Class DenyRuleExplanation.Builder (1.28.0)

Details about how a deny rule in a deny policy affects a principal's ability to use a permission.

Protobuf type google.cloud.policytroubleshooter.iam.v3.DenyRuleExplanation

Indicates whether the permission in the request is listed as a denied permission in the deny rule.

.google.cloud.policytroubleshooter.iam.v3.DenyRuleExplanation.AnnotatedPermissionMatching combined_denied_permission = 2;

Indicates whether the principal is listed as a denied principal in the deny rule, either directly or through membership in a principal set.

.google.cloud.policytroubleshooter.iam.v3.DenyRuleExplanation.AnnotatedDenyPrincipalMatching combined_denied_principal = 6;

Indicates whether the permission in the request is listed as an exception permission in the deny rule.

.google.cloud.policytroubleshooter.iam.v3.DenyRuleExplanation.AnnotatedPermissionMatching combined_exception_permission = 4;

Indicates whether the principal is listed as an exception principal in the deny rule, either directly or through membership in a principal set.

.google.cloud.policytroubleshooter.iam.v3.DenyRuleExplanation.AnnotatedDenyPrincipalMatching combined_exception_principal = 8;

A condition expression that specifies when the deny rule denies the principal access.

To learn about IAM Conditions, see https://cloud.google.com/iam/help/conditions/overview.

.google.type.Expr condition = 11;

Condition evaluation state for this role binding.

.google.cloud.policytroubleshooter.iam.v3.ConditionExplanation condition_explanation = 12;

Required. Indicates whether this rule denies the specified permission to the specified principal for the specified resource.

This field does not indicate whether the principal is actually denied on the permission for the resource. There might be another rule that overrides this rule. To determine whether the principal actually has the permission, use the overall_access_state field in the TroubleshootIamPolicyResponse.

.google.cloud.policytroubleshooter.iam.v3.DenyAccessState deny_access_state = 1 [(.google.api.field_behavior) = REQUIRED];

The relevance of this role binding to the overall determination for the entire policy.

.google.cloud.policytroubleshooter.iam.v3.HeuristicRelevance relevance = 10;

Lists all denied permissions in the deny rule and indicates whether each permission matches the permission in the request.

Each key identifies a denied permission in the rule, and each value indicates whether the denied permission matches the permission in the request.

map<string, .google.cloud.policytroubleshooter.iam.v3.DenyRuleExplanation.AnnotatedPermissionMatching> denied_permissions = 3;

Lists all denied principals in the deny rule and indicates whether each principal matches the principal in the request, either directly or through membership in a principal set.

Each key identifies a denied principal in the rule, and each value indicates whether the denied principal matches the principal in the request.

map<string, .google.cloud.policytroubleshooter.iam.v3.DenyRuleExplanation.AnnotatedDenyPrincipalMatching> denied_principals = 7;

Lists all exception permissions in the deny rule and indicates whether each permission matches the permission in the request.

Each key identifies a exception permission in the rule, and each value indicates whether the exception permission matches the permission in the request.

map<string, .google.cloud.policytroubleshooter.iam.v3.DenyRuleExplanation.AnnotatedPermissionMatching> exception_permissions = 5;

Lists all exception principals in the deny rule and indicates whether each principal matches the principal in the request, either directly or through membership in a principal set.

Each key identifies a exception principal in the rule, and each value indicates whether the exception principal matches the principal in the request.

map<string, .google.cloud.policytroubleshooter.iam.v3.DenyRuleExplanation.AnnotatedDenyPrincipalMatching> exception_principals = 9;

Indicates whether the permission in the request is listed as a denied permission in the deny rule.

.google.cloud.policytroubleshooter.iam.v3.DenyRuleExplanation.AnnotatedPermissionMatching combined_denied_permission = 2;

Indicates whether the permission in the request is listed as a denied permission in the deny rule.

.google.cloud.policytroubleshooter.iam.v3.DenyRuleExplanation.AnnotatedPermissionMatching combined_denied_permission = 2;

Indicates whether the permission in the request is listed as a denied permission in the deny rule.

.google.cloud.policytroubleshooter.iam.v3.DenyRuleExplanation.AnnotatedPermissionMatching combined_denied_permission = 2;

Indicates whether the principal is listed as a denied principal in the deny rule, either directly or through membership in a principal set.

.google.cloud.policytroubleshooter.iam.v3.DenyRuleExplanation.AnnotatedDenyPrincipalMatching combined_denied_principal = 6;

Indicates whether the principal is listed as a denied principal in the deny rule, either directly or through membership in a principal set.

.google.cloud.policytroubleshooter.iam.v3.DenyRuleExplanation.AnnotatedDenyPrincipalMatching combined_denied_principal = 6;

Indicates whether the principal is listed as a denied principal in the deny rule, either directly or through membership in a principal set.

.google.cloud.policytroubleshooter.iam.v3.DenyRuleExplanation.AnnotatedDenyPrincipalMatching combined_denied_principal = 6;

Indicates whether the permission in the request is listed as an exception permission in the deny rule.

.google.cloud.policytroubleshooter.iam.v3.DenyRuleExplanation.AnnotatedPermissionMatching combined_exception_permission = 4;

Indicates whether the permission in the request is listed as an exception permission in the deny rule.

.google.cloud.policytroubleshooter.iam.v3.DenyRuleExplanation.AnnotatedPermissionMatching combined_exception_permission = 4;

Indicates whether the permission in the request is listed as an exception permission in the deny rule.

.google.cloud.policytroubleshooter.iam.v3.DenyRuleExplanation.AnnotatedPermissionMatching combined_exception_permission = 4;

Indicates whether the principal is listed as an exception principal in the deny rule, either directly or through membership in a principal set.

.google.cloud.policytroubleshooter.iam.v3.DenyRuleExplanation.AnnotatedDenyPrincipalMatching combined_exception_principal = 8;

Indicates whether the principal is listed as an exception principal in the deny rule, either directly or through membership in a principal set.

.google.cloud.policytroubleshooter.iam.v3.DenyRuleExplanation.AnnotatedDenyPrincipalMatching combined_exception_principal = 8;

Indicates whether the principal is listed as an exception principal in the deny rule, either directly or through membership in a principal set.

.google.cloud.policytroubleshooter.iam.v3.DenyRuleExplanation.AnnotatedDenyPrincipalMatching combined_exception_principal = 8;

A condition expression that specifies when the deny rule denies the principal access.

To learn about IAM Conditions, see https://cloud.google.com/iam/help/conditions/overview.

.google.type.Expr condition = 11;

A condition expression that specifies when the deny rule denies the principal access.

To learn about IAM Conditions, see https://cloud.google.com/iam/help/conditions/overview.

.google.type.Expr condition = 11;

Condition evaluation state for this role binding.

.google.cloud.policytroubleshooter.iam.v3.ConditionExplanation condition_explanation = 12;

Condition evaluation state for this role binding.

.google.cloud.policytroubleshooter.iam.v3.ConditionExplanation condition_explanation = 12;

Condition evaluation state for this role binding.

.google.cloud.policytroubleshooter.iam.v3.ConditionExplanation condition_explanation = 12;

A condition expression that specifies when the deny rule denies the principal access.

To learn about IAM Conditions, see https://cloud.google.com/iam/help/conditions/overview.

.google.type.Expr condition = 11;

Use #getDeniedPermissionsMap() instead.

Lists all denied permissions in the deny rule and indicates whether each permission matches the permission in the request.

Each key identifies a denied permission in the rule, and each value indicates whether the denied permission matches the permission in the request.

map<string, .google.cloud.policytroubleshooter.iam.v3.DenyRuleExplanation.AnnotatedPermissionMatching> denied_permissions = 3;

Lists all denied permissions in the deny rule and indicates whether each permission matches the permission in the request.

Each key identifies a denied permission in the rule, and each value indicates whether the denied permission matches the permission in the request.

map<string, .google.cloud.policytroubleshooter.iam.v3.DenyRuleExplanation.AnnotatedPermissionMatching> denied_permissions = 3;

Lists all denied permissions in the deny rule and indicates whether each permission matches the permission in the request.

Each key identifies a denied permission in the rule, and each value indicates whether the denied permission matches the permission in the request.

map<string, .google.cloud.policytroubleshooter.iam.v3.DenyRuleExplanation.AnnotatedPermissionMatching> denied_permissions = 3;

Lists all denied permissions in the deny rule and indicates whether each permission matches the permission in the request.

Each key identifies a denied permission in the rule, and each value indicates whether the denied permission matches the permission in the request.

map<string, .google.cloud.policytroubleshooter.iam.v3.DenyRuleExplanation.AnnotatedPermissionMatching> denied_permissions = 3;

Use #getDeniedPrincipalsMap() instead.

Lists all denied principals in the deny rule and indicates whether each principal matches the principal in the request, either directly or through membership in a principal set.

Each key identifies a denied principal in the rule, and each value indicates whether the denied principal matches the principal in the request.

map<string, .google.cloud.policytroubleshooter.iam.v3.DenyRuleExplanation.AnnotatedDenyPrincipalMatching> denied_principals = 7;

Lists all denied principals in the deny rule and indicates whether each principal matches the principal in the request, either directly or through membership in a principal set.

Each key identifies a denied principal in the rule, and each value indicates whether the denied principal matches the principal in the request.

map<string, .google.cloud.policytroubleshooter.iam.v3.DenyRuleExplanation.AnnotatedDenyPrincipalMatching> denied_principals = 7;

Lists all denied principals in the deny rule and indicates whether each principal matches the principal in the request, either directly or through membership in a principal set.

Each key identifies a denied principal in the rule, and each value indicates whether the denied principal matches the principal in the request.

map<string, .google.cloud.policytroubleshooter.iam.v3.DenyRuleExplanation.AnnotatedDenyPrincipalMatching> denied_principals = 7;

Lists all denied principals in the deny rule and indicates whether each principal matches the principal in the request, either directly or through membership in a principal set.

Each key identifies a denied principal in the rule, and each value indicates whether the denied principal matches the principal in the request.

map<string, .google.cloud.policytroubleshooter.iam.v3.DenyRuleExplanation.AnnotatedDenyPrincipalMatching> denied_principals = 7;

Required. Indicates whether this rule denies the specified permission to the specified principal for the specified resource.

This field does not indicate whether the principal is actually denied on the permission for the resource. There might be another rule that overrides this rule. To determine whether the principal actually has the permission, use the overall_access_state field in the TroubleshootIamPolicyResponse.

.google.cloud.policytroubleshooter.iam.v3.DenyAccessState deny_access_state = 1 [(.google.api.field_behavior) = REQUIRED];

Required. Indicates whether this rule denies the specified permission to the specified principal for the specified resource.

This field does not indicate whether the principal is actually denied on the permission for the resource. There might be another rule that overrides this rule. To determine whether the principal actually has the permission, use the overall_access_state field in the TroubleshootIamPolicyResponse.

.google.cloud.policytroubleshooter.iam.v3.DenyAccessState deny_access_state = 1 [(.google.api.field_behavior) = REQUIRED];

Use #getExceptionPermissionsMap() instead.

Lists all exception permissions in the deny rule and indicates whether each permission matches the permission in the request.

Each key identifies a exception permission in the rule, and each value indicates whether the exception permission matches the permission in the request.

map<string, .google.cloud.policytroubleshooter.iam.v3.DenyRuleExplanation.AnnotatedPermissionMatching> exception_permissions = 5;

Lists all exception permissions in the deny rule and indicates whether each permission matches the permission in the request.

Each key identifies a exception permission in the rule, and each value indicates whether the exception permission matches the permission in the request.

map<string, .google.cloud.policytroubleshooter.iam.v3.DenyRuleExplanation.AnnotatedPermissionMatching> exception_permissions = 5;

Lists all exception permissions in the deny rule and indicates whether each permission matches the permission in the request.

Each key identifies a exception permission in the rule, and each value indicates whether the exception permission matches the permission in the request.

map<string, .google.cloud.policytroubleshooter.iam.v3.DenyRuleExplanation.AnnotatedPermissionMatching> exception_permissions = 5;

Lists all exception permissions in the deny rule and indicates whether each permission matches the permission in the request.

Each key identifies a exception permission in the rule, and each value indicates whether the exception permission matches the permission in the request.

map<string, .google.cloud.policytroubleshooter.iam.v3.DenyRuleExplanation.AnnotatedPermissionMatching> exception_permissions = 5;

Use #getExceptionPrincipalsMap() instead.

Lists all exception principals in the deny rule and indicates whether each principal matches the principal in the request, either directly or through membership in a principal set.

Each key identifies a exception principal in the rule, and each value indicates whether the exception principal matches the principal in the request.

map<string, .google.cloud.policytroubleshooter.iam.v3.DenyRuleExplanation.AnnotatedDenyPrincipalMatching> exception_principals = 9;

Lists all exception principals in the deny rule and indicates whether each principal matches the principal in the request, either directly or through membership in a principal set.

Each key identifies a exception principal in the rule, and each value indicates whether the exception principal matches the principal in the request.

map<string, .google.cloud.policytroubleshooter.iam.v3.DenyRuleExplanation.AnnotatedDenyPrincipalMatching> exception_principals = 9;

Lists all exception principals in the deny rule and indicates whether each principal matches the principal in the request, either directly or through membership in a principal set.

Each key identifies a exception principal in the rule, and each value indicates whether the exception principal matches the principal in the request.

map<string, .google.cloud.policytroubleshooter.iam.v3.DenyRuleExplanation.AnnotatedDenyPrincipalMatching> exception_principals = 9;

Lists all exception principals in the deny rule and indicates whether each principal matches the principal in the request, either directly or through membership in a principal set.

Each key identifies a exception principal in the rule, and each value indicates whether the exception principal matches the principal in the request.

map<string, .google.cloud.policytroubleshooter.iam.v3.DenyRuleExplanation.AnnotatedDenyPrincipalMatching> exception_principals = 9;

Use alternate mutation accessors instead.

Use alternate mutation accessors instead.

Use alternate mutation accessors instead.

Use alternate mutation accessors instead.

The relevance of this role binding to the overall determination for the entire policy.

.google.cloud.policytroubleshooter.iam.v3.HeuristicRelevance relevance = 10;

The relevance of this role binding to the overall determination for the entire policy.

.google.cloud.policytroubleshooter.iam.v3.HeuristicRelevance relevance = 10;

Indicates whether the permission in the request is listed as a denied permission in the deny rule.

.google.cloud.policytroubleshooter.iam.v3.DenyRuleExplanation.AnnotatedPermissionMatching combined_denied_permission = 2;

Indicates whether the principal is listed as a denied principal in the deny rule, either directly or through membership in a principal set.

.google.cloud.policytroubleshooter.iam.v3.DenyRuleExplanation.AnnotatedDenyPrincipalMatching combined_denied_principal = 6;

Indicates whether the permission in the request is listed as an exception permission in the deny rule.

.google.cloud.policytroubleshooter.iam.v3.DenyRuleExplanation.AnnotatedPermissionMatching combined_exception_permission = 4;

Indicates whether the principal is listed as an exception principal in the deny rule, either directly or through membership in a principal set.

.google.cloud.policytroubleshooter.iam.v3.DenyRuleExplanation.AnnotatedDenyPrincipalMatching combined_exception_principal = 8;

A condition expression that specifies when the deny rule denies the principal access.

To learn about IAM Conditions, see https://cloud.google.com/iam/help/conditions/overview.

.google.type.Expr condition = 11;

Condition evaluation state for this role binding.

.google.cloud.policytroubleshooter.iam.v3.ConditionExplanation condition_explanation = 12;

Indicates whether the permission in the request is listed as a denied permission in the deny rule.

.google.cloud.policytroubleshooter.iam.v3.DenyRuleExplanation.AnnotatedPermissionMatching combined_denied_permission = 2;

Indicates whether the principal is listed as a denied principal in the deny rule, either directly or through membership in a principal set.

.google.cloud.policytroubleshooter.iam.v3.DenyRuleExplanation.AnnotatedDenyPrincipalMatching combined_denied_principal = 6;

Indicates whether the permission in the request is listed as an exception permission in the deny rule.

.google.cloud.policytroubleshooter.iam.v3.DenyRuleExplanation.AnnotatedPermissionMatching combined_exception_permission = 4;

Indicates whether the principal is listed as an exception principal in the deny rule, either directly or through membership in a principal set.

.google.cloud.policytroubleshooter.iam.v3.DenyRuleExplanation.AnnotatedDenyPrincipalMatching combined_exception_principal = 8;

A condition expression that specifies when the deny rule denies the principal access.

To learn about IAM Conditions, see https://cloud.google.com/iam/help/conditions/overview.

.google.type.Expr condition = 11;

Condition evaluation state for this role binding.

.google.cloud.policytroubleshooter.iam.v3.ConditionExplanation condition_explanation = 12;

Lists all denied permissions in the deny rule and indicates whether each permission matches the permission in the request.

Each key identifies a denied permission in the rule, and each value indicates whether the denied permission matches the permission in the request.

map<string, .google.cloud.policytroubleshooter.iam.v3.DenyRuleExplanation.AnnotatedPermissionMatching> denied_permissions = 3;

Lists all denied principals in the deny rule and indicates whether each principal matches the principal in the request, either directly or through membership in a principal set.

Each key identifies a denied principal in the rule, and each value indicates whether the denied principal matches the principal in the request.

map<string, .google.cloud.policytroubleshooter.iam.v3.DenyRuleExplanation.AnnotatedDenyPrincipalMatching> denied_principals = 7;

Lists all exception permissions in the deny rule and indicates whether each permission matches the permission in the request.

Each key identifies a exception permission in the rule, and each value indicates whether the exception permission matches the permission in the request.

map<string, .google.cloud.policytroubleshooter.iam.v3.DenyRuleExplanation.AnnotatedPermissionMatching> exception_permissions = 5;

Lists all exception principals in the deny rule and indicates whether each principal matches the principal in the request, either directly or through membership in a principal set.

Each key identifies a exception principal in the rule, and each value indicates whether the exception principal matches the principal in the request.

map<string, .google.cloud.policytroubleshooter.iam.v3.DenyRuleExplanation.AnnotatedDenyPrincipalMatching> exception_principals = 9;

Lists all denied permissions in the deny rule and indicates whether each permission matches the permission in the request.

Each key identifies a denied permission in the rule, and each value indicates whether the denied permission matches the permission in the request.

map<string, .google.cloud.policytroubleshooter.iam.v3.DenyRuleExplanation.AnnotatedPermissionMatching> denied_permissions = 3;

Lists all denied principals in the deny rule and indicates whether each principal matches the principal in the request, either directly or through membership in a principal set.

Each key identifies a denied principal in the rule, and each value indicates whether the denied principal matches the principal in the request.

map<string, .google.cloud.policytroubleshooter.iam.v3.DenyRuleExplanation.AnnotatedDenyPrincipalMatching> denied_principals = 7;

Lists all exception permissions in the deny rule and indicates whether each permission matches the permission in the request.

Each key identifies a exception permission in the rule, and each value indicates whether the exception permission matches the permission in the request.

map<string, .google.cloud.policytroubleshooter.iam.v3.DenyRuleExplanation.AnnotatedPermissionMatching> exception_permissions = 5;

Lists all exception principals in the deny rule and indicates whether each principal matches the principal in the request, either directly or through membership in a principal set.

Each key identifies a exception principal in the rule, and each value indicates whether the exception principal matches the principal in the request.

map<string, .google.cloud.policytroubleshooter.iam.v3.DenyRuleExplanation.AnnotatedDenyPrincipalMatching> exception_principals = 9;

Lists all denied permissions in the deny rule and indicates whether each permission matches the permission in the request.

Each key identifies a denied permission in the rule, and each value indicates whether the denied permission matches the permission in the request.

map<string, .google.cloud.policytroubleshooter.iam.v3.DenyRuleExplanation.AnnotatedPermissionMatching> denied_permissions = 3;

Lists all denied principals in the deny rule and indicates whether each principal matches the principal in the request, either directly or through membership in a principal set.

Each key identifies a denied principal in the rule, and each value indicates whether the denied principal matches the principal in the request.

map<string, .google.cloud.policytroubleshooter.iam.v3.DenyRuleExplanation.AnnotatedDenyPrincipalMatching> denied_principals = 7;

Lists all exception permissions in the deny rule and indicates whether each permission matches the permission in the request.

Each key identifies a exception permission in the rule, and each value indicates whether the exception permission matches the permission in the request.

map<string, .google.cloud.policytroubleshooter.iam.v3.DenyRuleExplanation.AnnotatedPermissionMatching> exception_permissions = 5;

Lists all exception principals in the deny rule and indicates whether each principal matches the principal in the request, either directly or through membership in a principal set.

Each key identifies a exception principal in the rule, and each value indicates whether the exception principal matches the principal in the request.

map<string, .google.cloud.policytroubleshooter.iam.v3.DenyRuleExplanation.AnnotatedDenyPrincipalMatching> exception_principals = 9;

Indicates whether the permission in the request is listed as a denied permission in the deny rule.

.google.cloud.policytroubleshooter.iam.v3.DenyRuleExplanation.AnnotatedPermissionMatching combined_denied_permission = 2;

Indicates whether the permission in the request is listed as a denied permission in the deny rule.

.google.cloud.policytroubleshooter.iam.v3.DenyRuleExplanation.AnnotatedPermissionMatching combined_denied_permission = 2;

Indicates whether the principal is listed as a denied principal in the deny rule, either directly or through membership in a principal set.

.google.cloud.policytroubleshooter.iam.v3.DenyRuleExplanation.AnnotatedDenyPrincipalMatching combined_denied_principal = 6;

Indicates whether the principal is listed as a denied principal in the deny rule, either directly or through membership in a principal set.

.google.cloud.policytroubleshooter.iam.v3.DenyRuleExplanation.AnnotatedDenyPrincipalMatching combined_denied_principal = 6;

Indicates whether the permission in the request is listed as an exception permission in the deny rule.

.google.cloud.policytroubleshooter.iam.v3.DenyRuleExplanation.AnnotatedPermissionMatching combined_exception_permission = 4;

Indicates whether the permission in the request is listed as an exception permission in the deny rule.

.google.cloud.policytroubleshooter.iam.v3.DenyRuleExplanation.AnnotatedPermissionMatching combined_exception_permission = 4;

Indicates whether the principal is listed as an exception principal in the deny rule, either directly or through membership in a principal set.

.google.cloud.policytroubleshooter.iam.v3.DenyRuleExplanation.AnnotatedDenyPrincipalMatching combined_exception_principal = 8;

Indicates whether the principal is listed as an exception principal in the deny rule, either directly or through membership in a principal set.

.google.cloud.policytroubleshooter.iam.v3.DenyRuleExplanation.AnnotatedDenyPrincipalMatching combined_exception_principal = 8;

A condition expression that specifies when the deny rule denies the principal access.

To learn about IAM Conditions, see https://cloud.google.com/iam/help/conditions/overview.

.google.type.Expr condition = 11;

A condition expression that specifies when the deny rule denies the principal access.

To learn about IAM Conditions, see https://cloud.google.com/iam/help/conditions/overview.

.google.type.Expr condition = 11;

Condition evaluation state for this role binding.

.google.cloud.policytroubleshooter.iam.v3.ConditionExplanation condition_explanation = 12;

Condition evaluation state for this role binding.

.google.cloud.policytroubleshooter.iam.v3.ConditionExplanation condition_explanation = 12;

Required. Indicates whether this rule denies the specified permission to the specified principal for the specified resource.

This field does not indicate whether the principal is actually denied on the permission for the resource. There might be another rule that overrides this rule. To determine whether the principal actually has the permission, use the overall_access_state field in the TroubleshootIamPolicyResponse.

.google.cloud.policytroubleshooter.iam.v3.DenyAccessState deny_access_state = 1 [(.google.api.field_behavior) = REQUIRED];

Required. Indicates whether this rule denies the specified permission to the specified principal for the specified resource.

This field does not indicate whether the principal is actually denied on the permission for the resource. There might be another rule that overrides this rule. To determine whether the principal actually has the permission, use the overall_access_state field in the TroubleshootIamPolicyResponse.

.google.cloud.policytroubleshooter.iam.v3.DenyAccessState deny_access_state = 1 [(.google.api.field_behavior) = REQUIRED];

The relevance of this role binding to the overall determination for the entire policy.

.google.cloud.policytroubleshooter.iam.v3.HeuristicRelevance relevance = 10;

The relevance of this role binding to the overall determination for the entire policy.

.google.cloud.policytroubleshooter.iam.v3.HeuristicRelevance relevance = 10;