public final class DenyRule extends GeneratedMessageV3 implements DenyRuleOrBuilder

A deny rule in an IAM deny policy.

Protobuf type google.iam.v2.DenyRule
Static Fields
DENIAL_CONDITION_FIELD_NUMBER
public static final int DENIAL_CONDITION_FIELD_NUMBER
Field Value

DENIED_PERMISSIONS_FIELD_NUMBER
public static final int DENIED_PERMISSIONS_FIELD_NUMBER
Field Value

DENIED_PRINCIPALS_FIELD_NUMBER
public static final int DENIED_PRINCIPALS_FIELD_NUMBER
Field Value

EXCEPTION_PERMISSIONS_FIELD_NUMBER
public static final int EXCEPTION_PERMISSIONS_FIELD_NUMBER
Field Value

EXCEPTION_PRINCIPALS_FIELD_NUMBER
public static final int EXCEPTION_PRINCIPALS_FIELD_NUMBER
Field Value
Static Methods
getDefaultInstance()
public static DenyRule getDefaultInstance()
Returns

getDescriptor()
public static final Descriptors.Descriptor getDescriptor()
Returns

newBuilder()
public static DenyRule.Builder newBuilder()
Returns

newBuilder(DenyRule prototype)
public static DenyRule.Builder newBuilder(DenyRule prototype)
Parameter
Returns
parseDelimitedFrom(InputStream input)
public static DenyRule parseDelimitedFrom(InputStream input)
Parameter
Returns
Exceptions

parseDelimitedFrom(InputStream input, ExtensionRegistryLite extensionRegistry)
public static DenyRule parseDelimitedFrom(InputStream input, ExtensionRegistryLite extensionRegistry)
Parameters
Returns
Exceptions

parseFrom(byte[] data)
public static DenyRule parseFrom(byte[] data)
Parameter
Returns
Exceptions

parseFrom(byte[] data, ExtensionRegistryLite extensionRegistry)
public static DenyRule parseFrom(byte[] data, ExtensionRegistryLite extensionRegistry)
Parameters
Returns
Exceptions
parseFrom(ByteString data)
public static DenyRule parseFrom(ByteString data)
Parameter
Returns
Exceptions

parseFrom(ByteString data, ExtensionRegistryLite extensionRegistry)
public static DenyRule parseFrom(ByteString data, ExtensionRegistryLite extensionRegistry)
Parameters
Returns
Exceptions

parseFrom(CodedInputStream input)
public static DenyRule parseFrom(CodedInputStream input)
Parameter
Returns
Exceptions

parseFrom(CodedInputStream input, ExtensionRegistryLite extensionRegistry)
public static DenyRule parseFrom(CodedInputStream input, ExtensionRegistryLite extensionRegistry)
Parameters
Returns
Exceptions

parseFrom(InputStream input)
public static DenyRule parseFrom(InputStream input)
Parameter
Returns
Exceptions

parseFrom(InputStream input, ExtensionRegistryLite extensionRegistry)
public static DenyRule parseFrom(InputStream input, ExtensionRegistryLite extensionRegistry)
Parameters
Returns
Exceptions
parseFrom(ByteBuffer data)
public static DenyRule parseFrom(ByteBuffer data)
Parameter
Returns
Exceptions

parseFrom(ByteBuffer data, ExtensionRegistryLite extensionRegistry)
public static DenyRule parseFrom(ByteBuffer data, ExtensionRegistryLite extensionRegistry)
Parameters
Returns
Exceptions

parser()
public static Parser<DenyRule> parser()
Returns
Methods
equals(Object obj)
public boolean equals(Object obj)
Parameter
Returns
Overrides

getDefaultInstanceForType()
public DenyRule getDefaultInstanceForType()
Returns
getDenialCondition()
public Expr getDenialCondition()

The condition that determines whether this deny rule applies to a request. If the condition expression evaluates to true, then the deny rule is applied; otherwise, the deny rule is not applied.

Each deny rule is evaluated independently. If this deny rule does not apply to a request, other deny rules might still apply.

The condition can use CEL functions that evaluate resource tags. Other functions and operators are not supported.

.google.type.Expr denial_condition = 5;

Returns

getDenialConditionOrBuilder()
public ExprOrBuilder getDenialConditionOrBuilder()

The condition that determines whether this deny rule applies to a request. If the condition expression evaluates to true, then the deny rule is applied; otherwise, the deny rule is not applied.

Each deny rule is evaluated independently. If this deny rule does not apply to a request, other deny rules might still apply.

The condition can use CEL functions that evaluate resource tags. Other functions and operators are not supported.

.google.type.Expr denial_condition = 5;

Returns
getDeniedPermissions(int index)
public String getDeniedPermissions(int index)

The permissions that are explicitly denied by this rule. Each permission uses the format {service_fqdn}/{resource}.{verb}, where {service_fqdn} is the fully qualified domain name for the service. For example, iam.googleapis.com/roles.list.

repeated string denied_permissions = 3;

Parameter
Name  | Description
index | int. The index of the element to return.

Returns
Type   | Description
String | The deniedPermissions at the given index.

getDeniedPermissionsBytes(int index)
public ByteString getDeniedPermissionsBytes(int index)

The permissions that are explicitly denied by this rule. Each permission uses the format {service_fqdn}/{resource}.{verb}, where {service_fqdn} is the fully qualified domain name for the service. For example, iam.googleapis.com/roles.list.

repeated string denied_permissions = 3;

Parameter
Name  | Description
index | int. The index of the value to return.

Returns
Type       | Description
ByteString | The bytes of the deniedPermissions at the given index.

getDeniedPermissionsCount()
public int getDeniedPermissionsCount()

The permissions that are explicitly denied by this rule. Each permission uses the format {service_fqdn}/{resource}.{verb}, where {service_fqdn} is the fully qualified domain name for the service. For example, iam.googleapis.com/roles.list.

repeated string denied_permissions = 3;

Returns
Type | Description
int  | The count of deniedPermissions.

getDeniedPermissionsList()
public ProtocolStringList getDeniedPermissionsList()

The permissions that are explicitly denied by this rule. Each permission uses the format {service_fqdn}/{resource}.{verb}, where {service_fqdn} is the fully qualified domain name for the service. For example, iam.googleapis.com/roles.list.

repeated string denied_permissions = 3;

Returns
getDeniedPrincipals(int index)
public String getDeniedPrincipals(int index)

The identities that are prevented from using one or more permissions on Google Cloud resources. This field can contain the following values:

- principalSet://goog/public:all: A special identifier that represents any principal that is on the internet, even if they do not have a Google Account or are not logged in.
- principal://goog/subject/{email_id}: A specific Google Account. Includes Gmail, Cloud Identity, and Google Workspace user accounts. For example, principal://goog/subject/alice@example.com.
- deleted:principal://goog/subject/{email_id}?uid={uid}: A specific Google Account that was deleted recently. For example, deleted:principal://goog/subject/alice@example.com?uid=1234567890. If the Google Account is recovered, this identifier reverts to the standard identifier for a Google Account.
- principalSet://goog/group/{group_id}: A Google group. For example, principalSet://goog/group/admins@example.com.
- deleted:principalSet://goog/group/{group_id}?uid={uid}: A Google group that was deleted recently. For example, deleted:principalSet://goog/group/admins@example.com?uid=1234567890. If the Google group is restored, this identifier reverts to the standard identifier for a Google group.
- principal://iam.googleapis.com/projects/-/serviceAccounts/{service_account_id}: A Google Cloud service account. For example, principal://iam.googleapis.com/projects/-/serviceAccounts/my-service-account@iam.gserviceaccount.com.
- deleted:principal://iam.googleapis.com/projects/-/serviceAccounts/{service_account_id}?uid={uid}: A Google Cloud service account that was deleted recently. For example, deleted:principal://iam.googleapis.com/projects/-/serviceAccounts/my-service-account@iam.gserviceaccount.com?uid=1234567890. If the service account is undeleted, this identifier reverts to the standard identifier for a service account.
- principalSet://goog/cloudIdentityCustomerId/{customer_id}: All of the principals associated with the specified Google Workspace or Cloud Identity customer ID. For example, principalSet://goog/cloudIdentityCustomerId/C01Abc35.

repeated string denied_principals = 1;

Parameter
Name  | Description
index | int. The index of the element to return.

Returns
Type   | Description
String | The deniedPrincipals at the given index.
getDeniedPrincipalsBytes(int index)
public ByteString getDeniedPrincipalsBytes(int index)

The identities that are prevented from using one or more permissions on Google Cloud resources. This field can contain the following values:

- principalSet://goog/public:all: A special identifier that represents any principal that is on the internet, even if they do not have a Google Account or are not logged in.
- principal://goog/subject/{email_id}: A specific Google Account. Includes Gmail, Cloud Identity, and Google Workspace user accounts. For example, principal://goog/subject/alice@example.com.
- deleted:principal://goog/subject/{email_id}?uid={uid}: A specific Google Account that was deleted recently. For example, deleted:principal://goog/subject/alice@example.com?uid=1234567890. If the Google Account is recovered, this identifier reverts to the standard identifier for a Google Account.
- principalSet://goog/group/{group_id}: A Google group. For example, principalSet://goog/group/admins@example.com.
- deleted:principalSet://goog/group/{group_id}?uid={uid}: A Google group that was deleted recently. For example, deleted:principalSet://goog/group/admins@example.com?uid=1234567890. If the Google group is restored, this identifier reverts to the standard identifier for a Google group.
- principal://iam.googleapis.com/projects/-/serviceAccounts/{service_account_id}: A Google Cloud service account. For example, principal://iam.googleapis.com/projects/-/serviceAccounts/my-service-account@iam.gserviceaccount.com.
- deleted:principal://iam.googleapis.com/projects/-/serviceAccounts/{service_account_id}?uid={uid}: A Google Cloud service account that was deleted recently. For example, deleted:principal://iam.googleapis.com/projects/-/serviceAccounts/my-service-account@iam.gserviceaccount.com?uid=1234567890. If the service account is undeleted, this identifier reverts to the standard identifier for a service account.
- principalSet://goog/cloudIdentityCustomerId/{customer_id}: All of the principals associated with the specified Google Workspace or Cloud Identity customer ID. For example, principalSet://goog/cloudIdentityCustomerId/C01Abc35.

repeated string denied_principals = 1;

Parameter
Name  | Description
index | int. The index of the value to return.

Returns
Type       | Description
ByteString | The bytes of the deniedPrincipals at the given index.
getDeniedPrincipalsCount()
public int getDeniedPrincipalsCount()

The identities that are prevented from using one or more permissions on Google Cloud resources. This field can contain the following values:

- principalSet://goog/public:all: A special identifier that represents any principal that is on the internet, even if they do not have a Google Account or are not logged in.
- principal://goog/subject/{email_id}: A specific Google Account. Includes Gmail, Cloud Identity, and Google Workspace user accounts. For example, principal://goog/subject/alice@example.com.
- deleted:principal://goog/subject/{email_id}?uid={uid}: A specific Google Account that was deleted recently. For example, deleted:principal://goog/subject/alice@example.com?uid=1234567890. If the Google Account is recovered, this identifier reverts to the standard identifier for a Google Account.
- principalSet://goog/group/{group_id}: A Google group. For example, principalSet://goog/group/admins@example.com.
- deleted:principalSet://goog/group/{group_id}?uid={uid}: A Google group that was deleted recently. For example, deleted:principalSet://goog/group/admins@example.com?uid=1234567890. If the Google group is restored, this identifier reverts to the standard identifier for a Google group.
- principal://iam.googleapis.com/projects/-/serviceAccounts/{service_account_id}: A Google Cloud service account. For example, principal://iam.googleapis.com/projects/-/serviceAccounts/my-service-account@iam.gserviceaccount.com.
- deleted:principal://iam.googleapis.com/projects/-/serviceAccounts/{service_account_id}?uid={uid}: A Google Cloud service account that was deleted recently. For example, deleted:principal://iam.googleapis.com/projects/-/serviceAccounts/my-service-account@iam.gserviceaccount.com?uid=1234567890. If the service account is undeleted, this identifier reverts to the standard identifier for a service account.
- principalSet://goog/cloudIdentityCustomerId/{customer_id}: All of the principals associated with the specified Google Workspace or Cloud Identity customer ID. For example, principalSet://goog/cloudIdentityCustomerId/C01Abc35.

repeated string denied_principals = 1;

Returns
Type | Description
int  | The count of deniedPrincipals.
getDeniedPrincipalsList()
public ProtocolStringList getDeniedPrincipalsList()

The identities that are prevented from using one or more permissions on Google Cloud resources. This field can contain the following values:

- principalSet://goog/public:all: A special identifier that represents any principal that is on the internet, even if they do not have a Google Account or are not logged in.
- principal://goog/subject/{email_id}: A specific Google Account. Includes Gmail, Cloud Identity, and Google Workspace user accounts. For example, principal://goog/subject/alice@example.com.
- deleted:principal://goog/subject/{email_id}?uid={uid}: A specific Google Account that was deleted recently. For example, deleted:principal://goog/subject/alice@example.com?uid=1234567890. If the Google Account is recovered, this identifier reverts to the standard identifier for a Google Account.
- principalSet://goog/group/{group_id}: A Google group. For example, principalSet://goog/group/admins@example.com.
- deleted:principalSet://goog/group/{group_id}?uid={uid}: A Google group that was deleted recently. For example, deleted:principalSet://goog/group/admins@example.com?uid=1234567890. If the Google group is restored, this identifier reverts to the standard identifier for a Google group.
- principal://iam.googleapis.com/projects/-/serviceAccounts/{service_account_id}: A Google Cloud service account. For example, principal://iam.googleapis.com/projects/-/serviceAccounts/my-service-account@iam.gserviceaccount.com.
- deleted:principal://iam.googleapis.com/projects/-/serviceAccounts/{service_account_id}?uid={uid}: A Google Cloud service account that was deleted recently. For example, deleted:principal://iam.googleapis.com/projects/-/serviceAccounts/my-service-account@iam.gserviceaccount.com?uid=1234567890. If the service account is undeleted, this identifier reverts to the standard identifier for a service account.
- principalSet://goog/cloudIdentityCustomerId/{customer_id}: All of the principals associated with the specified Google Workspace or Cloud Identity customer ID. For example, principalSet://goog/cloudIdentityCustomerId/C01Abc35.

repeated string denied_principals = 1;

Returns
getExceptionPermissions(int index)
public String getExceptionPermissions(int index)

Specifies the permissions that this rule excludes from the set of denied permissions given by denied_permissions. If a permission appears in denied_permissions and in exception_permissions, then it will not be denied.

The excluded permissions can be specified using the same syntax as denied_permissions.

repeated string exception_permissions = 4;

Parameter
Name  | Description
index | int. The index of the element to return.

Returns
Type   | Description
String | The exceptionPermissions at the given index.

getExceptionPermissionsBytes(int index)
public ByteString getExceptionPermissionsBytes(int index)

Specifies the permissions that this rule excludes from the set of denied permissions given by denied_permissions. If a permission appears in denied_permissions and in exception_permissions, then it will not be denied.

The excluded permissions can be specified using the same syntax as denied_permissions.

repeated string exception_permissions = 4;

Parameter
Name  | Description
index | int. The index of the value to return.

Returns
Type       | Description
ByteString | The bytes of the exceptionPermissions at the given index.

getExceptionPermissionsCount()
public int getExceptionPermissionsCount()

Specifies the permissions that this rule excludes from the set of denied permissions given by denied_permissions. If a permission appears in denied_permissions and in exception_permissions, then it will not be denied.

The excluded permissions can be specified using the same syntax as denied_permissions.

repeated string exception_permissions = 4;

Returns
Type | Description
int  | The count of exceptionPermissions.

getExceptionPermissionsList()
public ProtocolStringList getExceptionPermissionsList()

Specifies the permissions that this rule excludes from the set of denied permissions given by denied_permissions. If a permission appears in denied_permissions and in exception_permissions, then it will not be denied.

The excluded permissions can be specified using the same syntax as denied_permissions.

repeated string exception_permissions = 4;

Returns
getExceptionPrincipals(int index)
public String getExceptionPrincipals(int index)

The identities that are excluded from the deny rule, even if they are listed in the denied_principals. For example, you could add a Google group to the denied_principals, then exclude specific users who belong to that group.

This field can contain the same values as the denied_principals field, excluding principalSet://goog/public:all, which represents all users on the internet.

repeated string exception_principals = 2;

Parameter
Name  | Description
index | int. The index of the element to return.

Returns
Type   | Description
String | The exceptionPrincipals at the given index.

getExceptionPrincipalsBytes(int index)
public ByteString getExceptionPrincipalsBytes(int index)

The identities that are excluded from the deny rule, even if they are listed in the denied_principals. For example, you could add a Google group to the denied_principals, then exclude specific users who belong to that group.

This field can contain the same values as the denied_principals field, excluding principalSet://goog/public:all, which represents all users on the internet.

repeated string exception_principals = 2;

Parameter
Name  | Description
index | int. The index of the value to return.

Returns
Type       | Description
ByteString | The bytes of the exceptionPrincipals at the given index.

getExceptionPrincipalsCount()
public int getExceptionPrincipalsCount()

The identities that are excluded from the deny rule, even if they are listed in the denied_principals. For example, you could add a Google group to the denied_principals, then exclude specific users who belong to that group.

This field can contain the same values as the denied_principals field, excluding principalSet://goog/public:all, which represents all users on the internet.

repeated string exception_principals = 2;

Returns
Type | Description
int  | The count of exceptionPrincipals.

getExceptionPrincipalsList()
public ProtocolStringList getExceptionPrincipalsList()

The identities that are excluded from the deny rule, even if they are listed in the denied_principals. For example, you could add a Google group to the denied_principals, then exclude specific users who belong to that group.

This field can contain the same values as the denied_principals field, excluding principalSet://goog/public:all, which represents all users on the internet.

repeated string exception_principals = 2;

Returns
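The following is an added example, not code from this reference page or from the google-iam library itself. It constructs a DenyRule through the generated Builder (addDeniedPrincipals, addExceptionPrincipals, addDeniedPermissions, addExceptionPermissions and setDenialCondition follow the standard protobuf-java naming for the five fields documented above), serialises it and reads it back through parseFrom(byte[]), then runs a local lint that checks the rule against the field rules stated in this documentation: the {service_fqdn}/{resource}.{verb} permission format, the ban on principalSet://goog/public:all in exception_principals, and the fact that an exception_permissions entry only has an effect when the same permission is also in denied_permissions. The lint logic, the PERMISSION_FORMAT regex (an approximation of the documented format) and the DenyRuleLint class are the example's own; the group, account, permission and CEL tag values are constructed sample data.

```java
import com.google.iam.v2.DenyRule;
import com.google.protobuf.InvalidProtocolBufferException;
import com.google.type.Expr;

import java.util.ArrayList;
import java.util.HashSet;
import java.util.List;
import java.util.Set;
import java.util.regex.Pattern;

/**
 * Added example (not part of the google-iam library): build a DenyRule, lint it
 * against the documented field rules, and round-trip it through the byte[] parser.
 */
public final class DenyRuleLint {

    /** Allowed in denied_principals but, per the documentation, not in exception_principals. */
    static final String PUBLIC_ALL = "principalSet://goog/public:all";

    /**
     * Approximation (an assumption of this example) of the documented permission format
     * {service_fqdn}/{resource}.{verb}, for example iam.googleapis.com/roles.list.
     */
    private static final Pattern PERMISSION_FORMAT =
            Pattern.compile("^[a-z0-9-]+(\\.[a-z0-9-]+)+/[A-Za-z0-9_]+\\.[A-Za-z0-9_]+$");

    /** Returns human-readable findings; an empty list means every check passed. */
    static List<String> lint(DenyRule rule) {
        List<String> findings = new ArrayList<>();

        // denied_permissions and exception_permissions share one syntax.
        for (String p : rule.getDeniedPermissionsList()) {
            if (!PERMISSION_FORMAT.matcher(p).matches()) {
                findings.add("denied_permissions: malformed permission '" + p + "'");
            }
        }
        Set<String> denied = new HashSet<>(rule.getDeniedPermissionsList());
        for (String p : rule.getExceptionPermissionsList()) {
            if (!PERMISSION_FORMAT.matcher(p).matches()) {
                findings.add("exception_permissions: malformed permission '" + p + "'");
            } else if (!denied.contains(p)) {
                // An exception only carves a permission out of what this same rule denies.
                findings.add("exception_permissions: '" + p
                        + "' is not in denied_permissions, so it has no effect in this rule");
            }
        }

        // exception_principals accepts every denied_principals value except public:all.
        if (rule.getExceptionPrincipalsList().contains(PUBLIC_ALL)) {
            findings.add("exception_principals: " + PUBLIC_ALL + " is not allowed here");
        }
        // With no principals or no permissions the rule cannot deny any request.
        if (rule.getDeniedPrincipalsCount() == 0 || rule.getDeniedPermissionsCount() == 0) {
            findings.add("rule denies no request: denied_principals or denied_permissions is empty");
        }
        return findings;
    }

    /** Serialises and re-parses the rule, as a consumer reading stored policy bytes would. */
    static DenyRule roundTrip(DenyRule rule) throws InvalidProtocolBufferException {
        byte[] wire = rule.toByteArray();
        return DenyRule.parseFrom(wire);
    }

    public static void main(String[] args) throws InvalidProtocolBufferException {
        // Constructed sample: deny a group two role permissions on tagged resources,
        // carve one permission and one break-glass account back out.
        Expr onlyProd = Expr.newBuilder()
                .setTitle("production resources only")
                .setExpression("resource.matchTag('ORG_ID_PLACEHOLDER/env', 'prod')")
                .build();

        DenyRule rule = DenyRule.newBuilder()
                .addDeniedPrincipals("principalSet://goog/group/admins@example.com")
                .addExceptionPrincipals("principal://goog/subject/alice@example.com")
                .addDeniedPermissions("iam.googleapis.com/roles.list")
                .addDeniedPermissions("iam.googleapis.com/roles.get")
                .addExceptionPermissions("iam.googleapis.com/roles.get")
                .addExceptionPermissions("iam.googleapis.com/roles.create") // flagged: not denied
                .setDenialCondition(onlyProd)
                .build();

        DenyRule parsed = roundTrip(rule);
        System.out.println("round trip preserved rule: " + rule.equals(parsed));
        System.out.println("has condition: " + parsed.hasDenialCondition()
                + " -> " + parsed.getDenialCondition().getExpression());
        for (String finding : lint(parsed)) {
            System.out.println("finding: " + finding);
        }
    }
}
```

The lint runs entirely on the in-memory message, so it fits in a pre-commit or CI step over policy definitions before they are submitted; the round trip is there because getters behave identically on a freshly built message and on one reconstructed by parseFrom, which is what a reviewer reading stored policy bytes relies on.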
getParserForType()
public Parser<DenyRule> getParserForType()
Returns
Overrides

getSerializedSize()
public int getSerializedSize()
Returns
Overrides

getUnknownFields()
public final UnknownFieldSet getUnknownFields()
Returns
Overrides

hasDenialCondition()
public boolean hasDenialCondition()

The condition that determines whether this deny rule applies to a request. If the condition expression evaluates to true, then the deny rule is applied; otherwise, the deny rule is not applied.

Each deny rule is evaluated independently. If this deny rule does not apply to a request, other deny rules might still apply.

The condition can use CEL functions that evaluate resource tags. Other functions and operators are not supported.

.google.type.Expr denial_condition = 5;

Returns
Type    | Description
boolean | Whether the denialCondition field is set.
hashCode()
public int hashCode()
Returns
Overrides

internalGetFieldAccessorTable()
protected GeneratedMessageV3.FieldAccessorTable internalGetFieldAccessorTable()
Returns
Overrides

isInitialized()
public final boolean isInitialized()
Returns
Overrides

newBuilderForType()
public DenyRule.Builder newBuilderForType()
Returns

newBuilderForType(GeneratedMessageV3.BuilderParent parent)
protected DenyRule.Builder newBuilderForType(GeneratedMessageV3.BuilderParent parent)
Parameter
Returns
Overrides

newInstance(GeneratedMessageV3.UnusedPrivateParameter unused)
protected Object newInstance(GeneratedMessageV3.UnusedPrivateParameter unused)
Parameter
Returns
Overrides

toBuilder()
public DenyRule.Builder toBuilder()
Returns

writeTo(CodedOutputStream output)
public void writeTo(CodedOutputStream output)
Parameter
Overrides
Exceptions