Index
DlpService (interface)
Action (message)
Action.Deidentify (message)
Action.JobNotificationEmails (message)
Action.PublishFindingsToCloudDataCatalog (message)
Action.PublishSummaryToCscc (message)
Action.PublishToPubSub (message)
Action.PublishToStackdriver (message)
Action.SaveFindings (message)
ActivateJobTriggerRequest (message)
AnalyzeDataSourceRiskDetails (message)
AnalyzeDataSourceRiskDetails.CategoricalStatsResult (message)
AnalyzeDataSourceRiskDetails.CategoricalStatsResult.CategoricalStatsHistogramBucket (message)
AnalyzeDataSourceRiskDetails.DeltaPresenceEstimationResult (message)
AnalyzeDataSourceRiskDetails.DeltaPresenceEstimationResult.DeltaPresenceEstimationHistogramBucket (message)
AnalyzeDataSourceRiskDetails.DeltaPresenceEstimationResult.DeltaPresenceEstimationQuasiIdValues (message)
AnalyzeDataSourceRiskDetails.KAnonymityResult (message)
AnalyzeDataSourceRiskDetails.KAnonymityResult.KAnonymityEquivalenceClass (message)
AnalyzeDataSourceRiskDetails.KAnonymityResult.KAnonymityHistogramBucket (message)
AnalyzeDataSourceRiskDetails.KMapEstimationResult (message)
AnalyzeDataSourceRiskDetails.KMapEstimationResult.KMapEstimationHistogramBucket (message)
AnalyzeDataSourceRiskDetails.KMapEstimationResult.KMapEstimationQuasiIdValues (message)
AnalyzeDataSourceRiskDetails.LDiversityResult (message)
AnalyzeDataSourceRiskDetails.LDiversityResult.LDiversityEquivalenceClass (message)
AnalyzeDataSourceRiskDetails.LDiversityResult.LDiversityHistogramBucket (message)
AnalyzeDataSourceRiskDetails.NumericalStatsResult (message)
AnalyzeDataSourceRiskDetails.RequestedRiskAnalysisOptions (message)
BigQueryField (message)
BigQueryKey (message)
BigQueryOptions (message)
BigQueryOptions.SampleMethod (enum)
BigQueryTable (message)
BoundingBox (message)
BucketingConfig (message)
BucketingConfig.Bucket (message)
ByteContentItem (message)
ByteContentItem.BytesType (enum)
CancelDlpJobRequest (message)
CharacterMaskConfig (message)
CharsToIgnore (message)
CharsToIgnore.CommonCharsToIgnore (enum)
CloudStorageFileSet (message)
CloudStorageOptions (message)
CloudStorageOptions.FileSet (message)
CloudStorageOptions.SampleMethod (enum)
CloudStoragePath (message)
CloudStorageRegexFileSet (message)
Color (message)
Container (message)
ContentItem (message)
ContentLocation (message)
ContentOption (enum)
CreateDeidentifyTemplateRequest (message)
CreateDlpJobRequest (message)
CreateInspectTemplateRequest (message)
CreateJobTriggerRequest (message)
CreateStoredInfoTypeRequest (message)
CryptoDeterministicConfig (message)
CryptoHashConfig (message)
CryptoKey (message)
CryptoReplaceFfxFpeConfig (message)
CryptoReplaceFfxFpeConfig.FfxCommonNativeAlphabet (enum)
CustomInfoType (message)
CustomInfoType.DetectionRule (message)
CustomInfoType.DetectionRule.HotwordRule (message)
CustomInfoType.DetectionRule.LikelihoodAdjustment (message)
CustomInfoType.DetectionRule.Proximity (message)
CustomInfoType.Dictionary (message)
CustomInfoType.Dictionary.WordList (message)
CustomInfoType.ExclusionType (enum)
CustomInfoType.Regex (message)
CustomInfoType.SurrogateType (message)
DataProfileAction (message)
DataProfileAction.EventType (enum)
DataProfileAction.Export (message)
DataProfileAction.PubSubNotification (message)
DataProfileAction.PubSubNotification.DetailLevel (enum)
DataProfileConfigSnapshot (message)
DataProfileJobConfig (message)
DataProfileLocation (message)
DataProfilePubSubCondition (message)
DataProfilePubSubCondition.ProfileScoreBucket (enum)
DataProfilePubSubCondition.PubSubCondition (message)
DataProfilePubSubCondition.PubSubExpressions (message)
DataProfilePubSubCondition.PubSubExpressions.PubSubLogicalOperator (enum)
DataProfilePubSubMessage (message)
DataRiskLevel (message)
DataRiskLevel.DataRiskLevelScore (enum)
DatastoreKey (message)
DatastoreOptions (message)
DateShiftConfig (message)
DateTime (message)
DateTime.TimeZone (message)
DeidentifyConfig (message)
DeidentifyContentRequest (message)
DeidentifyContentResponse (message)
DeidentifyTemplate (message)
DeleteDeidentifyTemplateRequest (message)
DeleteDlpJobRequest (message)
DeleteInspectTemplateRequest (message)
DeleteJobTriggerRequest (message)
DeleteStoredInfoTypeRequest (message)
DlpJob (message)
DlpJob.JobState (enum)
DlpJobType (enum)
DocumentLocation (message)
EncryptionStatus (enum)
EntityId (message)
Error (message)
ExcludeByHotword (message)
ExcludeInfoTypes (message)
ExclusionRule (message)
FieldId (message)
FieldTransformation (message)
FileType (enum)
Finding (message)
FinishDlpJobRequest (message)
FixedSizeBucketingConfig (message)
GetDeidentifyTemplateRequest (message)
GetDlpJobRequest (message)
GetInspectTemplateRequest (message)
GetJobTriggerRequest (message)
GetStoredInfoTypeRequest (message)
HybridContentItem (message)
HybridFindingDetails (message)
HybridInspectDlpJobRequest (message)
HybridInspectJobTriggerRequest (message)
HybridInspectResponse (message)
HybridInspectStatistics (message)
HybridOptions (message)
ImageLocation (message)
ImageTransformations (message)
ImageTransformations.ImageTransformation (message)
ImageTransformations.ImageTransformation.AllInfoTypes (message)
ImageTransformations.ImageTransformation.AllText (message)
ImageTransformations.ImageTransformation.SelectedInfoTypes (message)
InfoType (message)
InfoTypeCategory (message)
InfoTypeCategory.IndustryCategory (enum)
InfoTypeCategory.LocationCategory (enum)
InfoTypeCategory.TypeCategory (enum)
InfoTypeDescription (message)
InfoTypeStats (message)
InfoTypeSummary (message)
InfoTypeSupportedBy (enum)
InfoTypeTransformations (message)
InfoTypeTransformations.InfoTypeTransformation (message)
InspectConfig (message)
InspectConfig.FindingLimits (message)
InspectConfig.FindingLimits.InfoTypeLimit (message)
InspectContentRequest (message)
InspectContentResponse (message)
InspectDataSourceDetails (message)
InspectDataSourceDetails.RequestedOptions (message)
InspectDataSourceDetails.Result (message)
InspectJobConfig (message)
InspectResult (message)
InspectTemplate (message)
InspectionRule (message)
InspectionRuleSet (message)
JobTrigger (message)
JobTrigger.Status (enum)
JobTrigger.Trigger (message)
Key (message)
Key.PathElement (message)
KindExpression (message)
KmsWrappedCryptoKey (message)
LargeCustomDictionaryConfig (message)
LargeCustomDictionaryStats (message)
Likelihood (enum)
ListDeidentifyTemplatesRequest (message)
ListDeidentifyTemplatesResponse (message)
ListDlpJobsRequest (message)
ListDlpJobsResponse (message)
ListInfoTypesRequest (message)
ListInfoTypesResponse (message)
ListInspectTemplatesRequest (message)
ListInspectTemplatesResponse (message)
ListJobTriggersRequest (message)
ListJobTriggersResponse (message)
ListStoredInfoTypesRequest (message)
ListStoredInfoTypesResponse (message)
Location (message)
Manual (message)
MatchingType (enum)
MetadataLocation (message)
MetadataType (enum)
OtherInfoTypeSummary (message)
OutputStorageConfig (message)
OutputStorageConfig.OutputSchema (enum)
PartitionId (message)
PrimitiveTransformation (message)
PrivacyMetric (message)
PrivacyMetric.CategoricalStatsConfig (message)
PrivacyMetric.DeltaPresenceEstimationConfig (message)
PrivacyMetric.KAnonymityConfig (message)
PrivacyMetric.KMapEstimationConfig (message)
PrivacyMetric.KMapEstimationConfig.AuxiliaryTable (message)
PrivacyMetric.KMapEstimationConfig.AuxiliaryTable.QuasiIdField (message)
PrivacyMetric.KMapEstimationConfig.TaggedField (message)
PrivacyMetric.LDiversityConfig (message)
PrivacyMetric.NumericalStatsConfig (message)
ProfileStatus (message)
QuasiId (message)
QuoteInfo (message)
Range (message)
RecordCondition (message)
RecordCondition.Condition (message)
RecordCondition.Conditions (message)
RecordCondition.Expressions (message)
RecordCondition.Expressions.LogicalOperator (enum)
RecordKey (message)
RecordLocation (message)
RecordSuppression (message)
RecordTransformation (message)
RecordTransformations (message)
RedactConfig (message)
RedactImageRequest (message)
RedactImageRequest.ImageRedactionConfig (message)
RedactImageResponse (message)
ReidentifyContentRequest (message)
ReidentifyContentResponse (message)
RelationalOperator (enum)
ReplaceDictionaryConfig (message)
ReplaceValueConfig (message)
ReplaceWithInfoTypeConfig (message)
ResourceVisibility (enum)
RiskAnalysisJobConfig (message)
Schedule (message)
SensitivityScore (message)
SensitivityScore.SensitivityScoreLevel (enum)
StatisticalTable (message)
StatisticalTable.QuasiIdentifierField (message)
StorageConfig (message)
StorageConfig.TimespanConfig (message)
StorageMetadataLabel (message)
StoredInfoType (message)
StoredInfoTypeConfig (message)
StoredInfoTypeState (enum)
StoredInfoTypeStats (message)
StoredInfoTypeVersion (message)
StoredType (message)
Table (message)
Table.Row (message)
TableDataProfile (message)
TableDataProfile.State (enum)
TableLocation (message)
TableOptions (message)
TimePartConfig (message)
TimePartConfig.TimePart (enum)
TransformationConfig (message)
TransformationContainerType (enum)
TransformationDescription (message)
TransformationDetails (message)
TransformationDetailsStorageConfig (message)
TransformationErrorHandling (message)
TransformationErrorHandling.LeaveUntransformed (message)
TransformationErrorHandling.ThrowError (message)
TransformationLocation (message)
TransformationOverview (message)
TransformationResultStatus (message)
TransformationResultStatusType (enum)
TransformationSummary (message)
TransformationSummary.SummaryResult (message)
TransformationSummary.TransformationResultCode (enum)
TransformationType (enum)
TransientCryptoKey (message)
UnwrappedCryptoKey (message)
UpdateDeidentifyTemplateRequest (message)
UpdateInspectTemplateRequest (message)
UpdateJobTriggerRequest (message)
UpdateStoredInfoTypeRequest (message)
Value (message)
ValueFrequency (message)
VersionDescription (message)
DlpService
The Cloud Data Loss Prevention (DLP) API is a service that allows clients to detect the presence of Personally Identifiable Information (PII) and other privacy-sensitive data in user-supplied, unstructured data streams, like text blocks or images. The service also includes methods for sensitive data redaction and scheduling of data scans on Google Cloud Platform based data sets.
To learn more about concepts and find how-to guides see https://cloud.google.com/dlp/docs/.
ActivateJobTrigger |
---|
Activate a job trigger. Causes the immediate execution of a trigger instead of waiting on the trigger event to occur.
|
CancelDlpJob |
---|
Starts asynchronous cancellation on a long-running DlpJob. The server makes a best effort to cancel the DlpJob, but success is not guaranteed. See https://cloud.google.com/dlp/docs/inspecting-storage and https://cloud.google.com/dlp/docs/compute-risk-analysis to learn more.
|
CreateDeidentifyTemplate |
---|
Creates a DeidentifyTemplate for reusing frequently used configuration for de-identifying content, images, and storage. See https://cloud.google.com/dlp/docs/creating-templates-deid to learn more.
|
CreateDlpJob |
---|
Creates a new job to inspect storage or calculate risk metrics. See https://cloud.google.com/dlp/docs/inspecting-storage and https://cloud.google.com/dlp/docs/compute-risk-analysis to learn more. When no InfoTypes or CustomInfoTypes are specified in inspect jobs, the system will automatically choose what detectors to run. By default this may be all types, but may change over time as detectors are updated.
|
CreateInspectTemplate |
---|
Creates an InspectTemplate for reusing frequently used configuration for inspecting content, images, and storage. See https://cloud.google.com/dlp/docs/creating-templates to learn more.
|
CreateJobTrigger |
---|
Creates a job trigger to run DLP actions such as scanning storage for sensitive information on a set schedule. See https://cloud.google.com/dlp/docs/creating-job-triggers to learn more.
|
CreateStoredInfoType |
---|
Creates a pre-built stored infoType to be used for inspection. See https://cloud.google.com/dlp/docs/creating-stored-infotypes to learn more.
|
DeidentifyContent |
---|
De-identifies potentially sensitive info from a ContentItem. This method has limits on input size and output size. See https://cloud.google.com/dlp/docs/deidentify-sensitive-data to learn more. When no InfoTypes or CustomInfoTypes are specified in this request, the system will automatically choose what detectors to run. By default this may be all types, but may change over time as detectors are updated.
|
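As an illustration only, a minimal sketch of a DeidentifyContent call using the google-cloud-dlp Python client library; the project ID and sample text are placeholders, and the request fields mirror the InspectConfig, DeidentifyConfig, and ContentItem messages described later in this reference.

```python
# Sketch only: assumes the google-cloud-dlp Python client and a placeholder
# project ID. The InspectConfig selects what to find; the DeidentifyConfig
# replaces each finding with its infoType name.
from google.cloud import dlp_v2

client = dlp_v2.DlpServiceClient()
response = client.deidentify_content(
    request={
        "parent": "projects/my-project/locations/global",
        "inspect_config": {"info_types": [{"name": "EMAIL_ADDRESS"}]},
        "deidentify_config": {
            "info_type_transformations": {
                "transformations": [
                    {"primitive_transformation": {"replace_with_info_type_config": {}}}
                ]
            }
        },
        "item": {"value": "Contact me at jane.doe@example.com"},
    }
)
print(response.item.value)  # e.g. "Contact me at [EMAIL_ADDRESS]"
```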
DeleteDeidentifyTemplate |
---|
Deletes a DeidentifyTemplate. See https://cloud.google.com/dlp/docs/creating-templates-deid to learn more.
|
DeleteDlpJob |
---|
Deletes a long-running DlpJob. This method indicates that the client is no longer interested in the DlpJob result. The job will be canceled if possible. See https://cloud.google.com/dlp/docs/inspecting-storage and https://cloud.google.com/dlp/docs/compute-risk-analysis to learn more.
|
DeleteInspectTemplate |
---|
Deletes an InspectTemplate. See https://cloud.google.com/dlp/docs/creating-templates to learn more.
|
DeleteJobTrigger |
---|
Deletes a job trigger. See https://cloud.google.com/dlp/docs/creating-job-triggers to learn more.
|
DeleteStoredInfoType |
---|
Deletes a stored infoType. See https://cloud.google.com/dlp/docs/creating-stored-infotypes to learn more.
|
FinishDlpJob |
---|
Finish a running hybrid DlpJob. Triggers the finalization steps and running of any enabled actions that have not yet run.
|
GetDeidentifyTemplate |
---|
Gets a DeidentifyTemplate. See https://cloud.google.com/dlp/docs/creating-templates-deid to learn more.
|
GetDlpJob |
---|
Gets the latest state of a long-running DlpJob. See https://cloud.google.com/dlp/docs/inspecting-storage and https://cloud.google.com/dlp/docs/compute-risk-analysis to learn more.
|
GetInspectTemplate |
---|
Gets an InspectTemplate. See https://cloud.google.com/dlp/docs/creating-templates to learn more.
|
GetJobTrigger |
---|
Gets a job trigger. See https://cloud.google.com/dlp/docs/creating-job-triggers to learn more.
|
GetStoredInfoType |
---|
Gets a stored infoType. See https://cloud.google.com/dlp/docs/creating-stored-infotypes to learn more.
|
HybridInspectDlpJob |
---|
Inspect hybrid content and store findings to a job. To review the findings, inspect the job. Inspection will occur asynchronously.
|
HybridInspectJobTrigger |
---|
Inspect hybrid content and store findings to a trigger. The inspection will be processed asynchronously. To review the findings, monitor the jobs within the trigger.
|
InspectContent |
---|
Finds potentially sensitive info in content. This method has limits on input size, processing time, and output size. When no InfoTypes or CustomInfoTypes are specified in this request, the system will automatically choose what detectors to run. By default this may be all types, but may change over time as detectors are updated. For how-to guides, see https://cloud.google.com/dlp/docs/inspecting-images and https://cloud.google.com/dlp/docs/inspecting-text.
|
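For illustration, a minimal InspectContent sketch using the google-cloud-dlp Python client library; the project ID and input text are placeholders.

```python
# Sketch only: an InspectContentRequest carries an InspectConfig and a
# ContentItem; findings come back in response.result.
from google.cloud import dlp_v2

client = dlp_v2.DlpServiceClient()
response = client.inspect_content(
    request={
        "parent": "projects/my-project/locations/global",
        "inspect_config": {
            "info_types": [{"name": "EMAIL_ADDRESS"}, {"name": "PHONE_NUMBER"}],
            "include_quote": True,  # return the matched text with each finding
        },
        "item": {"value": "Call (415) 555-0100 or write to jane.doe@example.com"},
    }
)
for finding in response.result.findings:
    print(finding.info_type.name, finding.likelihood, finding.quote)
```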
ListDeidentifyTemplates |
---|
Lists DeidentifyTemplates. See https://cloud.google.com/dlp/docs/creating-templates-deid to learn more.
|
ListDlpJobs |
---|
Lists DlpJobs that match the specified filter in the request. See https://cloud.google.com/dlp/docs/inspecting-storage and https://cloud.google.com/dlp/docs/compute-risk-analysis to learn more.
|
ListInfoTypes |
---|
Returns a list of the sensitive information types that the DLP API supports. See https://cloud.google.com/dlp/docs/infotypes-reference to learn more.
|
ListInspectTemplates |
---|
Lists InspectTemplates. See https://cloud.google.com/dlp/docs/creating-templates to learn more.
|
ListJobTriggers |
---|
Lists job triggers. See https://cloud.google.com/dlp/docs/creating-job-triggers to learn more.
|
ListStoredInfoTypes |
---|
Lists stored infoTypes. See https://cloud.google.com/dlp/docs/creating-stored-infotypes to learn more.
|
RedactImage |
---|
Redacts potentially sensitive info from an image. This method has limits on input size, processing time, and output size. See https://cloud.google.com/dlp/docs/redacting-sensitive-data-images to learn more. When no InfoTypes or CustomInfoTypes are specified in this request, the system will automatically choose what detectors to run. By default this may be all types, but may change over time as detectors are updated.
|
ReidentifyContent |
---|
Re-identifies content that has been de-identified. See https://cloud.google.com/dlp/docs/pseudonymization#re-identification_in_free_text_code_example to learn more.
|
UpdateDeidentifyTemplate |
---|
Updates the DeidentifyTemplate. See https://cloud.google.com/dlp/docs/creating-templates-deid to learn more.
|
UpdateInspectTemplate |
---|
Updates the InspectTemplate. See https://cloud.google.com/dlp/docs/creating-templates to learn more.
|
UpdateJobTrigger |
---|
Updates a job trigger. See https://cloud.google.com/dlp/docs/creating-job-triggers to learn more.
|
UpdateStoredInfoType |
---|
Updates the stored infoType by creating a new version. The existing version will continue to be used until the new version is ready. See https://cloud.google.com/dlp/docs/creating-stored-infotypes to learn more.
|
Action
A task to execute on the completion of a job. See https://cloud.google.com/dlp/docs/concepts-actions to learn more.
Fields | |
---|---|
Union field
|
|
save_findings |
Save resulting findings in a provided location. |
pub_sub |
Publish a notification to a Pub/Sub topic. |
publish_summary_to_cscc |
Publish summary to Cloud Security Command Center (Alpha). |
publish_findings_to_cloud_data_catalog |
Publish findings to Cloud Data Catalog. |
deidentify |
Create a de-identified copy of the input data. |
job_notification_emails |
Sends an email when the job completes. The email goes to IAM project owners and technical Essential Contacts. |
publish_to_stackdriver |
Enable Stackdriver metric dlp.googleapis.com/finding_count. |
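As an illustration of how actions attach to a job, a hypothetical sketch of a CreateDlpJob request with SaveFindings and PublishToPubSub actions, using the google-cloud-dlp Python client; all project, dataset, bucket, and topic names are placeholders.

```python
# Sketch only: an InspectJobConfig whose actions run when the job completes.
from google.cloud import dlp_v2

client = dlp_v2.DlpServiceClient()
inspect_job = {
    "storage_config": {
        "cloud_storage_options": {"file_set": {"url": "gs://my-bucket/**"}}
    },
    "inspect_config": {"info_types": [{"name": "EMAIL_ADDRESS"}]},
    "actions": [
        # SaveFindings: persist detailed findings to a BigQuery table.
        {"save_findings": {"output_config": {"table": {
            "project_id": "my-project",
            "dataset_id": "dlp_results",
            "table_id": "findings",
        }}}},
        # PublishToPubSub: notify a topic when the job finishes.
        {"pub_sub": {"topic": "projects/my-project/topics/dlp-notifications"}},
    ],
}
job = client.create_dlp_job(
    request={"parent": "projects/my-project/locations/global", "inspect_job": inspect_job}
)
print(job.name)
```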
Deidentify
Create a de-identified copy of the requested table or files.
A TransformationDetail will be created for each transformation.
If any rows in BigQuery are skipped during de-identification (because of transformation errors or because the row size exceeds BigQuery insert API limits), they are placed in the failure output table. If the original row exceeds the BigQuery insert API limit, it is truncated when written to the failure output table. The failure output table can be set in the action.deidentify.output.big_query_output.deidentified_failure_output_table field; if no table is set, one is automatically created in the same project and dataset as the original table.
Compatible with: Inspect
Fields | |
---|---|
transformation_config |
User specified deidentify templates and configs for structured, unstructured, and image files. |
transformation_details_storage_config |
Config for storing transformation details. This is separate from the de-identified content, and contains metadata about the successful transformations and/or failures that occurred while de-identifying. This needs to be set in order for users to access information about the status of each transformation (see |
file_types_to_transform[] |
List of user-specified file type groups to transform. If specified, only files with these file types will be transformed. If empty, all supported files will be transformed. Supported types may be automatically added over time. If a file type set in this field isn't supported by the Deidentify action, the job will fail and will not be successfully created or started. Currently the only file types supported are: IMAGES, TEXT_FILES, CSV, TSV. |
Union field
|
|
cloud_storage_output |
Required. User settable Cloud Storage bucket and folders to store de-identified files. This field must be set for cloud storage deidentification. The output Cloud Storage bucket must be different from the input bucket. De-identified files will overwrite files in the output path. Form of: gs://bucket/folder/ or gs://bucket |
JobNotificationEmails
Sends an email when the job completes. The email goes to IAM project owners and technical Essential Contacts.
PublishFindingsToCloudDataCatalog
Publish findings of a DlpJob to Data Catalog. In Data Catalog, tag templates are applied to the resource that Cloud DLP scanned. Data Catalog tag templates are stored in the same project and region where the BigQuery table exists. For Cloud DLP to create and apply the tag template, the Cloud DLP service agent must have the roles/datacatalog.tagTemplateOwner
permission on the project. The tag template contains fields summarizing the results of the DlpJob. Any field values previously written by another DlpJob are deleted. InfoType naming patterns
are strictly enforced when using this feature.
Findings are persisted in Data Catalog storage and are governed by service-specific policies for Data Catalog. For more information, see Service Specific Terms.
Only a single instance of this action can be specified. This action is allowed only if all resources being scanned are BigQuery tables. Compatible with: Inspect
PublishSummaryToCscc
Publish the result summary of a DlpJob to Security Command Center. This action is available only for projects that belong to an organization. This action publishes the count of finding instances and their infoTypes. The summary of findings is persisted in Security Command Center and is governed by service-specific policies for Security Command Center. Only a single instance of this action can be specified. Compatible with: Inspect
PublishToPubSub
Publish a message into a given Pub/Sub topic when DlpJob has completed. The message contains a single field, DlpJobName
, which is equal to the finished job's DlpJob.name
. Compatible with: Inspect, Risk
Fields | |
---|---|
topic |
Cloud Pub/Sub topic to send notifications to. The topic must have given publishing access rights to the DLP API service account executing the long running DlpJob sending the notifications. Format is projects/{project}/topics/{topic}. |
PublishToStackdriver
Enable Stackdriver metric dlp.googleapis.com/finding_count. This will publish a metric to Stackdriver for each infoType requested, recording how many findings were found for it. Custom detectors will be bucketed as 'Custom' under the Stackdriver label 'info_type'.
SaveFindings
If set, the detailed findings will be persisted to the specified OutputStorageConfig. Only a single instance of this action can be specified. Compatible with: Inspect, Risk
Fields | |
---|---|
output_config |
Location to store findings outside of DLP. |
ActivateJobTriggerRequest
Request message for ActivateJobTrigger.
Fields | |
---|---|
name |
Required. Resource name of the trigger to activate. Authorization requires one or more of the following IAM permissions on the specified resource
|
AnalyzeDataSourceRiskDetails
Result of a risk analysis operation request.
Fields | |
---|---|
requested_privacy_metric |
Privacy metric to compute. |
requested_source_table |
Input dataset to compute metrics over. |
requested_options |
The configuration used for this job. |
Union field result . Values associated with this metric. result can be only one of the following: |
|
numerical_stats_result |
Numerical stats result |
categorical_stats_result |
Categorical stats result |
k_anonymity_result |
K-anonymity result |
l_diversity_result |
L-diversity result |
k_map_estimation_result |
K-map result |
delta_presence_estimation_result |
Delta-presence result |
CategoricalStatsResult
Result of the categorical stats computation.
Fields | |
---|---|
value_frequency_histogram_buckets[] |
Histogram of value frequencies in the column. |
CategoricalStatsHistogramBucket
Histogram of value frequencies in the column.
Fields | |
---|---|
value_frequency_lower_bound |
Lower bound on the value frequency of the values in this bucket. |
value_frequency_upper_bound |
Upper bound on the value frequency of the values in this bucket. |
bucket_size |
Total number of values in this bucket. |
bucket_values[] |
Sample of value frequencies in this bucket. The total number of values returned per bucket is capped at 20. |
bucket_value_count |
Total number of distinct values in this bucket. |
DeltaPresenceEstimationResult
Result of the δ-presence computation. Note that these results are an estimation, not exact values.
Fields | |
---|---|
delta_presence_estimation_histogram[] |
The intervals [min_probability, max_probability) do not overlap. If a value doesn't correspond to any such interval, the associated frequency is zero. For example, the following records: {min_probability: 0, max_probability: 0.1, frequency: 17} {min_probability: 0.2, max_probability: 0.3, frequency: 42} {min_probability: 0.3, max_probability: 0.4, frequency: 99} mean that there are no records with an estimated probability in [0.1, 0.2) or greater than or equal to 0.4. |
DeltaPresenceEstimationHistogramBucket
A DeltaPresenceEstimationHistogramBucket message with the following values: min_probability: 0.1 max_probability: 0.2 frequency: 42 means that there are 42 records for which δ is in [0.1, 0.2). An important particular case is when min_probability = max_probability = 1: then, every individual who shares this quasi-identifier combination is in the dataset.
Fields | |
---|---|
min_probability |
Between 0 and 1. |
max_probability |
Always greater than or equal to min_probability. |
bucket_size |
Number of records within these probability bounds. |
bucket_values[] |
Sample of quasi-identifier tuple values in this bucket. The total number of classes returned per bucket is capped at 20. |
bucket_value_count |
Total number of distinct quasi-identifier tuple values in this bucket. |
DeltaPresenceEstimationQuasiIdValues
A tuple of values for the quasi-identifier columns.
Fields | |
---|---|
quasi_ids_values[] |
The quasi-identifier values. |
estimated_probability |
The estimated probability that a given individual sharing these quasi-identifier values is in the dataset. This value, typically called δ, is the ratio between the number of records in the dataset with these quasi-identifier values, and the total number of individuals (inside and outside the dataset) with these quasi-identifier values. For example, if there are 15 individuals in the dataset who share the same quasi-identifier values, and an estimated 100 people in the entire population with these values, then δ is 0.15. |
KAnonymityResult
Result of the k-anonymity computation.
Fields | |
---|---|
equivalence_class_histogram_buckets[] |
Histogram of k-anonymity equivalence classes. |
KAnonymityEquivalenceClass
The set of columns' values that define a single k-anonymity equivalence class.
Fields | |
---|---|
quasi_ids_values[] |
Set of values defining the equivalence class. One value per quasi-identifier column in the original KAnonymity metric message. The order is always the same as the original request. |
equivalence_class_size |
Size of the equivalence class, for example number of rows with the above set of values. |
KAnonymityHistogramBucket
Histogram of k-anonymity equivalence classes.
Fields | |
---|---|
equivalence_class_size_lower_bound |
Lower bound on the size of the equivalence classes in this bucket. |
equivalence_class_size_upper_bound |
Upper bound on the size of the equivalence classes in this bucket. |
bucket_size |
Total number of equivalence classes in this bucket. |
bucket_values[] |
Sample of equivalence classes in this bucket. The total number of classes returned per bucket is capped at 20. |
bucket_value_count |
Total number of distinct equivalence classes in this bucket. |
KMapEstimationResult
Result of the reidentifiability analysis. Note that these results are an estimation, not exact values.
Fields | |
---|---|
k_map_estimation_histogram[] |
The intervals [min_anonymity, max_anonymity] do not overlap. If a value doesn't correspond to any such interval, the associated frequency is zero. For example, the following records: {min_anonymity: 1, max_anonymity: 1, frequency: 17} {min_anonymity: 2, max_anonymity: 3, frequency: 42} {min_anonymity: 5, max_anonymity: 10, frequency: 99} mean that there are no records with an estimated anonymity of 4, or greater than 10. |
KMapEstimationHistogramBucket
A KMapEstimationHistogramBucket message with the following values: min_anonymity: 3 max_anonymity: 5 frequency: 42 means that there are 42 records whose quasi-identifier values correspond to 3, 4 or 5 people in the overlying population. An important particular case is when min_anonymity = max_anonymity = 1: the frequency field then corresponds to the number of uniquely identifiable records.
Fields | |
---|---|
min_anonymity |
Always positive. |
max_anonymity |
Always greater than or equal to min_anonymity. |
bucket_size |
Number of records within these anonymity bounds. |
bucket_values[] |
Sample of quasi-identifier tuple values in this bucket. The total number of classes returned per bucket is capped at 20. |
bucket_value_count |
Total number of distinct quasi-identifier tuple values in this bucket. |
KMapEstimationQuasiIdValues
A tuple of values for the quasi-identifier columns.
Fields | |
---|---|
quasi_ids_values[] |
The quasi-identifier values. |
estimated_anonymity |
The estimated anonymity for these quasi-identifier values. |
LDiversityResult
Result of the l-diversity computation.
Fields | |
---|---|
sensitive_value_frequency_histogram_buckets[] |
Histogram of l-diversity equivalence class sensitive value frequencies. |
LDiversityEquivalenceClass
The set of columns' values that share the same l-diversity value.
Fields | |
---|---|
quasi_ids_values[] |
Quasi-identifier values defining the k-anonymity equivalence class. The order is always the same as the original request. |
equivalence_class_size |
Size of the k-anonymity equivalence class. |
num_distinct_sensitive_values |
Number of distinct sensitive values in this equivalence class. |
top_sensitive_values[] |
Estimated frequencies of top sensitive values. |
LDiversityHistogramBucket
Histogram of l-diversity equivalence class sensitive value frequencies.
Fields | |
---|---|
sensitive_value_frequency_lower_bound |
Lower bound on the sensitive value frequencies of the equivalence classes in this bucket. |
sensitive_value_frequency_upper_bound |
Upper bound on the sensitive value frequencies of the equivalence classes in this bucket. |
bucket_size |
Total number of equivalence classes in this bucket. |
bucket_values[] |
Sample of equivalence classes in this bucket. The total number of classes returned per bucket is capped at 20. |
bucket_value_count |
Total number of distinct equivalence classes in this bucket. |
NumericalStatsResult
Result of the numerical stats computation.
Fields | |
---|---|
min_value |
Minimum value appearing in the column. |
max_value |
Maximum value appearing in the column. |
quantile_values[] |
List of 99 values that partition the set of field values into 100 equal sized buckets. |
RequestedRiskAnalysisOptions
Risk analysis options.
Fields | |
---|---|
job_config |
The job config for the risk job. |
BigQueryField
Message defining a field of a BigQuery table.
Fields | |
---|---|
table |
Source table of the field. |
field |
Designated field in the BigQuery table. |
BigQueryKey
Row key for identifying a record in BigQuery table.
Fields | |
---|---|
table_reference |
Complete BigQuery table reference. |
row_number |
Row number inferred at the time the table was scanned. This value is nondeterministic, cannot be queried, and may be null for inspection jobs. To locate findings within a table, specify |
BigQueryOptions
Options defining BigQuery table and row identifiers.
Fields | |
---|---|
table_reference |
Complete BigQuery table reference. |
identifying_fields[] |
Table fields that may uniquely identify a row within the table. When |
rows_limit |
Max number of rows to scan. If the table has more rows than this value, the rest of the rows are omitted. If not set, or if set to 0, all rows will be scanned. Only one of rows_limit and rows_limit_percent can be specified. Cannot be used in conjunction with TimespanConfig. |
rows_limit_percent |
Max percentage of rows to scan. The rest are omitted. The number of rows scanned is rounded down. Must be between 0 and 100, inclusive. Both 0 and 100 mean no limit. Defaults to 0. Only one of rows_limit and rows_limit_percent can be specified. Cannot be used in conjunction with TimespanConfig. |
sample_method |
|
excluded_fields[] |
References to fields excluded from scanning. This allows you to skip inspection of entire columns which you know have no findings. |
included_fields[] |
Limit scanning only to these fields. |
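For illustration, a hypothetical BigQueryOptions value expressed as a Python dictionary in the shape accepted by the google-cloud-dlp client; the project, dataset, table, and field names are placeholders.

```python
# Sketch only: sample roughly 10% of rows, starting at random row groups,
# and skip one column that is known to contain no findings.
big_query_options = {
    "table_reference": {
        "project_id": "my-project",
        "dataset_id": "my_dataset",
        "table_id": "customers",
    },
    "identifying_fields": [{"name": "customer_id"}],  # fields that may uniquely identify a row
    "rows_limit_percent": 10,
    "sample_method": "RANDOM_START",
    "excluded_fields": [{"name": "internal_notes"}],
}
storage_config = {"big_query_options": big_query_options}  # used inside an InspectJobConfig
```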
SampleMethod
How to sample rows if not all rows are scanned. Meaningful only when used in conjunction with either rows_limit or rows_limit_percent. If not specified, rows are scanned in the order BigQuery reads them.
Enums | |
---|---|
SAMPLE_METHOD_UNSPECIFIED |
|
TOP |
Scan groups of rows in the order BigQuery provides (default). Multiple groups of rows may be scanned in parallel, so results may not appear in the same order the rows are read. |
RANDOM_START |
Randomly pick groups of rows to scan. |
BigQueryTable
Message defining the location of a BigQuery table. A table is uniquely identified by its project_id, dataset_id, and table_name. Within a query a table is often referenced with a string in the format of: <project_id>:<dataset_id>.<table_id>
or <project_id>.<dataset_id>.<table_id>
.
Fields | |
---|---|
project_id |
The Google Cloud Platform project ID of the project containing the table. If omitted, project ID is inferred from the API call. |
dataset_id |
Dataset ID of the table. |
table_id |
Name of the table. |
BoundingBox
Bounding box encompassing detected text within an image.
Fields | |
---|---|
top |
Top coordinate of the bounding box. (0,0) is upper left. |
left |
Left coordinate of the bounding box. (0,0) is upper left. |
width |
Width of the bounding box in pixels. |
height |
Height of the bounding box in pixels. |
BucketingConfig
Generalization function that buckets values based on ranges. The ranges and replacement values are dynamically provided by the user for custom behavior, such as 1-30 -> LOW, 31-65 -> MEDIUM, 66-100 -> HIGH. This can be used on data of type: number, long, string, timestamp. If the bound Value
type differs from the type of data being transformed, we will first attempt converting the type of the data to be transformed to match the type of the bound before comparing. See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more.
Fields | |
---|---|
buckets[] |
Set of buckets. Ranges must be non-overlapping. |
Bucket
Bucket is represented as a range, along with replacement values.
Fields | |
---|---|
min |
Lower bound of the range, inclusive. Type should be the same as max if used. |
max |
Upper bound of the range, exclusive; type must match min. |
replacement_value |
Required. Replacement value for this bucket. |
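For illustration, a hypothetical BucketingConfig, expressed as a Python dictionary in the shape accepted by the google-cloud-dlp client, mirroring the 1-30 -> LOW, 31-65 -> MEDIUM, 66-100 -> HIGH example above.

```python
# Sketch only: because each bucket's max bound is exclusive, every max is set
# one past the intended range.
bucketing_config = {
    "buckets": [
        {"min": {"integer_value": 1},  "max": {"integer_value": 31},
         "replacement_value": {"string_value": "LOW"}},
        {"min": {"integer_value": 31}, "max": {"integer_value": 66},
         "replacement_value": {"string_value": "MEDIUM"}},
        {"min": {"integer_value": 66}, "max": {"integer_value": 101},
         "replacement_value": {"string_value": "HIGH"}},
    ]
}
primitive_transformation = {"bucketing_config": bucketing_config}
```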
ByteContentItem
Container for bytes to inspect or redact.
Fields | |
---|---|
type |
The type of data stored in the bytes string. Default will be TEXT_UTF8. |
data |
Content data to inspect or redact. |
BytesType
The type of data being sent for inspection. To learn more, see Supported file types.
Enums | |
---|---|
BYTES_TYPE_UNSPECIFIED |
Unused |
IMAGE |
Any image type. |
IMAGE_JPEG |
jpeg |
IMAGE_BMP |
bmp |
IMAGE_PNG |
png |
IMAGE_SVG |
svg |
TEXT_UTF8 |
plain text |
WORD_DOCUMENT |
docx, docm, dotx, dotm |
PDF |
|
POWERPOINT_DOCUMENT |
pptx, pptm, potx, potm, pot |
EXCEL_DOCUMENT |
xlsx, xlsm, xltx, xltm |
AVRO |
avro |
CSV |
csv |
TSV |
tsv |
CancelDlpJobRequest
The request message for canceling a DLP job.
Fields | |
---|---|
name |
Required. The name of the DlpJob resource to be cancelled. Authorization requires the following IAM permission on the specified resource
|
CharacterMaskConfig
Partially mask a string by replacing a given number of characters with a fixed character. Masking can start from the beginning or end of the string. This can be used on data of any type (numbers, longs, and so on), and when de-identifying structured data we'll attempt to preserve the original data's type. (This allows you to take a long like 123 and modify it to a string like **3.)
Fields | |
---|---|
masking_character |
Character to use to mask the sensitive values—for example, |
number_to_mask |
Number of characters to mask. If not set, all matching chars will be masked. Skipped characters do not count towards this tally. If
The resulting de-identified string is |
reverse_order |
Mask characters in reverse order. For example, if |
characters_to_ignore[] |
When masking a string, items in this list will be skipped when replacing characters. For example, if the input string is |
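For illustration, a hypothetical CharacterMaskConfig, as a Python dictionary in the shape accepted by the google-cloud-dlp client, that masks the first five digits of a hyphenated number while skipping the hyphens.

```python
# Sketch only: masking proceeds from the start of the string; skipped
# characters (the hyphen here) are kept and do not count toward number_to_mask.
character_mask_config = {
    "masking_character": "#",
    "number_to_mask": 5,
    "characters_to_ignore": [{"characters_to_skip": "-"}],
}
# Used inside a primitive_transformation, "123-45-6789" would become "###-##-6789".
```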
CharsToIgnore
Characters to skip when doing deidentification of a value. These will be left alone and skipped.
Fields | |
---|---|
Union field
|
|
characters_to_skip |
Characters to not transform when masking. |
common_characters_to_ignore |
Common characters to not transform when masking. Useful to avoid removing punctuation. |
CommonCharsToIgnore
Convenience enum for indicating common characters to not transform.
Enums | |
---|---|
COMMON_CHARS_TO_IGNORE_UNSPECIFIED |
Unused. |
NUMERIC |
0-9 |
ALPHA_UPPER_CASE |
A-Z |
ALPHA_LOWER_CASE |
a-z |
PUNCTUATION |
US Punctuation, one of !"#$%&'()*+,-./:;<=>?@[]^_`{|}~ |
WHITESPACE |
Whitespace character, one of [ \t\n\x0B\f\r] |
CloudStorageFileSet
Message representing a set of files in Cloud Storage.
Fields | |
---|---|
url |
The url, in the format |
CloudStorageOptions
Options defining a file or a set of files within a Cloud Storage bucket.
Fields | |
---|---|
file_set |
The set of one or more files to scan. |
bytes_limit_per_file |
Max number of bytes to scan from a file. If a scanned file's size is bigger than this value then the rest of the bytes are omitted. Only one of bytes_limit_per_file and bytes_limit_per_file_percent can be specified. Cannot be set if de-identification is requested. |
bytes_limit_per_file_percent |
Max percentage of bytes to scan from a file. The rest are omitted. The number of bytes scanned is rounded down. Must be between 0 and 100, inclusive. Both 0 and 100 mean no limit. Defaults to 0. Only one of bytes_limit_per_file and bytes_limit_per_file_percent can be specified. Cannot be set if de-identification is requested. |
file_types[] |
List of file type groups to include in the scan. If empty, all files are scanned and available data format processors are applied. In addition, the binary content of the selected files is always scanned as well. Images are scanned only as binary if the specified region does not support image inspection and no file_types were specified. Image inspection is restricted to 'global', 'us', 'asia', and 'europe'. |
sample_method |
|
files_limit_percent |
Limits the number of files to scan to this percentage of the input FileSet. Number of files scanned is rounded down. Must be between 0 and 100, inclusive. Both 0 and 100 mean no limit. Defaults to 0. |
FileSet
Set of files to scan.
Fields | |
---|---|
url |
The Cloud Storage url of the file(s) to scan, in the format If the url ends in a trailing slash, the bucket or directory represented by the url will be scanned non-recursively (content in sub-directories will not be scanned). This means that Exactly one of |
regex_file_set |
The regex-filtered set of files to scan. Exactly one of |
SampleMethod
How to sample bytes if not all bytes are scanned. Meaningful only when used in conjunction with bytes_limit_per_file. If not specified, scanning starts from the top.
Enums | |
---|---|
SAMPLE_METHOD_UNSPECIFIED |
|
TOP |
Scan from the top (default). |
RANDOM_START |
For each file larger than bytes_limit_per_file, randomly pick the offset to start scanning. The scanned bytes are contiguous. |
CloudStoragePath
Message representing a single file or path in Cloud Storage.
Fields | |
---|---|
path |
A url representing a file or path (no wildcards) in Cloud Storage. Example: gs://[BUCKET_NAME]/dictionary.txt |
CloudStorageRegexFileSet
Message representing a set of files in a Cloud Storage bucket. Regular expressions are used to allow fine-grained control over which files in the bucket to include.
Included files are those that match at least one item in include_regex
and do not match any items in exclude_regex
. Note that a file that matches items from both lists will not be included. For a match to occur, the entire file path (i.e., everything in the url after the bucket name) must match the regular expression.
For example, given the input {bucket_name: "mybucket", include_regex:
["directory1/.*"], exclude_regex:
["directory1/excluded.*"]}
:
gs://mybucket/directory1/myfile
will be includedgs://mybucket/directory1/directory2/myfile
will be included (.*
matches across/
)gs://mybucket/directory0/directory1/myfile
will not be included (the full path doesn't match any items ininclude_regex
)gs://mybucket/directory1/excludedfile
will not be included (the path matches an item inexclude_regex
)
If include_regex
is left empty, it will match all files by default (this is equivalent to setting include_regex: [".*"]
).
Some other common use cases:
{bucket_name: "mybucket", exclude_regex: [".*\.pdf"]}
will include all files inmybucket
except for .pdf files{bucket_name: "mybucket", include_regex: ["directory/[^/]+"]}
will include all files directly undergs://mybucket/directory/
, without matching across/
Fields | |
---|---|
bucket_name |
The name of a Cloud Storage bucket. Required. |
include_regex[] |
A list of regular expressions matching file paths to include. All files in the bucket that match at least one of these regular expressions will be included in the set of files, except for those that also match an item in Regular expressions use RE2 syntax; a guide can be found under the google/re2 repository on GitHub. |
exclude_regex[] |
A list of regular expressions matching file paths to exclude. All files in the bucket that match at least one of these regular expressions will be excluded from the scan. Regular expressions use RE2 syntax; a guide can be found under the google/re2 repository on GitHub. |
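For illustration, a hypothetical CloudStorageOptions value, as a Python dictionary in the shape accepted by the google-cloud-dlp client, reusing the mybucket/directory1 example above; the bucket name and byte limit are placeholders.

```python
# Sketch only: scan files under directory1/ except those matching the exclude
# pattern, reading at most 1 MiB per file from a random starting offset.
cloud_storage_options = {
    "file_set": {
        "regex_file_set": {
            "bucket_name": "mybucket",
            "include_regex": ["directory1/.*"],
            "exclude_regex": ["directory1/excluded.*"],
        }
    },
    "bytes_limit_per_file": 1048576,
    "sample_method": "RANDOM_START",
}
storage_config = {"cloud_storage_options": cloud_storage_options}  # used inside an InspectJobConfig
```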
Color
Represents a color in the RGB color space.
Fields | |
---|---|
red |
The amount of red in the color as a value in the interval [0, 1]. |
green |
The amount of green in the color as a value in the interval [0, 1]. |
blue |
The amount of blue in the color as a value in the interval [0, 1]. |
Container
Represents a container that may contain DLP findings. Examples of a container include a file, table, or database record.
Fields | |
---|---|
type |
Container type, for example BigQuery or Cloud Storage. |
project_id |
Project where the finding was found. Can be different from the project that owns the finding. |
full_path |
A string representation of the full container name. Examples: - BigQuery: 'Project:DataSetId.TableId' - Cloud Storage: 'gs://Bucket/folders/filename.txt' |
root_path |
The root of the container. Examples:
|
relative_path |
The rest of the path after the root. Examples:
|
update_time |
Findings container modification timestamp, if applicable. For Cloud Storage, this field contains the last file modification timestamp. For a BigQuery table, this field contains the last_modified_time property. For Datastore, this field isn't populated. |
version |
Findings container version, if available ("generation" for Cloud Storage). |
ContentItem
Fields | |
---|---|
Union field data_item . Data of the item either in the byte array or UTF-8 string form, or table. data_item can be only one of the following: |
|
value |
String data to inspect or redact. |
table |
Structured content for inspection. See https://cloud.google.com/dlp/docs/inspecting-text#inspecting_a_table to learn more. |
byte_item |
Content data to inspect or redact. Replaces |
ContentLocation
Precise location of the finding within a document, record, image, or metadata container.
Fields | |
---|---|
container_name |
Name of the container where the finding is located. The top level name is the source file name or table name. Names of some common storage containers are formatted as follows:
Nested names could be absent if the embedded object has no string identifier (for example, an image contained within a document). |
container_timestamp |
Finding container modification timestamp, if applicable. For Cloud Storage, this field contains the last file modification timestamp. For a BigQuery table, this field contains the last_modified_time property. For Datastore, this field isn't populated. |
container_version |
Finding container version, if available ("generation" for Cloud Storage). |
Union field location . Type of the container within the file with location of the finding. location can be only one of the following: |
|
record_location |
Location within a row or record of a database table. |
image_location |
Location within an image's pixels. |
document_location |
Location data for document files. |
metadata_location |
Location within the metadata for inspected content. |
ContentOption
Deprecated and unused.
Enums | |
---|---|
CONTENT_UNSPECIFIED |
Includes entire content of a file or a data stream. |
CONTENT_TEXT |
Text content within the data, excluding any metadata. |
CONTENT_IMAGE |
Images found in the data. |
CreateDeidentifyTemplateRequest
Request message for CreateDeidentifyTemplate.
Fields | |
---|---|
parent |
Required. Parent resource name. The format of this value varies depending on the scope of the request (project or organization) and whether you have specified a processing location:
The following example
Authorization requires the following IAM permission on the specified resource
|
deidentify_template |
Required. The DeidentifyTemplate to create. |
template_id |
The template id can contain uppercase and lowercase letters, numbers, and hyphens; that is, it must match the regular expression: |
location_id |
Deprecated. This field has no effect. |
CreateDlpJobRequest
Request message for CreateDlpJobRequest. Used to initiate long running jobs such as calculating risk metrics or inspecting Google Cloud Storage.
Fields | |
---|---|
parent |
Required. Parent resource name. The format of this value varies depending on whether you have specified a processing location:
The following example
Authorization requires the following IAM permission on the specified resource
|
job_id |
The job id can contain uppercase and lowercase letters, numbers, and hyphens; that is, it must match the regular expression: |
location_id |
Deprecated. This field has no effect. |
Union field job . The configuration details for the specific type of job to run. job can be only one of the following: |
|
inspect_job |
An inspection job scans a storage repository for InfoTypes. |
risk_job |
A risk analysis job calculates re-identification risk metrics for a BigQuery table. |
CreateInspectTemplateRequest
Request message for CreateInspectTemplate.
Fields | |
---|---|
parent |
Required. Parent resource name. The format of this value varies depending on the scope of the request (project or organization) and whether you have specified a processing location:
The following example
Authorization requires the following IAM permission on the specified resource
|
inspect_template |
Required. The InspectTemplate to create. |
template_id |
The template id can contain uppercase and lowercase letters, numbers, and hyphens; that is, it must match the regular expression: |
location_id |
Deprecated. This field has no effect. |
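For illustration, a minimal CreateInspectTemplate sketch using the google-cloud-dlp Python client; the project ID, template ID, and display name are placeholders.

```python
# Sketch only: creates a reusable InspectTemplate holding an InspectConfig.
from google.cloud import dlp_v2

client = dlp_v2.DlpServiceClient()
template = client.create_inspect_template(
    request={
        "parent": "projects/my-project/locations/global",
        "template_id": "email-and-phone",
        "inspect_template": {
            "display_name": "Email and phone",
            "inspect_config": {
                "info_types": [{"name": "EMAIL_ADDRESS"}, {"name": "PHONE_NUMBER"}],
                "min_likelihood": "POSSIBLE",
            },
        },
    }
)
print(template.name)  # the returned resource name can be referenced from later requests
```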
CreateJobTriggerRequest
Request message for CreateJobTrigger.
Fields | |
---|---|
parent |
Required. Parent resource name. The format of this value varies depending on whether you have specified a processing location:
The following example
Authorization requires one or more of the following IAM permissions on the specified resource
|
job_trigger |
Required. The JobTrigger to create. |
trigger_id |
The trigger id can contain uppercase and lowercase letters, numbers, and hyphens; that is, it must match the regular expression: |
location_id |
Deprecated. This field has no effect. |
CreateStoredInfoTypeRequest
Request message for CreateStoredInfoType.
Fields | |
---|---|
parent |
Required. Parent resource name. The format of this value varies depending on the scope of the request (project or organization) and whether you have specified a processing location:
The following example
Authorization requires the following IAM permission on the specified resource
|
config |
Required. Configuration of the storedInfoType to create. |
stored_info_type_id |
The storedInfoType ID can contain uppercase and lowercase letters, numbers, and hyphens; that is, it must match the regular expression: |
location_id |
Deprecated. This field has no effect. |
CryptoDeterministicConfig
Pseudonymization method that generates deterministic encryption for the given input. Outputs a base64 encoded representation of the encrypted output. Uses AES-SIV based on the RFC https://tools.ietf.org/html/rfc5297.
Fields | |
---|---|
crypto_key |
The key used by the encryption function. For deterministic encryption using AES-SIV, the provided key is internally expanded to 64 bytes prior to use. |
surrogate_info_type |
The custom info type to annotate the surrogate with. This annotation will be applied to the surrogate by prefixing it with the name of the custom info type followed by the number of characters comprising the surrogate. The following scheme defines the format: {info type name}({surrogate character count}):{surrogate} For example, if the name of custom info type is 'MY_TOKEN_INFO_TYPE' and the surrogate is 'abc', the full replacement value will be: 'MY_TOKEN_INFO_TYPE(3):abc' This annotation identifies the surrogate when inspecting content using the custom info type 'Surrogate'. This facilitates reversal of the surrogate when it occurs in free text. Note: For record transformations where the entire cell in a table is being transformed, surrogates are not mandatory. Surrogates are used to denote the location of the token and are necessary for re-identification in free form text. In order for inspection to work properly, the name of this info type must not occur naturally anywhere in your data; otherwise, inspection may either
Therefore, choose your custom info type name carefully after considering what your data looks like. One way to select a name that has a high chance of yielding reliable detection is to include one or more unicode characters that are highly improbable to exist in your data. For example, assuming your data is entered from a regular ASCII keyboard, the symbol with the hex code point 29DD might be used like so: ⧝MY_TOKEN_TYPE. |
context |
A context may be used for higher security and maintaining referential integrity such that the same identifier in two different contexts will be given a distinct surrogate. The context is appended to plaintext value being encrypted. On decryption the provided context is validated against the value used during encryption. If a context was provided during encryption, same context must be provided during decryption as well. If the context is not set, plaintext would be used as is for encryption. If the context is set but:
plaintext would be used as is for encryption. Note that case (1) is expected when an |
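For illustration, a hypothetical CryptoDeterministicConfig, as a Python dictionary in the shape accepted by the google-cloud-dlp client; the key name, surrogate infoType name, and context field are placeholders. Because a transient key is discarded after the request, surrogates produced with it generally cannot be re-identified later.

```python
# Sketch only: deterministic encryption with a transient (request-scoped) key.
# Output surrogates take the form MY_TOKEN_INFO_TYPE(<n>):<base64 surrogate>.
crypto_deterministic_config = {
    "crypto_key": {"transient": {"name": "my-transient-key"}},
    "surrogate_info_type": {"name": "MY_TOKEN_INFO_TYPE"},
    "context": {"name": "user_id"},  # optional: ties surrogates to another field's value
}
primitive_transformation = {"crypto_deterministic_config": crypto_deterministic_config}
```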
CryptoHashConfig
Pseudonymization method that generates surrogates via cryptographic hashing. Uses SHA-256. The key size must be either 32 or 64 bytes. Outputs a base64 encoded representation of the hashed output (for example, L7k0BHmF1ha5U3NfGykjro4xWi1MPVQPjhMAZbSV9mM=). Currently, only string and integer values can be hashed. See https://cloud.google.com/dlp/docs/pseudonymization to learn more.
Fields | |
---|---|
crypto_key |
The key used by the hash function. |
CryptoKey
This is a data encryption key (DEK), as opposed to a key encryption key (KEK) stored by Cloud Key Management Service (Cloud KMS). When using Cloud KMS to wrap or unwrap a DEK, be sure to set an appropriate IAM policy on the KEK to ensure an attacker cannot unwrap the DEK.
Fields | |
---|---|
Union field source . Sources of crypto keys. source can be only one of the following: |
|
transient |
Transient crypto key |
unwrapped |
Unwrapped crypto key |
kms_wrapped |
Key wrapped using Cloud KMS |
CryptoReplaceFfxFpeConfig
Replaces an identifier with a surrogate using Format Preserving Encryption (FPE) with the FFX mode of operation; however when used in the ReidentifyContent
API method, it serves the opposite function by reversing the surrogate back into the original identifier. The identifier must be encoded as ASCII. For a given crypto key and context, the same identifier will be replaced with the same surrogate. Identifiers must be at least two characters long. In the case that the identifier is the empty string, it will be skipped. See https://cloud.google.com/dlp/docs/pseudonymization to learn more.
Note: We recommend using CryptoDeterministicConfig for all use cases which do not require preserving the input alphabet space and size, plus warrant referential integrity.
Fields | |
---|---|
crypto_key |
Required. The key used by the encryption algorithm. |
context |
The 'tweak', a context may be used for higher security since the same identifier in two different contexts won't be given the same surrogate. If the context is not set, a default tweak will be used. If the context is set but:
a default tweak will be used. Note that case (1) is expected when an The tweak is constructed as a sequence of bytes in big endian byte order such that:
|
surrogate_info_type |
The custom infoType to annotate the surrogate with. This annotation will be applied to the surrogate by prefixing it with the name of the custom infoType followed by the number of characters comprising the surrogate. The following scheme defines the format: info_type_name(surrogate_character_count):surrogate For example, if the name of custom infoType is 'MY_TOKEN_INFO_TYPE' and the surrogate is 'abc', the full replacement value will be: 'MY_TOKEN_INFO_TYPE(3):abc' This annotation identifies the surrogate when inspecting content using the custom infoType In order for inspection to work properly, the name of this infoType must not occur naturally anywhere in your data; otherwise, inspection may find a surrogate that does not correspond to an actual identifier. Therefore, choose your custom infoType name carefully after considering what your data looks like. One way to select a name that has a high chance of yielding reliable detection is to include one or more unicode characters that are highly improbable to exist in your data. For example, assuming your data is entered from a regular ASCII keyboard, the symbol with the hex code point 29DD might be used like so: ⧝MY_TOKEN_TYPE |
Union field alphabet . Choose an alphabet which the data being transformed will be made up of. alphabet can be only one of the following: |
|