The request for creating an IdpCredential with its associated payload. An InboundSamlSsoProfile can own up to 2 credentials.
Request to cancel sent invitation for target email in UserInvitation.
The response message for MembershipsService.CheckTransitiveMembership.
Central instance to access all CloudIdentity related resource activities
A builder providing access to all methods supported on customer resources. It is not used directly, but through the CloudIdentity hub.
Cancels a UserInvitation that was already sent.
Retrieves a UserInvitation resource. Note: New consumer accounts with the customer’s verified domain created within the previous 48 hours will not appear in the result. This delay also applies to newly-verified domains.
Verifies whether a user account is eligible to receive a UserInvitation (is an unmanaged account). Eligibility is based on the following criteria: * the email address is a consumer account and it’s the primary email address of the account, and * the domain of the email address matches an existing verified Google Workspace or Cloud Identity domain If both conditions are met, the user is eligible. Note: This method is not supported for Workspace Essentials customers.
Retrieves a list of UserInvitation resources. Note: New consumer accounts with the customer’s verified domain created within the previous 48 hours will not appear in the result. This delay also applies to newly-verified domains.
Sends a UserInvitation to email. If the UserInvitation does not exist for this request and it is a valid request, the request creates a UserInvitation. Note: The get and list methods have a 48-hour delay where newly-created consumer accounts will not appear in the results. You can still send a UserInvitation to those accounts if you know the unmanaged email address and IsInvitableUser==True.
Cancels an unfinished device wipe. This operation can be used to cancel device wipe in the gap between the wipe operation returning success and the device being wiped. This operation is possible when the device is in a “pending wipe” state. The device enters the “pending wipe” state when a wipe device command is issued, but has not yet been sent to the device. The cancel wipe will fail if the wipe command has already been issued to the device.
Creates a device. Only company-owned devices may be created. Note: This method is available only to customers who have one of the following SKUs: Enterprise Standard, Enterprise Plus, Enterprise for Education, and Cloud Identity Premium.
Deletes the specified device.
Approves device to access user data.
Blocks device from accessing user data
Cancels an unfinished user account wipe. This operation can be used to cancel device wipe in the gap between the wipe operation returning success and the device being wiped.
Gets the client state for the device user
Lists the client states for the given search query.
Updates the client state for the device user Note: This method is available only to customers who have one of the following SKUs: Enterprise Standard, Enterprise Plus, Enterprise for Education, and Cloud Identity Premium
Deletes the specified DeviceUser. This also revokes the user’s access to device data.
Retrieves the specified DeviceUser
Lists/Searches DeviceUsers.
Looks up resource names of the DeviceUsers associated with the caller’s credentials, as well as the properties provided in the request. This method must be called with end-user credentials with the scope: https://www.googleapis.com/auth/cloud-identity.devices.lookup If multiple properties are provided, only DeviceUsers having all of these properties are considered as matches - i.e. the query behaves like an AND. Different platforms require different amounts of information from the caller to ensure that the DeviceUser is uniquely identified. - iOS: No properties need to be passed, the caller’s credentials are sufficient to identify the corresponding DeviceUser. - Android: Specifying the ‘android_id’ field is required. - Desktop: Specifying the ‘raw_resource_id’ field is required.
Wipes the user’s account on a device. Other data on the device that is not associated with the user’s work account is not affected. For example, if a Gmail app is installed on a device that is used for personal and work purposes, and the user is logged in to the Gmail app with their personal account as well as their work account, wiping the “deviceUser” by their work administrator will not affect their personal account within Gmail or other apps such as Photos.
Retrieves the specified device.
Lists/Searches devices.
A builder providing access to all methods supported on device resources. It is not used directly, but through the CloudIdentity hub.
Wipes all data on the specified device.
Information of a DSA public key.
Dynamic group metadata like queries and status.
Defines a query on a resource.
The current status of a dynamic group along with timestamp.
A unique identifier for an entity in the Cloud Identity Groups API. An entity can represent either a group with an optional namespace or a user without a namespace. The combination of id and namespace must be unique; however, the same id can be used with different namespaces.
The MembershipRole expiry details.
Resource representing the Android specific attributes of a Device.
Request message for approving the device to access user data.
Request message for blocking account on device.
Request message for cancelling an unfinished device wipe.
Request message for cancelling an unfinished user account wipe.
Represents the state associated with an API client calling the Devices API. Resource representing ClientState and supports updates from API users
Additional custom attribute values may be one of these types
A Device within the Cloud Identity Devices API. Represents a Device known to Google Cloud, independent of the device ownership, type, and whether it is assigned or in use by a user.
Represents a user’s use of a Device in the Cloud Identity Devices API. A DeviceUser is a resource representing a user’s use of a Device
Response message that is returned in ListClientStates.
Response message that is returned from the ListDeviceUsers method.
Response message that is returned from the ListDevices method.
Response containing resource names of the DeviceUsers associated with the caller’s credentials.
Request message for wiping all data on the device.
Request message for starting an account wipe on device.
A group within the Cloud Identity Groups API. A Group is a collection of entities, where each entity is either a user, another group, or a service account.
Creates a Group.
Deletes a Group.
Retrieves a Group.
Get Security Settings
Lists the Group resources under a customer or namespace.
Check a potential member for membership in a group. Note: This feature is only available to Google Workspace Enterprise Standard, Enterprise Plus, and Enterprise for Education; and Cloud Identity Premium accounts. If the account of the member is not one of these, a 403 (PERMISSION_DENIED) HTTP status code will be returned. A member has membership to a group as long as there is a single viewable transitive membership between the group and the member. The actor must have view permissions to at least one transitive membership between the member and group.
Creates a Membership.
Deletes a Membership.
Retrieves a Membership.
Get a membership graph of just a member or both a member and a group. Note: This feature is only available to Google Workspace Enterprise Standard, Enterprise Plus, and Enterprise for Education; and Cloud Identity Premium accounts. If the account of the member is not one of these, a 403 (PERMISSION_DENIED) HTTP status code will be returned. Given a member, the response will contain all membership paths from the member. Given both a group and a member, the response will contain all membership paths between the group and the member.
Lists the Memberships within a Group.
Modifies the MembershipRoles of a Membership.
Searches direct groups of a member.
Search transitive groups of a member. Note: This feature is only available to Google Workspace Enterprise Standard, Enterprise Plus, and Enterprise for Education; and Cloud Identity Premium accounts. If the account of the member is not one of these, a 403 (PERMISSION_DENIED) HTTP status code will be returned. A transitive group is any group that has a direct or indirect membership to the member. Actor must have view permissions to all transitive groups.
Search transitive memberships of a group. Note: This feature is only available to Google Workspace Enterprise Standard, Enterprise Plus, and Enterprise for Education; and Cloud Identity Premium accounts. If the account of the group is not one of these, a 403 (PERMISSION_DENIED) HTTP status code will be returned. A transitive membership is any direct or indirect membership of a group. Actor must have view permissions to all transitive memberships.
A builder providing access to all methods supported on group resources. It is not used directly, but through the CloudIdentity hub.
Updates a Group.
Message representing a transitive group of a user or a group.
Searches for Group resources matching a specified query.
Update Security Settings
Credential for verifying signatures produced by the Identity Provider.
A SAML 2.0 federation between a Google enterprise customer and a SAML identity provider.
Creates an InboundSamlSsoProfile for a customer.
Deletes an InboundSamlSsoProfile.
Gets an InboundSamlSsoProfile.
Adds an IdpCredential. Up to 2 credentials are allowed.
Deletes an IdpCredential.
Gets an IdpCredential.
Returns a list of IdpCredentials in an InboundSamlSsoProfile.
Lists InboundSamlSsoProfiles for a customer.
A builder providing access to all methods supported on inboundSamlSsoProfile resources. It is not used directly, but through the CloudIdentity hub.
Updates an InboundSamlSsoProfile.
Targets with “set” SSO assignments and their respective assignments.
Creates an InboundSsoAssignment for users and devices in a Customer under a given Group or OrgUnit.
Deletes an InboundSsoAssignment. To disable SSO, Create (or Update) an assignment that has sso_mode == SSO_OFF.
Gets an InboundSsoAssignment.
Lists the InboundSsoAssignments for a Customer.
A builder providing access to all methods supported on inboundSsoAssignment resources. It is not used directly, but through the CloudIdentity hub.
Updates an InboundSsoAssignment. The body of this request is the inbound_sso_assignment field and the update_mask is relative to that. For example: a PATCH to /v1/inboundSsoAssignments/0abcdefg1234567&update_mask=rank with a body of { "rank": 1 } moves that (presumably group-targeted) SSO assignment to the highest priority and shifts any other group-targeted assignments down in priority.
Response for IsInvitableUser RPC.
Response message for ListGroups operation.
Response of the InboundSamlSsoProfilesService.ListIdpCredentials method.
Response of the InboundSamlSsoProfilesService.ListInboundSamlSsoProfiles method.
Response of the InboundSsoAssignmentsService.ListInboundSsoAssignments method.
The response message for MembershipsService.ListMemberships.
Response message for UserInvitation listing request.
The response message for GroupsService.LookupGroupName.
The response message for MembershipsService.LookupMembershipName.
Message representing a transitive membership of a group.
The definition of MemberRestriction
A membership within the Cloud Identity Groups API. A Membership defines a relationship between a Group and an entity belonging to that Group, referred to as a “member”.
Message containing membership relation.
A membership role within the Cloud Identity Groups API. A MembershipRole defines the privileges granted to a Membership.
The evaluated state of this restriction.
The request message for MembershipsService.ModifyMembershipRoles.
The response message for MembershipsService.ModifyMembershipRoles.
This resource represents a long-running operation that is the result of a network API call.
The evaluated state of this restriction.
Evaluations of restrictions applied to parent group on this membership.
Information of a RSA public key.
SAML IDP (identity provider) configuration.
SAML SP (service provider) configuration.
Details that are applicable when sso_mode == SAML_SSO.
The response message for MembershipsService.SearchDirectGroups.
The response message for GroupsService.SearchGroups.
The response message for MembershipsService.SearchTransitiveGroups.
The response message for MembershipsService.SearchTransitiveMemberships.
The definition of security settings.
A request to send email for inviting target user corresponding to the UserInvitation.
Controls sign-in behavior.
The Status type defines a logical error model that is suitable for different programming environments, including REST APIs and RPC APIs. It is used by gRPC. Each Status message contains three pieces of data: error code, error message, and error details. You can find out more about this error model and how to work with it in the API Design Guide.
Message representing the role of a TransitiveMembership.
The details of an update to a MembershipRole.
The UserInvitation resource represents an email that can be sent to an unmanaged user account inviting them to join the customer’s Google Workspace or Cloud Identity account. An unmanaged account shares an email address domain with the Google Workspace or Cloud Identity account but is not managed by it yet. If the user accepts the UserInvitation, the user account will become managed.