# Security Command Center v2 API - Class Access (1.2.0)

Last updated 2025-08-07 UTC.

    public sealed class Access : IMessage<Access>, IEquatable<Access>, IDeepCloneable<Access>, IBufferMessage, IMessage

Reference documentation and code samples for the Security Command Center v2 API class Access.

Represents an access event.

Inheritance
-----------

[object](https://learn.microsoft.com/dotnet/api/system.object) \> Access

Implements
----------

[IMessage](https://cloud.google.com/dotnet/docs/reference/Google.Protobuf/latest/Google.Protobuf.IMessage-1.html)\<Access\>, [IEquatable](https://learn.microsoft.com/dotnet/api/system.iequatable-1)\<Access\>, [IDeepCloneable](https://cloud.google.com/dotnet/docs/reference/Google.Protobuf/latest/Google.Protobuf.IDeepCloneable-1.html)\<Access\>, [IBufferMessage](https://cloud.google.com/dotnet/docs/reference/Google.Protobuf/latest/Google.Protobuf.IBufferMessage.html), [IMessage](https://cloud.google.com/dotnet/docs/reference/Google.Protobuf/latest/Google.Protobuf.IMessage.html)

Inherited Members
-----------------

- [object.GetHashCode()](https://learn.microsoft.com/dotnet/api/system.object.gethashcode)
- [object.GetType()](https://learn.microsoft.com/dotnet/api/system.object.gettype)
- [object.ToString()](https://learn.microsoft.com/dotnet/api/system.object.tostring)

Namespace
---------

[Google.Cloud.SecurityCenter.V2](/dotnet/docs/reference/Google.Cloud.SecurityCenter.V2/latest/Google.Cloud.SecurityCenter.V2)

Assembly
--------

Google.Cloud.SecurityCenter.V2.dll

Constructors
------------

### Access()

    public Access()

### Access(Access)

    public Access(Access other)

Properties
----------

### CallerIp

    public string CallerIp { get; set; }

Caller's IP address, such as "1.1.1.1".

### CallerIpGeo

    public Geolocation CallerIpGeo { get; set; }

The caller IP's geolocation, which identifies where the call came from.

### MethodName

    public string MethodName { get; set; }

The method that the service account called, e.g. "SetIamPolicy".

### PrincipalEmail

    public string PrincipalEmail { get; set; }

Associated email, such as "foo@google.com".

The email address of the authenticated user or a service account acting on
behalf of a third party principal making the request. For third party
identity callers, the `principal_subject` field is populated instead of
this field. For privacy reasons, the principal email address is sometimes
redacted. For more information, see [Caller identities in audit
logs](https://cloud.google.com/logging/docs/audit#user-id).

### PrincipalSubject

    public string PrincipalSubject { get; set; }

A string that represents the principal_subject that is associated with the
identity. Unlike `principal_email`, `principal_subject` supports principals
that aren't associated with email addresses, such as third party
principals. For most identities, the format is
`principal://iam.googleapis.com/{identity pool name}/subject/{subject}`.
Some GKE identities, such as GKE_WORKLOAD, FREEFORM, and GKE_HUB_WORKLOAD,
still use the legacy format `serviceAccount:{identity pool
name}[{subject}]`.

### ServiceAccountDelegationInfo

    public RepeatedField<ServiceAccountDelegationInfo> ServiceAccountDelegationInfo { get; }

The identity delegation history of an authenticated service account that
made the request. The `serviceAccountDelegationInfo[]` object contains
information about the real authorities that try to access Google Cloud
resources by delegating on a service account. When multiple authorities are
present, they are guaranteed to be sorted based on the original ordering of
the identity delegation events.

### ServiceAccountKeyName

    public string ServiceAccountKeyName { get; set; }

The name of the service account key that was used to create or exchange
credentials when authenticating the service account that made the request.
This is a scheme-less URI full resource name. For example:

"//iam.googleapis.com/projects/{PROJECT_ID}/serviceAccounts/{ACCOUNT}/keys/{key}".

### ServiceName

    public string ServiceName { get; set; }

This is the API service that the service account made a call to, e.g.
"iam.googleapis.com".

### UserAgent

    public string UserAgent { get; set; }

The caller's user agent string associated with the finding.

### UserAgentFamily

    public string UserAgentFamily { get; set; }

Type of user agent associated with the finding. For example, an operating
system shell or an embedded or standalone application.

### UserName

    public string UserName { get; set; }

A string that represents a username. The username provided depends on the
type of the finding and is likely not an IAM principal. For example, this
can be a system username if the finding is related to a virtual machine, or
it can be an application login username.
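
When triaging findings, the two `PrincipalSubject` formats described above have to be told apart before the pool and subject can be compared against an allow-list. The following C# parser is an added example, not part of the Google.Cloud.SecurityCenter.V2 library; `PrincipalSubjectParser`, `SubjectFormat`, and the sample values are hypothetical, and it assumes the first `/subject/` marker ends the identity pool name.

```csharp
using System;

// Added example: splits a principal_subject string into pool and subject for
// the two formats the PrincipalSubject documentation describes.
public enum SubjectFormat { Unrecognized, PrincipalUri, LegacyServiceAccount }

public static class PrincipalSubjectParser
{
    private const string UriPrefix = "principal://iam.googleapis.com/";
    private const string SubjectMarker = "/subject/";
    private const string LegacyPrefix = "serviceAccount:";

    public static (SubjectFormat Format, string Pool, string Subject) Parse(string value)
    {
        var none = (SubjectFormat.Unrecognized, "", "");
        if (string.IsNullOrEmpty(value)) return none;

        if (value.StartsWith(UriPrefix, StringComparison.Ordinal))
        {
            string rest = value.Substring(UriPrefix.Length);
            // Assumption: the pool name never contains "/subject/", so the first
            // marker separates pool from subject (the subject may contain slashes).
            int i = rest.IndexOf(SubjectMarker, StringComparison.Ordinal);
            if (i <= 0 || i + SubjectMarker.Length >= rest.Length) return none;
            return (SubjectFormat.PrincipalUri,
                    rest.Substring(0, i), rest.Substring(i + SubjectMarker.Length));
        }

        if (value.StartsWith(LegacyPrefix, StringComparison.Ordinal)
            && value.EndsWith("]", StringComparison.Ordinal))
        {
            string rest = value.Substring(LegacyPrefix.Length);
            int open = rest.IndexOf('[');
            // Reject an empty pool ("[x]") or an empty subject ("pool[]").
            if (open <= 0 || open >= rest.Length - 2) return none;
            return (SubjectFormat.LegacyServiceAccount,
                    rest.Substring(0, open), rest.Substring(open + 1, rest.Length - open - 2));
        }
        return none;
    }

    public static void Main()
    {
        // Constructed sample values, not taken from real findings.
        string[] samples = {
            "principal://iam.googleapis.com/locations/global/workforcePools/example-pool/subject/alice@example.com",
            "serviceAccount:example-project.svc.id.goog[default/example-ksa]",
            "serviceAccount:example-project.svc.id.goog[]",   // malformed: empty subject
            "" };                                             // field not populated
        foreach (string s in samples) Console.WriteLine($"{Parse(s)} <- \"{s}\"");
    }
}
```

Anything returned as `Unrecognized` should be kept as a raw string for review rather than dropped, since the field can be empty when `PrincipalEmail` is populated instead.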