# Google Cloud Identity and Access Management (IAM) v2 API - Class DenyRule (1.3.0)

    public sealed class DenyRule : IMessage<DenyRule>, IEquatable<DenyRule>, IDeepCloneable<DenyRule>, IBufferMessage, IMessage

Reference documentation and code samples for the Google Cloud Identity and Access Management (IAM) v2 API class DenyRule.

A deny rule in an IAM deny policy.

Inheritance
-----------

[object](https://learn.microsoft.com/dotnet/api/system.object) > DenyRule

Implements
----------

[IMessage](https://cloud.google.com/dotnet/docs/reference/Google.Protobuf/latest/Google.Protobuf.IMessage-1.html)<[DenyRule](/dotnet/docs/reference/Google.Cloud.Iam.V2/latest/Google.Cloud.Iam.V2.DenyRule)>, [IEquatable](https://learn.microsoft.com/dotnet/api/system.iequatable-1)<[DenyRule](/dotnet/docs/reference/Google.Cloud.Iam.V2/latest/Google.Cloud.Iam.V2.DenyRule)>, [IDeepCloneable](https://cloud.google.com/dotnet/docs/reference/Google.Protobuf/latest/Google.Protobuf.IDeepCloneable-1.html)<[DenyRule](/dotnet/docs/reference/Google.Cloud.Iam.V2/latest/Google.Cloud.Iam.V2.DenyRule)>, [IBufferMessage](https://cloud.google.com/dotnet/docs/reference/Google.Protobuf/latest/Google.Protobuf.IBufferMessage.html), [IMessage](https://cloud.google.com/dotnet/docs/reference/Google.Protobuf/latest/Google.Protobuf.IMessage.html)

Inherited Members
-----------------

[object.GetHashCode()](https://learn.microsoft.com/dotnet/api/system.object.gethashcode)
[object.GetType()](https://learn.microsoft.com/dotnet/api/system.object.gettype)
[object.ToString()](https://learn.microsoft.com/dotnet/api/system.object.tostring)

Namespace
---------

[Google.Cloud.Iam.V2](/dotnet/docs/reference/Google.Cloud.Iam.V2/latest/Google.Cloud.Iam.V2)

Assembly
--------

Google.Cloud.Iam.V2.dll

Constructors
------------

### DenyRule()

    public DenyRule()

### DenyRule(DenyRule)

    public DenyRule(DenyRule other)

Properties
----------

### DenialCondition

    public Expr DenialCondition { get; set; }

The condition that determines whether this deny rule applies to a request.
If the condition expression evaluates to `true`, then the deny rule is
applied; otherwise, the deny rule is not applied.

Each deny rule is evaluated independently. If this deny rule does not apply
to a request, other deny rules might still apply.

The condition can use CEL functions that evaluate
[resource tags](https://cloud.google.com/iam/help/conditions/resource-tags). Other
functions and operators are not supported.

### DeniedPermissions

    public RepeatedField<string> DeniedPermissions { get; }

The permissions that are explicitly denied by this rule. Each permission
uses the format `{service_fqdn}/{resource}.{verb}`, where `{service_fqdn}`
is the fully qualified domain name for the service. For example,
`iam.googleapis.com/roles.list`.

### DeniedPrincipals

    public RepeatedField<string> DeniedPrincipals { get; }

The identities that are prevented from using one or more permissions on
Google Cloud resources. This field can contain the following values:

- `principalSet://goog/public:all`: A special identifier that represents
  any principal that is on the internet, even if they do not have a Google
  Account or are not logged in.

- `principal://goog/subject/{email_id}`: A specific Google Account.
  Includes Gmail, Cloud Identity, and Google Workspace user accounts. For
  example, `principal://goog/subject/alice@example.com`.

- `deleted:principal://goog/subject/{email_id}?uid={uid}`: A specific
  Google Account that was deleted recently. For example,
  `deleted:principal://goog/subject/alice@example.com?uid=1234567890`. If
  the Google Account is recovered, this identifier reverts to the standard
  identifier for a Google Account.

- `principalSet://goog/group/{group_id}`: A Google group. For example,
  `principalSet://goog/group/admins@example.com`.

- `deleted:principalSet://goog/group/{group_id}?uid={uid}`: A Google group
  that was deleted recently. For example,
  `deleted:principalSet://goog/group/admins@example.com?uid=1234567890`. If
  the Google group is restored, this identifier reverts to the standard
  identifier for a Google group.

- `principal://iam.googleapis.com/projects/-/serviceAccounts/{service_account_id}`:
  A Google Cloud service account. For example,
  `principal://iam.googleapis.com/projects/-/serviceAccounts/my-service-account@iam.gserviceaccount.com`.

- `deleted:principal://iam.googleapis.com/projects/-/serviceAccounts/{service_account_id}?uid={uid}`:
  A Google Cloud service account that was deleted recently. For example,
  `deleted:principal://iam.googleapis.com/projects/-/serviceAccounts/my-service-account@iam.gserviceaccount.com?uid=1234567890`.
  If the service account is undeleted, this identifier reverts to the
  standard identifier for a service account.

- `principalSet://goog/cloudIdentityCustomerId/{customer_id}`: All of the
  principals associated with the specified Google Workspace or Cloud
  Identity customer ID. For example,
  `principalSet://goog/cloudIdentityCustomerId/C01Abc35`.

### ExceptionPermissions

    public RepeatedField<string> ExceptionPermissions { get; }

Specifies the permissions that this rule excludes from the set of denied
permissions given by `denied_permissions`. If a permission appears in
`denied_permissions` *and* in `exception_permissions`, then it will *not* be
denied.

The excluded permissions can be specified using the same syntax as
`denied_permissions`.

### ExceptionPrincipals

    public RepeatedField<string> ExceptionPrincipals { get; }

The identities that are excluded from the deny rule, even if they are
listed in the `denied_principals`. For example, you could add a Google
group to the `denied_principals`, then exclude specific users who belong to
that group.

This field can contain the same values as the `denied_principals` field,
excluding `principalSet://goog/public:all`, which represents all users on
the internet.

Last updated 2025-08-07 UTC.
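An added example, not code from the Google.Cloud.Iam.V2 reference itself: it builds a `DenyRule` that blocks a group from listing custom roles on resources tagged `env=prod`, carves one break-glass account back out with `ExceptionPrincipals`, and checks the rule against the constraints stated above before wrapping it in a deny `Policy`. The CEL function `resource.matchTag`, the tag key `ORG_ID/env` (placeholder), and the `PolicyRule`/`Policy` wrapper are assumptions outside this page.

```csharp
using System.Collections.Generic;
using System.Linq;
using System.Text.RegularExpressions;
using Google.Cloud.Iam.V2;
using Google.Type;   // Expr, the type of DenialCondition

public static class DenyRuleExample
{
    // Permission format documented for DeniedPermissions: {service_fqdn}/{resource}.{verb}
    static readonly Regex PermissionFormat =
        new Regex(@"^[a-z0-9-]+(\.[a-z0-9-]+)*\.googleapis\.com/[A-Za-z0-9]+\.[A-Za-z0-9]+$");

    public static DenyRule BuildRule() => new DenyRule
    {
        // The whole group is denied; one member is carved back out via ExceptionPrincipals.
        DeniedPrincipals = { "principalSet://goog/group/admins@example.com" },
        ExceptionPrincipals = { "principal://goog/subject/alice@example.com" },
        // roles.get appears in both sets, so it is NOT denied; only roles.list is.
        DeniedPermissions = { "iam.googleapis.com/roles.list", "iam.googleapis.com/roles.get" },
        ExceptionPermissions = { "iam.googleapis.com/roles.get" },
        // Only resource-tag CEL functions are supported; matchTag and ORG_ID/env are assumed.
        DenialCondition = new Expr
        {
            Title = "prod only",
            Expression = "resource.matchTag('ORG_ID/env', 'prod')",
        },
    };

    // Returns the problems found when checking the rule against what the reference states.
    public static List<string> Validate(DenyRule rule)
    {
        var problems = new List<string>();
        // public:all may be denied but is not allowed as an exception principal.
        if (rule.ExceptionPrincipals.Contains("principalSet://goog/public:all"))
            problems.Add("principalSet://goog/public:all is not permitted in ExceptionPrincipals");
        foreach (var p in rule.DeniedPermissions.Concat(rule.ExceptionPermissions))
            if (!PermissionFormat.IsMatch(p))
                problems.Add($"permission does not match {{service_fqdn}}/{{resource}}.{{verb}}: {p}");
        // An exception that is not also denied exempts nothing, which usually means a typo.
        foreach (var p in rule.ExceptionPermissions.Except(rule.DeniedPermissions))
            problems.Add($"exception permission is never denied by this rule: {p}");
        return problems;
    }

    // Assumed wrapper (PolicyRule/Policy from the same v2 API) showing where the rule lives.
    public static Policy WrapInPolicy(DenyRule rule) => new Policy
    {
        DisplayName = "Deny role listing on prod resources",
        Rules = { new PolicyRule { Description = "admins group, prod tag", DenyRule = rule } },
    };
}
```

Run `Validate(BuildRule())` before submitting the policy; an empty list means every permission matches the documented format and every exception actually narrows a denial.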