public sealed class ExplainedAllowPolicy : IMessage<ExplainedAllowPolicy>, IEquatable<ExplainedAllowPolicy>, IDeepCloneable<ExplainedAllowPolicy>, IBufferMessage, IMessage
Reference documentation and code samples for the Policy Troubleshooter v3 API class ExplainedAllowPolicy.
Details about how a specific IAM allow policy contributed to the final access
state.
public AllowAccessState AllowAccessState { get; set; }
Required. Indicates whether this policy provides the specified permission
to the specified principal for the specified resource.
This field does not indicate whether the principal actually has the
permission for the resource. There might be another policy that overrides
this policy. To determine whether the principal actually has the
permission, use the overall_access_state field in the
[TroubleshootIamPolicyResponse][google.cloud.policytroubleshooter.iam.v3.TroubleshootIamPolicyResponse].
public RepeatedField<AllowBindingExplanation> BindingExplanations { get; }
Details about how each role binding in the policy affects the principal's
ability, or inability, to use the permission for the resource. The order of
the role bindings matches the role binding order in the policy.
If the sender of the request does not have access to the policy, this field
is omitted.
The full resource name that identifies the resource. For example,
//compute.googleapis.com/projects/my-project/zones/us-central1-a/instances/my-instance.
If the sender of the request does not have access to the policy, this field
is omitted.
The relevance of this policy to the overall access state in the
[TroubleshootIamPolicyResponse][google.cloud.policytroubleshooter.iam.v3.TroubleshootIamPolicyResponse].
If the sender of the request does not have access to the policy, this field
is omitted.
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Missing the information I need","missingTheInformationINeed","thumb-down"],["Too complicated / too many steps","tooComplicatedTooManySteps","thumb-down"],["Out of date","outOfDate","thumb-down"],["Samples / code issue","samplesCodeIssue","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-08-07 UTC."],[[["\u003cp\u003eThis documentation details the \u003ccode\u003eExplainedAllowPolicy\u003c/code\u003e class, part of the Policy Troubleshooter v3 API in Google Cloud, and its role in analyzing IAM allow policies.\u003c/p\u003e\n"],["\u003cp\u003eThe \u003ccode\u003eExplainedAllowPolicy\u003c/code\u003e class is sealed and implements several interfaces including \u003ccode\u003eIMessage\u003c/code\u003e, \u003ccode\u003eIEquatable\u003c/code\u003e, \u003ccode\u003eIDeepCloneable\u003c/code\u003e, and \u003ccode\u003eIBufferMessage\u003c/code\u003e, providing detailed information on how a specific IAM allow policy contributes to the final access state.\u003c/p\u003e\n"],["\u003cp\u003eKey properties of \u003ccode\u003eExplainedAllowPolicy\u003c/code\u003e include \u003ccode\u003eAllowAccessState\u003c/code\u003e (indicating whether the policy provides a specific permission), \u003ccode\u003eBindingExplanations\u003c/code\u003e (detailing role binding effects), \u003ccode\u003eFullResourceName\u003c/code\u003e (identifying the resource), \u003ccode\u003ePolicy\u003c/code\u003e (the attached IAM allow policy), and \u003ccode\u003eRelevance\u003c/code\u003e (the policy's importance to the overall access state).\u003c/p\u003e\n"],["\u003cp\u003eThere are two constructors available for the \u003ccode\u003eExplainedAllowPolicy\u003c/code\u003e class: one default constructor and another that takes an existing \u003ccode\u003eExplainedAllowPolicy\u003c/code\u003e object as a parameter.\u003c/p\u003e\n"],["\u003cp\u003eThe documentation is presented with three versions available for the class which are 1.2.0 (latest), 1.1.0, and 1.0.0.\u003c/p\u003e\n"]]],[],null,["# Policy Troubleshooter v3 API - Class ExplainedAllowPolicy (1.2.0)\n\nVersion latestkeyboard_arrow_down\n\n- [1.2.0 (latest)](/dotnet/docs/reference/Google.Cloud.PolicyTroubleshooter.Iam.V3/latest/Google.Cloud.PolicyTroubleshooter.Iam.V3.ExplainedAllowPolicy)\n- [1.1.0](/dotnet/docs/reference/Google.Cloud.PolicyTroubleshooter.Iam.V3/1.1.0/Google.Cloud.PolicyTroubleshooter.Iam.V3.ExplainedAllowPolicy)\n- [1.0.0](/dotnet/docs/reference/Google.Cloud.PolicyTroubleshooter.Iam.V3/1.0.0/Google.Cloud.PolicyTroubleshooter.Iam.V3.ExplainedAllowPolicy) \n\n public sealed class ExplainedAllowPolicy : IMessage\u003cExplainedAllowPolicy\u003e, IEquatable\u003cExplainedAllowPolicy\u003e, IDeepCloneable\u003cExplainedAllowPolicy\u003e, IBufferMessage, IMessage\n\nReference documentation and code samples for the Policy Troubleshooter v3 API class ExplainedAllowPolicy.\n\nDetails about how a specific IAM allow policy contributed to the final access\nstate. \n\nInheritance\n-----------\n\n[object](https://learn.microsoft.com/dotnet/api/system.object) \\\u003e ExplainedAllowPolicy \n\nImplements\n----------\n\n[IMessage](https://cloud.google.com/dotnet/docs/reference/Google.Protobuf/latest/Google.Protobuf.IMessage-1.html)[ExplainedAllowPolicy](/dotnet/docs/reference/Google.Cloud.PolicyTroubleshooter.Iam.V3/latest/Google.Cloud.PolicyTroubleshooter.Iam.V3.ExplainedAllowPolicy), [IEquatable](https://learn.microsoft.com/dotnet/api/system.iequatable-1)[ExplainedAllowPolicy](/dotnet/docs/reference/Google.Cloud.PolicyTroubleshooter.Iam.V3/latest/Google.Cloud.PolicyTroubleshooter.Iam.V3.ExplainedAllowPolicy), [IDeepCloneable](https://cloud.google.com/dotnet/docs/reference/Google.Protobuf/latest/Google.Protobuf.IDeepCloneable-1.html)[ExplainedAllowPolicy](/dotnet/docs/reference/Google.Cloud.PolicyTroubleshooter.Iam.V3/latest/Google.Cloud.PolicyTroubleshooter.Iam.V3.ExplainedAllowPolicy), [IBufferMessage](https://cloud.google.com/dotnet/docs/reference/Google.Protobuf/latest/Google.Protobuf.IBufferMessage.html), [IMessage](https://cloud.google.com/dotnet/docs/reference/Google.Protobuf/latest/Google.Protobuf.IMessage.html) \n\nInherited Members\n-----------------\n\n[object.GetHashCode()](https://learn.microsoft.com/dotnet/api/system.object.gethashcode) \n[object.GetType()](https://learn.microsoft.com/dotnet/api/system.object.gettype) \n[object.ToString()](https://learn.microsoft.com/dotnet/api/system.object.tostring)\n\nNamespace\n---------\n\n[Google.Cloud.PolicyTroubleshooter.Iam.V3](/dotnet/docs/reference/Google.Cloud.PolicyTroubleshooter.Iam.V3/latest/Google.Cloud.PolicyTroubleshooter.Iam.V3)\n\nAssembly\n--------\n\nGoogle.Cloud.PolicyTroubleshooter.Iam.V3.dll\n\nConstructors\n------------\n\n### ExplainedAllowPolicy()\n\n public ExplainedAllowPolicy()\n\n### ExplainedAllowPolicy(ExplainedAllowPolicy)\n\n public ExplainedAllowPolicy(ExplainedAllowPolicy other)\n\nProperties\n----------\n\n### AllowAccessState\n\n public AllowAccessState AllowAccessState { get; set; }\n\nRequired. Indicates whether *this policy* provides the specified permission\nto the specified principal for the specified resource.\n\nThis field does *not* indicate whether the principal actually has the\npermission for the resource. There might be another policy that overrides\nthis policy. To determine whether the principal actually has the\npermission, use the `overall_access_state` field in the\n\\[TroubleshootIamPolicyResponse\\]\\[google.cloud.policytroubleshooter.iam.v3.TroubleshootIamPolicyResponse\\].\n\n### BindingExplanations\n\n public RepeatedField\u003cAllowBindingExplanation\u003e BindingExplanations { get; }\n\nDetails about how each role binding in the policy affects the principal's\nability, or inability, to use the permission for the resource. The order of\nthe role bindings matches the role binding order in the policy.\n\nIf the sender of the request does not have access to the policy, this field\nis omitted.\n\n### FullResourceName\n\n public string FullResourceName { get; set; }\n\nThe full resource name that identifies the resource. For example,\n`//compute.googleapis.com/projects/my-project/zones/us-central1-a/instances/my-instance`.\n\nIf the sender of the request does not have access to the policy, this field\nis omitted.\n\nFor examples of full resource names for Google Cloud services, see\n\u003chttps://cloud.google.com/iam/help/troubleshooter/full-resource-names\u003e.\n\n### Policy\n\n public Policy Policy { get; set; }\n\nThe IAM allow policy attached to the resource.\n\nIf the sender of the request does not have access to the policy, this field\nis empty.\n\n### Relevance\n\n public HeuristicRelevance Relevance { get; set; }\n\nThe relevance of this policy to the overall access state in the\n\\[TroubleshootIamPolicyResponse\\]\\[google.cloud.policytroubleshooter.iam.v3.TroubleshootIamPolicyResponse\\].\n\nIf the sender of the request does not have access to the policy, this field\nis omitted."]]
