public
final
class
DenyRule
extends
GeneratedMessageV3
implements
DenyRuleOrBuilder
A deny rule in an IAM deny policy.
Protobuf type google.iam.v2.DenyRule
Inheritance
Object > AbstractMessageLite<MessageType,BuilderType> > AbstractMessage > GeneratedMessageV3 > DenyRule
Implements
DenyRuleOrBuilder
Static Fields
DENIAL_CONDITION_FIELD_NUMBER
public
static
final
int
DENIAL_CONDITION_FIELD_NUMBER
DENIED_PERMISSIONS_FIELD_NUMBER
public
static
final
int
DENIED_PERMISSIONS_FIELD_NUMBER
DENIED_PRINCIPALS_FIELD_NUMBER
public
static
final
int
DENIED_PRINCIPALS_FIELD_NUMBER
EXCEPTION_PERMISSIONS_FIELD_NUMBER
public
static
final
int
EXCEPTION_PERMISSIONS_FIELD_NUMBER
EXCEPTION_PRINCIPALS_FIELD_NUMBER
public
static
final
int
EXCEPTION_PRINCIPALS_FIELD_NUMBER
Static Methods
getDefaultInstance()
public
static
DenyRule
getDefaultInstance
()
getDescriptor()
public
static
final
Descriptors
.
Descriptor
getDescriptor
()
newBuilder()
public
static
DenyRule
.
Builder
newBuilder
()
newBuilder(DenyRule prototype)
public
static
DenyRule
.
Builder
newBuilder
(
DenyRule
prototype
)
parseDelimitedFrom(InputStream input)
public
static
DenyRule
parseDelimitedFrom
(
InputStream
input
)
parseDelimitedFrom(InputStream input, ExtensionRegistryLite extensionRegistry)
public
static
DenyRule
parseDelimitedFrom
(
InputStream
input
,
ExtensionRegistryLite
extensionRegistry
)
parseFrom(byte[] data)
public
static
DenyRule
parseFrom
(
byte
[]
data
)
data
byte
[]
parseFrom(byte[] data, ExtensionRegistryLite extensionRegistry)
public
static
DenyRule
parseFrom
(
byte
[]
data
,
ExtensionRegistryLite
extensionRegistry
)
parseFrom(ByteString data)
public
static
DenyRule
parseFrom
(
ByteString
data
)
parseFrom(ByteString data, ExtensionRegistryLite extensionRegistry)
public
static
DenyRule
parseFrom
(
ByteString
data
,
ExtensionRegistryLite
extensionRegistry
)
parseFrom(CodedInputStream input)
public
static
DenyRule
parseFrom
(
CodedInputStream
input
)
parseFrom(CodedInputStream input, ExtensionRegistryLite extensionRegistry)
public
static
DenyRule
parseFrom
(
CodedInputStream
input
,
ExtensionRegistryLite
extensionRegistry
)
parseFrom(InputStream input)
public
static
DenyRule
parseFrom
(
InputStream
input
)
parseFrom(InputStream input, ExtensionRegistryLite extensionRegistry)
public
static
DenyRule
parseFrom
(
InputStream
input
,
ExtensionRegistryLite
extensionRegistry
)
parseFrom(ByteBuffer data)
public
static
DenyRule
parseFrom
(
ByteBuffer
data
)
parseFrom(ByteBuffer data, ExtensionRegistryLite extensionRegistry)
public
static
DenyRule
parseFrom
(
ByteBuffer
data
,
ExtensionRegistryLite
extensionRegistry
)
parser()
public
static
Parser<DenyRule>
parser
()
Methods
equals(Object obj)
public
boolean
equals
(
Object
obj
)
getDefaultInstanceForType()
public
DenyRule
getDefaultInstanceForType
()
getDenialCondition()
public
Expr
getDenialCondition
()
The condition that determines whether this deny rule applies to a request. If the condition expression evaluates to `true`, then the deny rule is applied; otherwise, the deny rule is not applied.
Each deny rule is evaluated independently. If this deny rule does not apply to a request, other deny rules might still apply.
The condition can use CEL functions that evaluate resource tags. Other functions and operators are not supported.
.google.type.Expr denial_condition = 5;
com.google.type.Expr
The denialCondition.
getDenialConditionOrBuilder()
public
ExprOrBuilder
getDenialConditionOrBuilder
()
The condition that determines whether this deny rule applies to a request. If the condition expression evaluates to `true`, then the deny rule is applied; otherwise, the deny rule is not applied.
Each deny rule is evaluated independently. If this deny rule does not apply to a request, other deny rules might still apply.
The condition can use CEL functions that evaluate resource tags. Other functions and operators are not supported.
.google.type.Expr denial_condition = 5;
com.google.type.ExprOrBuilder
getDeniedPermissions(int index)
public
String
getDeniedPermissions
(
int
index
)
The permissions that are explicitly denied by this rule. Each permission uses the format `{service_fqdn}/{resource}.{verb}`, where `{service_fqdn}` is the fully qualified domain name for the service. For example, `iam.googleapis.com/roles.list`.
repeated string denied_permissions = 3;
getDeniedPermissionsBytes(int index)
public
ByteString
getDeniedPermissionsBytes
(
int
index
)
The permissions that are explicitly denied by this rule. Each permission uses the format `{service_fqdn}/{resource}.{verb}`, where `{service_fqdn}` is the fully qualified domain name for the service. For example, `iam.googleapis.com/roles.list`.
repeated string denied_permissions = 3;
getDeniedPermissionsCount()
public
int
getDeniedPermissionsCount
()
The permissions that are explicitly denied by this rule. Each permission uses the format `{service_fqdn}/{resource}.{verb}`, where `{service_fqdn}` is the fully qualified domain name for the service. For example, `iam.googleapis.com/roles.list`.
repeated string denied_permissions = 3;
getDeniedPermissionsList()
public
ProtocolStringList
getDeniedPermissionsList
()
The permissions that are explicitly denied by this rule. Each permission uses the format `{service_fqdn}/{resource}.{verb}`, where `{service_fqdn}` is the fully qualified domain name for the service. For example, `iam.googleapis.com/roles.list`.
repeated string denied_permissions = 3;
getDeniedPrincipals(int index)
public
String
getDeniedPrincipals
(
int
index
)
The identities that are prevented from using one or more permissions on Google Cloud resources. This field can contain the following values:
- `principalSet://goog/public:all`: A special identifier that represents any principal that is on the internet, even if they do not have a Google Account or are not logged in.
- `principal://goog/subject/{email_id}`: A specific Google Account. Includes Gmail, Cloud Identity, and Google Workspace user accounts. For example, `principal://goog/subject/alice@example.com`.
- `deleted:principal://goog/subject/{email_id}?uid={uid}`: A specific Google Account that was deleted recently. For example, `deleted:principal://goog/subject/alice@example.com?uid=1234567890`. If the Google Account is recovered, this identifier reverts to the standard identifier for a Google Account.
- `principalSet://goog/group/{group_id}`: A Google group. For example, `principalSet://goog/group/admins@example.com`.
- `deleted:principalSet://goog/group/{group_id}?uid={uid}`: A Google group that was deleted recently. For example, `deleted:principalSet://goog/group/admins@example.com?uid=1234567890`. If the Google group is restored, this identifier reverts to the standard identifier for a Google group.
- `principal://iam.googleapis.com/projects/-/serviceAccounts/{service_account_id}`: A Google Cloud service account. For example, `principal://iam.googleapis.com/projects/-/serviceAccounts/my-service-account@iam.gserviceaccount.com`.
- `deleted:principal://iam.googleapis.com/projects/-/serviceAccounts/{service_account_id}?uid={uid}`: A Google Cloud service account that was deleted recently. For example, `deleted:principal://iam.googleapis.com/projects/-/serviceAccounts/my-service-account@iam.gserviceaccount.com?uid=1234567890`. If the service account is undeleted, this identifier reverts to the standard identifier for a service account.
- `principalSet://goog/cloudIdentityCustomerId/{customer_id}`: All of the principals associated with the specified Google Workspace or Cloud Identity customer ID. For example, `principalSet://goog/cloudIdentityCustomerId/C01Abc35`.
repeated string denied_principals = 1;
getDeniedPrincipalsBytes(int index)
public
ByteString
getDeniedPrincipalsBytes
(
int
index
)
The identities that are prevented from using one or more permissions on Google Cloud resources. This field can contain the following values:
- `principalSet://goog/public:all`: A special identifier that represents any principal that is on the internet, even if they do not have a Google Account or are not logged in.
- `principal://goog/subject/{email_id}`: A specific Google Account. Includes Gmail, Cloud Identity, and Google Workspace user accounts. For example, `principal://goog/subject/alice@example.com`.
- `deleted:principal://goog/subject/{email_id}?uid={uid}`: A specific Google Account that was deleted recently. For example, `deleted:principal://goog/subject/alice@example.com?uid=1234567890`. If the Google Account is recovered, this identifier reverts to the standard identifier for a Google Account.
- `principalSet://goog/group/{group_id}`: A Google group. For example, `principalSet://goog/group/admins@example.com`.
- `deleted:principalSet://goog/group/{group_id}?uid={uid}`: A Google group that was deleted recently. For example, `deleted:principalSet://goog/group/admins@example.com?uid=1234567890`. If the Google group is restored, this identifier reverts to the standard identifier for a Google group.
- `principal://iam.googleapis.com/projects/-/serviceAccounts/{service_account_id}`: A Google Cloud service account. For example, `principal://iam.googleapis.com/projects/-/serviceAccounts/my-service-account@iam.gserviceaccount.com`.
- `deleted:principal://iam.googleapis.com/projects/-/serviceAccounts/{service_account_id}?uid={uid}`: A Google Cloud service account that was deleted recently. For example, `deleted:principal://iam.googleapis.com/projects/-/serviceAccounts/my-service-account@iam.gserviceaccount.com?uid=1234567890`. If the service account is undeleted, this identifier reverts to the standard identifier for a service account.
- `principalSet://goog/cloudIdentityCustomerId/{customer_id}`: All of the principals associated with the specified Google Workspace or Cloud Identity customer ID. For example, `principalSet://goog/cloudIdentityCustomerId/C01Abc35`.
repeated string denied_principals = 1;
getDeniedPrincipalsCount()
public
int
getDeniedPrincipalsCount
()
The identities that are prevented from using one or more permissions on Google Cloud resources. This field can contain the following values:
- `principalSet://goog/public:all`: A special identifier that represents any principal that is on the internet, even if they do not have a Google Account or are not logged in.
- `principal://goog/subject/{email_id}`: A specific Google Account. Includes Gmail, Cloud Identity, and Google Workspace user accounts. For example, `principal://goog/subject/alice@example.com`.
- `deleted:principal://goog/subject/{email_id}?uid={uid}`: A specific Google Account that was deleted recently. For example, `deleted:principal://goog/subject/alice@example.com?uid=1234567890`. If the Google Account is recovered, this identifier reverts to the standard identifier for a Google Account.
- `principalSet://goog/group/{group_id}`: A Google group. For example, `principalSet://goog/group/admins@example.com`.
- `deleted:principalSet://goog/group/{group_id}?uid={uid}`: A Google group that was deleted recently. For example, `deleted:principalSet://goog/group/admins@example.com?uid=1234567890`. If the Google group is restored, this identifier reverts to the standard identifier for a Google group.
- `principal://iam.googleapis.com/projects/-/serviceAccounts/{service_account_id}`: A Google Cloud service account. For example, `principal://iam.googleapis.com/projects/-/serviceAccounts/my-service-account@iam.gserviceaccount.com`.
- `deleted:principal://iam.googleapis.com/projects/-/serviceAccounts/{service_account_id}?uid={uid}`: A Google Cloud service account that was deleted recently. For example, `deleted:principal://iam.googleapis.com/projects/-/serviceAccounts/my-service-account@iam.gserviceaccount.com?uid=1234567890`. If the service account is undeleted, this identifier reverts to the standard identifier for a service account.
- `principalSet://goog/cloudIdentityCustomerId/{customer_id}`: All of the principals associated with the specified Google Workspace or Cloud Identity customer ID. For example, `principalSet://goog/cloudIdentityCustomerId/C01Abc35`.
repeated string denied_principals = 1;
getDeniedPrincipalsList()
public
ProtocolStringList
getDeniedPrincipalsList
()
The identities that are prevented from using one or more permissions on Google Cloud resources. This field can contain the following values:
- `principalSet://goog/public:all`: A special identifier that represents any principal that is on the internet, even if they do not have a Google Account or are not logged in.
- `principal://goog/subject/{email_id}`: A specific Google Account. Includes Gmail, Cloud Identity, and Google Workspace user accounts. For example, `principal://goog/subject/alice@example.com`.
- `deleted:principal://goog/subject/{email_id}?uid={uid}`: A specific Google Account that was deleted recently. For example, `deleted:principal://goog/subject/alice@example.com?uid=1234567890`. If the Google Account is recovered, this identifier reverts to the standard identifier for a Google Account.
- `principalSet://goog/group/{group_id}`: A Google group. For example, `principalSet://goog/group/admins@example.com`.
- `deleted:principalSet://goog/group/{group_id}?uid={uid}`: A Google group that was deleted recently. For example, `deleted:principalSet://goog/group/admins@example.com?uid=1234567890`. If the Google group is restored, this identifier reverts to the standard identifier for a Google group.
- `principal://iam.googleapis.com/projects/-/serviceAccounts/{service_account_id}`: A Google Cloud service account. For example, `principal://iam.googleapis.com/projects/-/serviceAccounts/my-service-account@iam.gserviceaccount.com`.
- `deleted:principal://iam.googleapis.com/projects/-/serviceAccounts/{service_account_id}?uid={uid}`: A Google Cloud service account that was deleted recently. For example, `deleted:principal://iam.googleapis.com/projects/-/serviceAccounts/my-service-account@iam.gserviceaccount.com?uid=1234567890`. If the service account is undeleted, this identifier reverts to the standard identifier for a service account.
- `principalSet://goog/cloudIdentityCustomerId/{customer_id}`: All of the principals associated with the specified Google Workspace or Cloud Identity customer ID. For example, `principalSet://goog/cloudIdentityCustomerId/C01Abc35`.
repeated string denied_principals = 1;
getExceptionPermissions(int index)
public
String
getExceptionPermissions
(
int
index
)
Specifies the permissions that this rule excludes from the set of denied permissions given by `denied_permissions`. If a permission appears in `denied_permissions` and in `exception_permissions`, then it will not be denied.
The excluded permissions can be specified using the same syntax as `denied_permissions`.
repeated string exception_permissions = 4;
getExceptionPermissionsBytes(int index)
public
ByteString
getExceptionPermissionsBytes
(
int
index
)
Specifies the permissions that this rule excludes from the set of denied permissions given by `denied_permissions`. If a permission appears in `denied_permissions` and in `exception_permissions`, then it will not be denied.
The excluded permissions can be specified using the same syntax as `denied_permissions`.
repeated string exception_permissions = 4;
getExceptionPermissionsCount()
public
int
getExceptionPermissionsCount
()
Specifies the permissions that this rule excludes from the set of denied permissions given by `denied_permissions`. If a permission appears in `denied_permissions` and in `exception_permissions`, then it will not be denied.
The excluded permissions can be specified using the same syntax as `denied_permissions`.
repeated string exception_permissions = 4;
getExceptionPermissionsList()
public
ProtocolStringList
getExceptionPermissionsList
()
Specifies the permissions that this rule excludes from the set of denied permissions given by `denied_permissions`. If a permission appears in `denied_permissions` and in `exception_permissions`, then it will not be denied.
The excluded permissions can be specified using the same syntax as `denied_permissions`.
repeated string exception_permissions = 4;
getExceptionPrincipals(int index)
public
String
getExceptionPrincipals
(
int
index
)
The identities that are excluded from the deny rule, even if they are listed in the `denied_principals`. For example, you could add a Google group to the `denied_principals`, then exclude specific users who belong to that group.
This field can contain the same values as the `denied_principals` field, excluding `principalSet://goog/public:all`, which represents all users on the internet.
repeated string exception_principals = 2;
getExceptionPrincipalsBytes(int index)
public
ByteString
getExceptionPrincipalsBytes
(
int
index
)
The identities that are excluded from the deny rule, even if they are listed in the `denied_principals`. For example, you could add a Google group to the `denied_principals`, then exclude specific users who belong to that group.
This field can contain the same values as the `denied_principals` field, excluding `principalSet://goog/public:all`, which represents all users on the internet.
repeated string exception_principals = 2;
getExceptionPrincipalsCount()
public
int
getExceptionPrincipalsCount
()
The identities that are excluded from the deny rule, even if they are listed in the `denied_principals`. For example, you could add a Google group to the `denied_principals`, then exclude specific users who belong to that group.
This field can contain the same values as the `denied_principals` field, excluding `principalSet://goog/public:all`, which represents all users on the internet.
repeated string exception_principals = 2;
getExceptionPrincipalsList()
public
ProtocolStringList
getExceptionPrincipalsList
()
The identities that are excluded from the deny rule, even if they are listed in the `denied_principals`. For example, you could add a Google group to the `denied_principals`, then exclude specific users who belong to that group.
This field can contain the same values as the `denied_principals` field, excluding `principalSet://goog/public:all`, which represents all users on the internet.
repeated string exception_principals = 2;
getParserForType()
public
Parser<DenyRule>
getParserForType
()
getSerializedSize()
public
int
getSerializedSize
()
getUnknownFields()
public
final
UnknownFieldSet
getUnknownFields
()
hasDenialCondition()
public
boolean
hasDenialCondition
()
The condition that determines whether this deny rule applies to a request. If the condition expression evaluates to `true`, then the deny rule is applied; otherwise, the deny rule is not applied.
Each deny rule is evaluated independently. If this deny rule does not apply to a request, other deny rules might still apply.
The condition can use CEL functions that evaluate resource tags. Other functions and operators are not supported.
.google.type.Expr denial_condition = 5;
hashCode()
public
int
hashCode
()
internalGetFieldAccessorTable()
protected
GeneratedMessageV3
.
FieldAccessorTable
internalGetFieldAccessorTable
()
isInitialized()
public
final
boolean
isInitialized
()
newBuilderForType()
public
DenyRule
.
Builder
newBuilderForType
()
newBuilderForType(GeneratedMessageV3.BuilderParent parent)
protected
DenyRule
.
Builder
newBuilderForType
(
GeneratedMessageV3
.
BuilderParent
parent
)
newInstance(GeneratedMessageV3.UnusedPrivateParameter unused)
protected
Object
newInstance
(
GeneratedMessageV3
.
UnusedPrivateParameter
unused
)
toBuilder()
public
DenyRule
.
Builder
toBuilder
()
writeTo(CodedOutputStream output)
public
void
writeTo
(
CodedOutputStream
output
)