public final class DenyRule extends GeneratedMessageV3 implements DenyRuleOrBuilder
   
   A deny rule in an IAM deny policy.
 Protobuf type google.iam.v2.DenyRule
    Inherited Members
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
      com.google.protobuf.GeneratedMessageV3.<ListT>makeMutableCopy(ListT)
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
   
  Static Fields
  
  DENIAL_CONDITION_FIELD_NUMBER
  
    public static final int DENIAL_CONDITION_FIELD_NUMBER
   
  
    
      
        | Field Value | 
      
        | Type | Description | 
      
        | int |  | 
    
  
  DENIED_PERMISSIONS_FIELD_NUMBER
  
    public static final int DENIED_PERMISSIONS_FIELD_NUMBER
   
  
    
      
        | Field Value | 
      
        | Type | Description | 
      
        | int |  | 
    
  
  DENIED_PRINCIPALS_FIELD_NUMBER
  
    public static final int DENIED_PRINCIPALS_FIELD_NUMBER
   
  
    
      
        | Field Value | 
      
        | Type | Description | 
      
        | int |  | 
    
  
  EXCEPTION_PERMISSIONS_FIELD_NUMBER
  
    public static final int EXCEPTION_PERMISSIONS_FIELD_NUMBER
   
  
    
      
        | Field Value | 
      
        | Type | Description | 
      
        | int |  | 
    
  
  EXCEPTION_PRINCIPALS_FIELD_NUMBER
  
    public static final int EXCEPTION_PRINCIPALS_FIELD_NUMBER
   
  
    
      
        | Field Value | 
      
        | Type | Description | 
      
        | int |  | 
    
  
  Static Methods
  
  
  getDefaultInstance()
  
    public static DenyRule getDefaultInstance()
   
  
  
  getDescriptor()
  
    public static final Descriptors.Descriptor getDescriptor()
   
  
  
  newBuilder()
  
    public static DenyRule.Builder newBuilder()
   
  
  
  newBuilder(DenyRule prototype)
  
    public static DenyRule.Builder newBuilder(DenyRule prototype)
   
  
    
      
        | Parameter | 
      
        | Name | Description | 
      
        | prototype | DenyRule
 | 
    
  
  
  
  
  
    public static DenyRule parseDelimitedFrom(InputStream input)
   
  
  
  
  
  
  
    public static DenyRule parseDelimitedFrom(InputStream input, ExtensionRegistryLite extensionRegistry)
   
  
  
  
  
  parseFrom(byte[] data)
  
    public static DenyRule parseFrom(byte[] data)
   
  
    
      
        | Parameter | 
      
        | Name | Description | 
      
        | data | byte[]
 | 
    
  
  
  
  
  parseFrom(byte[] data, ExtensionRegistryLite extensionRegistry)
  
    public static DenyRule parseFrom(byte[] data, ExtensionRegistryLite extensionRegistry)
   
  
  
  
  
  parseFrom(ByteString data)
  
    public static DenyRule parseFrom(ByteString data)
   
  
  
  
  
  parseFrom(ByteString data, ExtensionRegistryLite extensionRegistry)
  
    public static DenyRule parseFrom(ByteString data, ExtensionRegistryLite extensionRegistry)
   
  
  
  
  
  
  
    public static DenyRule parseFrom(CodedInputStream input)
   
  
  
  
  
  
  
    public static DenyRule parseFrom(CodedInputStream input, ExtensionRegistryLite extensionRegistry)
   
  
  
  
  
  
  
    public static DenyRule parseFrom(InputStream input)
   
  
  
  
  
  
  
    public static DenyRule parseFrom(InputStream input, ExtensionRegistryLite extensionRegistry)
   
  
  
  
  
  parseFrom(ByteBuffer data)
  
    public static DenyRule parseFrom(ByteBuffer data)
   
  
  
  
  
  parseFrom(ByteBuffer data, ExtensionRegistryLite extensionRegistry)
  
    public static DenyRule parseFrom(ByteBuffer data, ExtensionRegistryLite extensionRegistry)
   
  
  
  
  
  parser()
  
    public static Parser<DenyRule> parser()
   
  
  Methods
  
  
  equals(Object obj)
  
    public boolean equals(Object obj)
   
  
    
      
        | Parameter | 
      
        | Name | Description | 
      
        | obj | Object
 | 
    
  
  
  Overrides
  
  
  getDefaultInstanceForType()
  
    public DenyRule getDefaultInstanceForType()
   
  
  
  getDenialCondition()
  
    public Expr getDenialCondition()
   
   The condition that determines whether this deny rule applies to a request.
 If the condition expression evaluates to true, then the deny rule is
 applied; otherwise, the deny rule is not applied.
 Each deny rule is evaluated independently. If this deny rule does not apply
 to a request, other deny rules might still apply.
 The condition can use CEL functions that evaluate resource tags. Other
 functions and operators are not supported.
 .google.type.Expr denial_condition = 5;
    
      
        | Returns | 
      
        | Type | Description | 
      
        | com.google.type.Expr | The denialCondition. | 
    
  
  
  getDenialConditionOrBuilder()
  
    public ExprOrBuilder getDenialConditionOrBuilder()
   
   The condition that determines whether this deny rule applies to a request.
 If the condition expression evaluates to true, then the deny rule is
 applied; otherwise, the deny rule is not applied.
 Each deny rule is evaluated independently. If this deny rule does not apply
 to a request, other deny rules might still apply.
 The condition can use CEL functions that evaluate resource tags. Other
 functions and operators are not supported.
 .google.type.Expr denial_condition = 5;
    
      
        | Returns | 
      
        | Type | Description | 
      
        | com.google.type.ExprOrBuilder |  | 
    
  
  
  getDeniedPermissions(int index)
  
    public String getDeniedPermissions(int index)
   
   The permissions that are explicitly denied by this rule. Each permission
 uses the format {service_fqdn}/{resource}.{verb}, where {service_fqdn}
 is the fully qualified domain name for the service. For example,
 iam.googleapis.com/roles.list.
 repeated string denied_permissions = 3;
    
      
        | Parameter | 
      
        | Name | Description | 
      
        | index | int
 The index of the element to return. | 
    
  
  
    
      
        | Returns | 
      
        | Type | Description | 
      
        | String | The deniedPermissions at the given index. | 
    
  
  
  getDeniedPermissionsBytes(int index)
  
    public ByteString getDeniedPermissionsBytes(int index)
   
   The permissions that are explicitly denied by this rule. Each permission
 uses the format {service_fqdn}/{resource}.{verb}, where {service_fqdn}
 is the fully qualified domain name for the service. For example,
 iam.googleapis.com/roles.list.
 repeated string denied_permissions = 3;
    
      
        | Parameter | 
      
        | Name | Description | 
      
        | index | int
 The index of the value to return. | 
    
  
  
    
      
        | Returns | 
      
        | Type | Description | 
      
        | ByteString | The bytes of the deniedPermissions at the given index. | 
    
  
  
  getDeniedPermissionsCount()
  
    public int getDeniedPermissionsCount()
   
   The permissions that are explicitly denied by this rule. Each permission
 uses the format {service_fqdn}/{resource}.{verb}, where {service_fqdn}
 is the fully qualified domain name for the service. For example,
 iam.googleapis.com/roles.list.
 repeated string denied_permissions = 3;
    
      
        | Returns | 
      
        | Type | Description | 
      
        | int | The count of deniedPermissions. | 
    
  
  
  getDeniedPermissionsList()
  
    public ProtocolStringList getDeniedPermissionsList()
   
   The permissions that are explicitly denied by this rule. Each permission
 uses the format {service_fqdn}/{resource}.{verb}, where {service_fqdn}
 is the fully qualified domain name for the service. For example,
 iam.googleapis.com/roles.list.
 repeated string denied_permissions = 3;
getDeniedPrincipals(int index)
  
    public String getDeniedPrincipals(int index)
   
   The identities that are prevented from using one or more permissions on
 Google Cloud resources. This field can contain the following values:
- `principalSet://goog/public:all`: A special identifier that represents
any principal that is on the internet, even if they do not have a Google
Account or are not logged in.
 
- `principal://goog/subject/{email_id}`: A specific Google Account.
Includes Gmail, Cloud Identity, and Google Workspace user accounts. For
example, `principal://goog/subject/alice@example.com`.
 
- `deleted:principal://goog/subject/{email_id}?uid={uid}`: A specific
Google Account that was deleted recently. For example,
`deleted:principal://goog/subject/alice@example.com?uid=1234567890`. If
the Google Account is recovered, this identifier reverts to the standard
identifier for a Google Account.
 
- `principalSet://goog/group/{group_id}`: A Google group. For example,
`principalSet://goog/group/admins@example.com`.
 
- `deleted:principalSet://goog/group/{group_id}?uid={uid}`: A Google group
that was deleted recently. For example,
`deleted:principalSet://goog/group/admins@example.com?uid=1234567890`. If
the Google group is restored, this identifier reverts to the standard
identifier for a Google group.
 
- `principal://iam.googleapis.com/projects/-/serviceAccounts/{service_account_id}`:
A Google Cloud service account. For example,
`principal://iam.googleapis.com/projects/-/serviceAccounts/my-service-account@iam.gserviceaccount.com`.
 
- `deleted:principal://iam.googleapis.com/projects/-/serviceAccounts/{service_account_id}?uid={uid}`:
A Google Cloud service account that was deleted recently. For example,
`deleted:principal://iam.googleapis.com/projects/-/serviceAccounts/my-service-account@iam.gserviceaccount.com?uid=1234567890`.
If the service account is undeleted, this identifier reverts to the
standard identifier for a service account.
 
- `principalSet://goog/cloudIdentityCustomerId/{customer_id}`: All of the
principals associated with the specified Google Workspace or Cloud
Identity customer ID. For example,
`principalSet://goog/cloudIdentityCustomerId/C01Abc35`.
 
 repeated string denied_principals = 1;
    
      
        | Parameter | 
      
        | Name | Description | 
      
        | index | int
 The index of the element to return. | 
    
  
  
    
      
        | Returns | 
      
        | Type | Description | 
      
        | String | The deniedPrincipals at the given index. | 
    
  
  
  getDeniedPrincipalsBytes(int index)
  
    public ByteString getDeniedPrincipalsBytes(int index)
   
   The identities that are prevented from using one or more permissions on
 Google Cloud resources. This field can contain the following values:
- `principalSet://goog/public:all`: A special identifier that represents
any principal that is on the internet, even if they do not have a Google
Account or are not logged in.
 
- `principal://goog/subject/{email_id}`: A specific Google Account.
Includes Gmail, Cloud Identity, and Google Workspace user accounts. For
example, `principal://goog/subject/alice@example.com`.
 
- `deleted:principal://goog/subject/{email_id}?uid={uid}`: A specific
Google Account that was deleted recently. For example,
`deleted:principal://goog/subject/alice@example.com?uid=1234567890`. If
the Google Account is recovered, this identifier reverts to the standard
identifier for a Google Account.
 
- `principalSet://goog/group/{group_id}`: A Google group. For example,
`principalSet://goog/group/admins@example.com`.
 
- `deleted:principalSet://goog/group/{group_id}?uid={uid}`: A Google group
that was deleted recently. For example,
`deleted:principalSet://goog/group/admins@example.com?uid=1234567890`. If
the Google group is restored, this identifier reverts to the standard
identifier for a Google group.
 
- `principal://iam.googleapis.com/projects/-/serviceAccounts/{service_account_id}`:
A Google Cloud service account. For example,
`principal://iam.googleapis.com/projects/-/serviceAccounts/my-service-account@iam.gserviceaccount.com`.
 
- `deleted:principal://iam.googleapis.com/projects/-/serviceAccounts/{service_account_id}?uid={uid}`:
A Google Cloud service account that was deleted recently. For example,
`deleted:principal://iam.googleapis.com/projects/-/serviceAccounts/my-service-account@iam.gserviceaccount.com?uid=1234567890`.
If the service account is undeleted, this identifier reverts to the
standard identifier for a service account.
 
- `principalSet://goog/cloudIdentityCustomerId/{customer_id}`: All of the
principals associated with the specified Google Workspace or Cloud
Identity customer ID. For example,
`principalSet://goog/cloudIdentityCustomerId/C01Abc35`.
 
 repeated string denied_principals = 1;
    
      
        | Parameter | 
      
        | Name | Description | 
      
        | index | int
 The index of the value to return. | 
    
  
  
    
      
        | Returns | 
      
        | Type | Description | 
      
        | ByteString | The bytes of the deniedPrincipals at the given index. | 
    
  
  
  getDeniedPrincipalsCount()
  
    public int getDeniedPrincipalsCount()
   
   The identities that are prevented from using one or more permissions on
 Google Cloud resources. This field can contain the following values:
- `principalSet://goog/public:all`: A special identifier that represents
any principal that is on the internet, even if they do not have a Google
Account or are not logged in.
 
- `principal://goog/subject/{email_id}`: A specific Google Account.
Includes Gmail, Cloud Identity, and Google Workspace user accounts. For
example, `principal://goog/subject/alice@example.com`.
 
- `deleted:principal://goog/subject/{email_id}?uid={uid}`: A specific
Google Account that was deleted recently. For example,
`deleted:principal://goog/subject/alice@example.com?uid=1234567890`. If
the Google Account is recovered, this identifier reverts to the standard
identifier for a Google Account.
 
- `principalSet://goog/group/{group_id}`: A Google group. For example,
`principalSet://goog/group/admins@example.com`.
 
- `deleted:principalSet://goog/group/{group_id}?uid={uid}`: A Google group
that was deleted recently. For example,
`deleted:principalSet://goog/group/admins@example.com?uid=1234567890`. If
the Google group is restored, this identifier reverts to the standard
identifier for a Google group.
 
- `principal://iam.googleapis.com/projects/-/serviceAccounts/{service_account_id}`:
A Google Cloud service account. For example,
`principal://iam.googleapis.com/projects/-/serviceAccounts/my-service-account@iam.gserviceaccount.com`.
 
- `deleted:principal://iam.googleapis.com/projects/-/serviceAccounts/{service_account_id}?uid={uid}`:
A Google Cloud service account that was deleted recently. For example,
`deleted:principal://iam.googleapis.com/projects/-/serviceAccounts/my-service-account@iam.gserviceaccount.com?uid=1234567890`.
If the service account is undeleted, this identifier reverts to the
standard identifier for a service account.
 
- `principalSet://goog/cloudIdentityCustomerId/{customer_id}`: All of the
principals associated with the specified Google Workspace or Cloud
Identity customer ID. For example,
`principalSet://goog/cloudIdentityCustomerId/C01Abc35`.
 
 repeated string denied_principals = 1;
    
      
        | Returns | 
      
        | Type | Description | 
      
        | int | The count of deniedPrincipals. | 
    
  
  
  getDeniedPrincipalsList()
  
    public ProtocolStringList getDeniedPrincipalsList()
   
   The identities that are prevented from using one or more permissions on
 Google Cloud resources. This field can contain the following values:
- `principalSet://goog/public:all`: A special identifier that represents
any principal that is on the internet, even if they do not have a Google
Account or are not logged in.
 
- `principal://goog/subject/{email_id}`: A specific Google Account.
Includes Gmail, Cloud Identity, and Google Workspace user accounts. For
example, `principal://goog/subject/alice@example.com`.
 
- `deleted:principal://goog/subject/{email_id}?uid={uid}`: A specific
Google Account that was deleted recently. For example,
`deleted:principal://goog/subject/alice@example.com?uid=1234567890`. If
the Google Account is recovered, this identifier reverts to the standard
identifier for a Google Account.
 
- `principalSet://goog/group/{group_id}`: A Google group. For example,
`principalSet://goog/group/admins@example.com`.
 
- `deleted:principalSet://goog/group/{group_id}?uid={uid}`: A Google group
that was deleted recently. For example,
`deleted:principalSet://goog/group/admins@example.com?uid=1234567890`. If
the Google group is restored, this identifier reverts to the standard
identifier for a Google group.
 
- `principal://iam.googleapis.com/projects/-/serviceAccounts/{service_account_id}`:
A Google Cloud service account. For example,
`principal://iam.googleapis.com/projects/-/serviceAccounts/my-service-account@iam.gserviceaccount.com`.
 
- `deleted:principal://iam.googleapis.com/projects/-/serviceAccounts/{service_account_id}?uid={uid}`:
A Google Cloud service account that was deleted recently. For example,
`deleted:principal://iam.googleapis.com/projects/-/serviceAccounts/my-service-account@iam.gserviceaccount.com?uid=1234567890`.
If the service account is undeleted, this identifier reverts to the
standard identifier for a service account.
 
- `principalSet://goog/cloudIdentityCustomerId/{customer_id}`: All of the
principals associated with the specified Google Workspace or Cloud
Identity customer ID. For example,
`principalSet://goog/cloudIdentityCustomerId/C01Abc35`.
 
 repeated string denied_principals = 1;
getExceptionPermissions(int index)
  
    public String getExceptionPermissions(int index)
   
   Specifies the permissions that this rule excludes from the set of denied
 permissions given by denied_permissions. If a permission appears in both
 denied_permissions and exception_permissions, then this rule does not
 deny it.
 The excluded permissions can be specified using the same syntax as
 denied_permissions.
 repeated string exception_permissions = 4;
    
      
        | Parameter | 
      
        | Name | Description | 
      
        | index | int
 The index of the element to return. | 
    
  
  
    
      
        | Returns | 
      
        | Type | Description | 
      
        | String | The exceptionPermissions at the given index. | 
    
  
  
  getExceptionPermissionsBytes(int index)
  
    public ByteString getExceptionPermissionsBytes(int index)
   
   Specifies the permissions that this rule excludes from the set of denied
 permissions given by denied_permissions. If a permission appears in both
 denied_permissions and exception_permissions, then this rule does not
 deny it.
 The excluded permissions can be specified using the same syntax as
 denied_permissions.
 repeated string exception_permissions = 4;
    
      
        | Parameter | 
      
        | Name | Description | 
      
        | index | int
 The index of the value to return. | 
    
  
  
    
      
        | Returns | 
      
        | Type | Description | 
      
        | ByteString | The bytes of the exceptionPermissions at the given index. | 
    
  
  
  getExceptionPermissionsCount()
  
    public int getExceptionPermissionsCount()
   
   Specifies the permissions that this rule excludes from the set of denied
 permissions given by denied_permissions. If a permission appears in both
 denied_permissions and exception_permissions, then this rule does not
 deny it.
 The excluded permissions can be specified using the same syntax as
 denied_permissions.
 repeated string exception_permissions = 4;
    
      
        | Returns | 
      
        | Type | Description | 
      
        | int | The count of exceptionPermissions. | 
    
  
  
  getExceptionPermissionsList()
  
    public ProtocolStringList getExceptionPermissionsList()
   
   Specifies the permissions that this rule excludes from the set of denied
 permissions given by denied_permissions. If a permission appears in both
 denied_permissions and exception_permissions, then this rule does not
 deny it.
 The excluded permissions can be specified using the same syntax as
 denied_permissions.
 repeated string exception_permissions = 4;
getExceptionPrincipals(int index)
  
    public String getExceptionPrincipals(int index)
   
   The identities that are excluded from the deny rule, even if they are
 listed in the denied_principals. For example, you could add a Google
 group to the denied_principals, then exclude specific users who belong to
 that group.
 This field can contain the same values as the denied_principals field,
 excluding principalSet://goog/public:all, which represents all users on
 the internet.
 repeated string exception_principals = 2;
    
      
        | Parameter | 
      
        | Name | Description | 
      
        | index | int
 The index of the element to return. | 
    
  
  
    
      
        | Returns | 
      
        | Type | Description | 
      
        | String | The exceptionPrincipals at the given index. | 
    
  
  
  getExceptionPrincipalsBytes(int index)
  
    public ByteString getExceptionPrincipalsBytes(int index)
   
   The identities that are excluded from the deny rule, even if they are
 listed in the denied_principals. For example, you could add a Google
 group to the denied_principals, then exclude specific users who belong to
 that group.
 This field can contain the same values as the denied_principals field,
 excluding principalSet://goog/public:all, which represents all users on
 the internet.
 repeated string exception_principals = 2;
    
      
        | Parameter | 
      
        | Name | Description | 
      
        | index | int
 The index of the value to return. | 
    
  
  
    
      
        | Returns | 
      
        | Type | Description | 
      
        | ByteString | The bytes of the exceptionPrincipals at the given index. | 
    
  
  
  getExceptionPrincipalsCount()
  
    public int getExceptionPrincipalsCount()
   
   The identities that are excluded from the deny rule, even if they are
 listed in the denied_principals. For example, you could add a Google
 group to the denied_principals, then exclude specific users who belong to
 that group.
 This field can contain the same values as the denied_principals field,
 excluding principalSet://goog/public:all, which represents all users on
 the internet.
 repeated string exception_principals = 2;
    
      
        | Returns | 
      
        | Type | Description | 
      
        | int | The count of exceptionPrincipals. | 
    
  
  
  getExceptionPrincipalsList()
  
    public ProtocolStringList getExceptionPrincipalsList()
   
   The identities that are excluded from the deny rule, even if they are
 listed in the denied_principals. For example, you could add a Google
 group to the denied_principals, then exclude specific users who belong to
 that group.
 This field can contain the same values as the denied_principals field,
 excluding principalSet://goog/public:all, which represents all users on
 the internet.
 repeated string exception_principals = 2;
getParserForType()
  
    public Parser<DenyRule> getParserForType()
   
  
  Overrides
  
  
  getSerializedSize()
  
    public int getSerializedSize()
   
  
    
      
        | Returns | 
      
        | Type | Description | 
      
        | int |  | 
    
  
  Overrides
  
  
  hasDenialCondition()
  
    public boolean hasDenialCondition()
   
   The condition that determines whether this deny rule applies to a request.
 If the condition expression evaluates to true, then the deny rule is
 applied; otherwise, the deny rule is not applied.
 Each deny rule is evaluated independently. If this deny rule does not apply
 to a request, other deny rules might still apply.
 The condition can use CEL functions that evaluate resource tags. Other
 functions and operators are not supported.
 .google.type.Expr denial_condition = 5;
    
      
        | Returns | 
      
        | Type | Description | 
      
        | boolean | Whether the denialCondition field is set. | 
    
  
  
  hashCode()
  
  
    
      
        | Returns | 
      
        | Type | Description | 
      
        | int |  | 
    
  
  Overrides
  
  
  internalGetFieldAccessorTable()
  
    protected GeneratedMessageV3.FieldAccessorTable internalGetFieldAccessorTable()
   
  
  Overrides
  
  
  isInitialized()
  
    public final boolean isInitialized()
   
  
  Overrides
  
  
  newBuilderForType()
  
    public DenyRule.Builder newBuilderForType()
   
  
  
  newBuilderForType(GeneratedMessageV3.BuilderParent parent)
  
    protected DenyRule.Builder newBuilderForType(GeneratedMessageV3.BuilderParent parent)
   
  
  
  Overrides
  
  
  newInstance(GeneratedMessageV3.UnusedPrivateParameter unused)
  
    protected Object newInstance(GeneratedMessageV3.UnusedPrivateParameter unused)
   
  
  
    
      
        | Returns | 
      
        | Type | Description | 
      
        | Object |  | 
    
  
  Overrides
  
  
  toBuilder()
  
    public DenyRule.Builder toBuilder()
   
  
  
  writeTo(CodedOutputStream output)
  
    public void writeTo(CodedOutputStream output)
   
  
  Overrides