Package google.privacy.dlp.v2

Index

DlpService

The Cloud Data Loss Prevention (DLP) API is a service that allows clients to detect the presence of Personally Identifiable Information (PII) and other privacy-sensitive data in user-supplied, unstructured data streams, like text blocks or images. The service also includes methods for sensitive data redaction and scheduling of data scans on Google Cloud Platform based data sets.

To learn more about concepts and find how-to guides see https://cloud.google.com/dlp/docs/.

ActivateJobTrigger

rpc ActivateJobTrigger(ActivateJobTriggerRequest) returns (DlpJob)

Activate a job trigger. Causes the immediate execute of a trigger instead of waiting on the trigger event to occur.

Authorization Scopes

Requires the following OAuth scope:

  • https://www.googleapis.com/auth/cloud-platform

For more information, see the Authentication Overview.

CancelDlpJob

rpc CancelDlpJob(CancelDlpJobRequest) returns (Empty)

Starts asynchronous cancellation on a long-running DlpJob. The server makes a best effort to cancel the DlpJob, but success is not guaranteed. See https://cloud.google.com/dlp/docs/inspecting-storage and https://cloud.google.com/dlp/docs/compute-risk-analysis to learn more.

Authorization Scopes

Requires the following OAuth scope:

  • https://www.googleapis.com/auth/cloud-platform

For more information, see the Authentication Overview.

CreateDeidentifyTemplate

rpc CreateDeidentifyTemplate(CreateDeidentifyTemplateRequest) returns (DeidentifyTemplate)

Creates a DeidentifyTemplate for re-using frequently used configuration for de-identifying content, images, and storage. See https://cloud.google.com/dlp/docs/creating-templates-deid to learn more.

Authorization Scopes

Requires the following OAuth scope:

  • https://www.googleapis.com/auth/cloud-platform

For more information, see the Authentication Overview.

CreateDlpJob

rpc CreateDlpJob(CreateDlpJobRequest) returns (DlpJob)

Creates a new job to inspect storage or calculate risk metrics. See https://cloud.google.com/dlp/docs/inspecting-storage and https://cloud.google.com/dlp/docs/compute-risk-analysis to learn more.

When no InfoTypes or CustomInfoTypes are specified in inspect jobs, the system will automatically choose what detectors to run. By default this may be all types, but may change over time as detectors are updated.

Authorization Scopes

Requires the following OAuth scope:

  • https://www.googleapis.com/auth/cloud-platform

For more information, see the Authentication Overview.

CreateInspectTemplate

rpc CreateInspectTemplate(CreateInspectTemplateRequest) returns (InspectTemplate)

Creates an InspectTemplate for re-using frequently used configuration for inspecting content, images, and storage. See https://cloud.google.com/dlp/docs/creating-templates to learn more.

Authorization Scopes

Requires the following OAuth scope:

  • https://www.googleapis.com/auth/cloud-platform

For more information, see the Authentication Overview.

CreateJobTrigger

rpc CreateJobTrigger(CreateJobTriggerRequest) returns (JobTrigger)

Creates a job trigger to run DLP actions such as scanning storage for sensitive information on a set schedule. See https://cloud.google.com/dlp/docs/creating-job-triggers to learn more.

Authorization Scopes

Requires the following OAuth scope:

  • https://www.googleapis.com/auth/cloud-platform

For more information, see the Authentication Overview.

CreateStoredInfoType

rpc CreateStoredInfoType(CreateStoredInfoTypeRequest) returns (StoredInfoType)

Creates a pre-built stored infoType to be used for inspection. See https://cloud.google.com/dlp/docs/creating-stored-infotypes to learn more.

Authorization Scopes

Requires the following OAuth scope:

  • https://www.googleapis.com/auth/cloud-platform

For more information, see the Authentication Overview.

DeidentifyContent

rpc DeidentifyContent(DeidentifyContentRequest) returns (DeidentifyContentResponse)

De-identifies potentially sensitive info from a ContentItem. This method has limits on input size and output size. See https://cloud.google.com/dlp/docs/deidentify-sensitive-data to learn more.

When no InfoTypes or CustomInfoTypes are specified in this request, the system will automatically choose what detectors to run. By default this may be all types, but may change over time as detectors are updated.

Authorization Scopes

Requires the following OAuth scope:

  • https://www.googleapis.com/auth/cloud-platform

For more information, see the Authentication Overview.

DeleteDeidentifyTemplate

rpc DeleteDeidentifyTemplate(DeleteDeidentifyTemplateRequest) returns (Empty)

Deletes a DeidentifyTemplate. See https://cloud.google.com/dlp/docs/creating-templates-deid to learn more.

Authorization Scopes

Requires the following OAuth scope:

  • https://www.googleapis.com/auth/cloud-platform

For more information, see the Authentication Overview.

DeleteDlpJob

rpc DeleteDlpJob(DeleteDlpJobRequest) returns (Empty)

Deletes a long-running DlpJob. This method indicates that the client is no longer interested in the DlpJob result. The job will be cancelled if possible. See https://cloud.google.com/dlp/docs/inspecting-storage and https://cloud.google.com/dlp/docs/compute-risk-analysis to learn more.

Authorization Scopes

Requires the following OAuth scope:

  • https://www.googleapis.com/auth/cloud-platform

For more information, see the Authentication Overview.

DeleteInspectTemplate

rpc DeleteInspectTemplate(DeleteInspectTemplateRequest) returns (Empty)

Deletes an InspectTemplate. See https://cloud.google.com/dlp/docs/creating-templates to learn more.

Authorization Scopes

Requires the following OAuth scope:

  • https://www.googleapis.com/auth/cloud-platform

For more information, see the Authentication Overview.

DeleteJobTrigger

rpc DeleteJobTrigger(DeleteJobTriggerRequest) returns (Empty)

Deletes a job trigger. See https://cloud.google.com/dlp/docs/creating-job-triggers to learn more.

Authorization Scopes

Requires the following OAuth scope:

  • https://www.googleapis.com/auth/cloud-platform

For more information, see the Authentication Overview.

DeleteStoredInfoType

rpc DeleteStoredInfoType(DeleteStoredInfoTypeRequest) returns (Empty)

Deletes a stored infoType. See https://cloud.google.com/dlp/docs/creating-stored-infotypes to learn more.

Authorization Scopes

Requires the following OAuth scope:

  • https://www.googleapis.com/auth/cloud-platform

For more information, see the Authentication Overview.

GetDeidentifyTemplate

rpc GetDeidentifyTemplate(GetDeidentifyTemplateRequest) returns (DeidentifyTemplate)

Gets a DeidentifyTemplate. See https://cloud.google.com/dlp/docs/creating-templates-deid to learn more.

Authorization Scopes

Requires the following OAuth scope:

  • https://www.googleapis.com/auth/cloud-platform

For more information, see the Authentication Overview.

GetDlpJob

rpc GetDlpJob(GetDlpJobRequest) returns (DlpJob)

Gets the latest state of a long-running DlpJob. See https://cloud.google.com/dlp/docs/inspecting-storage and https://cloud.google.com/dlp/docs/compute-risk-analysis to learn more.

Authorization Scopes

Requires the following OAuth scope:

  • https://www.googleapis.com/auth/cloud-platform

For more information, see the Authentication Overview.

GetInspectTemplate

rpc GetInspectTemplate(GetInspectTemplateRequest) returns (InspectTemplate)

Gets an InspectTemplate. See https://cloud.google.com/dlp/docs/creating-templates to learn more.

Authorization Scopes

Requires the following OAuth scope:

  • https://www.googleapis.com/auth/cloud-platform

For more information, see the Authentication Overview.

GetJobTrigger

rpc GetJobTrigger(GetJobTriggerRequest) returns (JobTrigger)

Gets a job trigger. See https://cloud.google.com/dlp/docs/creating-job-triggers to learn more.

Authorization Scopes

Requires the following OAuth scope:

  • https://www.googleapis.com/auth/cloud-platform

For more information, see the Authentication Overview.

GetStoredInfoType

rpc GetStoredInfoType(GetStoredInfoTypeRequest) returns (StoredInfoType)

Gets a stored infoType. See https://cloud.google.com/dlp/docs/creating-stored-infotypes to learn more.

Authorization Scopes

Requires the following OAuth scope:

  • https://www.googleapis.com/auth/cloud-platform

For more information, see the Authentication Overview.

InspectContent

rpc InspectContent(InspectContentRequest) returns (InspectContentResponse)

Finds potentially sensitive info in content. This method has limits on input size, processing time, and output size.

When no InfoTypes or CustomInfoTypes are specified in this request, the system will automatically choose what detectors to run. By default this may be all types, but may change over time as detectors are updated.

For how to guides, see https://cloud.google.com/dlp/docs/inspecting-images and https://cloud.google.com/dlp/docs/inspecting-text,

Authorization Scopes

Requires the following OAuth scope:

  • https://www.googleapis.com/auth/cloud-platform

For more information, see the Authentication Overview.

ListDeidentifyTemplates

rpc ListDeidentifyTemplates(ListDeidentifyTemplatesRequest) returns (ListDeidentifyTemplatesResponse)

Lists DeidentifyTemplates. See https://cloud.google.com/dlp/docs/creating-templates-deid to learn more.

Authorization Scopes

Requires the following OAuth scope:

  • https://www.googleapis.com/auth/cloud-platform

For more information, see the Authentication Overview.

ListDlpJobs

rpc ListDlpJobs(ListDlpJobsRequest) returns (ListDlpJobsResponse)

Lists DlpJobs that match the specified filter in the request. See https://cloud.google.com/dlp/docs/inspecting-storage and https://cloud.google.com/dlp/docs/compute-risk-analysis to learn more.

Authorization Scopes

Requires the following OAuth scope:

  • https://www.googleapis.com/auth/cloud-platform

For more information, see the Authentication Overview.

ListInfoTypes

rpc ListInfoTypes(ListInfoTypesRequest) returns (ListInfoTypesResponse)

Returns a list of the sensitive information types that the DLP API supports. See https://cloud.google.com/dlp/docs/infotypes-reference to learn more.

Authorization Scopes

Requires the following OAuth scope:

  • https://www.googleapis.com/auth/cloud-platform

For more information, see the Authentication Overview.

ListInspectTemplates

rpc ListInspectTemplates(ListInspectTemplatesRequest) returns (ListInspectTemplatesResponse)

Lists InspectTemplates. See https://cloud.google.com/dlp/docs/creating-templates to learn more.

Authorization Scopes

Requires the following OAuth scope:

  • https://www.googleapis.com/auth/cloud-platform

For more information, see the Authentication Overview.

ListJobTriggers

rpc ListJobTriggers(ListJobTriggersRequest) returns (ListJobTriggersResponse)

Lists job triggers. See https://cloud.google.com/dlp/docs/creating-job-triggers to learn more.

Authorization Scopes

Requires the following OAuth scope:

  • https://www.googleapis.com/auth/cloud-platform

For more information, see the Authentication Overview.

ListStoredInfoTypes

rpc ListStoredInfoTypes(ListStoredInfoTypesRequest) returns (ListStoredInfoTypesResponse)

Lists stored infoTypes. See https://cloud.google.com/dlp/docs/creating-stored-infotypes to learn more.

Authorization Scopes

Requires the following OAuth scope:

  • https://www.googleapis.com/auth/cloud-platform

For more information, see the Authentication Overview.

RedactImage

rpc RedactImage(RedactImageRequest) returns (RedactImageResponse)

Redacts potentially sensitive info from an image. This method has limits on input size, processing time, and output size. See https://cloud.google.com/dlp/docs/redacting-sensitive-data-images to learn more.

When no InfoTypes or CustomInfoTypes are specified in this request, the system will automatically choose what detectors to run. By default this may be all types, but may change over time as detectors are updated.

Authorization Scopes

Requires the following OAuth scope:

  • https://www.googleapis.com/auth/cloud-platform

For more information, see the Authentication Overview.

ReidentifyContent

rpc ReidentifyContent(ReidentifyContentRequest) returns (ReidentifyContentResponse)

Re-identifies content that has been de-identified. See https://cloud.google.com/dlp/docs/pseudonymization#re-identification_in_free_text_code_example to learn more.

Authorization Scopes

Requires the following OAuth scope:

  • https://www.googleapis.com/auth/cloud-platform

For more information, see the Authentication Overview.

UpdateDeidentifyTemplate

rpc UpdateDeidentifyTemplate(UpdateDeidentifyTemplateRequest) returns (DeidentifyTemplate)

Updates the DeidentifyTemplate. See https://cloud.google.com/dlp/docs/creating-templates-deid to learn more.

Authorization Scopes

Requires the following OAuth scope:

  • https://www.googleapis.com/auth/cloud-platform

For more information, see the Authentication Overview.

UpdateInspectTemplate

rpc UpdateInspectTemplate(UpdateInspectTemplateRequest) returns (InspectTemplate)

Updates the InspectTemplate. See https://cloud.google.com/dlp/docs/creating-templates to learn more.

Authorization Scopes

Requires the following OAuth scope:

  • https://www.googleapis.com/auth/cloud-platform

For more information, see the Authentication Overview.

UpdateJobTrigger

rpc UpdateJobTrigger(UpdateJobTriggerRequest) returns (JobTrigger)

Updates a job trigger. See https://cloud.google.com/dlp/docs/creating-job-triggers to learn more.

Authorization Scopes

Requires the following OAuth scope:

  • https://www.googleapis.com/auth/cloud-platform

For more information, see the Authentication Overview.

UpdateStoredInfoType

rpc UpdateStoredInfoType(UpdateStoredInfoTypeRequest) returns (StoredInfoType)

Updates the stored infoType by creating a new version. The existing version will continue to be used until the new version is ready. See https://cloud.google.com/dlp/docs/creating-stored-infotypes to learn more.

Authorization Scopes

Requires the following OAuth scope:

  • https://www.googleapis.com/auth/cloud-platform

For more information, see the Authentication Overview.

Action

A task to execute on the completion of a job. See https://cloud.google.com/dlp/docs/concepts-actions to learn more.

Fields

Union field action.

action can be only one of the following:

save_findings

SaveFindings

Save resulting findings in a provided location.

pub_sub

PublishToPubSub

Publish a notification to a pubsub topic.

publish_summary_to_cscc

PublishSummaryToCscc

Publish summary to Cloud Security Command Center (Alpha).

publish_findings_to_cloud_data_catalog

PublishFindingsToCloudDataCatalog

Publish findings to Cloud Datahub.

job_notification_emails

JobNotificationEmails

Enable email notification to project owners and editors on job's completion/failure.

publish_to_stackdriver

PublishToStackdriver

Enable Stackdriver metric dlp.googleapis.com/finding_count.

JobNotificationEmails

Enable email notification to project owners and editors on jobs's completion/failure.

PublishFindingsToCloudDataCatalog

Publish findings of a DlpJob to Cloud Data Catalog. Labels summarizing the results of the DlpJob will be applied to the entry for the resource scanned in Cloud Data Catalog. Any labels previously written by another DlpJob will be deleted. InfoType naming patterns are strictly enforced when using this feature. Note that the findings will be persisted in Cloud Data Catalog storage and are governed by Data Catalog service-specific policy, see https://cloud.google.com/terms/service-terms Only a single instance of this action can be specified and only allowed if all resources being scanned are BigQuery tables. Compatible with: Inspect

PublishSummaryToCscc

Publish the result summary of a DlpJob to the Cloud Security Command Center (CSCC Alpha). This action is only available for projects which are parts of an organization and whitelisted for the alpha Cloud Security Command Center. The action will publish count of finding instances and their info types. The summary of findings will be persisted in CSCC and are governed by CSCC service-specific policy, see https://cloud.google.com/terms/service-terms Only a single instance of this action can be specified. Compatible with: Inspect

PublishToPubSub

Publish a message into given Pub/Sub topic when DlpJob has completed. The message contains a single field, DlpJobName, which is equal to the finished job's DlpJob.name. Compatible with: Inspect, Risk

Fields
topic

string

Cloud Pub/Sub topic to send notifications to. The topic must have given publishing access rights to the DLP API service account executing the long running DlpJob sending the notifications. Format is projects/{project}/topics/{topic}.

PublishToStackdriver

Enable Stackdriver metric dlp.googleapis.com/finding_count. This will publish a metric to stack driver on each infotype requested and how many findings were found for it. CustomDetectors will be bucketed as 'Custom' under the Stackdriver label 'info_type'.

SaveFindings

If set, the detailed findings will be persisted to the specified OutputStorageConfig. Only a single instance of this action can be specified. Compatible with: Inspect, Risk

Fields
output_config

OutputStorageConfig

ActivateJobTriggerRequest

Request message for ActivateJobTrigger.

Fields
name

string

Required. Resource name of the trigger to activate, for example projects/dlp-test-project/jobTriggers/53234423.

Authorization requires one or more of the following Google IAM permissions on the specified resource name:

  • dlp.jobTriggers.get
  • dlp.jobs.create

AnalyzeDataSourceRiskDetails

Result of a risk analysis operation request.

Fields
requested_privacy_metric

PrivacyMetric

Privacy metric to compute.

requested_source_table

BigQueryTable

Input dataset to compute metrics over.

Union field result. Values associated with this metric. result can be only one of the following:
numerical_stats_result

NumericalStatsResult

categorical_stats_result

CategoricalStatsResult

k_anonymity_result

KAnonymityResult

l_diversity_result

LDiversityResult

k_map_estimation_result

KMapEstimationResult

delta_presence_estimation_result

DeltaPresenceEstimationResult

CategoricalStatsResult

Result of the categorical stats computation.

Fields
value_frequency_histogram_buckets[]

CategoricalStatsHistogramBucket

Histogram of value frequencies in the column.

CategoricalStatsHistogramBucket

Fields
value_frequency_lower_bound

int64

Lower bound on the value frequency of the values in this bucket.

value_frequency_upper_bound

int64

Upper bound on the value frequency of the values in this bucket.

bucket_size

int64

Total number of values in this bucket.

bucket_values[]

ValueFrequency

Sample of value frequencies in this bucket. The total number of values returned per bucket is capped at 20.

bucket_value_count

int64

Total number of distinct values in this bucket.

DeltaPresenceEstimationResult

Result of the δ-presence computation. Note that these results are an estimation, not exact values.

Fields
delta_presence_estimation_histogram[]

DeltaPresenceEstimationHistogramBucket

The intervals [min_probability, max_probability) do not overlap. If a value doesn't correspond to any such interval, the associated frequency is zero. For example, the following records: {min_probability: 0, max_probability: 0.1, frequency: 17} {min_probability: 0.2, max_probability: 0.3, frequency: 42} {min_probability: 0.3, max_probability: 0.4, frequency: 99} mean that there are no record with an estimated probability in [0.1, 0.2) nor larger or equal to 0.4.

DeltaPresenceEstimationHistogramBucket

A DeltaPresenceEstimationHistogramBucket message with the following values: min_probability: 0.1 max_probability: 0.2 frequency: 42 means that there are 42 records for which δ is in [0.1, 0.2). An important particular case is when min_probability = max_probability = 1: then, every individual who shares this quasi-identifier combination is in the dataset.

Fields
min_probability

double

Between 0 and 1.

max_probability

double

Always greater than or equal to min_probability.

bucket_size

int64

Number of records within these probability bounds.

bucket_values[]

DeltaPresenceEstimationQuasiIdValues

Sample of quasi-identifier tuple values in this bucket. The total number of classes returned per bucket is capped at 20.

bucket_value_count

int64

Total number of distinct quasi-identifier tuple values in this bucket.

DeltaPresenceEstimationQuasiIdValues

A tuple of values for the quasi-identifier columns.

Fields
quasi_ids_values[]

Value

The quasi-identifier values.

estimated_probability

double

The estimated probability that a given individual sharing these quasi-identifier values is in the dataset. This value, typically called δ, is the ratio between the number of records in the dataset with these quasi-identifier values, and the total number of individuals (inside and outside the dataset) with these quasi-identifier values. For example, if there are 15 individuals in the dataset who share the same quasi-identifier values, and an estimated 100 people in the entire population with these values, then δ is 0.15.

KAnonymityResult

Result of the k-anonymity computation.

Fields
equivalence_class_histogram_buckets[]

KAnonymityHistogramBucket

Histogram of k-anonymity equivalence classes.

KAnonymityEquivalenceClass

The set of columns' values that share the same ldiversity value

Fields
quasi_ids_values[]

Value

Set of values defining the equivalence class. One value per quasi-identifier column in the original KAnonymity metric message. The order is always the same as the original request.

equivalence_class_size

int64

Size of the equivalence class, for example number of rows with the above set of values.

KAnonymityHistogramBucket

Fields
equivalence_class_size_lower_bound

int64

Lower bound on the size of the equivalence classes in this bucket.

equivalence_class_size_upper_bound

int64

Upper bound on the size of the equivalence classes in this bucket.

bucket_size

int64

Total number of equivalence classes in this bucket.

bucket_values[]

KAnonymityEquivalenceClass

Sample of equivalence classes in this bucket. The total number of classes returned per bucket is capped at 20.

bucket_value_count

int64

Total number of distinct equivalence classes in this bucket.

KMapEstimationResult

Result of the reidentifiability analysis. Note that these results are an estimation, not exact values.

Fields
k_map_estimation_histogram[]

KMapEstimationHistogramBucket

The intervals [min_anonymity, max_anonymity] do not overlap. If a value doesn't correspond to any such interval, the associated frequency is zero. For example, the following records: {min_anonymity: 1, max_anonymity: 1, frequency: 17} {min_anonymity: 2, max_anonymity: 3, frequency: 42} {min_anonymity: 5, max_anonymity: 10, frequency: 99} mean that there are no record with an estimated anonymity of 4, 5, or larger than 10.

KMapEstimationHistogramBucket

A KMapEstimationHistogramBucket message with the following values: min_anonymity: 3 max_anonymity: 5 frequency: 42 means that there are 42 records whose quasi-identifier values correspond to 3, 4 or 5 people in the overlying population. An important particular case is when min_anonymity = max_anonymity = 1: the frequency field then corresponds to the number of uniquely identifiable records.

Fields
min_anonymity

int64

Always positive.

max_anonymity

int64

Always greater than or equal to min_anonymity.

bucket_size

int64

Number of records within these anonymity bounds.

bucket_values[]

KMapEstimationQuasiIdValues

Sample of quasi-identifier tuple values in this bucket. The total number of classes returned per bucket is capped at 20.

bucket_value_count

int64

Total number of distinct quasi-identifier tuple values in this bucket.

KMapEstimationQuasiIdValues

A tuple of values for the quasi-identifier columns.

Fields
quasi_ids_values[]

Value

The quasi-identifier values.

estimated_anonymity

int64

The estimated anonymity for these quasi-identifier values.

LDiversityResult

Result of the l-diversity computation.

Fields
sensitive_value_frequency_histogram_buckets[]

LDiversityHistogramBucket

Histogram of l-diversity equivalence class sensitive value frequencies.

LDiversityEquivalenceClass

The set of columns' values that share the same ldiversity value.

Fields
quasi_ids_values[]

Value

Quasi-identifier values defining the k-anonymity equivalence class. The order is always the same as the original request.

equivalence_class_size

int64

Size of the k-anonymity equivalence class.

num_distinct_sensitive_values

int64

Number of distinct sensitive values in this equivalence class.

top_sensitive_values[]

ValueFrequency

Estimated frequencies of top sensitive values.

LDiversityHistogramBucket

Fields
sensitive_value_frequency_lower_bound

int64

Lower bound on the sensitive value frequencies of the equivalence classes in this bucket.

sensitive_value_frequency_upper_bound

int64

Upper bound on the sensitive value frequencies of the equivalence classes in this bucket.

bucket_size

int64

Total number of equivalence classes in this bucket.

bucket_values[]

LDiversityEquivalenceClass

Sample of equivalence classes in this bucket. The total number of classes returned per bucket is capped at 20.

bucket_value_count

int64

Total number of distinct equivalence classes in this bucket.

NumericalStatsResult

Result of the numerical stats computation.

Fields
min_value

Value

Minimum value appearing in the column.

max_value

Value

Maximum value appearing in the column.

quantile_values[]

Value

List of 99 values that partition the set of field values into 100 equal sized buckets.

BigQueryField

Message defining a field of a BigQuery table.

Fields
table

BigQueryTable

Source table of the field.

field

FieldId

Designated field in the BigQuery table.

BigQueryKey

Row key for identifying a record in BigQuery table.

Fields
table_reference

BigQueryTable

Complete BigQuery table reference.

row_number

int64

Absolute number of the row from the beginning of the table at the time of scanning.

BigQueryOptions

Options defining BigQuery table and row identifiers.

Fields
table_reference

BigQueryTable

Complete BigQuery table reference.

identifying_fields[]

FieldId

References to fields uniquely identifying rows within the table. Nested fields in the format, like person.birthdate.year, are allowed.

rows_limit

int64

Max number of rows to scan. If the table has more rows than this value, the rest of the rows are omitted. If not set, or if set to 0, all rows will be scanned. Only one of rows_limit and rows_limit_percent can be specified. Cannot be used in conjunction with TimespanConfig.

rows_limit_percent

int32

Max percentage of rows to scan. The rest are omitted. The number of rows scanned is rounded down. Must be between 0 and 100, inclusively. Both 0 and 100 means no limit. Defaults to 0. Only one of rows_limit and rows_limit_percent can be specified. Cannot be used in conjunction with TimespanConfig.

sample_method

SampleMethod

excluded_fields[]

FieldId

References to fields excluded from scanning. This allows you to skip inspection of entire columns which you know have no findings.

SampleMethod

How to sample rows if not all rows are scanned. Meaningful only when used in conjunction with either rows_limit or rows_limit_percent. If not specified, scanning would start from the top.

Enums
SAMPLE_METHOD_UNSPECIFIED
TOP Scan from the top (default).
RANDOM_START Randomly pick the row to start scanning. The scanned rows are contiguous.

BigQueryTable

Message defining the location of a BigQuery table. A table is uniquely identified by its project_id, dataset_id, and table_name. Within a query a table is often referenced with a string in the format of: <project_id>:<dataset_id>.<table_id> or <project_id>.<dataset_id>.<table_id>.

Fields
project_id

string

The Google Cloud Platform project ID of the project containing the table. If omitted, project ID is inferred from the API call.

dataset_id

string

Dataset ID of the table.

table_id

string

Name of the table.

BoundingBox

Bounding box encompassing detected text within an image.

Fields
top

int32

Top coordinate of the bounding box. (0,0) is upper left.

left

int32

Left coordinate of the bounding box. (0,0) is upper left.

width

int32

Width of the bounding box in pixels.

height

int32

Height of the bounding box in pixels.

BucketingConfig

Generalization function that buckets values based on ranges. The ranges and replacement values are dynamically provided by the user for custom behavior, such as 1-30 -> LOW 31-65 -> MEDIUM 66-100 -> HIGH This can be used on data of type: number, long, string, timestamp. If the bound Value type differs from the type of data being transformed, we will first attempt converting the type of the data to be transformed to match the type of the bound before comparing. See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more.

Fields
buckets[]

Bucket

Set of buckets. Ranges must be non-overlapping.

Bucket

Bucket is represented as a range, along with replacement values.

Fields
min

Value

Lower bound of the range, inclusive. Type should be the same as max if used.

max

Value

Upper bound of the range, exclusive; type must match min.

replacement_value

Value

Replacement value for this bucket. If not provided the default behavior will be to hyphenate the min-max range.

ByteContentItem

Container for bytes to inspect or redact.

Fields
type

BytesType

The type of data stored in the bytes string. Default will be TEXT_UTF8.

data

bytes

Content data to inspect or redact.

BytesType

Enums
BYTES_TYPE_UNSPECIFIED
IMAGE
IMAGE_JPEG
IMAGE_BMP
IMAGE_PNG
IMAGE_SVG
TEXT_UTF8
AVRO

CancelDlpJobRequest

The request message for canceling a DLP job.

Fields
name

string

Required. The name of the DlpJob resource to be cancelled.

Authorization requires the following Google IAM permission on the specified resource name:

  • dlp.jobs.cancel

CharacterMaskConfig

Partially mask a string by replacing a given number of characters with a fixed character. Masking can start from the beginning or end of the string. This can be used on data of any type (numbers, longs, and so on) and when de-identifying structured data we'll attempt to preserve the original data's type. (This allows you to take a long like 123 and modify it to a string like **3.

Fields
masking_character

string

Character to use to mask the sensitive values—for example, * for an alphabetic string such as a name, or 0 for a numeric string such as ZIP code or credit card number. This string must have a length of 1. If not supplied, this value defaults to * for strings, and 0 for digits.

number_to_mask

int32

Number of characters to mask. If not set, all matching chars will be masked. Skipped characters do not count towards this tally.

reverse_order

bool

Mask characters in reverse order. For example, if masking_character is 0, number_to_mask is 14, and reverse_order is false, then the input string 1234-5678-9012-3456 is masked as 00000000000000-3456. If masking_character is *, number_to_mask is 3, and reverse_order is true, then the string 12345 is masked as 12***.

characters_to_ignore[]

CharsToIgnore

When masking a string, items in this list will be skipped when replacing characters. For example, if the input string is 555-555-5555 and you instruct Cloud DLP to skip - and mask 5 characters with *, Cloud DLP returns ***-**5-5555.

CharsToIgnore

Characters to skip when doing deidentification of a value. These will be left alone and skipped.

Fields

Union field characters.

characters can be only one of the following:

characters_to_skip

string

common_characters_to_ignore

CommonCharsToIgnore

CommonCharsToIgnore

Enums
COMMON_CHARS_TO_IGNORE_UNSPECIFIED
NUMERIC 0-9
ALPHA_UPPER_CASE A-Z
ALPHA_LOWER_CASE a-z
PUNCTUATION US Punctuation, one of !"#$%&'()*+,-./:;<=>?@[]^_`{|}~
WHITESPACE Whitespace character, one of [ \t\n\x0B\f\r]

CloudStorageFileSet

Message representing a set of files in Cloud Storage.

Fields
url

string

The url, in the format gs://<bucket>/<path>. Trailing wildcard in the path is allowed.

CloudStorageOptions

Options defining a file or a set of files within a Google Cloud Storage bucket.

Fields
file_set

FileSet

The set of one or more files to scan.

bytes_limit_per_file

int64

Max number of bytes to scan from a file. If a scanned file's size is bigger than this value then the rest of the bytes are omitted. Only one of bytes_limit_per_file and bytes_limit_per_file_percent can be specified.

bytes_limit_per_file_percent

int32

Max percentage of bytes to scan from a file. The rest are omitted. The number of bytes scanned is rounded down. Must be between 0 and 100, inclusively. Both 0 and 100 means no limit. Defaults to 0. Only one of bytes_limit_per_file and bytes_limit_per_file_percent can be specified.

file_types[]

FileType

List of file type groups to include in the scan. If empty, all files are scanned and available data format processors are applied. In addition, the binary content of the selected files is always scanned as well.

sample_method

SampleMethod

files_limit_percent

int32

Limits the number of files to scan to this percentage of the input FileSet. Number of files scanned is rounded down. Must be between 0 and 100, inclusively. Both 0 and 100 means no limit. Defaults to 0.

FileSet

Set of files to scan.

Fields
url

string

The Cloud Storage url of the file(s) to scan, in the format gs://<bucket>/<path>. Trailing wildcard in the path is allowed.

If the url ends in a trailing slash, the bucket or directory represented by the url will be scanned non-recursively (content in sub-directories will not be scanned). This means that gs://mybucket/ is equivalent to gs://mybucket/*, and gs://mybucket/directory/ is equivalent to gs://mybucket/directory/*.

Exactly one of url or regex_file_set must be set.

regex_file_set

CloudStorageRegexFileSet

The regex-filtered set of files to scan. Exactly one of url or regex_file_set must be set.

SampleMethod

How to sample bytes if not all bytes are scanned. Meaningful only when used in conjunction with bytes_limit_per_file. If not specified, scanning would start from the top.

Enums
SAMPLE_METHOD_UNSPECIFIED
TOP Scan from the top (default).
RANDOM_START For each file larger than bytes_limit_per_file, randomly pick the offset to start scanning. The scanned bytes are contiguous.

CloudStoragePath

Message representing a single file or path in Cloud Storage.

Fields
path

string

A url representing a file or path (no wildcards) in Cloud Storage. Example: gs://[BUCKET_NAME]/dictionary.txt

CloudStorageRegexFileSet

Message representing a set of files in a Cloud Storage bucket. Regular expressions are used to allow fine-grained control over which files in the bucket to include.

Included files are those that match at least one item in include_regex and do not match any items in exclude_regex. Note that a file that matches items from both lists will not be included. For a match to occur, the entire file path (i.e., everything in the url after the bucket name) must match the regular expression.

For example, given the input {bucket_name: "mybucket", include_regex: ["directory1/.*"], exclude_regex: ["directory1/excluded.*"]}:

  • gs://mybucket/directory1/myfile will be included
  • gs://mybucket/directory1/directory2/myfile will be included (.* matches across /)
  • gs://mybucket/directory0/directory1/myfile will not be included (the full path doesn't match any items in include_regex)
  • gs://mybucket/directory1/excludedfile will not be included (the path matches an item in exclude_regex)

If include_regex is left empty, it will match all files by default (this is equivalent to setting include_regex: [".*"]).

Some other common use cases:

  • {bucket_name: "mybucket", exclude_regex: [".*\.pdf"]} will include all files in mybucket except for .pdf files
  • {bucket_name: "mybucket", include_regex: ["directory/[^/]+"]} will include all files directly under gs://mybucket/directory/, without matching across /
Fields
bucket_name

string

The name of a Cloud Storage bucket. Required.

include_regex[]

string

A list of regular expressions matching file paths to include. All files in the bucket that match at least one of these regular expressions will be included in the set of files, except for those that also match an item in exclude_regex. Leaving this field empty will match all files by default (this is equivalent to including .* in the list).

Regular expressions use RE2 syntax; a guide can be found under the google/re2 repository on GitHub.

exclude_regex[]

string

A list of regular expressions matching file paths to exclude. All files in the bucket that match at least one of these regular expressions will be excluded from the scan.

Regular expressions use RE2 syntax; a guide can be found under the google/re2 repository on GitHub.

Color

Represents a color in the RGB color space.

Fields
red

float

The amount of red in the color as a value in the interval [0, 1].

green

float

The amount of green in the color as a value in the interval [0, 1].

blue

float

The amount of blue in the color as a value in the interval [0, 1].

ContentItem

Container structure for the content to inspect.

Fields
Union field data_item. Data of the item either in the byte array or UTF-8 string form, or table. data_item can be only one of the following:
value

string

String data to inspect or redact.

table

Table

Structured content for inspection. See https://cloud.google.com/dlp/docs/inspecting-text#inspecting_a_table to learn more.

byte_item

ByteContentItem

Content data to inspect or redact. Replaces type and data.

ContentLocation

Findings container location data.

Fields
container_name

string

Name of the container where the finding is located. The top level name is the source file name or table name. Names of some common storage containers are formatted as follows:

  • BigQuery tables: <project_id>:<dataset_id>.<table_id>
  • Cloud Storage files: gs://<bucket>/<path>
  • Datastore namespace:

Nested names could be absent if the embedded object has no string identifier (for an example an image contained within a document).

container_timestamp

Timestamp

Findings container modification timestamp, if applicable. For Google Cloud Storage contains last file modification timestamp. For BigQuery table contains last_modified_time property. For Datastore - not populated.

container_version

string

Findings container version, if available ("generation" for Google Cloud Storage).

Union field location. Type of the container within the file with location of the finding. location can be only one of the following:
record_location

RecordLocation

Location within a row or record of a database table.

image_location

ImageLocation

Location within an image's pixels.

document_location

DocumentLocation

Location data for document files.

ContentOption

Options describing which parts of the provided content should be scanned.

Enums
CONTENT_UNSPECIFIED Includes entire content of a file or a data stream.
CONTENT_TEXT Text content within the data, excluding any metadata.
CONTENT_IMAGE Images found in the data.

CreateDeidentifyTemplateRequest

Request message for CreateDeidentifyTemplate.

Fields
parent

string

Required. The parent resource name, for example projects/my-project-id or organizations/my-org-id.

Authorization requires the following Google IAM permission on the specified resource parent:

  • dlp.deidentifyTemplates.create

deidentify_template

DeidentifyTemplate

The DeidentifyTemplate to create.

template_id

string

The template id can contain uppercase and lowercase letters, numbers, and hyphens; that is, it must match the regular expression: [a-zA-Z\\d-_]+. The maximum length is 100 characters. Can be empty to allow the system to generate one.

location_id

string

The geographic location to store the deidentification template. Reserved for future extensions.

CreateDlpJobRequest

Request message for CreateDlpJobRequest. Used to initiate long running jobs such as calculating risk metrics or inspecting Google Cloud Storage.

Fields
parent

string

Required. The parent resource name, for example projects/my-project-id.

Authorization requires the following Google IAM permission on the specified resource parent:

  • dlp.jobs.create

job_id

string

The job id can contain uppercase and lowercase letters, numbers, and hyphens; that is, it must match the regular expression: [a-zA-Z\\d-_]+. The maximum length is 100 characters. Can be empty to allow the system to generate one.

location_id

string

The geographic location to store and process the job. Reserved for future extensions.

Union field job. The configuration details for the specific type of job to run. job can be only one of the following:
inspect_job

InspectJobConfig

risk_job

RiskAnalysisJobConfig

CreateInspectTemplateRequest

Request message for CreateInspectTemplate.

Fields
parent

string

Required. The parent resource name, for example projects/my-project-id or organizations/my-org-id.

Authorization requires the following Google IAM permission on the specified resource parent:

  • dlp.inspectTemplates.create

inspect_template

InspectTemplate

The InspectTemplate to create.

template_id

string

The template id can contain uppercase and lowercase letters, numbers, and hyphens; that is, it must match the regular expression: [a-zA-Z\\d-_]+. The maximum length is 100 characters. Can be empty to allow the system to generate one.

location_id

string

The geographic location to store the inspection template. Reserved for future extensions.

CreateJobTriggerRequest

Request message for CreateJobTrigger.

Fields
parent

string

Required. The parent resource name, for example projects/my-project-id.

Authorization requires one or more of the following Google IAM permissions on the specified resource parent:

  • dlp.jobTriggers.create
  • dlp.jobs.create

job_trigger

JobTrigger

The JobTrigger to create.

trigger_id

string

The trigger id can contain uppercase and lowercase letters, numbers, and hyphens; that is, it must match the regular expression: [a-zA-Z\\d-_]+. The maximum length is 100 characters. Can be empty to allow the system to generate one.

location_id

string

The geographic location to store the job trigger. Reserved for future extensions.

CreateStoredInfoTypeRequest

Request message for CreateStoredInfoType.

Fields
parent

string

Required. The parent resource name, for example projects/my-project-id or organizations/my-org-id.

Authorization requires the following Google IAM permission on the specified resource parent:

  • dlp.storedInfoType.create

config

StoredInfoTypeConfig

Configuration of the storedInfoType to create.

stored_info_type_id

string

The storedInfoType ID can contain uppercase and lowercase letters, numbers, and hyphens; that is, it must match the regular expression: [a-zA-Z\\d-_]+. The maximum length is 100 characters. Can be empty to allow the system to generate one.

location_id

string

The geographic location to store the stored infoType. Reserved for future extensions.

CryptoDeterministicConfig

Pseudonymization method that generates deterministic encryption for the given input. Outputs a base64 encoded representation of the encrypted output. Uses AES-SIV based on the RFC https://tools.ietf.org/html/rfc5297.

Fields
crypto_key

CryptoKey

The key used by the encryption function.

surrogate_info_type

InfoType

The custom info type to annotate the surrogate with. This annotation will be applied to the surrogate by prefixing it with the name of the custom info type followed by the number of characters comprising the surrogate. The following scheme defines the format: ():

For example, if the name of custom info type is 'MY_TOKEN_INFO_TYPE' and the surrogate is 'abc', the full replacement value will be: 'MY_TOKEN_INFO_TYPE(3):abc'

This annotation identifies the surrogate when inspecting content using the custom info type 'Surrogate'. This facilitates reversal of the surrogate when it occurs in free text.

Note: For record transformations where the entire cell in a table is being transformed, surrogates are optional to use. Surrogates are used to denote the location of the token and are necessary for re-identification in free form text.

In order for inspection to work properly, the name of this info type must not occur naturally anywhere in your data; otherwise, inspection may either

  • reverse a surrogate that does not correspond to an actual identifier
  • be unable to parse the surrogate and result in an error

Therefore, choose your custom info type name carefully after considering what your data looks like. One way to select a name that has a high chance of yielding reliable detection is to include one or more unicode characters that are highly improbable to exist in your data. For example, assuming your data is entered from a regular ASCII keyboard, the symbol with the hex code point 29DD might be used like so: ⧝MY_TOKEN_TYPE.

context

FieldId

Optional. A context may be used for higher security and maintaining referential integrity such that the same identifier in two different contexts will be given a distinct surrogate. The context is appended to plaintext value being encrypted. On decryption the provided context is validated against the value used during encryption. If a context was provided during encryption, same context must be provided during decryption as well.

If the context is not set, plaintext would be used as is for encryption. If the context is set but:

  1. there is no record present when transforming a given value or
  2. the field is not present when transforming a given value,

plaintext would be used as is for encryption.

Note that case (1) is expected when an InfoTypeTransformation is applied to both structured and non-structured ContentItems.

CryptoHashConfig

Pseudonymization method that generates surrogates via cryptographic hashing. Uses SHA-256. The key size must be either 32 or 64 bytes. Outputs a base64 encoded representation of the hashed output (for example, L7k0BHmF1ha5U3NfGykjro4xWi1MPVQPjhMAZbSV9mM=). Currently, only string and integer values can be hashed. See https://cloud.google.com/dlp/docs/pseudonymization to learn more.

Fields
crypto_key

CryptoKey

The key used by the hash function.

CryptoKey

This is a data encryption key (DEK) (as opposed to a key encryption key (KEK) stored by KMS). When using KMS to wrap/unwrap DEKs, be sure to set an appropriate IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot unwrap the data crypto key.

Fields

Union field source.

source can be only one of the following:

transient

TransientCryptoKey

unwrapped

UnwrappedCryptoKey

kms_wrapped

KmsWrappedCryptoKey

CryptoReplaceFfxFpeConfig

Replaces an identifier with a surrogate using Format Preserving Encryption (FPE) with the FFX mode of operation; however when used in the ReidentifyContent API method, it serves the opposite function by reversing the surrogate back into the original identifier. The identifier must be encoded as ASCII. For a given crypto key and context, the same identifier will be replaced with the same surrogate. Identifiers must be at least two characters long. In the case that the identifier is the empty string, it will be skipped. See https://cloud.google.com/dlp/docs/pseudonymization to learn more.

Note: We recommend using CryptoDeterministicConfig for all use cases which do not require preserving the input alphabet space and size, plus warrant referential integrity.

Fields
crypto_key

CryptoKey

The key used by the encryption algorithm. [required]

context

FieldId

The 'tweak', a context may be used for higher security since the same identifier in two different contexts won't be given the same surrogate. If the context is not set, a default tweak will be used.

If the context is set but:

  1. there is no record present when transforming a given value or
  2. the field is not present when transforming a given value,

a default tweak will be used.

Note that case (1) is expected when an InfoTypeTransformation is applied to both structured and non-structured ContentItems. Currently, the referenced field may be of value type integer or string.

The tweak is constructed as a sequence of bytes in big endian byte order such that:

  • a 64 bit integer is encoded followed by a single byte of value 1
  • a string is encoded in UTF-8 format followed by a single byte of value 2

surrogate_info_type

InfoType

The custom infoType to annotate the surrogate with. This annotation will be applied to the surrogate by prefixing it with the name of the custom infoType followed by the number of characters comprising the surrogate. The following scheme defines the format: info_type_name(surrogate_character_count):surrogate

For example, if the name of custom infoType is 'MY_TOKEN_INFO_TYPE' and the surrogate is 'abc', the full replacement value will be: 'MY_TOKEN_INFO_TYPE(3):abc'

This annotation identifies the surrogate when inspecting content using the custom infoType SurrogateType. This facilitates reversal of the surrogate when it occurs in free text.

In order for inspection to work properly, the name of this infoType must not occur naturally anywhere in your data; otherwise, inspection may find a surrogate that does not correspond to an actual identifier. Therefore, choose your custom infoType name carefully after considering what your data looks like. One way to select a name that has a high chance of yielding reliable detection is to include one or more unicode characters that are highly improbable to exist in your data. For example, assuming your data is entered from a regular ASCII keyboard, the symbol with the hex code point 29DD might be used like so: ⧝MY_TOKEN_TYPE

Union field alphabet.

alphabet can be only one of the following:

common_alphabet

FfxCommonNativeAlphabet

custom_alphabet

string

This is supported by mapping these to the alphanumeric characters that the FFX mode natively supports. This happens before/after encryption/decryption. Each character listed must appear only once. Number of characters must be in the range [2, 95]. This must be encoded as ASCII. The order of characters does not matter.

radix

int32

The native way to select the alphabet. Must be in the range [2, 95].

FfxCommonNativeAlphabet

These are commonly used subsets of the alphabet that the FFX mode natively supports. In the algorithm, the alphabet is selected using the "radix". Therefore each corresponds to particular radix.

Enums
FFX_COMMON_NATIVE_ALPHABET_UNSPECIFIED
NUMERIC [0-9] (radix of 10)
HEXADECIMAL [0-9A-F] (radix of 16)
UPPER_CASE_ALPHA_NUMERIC [0-9A-Z] (radix of 36)
ALPHA_NUMERIC [0-9A-Za-z] (radix of 62)

CustomInfoType

Custom information type provided by the user. Used to find domain-specific sensitive information configurable to the data in question.

Fields
info_type

InfoType

CustomInfoType can either be a new infoType, or an extension of built-in infoType, when the name matches one of existing infoTypes and that infoType is specified in InspectContent.info_types field. Specifying the latter adds findings to the one detected by the system. If built-in info type is not specified in InspectContent.info_types list then the name is treated as a custom info type.

likelihood

Likelihood

Likelihood to return for this CustomInfoType. This base value can be altered by a detection rule if the finding meets the criteria specified by the rule. Defaults to VERY_LIKELY if not specified.

detection_rules[]

DetectionRule

Set of detection rules to apply to all findings of this CustomInfoType. Rules are applied in order that they are specified. Not supported for the surrogate_type CustomInfoType.

exclusion_type

ExclusionType

If set to EXCLUSION_TYPE_EXCLUDE this infoType will not cause a finding to be returned. It still can be used for rules matching.

Union field type.

type can be only one of the following:

dictionary

Dictionary

A list of phrases to detect as a CustomInfoType.

regex

Regex

Regular expression based CustomInfoType.

surrogate_type

SurrogateType

Message for detecting output from deidentification transformations that support reversing.

stored_type

StoredType

Load an existing StoredInfoType resource for use in InspectDataSource. Not currently supported in InspectContent.

DetectionRule

Deprecated; use InspectionRuleSet instead. Rule for modifying a CustomInfoType to alter behavior under certain circumstances, depending on the specific details of the rule. Not supported for the surrogate_type custom infoType.

Fields
hotword_rule

HotwordRule

Hotword-based detection rule.

HotwordRule

The rule that adjusts the likelihood of findings within a certain proximity of hotwords.

Fields
hotword_regex

Regex

Regular expression pattern defining what qualifies as a hotword.

proximity

Proximity

Proximity of the finding within which the entire hotword must reside. The total length of the window cannot exceed 1000 characters. Note that the finding itself will be included in the window, so that hotwords may be used to match substrings of the finding itself. For example, the certainty of a phone number regex "(\d{3}) \d{3}-\d{4}" could be adjusted upwards if the area code is known to be the local area code of a company office using the hotword regex "(xxx)", where "xxx" is the area code in question.

likelihood_adjustment

LikelihoodAdjustment

Likelihood adjustment to apply to all matching findings.

LikelihoodAdjustment

Message for specifying an adjustment to the likelihood of a finding as part of a detection rule.

Fields

Union field adjustment.

adjustment can be only one of the following:

fixed_likelihood

Likelihood

Set the likelihood of a finding to a fixed value.

relative_likelihood

int32

Increase or decrease the likelihood by the specified number of levels. For example, if a finding would be POSSIBLE without the detection rule and relative_likelihood is 1, then it is upgraded to LIKELY, while a value of -1 would downgrade it to UNLIKELY. Likelihood may never drop below VERY_UNLIKELY or exceed VERY_LIKELY, so applying an adjustment of 1 followed by an adjustment of -1 when base likelihood is VERY_LIKELY will result in a final likelihood of LIKELY.

Proximity

Message for specifying a window around a finding to apply a detection rule.

Fields
window_before

int32

Number of characters before the finding to consider.

window_after

int32

Number of characters after the finding to consider.

Dictionary

Custom information type based on a dictionary of words or phrases. This can be used to match sensitive information specific to the data, such as a list of employee IDs or job titles.

Dictionary words are case-insensitive and all characters other than letters and digits in the unicode Basic Multilingual Plane will be replaced with whitespace when scanning for matches, so the dictionary phrase "Sam Johnson" will match all three phrases "sam johnson", "Sam, Johnson", and "Sam (Johnson)". Additionally, the characters surrounding any match must be of a different type than the adjacent characters within the word, so letters must be next to non-letters and digits next to non-digits. For example, the dictionary word "jen" will match the first three letters of the text "jen123" but will return no matches for "jennifer".

Dictionary words containing a large number of characters that are not letters or digits may result in unexpected findings because such characters are treated as whitespace. The limits page contains details about the size limits of dictionaries. For dictionaries that do not fit within these constraints, consider using LargeCustomDictionaryConfig in the StoredInfoType API.

Fields

Union field source.

source can be only one of the following:

word_list

WordList

List of words or phrases to search for.

cloud_storage_path

CloudStoragePath

Newline-delimited file of words in Cloud Storage. Only a single file is accepted.

WordList

Message defining a list of words or phrases to search for in the data.

Fields
words[]

string

Words or phrases defining the dictionary. The dictionary must contain at least one phrase and every phrase must contain at least 2 characters that are letters or digits. [required]

ExclusionType

Enums
EXCLUSION_TYPE_UNSPECIFIED A finding of this custom info type will not be excluded from results.
EXCLUSION_TYPE_EXCLUDE A finding of this custom info type will be excluded from final results, but can still affect rule execution.

Regex

Message defining a custom regular expression.

Fields
pattern

string

Pattern defining the regular expression. Its syntax (https://github.com/google/re2/wiki/Syntax) can be found under the google/re2 repository on GitHub.

group_indexes[]

int32

The index of the submatch to extract as findings. When not specified, the entire match is returned. No more than 3 may be included.

SurrogateType

Message for detecting output from deidentification transformations such as CryptoReplaceFfxFpeConfig. These types of transformations are those that perform pseudonymization, thereby producing a "surrogate" as output. This should be used in conjunction with a field on the transformation such as surrogate_info_type. This CustomInfoType does not support the use of detection_rules.

DatastoreKey

Record key for a finding in Cloud Datastore.

Fields
entity_key

Key

Datastore entity key.

DatastoreOptions

Options defining a data set within Google Cloud Datastore.

Fields
partition_id

PartitionId

A partition ID identifies a grouping of entities. The grouping is always by project and namespace, however the namespace ID may be empty.

kind

KindExpression

The kind to process.

DateShiftConfig

Shifts dates by random number of days, with option to be consistent for the same context. See https://cloud.google.com/dlp/docs/concepts-date-shifting to learn more.

Fields
upper_bound_days

int32

Range of shift in days. Actual shift will be selected at random within this range (inclusive ends). Negative means shift to earlier in time. Must not be more than 365250 days (1000 years) each direction.

For example, 3 means shift date to at most 3 days into the future. [Required]

lower_bound_days

int32

For example, -5 means shift date to at most 5 days back in the past. [Required]

context

FieldId

Points to the field that contains the context, for example, an entity id. If set, must also set cryptoKey. If set, shift will be consistent for the given context.

crypto_key

CryptoKey

Causes the shift to be computed based on this key and the context. This results in the same shift for the same context and crypto_key. If set, must also set context. Can only be applied to table items.

DateTime

Message for a date time object. e.g. 2018-01-01, 5th August.

Fields
date

Date

One or more of the following must be set. All fields are optional, but when set must be valid date or time values.

day_of_week

DayOfWeek

time

TimeOfDay

time_zone

TimeZone

TimeZone

Fields
offset_minutes

int32

Set only if the offset can be determined. Positive for time ahead of UTC. E.g. For "UTC-9", this value is -540.

DeidentifyConfig

The configuration that controls how the data will change.

Fields

Union field transformation.

transformation can be only one of the following:

info_type_transformations

InfoTypeTransformations

Treat the dataset as free-form text and apply the same free text transformation everywhere.

record_transformations

RecordTransformations

Treat the dataset as structured. Transformations can be applied to specific locations within structured datasets, such as transforming a column within a table.

DeidentifyContentRequest

Request to de-identify a list of items.

Fields
parent

string

The parent resource name, for example projects/my-project-id.

Authorization requires the following Google IAM permission on the specified resource parent:

  • serviceusage.services.use

deidentify_config

DeidentifyConfig

Configuration for the de-identification of the content item. Items specified here will override the template referenced by the deidentify_template_name argument.

inspect_config

InspectConfig

Configuration for the inspector. Items specified here will override the template referenced by the inspect_template_name argument.

item

ContentItem

The item to de-identify. Will be treated as text.

inspect_template_name

string

Optional template to use. Any configuration directly specified in inspect_config will override those set in the template. Singular fields that are set in this request will replace their corresponding fields in the template. Repeated fields are appended. Singular sub-messages and groups are recursively merged.

deidentify_template_name

string

Optional template to use. Any configuration directly specified in deidentify_config will override those set in the template. Singular fields that are set in this request will replace their corresponding fields in the template. Repeated fields are appended. Singular sub-messages and groups are recursively merged.

location_id

string

The geographic location to process de-identification. Reserved for future extensions.

DeidentifyContentResponse

Results of de-identifying a ContentItem.

Fields
item

ContentItem

The de-identified item.

overview

TransformationOverview

An overview of the changes that were made on the item.

DeidentifyTemplate

DeidentifyTemplates contains instructions on how to de-identify content. See https://cloud.google.com/dlp/docs/concepts-templates to learn more.

Fields
name

string

The template name. Output only.

The template will have one of the following formats: projects/PROJECT_ID/deidentifyTemplates/TEMPLATE_ID OR organizations/ORGANIZATION_ID/deidentifyTemplates/TEMPLATE_ID

display_name

string

Display name (max 256 chars).

description

string

Short description (max 256 chars).

create_time

Timestamp

The creation timestamp of an inspectTemplate, output only field.

update_time

Timestamp

The last update timestamp of an inspectTemplate, output only field.

deidentify_config

DeidentifyConfig

///////////// // The core content of the template // ///////////////

DeleteDeidentifyTemplateRequest

Request message for DeleteDeidentifyTemplate.

Fields
name

string

Required. Resource name of the organization and deidentify template to be deleted, for example organizations/433245324/deidentifyTemplates/432452342 or projects/project-id/deidentifyTemplates/432452342.

Authorization requires the following Google IAM permission on the specified resource name:

  • dlp.deidentifyTemplates.delete

DeleteDlpJobRequest

The request message for deleting a DLP job.

Fields
name

string

Required. The name of the DlpJob resource to be deleted.

Authorization requires the following Google IAM permission on the specified resource name:

  • dlp.jobs.delete

DeleteInspectTemplateRequest

Request message for DeleteInspectTemplate.

Fields
name

string

Required. Resource name of the organization and inspectTemplate to be deleted, for example organizations/433245324/inspectTemplates/432452342 or projects/project-id/inspectTemplates/432452342.

Authorization requires the following Google IAM permission on the specified resource name:

  • dlp.inspectTemplates.delete

DeleteJobTriggerRequest

Request message for DeleteJobTrigger.

Fields
name

string

Required. Resource name of the project and the triggeredJob, for example projects/dlp-test-project/jobTriggers/53234423.

Authorization requires the following Google IAM permission on the specified resource name:

  • dlp.triggeredJobs.delete

DeleteStoredInfoTypeRequest

Request message for DeleteStoredInfoType.

Fields
name

string

Required. Resource name of the organization and storedInfoType to be deleted, for example organizations/433245324/storedInfoTypes/432452342 or projects/project-id/storedInfoTypes/432452342.

Authorization requires the following Google IAM permission on the specified resource name:

  • dlp.storedInfoTypes.delete

DlpJob

Combines all of the information about a DLP job.

Fields
name

string

The server-assigned name.

type

DlpJobType

The type of job.

state

JobState

State of a job.

create_time

Timestamp

Time when the job was created.

start_time

Timestamp

Time when the job started.

end_time

Timestamp

Time when the job finished.

job_trigger_name

string

If created by a job trigger, the resource name of the trigger that instantiated the job.

errors[]

Error

A stream of errors encountered running the job.

Union field details.

details can be only one of the following:

risk_details

AnalyzeDataSourceRiskDetails

Results from analyzing risk of a data source.

inspect_details

InspectDataSourceDetails

Results from inspecting a data source.

JobState

Enums
JOB_STATE_UNSPECIFIED
PENDING The job has not yet started.
RUNNING The job is currently running.
DONE The job is no longer running.
CANCELED The job was canceled before it could complete.
FAILED The job had an error and did not complete.

DlpJobType

An enum to represent the various type of DLP jobs.

Enums
DLP_JOB_TYPE_UNSPECIFIED
INSPECT_JOB The job inspected Google Cloud for sensitive data.
RISK_ANALYSIS_JOB The job executed a Risk Analysis computation.

DocumentLocation

Location of a finding within a document.

Fields
file_offset

int64

Offset of the line, from the beginning of the file, where the finding is located.

EntityId

An entity in a dataset is a field or set of fields that correspond to a single person. For example, in medical records the EntityId might be a patient identifier, or for financial records it might be an account identifier. This message is used when generalizations or analysis must take into account that multiple rows correspond to the same entity.

Fields
field

FieldId

Composite key indicating which field contains the entity identifier.

Error

Details information about an error encountered during job execution or the results of an unsuccessful activation of the JobTrigger. Output only field.

Fields
details

Status

timestamps[]

Timestamp

The times the error occurred.

ExcludeInfoTypes

List of exclude infoTypes.

Fields
info_types[]

InfoType

InfoType list in ExclusionRule rule drops a finding when it overlaps or contained within with a finding of an infoType from this list. For example, for InspectionRuleSet.info_types containing "PHONE_NUMBER"and exclusion_rulecontainingexclude_info_types.info_types` with "EMAIL_ADDRESS" the phone number findings are dropped if they overlap with EMAIL_ADDRESS finding. That leads to "555-222-2222@example.org" to generate only a single finding, namely email address.

ExclusionRule

The rule that specifies conditions when findings of infoTypes specified in InspectionRuleSet are removed from results.

Fields
matching_type

MatchingType

How the rule is applied, see MatchingType documentation for details.

Union field type.

type can be only one of the following:

dictionary

Dictionary

Dictionary which defines the rule.

regex

Regex

Regular expression which defines the rule.

exclude_info_types

ExcludeInfoTypes

Set of infoTypes for which findings would affect this rule.

FieldId

General identifier of a data field in a storage service.

Fields
name

string

Name describing the field.

FieldTransformation

The transformation to apply to the field.

Fields
fields[]

FieldId

Input field(s) to apply the transformation to. [required]

condition

RecordCondition

Only apply the transformation if the condition evaluates to true for the given RecordCondition. The conditions are allowed to reference fields that are not used in the actual transformation. [optional]

Example Use Cases:

  • Apply a different bucket transformation to an age column if the zip code column for the same record is within a specific range.
  • Redact a field if the date of birth field is greater than 85.

Union field transformation. Transformation to apply. [required] transformation can be only one of the following:
primitive_transformation

PrimitiveTransformation

Apply the transformation to the entire field.

info_type_transformations

InfoTypeTransformations

Treat the contents of the field as free text, and selectively transform content that matches an InfoType.

FileType

Definitions of file type groups to scan.

Enums
FILE_TYPE_UNSPECIFIED Includes all files.
BINARY_FILE Includes all file extensions not covered by text file types.
TEXT_FILE Included file extensions: asc, brf, c, cc, cpp, csv, cxx, c++, cs, css, dart, eml, go, h, hh, hpp, hxx, h++, hs, html, htm, shtml, shtm, xhtml, lhs, ini, java, js, json, ocaml, md, mkd, markdown, m, ml, mli, pl, pm, php, phtml, pht, py, pyw, rb, rbw, rs, rc, scala, sh, sql, tex, txt, text, tsv, vcard, vcs, wml, xml, xsl, xsd, yml, yaml.
IMAGE Included file extensions: bmp, gif, jpg, jpeg, jpe, png. bytes_limit_per_file has no effect on image files.
AVRO Included file extensions: avro

Finding

Represents a piece of potentially sensitive content.

Fields
quote

string

The content that was found. Even if the content is not textual, it may be converted to a textual representation here. Provided if include_quote is true and the finding is less than or equal to 4096 bytes long. If the finding exceeds 4096 bytes in length, the quote may be omitted.

info_type

InfoType

The type of content that might have been found. Provided if excluded_types is false.

likelihood

Likelihood

Confidence of how likely it is that the info_type is correct.

location

Location

Where the content was found.

create_time

Timestamp

Timestamp when finding was detected.

quote_info

QuoteInfo

Contains data parsed from quotes. Only populated if include_quote was set to true and a supported infoType was requested. Currently supported infoTypes: DATE, DATE_OF_BIRTH and TIME.

FixedSizeBucketingConfig

Buckets values based on fixed size ranges. The Bucketing transformation can provide all of this functionality, but requires more configuration. This message is provided as a convenience to the user for simple bucketing strategies.

The transformed value will be a hyphenated string of -, i.e if lower_bound = 10 and upper_bound = 20 all values that are within this bucket will be replaced with "10-20".

This can be used on data of type: double, long.

If the bound Value type differs from the type of data being transformed, we will first attempt converting the type of the data to be transformed to match the type of the bound before comparing.

See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more.

Fields
lower_bound

Value

Lower bound value of buckets. All values less than lower_bound are grouped together into a single bucket; for example if lower_bound = 10, then all values less than 10 are replaced with the value “-10”. [Required].

upper_bound

Value

Upper bound value of buckets. All values greater than upper_bound are grouped together into a single bucket; for example if upper_bound = 89, then all values greater than 89 are replaced with the value “89+”. [Required].

bucket_size

double

Size of each bucket (except for minimum and maximum buckets). So if lower_bound = 10, upper_bound = 89, and bucket_size = 10, then the following buckets would be used: -10, 10-20, 20-30, 30-40, 40-50, 50-60, 60-70, 70-80, 80-89, 89+. Precision up to 2 decimals works. [Required].

GetDeidentifyTemplateRequest

Request message for GetDeidentifyTemplate.

Fields
name

string

Required. Resource name of the organization and deidentify template to be read, for example organizations/433245324/deidentifyTemplates/432452342 or projects/project-id/deidentifyTemplates/432452342.

Authorization requires the following Google IAM permission on the specified resource name:

  • dlp.deidentifyTemplates.get

GetDlpJobRequest

The request message for [DlpJobs.GetDlpJob][].

Fields
name

string

Required. The name of the DlpJob resource.

Authorization requires the following Google IAM permission on the specified resource name:

  • dlp.jobs.get

GetInspectTemplateRequest

Request message for GetInspectTemplate.

Fields
name

string

Required. Resource name of the organization and inspectTemplate to be read, for example organizations/433245324/inspectTemplates/432452342 or projects/project-id/inspectTemplates/432452342.

Authorization requires the following Google IAM permission on the specified resource name:

  • dlp.inspectTemplates.get

GetJobTriggerRequest

Request message for GetJobTrigger.

Fields
name

string

Required. Resource name of the project and the triggeredJob, for example projects/dlp-test-project/jobTriggers/53234423.

Authorization requires the following Google IAM permission on the specified resource name:

  • dlp.jobTriggers.get

GetStoredInfoTypeRequest

Request message for GetStoredInfoType.

Fields
name

string

Required. Resource name of the organization and storedInfoType to be read, for example organizations/433245324/storedInfoTypes/432452342 or projects/project-id/storedInfoTypes/432452342.

Authorization requires the following Google IAM permission on the specified resource name:

  • dlp.storedInfoTypes.get

ImageLocation

Location of the finding within an image.

Fields
bounding_boxes[]

BoundingBox

Bounding boxes locating the pixels within the image containing the finding.

InfoType

Type of information detected by the API.

Fields
name

string

Name of the information type. Either a name of your choosing when creating a CustomInfoType, or one of the names listed at https://cloud.google.com/dlp/docs/infotypes-reference when specifying a built-in type. InfoType names should conform to the pattern [a-zA-Z0-9_]{1,64}.

InfoTypeDescription

InfoType description.

Fields
name

string

Internal name of the infoType.

display_name

string

Human readable form of the infoType name.

supported_by[]

InfoTypeSupportedBy

Which parts of the API supports this InfoType.

description

string

Description of the infotype. Translated when language is provided in the request.

InfoTypeStats

Statistics regarding a specific InfoType.

Fields
info_type

InfoType

The type of finding this stat is for.

count

int64

Number of findings for this infoType.

InfoTypeSupportedBy

Parts of the APIs which use certain infoTypes.

Enums
ENUM_TYPE_UNSPECIFIED
INSPECT Supported by the inspect operations.
RISK_ANALYSIS Supported by the risk analysis operations.

InfoTypeTransformations

A type of transformation that will scan unstructured text and apply various PrimitiveTransformations to each finding, where the transformation is applied to only values that were identified as a specific info_type.

Fields
transformations[]

InfoTypeTransformation

Transformation for each infoType. Cannot specify more than one for a given infoType. [required]

InfoTypeTransformation

A transformation to apply to text that is identified as a specific info_type.

Fields
info_types[]

InfoType

InfoTypes to apply the transformation to. An empty list will cause this transformation to apply to all findings that correspond to infoTypes that were requested in InspectConfig.

primitive_transformation

PrimitiveTransformation

Primitive transformation to apply to the infoType. [required]

InspectConfig

Configuration description of the scanning process. When used with redactContent only info_types and min_likelihood are currently used.

Fields
info_types[]

InfoType

Restricts what info_types to look for. The values must correspond to InfoType values returned by ListInfoTypes or listed at https://cloud.google.com/dlp/docs/infotypes-reference.

When no InfoTypes or CustomInfoTypes are specified in a request, the system may automatically choose what detectors to run. By default this may be all types, but may change over time as detectors are updated.

If you need precise control and predictability as to what detectors are run you should specify specific InfoTypes listed in the reference, otherwise a default list will be used, which may change over time.

min_likelihood

Likelihood

Only returns findings equal or above this threshold. The default is POSSIBLE. See https://cloud.google.com/dlp/docs/likelihood to learn more.

limits

FindingLimits

include_quote

bool

When true, a contextual quote from the data that triggered a finding is included in the response; see Finding.quote.

exclude_info_types

bool

When true, excludes type information of the findings.

custom_info_types[]

CustomInfoType

CustomInfoTypes provided by the user. See https://cloud.google.com/dlp/docs/creating-custom-infotypes to learn more.

content_options[]

ContentOption

List of options defining data content to scan. If empty, text, images, and other content will be included.

rule_set[]

InspectionRuleSet

Set of rules to apply to the findings for this InspectConfig. Exclusion rules, contained in the set are executed in the end, other rules are executed in the order they are specified for each info type.

FindingLimits

Fields
max_findings_per_item

int32

Max number of findings that will be returned for each item scanned. When set within InspectDataSourceRequest, the maximum returned is 2000 regardless if this is set higher. When set within InspectContentRequest, this field is ignored.

max_findings_per_request

int32

Max number of findings that will be returned per request/job. When set within InspectContentRequest, the maximum returned is 2000 regardless if this is set higher.

max_findings_per_info_type[]

InfoTypeLimit

Configuration of findings limit given for specified infoTypes.

InfoTypeLimit

Max findings configuration per infoType, per content item or long running DlpJob.

Fields
info_type

InfoType

Type of information the findings limit applies to. Only one limit per info_type should be provided. If InfoTypeLimit does not have an info_type, the DLP API applies the limit against all info_types that are found but not specified in another InfoTypeLimit.

max_findings

int32

Max findings limit for the given infoType.

InspectContentRequest

Request to search for potentially sensitive info in a ContentItem.

Fields
parent

string

The parent resource name, for example projects/my-project-id.

Authorization requires the following Google IAM permission on the specified resource parent:

  • serviceusage.services.use

inspect_config

InspectConfig

Configuration for the inspector. What specified here will override the template referenced by the inspect_template_name argument.

item

ContentItem

The item to inspect.

inspect_template_name

string

Optional template to use. Any configuration directly specified in inspect_config will override those set in the template. Singular fields that are set in this request will replace their corresponding fields in the template. Repeated fields are appended. Singular sub-messages and groups are recursively merged.

location_id

string

The geographic location to process content inspection. Reserved for future extensions.

InspectContentResponse

Results of inspecting an item.

Fields
result

InspectResult

The findings.

InspectDataSourceDetails

The results of an inspect DataSource job.

Fields
requested_options

RequestedOptions

The configuration used for this job.

result

Result

A summary of the outcome of this inspect job.

RequestedOptions

Fields
snapshot_inspect_template

InspectTemplate

If run with an InspectTemplate, a snapshot of its state at the time of this run.

job_config

InspectJobConfig

Result

All result fields mentioned below are updated while the job is processing.

Fields
processed_bytes

int64

Total size in bytes that were processed.

total_estimated_bytes

int64

Estimate of the number of bytes to process.

info_type_stats[]

InfoTypeStats

Statistics of how many instances of each info type were found during inspect job.

InspectJobConfig

Fields
storage_config

StorageConfig

The data to scan.

inspect_config

InspectConfig

How and what to scan for.

inspect_template_name

string

If provided, will be used as the default for all values in InspectConfig. inspect_config will be merged into the values persisted as part of the template.

actions[]

Action

Actions to execute at the completion of the job.

InspectResult

All the findings for a single scanned item.

Fields
findings[]

Finding

List of findings for an item.

findings_truncated

bool

If true, then this item might have more findings than were returned, and the findings returned are an arbitrary subset of all findings. The findings list might be truncated because the input items were too large, or because the server reached the maximum amount of resources allowed for a single API call. For best results, divide the input into smaller batches.

InspectTemplate

The inspectTemplate contains a configuration (set of types of sensitive data to be detected) to be used anywhere you otherwise would normally specify InspectConfig. See https://cloud.google.com/dlp/docs/concepts-templates to learn more.

Fields
name

string

The template name. Output only.

The template will have one of the following formats: projects/PROJECT_ID/inspectTemplates/TEMPLATE_ID OR organizations/ORGANIZATION_ID/inspectTemplates/TEMPLATE_ID

display_name

string

Display name (max 256 chars).

description

string

Short description (max 256 chars).

create_time

Timestamp

The creation timestamp of an inspectTemplate, output only field.

update_time

Timestamp

The last update timestamp of an inspectTemplate, output only field.

inspect_config

InspectConfig

The core content of the template. Configuration of the scanning process.

InspectionRule

A single inspection rule to be applied to infoTypes, specified in InspectionRuleSet.

Fields

Union field type.

type can be only one of the following:

hotword_rule

HotwordRule

Hotword-based detection rule.

exclusion_rule

ExclusionRule

Exclusion rule.

InspectionRuleSet

Rule set for modifying a set of infoTypes to alter behavior under certain circumstances, depending on the specific details of the rules within the set.

Fields
info_types[]

InfoType

List of infoTypes this rule set is applied to.

rules[]

InspectionRule

Set of rules to be applied to infoTypes. The rules are applied in order.

JobTrigger

Contains a configuration to make dlp api calls on a repeating basis. See https://cloud.google.com/dlp/docs/concepts-job-triggers to learn more.

Fields
name

string

Unique resource name for the triggeredJob, assigned by the service when the triggeredJob is created, for example projects/dlp-test-project/jobTriggers/53234423.

display_name

string

Display name (max 100 chars)

description

string

User provided description (max 256 chars)

triggers[]

Trigger

A list of triggers which will be OR'ed together. Only one in the list needs to trigger for a job to be started. The list may contain only a single Schedule trigger and must have at least one object.

errors[]

Error

A stream of errors encountered when the trigger was activated. Repeated errors may result in the JobTrigger automatically being paused. Will return the last 100 errors. Whenever the JobTrigger is modified this list will be cleared. Output only field.

create_time

Timestamp

The creation timestamp of a triggeredJob, output only field.

update_time

Timestamp

The last update timestamp of a triggeredJob, output only field.

last_run_time

Timestamp

The timestamp of the last time this trigger executed, output only field.

status

Status

A status for this trigger. [required]

inspect_job

InspectJobConfig

Status

Whether the trigger is currently active. If PAUSED or CANCELLED, no jobs will be created with this configuration. The service may automatically pause triggers experiencing frequent errors. To restart a job, set the status to HEALTHY after correcting user errors.

Enums
STATUS_UNSPECIFIED
HEALTHY Trigger is healthy.
PAUSED Trigger is temporarily paused.
CANCELLED Trigger is cancelled and can not be resumed.

Trigger

What event needs to occur for a new job to be started.

Fields
schedule

Schedule

Create a job on a repeating basis based on the elapse of time.

Key

A unique identifier for a Datastore entity. If a key's partition ID or any of its path kinds or names are reserved/read-only, the key is reserved/read-only. A reserved/read-only key is forbidden in certain documented contexts.

Fields
partition_id

PartitionId

Entities are partitioned into subsets, currently identified by a project ID and namespace ID. Queries are scoped to a single partition.

path[]

PathElement

The entity path. An entity path consists of one or more elements composed of a kind and a string or numerical identifier, which identify entities. The first element identifies a root entity, the second element identifies a child of the root entity, the third element identifies a child of the second entity, and so forth. The entities identified by all prefixes of the path are called the element's ancestors.

A path can never be empty, and a path can have at most 100 elements.

PathElement

A (kind, ID/name) pair used to construct a key path.

If either name or ID is set, the element is complete. If neither is set, the element is incomplete.

Fields
kind

string

The kind of the entity. A kind matching regex __.*__ is reserved/read-only. A kind must not contain more than 1500 bytes when UTF-8 encoded. Cannot be "".

Union field id_type. The type of ID. id_type can be only one of the following:
id

int64

The auto-allocated ID of the entity. Never equal to zero. Values less than zero are discouraged and may not be supported in the future.

name

string

The name of the entity. A name matching regex __.*__ is reserved/read-only. A name must not be more than 1500 bytes when UTF-8 encoded. Cannot be "".

KindExpression

A representation of a Datastore kind.

Fields
name

string

The name of the kind.

KmsWrappedCryptoKey

Include to use an existing data crypto key wrapped by KMS. The wrapped key must be a 128/192/256 bit key. Authorization requires the following IAM permissions when sending a request to perform a crypto transformation using a kms-wrapped crypto key: dlp.kms.encrypt

Fields
wrapped_key

bytes

The wrapped data crypto key. [required]

crypto_key_name

string

The resource name of the KMS CryptoKey to use for unwrapping. [required]

LargeCustomDictionaryConfig

Configuration for a custom dictionary created from a data source of any size up to the maximum size defined in the limits page. The artifacts of dictionary creation are stored in the specified Google Cloud Storage location. Consider using CustomInfoType.Dictionary for smaller dictionaries that satisfy the size requirements.

Fields
output_path

CloudStoragePath

Location to store dictionary artifacts in Google Cloud Storage. These files will only be accessible by project owners and the DLP API. If any of these artifacts are modified, the dictionary is considered invalid and can no longer be used.

Union field source.

source can be only one of the following:

cloud_storage_file_set

CloudStorageFileSet

Set of files containing newline-delimited lists of dictionary phrases.

big_query_field

BigQueryField

Field in a BigQuery table where each cell represents a dictionary phrase.

LargeCustomDictionaryStats

Summary statistics of a custom dictionary.

Fields
approx_num_phrases

int64

Approximate number of distinct phrases in the dictionary.

Likelihood

Categorization of results based on how likely they are to represent a match, based on the number of elements they contain which imply a match.

Enums
LIKELIHOOD_UNSPECIFIED Default value; same as POSSIBLE.
VERY_UNLIKELY Few matching elements.
UNLIKELY
POSSIBLE Some matching elements.
LIKELY
VERY_LIKELY Many matching elements.

ListDeidentifyTemplatesRequest

Request message for ListDeidentifyTemplates.

Fields
parent

string

Required. The parent resource name, for example projects/my-project-id or organizations/my-org-id.

Authorization requires the following Google IAM permission on the specified resource parent:

  • dlp.deidentifyTemplates.list

page_token

string

Optional page token to continue retrieval. Comes from previous call to ListDeidentifyTemplates.

page_size

int32

Optional size of the page, can be limited by server. If zero server returns a page of max size 100.

order_by

string

Optional comma separated list of fields to order by, followed by asc or desc postfix. This list is case-insensitive, default sorting order is ascending, redundant space characters are insignificant.

Example: name asc,update_time, create_time desc

Supported fields are:

  • create_time: corresponds to time the template was created.
  • update_time: corresponds to time the template was last updated.
  • name: corresponds to template's name.
  • display_name: corresponds to template's display name.

location_id

string

The geographic location where deidentifications templates will be retrieved from. Use - for all locations. Reserved for future extensions.

ListDeidentifyTemplatesResponse

Response message for ListDeidentifyTemplates.

Fields
deidentify_templates[]

DeidentifyTemplate

List of deidentify templates, up to page_size in ListDeidentifyTemplatesRequest.

next_page_token

string

If the next page is available then the next page token to be used in following ListDeidentifyTemplates request.

ListDlpJobsRequest

The request message for listing DLP jobs.

Fields
parent

string

Required. The parent resource name, for example projects/my-project-id.

Authorization requires the following Google IAM permission on the specified resource parent:

  • dlp.jobs.list

filter

string

Optional. Allows filtering.

Supported syntax:

  • Filter expressions are made up of one or more restrictions.
  • Restrictions can be combined by AND or OR logical operators. A sequence of restrictions implicitly uses AND.
  • A restriction has the form of <field> <operator> <value>.
  • Supported fields/values for inspect jobs:
    • state - PENDING|RUNNING|CANCELED|FINISHED|FAILED
    • inspected_storage - DATASTORE|CLOUD_STORAGE|BIGQUERY
    • trigger_name - The resource name of the trigger that created job.
    • 'end_time` - Corresponds to time the job finished.
    • 'start_time` - Corresponds to time the job finished.
  • Supported fields for risk analysis jobs:
    • state - RUNNING|CANCELED|FINISHED|FAILED
    • 'end_time` - Corresponds to time the job finished.
    • 'start_time` - Corresponds to time the job finished.
  • The operator must be = or !=.

Examples:

  • inspected_storage = cloud_storage AND state = done
  • inspected_storage = cloud_storage OR inspected_storage = bigquery
  • inspected_storage = cloud_storage AND (state = done OR state = canceled)
  • end_time > "2017-12-12T00:00:00+00:00"

The length of this field should be no more than 500 characters.

page_size

int32

The standard list page size.

page_token

string

The standard list page token.

type

DlpJobType

The type of job. Defaults to DlpJobType.INSPECT

order_by

string

Optional comma separated list of fields to order by, followed by asc or desc postfix. This list is case-insensitive, default sorting order is ascending, redundant space characters are insignificant.

Example: name asc, end_time asc, create_time desc

Supported fields are:

  • create_time: corresponds to time the job was created.
  • end_time: corresponds to time the job ended.
  • name: corresponds to job's name.
  • state: corresponds to state

location_id

string

The geographic location where jobs will be retrieved from. Use - for all locations. Reserved for future extensions.

ListDlpJobsResponse

The response message for listing DLP jobs.

Fields
jobs[]

DlpJob

A list of DlpJobs that matches the specified filter in the request.

next_page_token

string

The standard List next-page token.

ListInfoTypesRequest

Request for the list of infoTypes.

Fields
language_code

string

Optional BCP-47 language code for localized infoType friendly names. If omitted, or if localized strings are not available, en-US strings will be returned.

filter

string

Optional filter to only return infoTypes supported by certain parts of the API. Defaults to supported_by=INSPECT.

location_id

string

The geographic location to list info types. Reserved for future extensions.

ListInfoTypesResponse

Response to the ListInfoTypes request.

Fields
info_types[]

InfoTypeDescription

Set of sensitive infoTypes.

ListInspectTemplatesRequest

Request message for ListInspectTemplates.

Fields
parent

string

Required. The parent resource name, for example projects/my-project-id or organizations/my-org-id.

Authorization requires the following Google IAM permission on the specified resource parent:

  • dlp.inspectTemplates.list

page_token

string

Optional page token to continue retrieval. Comes from previous call to ListInspectTemplates.

page_size

int32

Optional size of the page, can be limited by server. If zero server returns a page of max size 100.

order_by

string

Optional comma separated list of fields to order by, followed by asc or desc postfix. This list is case-insensitive, default sorting order is ascending, redundant space characters are insignificant.

Example: name asc,update_time, create_time desc

Supported fields are:

  • create_time: corresponds to time the template was created.
  • update_time: corresponds to time the template was last updated.
  • name: corresponds to template's name.
  • display_name: corresponds to template's display name.

location_id

string

The geographic location where inspection templates will be retrieved from. Use - for all locations. Reserved for future extensions.

ListInspectTemplatesResponse

Response message for ListInspectTemplates.

Fields
inspect_templates[]

InspectTemplate

List of inspectTemplates, up to page_size in ListInspectTemplatesRequest.

next_page_token

string

If the next page is available then the next page token to be used in following ListInspectTemplates request.

ListJobTriggersRequest

Request message for ListJobTriggers.

Fields
parent

string

Required. The parent resource name, for example projects/my-project-id.

Authorization requires the following Google IAM permission on the specified resource parent:

  • dlp.jobTriggers.list

page_token

string

Optional page token to continue retrieval. Comes from previous call to ListJobTriggers. order_by field must not change for subsequent calls.

page_size

int32

Optional size of the page, can be limited by a server.

order_by

string

Optional comma separated list of triggeredJob fields to order by, followed by asc or desc postfix. This list is case-insensitive, default sorting order is ascending, redundant space characters are insignificant.

Example: name asc,update_time, create_time desc

Supported fields are:

  • create_time: corresponds to time the JobTrigger was created.
  • update_time: corresponds to time the JobTrigger was last updated.
  • last_run_time: corresponds to the last time the JobTrigger ran.
  • name: corresponds to JobTrigger's name.
  • display_name: corresponds to JobTrigger's display name.
  • status: corresponds to JobTrigger's status.

filter

string

Optional. Allows filtering.

Supported syntax:

  • Filter expressions are made up of one or more restrictions.
  • Restrictions can be combined by AND or OR logical operators. A sequence of restrictions implicitly uses AND.
  • A restriction has the form of <field> <operator> <value>.
  • Supported fields/values for inspect jobs:
    • status - HEALTHY|PAUSED|CANCELLED
    • inspected_storage - DATASTORE|CLOUD_STORAGE|BIGQUERY
    • 'last_run_time` - RFC 3339 formatted timestamp, surrounded by quotation marks. Nanoseconds are ignored.
    • 'error_count' - Number of errors that have occurred while running.
  • The operator must be = or != for status and inspected_storage.

Examples:

  • inspected_storage = cloud_storage AND status = HEALTHY
  • inspected_storage = cloud_storage OR inspected_storage = bigquery
  • inspected_storage = cloud_storage AND (state = PAUSED OR state = HEALTHY)
  • last_run_time > "2017-12-12T00:00:00+00:00"

The length of this field should be no more than 500 characters.

location_id

string

The geographic location where job triggers will be retrieved from. Use - for all locations. Reserved for future extensions.

ListJobTriggersResponse

Response message for ListJobTriggers.

Fields
job_triggers[]

JobTrigger

List of triggeredJobs, up to page_size in ListJobTriggersRequest.

next_page_token

string

If the next page is available then the next page token to be used in following ListJobTriggers request.

ListStoredInfoTypesRequest

Request message for ListStoredInfoTypes.

Fields
parent

string

Required. The parent resource name, for example projects/my-project-id or organizations/my-org-id.

Authorization requires the following Google IAM permission on the specified resource parent:

  • dlp.storedInfoTypes.list

page_token

string

Optional page token to continue retrieval. Comes from previous call to ListStoredInfoTypes.

page_size

int32

Optional size of the page, can be limited by server. If zero server returns a page of max size 100.

order_by

string

Optional comma separated list of fields to order by, followed by asc or desc postfix. This list is case-insensitive, default sorting order is ascending, redundant space characters are insignificant.

Example: name asc, display_name, create_time desc

Supported fields are:

  • create_time: corresponds to time the most recent version of the resource was created.
  • state: corresponds to the state of the resource.
  • name: corresponds to resource name.
  • display_name: corresponds to info type's display name.

location_id

string

The geographic location where stored infoTypes will be retrieved from. Use - for all locations. Reserved for future extensions.

ListStoredInfoTypesResponse

Response message for ListStoredInfoTypes.

Fields
stored_info_types[]

StoredInfoType

List of storedInfoTypes, up to page_size in ListStoredInfoTypesRequest.

next_page_token

string

If the next page is available then the next page token to be used in following ListStoredInfoTypes request.

Location

Specifies the location of the finding.

Fields
byte_range

Range

Zero-based byte offsets delimiting the finding. These are relative to the finding's containing element. Note that when the content is not textual, this references the UTF-8 encoded textual representation of the content. Omitted if content is an image.

codepoint_range

Range

Unicode character offsets delimiting the finding. These are relative to the finding's containing element. Provided when the content is text.

content_locations[]

ContentLocation

List of nested objects pointing to the precise location of the finding within the file or record.

MatchingType

Type of the match which can be applied to different ways of matching, like Dictionary, regular expression and intersecting with findings of another info type.

Enums
MATCHING_TYPE_UNSPECIFIED Invalid.
MATCHING_TYPE_FULL_MATCH

Full match.

  • Dictionary: join of Dictionary results matched complete finding quote
  • Regex: all regex matches fill a finding quote start to end
  • Exclude info type: completely inside affecting info types findings
MATCHING_TYPE_PARTIAL_MATCH

Partial match.

  • Dictionary: at least one of the tokens in the finding matches
  • Regex: substring of the finding matches
  • Exclude info type: intersects with affecting info types findings
MATCHING_TYPE_INVERSE_MATCH

Inverse match.

  • Dictionary: no tokens in the finding match the dictionary
  • Regex: finding doesn't match the regex
  • Exclude info type: no intersection with affecting info types findings

OutputStorageConfig

Cloud repository for storing output.

Fields
output_schema

OutputSchema

Schema used for writing the findings for Inspect jobs. This field is only used for Inspect and must be unspecified for Risk jobs. Columns are derived from the Finding object. If appending to an existing table, any columns from the predefined schema that are missing will be added. No columns in the existing table will be deleted.

If unspecified, then all available columns will be used for a new table or an (existing) table with no schema, and no changes will be made to an existing table that has a schema.

table

BigQueryTable

Store findings in an existing table or a new table in an existing dataset. If table_id is not set a new one will be generated for you with the following format: dlp_googleapis_yyyy_mm_dd_[dlp_job_id]. Pacific timezone will be used for generating the date details.

For Inspect, each column in an existing output table must have the same name, type, and mode of a field in the Finding object.

For Risk, an existing output table should be the output of a previous Risk analysis job run on the same source table, with the same privacy metric and quasi-identifiers. Risk jobs that analyze the same table but compute a different privacy metric, or use different sets of quasi-identifiers, cannot store their results in the same table.

OutputSchema

Predefined schemas for storing findings.

Enums
OUTPUT_SCHEMA_UNSPECIFIED
BASIC_COLUMNS Basic schema including only info_type, quote, certainty, and timestamp.
GCS_COLUMNS Schema tailored to findings from scanning Google Cloud Storage.
DATASTORE_COLUMNS Schema tailored to findings from scanning Google Datastore.
BIG_QUERY_COLUMNS Schema tailored to findings from scanning Google BigQuery.
ALL_COLUMNS Schema containing all columns.

PartitionId

Datastore partition ID. A partition ID identifies a grouping of entities. The grouping is always by project and namespace, however the namespace ID may be empty.

A partition ID contains several dimensions: project ID and namespace ID.

Fields
project_id

string

The ID of the project to which the entities belong.

namespace_id

string

If not empty, the ID of the namespace to which the entities belong.

PrimitiveTransformation

A rule for transforming a value.

Fields

Union field transformation.

transformation can be only one of the following:

replace_config

ReplaceValueConfig

redact_config

RedactConfig

character_mask_config

CharacterMaskConfig

crypto_replace_ffx_fpe_config

CryptoReplaceFfxFpeConfig

fixed_size_bucketing_config

FixedSizeBucketingConfig

bucketing_config

BucketingConfig

replace_with_info_type_config

ReplaceWithInfoTypeConfig

time_part_config

TimePartConfig

crypto_hash_config

CryptoHashConfig

date_shift_config

DateShiftConfig

crypto_deterministic_config

CryptoDeterministicConfig

PrivacyMetric

Privacy metric to compute for reidentification risk analysis.

Fields

Union field type.

type can be only one of the following:

numerical_stats_config

NumericalStatsConfig

categorical_stats_config

CategoricalStatsConfig

k_anonymity_config

KAnonymityConfig

l_diversity_config

LDiversityConfig

k_map_estimation_config

KMapEstimationConfig

delta_presence_estimation_config

DeltaPresenceEstimationConfig

CategoricalStatsConfig

Compute numerical stats over an individual column, including number of distinct values and value count distribution.

Fields
field

FieldId

Field to compute categorical stats on. All column types are supported except for arrays and structs. However, it may be more informative to use NumericalStats when the field type is supported, depending on the data.

DeltaPresenceEstimationConfig

δ-presence metric, used to estimate how likely it is for an attacker to figure out that one given individual appears in a de-identified dataset. Similarly to the k-map metric, we cannot compute δ-presence exactly without knowing the attack dataset, so we use a statistical model instead.

Fields
quasi_ids[]

QuasiId

Fields considered to be quasi-identifiers. No two fields can have the same tag. [required]

region_code

string

ISO 3166-1 alpha-2 region code to use in the statistical modeling. Required if no column is tagged with a region-specific InfoType (like US_ZIP_5) or a region code.

auxiliary_tables[]

StatisticalTable

Several auxiliary tables can be used in the analysis. Each custom_tag used to tag a quasi-identifiers field must appear in exactly one field of one auxiliary table.

KAnonymityConfig

k-anonymity metric, used for analysis of reidentification risk.

Fields
quasi_ids[]

FieldId

Set of fields to compute k-anonymity over. When multiple fields are specified, they are considered a single composite key. Structs and repeated data types are not supported; however, nested fields are supported so long as they are not structs themselves or nested within a repeated field.

entity_id

EntityId

Optional message indicating that multiple rows might be associated to a single individual. If the same entity_id is associated to multiple quasi-identifier tuples over distinct rows, we consider the entire collection of tuples as the composite quasi-identifier. This collection is a multiset: the order in which the different tuples appear in the dataset is ignored, but their frequency is taken into account.

Important note: a maximum of 1000 rows can be associated to a single entity ID. If more rows are associated with the same entity ID, some might be ignored.

KMapEstimationConfig

Reidentifiability metric. This corresponds to a risk model similar to what is called "journalist risk" in the literature, except the attack dataset is statistically modeled instead of being perfectly known. This can be done using publicly available data (like the US Census), or using a custom statistical model (indicated as one or several BigQuery tables), or by extrapolating from the distribution of values in the input dataset. A column with a semantic tag attached.

Fields
quasi_ids[]

TaggedField

Fields considered to be quasi-identifiers. No two columns can have the same tag. [required]

region_code

string

ISO 3166-1 alpha-2 region code to use in the statistical modeling. Required if no column is tagged with a region-specific InfoType (like US_ZIP_5) or a region code.

auxiliary_tables[]

AuxiliaryTable

Several auxiliary tables can be used in the analysis. Each custom_tag used to tag a quasi-identifiers column must appear in exactly one column of one auxiliary table.

AuxiliaryTable

An auxiliary table contains statistical information on the relative frequency of different quasi-identifiers values. It has one or several quasi-identifiers columns, and one column that indicates the relative frequency of each quasi-identifier tuple. If a tuple is present in the data but not in the auxiliary table, the corresponding relative frequency is assumed to be zero (and thus, the tuple is highly reidentifiable).

Fields
table

BigQueryTable

Auxiliary table location. [required]

quasi_ids[]

QuasiIdField

Quasi-identifier columns. [required]

relative_frequency

FieldId

The relative frequency column must contain a floating-point number between 0 and 1 (inclusive). Null values are assumed to be zero. [required]

QuasiIdField

A quasi-identifier column has a custom_tag, used to know which column in the data corresponds to which column in the statistical model.

Fields
field

FieldId

custom_tag

string

TaggedField

Fields
field

FieldId

Identifies the column. [required]

Union field tag. Semantic tag that identifies what a column contains, to determine which statistical model to use to estimate the reidentifiability of each value. [required] tag can be only one of the following:
info_type

InfoType

A column can be tagged with a InfoType to use the relevant public dataset as a statistical model of population, if available. We currently support US ZIP codes, region codes, ages and genders. To programmatically obtain the list of supported InfoTypes, use ListInfoTypes with the supported_by=RISK_ANALYSIS filter.

custom_tag

string

A column can be tagged with a custom tag. In this case, the user must indicate an auxiliary table that contains statistical information on the possible values of this column (below).

inferred

Empty

If no semantic tag is indicated, we infer the statistical model from the distribution of values in the input data

LDiversityConfig

l-diversity metric, used for analysis of reidentification risk.

Fields
quasi_ids[]

FieldId

Set of quasi-identifiers indicating how equivalence classes are defined for the l-diversity computation. When multiple fields are specified, they are considered a single composite key.

sensitive_attribute

FieldId

Sensitive field for computing the l-value.

NumericalStatsConfig

Compute numerical stats over an individual column, including min, max, and quantiles.

Fields
field

FieldId

Field to compute numerical stats on. Supported types are integer, float, date, datetime, timestamp, time.

QuasiId

A column with a semantic tag attached.

Fields
field

FieldId

Identifies the column. [required]

Union field tag. Semantic tag that identifies what a column contains, to determine which statistical model to use to estimate the reidentifiability of each value. [required] tag can be only one of the following:
info_type

InfoType

A column can be tagged with a InfoType to use the relevant public dataset as a statistical model of population, if available. We currently support US ZIP codes, region codes, ages and genders. To programmatically obtain the list of supported InfoTypes, use ListInfoTypes with the supported_by=RISK_ANALYSIS filter.

custom_tag

string

A column can be tagged with a custom tag. In this case, the user must indicate an auxiliary table that contains statistical information on the possible values of this column (below).

inferred

Empty

If no semantic tag is indicated, we infer the statistical model from the distribution of values in the input data

QuoteInfo

Message for infoType-dependent details parsed from quote.

Fields
date_time

DateTime

The date time indicated by the quote.

Range

Generic half-open interval [start, end)

Fields
start

int64

Index of the first character of the range (inclusive).

end

int64

Index of the last character of the range (exclusive).

RecordCondition

A condition for determining whether a transformation should be applied to a field.

Fields
expressions

Expressions

An expression.

Condition

The field type of value and field do not need to match to be considered equal, but not all comparisons are possible. EQUAL_TO and NOT_EQUAL_TO attempt to compare even with incompatible types, but all other comparisons are invalid with incompatible types. A value of type:

  • string can be compared against all other types
  • boolean can only be compared against other booleans
  • integer can be compared against doubles or a string if the string value can be parsed as an integer.
  • double can be compared against integers or a string if the string can be parsed as a double.
  • Timestamp can be compared against strings in RFC 3339 date string format.
  • TimeOfDay can be compared against timestamps and strings in the format of 'HH:mm:ss'.

If we fail to compare do to type mismatch, a warning will be given and the condition will evaluate to false.

Fields
field

FieldId

Field within the record this condition is evaluated against. [required]

operator

RelationalOperator

Operator used to compare the field or infoType to the value. [required]

value

Value

Value to compare against. [Required, except for EXISTS tests.]

Conditions

A collection of conditions.

Fields
conditions[]

Condition

Expressions

An expression, consisting or an operator and conditions.

Fields
logical_operator

LogicalOperator

The operator to apply to the result of conditions. Default and currently only supported value is AND.

conditions

Conditions

LogicalOperator

Enums
LOGICAL_OPERATOR_UNSPECIFIED
AND

RecordKey

Message for a unique key indicating a record that contains a finding.

Fields
id_values[]

string

Values of identifying columns in the given row. Order of values matches the order of field identifiers specified in the scanning request.

Union field type.

type can be only one of the following:

datastore_key

DatastoreKey

big_query_key

BigQueryKey

RecordLocation

Location of a finding within a row or record.

Fields
record_key

RecordKey

Key of the finding.

field_id

FieldId

Field id of the field containing the finding.

table_location

TableLocation

Location within a ContentItem.Table.

RecordSuppression

Configuration to suppress records whose suppression conditions evaluate to true.

Fields
condition

RecordCondition

A condition that when it evaluates to true will result in the record being evaluated to be suppressed from the transformed content.

RecordTransformations

A type of transformation that is applied over structured data such as a table.

Fields
field_transformations[]

FieldTransformation

Transform the record by applying various field transformations.

record_suppressions[]

RecordSuppression

Configuration defining which records get suppressed entirely. Records that match any suppression rule are omitted from the output [optional].

RedactConfig

Redact a given value. For example, if used with an InfoTypeTransformation transforming PHONE_NUMBER, and input 'My phone number is 206-555-0123', the output would be 'My phone number is '.

RedactImageRequest

Request to search for potentially sensitive info in an image and redact it by covering it with a colored rectangle.

Fields
parent

string

The parent resource name, for example projects/my-project-id.

Authorization requires the following Google IAM permission on the specified resource parent:

  • serviceusage.services.use

location_id

string

The geographic location to process the request. Reserved for future extensions.

inspect_config

InspectConfig

Configuration for the inspector.

image_redaction_configs[]

ImageRedactionConfig

The configuration for specifying what content to redact from images.

include_findings

bool

Whether the response should include findings along with the redacted image.

byte_item

ByteContentItem

The content must be PNG, JPEG, SVG or BMP.

ImageRedactionConfig

Configuration for determining how redaction of images should occur.

Fields
redaction_color

Color

The color to use when redacting content from an image. If not specified, the default is black.

Union field target. Type of information to redact from images. target can be only one of the following:
info_type

InfoType

Only one per info_type should be provided per request. If not specified, and redact_all_text is false, the DLP API will redact all text that it matches against all info_types that are found, but not specified in another ImageRedactionConfig.

redact_all_text

bool

If true, all text found in the image, regardless whether it matches an info_type, is redacted. Only one should be provided.

RedactImageResponse

Results of redacting an image.

Fields
redacted_image

bytes

The redacted image. The type will be the same as the original image.

extracted_text

string

If an image was being inspected and the InspectConfig's include_quote was set to true, then this field will include all text, if any, that was found in the image.

inspect_result

InspectResult

The findings. Populated when include_findings in the request is true.

ReidentifyContentRequest

Request to re-identify an item.

Fields
parent

string

Required. The parent resource name.

Authorization requires the following Google IAM permission on the specified resource parent:

  • serviceusage.services.use

reidentify_config

DeidentifyConfig

Configuration for the re-identification of the content item. This field shares the same proto message type that is used for de-identification, however its usage here is for the reversal of the previous de-identification. Re-identification is performed by examining the transformations used to de-identify the items and executing the reverse. This requires that only reversible transformations be provided here. The reversible transformations are:

  • CryptoDeterministicConfig
  • CryptoReplaceFfxFpeConfig

inspect_config

InspectConfig

Configuration for the inspector.

item

ContentItem

The item to re-identify. Will be treated as text.

inspect_template_name

string

Optional template to use. Any configuration directly specified in inspect_config will override those set in the template. Singular fields that are set in this request will replace their corresponding fields in the template. Repeated fields are appended. Singular sub-messages and groups are recursively merged.

reidentify_template_name

string

Optional template to use. References an instance of DeidentifyTemplate. Any configuration directly specified in reidentify_config or inspect_config will override those set in the template. Singular fields that are set in this request will replace their corresponding fields in the template. Repeated fields are appended. Singular sub-messages and groups are recursively merged.

location_id

string

The geographic location to process content reidentification. Reserved for future extensions.

ReidentifyContentResponse

Results of re-identifying a item.

Fields
item

ContentItem

The re-identified item.

overview

TransformationOverview

An overview of the changes that were made to the item.

RelationalOperator

Operators available for comparing the value of fields.

Enums
RELATIONAL_OPERATOR_UNSPECIFIED
EQUAL_TO Equal. Attempts to match even with incompatible types.
NOT_EQUAL_TO Not equal to. Attempts to match even with incompatible types.
GREATER_THAN Greater than.
LESS_THAN Less than.
GREATER_THAN_OR_EQUALS Greater than or equals.
LESS_THAN_OR_EQUALS Less than or equals.
EXISTS Exists

ReplaceValueConfig

Replace each input value with a given Value.

Fields
new_value

Value

Value to replace it with.

ReplaceWithInfoTypeConfig

Replace each matching finding with the name of the info_type.

RiskAnalysisJobConfig

Configuration for a risk analysis job. See https://cloud.google.com/dlp/docs/concepts-risk-analysis to learn more.

Fields
privacy_metric

PrivacyMetric

Privacy metric to compute.

source_table

BigQueryTable

Input dataset to compute metrics over.

actions[]

Action

Actions to execute at the completion of the job. Are executed in the order provided.

Schedule

Schedule for triggeredJobs.

Fields
recurrence_period_duration

Duration

With this option a job is started a regular periodic basis. For example: every day (86400 seconds).

A scheduled start time will be skipped if the previous execution has not ended when its scheduled time occurs.

This value must be set to a time duration greater than or equal to 1 day and can be no longer than 60 days.

StatisticalTable

An auxiliary table containing statistical information on the relative frequency of different quasi-identifiers values. It has one or several quasi-identifiers columns, and one column that indicates the relative frequency of each quasi-identifier tuple. If a tuple is present in the data but not in the auxiliary table, the corresponding relative frequency is assumed to be zero (and thus, the tuple is highly reidentifiable).

Fields
table

BigQueryTable

Auxiliary table location. [required]

quasi_ids[]

QuasiIdentifierField

Quasi-identifier columns. [required]

relative_frequency

FieldId

The relative frequency column must contain a floating-point number between 0 and 1 (inclusive). Null values are assumed to be zero. [required]

QuasiIdentifierField

A quasi-identifier column has a custom_tag, used to know which column in the data corresponds to which column in the statistical model.

Fields
field

FieldId

custom_tag

string

StorageConfig

Shared message indicating Cloud storage type.

Fields
timespan_config

TimespanConfig

Union field type.

type can be only one of the following:

datastore_options

DatastoreOptions

Google Cloud Datastore options specification.

cloud_storage_options

CloudStorageOptions

Google Cloud Storage options specification.

big_query_options

BigQueryOptions

BigQuery options specification.

TimespanConfig

Configuration of the timespan of the items to include in scanning. Currently only supported when inspecting Google Cloud Storage and BigQuery.

Fields
start_time

Timestamp

Exclude files or rows older than this value.

end_time

Timestamp

Exclude files or rows newer than this value. If set to zero, no upper time limit is applied.

timestamp_field

FieldId

Specification of the field containing the timestamp of scanned items. Used for data sources like Datastore and BigQuery.

For BigQuery: Required to filter out rows based on the given start and end times. If not specified and the table was modified between the given start and end times, the entire table will be scanned. The valid data types of the timestamp field are: INTEGER, DATE, TIMESTAMP, or DATETIME BigQuery column.

For Datastore. Valid data types of the timestamp field are: TIMESTAMP. Datastore entity will be scanned if the timestamp property does not exist or its value is empty or invalid.

enable_auto_population_of_timespan_config

bool

When the job is started by a JobTrigger we will automatically figure out a valid start_time to avoid scanning files that have not been modified since the last time the JobTrigger executed. This will be based on the time of the execution of the last run of the JobTrigger.

StoredInfoType

StoredInfoType resource message that contains information about the current version and any pending updates.

Fields
name

string

Resource name.

current_version

StoredInfoTypeVersion

Current version of the stored info type.

pending_versions[]

StoredInfoTypeVersion

Pending versions of the stored info type. Empty if no versions are pending.

StoredInfoTypeConfig

Configuration for a StoredInfoType.

Fields
display_name

string

Display name of the StoredInfoType (max 256 characters).

description

string

Description of the StoredInfoType (max 256 characters).

large_custom_dictionary

LargeCustomDictionaryConfig

StoredInfoType where findings are defined by a dictionary of phrases.

StoredInfoTypeState

State of a StoredInfoType version.

Enums
STORED_INFO_TYPE_STATE_UNSPECIFIED
PENDING StoredInfoType version is being created.
READY StoredInfoType version is ready for use.
FAILED StoredInfoType creation failed. All relevant error messages are returned in the StoredInfoTypeVersion message.
INVALID StoredInfoType is no longer valid because artifacts stored in user-controlled storage were modified. To fix an invalid StoredInfoType, use the UpdateStoredInfoType method to create a new version.

StoredInfoTypeStats

Statistics for a StoredInfoType.

Fields
large_custom_dictionary

LargeCustomDictionaryStats

StoredInfoType where findings are defined by a dictionary of phrases.

StoredInfoTypeVersion

Version of a StoredInfoType, including the configuration used to build it, create timestamp, and current state.

Fields
config

StoredInfoTypeConfig

StoredInfoType configuration.

create_time

Timestamp

Create timestamp of the version. Read-only, determined by the system when the version is created.

state

StoredInfoTypeState

Stored info type version state. Read-only, updated by the system during dictionary creation.

errors[]

Error

Errors that occurred when creating this storedInfoType version, or anomalies detected in the storedInfoType data that render it unusable. Only the five most recent errors will be displayed, with the most recent error appearing first.

For example, some of the data for stored custom dictionaries is put in the user's Google Cloud Storage bucket, and if this data is modified or deleted by the user or another system, the dictionary becomes invalid.

If any errors occur, fix the problem indicated by the error message and use the UpdateStoredInfoType API method to create another version of the storedInfoType to continue using it, reusing the same config if it was not the source of the error.

stats

StoredInfoTypeStats

Statistics about this storedInfoType version.

StoredType

A reference to a StoredInfoType to use with scanning.

Fields
name

string

Resource name of the requested StoredInfoType, for example organizations/433245324/storedInfoTypes/432452342 or projects/project-id/storedInfoTypes/432452342.

create_time

Timestamp

Timestamp indicating when the version of the StoredInfoType used for inspection was created. Output-only field, populated by the system.

Table

Structured content to inspect. Up to 50,000 Values per request allowed. See https://cloud.google.com/dlp/docs/inspecting-text#inspecting_a_table to learn more.

Fields
headers[]

FieldId

rows[]

Row

Row

Fields
values[]

Value

TableLocation

Location of a finding within a table.

Fields
row_index

int64

The zero-based index of the row where the finding is located.

TimePartConfig

For use with Date, Timestamp, and TimeOfDay, extract or preserve a portion of the value.

Fields
part_to_extract

TimePart

TimePart

Enums
TIME_PART_UNSPECIFIED
YEAR [0-9999]
MONTH [1-12]
DAY_OF_MONTH [1-31]
DAY_OF_WEEK [1-7]
WEEK_OF_YEAR [1-53]
HOUR_OF_DAY [0-23]

TransformationOverview

Overview of the modifications that occurred.

Fields
transformed_bytes

int64

Total size in bytes that were transformed in some way.

transformation_summaries[]

TransformationSummary

Transformations applied to the dataset.

TransformationSummary

Summary of a single transformation. Only one of 'transformation', 'field_transformation', or 'record_suppress' will be set.

Fields
info_type

InfoType

Set if the transformation was limited to a specific InfoType.

field

FieldId

Set if the transformation was limited to a specific FieldId.

transformation

PrimitiveTransformation

The specific transformation these stats apply to.

field_transformations[]

FieldTransformation

The field transformation that was applied. If multiple field transformations are requested for a single field, this list will contain all of them; otherwise, only one is supplied.

record_suppress

RecordSuppression

The specific suppression option these stats apply to.

results[]

SummaryResult

transformed_bytes

int64

Total size in bytes that were transformed in some way.

SummaryResult

A collection that informs the user the number of times a particular TransformationResultCode and error details occurred.

Fields
count

int64

code

TransformationResultCode

details

string

A place for warnings or errors to show up if a transformation didn't work as expected.

TransformationResultCode

Possible outcomes of transformations.

Enums
TRANSFORMATION_RESULT_CODE_UNSPECIFIED
SUCCESS
ERROR

TransientCryptoKey

Use this to have a random data crypto key generated. It will be discarded after the request finishes.

Fields
name

string

Name of the key. [required] This is an arbitrary string used to differentiate different keys. A unique key is generated per name: two separate TransientCryptoKey protos share the same generated key if their names are the same. When the data crypto key is generated, this name is not used in any way (repeating the api call will result in a different key being generated).

UnwrappedCryptoKey

Using raw keys is prone to security risks due to accidentally leaking the key. Choose another type of key if possible.

Fields
key

bytes

A 128/192/256 bit key. [required]

UpdateDeidentifyTemplateRequest

Request message for UpdateDeidentifyTemplate.

Fields
name

string

Required. Resource name of organization and deidentify template to be updated, for example organizations/433245324/deidentifyTemplates/432452342 or projects/project-id/deidentifyTemplates/432452342.

Authorization requires the following Google IAM permission on the specified resource name:

  • dlp.deidentifyTemplates.update

deidentify_template

DeidentifyTemplate

New DeidentifyTemplate value.

update_mask

FieldMask

Mask to control which fields get updated.

UpdateInspectTemplateRequest

Request message for UpdateInspectTemplate.

Fields
name

string

Required. Resource name of organization and inspectTemplate to be updated, for example organizations/433245324/inspectTemplates/432452342 or projects/project-id/inspectTemplates/432452342.

Authorization requires the following Google IAM permission on the specified resource name:

  • dlp.inspectTemplates.update

inspect_template

InspectTemplate

New InspectTemplate value.

update_mask

FieldMask

Mask to control which fields get updated.

UpdateJobTriggerRequest

Request message for UpdateJobTrigger.

Fields
name

string

Required. Resource name of the project and the triggeredJob, for example projects/dlp-test-project/jobTriggers/53234423.

Authorization requires one or more of the following Google IAM permissions on the specified resource name:

  • dlp.jobTriggers.update
  • dlp.jobs.create

job_trigger

JobTrigger

New JobTrigger value.

update_mask

FieldMask

Mask to control which fields get updated.

UpdateStoredInfoTypeRequest

Request message for UpdateStoredInfoType.

Fields
name

string

Required. Resource name of organization and storedInfoType to be updated, for example organizations/433245324/storedInfoTypes/432452342 or projects/project-id/storedInfoTypes/432452342.

Authorization requires the following Google IAM permission on the specified resource name:

  • dlp.storedInfoTypes.update

config

StoredInfoTypeConfig

Updated configuration for the storedInfoType. If not provided, a new version of the storedInfoType will be created with the existing configuration.

update_mask

FieldMask

Mask to control which fields get updated.

Value

Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a 'Value' is based on its representation as a UTF-8 encoded string. For example, if 'integer_value' is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data.

Fields

Union field type.

type can be only one of the following:

integer_value

int64

float_value

double

string_value

string

boolean_value

bool

timestamp_value

Timestamp

time_value

TimeOfDay

date_value

Date

day_of_week_value

DayOfWeek

ValueFrequency

A value of a field, including its frequency.

Fields
value

Value

A value contained in the field in question.

count

int64

How many times the value is contained in the field.

¿Te sirvió esta página? Envíanos tu opinión:

Enviar comentarios sobre…

Data Loss Prevention Documentation