Settings on a Project/Folder/Organization related to Access Approval.
JSON representation |
---|
{
"name": string,
"notificationEmails": [
string
],
"enrolledServices": [
{
object ( |
Fields | |
---|---|
name |
The resource name of the settings. Format is one of:
|
notificationEmails[] |
A list of email addresses to which notifications relating to approval requests should be sent. Notifications relating to a resource will be sent to all emails in the settings of ancestor resources of that resource. A maximum of 50 email addresses are allowed. |
enrolledServices[] |
A list of Google Cloud Services for which the given resource has Access Approval enrolled. Access requests for the resource given by name against any of these services contained here will be required to have explicit approval. If name refers to an organization, enrollment can be done for individual services. If name refers to a folder or project, enrollment can only be done on an all or nothing basis. If a cloudProduct is repeated in this list, the first entry will be honored and all following entries will be discarded. A maximum of 10 enrolled services will be enforced, to be expanded as the set of supported services is expanded. |
enrolledAncestor |
Output only. This field is read only (not settable via projects.updateAccessApprovalSettings method). If the field is true, that indicates that at least one service is enrolled for Access Approval in one or more ancestors of the Project or Folder (this field will always be unset for the organization since organizations do not have ancestors). |
activeKeyVersion |
The asymmetric crypto key version to use for signing approval requests. Empty activeKeyVersion indicates that a Google-managed key should be used for signing. This property will be ignored if set by an ancestor of this resource, and new non-empty values may not be set. |
ancestorHasActiveKeyVersion |
Output only. This field is read only (not settable via projects.updateAccessApprovalSettings method). If the field is true, that indicates that an ancestor of this Project or Folder has set activeKeyVersion (this field will always be unset for the organization since organizations do not have ancestors). |
invalidKeyVersion |
Output only. This field is read only (not settable via projects.updateAccessApprovalSettings method). If the field is true, that indicates that there is some configuration issue with the activeKeyVersion configured at this level in the resource hierarchy (e.g. it doesn't exist or the Access Approval service account doesn't have the correct permissions on it, etc.) This key version is not necessarily the effective key version at this level, as key versions are inherited top-down. |
preferredRequestExpirationDays |
This preference is shared with Google personnel, but can be overridden if said personnel deems necessary. The approver ultimately can set the expiration at approval time. |
preferNoBroadApprovalRequests |
This preference is communicated to Google personnel when sending an approval request but can be overridden if necessary. |
EnrolledService
Represents the enrollment of a cloud resource into a specific service.
JSON representation |
---|
{
"cloudProduct": string,
"enrollmentLevel": enum ( |
Fields | |
---|---|
cloudProduct |
The product for which Access Approval will be enrolled. Allowed values are listed below (case-sensitive):
Note: These values are supported as input for legacy purposes, but will not be returned from the API.
Calls to projects.updateAccessApprovalSettings using 'all' or any of the XXX.googleapis.com will be translated to the associated product name ('all', 'App Engine', etc.). Note: 'all' will enroll the resource in all products supported at both 'GA' and 'Preview' levels. More information about levels of support is available at https://cloud.google.com/access-approval/docs/supported-services |
enrollmentLevel |
The enrollment level of the service. |
EnrollmentLevel
Represents the type of enrollment for a given service to Access Approval.
Enums | |
---|---|
ENROLLMENT_LEVEL_UNSPECIFIED |
Default value for proto, shouldn't be used. |
BLOCK_ALL |
Service is enrolled in Access Approval for all requests |