Resource: Entitlement
An entitlement defines the eligibility of a set of users to obtain predefined access for a bounded time, possibly after going through an approval workflow.

JSON representation

```json
{
  "name": string,
  "createTime": string,
  "updateTime": string,
  "eligibleUsers": [
    {
      object (AccessControlEntry)
    }
  ],
  "approvalWorkflow": {
    object (ApprovalWorkflow)
  },
  "privilegedAccess": {
    object (PrivilegedAccess)
  },
  "maxRequestDuration": string,
  "state": enum (State),
  "requesterJustificationConfig": {
    object (RequesterJustificationConfig)
  },
  "additionalNotificationTargets": {
    object (AdditionalNotificationTargets)
  },
  "etag": string
}
```
Fields

| Field | Description |
|---|---|
| name | Identifier. Name of the entitlement. Possible formats: |
| createTime | Output only. Create time stamp. A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: |
| updateTime | Output only. Update time stamp. A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: |
| eligibleUsers[] | Optional. Who can create grants using this entitlement. This list should contain at most one entry. |
| approvalWorkflow | Optional. The approvals needed before access is granted to a requester. No approvals are needed if this field is null. |
| privilegedAccess | The access granted to a requester on successful approval. |
| maxRequestDuration | Required. The maximum amount of time that access is granted for a request. A requester can ask for a duration less than this, but never more. A duration in seconds with up to nine fractional digits, ending with ' |
| state | Output only. Current state of this entitlement. |
| requesterJustificationConfig | Required. The manner in which the requester should provide a justification for requesting access. |
| additionalNotificationTargets | Optional. Additional email addresses to be notified based on actions taken. |
| etag | An |
AccessControlEntry

AccessControlEntry is used to control who can do some operation.

JSON representation

```json
{
  "principals": [
    string
  ]
}
```

Fields

| Field | Description |
|---|---|
| principals[] | Optional. Users who are allowed for the operation. Each entry should be a valid v1 IAM principal identifier. The format for these is documented at: https://cloud.google.com/iam/docs/principal-identifiers#v1 |
ApprovalWorkflow

Different types of approval workflows that can be used to gate privileged access granting.

JSON representation

```json
{
  // Union field: can be only one of the following
  "manualApprovals": {
    object (ManualApprovals)
  }
}
```

Fields

| Field | Description |
|---|---|
| Union field. Can be only one of the following: | |
| manualApprovals | An approval workflow where users designated as approvers review and act on the grants. |
ManualApprovals

A manual approval workflow where users who are designated as approvers need to call the ApproveGrant/DenyGrant APIs for a grant. The workflow can consist of multiple serial steps where each step defines who can act as approver in that step and how many of those users should approve before the workflow moves to the next step.

This can be used to create approval workflows such as:

- Require an approval from any user in a group G.
- Require an approval from any k number of users from a Group G.
- Require an approval from any user in a group G and then from a user U.

A single user might be part of the approvers ACL for multiple steps in this workflow, but they can only approve once and that approval is only considered to satisfy the approval step at which it was granted.
JSON representation

```json
{
  "requireApproverJustification": boolean,
  "steps": [
    {
      object (Step)
    }
  ]
}
```

Fields

| Field | Description |
|---|---|
| requireApproverJustification | Optional. Do the approvers need to provide a justification for their actions? |
| steps[] | Optional. List of approval steps in this workflow. These steps are followed in the specified order sequentially. Only 1 step is supported. |
Step

Step represents a logical step in a manual approval workflow.

JSON representation

```json
{
  "approvers": [
    {
      object (AccessControlEntry)
    }
  ],
  "approvalsNeeded": integer,
  "approverEmailRecipients": [
    string
  ]
}
```

Fields

| Field | Description |
|---|---|
| approvers[] | Optional. The potential set of approvers in this step. This list must contain at most one entry. |
| approvalsNeeded | Required. How many users from the above list need to approve. If there aren't enough distinct users in the list, then the workflow blocks indefinitely. Should always be greater than 0. 1 is the only supported value. |
| approverEmailRecipients[] | Optional. Additional email addresses to be notified when a grant is pending approval. |
State

Different states an entitlement can be in.

| Enum | Description |
|---|---|
| STATE_UNSPECIFIED | Unspecified state. This value is never returned by the server. |
| CREATING | The entitlement is being created. |
| AVAILABLE | The entitlement is available for requesting access. |
| DELETING | The entitlement is being deleted. |
| DELETED | The entitlement has been deleted. |
| UPDATING | The entitlement is being updated. |
RequesterJustificationConfig

Defines how a requester must provide a justification when requesting access.

JSON representation

```json
{
  // Union field justification_type can be only one of the following:
  "notMandatory": {
    object (NotMandatory)
  },
  "unstructured": {
    object (Unstructured)
  }
  // End of list of possible types for union field justification_type.
}
```

Fields

| Field | Description |
|---|---|
| Union field justification_type. This is a required field and the user must explicitly opt out if a justification from the requester isn't mandatory. justification_type can be only one of the following: | |
| notMandatory | This option means the requester isn't required to provide a justification. |
| unstructured | This option means the requester must provide a string as justification. If this is selected, the server allows the requester to provide a justification but doesn't validate it. |

NotMandatory

This type has no fields.

The justification is not mandatory but can be provided in any of the supported formats.

Unstructured

This type has no fields.

The requester has to provide a justification in the form of a string.
AdditionalNotificationTargets

AdditionalNotificationTargets includes email addresses to be notified.

JSON representation

```json
{
  "adminEmailRecipients": [
    string
  ],
  "requesterEmailRecipients": [
    string
  ]
}
```

Fields

| Field | Description |
|---|---|
| adminEmailRecipients[] | Optional. Additional email addresses to be notified when a principal (requester) is granted access. |
| requesterEmailRecipients[] | Optional. Additional email addresses to be notified about an eligible entitlement. |
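The constraints spread across the Entitlement, Step and RequesterJustificationConfig tables above (at most one eligibleUsers entry, exactly one approval step with approvalsNeeded equal to 1, a required justification_type union with an explicit opt-out, a Duration string ending in "s", and a null approvalWorkflow meaning no review at all) are easy to get wrong when assembling a request body by hand. The following is an added example, not code from this reference page or from Google: a pre-flight check that validates an entitlement body against those documented constraints and separately flags settings that the API accepts but that weaken the control (no approval workflow, no mandatory justification, long grant ceilings). The sample bodies, principal strings and the 4-hour duration ceiling are constructed assumptions, not values from the page.

```python
"""Pre-flight checks for a PAM Entitlement JSON body before entitlements.create/patch.
Added example; the sample bodies, principals and 4-hour ceiling are constructed, not from the API docs."""

import re
from typing import Any

# protobuf JSON Duration: whole seconds, up to nine fractional digits, trailing "s" (e.g. "3600s").
_DURATION_RE = re.compile(r"^(\d+)(?:\.(\d{1,9}))?s$")
MAX_RECOMMENDED_SECONDS = 4 * 3600  # assumed local policy ceiling, not an API limit


def parse_duration_seconds(value: str) -> float:
    """Parse a Duration such as '1800s' or '0.5s'; raise ValueError on anything else."""
    m = _DURATION_RE.match(value)
    if not m:
        raise ValueError(f"invalid duration {value!r}: expected '<seconds>s'")
    return float(f"{m.group(1)}.{m.group(2) or '0'}")


def validate_entitlement(body: dict[str, Any]) -> list[str]:
    """Return violations of the constraints stated on this page; [] means the body is well-formed."""
    problems: list[str] = []

    eligible = body.get("eligibleUsers", [])
    if len(eligible) > 1:
        problems.append("eligibleUsers must contain at most one entry")
    if not any(ace.get("principals") for ace in eligible):
        problems.append("eligibleUsers names no principals, so nobody can request a grant")

    dur = body.get("maxRequestDuration")
    if dur is None:
        problems.append("maxRequestDuration is required")
    else:
        try:
            if parse_duration_seconds(dur) <= 0:
                problems.append("maxRequestDuration must be positive")
        except ValueError as exc:
            problems.append(str(exc))

    # justification_type is a required union: opting out must be explicit via notMandatory.
    rjc = body.get("requesterJustificationConfig") or {}
    if ("notMandatory" in rjc) == ("unstructured" in rjc):
        problems.append("requesterJustificationConfig must set exactly one of notMandatory or unstructured")

    wf = body.get("approvalWorkflow")
    if wf is not None:
        steps = wf.get("manualApprovals", {}).get("steps", [])
        if len(steps) != 1:
            problems.append("manualApprovals.steps must contain exactly one step (only 1 is supported)")
        for step in steps:
            if step.get("approvalsNeeded") != 1:
                problems.append("approvalsNeeded must be 1 (the only supported value)")
            approvers = step.get("approvers", [])
            if len(approvers) > 1:
                problems.append("step.approvers must contain at most one entry")
            # Not enough distinct approvers means the workflow blocks indefinitely.
            if not any(ace.get("principals") for ace in approvers):
                problems.append("step names no approver principals; every grant would block indefinitely")
    return problems


def hardening_findings(body: dict[str, Any]) -> list[str]:
    """Flag settings the API accepts but that weaken the control from a least-privilege standpoint."""
    findings: list[str] = []
    wf = body.get("approvalWorkflow")
    if wf is None:
        findings.append("approvalWorkflow is null: grants are issued with no human review")
    elif not wf.get("manualApprovals", {}).get("requireApproverJustification"):
        findings.append("approvers are not required to justify their decisions")
    if "notMandatory" in (body.get("requesterJustificationConfig") or {}):
        findings.append("requester justification is not mandatory")
    try:
        if parse_duration_seconds(body.get("maxRequestDuration", "")) > MAX_RECOMMENDED_SECONDS:
            findings.append("maxRequestDuration exceeds the assumed 4-hour policy ceiling")
    except ValueError:
        pass  # malformed durations are reported by validate_entitlement
    return findings


# Constructed sample: one eligible group, one approver group, 1-hour ceiling, justification required.
REVIEWED_ENTITLEMENT: dict[str, Any] = {
    "eligibleUsers": [{"principals": ["group:oncall@example.com"]}],
    "approvalWorkflow": {
        "manualApprovals": {
            "requireApproverJustification": True,
            "steps": [{"approvers": [{"principals": ["group:sre-leads@example.com"]}],
                       "approvalsNeeded": 1}],
        }
    },
    "maxRequestDuration": "3600s",
    "requesterJustificationConfig": {"unstructured": {}},
}

# Constructed sample: well-formed for the API, but no review, no justification, 8-hour ceiling.
UNREVIEWED_ENTITLEMENT: dict[str, Any] = {
    "eligibleUsers": [{"principals": ["user:dev@example.com"]}],
    "approvalWorkflow": None,
    "maxRequestDuration": "28800s",
    "requesterJustificationConfig": {"notMandatory": {}},
}

if __name__ == "__main__":
    for label, body in (("reviewed", REVIEWED_ENTITLEMENT), ("unreviewed", UNREVIEWED_ENTITLEMENT)):
        print(label, "errors:", validate_entitlement(body), "findings:", hardening_findings(body))
```

Run the two checks in order: `validate_entitlement` catches bodies the API would reject or that would leave grants stuck, while `hardening_findings` is the review gate for bodies that are valid but grant access without approval or justification. Both samples pass validation; only the second produces findings.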
Methods

- Creates a new entitlement in a given project/folder/organization and location.
- Deletes a single entitlement.
- Gets details of a single entitlement.
- Lists entitlements in a given project/folder/organization and location.
- Updates the entitlement specified in the request.
- SearchEntitlements returns entitlements on which the caller has the specified access.