As alterações nos seus recursos serão aplicadas apenas se todas as partes da operação em massa forem bem-sucedidas. Por exemplo, se sua operação em massa tentar remover um nível de acesso que está sendo usado por um perímetro de serviço, será gerado um erro. Como um erro é encontrado, toda a operação falha e nenhum recurso é atualizado.
Este tópico descreve apenas a substituição em massa dos níveis de acesso. Para mais informações sobre substituição em massa de perímetros de serviço, consulte a documentação do VPC Service Controls.
Antes de começar
Como as operações em massa afetam todos os níveis de acesso da sua organização, talvez você
queira ver uma lista completa dos níveis de acesso. A lista pode ser
formatada como YAML, o que também pode fazer alterações em massa nos níveis de acesso
com mais facilidade.
ETAG (opcional) é uma string que representa a versão de
destino da política de acesso da sua organização. Se você não incluir uma
ETag, a operação em massa terá como alvo a versão mais recente da
política de acesso da sua organização.
POST https://accesscontextmanager.googleapis.com/v1/accessPolicies/POLICY_NAME/accessLevels.replaceAll?alt=json
Onde:
POLICY_NAME é o nome da política de acesso da organização.
Corpo da solicitação
O corpo da solicitação precisa incluir uma lista de objetos AccessLevel que especifiquem as alterações que você quer fazer.
Opcionalmente, para direcionar uma versão específica da política de acesso da sua organização, é possível incluir um etag. Se você não incluir uma ETag, a operação em massa
terá como alvo a versão mais recente da política de acesso da sua organização.
Caso a chamada seja bem-sucedida, o corpo da resposta incluirá um
recurso Operation que fornece detalhes sobre a
operação de publicação.
Exemplo de resposta:
{"name":"operations/accessPolicies/11271009391/replaceLevels/1583523446234255","done":true,"response":{"@type":"type.googleapis.com/google.identity.accesscontextmanager.v1.ReplaceAccessLevelsResponse","accessLevels":[{"name":"accessPolicies/11271009391/accessLevels/corpnet_access","title":"Corpnet access","description":"Permit access to corpnet.","basic":{"conditions":[{"ipSubnetworks":["252.0.2.0/24"]}]}},{"name":"accessPolicies/11271009391/accessLevels/prodnet_access","title":"Prodnet access","description":"Permit access to prodnet.","basic":{"conditions":[{"ipSubnetworks":["176.0.2.0/24"]}]}}]}}
[[["Fácil de entender","easyToUnderstand","thumb-up"],["Meu problema foi resolvido","solvedMyProblem","thumb-up"],["Outro","otherUp","thumb-up"]],[["Difícil de entender","hardToUnderstand","thumb-down"],["Informações incorretas ou exemplo de código","incorrectInformationOrSampleCode","thumb-down"],["Não contém as informações/amostras de que eu preciso","missingTheInformationSamplesINeed","thumb-down"],["Problema na tradução","translationIssue","thumb-down"],["Outro","otherDown","thumb-down"]],["Última atualização 2025-08-18 UTC."],[[["\u003cp\u003eBulk updates to access levels and service perimeters can be made to resources within an organization's access policy.\u003c/p\u003e\n"],["\u003cp\u003eBulk operations will only be applied if all parts of the operation are successful, and any error encountered will fail the entire operation, leaving resources unchanged.\u003c/p\u003e\n"],["\u003cp\u003eBulk replacement of access levels will affect all existing access levels; any not included in the operation will be deleted.\u003c/p\u003e\n"],["\u003cp\u003eThe \u003ccode\u003egcloud access-context-manager levels replace-all\u003c/code\u003e command or the \u003ccode\u003eaccessLevels.replaceAll\u003c/code\u003e API can be used for bulk replacement, but the Google Cloud console is not supported for bulk operations.\u003c/p\u003e\n"],["\u003cp\u003eWhen using \u003ccode\u003egcloud\u003c/code\u003e, a .yaml file defining new conditions is needed, while the API requires a list of \u003ccode\u003eAccessLevel\u003c/code\u003e objects in the request body.\u003c/p\u003e\n"]]],[],null,["# Making bulk changes to access levels\n\nUsing Access Context Manager, you can make bulk updates to resources that belong to\nyour organization's [access policy](/access-context-manager/docs/overview#access-policies), such as\n[access levels](/access-context-manager/docs/overview#access-levels) and [service perimeters](/vpc-service-controls/docs/service-perimeters).\n\nChanges to your resources are applied only if all parts of the bulk operation\nare successful. For example, if your bulk operation attempts to remove an access\nlevel that is in use by a service perimeter, an error is raised. Because an\nerror is encountered, the entire operation fails and no resources are updated.\n\nThis topic describes only bulk replacement of access levels. For more\ninformation about bulk replacement of service perimeters,\n[refer to the VPC Service Controls documentation](/vpc-service-controls/docs/bulk-operations).\n| **Note:** The Google Cloud console cannot be used for bulk operations.\n\nBefore you begin\n----------------\n\nBecause bulk operations affect *all* access levels for your organization, you\nmay want to obtain a complete list of your access levels. The list can be\nformatted as YAML, which may also make bulk changes to your access levels\neasier.\n\nTo get a formatted list of access levels, refer to\n[List access levels (formatted)](/access-context-manager/docs/manage-access-levels#formatted_access_levels).\n\nBulk replace access levels\n--------------------------\n\nThe following section details how to bulk replace your access levels.\n**Warning:** Bulk replace operations will affect *all* of your access levels. If existing access levels aren't included in the operation, those access levels are deleted. \n\n### gcloud\n\nTo bulk replace all access levels, use the\n`replace-all` command. \n\n```bash\ngcloud access-context-manager levels replace-all \\\n --source-file=FILE \\\n --etag=ETAG \\\n [--policy=POLICY_NAME]\n```\n\nWhere:\n\n- \u003cvar translate=\"no\"\u003eFILE\u003c/var\u003e is the name of a .yaml file that defines\n the new conditions for your existing access levels.\n\n For example: \n\n - name: accessPolicies/11271009391/accessLevels/corpnet_access\n title: Corpnet Access\n description: Permit access to corpnet.\n basic:\n combiningFunction: AND\n conditions:\n - ipSubnetworks:\n - 252.0.2.0/24\n - 2001:db8::/32\n - name: accessPolicies/11271009391/accessLevels/prodnet_access\n title: Prodnet Access\n description: Permit access to prodnet.\n basic:\n combiningFunction: OR\n conditions:\n - members:\n - user:exampleuser@example.com\n - serviceAccount:exampleaccount@example.iam.gserviceaccount.com\n - ipSubnetworks:\n - 176.0.2.0/24\n\n For further examples of the YAML structure of conditions, refer to\n the [example YAML file](/access-context-manager/docs/example-yaml-file).\n- \u003cvar translate=\"no\"\u003eETAG\u003c/var\u003e (optional) is a string that represents the target\n version of your organization's access policy. If you do not include an\n etag, the bulk operation targets the latest version of the your\n organization's access policy.\n\n To obtain the latest etag of your access policy,\n [`list` your access policies](/access-context-manager/docs/manage-access-policy#get_the_name_of_an_access_policy).\n- \u003cvar translate=\"no\"\u003ePOLICY_NAME\u003c/var\u003e is the name of your organization's access policy.\n This value is required only if you haven't set a\n [default access policy](/access-context-manager/docs/manage-access-policy#set-default).\n\n### API\n\nTo bulk replace all access levels,\ncall [`accessLevels.replaceAll`](/access-context-manager/docs/reference/rest/v1/accessPolicies.accessLevels/replaceAll). \n\n```\nPOST https://accesscontextmanager.googleapis.com/v1/accessPolicies/POLICY_NAME/accessLevels.replaceAll?alt=json\n```\n\nWhere:\n\n- \u003cvar translate=\"no\"\u003ePOLICY_NAME\u003c/var\u003e is the name of your organization's access policy.\n\n### Request body\n\nThe request body must include a list of [`AccessLevel`](/access-context-manager/docs/reference/rest/v1/accessPolicies.accessLevels#AccessLevel)\nobjects that specify the changes you want to make.\n\nOptionally, to target a specific version of your organization's access\npolicy, you can include an etag. If you do not include an etag, the bulk\noperation targets the latest version of your organization's access policy.\n\nFor example: \n\n```json\n{\n \"accessLevels\": [\n object (AccessLevel),\n object (AccessLevel),\n ...\n ]\n \"etag\": string\n}\n```\n\n### Response body\n\nIf successful, the response body for the call contains an\n[`Operation`](/access-context-manager/docs/reference/rest/Shared.Types/Operation) resource that provides details about the\npost operation.\n\nExample response: \n\n {\n \"name\": \"operations/accessPolicies/11271009391/replaceLevels/1583523446234255\",\n \"done\": true,\n \"response\": {\n \"@type\": \"type.googleapis.com/google.identity.accesscontextmanager.v1.ReplaceAccessLevelsResponse\",\n \"accessLevels\": [\n {\n \"name\": \"accessPolicies/11271009391/accessLevels/corpnet_access\",\n \"title\": \"Corpnet access\",\n \"description\": \"Permit access to corpnet.\",\n \"basic\": {\n \"conditions\": [\n {\n \"ipSubnetworks\": [\n \"252.0.2.0/24\"\n ]\n }\n ]\n }\n },\n {\n \"name\": \"accessPolicies/11271009391/accessLevels/prodnet_access\",\n \"title\": \"Prodnet access\",\n \"description\": \"Permit access to prodnet.\",\n \"basic\": {\n \"conditions\": [\n {\n \"ipSubnetworks\": [\n \"176.0.2.0/24\"\n ]\n }\n ]\n }\n }\n ]\n }\n }"]]
