public sealed class AllowBindingExplanation : IMessage<AllowBindingExplanation>, IEquatable<AllowBindingExplanation>, IDeepCloneable<AllowBindingExplanation>, IBufferMessage, IMessage
Reference documentation and code samples for the Policy Troubleshooter v3 API class AllowBindingExplanation.
Details about how a role binding in an allow policy affects a principal's
ability to use a permission.
public AllowAccessState AllowAccessState { get; set; }
Required. Indicates whether this role binding gives the specified
permission to the specified principal on the specified resource.
This field does not indicate whether the principal actually has the
permission on the resource. There might be another role binding that
overrides this role binding. To determine whether the principal actually
has the permission, use the overall_access_state field in the
[TroubleshootIamPolicyResponse][google.cloud.policytroubleshooter.iam.v3.TroubleshootIamPolicyResponse].
public MapField<string, AllowBindingExplanation.Types.AnnotatedAllowMembership> Memberships { get; }
Indicates whether each role binding includes the principal specified in the
request, either directly or indirectly. Each key identifies a principal in
the role binding, and each value indicates whether the principal in the
role binding includes the principal in the request.
For example, suppose that a role binding includes the following principals:
user:alice@example.com
group:product-eng@example.com
You want to troubleshoot access for user:bob@example.com. This user is a
member of the group group:product-eng@example.com.
For the first principal in the role binding, the key is
user:alice@example.com, and the membership field in the value is set to
NOT_INCLUDED.
For the second principal in the role binding, the key is
group:product-eng@example.com, and the membership field in the value is
set to INCLUDED.
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Missing the information I need","missingTheInformationINeed","thumb-down"],["Too complicated / too many steps","tooComplicatedTooManySteps","thumb-down"],["Out of date","outOfDate","thumb-down"],["Samples / code issue","samplesCodeIssue","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-08-07 UTC."],[[["\u003cp\u003eThe \u003ccode\u003eAllowBindingExplanation\u003c/code\u003e class in the Policy Troubleshooter v3 API provides details on how a role binding in an allow policy affects a principal's permissions.\u003c/p\u003e\n"],["\u003cp\u003eThis class implements several interfaces including \u003ccode\u003eIMessage\u003c/code\u003e, \u003ccode\u003eIEquatable\u003c/code\u003e, \u003ccode\u003eIDeepCloneable\u003c/code\u003e, and \u003ccode\u003eIBufferMessage\u003c/code\u003e, ensuring compatibility with various data structures.\u003c/p\u003e\n"],["\u003cp\u003eKey properties of \u003ccode\u003eAllowBindingExplanation\u003c/code\u003e include \u003ccode\u003eAllowAccessState\u003c/code\u003e, \u003ccode\u003eCombinedMembership\u003c/code\u003e, \u003ccode\u003eCondition\u003c/code\u003e, and \u003ccode\u003eMemberships\u003c/code\u003e, which determine if a role binding grants a specified permission to a principal.\u003c/p\u003e\n"],["\u003cp\u003eThe \u003ccode\u003eRelevance\u003c/code\u003e, \u003ccode\u003eRolePermission\u003c/code\u003e, and \u003ccode\u003eRolePermissionRelevance\u003c/code\u003e properties indicate the importance of the role binding and its permissions in the overall policy.\u003c/p\u003e\n"],["\u003cp\u003eThis documentation includes 3 versions of the class: 1.2.0 (latest), 1.1.0, and 1.0.0, allowing users to explore specific version details.\u003c/p\u003e\n"]]],[],null,["# Policy Troubleshooter v3 API - Class AllowBindingExplanation (1.2.0)\n\nVersion latestkeyboard_arrow_down\n\n- [1.2.0 (latest)](/dotnet/docs/reference/Google.Cloud.PolicyTroubleshooter.Iam.V3/latest/Google.Cloud.PolicyTroubleshooter.Iam.V3.AllowBindingExplanation)\n- [1.1.0](/dotnet/docs/reference/Google.Cloud.PolicyTroubleshooter.Iam.V3/1.1.0/Google.Cloud.PolicyTroubleshooter.Iam.V3.AllowBindingExplanation)\n- [1.0.0](/dotnet/docs/reference/Google.Cloud.PolicyTroubleshooter.Iam.V3/1.0.0/Google.Cloud.PolicyTroubleshooter.Iam.V3.AllowBindingExplanation) \n\n public sealed class AllowBindingExplanation : IMessage\u003cAllowBindingExplanation\u003e, IEquatable\u003cAllowBindingExplanation\u003e, IDeepCloneable\u003cAllowBindingExplanation\u003e, IBufferMessage, IMessage\n\nReference documentation and code samples for the Policy Troubleshooter v3 API class AllowBindingExplanation.\n\nDetails about how a role binding in an allow policy affects a principal's\nability to use a permission. \n\nInheritance\n-----------\n\n[object](https://learn.microsoft.com/dotnet/api/system.object) \\\u003e AllowBindingExplanation \n\nImplements\n----------\n\n[IMessage](https://cloud.google.com/dotnet/docs/reference/Google.Protobuf/latest/Google.Protobuf.IMessage-1.html)[AllowBindingExplanation](/dotnet/docs/reference/Google.Cloud.PolicyTroubleshooter.Iam.V3/latest/Google.Cloud.PolicyTroubleshooter.Iam.V3.AllowBindingExplanation), [IEquatable](https://learn.microsoft.com/dotnet/api/system.iequatable-1)[AllowBindingExplanation](/dotnet/docs/reference/Google.Cloud.PolicyTroubleshooter.Iam.V3/latest/Google.Cloud.PolicyTroubleshooter.Iam.V3.AllowBindingExplanation), [IDeepCloneable](https://cloud.google.com/dotnet/docs/reference/Google.Protobuf/latest/Google.Protobuf.IDeepCloneable-1.html)[AllowBindingExplanation](/dotnet/docs/reference/Google.Cloud.PolicyTroubleshooter.Iam.V3/latest/Google.Cloud.PolicyTroubleshooter.Iam.V3.AllowBindingExplanation), [IBufferMessage](https://cloud.google.com/dotnet/docs/reference/Google.Protobuf/latest/Google.Protobuf.IBufferMessage.html), [IMessage](https://cloud.google.com/dotnet/docs/reference/Google.Protobuf/latest/Google.Protobuf.IMessage.html) \n\nInherited Members\n-----------------\n\n[object.GetHashCode()](https://learn.microsoft.com/dotnet/api/system.object.gethashcode) \n[object.GetType()](https://learn.microsoft.com/dotnet/api/system.object.gettype) \n[object.ToString()](https://learn.microsoft.com/dotnet/api/system.object.tostring)\n\nNamespace\n---------\n\n[Google.Cloud.PolicyTroubleshooter.Iam.V3](/dotnet/docs/reference/Google.Cloud.PolicyTroubleshooter.Iam.V3/latest/Google.Cloud.PolicyTroubleshooter.Iam.V3)\n\nAssembly\n--------\n\nGoogle.Cloud.PolicyTroubleshooter.Iam.V3.dll\n\nConstructors\n------------\n\n### AllowBindingExplanation()\n\n public AllowBindingExplanation()\n\n### AllowBindingExplanation(AllowBindingExplanation)\n\n public AllowBindingExplanation(AllowBindingExplanation other)\n\nProperties\n----------\n\n### AllowAccessState\n\n public AllowAccessState AllowAccessState { get; set; }\n\nRequired. Indicates whether *this role binding* gives the specified\npermission to the specified principal on the specified resource.\n\nThis field does *not* indicate whether the principal actually has the\npermission on the resource. There might be another role binding that\noverrides this role binding. To determine whether the principal actually\nhas the permission, use the `overall_access_state` field in the\n\\[TroubleshootIamPolicyResponse\\]\\[google.cloud.policytroubleshooter.iam.v3.TroubleshootIamPolicyResponse\\].\n\n### CombinedMembership\n\n public AllowBindingExplanation.Types.AnnotatedAllowMembership CombinedMembership { get; set; }\n\nThe combined result of all memberships. Indicates if the principal is\nincluded in any role binding, either directly or indirectly.\n\n### Condition\n\n public Expr Condition { get; set; }\n\nA condition expression that specifies when the role binding grants access.\n\nTo learn about IAM Conditions, see\n\u003chttps://cloud.google.com/iam/help/conditions/overview\u003e.\n\n### ConditionExplanation\n\n public ConditionExplanation ConditionExplanation { get; set; }\n\nCondition evaluation state for this role binding.\n\n### Memberships\n\n public MapField\u003cstring, AllowBindingExplanation.Types.AnnotatedAllowMembership\u003e Memberships { get; }\n\nIndicates whether each role binding includes the principal specified in the\nrequest, either directly or indirectly. Each key identifies a principal in\nthe role binding, and each value indicates whether the principal in the\nrole binding includes the principal in the request.\n\nFor example, suppose that a role binding includes the following principals:\n\n- `user:alice@example.com`\n- `group:product-eng@example.com`\n\nYou want to troubleshoot access for `user:bob@example.com`. This user is a\nmember of the group `group:product-eng@example.com`.\n\nFor the first principal in the role binding, the key is\n`user:alice@example.com`, and the `membership` field in the value is set to\n`NOT_INCLUDED`.\n\nFor the second principal in the role binding, the key is\n`group:product-eng@example.com`, and the `membership` field in the value is\nset to `INCLUDED`.\n\n### Relevance\n\n public HeuristicRelevance Relevance { get; set; }\n\nThe relevance of this role binding to the overall determination for the\nentire policy.\n\n### Role\n\n public string Role { get; set; }\n\nThe role that this role binding grants. For example,\n`roles/compute.admin`.\n\nFor a complete list of predefined IAM roles, as well as the permissions in\neach role, see \u003chttps://cloud.google.com/iam/help/roles/reference\u003e.\n\n### RolePermission\n\n public RolePermissionInclusionState RolePermission { get; set; }\n\nIndicates whether the role granted by this role binding contains the\nspecified permission.\n\n### RolePermissionRelevance\n\n public HeuristicRelevance RolePermissionRelevance { get; set; }\n\nThe relevance of the permission's existence, or nonexistence, in the role\nto the overall determination for the entire policy."]]
