public sealed class BindingExplanation : IMessage<BindingExplanation>, IEquatable<BindingExplanation>, IDeepCloneable<BindingExplanation>, IBufferMessage, IMessage
Reference documentation and code samples for the Policy Troubleshooter v1 API class BindingExplanation.
Details about how a binding in a policy affects a principal's ability to use
a permission.
Required. Indicates whether this binding provides the specified
permission to the specified principal for the specified resource.
This field does not indicate whether the principal actually has the
permission for the resource. There might be another binding that overrides
this binding. To determine whether the principal actually has the
permission, use the access field in the TroubleshootIamPolicyResponse.
public MapField<string, BindingExplanation.Types.AnnotatedMembership> Memberships { get; }
Indicates whether each principal in the binding includes the principal
specified in the request, either directly or indirectly. Each key
identifies a principal in the binding, and each value indicates whether the
principal in the binding includes the principal in the request.
For example, suppose that a binding includes the following principals:
user:alice@example.com
group:product-eng@example.com
You want to troubleshoot access for user:bob@example.com. This user is a
principal of the group group:product-eng@example.com.
For the first principal in the binding, the key is
user:alice@example.com, and the membership field in the value is set to
MEMBERSHIP_NOT_INCLUDED.
For the second principal in the binding, the key is
group:product-eng@example.com, and the membership field in the value is
set to MEMBERSHIP_INCLUDED.
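The following C# sketch is an added example, not code from the Google.Cloud.PolicyTroubleshooter.V1 documentation. It reads `Memberships` and `Access` from a binding built to match the example above, and reports the binding-level result next to the response-level `Access`, which is the authoritative one. The class name, the `Describe` helper and the sample values are assumptions made for illustration.

```csharp
using System;
using System.Linq;
using Google.Cloud.PolicyTroubleshooter.V1;
using Types = Google.Cloud.PolicyTroubleshooter.V1.BindingExplanation.Types;

public static class BindingExplanationExample
{
    // Hypothetical helper: summarizes one binding against the overall result.
    public static string Describe(BindingExplanation binding,
                                  TroubleshootIamPolicyResponse response)
    {
        // Principals in the binding that include the requested principal.
        var included = binding.Memberships
            .Where(m => m.Value.Membership == Types.Membership.Included)
            .Select(m => m.Key).OrderBy(k => k, StringComparer.Ordinal);
        // Anything neither Included nor NotIncluded is treated as inconclusive.
        var inconclusive = binding.Memberships
            .Where(m => m.Value.Membership != Types.Membership.Included
                     && m.Value.Membership != Types.Membership.NotIncluded)
            .Select(m => m.Key).OrderBy(k => k, StringComparer.Ordinal);

        return $"role={binding.Role}; " +
               $"matched via [{string.Join(", ", included)}]; " +
               $"inconclusive [{string.Join(", ", inconclusive)}]; " +
               $"binding access={binding.Access}; " +
               // Only the response-level field says what the principal really has.
               $"effective access={response.Access}";
    }

    public static void Main()
    {
        // Constructed sample: the request troubleshoots user:bob@example.com.
        var binding = new BindingExplanation
        {
            Role = "roles/compute.serviceAgent",
            Access = AccessState.Granted,
            Memberships =
            {
                ["user:alice@example.com"] = new Types.AnnotatedMembership
                    { Membership = Types.Membership.NotIncluded },
                ["group:product-eng@example.com"] = new Types.AnnotatedMembership
                    { Membership = Types.Membership.Included },
            },
        };
        // Constructed: the response-level result differs from this binding's result.
        var response = new TroubleshootIamPolicyResponse { Access = AccessState.NotGranted };
        Console.WriteLine(Describe(binding, response));
    }
}
```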
public Expr Condition { get; set; }
A condition expression that prevents this binding from granting access
unless the expression evaluates to true.
To learn about IAM Conditions, see
https://cloud.google.com/iam/help/conditions/overview.
public HeuristicRelevance Relevance { get; set; }
The relevance of this binding to the overall determination for the entire
policy.
public string Role { get; set; }
The role that this binding grants. For example,
roles/compute.serviceAgent.
For a complete list of predefined IAM roles, as well as the permissions in
each role, see https://cloud.google.com/iam/help/roles/reference.
public BindingExplanation.Types.RolePermission RolePermission { get; set; }
Indicates whether the role granted by this binding contains the specified
permission.
public HeuristicRelevance RolePermissionRelevance { get; set; }
The relevance of the permission's existence, or nonexistence, in the role
to the overall determination for the entire policy.
public BindingExplanation()
public BindingExplanation(BindingExplanation other)
Namespace: Google.Cloud.PolicyTroubleshooter.V1
Assembly: Google.Cloud.PolicyTroubleshooter.V1.dll
Version: 2.5.0 (latest)
Last updated 2025-08-07 UTC.