REST Resource: folders.locations.entitlements.grants

Resource: Grant
Methods

Resource: Grant

A grant represents a request from a user for obtaining the access specified in an entitlement they are eligible for.

JSON representation

JSON representation
{ "name": string, "createTime": string, "updateTime": string, "requester": string, "requestedDuration": string, "justification": { object (`Justification`) }, "state": enum (`State`), "timeline": { object (`Timeline`) }, "privilegedAccess": { object (`PrivilegedAccess`) }, "auditTrail": { object (`AuditTrail`) }, "additionalEmailRecipients": [ string ], "externallyModified": boolean }

{
  "name": string,
  "createTime": string,
  "updateTime": string,
  "requester": string,
  "requestedDuration": string,
  "justification": {
    object (Justification)
  },
  "state": enum (State),
  "timeline": {
    object (Timeline)
  },
  "privilegedAccess": {
    object (PrivilegedAccess)
  },
  "auditTrail": {
    object (AuditTrail)
  },
  "additionalEmailRecipients": [
    string
  ],
  "externallyModified": boolean
}

Fields
`name`	`string` Identifier. Name of this grant. Possible formats: `organizations/{organization-number}/locations/{region}/entitlements/{entitlement-id}/grants/{grant-id}` `folders/{folder-number}/locations/{region}/entitlements/{entitlement-id}/grants/{grant-id}` `projects/{project-id\|project-number}/locations/{region}/entitlements/{entitlement-id}/grants/{grant-id}` The last segment of this name (`{grant-id}`) is autogenerated.
`createTime`	`string (Timestamp format)` Output only. Create time stamp. A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: `"2014-10-02T15:01:23Z"` and `"2014-10-02T15:01:23.045123456Z"`.
`updateTime`	`string (Timestamp format)` Output only. Update time stamp. A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: `"2014-10-02T15:01:23Z"` and `"2014-10-02T15:01:23.045123456Z"`.
`requester`	`string` Output only. Username of the user who created this grant.
`requestedDuration`	`string (Duration format)` Required. The amount of time access is needed for. This value should be less than the `maxRequestDuration` value of the entitlement. A duration in seconds with up to nine fractional digits, ending with '`s`'. Example: `"3.5s"`.
`justification`	`object (Justification)` Optional. Justification of why this access is needed.
`state`	`enum (State)` Output only. Current state of this grant.
`timeline`	`object (Timeline)` Output only. Timeline of this grant.
`privilegedAccess`	`object (PrivilegedAccess)` Output only. The access that would be granted by this grant.
`auditTrail`	`object (AuditTrail)` Output only. Audit trail of access provided by this grant. If unspecified then access was never granted.
`additionalEmailRecipients[]`	`string` Optional. Additional email addresses to notify for all the actions performed on the grant.
`externallyModified`	`boolean` Output only. Flag set by the PAM system to indicate that policy bindings made by this grant have been modified from outside PAM. After it is set, this flag remains set forever irrespective of the grant state. A `true` value here indicates that PAM no longer has any certainty on the access a user has because of this grant.

Justification

Justification represents a justification for requesting access.

JSON representation
{ // Union field `justification` can be only one of the following: "unstructuredJustification": string // End of list of possible types for union field `justification`. }

Fields

Fields
Union field `justification`. `justification` can be only one of the following:
`unstructuredJustification`	`string` A free form textual justification. The system only ensures that this is not empty. No other kind of validation is performed on the string.

Union field justification.

justification can be only one of the following:

unstructuredJustification

string

A free form textual justification. The system only ensures that this is not empty. No other kind of validation is performed on the string.

State

Different states a grant can be in.

Enums
`STATE_UNSPECIFIED`	Unspecified state. This value is never returned by the server.
`APPROVAL_AWAITED`	The entitlement had an approval workflow configured and this grant is waiting for the workflow to complete.
`DENIED`	The approval workflow completed with a denied result. No access is granted for this grant. This is a terminal state.
`SCHEDULED`	The approval workflow completed successfully with an approved result or none was configured. Access is provided at an appropriate time.
`ACTIVATING`	Access is being given.
`ACTIVE`	Access was successfully given and is currently active.
`ACTIVATION_FAILED`	The system could not give access due to a non-retriable error. This is a terminal state.
`EXPIRED`	Expired after waiting for the approval workflow to complete. This is a terminal state.
`REVOKING`	Access is being revoked.
`REVOKED`	Access was revoked by a user. This is a terminal state.
`ENDED`	System took back access as the requested duration was over. This is a terminal state.

Timeline

Timeline of a grant describing what happened to it and when.

JSON representation
{ "events": [ { object (`Event`) } ] }

Fields

Fields
`events[]`	`object (Event)` Output only. The events that have occurred on this grant. This list contains entries in the same order as they occurred. The first entry is always be of type `Requested` and there is always at least one entry in this array.

events[]

object (Event)

Output only. The events that have occurred on this grant. This list contains entries in the same order as they occurred. The first entry is always be of type Requested and there is always at least one entry in this array.

Event

A single operation on the grant.

JSON representation

JSON representation
{ "eventTime": string, // Union field `event` can be only one of the following: "requested": { object (`Requested`) }, "approved": { object (`Approved`) }, "denied": { object (`Denied`) }, "revoked": { object (`Revoked`) }, "scheduled": { object (`Scheduled`) }, "activated": { object (`Activated`) }, "activationFailed": { object (`ActivationFailed`) }, "expired": { object (`Expired`) }, "ended": { object (`Ended`) }, "externallyModified": { object (`ExternallyModified`) } // End of list of possible types for union field `event`. }

{
  "eventTime": string,

  // Union field event can be only one of the following:
  "requested": {
    object (Requested)
  },
  "approved": {
    object (Approved)
  },
  "denied": {
    object (Denied)
  },
  "revoked": {
    object (Revoked)
  },
  "scheduled": {
    object (Scheduled)
  },
  "activated": {
    object (Activated)
  },
  "activationFailed": {
    object (ActivationFailed)
  },
  "expired": {
    object (Expired)
  },
  "ended": {
    object (Ended)
  },
  "externallyModified": {
    object (ExternallyModified)
  }
  // End of list of possible types for union field event.
}

Fields
`eventTime`	`string (Timestamp format)` Output only. The time (as recorded at server) when this event occurred. A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: `"2014-10-02T15:01:23Z"` and `"2014-10-02T15:01:23.045123456Z"`.
Union field `event`. `event` can be only one of the following:
`requested`	`object (Requested)` The grant was requested.
`approved`	`object (Approved)` The grant was approved.
`denied`	`object (Denied)` The grant was denied.
`revoked`	`object (Revoked)` The grant was revoked.
`scheduled`	`object (Scheduled)` The grant has been scheduled to give access.
`activated`	`object (Activated)` The grant was successfully activated to give access.
`activationFailed`	`object (ActivationFailed)` There was a non-retriable error while trying to give access.
`expired`	`object (Expired)` The approval workflow did not complete in the necessary duration, and so the grant is expired.
`ended`	`object (Ended)` Access given by the grant ended automatically as the approved duration was over.
`externallyModified`	`object (ExternallyModified)` The policy bindings made by grant have been modified outside of PAM.

Requested

An event representing that a grant was requested.

JSON representation
{ "expireTime": string }

Fields

Fields
`expireTime`	`string (Timestamp format)` Output only. The time at which this grant expires unless the approval workflow completes. If omitted, then the request never expires. A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: `"2014-10-02T15:01:23Z"` and `"2014-10-02T15:01:23.045123456Z"`.

expireTime

string (Timestamp format)

Output only. The time at which this grant expires unless the approval workflow completes. If omitted, then the request never expires.

A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z".

Approved

An event representing that the grant was approved.

JSON representation
{ "reason": string, "actor": string }

Fields

Fields
`reason`	`string` Output only. The reason provided by the approver for approving the grant.
`actor`	`string` Output only. Username of the user who approved the grant.

reason

string

Output only. The reason provided by the approver for approving the grant.

actor

string

Output only. Username of the user who approved the grant.

Denied

An event representing that the grant was denied.

JSON representation
{ "reason": string, "actor": string }

Fields

Fields
`reason`	`string` Output only. The reason provided by the approver for denying the grant.
`actor`	`string` Output only. Username of the user who denied the grant.

reason

string

Output only. The reason provided by the approver for denying the grant.

actor

string

Output only. Username of the user who denied the grant.

Revoked

An event representing that the grant was revoked.

JSON representation
{ "reason": string, "actor": string }

Fields

Fields
`reason`	`string` Output only. The reason provided by the user for revoking the grant.
`actor`	`string` Output only. Username of the user who revoked the grant.

reason

string

Output only. The reason provided by the user for revoking the grant.

actor

string

Output only. Username of the user who revoked the grant.

Scheduled

An event representing that the grant has been scheduled to be activated later.

JSON representation
{ "scheduledActivationTime": string }

Fields

Fields
`scheduledActivationTime`	`string (Timestamp format)` Output only. The time at which the access is granted. A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: `"2014-10-02T15:01:23Z"` and `"2014-10-02T15:01:23.045123456Z"`.

scheduledActivationTime

string (Timestamp format)

Output only. The time at which the access is granted.

A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z".

Activated

This type has no fields.

An event representing that the grant was successfully activated.

ActivationFailed

An event representing that the grant activation failed.

JSON representation
{ "error": { object (`Status`) } }

Fields

Fields
`error`	`object (Status)` Output only. The error that occurred while activating the grant.

error

object (Status)

Output only. The error that occurred while activating the grant.

Expired

This type has no fields.

An event representing that the grant was expired.

Ended

This type has no fields.

An event representing that the grant has ended.

ExternallyModified

This type has no fields.

An event representing that the policy bindings made by this grant were modified externally.

AuditTrail

Audit trail for the access provided by this grant.

JSON representation
{ "accessGrantTime": string, "accessRemoveTime": string }

Fields

Fields
`accessGrantTime`	`string (Timestamp format)` Output only. The time at which access was given. A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: `"2014-10-02T15:01:23Z"` and `"2014-10-02T15:01:23.045123456Z"`.
`accessRemoveTime`	`string (Timestamp format)` Output only. The time at which the system removed access. This could be because of an automatic expiry or because of a revocation. If unspecified, then access hasn't been removed yet. A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: `"2014-10-02T15:01:23Z"` and `"2014-10-02T15:01:23.045123456Z"`.

accessGrantTime

string (Timestamp format)

Output only. The time at which access was given.

A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z".

accessRemoveTime

string (Timestamp format)

Output only. The time at which the system removed access. This could be because of an automatic expiry or because of a revocation.

If unspecified, then access hasn't been removed yet.

A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z".

Methods
`approve`	`ApproveGrant` is used to approve a grant.
`create`	Creates a new grant in a given project/folder/organization and location.
`deny`	`DenyGrant` is used to deny a grant.
`get`	Get details of a single grant.
`list`	Lists grants for a given entitlement.
`revoke`	`RevokeGrant` is used to immediately revoke access for a grant.
`search`	`SearchGrants` returns grants that are related to the calling user in the specified way.

REST Resource: folders.locations.entitlements.grants

Resource: Grant

Justification

State

Timeline

Event

Requested

Approved

Denied

Revoked

Scheduled

Activated

ActivationFailed

Expired

Ended

ExternallyModified

AuditTrail

Methods

`approve`

`create`

`deny`

`get`

`list`

`revoke`

`search`