Gets the latest state of a long-running operation. Clients can use this method to poll the operation result at intervals as recommended by the API service.
Creates and starts a Replay using the given ReplayConfig.
Gets the specified Replay. Each Replay is available for at least 7 days.
Gets the latest state of a long-running operation. Clients can use this method to poll the operation result at intervals as recommended by the API service.
Lists operations that match the specified filter in the request. If the server doesn’t support this method, it returns UNIMPLEMENTED.
Lists the results of running a Replay.
A builder providing access to all methods supported on
folder resources.
It is not used directly, but through the
PolicySimulator hub.
Similar to PolicySpec but with an extra ‘launch’ field for launch reference. The PolicySpec here is specific for dry-run/darklaunch.
A custom constraint defined by customers which can only be applied to the given resource types and organization. By creating a custom constraint, customers can apply policies of this custom constraint. Creating a custom constraint itself does NOT apply any policy enforcement.
Defines an organization policy which is used to specify constraints for configurations of Google Cloud resources.
Defines a Google Cloud policy specification which is used to specify constraints for configurations of Google Cloud resources.
A rule used to express this policy.
A message that holds specific allowed and denied values. This message can define specific values and subtrees of the Resource Manager resource hierarchy (Organizations, Folders, Projects) that are allowed or denied. This is achieved by using the under: and optional is: prefixes. The under: prefix is used to denote resource subtree values. The is: prefix is used to denote specific values, and is required only if the value contains a “:”. Values prefixed with “is:” are treated the same as values with no prefix. Ancestry subtrees must be in one of the following formats: - projects/ (for example, projects/tokyo-rain-123) - folders/ (for example, folders/1234) - organizations/ (for example, organizations/1234) The supports_under field of the associated Constraint defines whether ancestry prefixes can be used.
A summary and comparison of the principal’s access under the current (baseline) policies and the proposed (simulated) policies for a single access tuple.
Information about the principal, resource, and permission to check.
Details about how a binding in a policy affects a principal’s ability to use a permission.
Details about whether the binding includes the principal.
Details about how a set of policies, listed in ExplainedPolicy, resulted in a certain AccessState when replaying an access tuple.
Details about how a specific IAM Policy contributed to the access check.
ListOrgPolicyViolationsPreviewsResponse is the response message for OrgPolicyViolationsPreviewService.ListOrgPolicyViolationsPreviews.
ListOrgPolicyViolationsResponse is the response message for OrgPolicyViolationsPreviewService.ListOrgPolicyViolations
Response message for Simulator.ListReplayResults.
The proposed changes to OrgPolicy.
A change to an OrgPolicy custom constraint.
A change to an OrgPolicy.
OrgPolicyViolation is a resource representing a single resource violating a single OrgPolicy constraint.
OrgPolicyViolationsPreview is a resource providing a preview of the violations that will exist if an OrgPolicy change is made. The list of violations are modeled as child resources and retrieved via a ListOrgPolicyViolations API call. There are potentially more OrgPolicyViolations than could fit in an embedded field. Thus, the use of a child resource instead of a field.
A summary of the state of all resources scanned for compliance with the changed OrgPolicy.
A resource describing a Replay, or simulation.
The configuration used for a Replay.
The difference between the results of evaluating an access tuple under the current (baseline) policies and under the proposed (simulated) policies. This difference explains how a principal’s access could change if the proposed policies were applied.
The result of replaying a single access tuple against a simulated state.
Summary statistics about the replayed log entries.
ResourceContext provides the context we know about a resource. It is similar in concept to google.cloud.asset.v1.Resource, but focuses on the information specifically used by Simulator.
Specifies the audit configuration for a service. The configuration determines which permission types are logged, and what identities, if any, are exempted from logging. An AuditConfig must have one or more AuditLogConfigs. If there are AuditConfigs for both allServices and a specific service, the union of the two AuditConfigs is used for that service: the log_types specified in each AuditConfig are enabled, and the exempted_members in each AuditLogConfig are exempted. Example Policy with multiple AuditConfigs: { “audit_configs”: [ { “service”: “allServices”, “audit_log_configs”: [ { “log_type”: “DATA_READ”, “exempted_members”: [ “user:jose@example.com” ] }, { “log_type”: “DATA_WRITE” }, { “log_type”: “ADMIN_READ” } ] }, { “service”: “sampleservice.googleapis.com”, “audit_log_configs”: [ { “log_type”: “DATA_READ” }, { “log_type”: “DATA_WRITE”, “exempted_members”: [ “user:aliya@example.com” ] } ] } ] } For sampleservice, this policy enables DATA_READ, DATA_WRITE and ADMIN_READ logging. It also exempts jose@example.com from DATA_READ logging, and aliya@example.com from DATA_WRITE logging.
Provides the configuration for logging a type of permissions. Example: { “audit_log_configs”: [ { “log_type”: “DATA_READ”, “exempted_members”: [ “user:jose@example.com” ] }, { “log_type”: “DATA_WRITE” } ] } This enables ‘DATA_READ’ and ‘DATA_WRITE’ logging, while exempting jose@example.com from DATA_READ logging.
Associates members, or principals, with a role.
An Identity and Access Management (IAM) policy, which specifies access controls for Google Cloud resources. A
Policy is a collection of
bindings. A
binding binds one or more
members, or principals, to a single
role. Principals can be user accounts, service accounts, Google groups, and domains (such as G Suite). A
role is a named list of permissions; each
role can be an IAM predefined role or a user-created custom role. For some types of Google Cloud resources, a
binding can also specify a
condition, which is a logical expression that allows access to a resource only if the expression evaluates to
true. A condition can add constraints based on attributes of the request, the resource, or both. To learn which resources support conditions in their IAM policies, see the
IAM documentation.
JSON example: { "bindings": [ { "role": "roles/resourcemanager.organizationAdmin", "members": [ "user:mike@example.com", "group:admins@example.com", "domain:google.com", "serviceAccount:my-project-id@appspot.gserviceaccount.com" ] }, { "role": "roles/resourcemanager.organizationViewer", "members": [ "user:eve@example.com" ], "condition": { "title": "expirable access", "description": "Does not grant access after Sep 2020", "expression": "request.time < timestamp('2020-10-01T00:00:00.000Z')", } } ], "etag": "BwWWja0YfJA=", "version": 3 } YAML example: bindings: - members: - user:mike@example.com - group:admins@example.com - domain:google.com - serviceAccount:my-project-id@appspot.gserviceaccount.com role: roles/resourcemanager.organizationAdmin - members: - user:eve@example.com role: roles/resourcemanager.organizationViewer condition: title: expirable access description: Does not grant access after Sep 2020 expression: request.time < timestamp('2020-10-01T00:00:00.000Z') etag: BwWWja0YfJA= version: 3 For a description of IAM and its features, see the
IAM documentation.
The response message for Operations.ListOperations.
This resource represents a long-running operation that is the result of a network API call.
The
Status type defines a logical error model that is suitable for different programming environments, including REST APIs and RPC APIs. It is used by
gRPC. Each
Status message contains three pieces of data: error code, error message, and error details. You can find out more about this error model and how to work with it in the
API Design Guide.
Represents a whole or partial calendar date, such as a birthday. The time of day and time zone are either specified elsewhere or are insignificant. The date is relative to the Gregorian Calendar. This can represent one of the following: * A full date, with non-zero year, month, and day values. * A month and day, with a zero year (for example, an anniversary). * A year on its own, with a zero month and a zero day. * A year and month, with a zero day (for example, a credit card expiration date). Related types: * google.type.TimeOfDay * google.type.DateTime * google.protobuf.Timestamp
Represents a textual expression in the Common Expression Language (CEL) syntax. CEL is a C-like expression language. The syntax and semantics of CEL are documented at https://github.com/google/cel-spec. Example (Comparison): title: “Summary size limit” description: “Determines if a summary is less than 100 chars” expression: “document.summary.size() < 100” Example (Equality): title: “Requestor is owner” description: “Determines if requestor is the document owner” expression: “document.owner == request.auth.claims.email” Example (Logic): title: “Public documents” description: “Determine whether the document should be publicly visible” expression: “document.type != ‘private’ && document.type != ‘internal’” Example (Data Manipulation): title: “Notification string” description: “Create a notification string with a timestamp.” expression: “’New message received at ’ + string(document.create_time)” The exact variables and functions that may be referenced within an expression are determined by the service that evaluates it. See the service documentation for additional information.
Gets the latest state of a long-running operation. Clients can use this method to poll the operation result at intervals as recommended by the API service.
Lists operations that match the specified filter in the request. If the server doesn’t support this method, it returns UNIMPLEMENTED.
A builder providing access to all methods supported on
operation resources.
It is not used directly, but through the
PolicySimulator hub.
CreateOrgPolicyViolationsPreview creates an OrgPolicyViolationsPreview for the proposed changes in the provided OrgPolicyViolationsPreview.OrgPolicyOverlay. The changes to OrgPolicy are specified by this OrgPolicyOverlay. The resources to scan are inferred from these specified changes.
GetOrgPolicyViolationsPreview gets the specified OrgPolicyViolationsPreview. Each OrgPolicyViolationsPreview is available for at least 7 days.
ListOrgPolicyViolationsPreviews lists each OrgPolicyViolationsPreview in an organization. Each OrgPolicyViolationsPreview is available for at least 7 days.
Gets the latest state of a long-running operation. Clients can use this method to poll the operation result at intervals as recommended by the API service.
ListOrgPolicyViolations lists the OrgPolicyViolations that are present in an OrgPolicyViolationsPreview.
Creates and starts a Replay using the given ReplayConfig.
Gets the specified Replay. Each Replay is available for at least 7 days.
Gets the latest state of a long-running operation. Clients can use this method to poll the operation result at intervals as recommended by the API service.
Lists operations that match the specified filter in the request. If the server doesn’t support this method, it returns UNIMPLEMENTED.
Lists the results of running a Replay.
A builder providing access to all methods supported on
organization resources.
It is not used directly, but through the
PolicySimulator hub.
Central instance to access all PolicySimulator related resource activities
Gets the latest state of a long-running operation. Clients can use this method to poll the operation result at intervals as recommended by the API service.
Creates and starts a Replay using the given ReplayConfig.
Gets the specified Replay. Each Replay is available for at least 7 days.
Gets the latest state of a long-running operation. Clients can use this method to poll the operation result at intervals as recommended by the API service.
Lists operations that match the specified filter in the request. If the server doesn’t support this method, it returns UNIMPLEMENTED.
Lists the results of running a Replay.
A builder providing access to all methods supported on
project resources.
It is not used directly, but through the
PolicySimulator hub.