Class AllowBindingExplanation (1.61.0)

Details about how a role binding in an allow policy affects a principal's ability to use a permission.

Protobuf type google.cloud.policytroubleshooter.iam.v3.AllowBindingExplanation

Indicates whether each role binding includes the principal specified in the request, either directly or indirectly. Each key identifies a principal in the role binding, and each value indicates whether the principal in the role binding includes the principal in the request.

For example, suppose that a role binding includes the following principals:

• user:alice@example.com

• group:product-eng@example.com

  You want to troubleshoot access for user:bob@example.com. This user is a member of the group group:product-eng@example.com.

  For the first principal in the role binding, the key is user:alice@example.com, and the membership field in the value is set to NOT_INCLUDED.

  For the second principal in the role binding, the key is group:product-eng@example.com, and the membership field in the value is set to INCLUDED.

map<string, .google.cloud.policytroubleshooter.iam.v3.AllowBindingExplanation.AnnotatedAllowMembership> memberships = 6;

Required. Indicates whether this role binding gives the specified permission to the specified principal on the specified resource.

This field does not indicate whether the principal actually has the permission on the resource. There might be another role binding that overrides this role binding. To determine whether the principal actually has the permission, use the overall_access_state field in the TroubleshootIamPolicyResponse.

.google.cloud.policytroubleshooter.iam.v3.AllowAccessState allow_access_state = 1 [(.google.api.field_behavior) = REQUIRED];

Required. Indicates whether this role binding gives the specified permission to the specified principal on the specified resource.

This field does not indicate whether the principal actually has the permission on the resource. There might be another role binding that overrides this role binding. To determine whether the principal actually has the permission, use the overall_access_state field in the TroubleshootIamPolicyResponse.

.google.cloud.policytroubleshooter.iam.v3.AllowAccessState allow_access_state = 1 [(.google.api.field_behavior) = REQUIRED];

The combined result of all memberships. Indicates if the principal is included in any role binding, either directly or indirectly.

.google.cloud.policytroubleshooter.iam.v3.AllowBindingExplanation.AnnotatedAllowMembership combined_membership = 5;

The combined result of all memberships. Indicates if the principal is included in any role binding, either directly or indirectly.

.google.cloud.policytroubleshooter.iam.v3.AllowBindingExplanation.AnnotatedAllowMembership combined_membership = 5;

A condition expression that specifies when the role binding grants access.

To learn about IAM Conditions, see https://cloud.google.com/iam/help/conditions/overview.

.google.type.Expr condition = 8;

Condition evaluation state for this role binding.

.google.cloud.policytroubleshooter.iam.v3.ConditionExplanation condition_explanation = 9;

Condition evaluation state for this role binding.

.google.cloud.policytroubleshooter.iam.v3.ConditionExplanation condition_explanation = 9;

A condition expression that specifies when the role binding grants access.

To learn about IAM Conditions, see https://cloud.google.com/iam/help/conditions/overview.

.google.type.Expr condition = 8;

Use #getMembershipsMap() instead.

Indicates whether each role binding includes the principal specified in the request, either directly or indirectly. Each key identifies a principal in the role binding, and each value indicates whether the principal in the role binding includes the principal in the request.

For example, suppose that a role binding includes the following principals:

• user:alice@example.com

• group:product-eng@example.com

  You want to troubleshoot access for user:bob@example.com. This user is a member of the group group:product-eng@example.com.

  For the first principal in the role binding, the key is user:alice@example.com, and the membership field in the value is set to NOT_INCLUDED.

  For the second principal in the role binding, the key is group:product-eng@example.com, and the membership field in the value is set to INCLUDED.

map<string, .google.cloud.policytroubleshooter.iam.v3.AllowBindingExplanation.AnnotatedAllowMembership> memberships = 6;

Indicates whether each role binding includes the principal specified in the request, either directly or indirectly. Each key identifies a principal in the role binding, and each value indicates whether the principal in the role binding includes the principal in the request.

For example, suppose that a role binding includes the following principals:

• user:alice@example.com

• group:product-eng@example.com

  You want to troubleshoot access for user:bob@example.com. This user is a member of the group group:product-eng@example.com.

  For the first principal in the role binding, the key is user:alice@example.com, and the membership field in the value is set to NOT_INCLUDED.

  For the second principal in the role binding, the key is group:product-eng@example.com, and the membership field in the value is set to INCLUDED.

map<string, .google.cloud.policytroubleshooter.iam.v3.AllowBindingExplanation.AnnotatedAllowMembership> memberships = 6;

Indicates whether each role binding includes the principal specified in the request, either directly or indirectly. Each key identifies a principal in the role binding, and each value indicates whether the principal in the role binding includes the principal in the request.

For example, suppose that a role binding includes the following principals:

• user:alice@example.com

• group:product-eng@example.com

  You want to troubleshoot access for user:bob@example.com. This user is a member of the group group:product-eng@example.com.

  For the first principal in the role binding, the key is user:alice@example.com, and the membership field in the value is set to NOT_INCLUDED.

  For the second principal in the role binding, the key is group:product-eng@example.com, and the membership field in the value is set to INCLUDED.

map<string, .google.cloud.policytroubleshooter.iam.v3.AllowBindingExplanation.AnnotatedAllowMembership> memberships = 6;

Indicates whether each role binding includes the principal specified in the request, either directly or indirectly. Each key identifies a principal in the role binding, and each value indicates whether the principal in the role binding includes the principal in the request.

For example, suppose that a role binding includes the following principals:

• user:alice@example.com

• group:product-eng@example.com

  You want to troubleshoot access for user:bob@example.com. This user is a member of the group group:product-eng@example.com.

  For the first principal in the role binding, the key is user:alice@example.com, and the membership field in the value is set to NOT_INCLUDED.

  For the second principal in the role binding, the key is group:product-eng@example.com, and the membership field in the value is set to INCLUDED.

map<string, .google.cloud.policytroubleshooter.iam.v3.AllowBindingExplanation.AnnotatedAllowMembership> memberships = 6;

The relevance of this role binding to the overall determination for the entire policy.

.google.cloud.policytroubleshooter.iam.v3.HeuristicRelevance relevance = 7;

The relevance of this role binding to the overall determination for the entire policy.

.google.cloud.policytroubleshooter.iam.v3.HeuristicRelevance relevance = 7;

The role that this role binding grants. For example, roles/compute.admin.

For a complete list of predefined IAM roles, as well as the permissions in each role, see https://cloud.google.com/iam/help/roles/reference.

string role = 2;

The role that this role binding grants. For example, roles/compute.admin.

For a complete list of predefined IAM roles, as well as the permissions in each role, see https://cloud.google.com/iam/help/roles/reference.

string role = 2;

Indicates whether the role granted by this role binding contains the specified permission.

.google.cloud.policytroubleshooter.iam.v3.RolePermissionInclusionState role_permission = 3;

The relevance of the permission's existence, or nonexistence, in the role to the overall determination for the entire policy.

.google.cloud.policytroubleshooter.iam.v3.HeuristicRelevance role_permission_relevance = 4;

The relevance of the permission's existence, or nonexistence, in the role to the overall determination for the entire policy.

.google.cloud.policytroubleshooter.iam.v3.HeuristicRelevance role_permission_relevance = 4;

Indicates whether the role granted by this role binding contains the specified permission.

.google.cloud.policytroubleshooter.iam.v3.RolePermissionInclusionState role_permission = 3;

The combined result of all memberships. Indicates if the principal is included in any role binding, either directly or indirectly.

.google.cloud.policytroubleshooter.iam.v3.AllowBindingExplanation.AnnotatedAllowMembership combined_membership = 5;

A condition expression that specifies when the role binding grants access.

To learn about IAM Conditions, see https://cloud.google.com/iam/help/conditions/overview.

.google.type.Expr condition = 8;

Condition evaluation state for this role binding.

.google.cloud.policytroubleshooter.iam.v3.ConditionExplanation condition_explanation = 9;