the string value

5670

# can be parsed as an integer.

5671

# - `double` can be compared against integers or a string if the string can

5672

# be parsed as a double.

5673

# - `Timestamp` can be compared against strings in RFC 3339 date string

5674

# format.

5675

# - `TimeOfDay` can be compared against timestamps and strings in the format

5676

# of 'HH:mm:ss'.

5677

#

5678

# If we fail to compare do to type mismatch, a warning will be given and

5679

# the condition will evaluate to false.

5680

"field": { # General identifier of a data field in a storage service. # Required. Field within the record this condition is evaluated against.

5681

"name": "A String", # Name describing the field.

5682

},

5683

"operator": "A String", # Required. Operator used to compare the field or infoType to the value.

5684

"value": { # Set of primitive values supported by the system. # Value to compare against. [Mandatory, except for `EXISTS` tests.]

5685

# Note that for the purposes of inspection or transformation, the number

5686

# of bytes considered to comprise a 'Value' is based on its representation

5687

# as a UTF-8 encoded string. For example, if 'integer_value' is set to

5688

# 123456789, the number of bytes would be counted as 9, even though an

5689

# int64 only holds up to 8 bytes of data.

5690

"booleanValue": True or False, # boolean

5691

"floatValue": 3.14, # float

5692

"dayOfWeekValue": "A String", # day of week

5693

"timestampValue": "A String", # timestamp

5694

"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date

5695

# and time zone are either specified elsewhere or are not significant. The date

5696

# is relative to the Proleptic Gregorian Calendar. This can represent:

5697

#

5698

# * A full date, with non-zero year, month and day values

5699

# * A month and day value, with a zero year, e.g. an anniversary

5700

# * A year on its own, with zero month and day values

5701

# * A year and month value, with a zero day, e.g. a credit card expiration date

5702

#

5703

# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.

5704

"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without

5705

# a year.

5706

"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a

5707

# month and day.

5708

"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0

5709

# if specifying a year by itself or a year and month where the day is not

5710

# significant.

5711

},

5712

"stringValue": "A String", # string

5713

"integerValue": "A String", # integer

5714

"timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day

5715

# or are specified elsewhere. An API may choose to allow leap seconds. Related

5716

# types are google.type.Date and `google.protobuf.Timestamp`.

5717

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may

5718

# allow the value 60 if it allows leap-seconds.

5719

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

5720

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose

5721

# to allow the value "24:00:00" for scenarios like business closing time.

5722

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

5723

},

5724

},

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

5725

},

5726

],

5727

},

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

5728

},

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

5729

},

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

5730

},

5731

],

5732

},

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

5733

"infoTypeTransformations": { # A type of transformation that will scan unstructured text and # Treat the dataset as free-form text and apply the same free text

5734

# transformation everywhere.

5735

# apply various `PrimitiveTransformation`s to each finding, where the

5736

# transformation is applied to only values that were identified as a specific

5737

# info_type.

5738

"transformations": [ # Required. Transformation for each infoType. Cannot specify more than one

5739

# for a given infoType.

5740

{ # A transformation to apply to text that is identified as a specific

5741

# info_type.

5742

"infoTypes": [ # InfoTypes to apply the transformation to. An empty list will cause

5743

# this transformation to apply to all findings that correspond to

5744

# infoTypes that were requested in `InspectConfig`.

5745

{ # Type of information detected by the API.

5746

"name": "A String", # Name of the information type. Either a name of your choosing when

5747

# creating a CustomInfoType, or one of the names listed

5748

# at https://cloud.google.com/dlp/docs/infotypes-reference when specifying

5749

# a built-in type. InfoType names should conform to the pattern

5750

# `[a-zA-Z0-9_]{1,64}`.

5751

},

5752

],

5753

"primitiveTransformation": { # A rule for transforming a value. # Required. Primitive transformation to apply to the infoType.

5754

"timePartConfig": { # For use with `Date`, `Timestamp`, and `TimeOfDay`, extract or preserve a # Time extraction

5755

# portion of the value.

5756

"partToExtract": "A String", # The part of the time to keep.

5757

},

5758

"dateShiftConfig": { # Shifts dates by random number of days, with option to be consistent for the # Date Shift

5759

# same context. See https://cloud.google.com/dlp/docs/concepts-date-shifting

5760

# to learn more.

5761

"context": { # General identifier of a data field in a storage service. # Points to the field that contains the context, for example, an entity id.

5762

# If set, must also set cryptoKey. If set, shift will be consistent for the

5763

# given context.

5764

"name": "A String", # Name describing the field.

5765

},

5766

"upperBoundDays": 42, # Required. Range of shift in days. Actual shift will be selected at random within this

5767

# range (inclusive ends). Negative means shift to earlier in time. Must not

5768

# be more than 365250 days (1000 years) each direction.

5769

#

5770

# For example, 3 means shift date to at most 3 days into the future.

5771

"lowerBoundDays": 42, # Required. For example, -5 means shift date to at most 5 days back in the past.

5772

"cryptoKey": { # This is a data encryption key (DEK) (as opposed to # Causes the shift to be computed based on this key and the context. This

5773

# results in the same shift for the same context and crypto_key. If

5774

# set, must also set context. Can only be applied to table items.

5775

# a key encryption key (KEK) stored by KMS).

5776

# When using KMS to wrap/unwrap DEKs, be sure to set an appropriate

5777

# IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot

5778

# unwrap the data crypto key.

5779

"kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key

5780

# The wrapped key must be a 128/192/256 bit key.

5781

# Authorization requires the following IAM permissions when sending a request

5782

# to perform a crypto transformation using a kms-wrapped crypto key:

5783

# dlp.kms.encrypt

5784

"wrappedKey": "A String", # Required. The wrapped data crypto key.

5785

"cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.

5786

},

5787

"unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key

5788

# leaking the key. Choose another type of key if possible.

5789

"key": "A String", # Required. A 128/192/256 bit key.

5790

},

5791

"transient": { # Use this to have a random data crypto key generated. # Transient crypto key

5792

# It will be discarded after the request finishes.

5793

"name": "A String", # Required. Name of the key.

5794

# This is an arbitrary string used to differentiate different keys.

5795

# A unique key is generated per name: two separate `TransientCryptoKey`

5796

# protos share the same generated key if their names are the same.

5797

# When the data crypto key is generated, this name is not used in any way

5798

# (repeating the api call will result in a different key being generated).

},

},

},

"replaceWithInfoTypeConfig": { # Replace each matching finding with the name of the info_type. # Replace with infotype

5803

},

5804

"cryptoHashConfig": { # Pseudonymization method that generates surrogates via cryptographic hashing. # Crypto

5805

# Uses SHA-256.

5806

# The key size must be either 32 or 64 bytes.

5807

# Outputs a base64 encoded representation of the hashed output

5808

# (for example, L7k0BHmF1ha5U3NfGykjro4xWi1MPVQPjhMAZbSV9mM=).

5809

# Currently, only string and integer values can be hashed.

5810

# See https://cloud.google.com/dlp/docs/pseudonymization to learn more.

5811

"cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the hash function.

5812

# a key encryption key (KEK) stored by KMS).

5813

# When using KMS to wrap/unwrap DEKs, be sure to set an appropriate

5814

# IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot

5815

# unwrap the data crypto key.

5816

"kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key

5817

# The wrapped key must be a 128/192/256 bit key.

5818

# Authorization requires the following IAM permissions when sending a request

5819

# to perform a crypto transformation using a kms-wrapped crypto key:

5820

# dlp.kms.encrypt

5821

"wrappedKey": "A String", # Required. The wrapped data crypto key.

5822

"cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.

5823

},

5824

"unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key

5825

# leaking the key. Choose another type of key if possible.

5826

"key": "A String", # Required. A 128/192/256 bit key.

5827

},

5828

"transient": { # Use this to have a random data crypto key generated. # Transient crypto key

5829

# It will be discarded after the request finishes.

5830

"name": "A String", # Required. Name of the key.

5831

# This is an arbitrary string used to differentiate different keys.

5832

# A unique key is generated per name: two separate `TransientCryptoKey`

5833

# protos share the same generated key if their names are the same.

5834

# When the data crypto key is generated, this name is not used in any way

5835

# (repeating the api call will result in a different key being generated).

},

},

},

"cryptoReplaceFfxFpeConfig": { # Replaces an identifier with a surrogate using Format Preserving Encryption # Ffx-Fpe

5840

# (FPE) with the FFX mode of operation; however when used in the

5841

# `ReidentifyContent` API method, it serves the opposite function by reversing

5842

# the surrogate back into the original identifier. The identifier must be

5843

# encoded as ASCII. For a given crypto key and context, the same identifier

5844

# will be replaced with the same surrogate. Identifiers must be at least two

5845

# characters long. In the case that the identifier is the empty string, it will

5846

# be skipped. See https://cloud.google.com/dlp/docs/pseudonymization to learn

5847

# more.

5848

#

5849

# Note: We recommend using CryptoDeterministicConfig for all use cases which

5850

# do not require preserving the input alphabet space and size, plus warrant

5851

# referential integrity.

5852

"customAlphabet": "A String", # This is supported by mapping these to the alphanumeric characters

5853

# that the FFX mode natively supports. This happens before/after

5854

# encryption/decryption.

5855

# Each character listed must appear only once.

5856

# Number of characters must be in the range [2, 95].

5857

# This must be encoded as ASCII.

5858

# The order of characters does not matter.

5859

"commonAlphabet": "A String", # Common alphabets.

5860

"surrogateInfoType": { # Type of information detected by the API. # The custom infoType to annotate the surrogate with.

5861

# This annotation will be applied to the surrogate by prefixing it with

5862

# the name of the custom infoType followed by the number of

5863

# characters comprising the surrogate. The following scheme defines the

5864

# format: info_type_name(surrogate_character_count):surrogate

5865

#

5866

# For example, if the name of custom infoType is 'MY_TOKEN_INFO_TYPE' and

5867

# the surrogate is 'abc', the full replacement value

5868

# will be: 'MY_TOKEN_INFO_TYPE(3):abc'

5869

#

5870

# This annotation identifies the surrogate when inspecting content using the

5871

# custom infoType

5872

# [`SurrogateType`](/dlp/docs/reference/rest/v2/InspectConfig#surrogatetype).

5873

# This facilitates reversal of the surrogate when it occurs in free text.

5874

#

5875

# In order for inspection to work properly, the name of this infoType must

5876

# not occur naturally anywhere in your data; otherwise, inspection may

5877

# find a surrogate that does not correspond to an actual identifier.

5878

# Therefore, choose your custom infoType name carefully after considering

5879

# what your data looks like. One way to select a name that has a high chance

5880

# of yielding reliable detection is to include one or more unicode characters

5881

# that are highly improbable to exist in your data.

5882

# For example, assuming your data is entered from a regular ASCII keyboard,

5883

# the symbol with the hex code point 29DD might be used like so:

5884

# ⧝MY_TOKEN_TYPE

5885

"name": "A String", # Name of the information type. Either a name of your choosing when

5886

# creating a CustomInfoType, or one of the names listed

5887

# at https://cloud.google.com/dlp/docs/infotypes-reference when specifying

5888

# a built-in type. InfoType names should conform to the pattern

5889

# `[a-zA-Z0-9_]{1,64}`.

5890

},

5891

"context": { # General identifier of a data field in a storage service. # The 'tweak', a context may be used for higher security since the same

5892

# identifier in two different contexts won't be given the same surrogate. If

5893

# the context is not set, a default tweak will be used.

5894

#

5895

# If the context is set but:

5896

#

5897

# 1. there is no record present when transforming a given value or

5898

# 1. the field is not present when transforming a given value,

5899

#

5900

# a default tweak will be used.

5901

#

5902

# Note that case (1) is expected when an `InfoTypeTransformation` is

5903

# applied to both structured and non-structured `ContentItem`s.

5904

# Currently, the referenced field may be of value type integer or string.

5905

#

5906

# The tweak is constructed as a sequence of bytes in big endian byte order

5907

# such that:

5908

#

5909

# - a 64 bit integer is encoded followed by a single byte of value 1

5910

# - a string is encoded in UTF-8 format followed by a single byte of value 2

5911

"name": "A String", # Name describing the field.

5912

},

5913

"radix": 42, # The native way to select the alphabet. Must be in the range [2, 95].

5914

"cryptoKey": { # This is a data encryption key (DEK) (as opposed to # Required. The key used by the encryption algorithm.

5915

# a key encryption key (KEK) stored by KMS).

5916

# When using KMS to wrap/unwrap DEKs, be sure to set an appropriate

5917

# IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot

5918

# unwrap the data crypto key.

5919

"kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key

5920

# The wrapped key must be a 128/192/256 bit key.

5921

# Authorization requires the following IAM permissions when sending a request

5922

# to perform a crypto transformation using a kms-wrapped crypto key:

5923

# dlp.kms.encrypt

5924

"wrappedKey": "A String", # Required. The wrapped data crypto key.

5925

"cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.

5926

},

5927

"unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key

5928

# leaking the key. Choose another type of key if possible.

5929

"key": "A String", # Required. A 128/192/256 bit key.

5930

},

5931

"transient": { # Use this to have a random data crypto key generated. # Transient crypto key

5932

# It will be discarded after the request finishes.

5933

"name": "A String", # Required. Name of the key.

5934

# This is an arbitrary string used to differentiate different keys.

5935

# A unique key is generated per name: two separate `TransientCryptoKey`

5936

# protos share the same generated key if their names are the same.

5937

# When the data crypto key is generated, this name is not used in any way

5938

# (repeating the api call will result in a different key being generated).

},

},

},

"cryptoDeterministicConfig": { # Pseudonymization method that generates deterministic encryption for the given # Deterministic Crypto

5943

# input. Outputs a base64 encoded representation of the encrypted output.

5944

# Uses AES-SIV based on the RFC https://tools.ietf.org/html/rfc5297.

5945

"surrogateInfoType": { # Type of information detected by the API. # The custom info type to annotate the surrogate with.

5946

# This annotation will be applied to the surrogate by prefixing it with

5947

# the name of the custom info type followed by the number of

5948

# characters comprising the surrogate. The following scheme defines the

5949

# format: {info type name}({surrogate character count}):{surrogate}

5950

#

5951

# For example, if the name of custom info type is 'MY_TOKEN_INFO_TYPE' and

5952

# the surrogate is 'abc', the full replacement value

5953

# will be: 'MY_TOKEN_INFO_TYPE(3):abc'

5954

#

5955

# This annotation identifies the surrogate when inspecting content using the

5956

# custom info type 'Surrogate'. This facilitates reversal of the

5957

# surrogate when it occurs in free text.

5958

#

5959

# Note: For record transformations where the entire cell in a table is being

5960

# transformed, surrogates are not mandatory. Surrogates are used to denote

5961

# the location of the token and are necessary for re-identification in free

5962

# form text.

5963

#

5964

# In order for inspection to work properly, the name of this info type must

5965

# not occur naturally anywhere in your data; otherwise, inspection may either

5966

#

5967

# - reverse a surrogate that does not correspond to an actual identifier

5968

# - be unable to parse the surrogate and result in an error

5969

#

5970

# Therefore, choose your custom info type name carefully after considering

5971

# what your data looks like. One way to select a name that has a high chance

5972

# of yielding reliable detection is to include one or more unicode characters

5973

# that are highly improbable to exist in your data.

5974

# For example, assuming your data is entered from a regular ASCII keyboard,

5975

# the symbol with the hex code point 29DD might be used like so:

5976

# ⧝MY_TOKEN_TYPE.

5977

"name": "A String", # Name of the information type. Either a name of your choosing when

5978

# creating a CustomInfoType, or one of the names listed

5979

# at https://cloud.google.com/dlp/docs/infotypes-reference when specifying

5980

# a built-in type. InfoType names should conform to the pattern

5981

# `[a-zA-Z0-9_]{1,64}`.

5982

},

5983

"context": { # General identifier of a data field in a storage service. # A context may be used for higher security and maintaining

5984

# referential integrity such that the same identifier in two different

5985

# contexts will be given a distinct surrogate. The context is appended to

5986

# plaintext value being encrypted. On decryption the provided context is

5987

# validated against the value used during encryption. If a context was

5988

# provided during encryption, same context must be provided during decryption

5989

# as well.

5990

#

5991

# If the context is not set, plaintext would be used as is for encryption.

5992

# If the context is set but:

5993

#

5994

# 1. there is no record present when transforming a given value or

5995

# 2. the field is not present when transforming a given value,

5996

#

5997

# plaintext would be used as is for encryption.

5998

#

5999

# Note that case (1) is expected when an `InfoTypeTransformation` is

6000

# applied to both structured and non-structured `ContentItem`s.

6001

"name": "A String", # Name describing the field.

6002

},

6003

"cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the encryption function.

6004

# a key encryption key (KEK) stored by KMS).

6005

# When using KMS to wrap/unwrap DEKs, be sure to set an appropriate

6006

# IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot

6007

# unwrap the data crypto key.

6008

"kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key

6009

# The wrapped key must be a 128/192/256 bit key.

6010

# Authorization requires the following IAM permissions when sending a request

6011

# to perform a crypto transformation using a kms-wrapped crypto key:

6012

# dlp.kms.encrypt

6013

"wrappedKey": "A String", # Required. The wrapped data crypto key.

6014

"cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.

6015

},

6016

"unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key

6017

# leaking the key. Choose another type of key if possible.

6018

"key": "A String", # Required. A 128/192/256 bit key.

6019

},

6020

"transient": { # Use this to have a random data crypto key generated. # Transient crypto key

6021

# It will be discarded after the request finishes.

6022

"name": "A String", # Required. Name of the key.

6023

# This is an arbitrary string used to differentiate different keys.

6024

# A unique key is generated per name: two separate `TransientCryptoKey`

6025

# protos share the same generated key if their names are the same.

6026

# When the data crypto key is generated, this name is not used in any way

6027

# (repeating the api call will result in a different key being generated).

},

},

},

"redactConfig": { # Redact a given value. For example, if used with an `InfoTypeTransformation` # Redact

6032

# transforming PHONE_NUMBER, and input 'My phone number is 206-555-0123', the

6033

# output would be 'My phone number is '.

6034

},

6035

"bucketingConfig": { # Generalization function that buckets values based on ranges. The ranges and # Bucketing

6036

# replacement values are dynamically provided by the user for custom behavior,

6037

# such as 1-30 -> LOW 31-65 -> MEDIUM 66-100 -> HIGH

6038

# This can be used on

6039

# data of type: number, long, string, timestamp.

6040

# If the bound `Value` type differs from the type of data being transformed, we

6041

# will first attempt converting the type of the data to be transformed to match

6042

# the type of the bound before comparing.

6043

# See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more.

6044

"buckets": [ # Set of buckets. Ranges must be non-overlapping.

6045

{ # Bucket is represented as a range, along with replacement values.

6046

"min": { # Set of primitive values supported by the system. # Lower bound of the range, inclusive. Type should be the same as max if

6047

# used.

6048

# Note that for the purposes of inspection or transformation, the number

6049

# of bytes considered to comprise a 'Value' is based on its representation

6050

# as a UTF-8 encoded string. For example, if 'integer_value' is set to

6051

# 123456789, the number of bytes would be counted as 9, even though an

6052

# int64 only holds up to 8 bytes of data.

6053

"booleanValue": True or False, # boolean

6054

"floatValue": 3.14, # float

6055

"dayOfWeekValue": "A String", # day of week

6056

"timestampValue": "A String", # timestamp

6057

"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date

6058

# and time zone are either specified elsewhere or are not significant. The date

6059

# is relative to the Proleptic Gregorian Calendar. This can represent:

6060

#

6061

# * A full date, with non-zero year, month and day values

6062

# * A month and day value, with a zero year, e.g. an anniversary

6063

# * A year on its own, with zero month and day values

6064

# * A year and month value, with a zero day, e.g. a credit card expiration date

6065

#

6066

# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.

6067

"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without

6068

# a year.

6069

"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a

6070

# month and day.

6071

"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0

6072

# if specifying a year by itself or a year and month where the day is not

6073

# significant.

6074

},

6075

"stringValue": "A String", # string

6076

"integerValue": "A String", # integer

6077

"timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day

6078

# or are specified elsewhere. An API may choose to allow leap seconds. Related

6079

# types are google.type.Date and `google.protobuf.Timestamp`.

6080

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may

6081

# allow the value 60 if it allows leap-seconds.

6082

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

6083

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose

6084

# to allow the value "24:00:00" for scenarios like business closing time.

6085

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

6086

},

6087

},

6088

"max": { # Set of primitive values supported by the system. # Upper bound of the range, exclusive; type must match min.

6089

# Note that for the purposes of inspection or transformation, the number

6090

# of bytes considered to comprise a 'Value' is based on its representation

6091

# as a UTF-8 encoded string. For example, if 'integer_value' is set to

6092

# 123456789, the number of bytes would be counted as 9, even though an

6093

# int64 only holds up to 8 bytes of data.

6094

"booleanValue": True or False, # boolean

6095

"floatValue": 3.14, # float

6096

"dayOfWeekValue": "A String", # day of week

6097

"timestampValue": "A String", # timestamp

6098

"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date

6099

# and time zone are either specified elsewhere or are not significant. The date

6100

# is relative to the Proleptic Gregorian Calendar. This can represent:

6101

#

6102

# * A full date, with non-zero year, month and day values

6103

# * A month and day value, with a zero year, e.g. an anniversary

6104

# * A year on its own, with zero month and day values

6105

# * A year and month value, with a zero day, e.g. a credit card expiration date

6106

#

6107

# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.

6108

"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without

6109

# a year.

6110

"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a

6111

# month and day.

6112

"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0

6113

# if specifying a year by itself or a year and month where the day is not

6114

# significant.

6115

},

6116

"stringValue": "A String", # string

6117

"integerValue": "A String", # integer

6118

"timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day

6119

# or are specified elsewhere. An API may choose to allow leap seconds. Related

6120

# types are google.type.Date and `google.protobuf.Timestamp`.

6121

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may

6122

# allow the value 60 if it allows leap-seconds.

6123

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

6124

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose

6125

# to allow the value "24:00:00" for scenarios like business closing time.

6126

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

6127

},

6128

},

6129

"replacementValue": { # Set of primitive values supported by the system. # Replacement value for this bucket. If not provided

6130

# the default behavior will be to hyphenate the min-max range.

6131

# Note that for the purposes of inspection or transformation, the number

6132

# of bytes considered to comprise a 'Value' is based on its representation

6133

# as a UTF-8 encoded string. For example, if 'integer_value' is set to

6134

# 123456789, the number of bytes would be counted as 9, even though an

6135

# int64 only holds up to 8 bytes of data.

6136

"booleanValue": True or False, # boolean

6137

"floatValue": 3.14, # float

6138

"dayOfWeekValue": "A String", # day of week

6139

"timestampValue": "A String", # timestamp

6140

"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date

6141

# and time zone are either specified elsewhere or are not significant. The date

6142

# is relative to the Proleptic Gregorian Calendar. This can represent:

6143

#

6144

# * A full date, with non-zero year, month and day values

6145

# * A month and day value, with a zero year, e.g. an anniversary

6146

# * A year on its own, with zero month and day values

6147

# * A year and month value, with a zero day, e.g. a credit card expiration date

6148

#

6149

# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.

6150

"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without

6151

# a year.

6152

"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a

6153

# month and day.

6154

"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0

6155

# if specifying a year by itself or a year and month where the day is not

6156

# significant.

6157

},

6158

"stringValue": "A String", # string

6159

"integerValue": "A String", # integer

6160

"timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day

6161

# or are specified elsewhere. An API may choose to allow leap seconds. Related

6162

# types are google.type.Date and `google.protobuf.Timestamp`.

6163

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may

6164

# allow the value 60 if it allows leap-seconds.

6165

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

6166

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose

6167

# to allow the value "24:00:00" for scenarios like business closing time.

6168

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

},

},

},

],

},

"replaceConfig": { # Replace each input value with a given `Value`. # Replace

6175

"newValue": { # Set of primitive values supported by the system. # Value to replace it with.

6176

# Note that for the purposes of inspection or transformation, the number

6177

# of bytes considered to comprise a 'Value' is based on its representation

6178

# as a UTF-8 encoded string. For example, if 'integer_value' is set to

6179

# 123456789, the number of bytes would be counted as 9, even though an

6180

# int64 only holds up to 8 bytes of data.

6181

"booleanValue": True or False, # boolean

6182

"floatValue": 3.14, # float

6183

"dayOfWeekValue": "A String", # day of week

6184

"timestampValue": "A String", # timestamp

6185

"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date

6186

# and time zone are either specified elsewhere or are not significant. The date

6187

# is relative to the Proleptic Gregorian Calendar. This can represent:

6188

#

6189

# * A full date, with non-zero year, month and day values

6190

# * A month and day value, with a zero year, e.g. an anniversary

6191

# * A year on its own, with zero month and day values

6192

# * A year and month value, with a zero day, e.g. a credit card expiration date

6193

#

6194

# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.

6195

"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without

6196

# a year.

6197

"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a

6198

# month and day.

6199

"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0

6200

# if specifying a year by itself or a year and month where the day is not

6201

# significant.

6202

},

6203

"stringValue": "A String", # string

6204

"integerValue": "A String", # integer

6205

"timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day

6206

# or are specified elsewhere. An API may choose to allow leap seconds. Related

6207

# types are google.type.Date and `google.protobuf.Timestamp`.

6208

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may

6209

# allow the value 60 if it allows leap-seconds.

6210

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

6211

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose

6212

# to allow the value "24:00:00" for scenarios like business closing time.

6213

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

},

},

},

"characterMaskConfig": { # Partially mask a string by replacing a given number of characters with a # Mask

6218

# fixed character. Masking can start from the beginning or end of the string.

6219

# This can be used on data of any type (numbers, longs, and so on) and when

6220

# de-identifying structured data we'll attempt to preserve the original data's

6221

# type. (This allows you to take a long like 123 and modify it to a string like

6222

# **3.

6223

"reverseOrder": True or False, # Mask characters in reverse order. For example, if `masking_character` is

6224

# `0`, `number_to_mask` is `14`, and `reverse_order` is `false`, then the

6225

# input string `1234-5678-9012-3456` is masked as `00000000000000-3456`.

6226

# If `masking_character` is `*`, `number_to_mask` is `3`, and `reverse_order`

6227

# is `true`, then the string `12345` is masked as `12***`.

6228

"charactersToIgnore": [ # When masking a string, items in this list will be skipped when replacing

6229

# characters. For example, if the input string is `555-555-5555` and you

6230

# instruct Cloud DLP to skip `-` and mask 5 characters with `*`, Cloud DLP

6231

# returns `***-**5-5555`.

6232

{ # Characters to skip when doing deidentification of a value. These will be left

6233

# alone and skipped.

6234

"charactersToSkip": "A String", # Characters to not transform when masking.

6235

"commonCharactersToIgnore": "A String", # Common characters to not transform when masking. Useful to avoid removing

# punctuation.

},

],

"numberToMask": 42, # Number of characters to mask. If not set, all matching chars will be

6240

# masked. Skipped characters do not count towards this tally.

6241

"maskingCharacter": "A String", # Character to use to mask the sensitive values&mdash;for example, `*` for an

6242

# alphabetic string such as a name, or `0` for a numeric string such as ZIP

6243

# code or credit card number. This string must have a length of 1. If not

6244

# supplied, this value defaults to `*` for strings, and `0` for digits.

6245

},

6246

"fixedSizeBucketingConfig": { # Buckets values based on fixed size ranges. The # Fixed size bucketing

6247

# Bucketing transformation can provide all of this functionality,

6248

# but requires more configuration. This message is provided as a convenience to

6249

# the user for simple bucketing strategies.

6250

#

6251

# The transformed value will be a hyphenated string of

6252

# {lower_bound}-{upper_bound}, i.e if lower_bound = 10 and upper_bound = 20

6253

# all values that are within this bucket will be replaced with "10-20".

6254

#

6255

# This can be used on data of type: double, long.

6256

#

6257

# If the bound Value type differs from the type of data

6258

# being transformed, we will first attempt converting the type of the data to

6259

# be transformed to match the type of the bound before comparing.

6260

#

6261

# See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more.

6262

"lowerBound": { # Set of primitive values supported by the system. # Required. Lower bound value of buckets. All values less than `lower_bound` are

6263

# grouped together into a single bucket; for example if `lower_bound` = 10,

6264

# then all values less than 10 are replaced with the value "-10".

6265

# Note that for the purposes of inspection or transformation, the number

6266

# of bytes considered to comprise a 'Value' is based on its representation

6267

# as a UTF-8 encoded string. For example, if 'integer_value' is set to

6268

# 123456789, the number of bytes would be counted as 9, even though an

6269

# int64 only holds up to 8 bytes of data.

6270

"booleanValue": True or False, # boolean

6271

"floatValue": 3.14, # float

6272

"dayOfWeekValue": "A String", # day of week

6273

"timestampValue": "A String", # timestamp

6274

"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date

6275

# and time zone are either specified elsewhere or are not significant. The date

6276

# is relative to the Proleptic Gregorian Calendar. This can represent:

6277

#

6278

# * A full date, with non-zero year, month and day values

6279

# * A month and day value, with a zero year, e.g. an anniversary

6280

# * A year on its own, with zero month and day values

6281

# * A year and month value, with a zero day, e.g. a credit card expiration date

6282

#

6283

# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.

6284

"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without

6285

# a year.

6286

"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a

6287

# month and day.

6288

"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0

6289

# if specifying a year by itself or a year and month where the day is not

6290

# significant.

6291

},

6292

"stringValue": "A String", # string

6293

"integerValue": "A String", # integer

6294

"timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day

6295

# or are specified elsewhere. An API may choose to allow leap seconds. Related

6296

# types are google.type.Date and `google.protobuf.Timestamp`.

6297

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may

6298

# allow the value 60 if it allows leap-seconds.

6299

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

6300

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose

6301

# to allow the value "24:00:00" for scenarios like business closing time.

6302

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

6303

},

6304

},

6305

"upperBound": { # Set of primitive values supported by the system. # Required. Upper bound value of buckets. All values greater than upper_bound are

6306

# grouped together into a single bucket; for example if `upper_bound` = 89,

6307

# then all values greater than 89 are replaced with the value "89+".

6308

# Note that for the purposes of inspection or transformation, the number

6309

# of bytes considered to comprise a 'Value' is based on its representation

6310

# as a UTF-8 encoded string. For example, if 'integer_value' is set to

6311

# 123456789, the number of bytes would be counted as 9, even though an

6312

# int64 only holds up to 8 bytes of data.

6313

"booleanValue": True or False, # boolean

6314

"floatValue": 3.14, # float

6315

"dayOfWeekValue": "A String", # day of week

6316

"timestampValue": "A String", # timestamp

6317

"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date

6318

# and time zone are either specified elsewhere or are not significant. The date

6319

# is relative to the Proleptic Gregorian Calendar. This can represent:

6320

#

6321

# * A full date, with non-zero year, month and day values

6322

# * A month and day value, with a zero year, e.g. an anniversary

6323

# * A year on its own, with zero month and day values

6324

# * A year and month value, with a zero day, e.g. a credit card expiration date

6325

#

6326

# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.

6327

"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without

6328

# a year.

6329

"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a

6330

# month and day.

6331

"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0

6332

# if specifying a year by itself or a year and month where the day is not

6333

# significant.

6334

},

6335

"stringValue": "A String", # string

6336

"integerValue": "A String", # integer

6337

"timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day

6338

# or are specified elsewhere. An API may choose to allow leap seconds. Related

6339

# types are google.type.Date and `google.protobuf.Timestamp`.

6340

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may

6341

# allow the value 60 if it allows leap-seconds.

6342

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

6343

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose

6344

# to allow the value "24:00:00" for scenarios like business closing time.

6345

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

6346

},

6347

},

6348

"bucketSize": 3.14, # Required. Size of each bucket (except for minimum and maximum buckets). So if

6349

# `lower_bound` = 10, `upper_bound` = 89, and `bucket_size` = 10, then the

6350

# following buckets would be used: -10, 10-20, 20-30, 30-40, 40-50, 50-60,

6351

# 60-70, 70-80, 80-89, 89+. Precision up to 2 decimals works.

},

},

},

],

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

6356

},

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

6357

},

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

}</pre>

</div>

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

6362

<code class="details" id="list">list(parent, pageToken=None, locationId=None, pageSize=None, orderBy=None, x__xgafv=None)</code>

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

6363

<pre>Lists DeidentifyTemplates.

6364

See https://cloud.google.com/dlp/docs/creating-templates-deid to learn

6365

more.

6366

6367

Args:

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

6368

parent: string, Required. The parent resource name, for example projects/my-project-id or

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

6369

organizations/my-org-id. (required)

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

6370

pageToken: string, Page token to continue retrieval. Comes from previous call

6371

to `ListDeidentifyTemplates`.

6372

locationId: string, The geographic location where deidentifications templates will be retrieved

6373

from. Use `-` for all locations. Reserved for future extensions.

6374

pageSize: integer, Size of the page, can be limited by server. If zero server returns

6375

a page of max size 100.

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

6376

orderBy: string, Comma separated list of fields to order by,

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

6377

followed by `asc` or `desc` postfix. This list is case-insensitive,

6378

default sorting order is ascending, redundant space characters are

6379

insignificant.

6380

6381

Example: `name asc,update_time, create_time desc`

6382

6383

Supported fields are:

6384

6385

- `create_time`: corresponds to time the template was created.

6386

- `update_time`: corresponds to time the template was last updated.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

6387

- `name`: corresponds to template's name.

6388

- `display_name`: corresponds to template's display name.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

6389

x__xgafv: string, V1 error format.

6390

Allowed values

6391

1 - v1 error format

6392

2 - v2 error format

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

6393

6394

Returns:

6395

An object of the form:

6396

6397

{ # Response message for ListDeidentifyTemplates.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

6398

"nextPageToken": "A String", # If the next page is available then the next page token to be used

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

6399

# in following ListDeidentifyTemplates request.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

6400

"deidentifyTemplates": [ # List of deidentify templates, up to page_size in

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

6401

# ListDeidentifyTemplatesRequest.

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

6402

{ # DeidentifyTemplates contains instructions on how to de-identify content.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

6403

# See https://cloud.google.com/dlp/docs/concepts-templates to learn more.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

6404

"name": "A String", # Output only. The template name.

6405

#

6406

# The template will have one of the following formats:

6407

# `projects/PROJECT_ID/deidentifyTemplates/TEMPLATE_ID` OR

6408

# `organizations/ORGANIZATION_ID/deidentifyTemplates/TEMPLATE_ID`

6409

"description": "A String", # Short description (max 256 chars).

6410

"displayName": "A String", # Display name (max 256 chars).

6411

"createTime": "A String", # Output only. The creation timestamp of an inspectTemplate.

6412

"updateTime": "A String", # Output only. The last update timestamp of an inspectTemplate.

6413

"deidentifyConfig": { # The configuration that controls how the data will change. # ///////////// // The core content of the template // ///////////////

6414

"transformationErrorHandling": { # How to handle transformation errors during de-identification. A # Mode for handling transformation errors. If left unspecified, the default

6415

# mode is `TransformationErrorHandling.ThrowError`.

6416

# transformation error occurs when the requested transformation is incompatible

6417

# with the data. For example, trying to de-identify an IP address using a

6418

# `DateShift` transformation would result in a transformation error, since date

6419

# info cannot be extracted from an IP address.

6420

# Information about any incompatible transformations, and how they were

6421

# handled, is returned in the response as part of the

6422

# `TransformationOverviews`.

6423

"throwError": { # Throw an error and fail the request when a transformation error occurs. # Throw an error

6424

},

6425

"leaveUntransformed": { # Skips the data without modifying it if the requested transformation would # Ignore errors

6426

# cause an error. For example, if a `DateShift` transformation were applied

6427

# an an IP address, this mode would leave the IP address unchanged in the

6428

# response.

6429

},

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

6430

},

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

6431

"recordTransformations": { # A type of transformation that is applied over structured data such as a # Treat the dataset as structured. Transformations can be applied to

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

6432

# specific locations within structured datasets, such as transforming

6433

# a column within a table.

6434

# table.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

6435

"recordSuppressions": [ # Configuration defining which records get suppressed entirely. Records that

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

6436

# match any suppression rule are omitted from the output.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

6437

{ # Configuration to suppress records whose suppression conditions evaluate to

6438

# true.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

6439

"condition": { # A condition for determining whether a transformation should be applied to # A condition that when it evaluates to true will result in the record being

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

6440

# evaluated to be suppressed from the transformed content.

6441

# a field.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

6442

"expressions": { # An expression, consisting or an operator and conditions. # An expression.

6443

"logicalOperator": "A String", # The operator to apply to the result of conditions. Default and currently

6444

# only supported value is `AND`.

6445

"conditions": { # A collection of conditions. # Conditions to apply to the expression.

6446

"conditions": [ # A collection of conditions.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

6447

{ # The field type of `value` and `field` do not need to match to be

6448

# considered equal, but not all comparisons are possible.

6449

# EQUAL_TO and NOT_EQUAL_TO attempt to compare even with incompatible types,

6450

# but all other comparisons are invalid with incompatible types.

6451

# A `value` of type:

6452

#

6453

# - `string` can be compared against all other types

6454

# - `boolean` can only be compared against other booleans

6455

# - `integer` can be compared against doubles or a string if the string value

6456

# can be parsed as an integer.

6457

# - `double` can be compared against integers or a string if the string can

6458

# be parsed as a double.

6459

# - `Timestamp` can be compared against strings in RFC 3339 date string

6460

# format.

6461

# - `TimeOfDay` can be compared against timestamps and strings in the format

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

6462

# of 'HH:mm:ss'.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

6463

#

6464

# If we fail to compare do to type mismatch, a warning will be given and

6465

# the condition will evaluate to false.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

6466

"field": { # General identifier of a data field in a storage service. # Required. Field within the record this condition is evaluated against.

6467

"name": "A String", # Name describing the field.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

6468

},

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

6469

"operator": "A String", # Required. Operator used to compare the field or infoType to the value.

6470

"value": { # Set of primitive values supported by the system. # Value to compare against. [Mandatory, except for `EXISTS` tests.]

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

6471

# Note that for the purposes of inspection or transformation, the number

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

6472

# of bytes considered to comprise a 'Value' is based on its representation

6473

# as a UTF-8 encoded string. For example, if 'integer_value' is set to

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

6474

# 123456789, the number of bytes would be counted as 9, even though an

6475

# int64 only holds up to 8 bytes of data.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

6476

"booleanValue": True or False, # boolean

6477

"floatValue": 3.14, # float

6478

"dayOfWeekValue": "A String", # day of week

6479

"timestampValue": "A String", # timestamp

6480

"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

6481

# and time zone are either specified elsewhere or are not significant. The date

6482

# is relative to the Proleptic Gregorian Calendar. This can represent:

6483

#

6484

# * A full date, with non-zero year, month and day values

6485

# * A month and day value, with a zero year, e.g. an anniversary

6486

# * A year on its own, with zero month and day values

6487

# * A year and month value, with a zero day, e.g. a credit card expiration date

6488

#

6489

# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

6490

"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without

6491

# a year.

6492

"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

6493

# month and day.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

6494

"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

6495

# if specifying a year by itself or a year and month where the day is not

6496

# significant.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

6497

},

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

6498

"stringValue": "A String", # string

6499

"integerValue": "A String", # integer

6500

"timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day

6501

# or are specified elsewhere. An API may choose to allow leap seconds. Related

6502

# types are google.type.Date and `google.protobuf.Timestamp`.

6503

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may

6504

# allow the value 60 if it allows leap-seconds.

6505

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

6506

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose

6507

# to allow the value "24:00:00" for scenarios like business closing time.

6508

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

6509

},

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

},

},

],

},

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

},

},

},

],

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

6518

"fieldTransformations": [ # Transform the record by applying various field transformations.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

6519

{ # The transformation to apply to the field.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

6520

"fields": [ # Required. Input field(s) to apply the transformation to.

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

6521

{ # General identifier of a data field in a storage service.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

6522

"name": "A String", # Name describing the field.

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

6523

},

6524

],

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

6525

"infoTypeTransformations": { # A type of transformation that will scan unstructured text and # Treat the contents of the field as free text, and selectively

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

6526

# transform content that matches an `InfoType`.

6527

# apply various `PrimitiveTransformation`s to each finding, where the

6528

# transformation is applied to only values that were identified as a specific

6529

# info_type.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

6530

"transformations": [ # Required. Transformation for each infoType. Cannot specify more than one

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

6531

# for a given infoType.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

6532

{ # A transformation to apply to text that is identified as a specific

6533

# info_type.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

6534

"infoTypes": [ # InfoTypes to apply the transformation to. An empty list will cause

6535

# this transformation to apply to all findings that correspond to

6536

# infoTypes that were requested in `InspectConfig`.

6537

{ # Type of information detected by the API.

6538

"name": "A String", # Name of the information type. Either a name of your choosing when

6539

# creating a CustomInfoType, or one of the names listed

6540

# at https://cloud.google.com/dlp/docs/infotypes-reference when specifying

6541

# a built-in type. InfoType names should conform to the pattern

6542

# `[a-zA-Z0-9_]{1,64}`.

6543

},

6544

],

6545

"primitiveTransformation": { # A rule for transforming a value. # Required. Primitive transformation to apply to the infoType.

6546

"timePartConfig": { # For use with `Date`, `Timestamp`, and `TimeOfDay`, extract or preserve a # Time extraction

6547

# portion of the value.

6548

"partToExtract": "A String", # The part of the time to keep.

6549

},

6550

"dateShiftConfig": { # Shifts dates by random number of days, with option to be consistent for the # Date Shift

6551

# same context. See https://cloud.google.com/dlp/docs/concepts-date-shifting

6552

# to learn more.

6553

"context": { # General identifier of a data field in a storage service. # Points to the field that contains the context, for example, an entity id.

6554

# If set, must also set cryptoKey. If set, shift will be consistent for the

6555

# given context.

6556

"name": "A String", # Name describing the field.

6557

},

6558

"upperBoundDays": 42, # Required. Range of shift in days. Actual shift will be selected at random within this

6559

# range (inclusive ends). Negative means shift to earlier in time. Must not

6560

# be more than 365250 days (1000 years) each direction.

6561

#

6562

# For example, 3 means shift date to at most 3 days into the future.

6563

"lowerBoundDays": 42, # Required. For example, -5 means shift date to at most 5 days back in the past.

6564

"cryptoKey": { # This is a data encryption key (DEK) (as opposed to # Causes the shift to be computed based on this key and the context. This

6565

# results in the same shift for the same context and crypto_key. If

6566

# set, must also set context. Can only be applied to table items.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

6567

# a key encryption key (KEK) stored by KMS).

6568

# When using KMS to wrap/unwrap DEKs, be sure to set an appropriate

6569

# IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot

6570

# unwrap the data crypto key.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

6571

"kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

6572

# The wrapped key must be a 128/192/256 bit key.

6573

# Authorization requires the following IAM permissions when sending a request

6574

# to perform a crypto transformation using a kms-wrapped crypto key:

6575

# dlp.kms.encrypt

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

6576

"wrappedKey": "A String", # Required. The wrapped data crypto key.

6577

"cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

6578

},

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

6579

"unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

6580

# leaking the key. Choose another type of key if possible.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

6581

"key": "A String", # Required. A 128/192/256 bit key.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

6582

},

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

6583

"transient": { # Use this to have a random data crypto key generated. # Transient crypto key

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

6584

# It will be discarded after the request finishes.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

6585

"name": "A String", # Required. Name of the key.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

6586

# This is an arbitrary string used to differentiate different keys.

6587

# A unique key is generated per name: two separate `TransientCryptoKey`

6588

# protos share the same generated key if their names are the same.

6589

# When the data crypto key is generated, this name is not used in any way

6590

# (repeating the api call will result in a different key being generated).

6591

},

6592

},

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

6593

},

6594

"replaceWithInfoTypeConfig": { # Replace each matching finding with the name of the info_type. # Replace with infotype

6595

},

6596

"cryptoHashConfig": { # Pseudonymization method that generates surrogates via cryptographic hashing. # Crypto

6597

# Uses SHA-256.

6598

# The key size must be either 32 or 64 bytes.

6599

# Outputs a base64 encoded representation of the hashed output

6600

# (for example, L7k0BHmF1ha5U3NfGykjro4xWi1MPVQPjhMAZbSV9mM=).

6601

# Currently, only string and integer values can be hashed.

6602

# See https://cloud.google.com/dlp/docs/pseudonymization to learn more.

6603

"cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the hash function.

6604

# a key encryption key (KEK) stored by KMS).

6605

# When using KMS to wrap/unwrap DEKs, be sure to set an appropriate

6606

# IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot

6607

# unwrap the data crypto key.

6608

"kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key

6609

# The wrapped key must be a 128/192/256 bit key.

6610

# Authorization requires the following IAM permissions when sending a request

6611

# to perform a crypto transformation using a kms-wrapped crypto key:

6612

# dlp.kms.encrypt

6613

"wrappedKey": "A String", # Required. The wrapped data crypto key.

6614

"cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.

6615

},

6616

"unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key

6617

# leaking the key. Choose another type of key if possible.

6618

"key": "A String", # Required. A 128/192/256 bit key.

6619

},

6620

"transient": { # Use this to have a random data crypto key generated. # Transient crypto key

6621

# It will be discarded after the request finishes.

6622

"name": "A String", # Required. Name of the key.

6623

# This is an arbitrary string used to differentiate different keys.

6624

# A unique key is generated per name: two separate `TransientCryptoKey`

6625

# protos share the same generated key if their names are the same.

6626

# When the data crypto key is generated, this name is not used in any way

6627

# (repeating the api call will result in a different key being generated).

},

},

},

"cryptoReplaceFfxFpeConfig": { # Replaces an identifier with a surrogate using Format Preserving Encryption # Ffx-Fpe

6632

# (FPE) with the FFX mode of operation; however when used in the

6633

# `ReidentifyContent` API method, it serves the opposite function by reversing

6634

# the surrogate back into the original identifier. The identifier must be

6635

# encoded as ASCII. For a given crypto key and context, the same identifier

6636

# will be replaced with the same surrogate. Identifiers must be at least two

6637

# characters long. In the case that the identifier is the empty string, it will

6638

# be skipped. See https://cloud.google.com/dlp/docs/pseudonymization to learn

6639

# more.

6640

#

6641

# Note: We recommend using CryptoDeterministicConfig for all use cases which

6642

# do not require preserving the input alphabet space and size, plus warrant

6643

# referential integrity.

6644

"customAlphabet": "A String", # This is supported by mapping these to the alphanumeric characters

6645

# that the FFX mode natively supports. This happens before/after

6646

# encryption/decryption.

6647

# Each character listed must appear only once.

6648

# Number of characters must be in the range [2, 95].

6649

# This must be encoded as ASCII.

6650

# The order of characters does not matter.

6651

"commonAlphabet": "A String", # Common alphabets.

6652

"surrogateInfoType": { # Type of information detected by the API. # The custom infoType to annotate the surrogate with.

6653

# This annotation will be applied to the surrogate by prefixing it with

6654

# the name of the custom infoType followed by the number of

6655

# characters comprising the surrogate. The following scheme defines the

6656

# format: info_type_name(surrogate_character_count):surrogate

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

6657

#

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

6658

# For example, if the name of custom infoType is 'MY_TOKEN_INFO_TYPE' and

6659

# the surrogate is 'abc', the full replacement value

6660

# will be: 'MY_TOKEN_INFO_TYPE(3):abc'

6661

#

6662

# This annotation identifies the surrogate when inspecting content using the

6663

# custom infoType

6664

# [`SurrogateType`](/dlp/docs/reference/rest/v2/InspectConfig#surrogatetype).

6665

# This facilitates reversal of the surrogate when it occurs in free text.

6666

#

6667

# In order for inspection to work properly, the name of this infoType must

6668

# not occur naturally anywhere in your data; otherwise, inspection may

6669

# find a surrogate that does not correspond to an actual identifier.

6670

# Therefore, choose your custom infoType name carefully after considering

6671

# what your data looks like. One way to select a name that has a high chance

6672

# of yielding reliable detection is to include one or more unicode characters

6673

# that are highly improbable to exist in your data.

6674

# For example, assuming your data is entered from a regular ASCII keyboard,

6675

# the symbol with the hex code point 29DD might be used like so:

6676

# ⧝MY_TOKEN_TYPE

6677

"name": "A String", # Name of the information type. Either a name of your choosing when

6678

# creating a CustomInfoType, or one of the names listed

6679

# at https://cloud.google.com/dlp/docs/infotypes-reference when specifying

6680

# a built-in type. InfoType names should conform to the pattern

6681

# `[a-zA-Z0-9_]{1,64}`.

6682

},

6683

"context": { # General identifier of a data field in a storage service. # The 'tweak', a context may be used for higher security since the same

6684

# identifier in two different contexts won't be given the same surrogate. If

6685

# the context is not set, a default tweak will be used.

6686

#

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

6687

# If the context is set but:

6688

#

6689

# 1. there is no record present when transforming a given value or

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

6690

# 1. the field is not present when transforming a given value,

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

6691

#

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

6692

# a default tweak will be used.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

6693

#

6694

# Note that case (1) is expected when an `InfoTypeTransformation` is

6695

# applied to both structured and non-structured `ContentItem`s.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

6696

# Currently, the referenced field may be of value type integer or string.

6697

#

6698

# The tweak is constructed as a sequence of bytes in big endian byte order

6699

# such that:

6700

#

6701

# - a 64 bit integer is encoded followed by a single byte of value 1

6702

# - a string is encoded in UTF-8 format followed by a single byte of value 2

6703

"name": "A String", # Name describing the field.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

6704

},

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

6705

"radix": 42, # The native way to select the alphabet. Must be in the range [2, 95].

6706

"cryptoKey": { # This is a data encryption key (DEK) (as opposed to # Required. The key used by the encryption algorithm.

6707

# a key encryption key (KEK) stored by KMS).

6708

# When using KMS to wrap/unwrap DEKs, be sure to set an appropriate

6709

# IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot

6710

# unwrap the data crypto key.

6711

"kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key

6712

# The wrapped key must be a 128/192/256 bit key.

6713

# Authorization requires the following IAM permissions when sending a request

6714

# to perform a crypto transformation using a kms-wrapped crypto key:

6715

# dlp.kms.encrypt

6716

"wrappedKey": "A String", # Required. The wrapped data crypto key.

6717

"cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.

6718

},

6719

"unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key

6720

# leaking the key. Choose another type of key if possible.

6721

"key": "A String", # Required. A 128/192/256 bit key.

6722

},

6723

"transient": { # Use this to have a random data crypto key generated. # Transient crypto key

6724

# It will be discarded after the request finishes.

6725

"name": "A String", # Required. Name of the key.

6726

# This is an arbitrary string used to differentiate different keys.

6727

# A unique key is generated per name: two separate `TransientCryptoKey`

6728

# protos share the same generated key if their names are the same.

6729

# When the data crypto key is generated, this name is not used in any way

6730

# (repeating the api call will result in a different key being generated).

},

},

},

"cryptoDeterministicConfig": { # Pseudonymization method that generates deterministic encryption for the given # Deterministic Crypto

6735

# input. Outputs a base64 encoded representation of the encrypted output.

6736

# Uses AES-SIV based on the RFC https://tools.ietf.org/html/rfc5297.

6737

"surrogateInfoType": { # Type of information detected by the API. # The custom info type to annotate the surrogate with.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

6738

# This annotation will be applied to the surrogate by prefixing it with

6739

# the name of the custom info type followed by the number of

6740

# characters comprising the surrogate. The following scheme defines the

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

6741

# format: {info type name}({surrogate character count}):{surrogate}

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

6742

#

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

6743

# For example, if the name of custom info type is 'MY_TOKEN_INFO_TYPE' and

6744

# the surrogate is 'abc', the full replacement value

6745

# will be: 'MY_TOKEN_INFO_TYPE(3):abc'

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

6746

#

6747

# This annotation identifies the surrogate when inspecting content using the

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

6748

# custom info type 'Surrogate'. This facilitates reversal of the

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

6749

# surrogate when it occurs in free text.

6750

#

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

6751

# Note: For record transformations where the entire cell in a table is being

6752

# transformed, surrogates are not mandatory. Surrogates are used to denote

6753

# the location of the token and are necessary for re-identification in free

6754

# form text.

6755

#

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

6756

# In order for inspection to work properly, the name of this info type must

6757

# not occur naturally anywhere in your data; otherwise, inspection may either

6758

#

6759

# - reverse a surrogate that does not correspond to an actual identifier

6760

# - be unable to parse the surrogate and result in an error

6761

#

6762

# Therefore, choose your custom info type name carefully after considering

6763

# what your data looks like. One way to select a name that has a high chance

6764

# of yielding reliable detection is to include one or more unicode characters

6765

# that are highly improbable to exist in your data.

6766

# For example, assuming your data is entered from a regular ASCII keyboard,

6767

# the symbol with the hex code point 29DD might be used like so:

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

6768

# ⧝MY_TOKEN_TYPE.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

6769

"name": "A String", # Name of the information type. Either a name of your choosing when

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

6770

# creating a CustomInfoType, or one of the names listed

6771

# at https://cloud.google.com/dlp/docs/infotypes-reference when specifying

6772

# a built-in type. InfoType names should conform to the pattern

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

6773

# `[a-zA-Z0-9_]{1,64}`.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

6774

},

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

6775

"context": { # General identifier of a data field in a storage service. # A context may be used for higher security and maintaining

6776

# referential integrity such that the same identifier in two different

6777

# contexts will be given a distinct surrogate. The context is appended to

6778

# plaintext value being encrypted. On decryption the provided context is

6779

# validated against the value used during encryption. If a context was

6780

# provided during encryption, same context must be provided during decryption

6781

# as well.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

6782

#

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

6783

# If the context is not set, plaintext would be used as is for encryption.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

6784

# If the context is set but:

6785

#

6786

# 1. there is no record present when transforming a given value or

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

6787

# 2. the field is not present when transforming a given value,

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

6788

#

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

6789

# plaintext would be used as is for encryption.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

6790

#

6791

# Note that case (1) is expected when an `InfoTypeTransformation` is

6792

# applied to both structured and non-structured `ContentItem`s.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

6793

"name": "A String", # Name describing the field.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

6794

},

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

6795

"cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the encryption function.

6796

# a key encryption key (KEK) stored by KMS).

6797

# When using KMS to wrap/unwrap DEKs, be sure to set an appropriate

6798

# IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot

6799

# unwrap the data crypto key.

6800

"kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key

6801

# The wrapped key must be a 128/192/256 bit key.

6802

# Authorization requires the following IAM permissions when sending a request

6803

# to perform a crypto transformation using a kms-wrapped crypto key:

6804

# dlp.kms.encrypt

6805

"wrappedKey": "A String", # Required. The wrapped data crypto key.

6806

"cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.

6807

},

6808

"unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key

6809

# leaking the key. Choose another type of key if possible.

6810

"key": "A String", # Required. A 128/192/256 bit key.

6811

},

6812

"transient": { # Use this to have a random data crypto key generated. # Transient crypto key

6813

# It will be discarded after the request finishes.

6814

"name": "A String", # Required. Name of the key.

6815

# This is an arbitrary string used to differentiate different keys.

6816

# A unique key is generated per name: two separate `TransientCryptoKey`

6817

# protos share the same generated key if their names are the same.

6818

# When the data crypto key is generated, this name is not used in any way

6819

# (repeating the api call will result in a different key being generated).

6820

},

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

6821

},

6822

},

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

6823

"redactConfig": { # Redact a given value. For example, if used with an `InfoTypeTransformation` # Redact

6824

# transforming PHONE_NUMBER, and input 'My phone number is 206-555-0123', the

6825

# output would be 'My phone number is '.

6826

},

6827

"bucketingConfig": { # Generalization function that buckets values based on ranges. The ranges and # Bucketing

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

6828

# replacement values are dynamically provided by the user for custom behavior,

6829

# such as 1-30 -> LOW 31-65 -> MEDIUM 66-100 -> HIGH

6830

# This can be used on

6831

# data of type: number, long, string, timestamp.

6832

# If the bound `Value` type differs from the type of data being transformed, we

6833

# will first attempt converting the type of the data to be transformed to match

6834

# the type of the bound before comparing.

6835

# See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

6836

"buckets": [ # Set of buckets. Ranges must be non-overlapping.

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

6837

{ # Bucket is represented as a range, along with replacement values.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

6838

"min": { # Set of primitive values supported by the system. # Lower bound of the range, inclusive. Type should be the same as max if

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

6839

# used.

6840

# Note that for the purposes of inspection or transformation, the number

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

6841

# of bytes considered to comprise a 'Value' is based on its representation

6842

# as a UTF-8 encoded string. For example, if 'integer_value' is set to

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

6843

# 123456789, the number of bytes would be counted as 9, even though an

6844

# int64 only holds up to 8 bytes of data.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

6845

"booleanValue": True or False, # boolean

6846

"floatValue": 3.14, # float

6847

"dayOfWeekValue": "A String", # day of week

6848

"timestampValue": "A String", # timestamp

6849

"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

6850

# and time zone are either specified elsewhere or are not significant. The date

6851

# is relative to the Proleptic Gregorian Calendar. This can represent:

6852

#

6853

# * A full date, with non-zero year, month and day values

6854

# * A month and day value, with a zero year, e.g. an anniversary

6855

# * A year on its own, with zero month and day values

6856

# * A year and month value, with a zero day, e.g. a credit card expiration date

6857

#

6858

# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

6859

"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without

6860

# a year.

6861

"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

6862

# month and day.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

6863

"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

6864

# if specifying a year by itself or a year and month where the day is not

6865

# significant.

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

6866

},

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

6867

"stringValue": "A String", # string

6868

"integerValue": "A String", # integer

6869

"timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day

6870

# or are specified elsewhere. An API may choose to allow leap seconds. Related

6871

# types are google.type.Date and `google.protobuf.Timestamp`.

6872

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may

6873

# allow the value 60 if it allows leap-seconds.

6874

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

6875

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose

6876

# to allow the value "24:00:00" for scenarios like business closing time.

6877

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

6878

},

6879

},

6880

"max": { # Set of primitive values supported by the system. # Upper bound of the range, exclusive; type must match min.

6881

# Note that for the purposes of inspection or transformation, the number

6882

# of bytes considered to comprise a 'Value' is based on its representation

6883

# as a UTF-8 encoded string. For example, if 'integer_value' is set to

6884

# 123456789, the number of bytes would be counted as 9, even though an

6885

# int64 only holds up to 8 bytes of data.

6886

"booleanValue": True or False, # boolean

6887

"floatValue": 3.14, # float

6888

"dayOfWeekValue": "A String", # day of week

6889

"timestampValue": "A String", # timestamp

6890

"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date

6891

# and time zone are either specified elsewhere or are not significant. The date

6892

# is relative to the Proleptic Gregorian Calendar. This can represent:

6893

#

6894

# * A full date, with non-zero year, month and day values

6895

# * A month and day value, with a zero year, e.g. an anniversary

6896

# * A year on its own, with zero month and day values

6897

# * A year and month value, with a zero day, e.g. a credit card expiration date

6898

#

6899

# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.

6900

"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without

6901

# a year.

6902

"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a

6903

# month and day.

6904

"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0

6905

# if specifying a year by itself or a year and month where the day is not

6906

# significant.

6907

},

6908

"stringValue": "A String", # string

6909

"integerValue": "A String", # integer

6910

"timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day

6911

# or are specified elsewhere. An API may choose to allow leap seconds. Related

6912

# types are google.type.Date and `google.protobuf.Timestamp`.

6913

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may

6914

# allow the value 60 if it allows leap-seconds.

6915

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

6916

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose

6917

# to allow the value "24:00:00" for scenarios like business closing time.

6918

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

6919

},

6920

},

6921

"replacementValue": { # Set of primitive values supported by the system. # Replacement value for this bucket. If not provided

6922

# the default behavior will be to hyphenate the min-max range.

6923

# Note that for the purposes of inspection or transformation, the number

6924

# of bytes considered to comprise a 'Value' is based on its representation

6925

# as a UTF-8 encoded string. For example, if 'integer_value' is set to

6926

# 123456789, the number of bytes would be counted as 9, even though an

6927

# int64 only holds up to 8 bytes of data.

6928

"booleanValue": True or False, # boolean

6929

"floatValue": 3.14, # float

6930

"dayOfWeekValue": "A String", # day of week

6931

"timestampValue": "A String", # timestamp

6932

"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date

6933

# and time zone are either specified elsewhere or are not significant. The date

6934

# is relative to the Proleptic Gregorian Calendar. This can represent:

6935

#

6936

# * A full date, with non-zero year, month and day values

6937

# * A month and day value, with a zero year, e.g. an anniversary

6938

# * A year on its own, with zero month and day values

6939

# * A year and month value, with a zero day, e.g. a credit card expiration date

6940

#

6941

# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.

6942

"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without

6943

# a year.

6944

"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a

6945

# month and day.

6946

"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0

6947

# if specifying a year by itself or a year and month where the day is not

6948

# significant.

6949

},

6950

"stringValue": "A String", # string

6951

"integerValue": "A String", # integer

6952

"timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day

6953

# or are specified elsewhere. An API may choose to allow leap seconds. Related

6954

# types are google.type.Date and `google.protobuf.Timestamp`.

6955

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may

6956

# allow the value 60 if it allows leap-seconds.

6957

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

6958

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose

6959

# to allow the value "24:00:00" for scenarios like business closing time.

6960

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

6961

},

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

},

},

],

},

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

6966

"replaceConfig": { # Replace each input value with a given `Value`. # Replace

6967

"newValue": { # Set of primitive values supported by the system. # Value to replace it with.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

6968

# Note that for the purposes of inspection or transformation, the number

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

6969

# of bytes considered to comprise a 'Value' is based on its representation

6970

# as a UTF-8 encoded string. For example, if 'integer_value' is set to

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

6971

# 123456789, the number of bytes would be counted as 9, even though an

6972

# int64 only holds up to 8 bytes of data.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

6973

"booleanValue": True or False, # boolean

6974

"floatValue": 3.14, # float

6975

"dayOfWeekValue": "A String", # day of week

6976

"timestampValue": "A String", # timestamp

6977

"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

6978

# and time zone are either specified elsewhere or are not significant. The date

6979

# is relative to the Proleptic Gregorian Calendar. This can represent:

6980

#

6981

# * A full date, with non-zero year, month and day values

6982

# * A month and day value, with a zero year, e.g. an anniversary

6983

# * A year on its own, with zero month and day values

6984

# * A year and month value, with a zero day, e.g. a credit card expiration date

6985

#

6986

# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

6987

"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without

6988

# a year.

6989

"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

6990

# month and day.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

6991

"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

6992

# if specifying a year by itself or a year and month where the day is not

6993

# significant.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

6994

},

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

6995

"stringValue": "A String", # string

6996

"integerValue": "A String", # integer

6997

"timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day

6998

# or are specified elsewhere. An API may choose to allow leap seconds. Related

6999

# types are google.type.Date and `google.protobuf.Timestamp`.

7000

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may

7001

# allow the value 60 if it allows leap-seconds.

7002

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

7003

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose

7004

# to allow the value "24:00:00" for scenarios like business closing time.

7005

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

},

},

},

"characterMaskConfig": { # Partially mask a string by replacing a given number of characters with a # Mask

7010

# fixed character. Masking can start from the beginning or end of the string.

7011

# This can be used on data of any type (numbers, longs, and so on) and when

7012

# de-identifying structured data we'll attempt to preserve the original data's

7013

# type. (This allows you to take a long like 123 and modify it to a string like

7014

# **3.

7015

"reverseOrder": True or False, # Mask characters in reverse order. For example, if `masking_character` is

7016

# `0`, `number_to_mask` is `14`, and `reverse_order` is `false`, then the

7017

# input string `1234-5678-9012-3456` is masked as `00000000000000-3456`.

7018

# If `masking_character` is `*`, `number_to_mask` is `3`, and `reverse_order`

7019

# is `true`, then the string `12345` is masked as `12***`.

7020

"charactersToIgnore": [ # When masking a string, items in this list will be skipped when replacing

7021

# characters. For example, if the input string is `555-555-5555` and you

7022

# instruct Cloud DLP to skip `-` and mask 5 characters with `*`, Cloud DLP

7023

# returns `***-**5-5555`.

7024

{ # Characters to skip when doing deidentification of a value. These will be left

7025

# alone and skipped.

7026

"charactersToSkip": "A String", # Characters to not transform when masking.

7027

"commonCharactersToIgnore": "A String", # Common characters to not transform when masking. Useful to avoid removing

# punctuation.

},

],

"numberToMask": 42, # Number of characters to mask. If not set, all matching chars will be

7032

# masked. Skipped characters do not count towards this tally.

7033

"maskingCharacter": "A String", # Character to use to mask the sensitive values&mdash;for example, `*` for an

7034

# alphabetic string such as a name, or `0` for a numeric string such as ZIP

7035

# code or credit card number. This string must have a length of 1. If not

7036

# supplied, this value defaults to `*` for strings, and `0` for digits.

7037

},

7038

"fixedSizeBucketingConfig": { # Buckets values based on fixed size ranges. The # Fixed size bucketing

7039

# Bucketing transformation can provide all of this functionality,

7040

# but requires more configuration. This message is provided as a convenience to

7041

# the user for simple bucketing strategies.

7042

#

7043

# The transformed value will be a hyphenated string of

7044

# {lower_bound}-{upper_bound}, i.e if lower_bound = 10 and upper_bound = 20

7045

# all values that are within this bucket will be replaced with "10-20".

7046

#

7047

# This can be used on data of type: double, long.

7048

#

7049

# If the bound Value type differs from the type of data

7050

# being transformed, we will first attempt converting the type of the data to

7051

# be transformed to match the type of the bound before comparing.

7052

#

7053

# See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more.

7054

"lowerBound": { # Set of primitive values supported by the system. # Required. Lower bound value of buckets. All values less than `lower_bound` are

7055

# grouped together into a single bucket; for example if `lower_bound` = 10,

7056

# then all values less than 10 are replaced with the value "-10".

7057

# Note that for the purposes of inspection or transformation, the number

7058

# of bytes considered to comprise a 'Value' is based on its representation

7059

# as a UTF-8 encoded string. For example, if 'integer_value' is set to

7060

# 123456789, the number of bytes would be counted as 9, even though an

7061

# int64 only holds up to 8 bytes of data.

7062

"booleanValue": True or False, # boolean

7063

"floatValue": 3.14, # float

7064

"dayOfWeekValue": "A String", # day of week

7065

"timestampValue": "A String", # timestamp

7066

"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date

7067

# and time zone are either specified elsewhere or are not significant. The date

7068

# is relative to the Proleptic Gregorian Calendar. This can represent:

7069

#

7070

# * A full date, with non-zero year, month and day values

7071

# * A month and day value, with a zero year, e.g. an anniversary

7072

# * A year on its own, with zero month and day values

7073

# * A year and month value, with a zero day, e.g. a credit card expiration date

7074

#

7075

# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.

7076

"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without

7077

# a year.

7078

"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a

7079

# month and day.

7080

"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0

7081

# if specifying a year by itself or a year and month where the day is not

7082

# significant.

7083

},

7084

"stringValue": "A String", # string

7085

"integerValue": "A String", # integer

7086

"timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day

7087

# or are specified elsewhere. An API may choose to allow leap seconds. Related

7088

# types are google.type.Date and `google.protobuf.Timestamp`.

7089

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may

7090

# allow the value 60 if it allows leap-seconds.

7091

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

7092

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose

7093

# to allow the value "24:00:00" for scenarios like business closing time.

7094

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

7095

},

7096

},

7097

"upperBound": { # Set of primitive values supported by the system. # Required. Upper bound value of buckets. All values greater than upper_bound are

7098

# grouped together into a single bucket; for example if `upper_bound` = 89,

7099

# then all values greater than 89 are replaced with the value "89+".

7100

# Note that for the purposes of inspection or transformation, the number

7101

# of bytes considered to comprise a 'Value' is based on its representation

7102

# as a UTF-8 encoded string. For example, if 'integer_value' is set to

7103

# 123456789, the number of bytes would be counted as 9, even though an

7104

# int64 only holds up to 8 bytes of data.

7105

"booleanValue": True or False, # boolean

7106

"floatValue": 3.14, # float

7107

"dayOfWeekValue": "A String", # day of week

7108

"timestampValue": "A String", # timestamp

7109

"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date

7110

# and time zone are either specified elsewhere or are not significant. The date

7111

# is relative to the Proleptic Gregorian Calendar. This can represent:

7112

#

7113

# * A full date, with non-zero year, month and day values

7114

# * A month and day value, with a zero year, e.g. an anniversary

7115

# * A year on its own, with zero month and day values

7116

# * A year and month value, with a zero day, e.g. a credit card expiration date

7117

#

7118

# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.

7119

"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without

7120

# a year.

7121

"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a

7122

# month and day.

7123

"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0

7124

# if specifying a year by itself or a year and month where the day is not

7125

# significant.

7126

},

7127

"stringValue": "A String", # string

7128

"integerValue": "A String", # integer

7129

"timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day

7130

# or are specified elsewhere. An API may choose to allow leap seconds. Related

7131

# types are google.type.Date and `google.protobuf.Timestamp`.

7132

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may

7133

# allow the value 60 if it allows leap-seconds.

7134

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

7135

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose

7136

# to allow the value "24:00:00" for scenarios like business closing time.

7137

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

7138

},

7139

},

7140

"bucketSize": 3.14, # Required. Size of each bucket (except for minimum and maximum buckets). So if

7141

# `lower_bound` = 10, `upper_bound` = 89, and `bucket_size` = 10, then the

7142

# following buckets would be used: -10, 10-20, 20-30, 30-40, 40-50, 50-60,

7143

# 60-70, 70-80, 80-89, 89+. Precision up to 2 decimals works.

},

},

},

],

},

"primitiveTransformation": { # A rule for transforming a value. # Apply the transformation to the entire field.

7150

"timePartConfig": { # For use with `Date`, `Timestamp`, and `TimeOfDay`, extract or preserve a # Time extraction

7151

# portion of the value.

7152

"partToExtract": "A String", # The part of the time to keep.

7153

},

7154

"dateShiftConfig": { # Shifts dates by random number of days, with option to be consistent for the # Date Shift

7155

# same context. See https://cloud.google.com/dlp/docs/concepts-date-shifting

7156

# to learn more.

7157

"context": { # General identifier of a data field in a storage service. # Points to the field that contains the context, for example, an entity id.

7158

# If set, must also set cryptoKey. If set, shift will be consistent for the

7159

# given context.

7160

"name": "A String", # Name describing the field.

7161

},

7162

"upperBoundDays": 42, # Required. Range of shift in days. Actual shift will be selected at random within this

7163

# range (inclusive ends). Negative means shift to earlier in time. Must not

7164

# be more than 365250 days (1000 years) each direction.

7165

#

7166

# For example, 3 means shift date to at most 3 days into the future.

7167

"lowerBoundDays": 42, # Required. For example, -5 means shift date to at most 5 days back in the past.

7168

"cryptoKey": { # This is a data encryption key (DEK) (as opposed to # Causes the shift to be computed based on this key and the context. This

7169

# results in the same shift for the same context and crypto_key. If

7170

# set, must also set context. Can only be applied to table items.

7171

# a key encryption key (KEK) stored by KMS).

7172

# When using KMS to wrap/unwrap DEKs, be sure to set an appropriate

7173

# IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot

7174

# unwrap the data crypto key.

7175

"kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key

7176

# The wrapped key must be a 128/192/256 bit key.

7177

# Authorization requires the following IAM permissions when sending a request

7178

# to perform a crypto transformation using a kms-wrapped crypto key:

7179

# dlp.kms.encrypt

7180

"wrappedKey": "A String", # Required. The wrapped data crypto key.

7181

"cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.

7182

},

7183

"unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key

7184

# leaking the key. Choose another type of key if possible.

7185

"key": "A String", # Required. A 128/192/256 bit key.

7186

},

7187

"transient": { # Use this to have a random data crypto key generated. # Transient crypto key

7188

# It will be discarded after the request finishes.

7189

"name": "A String", # Required. Name of the key.

7190

# This is an arbitrary string used to differentiate different keys.

7191

# A unique key is generated per name: two separate `TransientCryptoKey`

7192

# protos share the same generated key if their names are the same.

7193

# When the data crypto key is generated, this name is not used in any way

7194

# (repeating the api call will result in a different key being generated).

},

},

},

"replaceWithInfoTypeConfig": { # Replace each matching finding with the name of the info_type. # Replace with infotype

7199

},

7200

"cryptoHashConfig": { # Pseudonymization method that generates surrogates via cryptographic hashing. # Crypto

7201

# Uses SHA-256.

7202

# The key size must be either 32 or 64 bytes.

7203

# Outputs a base64 encoded representation of the hashed output

7204

# (for example, L7k0BHmF1ha5U3NfGykjro4xWi1MPVQPjhMAZbSV9mM=).

7205

# Currently, only string and integer values can be hashed.

7206

# See https://cloud.google.com/dlp/docs/pseudonymization to learn more.

7207

"cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the hash function.

7208

# a key encryption key (KEK) stored by KMS).

7209

# When using KMS to wrap/unwrap DEKs, be sure to set an appropriate

7210

# IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot

7211

# unwrap the data crypto key.

7212

"kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key

7213

# The wrapped key must be a 128/192/256 bit key.

7214

# Authorization requires the following IAM permissions when sending a request

7215

# to perform a crypto transformation using a kms-wrapped crypto key:

7216

# dlp.kms.encrypt

7217

"wrappedKey": "A String", # Required. The wrapped data crypto key.

7218

"cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.

7219

},

7220

"unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key

7221

# leaking the key. Choose another type of key if possible.

7222

"key": "A String", # Required. A 128/192/256 bit key.

7223

},

7224

"transient": { # Use this to have a random data crypto key generated. # Transient crypto key

7225

# It will be discarded after the request finishes.

7226

"name": "A String", # Required. Name of the key.

7227

# This is an arbitrary string used to differentiate different keys.

7228

# A unique key is generated per name: two separate `TransientCryptoKey`

7229

# protos share the same generated key if their names are the same.

7230

# When the data crypto key is generated, this name is not used in any way

7231

# (repeating the api call will result in a different key being generated).

},

},

},

"cryptoReplaceFfxFpeConfig": { # Replaces an identifier with a surrogate using Format Preserving Encryption # Ffx-Fpe

7236

# (FPE) with the FFX mode of operation; however when used in the

7237

# `ReidentifyContent` API method, it serves the opposite function by reversing

7238

# the surrogate back into the original identifier. The identifier must be

7239

# encoded as ASCII. For a given crypto key and context, the same identifier

7240

# will be replaced with the same surrogate. Identifiers must be at least two

7241

# characters long. In the case that the identifier is the empty string, it will

7242

# be skipped. See https://cloud.google.com/dlp/docs/pseudonymization to learn

7243

# more.

7244

#

7245

# Note: We recommend using CryptoDeterministicConfig for all use cases which

7246

# do not require preserving the input alphabet space and size, plus warrant

7247

# referential integrity.

7248

"customAlphabet": "A String", # This is supported by mapping these to the alphanumeric characters

7249

# that the FFX mode natively supports. This happens before/after

7250

# encryption/decryption.

7251

# Each character listed must appear only once.

7252

# Number of characters must be in the range [2, 95].

7253

# This must be encoded as ASCII.

7254

# The order of characters does not matter.

7255

"commonAlphabet": "A String", # Common alphabets.

7256

"surrogateInfoType": { # Type of information detected by the API. # The custom infoType to annotate the surrogate with.

7257

# This annotation will be applied to the surrogate by prefixing it with

7258

# the name of the custom infoType followed by the number of

7259

# characters comprising the surrogate. The following scheme defines the

7260

# format: info_type_name(surrogate_character_count):surrogate

7261

#

7262

# For example, if the name of custom infoType is 'MY_TOKEN_INFO_TYPE' and

7263

# the surrogate is 'abc', the full replacement value

7264

# will be: 'MY_TOKEN_INFO_TYPE(3):abc'

7265

#

7266

# This annotation identifies the surrogate when inspecting content using the

7267

# custom infoType

7268

# [`SurrogateType`](/dlp/docs/reference/rest/v2/InspectConfig#surrogatetype).

7269

# This facilitates reversal of the surrogate when it occurs in free text.

7270

#

7271

# In order for inspection to work properly, the name of this infoType must

7272

# not occur naturally anywhere in your data; otherwise, inspection may

7273

# find a surrogate that does not correspond to an actual identifier.

7274

# Therefore, choose your custom infoType name carefully after considering

7275

# what your data looks like. One way to select a name that has a high chance

7276

# of yielding reliable detection is to include one or more unicode characters

7277

# that are highly improbable to exist in your data.

7278

# For example, assuming your data is entered from a regular ASCII keyboard,

7279

# the symbol with the hex code point 29DD might be used like so:

7280

# ⧝MY_TOKEN_TYPE

7281

"name": "A String", # Name of the information type. Either a name of your choosing when

7282

# creating a CustomInfoType, or one of the names listed

7283

# at https://cloud.google.com/dlp/docs/infotypes-reference when specifying

7284

# a built-in type. InfoType names should conform to the pattern

7285

# `[a-zA-Z0-9_]{1,64}`.

7286

},

7287

"context": { # General identifier of a data field in a storage service. # The 'tweak', a context may be used for higher security since the same

7288

# identifier in two different contexts won't be given the same surrogate. If

7289

# the context is not set, a default tweak will be used.

7290

#

7291

# If the context is set but:

7292

#

7293

# 1. there is no record present when transforming a given value or

7294

# 1. the field is not present when transforming a given value,

7295

#

7296

# a default tweak will be used.

7297

#

7298

# Note that case (1) is expected when an `InfoTypeTransformation` is

7299

# applied to both structured and non-structured `ContentItem`s.

7300

# Currently, the referenced field may be of value type integer or string.

7301

#

7302

# The tweak is constructed as a sequence of bytes in big endian byte order

7303

# such that:

7304

#

7305

# - a 64 bit integer is encoded followed by a single byte of value 1

7306

# - a string is encoded in UTF-8 format followed by a single byte of value 2

7307

"name": "A String", # Name describing the field.

7308

},

7309

"radix": 42, # The native way to select the alphabet. Must be in the range [2, 95].

7310

"cryptoKey": { # This is a data encryption key (DEK) (as opposed to # Required. The key used by the encryption algorithm.

7311

# a key encryption key (KEK) stored by KMS).

7312

# When using KMS to wrap/unwrap DEKs, be sure to set an appropriate

7313

# IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot

7314

# unwrap the data crypto key.

7315

"kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key

7316

# The wrapped key must be a 128/192/256 bit key.

7317

# Authorization requires the following IAM permissions when sending a request

7318

# to perform a crypto transformation using a kms-wrapped crypto key:

7319

# dlp.kms.encrypt

7320

"wrappedKey": "A String", # Required. The wrapped data crypto key.

7321

"cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.

7322

},

7323

"unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key

7324

# leaking the key. Choose another type of key if possible.

7325

"key": "A String", # Required. A 128/192/256 bit key.

7326

},

7327

"transient": { # Use this to have a random data crypto key generated. # Transient crypto key

7328

# It will be discarded after the request finishes.

7329

"name": "A String", # Required. Name of the key.

7330

# This is an arbitrary string used to differentiate different keys.

7331

# A unique key is generated per name: two separate `TransientCryptoKey`

7332

# protos share the same generated key if their names are the same.

7333

# When the data crypto key is generated, this name is not used in any way

7334

# (repeating the api call will result in a different key being generated).

},

},

},

"cryptoDeterministicConfig": { # Pseudonymization method that generates deterministic encryption for the given # Deterministic Crypto

7339

# input. Outputs a base64 encoded representation of the encrypted output.

7340

# Uses AES-SIV based on the RFC https://tools.ietf.org/html/rfc5297.

7341

"surrogateInfoType": { # Type of information detected by the API. # The custom info type to annotate the surrogate with.

7342

# This annotation will be applied to the surrogate by prefixing it with

7343

# the name of the custom info type followed by the number of

7344

# characters comprising the surrogate. The following scheme defines the

7345

# format: {info type name}({surrogate character count}):{surrogate}

7346

#

7347

# For example, if the name of custom info type is 'MY_TOKEN_INFO_TYPE' and

7348

# the surrogate is 'abc', the full replacement value

7349

# will be: 'MY_TOKEN_INFO_TYPE(3):abc'

7350

#

7351

# This annotation identifies the surrogate when inspecting content using the

7352

# custom info type 'Surrogate'. This facilitates reversal of the

7353

# surrogate when it occurs in free text.

7354

#

7355

# Note: For record transformations where the entire cell in a table is being

7356

# transformed, surrogates are not mandatory. Surrogates are used to denote

7357

# the location of the token and are necessary for re-identification in free

7358

# form text.

7359

#

7360

# In order for inspection to work properly, the name of this info type must

7361

# not occur naturally anywhere in your data; otherwise, inspection may either

7362

#

7363

# - reverse a surrogate that does not correspond to an actual identifier

7364

# - be unable to parse the surrogate and result in an error

7365

#

7366

# Therefore, choose your custom info type name carefully after considering

7367

# what your data looks like. One way to select a name that has a high chance

7368

# of yielding reliable detection is to include one or more unicode characters

7369

# that are highly improbable to exist in your data.

7370

# For example, assuming your data is entered from a regular ASCII keyboard,

7371

# the symbol with the hex code point 29DD might be used like so:

7372

# ⧝MY_TOKEN_TYPE.

7373

"name": "A String", # Name of the information type. Either a name of your choosing when

7374

# creating a CustomInfoType, or one of the names listed

7375

# at https://cloud.google.com/dlp/docs/infotypes-reference when specifying

7376

# a built-in type. InfoType names should conform to the pattern

7377

# `[a-zA-Z0-9_]{1,64}`.

7378

},

7379

"context": { # General identifier of a data field in a storage service. # A context may be used for higher security and maintaining

7380

# referential integrity such that the same identifier in two different

7381

# contexts will be given a distinct surrogate. The context is appended to

7382

# plaintext value being encrypted. On decryption the provided context is

7383

# validated against the value used during encryption. If a context was

7384

# provided during encryption, same context must be provided during decryption

7385

# as well.

7386

#

7387

# If the context is not set, plaintext would be used as is for encryption.

7388

# If the context is set but:

7389

#

7390

# 1. there is no record present when transforming a given value or

7391

# 2. the field is not present when transforming a given value,

7392

#

7393

# plaintext would be used as is for encryption.

7394

#

7395

# Note that case (1) is expected when an `InfoTypeTransformation` is

7396

# applied to both structured and non-structured `ContentItem`s.

7397

"name": "A String", # Name describing the field.

7398

},

7399

"cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the encryption function.

7400

# a key encryption key (KEK) stored by KMS).

7401

# When using KMS to wrap/unwrap DEKs, be sure to set an appropriate

7402

# IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot

7403

# unwrap the data crypto key.

7404

"kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key

7405

# The wrapped key must be a 128/192/256 bit key.

7406

# Authorization requires the following IAM permissions when sending a request

7407

# to perform a crypto transformation using a kms-wrapped crypto key:

7408

# dlp.kms.encrypt

7409

"wrappedKey": "A String", # Required. The wrapped data crypto key.

7410

"cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.

7411

},

7412

"unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key

7413

# leaking the key. Choose another type of key if possible.

7414

"key": "A String", # Required. A 128/192/256 bit key.

7415

},

7416

"transient": { # Use this to have a random data crypto key generated. # Transient crypto key

7417

# It will be discarded after the request finishes.

7418

"name": "A String", # Required. Name of the key.

7419

# This is an arbitrary string used to differentiate different keys.

7420

# A unique key is generated per name: two separate `TransientCryptoKey`

7421

# protos share the same generated key if their names are the same.

7422

# When the data crypto key is generated, this name is not used in any way

7423

# (repeating the api call will result in a different key being generated).

},

},

},

"redactConfig": { # Redact a given value. For example, if used with an `InfoTypeTransformation` # Redact

7428

# transforming PHONE_NUMBER, and input 'My phone number is 206-555-0123', the

7429

# output would be 'My phone number is '.

7430

},

7431

"bucketingConfig": { # Generalization function that buckets values based on ranges. The ranges and # Bucketing

7432

# replacement values are dynamically provided by the user for custom behavior,

7433

# such as 1-30 -> LOW 31-65 -> MEDIUM 66-100 -> HIGH

7434

# This can be used on

7435

# data of type: number, long, string, timestamp.

7436

# If the bound `Value` type differs from the type of data being transformed, we

7437

# will first attempt converting the type of the data to be transformed to match

7438

# the type of the bound before comparing.

7439

# See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more.

7440

"buckets": [ # Set of buckets. Ranges must be non-overlapping.

7441

{ # Bucket is represented as a range, along with replacement values.

7442

"min": { # Set of primitive values supported by the system. # Lower bound of the range, inclusive. Type should be the same as max if

7443

# used.

7444

# Note that for the purposes of inspection or transformation, the number

7445

# of bytes considered to comprise a 'Value' is based on its representation

7446

# as a UTF-8 encoded string. For example, if 'integer_value' is set to

7447

# 123456789, the number of bytes would be counted as 9, even though an

7448

# int64 only holds up to 8 bytes of data.

7449

"booleanValue": True or False, # boolean

7450

"floatValue": 3.14, # float

7451

"dayOfWeekValue": "A String", # day of week

7452

"timestampValue": "A String", # timestamp

7453

"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date

7454

# and time zone are either specified elsewhere or are not significant. The date

7455

# is relative to the Proleptic Gregorian Calendar. This can represent:

7456

#

7457

# * A full date, with non-zero year, month and day values

7458

# * A month and day value, with a zero year, e.g. an anniversary

7459

# * A year on its own, with zero month and day values

7460

# * A year and month value, with a zero day, e.g. a credit card expiration date

7461

#

7462

# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.

7463

"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without

7464

# a year.

7465

"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a

7466

# month and day.

7467

"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0

7468

# if specifying a year by itself or a year and month where the day is not

7469

# significant.

7470

},

7471

"stringValue": "A String", # string

7472

"integerValue": "A String", # integer

7473

"timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day

7474

# or are specified elsewhere. An API may choose to allow leap seconds. Related

7475

# types are google.type.Date and `google.protobuf.Timestamp`.

7476

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may

7477

# allow the value 60 if it allows leap-seconds.

7478

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

7479

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose

7480

# to allow the value "24:00:00" for scenarios like business closing time.

7481

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

7482

},

7483

},

7484

"max": { # Set of primitive values supported by the system. # Upper bound of the range, exclusive; type must match min.

7485

# Note that for the purposes of inspection or transformation, the number

7486

# of bytes considered to comprise a 'Value' is based on its representation

7487

# as a UTF-8 encoded string. For example, if 'integer_value' is set to

7488

# 123456789, the number of bytes would be counted as 9, even though an

7489

# int64 only holds up to 8 bytes of data.

7490

"booleanValue": True or False, # boolean

7491

"floatValue": 3.14, # float

7492

"dayOfWeekValue": "A String", # day of week

7493

"timestampValue": "A String", # timestamp

7494

"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date

7495

# and time zone are either specified elsewhere or are not significant. The date

7496

# is relative to the Proleptic Gregorian Calendar. This can represent:

7497

#

7498

# * A full date, with non-zero year, month and day values

7499

# * A month and day value, with a zero year, e.g. an anniversary

7500

# * A year on its own, with zero month and day values

7501

# * A year and month value, with a zero day, e.g. a credit card expiration date

7502

#

7503

# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.

7504

"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without

7505

# a year.

7506

"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a

7507

# month and day.

7508

"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0

7509

# if specifying a year by itself or a year and month where the day is not

7510

# significant.

7511

},

7512

"stringValue": "A String", # string

7513

"integerValue": "A String", # integer

7514

"timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day

7515

# or are specified elsewhere. An API may choose to allow leap seconds. Related

7516

# types are google.type.Date and `google.protobuf.Timestamp`.

7517

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may

7518

# allow the value 60 if it allows leap-seconds.

7519

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

7520

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose

7521

# to allow the value "24:00:00" for scenarios like business closing time.

7522

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

7523

},

7524

},

7525

"replacementValue": { # Set of primitive values supported by the system. # Replacement value for this bucket. If not provided

7526

# the default behavior will be to hyphenate the min-max range.

7527

# Note that for the purposes of inspection or transformation, the number

7528

# of bytes considered to comprise a 'Value' is based on its representation

7529

# as a UTF-8 encoded string. For example, if 'integer_value' is set to

7530

# 123456789, the number of bytes would be counted as 9, even though an

7531

# int64 only holds up to 8 bytes of data.

7532

"booleanValue": True or False, # boolean

7533

"floatValue": 3.14, # float

7534

"dayOfWeekValue": "A String", # day of week

7535

"timestampValue": "A String", # timestamp

7536

"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date

7537

# and time zone are either specified elsewhere or are not significant. The date

7538

# is relative to the Proleptic Gregorian Calendar. This can represent:

7539

#

7540

# * A full date, with non-zero year, month and day values

7541

# * A month and day value, with a zero year, e.g. an anniversary

7542

# * A year on its own, with zero month and day values

7543

# * A year and month value, with a zero day, e.g. a credit card expiration date

7544

#

7545

# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.

7546

"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without

7547

# a year.

7548

"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a

7549

# month and day.

7550

"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0

7551

# if specifying a year by itself or a year and month where the day is not

7552

# significant.

7553

},

7554

"stringValue": "A String", # string

7555

"integerValue": "A String", # integer

7556

"timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day

7557

# or are specified elsewhere. An API may choose to allow leap seconds. Related

7558

# types are google.type.Date and `google.protobuf.Timestamp`.

7559

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may

7560

# allow the value 60 if it allows leap-seconds.

7561

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

7562

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose

7563

# to allow the value "24:00:00" for scenarios like business closing time.

7564

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

7565

},

7566

},

7567

},

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

7568

],

7569

},

7570

"replaceConfig": { # Replace each input value with a given `Value`. # Replace

7571

"newValue": { # Set of primitive values supported by the system. # Value to replace it with.

7572

# Note that for the purposes of inspection or transformation, the number

7573

# of bytes considered to comprise a 'Value' is based on its representation

7574

# as a UTF-8 encoded string. For example, if 'integer_value' is set to

7575

# 123456789, the number of bytes would be counted as 9, even though an

7576

# int64 only holds up to 8 bytes of data.

7577

"booleanValue": True or False, # boolean

7578

"floatValue": 3.14, # float

7579

"dayOfWeekValue": "A String", # day of week

7580

"timestampValue": "A String", # timestamp

7581

"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date

7582

# and time zone are either specified elsewhere or are not significant. The date

7583

# is relative to the Proleptic Gregorian Calendar. This can represent:

7584

#

7585

# * A full date, with non-zero year, month and day values

7586

# * A month and day value, with a zero year, e.g. an anniversary

7587

# * A year on its own, with zero month and day values

7588

# * A year and month value, with a zero day, e.g. a credit card expiration date

7589

#

7590

# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.

7591

"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without

7592

# a year.

7593

"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a

7594

# month and day.

7595

"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0

7596

# if specifying a year by itself or a year and month where the day is not

7597

# significant.

7598

},

7599

"stringValue": "A String", # string

7600

"integerValue": "A String", # integer

7601

"timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day

7602

# or are specified elsewhere. An API may choose to allow leap seconds. Related

7603

# types are google.type.Date and `google.protobuf.Timestamp`.

7604

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may

7605

# allow the value 60 if it allows leap-seconds.

7606

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

7607

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose

7608

# to allow the value "24:00:00" for scenarios like business closing time.

7609

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

},

},

},

"characterMaskConfig": { # Partially mask a string by replacing a given number of characters with a # Mask

7614

# fixed character. Masking can start from the beginning or end of the string.

7615

# This can be used on data of any type (numbers, longs, and so on) and when

7616

# de-identifying structured data we'll attempt to preserve the original data's

7617

# type. (This allows you to take a long like 123 and modify it to a string like

7618

# **3.

7619

"reverseOrder": True or False, # Mask characters in reverse order. For example, if `masking_character` is

7620

# `0`, `number_to_mask` is `14`, and `reverse_order` is `false`, then the

7621

# input string `1234-5678-9012-3456` is masked as `00000000000000-3456`.

7622

# If `masking_character` is `*`, `number_to_mask` is `3`, and `reverse_order`

7623

# is `true`, then the string `12345` is masked as `12***`.

7624

"charactersToIgnore": [ # When masking a string, items in this list will be skipped when replacing

7625

# characters. For example, if the input string is `555-555-5555` and you

7626

# instruct Cloud DLP to skip `-` and mask 5 characters with `*`, Cloud DLP

7627

# returns `***-**5-5555`.

7628

{ # Characters to skip when doing deidentification of a value. These will be left

7629

# alone and skipped.

7630

"charactersToSkip": "A String", # Characters to not transform when masking.

7631

"commonCharactersToIgnore": "A String", # Common characters to not transform when masking. Useful to avoid removing

# punctuation.

},

],

"numberToMask": 42, # Number of characters to mask. If not set, all matching chars will be

7636

# masked. Skipped characters do not count towards this tally.

7637

"maskingCharacter": "A String", # Character to use to mask the sensitive values&mdash;for example, `*` for an

7638

# alphabetic string such as a name, or `0` for a numeric string such as ZIP

7639

# code or credit card number. This string must have a length of 1. If not

7640

# supplied, this value defaults to `*` for strings, and `0` for digits.

7641

},

7642

"fixedSizeBucketingConfig": { # Buckets values based on fixed size ranges. The # Fixed size bucketing

7643

# Bucketing transformation can provide all of this functionality,

7644

# but requires more configuration. This message is provided as a convenience to

7645

# the user for simple bucketing strategies.

7646

#

7647

# The transformed value will be a hyphenated string of

7648

# {lower_bound}-{upper_bound}, i.e if lower_bound = 10 and upper_bound = 20

7649

# all values that are within this bucket will be replaced with "10-20".

7650

#

7651

# This can be used on data of type: double, long.

7652

#

7653

# If the bound Value type differs from the type of data

7654

# being transformed, we will first attempt converting the type of the data to

7655

# be transformed to match the type of the bound before comparing.

7656

#

7657

# See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more.

7658

"lowerBound": { # Set of primitive values supported by the system. # Required. Lower bound value of buckets. All values less than `lower_bound` are

7659

# grouped together into a single bucket; for example if `lower_bound` = 10,

7660

# then all values less than 10 are replaced with the value "-10".

7661

# Note that for the purposes of inspection or transformation, the number

7662

# of bytes considered to comprise a 'Value' is based on its representation

7663

# as a UTF-8 encoded string. For example, if 'integer_value' is set to

7664

# 123456789, the number of bytes would be counted as 9, even though an

7665

# int64 only holds up to 8 bytes of data.

7666

"booleanValue": True or False, # boolean

7667

"floatValue": 3.14, # float

7668

"dayOfWeekValue": "A String", # day of week

7669

"timestampValue": "A String", # timestamp

7670

"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date

7671

# and time zone are either specified elsewhere or are not significant. The date

7672

# is relative to the Proleptic Gregorian Calendar. This can represent:

7673

#

7674

# * A full date, with non-zero year, month and day values

7675

# * A month and day value, with a zero year, e.g. an anniversary

7676

# * A year on its own, with zero month and day values

7677

# * A year and month value, with a zero day, e.g. a credit card expiration date

7678

#

7679

# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.

7680

"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without

7681

# a year.

7682

"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a

7683

# month and day.

7684

"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0

7685

# if specifying a year by itself or a year and month where the day is not

7686

# significant.

7687

},

7688

"stringValue": "A String", # string

7689

"integerValue": "A String", # integer

7690

"timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day

7691

# or are specified elsewhere. An API may choose to allow leap seconds. Related

7692

# types are google.type.Date and `google.protobuf.Timestamp`.

7693

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may

7694

# allow the value 60 if it allows leap-seconds.

7695

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

7696

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose

7697

# to allow the value "24:00:00" for scenarios like business closing time.

7698

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

7699

},

7700

},

7701

"upperBound": { # Set of primitive values supported by the system. # Required. Upper bound value of buckets. All values greater than upper_bound are

7702

# grouped together into a single bucket; for example if `upper_bound` = 89,

7703

# then all values greater than 89 are replaced with the value "89+".

7704

# Note that for the purposes of inspection or transformation, the number

7705

# of bytes considered to comprise a 'Value' is based on its representation

7706

# as a UTF-8 encoded string. For example, if 'integer_value' is set to

7707

# 123456789, the number of bytes would be counted as 9, even though an

7708

# int64 only holds up to 8 bytes of data.

7709

"booleanValue": True or False, # boolean

7710

"floatValue": 3.14, # float

7711

"dayOfWeekValue": "A String", # day of week

7712

"timestampValue": "A String", # timestamp

7713

"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date

7714

# and time zone are either specified elsewhere or are not significant. The date

7715

# is relative to the Proleptic Gregorian Calendar. This can represent:

7716

#

7717

# * A full date, with non-zero year, month and day values

7718

# * A month and day value, with a zero year, e.g. an anniversary

7719

# * A year on its own, with zero month and day values

7720

# * A year and month value, with a zero day, e.g. a credit card expiration date

7721

#

7722

# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.

7723

"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without

7724

# a year.

7725

"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a

7726

# month and day.

7727

"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0

7728

# if specifying a year by itself or a year and month where the day is not

7729

# significant.

7730

},

7731

"stringValue": "A String", # string

7732

"integerValue": "A String", # integer

7733

"timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day

7734

# or are specified elsewhere. An API may choose to allow leap seconds. Related

7735

# types are google.type.Date and `google.protobuf.Timestamp`.

7736

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may

7737

# allow the value 60 if it allows leap-seconds.

7738

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

7739

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose

7740

# to allow the value "24:00:00" for scenarios like business closing time.

7741

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

7742

},

7743

},

7744

"bucketSize": 3.14, # Required. Size of each bucket (except for minimum and maximum buckets). So if

7745

# `lower_bound` = 10, `upper_bound` = 89, and `bucket_size` = 10, then the

7746

# following buckets would be used: -10, 10-20, 20-30, 30-40, 40-50, 50-60,

7747

# 60-70, 70-80, 80-89, 89+. Precision up to 2 decimals works.

7748

},

7749

},

7750

"condition": { # A condition for determining whether a transformation should be applied to # Only apply the transformation if the condition evaluates to true for the

7751

# given `RecordCondition`. The conditions are allowed to reference fields

7752

# that are not used in the actual transformation.

#

# Example Use Cases:

#

# - Apply a different bucket transformation to an age column if the zip code

7757

# column for the same record is within a specific range.

7758

# - Redact a field if the date of birth field is greater than 85.

7759

# a field.

7760

"expressions": { # An expression, consisting or an operator and conditions. # An expression.

7761

"logicalOperator": "A String", # The operator to apply to the result of conditions. Default and currently

7762

# only supported value is `AND`.

7763

"conditions": { # A collection of conditions. # Conditions to apply to the expression.

7764

"conditions": [ # A collection of conditions.

7765

{ # The field type of `value` and `field` do not need to match to be

7766

# considered equal, but not all comparisons are possible.

7767

# EQUAL_TO and NOT_EQUAL_TO attempt to compare even with incompatible types,

7768

# but all other comparisons are invalid with incompatible types.

7769

# A `value` of type:

7770

#

7771

# - `string` can be compared against all other types

7772

# - `boolean` can only be compared against other booleans

7773

# - `integer` can be compared against doubles or a string if the string value

7774

# can be parsed as an integer.

7775

# - `double` can be compared against integers or a string if the string can

7776

# be parsed as a double.

7777

# - `Timestamp` can be compared against strings in RFC 3339 date string

7778

# format.

7779

# - `TimeOfDay` can be compared against timestamps and strings in the format

7780

# of 'HH:mm:ss'.

7781

#

7782

# If we fail to compare do to type mismatch, a warning will be given and

7783

# the condition will evaluate to false.

7784

"field": { # General identifier of a data field in a storage service. # Required. Field within the record this condition is evaluated against.

7785

"name": "A String", # Name describing the field.

7786

},

7787

"operator": "A String", # Required. Operator used to compare the field or infoType to the value.

7788

"value": { # Set of primitive values supported by the system. # Value to compare against. [Mandatory, except for `EXISTS` tests.]

7789

# Note that for the purposes of inspection or transformation, the number

7790

# of bytes considered to comprise a 'Value' is based on its representation

7791

# as a UTF-8 encoded string. For example, if 'integer_value' is set to

7792

# 123456789, the number of bytes would be counted as 9, even though an

7793

# int64 only holds up to 8 bytes of data.

7794

"booleanValue": True or False, # boolean

7795

"floatValue": 3.14, # float

7796

"dayOfWeekValue": "A String", # day of week

7797

"timestampValue": "A String", # timestamp

7798

"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date

7799

# and time zone are either specified elsewhere or are not significant. The date

7800

# is relative to the Proleptic Gregorian Calendar. This can represent:

7801

#

7802

# * A full date, with non-zero year, month and day values

7803

# * A month and day value, with a zero year, e.g. an anniversary

7804

# * A year on its own, with zero month and day values

7805

# * A year and month value, with a zero day, e.g. a credit card expiration date

7806

#

7807

# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.

7808

"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without

7809

# a year.

7810

"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a

7811

# month and day.

7812

"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0

7813

# if specifying a year by itself or a year and month where the day is not

7814

# significant.

7815

},

7816

"stringValue": "A String", # string

7817

"integerValue": "A String", # integer

7818

"timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day

7819

# or are specified elsewhere. An API may choose to allow leap seconds. Related

7820

# types are google.type.Date and `google.protobuf.Timestamp`.

7821

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may

7822

# allow the value 60 if it allows leap-seconds.

7823

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

7824

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose

7825

# to allow the value "24:00:00" for scenarios like business closing time.

7826

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

7827

},

7828

},

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

7829

},

7830

],

7831

},

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

7832

},

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

7833

},

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

7834

},

7835

],

7836

},

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

7837

"infoTypeTransformations": { # A type of transformation that will scan unstructured text and # Treat the dataset as free-form text and apply the same free text

7838

# transformation everywhere.

7839

# apply various `PrimitiveTransformation`s to each finding, where the

7840

# transformation is applied to only values that were identified as a specific

7841

# info_type.

7842

"transformations": [ # Required. Transformation for each infoType. Cannot specify more than one

7843

# for a given infoType.

7844

{ # A transformation to apply to text that is identified as a specific

7845

# info_type.

7846

"infoTypes": [ # InfoTypes to apply the transformation to. An empty list will cause

7847

# this transformation to apply to all findings that correspond to

7848

# infoTypes that were requested in `InspectConfig`.

7849

{ # Type of information detected by the API.

7850

"name": "A String", # Name of the information type. Either a name of your choosing when

7851

# creating a CustomInfoType, or one of the names listed

7852

# at https://cloud.google.com/dlp/docs/infotypes-reference when specifying

7853

# a built-in type. InfoType names should conform to the pattern

7854

# `[a-zA-Z0-9_]{1,64}`.

7855

},

7856

],

7857

"primitiveTransformation": { # A rule for transforming a value. # Required. Primitive transformation to apply to the infoType.

7858

"timePartConfig": { # For use with `Date`, `Timestamp`, and `TimeOfDay`, extract or preserve a # Time extraction

7859

# portion of the value.

7860

"partToExtract": "A String", # The part of the time to keep.

7861

},

7862

"dateShiftConfig": { # Shifts dates by random number of days, with option to be consistent for the # Date Shift

7863

# same context. See https://cloud.google.com/dlp/docs/concepts-date-shifting

7864

# to learn more.

7865

"context": { # General identifier of a data field in a storage service. # Points to the field that contains the context, for example, an entity id.

7866

# If set, must also set cryptoKey. If set, shift will be consistent for the

7867

# given context.

7868

"name": "A String", # Name describing the field.

7869

},

7870

"upperBoundDays": 42, # Required. Range of shift in days. Actual shift will be selected at random within this

7871

# range (inclusive ends). Negative means shift to earlier in time. Must not

7872

# be more than 365250 days (1000 years) each direction.

7873

#

7874

# For example, 3 means shift date to at most 3 days into the future.

7875

"lowerBoundDays": 42, # Required. For example, -5 means shift date to at most 5 days back in the past.

7876

"cryptoKey": { # This is a data encryption key (DEK) (as opposed to # Causes the shift to be computed based on this key and the context. This

7877

# results in the same shift for the same context and crypto_key. If

7878

# set, must also set context. Can only be applied to table items.

7879

# a key encryption key (KEK) stored by KMS).

7880

# When using KMS to wrap/unwrap DEKs, be sure to set an appropriate

7881

# IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot

7882

# unwrap the data crypto key.

7883

"kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key

7884

# The wrapped key must be a 128/192/256 bit key.

7885

# Authorization requires the following IAM permissions when sending a request

7886

# to perform a crypto transformation using a kms-wrapped crypto key:

7887

# dlp.kms.encrypt

7888

"wrappedKey": "A String", # Required. The wrapped data crypto key.

7889

"cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.

7890

},

7891

"unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key

7892

# leaking the key. Choose another type of key if possible.

7893

"key": "A String", # Required. A 128/192/256 bit key.

7894

},

7895

"transient": { # Use this to have a random data crypto key generated. # Transient crypto key

7896

# It will be discarded after the request finishes.

7897

"name": "A String", # Required. Name of the key.

7898

# This is an arbitrary string used to differentiate different keys.

7899

# A unique key is generated per name: two separate `TransientCryptoKey`

7900

# protos share the same generated key if their names are the same.

7901

# When the data crypto key is generated, this name is not used in any way

7902

# (repeating the api call will result in a different key being generated).

},

},

},

"replaceWithInfoTypeConfig": { # Replace each matching finding with the name of the info_type. # Replace with infotype

7907

},

7908

"cryptoHashConfig": { # Pseudonymization method that generates surrogates via cryptographic hashing. # Crypto

7909

# Uses SHA-256.

7910

# The key size must be either 32 or 64 bytes.

7911

# Outputs a base64 encoded representation of the hashed output

7912

# (for example, L7k0BHmF1ha5U3NfGykjro4xWi1MPVQPjhMAZbSV9mM=).

7913

# Currently, only string and integer values can be hashed.

7914

# See https://cloud.google.com/dlp/docs/pseudonymization to learn more.

7915

"cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the hash function.

7916

# a key encryption key (KEK) stored by KMS).

7917

# When using KMS to wrap/unwrap DEKs, be sure to set an appropriate

7918

# IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot

7919

# unwrap the data crypto key.

7920

"kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key

7921

# The wrapped key must be a 128/192/256 bit key.

7922

# Authorization requires the following IAM permissions when sending a request

7923

# to perform a crypto transformation using a kms-wrapped crypto key:

7924

# dlp.kms.encrypt

7925

"wrappedKey": "A String", # Required. The wrapped data crypto key.

7926

"cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.

7927

},

7928

"unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key

7929

# leaking the key. Choose another type of key if possible.

7930

"key": "A String", # Required. A 128/192/256 bit key.

7931

},

7932

"transient": { # Use this to have a random data crypto key generated. # Transient crypto key

7933

# It will be discarded after the request finishes.

7934

"name": "A String", # Required. Name of the key.

7935

# This is an arbitrary string used to differentiate different keys.

7936

# A unique key is generated per name: two separate `TransientCryptoKey`

7937

# protos share the same generated key if their names are the same.

7938

# When the data crypto key is generated, this name is not used in any way

7939

# (repeating the api call will result in a different key being generated).

},

},

},

"cryptoReplaceFfxFpeConfig": { # Replaces an identifier with a surrogate using Format Preserving Encryption # Ffx-Fpe

7944

# (FPE) with the FFX mode of operation; however when used in the

7945

# `ReidentifyContent` API method, it serves the opposite function by reversing

7946

# the surrogate back into the original identifier. The identifier must be

7947

# encoded as ASCII. For a given crypto key and context, the same identifier

7948

# will be replaced with the same surrogate. Identifiers must be at least two

7949

# characters long. In the case that the identifier is the empty string, it will

7950

# be skipped. See https://cloud.google.com/dlp/docs/pseudonymization to learn

7951

# more.

7952

#

7953

# Note: We recommend using CryptoDeterministicConfig for all use cases which

7954

# do not require preserving the input alphabet space and size, plus warrant

7955

# referential integrity.

7956

"customAlphabet": "A String", # This is supported by mapping these to the alphanumeric characters

7957

# that the FFX mode natively supports. This happens before/after

7958

# encryption/decryption.

7959

# Each character listed must appear only once.

7960

# Number of characters must be in the range [2, 95].

7961

# This must be encoded as ASCII.

7962

# The order of characters does not matter.

7963

"commonAlphabet": "A String", # Common alphabets.

7964

"surrogateInfoType": { # Type of information detected by the API. # The custom infoType to annotate the surrogate with.

7965

# This annotation will be applied to the surrogate by prefixing it with

7966

# the name of the custom infoType followed by the number of

7967

# characters comprising the surrogate. The following scheme defines the

7968

# format: info_type_name(surrogate_character_count):surrogate

7969

#

7970

# For example, if the name of custom infoType is 'MY_TOKEN_INFO_TYPE' and

7971

# the surrogate is 'abc', the full replacement value

7972

# will be: 'MY_TOKEN_INFO_TYPE(3):abc'

7973

#

7974

# This annotation identifies the surrogate when inspecting content using the

7975

# custom infoType

7976

# [`SurrogateType`](/dlp/docs/reference/rest/v2/InspectConfig#surrogatetype).

7977

# This facilitates reversal of the surrogate when it occurs in free text.

7978

#

7979

# In order for inspection to work properly, the name of this infoType must

7980

# not occur naturally anywhere in your data; otherwise, inspection may

7981

# find a surrogate that does not correspond to an actual identifier.

7982

# Therefore, choose your custom infoType name carefully after considering

7983

# what your data looks like. One way to select a name that has a high chance

7984

# of yielding reliable detection is to include one or more unicode characters

7985

# that are highly improbable to exist in your data.

7986

# For example, assuming your data is entered from a regular ASCII keyboard,

7987

# the symbol with the hex code point 29DD might be used like so:

7988

# ⧝MY_TOKEN_TYPE

7989

"name": "A String", # Name of the information type. Either a name of your choosing when

7990

# creating a CustomInfoType, or one of the names listed

7991

# at https://cloud.google.com/dlp/docs/infotypes-reference when specifying

7992

# a built-in type. InfoType names should conform to the pattern

7993

# `[a-zA-Z0-9_]{1,64}`.

7994

},

7995

"context": { # General identifier of a data field in a storage service. # The 'tweak', a context may be used for higher security since the same

7996

# identifier in two different contexts won't be given the same surrogate. If

7997

# the context is not set, a default tweak will be used.

7998

#

7999

# If the context is set but:

8000

#

8001

# 1. there is no record present when transforming a given value or

8002

# 1. the field is not present when transforming a given value,

8003

#

8004

# a default tweak will be used.

8005

#

8006

# Note that case (1) is expected when an `InfoTypeTransformation` is

8007

# applied to both structured and non-structured `ContentItem`s.

8008

# Currently, the referenced field may be of value type integer or string.

8009

#

8010

# The tweak is constructed as a sequence of bytes in big endian byte order

8011

# such that:

8012

#

8013

# - a 64 bit integer is encoded followed by a single byte of value 1

8014

# - a string is encoded in UTF-8 format followed by a single byte of value 2

8015

"name": "A String", # Name describing the field.

8016

},

8017

"radix": 42, # The native way to select the alphabet. Must be in the range [2, 95].

8018

"cryptoKey": { # This is a data encryption key (DEK) (as opposed to # Required. The key used by the encryption algorithm.

8019

# a key encryption key (KEK) stored by KMS).

8020

# When using KMS to wrap/unwrap DEKs, be sure to set an appropriate

8021

# IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot

8022

# unwrap the data crypto key.

8023

"kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key

8024

# The wrapped key must be a 128/192/256 bit key.

8025

# Authorization requires the following IAM permissions when sending a request

8026

# to perform a crypto transformation using a kms-wrapped crypto key:

8027

# dlp.kms.encrypt

8028

"wrappedKey": "A String", # Required. The wrapped data crypto key.

8029

"cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.

8030

},

8031

"unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key

8032

# leaking the key. Choose another type of key if possible.

8033

"key": "A String", # Required. A 128/192/256 bit key.

8034

},

8035

"transient": { # Use this to have a random data crypto key generated. # Transient crypto key

8036

# It will be discarded after the request finishes.

8037

"name": "A String", # Required. Name of the key.

8038

# This is an arbitrary string used to differentiate different keys.

8039

# A unique key is generated per name: two separate `TransientCryptoKey`

8040

# protos share the same generated key if their names are the same.

8041

# When the data crypto key is generated, this name is not used in any way

8042

# (repeating the api call will result in a different key being generated).

},

},

},

"cryptoDeterministicConfig": { # Pseudonymization method that generates deterministic encryption for the given # Deterministic Crypto

8047

# input. Outputs a base64 encoded representation of the encrypted output.

8048

# Uses AES-SIV based on the RFC https://tools.ietf.org/html/rfc5297.

8049

"surrogateInfoType": { # Type of information detected by the API. # The custom info type to annotate the surrogate with.

8050

# This annotation will be applied to the surrogate by prefixing it with

8051

# the name of the custom info type followed by the number of

8052

# characters comprising the surrogate. The following scheme defines the

8053

# format: {info type name}({surrogate character count}):{surrogate}

8054

#

8055

# For example, if the name of custom info type is 'MY_TOKEN_INFO_TYPE' and

8056

# the surrogate is 'abc', the full replacement value

8057

# will be: 'MY_TOKEN_INFO_TYPE(3):abc'

8058

#

8059

# This annotation identifies the surrogate when inspecting content using the

8060

# custom info type 'Surrogate'. This facilitates reversal of the

8061

# surrogate when it occurs in free text.

8062

#

8063

# Note: For record transformations where the entire cell in a table is being

8064

# transformed, surrogates are not mandatory. Surrogates are used to denote

8065

# the location of the token and are necessary for re-identification in free

8066

# form text.

8067

#

8068

# In order for inspection to work properly, the name of this info type must

8069

# not occur naturally anywhere in your data; otherwise, inspection may either

8070

#

8071

# - reverse a surrogate that does not correspond to an actual identifier

8072

# - be unable to parse the surrogate and result in an error

8073

#

8074

# Therefore, choose your custom info type name carefully after considering

8075

# what your data looks like. One way to select a name that has a high chance

8076

# of yielding reliable detection is to include one or more unicode characters

8077

# that are highly improbable to exist in your data.

8078

# For example, assuming your data is entered from a regular ASCII keyboard,

8079

# the symbol with the hex code point 29DD might be used like so:

8080

# ⧝MY_TOKEN_TYPE.

8081

"name": "A String", # Name of the information type. Either a name of your choosing when

8082

# creating a CustomInfoType, or one of the names listed

8083

# at https://cloud.google.com/dlp/docs/infotypes-reference when specifying

8084

# a built-in type. InfoType names should conform to the pattern

8085

# `[a-zA-Z0-9_]{1,64}`.

8086

},

8087

"context": { # General identifier of a data field in a storage service. # A context may be used for higher security and maintaining

8088

# referential integrity such that the same identifier in two different

8089

# contexts will be given a distinct surrogate. The context is appended to

8090

# plaintext value being encrypted. On decryption the provided context is

8091

# validated against the value used during encryption. If a context was

8092

# provided during encryption, same context must be provided during decryption

8093

# as well.

8094

#

8095

# If the context is not set, plaintext would be used as is for encryption.

8096

# If the context is set but:

8097

#

8098

# 1. there is no record present when transforming a given value or

8099

# 2. the field is not present when transforming a given value,

8100

#

8101

# plaintext would be used as is for encryption.

8102

#

8103

# Note that case (1) is expected when an `InfoTypeTransformation` is

8104

# applied to both structured and non-structured `ContentItem`s.

8105

"name": "A String", # Name describing the field.

8106

},

8107

"cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the encryption function.

8108

# a key encryption key (KEK) stored by KMS).

8109

# When using KMS to wrap/unwrap DEKs, be sure to set an appropriate

8110

# IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot

8111

# unwrap the data crypto key.

8112

"kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key

8113

# The wrapped key must be a 128/192/256 bit key.

8114

# Authorization requires the following IAM permissions when sending a request

8115

# to perform a crypto transformation using a kms-wrapped crypto key:

8116

# dlp.kms.encrypt

8117

"wrappedKey": "A String", # Required. The wrapped data crypto key.

8118

"cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.

8119

},

8120

"unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key

8121

# leaking the key. Choose another type of key if possible.

8122

"key": "A String", # Required. A 128/192/256 bit key.

8123

},

8124

"transient": { # Use this to have a random data crypto key generated. # Transient crypto key

8125

# It will be discarded after the request finishes.

8126

"name": "A String", # Required. Name of the key.

8127

# This is an arbitrary string used to differentiate different keys.

8128

# A unique key is generated per name: two separate `TransientCryptoKey`

8129

# protos share the same generated key if their names are the same.

8130

# When the data crypto key is generated, this name is not used in any way

8131

# (repeating the api call will result in a different key being generated).

},

},

},

"redactConfig": { # Redact a given value. For example, if used with an `InfoTypeTransformation` # Redact

8136

# transforming PHONE_NUMBER, and input 'My phone number is 206-555-0123', the

8137

# output would be 'My phone number is '.

8138

},

8139

"bucketingConfig": { # Generalization function that buckets values based on ranges. The ranges and # Bucketing

8140

# replacement values are dynamically provided by the user for custom behavior,

8141

# such as 1-30 -> LOW 31-65 -> MEDIUM 66-100 -> HIGH

8142

# This can be used on

8143

# data of type: number, long, string, timestamp.

8144

# If the bound `Value` type differs from the type of data being transformed, we

8145

# will first attempt converting the type of the data to be transformed to match

8146

# the type of the bound before comparing.

8147

# See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more.

8148

"buckets": [ # Set of buckets. Ranges must be non-overlapping.

8149

{ # Bucket is represented as a range, along with replacement values.

8150

"min": { # Set of primitive values supported by the system. # Lower bound of the range, inclusive. Type should be the same as max if

8151

# used.

8152

# Note that for the purposes of inspection or transformation, the number

8153

# of bytes considered to comprise a 'Value' is based on its representation

8154

# as a UTF-8 encoded string. For example, if 'integer_value' is set to

8155

# 123456789, the number of bytes would be counted as 9, even though an

8156

# int64 only holds up to 8 bytes of data.

8157

"booleanValue": True or False, # boolean

8158

"floatValue": 3.14, # float

8159

"dayOfWeekValue": "A String", # day of week

8160

"timestampValue": "A String", # timestamp

8161

"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date

8162

# and time zone are either specified elsewhere or are not significant. The date

8163

# is relative to the Proleptic Gregorian Calendar. This can represent:

8164

#

8165

# * A full date, with non-zero year, month and day values

8166

# * A month and day value, with a zero year, e.g. an anniversary

8167

# * A year on its own, with zero month and day values

8168

# * A year and month value, with a zero day, e.g. a credit card expiration date

8169

#

8170

# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.

8171

"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without

8172

# a year.

8173

"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a

8174

# month and day.

8175

"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0

8176

# if specifying a year by itself or a year and month where the day is not

8177

# significant.

8178

},

8179

"stringValue": "A String", # string

8180

"integerValue": "A String", # integer

8181

"timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day

8182

# or are specified elsewhere. An API may choose to allow leap seconds. Related

8183

# types are google.type.Date and `google.protobuf.Timestamp`.

8184

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may

8185

# allow the value 60 if it allows leap-seconds.

8186

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

8187

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose

8188

# to allow the value "24:00:00" for scenarios like business closing time.

8189

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

8190

},

8191

},

8192

"max": { # Set of primitive values supported by the system. # Upper bound of the range, exclusive; type must match min.

8193

# Note that for the purposes of inspection or transformation, the number

8194

# of bytes considered to comprise a 'Value' is based on its representation

8195

# as a UTF-8 encoded string. For example, if 'integer_value' is set to

8196

# 123456789, the number of bytes would be counted as 9, even though an

8197

# int64 only holds up to 8 bytes of data.

8198

"booleanValue": True or False, # boolean

8199

"floatValue": 3.14, # float

8200

"dayOfWeekValue": "A String", # day of week

8201

"timestampValue": "A String", # timestamp

8202

"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date

8203

# and time zone are either specified elsewhere or are not significant. The date

8204

# is relative to the Proleptic Gregorian Calendar. This can represent:

8205

#

8206

# * A full date, with non-zero year, month and day values

8207

# * A month and day value, with a zero year, e.g. an anniversary

8208

# * A year on its own, with zero month and day values

8209

# * A year and month value, with a zero day, e.g. a credit card expiration date

8210

#

8211

# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.

8212

"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without

8213

# a year.

8214

"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a

8215

# month and day.

8216

"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0

8217

# if specifying a year by itself or a year and month where the day is not

8218

# significant.

8219

},

8220

"stringValue": "A String", # string

8221

"integerValue": "A String", # integer

8222

"timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day

8223

# or are specified elsewhere. An API may choose to allow leap seconds. Related

8224

# types are google.type.Date and `google.protobuf.Timestamp`.

8225

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may

8226

# allow the value 60 if it allows leap-seconds.

8227

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

8228

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose

8229

# to allow the value "24:00:00" for scenarios like business closing time.

8230

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

8231

},

8232

},

8233

"replacementValue": { # Set of primitive values supported by the system. # Replacement value for this bucket. If not provided

8234

# the default behavior will be to hyphenate the min-max range.

8235

# Note that for the purposes of inspection or transformation, the number

8236

# of bytes considered to comprise a 'Value' is based on its representation

8237

# as a UTF-8 encoded string. For example, if 'integer_value' is set to

8238

# 123456789, the number of bytes would be counted as 9, even though an

8239

# int64 only holds up to 8 bytes of data.

8240

"booleanValue": True or False, # boolean

8241

"floatValue": 3.14, # float

8242

"dayOfWeekValue": "A String", # day of week

8243

"timestampValue": "A String", # timestamp

8244

"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date

8245

# and time zone are either specified elsewhere or are not significant. The date

8246

# is relative to the Proleptic Gregorian Calendar. This can represent:

8247

#

8248

# * A full date, with non-zero year, month and day values

8249

# * A month and day value, with a zero year, e.g. an anniversary

8250

# * A year on its own, with zero month and day values

8251

# * A year and month value, with a zero day, e.g. a credit card expiration date

8252

#

8253

# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.

8254

"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without

8255

# a year.

8256

"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a

8257

# month and day.

8258

"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0

8259

# if specifying a year by itself or a year and month where the day is not

8260

# significant.

8261

},

8262

"stringValue": "A String", # string

8263

"integerValue": "A String", # integer

8264

"timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day

8265

# or are specified elsewhere. An API may choose to allow leap seconds. Related

8266

# types are google.type.Date and `google.protobuf.Timestamp`.

8267

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may

8268

# allow the value 60 if it allows leap-seconds.

8269

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

8270

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose

8271

# to allow the value "24:00:00" for scenarios like business closing time.

8272

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

},

},

},

],

},

"replaceConfig": { # Replace each input value with a given `Value`. # Replace

8279

"newValue": { # Set of primitive values supported by the system. # Value to replace it with.

8280

# Note that for the purposes of inspection or transformation, the number

8281

# of bytes considered to comprise a 'Value' is based on its representation

8282

# as a UTF-8 encoded string. For example, if 'integer_value' is set to

8283

# 123456789, the number of bytes would be counted as 9, even though an

8284

# int64 only holds up to 8 bytes of data.

8285

"booleanValue": True or False, # boolean

8286

"floatValue": 3.14, # float

8287

"dayOfWeekValue": "A String", # day of week

8288

"timestampValue": "A String", # timestamp

8289

"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date

8290

# and time zone are either specified elsewhere or are not significant. The date

8291

# is relative to the Proleptic Gregorian Calendar. This can represent:

8292

#

8293

# * A full date, with non-zero year, month and day values

8294

# * A month and day value, with a zero year, e.g. an anniversary

8295

# * A year on its own, with zero month and day values

8296

# * A year and month value, with a zero day, e.g. a credit card expiration date

8297

#

8298

# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.

8299

"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without

8300

# a year.

8301

"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a

8302

# month and day.

8303

"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0

8304

# if specifying a year by itself or a year and month where the day is not

8305

# significant.

8306

},

8307

"stringValue": "A String", # string

8308

"integerValue": "A String", # integer

8309

"timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day

8310

# or are specified elsewhere. An API may choose to allow leap seconds. Related

8311

# types are google.type.Date and `google.protobuf.Timestamp`.

8312

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may

8313

# allow the value 60 if it allows leap-seconds.

8314

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

8315

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose

8316

# to allow the value "24:00:00" for scenarios like business closing time.

8317

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

},

},

},

"characterMaskConfig": { # Partially mask a string by replacing a given number of characters with a # Mask

8322

# fixed character. Masking can start from the beginning or end of the string.

8323

# This can be used on data of any type (numbers, longs, and so on) and when

8324

# de-identifying structured data we'll attempt to preserve the original data's

8325

# type. (This allows you to take a long like 123 and modify it to a string like

8326

# **3.

8327

"reverseOrder": True or False, # Mask characters in reverse order. For example, if `masking_character` is

8328

# `0`, `number_to_mask` is `14`, and `reverse_order` is `false`, then the

8329

# input string `1234-5678-9012-3456` is masked as `00000000000000-3456`.

8330

# If `masking_character` is `*`, `number_to_mask` is `3`, and `reverse_order`

8331

# is `true`, then the string `12345` is masked as `12***`.

8332

"charactersToIgnore": [ # When masking a string, items in this list will be skipped when replacing

8333

# characters. For example, if the input string is `555-555-5555` and you

8334

# instruct Cloud DLP to skip `-` and mask 5 characters with `*`, Cloud DLP

8335

# returns `***-**5-5555`.

8336

{ # Characters to skip when doing deidentification of a value. These will be left

8337

# alone and skipped.

8338

"charactersToSkip": "A String", # Characters to not transform when masking.

8339

"commonCharactersToIgnore": "A String", # Common characters to not transform when masking. Useful to avoid removing

# punctuation.

},

],

"numberToMask": 42, # Number of characters to mask. If not set, all matching chars will be

8344

# masked. Skipped characters do not count towards this tally.

8345

"maskingCharacter": "A String", # Character to use to mask the sensitive values&mdash;for example, `*` for an

8346

# alphabetic string such as a name, or `0` for a numeric string such as ZIP

8347

# code or credit card number. This string must have a length of 1. If not

8348

# supplied, this value defaults to `*` for strings, and `0` for digits.

8349

},

8350

"fixedSizeBucketingConfig": { # Buckets values based on fixed size ranges. The # Fixed size bucketing

8351

# Bucketing transformation can provide all of this functionality,

8352

# but requires more configuration. This message is provided as a convenience to

8353

# the user for simple bucketing strategies.

8354

#

8355

# The transformed value will be a hyphenated string of

8356

# {lower_bound}-{upper_bound}, i.e if lower_bound = 10 and upper_bound = 20

8357

# all values that are within this bucket will be replaced with "10-20".

8358

#

8359

# This can be used on data of type: double, long.

8360

#

8361

# If the bound Value type differs from the type of data

8362

# being transformed, we will first attempt converting the type of the data to

8363

# be transformed to match the type of the bound before comparing.

8364

#

8365

# See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more.

8366

"lowerBound": { # Set of primitive values supported by the system. # Required. Lower bound value of buckets. All values less than `lower_bound` are

8367

# grouped together into a single bucket; for example if `lower_bound` = 10,

8368

# then all values less than 10 are replaced with the value "-10".

8369

# Note that for the purposes of inspection or transformation, the number

8370

# of bytes considered to comprise a 'Value' is based on its representation

8371

# as a UTF-8 encoded string. For example, if 'integer_value' is set to

8372

# 123456789, the number of bytes would be counted as 9, even though an

8373

# int64 only holds up to 8 bytes of data.

8374

"booleanValue": True or False, # boolean

8375

"floatValue": 3.14, # float

8376

"dayOfWeekValue": "A String", # day of week

8377

"timestampValue": "A String", # timestamp

8378

"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date

8379

# and time zone are either specified elsewhere or are not significant. The date

8380

# is relative to the Proleptic Gregorian Calendar. This can represent:

8381

#

8382

# * A full date, with non-zero year, month and day values

8383

# * A month and day value, with a zero year, e.g. an anniversary

8384

# * A year on its own, with zero month and day values

8385

# * A year and month value, with a zero day, e.g. a credit card expiration date

8386

#

8387

# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.

8388

"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without

8389

# a year.

8390

"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a

8391

# month and day.

8392

"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0

8393

# if specifying a year by itself or a year and month where the day is not

8394

# significant.

8395

},

8396

"stringValue": "A String", # string

8397

"integerValue": "A String", # integer

8398

"timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day

8399

# or are specified elsewhere. An API may choose to allow leap seconds. Related

8400

# types are google.type.Date and `google.protobuf.Timestamp`.

8401

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may

8402

# allow the value 60 if it allows leap-seconds.

8403

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

8404

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose

8405

# to allow the value "24:00:00" for scenarios like business closing time.

8406

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

8407

},

8408

},

8409

"upperBound": { # Set of primitive values supported by the system. # Required. Upper bound value of buckets. All values greater than upper_bound are

8410

# grouped together into a single bucket; for example if `upper_bound` = 89,

8411

# then all values greater than 89 are replaced with the value "89+".

8412

# Note that for the purposes of inspection or transformation, the number

8413

# of bytes considered to comprise a 'Value' is based on its representation

8414

# as a UTF-8 encoded string. For example, if 'integer_value' is set to

8415

# 123456789, the number of bytes would be counted as 9, even though an

8416

# int64 only holds up to 8 bytes of data.

8417

"booleanValue": True or False, # boolean

8418

"floatValue": 3.14, # float

8419

"dayOfWeekValue": "A String", # day of week

8420

"timestampValue": "A String", # timestamp

8421

"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date

8422

# and time zone are either specified elsewhere or are not significant. The date

8423

# is relative to the Proleptic Gregorian Calendar. This can represent:

8424

#

8425

# * A full date, with non-zero year, month and day values

8426

# * A month and day value, with a zero year, e.g. an anniversary

8427

# * A year on its own, with zero month and day values

8428

# * A year and month value, with a zero day, e.g. a credit card expiration date

8429

#

8430

# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.

8431

"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without

8432

# a year.

8433

"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a

8434

# month and day.

8435

"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0

8436

# if specifying a year by itself or a year and month where the day is not

8437

# significant.

8438

},

8439

"stringValue": "A String", # string

8440

"integerValue": "A String", # integer

8441

"timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day

8442

# or are specified elsewhere. An API may choose to allow leap seconds. Related

8443

# types are google.type.Date and `google.protobuf.Timestamp`.

8444

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may

8445

# allow the value 60 if it allows leap-seconds.

8446

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

8447

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose

8448

# to allow the value "24:00:00" for scenarios like business closing time.

8449

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

8450

},

8451

},

8452

"bucketSize": 3.14, # Required. Size of each bucket (except for minimum and maximum buckets). So if

8453

# `lower_bound` = 10, `upper_bound` = 89, and `bucket_size` = 10, then the

8454

# following buckets would be used: -10, 10-20, 20-30, 30-40, 40-50, 50-60,

8455

# 60-70, 70-80, 80-89, 89+. Precision up to 2 decimals works.

},

},

},

],

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

8460

},

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

8461

},

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

},

],

}</pre>

</div>

<code class="details" id="list_next">list_next(previous_request, previous_response)</code>

8469

<pre>Retrieves the next page of results.

8470

8471

Args:

8472

previous_request: The request for the previous page. (required)

8473

previous_response: The response from the request for the previous page. (required)

8474

8475

Returns:

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

8476

A request object that you can call 'execute()' on to request the next

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

8477

page. Returns None if there are no more items in the collection.

</pre>

</div>

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

8482

<code class="details" id="patch">patch(name, body=None, x__xgafv=None)</code>

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

8483

<pre>Updates the DeidentifyTemplate.

8484

See https://cloud.google.com/dlp/docs/creating-templates-deid to learn

8485

more.

8486

8487

Args:

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

8488

name: string, Required. Resource name of organization and deidentify template to be updated, for

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

8489

example `organizations/433245324/deidentifyTemplates/432452342` or

8490

projects/project-id/deidentifyTemplates/432452342. (required)

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

8491

body: object, The request body.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

8492

The object takes the form of:

8493

8494

{ # Request message for UpdateDeidentifyTemplate.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

8495

"deidentifyTemplate": { # DeidentifyTemplates contains instructions on how to de-identify content. # New DeidentifyTemplate value.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

8496

# See https://cloud.google.com/dlp/docs/concepts-templates to learn more.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

8497

"name": "A String", # Output only. The template name.

8498

#

8499

# The template will have one of the following formats:

8500

# `projects/PROJECT_ID/deidentifyTemplates/TEMPLATE_ID` OR

8501

# `organizations/ORGANIZATION_ID/deidentifyTemplates/TEMPLATE_ID`

8502

"description": "A String", # Short description (max 256 chars).

8503

"displayName": "A String", # Display name (max 256 chars).

8504

"createTime": "A String", # Output only. The creation timestamp of an inspectTemplate.

8505

"updateTime": "A String", # Output only. The last update timestamp of an inspectTemplate.

8506

"deidentifyConfig": { # The configuration that controls how the data will change. # ///////////// // The core content of the template // ///////////////

8507

"transformationErrorHandling": { # How to handle transformation errors during de-identification. A # Mode for handling transformation errors. If left unspecified, the default

8508

# mode is `TransformationErrorHandling.ThrowError`.

8509

# transformation error occurs when the requested transformation is incompatible

8510

# with the data. For example, trying to de-identify an IP address using a

8511

# `DateShift` transformation would result in a transformation error, since date

8512

# info cannot be extracted from an IP address.

8513

# Information about any incompatible transformations, and how they were

8514

# handled, is returned in the response as part of the

8515

# `TransformationOverviews`.

8516

"throwError": { # Throw an error and fail the request when a transformation error occurs. # Throw an error

8517

},

8518

"leaveUntransformed": { # Skips the data without modifying it if the requested transformation would # Ignore errors

8519

# cause an error. For example, if a `DateShift` transformation were applied

8520

# an an IP address, this mode would leave the IP address unchanged in the

8521

# response.

8522

},

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

8523

},

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

8524

"recordTransformations": { # A type of transformation that is applied over structured data such as a # Treat the dataset as structured. Transformations can be applied to

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

8525

# specific locations within structured datasets, such as transforming

8526

# a column within a table.

8527

# table.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

8528

"recordSuppressions": [ # Configuration defining which records get suppressed entirely. Records that

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

8529

# match any suppression rule are omitted from the output.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

8530

{ # Configuration to suppress records whose suppression conditions evaluate to

8531

# true.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

8532

"condition": { # A condition for determining whether a transformation should be applied to # A condition that when it evaluates to true will result in the record being

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

8533

# evaluated to be suppressed from the transformed content.

8534

# a field.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

8535

"expressions": { # An expression, consisting or an operator and conditions. # An expression.

8536

"logicalOperator": "A String", # The operator to apply to the result of conditions. Default and currently

8537

# only supported value is `AND`.

8538

"conditions": { # A collection of conditions. # Conditions to apply to the expression.

8539

"conditions": [ # A collection of conditions.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

8540

{ # The field type of `value` and `field` do not need to match to be

8541

# considered equal, but not all comparisons are possible.

8542

# EQUAL_TO and NOT_EQUAL_TO attempt to compare even with incompatible types,

8543

# but all other comparisons are invalid with incompatible types.

8544

# A `value` of type:

8545

#

8546

# - `string` can be compared against all other types

8547

# - `boolean` can only be compared against other booleans

8548

# - `integer` can be compared against doubles or a string if the string value

8549

# can be parsed as an integer.

8550

# - `double` can be compared against integers or a string if the string can

8551

# be parsed as a double.

8552

# - `Timestamp` can be compared against strings in RFC 3339 date string

8553

# format.

8554

# - `TimeOfDay` can be compared against timestamps and strings in the format

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

8555

# of 'HH:mm:ss'.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

8556

#

8557

# If we fail to compare do to type mismatch, a warning will be given and

8558

# the condition will evaluate to false.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

8559

"field": { # General identifier of a data field in a storage service. # Required. Field within the record this condition is evaluated against.

8560

"name": "A String", # Name describing the field.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

8561

},

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

8562

"operator": "A String", # Required. Operator used to compare the field or infoType to the value.

8563

"value": { # Set of primitive values supported by the system. # Value to compare against. [Mandatory, except for `EXISTS` tests.]

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

8564

# Note that for the purposes of inspection or transformation, the number

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

8565

# of bytes considered to comprise a 'Value' is based on its representation

8566

# as a UTF-8 encoded string. For example, if 'integer_value' is set to

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

8567

# 123456789, the number of bytes would be counted as 9, even though an

8568

# int64 only holds up to 8 bytes of data.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

8569

"booleanValue": True or False, # boolean

8570

"floatValue": 3.14, # float

8571

"dayOfWeekValue": "A String", # day of week

8572

"timestampValue": "A String", # timestamp

8573

"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

8574

# and time zone are either specified elsewhere or are not significant. The date

8575

# is relative to the Proleptic Gregorian Calendar. This can represent:

8576

#

8577

# * A full date, with non-zero year, month and day values

8578

# * A month and day value, with a zero year, e.g. an anniversary

8579

# * A year on its own, with zero month and day values

8580

# * A year and month value, with a zero day, e.g. a credit card expiration date

8581

#

8582

# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

8583

"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without

8584

# a year.

8585

"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

8586

# month and day.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

8587

"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

8588

# if specifying a year by itself or a year and month where the day is not

8589

# significant.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

8590

},

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

8591

"stringValue": "A String", # string

8592

"integerValue": "A String", # integer

8593

"timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day

8594

# or are specified elsewhere. An API may choose to allow leap seconds. Related

8595

# types are google.type.Date and `google.protobuf.Timestamp`.

8596

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may

8597

# allow the value 60 if it allows leap-seconds.

8598

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

8599

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose

8600

# to allow the value "24:00:00" for scenarios like business closing time.

8601

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

8602

},

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

},

},

],

},

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

},

},

},

],

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

8611

"fieldTransformations": [ # Transform the record by applying various field transformations.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

8612

{ # The transformation to apply to the field.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

8613

"fields": [ # Required. Input field(s) to apply the transformation to.

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

8614

{ # General identifier of a data field in a storage service.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

8615

"name": "A String", # Name describing the field.

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

8616

},

8617

],

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

8618

"infoTypeTransformations": { # A type of transformation that will scan unstructured text and # Treat the contents of the field as free text, and selectively

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

8619

# transform content that matches an `InfoType`.

8620

# apply various `PrimitiveTransformation`s to each finding, where the

8621

# transformation is applied to only values that were identified as a specific

8622

# info_type.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

8623

"transformations": [ # Required. Transformation for each infoType. Cannot specify more than one

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

8624

# for a given infoType.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

8625

{ # A transformation to apply to text that is identified as a specific

8626

# info_type.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

8627

"infoTypes": [ # InfoTypes to apply the transformation to. An empty list will cause

8628

# this transformation to apply to all findings that correspond to

8629

# infoTypes that were requested in `InspectConfig`.

8630

{ # Type of information detected by the API.

8631

"name": "A String", # Name of the information type. Either a name of your choosing when

8632

# creating a CustomInfoType, or one of the names listed

8633

# at https://cloud.google.com/dlp/docs/infotypes-reference when specifying

8634

# a built-in type. InfoType names should conform to the pattern

8635

# `[a-zA-Z0-9_]{1,64}`.

8636

},

8637

],

8638

"primitiveTransformation": { # A rule for transforming a value. # Required. Primitive transformation to apply to the infoType.

8639

"timePartConfig": { # For use with `Date`, `Timestamp`, and `TimeOfDay`, extract or preserve a # Time extraction

8640

# portion of the value.

8641

"partToExtract": "A String", # The part of the time to keep.

8642

},

8643

"dateShiftConfig": { # Shifts dates by random number of days, with option to be consistent for the # Date Shift

8644

# same context. See https://cloud.google.com/dlp/docs/concepts-date-shifting

8645

# to learn more.

8646

"context": { # General identifier of a data field in a storage service. # Points to the field that contains the context, for example, an entity id.

8647

# If set, must also set cryptoKey. If set, shift will be consistent for the

8648

# given context.

8649

"name": "A String", # Name describing the field.

8650

},

8651

"upperBoundDays": 42, # Required. Range of shift in days. Actual shift will be selected at random within this

8652

# range (inclusive ends). Negative means shift to earlier in time. Must not

8653

# be more than 365250 days (1000 years) each direction.

8654

#

8655

# For example, 3 means shift date to at most 3 days into the future.

8656

"lowerBoundDays": 42, # Required. For example, -5 means shift date to at most 5 days back in the past.

8657

"cryptoKey": { # This is a data encryption key (DEK) (as opposed to # Causes the shift to be computed based on this key and the context. This

8658

# results in the same shift for the same context and crypto_key. If

8659

# set, must also set context. Can only be applied to table items.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

8660

# a key encryption key (KEK) stored by KMS).

8661

# When using KMS to wrap/unwrap DEKs, be sure to set an appropriate

8662

# IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot

8663

# unwrap the data crypto key.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

8664

"kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

8665

# The wrapped key must be a 128/192/256 bit key.

8666

# Authorization requires the following IAM permissions when sending a request

8667

# to perform a crypto transformation using a kms-wrapped crypto key:

8668

# dlp.kms.encrypt

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

8669

"wrappedKey": "A String", # Required. The wrapped data crypto key.

8670

"cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

8671

},

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

8672

"unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

8673

# leaking the key. Choose another type of key if possible.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

8674

"key": "A String", # Required. A 128/192/256 bit key.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

8675

},

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

8676

"transient": { # Use this to have a random data crypto key generated. # Transient crypto key

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

8677

# It will be discarded after the request finishes.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

8678

"name": "A String", # Required. Name of the key.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

8679

# This is an arbitrary string used to differentiate different keys.

8680

# A unique key is generated per name: two separate `TransientCryptoKey`

8681

# protos share the same generated key if their names are the same.

8682

# When the data crypto key is generated, this name is not used in any way

8683

# (repeating the api call will result in a different key being generated).

8684

},

8685

},

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

8686

},

8687

"replaceWithInfoTypeConfig": { # Replace each matching finding with the name of the info_type. # Replace with infotype

8688

},

8689

"cryptoHashConfig": { # Pseudonymization method that generates surrogates via cryptographic hashing. # Crypto

8690

# Uses SHA-256.

8691

# The key size must be either 32 or 64 bytes.

8692

# Outputs a base64 encoded representation of the hashed output

8693

# (for example, L7k0BHmF1ha5U3NfGykjro4xWi1MPVQPjhMAZbSV9mM=).

8694

# Currently, only string and integer values can be hashed.

8695

# See https://cloud.google.com/dlp/docs/pseudonymization to learn more.

8696

"cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the hash function.

8697

# a key encryption key (KEK) stored by KMS).

8698

# When using KMS to wrap/unwrap DEKs, be sure to set an appropriate

8699

# IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot

8700

# unwrap the data crypto key.

8701

"kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key

8702

# The wrapped key must be a 128/192/256 bit key.

8703

# Authorization requires the following IAM permissions when sending a request

8704

# to perform a crypto transformation using a kms-wrapped crypto key:

8705

# dlp.kms.encrypt

8706

"wrappedKey": "A String", # Required. The wrapped data crypto key.

8707

"cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.

8708

},

8709

"unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key

8710

# leaking the key. Choose another type of key if possible.

8711

"key": "A String", # Required. A 128/192/256 bit key.

8712

},

8713

"transient": { # Use this to have a random data crypto key generated. # Transient crypto key

8714

# It will be discarded after the request finishes.

8715

"name": "A String", # Required. Name of the key.

8716

# This is an arbitrary string used to differentiate different keys.

8717

# A unique key is generated per name: two separate `TransientCryptoKey`

8718

# protos share the same generated key if their names are the same.

8719

# When the data crypto key is generated, this name is not used in any way

8720

# (repeating the api call will result in a different key being generated).

},

},

},

"cryptoReplaceFfxFpeConfig": { # Replaces an identifier with a surrogate using Format Preserving Encryption # Ffx-Fpe

8725

# (FPE) with the FFX mode of operation; however when used in the

8726

# `ReidentifyContent` API method, it serves the opposite function by reversing

8727

# the surrogate back into the original identifier. The identifier must be

8728

# encoded as ASCII. For a given crypto key and context, the same identifier

8729

# will be replaced with the same surrogate. Identifiers must be at least two

8730

# characters long. In the case that the identifier is the empty string, it will

8731

# be skipped. See https://cloud.google.com/dlp/docs/pseudonymization to learn

8732

# more.

8733

#

8734

# Note: We recommend using CryptoDeterministicConfig for all use cases which

8735

# do not require preserving the input alphabet space and size, plus warrant

8736

# referential integrity.

8737

"customAlphabet": "A String", # This is supported by mapping these to the alphanumeric characters

8738

# that the FFX mode natively supports. This happens before/after

8739

# encryption/decryption.

8740

# Each character listed must appear only once.

8741

# Number of characters must be in the range [2, 95].

8742

# This must be encoded as ASCII.

8743

# The order of characters does not matter.

8744

"commonAlphabet": "A String", # Common alphabets.

8745

"surrogateInfoType": { # Type of information detected by the API. # The custom infoType to annotate the surrogate with.

8746

# This annotation will be applied to the surrogate by prefixing it with

8747

# the name of the custom infoType followed by the number of

8748

# characters comprising the surrogate. The following scheme defines the

8749

# format: info_type_name(surrogate_character_count):surrogate

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

8750

#

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

8751

# For example, if the name of custom infoType is 'MY_TOKEN_INFO_TYPE' and

8752

# the surrogate is 'abc', the full replacement value

8753

# will be: 'MY_TOKEN_INFO_TYPE(3):abc'

8754

#

8755

# This annotation identifies the surrogate when inspecting content using the

8756

# custom infoType

8757

# [`SurrogateType`](/dlp/docs/reference/rest/v2/InspectConfig#surrogatetype).

8758

# This facilitates reversal of the surrogate when it occurs in free text.

8759

#

8760

# In order for inspection to work properly, the name of this infoType must

8761

# not occur naturally anywhere in your data; otherwise, inspection may

8762

# find a surrogate that does not correspond to an actual identifier.

8763

# Therefore, choose your custom infoType name carefully after considering

8764

# what your data looks like. One way to select a name that has a high chance

8765

# of yielding reliable detection is to include one or more unicode characters

8766

# that are highly improbable to exist in your data.

8767

# For example, assuming your data is entered from a regular ASCII keyboard,

8768

# the symbol with the hex code point 29DD might be used like so:

8769

# ⧝MY_TOKEN_TYPE

8770

"name": "A String", # Name of the information type. Either a name of your choosing when

8771

# creating a CustomInfoType, or one of the names listed

8772

# at https://cloud.google.com/dlp/docs/infotypes-reference when specifying

8773

# a built-in type. InfoType names should conform to the pattern

8774

# `[a-zA-Z0-9_]{1,64}`.

8775

},

8776

"context": { # General identifier of a data field in a storage service. # The 'tweak', a context may be used for higher security since the same

8777

# identifier in two different contexts won't be given the same surrogate. If

8778

# the context is not set, a default tweak will be used.

8779

#

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

8780

# If the context is set but:

8781

#

8782

# 1. there is no record present when transforming a given value or

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

8783

# 1. the field is not present when transforming a given value,

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

8784

#

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

8785

# a default tweak will be used.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

8786

#

8787

# Note that case (1) is expected when an `InfoTypeTransformation` is

8788

# applied to both structured and non-structured `ContentItem`s.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

8789

# Currently, the referenced field may be of value type integer or string.

8790

#

8791

# The tweak is constructed as a sequence of bytes in big endian byte order

8792

# such that:

8793

#

8794

# - a 64 bit integer is encoded followed by a single byte of value 1

8795

# - a string is encoded in UTF-8 format followed by a single byte of value 2

8796

"name": "A String", # Name describing the field.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

8797

},

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

8798

"radix": 42, # The native way to select the alphabet. Must be in the range [2, 95].

8799

"cryptoKey": { # This is a data encryption key (DEK) (as opposed to # Required. The key used by the encryption algorithm.

8800

# a key encryption key (KEK) stored by KMS).

8801

# When using KMS to wrap/unwrap DEKs, be sure to set an appropriate

8802

# IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot

8803

# unwrap the data crypto key.

8804

"kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key

8805

# The wrapped key must be a 128/192/256 bit key.

8806

# Authorization requires the following IAM permissions when sending a request

8807

# to perform a crypto transformation using a kms-wrapped crypto key:

8808

# dlp.kms.encrypt

8809

"wrappedKey": "A String", # Required. The wrapped data crypto key.

8810

"cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.

8811

},

8812

"unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key

8813

# leaking the key. Choose another type of key if possible.

8814

"key": "A String", # Required. A 128/192/256 bit key.

8815

},

8816

"transient": { # Use this to have a random data crypto key generated. # Transient crypto key

8817

# It will be discarded after the request finishes.

8818

"name": "A String", # Required. Name of the key.

8819

# This is an arbitrary string used to differentiate different keys.

8820

# A unique key is generated per name: two separate `TransientCryptoKey`

8821

# protos share the same generated key if their names are the same.

8822

# When the data crypto key is generated, this name is not used in any way

8823

# (repeating the api call will result in a different key being generated).

},

},

},

"cryptoDeterministicConfig": { # Pseudonymization method that generates deterministic encryption for the given # Deterministic Crypto

8828

# input. Outputs a base64 encoded representation of the encrypted output.

8829

# Uses AES-SIV based on the RFC https://tools.ietf.org/html/rfc5297.

8830

"surrogateInfoType": { # Type of information detected by the API. # The custom info type to annotate the surrogate with.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

8831

# This annotation will be applied to the surrogate by prefixing it with

8832

# the name of the custom info type followed by the number of

8833

# characters comprising the surrogate. The following scheme defines the

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

8834

# format: {info type name}({surrogate character count}):{surrogate}

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

8835

#

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

8836

# For example, if the name of custom info type is 'MY_TOKEN_INFO_TYPE' and

8837

# the surrogate is 'abc', the full replacement value

8838

# will be: 'MY_TOKEN_INFO_TYPE(3):abc'

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

8839

#

8840

# This annotation identifies the surrogate when inspecting content using the

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

8841

# custom info type 'Surrogate'. This facilitates reversal of the

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

8842

# surrogate when it occurs in free text.

8843

#

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

8844

# Note: For record transformations where the entire cell in a table is being

8845

# transformed, surrogates are not mandatory. Surrogates are used to denote

8846

# the location of the token and are necessary for re-identification in free

8847

# form text.

8848

#

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

8849

# In order for inspection to work properly, the name of this info type must

8850

# not occur naturally anywhere in your data; otherwise, inspection may either

8851

#

8852

# - reverse a surrogate that does not correspond to an actual identifier

8853

# - be unable to parse the surrogate and result in an error

8854

#

8855

# Therefore, choose your custom info type name carefully after considering

8856

# what your data looks like. One way to select a name that has a high chance

8857

# of yielding reliable detection is to include one or more unicode characters

8858

# that are highly improbable to exist in your data.

8859

# For example, assuming your data is entered from a regular ASCII keyboard,

8860

# the symbol with the hex code point 29DD might be used like so:

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

8861

# ⧝MY_TOKEN_TYPE.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

8862

"name": "A String", # Name of the information type. Either a name of your choosing when

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

8863

# creating a CustomInfoType, or one of the names listed

8864

# at https://cloud.google.com/dlp/docs/infotypes-reference when specifying

8865

# a built-in type. InfoType names should conform to the pattern

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

8866

# `[a-zA-Z0-9_]{1,64}`.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

8867

},

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

8868

"context": { # General identifier of a data field in a storage service. # A context may be used for higher security and maintaining

8869

# referential integrity such that the same identifier in two different

8870

# contexts will be given a distinct surrogate. The context is appended to

8871

# plaintext value being encrypted. On decryption the provided context is

8872

# validated against the value used during encryption. If a context was

8873

# provided during encryption, same context must be provided during decryption

8874

# as well.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

8875

#

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

8876

# If the context is not set, plaintext would be used as is for encryption.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

8877

# If the context is set but:

8878

#

8879

# 1. there is no record present when transforming a given value or

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

8880

# 2. the field is not present when transforming a given value,

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

8881

#

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

8882

# plaintext would be used as is for encryption.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

8883

#

8884

# Note that case (1) is expected when an `InfoTypeTransformation` is

8885

# applied to both structured and non-structured `ContentItem`s.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

8886

"name": "A String", # Name describing the field.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

8887

},

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

8888

"cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the encryption function.

8889

# a key encryption key (KEK) stored by KMS).

8890

# When using KMS to wrap/unwrap DEKs, be sure to set an appropriate

8891

# IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot

8892

# unwrap the data crypto key.

8893

"kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key

8894

# The wrapped key must be a 128/192/256 bit key.

8895

# Authorization requires the following IAM permissions when sending a request

8896

# to perform a crypto transformation using a kms-wrapped crypto key:

8897

# dlp.kms.encrypt

8898

"wrappedKey": "A String", # Required. The wrapped data crypto key.

8899

"cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.

8900

},

8901

"unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key

8902

# leaking the key. Choose another type of key if possible.

8903

"key": "A String", # Required. A 128/192/256 bit key.

8904

},

8905

"transient": { # Use this to have a random data crypto key generated. # Transient crypto key

8906

# It will be discarded after the request finishes.

8907

"name": "A String", # Required. Name of the key.

8908

# This is an arbitrary string used to differentiate different keys.

8909

# A unique key is generated per name: two separate `TransientCryptoKey`

8910

# protos share the same generated key if their names are the same.

8911

# When the data crypto key is generated, this name is not used in any way

8912

# (repeating the api call will result in a different key being generated).

8913

},

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

8914

},

8915

},

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

8916

"redactConfig": { # Redact a given value. For example, if used with an `InfoTypeTransformation` # Redact

8917

# transforming PHONE_NUMBER, and input 'My phone number is 206-555-0123', the

8918

# output would be 'My phone number is '.

8919

},

8920

"bucketingConfig": { # Generalization function that buckets values based on ranges. The ranges and # Bucketing

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

8921

# replacement values are dynamically provided by the user for custom behavior,

8922

# such as 1-30 -> LOW 31-65 -> MEDIUM 66-100 -> HIGH

8923

# This can be used on

8924

# data of type: number, long, string, timestamp.

8925

# If the bound `Value` type differs from the type of data being transformed, we

8926

# will first attempt converting the type of the data to be transformed to match

8927

# the type of the bound before comparing.

8928

# See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

8929

"buckets": [ # Set of buckets. Ranges must be non-overlapping.

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

8930

{ # Bucket is represented as a range, along with replacement values.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

8931

"min": { # Set of primitive values supported by the system. # Lower bound of the range, inclusive. Type should be the same as max if

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

8932

# used.

8933

# Note that for the purposes of inspection or transformation, the number

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

8934

# of bytes considered to comprise a 'Value' is based on its representation

8935

# as a UTF-8 encoded string. For example, if 'integer_value' is set to

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

8936

# 123456789, the number of bytes would be counted as 9, even though an

8937

# int64 only holds up to 8 bytes of data.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

8938

"booleanValue": True or False, # boolean

8939

"floatValue": 3.14, # float

8940

"dayOfWeekValue": "A String", # day of week

8941

"timestampValue": "A String", # timestamp

8942

"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

8943

# and time zone are either specified elsewhere or are not significant. The date

8944

# is relative to the Proleptic Gregorian Calendar. This can represent:

8945

#

8946

# * A full date, with non-zero year, month and day values

8947

# * A month and day value, with a zero year, e.g. an anniversary

8948

# * A year on its own, with zero month and day values

8949

# * A year and month value, with a zero day, e.g. a credit card expiration date

8950

#

8951

# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

8952

"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without

8953

# a year.

8954

"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

8955

# month and day.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

8956

"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

8957

# if specifying a year by itself or a year and month where the day is not

8958

# significant.

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

8959

},

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

8960

"stringValue": "A String", # string

8961

"integerValue": "A String", # integer

8962

"timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day

8963

# or are specified elsewhere. An API may choose to allow leap seconds. Related

8964

# types are google.type.Date and `google.protobuf.Timestamp`.

8965

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may

8966

# allow the value 60 if it allows leap-seconds.

8967

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

8968

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose

8969

# to allow the value "24:00:00" for scenarios like business closing time.

8970

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

8971

},

8972

},

8973

"max": { # Set of primitive values supported by the system. # Upper bound of the range, exclusive; type must match min.

8974

# Note that for the purposes of inspection or transformation, the number

8975

# of bytes considered to comprise a 'Value' is based on its representation

8976

# as a UTF-8 encoded string. For example, if 'integer_value' is set to

8977

# 123456789, the number of bytes would be counted as 9, even though an

8978

# int64 only holds up to 8 bytes of data.

8979

"booleanValue": True or False, # boolean

8980

"floatValue": 3.14, # float

8981

"dayOfWeekValue": "A String", # day of week

8982

"timestampValue": "A String", # timestamp

8983

"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date

8984

# and time zone are either specified elsewhere or are not significant. The date

8985

# is relative to the Proleptic Gregorian Calendar. This can represent:

8986

#

8987

# * A full date, with non-zero year, month and day values

8988

# * A month and day value, with a zero year, e.g. an anniversary

8989

# * A year on its own, with zero month and day values

8990

# * A year and month value, with a zero day, e.g. a credit card expiration date

8991

#

8992

# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.

8993

"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without

8994

# a year.

8995

"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a

8996

# month and day.

8997

"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0

8998

# if specifying a year by itself or a year and month where the day is not

8999

# significant.

9000

},

9001

"stringValue": "A String", # string

9002

"integerValue": "A String", # integer

9003

"timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day

9004

# or are specified elsewhere. An API may choose to allow leap seconds. Related

9005

# types are google.type.Date and `google.protobuf.Timestamp`.

9006

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may

9007

# allow the value 60 if it allows leap-seconds.

9008

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

9009

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose

9010

# to allow the value "24:00:00" for scenarios like business closing time.

9011

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

9012

},

9013

},

9014

"replacementValue": { # Set of primitive values supported by the system. # Replacement value for this bucket. If not provided

9015

# the default behavior will be to hyphenate the min-max range.

9016

# Note that for the purposes of inspection or transformation, the number

9017

# of bytes considered to comprise a 'Value' is based on its representation

9018

# as a UTF-8 encoded string. For example, if 'integer_value' is set to

9019

# 123456789, the number of bytes would be counted as 9, even though an

9020

# int64 only holds up to 8 bytes of data.

9021

"booleanValue": True or False, # boolean

9022

"floatValue": 3.14, # float

9023

"dayOfWeekValue": "A String", # day of week

9024

"timestampValue": "A String", # timestamp

9025

"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date

9026

# and time zone are either specified elsewhere or are not significant. The date

9027

# is relative to the Proleptic Gregorian Calendar. This can represent:

9028

#

9029

# * A full date, with non-zero year, month and day values

9030

# * A month and day value, with a zero year, e.g. an anniversary

9031

# * A year on its own, with zero month and day values

9032

# * A year and month value, with a zero day, e.g. a credit card expiration date

9033

#

9034

# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.

9035

"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without

9036

# a year.

9037

"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a

9038

# month and day.

9039

"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0

9040

# if specifying a year by itself or a year and month where the day is not

9041

# significant.

9042

},

9043

"stringValue": "A String", # string

9044

"integerValue": "A String", # integer

9045

"timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day

9046

# or are specified elsewhere. An API may choose to allow leap seconds. Related

9047

# types are google.type.Date and `google.protobuf.Timestamp`.

9048

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may

9049

# allow the value 60 if it allows leap-seconds.

9050

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

9051

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose

9052

# to allow the value "24:00:00" for scenarios like business closing time.

9053

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

9054

},

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

},

},

],

},

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

9059

"replaceConfig": { # Replace each input value with a given `Value`. # Replace

9060

"newValue": { # Set of primitive values supported by the system. # Value to replace it with.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

9061

# Note that for the purposes of inspection or transformation, the number

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

9062

# of bytes considered to comprise a 'Value' is based on its representation

9063

# as a UTF-8 encoded string. For example, if 'integer_value' is set to

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

9064

# 123456789, the number of bytes would be counted as 9, even though an

9065

# int64 only holds up to 8 bytes of data.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

9066

"booleanValue": True or False, # boolean

9067

"floatValue": 3.14, # float

9068

"dayOfWeekValue": "A String", # day of week

9069

"timestampValue": "A String", # timestamp

9070

"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

9071

# and time zone are either specified elsewhere or are not significant. The date

9072

# is relative to the Proleptic Gregorian Calendar. This can represent:

9073

#

9074

# * A full date, with non-zero year, month and day values

9075

# * A month and day value, with a zero year, e.g. an anniversary

9076

# * A year on its own, with zero month and day values

9077

# * A year and month value, with a zero day, e.g. a credit card expiration date

9078

#

9079

# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

9080

"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without

9081

# a year.

9082

"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

9083

# month and day.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

9084

"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

9085

# if specifying a year by itself or a year and month where the day is not

9086

# significant.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

9087

},

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

9088

"stringValue": "A String", # string

9089

"integerValue": "A String", # integer

9090

"timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day

9091

# or are specified elsewhere. An API may choose to allow leap seconds. Related

9092

# types are google.type.Date and `google.protobuf.Timestamp`.

9093

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may

9094

# allow the value 60 if it allows leap-seconds.

9095

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

9096

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose

9097

# to allow the value "24:00:00" for scenarios like business closing time.

9098

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

},

},

},

"characterMaskConfig": { # Partially mask a string by replacing a given number of characters with a # Mask

9103

# fixed character. Masking can start from the beginning or end of the string.

9104

# This can be used on data of any type (numbers, longs, and so on) and when

9105

# de-identifying structured data we'll attempt to preserve the original data's

9106

# type. (This allows you to take a long like 123 and modify it to a string like

9107

# **3.

9108

"reverseOrder": True or False, # Mask characters in reverse order. For example, if `masking_character` is

9109

# `0`, `number_to_mask` is `14`, and `reverse_order` is `false`, then the

9110

# input string `1234-5678-9012-3456` is masked as `00000000000000-3456`.

9111

# If `masking_character` is `*`, `number_to_mask` is `3`, and `reverse_order`

9112

# is `true`, then the string `12345` is masked as `12***`.

9113

"charactersToIgnore": [ # When masking a string, items in this list will be skipped when replacing

9114

# characters. For example, if the input string is `555-555-5555` and you

9115

# instruct Cloud DLP to skip `-` and mask 5 characters with `*`, Cloud DLP

9116

# returns `***-**5-5555`.

9117

{ # Characters to skip when doing deidentification of a value. These will be left

9118

# alone and skipped.

9119

"charactersToSkip": "A String", # Characters to not transform when masking.

9120

"commonCharactersToIgnore": "A String", # Common characters to not transform when masking. Useful to avoid removing

# punctuation.

},

],

"numberToMask": 42, # Number of characters to mask. If not set, all matching chars will be

9125

# masked. Skipped characters do not count towards this tally.

9126

"maskingCharacter": "A String", # Character to use to mask the sensitive values&mdash;for example, `*` for an

9127

# alphabetic string such as a name, or `0` for a numeric string such as ZIP

9128

# code or credit card number. This string must have a length of 1. If not

9129

# supplied, this value defaults to `*` for strings, and `0` for digits.

9130

},

9131

"fixedSizeBucketingConfig": { # Buckets values based on fixed size ranges. The # Fixed size bucketing

9132

# Bucketing transformation can provide all of this functionality,

9133

# but requires more configuration. This message is provided as a convenience to

9134

# the user for simple bucketing strategies.

9135

#

9136

# The transformed value will be a hyphenated string of

9137

# {lower_bound}-{upper_bound}, i.e if lower_bound = 10 and upper_bound = 20

9138

# all values that are within this bucket will be replaced with "10-20".

9139

#

9140

# This can be used on data of type: double, long.

9141

#

9142

# If the bound Value type differs from the type of data

9143

# being transformed, we will first attempt converting the type of the data to

9144

# be transformed to match the type of the bound before comparing.

9145

#

9146

# See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more.

9147

"lowerBound": { # Set of primitive values supported by the system. # Required. Lower bound value of buckets. All values less than `lower_bound` are

9148

# grouped together into a single bucket; for example if `lower_bound` = 10,

9149

# then all values less than 10 are replaced with the value "-10".

9150

# Note that for the purposes of inspection or transformation, the number

9151

# of bytes considered to comprise a 'Value' is based on its representation

9152

# as a UTF-8 encoded string. For example, if 'integer_value' is set to

9153

# 123456789, the number of bytes would be counted as 9, even though an

9154

# int64 only holds up to 8 bytes of data.

9155

"booleanValue": True or False, # boolean

9156

"floatValue": 3.14, # float

9157

"dayOfWeekValue": "A String", # day of week

9158

"timestampValue": "A String", # timestamp

9159

"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date

9160

# and time zone are either specified elsewhere or are not significant. The date

9161

# is relative to the Proleptic Gregorian Calendar. This can represent:

9162

#

9163

# * A full date, with non-zero year, month and day values

9164

# * A month and day value, with a zero year, e.g. an anniversary

9165

# * A year on its own, with zero month and day values

9166

# * A year and month value, with a zero day, e.g. a credit card expiration date

9167

#

9168

# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.

9169

"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without

9170

# a year.

9171

"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a

9172

# month and day.

9173

"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0

9174

# if specifying a year by itself or a year and month where the day is not

9175

# significant.

9176

},

9177

"stringValue": "A String", # string

9178

"integerValue": "A String", # integer

9179

"timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day

9180

# or are specified elsewhere. An API may choose to allow leap seconds. Related

9181

# types are google.type.Date and `google.protobuf.Timestamp`.

9182

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may

9183

# allow the value 60 if it allows leap-seconds.

9184

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

9185

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose

9186

# to allow the value "24:00:00" for scenarios like business closing time.

9187

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

9188

},

9189

},

9190

"upperBound": { # Set of primitive values supported by the system. # Required. Upper bound value of buckets. All values greater than upper_bound are

9191

# grouped together into a single bucket; for example if `upper_bound` = 89,

9192

# then all values greater than 89 are replaced with the value "89+".

9193

# Note that for the purposes of inspection or transformation, the number

9194

# of bytes considered to comprise a 'Value' is based on its representation

9195

# as a UTF-8 encoded string. For example, if 'integer_value' is set to

9196

# 123456789, the number of bytes would be counted as 9, even though an

9197

# int64 only holds up to 8 bytes of data.

9198

"booleanValue": True or False, # boolean

9199

"floatValue": 3.14, # float

9200

"dayOfWeekValue": "A String", # day of week

9201

"timestampValue": "A String", # timestamp

9202

"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date

9203

# and time zone are either specified elsewhere or are not significant. The date

9204

# is relative to the Proleptic Gregorian Calendar. This can represent:

9205

#

9206

# * A full date, with non-zero year, month and day values

9207

# * A month and day value, with a zero year, e.g. an anniversary

9208

# * A year on its own, with zero month and day values

9209

# * A year and month value, with a zero day, e.g. a credit card expiration date

9210

#

9211

# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.

9212

"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without

9213

# a year.

9214

"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a

9215

# month and day.

9216

"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0

9217

# if specifying a year by itself or a year and month where the day is not

9218

# significant.

9219

},

9220

"stringValue": "A String", # string

9221

"integerValue": "A String", # integer

9222

"timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day

9223

# or are specified elsewhere. An API may choose to allow leap seconds. Related

9224

# types are google.type.Date and `google.protobuf.Timestamp`.

9225

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may

9226

# allow the value 60 if it allows leap-seconds.

9227

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

9228

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose

9229

# to allow the value "24:00:00" for scenarios like business closing time.

9230

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

9231

},

9232

},

9233

"bucketSize": 3.14, # Required. Size of each bucket (except for minimum and maximum buckets). So if

9234

# `lower_bound` = 10, `upper_bound` = 89, and `bucket_size` = 10, then the

9235

# following buckets would be used: -10, 10-20, 20-30, 30-40, 40-50, 50-60,

9236

# 60-70, 70-80, 80-89, 89+. Precision up to 2 decimals works.

},

},

},

],

},

"primitiveTransformation": { # A rule for transforming a value. # Apply the transformation to the entire field.

9243

"timePartConfig": { # For use with `Date`, `Timestamp`, and `TimeOfDay`, extract or preserve a # Time extraction

9244

# portion of the value.

9245

"partToExtract": "A String", # The part of the time to keep.

9246

},

9247

"dateShiftConfig": { # Shifts dates by random number of days, with option to be consistent for the # Date Shift

9248

# same context. See https://cloud.google.com/dlp/docs/concepts-date-shifting

9249

# to learn more.

9250

"context": { # General identifier of a data field in a storage service. # Points to the field that contains the context, for example, an entity id.

9251

# If set, must also set cryptoKey. If set, shift will be consistent for the

9252

# given context.

9253

"name": "A String", # Name describing the field.

9254

},

9255

"upperBoundDays": 42, # Required. Range of shift in days. Actual shift will be selected at random within this

9256

# range (inclusive ends). Negative means shift to earlier in time. Must not

9257

# be more than 365250 days (1000 years) each direction.

9258

#

9259

# For example, 3 means shift date to at most 3 days into the future.

9260

"lowerBoundDays": 42, # Required. For example, -5 means shift date to at most 5 days back in the past.

9261

"cryptoKey": { # This is a data encryption key (DEK) (as opposed to # Causes the shift to be computed based on this key and the context. This

9262

# results in the same shift for the same context and crypto_key. If

9263

# set, must also set context. Can only be applied to table items.

9264

# a key encryption key (KEK) stored by KMS).

9265

# When using KMS to wrap/unwrap DEKs, be sure to set an appropriate

9266

# IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot

9267

# unwrap the data crypto key.

9268

"kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key

9269

# The wrapped key must be a 128/192/256 bit key.

9270

# Authorization requires the following IAM permissions when sending a request

9271

# to perform a crypto transformation using a kms-wrapped crypto key:

9272

# dlp.kms.encrypt

9273

"wrappedKey": "A String", # Required. The wrapped data crypto key.

9274

"cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.

9275

},

9276

"unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key

9277

# leaking the key. Choose another type of key if possible.

9278

"key": "A String", # Required. A 128/192/256 bit key.

9279

},

9280

"transient": { # Use this to have a random data crypto key generated. # Transient crypto key

9281

# It will be discarded after the request finishes.

9282

"name": "A String", # Required. Name of the key.

9283

# This is an arbitrary string used to differentiate different keys.

9284

# A unique key is generated per name: two separate `TransientCryptoKey`

9285

# protos share the same generated key if their names are the same.

9286

# When the data crypto key is generated, this name is not used in any way

9287

# (repeating the api call will result in a different key being generated).

},

},

},

"replaceWithInfoTypeConfig": { # Replace each matching finding with the name of the info_type. # Replace with infotype

9292

},

9293

"cryptoHashConfig": { # Pseudonymization method that generates surrogates via cryptographic hashing. # Crypto

9294

# Uses SHA-256.

9295

# The key size must be either 32 or 64 bytes.

9296

# Outputs a base64 encoded representation of the hashed output

9297

# (for example, L7k0BHmF1ha5U3NfGykjro4xWi1MPVQPjhMAZbSV9mM=).

9298

# Currently, only string and integer values can be hashed.

9299

# See https://cloud.google.com/dlp/docs/pseudonymization to learn more.

9300

"cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the hash function.

9301

# a key encryption key (KEK) stored by KMS).

9302

# When using KMS to wrap/unwrap DEKs, be sure to set an appropriate

9303

# IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot

9304

# unwrap the data crypto key.

9305

"kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key

9306

# The wrapped key must be a 128/192/256 bit key.

9307

# Authorization requires the following IAM permissions when sending a request

9308

# to perform a crypto transformation using a kms-wrapped crypto key:

9309

# dlp.kms.encrypt

9310

"wrappedKey": "A String", # Required. The wrapped data crypto key.

9311

"cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.

9312

},

9313

"unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key

9314

# leaking the key. Choose another type of key if possible.

9315

"key": "A String", # Required. A 128/192/256 bit key.

9316

},

9317

"transient": { # Use this to have a random data crypto key generated. # Transient crypto key

9318

# It will be discarded after the request finishes.

9319

"name": "A String", # Required. Name of the key.

9320

# This is an arbitrary string used to differentiate different keys.

9321

# A unique key is generated per name: two separate `TransientCryptoKey`

9322

# protos share the same generated key if their names are the same.

9323

# When the data crypto key is generated, this name is not used in any way

9324

# (repeating the api call will result in a different key being generated).

},

},

},

"cryptoReplaceFfxFpeConfig": { # Replaces an identifier with a surrogate using Format Preserving Encryption # Ffx-Fpe

9329

# (FPE) with the FFX mode of operation; however when used in the

9330

# `ReidentifyContent` API method, it serves the opposite function by reversing

9331

# the surrogate back into the original identifier. The identifier must be

9332

# encoded as ASCII. For a given crypto key and context, the same identifier

9333

# will be replaced with the same surrogate. Identifiers must be at least two

9334

# characters long. In the case that the identifier is the empty string, it will

9335

# be skipped. See https://cloud.google.com/dlp/docs/pseudonymization to learn

9336

# more.

9337

#

9338

# Note: We recommend using CryptoDeterministicConfig for all use cases which

9339

# do not require preserving the input alphabet space and size, plus warrant

9340

# referential integrity.

9341

"customAlphabet": "A String", # This is supported by mapping these to the alphanumeric characters

9342

# that the FFX mode natively supports. This happens before/after

9343

# encryption/decryption.

9344

# Each character listed must appear only once.

9345

# Number of characters must be in the range [2, 95].

9346

# This must be encoded as ASCII.

9347

# The order of characters does not matter.

9348

"commonAlphabet": "A String", # Common alphabets.

9349

"surrogateInfoType": { # Type of information detected by the API. # The custom infoType to annotate the surrogate with.

9350

# This annotation will be applied to the surrogate by prefixing it with

9351

# the name of the custom infoType followed by the number of

9352

# characters comprising the surrogate. The following scheme defines the

9353

# format: info_type_name(surrogate_character_count):surrogate

9354

#

9355

# For example, if the name of custom infoType is 'MY_TOKEN_INFO_TYPE' and

9356

# the surrogate is 'abc', the full replacement value

9357

# will be: 'MY_TOKEN_INFO_TYPE(3):abc'

9358

#

9359

# This annotation identifies the surrogate when inspecting content using the

9360

# custom infoType

9361

# [`SurrogateType`](/dlp/docs/reference/rest/v2/InspectConfig#surrogatetype).

9362

# This facilitates reversal of the surrogate when it occurs in free text.

9363

#

9364

# In order for inspection to work properly, the name of this infoType must

9365

# not occur naturally anywhere in your data; otherwise, inspection may

9366

# find a surrogate that does not correspond to an actual identifier.

9367

# Therefore, choose your custom infoType name carefully after considering

9368

# what your data looks like. One way to select a name that has a high chance

9369

# of yielding reliable detection is to include one or more unicode characters

9370

# that are highly improbable to exist in your data.

9371

# For example, assuming your data is entered from a regular ASCII keyboard,

9372

# the symbol with the hex code point 29DD might be used like so:

9373

# ⧝MY_TOKEN_TYPE

9374

"name": "A String", # Name of the information type. Either a name of your choosing when

9375

# creating a CustomInfoType, or one of the names listed

9376

# at https://cloud.google.com/dlp/docs/infotypes-reference when specifying

9377

# a built-in type. InfoType names should conform to the pattern

9378

# `[a-zA-Z0-9_]{1,64}`.

9379

},

9380

"context": { # General identifier of a data field in a storage service. # The 'tweak', a context may be used for higher security since the same

9381

# identifier in two different contexts won't be given the same surrogate. If

9382

# the context is not set, a default tweak will be used.

9383

#

9384

# If the context is set but:

9385

#

9386

# 1. there is no record present when transforming a given value or

9387

# 1. the field is not present when transforming a given value,

9388

#

9389

# a default tweak will be used.

9390

#

9391

# Note that case (1) is expected when an `InfoTypeTransformation` is

9392

# applied to both structured and non-structured `ContentItem`s.

9393

# Currently, the referenced field may be of value type integer or string.

9394

#

9395

# The tweak is constructed as a sequence of bytes in big endian byte order

9396

# such that:

9397

#

9398

# - a 64 bit integer is encoded followed by a single byte of value 1

9399

# - a string is encoded in UTF-8 format followed by a single byte of value 2

9400

"name": "A String", # Name describing the field.

9401

},

9402

"radix": 42, # The native way to select the alphabet. Must be in the range [2, 95].

9403

"cryptoKey": { # This is a data encryption key (DEK) (as opposed to # Required. The key used by the encryption algorithm.

9404

# a key encryption key (KEK) stored by KMS).

9405

# When using KMS to wrap/unwrap DEKs, be sure to set an appropriate

9406

# IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot

9407

# unwrap the data crypto key.

9408

"kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key

9409

# The wrapped key must be a 128/192/256 bit key.

9410

# Authorization requires the following IAM permissions when sending a request

9411

# to perform a crypto transformation using a kms-wrapped crypto key:

9412

# dlp.kms.encrypt

9413

"wrappedKey": "A String", # Required. The wrapped data crypto key.

9414

"cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.

9415

},

9416

"unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key

9417

# leaking the key. Choose another type of key if possible.

9418

"key": "A String", # Required. A 128/192/256 bit key.

9419

},

9420

"transient": { # Use this to have a random data crypto key generated. # Transient crypto key

9421

# It will be discarded after the request finishes.

9422

"name": "A String", # Required. Name of the key.

9423

# This is an arbitrary string used to differentiate different keys.

9424

# A unique key is generated per name: two separate `TransientCryptoKey`

9425

# protos share the same generated key if their names are the same.

9426

# When the data crypto key is generated, this name is not used in any way

9427

# (repeating the api call will result in a different key being generated).

},

},

},

"cryptoDeterministicConfig": { # Pseudonymization method that generates deterministic encryption for the given # Deterministic Crypto

9432

# input. Outputs a base64 encoded representation of the encrypted output.

9433

# Uses AES-SIV based on the RFC https://tools.ietf.org/html/rfc5297.

9434

"surrogateInfoType": { # Type of information detected by the API. # The custom info type to annotate the surrogate with.

9435

# This annotation will be applied to the surrogate by prefixing it with

9436

# the name of the custom info type followed by the number of

9437

# characters comprising the surrogate. The following scheme defines the

9438

# format: {info type name}({surrogate character count}):{surrogate}

9439

#

9440

# For example, if the name of custom info type is 'MY_TOKEN_INFO_TYPE' and

9441

# the surrogate is 'abc', the full replacement value

9442

# will be: 'MY_TOKEN_INFO_TYPE(3):abc'

9443

#

9444

# This annotation identifies the surrogate when inspecting content using the

9445

# custom info type 'Surrogate'. This facilitates reversal of the

9446

# surrogate when it occurs in free text.

9447

#

9448

# Note: For record transformations where the entire cell in a table is being

9449

# transformed, surrogates are not mandatory. Surrogates are used to denote

9450

# the location of the token and are necessary for re-identification in free

9451

# form text.

9452

#

9453

# In order for inspection to work properly, the name of this info type must

9454

# not occur naturally anywhere in your data; otherwise, inspection may either

9455

#

9456

# - reverse a surrogate that does not correspond to an actual identifier

9457

# - be unable to parse the surrogate and result in an error

9458

#

9459

# Therefore, choose your custom info type name carefully after considering

9460

# what your data looks like. One way to select a name that has a high chance

9461

# of yielding reliable detection is to include one or more unicode characters

9462

# that are highly improbable to exist in your data.

9463

# For example, assuming your data is entered from a regular ASCII keyboard,

9464

# the symbol with the hex code point 29DD might be used like so:

9465

# ⧝MY_TOKEN_TYPE.

9466

"name": "A String", # Name of the information type. Either a name of your choosing when

9467

# creating a CustomInfoType, or one of the names listed

9468

# at https://cloud.google.com/dlp/docs/infotypes-reference when specifying

9469

# a built-in type. InfoType names should conform to the pattern

9470

# `[a-zA-Z0-9_]{1,64}`.

9471

},

9472

"context": { # General identifier of a data field in a storage service. # A context may be used for higher security and maintaining

9473

# referential integrity such that the same identifier in two different

9474

# contexts will be given a distinct surrogate. The context is appended to

9475

# plaintext value being encrypted. On decryption the provided context is

9476

# validated against the value used during encryption. If a context was

9477

# provided during encryption, same context must be provided during decryption

9478

# as well.

9479

#

9480

# If the context is not set, plaintext would be used as is for encryption.

9481

# If the context is set but:

9482

#

9483

# 1. there is no record present when transforming a given value or

9484

# 2. the field is not present when transforming a given value,

9485

#

9486

# plaintext would be used as is for encryption.

9487

#

9488

# Note that case (1) is expected when an `InfoTypeTransformation` is

9489

# applied to both structured and non-structured `ContentItem`s.

9490

"name": "A String", # Name describing the field.

9491

},

9492

"cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the encryption function.

9493

# a key encryption key (KEK) stored by KMS).

9494

# When using KMS to wrap/unwrap DEKs, be sure to set an appropriate

9495

# IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot

9496

# unwrap the data crypto key.

9497

"kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key

9498

# The wrapped key must be a 128/192/256 bit key.

9499

# Authorization requires the following IAM permissions when sending a request

9500

# to perform a crypto transformation using a kms-wrapped crypto key:

9501

# dlp.kms.encrypt

9502

"wrappedKey": "A String", # Required. The wrapped data crypto key.

9503

"cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.

9504

},

9505

"unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key

9506

# leaking the key. Choose another type of key if possible.

9507

"key": "A String", # Required. A 128/192/256 bit key.

9508

},

9509

"transient": { # Use this to have a random data crypto key generated. # Transient crypto key

9510

# It will be discarded after the request finishes.

9511

"name": "A String", # Required. Name of the key.

9512

# This is an arbitrary string used to differentiate different keys.

9513

# A unique key is generated per name: two separate `TransientCryptoKey`

9514

# protos share the same generated key if their names are the same.

9515

# When the data crypto key is generated, this name is not used in any way

9516

# (repeating the api call will result in a different key being generated).

},

},

},

"redactConfig": { # Redact a given value. For example, if used with an `InfoTypeTransformation` # Redact

9521

# transforming PHONE_NUMBER, and input 'My phone number is 206-555-0123', the

9522

# output would be 'My phone number is '.

9523

},

9524

"bucketingConfig": { # Generalization function that buckets values based on ranges. The ranges and # Bucketing

9525

# replacement values are dynamically provided by the user for custom behavior,

9526

# such as 1-30 -> LOW 31-65 -> MEDIUM 66-100 -> HIGH

9527

# This can be used on

9528

# data of type: number, long, string, timestamp.

9529

# If the bound `Value` type differs from the type of data being transformed, we

9530

# will first attempt converting the type of the data to be transformed to match

9531

# the type of the bound before comparing.

9532

# See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more.

9533

"buckets": [ # Set of buckets. Ranges must be non-overlapping.

9534

{ # Bucket is represented as a range, along with replacement values.

9535

"min": { # Set of primitive values supported by the system. # Lower bound of the range, inclusive. Type should be the same as max if

9536

# used.

9537

# Note that for the purposes of inspection or transformation, the number

9538

# of bytes considered to comprise a 'Value' is based on its representation

9539

# as a UTF-8 encoded string. For example, if 'integer_value' is set to

9540

# 123456789, the number of bytes would be counted as 9, even though an

9541

# int64 only holds up to 8 bytes of data.

9542

"booleanValue": True or False, # boolean

9543

"floatValue": 3.14, # float

9544

"dayOfWeekValue": "A String", # day of week

9545

"timestampValue": "A String", # timestamp

9546

"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date

9547

# and time zone are either specified elsewhere or are not significant. The date

9548

# is relative to the Proleptic Gregorian Calendar. This can represent:

9549

#

9550

# * A full date, with non-zero year, month and day values

9551

# * A month and day value, with a zero year, e.g. an anniversary

9552

# * A year on its own, with zero month and day values

9553

# * A year and month value, with a zero day, e.g. a credit card expiration date

9554

#

9555

# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.

9556

"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without

9557

# a year.

9558

"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a

9559

# month and day.

9560

"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0

9561

# if specifying a year by itself or a year and month where the day is not

9562

# significant.

9563

},

9564

"stringValue": "A String", # string

9565

"integerValue": "A String", # integer

9566

"timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day

9567

# or are specified elsewhere. An API may choose to allow leap seconds. Related

9568

# types are google.type.Date and `google.protobuf.Timestamp`.

9569

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may

9570

# allow the value 60 if it allows leap-seconds.

9571

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

9572

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose

9573

# to allow the value "24:00:00" for scenarios like business closing time.

9574

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

9575

},

9576

},

9577

"max": { # Set of primitive values supported by the system. # Upper bound of the range, exclusive; type must match min.

9578

# Note that for the purposes of inspection or transformation, the number

9579

# of bytes considered to comprise a 'Value' is based on its representation

9580

# as a UTF-8 encoded string. For example, if 'integer_value' is set to

9581

# 123456789, the number of bytes would be counted as 9, even though an

9582

# int64 only holds up to 8 bytes of data.

9583

"booleanValue": True or False, # boolean

9584

"floatValue": 3.14, # float

9585

"dayOfWeekValue": "A String", # day of week

9586

"timestampValue": "A String", # timestamp

9587

"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date

9588

# and time zone are either specified elsewhere or are not significant. The date

9589

# is relative to the Proleptic Gregorian Calendar. This can represent:

9590

#

9591

# * A full date, with non-zero year, month and day values

9592

# * A month and day value, with a zero year, e.g. an anniversary

9593

# * A year on its own, with zero month and day values

9594

# * A year and month value, with a zero day, e.g. a credit card expiration date

9595

#

9596

# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.

9597

"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without

9598

# a year.

9599

"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a

9600

# month and day.

9601

"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0

9602

# if specifying a year by itself or a year and month where the day is not

9603

# significant.

9604

},

9605

"stringValue": "A String", # string

9606

"integerValue": "A String", # integer

9607

"timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day

9608

# or are specified elsewhere. An API may choose to allow leap seconds. Related

9609

# types are google.type.Date and `google.protobuf.Timestamp`.

9610

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may

9611

# allow the value 60 if it allows leap-seconds.

9612

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

9613

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose

9614

# to allow the value "24:00:00" for scenarios like business closing time.

9615

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

9616

},

9617

},

9618

"replacementValue": { # Set of primitive values supported by the system. # Replacement value for this bucket. If not provided

9619

# the default behavior will be to hyphenate the min-max range.

9620

# Note that for the purposes of inspection or transformation, the number

9621

# of bytes considered to comprise a 'Value' is based on its representation

9622

# as a UTF-8 encoded string. For example, if 'integer_value' is set to

9623

# 123456789, the number of bytes would be counted as 9, even though an

9624

# int64 only holds up to 8 bytes of data.

9625

"booleanValue": True or False, # boolean

9626

"floatValue": 3.14, # float

9627

"dayOfWeekValue": "A String", # day of week

9628

"timestampValue": "A String", # timestamp

9629

"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date

9630

# and time zone are either specified elsewhere or are not significant. The date

9631

# is relative to the Proleptic Gregorian Calendar. This can represent:

9632

#

9633

# * A full date, with non-zero year, month and day values

9634

# * A month and day value, with a zero year, e.g. an anniversary

9635

# * A year on its own, with zero month and day values

9636

# * A year and month value, with a zero day, e.g. a credit card expiration date

9637

#

9638

# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.

9639

"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without

9640

# a year.

9641

"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a

9642

# month and day.

9643

"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0

9644

# if specifying a year by itself or a year and month where the day is not

9645

# significant.

9646

},

9647

"stringValue": "A String", # string

9648

"integerValue": "A String", # integer

9649

"timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day

9650

# or are specified elsewhere. An API may choose to allow leap seconds. Related

9651

# types are google.type.Date and `google.protobuf.Timestamp`.

9652

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may

9653

# allow the value 60 if it allows leap-seconds.

9654

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

9655

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose

9656

# to allow the value "24:00:00" for scenarios like business closing time.

9657

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

9658

},

9659

},

9660

},

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

9661

],

9662

},

9663

"replaceConfig": { # Replace each input value with a given `Value`. # Replace

9664

"newValue": { # Set of primitive values supported by the system. # Value to replace it with.

9665

# Note that for the purposes of inspection or transformation, the number

9666

# of bytes considered to comprise a 'Value' is based on its representation

9667

# as a UTF-8 encoded string. For example, if 'integer_value' is set to

9668

# 123456789, the number of bytes would be counted as 9, even though an

9669

# int64 only holds up to 8 bytes of data.

9670

"booleanValue": True or False, # boolean

9671

"floatValue": 3.14, # float

9672

"dayOfWeekValue": "A String", # day of week

9673

"timestampValue": "A String", # timestamp

9674

"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date

9675

# and time zone are either specified elsewhere or are not significant. The date

9676

# is relative to the Proleptic Gregorian Calendar. This can represent:

9677

#

9678

# * A full date, with non-zero year, month and day values

9679

# * A month and day value, with a zero year, e.g. an anniversary

9680

# * A year on its own, with zero month and day values

9681

# * A year and month value, with a zero day, e.g. a credit card expiration date

9682

#

9683

# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.

9684

"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without

9685

# a year.

9686

"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a

9687

# month and day.

9688

"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0

9689

# if specifying a year by itself or a year and month where the day is not

9690

# significant.

9691

},

9692

"stringValue": "A String", # string

9693

"integerValue": "A String", # integer

9694

"timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day

9695

# or are specified elsewhere. An API may choose to allow leap seconds. Related

9696

# types are google.type.Date and `google.protobuf.Timestamp`.

9697

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may

9698

# allow the value 60 if it allows leap-seconds.

9699

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

9700

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose

9701

# to allow the value "24:00:00" for scenarios like business closing time.

9702

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

},

},

},

"characterMaskConfig": { # Partially mask a string by replacing a given number of characters with a # Mask

9707

# fixed character. Masking can start from the beginning or end of the string.

9708

# This can be used on data of any type (numbers, longs, and so on) and when

9709

# de-identifying structured data we'll attempt to preserve the original data's

9710

# type. (This allows you to take a long like 123 and modify it to a string like

9711

# **3.

9712

"reverseOrder": True or False, # Mask characters in reverse order. For example, if `masking_character` is

9713

# `0`, `number_to_mask` is `14`, and `reverse_order` is `false`, then the

9714

# input string `1234-5678-9012-3456` is masked as `00000000000000-3456`.

9715

# If `masking_character` is `*`, `number_to_mask` is `3`, and `reverse_order`

9716

# is `true`, then the string `12345` is masked as `12***`.

9717

"charactersToIgnore": [ # When masking a string, items in this list will be skipped when replacing

9718

# characters. For example, if the input string is `555-555-5555` and you

9719

# instruct Cloud DLP to skip `-` and mask 5 characters with `*`, Cloud DLP

9720

# returns `***-**5-5555`.

9721

{ # Characters to skip when doing deidentification of a value. These will be left

9722

# alone and skipped.

9723

"charactersToSkip": "A String", # Characters to not transform when masking.

9724

"commonCharactersToIgnore": "A String", # Common characters to not transform when masking. Useful to avoid removing

# punctuation.

},

],

"numberToMask": 42, # Number of characters to mask. If not set, all matching chars will be

9729

# masked. Skipped characters do not count towards this tally.

9730

"maskingCharacter": "A String", # Character to use to mask the sensitive values&mdash;for example, `*` for an

9731

# alphabetic string such as a name, or `0` for a numeric string such as ZIP

9732

# code or credit card number. This string must have a length of 1. If not

9733

# supplied, this value defaults to `*` for strings, and `0` for digits.

9734

},

9735

"fixedSizeBucketingConfig": { # Buckets values based on fixed size ranges. The # Fixed size bucketing

9736

# Bucketing transformation can provide all of this functionality,

9737

# but requires more configuration. This message is provided as a convenience to

9738

# the user for simple bucketing strategies.

9739

#

9740

# The transformed value will be a hyphenated string of

9741

# {lower_bound}-{upper_bound}, i.e if lower_bound = 10 and upper_bound = 20

9742

# all values that are within this bucket will be replaced with "10-20".

9743

#

9744

# This can be used on data of type: double, long.

9745

#

9746

# If the bound Value type differs from the type of data

9747

# being transformed, we will first attempt converting the type of the data to

9748

# be transformed to match the type of the bound before comparing.

9749

#

9750

# See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more.

9751

"lowerBound": { # Set of primitive values supported by the system. # Required. Lower bound value of buckets. All values less than `lower_bound` are

9752

# grouped together into a single bucket; for example if `lower_bound` = 10,

9753

# then all values less than 10 are replaced with the value "-10".

9754

# Note that for the purposes of inspection or transformation, the number

9755

# of bytes considered to comprise a 'Value' is based on its representation

9756

# as a UTF-8 encoded string. For example, if 'integer_value' is set to

9757

# 123456789, the number of bytes would be counted as 9, even though an

9758

# int64 only holds up to 8 bytes of data.

9759

"booleanValue": True or False, # boolean

9760

"floatValue": 3.14, # float

9761

"dayOfWeekValue": "A String", # day of week

9762

"timestampValue": "A String", # timestamp

9763

"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date

9764

# and time zone are either specified elsewhere or are not significant. The date

9765

# is relative to the Proleptic Gregorian Calendar. This can represent:

9766

#

9767

# * A full date, with non-zero year, month and day values

9768

# * A month and day value, with a zero year, e.g. an anniversary

9769

# * A year on its own, with zero month and day values

9770

# * A year and month value, with a zero day, e.g. a credit card expiration date

9771

#

9772

# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.

9773

"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without

9774

# a year.

9775

"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a

9776

# month and day.

9777

"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0

9778

# if specifying a year by itself or a year and month where the day is not

9779

# significant.

9780

},

9781

"stringValue": "A String", # string

9782

"integerValue": "A String", # integer

9783

"timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day

9784

# or are specified elsewhere. An API may choose to allow leap seconds. Related

9785

# types are google.type.Date and `google.protobuf.Timestamp`.

9786

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may

9787

# allow the value 60 if it allows leap-seconds.

9788

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

9789

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose

9790

# to allow the value "24:00:00" for scenarios like business closing time.

9791

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

9792

},

9793

},

9794

"upperBound": { # Set of primitive values supported by the system. # Required. Upper bound value of buckets. All values greater than upper_bound are

9795

# grouped together into a single bucket; for example if `upper_bound` = 89,

9796

# then all values greater than 89 are replaced with the value "89+".

9797

# Note that for the purposes of inspection or transformation, the number

9798

# of bytes considered to comprise a 'Value' is based on its representation

9799

# as a UTF-8 encoded string. For example, if 'integer_value' is set to

9800

# 123456789, the number of bytes would be counted as 9, even though an

9801

# int64 only holds up to 8 bytes of data.

9802

"booleanValue": True or False, # boolean

9803

"floatValue": 3.14, # float

9804

"dayOfWeekValue": "A String", # day of week

9805

"timestampValue": "A String", # timestamp

9806

"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date

9807

# and time zone are either specified elsewhere or are not significant. The date

9808

# is relative to the Proleptic Gregorian Calendar. This can represent:

9809

#

9810

# * A full date, with non-zero year, month and day values

9811

# * A month and day value, with a zero year, e.g. an anniversary

9812

# * A year on its own, with zero month and day values

9813

# * A year and month value, with a zero day, e.g. a credit card expiration date

9814

#

9815

# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.

9816

"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without

9817

# a year.

9818

"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a

9819

# month and day.

9820

"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0

9821

# if specifying a year by itself or a year and month where the day is not

9822

# significant.

9823

},

9824

"stringValue": "A String", # string

9825

"integerValue": "A String", # integer

9826

"timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day

9827

# or are specified elsewhere. An API may choose to allow leap seconds. Related

9828

# types are google.type.Date and `google.protobuf.Timestamp`.

9829

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may

9830

# allow the value 60 if it allows leap-seconds.

9831

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

9832

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose

9833

# to allow the value "24:00:00" for scenarios like business closing time.

9834

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

9835

},

9836

},

9837

"bucketSize": 3.14, # Required. Size of each bucket (except for minimum and maximum buckets). So if

9838

# `lower_bound` = 10, `upper_bound` = 89, and `bucket_size` = 10, then the

9839

# following buckets would be used: -10, 10-20, 20-30, 30-40, 40-50, 50-60,

9840

# 60-70, 70-80, 80-89, 89+. Precision up to 2 decimals works.

9841

},

9842

},

9843

"condition": { # A condition for determining whether a transformation should be applied to # Only apply the transformation if the condition evaluates to true for the

9844

# given `RecordCondition`. The conditions are allowed to reference fields

9845

# that are not used in the actual transformation.

#

# Example Use Cases:

#

# - Apply a different bucket transformation to an age column if the zip code

9850

# column for the same record is within a specific range.

9851

# - Redact a field if the date of birth field is greater than 85.

9852

# a field.

9853

"expressions": { # An expression, consisting or an operator and conditions. # An expression.

9854

"logicalOperator": "A String", # The operator to apply to the result of conditions. Default and currently

9855

# only supported value is `AND`.

9856

"conditions": { # A collection of conditions. # Conditions to apply to the expression.

9857

"conditions": [ # A collection of conditions.

9858

{ # The field type of `value` and `field` do not need to match to be

9859

# considered equal, but not all comparisons are possible.

9860

# EQUAL_TO and NOT_EQUAL_TO attempt to compare even with incompatible types,

9861

# but all other comparisons are invalid with incompatible types.

9862

# A `value` of type:

9863

#

9864

# - `string` can be compared against all other types

9865

# - `boolean` can only be compared against other booleans

9866

# - `integer` can be compared against doubles or a string if the string value

9867

# can be parsed as an integer.

9868

# - `double` can be compared against integers or a string if the string can

9869

# be parsed as a double.

9870

# - `Timestamp` can be compared against strings in RFC 3339 date string

9871

# format.

9872

# - `TimeOfDay` can be compared against timestamps and strings in the format

9873

# of 'HH:mm:ss'.

9874

#

9875

# If we fail to compare do to type mismatch, a warning will be given and

9876

# the condition will evaluate to false.

9877

"field": { # General identifier of a data field in a storage service. # Required. Field within the record this condition is evaluated against.

9878

"name": "A String", # Name describing the field.

9879

},

9880

"operator": "A String", # Required. Operator used to compare the field or infoType to the value.

9881

"value": { # Set of primitive values supported by the system. # Value to compare against. [Mandatory, except for `EXISTS` tests.]

9882

# Note that for the purposes of inspection or transformation, the number

9883

# of bytes considered to comprise a 'Value' is based on its representation

9884

# as a UTF-8 encoded string. For example, if 'integer_value' is set to

9885

# 123456789, the number of bytes would be counted as 9, even though an

9886

# int64 only holds up to 8 bytes of data.

9887

"booleanValue": True or False, # boolean

9888

"floatValue": 3.14, # float

9889

"dayOfWeekValue": "A String", # day of week

9890

"timestampValue": "A String", # timestamp

9891

"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date

9892

# and time zone are either specified elsewhere or are not significant. The date

9893

# is relative to the Proleptic Gregorian Calendar. This can represent:

9894

#

9895

# * A full date, with non-zero year, month and day values

9896

# * A month and day value, with a zero year, e.g. an anniversary

9897

# * A year on its own, with zero month and day values

9898

# * A year and month value, with a zero day, e.g. a credit card expiration date

9899

#

9900

# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.

9901

"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without

9902

# a year.

9903

"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a

9904

# month and day.

9905

"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0

9906

# if specifying a year by itself or a year and month where the day is not

9907

# significant.

9908

},

9909

"stringValue": "A String", # string

9910

"integerValue": "A String", # integer

9911

"timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day

9912

# or are specified elsewhere. An API may choose to allow leap seconds. Related

9913

# types are google.type.Date and `google.protobuf.Timestamp`.

9914

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may

9915

# allow the value 60 if it allows leap-seconds.

9916

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

9917

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose

9918

# to allow the value "24:00:00" for scenarios like business closing time.

9919

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

9920

},

9921

},

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

9922

},

9923

],

9924

},

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

9925

},

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

9926

},

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

9927

},

9928

],

9929

},

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

9930

"infoTypeTransformations": { # A type of transformation that will scan unstructured text and # Treat the dataset as free-form text and apply the same free text

9931

# transformation everywhere.

9932

# apply various `PrimitiveTransformation`s to each finding, where the

9933

# transformation is applied to only values that were identified as a specific

9934

# info_type.

9935

"transformations": [ # Required. Transformation for each infoType. Cannot specify more than one

9936

# for a given infoType.

9937

{ # A transformation to apply to text that is identified as a specific

9938

# info_type.

9939

"infoTypes": [ # InfoTypes to apply the transformation to. An empty list will cause

9940

# this transformation to apply to all findings that correspond to

9941

# infoTypes that were requested in `InspectConfig`.

9942

{ # Type of information detected by the API.

9943

"name": "A String", # Name of the information type. Either a name of your choosing when

9944

# creating a CustomInfoType, or one of the names listed

9945

# at https://cloud.google.com/dlp/docs/infotypes-reference when specifying

9946

# a built-in type. InfoType names should conform to the pattern

9947

# `[a-zA-Z0-9_]{1,64}`.

9948

},

9949

],

9950

"primitiveTransformation": { # A rule for transforming a value. # Required. Primitive transformation to apply to the infoType.

9951

"timePartConfig": { # For use with `Date`, `Timestamp`, and `TimeOfDay`, extract or preserve a # Time extraction

9952

# portion of the value.

9953

"partToExtract": "A String", # The part of the time to keep.

9954

},

9955

"dateShiftConfig": { # Shifts dates by random number of days, with option to be consistent for the # Date Shift

9956

# same context. See https://cloud.google.com/dlp/docs/concepts-date-shifting

9957

# to learn more.

9958

"context": { # General identifier of a data field in a storage service. # Points to the field that contains the context, for example, an entity id.

9959

# If set, must also set cryptoKey. If set, shift will be consistent for the

9960

# given context.

9961

"name": "A String", # Name describing the field.

9962

},

9963

"upperBoundDays": 42, # Required. Range of shift in days. Actual shift will be selected at random within this

9964

# range (inclusive ends). Negative means shift to earlier in time. Must not

9965

# be more than 365250 days (1000 years) each direction.

9966

#

9967

# For example, 3 means shift date to at most 3 days into the future.

9968

"lowerBoundDays": 42, # Required. For example, -5 means shift date to at most 5 days back in the past.

9969

"cryptoKey": { # This is a data encryption key (DEK) (as opposed to # Causes the shift to be computed based on this key and the context. This

9970

# results in the same shift for the same context and crypto_key. If

9971

# set, must also set context. Can only be applied to table items.

9972

# a key encryption key (KEK) stored by KMS).

9973

# When using KMS to wrap/unwrap DEKs, be sure to set an appropriate

9974

# IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot

9975

# unwrap the data crypto key.

9976

"kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key

9977

# The wrapped key must be a 128/192/256 bit key.

9978

# Authorization requires the following IAM permissions when sending a request

9979

# to perform a crypto transformation using a kms-wrapped crypto key:

9980

# dlp.kms.encrypt

9981

"wrappedKey": "A String", # Required. The wrapped data crypto key.

9982

"cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.

9983

},

9984

"unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key

9985

# leaking the key. Choose another type of key if possible.

9986

"key": "A String", # Required. A 128/192/256 bit key.

9987

},

9988

"transient": { # Use this to have a random data crypto key generated. # Transient crypto key

9989

# It will be discarded after the request finishes.

9990

"name": "A String", # Required. Name of the key.

9991

# This is an arbitrary string used to differentiate different keys.

9992

# A unique key is generated per name: two separate `TransientCryptoKey`

9993

# protos share the same generated key if their names are the same.

9994

# When the data crypto key is generated, this name is not used in any way

9995

# (repeating the api call will result in a different key being generated).

},

},

},

"replaceWithInfoTypeConfig": { # Replace each matching finding with the name of the info_type. # Replace with infotype

10000

},

10001

"cryptoHashConfig": { # Pseudonymization method that generates surrogates via cryptographic hashing. # Crypto

10002

# Uses SHA-256.

10003

# The key size must be either 32 or 64 bytes.

10004

# Outputs a base64 encoded representation of the hashed output

10005

# (for example, L7k0BHmF1ha5U3NfGykjro4xWi1MPVQPjhMAZbSV9mM=).

10006

# Currently, only string and integer values can be hashed.

10007

# See https://cloud.google.com/dlp/docs/pseudonymization to learn more.

10008

"cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the hash function.

10009

# a key encryption key (KEK) stored by KMS).

10010

# When using KMS to wrap/unwrap DEKs, be sure to set an appropriate

10011

# IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot

10012

# unwrap the data crypto key.

10013

"kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key

10014

# The wrapped key must be a 128/192/256 bit key.

10015

# Authorization requires the following IAM permissions when sending a request

10016

# to perform a crypto transformation using a kms-wrapped crypto key:

10017

# dlp.kms.encrypt

10018

"wrappedKey": "A String", # Required. The wrapped data crypto key.

10019

"cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.

10020

},

10021

"unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key

10022

# leaking the key. Choose another type of key if possible.

10023

"key": "A String", # Required. A 128/192/256 bit key.

10024

},

10025

"transient": { # Use this to have a random data crypto key generated. # Transient crypto key

10026

# It will be discarded after the request finishes.

10027

"name": "A String", # Required. Name of the key.

10028

# This is an arbitrary string used to differentiate different keys.

10029

# A unique key is generated per name: two separate `TransientCryptoKey`

10030

# protos share the same generated key if their names are the same.

10031

# When the data crypto key is generated, this name is not used in any way

10032

# (repeating the api call will result in a different key being generated).

},

},

},

"cryptoReplaceFfxFpeConfig": { # Replaces an identifier with a surrogate using Format Preserving Encryption # Ffx-Fpe

10037

# (FPE) with the FFX mode of operation; however when used in the

10038

# `ReidentifyContent` API method, it serves the opposite function by reversing

10039

# the surrogate back into the original identifier. The identifier must be

10040

# encoded as ASCII. For a given crypto key and context, the same identifier

10041

# will be replaced with the same surrogate. Identifiers must be at least two

10042

# characters long. In the case that the identifier is the empty string, it will

10043

# be skipped. See https://cloud.google.com/dlp/docs/pseudonymization to learn

10044

# more.

10045

#

10046

# Note: We recommend using CryptoDeterministicConfig for all use cases which

10047

# do not require preserving the input alphabet space and size, plus warrant

10048

# referential integrity.

10049

"customAlphabet": "A String", # This is supported by mapping these to the alphanumeric characters

10050

# that the FFX mode natively supports. This happens before/after

10051

# encryption/decryption.

10052

# Each character listed must appear only once.

10053

# Number of characters must be in the range [2, 95].

10054

# This must be encoded as ASCII.

10055

# The order of characters does not matter.

10056

"commonAlphabet": "A String", # Common alphabets.

10057

"surrogateInfoType": { # Type of information detected by the API. # The custom infoType to annotate the surrogate with.

10058

# This annotation will be applied to the surrogate by prefixing it with

10059

# the name of the custom infoType followed by the number of

10060

# characters comprising the surrogate. The following scheme defines the

10061

# format: info_type_name(surrogate_character_count):surrogate

10062

#

10063

# For example, if the name of custom infoType is 'MY_TOKEN_INFO_TYPE' and

10064

# the surrogate is 'abc', the full replacement value

10065

# will be: 'MY_TOKEN_INFO_TYPE(3):abc'

10066

#

10067

# This annotation identifies the surrogate when inspecting content using the

10068

# custom infoType

10069

# [`SurrogateType`](/dlp/docs/reference/rest/v2/InspectConfig#surrogatetype).

10070

# This facilitates reversal of the surrogate when it occurs in free text.

10071

#

10072

# In order for inspection to work properly, the name of this infoType must

10073

# not occur naturally anywhere in your data; otherwise, inspection may

10074

# find a surrogate that does not correspond to an actual identifier.

10075

# Therefore, choose your custom infoType name carefully after considering

10076

# what your data looks like. One way to select a name that has a high chance

10077

# of yielding reliable detection is to include one or more unicode characters

10078

# that are highly improbable to exist in your data.

10079

# For example, assuming your data is entered from a regular ASCII keyboard,

10080

# the symbol with the hex code point 29DD might be used like so:

10081

# ⧝MY_TOKEN_TYPE

10082

"name": "A String", # Name of the information type. Either a name of your choosing when

10083

# creating a CustomInfoType, or one of the names listed

10084

# at https://cloud.google.com/dlp/docs/infotypes-reference when specifying

10085

# a built-in type. InfoType names should conform to the pattern

10086

# `[a-zA-Z0-9_]{1,64}`.

10087

},

10088

"context": { # General identifier of a data field in a storage service. # The 'tweak', a context may be used for higher security since the same

10089

# identifier in two different contexts won't be given the same surrogate. If

10090

# the context is not set, a default tweak will be used.

10091

#

10092

# If the context is set but:

10093

#

10094

# 1. there is no record present when transforming a given value or

10095

# 1. the field is not present when transforming a given value,

10096

#

10097

# a default tweak will be used.

10098

#

10099

# Note that case (1) is expected when an `InfoTypeTransformation` is

10100

# applied to both structured and non-structured `ContentItem`s.

10101

# Currently, the referenced field may be of value type integer or string.

10102

#

10103

# The tweak is constructed as a sequence of bytes in big endian byte order

10104

# such that:

10105

#

10106

# - a 64 bit integer is encoded followed by a single byte of value 1

10107

# - a string is encoded in UTF-8 format followed by a single byte of value 2

10108

"name": "A String", # Name describing the field.

10109

},

10110

"radix": 42, # The native way to select the alphabet. Must be in the range [2, 95].

10111

"cryptoKey": { # This is a data encryption key (DEK) (as opposed to # Required. The key used by the encryption algorithm.

10112

# a key encryption key (KEK) stored by KMS).

10113

# When using KMS to wrap/unwrap DEKs, be sure to set an appropriate

10114

# IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot

10115

# unwrap the data crypto key.

10116

"kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key

10117

# The wrapped key must be a 128/192/256 bit key.

10118

# Authorization requires the following IAM permissions when sending a request

10119

# to perform a crypto transformation using a kms-wrapped crypto key:

10120

# dlp.kms.encrypt

10121

"wrappedKey": "A String", # Required. The wrapped data crypto key.

10122

"cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.

10123

},

10124

"unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key

10125

# leaking the key. Choose another type of key if possible.

10126

"key": "A String", # Required. A 128/192/256 bit key.

10127

},

10128

"transient": { # Use this to have a random data crypto key generated. # Transient crypto key

10129

# It will be discarded after the request finishes.

10130

"name": "A String", # Required. Name of the key.

10131

# This is an arbitrary string used to differentiate different keys.

10132

# A unique key is generated per name: two separate `TransientCryptoKey`

10133

# protos share the same generated key if their names are the same.

10134

# When the data crypto key is generated, this name is not used in any way

10135

# (repeating the api call will result in a different key being generated).

},

},

},

"cryptoDeterministicConfig": { # Pseudonymization method that generates deterministic encryption for the given # Deterministic Crypto

10140

# input. Outputs a base64 encoded representation of the encrypted output.

10141

# Uses AES-SIV based on the RFC https://tools.ietf.org/html/rfc5297.

10142

"surrogateInfoType": { # Type of information detected by the API. # The custom info type to annotate the surrogate with.

10143

# This annotation will be applied to the surrogate by prefixing it with

10144

# the name of the custom info type followed by the number of

10145

# characters comprising the surrogate. The following scheme defines the

10146

# format: {info type name}({surrogate character count}):{surrogate}

10147

#

10148

# For example, if the name of custom info type is 'MY_TOKEN_INFO_TYPE' and

10149

# the surrogate is 'abc', the full replacement value

10150

# will be: 'MY_TOKEN_INFO_TYPE(3):abc'

10151

#

10152

# This annotation identifies the surrogate when inspecting content using the

10153

# custom info type 'Surrogate'. This facilitates reversal of the

10154

# surrogate when it occurs in free text.

10155

#

10156

# Note: For record transformations where the entire cell in a table is being

10157

# transformed, surrogates are not mandatory. Surrogates are used to denote

10158

# the location of the token and are necessary for re-identification in free

10159

# form text.

10160

#

10161

# In order for inspection to work properly, the name of this info type must

10162

# not occur naturally anywhere in your data; otherwise, inspection may either

10163

#

10164

# - reverse a surrogate that does not correspond to an actual identifier

10165

# - be unable to parse the surrogate and result in an error

10166

#

10167

# Therefore, choose your custom info type name carefully after considering

10168

# what your data looks like. One way to select a name that has a high chance

10169

# of yielding reliable detection is to include one or more unicode characters

10170

# that are highly improbable to exist in your data.

10171

# For example, assuming your data is entered from a regular ASCII keyboard,

10172

# the symbol with the hex code point 29DD might be used like so:

10173

# ⧝MY_TOKEN_TYPE.

10174

"name": "A String", # Name of the information type. Either a name of your choosing when

10175

# creating a CustomInfoType, or one of the names listed

10176

# at https://cloud.google.com/dlp/docs/infotypes-reference when specifying

10177

# a built-in type. InfoType names should conform to the pattern

10178

# `[a-zA-Z0-9_]{1,64}`.

10179

},

10180

"context": { # General identifier of a data field in a storage service. # A context may be used for higher security and maintaining

10181

# referential integrity such that the same identifier in two different

10182

# contexts will be given a distinct surrogate. The context is appended to

10183

# plaintext value being encrypted. On decryption the provided context is

10184

# validated against the value used during encryption. If a context was

10185

# provided during encryption, same context must be provided during decryption

10186

# as well.

10187

#

10188

# If the context is not set, plaintext would be used as is for encryption.

10189

# If the context is set but:

10190

#

10191

# 1. there is no record present when transforming a given value or

10192

# 2. the field is not present when transforming a given value,

10193

#

10194

# plaintext would be used as is for encryption.

10195

#

10196

# Note that case (1) is expected when an `InfoTypeTransformation` is

10197

# applied to both structured and non-structured `ContentItem`s.

10198

"name": "A String", # Name describing the field.

10199

},

10200

"cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the encryption function.

10201

# a key encryption key (KEK) stored by KMS).

10202

# When using KMS to wrap/unwrap DEKs, be sure to set an appropriate

10203

# IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot

10204

# unwrap the data crypto key.

10205

"kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key

10206

# The wrapped key must be a 128/192/256 bit key.

10207

# Authorization requires the following IAM permissions when sending a request

10208

# to perform a crypto transformation using a kms-wrapped crypto key:

10209

# dlp.kms.encrypt

10210

"wrappedKey": "A String", # Required. The wrapped data crypto key.

10211

"cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.

10212

},

10213

"unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key

10214

# leaking the key. Choose another type of key if possible.

10215

"key": "A String", # Required. A 128/192/256 bit key.

10216

},

10217

"transient": { # Use this to have a random data crypto key generated. # Transient crypto key

10218

# It will be discarded after the request finishes.

10219

"name": "A String", # Required. Name of the key.

10220

# This is an arbitrary string used to differentiate different keys.

10221

# A unique key is generated per name: two separate `TransientCryptoKey`

10222

# protos share the same generated key if their names are the same.

10223

# When the data crypto key is generated, this name is not used in any way

10224

# (repeating the api call will result in a different key being generated).

},

},

},

"redactConfig": { # Redact a given value. For example, if used with an `InfoTypeTransformation` # Redact

10229

# transforming PHONE_NUMBER, and input 'My phone number is 206-555-0123', the

10230

# output would be 'My phone number is '.

10231

},

10232

"bucketingConfig": { # Generalization function that buckets values based on ranges. The ranges and # Bucketing

10233

# replacement values are dynamically provided by the user for custom behavior,

10234

# such as 1-30 -> LOW 31-65 -> MEDIUM 66-100 -> HIGH

10235

# This can be used on

10236

# data of type: number, long, string, timestamp.

10237

# If the bound `Value` type differs from the type of data being transformed, we

10238

# will first attempt converting the type of the data to be transformed to match

10239

# the type of the bound before comparing.

10240

# See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more.

10241

"buckets": [ # Set of buckets. Ranges must be non-overlapping.

10242

{ # Bucket is represented as a range, along with replacement values.

10243

"min": { # Set of primitive values supported by the system. # Lower bound of the range, inclusive. Type should be the same as max if

10244

# used.

10245

# Note that for the purposes of inspection or transformation, the number

10246

# of bytes considered to comprise a 'Value' is based on its representation

10247

# as a UTF-8 encoded string. For example, if 'integer_value' is set to

10248

# 123456789, the number of bytes would be counted as 9, even though an

10249

# int64 only holds up to 8 bytes of data.

10250

"booleanValue": True or False, # boolean

10251

"floatValue": 3.14, # float

10252

"dayOfWeekValue": "A String", # day of week

10253

"timestampValue": "A String", # timestamp

10254

"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date

10255

# and time zone are either specified elsewhere or are not significant. The date

10256

# is relative to the Proleptic Gregorian Calendar. This can represent:

10257

#

10258

# * A full date, with non-zero year, month and day values

10259

# * A month and day value, with a zero year, e.g. an anniversary

10260

# * A year on its own, with zero month and day values

10261

# * A year and month value, with a zero day, e.g. a credit card expiration date

10262

#

10263

# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.

10264

"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without

10265

# a year.

10266

"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a

10267

# month and day.

10268

"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0

10269

# if specifying a year by itself or a year and month where the day is not

10270

# significant.

10271

},

10272

"stringValue": "A String", # string

10273

"integerValue": "A String", # integer

10274

"timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day

10275

# or are specified elsewhere. An API may choose to allow leap seconds. Related

10276

# types are google.type.Date and `google.protobuf.Timestamp`.

10277

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may

10278

# allow the value 60 if it allows leap-seconds.

10279

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

10280

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose

10281

# to allow the value "24:00:00" for scenarios like business closing time.

10282

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

10283

},

10284

},

10285

"max": { # Set of primitive values supported by the system. # Upper bound of the range, exclusive; type must match min.

10286

# Note that for the purposes of inspection or transformation, the number

10287

# of bytes considered to comprise a 'Value' is based on its representation

10288

# as a UTF-8 encoded string. For example, if 'integer_value' is set to

10289

# 123456789, the number of bytes would be counted as 9, even though an

10290

# int64 only holds up to 8 bytes of data.

10291

"booleanValue": True or False, # boolean

10292

"floatValue": 3.14, # float

10293

"dayOfWeekValue": "A String", # day of week

10294

"timestampValue": "A String", # timestamp

10295

"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date

10296

# and time zone are either specified elsewhere or are not significant. The date

10297

# is relative to the Proleptic Gregorian Calendar. This can represent:

10298

#

10299

# * A full date, with non-zero year, month and day values

10300

# * A month and day value, with a zero year, e.g. an anniversary

10301

# * A year on its own, with zero month and day values

10302

# * A year and month value, with a zero day, e.g. a credit card expiration date

10303

#

10304

# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.

10305

"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without

10306

# a year.

10307

"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a

10308

# month and day.

10309

"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0

10310

# if specifying a year by itself or a year and month where the day is not

10311

# significant.

10312

},

10313

"stringValue": "A String", # string

10314

"integerValue": "A String", # integer

10315

"timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day

10316

# or are specified elsewhere. An API may choose to allow leap seconds. Related

10317

# types are google.type.Date and `google.protobuf.Timestamp`.

10318

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may

10319

# allow the value 60 if it allows leap-seconds.

10320

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

10321

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose

10322

# to allow the value "24:00:00" for scenarios like business closing time.

10323

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

10324

},

10325

},

10326

"replacementValue": { # Set of primitive values supported by the system. # Replacement value for this bucket. If not provided

10327

# the default behavior will be to hyphenate the min-max range.

10328

# Note that for the purposes of inspection or transformation, the number

10329

# of bytes considered to comprise a 'Value' is based on its representation

10330

# as a UTF-8 encoded string. For example, if 'integer_value' is set to

10331

# 123456789, the number of bytes would be counted as 9, even though an

10332

# int64 only holds up to 8 bytes of data.

10333

"booleanValue": True or False, # boolean

10334

"floatValue": 3.14, # float

10335

"dayOfWeekValue": "A String", # day of week

10336

"timestampValue": "A String", # timestamp

10337

"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date

10338

# and time zone are either specified elsewhere or are not significant. The date

10339

# is relative to the Proleptic Gregorian Calendar. This can represent:

10340

#

10341

# * A full date, with non-zero year, month and day values

10342

# * A month and day value, with a zero year, e.g. an anniversary

10343

# * A year on its own, with zero month and day values

10344

# * A year and month value, with a zero day, e.g. a credit card expiration date

10345

#

10346

# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.

10347

"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without

10348

# a year.

10349

"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a

10350

# month and day.

10351

"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0

10352

# if specifying a year by itself or a year and month where the day is not

10353

# significant.

10354

},

10355

"stringValue": "A String", # string

10356

"integerValue": "A String", # integer

10357

"timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day

10358

# or are specified elsewhere. An API may choose to allow leap seconds. Related

10359

# types are google.type.Date and `google.protobuf.Timestamp`.

10360

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may

10361

# allow the value 60 if it allows leap-seconds.

10362

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

10363

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose

10364

# to allow the value "24:00:00" for scenarios like business closing time.

10365

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

},

},

},

],

},

"replaceConfig": { # Replace each input value with a given `Value`. # Replace

10372

"newValue": { # Set of primitive values supported by the system. # Value to replace it with.

10373

# Note that for the purposes of inspection or transformation, the number

10374

# of bytes considered to comprise a 'Value' is based on its representation

10375

# as a UTF-8 encoded string. For example, if 'integer_value' is set to

10376

# 123456789, the number of bytes would be counted as 9, even though an

10377

# int64 only holds up to 8 bytes of data.

10378

"booleanValue": True or False, # boolean

10379

"floatValue": 3.14, # float

10380

"dayOfWeekValue": "A String", # day of week

10381

"timestampValue": "A String", # timestamp

10382

"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date

10383

# and time zone are either specified elsewhere or are not significant. The date

10384

# is relative to the Proleptic Gregorian Calendar. This can represent:

10385

#

10386

# * A full date, with non-zero year, month and day values

10387

# * A month and day value, with a zero year, e.g. an anniversary

10388

# * A year on its own, with zero month and day values

10389

# * A year and month value, with a zero day, e.g. a credit card expiration date

10390

#

10391

# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.

10392

"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without

10393

# a year.

10394

"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a

10395

# month and day.

10396

"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0

10397

# if specifying a year by itself or a year and month where the day is not

10398

# significant.

10399

},

10400

"stringValue": "A String", # string

10401

"integerValue": "A String", # integer

10402

"timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day

10403

# or are specified elsewhere. An API may choose to allow leap seconds. Related

10404

# types are google.type.Date and `google.protobuf.Timestamp`.

10405

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may

10406

# allow the value 60 if it allows leap-seconds.

10407

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

10408

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose

10409

# to allow the value "24:00:00" for scenarios like business closing time.

10410

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

},

},

},

"characterMaskConfig": { # Partially mask a string by replacing a given number of characters with a # Mask

10415

# fixed character. Masking can start from the beginning or end of the string.

10416

# This can be used on data of any type (numbers, longs, and so on) and when

10417

# de-identifying structured data we'll attempt to preserve the original data's

10418

# type. (This allows you to take a long like 123 and modify it to a string like

10419

# **3.

10420

"reverseOrder": True or False, # Mask characters in reverse order. For example, if `masking_character` is

10421

# `0`, `number_to_mask` is `14`, and `reverse_order` is `false`, then the

10422

# input string `1234-5678-9012-3456` is masked as `00000000000000-3456`.

10423

# If `masking_character` is `*`, `number_to_mask` is `3`, and `reverse_order`

10424

# is `true`, then the string `12345` is masked as `12***`.

10425

"charactersToIgnore": [ # When masking a string, items in this list will be skipped when replacing

10426

# characters. For example, if the input string is `555-555-5555` and you

10427

# instruct Cloud DLP to skip `-` and mask 5 characters with `*`, Cloud DLP

10428

# returns `***-**5-5555`.

10429

{ # Characters to skip when doing deidentification of a value. These will be left

10430

# alone and skipped.

10431

"charactersToSkip": "A String", # Characters to not transform when masking.

10432

"commonCharactersToIgnore": "A String", # Common characters to not transform when masking. Useful to avoid removing

# punctuation.

},

],

"numberToMask": 42, # Number of characters to mask. If not set, all matching chars will be

10437

# masked. Skipped characters do not count towards this tally.

10438

"maskingCharacter": "A String", # Character to use to mask the sensitive values&mdash;for example, `*` for an

10439

# alphabetic string such as a name, or `0` for a numeric string such as ZIP

10440

# code or credit card number. This string must have a length of 1. If not

10441

# supplied, this value defaults to `*` for strings, and `0` for digits.

10442

},

10443

"fixedSizeBucketingConfig": { # Buckets values based on fixed size ranges. The # Fixed size bucketing

10444

# Bucketing transformation can provide all of this functionality,

10445

# but requires more configuration. This message is provided as a convenience to

10446

# the user for simple bucketing strategies.

10447

#

10448

# The transformed value will be a hyphenated string of

10449

# {lower_bound}-{upper_bound}, i.e if lower_bound = 10 and upper_bound = 20

10450

# all values that are within this bucket will be replaced with "10-20".

10451

#

10452

# This can be used on data of type: double, long.

10453

#

10454

# If the bound Value type differs from the type of data

10455

# being transformed, we will first attempt converting the type of the data to

10456

# be transformed to match the type of the bound before comparing.

10457

#

10458

# See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more.

10459

"lowerBound": { # Set of primitive values supported by the system. # Required. Lower bound value of buckets. All values less than `lower_bound` are

10460

# grouped together into a single bucket; for example if `lower_bound` = 10,

10461

# then all values less than 10 are replaced with the value "-10".

10462

# Note that for the purposes of inspection or transformation, the number

10463

# of bytes considered to comprise a 'Value' is based on its representation

10464

# as a UTF-8 encoded string. For example, if 'integer_value' is set to

10465

# 123456789, the number of bytes would be counted as 9, even though an

10466

# int64 only holds up to 8 bytes of data.

10467

"booleanValue": True or False, # boolean

10468

"floatValue": 3.14, # float

10469

"dayOfWeekValue": "A String", # day of week

10470

"timestampValue": "A String", # timestamp

10471

"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date

10472

# and time zone are either specified elsewhere or are not significant. The date

10473

# is relative to the Proleptic Gregorian Calendar. This can represent:

10474

#

10475

# * A full date, with non-zero year, month and day values

10476

# * A month and day value, with a zero year, e.g. an anniversary

10477

# * A year on its own, with zero month and day values

10478

# * A year and month value, with a zero day, e.g. a credit card expiration date

10479

#

10480

# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.

10481

"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without

10482

# a year.

10483

"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a

10484

# month and day.

10485

"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0

10486

# if specifying a year by itself or a year and month where the day is not

10487

# significant.

10488

},

10489

"stringValue": "A String", # string

10490

"integerValue": "A String", # integer

10491

"timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day

10492

# or are specified elsewhere. An API may choose to allow leap seconds. Related

10493

# types are google.type.Date and `google.protobuf.Timestamp`.

10494

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may

10495

# allow the value 60 if it allows leap-seconds.

10496

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

10497

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose

10498

# to allow the value "24:00:00" for scenarios like business closing time.

10499

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

10500

},

10501

},

10502

"upperBound": { # Set of primitive values supported by the system. # Required. Upper bound value of buckets. All values greater than upper_bound are

10503

# grouped together into a single bucket; for example if `upper_bound` = 89,

10504

# then all values greater than 89 are replaced with the value "89+".

10505

# Note that for the purposes of inspection or transformation, the number

10506

# of bytes considered to comprise a 'Value' is based on its representation

10507

# as a UTF-8 encoded string. For example, if 'integer_value' is set to

10508

# 123456789, the number of bytes would be counted as 9, even though an

10509

# int64 only holds up to 8 bytes of data.

10510

"booleanValue": True or False, # boolean

10511

"floatValue": 3.14, # float

10512

"dayOfWeekValue": "A String", # day of week

10513

"timestampValue": "A String", # timestamp

10514

"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date

10515

# and time zone are either specified elsewhere or are not significant. The date

10516

# is relative to the Proleptic Gregorian Calendar. This can represent:

10517

#

10518

# * A full date, with non-zero year, month and day values

10519

# * A month and day value, with a zero year, e.g. an anniversary

10520

# * A year on its own, with zero month and day values

10521

# * A year and month value, with a zero day, e.g. a credit card expiration date

10522

#

10523

# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.

10524

"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without

10525

# a year.

10526

"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a

10527

# month and day.

10528

"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0

10529

# if specifying a year by itself or a year and month where the day is not

10530

# significant.

10531

},

10532

"stringValue": "A String", # string

10533

"integerValue": "A String", # integer

10534

"timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day

10535

# or are specified elsewhere. An API may choose to allow leap seconds. Related

10536

# types are google.type.Date and `google.protobuf.Timestamp`.

10537

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may

10538

# allow the value 60 if it allows leap-seconds.

10539

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

10540

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose

10541

# to allow the value "24:00:00" for scenarios like business closing time.

10542

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

10543

},

10544

},

10545

"bucketSize": 3.14, # Required. Size of each bucket (except for minimum and maximum buckets). So if

10546

# `lower_bound` = 10, `upper_bound` = 89, and `bucket_size` = 10, then the

10547

# following buckets would be used: -10, 10-20, 20-30, 30-40, 40-50, 50-60,

10548

# 60-70, 70-80, 80-89, 89+. Precision up to 2 decimals works.

},

},

},

],

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

10553

},

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

10554

},

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

10555

},

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

10556

"updateMask": "A String", # Mask to control which fields get updated.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

10557

}

10558

10559

x__xgafv: string, V1 error format.

Allowed values

1 - v1 error format

2 - v2 error format

Returns:

An object of the form:

10566

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

10567

{ # DeidentifyTemplates contains instructions on how to de-identify content.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

10568

# See https://cloud.google.com/dlp/docs/concepts-templates to learn more.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

10569

"name": "A String", # Output only. The template name.

10570

#

10571

# The template will have one of the following formats:

10572

# `projects/PROJECT_ID/deidentifyTemplates/TEMPLATE_ID` OR

10573

# `organizations/ORGANIZATION_ID/deidentifyTemplates/TEMPLATE_ID`

10574

"description": "A String", # Short description (max 256 chars).

10575

"displayName": "A String", # Display name (max 256 chars).

10576

"createTime": "A String", # Output only. The creation timestamp of an inspectTemplate.

10577

"updateTime": "A String", # Output only. The last update timestamp of an inspectTemplate.

10578

"deidentifyConfig": { # The configuration that controls how the data will change. # ///////////// // The core content of the template // ///////////////

10579

"transformationErrorHandling": { # How to handle transformation errors during de-identification. A # Mode for handling transformation errors. If left unspecified, the default

10580

# mode is `TransformationErrorHandling.ThrowError`.

10581

# transformation error occurs when the requested transformation is incompatible

10582

# with the data. For example, trying to de-identify an IP address using a

10583

# `DateShift` transformation would result in a transformation error, since date

10584

# info cannot be extracted from an IP address.

10585

# Information about any incompatible transformations, and how they were

10586

# handled, is returned in the response as part of the

10587

# `TransformationOverviews`.

10588

"throwError": { # Throw an error and fail the request when a transformation error occurs. # Throw an error

10589

},

10590

"leaveUntransformed": { # Skips the data without modifying it if the requested transformation would # Ignore errors

10591

# cause an error. For example, if a `DateShift` transformation were applied

10592

# an an IP address, this mode would leave the IP address unchanged in the

10593

# response.

10594

},

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

10595

},

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

10596

"recordTransformations": { # A type of transformation that is applied over structured data such as a # Treat the dataset as structured. Transformations can be applied to

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

10597

# specific locations within structured datasets, such as transforming

10598

# a column within a table.

10599

# table.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

10600

"recordSuppressions": [ # Configuration defining which records get suppressed entirely. Records that

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

10601

# match any suppression rule are omitted from the output.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

10602

{ # Configuration to suppress records whose suppression conditions evaluate to

10603

# true.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

10604

"condition": { # A condition for determining whether a transformation should be applied to # A condition that when it evaluates to true will result in the record being

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

10605

# evaluated to be suppressed from the transformed content.

10606

# a field.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

10607

"expressions": { # An expression, consisting or an operator and conditions. # An expression.

10608

"logicalOperator": "A String", # The operator to apply to the result of conditions. Default and currently

10609

# only supported value is `AND`.

10610

"conditions": { # A collection of conditions. # Conditions to apply to the expression.

10611

"conditions": [ # A collection of conditions.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

10612

{ # The field type of `value` and `field` do not need to match to be

10613

# considered equal, but not all comparisons are possible.

10614

# EQUAL_TO and NOT_EQUAL_TO attempt to compare even with incompatible types,

10615

# but all other comparisons are invalid with incompatible types.

10616

# A `value` of type:

10617

#

10618

# - `string` can be compared against all other types

10619

# - `boolean` can only be compared against other booleans

10620

# - `integer` can be compared against doubles or a string if the string value

10621

# can be parsed as an integer.

10622

# - `double` can be compared against integers or a string if the string can

10623

# be parsed as a double.

10624

# - `Timestamp` can be compared against strings in RFC 3339 date string

10625

# format.

10626

# - `TimeOfDay` can be compared against timestamps and strings in the format

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

10627

# of 'HH:mm:ss'.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

10628

#

10629

# If we fail to compare do to type mismatch, a warning will be given and

10630

# the condition will evaluate to false.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

10631

"field": { # General identifier of a data field in a storage service. # Required. Field within the record this condition is evaluated against.

10632

"name": "A String", # Name describing the field.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

10633

},

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

10634

"operator": "A String", # Required. Operator used to compare the field or infoType to the value.

10635

"value": { # Set of primitive values supported by the system. # Value to compare against. [Mandatory, except for `EXISTS` tests.]

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

10636

# Note that for the purposes of inspection or transformation, the number

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

10637

# of bytes considered to comprise a 'Value' is based on its representation

10638

# as a UTF-8 encoded string. For example, if 'integer_value' is set to

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

10639

# 123456789, the number of bytes would be counted as 9, even though an

10640

# int64 only holds up to 8 bytes of data.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

10641

"booleanValue": True or False, # boolean

10642

"floatValue": 3.14, # float

10643

"dayOfWeekValue": "A String", # day of week

10644

"timestampValue": "A String", # timestamp

10645

"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

10646

# and time zone are either specified elsewhere or are not significant. The date

10647

# is relative to the Proleptic Gregorian Calendar. This can represent:

10648

#

10649

# * A full date, with non-zero year, month and day values

10650

# * A month and day value, with a zero year, e.g. an anniversary

10651

# * A year on its own, with zero month and day values

10652

# * A year and month value, with a zero day, e.g. a credit card expiration date

10653

#

10654

# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

10655

"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without

10656

# a year.

10657

"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

10658

# month and day.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

10659

"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

10660

# if specifying a year by itself or a year and month where the day is not

10661

# significant.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

10662

},

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

10663

"stringValue": "A String", # string

10664

"integerValue": "A String", # integer

10665

"timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day

10666

# or are specified elsewhere. An API may choose to allow leap seconds. Related

10667

# types are google.type.Date and `google.protobuf.Timestamp`.

10668

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may

10669

# allow the value 60 if it allows leap-seconds.

10670

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

10671

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose

10672

# to allow the value "24:00:00" for scenarios like business closing time.

10673

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

10674

},

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

},

},

],

},

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

},

},

},

],

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

10683

"fieldTransformations": [ # Transform the record by applying various field transformations.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

10684

{ # The transformation to apply to the field.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

10685

"fields": [ # Required. Input field(s) to apply the transformation to.

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

10686

{ # General identifier of a data field in a storage service.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

10687

"name": "A String", # Name describing the field.

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

10688

},

10689

],

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

10690

"infoTypeTransformations": { # A type of transformation that will scan unstructured text and # Treat the contents of the field as free text, and selectively

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

10691

# transform content that matches an `InfoType`.

10692

# apply various `PrimitiveTransformation`s to each finding, where the

10693

# transformation is applied to only values that were identified as a specific

10694

# info_type.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

10695

"transformations": [ # Required. Transformation for each infoType. Cannot specify more than one

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

10696

# for a given infoType.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

10697

{ # A transformation to apply to text that is identified as a specific

10698

# info_type.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

10699

"infoTypes": [ # InfoTypes to apply the transformation to. An empty list will cause

10700

# this transformation to apply to all findings that correspond to

10701

# infoTypes that were requested in `InspectConfig`.

10702

{ # Type of information detected by the API.

10703

"name": "A String", # Name of the information type. Either a name of your choosing when

10704

# creating a CustomInfoType, or one of the names listed

10705

# at https://cloud.google.com/dlp/docs/infotypes-reference when specifying

10706

# a built-in type. InfoType names should conform to the pattern

10707

# `[a-zA-Z0-9_]{1,64}`.

10708

},

10709

],

10710

"primitiveTransformation": { # A rule for transforming a value. # Required. Primitive transformation to apply to the infoType.

10711

"timePartConfig": { # For use with `Date`, `Timestamp`, and `TimeOfDay`, extract or preserve a # Time extraction

10712

# portion of the value.

10713

"partToExtract": "A String", # The part of the time to keep.

10714

},

10715

"dateShiftConfig": { # Shifts dates by random number of days, with option to be consistent for the # Date Shift

10716

# same context. See https://cloud.google.com/dlp/docs/concepts-date-shifting

10717

# to learn more.

10718

"context": { # General identifier of a data field in a storage service. # Points to the field that contains the context, for example, an entity id.

10719

# If set, must also set cryptoKey. If set, shift will be consistent for the

10720

# given context.

10721

"name": "A String", # Name describing the field.

10722

},

10723

"upperBoundDays": 42, # Required. Range of shift in days. Actual shift will be selected at random within this

10724

# range (inclusive ends). Negative means shift to earlier in time. Must not

10725

# be more than 365250 days (1000 years) each direction.

10726

#

10727

# For example, 3 means shift date to at most 3 days into the future.

10728

"lowerBoundDays": 42, # Required. For example, -5 means shift date to at most 5 days back in the past.

10729

"cryptoKey": { # This is a data encryption key (DEK) (as opposed to # Causes the shift to be computed based on this key and the context. This

10730

# results in the same shift for the same context and crypto_key. If

10731

# set, must also set context. Can only be applied to table items.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

10732

# a key encryption key (KEK) stored by KMS).

10733

# When using KMS to wrap/unwrap DEKs, be sure to set an appropriate

10734

# IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot

10735

# unwrap the data crypto key.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

10736

"kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

10737

# The wrapped key must be a 128/192/256 bit key.

10738

# Authorization requires the following IAM permissions when sending a request

10739

# to perform a crypto transformation using a kms-wrapped crypto key:

10740

# dlp.kms.encrypt

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

10741

"wrappedKey": "A String", # Required. The wrapped data crypto key.

10742

"cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

10743

},

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

10744

"unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

10745

# leaking the key. Choose another type of key if possible.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

10746

"key": "A String", # Required. A 128/192/256 bit key.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

10747

},

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

10748

"transient": { # Use this to have a random data crypto key generated. # Transient crypto key

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

10749

# It will be discarded after the request finishes.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

10750

"name": "A String", # Required. Name of the key.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

10751

# This is an arbitrary string used to differentiate different keys.

10752

# A unique key is generated per name: two separate `TransientCryptoKey`

10753

# protos share the same generated key if their names are the same.

10754

# When the data crypto key is generated, this name is not used in any way

10755

# (repeating the api call will result in a different key being generated).

10756

},

10757

},

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

10758

},

10759

"replaceWithInfoTypeConfig": { # Replace each matching finding with the name of the info_type. # Replace with infotype

10760

},

10761

"cryptoHashConfig": { # Pseudonymization method that generates surrogates via cryptographic hashing. # Crypto

10762

# Uses SHA-256.

10763

# The key size must be either 32 or 64 bytes.

10764

# Outputs a base64 encoded representation of the hashed output

10765

# (for example, L7k0BHmF1ha5U3NfGykjro4xWi1MPVQPjhMAZbSV9mM=).

10766

# Currently, only string and integer values can be hashed.

10767

# See https://cloud.google.com/dlp/docs/pseudonymization to learn more.

10768

"cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the hash function.

10769

# a key encryption key (KEK) stored by KMS).

10770

# When using KMS to wrap/unwrap DEKs, be sure to set an appropriate

10771

# IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot

10772

# unwrap the data crypto key.

10773

"kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key

10774

# The wrapped key must be a 128/192/256 bit key.

10775

# Authorization requires the following IAM permissions when sending a request

10776

# to perform a crypto transformation using a kms-wrapped crypto key:

10777

# dlp.kms.encrypt

10778

"wrappedKey": "A String", # Required. The wrapped data crypto key.

10779

"cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.

10780

},

10781

"unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key

10782

# leaking the key. Choose another type of key if possible.

10783

"key": "A String", # Required. A 128/192/256 bit key.

10784

},

10785

"transient": { # Use this to have a random data crypto key generated. # Transient crypto key

10786

# It will be discarded after the request finishes.

10787

"name": "A String", # Required. Name of the key.

10788

# This is an arbitrary string used to differentiate different keys.

10789

# A unique key is generated per name: two separate `TransientCryptoKey`

10790

# protos share the same generated key if their names are the same.

10791

# When the data crypto key is generated, this name is not used in any way

10792

# (repeating the api call will result in a different key being generated).

},

},

},

"cryptoReplaceFfxFpeConfig": { # Replaces an identifier with a surrogate using Format Preserving Encryption # Ffx-Fpe

10797

# (FPE) with the FFX mode of operation; however when used in the

10798

# `ReidentifyContent` API method, it serves the opposite function by reversing

10799

# the surrogate back into the original identifier. The identifier must be

10800

# encoded as ASCII. For a given crypto key and context, the same identifier

10801

# will be replaced with the same surrogate. Identifiers must be at least two

10802

# characters long. In the case that the identifier is the empty string, it will

10803

# be skipped. See https://cloud.google.com/dlp/docs/pseudonymization to learn

10804

# more.

10805

#

10806

# Note: We recommend using CryptoDeterministicConfig for all use cases which

10807

# do not require preserving the input alphabet space and size, plus warrant

10808

# referential integrity.

10809

"customAlphabet": "A String", # This is supported by mapping these to the alphanumeric characters

10810

# that the FFX mode natively supports. This happens before/after

10811

# encryption/decryption.

10812

# Each character listed must appear only once.

10813

# Number of characters must be in the range [2, 95].

10814

# This must be encoded as ASCII.

10815

# The order of characters does not matter.

10816

"commonAlphabet": "A String", # Common alphabets.

10817

"surrogateInfoType": { # Type of information detected by the API. # The custom infoType to annotate the surrogate with.

10818

# This annotation will be applied to the surrogate by prefixing it with

10819

# the name of the custom infoType followed by the number of

10820

# characters comprising the surrogate. The following scheme defines the

10821

# format: info_type_name(surrogate_character_count):surrogate

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

10822

#

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

10823

# For example, if the name of custom infoType is 'MY_TOKEN_INFO_TYPE' and

10824

# the surrogate is 'abc', the full replacement value

10825

# will be: 'MY_TOKEN_INFO_TYPE(3):abc'

10826

#

10827

# This annotation identifies the surrogate when inspecting content using the

10828

# custom infoType

10829

# [`SurrogateType`](/dlp/docs/reference/rest/v2/InspectConfig#surrogatetype).

10830

# This facilitates reversal of the surrogate when it occurs in free text.

10831

#

10832

# In order for inspection to work properly, the name of this infoType must

10833

# not occur naturally anywhere in your data; otherwise, inspection may

10834

# find a surrogate that does not correspond to an actual identifier.

10835

# Therefore, choose your custom infoType name carefully after considering

10836

# what your data looks like. One way to select a name that has a high chance

10837

# of yielding reliable detection is to include one or more unicode characters

10838

# that are highly improbable to exist in your data.

10839

# For example, assuming your data is entered from a regular ASCII keyboard,

10840

# the symbol with the hex code point 29DD might be used like so:

10841

# ⧝MY_TOKEN_TYPE

10842

"name": "A String", # Name of the information type. Either a name of your choosing when

10843

# creating a CustomInfoType, or one of the names listed

10844

# at https://cloud.google.com/dlp/docs/infotypes-reference when specifying

10845

# a built-in type. InfoType names should conform to the pattern

10846

# `[a-zA-Z0-9_]{1,64}`.

10847

},

10848

"context": { # General identifier of a data field in a storage service. # The 'tweak', a context may be used for higher security since the same

10849

# identifier in two different contexts won't be given the same surrogate. If

10850

# the context is not set, a default tweak will be used.

10851

#

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

10852

# If the context is set but:

10853

#

10854

# 1. there is no record present when transforming a given value or

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

10855

# 1. the field is not present when transforming a given value,

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

10856

#

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

10857

# a default tweak will be used.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

10858

#

10859

# Note that case (1) is expected when an `InfoTypeTransformation` is

10860

# applied to both structured and non-structured `ContentItem`s.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

10861

# Currently, the referenced field may be of value type integer or string.

10862

#

10863

# The tweak is constructed as a sequence of bytes in big endian byte order

10864

# such that:

10865

#

10866

# - a 64 bit integer is encoded followed by a single byte of value 1

10867

# - a string is encoded in UTF-8 format followed by a single byte of value 2

10868

"name": "A String", # Name describing the field.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

10869

},

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

10870

"radix": 42, # The native way to select the alphabet. Must be in the range [2, 95].

10871

"cryptoKey": { # This is a data encryption key (DEK) (as opposed to # Required. The key used by the encryption algorithm.

10872

# a key encryption key (KEK) stored by KMS).

10873

# When using KMS to wrap/unwrap DEKs, be sure to set an appropriate

10874

# IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot

10875

# unwrap the data crypto key.

10876

"kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key

10877

# The wrapped key must be a 128/192/256 bit key.

10878

# Authorization requires the following IAM permissions when sending a request

10879

# to perform a crypto transformation using a kms-wrapped crypto key:

10880

# dlp.kms.encrypt

10881

"wrappedKey": "A String", # Required. The wrapped data crypto key.

10882

"cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.

10883

},

10884

"unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key

10885

# leaking the key. Choose another type of key if possible.

10886

"key": "A String", # Required. A 128/192/256 bit key.

10887

},

10888

"transient": { # Use this to have a random data crypto key generated. # Transient crypto key

10889

# It will be discarded after the request finishes.

10890

"name": "A String", # Required. Name of the key.

10891

# This is an arbitrary string used to differentiate different keys.

10892

# A unique key is generated per name: two separate `TransientCryptoKey`

10893

# protos share the same generated key if their names are the same.

10894

# When the data crypto key is generated, this name is not used in any way

10895

# (repeating the api call will result in a different key being generated).

},

},

},

"cryptoDeterministicConfig": { # Pseudonymization method that generates deterministic encryption for the given # Deterministic Crypto

10900

# input. Outputs a base64 encoded representation of the encrypted output.

10901

# Uses AES-SIV based on the RFC https://tools.ietf.org/html/rfc5297.

10902

"surrogateInfoType": { # Type of information detected by the API. # The custom info type to annotate the surrogate with.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

10903

# This annotation will be applied to the surrogate by prefixing it with

10904

# the name of the custom info type followed by the number of

10905

# characters comprising the surrogate. The following scheme defines the

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

10906

# format: {info type name}({surrogate character count}):{surrogate}

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

10907

#

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

10908

# For example, if the name of custom info type is 'MY_TOKEN_INFO_TYPE' and

10909

# the surrogate is 'abc', the full replacement value

10910

# will be: 'MY_TOKEN_INFO_TYPE(3):abc'

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

10911

#

10912

# This annotation identifies the surrogate when inspecting content using the

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

10913

# custom info type 'Surrogate'. This facilitates reversal of the

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

10914

# surrogate when it occurs in free text.

10915

#

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

10916

# Note: For record transformations where the entire cell in a table is being

10917

# transformed, surrogates are not mandatory. Surrogates are used to denote

10918

# the location of the token and are necessary for re-identification in free

10919

# form text.

10920

#

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

10921

# In order for inspection to work properly, the name of this info type must

10922

# not occur naturally anywhere in your data; otherwise, inspection may either

10923

#

10924

# - reverse a surrogate that does not correspond to an actual identifier

10925

# - be unable to parse the surrogate and result in an error

10926

#

10927

# Therefore, choose your custom info type name carefully after considering

10928

# what your data looks like. One way to select a name that has a high chance

10929

# of yielding reliable detection is to include one or more unicode characters

10930

# that are highly improbable to exist in your data.

10931

# For example, assuming your data is entered from a regular ASCII keyboard,

10932

# the symbol with the hex code point 29DD might be used like so:

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

10933

# ⧝MY_TOKEN_TYPE.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

10934

"name": "A String", # Name of the information type. Either a name of your choosing when

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

10935

# creating a CustomInfoType, or one of the names listed

10936

# at https://cloud.google.com/dlp/docs/infotypes-reference when specifying

10937

# a built-in type. InfoType names should conform to the pattern

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

10938

# `[a-zA-Z0-9_]{1,64}`.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

10939

},

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

10940

"context": { # General identifier of a data field in a storage service. # A context may be used for higher security and maintaining

10941

# referential integrity such that the same identifier in two different

10942

# contexts will be given a distinct surrogate. The context is appended to

10943

# plaintext value being encrypted. On decryption the provided context is

10944

# validated against the value used during encryption. If a context was

10945

# provided during encryption, same context must be provided during decryption

10946

# as well.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

10947

#

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

10948

# If the context is not set, plaintext would be used as is for encryption.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

10949

# If the context is set but:

10950

#

10951

# 1. there is no record present when transforming a given value or

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

10952

# 2. the field is not present when transforming a given value,

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

10953

#

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

10954

# plaintext would be used as is for encryption.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

10955

#

10956

# Note that case (1) is expected when an `InfoTypeTransformation` is

10957

# applied to both structured and non-structured `ContentItem`s.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

10958

"name": "A String", # Name describing the field.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

10959

},

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

10960

"cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the encryption function.

10961

# a key encryption key (KEK) stored by KMS).

10962

# When using KMS to wrap/unwrap DEKs, be sure to set an appropriate

10963

# IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot

10964

# unwrap the data crypto key.

10965

"kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key

10966

# The wrapped key must be a 128/192/256 bit key.

10967

# Authorization requires the following IAM permissions when sending a request

10968

# to perform a crypto transformation using a kms-wrapped crypto key:

10969

# dlp.kms.encrypt

10970

"wrappedKey": "A String", # Required. The wrapped data crypto key.

10971

"cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.

10972

},

10973

"unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key

10974

# leaking the key. Choose another type of key if possible.

10975

"key": "A String", # Required. A 128/192/256 bit key.

10976

},

10977

"transient": { # Use this to have a random data crypto key generated. # Transient crypto key

10978

# It will be discarded after the request finishes.

10979

"name": "A String", # Required. Name of the key.

10980

# This is an arbitrary string used to differentiate different keys.

10981

# A unique key is generated per name: two separate `TransientCryptoKey`

10982

# protos share the same generated key if their names are the same.

10983

# When the data crypto key is generated, this name is not used in any way

10984

# (repeating the api call will result in a different key being generated).

10985

},

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

10986

},

10987

},

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

10988

"redactConfig": { # Redact a given value. For example, if used with an `InfoTypeTransformation` # Redact

10989

# transforming PHONE_NUMBER, and input 'My phone number is 206-555-0123', the

10990

# output would be 'My phone number is '.

10991

},

10992

"bucketingConfig": { # Generalization function that buckets values based on ranges. The ranges and # Bucketing

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

10993

# replacement values are dynamically provided by the user for custom behavior,

10994

# such as 1-30 -> LOW 31-65 -> MEDIUM 66-100 -> HIGH

10995

# This can be used on

10996

# data of type: number, long, string, timestamp.

10997

# If the bound `Value` type differs from the type of data being transformed, we

10998

# will first attempt converting the type of the data to be transformed to match

10999

# the type of the bound before comparing.

11000

# See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

11001

"buckets": [ # Set of buckets. Ranges must be non-overlapping.

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

11002

{ # Bucket is represented as a range, along with replacement values.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

11003

"min": { # Set of primitive values supported by the system. # Lower bound of the range, inclusive. Type should be the same as max if

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

11004

# used.

11005

# Note that for the purposes of inspection or transformation, the number

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

11006

# of bytes considered to comprise a 'Value' is based on its representation

11007

# as a UTF-8 encoded string. For example, if 'integer_value' is set to

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

11008

# 123456789, the number of bytes would be counted as 9, even though an

11009

# int64 only holds up to 8 bytes of data.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

11010

"booleanValue": True or False, # boolean

11011

"floatValue": 3.14, # float

11012

"dayOfWeekValue": "A String", # day of week

11013

"timestampValue": "A String", # timestamp

11014

"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

11015

# and time zone are either specified elsewhere or are not significant. The date

11016

# is relative to the Proleptic Gregorian Calendar. This can represent:

11017

#

11018

# * A full date, with non-zero year, month and day values

11019

# * A month and day value, with a zero year, e.g. an anniversary

11020

# * A year on its own, with zero month and day values

11021

# * A year and month value, with a zero day, e.g. a credit card expiration date

11022

#

11023

# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

11024

"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without

11025

# a year.

11026

"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

11027

# month and day.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

11028

"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

11029

# if specifying a year by itself or a year and month where the day is not

11030

# significant.

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

11031

},

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

11032

"stringValue": "A String", # string

11033

"integerValue": "A String", # integer

11034

"timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day

11035

# or are specified elsewhere. An API may choose to allow leap seconds. Related

11036

# types are google.type.Date and `google.protobuf.Timestamp`.

11037

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may

11038

# allow the value 60 if it allows leap-seconds.

11039

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

11040

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose

11041

# to allow the value "24:00:00" for scenarios like business closing time.

11042

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

11043

},

11044

},

11045

"max": { # Set of primitive values supported by the system. # Upper bound of the range, exclusive; type must match min.

11046

# Note that for the purposes of inspection or transformation, the number

11047

# of bytes considered to comprise a 'Value' is based on its representation

11048

# as a UTF-8 encoded string. For example, if 'integer_value' is set to

11049

# 123456789, the number of bytes would be counted as 9, even though an

11050

# int64 only holds up to 8 bytes of data.

11051

"booleanValue": True or False, # boolean

11052

"floatValue": 3.14, # float

11053

"dayOfWeekValue": "A String", # day of week

11054

"timestampValue": "A String", # timestamp

11055

"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date

11056

# and time zone are either specified elsewhere or are not significant. The date

11057

# is relative to the Proleptic Gregorian Calendar. This can represent:

11058

#

11059

# * A full date, with non-zero year, month and day values

11060

# * A month and day value, with a zero year, e.g. an anniversary

11061

# * A year on its own, with zero month and day values

11062

# * A year and month value, with a zero day, e.g. a credit card expiration date

11063

#

11064

# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.

11065

"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without

11066

# a year.

11067

"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a

11068

# month and day.

11069

"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0

11070

# if specifying a year by itself or a year and month where the day is not

11071

# significant.

11072

},

11073

"stringValue": "A String", # string

11074

"integerValue": "A String", # integer

11075

"timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day

11076

# or are specified elsewhere. An API may choose to allow leap seconds. Related

11077

# types are google.type.Date and `google.protobuf.Timestamp`.

11078

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may

11079

# allow the value 60 if it allows leap-seconds.

11080

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

11081

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose

11082

# to allow the value "24:00:00" for scenarios like business closing time.

11083

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

11084

},

11085

},

11086

"replacementValue": { # Set of primitive values supported by the system. # Replacement value for this bucket. If not provided

11087

# the default behavior will be to hyphenate the min-max range.

11088

# Note that for the purposes of inspection or transformation, the number

11089

# of bytes considered to comprise a 'Value' is based on its representation

11090

# as a UTF-8 encoded string. For example, if 'integer_value' is set to

11091

# 123456789, the number of bytes would be counted as 9, even though an

11092

# int64 only holds up to 8 bytes of data.

11093

"booleanValue": True or False, # boolean

11094

"floatValue": 3.14, # float

11095

"dayOfWeekValue": "A String", # day of week

11096

"timestampValue": "A String", # timestamp

11097

"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date

11098

# and time zone are either specified elsewhere or are not significant. The date

11099

# is relative to the Proleptic Gregorian Calendar. This can represent:

11100

#

11101

# * A full date, with non-zero year, month and day values

11102

# * A month and day value, with a zero year, e.g. an anniversary

11103

# * A year on its own, with zero month and day values

11104

# * A year and month value, with a zero day, e.g. a credit card expiration date

11105

#

11106

# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.

11107

"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without

11108

# a year.

11109

"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a

11110

# month and day.

11111

"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0

11112

# if specifying a year by itself or a year and month where the day is not

11113

# significant.

11114

},

11115

"stringValue": "A String", # string

11116

"integerValue": "A String", # integer

11117

"timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day

11118

# or are specified elsewhere. An API may choose to allow leap seconds. Related

11119

# types are google.type.Date and `google.protobuf.Timestamp`.

11120

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may

11121

# allow the value 60 if it allows leap-seconds.

11122

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

11123

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose

11124

# to allow the value "24:00:00" for scenarios like business closing time.

11125

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

11126

},

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

},

},

],

},

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

11131

"replaceConfig": { # Replace each input value with a given `Value`. # Replace

11132

"newValue": { # Set of primitive values supported by the system. # Value to replace it with.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

11133

# Note that for the purposes of inspection or transformation, the number

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

11134

# of bytes considered to comprise a 'Value' is based on its representation

11135

# as a UTF-8 encoded string. For example, if 'integer_value' is set to

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

11136

# 123456789, the number of bytes would be counted as 9, even though an

11137

# int64 only holds up to 8 bytes of data.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

11138

"booleanValue": True or False, # boolean

11139

"floatValue": 3.14, # float

11140

"dayOfWeekValue": "A String", # day of week

11141

"timestampValue": "A String", # timestamp

11142

"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

11143

# and time zone are either specified elsewhere or are not significant. The date

11144

# is relative to the Proleptic Gregorian Calendar. This can represent:

11145

#

11146

# * A full date, with non-zero year, month and day values

11147

# * A month and day value, with a zero year, e.g. an anniversary

11148

# * A year on its own, with zero month and day values

11149

# * A year and month value, with a zero day, e.g. a credit card expiration date

11150

#

11151

# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

11152

"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without

11153

# a year.

11154

"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

11155

# month and day.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

11156

"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

11157

# if specifying a year by itself or a year and month where the day is not

11158

# significant.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

11159

},

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

11160

"stringValue": "A String", # string

11161

"integerValue": "A String", # integer

11162

"timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day

11163

# or are specified elsewhere. An API may choose to allow leap seconds. Related

11164

# types are google.type.Date and `google.protobuf.Timestamp`.

11165

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may

11166

# allow the value 60 if it allows leap-seconds.

11167

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

11168

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose

11169

# to allow the value "24:00:00" for scenarios like business closing time.

11170

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

},

},

},

"characterMaskConfig": { # Partially mask a string by replacing a given number of characters with a # Mask

11175

# fixed character. Masking can start from the beginning or end of the string.

11176

# This can be used on data of any type (numbers, longs, and so on) and when

11177

# de-identifying structured data we'll attempt to preserve the original data's

11178

# type. (This allows you to take a long like 123 and modify it to a string like

11179

# **3.

11180

"reverseOrder": True or False, # Mask characters in reverse order. For example, if `masking_character` is

11181

# `0`, `number_to_mask` is `14`, and `reverse_order` is `false`, then the

11182

# input string `1234-5678-9012-3456` is masked as `00000000000000-3456`.

11183

# If `masking_character` is `*`, `number_to_mask` is `3`, and `reverse_order`

11184

# is `true`, then the string `12345` is masked as `12***`.

11185

"charactersToIgnore": [ # When masking a string, items in this list will be skipped when replacing

11186

# characters. For example, if the input string is `555-555-5555` and you

11187

# instruct Cloud DLP to skip `-` and mask 5 characters with `*`, Cloud DLP

11188

# returns `***-**5-5555`.

11189

{ # Characters to skip when doing deidentification of a value. These will be left

11190

# alone and skipped.

11191

"charactersToSkip": "A String", # Characters to not transform when masking.

11192

"commonCharactersToIgnore": "A String", # Common characters to not transform when masking. Useful to avoid removing

# punctuation.

},

],

"numberToMask": 42, # Number of characters to mask. If not set, all matching chars will be

11197

# masked. Skipped characters do not count towards this tally.

11198

"maskingCharacter": "A String", # Character to use to mask the sensitive values&mdash;for example, `*` for an

11199

# alphabetic string such as a name, or `0` for a numeric string such as ZIP

11200

# code or credit card number. This string must have a length of 1. If not

11201

# supplied, this value defaults to `*` for strings, and `0` for digits.

11202

},

11203

"fixedSizeBucketingConfig": { # Buckets values based on fixed size ranges. The # Fixed size bucketing

11204

# Bucketing transformation can provide all of this functionality,

11205

# but requires more configuration. This message is provided as a convenience to

11206

# the user for simple bucketing strategies.

11207

#

11208

# The transformed value will be a hyphenated string of

11209

# {lower_bound}-{upper_bound}, i.e if lower_bound = 10 and upper_bound = 20

11210

# all values that are within this bucket will be replaced with "10-20".

11211

#

11212

# This can be used on data of type: double, long.

11213

#

11214

# If the bound Value type differs from the type of data

11215

# being transformed, we will first attempt converting the type of the data to

11216

# be transformed to match the type of the bound before comparing.

11217

#

11218

# See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more.

11219

"lowerBound": { # Set of primitive values supported by the system. # Required. Lower bound value of buckets. All values less than `lower_bound` are

11220

# grouped together into a single bucket; for example if `lower_bound` = 10,

11221

# then all values less than 10 are replaced with the value "-10".

11222

# Note that for the purposes of inspection or transformation, the number

11223

# of bytes considered to comprise a 'Value' is based on its representation

11224

# as a UTF-8 encoded string. For example, if 'integer_value' is set to

11225

# 123456789, the number of bytes would be counted as 9, even though an

11226

# int64 only holds up to 8 bytes of data.

11227

"booleanValue": True or False, # boolean

11228

"floatValue": 3.14, # float

11229

"dayOfWeekValue": "A String", # day of week

11230

"timestampValue": "A String", # timestamp

11231

"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date

11232

# and time zone are either specified elsewhere or are not significant. The date

11233

# is relative to the Proleptic Gregorian Calendar. This can represent:

11234

#

11235

# * A full date, with non-zero year, month and day values

11236

# * A month and day value, with a zero year, e.g. an anniversary

11237

# * A year on its own, with zero month and day values

11238

# * A year and month value, with a zero day, e.g. a credit card expiration date

11239

#

11240

# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.

11241

"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without

11242

# a year.

11243

"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a

11244

# month and day.

11245

"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0

11246

# if specifying a year by itself or a year and month where the day is not

11247

# significant.

11248

},

11249

"stringValue": "A String", # string

11250

"integerValue": "A String", # integer

11251

"timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day

11252

# or are specified elsewhere. An API may choose to allow leap seconds. Related

11253

# types are google.type.Date and `google.protobuf.Timestamp`.

11254

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may

11255

# allow the value 60 if it allows leap-seconds.

11256

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

11257

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose

11258

# to allow the value "24:00:00" for scenarios like business closing time.

11259

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

11260

},

11261

},

11262

"upperBound": { # Set of primitive values supported by the system. # Required. Upper bound value of buckets. All values greater than upper_bound are

11263

# grouped together into a single bucket; for example if `upper_bound` = 89,

11264

# then all values greater than 89 are replaced with the value "89+".

11265

# Note that for the purposes of inspection or transformation, the number

11266

# of bytes considered to comprise a 'Value' is based on its representation

11267

# as a UTF-8 encoded string. For example, if 'integer_value' is set to

11268

# 123456789, the number of bytes would be counted as 9, even though an

11269

# int64 only holds up to 8 bytes of data.

11270

"booleanValue": True or False, # boolean

11271

"floatValue": 3.14, # float

11272

"dayOfWeekValue": "A String", # day of week

11273

"timestampValue": "A String", # timestamp

11274

"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date

11275

# and time zone are either specified elsewhere or are not significant. The date

11276

# is relative to the Proleptic Gregorian Calendar. This can represent:

11277

#

11278

# * A full date, with non-zero year, month and day values

11279

# * A month and day value, with a zero year, e.g. an anniversary

11280

# * A year on its own, with zero month and day values

11281

# * A year and month value, with a zero day, e.g. a credit card expiration date

11282

#

11283

# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.

11284

"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without

11285

# a year.

11286

"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a

11287

# month and day.

11288

"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0

11289

# if specifying a year by itself or a year and month where the day is not

11290

# significant.

11291

},

11292

"stringValue": "A String", # string

11293

"integerValue": "A String", # integer

11294

"timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day

11295

# or are specified elsewhere. An API may choose to allow leap seconds. Related

11296

# types are google.type.Date and `google.protobuf.Timestamp`.

11297

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may

11298

# allow the value 60 if it allows leap-seconds.

11299

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

11300

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose

11301

# to allow the value "24:00:00" for scenarios like business closing time.

11302

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

11303

},

11304

},

11305

"bucketSize": 3.14, # Required. Size of each bucket (except for minimum and maximum buckets). So if

11306

# `lower_bound` = 10, `upper_bound` = 89, and `bucket_size` = 10, then the

11307

# following buckets would be used: -10, 10-20, 20-30, 30-40, 40-50, 50-60,

11308

# 60-70, 70-80, 80-89, 89+. Precision up to 2 decimals works.

},

},

},

],

},

"primitiveTransformation": { # A rule for transforming a value. # Apply the transformation to the entire field.

11315

"timePartConfig": { # For use with `Date`, `Timestamp`, and `TimeOfDay`, extract or preserve a # Time extraction

11316

# portion of the value.

11317

"partToExtract": "A String", # The part of the time to keep.

11318

},

11319

"dateShiftConfig": { # Shifts dates by random number of days, with option to be consistent for the # Date Shift

11320

# same context. See https://cloud.google.com/dlp/docs/concepts-date-shifting

11321

# to learn more.

11322

"context": { # General identifier of a data field in a storage service. # Points to the field that contains the context, for example, an entity id.

11323

# If set, must also set cryptoKey. If set, shift will be consistent for the

11324

# given context.

11325

"name": "A String", # Name describing the field.

11326

},

11327

"upperBoundDays": 42, # Required. Range of shift in days. Actual shift will be selected at random within this

11328

# range (inclusive ends). Negative means shift to earlier in time. Must not

11329

# be more than 365250 days (1000 years) each direction.

11330

#

11331

# For example, 3 means shift date to at most 3 days into the future.

11332

"lowerBoundDays": 42, # Required. For example, -5 means shift date to at most 5 days back in the past.

11333

"cryptoKey": { # This is a data encryption key (DEK) (as opposed to # Causes the shift to be computed based on this key and the context. This

11334

# results in the same shift for the same context and crypto_key. If

11335

# set, must also set context. Can only be applied to table items.

11336

# a key encryption key (KEK) stored by KMS).

11337

# When using KMS to wrap/unwrap DEKs, be sure to set an appropriate

11338

# IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot

11339

# unwrap the data crypto key.

11340

"kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key

11341

# The wrapped key must be a 128/192/256 bit key.

11342

# Authorization requires the following IAM permissions when sending a request

11343

# to perform a crypto transformation using a kms-wrapped crypto key:

11344

# dlp.kms.encrypt

11345

"wrappedKey": "A String", # Required. The wrapped data crypto key.

11346

"cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.

11347

},

11348

"unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key

11349

# leaking the key. Choose another type of key if possible.

11350

"key": "A String", # Required. A 128/192/256 bit key.

11351

},

11352

"transient": { # Use this to have a random data crypto key generated. # Transient crypto key

11353

# It will be discarded after the request finishes.

11354

"name": "A String", # Required. Name of the key.

11355

# This is an arbitrary string used to differentiate different keys.

11356

# A unique key is generated per name: two separate `TransientCryptoKey`

11357

# protos share the same generated key if their names are the same.

11358

# When the data crypto key is generated, this name is not used in any way

11359

# (repeating the api call will result in a different key being generated).

},

},

},

"replaceWithInfoTypeConfig": { # Replace each matching finding with the name of the info_type. # Replace with infotype

11364

},

11365

"cryptoHashConfig": { # Pseudonymization method that generates surrogates via cryptographic hashing. # Crypto

11366

# Uses SHA-256.

11367

# The key size must be either 32 or 64 bytes.

11368

# Outputs a base64 encoded representation of the hashed output

11369

# (for example, L7k0BHmF1ha5U3NfGykjro4xWi1MPVQPjhMAZbSV9mM=).

11370

# Currently, only string and integer values can be hashed.

11371

# See https://cloud.google.com/dlp/docs/pseudonymization to learn more.

11372

"cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the hash function.

11373

# a key encryption key (KEK) stored by KMS).

11374

# When using KMS to wrap/unwrap DEKs, be sure to set an appropriate

11375

# IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot

11376

# unwrap the data crypto key.

11377

"kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key

11378

# The wrapped key must be a 128/192/256 bit key.

11379

# Authorization requires the following IAM permissions when sending a request

11380

# to perform a crypto transformation using a kms-wrapped crypto key:

11381

# dlp.kms.encrypt

11382

"wrappedKey": "A String", # Required. The wrapped data crypto key.

11383

"cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.

11384

},

11385

"unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key

11386

# leaking the key. Choose another type of key if possible.

11387

"key": "A String", # Required. A 128/192/256 bit key.

11388

},

11389

"transient": { # Use this to have a random data crypto key generated. # Transient crypto key

11390

# It will be discarded after the request finishes.

11391

"name": "A String", # Required. Name of the key.

11392

# This is an arbitrary string used to differentiate different keys.

11393

# A unique key is generated per name: two separate `TransientCryptoKey`

11394

# protos share the same generated key if their names are the same.

11395

# When the data crypto key is generated, this name is not used in any way

11396

# (repeating the api call will result in a different key being generated).

},

},

},

"cryptoReplaceFfxFpeConfig": { # Replaces an identifier with a surrogate using Format Preserving Encryption # Ffx-Fpe

11401

# (FPE) with the FFX mode of operation; however when used in the

11402

# `ReidentifyContent` API method, it serves the opposite function by reversing

11403

# the surrogate back into the original identifier. The identifier must be

11404

# encoded as ASCII. For a given crypto key and context, the same identifier

11405

# will be replaced with the same surrogate. Identifiers must be at least two

11406

# characters long. In the case that the identifier is the empty string, it will

11407

# be skipped. See https://cloud.google.com/dlp/docs/pseudonymization to learn

11408

# more.

11409

#

11410

# Note: We recommend using CryptoDeterministicConfig for all use cases which

11411

# do not require preserving the input alphabet space and size, plus warrant

11412

# referential integrity.

11413

"customAlphabet": "A String", # This is supported by mapping these to the alphanumeric characters

11414

# that the FFX mode natively supports. This happens before/after

11415

# encryption/decryption.

11416

# Each character listed must appear only once.

11417

# Number of characters must be in the range [2, 95].

11418

# This must be encoded as ASCII.

11419

# The order of characters does not matter.

11420

"commonAlphabet": "A String", # Common alphabets.

11421

"surrogateInfoType": { # Type of information detected by the API. # The custom infoType to annotate the surrogate with.

11422

# This annotation will be applied to the surrogate by prefixing it with

11423

# the name of the custom infoType followed by the number of

11424

# characters comprising the surrogate. The following scheme defines the

11425

# format: info_type_name(surrogate_character_count):surrogate

11426

#

11427

# For example, if the name of custom infoType is 'MY_TOKEN_INFO_TYPE' and

11428

# the surrogate is 'abc', the full replacement value

11429

# will be: 'MY_TOKEN_INFO_TYPE(3):abc'

11430

#

11431

# This annotation identifies the surrogate when inspecting content using the

11432

# custom infoType

11433

# [`SurrogateType`](/dlp/docs/reference/rest/v2/InspectConfig#surrogatetype).

11434

# This facilitates reversal of the surrogate when it occurs in free text.

11435

#

11436

# In order for inspection to work properly, the name of this infoType must

11437

# not occur naturally anywhere in your data; otherwise, inspection may

11438

# find a surrogate that does not correspond to an actual identifier.

11439

# Therefore, choose your custom infoType name carefully after considering

11440

# what your data looks like. One way to select a name that has a high chance

11441

# of yielding reliable detection is to include one or more unicode characters

11442

# that are highly improbable to exist in your data.

11443

# For example, assuming your data is entered from a regular ASCII keyboard,

11444

# the symbol with the hex code point 29DD might be used like so:

11445

# ⧝MY_TOKEN_TYPE

11446

"name": "A String", # Name of the information type. Either a name of your choosing when

11447

# creating a CustomInfoType, or one of the names listed

11448

# at https://cloud.google.com/dlp/docs/infotypes-reference when specifying

11449

# a built-in type. InfoType names should conform to the pattern

11450

# `[a-zA-Z0-9_]{1,64}`.

11451

},

11452

"context": { # General identifier of a data field in a storage service. # The 'tweak', a context may be used for higher security since the same

11453

# identifier in two different contexts won't be given the same surrogate. If

11454

# the context is not set, a default tweak will be used.

11455

#

11456

# If the context is set but:

11457

#

11458

# 1. there is no record present when transforming a given value or

11459

# 1. the field is not present when transforming a given value,

11460

#

11461

# a default tweak will be used.

11462

#

11463

# Note that case (1) is expected when an `InfoTypeTransformation` is

11464

# applied to both structured and non-structured `ContentItem`s.

11465

# Currently, the referenced field may be of value type integer or string.

11466

#

11467

# The tweak is constructed as a sequence of bytes in big endian byte order

11468

# such that:

11469

#

11470

# - a 64 bit integer is encoded followed by a single byte of value 1

11471

# - a string is encoded in UTF-8 format followed by a single byte of value 2

11472

"name": "A String", # Name describing the field.

11473

},

11474

"radix": 42, # The native way to select the alphabet. Must be in the range [2, 95].

11475

"cryptoKey": { # This is a data encryption key (DEK) (as opposed to # Required. The key used by the encryption algorithm.

11476

# a key encryption key (KEK) stored by KMS).

11477

# When using KMS to wrap/unwrap DEKs, be sure to set an appropriate

11478

# IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot

11479

# unwrap the data crypto key.

11480

"kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key

11481

# The wrapped key must be a 128/192/256 bit key.

11482

# Authorization requires the following IAM permissions when sending a request

11483

# to perform a crypto transformation using a kms-wrapped crypto key:

11484

# dlp.kms.encrypt

11485

"wrappedKey": "A String", # Required. The wrapped data crypto key.

11486

"cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.

11487

},

11488

"unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key

11489

# leaking the key. Choose another type of key if possible.

11490

"key": "A String", # Required. A 128/192/256 bit key.

11491

},

11492

"transient": { # Use this to have a random data crypto key generated. # Transient crypto key

11493

# It will be discarded after the request finishes.

11494

"name": "A String", # Required. Name of the key.

11495

# This is an arbitrary string used to differentiate different keys.

11496

# A unique key is generated per name: two separate `TransientCryptoKey`

11497

# protos share the same generated key if their names are the same.

11498

# When the data crypto key is generated, this name is not used in any way

11499

# (repeating the api call will result in a different key being generated).

},

},

},

"cryptoDeterministicConfig": { # Pseudonymization method that generates deterministic encryption for the given # Deterministic Crypto

11504

# input. Outputs a base64 encoded representation of the encrypted output.

11505

# Uses AES-SIV based on the RFC https://tools.ietf.org/html/rfc5297.

11506

"surrogateInfoType": { # Type of information detected by the API. # The custom info type to annotate the surrogate with.

11507

# This annotation will be applied to the surrogate by prefixing it with

11508

# the name of the custom info type followed by the number of

11509

# characters comprising the surrogate. The following scheme defines the

11510

# format: {info type name}({surrogate character count}):{surrogate}

11511

#

11512

# For example, if the name of custom info type is 'MY_TOKEN_INFO_TYPE' and

11513

# the surrogate is 'abc', the full replacement value

11514

# will be: 'MY_TOKEN_INFO_TYPE(3):abc'

11515

#

11516

# This annotation identifies the surrogate when inspecting content using the

11517

# custom info type 'Surrogate'. This facilitates reversal of the

11518

# surrogate when it occurs in free text.

11519

#

11520

# Note: For record transformations where the entire cell in a table is being

11521

# transformed, surrogates are not mandatory. Surrogates are used to denote

11522

# the location of the token and are necessary for re-identification in free

11523

# form text.

11524

#

11525

# In order for inspection to work properly, the name of this info type must

11526

# not occur naturally anywhere in your data; otherwise, inspection may either

11527

#

11528

# - reverse a surrogate that does not correspond to an actual identifier

11529

# - be unable to parse the surrogate and result in an error

11530

#

11531

# Therefore, choose your custom info type name carefully after considering

11532

# what your data looks like. One way to select a name that has a high chance

11533

# of yielding reliable detection is to include one or more unicode characters

11534

# that are highly improbable to exist in your data.

11535

# For example, assuming your data is entered from a regular ASCII keyboard,

11536

# the symbol with the hex code point 29DD might be used like so:

11537

# ⧝MY_TOKEN_TYPE.

11538

"name": "A String", # Name of the information type. Either a name of your choosing when

11539

# creating a CustomInfoType, or one of the names listed

11540

# at https://cloud.google.com/dlp/docs/infotypes-reference when specifying

11541

# a built-in type. InfoType names should conform to the pattern

11542

# `[a-zA-Z0-9_]{1,64}`.

11543

},

11544

"context": { # General identifier of a data field in a storage service. # A context may be used for higher security and maintaining

11545

# referential integrity such that the same identifier in two different

11546

# contexts will be given a distinct surrogate. The context is appended to

11547

# plaintext value being encrypted. On decryption the provided context is

11548

# validated against the value used during encryption. If a context was

11549

# provided during encryption, same context must be provided during decryption

11550

# as well.

11551

#

11552

# If the context is not set, plaintext would be used as is for encryption.

11553

# If the context is set but:

11554

#

11555

# 1. there is no record present when transforming a given value or

11556

# 2. the field is not present when transforming a given value,

11557

#

11558

# plaintext would be used as is for encryption.

11559

#

11560

# Note that case (1) is expected when an `InfoTypeTransformation` is

11561

# applied to both structured and non-structured `ContentItem`s.

11562

"name": "A String", # Name describing the field.

11563

},

11564

"cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the encryption function.

11565

# a key encryption key (KEK) stored by KMS).

11566

# When using KMS to wrap/unwrap DEKs, be sure to set an appropriate

11567

# IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot

11568

# unwrap the data crypto key.

11569

"kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key

11570

# The wrapped key must be a 128/192/256 bit key.

11571

# Authorization requires the following IAM permissions when sending a request

11572

# to perform a crypto transformation using a kms-wrapped crypto key:

11573

# dlp.kms.encrypt

11574

"wrappedKey": "A String", # Required. The wrapped data crypto key.

11575

"cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.

11576

},

11577

"unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key

11578

# leaking the key. Choose another type of key if possible.

11579

"key": "A String", # Required. A 128/192/256 bit key.

11580

},

11581

"transient": { # Use this to have a random data crypto key generated. # Transient crypto key

11582

# It will be discarded after the request finishes.

11583

"name": "A String", # Required. Name of the key.

11584

# This is an arbitrary string used to differentiate different keys.

11585

# A unique key is generated per name: two separate `TransientCryptoKey`

11586

# protos share the same generated key if their names are the same.

11587

# When the data crypto key is generated, this name is not used in any way

11588

# (repeating the api call will result in a different key being generated).

},

},

},

"redactConfig": { # Redact a given value. For example, if used with an `InfoTypeTransformation` # Redact

11593

# transforming PHONE_NUMBER, and input 'My phone number is 206-555-0123', the

11594

# output would be 'My phone number is '.

11595

},

11596

"bucketingConfig": { # Generalization function that buckets values based on ranges. The ranges and # Bucketing

11597

# replacement values are dynamically provided by the user for custom behavior,

11598

# such as 1-30 -> LOW 31-65 -> MEDIUM 66-100 -> HIGH

11599

# This can be used on

11600

# data of type: number, long, string, timestamp.

11601

# If the bound `Value` type differs from the type of data being transformed, we

11602

# will first attempt converting the type of the data to be transformed to match

11603

# the type of the bound before comparing.

11604

# See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more.

11605

"buckets": [ # Set of buckets. Ranges must be non-overlapping.

11606

{ # Bucket is represented as a range, along with replacement values.

11607

"min": { # Set of primitive values supported by the system. # Lower bound of the range, inclusive. Type should be the same as max if

11608

# used.

11609

# Note that for the purposes of inspection or transformation, the number

11610

# of bytes considered to comprise a 'Value' is based on its representation

11611

# as a UTF-8 encoded string. For example, if 'integer_value' is set to

11612

# 123456789, the number of bytes would be counted as 9, even though an

11613

# int64 only holds up to 8 bytes of data.

11614

"booleanValue": True or False, # boolean

11615

"floatValue": 3.14, # float

11616

"dayOfWeekValue": "A String", # day of week

11617

"timestampValue": "A String", # timestamp

11618

"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date

11619

# and time zone are either specified elsewhere or are not significant. The date

11620

# is relative to the Proleptic Gregorian Calendar. This can represent:

11621

#

11622

# * A full date, with non-zero year, month and day values

11623

# * A month and day value, with a zero year, e.g. an anniversary

11624

# * A year on its own, with zero month and day values

11625

# * A year and month value, with a zero day, e.g. a credit card expiration date

11626

#

11627

# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.

11628

"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without

11629

# a year.

11630

"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a

11631

# month and day.

11632

"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0

11633

# if specifying a year by itself or a year and month where the day is not

11634

# significant.

11635

},

11636

"stringValue": "A String", # string

11637

"integerValue": "A String", # integer

11638

"timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day

11639

# or are specified elsewhere. An API may choose to allow leap seconds. Related

11640

# types are google.type.Date and `google.protobuf.Timestamp`.

11641

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may

11642

# allow the value 60 if it allows leap-seconds.

11643

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

11644

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose

11645

# to allow the value "24:00:00" for scenarios like business closing time.

11646

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

11647

},

11648

},

11649

"max": { # Set of primitive values supported by the system. # Upper bound of the range, exclusive; type must match min.

11650

# Note that for the purposes of inspection or transformation, the number

11651

# of bytes considered to comprise a 'Value' is based on its representation

11652

# as a UTF-8 encoded string. For example, if 'integer_value' is set to

11653

# 123456789, the number of bytes would be counted as 9, even though an

11654

# int64 only holds up to 8 bytes of data.

11655

"booleanValue": True or False, # boolean

11656

"floatValue": 3.14, # float

11657

"dayOfWeekValue": "A String", # day of week

11658

"timestampValue": "A String", # timestamp

11659

"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date

11660

# and time zone are either specified elsewhere or are not significant. The date

11661

# is relative to the Proleptic Gregorian Calendar. This can represent:

11662

#

11663

# * A full date, with non-zero year, month and day values

11664

# * A month and day value, with a zero year, e.g. an anniversary

11665

# * A year on its own, with zero month and day values

11666

# * A year and month value, with a zero day, e.g. a credit card expiration date

11667

#

11668

# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.

11669

"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without

11670

# a year.

11671

"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a

11672

# month and day.

11673

"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0

11674

# if specifying a year by itself or a year and month where the day is not

11675

# significant.

11676

},

11677

"stringValue": "A String", # string

11678

"integerValue": "A String", # integer

11679

"timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day

11680

# or are specified elsewhere. An API may choose to allow leap seconds. Related

11681

# types are google.type.Date and `google.protobuf.Timestamp`.

11682

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may

11683

# allow the value 60 if it allows leap-seconds.

11684

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

11685

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose

11686

# to allow the value "24:00:00" for scenarios like business closing time.

11687

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

11688

},

11689

},

11690

"replacementValue": { # Set of primitive values supported by the system. # Replacement value for this bucket. If not provided

11691

# the default behavior will be to hyphenate the min-max range.

11692

# Note that for the purposes of inspection or transformation, the number

11693

# of bytes considered to comprise a 'Value' is based on its representation

11694

# as a UTF-8 encoded string. For example, if 'integer_value' is set to

11695

# 123456789, the number of bytes would be counted as 9, even though an

11696

# int64 only holds up to 8 bytes of data.

11697

"booleanValue": True or False, # boolean

11698

"floatValue": 3.14, # float

11699

"dayOfWeekValue": "A String", # day of week

11700

"timestampValue": "A String", # timestamp

11701

"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date

11702

# and time zone are either specified elsewhere or are not significant. The date

11703

# is relative to the Proleptic Gregorian Calendar. This can represent:

11704

#

11705

# * A full date, with non-zero year, month and day values

11706

# * A month and day value, with a zero year, e.g. an anniversary

11707

# * A year on its own, with zero month and day values

11708

# * A year and month value, with a zero day, e.g. a credit card expiration date

11709

#

11710

# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.

11711

"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without

11712

# a year.

11713

"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a

11714

# month and day.

11715

"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0

11716

# if specifying a year by itself or a year and month where the day is not

11717

# significant.

11718

},

11719

"stringValue": "A String", # string

11720

"integerValue": "A String", # integer

11721

"timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day

11722

# or are specified elsewhere. An API may choose to allow leap seconds. Related

11723

# types are google.type.Date and `google.protobuf.Timestamp`.

11724

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may

11725

# allow the value 60 if it allows leap-seconds.

11726

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

11727

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose

11728

# to allow the value "24:00:00" for scenarios like business closing time.

11729

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

11730

},

11731

},

11732

},

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

11733

],

11734

},

11735

"replaceConfig": { # Replace each input value with a given `Value`. # Replace

11736

"newValue": { # Set of primitive values supported by the system. # Value to replace it with.

11737

# Note that for the purposes of inspection or transformation, the number

11738

# of bytes considered to comprise a 'Value' is based on its representation

11739

# as a UTF-8 encoded string. For example, if 'integer_value' is set to

11740

# 123456789, the number of bytes would be counted as 9, even though an

11741

# int64 only holds up to 8 bytes of data.

11742

"booleanValue": True or False, # boolean

11743

"floatValue": 3.14, # float

11744

"dayOfWeekValue": "A String", # day of week

11745

"timestampValue": "A String", # timestamp

11746

"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date

11747

# and time zone are either specified elsewhere or are not significant. The date

11748

# is relative to the Proleptic Gregorian Calendar. This can represent:

11749

#

11750

# * A full date, with non-zero year, month and day values

11751

# * A month and day value, with a zero year, e.g. an anniversary

11752

# * A year on its own, with zero month and day values

11753

# * A year and month value, with a zero day, e.g. a credit card expiration date

11754

#

11755

# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.

11756

"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without

11757

# a year.

11758

"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a

11759

# month and day.

11760

"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0

11761

# if specifying a year by itself or a year and month where the day is not

11762

# significant.

11763

},

11764

"stringValue": "A String", # string

11765

"integerValue": "A String", # integer

11766

"timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day

11767

# or are specified elsewhere. An API may choose to allow leap seconds. Related

11768

# types are google.type.Date and `google.protobuf.Timestamp`.

11769

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may

11770

# allow the value 60 if it allows leap-seconds.

11771

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

11772

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose

11773

# to allow the value "24:00:00" for scenarios like business closing time.

11774

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

},

},

},

"characterMaskConfig": { # Partially mask a string by replacing a given number of characters with a # Mask

11779

# fixed character. Masking can start from the beginning or end of the string.

11780

# This can be used on data of any type (numbers, longs, and so on) and when

11781

# de-identifying structured data we'll attempt to preserve the original data's

11782

# type. (This allows you to take a long like 123 and modify it to a string like

11783

# **3.

11784

"reverseOrder": True or False, # Mask characters in reverse order. For example, if `masking_character` is

11785

# `0`, `number_to_mask` is `14`, and `reverse_order` is `false`, then the

11786

# input string `1234-5678-9012-3456` is masked as `00000000000000-3456`.

11787

# If `masking_character` is `*`, `number_to_mask` is `3`, and `reverse_order`

11788

# is `true`, then the string `12345` is masked as `12***`.

11789

"charactersToIgnore": [ # When masking a string, items in this list will be skipped when replacing

11790

# characters. For example, if the input string is `555-555-5555` and you

11791

# instruct Cloud DLP to skip `-` and mask 5 characters with `*`, Cloud DLP

11792

# returns `***-**5-5555`.

11793

{ # Characters to skip when doing deidentification of a value. These will be left

11794

# alone and skipped.

11795

"charactersToSkip": "A String", # Characters to not transform when masking.

11796

"commonCharactersToIgnore": "A String", # Common characters to not transform when masking. Useful to avoid removing

# punctuation.

},

],

"numberToMask": 42, # Number of characters to mask. If not set, all matching chars will be

11801

# masked. Skipped characters do not count towards this tally.

11802

"maskingCharacter": "A String", # Character to use to mask the sensitive values&mdash;for example, `*` for an

11803

# alphabetic string such as a name, or `0` for a numeric string such as ZIP

11804

# code or credit card number. This string must have a length of 1. If not

11805

# supplied, this value defaults to `*` for strings, and `0` for digits.

11806

},

11807

"fixedSizeBucketingConfig": { # Buckets values based on fixed size ranges. The # Fixed size bucketing

11808

# Bucketing transformation can provide all of this functionality,

11809

# but requires more configuration. This message is provided as a convenience to

11810

# the user for simple bucketing strategies.

11811

#

11812

# The transformed value will be a hyphenated string of

11813

# {lower_bound}-{upper_bound}, i.e if lower_bound = 10 and upper_bound = 20

11814

# all values that are within this bucket will be replaced with "10-20".

11815

#

11816

# This can be used on data of type: double, long.

11817

#

11818

# If the bound Value type differs from the type of data

11819

# being transformed, we will first attempt converting the type of the data to

11820

# be transformed to match the type of the bound before comparing.

11821

#

11822

# See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more.

11823

"lowerBound": { # Set of primitive values supported by the system. # Required. Lower bound value of buckets. All values less than `lower_bound` are

11824

# grouped together into a single bucket; for example if `lower_bound` = 10,

11825

# then all values less than 10 are replaced with the value "-10".

11826

# Note that for the purposes of inspection or transformation, the number

11827

# of bytes considered to comprise a 'Value' is based on its representation

11828

# as a UTF-8 encoded string. For example, if 'integer_value' is set to

11829

# 123456789, the number of bytes would be counted as 9, even though an

11830

# int64 only holds up to 8 bytes of data.

11831

"booleanValue": True or False, # boolean

11832

"floatValue": 3.14, # float

11833

"dayOfWeekValue": "A String", # day of week

11834

"timestampValue": "A String", # timestamp

11835

"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date

11836

# and time zone are either specified elsewhere or are not significant. The date

11837

# is relative to the Proleptic Gregorian Calendar. This can represent:

11838

#

11839

# * A full date, with non-zero year, month and day values

11840

# * A month and day value, with a zero year, e.g. an anniversary

11841

# * A year on its own, with zero month and day values

11842

# * A year and month value, with a zero day, e.g. a credit card expiration date

11843

#

11844

# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.

11845

"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without

11846

# a year.

11847

"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a

11848

# month and day.

11849

"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0

11850

# if specifying a year by itself or a year and month where the day is not

11851

# significant.

11852

},

11853

"stringValue": "A String", # string

11854

"integerValue": "A String", # integer

11855

"timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day

11856

# or are specified elsewhere. An API may choose to allow leap seconds. Related

11857

# types are google.type.Date and `google.protobuf.Timestamp`.

11858

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may

11859

# allow the value 60 if it allows leap-seconds.

11860

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

11861

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose

11862

# to allow the value "24:00:00" for scenarios like business closing time.

11863

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

11864

},

11865

},

11866

"upperBound": { # Set of primitive values supported by the system. # Required. Upper bound value of buckets. All values greater than upper_bound are

11867

# grouped together into a single bucket; for example if `upper_bound` = 89,

11868

# then all values greater than 89 are replaced with the value "89+".

11869

# Note that for the purposes of inspection or transformation, the number

11870

# of bytes considered to comprise a 'Value' is based on its representation

11871

# as a UTF-8 encoded string. For example, if 'integer_value' is set to

11872

# 123456789, the number of bytes would be counted as 9, even though an

11873

# int64 only holds up to 8 bytes of data.

11874

"booleanValue": True or False, # boolean

11875

"floatValue": 3.14, # float

11876

"dayOfWeekValue": "A String", # day of week

11877

"timestampValue": "A String", # timestamp

11878

"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date

11879

# and time zone are either specified elsewhere or are not significant. The date

11880

# is relative to the Proleptic Gregorian Calendar. This can represent:

11881

#

11882

# * A full date, with non-zero year, month and day values

11883

# * A month and day value, with a zero year, e.g. an anniversary

11884

# * A year on its own, with zero month and day values

11885

# * A year and month value, with a zero day, e.g. a credit card expiration date

11886

#

11887

# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.

11888

"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without

11889

# a year.

11890

"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a

11891

# month and day.

11892

"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0

11893

# if specifying a year by itself or a year and month where the day is not

11894

# significant.

11895

},

11896

"stringValue": "A String", # string

11897

"integerValue": "A String", # integer

11898

"timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day

11899

# or are specified elsewhere. An API may choose to allow leap seconds. Related

11900

# types are google.type.Date and `google.protobuf.Timestamp`.

11901

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may

11902

# allow the value 60 if it allows leap-seconds.

11903

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

11904

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose

11905

# to allow the value "24:00:00" for scenarios like business closing time.

11906

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

11907

},

11908

},

11909

"bucketSize": 3.14, # Required. Size of each bucket (except for minimum and maximum buckets). So if

11910

# `lower_bound` = 10, `upper_bound` = 89, and `bucket_size` = 10, then the

11911

# following buckets would be used: -10, 10-20, 20-30, 30-40, 40-50, 50-60,

11912

# 60-70, 70-80, 80-89, 89+. Precision up to 2 decimals works.

11913

},

11914

},

11915

"condition": { # A condition for determining whether a transformation should be applied to # Only apply the transformation if the condition evaluates to true for the

11916

# given `RecordCondition`. The conditions are allowed to reference fields

11917

# that are not used in the actual transformation.

#

# Example Use Cases:

#

# - Apply a different bucket transformation to an age column if the zip code

11922

# column for the same record is within a specific range.

11923

# - Redact a field if the date of birth field is greater than 85.

11924

# a field.

11925

"expressions": { # An expression, consisting or an operator and conditions. # An expression.

11926

"logicalOperator": "A String", # The operator to apply to the result of conditions. Default and currently

11927

# only supported value is `AND`.

11928

"conditions": { # A collection of conditions. # Conditions to apply to the expression.

11929

"conditions": [ # A collection of conditions.

11930

{ # The field type of `value` and `field` do not need to match to be

11931

# considered equal, but not all comparisons are possible.

11932

# EQUAL_TO and NOT_EQUAL_TO attempt to compare even with incompatible types,

11933

# but all other comparisons are invalid with incompatible types.

11934

# A `value` of type:

11935

#

11936

# - `string` can be compared against all other types

11937

# - `boolean` can only be compared against other booleans

11938

# - `integer` can be compared against doubles or a string if the string value

11939

# can be parsed as an integer.

11940

# - `double` can be compared against integers or a string if the string can

11941

# be parsed as a double.

11942

# - `Timestamp` can be compared against strings in RFC 3339 date string

11943

# format.

11944

# - `TimeOfDay` can be compared against timestamps and strings in the format

11945

# of 'HH:mm:ss'.

11946

#

11947

# If we fail to compare do to type mismatch, a warning will be given and

11948

# the condition will evaluate to false.

11949

"field": { # General identifier of a data field in a storage service. # Required. Field within the record this condition is evaluated against.

11950

"name": "A String", # Name describing the field.

11951

},

11952

"operator": "A String", # Required. Operator used to compare the field or infoType to the value.

11953

"value": { # Set of primitive values supported by the system. # Value to compare against. [Mandatory, except for `EXISTS` tests.]

11954

# Note that for the purposes of inspection or transformation, the number

11955

# of bytes considered to comprise a 'Value' is based on its representation

11956

# as a UTF-8 encoded string. For example, if 'integer_value' is set to

11957

# 123456789, the number of bytes would be counted as 9, even though an

11958

# int64 only holds up to 8 bytes of data.

11959

"booleanValue": True or False, # boolean

11960

"floatValue": 3.14, # float

11961

"dayOfWeekValue": "A String", # day of week

11962

"timestampValue": "A String", # timestamp

11963

"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date

11964

# and time zone are either specified elsewhere or are not significant. The date

11965

# is relative to the Proleptic Gregorian Calendar. This can represent:

11966

#

11967

# * A full date, with non-zero year, month and day values

11968

# * A month and day value, with a zero year, e.g. an anniversary

11969

# * A year on its own, with zero month and day values

11970

# * A year and month value, with a zero day, e.g. a credit card expiration date

11971

#

11972

# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.

11973

"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without

11974

# a year.

11975

"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a

11976

# month and day.

11977

"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0

11978

# if specifying a year by itself or a year and month where the day is not

11979

# significant.

11980

},

11981

"stringValue": "A String", # string

11982

"integerValue": "A String", # integer

11983

"timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day

11984

# or are specified elsewhere. An API may choose to allow leap seconds. Related

11985

# types are google.type.Date and `google.protobuf.Timestamp`.

11986

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may

11987

# allow the value 60 if it allows leap-seconds.

11988

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

11989

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose

11990

# to allow the value "24:00:00" for scenarios like business closing time.

11991

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

11992

},

11993

},

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

11994

},

11995

],

11996

},

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

11997

},

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

11998

},

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

11999

},

12000

],

12001

},

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

12002

"infoTypeTransformations": { # A type of transformation that will scan unstructured text and # Treat the dataset as free-form text and apply the same free text

12003

# transformation everywhere.

12004

# apply various `PrimitiveTransformation`s to each finding, where the

12005

# transformation is applied to only values that were identified as a specific

12006

# info_type.

12007

"transformations": [ # Required. Transformation for each infoType. Cannot specify more than one

12008

# for a given infoType.

12009

{ # A transformation to apply to text that is identified as a specific

12010

# info_type.

12011

"infoTypes": [ # InfoTypes to apply the transformation to. An empty list will cause

12012

# this transformation to apply to all findings that correspond to

12013

# infoTypes that were requested in `InspectConfig`.

12014

{ # Type of information detected by the API.

12015

"name": "A String", # Name of the information type. Either a name of your choosing when

12016

# creating a CustomInfoType, or one of the names listed

12017

# at https://cloud.google.com/dlp/docs/infotypes-reference when specifying

12018

# a built-in type. InfoType names should conform to the pattern

12019

# `[a-zA-Z0-9_]{1,64}`.

12020

},

12021

],

12022

"primitiveTransformation": { # A rule for transforming a value. # Required. Primitive transformation to apply to the infoType.

12023

"timePartConfig": { # For use with `Date`, `Timestamp`, and `TimeOfDay`, extract or preserve a # Time extraction

12024

# portion of the value.

12025

"partToExtract": "A String", # The part of the time to keep.

12026

},

12027

"dateShiftConfig": { # Shifts dates by random number of days, with option to be consistent for the # Date Shift

12028

# same context. See https://cloud.google.com/dlp/docs/concepts-date-shifting

12029

# to learn more.

12030

"context": { # General identifier of a data field in a storage service. # Points to the field that contains the context, for example, an entity id.

12031

# If set, must also set cryptoKey. If set, shift will be consistent for the

12032

# given context.

12033

"name": "A String", # Name describing the field.

12034

},

12035

"upperBoundDays": 42, # Required. Range of shift in days. Actual shift will be selected at random within this

12036

# range (inclusive ends). Negative means shift to earlier in time. Must not

12037

# be more than 365250 days (1000 years) each direction.

12038

#

12039

# For example, 3 means shift date to at most 3 days into the future.

12040

"lowerBoundDays": 42, # Required. For example, -5 means shift date to at most 5 days back in the past.

12041

"cryptoKey": { # This is a data encryption key (DEK) (as opposed to # Causes the shift to be computed based on this key and the context. This

12042

# results in the same shift for the same context and crypto_key. If

12043

# set, must also set context. Can only be applied to table items.

12044

# a key encryption key (KEK) stored by KMS).

12045

# When using KMS to wrap/unwrap DEKs, be sure to set an appropriate

12046

# IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot

12047

# unwrap the data crypto key.

12048

"kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key

12049

# The wrapped key must be a 128/192/256 bit key.

12050

# Authorization requires the following IAM permissions when sending a request

12051

# to perform a crypto transformation using a kms-wrapped crypto key:

12052

# dlp.kms.encrypt

12053

"wrappedKey": "A String", # Required. The wrapped data crypto key.

12054

"cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.

12055

},

12056

"unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key

12057

# leaking the key. Choose another type of key if possible.

12058

"key": "A String", # Required. A 128/192/256 bit key.

12059

},

12060

"transient": { # Use this to have a random data crypto key generated. # Transient crypto key

12061

# It will be discarded after the request finishes.

12062

"name": "A String", # Required. Name of the key.

12063

# This is an arbitrary string used to differentiate different keys.

12064

# A unique key is generated per name: two separate `TransientCryptoKey`

12065

# protos share the same generated key if their names are the same.

12066

# When the data crypto key is generated, this name is not used in any way

12067

# (repeating the api call will result in a different key being generated).

},

},

},

"replaceWithInfoTypeConfig": { # Replace each matching finding with the name of the info_type. # Replace with infotype

12072

},

12073

"cryptoHashConfig": { # Pseudonymization method that generates surrogates via cryptographic hashing. # Crypto

12074

# Uses SHA-256.

12075

# The key size must be either 32 or 64 bytes.

12076

# Outputs a base64 encoded representation of the hashed output

12077

# (for example, L7k0BHmF1ha5U3NfGykjro4xWi1MPVQPjhMAZbSV9mM=).

12078

# Currently, only string and integer values can be hashed.

12079

# See https://cloud.google.com/dlp/docs/pseudonymization to learn more.

12080

"cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the hash function.

12081

# a key encryption key (KEK) stored by KMS).

12082

# When using KMS to wrap/unwrap DEKs, be sure to set an appropriate

12083

# IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot

12084

# unwrap the data crypto key.

12085

"kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key

12086

# The wrapped key must be a 128/192/256 bit key.

12087

# Authorization requires the following IAM permissions when sending a request

12088

# to perform a crypto transformation using a kms-wrapped crypto key:

12089

# dlp.kms.encrypt

12090

"wrappedKey": "A String", # Required. The wrapped data crypto key.

12091

"cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.

12092

},

12093

"unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key

12094

# leaking the key. Choose another type of key if possible.

12095

"key": "A String", # Required. A 128/192/256 bit key.

12096

},

12097

"transient": { # Use this to have a random data crypto key generated. # Transient crypto key

12098

# It will be discarded after the request finishes.

12099

"name": "A String", # Required. Name of the key.

12100

# This is an arbitrary string used to differentiate different keys.

12101

# A unique key is generated per name: two separate `TransientCryptoKey`

12102

# protos share the same generated key if their names are the same.

12103

# When the data crypto key is generated, this name is not used in any way

12104

# (repeating the api call will result in a different key being generated).

},

},

},

"cryptoReplaceFfxFpeConfig": { # Replaces an identifier with a surrogate using Format Preserving Encryption # Ffx-Fpe

12109

# (FPE) with the FFX mode of operation; however when used in the

12110

# `ReidentifyContent` API method, it serves the opposite function by reversing

12111

# the surrogate back into the original identifier. The identifier must be

12112

# encoded as ASCII. For a given crypto key and context, the same identifier

12113

# will be replaced with the same surrogate. Identifiers must be at least two

12114

# characters long. In the case that the identifier is the empty string, it will

12115

# be skipped. See https://cloud.google.com/dlp/docs/pseudonymization to learn

12116

# more.

12117

#

12118

# Note: We recommend using CryptoDeterministicConfig for all use cases which

12119

# do not require preserving the input alphabet space and size, plus warrant

12120

# referential integrity.

12121

"customAlphabet": "A String", # This is supported by mapping these to the alphanumeric characters

12122

# that the FFX mode natively supports. This happens before/after

12123

# encryption/decryption.

12124

# Each character listed must appear only once.

12125

# Number of characters must be in the range [2, 95].

12126

# This must be encoded as ASCII.

12127

# The order of characters does not matter.

12128

"commonAlphabet": "A String", # Common alphabets.

12129

"surrogateInfoType": { # Type of information detected by the API. # The custom infoType to annotate the surrogate with.

12130

# This annotation will be applied to the surrogate by prefixing it with

12131

# the name of the custom infoType followed by the number of

12132

# characters comprising the surrogate. The following scheme defines the

12133

# format: info_type_name(surrogate_character_count):surrogate

12134

#

12135

# For example, if the name of custom infoType is 'MY_TOKEN_INFO_TYPE' and

12136

# the surrogate is 'abc', the full replacement value

12137

# will be: 'MY_TOKEN_INFO_TYPE(3):abc'

12138

#

12139

# This annotation identifies the surrogate when inspecting content using the

12140

# custom infoType

12141

# [`SurrogateType`](/dlp/docs/reference/rest/v2/InspectConfig#surrogatetype).

12142

# This facilitates reversal of the surrogate when it occurs in free text.

12143

#

12144

# In order for inspection to work properly, the name of this infoType must

12145

# not occur naturally anywhere in your data; otherwise, inspection may

12146

# find a surrogate that does not correspond to an actual identifier.

12147

# Therefore, choose your custom infoType name carefully after considering

12148

# what your data looks like. One way to select a name that has a high chance

12149

# of yielding reliable detection is to include one or more unicode characters

12150

# that are highly improbable to exist in your data.

12151

# For example, assuming your data is entered from a regular ASCII keyboard,

12152

# the symbol with the hex code point 29DD might be used like so:

12153

# ⧝MY_TOKEN_TYPE

12154

"name": "A String", # Name of the information type. Either a name of your choosing when

12155

# creating a CustomInfoType, or one of the names listed

12156

# at https://cloud.google.com/dlp/docs/infotypes-reference when specifying

12157

# a built-in type. InfoType names should conform to the pattern

12158

# `[a-zA-Z0-9_]{1,64}`.

12159

},

12160

"context": { # General identifier of a data field in a storage service. # The 'tweak', a context may be used for higher security since the same

12161

# identifier in two different contexts won't be given the same surrogate. If

12162

# the context is not set, a default tweak will be used.

12163

#

12164

# If the context is set but:

12165

#

12166

# 1. there is no record present when transforming a given value or

12167

# 1. the field is not present when transforming a given value,

12168

#

12169

# a default tweak will be used.

12170

#

12171

# Note that case (1) is expected when an `InfoTypeTransformation` is

12172

# applied to both structured and non-structured `ContentItem`s.

12173

# Currently, the referenced field may be of value type integer or string.

12174

#

12175

# The tweak is constructed as a sequence of bytes in big endian byte order

12176

# such that:

12177

#

12178

# - a 64 bit integer is encoded followed by a single byte of value 1

12179

# - a string is encoded in UTF-8 format followed by a single byte of value 2

12180

"name": "A String", # Name describing the field.

12181

},

12182

"radix": 42, # The native way to select the alphabet. Must be in the range [2, 95].

12183

"cryptoKey": { # This is a data encryption key (DEK) (as opposed to # Required. The key used by the encryption algorithm.

12184

# a key encryption key (KEK) stored by KMS).

12185

# When using KMS to wrap/unwrap DEKs, be sure to set an appropriate

12186

# IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot

12187

# unwrap the data crypto key.

12188

"kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key

12189

# The wrapped key must be a 128/192/256 bit key.

12190

# Authorization requires the following IAM permissions when sending a request

12191

# to perform a crypto transformation using a kms-wrapped crypto key:

12192

# dlp.kms.encrypt

12193

"wrappedKey": "A String", # Required. The wrapped data crypto key.

12194

"cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.

12195

},

12196

"unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key

12197

# leaking the key. Choose another type of key if possible.

12198

"key": "A String", # Required. A 128/192/256 bit key.

12199

},

12200

"transient": { # Use this to have a random data crypto key generated. # Transient crypto key

12201

# It will be discarded after the request finishes.

12202

"name": "A String", # Required. Name of the key.

12203

# This is an arbitrary string used to differentiate different keys.

12204

# A unique key is generated per name: two separate `TransientCryptoKey`

12205

# protos share the same generated key if their names are the same.

12206

# When the data crypto key is generated, this name is not used in any way

12207

# (repeating the api call will result in a different key being generated).

},

},

},

"cryptoDeterministicConfig": { # Pseudonymization method that generates deterministic encryption for the given # Deterministic Crypto

12212

# input. Outputs a base64 encoded representation of the encrypted output.

12213

# Uses AES-SIV based on the RFC https://tools.ietf.org/html/rfc5297.

12214

"surrogateInfoType": { # Type of information detected by the API. # The custom info type to annotate the surrogate with.

12215

# This annotation will be applied to the surrogate by prefixing it with

12216

# the name of the custom info type followed by the number of

12217

# characters comprising the surrogate. The following scheme defines the

12218

# format: {info type name}({surrogate character count}):{surrogate}

12219

#

12220

# For example, if the name of custom info type is 'MY_TOKEN_INFO_TYPE' and

12221

# the surrogate is 'abc', the full replacement value

12222

# will be: 'MY_TOKEN_INFO_TYPE(3):abc'

12223

#

12224

# This annotation identifies the surrogate when inspecting content using the

12225

# custom info type 'Surrogate'. This facilitates reversal of the

12226

# surrogate when it occurs in free text.

12227

#

12228

# Note: For record transformations where the entire cell in a table is being

12229

# transformed, surrogates are not mandatory. Surrogates are used to denote

12230

# the location of the token and are necessary for re-identification in free

12231

# form text.

12232

#

12233

# In order for inspection to work properly, the name of this info type must

12234

# not occur naturally anywhere in your data; otherwise, inspection may either

12235

#

12236

# - reverse a surrogate that does not correspond to an actual identifier

12237

# - be unable to parse the surrogate and result in an error

12238

#

12239

# Therefore, choose your custom info type name carefully after considering

12240

# what your data looks like. One way to select a name that has a high chance

12241

# of yielding reliable detection is to include one or more unicode characters

12242

# that are highly improbable to exist in your data.

12243

# For example, assuming your data is entered from a regular ASCII keyboard,

12244

# the symbol with the hex code point 29DD might be used like so:

12245

# ⧝MY_TOKEN_TYPE.

12246

"name": "A String", # Name of the information type. Either a name of your choosing when

12247

# creating a CustomInfoType, or one of the names listed

12248

# at https://cloud.google.com/dlp/docs/infotypes-reference when specifying

12249

# a built-in type. InfoType names should conform to the pattern

12250

# `[a-zA-Z0-9_]{1,64}`.

12251

},

12252

"context": { # General identifier of a data field in a storage service. # A context may be used for higher security and maintaining

12253

# referential integrity such that the same identifier in two different

12254

# contexts will be given a distinct surrogate. The context is appended to

12255

# plaintext value being encrypted. On decryption the provided context is

12256

# validated against the value used during encryption. If a context was

12257

# provided during encryption, same context must be provided during decryption

12258

# as well.

12259

#

12260

# If the context is not set, plaintext would be used as is for encryption.

12261

# If the context is set but:

12262

#

12263

# 1. there is no record present when transforming a given value or

12264

# 2. the field is not present when transforming a given value,

12265

#

12266

# plaintext would be used as is for encryption.

12267

#

12268

# Note that case (1) is expected when an `InfoTypeTransformation` is

12269

# applied to both structured and non-structured `ContentItem`s.

12270

"name": "A String", # Name describing the field.

12271

},

12272

"cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the encryption function.

12273

# a key encryption key (KEK) stored by KMS).

12274

# When using KMS to wrap/unwrap DEKs, be sure to set an appropriate

12275

# IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot

12276

# unwrap the data crypto key.

12277

"kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key

12278

# The wrapped key must be a 128/192/256 bit key.

12279

# Authorization requires the following IAM permissions when sending a request

12280

# to perform a crypto transformation using a kms-wrapped crypto key:

12281

# dlp.kms.encrypt

12282

"wrappedKey": "A String", # Required. The wrapped data crypto key.

12283

"cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.

12284

},

12285

"unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key

12286

# leaking the key. Choose another type of key if possible.

12287

"key": "A String", # Required. A 128/192/256 bit key.

12288

},

12289

"transient": { # Use this to have a random data crypto key generated. # Transient crypto key

12290

# It will be discarded after the request finishes.

12291

"name": "A String", # Required. Name of the key.

12292

# This is an arbitrary string used to differentiate different keys.

12293

# A unique key is generated per name: two separate `TransientCryptoKey`

12294

# protos share the same generated key if their names are the same.

12295

# When the data crypto key is generated, this name is not used in any way

12296

# (repeating the api call will result in a different key being generated).

},

},

},

"redactConfig": { # Redact a given value. For example, if used with an `InfoTypeTransformation` # Redact

12301

# transforming PHONE_NUMBER, and input 'My phone number is 206-555-0123', the

12302

# output would be 'My phone number is '.

12303

},

12304

"bucketingConfig": { # Generalization function that buckets values based on ranges. The ranges and # Bucketing

12305

# replacement values are dynamically provided by the user for custom behavior,

12306

# such as 1-30 -> LOW 31-65 -> MEDIUM 66-100 -> HIGH

12307

# This can be used on

12308

# data of type: number, long, string, timestamp.

12309

# If the bound `Value` type differs from the type of data being transformed, we

12310

# will first attempt converting the type of the data to be transformed to match

12311

# the type of the bound before comparing.

12312

# See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more.

12313

"buckets": [ # Set of buckets. Ranges must be non-overlapping.

12314

{ # Bucket is represented as a range, along with replacement values.

12315

"min": { # Set of primitive values supported by the system. # Lower bound of the range, inclusive. Type should be the same as max if

12316

# used.

12317

# Note that for the purposes of inspection or transformation, the number

12318

# of bytes considered to comprise a 'Value' is based on its representation

12319

# as a UTF-8 encoded string. For example, if 'integer_value' is set to

12320

# 123456789, the number of bytes would be counted as 9, even though an

12321

# int64 only holds up to 8 bytes of data.

12322

"booleanValue": True or False, # boolean

12323

"floatValue": 3.14, # float

12324

"dayOfWeekValue": "A String", # day of week

12325

"timestampValue": "A String", # timestamp

12326

"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date

12327

# and time zone are either specified elsewhere or are not significant. The date

12328

# is relative to the Proleptic Gregorian Calendar. This can represent:

12329

#

12330

# * A full date, with non-zero year, month and day values

12331

# * A month and day value, with a zero year, e.g. an anniversary

12332

# * A year on its own, with zero month and day values

12333

# * A year and month value, with a zero day, e.g. a credit card expiration date

12334

#

12335

# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.

12336

"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without

12337

# a year.

12338

"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a

12339

# month and day.

12340

"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0

12341

# if specifying a year by itself or a year and month where the day is not

12342

# significant.

12343

},

12344

"stringValue": "A String", # string

12345

"integerValue": "A String", # integer

12346

"timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day

12347

# or are specified elsewhere. An API may choose to allow leap seconds. Related

12348

# types are google.type.Date and `google.protobuf.Timestamp`.

12349

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may

12350

# allow the value 60 if it allows leap-seconds.

12351

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

12352

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose

12353

# to allow the value "24:00:00" for scenarios like business closing time.

12354

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

12355

},

12356

},

12357

"max": { # Set of primitive values supported by the system. # Upper bound of the range, exclusive; type must match min.

12358

# Note that for the purposes of inspection or transformation, the number

12359

# of bytes considered to comprise a 'Value' is based on its representation

12360

# as a UTF-8 encoded string. For example, if 'integer_value' is set to

12361

# 123456789, the number of bytes would be counted as 9, even though an

12362

# int64 only holds up to 8 bytes of data.

12363

"booleanValue": True or False, # boolean

12364

"floatValue": 3.14, # float

12365

"dayOfWeekValue": "A String", # day of week

12366

"timestampValue": "A String", # timestamp

12367

"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date

12368

# and time zone are either specified elsewhere or are not significant. The date

12369

# is relative to the Proleptic Gregorian Calendar. This can represent:

12370

#

12371

# * A full date, with non-zero year, month and day values

12372

# * A month and day value, with a zero year, e.g. an anniversary

12373

# * A year on its own, with zero month and day values

12374

# * A year and month value, with a zero day, e.g. a credit card expiration date

12375

#

12376

# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.

12377

"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without

12378

# a year.

12379

"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a

12380

# month and day.

12381

"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0

12382

# if specifying a year by itself or a year and month where the day is not

12383

# significant.

12384

},

12385

"stringValue": "A String", # string

12386

"integerValue": "A String", # integer

12387

"timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day

12388

# or are specified elsewhere. An API may choose to allow leap seconds. Related

12389

# types are google.type.Date and `google.protobuf.Timestamp`.

12390

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may

12391

# allow the value 60 if it allows leap-seconds.

12392

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

12393

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose

12394

# to allow the value "24:00:00" for scenarios like business closing time.

12395

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

12396

},

12397

},

12398

"replacementValue": { # Set of primitive values supported by the system. # Replacement value for this bucket. If not provided

12399

# the default behavior will be to hyphenate the min-max range.

12400

# Note that for the purposes of inspection or transformation, the number

12401

# of bytes considered to comprise a 'Value' is based on its representation

12402

# as a UTF-8 encoded string. For example, if 'integer_value' is set to

12403

# 123456789, the number of bytes would be counted as 9, even though an

12404

# int64 only holds up to 8 bytes of data.

12405

"booleanValue": True or False, # boolean

12406

"floatValue": 3.14, # float

12407

"dayOfWeekValue": "A String", # day of week

12408

"timestampValue": "A String", # timestamp

12409

"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date

12410

# and time zone are either specified elsewhere or are not significant. The date

12411

# is relative to the Proleptic Gregorian Calendar. This can represent:

12412

#

12413

# * A full date, with non-zero year, month and day values

12414

# * A month and day value, with a zero year, e.g. an anniversary

12415

# * A year on its own, with zero month and day values

12416

# * A year and month value, with a zero day, e.g. a credit card expiration date

12417

#

12418

# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.

12419

"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without

12420

# a year.

12421

"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a

12422

# month and day.

12423

"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0

12424

# if specifying a year by itself or a year and month where the day is not

12425

# significant.

12426

},

12427

"stringValue": "A String", # string

12428

"integerValue": "A String", # integer

12429

"timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day

12430

# or are specified elsewhere. An API may choose to allow leap seconds. Related

12431

# types are google.type.Date and `google.protobuf.Timestamp`.

12432

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may

12433

# allow the value 60 if it allows leap-seconds.

12434

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

12435

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose

12436

# to allow the value "24:00:00" for scenarios like business closing time.

12437

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

},

},

},

],

},

"replaceConfig": { # Replace each input value with a given `Value`. # Replace

12444

"newValue": { # Set of primitive values supported by the system. # Value to replace it with.

12445

# Note that for the purposes of inspection or transformation, the number

12446

# of bytes considered to comprise a 'Value' is based on its representation

12447

# as a UTF-8 encoded string. For example, if 'integer_value' is set to

12448

# 123456789, the number of bytes would be counted as 9, even though an

12449

# int64 only holds up to 8 bytes of data.

12450

"booleanValue": True or False, # boolean

12451

"floatValue": 3.14, # float

12452

"dayOfWeekValue": "A String", # day of week

12453

"timestampValue": "A String", # timestamp

12454

"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date

12455

# and time zone are either specified elsewhere or are not significant. The date

12456

# is relative to the Proleptic Gregorian Calendar. This can represent:

12457

#

12458

# * A full date, with non-zero year, month and day values

12459

# * A month and day value, with a zero year, e.g. an anniversary

12460

# * A year on its own, with zero month and day values

12461

# * A year and month value, with a zero day, e.g. a credit card expiration date

12462

#

12463

# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.

12464

"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without

12465

# a year.

12466

"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a

12467

# month and day.

12468

"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0

12469

# if specifying a year by itself or a year and month where the day is not

12470

# significant.

12471

},

12472

"stringValue": "A String", # string

12473

"integerValue": "A String", # integer

12474

"timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day

12475

# or are specified elsewhere. An API may choose to allow leap seconds. Related

12476

# types are google.type.Date and `google.protobuf.Timestamp`.

12477

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may

12478

# allow the value 60 if it allows leap-seconds.

12479

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

12480

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose

12481

# to allow the value "24:00:00" for scenarios like business closing time.

12482

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

},

},

},

"characterMaskConfig": { # Partially mask a string by replacing a given number of characters with a # Mask

12487

# fixed character. Masking can start from the beginning or end of the string.

12488

# This can be used on data of any type (numbers, longs, and so on) and when

12489

# de-identifying structured data we'll attempt to preserve the original data's

12490

# type. (This allows you to take a long like 123 and modify it to a string like

12491

# **3.

12492

"reverseOrder": True or False, # Mask characters in reverse order. For example, if `masking_character` is

12493

# `0`, `number_to_mask` is `14`, and `reverse_order` is `false`, then the

12494

# input string `1234-5678-9012-3456` is masked as `00000000000000-3456`.

12495

# If `masking_character` is `*`, `number_to_mask` is `3`, and `reverse_order`

12496

# is `true`, then the string `12345` is masked as `12***`.

12497

"charactersToIgnore": [ # When masking a string, items in this list will be skipped when replacing

12498

# characters. For example, if the input string is `555-555-5555` and you

12499

# instruct Cloud DLP to skip `-` and mask 5 characters with `*`, Cloud DLP

12500

# returns `***-**5-5555`.

12501

{ # Characters to skip when doing deidentification of a value. These will be left

12502

# alone and skipped.

12503

"charactersToSkip": "A String", # Characters to not transform when masking.

12504

"commonCharactersToIgnore": "A String", # Common characters to not transform when masking. Useful to avoid removing

# punctuation.

},

],

"numberToMask": 42, # Number of characters to mask. If not set, all matching chars will be

12509

# masked. Skipped characters do not count towards this tally.

12510

"maskingCharacter": "A String", # Character to use to mask the sensitive values&mdash;for example, `*` for an

12511

# alphabetic string such as a name, or `0` for a numeric string such as ZIP

12512

# code or credit card number. This string must have a length of 1. If not

12513

# supplied, this value defaults to `*` for strings, and `0` for digits.

12514

},

12515

"fixedSizeBucketingConfig": { # Buckets values based on fixed size ranges. The # Fixed size bucketing

12516

# Bucketing transformation can provide all of this functionality,

12517

# but requires more configuration. This message is provided as a convenience to

12518

# the user for simple bucketing strategies.

12519

#

12520

# The transformed value will be a hyphenated string of

12521

# {lower_bound}-{upper_bound}, i.e if lower_bound = 10 and upper_bound = 20

12522

# all values that are within this bucket will be replaced with "10-20".

12523

#

12524

# This can be used on data of type: double, long.

12525

#

12526

# If the bound Value type differs from the type of data

12527

# being transformed, we will first attempt converting the type of the data to

12528

# be transformed to match the type of the bound before comparing.

12529

#

12530

# See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more.

12531

"lowerBound": { # Set of primitive values supported by the system. # Required. Lower bound value of buckets. All values less than `lower_bound` are

12532

# grouped together into a single bucket; for example if `lower_bound` = 10,

12533

# then all values less than 10 are replaced with the value "-10".

12534

# Note that for the purposes of inspection or transformation, the number

12535

# of bytes considered to comprise a 'Value' is based on its representation

12536

# as a UTF-8 encoded string. For example, if 'integer_value' is set to

12537

# 123456789, the number of bytes would be counted as 9, even though an

12538

# int64 only holds up to 8 bytes of data.

12539

"booleanValue": True or False, # boolean

12540

"floatValue": 3.14, # float

12541

"dayOfWeekValue": "A String", # day of week

12542

"timestampValue": "A String", # timestamp

12543

"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date

12544

# and time zone are either specified elsewhere or are not significant. The date

12545

# is relative to the Proleptic Gregorian Calendar. This can represent:

12546

#

12547

# * A full date, with non-zero year, month and day values

12548

# * A month and day value, with a zero year, e.g. an anniversary

12549

# * A year on its own, with zero month and day values

12550

# * A year and month value, with a zero day, e.g. a credit card expiration date

12551

#

12552

# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.

12553

"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without

12554

# a year.

12555

"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a

12556

# month and day.

12557

"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0

12558

# if specifying a year by itself or a year and month where the day is not

12559

# significant.

12560

},

12561

"stringValue": "A String", # string

12562

"integerValue": "A String", # integer

12563

"timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day

12564

# or are specified elsewhere. An API may choose to allow leap seconds. Related

12565

# types are google.type.Date and `google.protobuf.Timestamp`.

12566

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may

12567

# allow the value 60 if it allows leap-seconds.

12568

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

12569

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose

12570

# to allow the value "24:00:00" for scenarios like business closing time.

12571

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

12572

},

12573

},

12574

"upperBound": { # Set of primitive values supported by the system. # Required. Upper bound value of buckets. All values greater than upper_bound are

12575

# grouped together into a single bucket; for example if `upper_bound` = 89,

12576

# then all values greater than 89 are replaced with the value "89+".

12577

# Note that for the purposes of inspection or transformation, the number

12578

# of bytes considered to comprise a 'Value' is based on its representation

12579

# as a UTF-8 encoded string. For example, if 'integer_value' is set to

12580

# 123456789, the number of bytes would be counted as 9, even though an

12581

# int64 only holds up to 8 bytes of data.

12582

"booleanValue": True or False, # boolean

12583

"floatValue": 3.14, # float

12584

"dayOfWeekValue": "A String", # day of week

12585

"timestampValue": "A String", # timestamp

12586

"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date

12587

# and time zone are either specified elsewhere or are not significant. The date

12588

# is relative to the Proleptic Gregorian Calendar. This can represent:

12589

#

12590

# * A full date, with non-zero year, month and day values

12591

# * A month and day value, with a zero year, e.g. an anniversary

12592

# * A year on its own, with zero month and day values

12593

# * A year and month value, with a zero day, e.g. a credit card expiration date

12594

#

12595

# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.

12596

"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without

12597

# a year.

12598

"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a

12599

# month and day.

12600

"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0

12601

# if specifying a year by itself or a year and month where the day is not

12602

# significant.

12603

},

12604

"stringValue": "A String", # string

12605

"integerValue": "A String", # integer

12606

"timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day

12607

# or are specified elsewhere. An API may choose to allow leap seconds. Related

12608

# types are google.type.Date and `google.protobuf.Timestamp`.

12609

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may

12610

# allow the value 60 if it allows leap-seconds.

12611

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

12612

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose

12613

# to allow the value "24:00:00" for scenarios like business closing time.

12614

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

12615

},

12616

},

12617

"bucketSize": 3.14, # Required. Size of each bucket (except for minimum and maximum buckets). So if

12618

# `lower_bound` = 10, `upper_bound` = 89, and `bucket_size` = 10, then the

12619

# following buckets would be used: -10, 10-20, 20-30, 30-40, 40-50, 50-60,

12620

# 60-70, 70-80, 80-89, 89+. Precision up to 2 decimals works.

},

},

},

],

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

12625

},

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

12626

},

Bu Sun Kim