Blame - docs/dyn/healthcare_v1.projects.locations.datasets.html - platform/external/python/google-api-python-client

<h1><a href="healthcare_v1.html">Cloud Healthcare API</a> . <a href="healthcare_v1.projects.html">projects</a> . <a href="healthcare_v1.projects.locations.html">locations</a> . <a href="healthcare_v1.projects.locations.datasets.html">datasets</a></h1>

76

<h2>Instance Methods</h2>

77

78

<code><a href="healthcare_v1.projects.locations.datasets.dicomStores.html">dicomStores()</a></code>

79

</p>

80

<p class="firstline">Returns the dicomStores Resource.</p>

81

82

83

<code><a href="healthcare_v1.projects.locations.datasets.fhirStores.html">fhirStores()</a></code>

84

</p>

85

<p class="firstline">Returns the fhirStores Resource.</p>

86

87

88

<code><a href="healthcare_v1.projects.locations.datasets.hl7V2Stores.html">hl7V2Stores()</a></code>

89

</p>

90

<p class="firstline">Returns the hl7V2Stores Resource.</p>

91

92

93

<code><a href="healthcare_v1.projects.locations.datasets.operations.html">operations()</a></code>

94

</p>

95

<p class="firstline">Returns the operations Resource.</p>

96

97

98

<code><a href="#create">create(parent, body=None, datasetId=None, x__xgafv=None)</a></code></p>

99

<p class="firstline">Creates a new health dataset. Results are returned through the</p>

100

101

<code><a href="#deidentify">deidentify(sourceDataset, body=None, x__xgafv=None)</a></code></p>

102

<p class="firstline">Creates a new dataset containing de-identified data from the source</p>

103

104

<code><a href="#delete">delete(name, x__xgafv=None)</a></code></p>

105

<p class="firstline">Deletes the specified health dataset and all data contained in the dataset.</p>

106

107

<code><a href="#get">get(name, x__xgafv=None)</a></code></p>

108

<p class="firstline">Gets any metadata associated with a dataset.</p>

109

110

<code><a href="#getIamPolicy">getIamPolicy(resource, options_requestedPolicyVersion=None, x__xgafv=None)</a></code></p>

111

<p class="firstline">Gets the access control policy for a resource.</p>

112

113

<code><a href="#list">list(parent, pageSize=None, pageToken=None, x__xgafv=None)</a></code></p>

114

<p class="firstline">Lists the health datasets in the current project.</p>

115

116

<code><a href="#list_next">list_next(previous_request, previous_response)</a></code></p>

117

<p class="firstline">Retrieves the next page of results.</p>

118

119

<code><a href="#patch">patch(name, body=None, updateMask=None, x__xgafv=None)</a></code></p>

120

<p class="firstline">Updates dataset metadata.</p>

121

122

<code><a href="#setIamPolicy">setIamPolicy(resource, body=None, x__xgafv=None)</a></code></p>

123

<p class="firstline">Sets the access control policy on the specified resource. Replaces any</p>

124

125

<code><a href="#testIamPermissions">testIamPermissions(resource, body=None, x__xgafv=None)</a></code></p>

126

<p class="firstline">Returns permissions that a caller has on the specified resource.</p>

127

<h3>Method Details</h3>

128

129

<code class="details" id="create">create(parent, body=None, datasetId=None, x__xgafv=None)</code>

130

<pre>Creates a new health dataset. Results are returned through the

131

Operation interface which returns either an

132

`Operation.response` which contains a Dataset or

133

`Operation.error`. The metadata

134

field type is OperationMetadata.

135

A Google Cloud Platform project can contain up to 500 datasets across all

regions.

Args:

parent: string, The name of the project where the server creates the dataset. For

140

example, `projects/{project_id}/locations/{location_id}`. (required)

141

body: object, The request body.

142

The object takes the form of:

143

144

{ # A message representing a health dataset.

145

#

146

# A health dataset represents a collection of healthcare data pertaining to one

147

# or more patients. This may include multiple modalities of healthcare data,

148

# such as electronic medical records or medical imaging data.

149

"timeZone": "A String", # The default timezone used by this dataset. Must be a either a valid IANA

150

# time zone name such as "America/New_York" or empty, which defaults to UTC.

151

# This is used for parsing times in resources, such as HL7 messages, where no

152

# explicit timezone is specified.

153

"name": "A String", # Output only. Resource name of the dataset, of the form

154

# `projects/{project_id}/locations/{location_id}/datasets/{dataset_id}`.

155

}

156

157

datasetId: string, The ID of the dataset that is being created.

158

The string must match the following regex: `[\p{L}\p{N}_\-\.]{1,256}`.

159

x__xgafv: string, V1 error format.

Allowed values

1 - v1 error format

2 - v2 error format

Returns:

An object of the form:

166

167

{ # This resource represents a long-running operation that is the result of a

168

# network API call.

169

"metadata": { # Service-specific metadata associated with the operation. It typically

170

# contains progress information and common metadata such as create time.

171

# Some services might not provide such metadata. Any method that returns a

172

# long-running operation should document the metadata type, if any.

173

"a_key": "", # Properties of the object. Contains field @type with type URL.

174

},

175

"done": True or False, # If the value is `false`, it means the operation is still in progress.

176

# If `true`, the operation is completed, and either `error` or `response` is

177

# available.

178

"response": { # The normal response of the operation in case of success. If the original

179

# method returns no data on success, such as `Delete`, the response is

180

# `google.protobuf.Empty`. If the original method is standard

181

# `Get`/`Create`/`Update`, the response should be the resource. For other

182

# methods, the response should have the type `XxxResponse`, where `Xxx`

183

# is the original method name. For example, if the original method name

184

# is `TakeSnapshot()`, the inferred response type is

185

# `TakeSnapshotResponse`.

186

"a_key": "", # Properties of the object. Contains field @type with type URL.

187

},

188

"name": "A String", # The server-assigned name, which is only unique within the same service that

189

# originally returns it. If you use the default HTTP mapping, the

190

# `name` should be a resource name ending with `operations/{unique_id}`.

191

"error": { # The `Status` type defines a logical error model that is suitable for # The error result of the operation in case of failure or cancellation.

192

# different programming environments, including REST APIs and RPC APIs. It is

193

# used by [gRPC](https://github.com/grpc). Each `Status` message contains

194

# three pieces of data: error code, error message, and error details.

195

#

196

# You can find out more about this error model and how to work with it in the

197

# [API Design Guide](https://cloud.google.com/apis/design/errors).

198

"details": [ # A list of messages that carry the error details. There is a common set of

199

# message types for APIs to use.

200

{

201

"a_key": "", # Properties of the object. Contains field @type with type URL.

202

},

203

],

204

"code": 42, # The status code, which should be an enum value of google.rpc.Code.

205

"message": "A String", # A developer-facing error message, which should be in English. Any

206

# user-facing error message should be localized and sent in the

207

# google.rpc.Status.details field, or localized by the client.

},

}</pre>

</div>

<code class="details" id="deidentify">deidentify(sourceDataset, body=None, x__xgafv=None)</code>

214

<pre>Creates a new dataset containing de-identified data from the source

215

dataset. The metadata field type

216

is OperationMetadata.

217

If the request is successful, the

218

response field type is

219

DeidentifySummary.

220

If errors occur, error is set.

221

The LRO result may still be successful if de-identification fails for some

222

DICOM instances. The new de-identified dataset will not contain these

223

failed resources. Failed resource totals are tracked in

224

Operation.metadata.

225

Error details are also logged to Cloud Logging. For more information,

226

see [Viewing logs](/healthcare/docs/how-tos/logging).

227

228

Args:

229

sourceDataset: string, Source dataset resource name. For example,

230

`projects/{project_id}/locations/{location_id}/datasets/{dataset_id}`. (required)

231

body: object, The request body.

232

The object takes the form of:

233

234

{ # Redacts identifying information from the specified dataset.

235

"config": { # Configures de-id options specific to different types of content. # Deidentify configuration.

236

# Each submessage customizes the handling of an

237

# https://tools.ietf.org/html/rfc6838 media type or subtype. Configs are

238

# applied in a nested manner at runtime.

239

"text": { # Configures de-identification of text wherever it is found in the

240

# source_dataset.

241

"transformations": [ # The transformations to apply to the detected data.

242

{ # A transformation to apply to text that is identified as a specific

243

# info_type.

244

"dateShiftConfig": { # Shift a date forward or backward in time by a random amount which is # Config for date shift.

245

# consistent for a given patient and crypto key combination.

246

"cryptoKey": "A String", # An AES 128/192/256 bit key. Causes the shift to be computed based on this

247

# key and the patient ID. A default key is generated for each

248

# Deidentify operation and is used wherever crypto_key is not specified.

249

},

250

"characterMaskConfig": { # Mask a string by replacing its characters with a fixed character. # Config for character mask.

251

"maskingCharacter": "A String", # Character to mask the sensitive values. If not supplied, defaults to "*".

252

},

253

"redactConfig": { # Define how to redact sensitive values. Default behaviour is erase. # Config for text redaction.

254

# For example, "My name is Jane." becomes "My name is ."

255

},

256

"infoTypes": [ # InfoTypes to apply this transformation to. If this is not specified, the

257

# transformation applies to any info_type.

258

"A String",

259

],

260

"replaceWithInfoTypeConfig": { # When using the # Config for replace with InfoType.

261

# INSPECT_AND_TRANSFORM

262

# action, each match is replaced with the name of the info_type. For example,

263

# "My name is Jane" becomes "My name is [PERSON_NAME]." The

264

# TRANSFORM

265

# action is equivalent to redacting.

266

},

267

"cryptoHashConfig": { # Pseudonymization method that generates surrogates via cryptographic hashing. # Config for crypto hash.

268

# Uses SHA-256.

269

# Outputs a base64-encoded representation of the hashed output

270

# (for example, `L7k0BHmF1ha5U3NfGykjro4xWi1MPVQPjhMAZbSV9mM=`).

271

"cryptoKey": "A String", # An AES 128/192/256 bit key. Causes the hash to be computed based on this

272

# key. A default key is generated for each Deidentify operation and is used

273

# wherever crypto_key is not specified.

},

},

],

},

"dicom": { # Specifies the parameters needed for de-identification of DICOM stores. # Configures de-id of application/DICOM content.

279

"filterProfile": "A String", # Tag filtering profile that determines which tags to keep/remove.

280

"skipIdRedaction": True or False, # If true, skip replacing StudyInstanceUID, SeriesInstanceUID,

281

# SOPInstanceUID, and MediaStorageSOPInstanceUID and leave them untouched.

282

# The Cloud Healthcare API regenerates these UIDs by default based on the

283

# DICOM Standard's reasoning: "Whilst these UIDs cannot be mapped directly

284

# to an individual out of context, given access to the original images, or

285

# to a database of the original images containing the UIDs, it would be

286

# possible to recover the individual's identity."

287

# http://dicom.nema.org/medical/dicom/current/output/chtml/part15/sect_E.3.9.html

288

"keepList": { # List of tags to be filtered. # List of tags to keep. Remove all other tags.

289

"tags": [ # Tags to be filtered. Tags must be DICOM Data Elements, File Meta

290

# Elements, or Directory Structuring Elements, as defined at:

291

# http://dicom.nema.org/medical/dicom/current/output/html/part06.html#table_6-1,.

292

# They may be provided by "Keyword" or "Tag". For example "PatientID",

# "00100010".

"A String",

],

},

"removeList": { # List of tags to be filtered. # List of tags to remove. Keep all other tags.

298

"tags": [ # Tags to be filtered. Tags must be DICOM Data Elements, File Meta

299

# Elements, or Directory Structuring Elements, as defined at:

300

# http://dicom.nema.org/medical/dicom/current/output/html/part06.html#table_6-1,.

301

# They may be provided by "Keyword" or "Tag". For example "PatientID",

# "00100010".

"A String",

],

},

},

"fhir": { # Specifies how to handle de-identification of a FHIR store. # Configures de-id of application/FHIR content.

308

"fieldMetadataList": [ # Specifies FHIR paths to match and how to transform them. Any field that

309

# is not matched by a FieldMetadata is passed through to the output

310

# dataset unmodified. All extensions are removed in the output.

311

{ # Specifies FHIR paths to match, and how to handle de-identification of

312

# matching fields.

313

"action": "A String", # Deidentify action for one field.

314

"paths": [ # List of paths to FHIR fields to be redacted. Each path is a

315

# period-separated list where each component is either a field name or

316

# FHIR type name, for example: Patient, HumanName.

317

# For "choice" types (those defined in the FHIR spec with the form:

318

# field[x]) we use two separate components. For example,

319

# "deceasedAge.unit" is matched by "Deceased.Age.unit".

320

# Supported types are: AdministrativeGenderCode, Code, Date, DateTime,

321

# Decimal, HumanName, Id, LanguageCode, Markdown, Oid, String, Uri, Uuid,

# Xhtml.

"A String",

],

},

],

},

"image": { # Specifies how to handle de-identification of image pixels. # Configures de-identification of image pixels wherever they are found in the

329

# source_dataset.

330

"textRedactionMode": "A String", # Determines how to redact text from image.

331

},

332

},

333

"destinationDataset": "A String", # The name of the dataset resource to create and write the redacted data to.

334

#

335

# * The destination dataset must not exist.

336

# * The destination dataset must be in the same project and location as the

337

# source dataset. De-identifying data across multiple projects or locations

# is not supported.

}

x__xgafv: string, V1 error format.

Allowed values

1 - v1 error format

2 - v2 error format

Returns:

An object of the form:

348

349

{ # This resource represents a long-running operation that is the result of a

350

# network API call.

351

"metadata": { # Service-specific metadata associated with the operation. It typically

352

# contains progress information and common metadata such as create time.

353

# Some services might not provide such metadata. Any method that returns a

354

# long-running operation should document the metadata type, if any.

355

"a_key": "", # Properties of the object. Contains field @type with type URL.

356

},

357

"done": True or False, # If the value is `false`, it means the operation is still in progress.

358

# If `true`, the operation is completed, and either `error` or `response` is

359

# available.

360

"response": { # The normal response of the operation in case of success. If the original

361

# method returns no data on success, such as `Delete`, the response is

362

# `google.protobuf.Empty`. If the original method is standard

363

# `Get`/`Create`/`Update`, the response should be the resource. For other

364

# methods, the response should have the type `XxxResponse`, where `Xxx`

365

# is the original method name. For example, if the original method name

366

# is `TakeSnapshot()`, the inferred response type is

367

# `TakeSnapshotResponse`.

368

"a_key": "", # Properties of the object. Contains field @type with type URL.

369

},

370

"name": "A String", # The server-assigned name, which is only unique within the same service that

371

# originally returns it. If you use the default HTTP mapping, the

372

# `name` should be a resource name ending with `operations/{unique_id}`.

373

"error": { # The `Status` type defines a logical error model that is suitable for # The error result of the operation in case of failure or cancellation.

374

# different programming environments, including REST APIs and RPC APIs. It is

375

# used by [gRPC](https://github.com/grpc). Each `Status` message contains

376

# three pieces of data: error code, error message, and error details.

377

#

378

# You can find out more about this error model and how to work with it in the

379

# [API Design Guide](https://cloud.google.com/apis/design/errors).

380

"details": [ # A list of messages that carry the error details. There is a common set of

381

# message types for APIs to use.

382

{

383

"a_key": "", # Properties of the object. Contains field @type with type URL.

384

},

385

],

386

"code": 42, # The status code, which should be an enum value of google.rpc.Code.

387

"message": "A String", # A developer-facing error message, which should be in English. Any

388

# user-facing error message should be localized and sent in the

389

# google.rpc.Status.details field, or localized by the client.

},

}</pre>

</div>

<code class="details" id="delete">delete(name, x__xgafv=None)</code>

396

<pre>Deletes the specified health dataset and all data contained in the dataset.

397

Deleting a dataset does not affect the sources from which the dataset was

imported (if any).

Args:

`projects/{project_id}/locations/{location_id}/datasets/{dataset_id}`. (required)

403

x__xgafv: string, V1 error format.

Allowed values

1 - v1 error format

2 - v2 error format

Returns:

An object of the form:

410

411

{ # A generic empty message that you can re-use to avoid defining duplicated

412

# empty messages in your APIs. A typical example is to use it as the request

413

# or the response type of an API method. For instance:

414

#

415

# service Foo {

416

# rpc Bar(google.protobuf.Empty) returns (google.protobuf.Empty);

417

# }

418

#

419

# The JSON representation for `Empty` is empty JSON object `{}`.

}</pre>

</div>

<code class="details" id="get">get(name, x__xgafv=None)</code>

425

<pre>Gets any metadata associated with a dataset.

Args:

`projects/{project_id}/locations/{location_id}/datasets/{dataset_id}`. (required)

430

x__xgafv: string, V1 error format.

Allowed values

1 - v1 error format

2 - v2 error format

Returns:

An object of the form:

437

438

{ # A message representing a health dataset.

439

#

440

# A health dataset represents a collection of healthcare data pertaining to one

441

# or more patients. This may include multiple modalities of healthcare data,

442

# such as electronic medical records or medical imaging data.

443

"timeZone": "A String", # The default timezone used by this dataset. Must be a either a valid IANA

444

# time zone name such as "America/New_York" or empty, which defaults to UTC.

445

# This is used for parsing times in resources, such as HL7 messages, where no

446

# explicit timezone is specified.

447

"name": "A String", # Output only. Resource name of the dataset, of the form

448

# `projects/{project_id}/locations/{location_id}/datasets/{dataset_id}`.

}</pre>

</div>

<code class="details" id="getIamPolicy">getIamPolicy(resource, options_requestedPolicyVersion=None, x__xgafv=None)</code>

454

<pre>Gets the access control policy for a resource.

455

Returns an empty policy if the resource exists and does not have a policy

set.

Args:

resource: string, REQUIRED: The resource for which the policy is being requested.

460

See the operation documentation for the appropriate value for this field. (required)

461

options_requestedPolicyVersion: integer, Optional. The policy format version to be returned.

462

463

Valid values are 0, 1, and 3. Requests specifying an invalid value will be

464

rejected.

465

466

Requests for policies with any conditional bindings must specify version 3.

467

Policies without any conditional bindings may specify any valid value or

468

leave the field unset.

469

470

To learn which resources support conditions in their IAM policies, see the

471

[IAM

472

documentation](https://cloud.google.com/iam/help/conditions/resource-policies).

473

x__xgafv: string, V1 error format.

Allowed values

1 - v1 error format

2 - v2 error format

Returns:

An object of the form:

480

481

{ # An Identity and Access Management (IAM) policy, which specifies access

482

# controls for Google Cloud resources.

483

#

484

#

485

# A `Policy` is a collection of `bindings`. A `binding` binds one or more

486

# `members` to a single `role`. Members can be user accounts, service accounts,

487

# Google groups, and domains (such as G Suite). A `role` is a named list of

488

# permissions; each `role` can be an IAM predefined role or a user-created

489

# custom role.

490

#

491

# For some types of Google Cloud resources, a `binding` can also specify a

492

# `condition`, which is a logical expression that allows access to a resource

493

# only if the expression evaluates to `true`. A condition can add constraints

494

# based on attributes of the request, the resource, or both. To learn which

495

# resources support conditions in their IAM policies, see the

496

# [IAM documentation](https://cloud.google.com/iam/help/conditions/resource-policies).

#

# **JSON example:**

#

# {

# "bindings": [

# {

# "role": "roles/resourcemanager.organizationAdmin",

504

# "members": [

505

# "user:mike@example.com",

506

# "group:admins@example.com",

507

# "domain:google.com",

508

# "serviceAccount:my-project-id@appspot.gserviceaccount.com"

# ]

# },

# {

# "role": "roles/resourcemanager.organizationViewer",

513

# "members": [

514

# "user:eve@example.com"

515

# ],

516

# "condition": {

517

# "title": "expirable access",

518

# "description": "Does not grant access after Sep 2020",

519

# "expression": "request.time < timestamp('2020-10-01T00:00:00.000Z')",

# }

# }

# ],

# "etag": "BwWWja0YfJA=",

# "version": 3

# }

#

# **YAML example:**

#

# bindings:

# - members:

# - user:mike@example.com

532

# - group:admins@example.com

533

# - domain:google.com

534

# - serviceAccount:my-project-id@appspot.gserviceaccount.com

535

# role: roles/resourcemanager.organizationAdmin

536

# - members:

537

# - user:eve@example.com

538

# role: roles/resourcemanager.organizationViewer

539

# condition:

540

# title: expirable access

541

# description: Does not grant access after Sep 2020

542

# expression: request.time < timestamp('2020-10-01T00:00:00.000Z')

543

# - etag: BwWWja0YfJA=

544

# - version: 3

545

#

546

# For a description of IAM and its features, see the

547

# [IAM documentation](https://cloud.google.com/iam/docs/).

548

"version": 42, # Specifies the format of the policy.

549

#

550

# Valid values are `0`, `1`, and `3`. Requests that specify an invalid value

551

# are rejected.

552

#

553

# Any operation that affects conditional role bindings must specify version

554

# `3`. This requirement applies to the following operations:

555

#

556

# * Getting a policy that includes a conditional role binding

557

# * Adding a conditional role binding to a policy

558

# * Changing a conditional role binding in a policy

559

# * Removing any role binding, with or without a condition, from a policy

560

# that includes conditions

561

#

562

# **Important:** If you use IAM Conditions, you must include the `etag` field

563

# whenever you call `setIamPolicy`. If you omit this field, then IAM allows

564

# you to overwrite a version `3` policy with a version `1` policy, and all of

565

# the conditions in the version `3` policy are lost.

566

#

567

# If a policy does not include any conditions, operations on that policy may

568

# specify any valid version or leave the field unset.

569

#

570

# To learn which resources support conditions in their IAM policies, see the

571

# [IAM documentation](https://cloud.google.com/iam/help/conditions/resource-policies).

572

"auditConfigs": [ # Specifies cloud audit logging configuration for this policy.

573

{ # Specifies the audit configuration for a service.

574

# The configuration determines which permission types are logged, and what

575

# identities, if any, are exempted from logging.

576

# An AuditConfig must have one or more AuditLogConfigs.

577

#

578

# If there are AuditConfigs for both `allServices` and a specific service,

579

# the union of the two AuditConfigs is used for that service: the log_types

580

# specified in each AuditConfig are enabled, and the exempted_members in each

581

# AuditLogConfig are exempted.

582

#

583

# Example Policy with multiple AuditConfigs:

#

# {

# "audit_configs": [

# {

# "service": "allServices"

589

# "audit_log_configs": [

590

# {

591

# "log_type": "DATA_READ",

592

# "exempted_members": [

593

# "user:jose@example.com"

# ]

# },

# {

# "log_type": "DATA_WRITE",

598

# },

599

# {

600

# "log_type": "ADMIN_READ",

# }

# ]

# },

# {

# "service": "sampleservice.googleapis.com"

606

# "audit_log_configs": [

607

# {

608

# "log_type": "DATA_READ",

609

# },

610

# {

611

# "log_type": "DATA_WRITE",

612

# "exempted_members": [

613

# "user:aliya@example.com"

# ]

# }

# ]

# }

# ]

# }

#

# For sampleservice, this policy enables DATA_READ, DATA_WRITE and ADMIN_READ

622

# logging. It also exempts jose@example.com from DATA_READ logging, and

623

# aliya@example.com from DATA_WRITE logging.

624

"service": "A String", # Specifies a service that will be enabled for audit logging.

625

# For example, `storage.googleapis.com`, `cloudsql.googleapis.com`.

626

# `allServices` is a special value that covers all services.

627

"auditLogConfigs": [ # The configuration for logging of each type of permission.

628

{ # Provides the configuration for logging a type of permissions.

# Example:

#

# {

# "audit_log_configs": [

633

# {

634

# "log_type": "DATA_READ",

635

# "exempted_members": [

636

# "user:jose@example.com"

# ]

# },

# {

# "log_type": "DATA_WRITE",

# }

# ]

# }

#

# This enables 'DATA_READ' and 'DATA_WRITE' logging, while exempting

646

# jose@example.com from DATA_READ logging.

647

"logType": "A String", # The log type that this config enables.

648

"exemptedMembers": [ # Specifies the identities that do not cause logging for this type of

649

# permission.

650

# Follows the same format of Binding.members.

"A String",

],

},

],

},

],

"bindings": [ # Associates a list of `members` to a `role`. Optionally, may specify a

658

# `condition` that determines how and when the `bindings` are applied. Each

659

# of the `bindings` must contain at least one member.

660

{ # Associates `members` with a `role`.

661

"condition": { # Represents a textual expression in the Common Expression Language (CEL) # The condition that is associated with this binding.

662

#

663

# If the condition evaluates to `true`, then this binding applies to the

664

# current request.

665

#

666

# If the condition evaluates to `false`, then this binding does not apply to

667

# the current request. However, a different role binding might grant the same

668

# role to one or more of the members in this binding.

669

#

670

# To learn which resources support conditions in their IAM policies, see the

671

# [IAM

672

# documentation](https://cloud.google.com/iam/help/conditions/resource-policies).

673

# syntax. CEL is a C-like expression language. The syntax and semantics of CEL

674

# are documented at https://github.com/google/cel-spec.

675

#

676

# Example (Comparison):

677

#

678

# title: "Summary size limit"

679

# description: "Determines if a summary is less than 100 chars"

680

# expression: "document.summary.size() < 100"

681

#

682

# Example (Equality):

683

#

684

# title: "Requestor is owner"

685

# description: "Determines if requestor is the document owner"

686

# expression: "document.owner == request.auth.claims.email"

#

# Example (Logic):

#

# title: "Public documents"

691

# description: "Determine whether the document should be publicly visible"

692

# expression: "document.type != 'private' && document.type != 'internal'"

693

#

694

# Example (Data Manipulation):

695

#

696

# title: "Notification string"

697

# description: "Create a notification string with a timestamp."

698

# expression: "'New message received at ' + string(document.create_time)"

699

#

700

# The exact variables and functions that may be referenced within an expression

701

# are determined by the service that evaluates it. See the service

702

# documentation for additional information.

703

"description": "A String", # Optional. Description of the expression. This is a longer text which

704

# describes the expression, e.g. when hovered over it in a UI.

705

"expression": "A String", # Textual representation of an expression in Common Expression Language

706

# syntax.

707

"title": "A String", # Optional. Title for the expression, i.e. a short string describing

708

# its purpose. This can be used e.g. in UIs which allow to enter the

709

# expression.

710

"location": "A String", # Optional. String indicating the location of the expression for error

711

# reporting, e.g. a file name and a position in the file.

712

},

713

"members": [ # Specifies the identities requesting access for a Cloud Platform resource.

714

# `members` can have the following values:

715

#

716

# * `allUsers`: A special identifier that represents anyone who is

717

# on the internet; with or without a Google account.

718

#

719

# * `allAuthenticatedUsers`: A special identifier that represents anyone

720

# who is authenticated with a Google account or a service account.

721

#

722

# * `user:{emailid}`: An email address that represents a specific Google

723

# account. For example, `alice@example.com` .

724

#

725

#

726

# * `serviceAccount:{emailid}`: An email address that represents a service

727

# account. For example, `my-other-app@appspot.gserviceaccount.com`.

728

#

729

# * `group:{emailid}`: An email address that represents a Google group.

730

# For example, `admins@example.com`.

731

#

732

# * `deleted:user:{emailid}?uid={uniqueid}`: An email address (plus unique

733

# identifier) representing a user that has been recently deleted. For

734

# example, `alice@example.com?uid=123456789012345678901`. If the user is

735

# recovered, this value reverts to `user:{emailid}` and the recovered user

736

# retains the role in the binding.

737

#

738

# * `deleted:serviceAccount:{emailid}?uid={uniqueid}`: An email address (plus

739

# unique identifier) representing a service account that has been recently

740

# deleted. For example,

741

# `my-other-app@appspot.gserviceaccount.com?uid=123456789012345678901`.

742

# If the service account is undeleted, this value reverts to

743

# `serviceAccount:{emailid}` and the undeleted service account retains the

744

# role in the binding.

745

#

746

# * `deleted:group:{emailid}?uid={uniqueid}`: An email address (plus unique

747

# identifier) representing a Google group that has been recently

748

# deleted. For example, `admins@example.com?uid=123456789012345678901`. If

749

# the group is recovered, this value reverts to `group:{emailid}` and the

750

# recovered group retains the role in the binding.

751

#

752

#

753

# * `domain:{domain}`: The G Suite domain (primary) that represents all the

754

# users of that domain. For example, `google.com` or `example.com`.

#

"A String",

],

"role": "A String", # Role that is assigned to `members`.

759

# For example, `roles/viewer`, `roles/editor`, or `roles/owner`.

760

},

761

],

762

"etag": "A String", # `etag` is used for optimistic concurrency control as a way to help

763

# prevent simultaneous updates of a policy from overwriting each other.

764

# It is strongly suggested that systems make use of the `etag` in the

765

# read-modify-write cycle to perform policy updates in order to avoid race

766

# conditions: An `etag` is returned in the response to `getIamPolicy`, and

767

# systems are expected to put that etag in the request to `setIamPolicy` to

768

# ensure that their change will be applied to the same version of the policy.

769

#

770

# **Important:** If you use IAM Conditions, you must include the `etag` field

771

# whenever you call `setIamPolicy`. If you omit this field, then IAM allows

772

# you to overwrite a version `3` policy with a version `1` policy, and all of

773

# the conditions in the version `3` policy are lost.

}</pre>

</div>

<code class="details" id="list">list(parent, pageSize=None, pageToken=None, x__xgafv=None)</code>

779

<pre>Lists the health datasets in the current project.

780

781

Args:

782

parent: string, The name of the project whose datasets should be listed.

783

For example, `projects/{project_id}/locations/{location_id}`. (required)

784

pageSize: integer, The maximum number of items to return. Capped to 100 if not specified.

785

May not be larger than 1000.

786

pageToken: string, The next_page_token value returned from a previous List request, if any.

787

x__xgafv: string, V1 error format.

Allowed values

1 - v1 error format

2 - v2 error format

Returns:

An object of the form:

794

795

{ # Lists the available datasets.

796

"datasets": [ # The first page of datasets.

797

{ # A message representing a health dataset.

798

#

799

# A health dataset represents a collection of healthcare data pertaining to one

800

# or more patients. This may include multiple modalities of healthcare data,

801

# such as electronic medical records or medical imaging data.

802

"timeZone": "A String", # The default timezone used by this dataset. Must be a either a valid IANA

803

# time zone name such as "America/New_York" or empty, which defaults to UTC.

804

# This is used for parsing times in resources, such as HL7 messages, where no

805

# explicit timezone is specified.

806

"name": "A String", # Output only. Resource name of the dataset, of the form

807

# `projects/{project_id}/locations/{location_id}/datasets/{dataset_id}`.

808

},

809

],

810

"nextPageToken": "A String", # Token to retrieve the next page of results, or empty if there are no

811

# more results in the list.

}</pre>

</div>

<code class="details" id="list_next">list_next(previous_request, previous_response)</code>

817

<pre>Retrieves the next page of results.

818

819

Args:

820

previous_request: The request for the previous page. (required)

821

previous_response: The response from the request for the previous page. (required)

822

823

Returns:

824

A request object that you can call 'execute()' on to request the next

825

page. Returns None if there are no more items in the collection.

</pre>

</div>

<code class="details" id="patch">patch(name, body=None, updateMask=None, x__xgafv=None)</code>

831

<pre>Updates dataset metadata.

Args:

`projects/{project_id}/locations/{location_id}/datasets/{dataset_id}`. (required)

836

body: object, The request body.

837

The object takes the form of:

838

839

{ # A message representing a health dataset.

840

#

841

# A health dataset represents a collection of healthcare data pertaining to one

842

# or more patients. This may include multiple modalities of healthcare data,

843

# such as electronic medical records or medical imaging data.

844

"timeZone": "A String", # The default timezone used by this dataset. Must be a either a valid IANA

845

# time zone name such as "America/New_York" or empty, which defaults to UTC.

846

# This is used for parsing times in resources, such as HL7 messages, where no

847

# explicit timezone is specified.

848

"name": "A String", # Output only. Resource name of the dataset, of the form

849

# `projects/{project_id}/locations/{location_id}/datasets/{dataset_id}`.

850

}

851

852

updateMask: string, The update mask applies to the resource. For the `FieldMask` definition,

853

see

854

https://developers.google.com/protocol-buffers/docs/reference/google.protobuf#fieldmask

855

x__xgafv: string, V1 error format.

Allowed values

1 - v1 error format

2 - v2 error format

Returns:

An object of the form:

862

863

{ # A message representing a health dataset.

864

#

865

# A health dataset represents a collection of healthcare data pertaining to one

866

# or more patients. This may include multiple modalities of healthcare data,

867

# such as electronic medical records or medical imaging data.

868

"timeZone": "A String", # The default timezone used by this dataset. Must be a either a valid IANA

869

# time zone name such as "America/New_York" or empty, which defaults to UTC.

870

# This is used for parsing times in resources, such as HL7 messages, where no

871

# explicit timezone is specified.

872

"name": "A String", # Output only. Resource name of the dataset, of the form

873

# `projects/{project_id}/locations/{location_id}/datasets/{dataset_id}`.

}</pre>

</div>

<code class="details" id="setIamPolicy">setIamPolicy(resource, body=None, x__xgafv=None)</code>

879

<pre>Sets the access control policy on the specified resource. Replaces any

880

existing policy.

881

882

Can return `NOT_FOUND`, `INVALID_ARGUMENT`, and `PERMISSION_DENIED` errors.

883

884

Args:

885

resource: string, REQUIRED: The resource for which the policy is being specified.

886

See the operation documentation for the appropriate value for this field. (required)

887

body: object, The request body.

888

The object takes the form of:

889

890

{ # Request message for `SetIamPolicy` method.

891

"policy": { # An Identity and Access Management (IAM) policy, which specifies access # REQUIRED: The complete policy to be applied to the `resource`. The size of

892

# the policy is limited to a few 10s of KB. An empty policy is a

893

# valid policy but certain Cloud Platform services (such as Projects)

894

# might reject them.

895

# controls for Google Cloud resources.

896

#

897

#

898

# A `Policy` is a collection of `bindings`. A `binding` binds one or more

899

# `members` to a single `role`. Members can be user accounts, service accounts,

900

# Google groups, and domains (such as G Suite). A `role` is a named list of

901

# permissions; each `role` can be an IAM predefined role or a user-created

902

# custom role.

903

#

904

# For some types of Google Cloud resources, a `binding` can also specify a

905

# `condition`, which is a logical expression that allows access to a resource

906

# only if the expression evaluates to `true`. A condition can add constraints

907

# based on attributes of the request, the resource, or both. To learn which

908

# resources support conditions in their IAM policies, see the

909

# [IAM documentation](https://cloud.google.com/iam/help/conditions/resource-policies).

#

# **JSON example:**

#

# {

# "bindings": [

# {

# "role": "roles/resourcemanager.organizationAdmin",

917

# "members": [

918

# "user:mike@example.com",

919

# "group:admins@example.com",

920

# "domain:google.com",

921

# "serviceAccount:my-project-id@appspot.gserviceaccount.com"

# ]

# },

# {

# "role": "roles/resourcemanager.organizationViewer",

926

# "members": [

927

# "user:eve@example.com"

928

# ],

929

# "condition": {

930

# "title": "expirable access",

931

# "description": "Does not grant access after Sep 2020",

932

# "expression": "request.time < timestamp('2020-10-01T00:00:00.000Z')",

# }

# }

# ],

# "etag": "BwWWja0YfJA=",

# "version": 3

# }

#

# **YAML example:**

#

# bindings:

# - members:

# - user:mike@example.com

945

# - group:admins@example.com

946

# - domain:google.com

947

# - serviceAccount:my-project-id@appspot.gserviceaccount.com

948

# role: roles/resourcemanager.organizationAdmin

949

# - members:

950

# - user:eve@example.com

951

# role: roles/resourcemanager.organizationViewer

952

# condition:

953

# title: expirable access

954

# description: Does not grant access after Sep 2020

955

# expression: request.time < timestamp('2020-10-01T00:00:00.000Z')

956

# - etag: BwWWja0YfJA=

957

# - version: 3

958

#

959

# For a description of IAM and its features, see the

960

# [IAM documentation](https://cloud.google.com/iam/docs/).

961

"version": 42, # Specifies the format of the policy.

962

#

963

# Valid values are `0`, `1`, and `3`. Requests that specify an invalid value

964

# are rejected.

965

#

966

# Any operation that affects conditional role bindings must specify version

967

# `3`. This requirement applies to the following operations:

968

#

969

# * Getting a policy that includes a conditional role binding

970

# * Adding a conditional role binding to a policy

971

# * Changing a conditional role binding in a policy

972

# * Removing any role binding, with or without a condition, from a policy

973

# that includes conditions

974

#

975

# **Important:** If you use IAM Conditions, you must include the `etag` field

976

# whenever you call `setIamPolicy`. If you omit this field, then IAM allows

977

# you to overwrite a version `3` policy with a version `1` policy, and all of

978

# the conditions in the version `3` policy are lost.

979

#

980

# If a policy does not include any conditions, operations on that policy may

981

# specify any valid version or leave the field unset.

982

#

983

# To learn which resources support conditions in their IAM policies, see the

984

# [IAM documentation](https://cloud.google.com/iam/help/conditions/resource-policies).

985

"auditConfigs": [ # Specifies cloud audit logging configuration for this policy.

986

{ # Specifies the audit configuration for a service.

987

# The configuration determines which permission types are logged, and what

988

# identities, if any, are exempted from logging.

989

# An AuditConfig must have one or more AuditLogConfigs.

990

#

991

# If there are AuditConfigs for both `allServices` and a specific service,

992

# the union of the two AuditConfigs is used for that service: the log_types

993

# specified in each AuditConfig are enabled, and the exempted_members in each

994

# AuditLogConfig are exempted.

995

#

996

# Example Policy with multiple AuditConfigs:

#

# {

# "audit_configs": [

# {

# "service": "allServices"

1002

# "audit_log_configs": [

1003

# {

1004

# "log_type": "DATA_READ",

1005

# "exempted_members": [

1006

# "user:jose@example.com"

# ]

# },

# {

# "log_type": "DATA_WRITE",

1011

# },

1012

# {

1013

# "log_type": "ADMIN_READ",

# }

# ]

# },

# {

# "service": "sampleservice.googleapis.com"

1019

# "audit_log_configs": [

1020

# {

1021

# "log_type": "DATA_READ",

1022

# },

1023

# {

1024

# "log_type": "DATA_WRITE",

1025

# "exempted_members": [

1026

# "user:aliya@example.com"

# ]

# }

# ]

# }

# ]

# }

#

# For sampleservice, this policy enables DATA_READ, DATA_WRITE and ADMIN_READ

1035

# logging. It also exempts jose@example.com from DATA_READ logging, and

1036

# aliya@example.com from DATA_WRITE logging.

1037

"service": "A String", # Specifies a service that will be enabled for audit logging.

1038

# For example, `storage.googleapis.com`, `cloudsql.googleapis.com`.

1039

# `allServices` is a special value that covers all services.

1040

"auditLogConfigs": [ # The configuration for logging of each type of permission.

1041

{ # Provides the configuration for logging a type of permissions.

# Example:

#

# {

# "audit_log_configs": [

1046

# {

1047

# "log_type": "DATA_READ",

1048

# "exempted_members": [

1049

# "user:jose@example.com"

# ]

# },

# {

# "log_type": "DATA_WRITE",

# }

# ]

# }

#

# This enables 'DATA_READ' and 'DATA_WRITE' logging, while exempting

1059

# jose@example.com from DATA_READ logging.

1060

"logType": "A String", # The log type that this config enables.

1061

"exemptedMembers": [ # Specifies the identities that do not cause logging for this type of

1062

# permission.

1063

# Follows the same format of Binding.members.

"A String",

],

},

],

},

],

"bindings": [ # Associates a list of `members` to a `role`. Optionally, may specify a

1071

# `condition` that determines how and when the `bindings` are applied. Each

1072

# of the `bindings` must contain at least one member.

1073

{ # Associates `members` with a `role`.

1074

"condition": { # Represents a textual expression in the Common Expression Language (CEL) # The condition that is associated with this binding.

1075

#

1076

# If the condition evaluates to `true`, then this binding applies to the

1077

# current request.

1078

#

1079

# If the condition evaluates to `false`, then this binding does not apply to

1080

# the current request. However, a different role binding might grant the same

1081

# role to one or more of the members in this binding.

1082

#

1083

# To learn which resources support conditions in their IAM policies, see the

1084

# [IAM

1085

# documentation](https://cloud.google.com/iam/help/conditions/resource-policies).

1086

# syntax. CEL is a C-like expression language. The syntax and semantics of CEL

1087

# are documented at https://github.com/google/cel-spec.

1088

#

1089

# Example (Comparison):

1090

#

1091

# title: "Summary size limit"

1092

# description: "Determines if a summary is less than 100 chars"

1093

# expression: "document.summary.size() < 100"

1094

#

1095

# Example (Equality):

1096

#

1097

# title: "Requestor is owner"

1098

# description: "Determines if requestor is the document owner"

1099

# expression: "document.owner == request.auth.claims.email"

#

# Example (Logic):

#

# title: "Public documents"

1104

# description: "Determine whether the document should be publicly visible"

1105

# expression: "document.type != 'private' && document.type != 'internal'"

1106

#

1107

# Example (Data Manipulation):

1108

#

1109

# title: "Notification string"

1110

# description: "Create a notification string with a timestamp."

1111

# expression: "'New message received at ' + string(document.create_time)"

1112

#

1113

# The exact variables and functions that may be referenced within an expression

1114

# are determined by the service that evaluates it. See the service

1115

# documentation for additional information.

1116

"description": "A String", # Optional. Description of the expression. This is a longer text which

1117

# describes the expression, e.g. when hovered over it in a UI.

1118

"expression": "A String", # Textual representation of an expression in Common Expression Language

1119

# syntax.

1120

"title": "A String", # Optional. Title for the expression, i.e. a short string describing

1121

# its purpose. This can be used e.g. in UIs which allow to enter the

1122

# expression.

1123

"location": "A String", # Optional. String indicating the location of the expression for error

1124

# reporting, e.g. a file name and a position in the file.

1125

},

1126

"members": [ # Specifies the identities requesting access for a Cloud Platform resource.

1127

# `members` can have the following values:

1128

#

1129

# * `allUsers`: A special identifier that represents anyone who is

1130

# on the internet; with or without a Google account.

1131

#

1132

# * `allAuthenticatedUsers`: A special identifier that represents anyone

1133

# who is authenticated with a Google account or a service account.

1134

#

1135

# * `user:{emailid}`: An email address that represents a specific Google

1136

# account. For example, `alice@example.com` .

1137

#

1138

#

1139

# * `serviceAccount:{emailid}`: An email address that represents a service

1140

# account. For example, `my-other-app@appspot.gserviceaccount.com`.

1141

#

1142

# * `group:{emailid}`: An email address that represents a Google group.

1143

# For example, `admins@example.com`.

1144

#

1145

# * `deleted:user:{emailid}?uid={uniqueid}`: An email address (plus unique

1146

# identifier) representing a user that has been recently deleted. For

1147

# example, `alice@example.com?uid=123456789012345678901`. If the user is

1148

# recovered, this value reverts to `user:{emailid}` and the recovered user

1149

# retains the role in the binding.

1150

#

1151

# * `deleted:serviceAccount:{emailid}?uid={uniqueid}`: An email address (plus

1152

# unique identifier) representing a service account that has been recently

1153

# deleted. For example,

1154

# `my-other-app@appspot.gserviceaccount.com?uid=123456789012345678901`.

1155

# If the service account is undeleted, this value reverts to

1156

# `serviceAccount:{emailid}` and the undeleted service account retains the

1157

# role in the binding.

1158

#

1159

# * `deleted:group:{emailid}?uid={uniqueid}`: An email address (plus unique

1160

# identifier) representing a Google group that has been recently

1161

# deleted. For example, `admins@example.com?uid=123456789012345678901`. If

1162

# the group is recovered, this value reverts to `group:{emailid}` and the

1163

# recovered group retains the role in the binding.

1164

#

1165

#

1166

# * `domain:{domain}`: The G Suite domain (primary) that represents all the

1167

# users of that domain. For example, `google.com` or `example.com`.

#

"A String",

],

"role": "A String", # Role that is assigned to `members`.

1172

# For example, `roles/viewer`, `roles/editor`, or `roles/owner`.

1173

},

1174

],

1175

"etag": "A String", # `etag` is used for optimistic concurrency control as a way to help

1176

# prevent simultaneous updates of a policy from overwriting each other.

1177

# It is strongly suggested that systems make use of the `etag` in the

1178

# read-modify-write cycle to perform policy updates in order to avoid race

1179

# conditions: An `etag` is returned in the response to `getIamPolicy`, and

1180

# systems are expected to put that etag in the request to `setIamPolicy` to

1181

# ensure that their change will be applied to the same version of the policy.

1182

#

1183

# **Important:** If you use IAM Conditions, you must include the `etag` field

1184

# whenever you call `setIamPolicy`. If you omit this field, then IAM allows

1185

# you to overwrite a version `3` policy with a version `1` policy, and all of

1186

# the conditions in the version `3` policy are lost.

1187

},

1188

"updateMask": "A String", # OPTIONAL: A FieldMask specifying which fields of the policy to modify. Only

1189

# the fields in the mask will be modified. If no mask is provided, the

1190

# following default mask is used:

1191

#

1192

# `paths: "bindings, etag"`

1193

}

1194

1195

x__xgafv: string, V1 error format.

Allowed values

1 - v1 error format

2 - v2 error format

Returns:

An object of the form:

1202

1203

{ # An Identity and Access Management (IAM) policy, which specifies access

1204

# controls for Google Cloud resources.

1205

#

1206

#

1207

# A `Policy` is a collection of `bindings`. A `binding` binds one or more

1208

# `members` to a single `role`. Members can be user accounts, service accounts,

1209

# Google groups, and domains (such as G Suite). A `role` is a named list of

1210

# permissions; each `role` can be an IAM predefined role or a user-created

1211

# custom role.

1212

#

1213

# For some types of Google Cloud resources, a `binding` can also specify a

1214

# `condition`, which is a logical expression that allows access to a resource

1215

# only if the expression evaluates to `true`. A condition can add constraints

1216

# based on attributes of the request, the resource, or both. To learn which

1217

# resources support conditions in their IAM policies, see the

1218

# [IAM documentation](https://cloud.google.com/iam/help/conditions/resource-policies).

#

# **JSON example:**

#

# {

# "bindings": [

# {

# "role": "roles/resourcemanager.organizationAdmin",

1226

# "members": [

1227

# "user:mike@example.com",

1228

# "group:admins@example.com",

1229

# "domain:google.com",

1230

# "serviceAccount:my-project-id@appspot.gserviceaccount.com"

# ]

# },

# {

# "role": "roles/resourcemanager.organizationViewer",

1235

# "members": [

1236

# "user:eve@example.com"

1237

# ],

1238

# "condition": {

1239

# "title": "expirable access",

1240

# "description": "Does not grant access after Sep 2020",

1241

# "expression": "request.time < timestamp('2020-10-01T00:00:00.000Z')",

# }

# }

# ],

# "etag": "BwWWja0YfJA=",

# "version": 3

# }

#

# **YAML example:**

#

# bindings:

# - members:

# - user:mike@example.com

1254

# - group:admins@example.com

1255

# - domain:google.com

1256

# - serviceAccount:my-project-id@appspot.gserviceaccount.com

1257

# role: roles/resourcemanager.organizationAdmin

1258

# - members:

1259

# - user:eve@example.com

1260

# role: roles/resourcemanager.organizationViewer

1261

# condition:

1262

# title: expirable access

1263

# description: Does not grant access after Sep 2020

1264

# expression: request.time < timestamp('2020-10-01T00:00:00.000Z')

1265

# - etag: BwWWja0YfJA=

1266

# - version: 3

1267

#

1268

# For a description of IAM and its features, see the

1269

# [IAM documentation](https://cloud.google.com/iam/docs/).

1270

"version": 42, # Specifies the format of the policy.

1271

#

1272

# Valid values are `0`, `1`, and `3`. Requests that specify an invalid value

1273

# are rejected.

1274

#

1275

# Any operation that affects conditional role bindings must specify version

1276

# `3`. This requirement applies to the following operations:

1277

#

1278

# * Getting a policy that includes a conditional role binding

1279

# * Adding a conditional role binding to a policy

1280

# * Changing a conditional role binding in a policy

1281

# * Removing any role binding, with or without a condition, from a policy

1282

# that includes conditions

1283

#

1284

# **Important:** If you use IAM Conditions, you must include the `etag` field

1285

# whenever you call `setIamPolicy`. If you omit this field, then IAM allows

1286

# you to overwrite a version `3` policy with a version `1` policy, and all of

1287

# the conditions in the version `3` policy are lost.

1288

#

1289

# If a policy does not include any conditions, operations on that policy may

1290

# specify any valid version or leave the field unset.

1291

#

1292

# To learn which resources support conditions in their IAM policies, see the

1293

# [IAM documentation](https://cloud.google.com/iam/help/conditions/resource-policies).

1294

"auditConfigs": [ # Specifies cloud audit logging configuration for this policy.

1295

{ # Specifies the audit configuration for a service.

1296

# The configuration determines which permission types are logged, and what

1297

# identities, if any, are exempted from logging.

1298

# An AuditConfig must have one or more AuditLogConfigs.

1299

#

1300

# If there are AuditConfigs for both `allServices` and a specific service,

1301

# the union of the two AuditConfigs is used for that service: the log_types

1302

# specified in each AuditConfig are enabled, and the exempted_members in each

1303

# AuditLogConfig are exempted.

1304

#

1305

# Example Policy with multiple AuditConfigs:

#

# {

# "audit_configs": [

# {

# "service": "allServices"

1311

# "audit_log_configs": [

1312

# {

1313

# "log_type": "DATA_READ",

1314

# "exempted_members": [

1315

# "user:jose@example.com"

# ]

# },

# {

# "log_type": "DATA_WRITE",

1320

# },

1321

# {

1322

# "log_type": "ADMIN_READ",

# }

# ]

# },

# {

# "service": "sampleservice.googleapis.com"

1328

# "audit_log_configs": [

1329

# {

1330

# "log_type": "DATA_READ",

1331

# },

1332

# {

1333

# "log_type": "DATA_WRITE",

1334

# "exempted_members": [

1335

# "user:aliya@example.com"

# ]

# }

# ]

# }

# ]

# }

#

# For sampleservice, this policy enables DATA_READ, DATA_WRITE and ADMIN_READ

1344

# logging. It also exempts jose@example.com from DATA_READ logging, and

1345

# aliya@example.com from DATA_WRITE logging.

1346

"service": "A String", # Specifies a service that will be enabled for audit logging.

1347

# For example, `storage.googleapis.com`, `cloudsql.googleapis.com`.

1348

# `allServices` is a special value that covers all services.

1349

"auditLogConfigs": [ # The configuration for logging of each type of permission.

1350

{ # Provides the configuration for logging a type of permissions.

# Example:

#

# {

# "audit_log_configs": [

1355

# {

1356

# "log_type": "DATA_READ",

1357

# "exempted_members": [

1358

# "user:jose@example.com"

# ]

# },

# {

# "log_type": "DATA_WRITE",

# }

# ]

# }

#

# This enables 'DATA_READ' and 'DATA_WRITE' logging, while exempting

1368

# jose@example.com from DATA_READ logging.

1369

"logType": "A String", # The log type that this config enables.

1370

"exemptedMembers": [ # Specifies the identities that do not cause logging for this type of

1371

# permission.

1372

# Follows the same format of Binding.members.

"A String",

],

},

],

},

],

"bindings": [ # Associates a list of `members` to a `role`. Optionally, may specify a

1380

# `condition` that determines how and when the `bindings` are applied. Each

1381

# of the `bindings` must contain at least one member.

1382

{ # Associates `members` with a `role`.

1383

"condition": { # Represents a textual expression in the Common Expression Language (CEL) # The condition that is associated with this binding.

1384

#

1385

# If the condition evaluates to `true`, then this binding applies to the

1386

# current request.

1387

#

1388

# If the condition evaluates to `false`, then this binding does not apply to

1389

# the current request. However, a different role binding might grant the same

1390

# role to one or more of the members in this binding.

1391

#

1392

# To learn which resources support conditions in their IAM policies, see the

1393

# [IAM

1394

# documentation](https://cloud.google.com/iam/help/conditions/resource-policies).

1395

# syntax. CEL is a C-like expression language. The syntax and semantics of CEL

1396

# are documented at https://github.com/google/cel-spec.

1397

#

1398

# Example (Comparison):

1399

#

1400

# title: "Summary size limit"

1401

# description: "Determines if a summary is less than 100 chars"

1402

# expression: "document.summary.size() < 100"

1403

#

1404

# Example (Equality):

1405

#

1406

# title: "Requestor is owner"

1407

# description: "Determines if requestor is the document owner"

1408

# expression: "document.owner == request.auth.claims.email"

#

# Example (Logic):

#

# title: "Public documents"

1413

# description: "Determine whether the document should be publicly visible"

1414

# expression: "document.type != 'private' && document.type != 'internal'"

1415

#

1416

# Example (Data Manipulation):

1417

#

1418

# title: "Notification string"

1419

# description: "Create a notification string with a timestamp."

1420

# expression: "'New message received at ' + string(document.create_time)"

1421

#

1422

# The exact variables and functions that may be referenced within an expression

1423

# are determined by the service that evaluates it. See the service

1424

# documentation for additional information.

1425

"description": "A String", # Optional. Description of the expression. This is a longer text which

1426

# describes the expression, e.g. when hovered over it in a UI.

1427

"expression": "A String", # Textual representation of an expression in Common Expression Language

1428

# syntax.

1429

"title": "A String", # Optional. Title for the expression, i.e. a short string describing

1430

# its purpose. This can be used e.g. in UIs which allow to enter the

1431

# expression.

1432

"location": "A String", # Optional. String indicating the location of the expression for error

1433

# reporting, e.g. a file name and a position in the file.

1434

},

1435

"members": [ # Specifies the identities requesting access for a Cloud Platform resource.

1436

# `members` can have the following values:

1437

#

1438

# * `allUsers`: A special identifier that represents anyone who is

1439

# on the internet; with or without a Google account.

1440

#

1441

# * `allAuthenticatedUsers`: A special identifier that represents anyone

1442

# who is authenticated with a Google account or a service account.

1443

#

1444

# * `user:{emailid}`: An email address that represents a specific Google

1445

# account. For example, `alice@example.com` .

1446

#

1447

#

1448

# * `serviceAccount:{emailid}`: An email address that represents a service

1449

# account. For example, `my-other-app@appspot.gserviceaccount.com`.

1450

#

1451

# * `group:{emailid}`: An email address that represents a Google group.

1452

# For example, `admins@example.com`.

1453

#

1454

# * `deleted:user:{emailid}?uid={uniqueid}`: An email address (plus unique

1455

# identifier) representing a user that has been recently deleted. For

1456

# example, `alice@example.com?uid=123456789012345678901`. If the user is

1457

# recovered, this value reverts to `user:{emailid}` and the recovered user

1458

# retains the role in the binding.

1459

#

1460

# * `deleted:serviceAccount:{emailid}?uid={uniqueid}`: An email address (plus

1461

# unique identifier) representing a service account that has been recently

1462

# deleted. For example,

1463

# `my-other-app@appspot.gserviceaccount.com?uid=123456789012345678901`.

1464

# If the service account is undeleted, this value reverts to

1465

# `serviceAccount:{emailid}` and the undeleted service account retains the

1466

# role in the binding.

1467

#

1468

# * `deleted:group:{emailid}?uid={uniqueid}`: An email address (plus unique

1469

# identifier) representing a Google group that has been recently

1470

# deleted. For example, `admins@example.com?uid=123456789012345678901`. If

1471

# the group is recovered, this value reverts to `group:{emailid}` and the

1472

# recovered group retains the role in the binding.

1473

#

1474

#

1475

# * `domain:{domain}`: The G Suite domain (primary) that represents all the

1476

# users of that domain. For example, `google.com` or `example.com`.

#

"A String",

],

"role": "A String", # Role that is assigned to `members`.

1481

# For example, `roles/viewer`, `roles/editor`, or `roles/owner`.

1482

},

1483

],

1484

"etag": "A String", # `etag` is used for optimistic concurrency control as a way to help

1485

# prevent simultaneous updates of a policy from overwriting each other.

1486

# It is strongly suggested that systems make use of the `etag` in the

1487

# read-modify-write cycle to perform policy updates in order to avoid race

1488

# conditions: An `etag` is returned in the response to `getIamPolicy`, and

1489

# systems are expected to put that etag in the request to `setIamPolicy` to

1490

# ensure that their change will be applied to the same version of the policy.

1491

#

1492

# **Important:** If you use IAM Conditions, you must include the `etag` field

1493

# whenever you call `setIamPolicy`. If you omit this field, then IAM allows

1494

# you to overwrite a version `3` policy with a version `1` policy, and all of

1495

# the conditions in the version `3` policy are lost.

}</pre>

</div>

<code class="details" id="testIamPermissions">testIamPermissions(resource, body=None, x__xgafv=None)</code>

1501

<pre>Returns permissions that a caller has on the specified resource.

1502

If the resource does not exist, this will return an empty set of

1503

permissions, not a `NOT_FOUND` error.

1504

1505

Note: This operation is designed to be used for building permission-aware

1506

UIs and command-line tools, not for authorization checking. This operation

1507

may "fail open" without warning.

1508

1509

Args:

1510

resource: string, REQUIRED: The resource for which the policy detail is being requested.

1511

See the operation documentation for the appropriate value for this field. (required)

1512

body: object, The request body.

1513

The object takes the form of:

1514

1515

{ # Request message for `TestIamPermissions` method.

1516

"permissions": [ # The set of permissions to check for the `resource`. Permissions with

1517

# wildcards (such as '*' or 'storage.*') are not allowed. For more

1518

# information see

1519

# [IAM Overview](https://cloud.google.com/iam/docs/overview#permissions).

"A String",

],

}

x__xgafv: string, V1 error format.

Allowed values

1 - v1 error format

2 - v2 error format

Returns:

An object of the form:

1531

1532

{ # Response message for `TestIamPermissions` method.

1533

"permissions": [ # A subset of `TestPermissionsRequest.permissions` that the caller is

# allowed.

"A String",

],

}</pre>

</div>

</body></html>