Console
    Start free

    Google Cloud Iam V2 Client - Class DenyRule (0.4.2)

    Reference documentation and code samples for the Google Cloud Iam V2 Client class DenyRule.

    A deny rule in an IAM deny policy.

    Generated from protobuf message google.iam.v2.DenyRule

    Namespace

    Google \ Cloud \ Iam \ V2

    Methods

    __construct

    Constructor.

    Parameters
    Name
    Description
    data
    array

    Optional. Data for populating the Message object.

    ↳ denied_principals
    array

    The identities that are prevented from using one or more permissions on Google Cloud resources. This field can contain the following values: * principalSet://goog/public:all : A special identifier that represents any principal that is on the internet, even if they do not have a Google Account or are not logged in. * principal://goog/subject/{email_id} : A specific Google Account. Includes Gmail, Cloud Identity, and Google Workspace user accounts. For example, principal://goog/subject/alice@example.com . * deleted:principal://goog/subject/{email_id}?uid={uid} : A specific Google Account that was deleted recently. For example, deleted:principal://goog/subject/alice@example.com?uid=1234567890 . If the Google Account is recovered, this identifier reverts to the standard identifier for a Google Account. * principalSet://goog/group/{group_id} : A Google group. For example, principalSet://goog/group/admins@example.com . * deleted:principalSet://goog/group/{group_id}?uid={uid} : A Google group that was deleted recently. For example, deleted:principalSet://goog/group/admins@example.com?uid=1234567890 . If the Google group is restored, this identifier reverts to the standard identifier for a Google group. * principal://iam.googleapis.com/projects/-/serviceAccounts/{service_account_id} : A Google Cloud service account. For example, principal://iam.googleapis.com/projects/-/serviceAccounts/my-service-account@iam.gserviceaccount.com . * deleted:principal://iam.googleapis.com/projects/-/serviceAccounts/{service_account_id}?uid={uid} : A Google Cloud service account that was deleted recently. For example, deleted:principal://iam.googleapis.com/projects/-/serviceAccounts/my-service-account@iam.gserviceaccount.com?uid=1234567890 . If the service account is undeleted, this identifier reverts to the standard identifier for a service account. * principalSet://goog/cloudIdentityCustomerId/{customer_id} : All of the principals associated with the specified Google Workspace or Cloud Identity customer ID. For example, principalSet://goog/cloudIdentityCustomerId/C01Abc35 .

    ↳ exception_principals
    array

    The identities that are excluded from the deny rule, even if they are listed in the denied_principals . For example, you could add a Google group to the denied_principals , then exclude specific users who belong to that group. This field can contain the same values as the denied_principals field, excluding principalSet://goog/public:all , which represents all users on the internet.

    ↳ denied_permissions
    array

    The permissions that are explicitly denied by this rule. Each permission uses the format {service_fqdn}/{resource}.{verb} , where {service_fqdn} is the fully qualified domain name for the service. For example, iam.googleapis.com/roles.list .

    ↳ exception_permissions
    array

    Specifies the permissions that this rule excludes from the set of denied permissions given by denied_permissions . If a permission appears in denied_permissions and in exception_permissions then it will not be denied. The excluded permissions can be specified using the same syntax as denied_permissions .

    ↳ denial_condition
    Google\Type\Expr

    The condition that determines whether this deny rule applies to a request. If the condition expression evaluates to true , then the deny rule is applied; otherwise, the deny rule is not applied. Each deny rule is evaluated independently. If this deny rule does not apply to a request, other deny rules might still apply. The condition can use CEL functions that evaluate resource tags . Other functions and operators are not supported.

    getDeniedPrincipals

    The identities that are prevented from using one or more permissions on Google Cloud resources. This field can contain the following values:

    • principalSet://goog/public:all : A special identifier that represents any principal that is on the internet, even if they do not have a Google Account or are not logged in.

    • principal://goog/subject/{email_id} : A specific Google Account. Includes Gmail, Cloud Identity, and Google Workspace user accounts. For example, principal://goog/subject/alice@example.com .

    • deleted:principal://goog/subject/{email_id}?uid={uid} : A specific Google Account that was deleted recently. For example, deleted:principal://goog/subject/alice@example.com?uid=1234567890 . If the Google Account is recovered, this identifier reverts to the standard identifier for a Google Account.
    • principalSet://goog/group/{group_id} : A Google group. For example, principalSet://goog/group/admins@example.com .
    • deleted:principalSet://goog/group/{group_id}?uid={uid} : A Google group that was deleted recently. For example, deleted:principalSet://goog/group/admins@example.com?uid=1234567890 . If the Google group is restored, this identifier reverts to the standard identifier for a Google group.
    • principal://iam.googleapis.com/projects/-/serviceAccounts/{service_account_id} : A Google Cloud service account. For example, principal://iam.googleapis.com/projects/-/serviceAccounts/my-service-account@iam.gserviceaccount.com .
    • deleted:principal://iam.googleapis.com/projects/-/serviceAccounts/{service_account_id}?uid={uid} : A Google Cloud service account that was deleted recently. For example, deleted:principal://iam.googleapis.com/projects/-/serviceAccounts/my-service-account@iam.gserviceaccount.com?uid=1234567890 . If the service account is undeleted, this identifier reverts to the standard identifier for a service account.
    • principalSet://goog/cloudIdentityCustomerId/{customer_id} : All of the principals associated with the specified Google Workspace or Cloud Identity customer ID. For example, principalSet://goog/cloudIdentityCustomerId/C01Abc35 .
    Returns
    Type
    Description
    Google\Protobuf\Internal\RepeatedField

    setDeniedPrincipals

    The identities that are prevented from using one or more permissions on Google Cloud resources. This field can contain the following values:

    • principalSet://goog/public:all : A special identifier that represents any principal that is on the internet, even if they do not have a Google Account or are not logged in.

    • principal://goog/subject/{email_id} : A specific Google Account. Includes Gmail, Cloud Identity, and Google Workspace user accounts. For example, principal://goog/subject/alice@example.com .

    • deleted:principal://goog/subject/{email_id}?uid={uid} : A specific Google Account that was deleted recently. For example, deleted:principal://goog/subject/alice@example.com?uid=1234567890 . If the Google Account is recovered, this identifier reverts to the standard identifier for a Google Account.
    • principalSet://goog/group/{group_id} : A Google group. For example, principalSet://goog/group/admins@example.com .
    • deleted:principalSet://goog/group/{group_id}?uid={uid} : A Google group that was deleted recently. For example, deleted:principalSet://goog/group/admins@example.com?uid=1234567890 . If the Google group is restored, this identifier reverts to the standard identifier for a Google group.
    • principal://iam.googleapis.com/projects/-/serviceAccounts/{service_account_id} : A Google Cloud service account. For example, principal://iam.googleapis.com/projects/-/serviceAccounts/my-service-account@iam.gserviceaccount.com .
    • deleted:principal://iam.googleapis.com/projects/-/serviceAccounts/{service_account_id}?uid={uid} : A Google Cloud service account that was deleted recently. For example, deleted:principal://iam.googleapis.com/projects/-/serviceAccounts/my-service-account@iam.gserviceaccount.com?uid=1234567890 . If the service account is undeleted, this identifier reverts to the standard identifier for a service account.
    • principalSet://goog/cloudIdentityCustomerId/{customer_id} : All of the principals associated with the specified Google Workspace or Cloud Identity customer ID. For example, principalSet://goog/cloudIdentityCustomerId/C01Abc35 .
    Parameter
    Name
    Description
    var
    string[]
    Returns
    Type
    Description
    $this

    getExceptionPrincipals

    The identities that are excluded from the deny rule, even if they are listed in the denied_principals . For example, you could add a Google group to the denied_principals , then exclude specific users who belong to that group.

    This field can contain the same values as the denied_principals field, excluding principalSet://goog/public:all , which represents all users on the internet.

    Returns
    Type
    Description
    Google\Protobuf\Internal\RepeatedField

    setExceptionPrincipals

    The identities that are excluded from the deny rule, even if they are listed in the denied_principals . For example, you could add a Google group to the denied_principals , then exclude specific users who belong to that group.

    This field can contain the same values as the denied_principals field, excluding principalSet://goog/public:all , which represents all users on the internet.

    Parameter
    Name
    Description
    var
    string[]
    Returns
    Type
    Description
    $this

    getDeniedPermissions

    The permissions that are explicitly denied by this rule. Each permission uses the format {service_fqdn}/{resource}.{verb} , where {service_fqdn} is the fully qualified domain name for the service. For example, iam.googleapis.com/roles.list .

    Returns
    Type
    Description
    Google\Protobuf\Internal\RepeatedField

    setDeniedPermissions

    The permissions that are explicitly denied by this rule. Each permission uses the format {service_fqdn}/{resource}.{verb} , where {service_fqdn} is the fully qualified domain name for the service. For example, iam.googleapis.com/roles.list .

    Parameter
    Name
    Description
    var
    string[]
    Returns
    Type
    Description
    $this

    getExceptionPermissions

    Specifies the permissions that this rule excludes from the set of denied permissions given by denied_permissions . If a permission appears in denied_permissions and in exception_permissions then it will not be denied.

    The excluded permissions can be specified using the same syntax as denied_permissions .

    Returns
    Type
    Description
    Google\Protobuf\Internal\RepeatedField

    setExceptionPermissions

    Specifies the permissions that this rule excludes from the set of denied permissions given by denied_permissions . If a permission appears in denied_permissions and in exception_permissions then it will not be denied.

    The excluded permissions can be specified using the same syntax as denied_permissions .

    Parameter
    Name
    Description
    var
    string[]
    Returns
    Type
    Description
    $this

    getDenialCondition

    The condition that determines whether this deny rule applies to a request.

    If the condition expression evaluates to true , then the deny rule is applied; otherwise, the deny rule is not applied. Each deny rule is evaluated independently. If this deny rule does not apply to a request, other deny rules might still apply. The condition can use CEL functions that evaluate resource tags . Other functions and operators are not supported.

    Returns
    Type
    Description
    Google\Type\Expr |null

    hasDenialCondition

    clearDenialCondition

    setDenialCondition

    The condition that determines whether this deny rule applies to a request.

    If the condition expression evaluates to true , then the deny rule is applied; otherwise, the deny rule is not applied. Each deny rule is evaluated independently. If this deny rule does not apply to a request, other deny rules might still apply. The condition can use CEL functions that evaluate resource tags . Other functions and operators are not supported.

    Parameter
    Name
    Description
    var
    Google\Type\Expr
    Returns
    Type
    Description
    $this
    Design a Mobile Site
    View Site in Mobile | Classic
    Share by: