REST Resource: folders.locations.entitlements.grants

Resource: Grant

A grant represents a request from a user for obtaining the access specified in an entitlement they are eligible for.

JSON representation
{
  "name": string,
  "createTime": string,
  "updateTime": string,
  "requester": string,
  "requestedDuration": string,
  "justification": {
    object (Justification)
  },
  "state": enum (State),
  "timeline": {
    object (Timeline)
  },
  "privilegedAccess": {
    object (PrivilegedAccess)
  },
  "requestedPrivilegedAccess": [
    {
      object (RequestedPrivilegedAccess)
    }
  ],
  "auditTrail": {
    object (AuditTrail)
  },
  "additionalEmailRecipients": [
    string
  ],
  "externallyModified": boolean
}
Fields
name

string

Identifier. Name of this grant. Possible formats:

  • organizations/{organization-number}/locations/{region}/entitlements/{entitlement-id}/grants/{grant-id}
  • folders/{folder-number}/locations/{region}/entitlements/{entitlement-id}/grants/{grant-id}
  • projects/{project-id|project-number}/locations/{region}/entitlements/{entitlement-id}/grants/{grant-id}

The last segment of this name ({grant-id}) is autogenerated.

createTime

string (Timestamp format)

Output only. Create time stamp.

Uses RFC 3339, where generated output will always be Z-normalized and use 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples: "2014-10-02T15:01:23Z", "2014-10-02T15:01:23.045123456Z" or "2014-10-02T15:01:23+05:30".

updateTime

string (Timestamp format)

Output only. Update time stamp.

Uses RFC 3339, where generated output will always be Z-normalized and use 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples: "2014-10-02T15:01:23Z", "2014-10-02T15:01:23.045123456Z" or "2014-10-02T15:01:23+05:30".

requester

string

Output only. Username of the user who created this grant.

requestedDuration

string (Duration format)

Required. The amount of time access is needed for. This value should be less than the maxRequestDuration value of the entitlement.

A duration in seconds with up to nine fractional digits, ending with 's'. Example: "3.5s".

justification

object (Justification)

Optional. Justification of why this access is needed.

state

enum (State)

Output only. Current state of this grant.

timeline

object (Timeline)

Output only. Timeline of this grant.

privilegedAccess

object (PrivilegedAccess)

Output only. The access that would be granted by this grant.

requestedPrivilegedAccess[]

object (RequestedPrivilegedAccess)

Optional. The accesses requested to be granted by this grant.

auditTrail

object (AuditTrail)

Output only. Audit trail of access provided by this grant. If unspecified, then access was never granted.

additionalEmailRecipients[]

string

Optional. Additional email addresses to notify for all the actions performed on the grant.

externallyModified

boolean

Output only. Flag set by the PAM system to indicate that policy bindings made by this grant have been modified from outside PAM.

After it is set, this flag remains set forever irrespective of the grant state. A true value here indicates that PAM no longer has any certainty on the access a user has because of this grant.

Justification

Justification represents a justification for requesting access.

JSON representation
{

  // Union field justification can be only one of the following:
  "unstructuredJustification": string
  // End of list of possible types for union field justification.
}
Fields

Union field justification.

justification can be only one of the following:

unstructuredJustification

string

A free form textual justification. The system only ensures that this is not empty. No other kind of validation is performed on the string.

State

Different states a grant can be in.

Enums
STATE_UNSPECIFIED Unspecified state. This value is never returned by the server.
APPROVAL_AWAITED The entitlement had an approval workflow configured and this grant is waiting for the workflow to complete.
DENIED The approval workflow completed with a denied result. No access is granted for this grant. This is a terminal state.
SCHEDULED The approval workflow completed successfully with an approved result or none was configured. Access is provided at an appropriate time.
ACTIVATING Access is being given.
ACTIVE Access was successfully given and is currently active.
ACTIVATION_FAILED The system could not give access due to a non-retriable error. This is a terminal state.
EXPIRED Expired after waiting for the approval workflow to complete. This is a terminal state.
REVOKING Access is being revoked.
REVOKED Access was revoked by a user. This is a terminal state.
ENDED System took back access as the requested duration was over. This is a terminal state.
WITHDRAWING Access is being withdrawn.
WITHDRAWN Grant was withdrawn by the grant owner. This is a terminal state.
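The Grant fields and the State enum above describe a record that a reviewer typically has to inspect in bulk: is the requested duration within the entitlement's limit, is there a real justification, has the grant been marked externallyModified, and does the auditTrail agree with the state. The following Python is an added example and not Google's code: it applies those checks to a Grant JSON of the documented shape. The sample grant, the entitlement's maxRequestDuration value passed in by the caller, and the helper names (`parse_duration`, `is_terminal`, `review_grant`) are constructed for this example; the entitlement resource itself is not on this page.

```python
"""Review checks over a PAM Grant document.

Added example (not Google's code): it reads a Grant JSON of the shape
documented above and returns the conditions a reviewer would want flagged.
The sample grant and the entitlement's maxRequestDuration are constructed
values; the entitlement resource itself is not part of this page.
"""
from decimal import Decimal
import json

# States the documentation marks as terminal.
TERMINAL_STATES = frozenset({
    "DENIED", "ACTIVATION_FAILED", "EXPIRED", "REVOKED", "ENDED", "WITHDRAWN",
})
# Every value of the State enum.
ALL_STATES = TERMINAL_STATES | {
    "STATE_UNSPECIFIED", "APPROVAL_AWAITED", "SCHEDULED", "ACTIVATING",
    "ACTIVE", "REVOKING", "WITHDRAWING",
}
# States in which the system has already taken the access back.
ACCESS_REMOVED_STATES = frozenset({"REVOKED", "ENDED"})


def parse_duration(value: str) -> Decimal:
    """Parse the Duration format: seconds with up to nine fractional digits
    and a trailing 's' (for example "3.5s" or "3600s")."""
    if not value.endswith("s"):
        raise ValueError(f"duration must end with 's': {value!r}")
    number = value[:-1]
    whole, _, fraction = number.partition(".")
    if not whole.isdigit() or (fraction and not fraction.isdigit()):
        raise ValueError(f"malformed duration: {value!r}")
    if len(fraction) > 9:
        raise ValueError(f"more than nine fractional digits: {value!r}")
    return Decimal(number)


def is_terminal(state: str) -> bool:
    """True for the states the documentation marks as terminal."""
    if state not in ALL_STATES:
        raise ValueError(f"unknown grant state: {state!r}")
    return state in TERMINAL_STATES


def review_grant(grant: dict, max_request_duration: str) -> list[str]:
    """Return findings for one Grant; an empty list means nothing to flag."""
    findings = []
    state = grant.get("state", "STATE_UNSPECIFIED")
    if state not in ALL_STATES or state == "STATE_UNSPECIFIED":
        findings.append(f"unexpected state {state!r}")

    # requestedDuration must stay within the entitlement's maxRequestDuration.
    requested = parse_duration(grant["requestedDuration"])
    ceiling = parse_duration(max_request_duration)
    if requested > ceiling:
        findings.append(
            f"requestedDuration {requested}s exceeds maxRequestDuration {ceiling}s")

    # The server only guarantees the justification is non-empty; a reviewer
    # usually wants more than whitespace.
    text = (grant.get("justification") or {}).get("unstructuredJustification", "")
    if not text.strip():
        findings.append("justification is missing or blank")

    # Once set, externallyModified never clears: PAM can no longer vouch for
    # what access this grant actually confers.
    if grant.get("externallyModified"):
        findings.append("policy bindings were modified outside PAM")

    # auditTrail is the record of access actually given and taken back.
    trail = grant.get("auditTrail")
    if state == "ACTIVE" and not (trail and trail.get("accessGrantTime")):
        findings.append("state is ACTIVE but auditTrail has no accessGrantTime")
    if state in ACCESS_REMOVED_STATES and trail and not trail.get("accessRemoveTime"):
        findings.append(f"state is {state} but auditTrail.accessRemoveTime is unset")
    return findings


# Constructed sample: a grant that exceeds its entitlement's limit, carries a
# blank justification, and whose bindings were touched outside PAM.
SAMPLE_GRANT = json.loads("""{
  "name": "projects/example-project/locations/global/entitlements/example-entitlement/grants/grant-id-placeholder",
  "createTime": "2024-05-01T10:00:00Z",
  "updateTime": "2024-05-01T11:30:00Z",
  "requester": "dev@example.com",
  "requestedDuration": "7200s",
  "justification": {"unstructuredJustification": "   "},
  "state": "ACTIVE",
  "auditTrail": {"accessGrantTime": "2024-05-01T10:05:00Z"},
  "externallyModified": true
}""")

if __name__ == "__main__":
    for finding in review_grant(SAMPLE_GRANT, "3600s"):
        print("-", finding)
```

The duration comparison uses Decimal rather than float so that nine fractional digits survive intact; the state checks only use the transitions the enum descriptions state, so a grant in REVOKING or WITHDRAWING is deliberately not judged until it reaches its terminal state.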

Timeline

Timeline of a grant describing what happened to it and when.

JSON representation
{
  "events": [
    {
      object (Event)
    }
  ]
}
Fields
events[]

object (Event)

Output only. The events that have occurred on this grant. This list contains entries in the same order as they occurred. The first entry is always of type Requested and there is always at least one entry in this array.

Event

A single operation on the grant.

JSON representation
{
  "eventTime": string,

  // Union field event can be only one of the following:
  "requested": {
    object (Requested)
  },
  "approved": {
    object (Approved)
  },
  "denied": {
    object (Denied)
  },
  "revoked": {
    object (Revoked)
  },
  "scheduled": {
    object (Scheduled)
  },
  "activated": {
    object (Activated)
  },
  "activationFailed": {
    object (ActivationFailed)
  },
  "expired": {
    object (Expired)
  },
  "ended": {
    object (Ended)
  },
  "externallyModified": {
    object (ExternallyModified)
  },
  "withdrawn": {
    object (Withdrawn)
  }
  // End of list of possible types for union field event.
}
Fields
eventTime

string (Timestamp format)

Output only. The time (as recorded at server) when this event occurred.

Uses RFC 3339, where generated output will always be Z-normalized and use 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples: "2014-10-02T15:01:23Z", "2014-10-02T15:01:23.045123456Z" or "2014-10-02T15:01:23+05:30".

Union field event.

event can be only one of the following:

requested

object (Requested)

The grant was requested.

approved

object (Approved)

The grant was approved.

denied

object (Denied)

The grant was denied.

revoked

object (Revoked)

The grant was revoked.

scheduled

object (Scheduled)

The grant has been scheduled to give access.

activated

object (Activated)

The grant was successfully activated to give access.

activationFailed

object (ActivationFailed)

There was a non-retriable error while trying to give access.

expired

object (Expired)

The approval workflow did not complete in the necessary duration, and so the grant is expired.

ended

object (Ended)

Access given by the grant ended automatically as the approved duration was over.

externallyModified

object (ExternallyModified)

The policy bindings made by the grant have been modified outside of PAM.

withdrawn

object (Withdrawn)

The grant was withdrawn.

Requested

An event representing that a grant was requested.

JSON representation
{
  "expireTime": string
}
Fields
expireTime

string (Timestamp format)

Output only. The time at which this grant expires unless the approval workflow completes. If omitted, then the request never expires.

Uses RFC 3339, where generated output will always be Z-normalized and use 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples: "2014-10-02T15:01:23Z", "2014-10-02T15:01:23.045123456Z" or "2014-10-02T15:01:23+05:30".

Approved

An event representing that the grant was approved.

JSON representation
{
  "reason": string,
  "actor": string,
  "stepId": string
}
Fields
reason

string

Output only. The reason provided by the approver for approving the grant.

actor

string

Output only. Username of the user who approved the grant.

stepId

string

Output only. The ID of the approval workflow step that was approved.

Denied

An event representing that the grant was denied.

JSON representation
{
  "reason": string,
  "actor": string,
  "stepId": string
}
Fields
reason

string

Output only. The reason provided by the approver for denying the grant.

actor

string

Output only. Username of the user who denied the grant.

stepId

string

Output only. The ID of the approval workflow step that was denied.

Revoked

An event representing that the grant was revoked.

JSON representation
{
  "reason": string,
  "actor": string
}
Fields
reason

string

Output only. The reason provided by the user for revoking the grant.

actor

string

Output only. Username of the user who revoked the grant.

Scheduled

An event representing that the grant has been scheduled to be activated later.

JSON representation
{
  "scheduledActivationTime": string
}
Fields
scheduledActivationTime

string (Timestamp format)

Output only. The time at which the access is granted.

Uses RFC 3339, where generated output will always be Z-normalized and use 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples: "2014-10-02T15:01:23Z", "2014-10-02T15:01:23.045123456Z" or "2014-10-02T15:01:23+05:30".

Activated

This type has no fields.

An event representing that the grant was successfully activated.

ActivationFailed

An event representing that the grant activation failed.

JSON representation
{
  "error": {
    object (Status)
  }
}
Fields
error

object (Status)

Output only. The error that occurred while activating the grant.

Expired

This type has no fields.

An event representing that the grant was expired.

Ended

This type has no fields.

An event representing that the grant has ended.

ExternallyModified

This type has no fields.

An event representing that the policy bindings made by this grant were modified externally.

Withdrawn

This type has no fields.

An event representing that the grant was withdrawn.
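The Timeline, Event and event-type definitions above state two invariants (at least one event, the first of type Requested, entries in the order they occurred) and spread the audit-relevant facts across several union members: who approved, denied or revoked and why, when access was activated, and when it ended. The following Python is an added example, not Google's code: it validates a Timeline of the documented shape against those invariants, parses the RFC 3339 timestamps with the fractional-digit and offset forms the page lists, and produces an audit summary. The sample timeline, its actor and reason values, and the helper names (`parse_timestamp`, `event_kind`, `summarize_timeline`) are constructed for this example.

```python
"""Audit summary of a Grant's timeline.

Added example (not Google's code): it validates a Timeline of the shape
documented above, checks the ordering rules the page states, and extracts
who decided what. The sample timeline is constructed.
"""
import re
from datetime import datetime, timedelta, timezone

# RFC 3339 as the API emits and accepts it: 'Z' or a numeric offset, with an
# optional fraction. Generated output uses 0, 3, 6 or 9 fractional digits;
# the parser tolerates any count up to nine since other offsets are accepted
# on input too.
_RFC3339 = re.compile(
    r"^(\d{4})-(\d{2})-(\d{2})T(\d{2}):(\d{2}):(\d{2})"
    r"(?:\.(\d{1,9}))?(Z|[+-]\d{2}:\d{2})$"
)

# Members of the Event union, keyed by JSON field name.
EVENT_KINDS = (
    "requested", "approved", "denied", "revoked", "scheduled", "activated",
    "activationFailed", "expired", "ended", "externallyModified", "withdrawn",
)


def parse_timestamp(value: str) -> datetime:
    """Parse an RFC 3339 timestamp into an aware UTC datetime. The fraction
    is truncated to microseconds because datetime has no finer resolution."""
    m = _RFC3339.match(value)
    if not m:
        raise ValueError(f"not an RFC 3339 timestamp: {value!r}")
    year, month, day, hour, minute, second = (int(x) for x in m.groups()[:6])
    fraction, offset = m.group(7), m.group(8)
    micro = int((fraction or "0").ljust(6, "0")[:6])
    if offset == "Z":
        tz = timezone.utc
    else:
        sign = 1 if offset[0] == "+" else -1
        tz = timezone(sign * timedelta(hours=int(offset[1:3]), minutes=int(offset[4:6])))
    local = datetime(year, month, day, hour, minute, second, micro, tz)
    return local.astimezone(timezone.utc)


def event_kind(event: dict) -> str:
    """Return which member of the Event union is set; exactly one must be."""
    present = [k for k in EVENT_KINDS if k in event]
    if len(present) != 1:
        raise ValueError(f"event must carry exactly one union member, got {present}")
    return present[0]


def summarize_timeline(timeline: dict) -> dict:
    """Validate the Timeline and return an audit summary with the decisions
    taken (kind, actor, reason, stepId), whether bindings were modified
    outside PAM, and how long access was actually active."""
    events = timeline.get("events") or []
    if not events:
        raise ValueError("timeline must contain at least one event")
    if event_kind(events[0]) != "requested":
        raise ValueError("first timeline event must be 'requested'")

    times = [parse_timestamp(e["eventTime"]) for e in events]
    if any(later < earlier for earlier, later in zip(times, times[1:])):
        raise ValueError("timeline events are not in chronological order")

    summary = {"decisions": [], "externally_modified": False, "active_seconds": None}
    activated_at = None
    for when, event in zip(times, events):
        kind = event_kind(event)
        if kind in ("approved", "denied", "revoked"):
            body = event[kind]
            summary["decisions"].append(
                (kind, body.get("actor"), body.get("reason"), body.get("stepId")))
        if kind == "externallyModified":
            summary["externally_modified"] = True
        if kind == "activated":
            activated_at = when
        # Access ends at the first 'ended' or 'revoked' after activation.
        if kind in ("ended", "revoked") and activated_at is not None \
                and summary["active_seconds"] is None:
            summary["active_seconds"] = (when - activated_at).total_seconds()
    return summary


# Constructed sample: requested, approved at one workflow step, scheduled,
# activated, and ended by the system an hour later.
SAMPLE_TIMELINE = {"events": [
    {"eventTime": "2024-05-01T10:00:00Z",
     "requested": {"expireTime": "2024-05-01T12:00:00Z"}},
    {"eventTime": "2024-05-01T10:05:00.250Z",
     "approved": {"reason": "ticket reference placeholder",
                  "actor": "approver@example.com", "stepId": "step-1"}},
    {"eventTime": "2024-05-01T10:05:01Z",
     "scheduled": {"scheduledActivationTime": "2024-05-01T10:05:01Z"}},
    {"eventTime": "2024-05-01T10:05:30Z", "activated": {}},
    {"eventTime": "2024-05-01T11:05:30Z", "ended": {}},
]}

if __name__ == "__main__":
    print(summarize_timeline(SAMPLE_TIMELINE))
```

Comparing `active_seconds` against the grant's requestedDuration, or the auditTrail's accessGrantTime and accessRemoveTime against the activated and ended events, is a cheap consistency check that the timeline and the audit trail tell the same story.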

RequestedPrivilegedAccess

Privileged access that is requested by a user via a grant.

JSON representation
{

  // Union field access_type can be only one of the following:
  "gcpIamAccess": {
    object (GcpIamAccess)
  }
  // End of list of possible types for union field access_type.
}
Fields
Union field access_type. Type of access that is requested. Only GCP IAM based access is supported for now.

access_type can be only one of the following:

gcpIamAccess

object (GcpIamAccess)

Access to a Google Cloud resource through IAM.

GcpIamAccess

GcpIamAccess represents IAM based access control on a Google Cloud resource. Refer to https://cloud.google.com/iam/docs to understand more about IAM.

JSON representation
{
  "resourceType": string,
  "resource": string,
  "roleBindings": [
    {
      object (RoleBinding)
    }
  ]
}
Fields
resourceType

string

Required. The type of this resource.

resource

string

Required. Name of the resource.

roleBindings[]

object (RoleBinding)

Optional. Role bindings that are requested as part of the grant.

RoleBinding

IAM role bindings that are requested as part of the grant.

JSON representation
{
  "entitlementRoleBindingId": string,
  "accessRestrictions": {
    object (AccessRestrictions)
  },
  "role": string,
  "entitlementConditionExpression": string
}
Fields
entitlementRoleBindingId

string

Required. The role binding id of the role to be granted from the entitlement.

accessRestrictions

object (AccessRestrictions)

Optional. The access restrictions to be applied to the role binding. This further restricts the access of this role binding to specific resources.

role

string

Output only. The IAM role requested as part of the grant.

entitlementConditionExpression

string

Output only. The IAM condition expression associated with the role at the time of grant request.

AccessRestrictions

AccessRestrictions represents a set of resources to further restrict the access to. This is used to get finer grained access as part of a grant. All restrictions are OR-ed with each other.

JSON representation
{
  "resourceNames": [
    string
  ],
  "resourceNamePrefixes": [
    string
  ]
}
Fields
resourceNames[]

string

Optional. The resource names to restrict the access to. Follow https://cloud.google.com/iam/docs/conditions-resource-attributes#resource-name format.

resourceNamePrefixes[]

string

Optional. The resource name prefixes to restrict the access to. Follow https://cloud.google.com/iam/docs/conditions-resource-attributes#resource-name format.
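The RequestedPrivilegedAccess, GcpIamAccess, RoleBinding and AccessRestrictions definitions above determine what a grant actually reaches: each requested role binding may be narrowed to exact resourceNames or to resourceNamePrefixes, and the page states that all restrictions are OR-ed. The following Python is an added example, not Google's code: it resolves, for a given resource name, which requested role bindings admit it, and flags prefixes broad enough to cover a whole service. The sample request, its resource names, the `<unrestricted>` marker, the treatment of an absent restrictions object as unrestricted, and the breadth heuristic in `broad_prefixes` are assumptions made for this example; the function names (`restriction_covers`, `bindings_covering`, `broad_prefixes`) are likewise constructed.

```python
"""Resolve which requested role bindings cover a given resource.

Added example (not Google's code): it evaluates the AccessRestrictions of
each RoleBinding inside a RequestedPrivilegedAccess object as documented
above. resourceNames match exactly, resourceNamePrefixes match by prefix,
and all restrictions are OR-ed. The sample request and resource names are
constructed.
"""
from typing import Optional


def restriction_covers(restrictions: Optional[dict], resource_name: str) -> Optional[str]:
    """Return the restriction entry that admits resource_name, or None.

    Assumption (not stated on the page): a missing or empty restrictions
    object leaves the role binding at its original scope, so it admits any
    resource and the marker "<unrestricted>" is returned.
    """
    names = (restrictions or {}).get("resourceNames") or []
    prefixes = (restrictions or {}).get("resourceNamePrefixes") or []
    if not names and not prefixes:
        return "<unrestricted>"
    # OR semantics: the first matching entry from either list is enough.
    for name in names:
        if resource_name == name:
            return name
    for prefix in prefixes:
        if resource_name.startswith(prefix):
            return prefix
    return None


def bindings_covering(requested_access: dict, resource_name: str) -> dict:
    """Map entitlementRoleBindingId -> matching entry for every role binding
    in a RequestedPrivilegedAccess whose restrictions admit resource_name."""
    iam = requested_access.get("gcpIamAccess")
    if iam is None:
        raise ValueError("only gcpIamAccess is defined for access_type on this page")
    covered = {}
    for binding in iam.get("roleBindings") or []:
        hit = restriction_covers(binding.get("accessRestrictions"), resource_name)
        if hit is not None:
            covered[binding["entitlementRoleBindingId"]] = hit
    return covered


def broad_prefixes(requested_access: dict, min_segments: int = 2) -> list:
    """Heuristic review aid (an assumption of this example, not a rule from
    the page): list (binding id, prefix) pairs whose prefix has fewer than
    min_segments path segments after the service host, since a prefix such
    as "//compute.googleapis.com/" admits every resource of that service."""
    flagged = []
    iam = requested_access.get("gcpIamAccess") or {}
    for binding in iam.get("roleBindings") or []:
        restrictions = binding.get("accessRestrictions") or {}
        for prefix in restrictions.get("resourceNamePrefixes") or []:
            segments = [s for s in prefix.removeprefix("//").split("/")[1:] if s]
            if len(segments) < min_segments:
                flagged.append((binding["entitlementRoleBindingId"], prefix))
    return flagged


# Constructed sample: one tightly scoped binding, one with no restrictions,
# and one whose prefix spans an entire service.
ZONE_A_VM = "//compute.googleapis.com/projects/example-project/zones/us-central1-a/instances/vm-1"
ZONE_B_PREFIX = "//compute.googleapis.com/projects/example-project/zones/us-central1-b/"
SAMPLE_REQUEST = {"gcpIamAccess": {
    "resourceType": "cloudresourcemanager.googleapis.com/Project",
    "resource": "//cloudresourcemanager.googleapis.com/projects/example-project",
    "roleBindings": [
        {"entitlementRoleBindingId": "binding-vm-admin",
         "accessRestrictions": {"resourceNames": [ZONE_A_VM],
                                "resourceNamePrefixes": [ZONE_B_PREFIX]}},
        {"entitlementRoleBindingId": "binding-viewer"},
        {"entitlementRoleBindingId": "binding-broad",
         "accessRestrictions": {"resourceNamePrefixes": ["//compute.googleapis.com/"]}},
    ]}}

if __name__ == "__main__":
    print(bindings_covering(SAMPLE_REQUEST, ZONE_A_VM))
    print(broad_prefixes(SAMPLE_REQUEST))
```

Because the lists are OR-ed, adding a second prefix never narrows a binding; it only widens it. A review of a requested grant should therefore look at the union of all entries per binding, which is what `bindings_covering` reports.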

AuditTrail

Audit trail for the access provided by this grant.

JSON representation
{
  "accessGrantTime": string,
  "accessRemoveTime": string
}
Fields
accessGrantTime

string (Timestamp format)

Output only. The time at which access was given.

Uses RFC 3339, where generated output will always be Z-normalized and use 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples: "2014-10-02T15:01:23Z", "2014-10-02T15:01:23.045123456Z" or "2014-10-02T15:01:23+05:30".

accessRemoveTime

string (Timestamp format)

Output only. The time at which the system removed access. This could be because of an automatic expiry or because of a revocation.

If unspecified, then access hasn't been removed yet.

Uses RFC 3339, where generated output will always be Z-normalized and use 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples: "2014-10-02T15:01:23Z", "2014-10-02T15:01:23.045123456Z" or "2014-10-02T15:01:23+05:30".

Methods

approve

ApproveGrant is used to approve a grant.

create

Creates a grant in a given project, folder, or organization and location.

deny

DenyGrant is used to deny a grant.

get

Get details of a single grant.

list

Lists grants for a given entitlement.

revoke

RevokeGrant is used to immediately revoke access for a grant.

search

SearchGrants returns grants that are related to the calling user in the specified way.

withdraw

WithdrawGrant is used to immediately withdraw the grant.