Class Explanations.BindingExplanation (1.47.0)

Details about how a binding in a policy affects a principal's ability to use a permission.

Protobuf type google.cloud.policytroubleshooter.v1.BindingExplanation

Indicates whether each principal in the binding includes the principal specified in the request, either directly or indirectly. Each key identifies a principal in the binding, and each value indicates whether the principal in the binding includes the principal in the request.

For example, suppose that a binding includes the following principals:

• user:alice@example.com

• group:product-eng@example.com

  You want to troubleshoot access for user:bob@example.com. This user is a principal of the group group:product-eng@example.com.

  For the first principal in the binding, the key is user:alice@example.com, and the membership field in the value is set to MEMBERSHIP_NOT_INCLUDED.

  For the second principal in the binding, the key is group:product-eng@example.com, and the membership field in the value is set to MEMBERSHIP_INCLUDED.

map<string, .google.cloud.policytroubleshooter.v1.BindingExplanation.AnnotatedMembership> memberships = 5;

Required. Indicates whether this binding provides the specified permission to the specified principal for the specified resource.

This field does not indicate whether the principal actually has the permission for the resource. There might be another binding that overrides this binding. To determine whether the principal actually has the permission, use the access field in the TroubleshootIamPolicyResponse.

.google.cloud.policytroubleshooter.v1.AccessState access = 1 [(.google.api.field_behavior) = REQUIRED];

Required. Indicates whether this binding provides the specified permission to the specified principal for the specified resource.

This field does not indicate whether the principal actually has the permission for the resource. There might be another binding that overrides this binding. To determine whether the principal actually has the permission, use the access field in the TroubleshootIamPolicyResponse.

.google.cloud.policytroubleshooter.v1.AccessState access = 1 [(.google.api.field_behavior) = REQUIRED];

A condition expression that prevents this binding from granting access unless the expression evaluates to true.

To learn about IAM Conditions, see https://cloud.google.com/iam/help/conditions/overview.

.google.type.Expr condition = 7;

A condition expression that prevents this binding from granting access unless the expression evaluates to true.

To learn about IAM Conditions, see https://cloud.google.com/iam/help/conditions/overview.

.google.type.Expr condition = 7;

Use #getMembershipsMap() instead.

Indicates whether each principal in the binding includes the principal specified in the request, either directly or indirectly. Each key identifies a principal in the binding, and each value indicates whether the principal in the binding includes the principal in the request.

For example, suppose that a binding includes the following principals:

• user:alice@example.com

• group:product-eng@example.com

  You want to troubleshoot access for user:bob@example.com. This user is a principal of the group group:product-eng@example.com.

  For the first principal in the binding, the key is user:alice@example.com, and the membership field in the value is set to MEMBERSHIP_NOT_INCLUDED.

  For the second principal in the binding, the key is group:product-eng@example.com, and the membership field in the value is set to MEMBERSHIP_INCLUDED.

map<string, .google.cloud.policytroubleshooter.v1.BindingExplanation.AnnotatedMembership> memberships = 5;

Indicates whether each principal in the binding includes the principal specified in the request, either directly or indirectly. Each key identifies a principal in the binding, and each value indicates whether the principal in the binding includes the principal in the request.

For example, suppose that a binding includes the following principals:

• user:alice@example.com

• group:product-eng@example.com

  You want to troubleshoot access for user:bob@example.com. This user is a principal of the group group:product-eng@example.com.

  For the first principal in the binding, the key is user:alice@example.com, and the membership field in the value is set to MEMBERSHIP_NOT_INCLUDED.

  For the second principal in the binding, the key is group:product-eng@example.com, and the membership field in the value is set to MEMBERSHIP_INCLUDED.

map<string, .google.cloud.policytroubleshooter.v1.BindingExplanation.AnnotatedMembership> memberships = 5;

Indicates whether each principal in the binding includes the principal specified in the request, either directly or indirectly. Each key identifies a principal in the binding, and each value indicates whether the principal in the binding includes the principal in the request.

For example, suppose that a binding includes the following principals:

• user:alice@example.com

• group:product-eng@example.com

  You want to troubleshoot access for user:bob@example.com. This user is a principal of the group group:product-eng@example.com.

  For the first principal in the binding, the key is user:alice@example.com, and the membership field in the value is set to MEMBERSHIP_NOT_INCLUDED.

  For the second principal in the binding, the key is group:product-eng@example.com, and the membership field in the value is set to MEMBERSHIP_INCLUDED.

map<string, .google.cloud.policytroubleshooter.v1.BindingExplanation.AnnotatedMembership> memberships = 5;

Indicates whether each principal in the binding includes the principal specified in the request, either directly or indirectly. Each key identifies a principal in the binding, and each value indicates whether the principal in the binding includes the principal in the request.

For example, suppose that a binding includes the following principals:

• user:alice@example.com

• group:product-eng@example.com

  You want to troubleshoot access for user:bob@example.com. This user is a principal of the group group:product-eng@example.com.

  For the first principal in the binding, the key is user:alice@example.com, and the membership field in the value is set to MEMBERSHIP_NOT_INCLUDED.

  For the second principal in the binding, the key is group:product-eng@example.com, and the membership field in the value is set to MEMBERSHIP_INCLUDED.

map<string, .google.cloud.policytroubleshooter.v1.BindingExplanation.AnnotatedMembership> memberships = 5;

The relevance of this binding to the overall determination for the entire policy.

.google.cloud.policytroubleshooter.v1.HeuristicRelevance relevance = 6;

The relevance of this binding to the overall determination for the entire policy.

.google.cloud.policytroubleshooter.v1.HeuristicRelevance relevance = 6;

The role that this binding grants. For example, roles/compute.serviceAgent.

For a complete list of predefined IAM roles, as well as the permissions in each role, see https://cloud.google.com/iam/help/roles/reference.

string role = 2;

The role that this binding grants. For example, roles/compute.serviceAgent.

For a complete list of predefined IAM roles, as well as the permissions in each role, see https://cloud.google.com/iam/help/roles/reference.

string role = 2;

Indicates whether the role granted by this binding contains the specified permission.

.google.cloud.policytroubleshooter.v1.BindingExplanation.RolePermission role_permission = 3;

The relevance of the permission's existence, or nonexistence, in the role to the overall determination for the entire policy.

.google.cloud.policytroubleshooter.v1.HeuristicRelevance role_permission_relevance = 4;

The relevance of the permission's existence, or nonexistence, in the role to the overall determination for the entire policy.

.google.cloud.policytroubleshooter.v1.HeuristicRelevance role_permission_relevance = 4;

Indicates whether the role granted by this binding contains the specified permission.

.google.cloud.policytroubleshooter.v1.BindingExplanation.RolePermission role_permission = 3;

A condition expression that prevents this binding from granting access unless the expression evaluates to true.

To learn about IAM Conditions, see https://cloud.google.com/iam/help/conditions/overview.

.google.type.Expr condition = 7;