Package google.privacy.dlp.v2

SaveFindings

Save resulting findings in a provided location.

PublishToPubSub

Publish a notification to a pubsub topic.

PublishSummaryToCscc

Publish summary to Cloud Security Command Center (Alpha).

PublishFindingsToCloudDataCatalog

Publish findings to Cloud Datahub.

JobNotificationEmails

Enable email notification for project owners and editors on job's completion/failure.

PublishToStackdriver

Enable Stackdriver metric dlp.googleapis.com/finding_count.

string

Cloud Pub/Sub topic to send notifications to. The topic must have given publishing access rights to the DLP API service account executing the long running DlpJob sending the notifications. Format is projects/{project}/topics/{topic}.

OutputStorageConfig

Location to store findings outside of DLP.

string

Required. Resource name of the trigger to activate, for example projects/dlp-test-project/jobTriggers/53234423.

Authorization requires one or more of the following IAM permissions on the specified resource name:

• dlp.jobTriggers.get
• dlp.jobs.create

PrivacyMetric

Privacy metric to compute.

BigQueryTable

Input dataset to compute metrics over.

RequestedRiskAnalysisOptions

The configuration used for this job.

NumericalStatsResult

Numerical stats result

CategoricalStatsResult

Categorical stats result

KAnonymityResult

K-anonymity result

LDiversityResult

L-divesity result

KMapEstimationResult

K-map result

DeltaPresenceEstimationResult

Delta-presence result

CategoricalStatsHistogramBucket

Histogram of value frequencies in the column.

int64

Lower bound on the value frequency of the values in this bucket.

int64

Upper bound on the value frequency of the values in this bucket.

int64

Total number of values in this bucket.

ValueFrequency

Sample of value frequencies in this bucket. The total number of values returned per bucket is capped at 20.

int64

Total number of distinct values in this bucket.

DeltaPresenceEstimationHistogramBucket

The intervals [min_probability, max_probability) do not overlap. If a value doesn't correspond to any such interval, the associated frequency is zero. For example, the following records: {min_probability: 0, max_probability: 0.1, frequency: 17} {min_probability: 0.2, max_probability: 0.3, frequency: 42} {min_probability: 0.3, max_probability: 0.4, frequency: 99} mean that there are no record with an estimated probability in [0.1, 0.2) nor larger or equal to 0.4.

double

Between 0 and 1.

double

Always greater than or equal to min_probability.

int64

Number of records within these probability bounds.

DeltaPresenceEstimationQuasiIdValues

Sample of quasi-identifier tuple values in this bucket. The total number of classes returned per bucket is capped at 20.

int64

Total number of distinct quasi-identifier tuple values in this bucket.

Value

The quasi-identifier values.

double

The estimated probability that a given individual sharing these quasi-identifier values is in the dataset. This value, typically called δ, is the ratio between the number of records in the dataset with these quasi-identifier values, and the total number of individuals (inside and outside the dataset) with these quasi-identifier values. For example, if there are 15 individuals in the dataset who share the same quasi-identifier values, and an estimated 100 people in the entire population with these values, then δ is 0.15.

KAnonymityHistogramBucket

Histogram of k-anonymity equivalence classes.

Value

Set of values defining the equivalence class. One value per quasi-identifier column in the original KAnonymity metric message. The order is always the same as the original request.

int64

Size of the equivalence class, for example number of rows with the above set of values.

int64

Lower bound on the size of the equivalence classes in this bucket.

int64

Upper bound on the size of the equivalence classes in this bucket.

int64

Total number of equivalence classes in this bucket.

KAnonymityEquivalenceClass

Sample of equivalence classes in this bucket. The total number of classes returned per bucket is capped at 20.

int64

Total number of distinct equivalence classes in this bucket.

KMapEstimationHistogramBucket

The intervals [min_anonymity, max_anonymity] do not overlap. If a value doesn't correspond to any such interval, the associated frequency is zero. For example, the following records: {min_anonymity: 1, max_anonymity: 1, frequency: 17} {min_anonymity: 2, max_anonymity: 3, frequency: 42} {min_anonymity: 5, max_anonymity: 10, frequency: 99} mean that there are no record with an estimated anonymity of 4, 5, or larger than 10.

int64

Always positive.

int64

Always greater than or equal to min_anonymity.

int64

Number of records within these anonymity bounds.

KMapEstimationQuasiIdValues

Sample of quasi-identifier tuple values in this bucket. The total number of classes returned per bucket is capped at 20.

int64

Total number of distinct quasi-identifier tuple values in this bucket.

Value

The quasi-identifier values.

int64

The estimated anonymity for these quasi-identifier values.

LDiversityHistogramBucket

Histogram of l-diversity equivalence class sensitive value frequencies.

Value

Quasi-identifier values defining the k-anonymity equivalence class. The order is always the same as the original request.

int64

Size of the k-anonymity equivalence class.

int64

Number of distinct sensitive values in this equivalence class.

ValueFrequency

Estimated frequencies of top sensitive values.

int64

Lower bound on the sensitive value frequencies of the equivalence classes in this bucket.

int64

Upper bound on the sensitive value frequencies of the equivalence classes in this bucket.

int64

Total number of equivalence classes in this bucket.

LDiversityEquivalenceClass

Sample of equivalence classes in this bucket. The total number of classes returned per bucket is capped at 20.

int64

Total number of distinct equivalence classes in this bucket.

Value

Minimum value appearing in the column.

Value

Maximum value appearing in the column.

Value

List of 99 values that partition the set of field values into 100 equal sized buckets.

RiskAnalysisJobConfig

The job config for the risk job.

BigQueryTable

Source table of the field.

FieldId

Designated field in the BigQuery table.

BigQueryTable

Complete BigQuery table reference.

int64

Row number inferred at the time the table was scanned. This value is nondeterministic, cannot be queried, and may be null for inspection jobs. To locate findings within a table, specify inspect_job.storage_config.big_query_options.identifying_fields in CreateDlpJobRequest.

BigQueryTable

Complete BigQuery table reference.

FieldId

Table fields that may uniquely identify a row within the table. When actions.saveFindings.outputConfig.table is specified, the values of columns specified here are available in the output table under location.content_locations.record_location.record_key.id_values. Nested fields such as person.birthdate.year are allowed.

int64

Max number of rows to scan. If the table has more rows than this value, the rest of the rows are omitted. If not set, or if set to 0, all rows will be scanned. Only one of rows_limit and rows_limit_percent can be specified. Cannot be used in conjunction with TimespanConfig.

int32

Max percentage of rows to scan. The rest are omitted. The number of rows scanned is rounded down. Must be between 0 and 100, inclusively. Both 0 and 100 means no limit. Defaults to 0. Only one of rows_limit and rows_limit_percent can be specified. Cannot be used in conjunction with TimespanConfig.

SampleMethod

FieldId

References to fields excluded from scanning. This allows you to skip inspection of entire columns which you know have no findings.

string

The Google Cloud Platform project ID of the project containing the table. If omitted, project ID is inferred from the API call.

string

Dataset ID of the table.

string

Name of the table.

int32

Top coordinate of the bounding box. (0,0) is upper left.

int32

Left coordinate of the bounding box. (0,0) is upper left.

int32

Width of the bounding box in pixels.

int32

Height of the bounding box in pixels.

Bucket

Set of buckets. Ranges must be non-overlapping.

Value

Lower bound of the range, inclusive. Type should be the same as max if used.

Value

Upper bound of the range, exclusive; type must match min.

Value

Required. Replacement value for this bucket.

BytesType

The type of data stored in the bytes string. Default will be TEXT_UTF8.

bytes

Content data to inspect or redact.

string

Required. The name of the DlpJob resource to be cancelled.

Authorization requires the following IAM permission on the specified resource name:

• dlp.jobs.cancel

string

Character to use to mask the sensitive values—for example, * for an alphabetic string such as a name, or 0 for a numeric string such as ZIP code or credit card number. This string must have a length of 1. If not supplied, this value defaults to * for strings, and 0 for digits.

int32

Number of characters to mask. If not set, all matching chars will be masked. Skipped characters do not count towards this tally.

bool

Mask characters in reverse order. For example, if masking_character is 0, number_to_mask is 14, and reverse_order is false, then the input string 1234-5678-9012-3456 is masked as 00000000000000-3456. If masking_character is *, number_to_mask is 3, and reverse_order is true, then the string 12345 is masked as 12***.

CharsToIgnore

When masking a string, items in this list will be skipped when replacing characters. For example, if the input string is 555-555-5555 and you instruct Cloud DLP to skip - and mask 5 characters with *, Cloud DLP returns ***-**5-5555.

string

Characters to not transform when masking.

CommonCharsToIgnore

Common characters to not transform when masking. Useful to avoid removing punctuation.

string

The url, in the format gs://<bucket>/<path>. Trailing wildcard in the path is allowed.

FileSet

The set of one or more files to scan.

int64

Max number of bytes to scan from a file. If a scanned file's size is bigger than this value then the rest of the bytes are omitted. Only one of bytes_limit_per_file and bytes_limit_per_file_percent can be specified.

int32

Max percentage of bytes to scan from a file. The rest are omitted. The number of bytes scanned is rounded down. Must be between 0 and 100, inclusively. Both 0 and 100 means no limit. Defaults to 0. Only one of bytes_limit_per_file and bytes_limit_per_file_percent can be specified.

FileType

List of file type groups to include in the scan. If empty, all files are scanned and available data format processors are applied. In addition, the binary content of the selected files is always scanned as well. Images are scanned only as binary if the specified region does not support image inspection and no file_types were specified. Image inspection is restricted to 'global', 'us', 'asia', and 'europe'.

SampleMethod

int32

Limits the number of files to scan to this percentage of the input FileSet. Number of files scanned is rounded down. Must be between 0 and 100, inclusively. Both 0 and 100 means no limit. Defaults to 0.

string

The Cloud Storage url of the file(s) to scan, in the format gs://<bucket>/<path>. Trailing wildcard in the path is allowed.

If the url ends in a trailing slash, the bucket or directory represented by the url will be scanned non-recursively (content in sub-directories will not be scanned). This means that gs://mybucket/ is equivalent to gs://mybucket/*, and gs://mybucket/directory/ is equivalent to gs://mybucket/directory/*.

Exactly one of url or regex_file_set must be set.

CloudStorageRegexFileSet

The regex-filtered set of files to scan. Exactly one of url or regex_file_set must be set.

string

A url representing a file or path (no wildcards) in Cloud Storage. Example: gs://[BUCKET_NAME]/dictionary.txt

string

The name of a Cloud Storage bucket. Required.

string

A list of regular expressions matching file paths to include. All files in the bucket that match at least one of these regular expressions will be included in the set of files, except for those that also match an item in exclude_regex. Leaving this field empty will match all files by default (this is equivalent to including .* in the list).

Regular expressions use RE2 syntax; a guide can be found under the google/re2 repository on GitHub.

string

A list of regular expressions matching file paths to exclude. All files in the bucket that match at least one of these regular expressions will be excluded from the scan.

Regular expressions use RE2 syntax; a guide can be found under the google/re2 repository on GitHub.

float

The amount of red in the color as a value in the interval [0, 1].

float

The amount of green in the color as a value in the interval [0, 1].

float

The amount of blue in the color as a value in the interval [0, 1].

string

Container type, for example BigQuery or Google Cloud Storage.

string

Project where the finding was found. Can be different from the project that owns the finding.

string

A string representation of the full container name. Examples: - BigQuery: 'Project:DataSetId.TableId' - Google Cloud Storage: 'gs://Bucket/folders/filename.txt'

string

The root of the container. Examples: - For BigQuery table project_id:dataset_id.table_id, the root is dataset_id - For Google Cloud Storage file gs://bucket/folder/filename.txt, the root is gs://bucket

string

The rest of the path after the root. Examples: - For BigQuery table project_id:dataset_id.table_id, the relative path is table_id - Google Cloud Storage file gs://bucket/folder/filename.txt, the relative path is folder/filename.txt

Timestamp

Findings container modification timestamp, if applicable. For Google Cloud Storage contains last file modification timestamp. For BigQuery table contains last_modified_time property. For Datastore - not populated.

string

Findings container version, if available ("generation" for Google Cloud Storage).

string

String data to inspect or redact.

Table

Structured content for inspection. See https://cloud.google.com/dlp/docs/inspecting-text#inspecting_a_table to learn more.

ByteContentItem

Content data to inspect or redact. Replaces type and data.

string

Name of the container where the finding is located. The top level name is the source file name or table name. Names of some common storage containers are formatted as follows:

• BigQuery tables: {project_id}:{dataset_id}.{table_id}
• Cloud Storage files: gs://{bucket}/{path}
• Datastore namespace: {namespace}

Nested names could be absent if the embedded object has no string identifier (for an example an image contained within a document).

Timestamp

Findings container modification timestamp, if applicable. For Google Cloud Storage contains last file modification timestamp. For BigQuery table contains last_modified_time property. For Datastore - not populated.

string

Findings container version, if available ("generation" for Google Cloud Storage).

RecordLocation

Location within a row or record of a database table.

ImageLocation

Location within an image's pixels.

DocumentLocation

Location data for document files.

MetadataLocation

Location within the metadata for inspected content.

string

Required. Parent resource name.

The format of this value varies depending on the scope of the request (project or organization) and whether you have specified a processing location:

• Projects scope, location specified:
  projects/PROJECT_ID/locations/LOCATION_ID
• Projects scope, no location specified (defaults to global):
  projects/PROJECT_ID
• Organizations scope, location specified:
  organizations/ORG_ID/locations/LOCATION_ID
• Organizations scope, no location specified (defaults to global):
  organizations/ORG_ID

The following example parent string specifies a parent project with the identifier example-project, and specifies the europe-west3 location for processing data:

parent=projects/example-project/locations/europe-west3

Authorization requires the following IAM permission on the specified resource parent:

• dlp.deidentifyTemplates.create

DeidentifyTemplate

Required. The DeidentifyTemplate to create.

string

The template id can contain uppercase and lowercase letters, numbers, and hyphens; that is, it must match the regular expression: [a-zA-Z\d-_]+. The maximum length is 100 characters. Can be empty to allow the system to generate one.

string

Deprecated. This field has no effect.

string

Required. Parent resource name.

The format of this value varies depending on whether you have specified a processing location:

• Projects scope, location specified:
  projects/PROJECT_ID/locations/LOCATION_ID
• Projects scope, no location specified (defaults to global):
  projects/PROJECT_ID

The following example parent string specifies a parent project with the identifier example-project, and specifies the europe-west3 location for processing data:

parent=projects/example-project/locations/europe-west3

Authorization requires the following IAM permission on the specified resource parent:

• dlp.jobs.create

string

The job id can contain uppercase and lowercase letters, numbers, and hyphens; that is, it must match the regular expression: [a-zA-Z\d-_]+. The maximum length is 100 characters. Can be empty to allow the system to generate one.

string

Deprecated. This field has no effect.

InspectJobConfig

Set to control what and how to inspect.

RiskAnalysisJobConfig

Set to choose what metric to calculate.

string

Required. Parent resource name.

The format of this value varies depending on the scope of the request (project or organization) and whether you have specified a processing location:

• Projects scope, location specified:
  projects/PROJECT_ID/locations/LOCATION_ID
• Projects scope, no location specified (defaults to global):
  projects/PROJECT_ID
• Organizations scope, location specified:
  organizations/ORG_ID/locations/LOCATION_ID
• Organizations scope, no location specified (defaults to global):
  organizations/ORG_ID

The following example parent string specifies a parent project with the identifier example-project, and specifies the europe-west3 location for processing data:

parent=projects/example-project/locations/europe-west3

Authorization requires the following IAM permission on the specified resource parent:

• dlp.inspectTemplates.create

InspectTemplate

Required. The InspectTemplate to create.

string

The template id can contain uppercase and lowercase letters, numbers, and hyphens; that is, it must match the regular expression: [a-zA-Z\d-_]+. The maximum length is 100 characters. Can be empty to allow the system to generate one.

string

Deprecated. This field has no effect.

string

Required. Parent resource name.

The format of this value varies depending on whether you have specified a processing location:

• Projects scope, location specified:
  projects/PROJECT_ID/locations/LOCATION_ID
• Projects scope, no location specified (defaults to global):
  projects/PROJECT_ID

The following example parent string specifies a parent project with the identifier example-project, and specifies the europe-west3 location for processing data:

parent=projects/example-project/locations/europe-west3

Authorization requires one or more of the following IAM permissions on the specified resource parent:

• dlp.jobTriggers.create
• dlp.jobs.create

JobTrigger

Required. The JobTrigger to create.

string

The trigger id can contain uppercase and lowercase letters, numbers, and hyphens; that is, it must match the regular expression: [a-zA-Z\d-_]+. The maximum length is 100 characters. Can be empty to allow the system to generate one.

string

Deprecated. This field has no effect.

string

Required. Parent resource name.

The format of this value varies depending on the scope of the request (project or organization) and whether you have specified a processing location:

• Projects scope, location specified:
  projects/PROJECT_ID/locations/LOCATION_ID
• Projects scope, no location specified (defaults to global):
  projects/PROJECT_ID
• Organizations scope, location specified:
  organizations/ORG_ID/locations/LOCATION_ID
• Organizations scope, no location specified (defaults to global):
  organizations/ORG_ID

The following example parent string specifies a parent project with the identifier example-project, and specifies the europe-west3 location for processing data:

parent=projects/example-project/locations/europe-west3

Authorization requires the following IAM permission on the specified resource parent:

• dlp.storedInfoType.create

StoredInfoTypeConfig

Required. Configuration of the storedInfoType to create.

string

The storedInfoType ID can contain uppercase and lowercase letters, numbers, and hyphens; that is, it must match the regular expression: [a-zA-Z\d-_]+. The maximum length is 100 characters. Can be empty to allow the system to generate one.

string

Deprecated. This field has no effect.

CryptoKey

The key used by the encryption function.

InfoType

The custom info type to annotate the surrogate with. This annotation will be applied to the surrogate by prefixing it with the name of the custom info type followed by the number of characters comprising the surrogate. The following scheme defines the format: {info type name}({surrogate character count}):{surrogate}

For example, if the name of custom info type is 'MY_TOKEN_INFO_TYPE' and the surrogate is 'abc', the full replacement value will be: 'MY_TOKEN_INFO_TYPE(3):abc'

This annotation identifies the surrogate when inspecting content using the custom info type 'Surrogate'. This facilitates reversal of the surrogate when it occurs in free text.

Note: For record transformations where the entire cell in a table is being transformed, surrogates are not mandatory. Surrogates are used to denote the location of the token and are necessary for re-identification in free form text.

In order for inspection to work properly, the name of this info type must not occur naturally anywhere in your data; otherwise, inspection may either

• reverse a surrogate that does not correspond to an actual identifier
• be unable to parse the surrogate and result in an error

Therefore, choose your custom info type name carefully after considering what your data looks like. One way to select a name that has a high chance of yielding reliable detection is to include one or more unicode characters that are highly improbable to exist in your data. For example, assuming your data is entered from a regular ASCII keyboard, the symbol with the hex code point 29DD might be used like so: ⧝MY_TOKEN_TYPE.

FieldId

A context may be used for higher security and maintaining referential integrity such that the same identifier in two different contexts will be given a distinct surrogate. The context is appended to plaintext value being encrypted. On decryption the provided context is validated against the value used during encryption. If a context was provided during encryption, same context must be provided during decryption as well.

If the context is not set, plaintext would be used as is for encryption. If the context is set but:

1. there is no record present when transforming a given value or
2. the field is not present when transforming a given value,

plaintext would be used as is for encryption.

Note that case (1) is expected when an InfoTypeTransformation is applied to both structured and non-structured ContentItems.

CryptoKey

The key used by the hash function.

TransientCryptoKey

Transient crypto key

UnwrappedCryptoKey

Unwrapped crypto key

KmsWrappedCryptoKey

Kms wrapped key

CryptoKey

Required. The key used by the encryption algorithm.

FieldId

The 'tweak', a context may be used for higher security since the same identifier in two different contexts won't be given the same surrogate. If the context is not set, a default tweak will be used.

If the context is set but:

1. there is no record present when transforming a given value or
2. the field is not present when transforming a given value,

a default tweak will be used.

Note that case (1) is expected when an InfoTypeTransformation is applied to both structured and non-structured ContentItems. Currently, the referenced field may be of value type integer or string.

The tweak is constructed as a sequence of bytes in big endian byte order such that:

• a 64 bit integer is encoded followed by a single byte of value 1
• a string is encoded in UTF-8 format followed by a single byte of value 2

InfoType

The custom infoType to annotate the surrogate with. This annotation will be applied to the surrogate by prefixing it with the name of the custom infoType followed by the number of characters comprising the surrogate. The following scheme defines the format: info_type_name(surrogate_character_count):surrogate

For example, if the name of custom infoType is 'MY_TOKEN_INFO_TYPE' and the surrogate is 'abc', the full replacement value will be: 'MY_TOKEN_INFO_TYPE(3):abc'

This annotation identifies the surrogate when inspecting content using the custom infoType SurrogateType. This facilitates reversal of the surrogate when it occurs in free text.

In order for inspection to work properly, the name of this infoType must not occur naturally anywhere in your data; otherwise, inspection may find a surrogate that does not correspond to an actual identifier. Therefore, choose your custom infoType name carefully after considering what your data looks like. One way to select a name that has a high chance of yielding reliable detection is to include one or more unicode characters that are highly improbable to exist in your data. For example, assuming your data is entered from a regular ASCII keyboard, the symbol with the hex code point 29DD might be used like so: ⧝MY_TOKEN_TYPE

FfxCommonNativeAlphabet

Common alphabets.

string

This is supported by mapping these to the alphanumeric characters that the FFX mode natively supports. This happens before/after encryption/decryption. Each character listed must appear only once. Number of characters must be in the range [2, 95]. This must be encoded as ASCII. The order of characters does not matter. The full list of allowed characters is:

0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz ~`!@#$%^&*()_-+={[}]|:;"'<,>.?/

int32

The native way to select the alphabet. Must be in the range [2, 95].

InfoType

CustomInfoType can either be a new infoType, or an extension of built-in infoType, when the name matches one of existing infoTypes and that infoType is specified in InspectContent.info_types field. Specifying the latter adds findings to the one detected by the system. If built-in info type is not specified in InspectContent.info_types list then the name is treated as a custom info type.

Likelihood

Likelihood to return for this CustomInfoType. This base value can be altered by a detection rule if the finding meets the criteria specified by the rule. Defaults to VERY_LIKELY if not specified.

DetectionRule

Set of detection rules to apply to all findings of this CustomInfoType. Rules are applied in order that they are specified. Not supported for the surrogate_type CustomInfoType.

ExclusionType

If set to EXCLUSION_TYPE_EXCLUDE this infoType will not cause a finding to be returned. It still can be used for rules matching.

Dictionary

A list of phrases to detect as a CustomInfoType.

Regex

Regular expression based CustomInfoType.

SurrogateType

Message for detecting output from deidentification transformations that support reversing.

StoredType

Load an existing StoredInfoType resource for use in InspectDataSource. Not currently supported in InspectContent.

HotwordRule

Hotword-based detection rule.

Regex

Regular expression pattern defining what qualifies as a hotword.

Proximity

Proximity of the finding within which the entire hotword must reside. The total length of the window cannot exceed 1000 characters. Note that the finding itself will be included in the window, so that hotwords may be used to match substrings of the finding itself. For example, the certainty of a phone number regex "(\d{3}) \d{3}-\d{4}" could be adjusted upwards if the area code is known to be the local area code of a company office using the hotword regex "(xxx)", where "xxx" is the area code in question.

LikelihoodAdjustment

Likelihood adjustment to apply to all matching findings.

Likelihood

Set the likelihood of a finding to a fixed value.

int32

Increase or decrease the likelihood by the specified number of levels. For example, if a finding would be POSSIBLE without the detection rule and relative_likelihood is 1, then it is upgraded to LIKELY, while a value of -1 would downgrade it to UNLIKELY. Likelihood may never drop below VERY_UNLIKELY or exceed VERY_LIKELY, so applying an adjustment of 1 followed by an adjustment of -1 when base likelihood is VERY_LIKELY will result in a final likelihood of LIKELY.

int32

Number of characters before the finding to consider.

int32

Number of characters after the finding to consider.

WordList

List of words or phrases to search for.

CloudStoragePath

Newline-delimited file of words in Cloud Storage. Only a single file is accepted.

string

Words or phrases defining the dictionary. The dictionary must contain at least one phrase and every phrase must contain at least 2 characters that are letters or digits. [required]

string

Pattern defining the regular expression. Its syntax (https://github.com/google/re2/wiki/Syntax) can be found under the google/re2 repository on GitHub.

int32

The index of the submatch to extract as findings. When not specified, the entire match is returned. No more than 3 may be included.

Key

Datastore entity key.

PartitionId

A partition ID identifies a grouping of entities. The grouping is always by project and namespace, however the namespace ID may be empty.

KindExpression

The kind to process.

int32

Required. Range of shift in days. Actual shift will be selected at random within this range (inclusive ends). Negative means shift to earlier in time. Must not be more than 365250 days (1000 years) each direction.

For example, 3 means shift date to at most 3 days into the future.

int32

Required. For example, -5 means shift date to at most 5 days back in the past.

FieldId

Points to the field that contains the context, for example, an entity id. If set, must also set cryptoKey. If set, shift will be consistent for the given context.

CryptoKey

Causes the shift to be computed based on this key and the context. This results in the same shift for the same context and crypto_key. If set, must also set context. Can only be applied to table items.

Date

One or more of the following must be set. Must be a valid date or time value.

DayOfWeek

Day of week

TimeOfDay

Time of day

TimeZone

Time zone

int32

Set only if the offset can be determined. Positive for time ahead of UTC. E.g. For "UTC-9", this value is -540.

TransformationErrorHandling

Mode for handling transformation errors. If left unspecified, the default mode is TransformationErrorHandling.ThrowError.

InfoTypeTransformations

Treat the dataset as free-form text and apply the same free text transformation everywhere.

RecordTransformations

Treat the dataset as structured. Transformations can be applied to specific locations within structured datasets, such as transforming a column within a table.

string

Parent resource name.

The format of this value varies depending on whether you have specified a processing location:

• Projects scope, location specified:
  projects/PROJECT_ID/locations/LOCATION_ID
• Projects scope, no location specified (defaults to global):
  projects/PROJECT_ID

The following example parent string specifies a parent project with the identifier example-project, and specifies the europe-west3 location for processing data:

parent=projects/example-project/locations/europe-west3

Authorization requires the following IAM permission on the specified resource parent:

• serviceusage.services.use

DeidentifyConfig

Configuration for the de-identification of the content item. Items specified here will override the template referenced by the deidentify_template_name argument.

InspectConfig

Configuration for the inspector. Items specified here will override the template referenced by the inspect_template_name argument.

ContentItem

The item to de-identify. Will be treated as text.

string

Template to use. Any configuration directly specified in inspect_config will override those set in the template. Singular fields that are set in this request will replace their corresponding fields in the template. Repeated fields are appended. Singular sub-messages and groups are recursively merged.

string

Template to use. Any configuration directly specified in deidentify_config will override those set in the template. Singular fields that are set in this request will replace their corresponding fields in the template. Repeated fields are appended. Singular sub-messages and groups are recursively merged.

string

Deprecated. This field has no effect.

ContentItem

The de-identified item.

TransformationOverview

An overview of the changes that were made on the item.

string

Output only. The template name.

The template will have one of the following formats: projects/PROJECT_ID/deidentifyTemplates/TEMPLATE_ID OR organizations/ORGANIZATION_ID/deidentifyTemplates/TEMPLATE_ID

string

Display name (max 256 chars).

string

Short description (max 256 chars).

Timestamp

Output only. The creation timestamp of an inspectTemplate.

Timestamp

Output only. The last update timestamp of an inspectTemplate.

DeidentifyConfig

///////////// // The core content of the template // ///////////////

string

Required. Resource name of the organization and deidentify template to be deleted, for example organizations/433245324/deidentifyTemplates/432452342 or projects/project-id/deidentifyTemplates/432452342.

Authorization requires the following IAM permission on the specified resource name:

• dlp.deidentifyTemplates.delete

string

Required. The name of the DlpJob resource to be deleted.

Authorization requires the following IAM permission on the specified resource name:

• dlp.jobs.delete

string

Required. Resource name of the organization and inspectTemplate to be deleted, for example organizations/433245324/inspectTemplates/432452342 or projects/project-id/inspectTemplates/432452342.

Authorization requires the following IAM permission on the specified resource name:

• dlp.inspectTemplates.delete

string

Required. Resource name of the project and the triggeredJob, for example projects/dlp-test-project/jobTriggers/53234423.

Authorization requires the following IAM permission on the specified resource name:

• dlp.triggeredJobs.delete

string

Required. Resource name of the organization and storedInfoType to be deleted, for example organizations/433245324/storedInfoTypes/432452342 or projects/project-id/storedInfoTypes/432452342.

Authorization requires the following IAM permission on the specified resource name:

• dlp.storedInfoTypes.delete

string

The server-assigned name.

DlpJobType

The type of job.

JobState

State of a job.

Timestamp

Time when the job was created.

Timestamp

Time when the job started.

Timestamp

Time when the job finished.

string

If created by a job trigger, the resource name of the trigger that instantiated the job.

Error

A stream of errors encountered running the job.

AnalyzeDataSourceRiskDetails

Results from analyzing risk of a data source.

InspectDataSourceDetails

Results from inspecting a data source.

int64

Offset of the line, from the beginning of the file, where the finding is located.

FieldId

Composite key indicating which field contains the entity identifier.

Status

Detailed error codes and messages.

Timestamp

The times the error occurred.

InfoType

InfoType list in ExclusionRule rule drops a finding when it overlaps or contained within with a finding of an infoType from this list. For example, for InspectionRuleSet.info_types containing "PHONE_NUMBER"and exclusion_rulecontainingexclude_info_types.info_types` with "EMAIL_ADDRESS" the phone number findings are dropped if they overlap with EMAIL_ADDRESS finding. That leads to "555-222-2222@example.org" to generate only a single finding, namely email address.

MatchingType

How the rule is applied, see MatchingType documentation for details.

Dictionary

Dictionary which defines the rule.

Regex

Regular expression which defines the rule.

ExcludeInfoTypes

Set of infoTypes for which findings would affect this rule.

string

Name describing the field.

FieldId

Required. Input field(s) to apply the transformation to.

RecordCondition

Only apply the transformation if the condition evaluates to true for the given RecordCondition. The conditions are allowed to reference fields that are not used in the actual transformation.

Example Use Cases:

• Apply a different bucket transformation to an age column if the zip code column for the same record is within a specific range.
• Redact a field if the date of birth field is greater than 85.

PrimitiveTransformation

Apply the transformation to the entire field.

InfoTypeTransformations

Treat the contents of the field as free text, and selectively transform content that matches an InfoType.

string

Resource name in format projects/{project}/locations/{location}/findings/{finding} Populated only when viewing persisted findings.

string

The content that was found. Even if the content is not textual, it may be converted to a textual representation here. Provided if include_quote is true and the finding is less than or equal to 4096 bytes long. If the finding exceeds 4096 bytes in length, the quote may be omitted.

InfoType

The type of content that might have been found. Provided if excluded_types is false.

Likelihood

Confidence of how likely it is that the info_type is correct.

Location

Where the content was found.

Timestamp

Timestamp when finding was detected.

QuoteInfo

Contains data parsed from quotes. Only populated if include_quote was set to true and a supported infoType was requested. Currently supported infoTypes: DATE, DATE_OF_BIRTH and TIME.

string

The job that stored the finding.

string

Job trigger name, if applicable, for this finding.

map<string, string>

The labels associated with this Finding.

Label keys must be between 1 and 63 characters long and must conform to the following regular expression: [a-z]([-a-z0-9]*[a-z0-9])?.

Label values must be between 0 and 63 characters long and must conform to the regular expression ([a-z]([-a-z0-9]*[a-z0-9])?)?.

No more than 10 labels can be associated with a given finding.

Examples: * "environment" : "production" * "pipeline" : "etl"

Timestamp

Time the job started that produced this finding.

string

The job that stored the finding.

string

Required. The name of the DlpJob resource to be cancelled.

Authorization requires the following IAM permission on the specified resource name:

• dlp.jobs.finish

Value

Required. Lower bound value of buckets. All values less than lower_bound are grouped together into a single bucket; for example if lower_bound = 10, then all values less than 10 are replaced with the value "-10".

Value

Required. Upper bound value of buckets. All values greater than upper_bound are grouped together into a single bucket; for example if upper_bound = 89, then all values greater than 89 are replaced with the value "89+".

double

Required. Size of each bucket (except for minimum and maximum buckets). So if lower_bound = 10, upper_bound = 89, and bucket_size = 10, then the following buckets would be used: -10, 10-20, 20-30, 30-40, 40-50, 50-60, 60-70, 70-80, 80-89, 89+. Precision up to 2 decimals works.

string

Required. Resource name of the organization and deidentify template to be read, for example organizations/433245324/deidentifyTemplates/432452342 or projects/project-id/deidentifyTemplates/432452342.

Authorization requires the following IAM permission on the specified resource name:

• dlp.deidentifyTemplates.get

string

Required. The name of the DlpJob resource.

Authorization requires the following IAM permission on the specified resource name:

• dlp.jobs.get

string

Required. Resource name of the organization and inspectTemplate to be read, for example organizations/433245324/inspectTemplates/432452342 or projects/project-id/inspectTemplates/432452342.

Authorization requires the following IAM permission on the specified resource name:

• dlp.inspectTemplates.get

string

Required. Resource name of the project and the triggeredJob, for example projects/dlp-test-project/jobTriggers/53234423.

Authorization requires the following IAM permission on the specified resource name:

• dlp.jobTriggers.get

string

Required. Resource name of the organization and storedInfoType to be read, for example organizations/433245324/storedInfoTypes/432452342 or projects/project-id/storedInfoTypes/432452342.

Authorization requires the following IAM permission on the specified resource name:

• dlp.storedInfoTypes.get

ContentItem

The item to inspect.

HybridFindingDetails

Supplementary information that will be added to each finding.

Container

Details about the container where the content being inspected is from.

int64

Offset in bytes of the line, from the beginning of the file, where the finding is located. Populate if the item being scanned is only part of a bigger item, such as a shard of a file and you want to track the absolute position of the finding.

int64

Offset of the row for tables. Populate if the row(s) being scanned are part of a bigger dataset and you want to keep track of their absolute position.

TableOptions

If the container is a table, additional information to make findings meaningful such as the columns that are primary keys. If not known ahead of time, can also be set within each inspect hybrid call and the two will be merged. Note that identifying_fields will only be stored to BigQuery, and only if the BigQuery action has been included.

map<string, string>

Labels to represent user provided metadata about the data being inspected. If configured by the job, some key values may be required. The labels associated with Finding's produced by hybrid inspection.

Label keys must be between 1 and 63 characters long and must conform to the following regular expression: [a-z]([-a-z0-9]*[a-z0-9])?.

Label values must be between 0 and 63 characters long and must conform to the regular expression ([a-z]([-a-z0-9]*[a-z0-9])?)?.

No more than 10 labels can be associated with a given finding.

Examples: * "environment" : "production" * "pipeline" : "etl"

string

Required. Resource name of the job to execute a hybrid inspect on, for example projects/dlp-test-project/dlpJob/53234423.

Authorization requires the following IAM permission on the specified resource name:

• dlp.jobs.hybridInspect

HybridContentItem

The item to inspect.

string

Required. Resource name of the trigger to execute a hybrid inspect on, for example projects/dlp-test-project/jobTriggers/53234423.

Authorization requires the following IAM permission on the specified resource name:

• dlp.jobTriggers.hybridInspect

HybridContentItem

The item to inspect.

int64

The number of hybrid inspection requests processed within this job.

int64

The number of hybrid inspection requests aborted because the job ran out of quota or was ended before they could be processed.

int64

The number of hybrid requests currently being processed. Only populated when called via method getDlpJob. A burst of traffic may cause hybrid inspect requests to be enqueued. Processing will take place as quickly as possible, but resource limitations may impact how long a request is enqueued for.

string

A short description of where the data is coming from. Will be stored once in the job. 256 max length.

string

These are labels that each inspection request must include within their 'finding_labels' map. Request may contain others, but any missing one of these will be rejected.

Label keys must be between 1 and 63 characters long and must conform to the following regular expression: [a-z]([-a-z0-9]*[a-z0-9])?.

No more than 10 keys can be required.

map<string, string>

To organize findings, these labels will be added to each finding.

Label keys must be between 1 and 63 characters long and must conform to the following regular expression: