REST Resource: organizations.gcpUserAccessBindings

Resource: GcpUserAccessBinding

Restricts access to Cloud Console and Google Cloud APIs for a set of users using Context-Aware Access.

JSON representation
{
  "name": string,
  "groupKey": string,
  "accessLevels": [
    string
  ],
  "dryRunAccessLevels": [
    string
  ],
  "sessionSettings": {
    object (SessionSettings)
  },
  "restrictedClientApplications": [
    {
      object (Application)
    }
  ],
  "scopedAccessSettings": [
    {
      object (ScopedAccessSettings)
    }
  ]
}
Fields
name

string

Immutable. Assigned by the server during creation. The last segment has an arbitrary length and has only URI unreserved characters (as defined by RFC 3986 Section 2.3). Should not be specified by the client during creation. Example: "organizations/256/gcpUserAccessBindings/b3-BhcX_Ud5N"

groupKey

string

Required. Immutable. Google Group id whose members are subject to this binding's restrictions. See "id" in the G Suite Directory API's Groups resource. If a group's email address/alias is changed, this resource will continue to point at the changed group. This field does not accept group email addresses or aliases. Example: "01d520gv4vjcrht"

accessLevels[]

string

Optional. Access level that a user must have to be granted access. Only one access level is supported, not multiple. This repeated field must have exactly one element. Example: "accessPolicies/9522/accessLevels/device_trusted"

dryRunAccessLevels[]

string

Optional. Dry run access level that will be evaluated but will not be enforced. The access denial based on dry run policy will be logged. Only one access level is supported, not multiple. This list must have exactly one element. Example: "accessPolicies/9522/accessLevels/device_trusted"

sessionSettings

object (SessionSettings)

Optional. Google Cloud Session Length (GCSL) policy for the group key.

restrictedClientApplications[]

object (Application)

Optional. A list of applications that are subject to this binding's restrictions. If the list is empty, the binding restrictions will universally apply to all applications.

scopedAccessSettings[]

object (ScopedAccessSettings)

Optional. A list of scoped access settings that set this binding's restrictions on a subset of applications. This field cannot be set if restrictedClientApplications is set.

SessionSettings

Stores settings related to Google Cloud Session Length (GCSL), including the session duration, the type of challenge (i.e. re-authentication method) users face when their session expires, and other related settings.

JSON representation
{
  "sessionReauthMethod": enum (SessionReauthMethod),
  "sessionLength": string,
  "maxInactivity": string,
  "useOidcMaxAge": boolean,
  "sessionLengthEnabled": boolean
}
Fields
sessionReauthMethod

enum (SessionReauthMethod)

Optional. The re-authentication method applied when a user's GCP session is up.

sessionLength

string (Duration format)

Optional. The session length. Setting this field to zero is equivalent to disabling the session length. An infinite session can also be set by flipping the sessionLengthEnabled bit below to false. If useOidcMaxAge is true, for OIDC apps, the session length will be the minimum of this field and the OIDC max_age param.

A duration in seconds with up to nine fractional digits, ending with 's'. Example: "3.5s".

maxInactivity

string (Duration format)

Optional. How long a user is allowed to take between actions before a new access token must be issued. Presently only set for Cloud Apps.

A duration in seconds with up to nine fractional digits, ending with 's'. Example: "3.5s".

useOidcMaxAge

boolean

Optional. Only useful for OIDC apps. When false, the OIDC max_age param, if passed in the authentication request, will be ignored. When true, the re-auth period will be the minimum of the sessionLength field and the max_age OIDC param.

sessionLengthEnabled

boolean

Optional. Big red button to turn off GCSL. When false, all fields set above are disregarded and the session length is effectively infinite.

SessionReauthMethod

The session challenges proposed to users when the GCP session length is up.

Enums
SESSION_REAUTH_METHOD_UNSPECIFIED If the method is undefined in the API, LOGIN is used by default.
LOGIN The user will be prompted to perform a regular login. Users who are enrolled for two-step verification and haven't chosen to "Remember this computer" will be prompted for their second factor.
SECURITY_KEY The user will be prompted to authenticate using their security key. If no security key has been configured, the method falls back to LOGIN.
PASSWORD The user will be prompted for their password.

Application

An application that accesses Google Cloud APIs.

JSON representation
{

  // Union field identifier can be only one of the following:
  "clientId": string,
  "name": string
  // End of list of possible types for union field identifier.
}
Fields
Union field identifier. An identifier of the application. identifier can be only one of the following:
clientId

string

The OAuth client ID of the application.

name

string

The name of the application. Example: "Cloud Console"

ScopedAccessSettings

A relationship between access settings and its scope.

JSON representation
{
  "scope": {
    object (AccessScope)
  },
  "activeSettings": {
    object (AccessSettings)
  },
  "dryRunSettings": {
    object (AccessSettings)
  }
}
Fields
scope

object (AccessScope)

Optional. The application, etc. to which the access settings will be applied. Implicitly, this is the key of the scoped access settings; as such, it must be unique and non-empty.

activeSettings

object (AccessSettings)

Optional. Active access settings for this scoped access setting. This field may be empty if dryRunSettings is set.

dryRunSettings

object (AccessSettings)

Optional. Dry-run access settings for this scoped access setting. This field may be empty if activeSettings is set.

AccessScope

Access scope represents the client scope, etc. to which the settings will be applied.

JSON representation
{
  "clientScope": {
    object (ClientScope)
  }
}
Fields
clientScope

object (ClientScope)

Optional. Client scope for this access scope.

ClientScope

Client scope represents the application, etc. subject to this binding's restrictions.

JSON representation
{

  // Union field scope can be only one of the following:
  "restrictedClientApplication": {
    object (Application)
  }
  // End of list of possible types for union field scope.
}
Fields
Union field scope. Client scope identifier. scope can be only one of the following:
restrictedClientApplication

object (Application)

Optional. The application that is subject to this binding's scope.

AccessSettings

Access settings represent the set of conditions that must be met for access to be granted. At least one of the fields must be set.

JSON representation
{
  "accessLevels": [
    string
  ],
  "sessionSettings": {
    object (SessionSettings)
  }
}
Fields
accessLevels[]

string

Optional. Access level that a user must have to be granted access. Only one access level is supported, not multiple. This repeated field must have exactly one element. Example: "accessPolicies/9522/accessLevels/device_trusted"

sessionSettings

object (SessionSettings)

Optional. Session settings applied to user access on a given AccessScope.
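
The constraints this reference states for a binding (exactly one access level per list, restrictedClientApplications and scopedAccessSettings being mutually exclusive, the Application union field, unique scope keys, the Duration format) can be checked client-side before a create or patch call. The validator below is an added example written for this page, not part of the Access Context Manager API or its client libraries; the sample binding at the end is constructed.

```python
import re

DURATION_RE = re.compile(r"^\d+(?:\.\d{1,9})?s$")  # Duration format: seconds, <= 9 fractional digits, 's'

def check_session(s, path):
    # SessionSettings: sessionLength and maxInactivity must be Duration strings such as "3.5s"
    return [f"{path}.{f}: {s[f]!r} is not a Duration"
            for f in ("sessionLength", "maxInactivity") if f in s and not DURATION_RE.match(s[f])]

def check_access_settings(a, path):
    # AccessSettings: accessLevels (if present) has exactly one element; nested session settings are checked too
    errs = []
    if "accessLevels" in a and len(a["accessLevels"]) != 1:
        errs.append(f"{path}.accessLevels must have exactly one element")
    return errs + check_session(a.get("sessionSettings", {}), f"{path}.sessionSettings")

def validate_binding(b):
    # Returns the documented constraints that a GcpUserAccessBinding dict violates ([] = valid)
    errs = []
    if not b.get("groupKey") or "@" in b["groupKey"]:
        errs.append("groupKey is required and must be a group id, not an email address or alias")
    for f in ("accessLevels", "dryRunAccessLevels"):
        if f in b and len(b[f]) != 1:
            errs.append(f"{f} must have exactly one element")
    if b.get("restrictedClientApplications") and b.get("scopedAccessSettings"):
        errs.append("scopedAccessSettings cannot be set if restrictedClientApplications is set")
    errs += check_session(b.get("sessionSettings", {}), "sessionSettings")
    seen = set()
    for i, sas in enumerate(b.get("scopedAccessSettings", [])):
        path = f"scopedAccessSettings[{i}]"
        app = sas.get("scope", {}).get("clientScope", {}).get("restrictedClientApplication", {})
        if len(app) != 1:  # Application union field: exactly one of clientId / name
            errs.append(f"{path}.scope: Application must set exactly one of clientId or name")
        if (key := tuple(sorted(app.items()))) in seen:  # scope is the key, so it must be unique
            errs.append(f"{path}.scope duplicates an earlier scope")
        seen.add(key)
        for name in ("activeSettings", "dryRunSettings"):
            if sas.get(name):
                errs += check_access_settings(sas[name], f"{path}.{name}")
    return errs

# Constructed sample binding: the second scoped setting repeats the scope and has a bad Duration
CONSOLE = {"scope": {"clientScope": {"restrictedClientApplication": {"name": "Cloud Console"}}}}
SAMPLE = {
    "groupKey": "01d520gv4vjcrht", "accessLevels": ["accessPolicies/9522/accessLevels/device_trusted"],
    "scopedAccessSettings": [
        {**CONSOLE, "activeSettings": {"accessLevels": ["accessPolicies/9522/accessLevels/device_trusted"]}},
        {**CONSOLE, "dryRunSettings": {"sessionSettings": {"sessionLength": "30m"}}},
    ],
}
```

Running validate_binding(SAMPLE) reports the duplicate scope on the second entry and the malformed "30m" session length; an empty list means the binding satisfies every documented constraint.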

Methods

create

Creates a GcpUserAccessBinding.

delete

Deletes a GcpUserAccessBinding.

get

Gets the GcpUserAccessBinding with the given name.

list

Lists all GcpUserAccessBindings for a Google Cloud organization.

patch

Updates a GcpUserAccessBinding.