public final class DenyRule extends GeneratedMessage implements DenyRuleOrBuilder
A deny rule in an IAM deny policy.
Protobuf type google.iam.v2.DenyRule
Inheritance
Object > AbstractMessageLite<MessageType,BuilderType> > AbstractMessage > GeneratedMessage > DenyRule
Implements
DenyRuleOrBuilder
Static Fields
DENIAL_CONDITION_FIELD_NUMBER
public static final int DENIAL_CONDITION_FIELD_NUMBER
DENIED_PERMISSIONS_FIELD_NUMBER
public static final int DENIED_PERMISSIONS_FIELD_NUMBER
DENIED_PRINCIPALS_FIELD_NUMBER
public static final int DENIED_PRINCIPALS_FIELD_NUMBER
EXCEPTION_PERMISSIONS_FIELD_NUMBER
public static final int EXCEPTION_PERMISSIONS_FIELD_NUMBER
EXCEPTION_PRINCIPALS_FIELD_NUMBER
public static final int EXCEPTION_PRINCIPALS_FIELD_NUMBER
Static Methods
getDefaultInstance()
public static DenyRule getDefaultInstance()
getDescriptor()
public static final Descriptors.Descriptor getDescriptor()
newBuilder()
public static DenyRule.Builder newBuilder()
newBuilder(DenyRule prototype)
public static DenyRule.Builder newBuilder(DenyRule prototype)
parseDelimitedFrom(InputStream input)
public static DenyRule parseDelimitedFrom(InputStream input)
parseDelimitedFrom(InputStream input, ExtensionRegistryLite extensionRegistry)
public static DenyRule parseDelimitedFrom(InputStream input, ExtensionRegistryLite extensionRegistry)
parseFrom(byte[] data)
public static DenyRule parseFrom(byte[] data)
parseFrom(byte[] data, ExtensionRegistryLite extensionRegistry)
public static DenyRule parseFrom(byte[] data, ExtensionRegistryLite extensionRegistry)
parseFrom(ByteString data)
public static DenyRule parseFrom(ByteString data)
parseFrom(ByteString data, ExtensionRegistryLite extensionRegistry)
public static DenyRule parseFrom(ByteString data, ExtensionRegistryLite extensionRegistry)
parseFrom(CodedInputStream input)
public static DenyRule parseFrom(CodedInputStream input)
parseFrom(CodedInputStream input, ExtensionRegistryLite extensionRegistry)
public static DenyRule parseFrom(CodedInputStream input, ExtensionRegistryLite extensionRegistry)
parseFrom(InputStream input)
public static DenyRule parseFrom(InputStream input)
parseFrom(InputStream input, ExtensionRegistryLite extensionRegistry)
public static DenyRule parseFrom(InputStream input, ExtensionRegistryLite extensionRegistry)
parseFrom(ByteBuffer data)
public static DenyRule parseFrom(ByteBuffer data)
parseFrom(ByteBuffer data, ExtensionRegistryLite extensionRegistry)
public static DenyRule parseFrom(ByteBuffer data, ExtensionRegistryLite extensionRegistry)
parser()
public static Parser<DenyRule> parser()
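The parse and serialize methods above are what you use when deny rules are stored or shipped as raw protobuf rather than fetched from the API. The following is an added example, not code from this generated class or from the google-cloud-iam library. It round-trips a rule through parseFrom(byte[]), shows that truncated input is rejected while empty input parses to the default instance (a rule that denies nobody), refuses input carrying field numbers this build does not know (a policy object with an unrecognised field should not be silently accepted), and frames several rules in one stream with writeDelimitedTo/parseDelimitedFrom. The 64 KiB size cap and the use of principalSet://goog/public:all with iam.googleapis.com/roles.list are choices made for the example.

```java
import com.google.iam.v2.DenyRule;
import com.google.protobuf.InvalidProtocolBufferException;
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;

public final class DenyRuleWireExample {

  // Assumed upper bound for one serialized rule; a real rule is far smaller.
  static final int MAX_RULE_BYTES = 64 * 1024;

  /** Parses one rule from untrusted bytes. Rejects oversized, malformed, and unknown-field input. */
  static DenyRule parseUntrusted(byte[] data) throws InvalidProtocolBufferException {
    if (data.length > MAX_RULE_BYTES) {
      throw new InvalidProtocolBufferException("rule exceeds " + MAX_RULE_BYTES + " bytes");
    }
    DenyRule rule = DenyRule.parseFrom(data); // throws on truncated or malformed input
    // Java protobuf keeps unknown fields rather than dropping them. For an authorization rule
    // that is not safe to ignore: a field outside 1..5 may be a scoping field we would miss.
    if (!rule.getUnknownFields().asMap().isEmpty()) {
      throw new InvalidProtocolBufferException(
          "rule carries unknown field numbers " + rule.getUnknownFields().asMap().keySet());
    }
    return rule;
  }

  /** Writes rules length-delimited so several can share one stream. */
  static byte[] writeDelimited(List<DenyRule> rules) throws IOException {
    ByteArrayOutputStream out = new ByteArrayOutputStream();
    for (DenyRule r : rules) {
      r.writeDelimitedTo(out);
    }
    return out.toByteArray();
  }

  /** Reads length-delimited rules until parseDelimitedFrom returns null at a clean end of stream. */
  static List<DenyRule> readDelimited(byte[] stream) throws IOException {
    List<DenyRule> rules = new ArrayList<>();
    ByteArrayInputStream in = new ByteArrayInputStream(stream);
    DenyRule r;
    while ((r = DenyRule.parseDelimitedFrom(in)) != null) {
      rules.add(r);
    }
    return rules;
  }

  public static void main(String[] args) throws IOException {
    DenyRule rule = DenyRule.newBuilder()
        .addDeniedPrincipals("principalSet://goog/public:all")
        .addDeniedPermissions("iam.googleapis.com/roles.list")
        .build();
    byte[] wire = rule.toByteArray();

    // 1. Round trip: equals() and hashCode() are value-based, so the parsed copy equals the original.
    DenyRule back = parseUntrusted(wire);
    System.out.println("round trip equal: " + rule.equals(back));

    // 2. Truncated input is rejected rather than yielding a partial rule.
    try {
      parseUntrusted(Arrays.copyOf(wire, wire.length - 1));
    } catch (InvalidProtocolBufferException e) {
      System.out.println("truncated input rejected: " + e.getMessage());
    }

    // 3. Empty input parses without error to the default instance: no principals, no permissions.
    DenyRule empty = parseUntrusted(new byte[0]);
    System.out.println("empty input is default instance: " + empty.equals(DenyRule.getDefaultInstance())
        + ", denied principals: " + empty.getDeniedPrincipalsCount());

    // 4. Delimited framing for a file or stream holding several rules.
    List<DenyRule> rules = readDelimited(writeDelimited(Arrays.asList(rule, empty)));
    System.out.println("delimited rules read back: " + rules.size());
  }
}
```

Case 3 is the one to remember when loading rules from storage: a zero-length or missing blob does not fail, it yields a rule that matches nothing, so a loader that only catches exceptions will treat a lost policy as a successfully loaded one. Check getDeniedPrincipalsCount() and getDeniedPermissionsCount() after parsing, or compare against getDefaultInstance().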
Methods
equals(Object obj)
public boolean equals(Object obj)
getDefaultInstanceForType()
public DenyRule getDefaultInstanceForType()
getDenialCondition()
public Expr getDenialCondition()
The condition that determines whether this deny rule applies to a request. If the condition expression evaluates to true, then the deny rule is applied; otherwise, the deny rule is not applied.
Each deny rule is evaluated independently. If this deny rule does not apply to a request, other deny rules might still apply.
The condition can use CEL functions that evaluate resource tags. Other functions and operators are not supported.
.google.type.Expr denial_condition = 5;
Returns: com.google.type.Expr, the denialCondition.
getDenialConditionOrBuilder()
public ExprOrBuilder getDenialConditionOrBuilder()
The condition that determines whether this deny rule applies to a request. If the condition expression evaluates to true, then the deny rule is applied; otherwise, the deny rule is not applied.
Each deny rule is evaluated independently. If this deny rule does not apply to a request, other deny rules might still apply.
The condition can use CEL functions that evaluate resource tags. Other functions and operators are not supported.
.google.type.Expr denial_condition = 5;
Returns: com.google.type.ExprOrBuilder
getDeniedPermissions(int index)
public String getDeniedPermissions(int index)
The permissions that are explicitly denied by this rule. Each permission uses the format {service_fqdn}/{resource}.{verb}, where {service_fqdn} is the fully qualified domain name for the service. For example, iam.googleapis.com/roles.list.
repeated string denied_permissions = 3;
getDeniedPermissionsBytes(int index)
public ByteString getDeniedPermissionsBytes(int index)
The permissions that are explicitly denied by this rule. Each permission uses the format {service_fqdn}/{resource}.{verb}, where {service_fqdn} is the fully qualified domain name for the service. For example, iam.googleapis.com/roles.list.
repeated string denied_permissions = 3;
getDeniedPermissionsCount()
public int getDeniedPermissionsCount()
The permissions that are explicitly denied by this rule. Each permission uses the format {service_fqdn}/{resource}.{verb}, where {service_fqdn} is the fully qualified domain name for the service. For example, iam.googleapis.com/roles.list.
repeated string denied_permissions = 3;
getDeniedPermissionsList()
public ProtocolStringList getDeniedPermissionsList()
The permissions that are explicitly denied by this rule. Each permission uses the format {service_fqdn}/{resource}.{verb}, where {service_fqdn} is the fully qualified domain name for the service. For example, iam.googleapis.com/roles.list.
repeated string denied_permissions = 3;
getDeniedPrincipals(int index)
public String getDeniedPrincipals(int index)
The identities that are prevented from using one or more permissions on Google Cloud resources. This field can contain the following values:
- principalSet://goog/public:all: A special identifier that represents any principal that is on the internet, even if they do not have a Google Account or are not logged in.
- principal://goog/subject/{email_id}: A specific Google Account. Includes Gmail, Cloud Identity, and Google Workspace user accounts. For example, principal://goog/subject/alice@example.com.
- deleted:principal://goog/subject/{email_id}?uid={uid}: A specific Google Account that was deleted recently. For example, deleted:principal://goog/subject/alice@example.com?uid=1234567890. If the Google Account is recovered, this identifier reverts to the standard identifier for a Google Account.
- principalSet://goog/group/{group_id}: A Google group. For example, principalSet://goog/group/admins@example.com.
- deleted:principalSet://goog/group/{group_id}?uid={uid}: A Google group that was deleted recently. For example, deleted:principalSet://goog/group/admins@example.com?uid=1234567890. If the Google group is restored, this identifier reverts to the standard identifier for a Google group.
- principal://iam.googleapis.com/projects/-/serviceAccounts/{service_account_id}: A Google Cloud service account. For example, principal://iam.googleapis.com/projects/-/serviceAccounts/my-service-account@iam.gserviceaccount.com.
- deleted:principal://iam.googleapis.com/projects/-/serviceAccounts/{service_account_id}?uid={uid}: A Google Cloud service account that was deleted recently. For example, deleted:principal://iam.googleapis.com/projects/-/serviceAccounts/my-service-account@iam.gserviceaccount.com?uid=1234567890. If the service account is undeleted, this identifier reverts to the standard identifier for a service account.
- principalSet://goog/cloudIdentityCustomerId/{customer_id}: All of the principals associated with the specified Google Workspace or Cloud Identity customer ID. For example, principalSet://goog/cloudIdentityCustomerId/C01Abc35.
repeated string denied_principals = 1;
getDeniedPrincipalsBytes(int index)
public ByteString getDeniedPrincipalsBytes(int index)
The identities that are prevented from using one or more permissions on Google Cloud resources. This field can contain the following values:
- principalSet://goog/public:all: A special identifier that represents any principal that is on the internet, even if they do not have a Google Account or are not logged in.
- principal://goog/subject/{email_id}: A specific Google Account. Includes Gmail, Cloud Identity, and Google Workspace user accounts. For example, principal://goog/subject/alice@example.com.
- deleted:principal://goog/subject/{email_id}?uid={uid}: A specific Google Account that was deleted recently. For example, deleted:principal://goog/subject/alice@example.com?uid=1234567890. If the Google Account is recovered, this identifier reverts to the standard identifier for a Google Account.
- principalSet://goog/group/{group_id}: A Google group. For example, principalSet://goog/group/admins@example.com.
- deleted:principalSet://goog/group/{group_id}?uid={uid}: A Google group that was deleted recently. For example, deleted:principalSet://goog/group/admins@example.com?uid=1234567890. If the Google group is restored, this identifier reverts to the standard identifier for a Google group.
- principal://iam.googleapis.com/projects/-/serviceAccounts/{service_account_id}: A Google Cloud service account. For example, principal://iam.googleapis.com/projects/-/serviceAccounts/my-service-account@iam.gserviceaccount.com.
- deleted:principal://iam.googleapis.com/projects/-/serviceAccounts/{service_account_id}?uid={uid}: A Google Cloud service account that was deleted recently. For example, deleted:principal://iam.googleapis.com/projects/-/serviceAccounts/my-service-account@iam.gserviceaccount.com?uid=1234567890. If the service account is undeleted, this identifier reverts to the standard identifier for a service account.
- principalSet://goog/cloudIdentityCustomerId/{customer_id}: All of the principals associated with the specified Google Workspace or Cloud Identity customer ID. For example, principalSet://goog/cloudIdentityCustomerId/C01Abc35.
repeated string denied_principals = 1;
getDeniedPrincipalsCount()
public int getDeniedPrincipalsCount()
The identities that are prevented from using one or more permissions on Google Cloud resources. This field can contain the following values:
- principalSet://goog/public:all: A special identifier that represents any principal that is on the internet, even if they do not have a Google Account or are not logged in.
- principal://goog/subject/{email_id}: A specific Google Account. Includes Gmail, Cloud Identity, and Google Workspace user accounts. For example, principal://goog/subject/alice@example.com.
- deleted:principal://goog/subject/{email_id}?uid={uid}: A specific Google Account that was deleted recently. For example, deleted:principal://goog/subject/alice@example.com?uid=1234567890. If the Google Account is recovered, this identifier reverts to the standard identifier for a Google Account.
- principalSet://goog/group/{group_id}: A Google group. For example, principalSet://goog/group/admins@example.com.
- deleted:principalSet://goog/group/{group_id}?uid={uid}: A Google group that was deleted recently. For example, deleted:principalSet://goog/group/admins@example.com?uid=1234567890. If the Google group is restored, this identifier reverts to the standard identifier for a Google group.
- principal://iam.googleapis.com/projects/-/serviceAccounts/{service_account_id}: A Google Cloud service account. For example, principal://iam.googleapis.com/projects/-/serviceAccounts/my-service-account@iam.gserviceaccount.com.
- deleted:principal://iam.googleapis.com/projects/-/serviceAccounts/{service_account_id}?uid={uid}: A Google Cloud service account that was deleted recently. For example, deleted:principal://iam.googleapis.com/projects/-/serviceAccounts/my-service-account@iam.gserviceaccount.com?uid=1234567890. If the service account is undeleted, this identifier reverts to the standard identifier for a service account.
- principalSet://goog/cloudIdentityCustomerId/{customer_id}: All of the principals associated with the specified Google Workspace or Cloud Identity customer ID. For example, principalSet://goog/cloudIdentityCustomerId/C01Abc35.
repeated string denied_principals = 1;
getDeniedPrincipalsList()
public ProtocolStringList getDeniedPrincipalsList()
The identities that are prevented from using one or more permissions on Google Cloud resources. This field can contain the following values:
- principalSet://goog/public:all: A special identifier that represents any principal that is on the internet, even if they do not have a Google Account or are not logged in.
- principal://goog/subject/{email_id}: A specific Google Account. Includes Gmail, Cloud Identity, and Google Workspace user accounts. For example, principal://goog/subject/alice@example.com.
- deleted:principal://goog/subject/{email_id}?uid={uid}: A specific Google Account that was deleted recently. For example, deleted:principal://goog/subject/alice@example.com?uid=1234567890. If the Google Account is recovered, this identifier reverts to the standard identifier for a Google Account.
- principalSet://goog/group/{group_id}: A Google group. For example, principalSet://goog/group/admins@example.com.
- deleted:principalSet://goog/group/{group_id}?uid={uid}: A Google group that was deleted recently. For example, deleted:principalSet://goog/group/admins@example.com?uid=1234567890. If the Google group is restored, this identifier reverts to the standard identifier for a Google group.
- principal://iam.googleapis.com/projects/-/serviceAccounts/{service_account_id}: A Google Cloud service account. For example, principal://iam.googleapis.com/projects/-/serviceAccounts/my-service-account@iam.gserviceaccount.com.
- deleted:principal://iam.googleapis.com/projects/-/serviceAccounts/{service_account_id}?uid={uid}: A Google Cloud service account that was deleted recently. For example, deleted:principal://iam.googleapis.com/projects/-/serviceAccounts/my-service-account@iam.gserviceaccount.com?uid=1234567890. If the service account is undeleted, this identifier reverts to the standard identifier for a service account.
- principalSet://goog/cloudIdentityCustomerId/{customer_id}: All of the principals associated with the specified Google Workspace or Cloud Identity customer ID. For example, principalSet://goog/cloudIdentityCustomerId/C01Abc35.
repeated string denied_principals = 1;
getExceptionPermissions(int index)
public String getExceptionPermissions(int index)
Specifies the permissions that this rule excludes from the set of denied permissions given by denied_permissions. If a permission appears in denied_permissions and in exception_permissions then it will not be denied.
The excluded permissions can be specified using the same syntax as denied_permissions.
repeated string exception_permissions = 4;
getExceptionPermissionsBytes(int index)
public ByteString getExceptionPermissionsBytes(int index)
Specifies the permissions that this rule excludes from the set of denied permissions given by denied_permissions. If a permission appears in denied_permissions and in exception_permissions then it will not be denied.
The excluded permissions can be specified using the same syntax as denied_permissions.
repeated string exception_permissions = 4;
getExceptionPermissionsCount()
public int getExceptionPermissionsCount()
Specifies the permissions that this rule excludes from the set of denied permissions given by denied_permissions. If a permission appears in denied_permissions and in exception_permissions then it will not be denied.
The excluded permissions can be specified using the same syntax as denied_permissions.
repeated string exception_permissions = 4;
getExceptionPermissionsList()
public ProtocolStringList getExceptionPermissionsList()
Specifies the permissions that this rule excludes from the set of denied permissions given by denied_permissions. If a permission appears in denied_permissions and in exception_permissions then it will not be denied.
The excluded permissions can be specified using the same syntax as denied_permissions.
repeated string exception_permissions = 4;
getExceptionPrincipals(int index)
public String getExceptionPrincipals(int index)
The identities that are excluded from the deny rule, even if they are listed in the denied_principals. For example, you could add a Google group to the denied_principals, then exclude specific users who belong to that group.
This field can contain the same values as the denied_principals field, excluding principalSet://goog/public:all, which represents all users on the internet.
repeated string exception_principals = 2;
getExceptionPrincipalsBytes(int index)
public ByteString getExceptionPrincipalsBytes(int index)
The identities that are excluded from the deny rule, even if they are listed in the denied_principals. For example, you could add a Google group to the denied_principals, then exclude specific users who belong to that group.
This field can contain the same values as the denied_principals field, excluding principalSet://goog/public:all, which represents all users on the internet.
repeated string exception_principals = 2;
getExceptionPrincipalsCount()
public int getExceptionPrincipalsCount()
The identities that are excluded from the deny rule, even if they are listed in the denied_principals. For example, you could add a Google group to the denied_principals, then exclude specific users who belong to that group.
This field can contain the same values as the denied_principals field, excluding principalSet://goog/public:all, which represents all users on the internet.
repeated string exception_principals = 2;
getExceptionPrincipalsList()
public ProtocolStringList getExceptionPrincipalsList()
The identities that are excluded from the deny rule, even if they are listed in the denied_principals. For example, you could add a Google group to the denied_principals, then exclude specific users who belong to that group.
This field can contain the same values as the denied_principals field, excluding principalSet://goog/public:all, which represents all users on the internet.
repeated string exception_principals = 2;
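The five fields documented above (denied_principals, exception_principals, denied_permissions, exception_permissions, denial_condition) are set through DenyRule.Builder and read back through the getters. The following is an added example, not code from this generated class or from the google-cloud-iam library: it builds a rule that denies role management to an entire Cloud Identity customer except a break-glass group, scoped by a resource-tag condition, and then lints a rule for the mistakes the field docs warn about (public:all in exception_principals, exceptions that do not match any denied permission, exceptions that cancel the whole rule, deleted identities, a condition that does not use a tag function). The break-glass group address, the tag key and value, and every permission other than iam.googleapis.com/roles.list are placeholders; the permission regex and the tag-function check are heuristics written for this example, not the service's own validation.

```java
import com.google.iam.v2.DenyRule;
import com.google.type.Expr;
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Pattern;

public final class DenyRuleAudit {

  // Documented shape {service_fqdn}/{resource}.{verb}; a heuristic, not the API's validator.
  private static final Pattern PERMISSION =
      Pattern.compile("^[a-z][a-z0-9.-]*\\.[a-z]+/[A-Za-z0-9_]+\\.[A-Za-z0-9_]+$");
  private static final String PUBLIC_ALL = "principalSet://goog/public:all";

  /** Denies role management to everyone in the customer except a break-glass group, on prod-tagged resources only. */
  static DenyRule buildRule() {
    Expr prodOnly = Expr.newBuilder()
        .setTitle("prod only")
        .setDescription("Apply only to resources tagged env=prod")
        // Assumed tag: the numeric prefix stands for the tag key's parent org id and is a placeholder.
        .setExpression("resource.matchTag('123456789012/env', 'prod')")
        .build();
    return DenyRule.newBuilder()
        .addDeniedPrincipals("principalSet://goog/cloudIdentityCustomerId/C01Abc35")
        .addExceptionPrincipals("principalSet://goog/group/iam-breakglass@example.com") // placeholder group
        .addDeniedPermissions("iam.googleapis.com/roles.create") // assumed deny-supported permissions
        .addDeniedPermissions("iam.googleapis.com/roles.update")
        .addDeniedPermissions("iam.googleapis.com/roles.delete")
        .addDeniedPermissions("iam.googleapis.com/roles.list")
        .addExceptionPermissions("iam.googleapis.com/roles.list") // listing stays allowed
        .setDenialCondition(prodOnly)
        .build();
  }

  /** Returns one line per problem found; an empty list means the rule passed every check. */
  static List<String> audit(DenyRule rule) {
    List<String> findings = new ArrayList<>();
    List<String> denied = rule.getDeniedPermissionsList();
    List<String> excepted = rule.getExceptionPermissionsList();

    if (rule.getDeniedPrincipalsCount() == 0) {
      findings.add("denied_principals is empty: rule denies nobody");
    }
    if (denied.isEmpty()) {
      findings.add("denied_permissions is empty: rule denies nothing");
    }
    for (String p : rule.getDeniedPrincipalsList()) {
      // A deleted identity reverts to its normal identifier if recovered, so the entry goes stale.
      if (p.startsWith("deleted:")) {
        findings.add("denied principal is a deleted identity: " + p);
      }
    }
    for (String p : rule.getExceptionPrincipalsList()) {
      if (PUBLIC_ALL.equals(p)) {
        findings.add("exception_principals may not contain " + PUBLIC_ALL);
      }
    }
    for (String perm : denied) {
      if (!PERMISSION.matcher(perm).matches()) {
        findings.add("malformed permission: " + perm);
      }
    }
    for (String perm : excepted) {
      if (!denied.contains(perm)) {
        findings.add("exception permission not in denied_permissions (no effect): " + perm);
      }
    }
    if (!denied.isEmpty() && excepted.containsAll(denied)) {
      findings.add("exception_permissions cancels every denied permission");
    }
    if (rule.hasDenialCondition()) {
      String expr = rule.getDenialCondition().getExpression();
      // Deny conditions may only use the resource tag CEL functions; substring check is a heuristic.
      if (!expr.contains("resource.matchTag") && !expr.contains("resource.hasTagKey")) {
        findings.add("denial_condition does not use a resource tag function: " + expr);
      }
    }
    return findings;
  }

  public static void main(String[] args) {
    System.out.println("good rule findings: " + audit(buildRule())); // []

    DenyRule bad = buildRule().toBuilder()
        .addExceptionPrincipals(PUBLIC_ALL)
        .addExceptionPermissions("iam.googleapis.com/roles.get")
        .addDeniedPermissions("roles.list")
        .setDenialCondition(Expr.newBuilder()
            .setExpression("request.time < timestamp('2030-01-01T00:00:00Z')").build())
        .build();
    for (String f : audit(bad)) {
      System.out.println("bad rule: " + f);
    }
  }
}
```

Run this against rules pulled from the API before they are applied, or in a CI check over rules kept in source control. The API rejects some of these cases itself (public:all as an exception, an unsupported condition), but the no-effect exception and the fully cancelled rule are accepted and simply do nothing, which is the kind of silent failure a deny policy exists to prevent.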
getParserForType()
public Parser<DenyRule> getParserForType()
getSerializedSize()
public int getSerializedSize()
hasDenialCondition()
public boolean hasDenialCondition()
The condition that determines whether this deny rule applies to a request. If the condition expression evaluates to true, then the deny rule is applied; otherwise, the deny rule is not applied.
Each deny rule is evaluated independently. If this deny rule does not apply to a request, other deny rules might still apply.
The condition can use CEL functions that evaluate resource tags. Other functions and operators are not supported.
.google.type.Expr denial_condition = 5;
Returns: boolean, whether the denialCondition field is set. A rule without a condition applies to every request that matches its principals and permissions.
hashCode()
public int hashCode()
internalGetFieldAccessorTable()
protected GeneratedMessage.FieldAccessorTable internalGetFieldAccessorTable()
isInitialized()
public final boolean isInitialized()
newBuilderForType()
public DenyRule.Builder newBuilderForType()
newBuilderForType(AbstractMessage.BuilderParent parent)
protected DenyRule.Builder newBuilderForType(AbstractMessage.BuilderParent parent)
toBuilder()
public DenyRule.Builder toBuilder()
writeTo(CodedOutputStream output)
public void writeTo(CodedOutputStream output)

