public sealed class DenyRuleExplanation : IMessage<DenyRuleExplanation>, IEquatable<DenyRuleExplanation>, IDeepCloneable<DenyRuleExplanation>, IBufferMessage, IMessage
Reference documentation and code samples for the Policy Troubleshooter v3 API class DenyRuleExplanation.
Details about how a deny rule in a deny policy affects a principal's ability
to use a permission.
public MapField<string, DenyRuleExplanation.Types.AnnotatedDenyPrincipalMatching> DeniedPrincipals { get; }
Lists all denied principals in the deny rule and indicates whether each
principal matches the principal in the request, either directly or through
membership in a principal set.
Each key identifies a denied principal in the rule, and each value
indicates whether the denied principal matches the principal in the
request.
public DenyAccessState DenyAccessState { get; set; }
Required. Indicates whether this rule denies the specified permission to
the specified principal for the specified resource.
This field does not indicate whether the principal is actually denied on
the permission for the resource. There might be another rule that overrides
this rule. To determine whether the principal actually has the permission,
use the overall_access_state field in the
[TroubleshootIamPolicyResponse][google.cloud.policytroubleshooter.iam.v3.TroubleshootIamPolicyResponse].
public MapField<string, DenyRuleExplanation.Types.AnnotatedPermissionMatching> ExceptionPermissions { get; }
Lists all exception permissions in the deny rule and indicates whether each
permission matches the permission in the request.
Each key identifies a exception permission in the rule, and each value
indicates whether the exception permission matches the permission in the
request.
public MapField<string, DenyRuleExplanation.Types.AnnotatedDenyPrincipalMatching> ExceptionPrincipals { get; }
Lists all exception principals in the deny rule and indicates whether each
principal matches the principal in the request, either directly or through
membership in a principal set.
Each key identifies a exception principal in the rule, and each value
indicates whether the exception principal matches the principal in the
request.
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Missing the information I need","missingTheInformationINeed","thumb-down"],["Too complicated / too many steps","tooComplicatedTooManySteps","thumb-down"],["Out of date","outOfDate","thumb-down"],["Samples / code issue","samplesCodeIssue","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-08-07 UTC."],[[["\u003cp\u003eThis documentation is for the \u003ccode\u003eDenyRuleExplanation\u003c/code\u003e class within the Policy Troubleshooter v3 API, specifically for the .NET environment, providing details on deny rule effects.\u003c/p\u003e\n"],["\u003cp\u003eThe \u003ccode\u003eDenyRuleExplanation\u003c/code\u003e class, which can be instantiated with or without another \u003ccode\u003eDenyRuleExplanation\u003c/code\u003e object, is designed to analyze and describe how a deny rule in a policy influences a principal's ability to use a permission.\u003c/p\u003e\n"],["\u003cp\u003eIt features properties such as \u003ccode\u003eCombinedDeniedPermission\u003c/code\u003e, \u003ccode\u003eCombinedDeniedPrincipal\u003c/code\u003e, \u003ccode\u003eCondition\u003c/code\u003e, and \u003ccode\u003eDenyAccessState\u003c/code\u003e, to determine whether the principal is denied access under certain conditions.\u003c/p\u003e\n"],["\u003cp\u003eIt also includes detailed maps like \u003ccode\u003eDeniedPermissions\u003c/code\u003e, \u003ccode\u003eDeniedPrincipals\u003c/code\u003e, \u003ccode\u003eExceptionPermissions\u003c/code\u003e, and \u003ccode\u003eExceptionPrincipals\u003c/code\u003e, each providing comprehensive lists and matching details regarding permissions and principals within deny rules.\u003c/p\u003e\n"],["\u003cp\u003eThe class implements multiple interfaces, including \u003ccode\u003eIMessage\u003c/code\u003e, \u003ccode\u003eIEquatable\u003c/code\u003e, and \u003ccode\u003eIDeepCloneable\u003c/code\u003e, to support various functionalities within the Google Cloud environment.\u003c/p\u003e\n"]]],[],null,["# Policy Troubleshooter v3 API - Class DenyRuleExplanation (1.2.0)\n\nVersion latestkeyboard_arrow_down\n\n- [1.2.0 (latest)](/dotnet/docs/reference/Google.Cloud.PolicyTroubleshooter.Iam.V3/latest/Google.Cloud.PolicyTroubleshooter.Iam.V3.DenyRuleExplanation)\n- [1.1.0](/dotnet/docs/reference/Google.Cloud.PolicyTroubleshooter.Iam.V3/1.1.0/Google.Cloud.PolicyTroubleshooter.Iam.V3.DenyRuleExplanation)\n- [1.0.0](/dotnet/docs/reference/Google.Cloud.PolicyTroubleshooter.Iam.V3/1.0.0/Google.Cloud.PolicyTroubleshooter.Iam.V3.DenyRuleExplanation) \n\n public sealed class DenyRuleExplanation : IMessage\u003cDenyRuleExplanation\u003e, IEquatable\u003cDenyRuleExplanation\u003e, IDeepCloneable\u003cDenyRuleExplanation\u003e, IBufferMessage, IMessage\n\nReference documentation and code samples for the Policy Troubleshooter v3 API class DenyRuleExplanation.\n\nDetails about how a deny rule in a deny policy affects a principal's ability\nto use a permission. \n\nInheritance\n-----------\n\n[object](https://learn.microsoft.com/dotnet/api/system.object) \\\u003e DenyRuleExplanation \n\nImplements\n----------\n\n[IMessage](https://cloud.google.com/dotnet/docs/reference/Google.Protobuf/latest/Google.Protobuf.IMessage-1.html)[DenyRuleExplanation](/dotnet/docs/reference/Google.Cloud.PolicyTroubleshooter.Iam.V3/latest/Google.Cloud.PolicyTroubleshooter.Iam.V3.DenyRuleExplanation), [IEquatable](https://learn.microsoft.com/dotnet/api/system.iequatable-1)[DenyRuleExplanation](/dotnet/docs/reference/Google.Cloud.PolicyTroubleshooter.Iam.V3/latest/Google.Cloud.PolicyTroubleshooter.Iam.V3.DenyRuleExplanation), [IDeepCloneable](https://cloud.google.com/dotnet/docs/reference/Google.Protobuf/latest/Google.Protobuf.IDeepCloneable-1.html)[DenyRuleExplanation](/dotnet/docs/reference/Google.Cloud.PolicyTroubleshooter.Iam.V3/latest/Google.Cloud.PolicyTroubleshooter.Iam.V3.DenyRuleExplanation), [IBufferMessage](https://cloud.google.com/dotnet/docs/reference/Google.Protobuf/latest/Google.Protobuf.IBufferMessage.html), [IMessage](https://cloud.google.com/dotnet/docs/reference/Google.Protobuf/latest/Google.Protobuf.IMessage.html) \n\nInherited Members\n-----------------\n\n[object.GetHashCode()](https://learn.microsoft.com/dotnet/api/system.object.gethashcode) \n[object.GetType()](https://learn.microsoft.com/dotnet/api/system.object.gettype) \n[object.ToString()](https://learn.microsoft.com/dotnet/api/system.object.tostring)\n\nNamespace\n---------\n\n[Google.Cloud.PolicyTroubleshooter.Iam.V3](/dotnet/docs/reference/Google.Cloud.PolicyTroubleshooter.Iam.V3/latest/Google.Cloud.PolicyTroubleshooter.Iam.V3)\n\nAssembly\n--------\n\nGoogle.Cloud.PolicyTroubleshooter.Iam.V3.dll\n\nConstructors\n------------\n\n### DenyRuleExplanation()\n\n public DenyRuleExplanation()\n\n### DenyRuleExplanation(DenyRuleExplanation)\n\n public DenyRuleExplanation(DenyRuleExplanation other)\n\nProperties\n----------\n\n### CombinedDeniedPermission\n\n public DenyRuleExplanation.Types.AnnotatedPermissionMatching CombinedDeniedPermission { get; set; }\n\nIndicates whether the permission in the request is listed as a denied\npermission in the deny rule.\n\n### CombinedDeniedPrincipal\n\n public DenyRuleExplanation.Types.AnnotatedDenyPrincipalMatching CombinedDeniedPrincipal { get; set; }\n\nIndicates whether the principal is listed as a denied principal in the\ndeny rule, either directly or through membership in a principal set.\n\n### CombinedExceptionPermission\n\n public DenyRuleExplanation.Types.AnnotatedPermissionMatching CombinedExceptionPermission { get; set; }\n\nIndicates whether the permission in the request is listed as an exception\npermission in the deny rule.\n\n### CombinedExceptionPrincipal\n\n public DenyRuleExplanation.Types.AnnotatedDenyPrincipalMatching CombinedExceptionPrincipal { get; set; }\n\nIndicates whether the principal is listed as an exception principal in the\ndeny rule, either directly or through membership in a principal set.\n\n### Condition\n\n public Expr Condition { get; set; }\n\nA condition expression that specifies when the deny rule denies the\nprincipal access.\n\nTo learn about IAM Conditions, see\n\u003chttps://cloud.google.com/iam/help/conditions/overview\u003e.\n\n### ConditionExplanation\n\n public ConditionExplanation ConditionExplanation { get; set; }\n\nCondition evaluation state for this role binding.\n\n### DeniedPermissions\n\n public MapField\u003cstring, DenyRuleExplanation.Types.AnnotatedPermissionMatching\u003e DeniedPermissions { get; }\n\nLists all denied permissions in the deny rule and indicates whether each\npermission matches the permission in the request.\n\nEach key identifies a denied permission in the rule, and each value\nindicates whether the denied permission matches the permission in the\nrequest.\n\n### DeniedPrincipals\n\n public MapField\u003cstring, DenyRuleExplanation.Types.AnnotatedDenyPrincipalMatching\u003e DeniedPrincipals { get; }\n\nLists all denied principals in the deny rule and indicates whether each\nprincipal matches the principal in the request, either directly or through\nmembership in a principal set.\n\nEach key identifies a denied principal in the rule, and each value\nindicates whether the denied principal matches the principal in the\nrequest.\n\n### DenyAccessState\n\n public DenyAccessState DenyAccessState { get; set; }\n\nRequired. Indicates whether *this rule* denies the specified permission to\nthe specified principal for the specified resource.\n\nThis field does *not* indicate whether the principal is actually denied on\nthe permission for the resource. There might be another rule that overrides\nthis rule. To determine whether the principal actually has the permission,\nuse the `overall_access_state` field in the\n\\[TroubleshootIamPolicyResponse\\]\\[google.cloud.policytroubleshooter.iam.v3.TroubleshootIamPolicyResponse\\].\n\n### ExceptionPermissions\n\n public MapField\u003cstring, DenyRuleExplanation.Types.AnnotatedPermissionMatching\u003e ExceptionPermissions { get; }\n\nLists all exception permissions in the deny rule and indicates whether each\npermission matches the permission in the request.\n\nEach key identifies a exception permission in the rule, and each value\nindicates whether the exception permission matches the permission in the\nrequest.\n\n### ExceptionPrincipals\n\n public MapField\u003cstring, DenyRuleExplanation.Types.AnnotatedDenyPrincipalMatching\u003e ExceptionPrincipals { get; }\n\nLists all exception principals in the deny rule and indicates whether each\nprincipal matches the principal in the request, either directly or through\nmembership in a principal set.\n\nEach key identifies a exception principal in the rule, and each value\nindicates whether the exception principal matches the principal in the\nrequest.\n\n### Relevance\n\n public HeuristicRelevance Relevance { get; set; }\n\nThe relevance of this role binding to the overall determination for the\nentire policy."]]
