Identity and Access Management (IAM) V3BETA API - Class Google::Iam::V3beta::AccessPolicyRule (v0.6.0)

Reference documentation and code samples for the Identity and Access Management (IAM) V3BETA API class Google::Iam::V3beta::AccessPolicyRule.

Access Policy Rule that determines the behavior of the policy.

Inherits

  • Object

Extended By

  • Google::Protobuf::MessageExts::ClassMethods

Includes

  • Google::Protobuf::MessageExts

Methods

#conditions

def conditions() -> ::Google::Protobuf::Map{::String => ::Google::Type::Expr}
Returns
  • (::Google::Protobuf::Map{::String => ::Google::Type::Expr}) —

    Optional. The conditions that determine whether this rule applies to a request. Conditions are identified by their key, which is the FQDN of the service that they are relevant to. For example:

    "conditions": { "iam.googleapis.com": { "expression": <cel expression> } }

    Each rule is evaluated independently. If this rule does not apply to a request, other rules might still apply. Currently supported keys are as follows:

    • eventarc.googleapis.com: Can use CEL functions that evaluate resource fields.

    • iam.googleapis.com: Can use CEL functions that evaluate resource tags and combine them using boolean and logical operators. Other functions and operators are not supported.

#conditions=

def conditions=(value) -> ::Google::Protobuf::Map{::String => ::Google::Type::Expr}
Parameter
  • value (::Google::Protobuf::Map{::String => ::Google::Type::Expr}) —

    Optional. The conditions that determine whether this rule applies to a request. Conditions are identified by their key, which is the FQDN of the service that they are relevant to. For example:

    "conditions": { "iam.googleapis.com": { "expression": <cel expression> } }

    Each rule is evaluated independently. If this rule does not apply to a request, other rules might still apply. Currently supported keys are as follows:

    • eventarc.googleapis.com: Can use CEL functions that evaluate resource fields.

    • iam.googleapis.com: Can use CEL functions that evaluate resource tags and combine them using boolean and logical operators. Other functions and operators are not supported.

Returns
  • (::Google::Protobuf::Map{::String => ::Google::Type::Expr}) —

    Optional. The conditions that determine whether this rule applies to a request. Conditions are identified by their key, which is the FQDN of the service that they are relevant to. For example:

    "conditions": { "iam.googleapis.com": { "expression": <cel expression> } }

    Each rule is evaluated independently. If this rule does not apply to a request, other rules might still apply. Currently supported keys are as follows:

    • eventarc.googleapis.com: Can use CEL functions that evaluate resource fields.

    • iam.googleapis.com: Can use CEL functions that evaluate resource tags and combine them using boolean and logical operators. Other functions and operators are not supported.

#description

def description() -> ::String
Returns
  • (::String) — Optional. Customer-specified description of the rule. Must be less than or equal to 256 characters.

#description=

def description=(value) -> ::String
Parameter
  • value (::String) — Optional. Customer-specified description of the rule. Must be less than or equal to 256 characters.
Returns
  • (::String) — Optional. Customer-specified description of the rule. Must be less than or equal to 256 characters.

#effect

def effect() -> ::Google::Iam::V3beta::AccessPolicyRule::Effect
Returns

#effect=

def effect=(value) -> ::Google::Iam::V3beta::AccessPolicyRule::Effect
Parameter
Returns

#excluded_principals

def excluded_principals() -> ::Array<::String>
Returns
  • (::Array<::String>) — Optional. The identities that are excluded from the access policy rule, even if they are listed in the principals. For example, you could add a Google group to the principals, then exclude specific users who belong to that group.

#excluded_principals=

def excluded_principals=(value) -> ::Array<::String>
Parameter
  • value (::Array<::String>) — Optional. The identities that are excluded from the access policy rule, even if they are listed in the principals. For example, you could add a Google group to the principals, then exclude specific users who belong to that group.
Returns
  • (::Array<::String>) — Optional. The identities that are excluded from the access policy rule, even if they are listed in the principals. For example, you could add a Google group to the principals, then exclude specific users who belong to that group.

#operation

def operation() -> ::Google::Iam::V3beta::AccessPolicyRule::Operation
Returns

#operation=

def operation=(value) -> ::Google::Iam::V3beta::AccessPolicyRule::Operation
Parameter
Returns

#principals

def principals() -> ::Array<::String>
Returns
  • (::Array<::String>) —

    Required. The identities whose use of one or more permissions on Google Cloud resources is governed by this rule's effect. This field can contain the following values:

    • principal://goog/subject/{email_id}: A specific Google Account. Includes Gmail, Cloud Identity, and Google Workspace user accounts. For example, principal://goog/subject/alice@example.com.

    • principal://iam.googleapis.com/projects/-/serviceAccounts/{service_account_id}: A Google Cloud service account. For example, principal://iam.googleapis.com/projects/-/serviceAccounts/my-service-account@iam.gserviceaccount.com.

    • principalSet://goog/group/{group_id}: A Google group. For example, principalSet://goog/group/admins@example.com.

    • principalSet://goog/cloudIdentityCustomerId/{customer_id}: All of the principals associated with the specified Google Workspace or Cloud Identity customer ID. For example, principalSet://goog/cloudIdentityCustomerId/C01Abc35.

    If an identifier that was previously set on a policy is soft deleted, then calls to read that policy will return the identifier with a deleted prefix. Users cannot set identifiers with this syntax.

    • deleted:principal://goog/subject/{email_id}?uid={uid}: A specific Google Account that was deleted recently. For example, deleted:principal://goog/subject/alice@example.com?uid=1234567890. If the Google Account is recovered, this identifier reverts to the standard identifier for a Google Account.

    • deleted:principalSet://goog/group/{group_id}?uid={uid}: A Google group that was deleted recently. For example, deleted:principalSet://goog/group/admins@example.com?uid=1234567890. If the Google group is restored, this identifier reverts to the standard identifier for a Google group.

    • deleted:principal://iam.googleapis.com/projects/-/serviceAccounts/{service_account_id}?uid={uid}: A Google Cloud service account that was deleted recently. For example, deleted:principal://iam.googleapis.com/projects/-/serviceAccounts/my-service-account@iam.gserviceaccount.com?uid=1234567890. If the service account is undeleted, this identifier reverts to the standard identifier for a service account.

#principals=

def principals=(value) -> ::Array<::String>
Parameter
  • value (::Array<::String>) —

    Required. The identities whose use of one or more permissions on Google Cloud resources is governed by this rule's effect. This field can contain the following values:

    • principal://goog/subject/{email_id}: A specific Google Account. Includes Gmail, Cloud Identity, and Google Workspace user accounts. For example, principal://goog/subject/alice@example.com.

    • principal://iam.googleapis.com/projects/-/serviceAccounts/{service_account_id}: A Google Cloud service account. For example, principal://iam.googleapis.com/projects/-/serviceAccounts/my-service-account@iam.gserviceaccount.com.

    • principalSet://goog/group/{group_id}: A Google group. For example, principalSet://goog/group/admins@example.com.

    • principalSet://goog/cloudIdentityCustomerId/{customer_id}: All of the principals associated with the specified Google Workspace or Cloud Identity customer ID. For example, principalSet://goog/cloudIdentityCustomerId/C01Abc35.

    If an identifier that was previously set on a policy is soft deleted, then calls to read that policy will return the identifier with a deleted prefix. Users cannot set identifiers with this syntax.

    • deleted:principal://goog/subject/{email_id}?uid={uid}: A specific Google Account that was deleted recently. For example, deleted:principal://goog/subject/alice@example.com?uid=1234567890. If the Google Account is recovered, this identifier reverts to the standard identifier for a Google Account.

    • deleted:principalSet://goog/group/{group_id}?uid={uid}: A Google group that was deleted recently. For example, deleted:principalSet://goog/group/admins@example.com?uid=1234567890. If the Google group is restored, this identifier reverts to the standard identifier for a Google group.

    • deleted:principal://iam.googleapis.com/projects/-/serviceAccounts/{service_account_id}?uid={uid}: A Google Cloud service account that was deleted recently. For example, deleted:principal://iam.googleapis.com/projects/-/serviceAccounts/my-service-account@iam.gserviceaccount.com?uid=1234567890. If the service account is undeleted, this identifier reverts to the standard identifier for a service account.

Returns
  • (::Array<::String>) —

    Required. The identities whose use of one or more permissions on Google Cloud resources is governed by this rule's effect. This field can contain the following values:

    • principal://goog/subject/{email_id}: A specific Google Account. Includes Gmail, Cloud Identity, and Google Workspace user accounts. For example, principal://goog/subject/alice@example.com.

    • principal://iam.googleapis.com/projects/-/serviceAccounts/{service_account_id}: A Google Cloud service account. For example, principal://iam.googleapis.com/projects/-/serviceAccounts/my-service-account@iam.gserviceaccount.com.

    • principalSet://goog/group/{group_id}: A Google group. For example, principalSet://goog/group/admins@example.com.

    • principalSet://goog/cloudIdentityCustomerId/{customer_id}: All of the principals associated with the specified Google Workspace or Cloud Identity customer ID. For example, principalSet://goog/cloudIdentityCustomerId/C01Abc35.

    If an identifier that was previously set on a policy is soft deleted, then calls to read that policy will return the identifier with a deleted prefix. Users cannot set identifiers with this syntax.

    • deleted:principal://goog/subject/{email_id}?uid={uid}: A specific Google Account that was deleted recently. For example, deleted:principal://goog/subject/alice@example.com?uid=1234567890. If the Google Account is recovered, this identifier reverts to the standard identifier for a Google Account.

    • deleted:principalSet://goog/group/{group_id}?uid={uid}: A Google group that was deleted recently. For example, deleted:principalSet://goog/group/admins@example.com?uid=1234567890. If the Google group is restored, this identifier reverts to the standard identifier for a Google group.

    • deleted:principal://iam.googleapis.com/projects/-/serviceAccounts/{service_account_id}?uid={uid}: A Google Cloud service account that was deleted recently. For example, deleted:principal://iam.googleapis.com/projects/-/serviceAccounts/my-service-account@iam.gserviceaccount.com?uid=1234567890. If the service account is undeleted, this identifier reverts to the standard identifier for a service account.
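The following is an added example and is not code from the google-iam-v3beta gem or from the IAM API. It models, in plain Ruby, the constraints this page documents for a rule's principals, excluded_principals, conditions and description, so that a rule can be linted before it is submitted and so that the "group in principals, specific member in excluded_principals" semantics can be checked locally. The identifier regexes, the hash shape used for condition values, the AccessRule struct and the caller-supplied group membership lookup are all assumptions made here; the CEL expression is a constructed sample and is not evaluated.

```ruby
# Added example, not code from the google-iam-v3beta gem: a plain-Ruby model of the
# AccessPolicyRule constraints documented on this page, usable as a pre-submit
# lint for rules. It does not call the API and does not evaluate CEL.
# The identifier regexes, the condition-value shape and the membership lookup
# are assumptions made here.

MAX_DESCRIPTION_LENGTH = 256
SUPPORTED_CONDITION_KEYS = %w[eventarc.googleapis.com iam.googleapis.com].freeze

# Identifier forms users may set (assumed regexes derived from the documented syntax).
PRINCIPAL_FORMS = [
  %r{\Aprincipal://goog/subject/[^/?\s]+@[^/?\s]+\z},
  %r{\Aprincipal://iam\.googleapis\.com/projects/-/serviceAccounts/[^/?\s]+@[^/?\s]+\z},
  %r{\AprincipalSet://goog/group/[^/?\s]+@[^/?\s]+\z},
  %r{\AprincipalSet://goog/cloudIdentityCustomerId/[A-Za-z0-9]+\z},
].freeze

# Local stand-in for the message; conditions mirror the documented JSON shape
# { "<service FQDN>" => { "expression" => "<cel expression>" } }.
AccessRule = Struct.new(:principals, :excluded_principals, :conditions, :description,
                        keyword_init: true)

# Returns a problem string for an identifier, or nil if it is acceptable.
def identifier_problem(id, field)
  if id.start_with?("deleted:")
    return "#{field}: '#{id}' uses the deleted: prefix, which is read-only output and cannot be set"
  end
  return nil if PRINCIPAL_FORMS.any? { |re| re.match?(id) }
  "#{field}: '#{id}' is not a documented principal identifier form"
end

# Returns an array of problems; an empty array means the rule passes this lint.
def lint_rule(rule)
  problems = []
  principals = Array(rule.principals)
  problems << "principals: required, but empty" if principals.empty?
  principals.each { |id| problems << identifier_problem(id, "principals") }
  Array(rule.excluded_principals).each { |id| problems << identifier_problem(id, "excluded_principals") }
  (rule.conditions || {}).each do |key, expr|
    problems << "conditions: '#{key}' is not a supported service FQDN" unless SUPPORTED_CONDITION_KEYS.include?(key)
    problems << "conditions: '#{key}' has an empty expression" if expr.to_h["expression"].to_s.strip.empty?
  end
  desc = rule.description.to_s
  if desc.length > MAX_DESCRIPTION_LENGTH
    problems << "description: #{desc.length} characters exceeds the #{MAX_DESCRIPTION_LENGTH} limit"
  end
  problems.compact
end

# Does this rule's effect govern +principal+, given the groups it belongs to?
# Exclusion is matched on the principal itself (group exclusions are not
# modelled here); group membership is an assumed caller-supplied lookup, since
# the API resolves membership server-side.
def rule_applies_to?(rule, principal, member_of: [])
  return false if Array(rule.excluded_principals).include?(principal)
  listed = Array(rule.principals)
  listed.include?(principal) || member_of.any? { |group| listed.include?(group) }
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample rule: the group is listed, one of its members is carved out.
  rule = AccessRule.new(
    principals: ["principalSet://goog/group/admins@example.com"],
    excluded_principals: ["principal://goog/subject/alice@example.com"],
    conditions: { "iam.googleapis.com" => { "expression" => "resource.matchTag('123456789012/env', 'prod')" } },
    description: "Admins group, minus alice"
  )
  puts "problems: #{lint_rule(rule).inspect}"
  puts "bob governed? #{rule_applies_to?(rule, 'principal://goog/subject/bob@example.com', member_of: rule.principals)}"
end
```

The lint deliberately rejects any identifier carrying the deleted: prefix, since the page states that such identifiers are only ever returned by reads and cannot be set, and it flags condition keys outside the two documented service FQDNs; both are the kind of mistake that silently yields a rule with narrower or no effect rather than an obvious error at authoring time.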