Blame - docs/dyn/accesscontextmanager_v1.accessPolicies.accessLevels.html - platform/external/python/google-api-python-client

2020-05-01 07:42:23 -0700

[diff] [blame]

78

<code><a href="#create">create(parent, body=None, x__xgafv=None)</a></code></p>

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

79

<p class="firstline">Create an Access Level. The longrunning</p>

80

81

<code><a href="#delete">delete(name, x__xgafv=None)</a></code></p>

82

<p class="firstline">Delete an Access Level by resource</p>

83

84

<code><a href="#get">get(name, accessLevelFormat=None, x__xgafv=None)</a></code></p>

85

<p class="firstline">Get an Access Level by resource</p>

86

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

87

<code><a href="#list">list(parent, pageToken=None, pageSize=None, accessLevelFormat=None, x__xgafv=None)</a></code></p>

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

88

<p class="firstline">List all Access Levels for an access</p>

89

90

<code><a href="#list_next">list_next(previous_request, previous_response)</a></code></p>

91

<p class="firstline">Retrieves the next page of results.</p>

92

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

93

<code><a href="#patch">patch(name, body=None, updateMask=None, x__xgafv=None)</a></code></p>

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

94

<p class="firstline">Update an Access Level. The longrunning</p>

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

95

96

<code><a href="#replaceAll">replaceAll(parent, body=None, x__xgafv=None)</a></code></p>

97

<p class="firstline">Replace all existing Access Levels in an Access</p>

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

98

<h3>Method Details</h3>

99

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

100

<code class="details" id="create">create(parent, body=None, x__xgafv=None)</code>

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

101

<pre>Create an Access Level. The longrunning

102

operation from this RPC will have a successful status once the Access

103

Level has

104

propagated to long-lasting storage. Access Levels containing

105

errors will result in an error response for the first error encountered.

106

107

Args:

108

parent: string, Required. Resource name for the access policy which owns this Access

109

Level.

110

111

Format: `accessPolicies/{policy_id}` (required)

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

112

body: object, The request body.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

113

The object takes the form of:

114

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

115

{ # An `AccessLevel` is a label that can be applied to requests to Google Cloud

116

# services, along with a list of requirements necessary for the label to be

117

# applied.

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

118

"name": "A String", # Required. Resource name for the Access Level. The `short_name` component

119

# must begin with a letter and only include alphanumeric and '_'. Format:

120

# `accessPolicies/{policy_id}/accessLevels/{short_name}`. The maximum length

121

# of the `short_name` component is 50 characters.

122

"basic": { # `BasicLevel` is an `AccessLevel` using a set of recommended features. # A `BasicLevel` composed of `Conditions`.

123

"conditions": [ # Required. A list of requirements for the `AccessLevel` to be granted.

124

{ # A condition necessary for an `AccessLevel` to be granted. The Condition is an

125

# AND over its fields. So a Condition is true if: 1) the request IP is from one

126

# of the listed subnetworks AND 2) the originating device complies with the

127

# listed device policy AND 3) all listed access levels are granted AND 4) the

128

# request was sent at a time allowed by the DateTimeRestriction.

129

"regions": [ # The request must originate from one of the provided countries/regions.

130

# Must be valid ISO 3166-1 alpha-2 codes.

131

"A String",

132

],

133

"requiredAccessLevels": [ # A list of other access levels defined in the same `Policy`, referenced by

134

# resource name. Referencing an `AccessLevel` which does not exist is an

135

# error. All access levels listed must be granted for the Condition

136

# to be true. Example:

137

# "`accessPolicies/MY_POLICY/accessLevels/LEVEL_NAME"`

138

"A String",

139

],

140

"devicePolicy": { # `DevicePolicy` specifies device specific restrictions necessary to acquire a # Device specific restrictions, all restrictions must hold for the

141

# Condition to be true. If not specified, all devices are allowed.

142

# given access level. A `DevicePolicy` specifies requirements for requests from

143

# devices to be granted access levels, it does not do any enforcement on the

144

# device. `DevicePolicy` acts as an AND over all specified fields, and each

145

# repeated field is an OR over its elements. Any unset fields are ignored. For

146

# example, if the proto is { os_type : DESKTOP_WINDOWS, os_type :

147

# DESKTOP_LINUX, encryption_status: ENCRYPTED}, then the DevicePolicy will be

148

# true for requests originating from encrypted Linux desktops and encrypted

149

# Windows desktops.

150

"requireCorpOwned": True or False, # Whether the device needs to be corp owned.

151

"requireAdminApproval": True or False, # Whether the device needs to be approved by the customer admin.

152

"requireScreenlock": True or False, # Whether or not screenlock is required for the DevicePolicy to be true.

153

# Defaults to `false`.

154

"allowedEncryptionStatuses": [ # Allowed encryptions statuses, an empty list allows all statuses.

155

"A String",

156

],

157

"allowedDeviceManagementLevels": [ # Allowed device management levels, an empty list allows all management

# levels.

"A String",

],

"osConstraints": [ # Allowed OS versions, an empty list allows all types and all versions.

162

{ # A restriction on the OS type and version of devices making requests.

163

"osType": "A String", # Required. The allowed OS type.

164

"requireVerifiedChromeOs": True or False, # Only allows requests from devices with a verified Chrome OS.

165

# Verifications includes requirements that the device is enterprise-managed,

166

# conformant to domain policies, and the caller has permission to call

167

# the API targeted by the request.

168

"minimumVersion": "A String", # The minimum allowed OS version. If not set, any version of this OS

169

# satisfies the constraint. Format: `"major.minor.patch"`.

170

# Examples: `"10.5.301"`, `"9.2.1"`.

},

],

},

"members": [ # The request must be made by one of the provided user or service

175

# accounts. Groups are not supported.

176

# Syntax:

177

# `user:{emailid}`

178

# `serviceAccount:{emailid}`

179

# If not specified, a request may come from any user.

180

"A String",

181

],

182

"ipSubnetworks": [ # CIDR block IP subnetwork specification. May be IPv4 or IPv6. Note that for

183

# a CIDR IP address block, the specified IP address portion must be properly

184

# truncated (i.e. all the host bits must be zero) or the input is considered

185

# malformed. For example, "192.0.2.0/24" is accepted but "192.0.2.1/24" is

186

# not. Similarly, for IPv6, "2001:db8::/32" is accepted whereas

187

# "2001:db8::1/32" is not. The originating IP of a request must be in one of

188

# the listed subnets in order for this Condition to be true. If empty, all IP

189

# addresses are allowed.

190

"A String",

191

],

192

"negate": True or False, # Whether to negate the Condition. If true, the Condition becomes a NAND over

193

# its non-empty fields, each field must be false for the Condition overall to

194

# be satisfied. Defaults to false.

195

},

196

],

197

"combiningFunction": "A String", # How the `conditions` list should be combined to determine if a request is

198

# granted this `AccessLevel`. If AND is used, each `Condition` in

199

# `conditions` must be satisfied for the `AccessLevel` to be applied. If OR

200

# is used, at least one `Condition` in `conditions` must be satisfied for the

201

# `AccessLevel` to be applied. Default behavior is AND.

202

},

203

"description": "A String", # Description of the `AccessLevel` and its use. Does not affect behavior.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

204

"custom": { # `CustomLevel` is an `AccessLevel` using the Cloud Common Expression Language # A `CustomLevel` written in the Common Expression Language.

205

# to represent the necessary conditions for the level to apply to a request.

206

# See CEL spec at: https://github.com/google/cel-spec

207

"expr": { # Represents a textual expression in the Common Expression Language (CEL) # Required. A Cloud CEL expression evaluating to a boolean.

208

# syntax. CEL is a C-like expression language. The syntax and semantics of CEL

209

# are documented at https://github.com/google/cel-spec.

210

#

211

# Example (Comparison):

212

#

213

# title: "Summary size limit"

214

# description: "Determines if a summary is less than 100 chars"

215

# expression: "document.summary.size() < 100"

216

#

217

# Example (Equality):

218

#

219

# title: "Requestor is owner"

220

# description: "Determines if requestor is the document owner"

221

# expression: "document.owner == request.auth.claims.email"

#

# Example (Logic):

#

# title: "Public documents"

226

# description: "Determine whether the document should be publicly visible"

227

# expression: "document.type != 'private' && document.type != 'internal'"

228

#

229

# Example (Data Manipulation):

230

#

231

# title: "Notification string"

232

# description: "Create a notification string with a timestamp."

233

# expression: "'New message received at ' + string(document.create_time)"

234

#

235

# The exact variables and functions that may be referenced within an expression

236

# are determined by the service that evaluates it. See the service

237

# documentation for additional information.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

238

"expression": "A String", # Textual representation of an expression in Common Expression Language

239

# syntax.

240

"title": "A String", # Optional. Title for the expression, i.e. a short string describing

241

# its purpose. This can be used e.g. in UIs which allow to enter the

242

# expression.

243

"location": "A String", # Optional. String indicating the location of the expression for error

244

# reporting, e.g. a file name and a position in the file.

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

245

"description": "A String", # Optional. Description of the expression. This is a longer text which

246

# describes the expression, e.g. when hovered over it in a UI.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

247

},

248

},

249

"title": "A String", # Human readable title. Must be unique within the Policy.

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

250

}

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

251

252

x__xgafv: string, V1 error format.

Allowed values

1 - v1 error format

2 - v2 error format

Returns:

An object of the form:

259

260

{ # This resource represents a long-running operation that is the result of a

261

# network API call.

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

262

"name": "A String", # The server-assigned name, which is only unique within the same service that

263

# originally returns it. If you use the default HTTP mapping, the

264

# `name` should be a resource name ending with `operations/{unique_id}`.

265

"error": { # The `Status` type defines a logical error model that is suitable for # The error result of the operation in case of failure or cancellation.

266

# different programming environments, including REST APIs and RPC APIs. It is

267

# used by [gRPC](https://github.com/grpc). Each `Status` message contains

268

# three pieces of data: error code, error message, and error details.

269

#

270

# You can find out more about this error model and how to work with it in the

271

# [API Design Guide](https://cloud.google.com/apis/design/errors).

272

"message": "A String", # A developer-facing error message, which should be in English. Any

273

# user-facing error message should be localized and sent in the

274

# google.rpc.Status.details field, or localized by the client.

275

"details": [ # A list of messages that carry the error details. There is a common set of

276

# message types for APIs to use.

277

{

278

"a_key": "", # Properties of the object. Contains field @type with type URL.

279

},

280

],

281

"code": 42, # The status code, which should be an enum value of google.rpc.Code.

282

},

283

"metadata": { # Service-specific metadata associated with the operation. It typically

284

# contains progress information and common metadata such as create time.

285

# Some services might not provide such metadata. Any method that returns a

286

# long-running operation should document the metadata type, if any.

287

"a_key": "", # Properties of the object. Contains field @type with type URL.

288

},

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

289

"done": True or False, # If the value is `false`, it means the operation is still in progress.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

290

# If `true`, the operation is completed, and either `error` or `response` is

291

# available.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

292

"response": { # The normal response of the operation in case of success. If the original

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

293

# method returns no data on success, such as `Delete`, the response is

294

# `google.protobuf.Empty`. If the original method is standard

295

# `Get`/`Create`/`Update`, the response should be the resource. For other

296

# methods, the response should have the type `XxxResponse`, where `Xxx`

297

# is the original method name. For example, if the original method name

298

# is `TakeSnapshot()`, the inferred response type is

299

# `TakeSnapshotResponse`.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

300

"a_key": "", # Properties of the object. Contains field @type with type URL.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

301

},

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

}</pre>

</div>

<code class="details" id="delete">delete(name, x__xgafv=None)</code>

307

<pre>Delete an Access Level by resource

308

name. The longrunning operation from this RPC will have a successful status

309

once the Access Level has been removed

310

from long-lasting storage.

311

312

Args:

313

name: string, Required. Resource name for the Access Level.

314

315

Format:

316

`accessPolicies/{policy_id}/accessLevels/{access_level_id}` (required)

317

x__xgafv: string, V1 error format.

Allowed values

1 - v1 error format

2 - v2 error format

Returns:

An object of the form:

324

325

{ # This resource represents a long-running operation that is the result of a

326

# network API call.

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

327

"name": "A String", # The server-assigned name, which is only unique within the same service that

328

# originally returns it. If you use the default HTTP mapping, the

329

# `name` should be a resource name ending with `operations/{unique_id}`.

330

"error": { # The `Status` type defines a logical error model that is suitable for # The error result of the operation in case of failure or cancellation.

331

# different programming environments, including REST APIs and RPC APIs. It is

332

# used by [gRPC](https://github.com/grpc). Each `Status` message contains

333

# three pieces of data: error code, error message, and error details.

334

#

335

# You can find out more about this error model and how to work with it in the

336

# [API Design Guide](https://cloud.google.com/apis/design/errors).

337

"message": "A String", # A developer-facing error message, which should be in English. Any

338

# user-facing error message should be localized and sent in the

339

# google.rpc.Status.details field, or localized by the client.

340

"details": [ # A list of messages that carry the error details. There is a common set of

341

# message types for APIs to use.

342

{

343

"a_key": "", # Properties of the object. Contains field @type with type URL.

344

},

345

],

346

"code": 42, # The status code, which should be an enum value of google.rpc.Code.

347

},

348

"metadata": { # Service-specific metadata associated with the operation. It typically

349

# contains progress information and common metadata such as create time.

350

# Some services might not provide such metadata. Any method that returns a

351

# long-running operation should document the metadata type, if any.

352

"a_key": "", # Properties of the object. Contains field @type with type URL.

353

},

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

354

"done": True or False, # If the value is `false`, it means the operation is still in progress.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

355

# If `true`, the operation is completed, and either `error` or `response` is

356

# available.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

357

"response": { # The normal response of the operation in case of success. If the original

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

358

# method returns no data on success, such as `Delete`, the response is

359

# `google.protobuf.Empty`. If the original method is standard

360

# `Get`/`Create`/`Update`, the response should be the resource. For other

361

# methods, the response should have the type `XxxResponse`, where `Xxx`

362

# is the original method name. For example, if the original method name

363

# is `TakeSnapshot()`, the inferred response type is

364

# `TakeSnapshotResponse`.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

365

"a_key": "", # Properties of the object. Contains field @type with type URL.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

366

},

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

}</pre>

</div>

<code class="details" id="get">get(name, accessLevelFormat=None, x__xgafv=None)</code>

372

<pre>Get an Access Level by resource

name.

Args:

name: string, Required. Resource name for the Access Level.

377

378

Format:

379

`accessPolicies/{policy_id}/accessLevels/{access_level_id}` (required)

380

accessLevelFormat: string, Whether to return `BasicLevels` in the Cloud Common Expression

381

Language rather than as `BasicLevels`. Defaults to AS_DEFINED, where

382

Access Levels

383

are returned as `BasicLevels` or `CustomLevels` based on how they were

384

created. If set to CEL, all Access Levels are returned as

385

`CustomLevels`. In the CEL case, `BasicLevels` are translated to equivalent

386

`CustomLevels`.

387

x__xgafv: string, V1 error format.

Allowed values

1 - v1 error format

2 - v2 error format

Returns:

An object of the form:

394

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

395

{ # An `AccessLevel` is a label that can be applied to requests to Google Cloud

396

# services, along with a list of requirements necessary for the label to be

397

# applied.

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

398

"name": "A String", # Required. Resource name for the Access Level. The `short_name` component

399

# must begin with a letter and only include alphanumeric and '_'. Format:

400

# `accessPolicies/{policy_id}/accessLevels/{short_name}`. The maximum length

401

# of the `short_name` component is 50 characters.

402

"basic": { # `BasicLevel` is an `AccessLevel` using a set of recommended features. # A `BasicLevel` composed of `Conditions`.

403

"conditions": [ # Required. A list of requirements for the `AccessLevel` to be granted.

404

{ # A condition necessary for an `AccessLevel` to be granted. The Condition is an

405

# AND over its fields. So a Condition is true if: 1) the request IP is from one

406

# of the listed subnetworks AND 2) the originating device complies with the

407

# listed device policy AND 3) all listed access levels are granted AND 4) the

408

# request was sent at a time allowed by the DateTimeRestriction.

409

"regions": [ # The request must originate from one of the provided countries/regions.

410

# Must be valid ISO 3166-1 alpha-2 codes.

411

"A String",

412

],

413

"requiredAccessLevels": [ # A list of other access levels defined in the same `Policy`, referenced by

414

# resource name. Referencing an `AccessLevel` which does not exist is an

415

# error. All access levels listed must be granted for the Condition

416

# to be true. Example:

417

# "`accessPolicies/MY_POLICY/accessLevels/LEVEL_NAME"`

418

"A String",

419

],

420

"devicePolicy": { # `DevicePolicy` specifies device specific restrictions necessary to acquire a # Device specific restrictions, all restrictions must hold for the

421

# Condition to be true. If not specified, all devices are allowed.

422

# given access level. A `DevicePolicy` specifies requirements for requests from

423

# devices to be granted access levels, it does not do any enforcement on the

424

# device. `DevicePolicy` acts as an AND over all specified fields, and each

425

# repeated field is an OR over its elements. Any unset fields are ignored. For

426

# example, if the proto is { os_type : DESKTOP_WINDOWS, os_type :

427

# DESKTOP_LINUX, encryption_status: ENCRYPTED}, then the DevicePolicy will be

428

# true for requests originating from encrypted Linux desktops and encrypted

429

# Windows desktops.

430

"requireCorpOwned": True or False, # Whether the device needs to be corp owned.

431

"requireAdminApproval": True or False, # Whether the device needs to be approved by the customer admin.

432

"requireScreenlock": True or False, # Whether or not screenlock is required for the DevicePolicy to be true.

433

# Defaults to `false`.

434

"allowedEncryptionStatuses": [ # Allowed encryptions statuses, an empty list allows all statuses.

435

"A String",

436

],

437

"allowedDeviceManagementLevels": [ # Allowed device management levels, an empty list allows all management

# levels.

"A String",

],

"osConstraints": [ # Allowed OS versions, an empty list allows all types and all versions.

442

{ # A restriction on the OS type and version of devices making requests.

443

"osType": "A String", # Required. The allowed OS type.

444

"requireVerifiedChromeOs": True or False, # Only allows requests from devices with a verified Chrome OS.

445

# Verifications includes requirements that the device is enterprise-managed,

446

# conformant to domain policies, and the caller has permission to call

447

# the API targeted by the request.

448

"minimumVersion": "A String", # The minimum allowed OS version. If not set, any version of this OS

449

# satisfies the constraint. Format: `"major.minor.patch"`.

450

# Examples: `"10.5.301"`, `"9.2.1"`.

},

],

},

"members": [ # The request must be made by one of the provided user or service

455

# accounts. Groups are not supported.

456

# Syntax:

457

# `user:{emailid}`

458

# `serviceAccount:{emailid}`

459

# If not specified, a request may come from any user.

460

"A String",

461

],

462

"ipSubnetworks": [ # CIDR block IP subnetwork specification. May be IPv4 or IPv6. Note that for

463

# a CIDR IP address block, the specified IP address portion must be properly

464

# truncated (i.e. all the host bits must be zero) or the input is considered

465

# malformed. For example, "192.0.2.0/24" is accepted but "192.0.2.1/24" is

466

# not. Similarly, for IPv6, "2001:db8::/32" is accepted whereas

467

# "2001:db8::1/32" is not. The originating IP of a request must be in one of

468

# the listed subnets in order for this Condition to be true. If empty, all IP

469

# addresses are allowed.

470

"A String",

471

],

472

"negate": True or False, # Whether to negate the Condition. If true, the Condition becomes a NAND over

473

# its non-empty fields, each field must be false for the Condition overall to

474

# be satisfied. Defaults to false.

475

},

476

],

477

"combiningFunction": "A String", # How the `conditions` list should be combined to determine if a request is

478

# granted this `AccessLevel`. If AND is used, each `Condition` in

479

# `conditions` must be satisfied for the `AccessLevel` to be applied. If OR

480

# is used, at least one `Condition` in `conditions` must be satisfied for the

481

# `AccessLevel` to be applied. Default behavior is AND.

482

},

483

"description": "A String", # Description of the `AccessLevel` and its use. Does not affect behavior.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

484

"custom": { # `CustomLevel` is an `AccessLevel` using the Cloud Common Expression Language # A `CustomLevel` written in the Common Expression Language.

485

# to represent the necessary conditions for the level to apply to a request.

486

# See CEL spec at: https://github.com/google/cel-spec

487

"expr": { # Represents a textual expression in the Common Expression Language (CEL) # Required. A Cloud CEL expression evaluating to a boolean.

488

# syntax. CEL is a C-like expression language. The syntax and semantics of CEL

489

# are documented at https://github.com/google/cel-spec.

490

#

491

# Example (Comparison):

492

#

493

# title: "Summary size limit"

494

# description: "Determines if a summary is less than 100 chars"

495

# expression: "document.summary.size() < 100"

496

#

497

# Example (Equality):

498

#

499

# title: "Requestor is owner"

500

# description: "Determines if requestor is the document owner"

501

# expression: "document.owner == request.auth.claims.email"

#

# Example (Logic):

#

# title: "Public documents"

506

# description: "Determine whether the document should be publicly visible"

507

# expression: "document.type != 'private' && document.type != 'internal'"

508

#

509

# Example (Data Manipulation):

510

#

511

# title: "Notification string"

512

# description: "Create a notification string with a timestamp."

513

# expression: "'New message received at ' + string(document.create_time)"

514

#

515

# The exact variables and functions that may be referenced within an expression

516

# are determined by the service that evaluates it. See the service

517

# documentation for additional information.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

518

"expression": "A String", # Textual representation of an expression in Common Expression Language

519

# syntax.

520

"title": "A String", # Optional. Title for the expression, i.e. a short string describing

521

# its purpose. This can be used e.g. in UIs which allow to enter the

522

# expression.

523

"location": "A String", # Optional. String indicating the location of the expression for error

524

# reporting, e.g. a file name and a position in the file.

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

525

"description": "A String", # Optional. Description of the expression. This is a longer text which

526

# describes the expression, e.g. when hovered over it in a UI.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

527

},

528

},

529

"title": "A String", # Human readable title. Must be unique within the Policy.

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

}</pre>

</div>

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

534

<code class="details" id="list">list(parent, pageToken=None, pageSize=None, accessLevelFormat=None, x__xgafv=None)</code>

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

535

<pre>List all Access Levels for an access

policy.

Args:

parent: string, Required. Resource name for the access policy to list Access Levels from.

540

541

Format:

542

`accessPolicies/{policy_id}` (required)

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

543

pageToken: string, Next page token for the next batch of Access Level instances.

544

Defaults to the first page of results.

545

pageSize: integer, Number of Access Levels to include in

546

the list. Default 100.

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

547

accessLevelFormat: string, Whether to return `BasicLevels` in the Cloud Common Expression language, as

548

`CustomLevels`, rather than as `BasicLevels`. Defaults to returning

549

`AccessLevels` in the format they were defined.

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

550

x__xgafv: string, V1 error format.

Allowed values

1 - v1 error format

2 - v2 error format

Returns:

An object of the form:

557

558

{ # A response to `ListAccessLevelsRequest`.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

559

"nextPageToken": "A String", # The pagination token to retrieve the next page of results. If the value is

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

560

# empty, no further results remain.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

561

"accessLevels": [ # List of the Access Level instances.

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

562

{ # An `AccessLevel` is a label that can be applied to requests to Google Cloud

563

# services, along with a list of requirements necessary for the label to be

564

# applied.

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

565

"name": "A String", # Required. Resource name for the Access Level. The `short_name` component

566

# must begin with a letter and only include alphanumeric and '_'. Format:

567

# `accessPolicies/{policy_id}/accessLevels/{short_name}`. The maximum length

568

# of the `short_name` component is 50 characters.

569

"basic": { # `BasicLevel` is an `AccessLevel` using a set of recommended features. # A `BasicLevel` composed of `Conditions`.

570

"conditions": [ # Required. A list of requirements for the `AccessLevel` to be granted.

571

{ # A condition necessary for an `AccessLevel` to be granted. The Condition is an

572

# AND over its fields. So a Condition is true if: 1) the request IP is from one

573

# of the listed subnetworks AND 2) the originating device complies with the

574

# listed device policy AND 3) all listed access levels are granted AND 4) the

575

# request was sent at a time allowed by the DateTimeRestriction.

576

"regions": [ # The request must originate from one of the provided countries/regions.

577

# Must be valid ISO 3166-1 alpha-2 codes.

578

"A String",

579

],

580

"requiredAccessLevels": [ # A list of other access levels defined in the same `Policy`, referenced by

581

# resource name. Referencing an `AccessLevel` which does not exist is an

582

# error. All access levels listed must be granted for the Condition

583

# to be true. Example:

584

# "`accessPolicies/MY_POLICY/accessLevels/LEVEL_NAME"`

585

"A String",

586

],

587

"devicePolicy": { # `DevicePolicy` specifies device specific restrictions necessary to acquire a # Device specific restrictions, all restrictions must hold for the

588

# Condition to be true. If not specified, all devices are allowed.

589

# given access level. A `DevicePolicy` specifies requirements for requests from

590

# devices to be granted access levels, it does not do any enforcement on the

591

# device. `DevicePolicy` acts as an AND over all specified fields, and each

592

# repeated field is an OR over its elements. Any unset fields are ignored. For

593

# example, if the proto is { os_type : DESKTOP_WINDOWS, os_type :

594

# DESKTOP_LINUX, encryption_status: ENCRYPTED}, then the DevicePolicy will be

595

# true for requests originating from encrypted Linux desktops and encrypted

596

# Windows desktops.

597

"requireCorpOwned": True or False, # Whether the device needs to be corp owned.

598

"requireAdminApproval": True or False, # Whether the device needs to be approved by the customer admin.

599

"requireScreenlock": True or False, # Whether or not screenlock is required for the DevicePolicy to be true.

600

# Defaults to `false`.

601

"allowedEncryptionStatuses": [ # Allowed encryptions statuses, an empty list allows all statuses.

602

"A String",

603

],

604

"allowedDeviceManagementLevels": [ # Allowed device management levels, an empty list allows all management

# levels.

"A String",

],

"osConstraints": [ # Allowed OS versions, an empty list allows all types and all versions.

609

{ # A restriction on the OS type and version of devices making requests.

610

"osType": "A String", # Required. The allowed OS type.

611

"requireVerifiedChromeOs": True or False, # Only allows requests from devices with a verified Chrome OS.

612

# Verifications includes requirements that the device is enterprise-managed,

613

# conformant to domain policies, and the caller has permission to call

614

# the API targeted by the request.

615

"minimumVersion": "A String", # The minimum allowed OS version. If not set, any version of this OS

616

# satisfies the constraint. Format: `"major.minor.patch"`.

617

# Examples: `"10.5.301"`, `"9.2.1"`.

},

],

},

"members": [ # The request must be made by one of the provided user or service

622

# accounts. Groups are not supported.

623

# Syntax:

624

# `user:{emailid}`

625

# `serviceAccount:{emailid}`

626

# If not specified, a request may come from any user.

627

"A String",

628

],

629

"ipSubnetworks": [ # CIDR block IP subnetwork specification. May be IPv4 or IPv6. Note that for

630

# a CIDR IP address block, the specified IP address portion must be properly

631

# truncated (i.e. all the host bits must be zero) or the input is considered

632

# malformed. For example, "192.0.2.0/24" is accepted but "192.0.2.1/24" is

633

# not. Similarly, for IPv6, "2001:db8::/32" is accepted whereas

634

# "2001:db8::1/32" is not. The originating IP of a request must be in one of

635

# the listed subnets in order for this Condition to be true. If empty, all IP

636

# addresses are allowed.

637

"A String",

638

],

639

"negate": True or False, # Whether to negate the Condition. If true, the Condition becomes a NAND over

640

# its non-empty fields, each field must be false for the Condition overall to

641

# be satisfied. Defaults to false.

642

},

643

],

644

"combiningFunction": "A String", # How the `conditions` list should be combined to determine if a request is

645

# granted this `AccessLevel`. If AND is used, each `Condition` in

646

# `conditions` must be satisfied for the `AccessLevel` to be applied. If OR

647

# is used, at least one `Condition` in `conditions` must be satisfied for the

648

# `AccessLevel` to be applied. Default behavior is AND.

649

},

650

"description": "A String", # Description of the `AccessLevel` and its use. Does not affect behavior.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

651

"custom": { # `CustomLevel` is an `AccessLevel` using the Cloud Common Expression Language # A `CustomLevel` written in the Common Expression Language.

652

# to represent the necessary conditions for the level to apply to a request.

653

# See CEL spec at: https://github.com/google/cel-spec

654

"expr": { # Represents a textual expression in the Common Expression Language (CEL) # Required. A Cloud CEL expression evaluating to a boolean.

655

# syntax. CEL is a C-like expression language. The syntax and semantics of CEL

656

# are documented at https://github.com/google/cel-spec.

657

#

658

# Example (Comparison):

659

#

660

# title: "Summary size limit"

661

# description: "Determines if a summary is less than 100 chars"

662

# expression: "document.summary.size() < 100"

663

#

664

# Example (Equality):

665

#

666

# title: "Requestor is owner"

667

# description: "Determines if requestor is the document owner"

668

# expression: "document.owner == request.auth.claims.email"

#

# Example (Logic):

#

# title: "Public documents"

673

# description: "Determine whether the document should be publicly visible"

674

# expression: "document.type != 'private' && document.type != 'internal'"

675

#

676

# Example (Data Manipulation):

677

#

678

# title: "Notification string"

679

# description: "Create a notification string with a timestamp."

680

# expression: "'New message received at ' + string(document.create_time)"

681

#

682

# The exact variables and functions that may be referenced within an expression

683

# are determined by the service that evaluates it. See the service

684

# documentation for additional information.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

685

"expression": "A String", # Textual representation of an expression in Common Expression Language

686

# syntax.

687

"title": "A String", # Optional. Title for the expression, i.e. a short string describing

688

# its purpose. This can be used e.g. in UIs which allow to enter the

689

# expression.

690

"location": "A String", # Optional. String indicating the location of the expression for error

691

# reporting, e.g. a file name and a position in the file.

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

692

"description": "A String", # Optional. Description of the expression. This is a longer text which

693

# describes the expression, e.g. when hovered over it in a UI.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

694

},

695

},

696

"title": "A String", # Human readable title. Must be unique within the Policy.

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

},

],

}</pre>

</div>

<code class="details" id="list_next">list_next(previous_request, previous_response)</code>

704

<pre>Retrieves the next page of results.

705

706

Args:

707

previous_request: The request for the previous page. (required)

708

previous_response: The response from the request for the previous page. (required)

709

710

Returns:

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

711

A request object that you can call 'execute()' on to request the next

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

712

page. Returns None if there are no more items in the collection.

</pre>

</div>

<code class="details" id="patch">patch(name, body=None, updateMask=None, x__xgafv=None)</code>

718

<pre>Update an Access Level. The longrunning

719

operation from this RPC will have a successful status once the changes to

720

the Access Level have propagated

721

to long-lasting storage. Access Levels containing

722

errors will result in an error response for the first error encountered.

723

724

Args:

725

name: string, Required. Resource name for the Access Level. The `short_name` component

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

726

must begin with a letter and only include alphanumeric and '_'. Format:

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

727

`accessPolicies/{policy_id}/accessLevels/{short_name}`. The maximum length

728

of the `short_name` component is 50 characters. (required)

729

body: object, The request body.

730

The object takes the form of:

731

732

{ # An `AccessLevel` is a label that can be applied to requests to Google Cloud

733

# services, along with a list of requirements necessary for the label to be

734

# applied.

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

735

"name": "A String", # Required. Resource name for the Access Level. The `short_name` component

736

# must begin with a letter and only include alphanumeric and '_'. Format:

737

# `accessPolicies/{policy_id}/accessLevels/{short_name}`. The maximum length

738

# of the `short_name` component is 50 characters.

739

"basic": { # `BasicLevel` is an `AccessLevel` using a set of recommended features. # A `BasicLevel` composed of `Conditions`.

740

"conditions": [ # Required. A list of requirements for the `AccessLevel` to be granted.

741

{ # A condition necessary for an `AccessLevel` to be granted. The Condition is an

742

# AND over its fields. So a Condition is true if: 1) the request IP is from one

743

# of the listed subnetworks AND 2) the originating device complies with the

744

# listed device policy AND 3) all listed access levels are granted AND 4) the

745

# request was sent at a time allowed by the DateTimeRestriction.

746

"regions": [ # The request must originate from one of the provided countries/regions.

747

# Must be valid ISO 3166-1 alpha-2 codes.

748

"A String",

749

],

750

"requiredAccessLevels": [ # A list of other access levels defined in the same `Policy`, referenced by

751

# resource name. Referencing an `AccessLevel` which does not exist is an

752

# error. All access levels listed must be granted for the Condition

753

# to be true. Example:

754

# "`accessPolicies/MY_POLICY/accessLevels/LEVEL_NAME"`

755

"A String",

756

],

757

"devicePolicy": { # `DevicePolicy` specifies device specific restrictions necessary to acquire a # Device specific restrictions, all restrictions must hold for the

758

# Condition to be true. If not specified, all devices are allowed.

759

# given access level. A `DevicePolicy` specifies requirements for requests from

760

# devices to be granted access levels, it does not do any enforcement on the

761

# device. `DevicePolicy` acts as an AND over all specified fields, and each

762

# repeated field is an OR over its elements. Any unset fields are ignored. For

763

# example, if the proto is { os_type : DESKTOP_WINDOWS, os_type :

764

# DESKTOP_LINUX, encryption_status: ENCRYPTED}, then the DevicePolicy will be

765

# true for requests originating from encrypted Linux desktops and encrypted

766

# Windows desktops.

767

"requireCorpOwned": True or False, # Whether the device needs to be corp owned.

768

"requireAdminApproval": True or False, # Whether the device needs to be approved by the customer admin.

769

"requireScreenlock": True or False, # Whether or not screenlock is required for the DevicePolicy to be true.

770

# Defaults to `false`.

771

"allowedEncryptionStatuses": [ # Allowed encryptions statuses, an empty list allows all statuses.

772

"A String",

773

],

774

"allowedDeviceManagementLevels": [ # Allowed device management levels, an empty list allows all management

# levels.

"A String",

],

"osConstraints": [ # Allowed OS versions, an empty list allows all types and all versions.

779

{ # A restriction on the OS type and version of devices making requests.

780

"osType": "A String", # Required. The allowed OS type.

781

"requireVerifiedChromeOs": True or False, # Only allows requests from devices with a verified Chrome OS.

782

# Verifications includes requirements that the device is enterprise-managed,

783

# conformant to domain policies, and the caller has permission to call

784

# the API targeted by the request.

785

"minimumVersion": "A String", # The minimum allowed OS version. If not set, any version of this OS

786

# satisfies the constraint. Format: `"major.minor.patch"`.

787

# Examples: `"10.5.301"`, `"9.2.1"`.

},

],

},

"members": [ # The request must be made by one of the provided user or service

792

# accounts. Groups are not supported.

793

# Syntax:

794

# `user:{emailid}`

795

# `serviceAccount:{emailid}`

796

# If not specified, a request may come from any user.

797

"A String",

798

],

799

"ipSubnetworks": [ # CIDR block IP subnetwork specification. May be IPv4 or IPv6. Note that for

800

# a CIDR IP address block, the specified IP address portion must be properly

801

# truncated (i.e. all the host bits must be zero) or the input is considered

802

# malformed. For example, "192.0.2.0/24" is accepted but "192.0.2.1/24" is

803

# not. Similarly, for IPv6, "2001:db8::/32" is accepted whereas

804

# "2001:db8::1/32" is not. The originating IP of a request must be in one of

805

# the listed subnets in order for this Condition to be true. If empty, all IP

806

# addresses are allowed.

807

"A String",

808

],

809

"negate": True or False, # Whether to negate the Condition. If true, the Condition becomes a NAND over

810

# its non-empty fields, each field must be false for the Condition overall to

811

# be satisfied. Defaults to false.

812

},

813

],

814

"combiningFunction": "A String", # How the `conditions` list should be combined to determine if a request is

815

# granted this `AccessLevel`. If AND is used, each `Condition` in

816

# `conditions` must be satisfied for the `AccessLevel` to be applied. If OR

817

# is used, at least one `Condition` in `conditions` must be satisfied for the

818

# `AccessLevel` to be applied. Default behavior is AND.

819

},

820

"description": "A String", # Description of the `AccessLevel` and its use. Does not affect behavior.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

821

"custom": { # `CustomLevel` is an `AccessLevel` using the Cloud Common Expression Language # A `CustomLevel` written in the Common Expression Language.

822

# to represent the necessary conditions for the level to apply to a request.

823

# See CEL spec at: https://github.com/google/cel-spec

824

"expr": { # Represents a textual expression in the Common Expression Language (CEL) # Required. A Cloud CEL expression evaluating to a boolean.

825

# syntax. CEL is a C-like expression language. The syntax and semantics of CEL

826

# are documented at https://github.com/google/cel-spec.

827

#

828

# Example (Comparison):

829

#

830

# title: "Summary size limit"

831

# description: "Determines if a summary is less than 100 chars"

832

# expression: "document.summary.size() < 100"

833

#

834

# Example (Equality):

835

#

836

# title: "Requestor is owner"

837

# description: "Determines if requestor is the document owner"

838

# expression: "document.owner == request.auth.claims.email"

#

# Example (Logic):

#

# title: "Public documents"

843

# description: "Determine whether the document should be publicly visible"

844

# expression: "document.type != 'private' && document.type != 'internal'"

845

#

846

# Example (Data Manipulation):

847

#

848

# title: "Notification string"

849

# description: "Create a notification string with a timestamp."

850

# expression: "'New message received at ' + string(document.create_time)"

851

#

852

# The exact variables and functions that may be referenced within an expression

853

# are determined by the service that evaluates it. See the service

854

# documentation for additional information.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

855

"expression": "A String", # Textual representation of an expression in Common Expression Language

856

# syntax.

857

"title": "A String", # Optional. Title for the expression, i.e. a short string describing

858

# its purpose. This can be used e.g. in UIs which allow to enter the

859

# expression.

860

"location": "A String", # Optional. String indicating the location of the expression for error

861

# reporting, e.g. a file name and a position in the file.

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

862

"description": "A String", # Optional. Description of the expression. This is a longer text which

863

# describes the expression, e.g. when hovered over it in a UI.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

864

},

865

},

866

"title": "A String", # Human readable title. Must be unique within the Policy.

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

867

}

868

869

updateMask: string, Required. Mask to control which fields get updated. Must be non-empty.

870

x__xgafv: string, V1 error format.

Allowed values

1 - v1 error format

2 - v2 error format

Returns:

An object of the form:

877

878

{ # This resource represents a long-running operation that is the result of a

879

# network API call.

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

880

"name": "A String", # The server-assigned name, which is only unique within the same service that

881

# originally returns it. If you use the default HTTP mapping, the

882

# `name` should be a resource name ending with `operations/{unique_id}`.

883

"error": { # The `Status` type defines a logical error model that is suitable for # The error result of the operation in case of failure or cancellation.

884

# different programming environments, including REST APIs and RPC APIs. It is

885

# used by [gRPC](https://github.com/grpc). Each `Status` message contains

886

# three pieces of data: error code, error message, and error details.

887

#

888

# You can find out more about this error model and how to work with it in the

889

# [API Design Guide](https://cloud.google.com/apis/design/errors).

890

"message": "A String", # A developer-facing error message, which should be in English. Any

891

# user-facing error message should be localized and sent in the

892

# google.rpc.Status.details field, or localized by the client.

893

"details": [ # A list of messages that carry the error details. There is a common set of

894

# message types for APIs to use.

895

{

896

"a_key": "", # Properties of the object. Contains field @type with type URL.

897

},

898

],

899

"code": 42, # The status code, which should be an enum value of google.rpc.Code.

900

},

901

"metadata": { # Service-specific metadata associated with the operation. It typically

902

# contains progress information and common metadata such as create time.

903

# Some services might not provide such metadata. Any method that returns a

904

# long-running operation should document the metadata type, if any.

905

"a_key": "", # Properties of the object. Contains field @type with type URL.

906

},

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

907

"done": True or False, # If the value is `false`, it means the operation is still in progress.

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

908

# If `true`, the operation is completed, and either `error` or `response` is

909

# available.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

910

"response": { # The normal response of the operation in case of success. If the original

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

911

# method returns no data on success, such as `Delete`, the response is

912

# `google.protobuf.Empty`. If the original method is standard

913

# `Get`/`Create`/`Update`, the response should be the resource. For other

914

# methods, the response should have the type `XxxResponse`, where `Xxx`

915

# is the original method name. For example, if the original method name

916

# is `TakeSnapshot()`, the inferred response type is

917

# `TakeSnapshotResponse`.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

918

"a_key": "", # Properties of the object. Contains field @type with type URL.

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

919

},

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

}</pre>

</div>

<code class="details" id="replaceAll">replaceAll(parent, body=None, x__xgafv=None)</code>

925

<pre>Replace all existing Access Levels in an Access

926

Policy with

927

the Access Levels provided. This

928

is done atomically. The longrunning operation from this RPC will have a

929

successful status once all replacements have propagated to long-lasting

930

storage. Replacements containing errors will result in an error response

931

for the first error encountered. Replacement will be cancelled on error,

932

existing Access Levels will not be

933

affected. Operation.response field will contain

934

ReplaceAccessLevelsResponse. Removing Access Levels contained in existing

935

Service Perimeters will result in

error.

Args:

parent: string, Required. Resource name for the access policy which owns these

940

Access Levels.

941

942

Format: `accessPolicies/{policy_id}` (required)

943

body: object, The request body.

944

The object takes the form of:

945

946

{ # A request to replace all existing Access Levels in an Access Policy with

947

# the Access Levels provided. This is done atomically.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

948

"accessLevels": [ # Required. The desired Access Levels that should

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

949

# replace all existing Access Levels in the

950

# Access Policy.

951

{ # An `AccessLevel` is a label that can be applied to requests to Google Cloud

952

# services, along with a list of requirements necessary for the label to be

953

# applied.

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

954

"name": "A String", # Required. Resource name for the Access Level. The `short_name` component

955

# must begin with a letter and only include alphanumeric and '_'. Format:

956

# `accessPolicies/{policy_id}/accessLevels/{short_name}`. The maximum length

957

# of the `short_name` component is 50 characters.

958

"basic": { # `BasicLevel` is an `AccessLevel` using a set of recommended features. # A `BasicLevel` composed of `Conditions`.

959

"conditions": [ # Required. A list of requirements for the `AccessLevel` to be granted.

960

{ # A condition necessary for an `AccessLevel` to be granted. The Condition is an

961

# AND over its fields. So a Condition is true if: 1) the request IP is from one

962

# of the listed subnetworks AND 2) the originating device complies with the

963

# listed device policy AND 3) all listed access levels are granted AND 4) the

964

# request was sent at a time allowed by the DateTimeRestriction.

965

"regions": [ # The request must originate from one of the provided countries/regions.

966

# Must be valid ISO 3166-1 alpha-2 codes.

967

"A String",

968

],

969

"requiredAccessLevels": [ # A list of other access levels defined in the same `Policy`, referenced by

970

# resource name. Referencing an `AccessLevel` which does not exist is an

971

# error. All access levels listed must be granted for the Condition

972

# to be true. Example:

973

# "`accessPolicies/MY_POLICY/accessLevels/LEVEL_NAME"`

974

"A String",

975

],

976

"devicePolicy": { # `DevicePolicy` specifies device specific restrictions necessary to acquire a # Device specific restrictions, all restrictions must hold for the

977

# Condition to be true. If not specified, all devices are allowed.

978

# given access level. A `DevicePolicy` specifies requirements for requests from

979

# devices to be granted access levels, it does not do any enforcement on the

980

# device. `DevicePolicy` acts as an AND over all specified fields, and each

981

# repeated field is an OR over its elements. Any unset fields are ignored. For

982

# example, if the proto is { os_type : DESKTOP_WINDOWS, os_type :

983

# DESKTOP_LINUX, encryption_status: ENCRYPTED}, then the DevicePolicy will be

984

# true for requests originating from encrypted Linux desktops and encrypted

985

# Windows desktops.

986

"requireCorpOwned": True or False, # Whether the device needs to be corp owned.

987

"requireAdminApproval": True or False, # Whether the device needs to be approved by the customer admin.

988

"requireScreenlock": True or False, # Whether or not screenlock is required for the DevicePolicy to be true.

989

# Defaults to `false`.

990

"allowedEncryptionStatuses": [ # Allowed encryptions statuses, an empty list allows all statuses.

991

"A String",

992

],

993

"allowedDeviceManagementLevels": [ # Allowed device management levels, an empty list allows all management

# levels.

"A String",

],

"osConstraints": [ # Allowed OS versions, an empty list allows all types and all versions.

998

{ # A restriction on the OS type and version of devices making requests.

999

"osType": "A String", # Required. The allowed OS type.

1000

"requireVerifiedChromeOs": True or False, # Only allows requests from devices with a verified Chrome OS.

1001

# Verifications includes requirements that the device is enterprise-managed,

1002

# conformant to domain policies, and the caller has permission to call

1003

# the API targeted by the request.

1004

"minimumVersion": "A String", # The minimum allowed OS version. If not set, any version of this OS

1005

# satisfies the constraint. Format: `"major.minor.patch"`.

1006

# Examples: `"10.5.301"`, `"9.2.1"`.

},

],

},

"members": [ # The request must be made by one of the provided user or service

1011

# accounts. Groups are not supported.

1012

# Syntax:

1013

# `user:{emailid}`

1014

# `serviceAccount:{emailid}`

1015

# If not specified, a request may come from any user.

1016

"A String",

1017

],

1018

"ipSubnetworks": [ # CIDR block IP subnetwork specification. May be IPv4 or IPv6. Note that for

1019

# a CIDR IP address block, the specified IP address portion must be properly

1020

# truncated (i.e. all the host bits must be zero) or the input is considered

1021

# malformed. For example, "192.0.2.0/24" is accepted but "192.0.2.1/24" is

1022

# not. Similarly, for IPv6, "2001:db8::/32" is accepted whereas

1023

# "2001:db8::1/32" is not. The originating IP of a request must be in one of

1024

# the listed subnets in order for this Condition to be true. If empty, all IP

1025

# addresses are allowed.

1026

"A String",

1027

],

1028

"negate": True or False, # Whether to negate the Condition. If true, the Condition becomes a NAND over

1029

# its non-empty fields, each field must be false for the Condition overall to

1030

# be satisfied. Defaults to false.

1031

},

1032

],

1033

"combiningFunction": "A String", # How the `conditions` list should be combined to determine if a request is

1034

# granted this `AccessLevel`. If AND is used, each `Condition` in

1035

# `conditions` must be satisfied for the `AccessLevel` to be applied. If OR

1036

# is used, at least one `Condition` in `conditions` must be satisfied for the

1037

# `AccessLevel` to be applied. Default behavior is AND.

1038

},

1039

"description": "A String", # Description of the `AccessLevel` and its use. Does not affect behavior.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

1040

"custom": { # `CustomLevel` is an `AccessLevel` using the Cloud Common Expression Language # A `CustomLevel` written in the Common Expression Language.

1041

# to represent the necessary conditions for the level to apply to a request.

1042

# See CEL spec at: https://github.com/google/cel-spec

1043

"expr": { # Represents a textual expression in the Common Expression Language (CEL) # Required. A Cloud CEL expression evaluating to a boolean.

1044

# syntax. CEL is a C-like expression language. The syntax and semantics of CEL

1045

# are documented at https://github.com/google/cel-spec.

1046

#

1047

# Example (Comparison):

1048

#

1049

# title: "Summary size limit"

1050

# description: "Determines if a summary is less than 100 chars"

1051

# expression: "document.summary.size() < 100"

1052

#

1053

# Example (Equality):

1054

#

1055

# title: "Requestor is owner"

1056

# description: "Determines if requestor is the document owner"

1057

# expression: "document.owner == request.auth.claims.email"

#

# Example (Logic):

#

# title: "Public documents"

1062

# description: "Determine whether the document should be publicly visible"

1063

# expression: "document.type != 'private' && document.type != 'internal'"

1064

#

1065

# Example (Data Manipulation):

1066

#

1067

# title: "Notification string"

1068

# description: "Create a notification string with a timestamp."

1069

# expression: "'New message received at ' + string(document.create_time)"

1070

#

1071

# The exact variables and functions that may be referenced within an expression

1072

# are determined by the service that evaluates it. See the service

1073

# documentation for additional information.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

1074

"expression": "A String", # Textual representation of an expression in Common Expression Language

1075

# syntax.

1076

"title": "A String", # Optional. Title for the expression, i.e. a short string describing

1077

# its purpose. This can be used e.g. in UIs which allow to enter the

1078

# expression.

1079

"location": "A String", # Optional. String indicating the location of the expression for error

1080

# reporting, e.g. a file name and a position in the file.

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

1081

"description": "A String", # Optional. Description of the expression. This is a longer text which

1082

# describes the expression, e.g. when hovered over it in a UI.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

1083

},

1084

},

1085

"title": "A String", # Human readable title. Must be unique within the Policy.

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

1086

},

1087

],

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

1088

"etag": "A String", # Optional. The etag for the version of the Access Policy that this

1089

# replace operation is to be performed on. If, at the time of replace, the

1090

# etag for the Access Policy stored in Access Context Manager is different

1091

# from the specified etag, then the replace operation will not be performed

1092

# and the call will fail. This field is not required. If etag is not

1093

# provided, the operation will be performed as if a valid etag is provided.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

1094

}

1095

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

1096

x__xgafv: string, V1 error format.

Allowed values

1 - v1 error format

2 - v2 error format

Returns:

An object of the form:

1103

1104

{ # This resource represents a long-running operation that is the result of a

1105

# network API call.

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

1106

"name": "A String", # The server-assigned name, which is only unique within the same service that

1107

# originally returns it. If you use the default HTTP mapping, the

1108

# `name` should be a resource name ending with `operations/{unique_id}`.

1109

"error": { # The `Status` type defines a logical error model that is suitable for # The error result of the operation in case of failure or cancellation.

1110

# different programming environments, including REST APIs and RPC APIs. It is

1111

# used by [gRPC](https://github.com/grpc). Each `Status` message contains

1112

# three pieces of data: error code, error message, and error details.

1113

#

1114

# You can find out more about this error model and how to work with it in the

1115

# [API Design Guide](https://cloud.google.com/apis/design/errors).

1116

"message": "A String", # A developer-facing error message, which should be in English. Any

1117

# user-facing error message should be localized and sent in the

1118

# google.rpc.Status.details field, or localized by the client.

1119

"details": [ # A list of messages that carry the error details. There is a common set of

1120

# message types for APIs to use.

1121

{

1122

"a_key": "", # Properties of the object. Contains field @type with type URL.

1123

},

1124

],

1125

"code": 42, # The status code, which should be an enum value of google.rpc.Code.

1126

},

1127

"metadata": { # Service-specific metadata associated with the operation. It typically

1128

# contains progress information and common metadata such as create time.

1129

# Some services might not provide such metadata. Any method that returns a

1130

# long-running operation should document the metadata type, if any.

1131

"a_key": "", # Properties of the object. Contains field @type with type URL.

1132

},

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

1133

"done": True or False, # If the value is `false`, it means the operation is still in progress.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

1134

# If `true`, the operation is completed, and either `error` or `response` is

1135

# available.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

1136

"response": { # The normal response of the operation in case of success. If the original

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

1137

# method returns no data on success, such as `Delete`, the response is

1138

# `google.protobuf.Empty`. If the original method is standard

1139

# `Get`/`Create`/`Update`, the response should be the resource. For other

1140

# methods, the response should have the type `XxxResponse`, where `Xxx`

1141

# is the original method name. For example, if the original method name

1142

# is `TakeSnapshot()`, the inferred response type is

1143

# `TakeSnapshotResponse`.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

1144

"a_key": "", # Properties of the object. Contains field @type with type URL.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

1145

},

Bu Sun Kim