Class DenyRule.Builder (1.24.0) 

public static final class DenyRule.Builder extends GeneratedMessageV3.Builder<DenyRule.Builder> implements DenyRuleOrBuilder

A deny rule in an IAM deny policy.

Protobuf type google.iam.v2beta.DenyRule

Inheritance

Object > AbstractMessageLite.Builder<MessageType,BuilderType> > AbstractMessage.Builder<BuilderType> > GeneratedMessageV3.Builder > DenyRule.Builder

Implements

DenyRuleOrBuilder

Static Methods

getDescriptor()

public static final Descriptors.Descriptor getDescriptor()
Returns
TypeDescription
Descriptor

Methods

addAllDeniedPermissions(Iterable<String> values)

public DenyRule.Builder addAllDeniedPermissions(Iterable<String> values)

The permissions that are explicitly denied by this rule. Each permission uses the format {service_fqdn}/{resource}.{verb}, where {service_fqdn} is the fully qualified domain name for the service. For example, iam.googleapis.com/roles.list.

repeated string denied_permissions = 3;

Parameter
NameDescription
valuesIterable<String>

The deniedPermissions to add.

Returns
TypeDescription
DenyRule.Builder

This builder for chaining.

addAllDeniedPrincipals(Iterable<String> values)

public DenyRule.Builder addAllDeniedPrincipals(Iterable<String> values)

The identities that are prevented from using one or more permissions on Google Cloud resources. This field can contain the following values:

  • principalSet://goog/public:all: A special identifier that represents any principal that is on the internet, even if they do not have a Google Account or are not logged in.

  • principal://goog/subject/{email_id}: A specific Google Account. Includes Gmail, Cloud Identity, and Google Workspace user accounts. For example, principal://goog/subject/alice@example.com.

  • deleted:principal://goog/subject/{email_id}?uid={uid}: A specific Google Account that was deleted recently. For example, deleted:principal://goog/subject/alice@example.com?uid=1234567890. If the Google Account is recovered, this identifier reverts to the standard identifier for a Google Account.

  • principalSet://goog/group/{group_id}: A Google group. For example, principalSet://goog/group/admins@example.com.

  • deleted:principalSet://goog/group/{group_id}?uid={uid}: A Google group that was deleted recently. For example, deleted:principalSet://goog/group/admins@example.com?uid=1234567890. If the Google group is restored, this identifier reverts to the standard identifier for a Google group.

  • principal://iam.googleapis.com/projects/-/serviceAccounts/{service_account_id}: A Google Cloud service account. For example, principal://iam.googleapis.com/projects/-/serviceAccounts/my-service-account@iam.gserviceaccount.com.

  • deleted:principal://iam.googleapis.com/projects/-/serviceAccounts/{service_account_id}?uid={uid}: A Google Cloud service account that was deleted recently. For example, deleted:principal://iam.googleapis.com/projects/-/serviceAccounts/my-service-account@iam.gserviceaccount.com?uid=1234567890. If the service account is undeleted, this identifier reverts to the standard identifier for a service account.

  • principalSet://goog/cloudIdentityCustomerId/{customer_id}: All of the principals associated with the specified Google Workspace or Cloud Identity customer ID. For example, principalSet://goog/cloudIdentityCustomerId/C01Abc35.

repeated string denied_principals = 1;

Parameter
NameDescription
valuesIterable<String>

The deniedPrincipals to add.

Returns
TypeDescription
DenyRule.Builder

This builder for chaining.

addAllExceptionPermissions(Iterable<String> values)

public DenyRule.Builder addAllExceptionPermissions(Iterable<String> values)

Specifies the permissions that this rule excludes from the set of denied permissions given by denied_permissions. If a permission appears in denied_permissions and in exception_permissions then it will not be denied.

The excluded permissions can be specified using the same syntax as denied_permissions.

repeated string exception_permissions = 4;

Parameter
NameDescription
valuesIterable<String>

The exceptionPermissions to add.

Returns
TypeDescription
DenyRule.Builder

This builder for chaining.

addAllExceptionPrincipals(Iterable<String> values)

public DenyRule.Builder addAllExceptionPrincipals(Iterable<String> values)

The identities that are excluded from the deny rule, even if they are listed in the denied_principals. For example, you could add a Google group to the denied_principals, then exclude specific users who belong to that group.

This field can contain the same values as the denied_principals field, excluding principalSet://goog/public:all, which represents all users on the internet.

repeated string exception_principals = 2;

Parameter
NameDescription
valuesIterable<String>

The exceptionPrincipals to add.

Returns
TypeDescription
DenyRule.Builder

This builder for chaining.

addDeniedPermissions(String value)

public DenyRule.Builder addDeniedPermissions(String value)

The permissions that are explicitly denied by this rule. Each permission uses the format {service_fqdn}/{resource}.{verb}, where {service_fqdn} is the fully qualified domain name for the service. For example, iam.googleapis.com/roles.list.

repeated string denied_permissions = 3;

Parameter
NameDescription
valueString

The deniedPermissions to add.

Returns
TypeDescription
DenyRule.Builder

This builder for chaining.

addDeniedPermissionsBytes(ByteString value)

public DenyRule.Builder addDeniedPermissionsBytes(ByteString value)

The permissions that are explicitly denied by this rule. Each permission uses the format {service_fqdn}/{resource}.{verb}, where {service_fqdn} is the fully qualified domain name for the service. For example, iam.googleapis.com/roles.list.

repeated string denied_permissions = 3;

Parameter
NameDescription
valueByteString

The bytes of the deniedPermissions to add.

Returns
TypeDescription
DenyRule.Builder

This builder for chaining.

addDeniedPrincipals(String value)

public DenyRule.Builder addDeniedPrincipals(String value)

The identities that are prevented from using one or more permissions on Google Cloud resources. This field can contain the following values:

  • principalSet://goog/public:all: A special identifier that represents any principal that is on the internet, even if they do not have a Google Account or are not logged in.

  • principal://goog/subject/{email_id}: A specific Google Account. Includes Gmail, Cloud Identity, and Google Workspace user accounts. For example, principal://goog/subject/alice@example.com.

  • deleted:principal://goog/subject/{email_id}?uid={uid}: A specific Google Account that was deleted recently. For example, deleted:principal://goog/subject/alice@example.com?uid=1234567890. If the Google Account is recovered, this identifier reverts to the standard identifier for a Google Account.

  • principalSet://goog/group/{group_id}: A Google group. For example, principalSet://goog/group/admins@example.com.

  • deleted:principalSet://goog/group/{group_id}?uid={uid}: A Google group that was deleted recently. For example, deleted:principalSet://goog/group/admins@example.com?uid=1234567890. If the Google group is restored, this identifier reverts to the standard identifier for a Google group.

  • principal://iam.googleapis.com/projects/-/serviceAccounts/{service_account_id}: A Google Cloud service account. For example, principal://iam.googleapis.com/projects/-/serviceAccounts/my-service-account@iam.gserviceaccount.com.

  • deleted:principal://iam.googleapis.com/projects/-/serviceAccounts/{service_account_id}?uid={uid}: A Google Cloud service account that was deleted recently. For example, deleted:principal://iam.googleapis.com/projects/-/serviceAccounts/my-service-account@iam.gserviceaccount.com?uid=1234567890. If the service account is undeleted, this identifier reverts to the standard identifier for a service account.

  • principalSet://goog/cloudIdentityCustomerId/{customer_id}: All of the principals associated with the specified Google Workspace or Cloud Identity customer ID. For example, principalSet://goog/cloudIdentityCustomerId/C01Abc35.

repeated string denied_principals = 1;

Parameter
NameDescription
valueString

The deniedPrincipals to add.

Returns
TypeDescription
DenyRule.Builder

This builder for chaining.

addDeniedPrincipalsBytes(ByteString value)

public DenyRule.Builder addDeniedPrincipalsBytes(ByteString value)

The identities that are prevented from using one or more permissions on Google Cloud resources. This field can contain the following values:

  • principalSet://goog/public:all: A special identifier that represents any principal that is on the internet, even if they do not have a Google Account or are not logged in.

  • principal://goog/subject/{email_id}: A specific Google Account. Includes Gmail, Cloud Identity, and Google Workspace user accounts. For example, principal://goog/subject/alice@example.com.

  • deleted:principal://goog/subject/{email_id}?uid={uid}: A specific Google Account that was deleted recently. For example, deleted:principal://goog/subject/alice@example.com?uid=1234567890. If the Google Account is recovered, this identifier reverts to the standard identifier for a Google Account.

  • principalSet://goog/group/{group_id}: A Google group. For example, principalSet://goog/group/admins@example.com.

  • deleted:principalSet://goog/group/{group_id}?uid={uid}: A Google group that was deleted recently. For example, deleted:principalSet://goog/group/admins@example.com?uid=1234567890. If the Google group is restored, this identifier reverts to the standard identifier for a Google group.

  • principal://iam.googleapis.com/projects/-/serviceAccounts/{service_account_id}: A Google Cloud service account. For example, principal://iam.googleapis.com/projects/-/serviceAccounts/my-service-account@iam.gserviceaccount.com.

  • deleted:principal://iam.googleapis.com/projects/-/serviceAccounts/{service_account_id}?uid={uid}: A Google Cloud service account that was deleted recently. For example, deleted:principal://iam.googleapis.com/projects/-/serviceAccounts/my-service-account@iam.gserviceaccount.com?uid=1234567890. If the service account is undeleted, this identifier reverts to the standard identifier for a service account.

  • principalSet://goog/cloudIdentityCustomerId/{customer_id}: All of the principals associated with the specified Google Workspace or Cloud Identity customer ID. For example, principalSet://goog/cloudIdentityCustomerId/C01Abc35.

repeated string denied_principals = 1;

Parameter
NameDescription
valueByteString

The bytes of the deniedPrincipals to add.

Returns
TypeDescription
DenyRule.Builder

This builder for chaining.

addExceptionPermissions(String value)

public DenyRule.Builder addExceptionPermissions(String value)

Specifies the permissions that this rule excludes from the set of denied permissions given by denied_permissions. If a permission appears in denied_permissions and in exception_permissions then it will not be denied.

The excluded permissions can be specified using the same syntax as denied_permissions.

repeated string exception_permissions = 4;

Parameter
NameDescription
valueString

The exceptionPermissions to add.

Returns
TypeDescription
DenyRule.Builder

This builder for chaining.

addExceptionPermissionsBytes(ByteString value)

public DenyRule.Builder addExceptionPermissionsBytes(ByteString value)

Specifies the permissions that this rule excludes from the set of denied permissions given by denied_permissions. If a permission appears in denied_permissions and in exception_permissions then it will not be denied.

The excluded permissions can be specified using the same syntax as denied_permissions.

repeated string exception_permissions = 4;

Parameter
NameDescription
valueByteString

The bytes of the exceptionPermissions to add.

Returns
TypeDescription
DenyRule.Builder

This builder for chaining.

addExceptionPrincipals(String value)

public DenyRule.Builder addExceptionPrincipals(String value)

The identities that are excluded from the deny rule, even if they are listed in the denied_principals. For example, you could add a Google group to the denied_principals, then exclude specific users who belong to that group.

This field can contain the same values as the denied_principals field, excluding principalSet://goog/public:all, which represents all users on the internet.

repeated string exception_principals = 2;

Parameter
NameDescription
valueString

The exceptionPrincipals to add.

Returns
TypeDescription
DenyRule.Builder

This builder for chaining.

addExceptionPrincipalsBytes(ByteString value)

public DenyRule.Builder addExceptionPrincipalsBytes(ByteString value)

The identities that are excluded from the deny rule, even if they are listed in the denied_principals. For example, you could add a Google group to the denied_principals, then exclude specific users who belong to that group.

This field can contain the same values as the denied_principals field, excluding principalSet://goog/public:all, which represents all users on the internet.

repeated string exception_principals = 2;

Parameter
NameDescription
valueByteString

The bytes of the exceptionPrincipals to add.

Returns
TypeDescription
DenyRule.Builder

This builder for chaining.

addRepeatedField(Descriptors.FieldDescriptor field, Object value)

public DenyRule.Builder addRepeatedField(Descriptors.FieldDescriptor field, Object value)
Parameters
NameDescription
fieldFieldDescriptor
valueObject
Returns
TypeDescription
DenyRule.Builder
Overrides

build()

public DenyRule build()
Returns
TypeDescription
DenyRule

buildPartial()

public DenyRule buildPartial()
Returns
TypeDescription
DenyRule

clear()

public DenyRule.Builder clear()
Returns
TypeDescription
DenyRule.Builder
Overrides

clearDenialCondition()

public DenyRule.Builder clearDenialCondition()

The condition that determines whether this deny rule applies to a request. If the condition expression evaluates to true, then the deny rule is applied; otherwise, the deny rule is not applied.

Each deny rule is evaluated independently. If this deny rule does not apply to a request, other deny rules might still apply.

The condition can use CEL functions that evaluate resource tags. Other functions and operators are not supported.

.google.type.Expr denial_condition = 5;

Returns
TypeDescription
DenyRule.Builder

clearDeniedPermissions()

public DenyRule.Builder clearDeniedPermissions()

The permissions that are explicitly denied by this rule. Each permission uses the format {service_fqdn}/{resource}.{verb}, where {service_fqdn} is the fully qualified domain name for the service. For example, iam.googleapis.com/roles.list.

repeated string denied_permissions = 3;

Returns
TypeDescription
DenyRule.Builder

This builder for chaining.

clearDeniedPrincipals()

public DenyRule.Builder clearDeniedPrincipals()

The identities that are prevented from using one or more permissions on Google Cloud resources. This field can contain the following values:

  • principalSet://goog/public:all: A special identifier that represents any principal that is on the internet, even if they do not have a Google Account or are not logged in.

  • principal://goog/subject/{email_id}: A specific Google Account. Includes Gmail, Cloud Identity, and Google Workspace user accounts. For example, principal://goog/subject/alice@example.com.

  • deleted:principal://goog/subject/{email_id}?uid={uid}: A specific Google Account that was deleted recently. For example, deleted:principal://goog/subject/alice@example.com?uid=1234567890. If the Google Account is recovered, this identifier reverts to the standard identifier for a Google Account.

  • principalSet://goog/group/{group_id}: A Google group. For example, principalSet://goog/group/admins@example.com.

  • deleted:principalSet://goog/group/{group_id}?uid={uid}: A Google group that was deleted recently. For example, deleted:principalSet://goog/group/admins@example.com?uid=1234567890. If the Google group is restored, this identifier reverts to the standard identifier for a Google group.

  • principal://iam.googleapis.com/projects/-/serviceAccounts/{service_account_id}: A Google Cloud service account. For example, principal://iam.googleapis.com/projects/-/serviceAccounts/my-service-account@iam.gserviceaccount.com.

  • deleted:principal://iam.googleapis.com/projects/-/serviceAccounts/{service_account_id}?uid={uid}: A Google Cloud service account that was deleted recently. For example, deleted:principal://iam.googleapis.com/projects/-/serviceAccounts/my-service-account@iam.gserviceaccount.com?uid=1234567890. If the service account is undeleted, this identifier reverts to the standard identifier for a service account.

  • principalSet://goog/cloudIdentityCustomerId/{customer_id}: All of the principals associated with the specified Google Workspace or Cloud Identity customer ID. For example, principalSet://goog/cloudIdentityCustomerId/C01Abc35.

repeated string denied_principals = 1;

Returns
TypeDescription
DenyRule.Builder

This builder for chaining.

clearExceptionPermissions()

public DenyRule.Builder clearExceptionPermissions()

Specifies the permissions that this rule excludes from the set of denied permissions given by denied_permissions. If a permission appears in denied_permissions and in exception_permissions then it will not be denied.

The excluded permissions can be specified using the same syntax as denied_permissions.

repeated string exception_permissions = 4;

Returns
TypeDescription
DenyRule.Builder

This builder for chaining.

clearExceptionPrincipals()

public DenyRule.Builder clearExceptionPrincipals()

The identities that are excluded from the deny rule, even if they are listed in the denied_principals. For example, you could add a Google group to the denied_principals, then exclude specific users who belong to that group.

This field can contain the same values as the denied_principals field, excluding principalSet://goog/public:all, which represents all users on the internet.

repeated string exception_principals = 2;

Returns
TypeDescription
DenyRule.Builder

This builder for chaining.

clearField(Descriptors.FieldDescriptor field)

public DenyRule.Builder clearField(Descriptors.FieldDescriptor field)
Parameter
NameDescription
fieldFieldDescriptor
Returns
TypeDescription
DenyRule.Builder
Overrides

clearOneof(Descriptors.OneofDescriptor oneof)

public DenyRule.Builder clearOneof(Descriptors.OneofDescriptor oneof)
Parameter
NameDescription
oneofOneofDescriptor
Returns
TypeDescription
DenyRule.Builder
Overrides

clone()

public DenyRule.Builder clone()
Returns
TypeDescription
DenyRule.Builder
Overrides

getDefaultInstanceForType()

public DenyRule getDefaultInstanceForType()
Returns
TypeDescription
DenyRule

getDenialCondition()

public Expr getDenialCondition()

The condition that determines whether this deny rule applies to a request. If the condition expression evaluates to true, then the deny rule is applied; otherwise, the deny rule is not applied.

Each deny rule is evaluated independently. If this deny rule does not apply to a request, other deny rules might still apply.

The condition can use CEL functions that evaluate resource tags. Other functions and operators are not supported.

.google.type.Expr denial_condition = 5;

Returns
TypeDescription
com.google.type.Expr

The denialCondition.

getDenialConditionBuilder()

public Expr.Builder getDenialConditionBuilder()

The condition that determines whether this deny rule applies to a request. If the condition expression evaluates to true, then the deny rule is applied; otherwise, the deny rule is not applied.

Each deny rule is evaluated independently. If this deny rule does not apply to a request, other deny rules might still apply.

The condition can use CEL functions that evaluate resource tags. Other functions and operators are not supported.

.google.type.Expr denial_condition = 5;

Returns
TypeDescription
com.google.type.Expr.Builder

getDenialConditionOrBuilder()

public ExprOrBuilder getDenialConditionOrBuilder()

The condition that determines whether this deny rule applies to a request. If the condition expression evaluates to true, then the deny rule is applied; otherwise, the deny rule is not applied.

Each deny rule is evaluated independently. If this deny rule does not apply to a request, other deny rules might still apply.

The condition can use CEL functions that evaluate resource tags. Other functions and operators are not supported.

.google.type.Expr denial_condition = 5;

Returns
TypeDescription
com.google.type.ExprOrBuilder

getDeniedPermissions(int index)

public String getDeniedPermissions(int index)

The permissions that are explicitly denied by this rule. Each permission uses the format {service_fqdn}/{resource}.{verb}, where {service_fqdn} is the fully qualified domain name for the service. For example, iam.googleapis.com/roles.list.

repeated string denied_permissions = 3;

Parameter
NameDescription
indexint

The index of the element to return.

Returns
TypeDescription
String

The deniedPermissions at the given index.

getDeniedPermissionsBytes(int index)

public ByteString getDeniedPermissionsBytes(int index)

The permissions that are explicitly denied by this rule. Each permission uses the format {service_fqdn}/{resource}.{verb}, where {service_fqdn} is the fully qualified domain name for the service. For example, iam.googleapis.com/roles.list.

repeated string denied_permissions = 3;

Parameter
NameDescription
indexint

The index of the value to return.

Returns
TypeDescription
ByteString

The bytes of the deniedPermissions at the given index.

getDeniedPermissionsCount()

public int getDeniedPermissionsCount()

The permissions that are explicitly denied by this rule. Each permission uses the format {service_fqdn}/{resource}.{verb}, where {service_fqdn} is the fully qualified domain name for the service. For example, iam.googleapis.com/roles.list.

repeated string denied_permissions = 3;

Returns
TypeDescription
int

The count of deniedPermissions.

getDeniedPermissionsList()

public ProtocolStringList getDeniedPermissionsList()

The permissions that are explicitly denied by this rule. Each permission uses the format {service_fqdn}/{resource}.{verb}, where {service_fqdn} is the fully qualified domain name for the service. For example, iam.googleapis.com/roles.list.

repeated string denied_permissions = 3;

Returns
TypeDescription
ProtocolStringList

A list containing the deniedPermissions.

getDeniedPrincipals(int index)

public String getDeniedPrincipals(int index)

The identities that are prevented from using one or more permissions on Google Cloud resources. This field can contain the following values:

  • principalSet://goog/public:all: A special identifier that represents any principal that is on the internet, even if they do not have a Google Account or are not logged in.

  • principal://goog/subject/{email_id}: A specific Google Account. Includes Gmail, Cloud Identity, and Google Workspace user accounts. For example, principal://goog/subject/alice@example.com.

  • deleted:principal://goog/subject/{email_id}?uid={uid}: A specific Google Account that was deleted recently. For example, deleted:principal://goog/subject/alice@example.com?uid=1234567890. If the Google Account is recovered, this identifier reverts to the standard identifier for a Google Account.

  • principalSet://goog/group/{group_id}: A Google group. For example, principalSet://goog/group/admins@example.com.

  • deleted:principalSet://goog/group/{group_id}?uid={uid}: A Google group that was deleted recently. For example, deleted:principalSet://goog/group/admins@example.com?uid=1234567890. If the Google group is restored, this identifier reverts to the standard identifier for a Google group.

  • principal://iam.googleapis.com/projects/-/serviceAccounts/{service_account_id}: A Google Cloud service account. For example, principal://iam.googleapis.com/projects/-/serviceAccounts/my-service-account@iam.gserviceaccount.com.

  • deleted:principal://iam.googleapis.com/projects/-/serviceAccounts/{service_account_id}?uid={uid}: A Google Cloud service account that was deleted recently. For example, deleted:principal://iam.googleapis.com/projects/-/serviceAccounts/my-service-account@iam.gserviceaccount.com?uid=1234567890. If the service account is undeleted, this identifier reverts to the standard identifier for a service account.

  • principalSet://goog/cloudIdentityCustomerId/{customer_id}: All of the principals associated with the specified Google Workspace or Cloud Identity customer ID. For example, principalSet://goog/cloudIdentityCustomerId/C01Abc35.

repeated string denied_principals = 1;

Parameter
NameDescription
indexint

The index of the element to return.

Returns
TypeDescription
String

The deniedPrincipals at the given index.

getDeniedPrincipalsBytes(int index)

public ByteString getDeniedPrincipalsBytes(int index)

The identities that are prevented from using one or more permissions on Google Cloud resources. This field can contain the following values:

  • principalSet://goog/public:all: A special identifier that represents any principal that is on the internet, even if they do not have a Google Account or are not logged in.

  • principal://goog/subject/{email_id}: A specific Google Account. Includes Gmail, Cloud Identity, and Google Workspace user accounts. For example, principal://goog/subject/alice@example.com.

  • deleted:principal://goog/subject/{email_id}?uid={uid}: A specific Google Account that was deleted recently. For example, deleted:principal://goog/subject/alice@example.com?uid=1234567890. If the Google Account is recovered, this identifier reverts to the standard identifier for a Google Account.

  • principalSet://goog/group/{group_id}: A Google group. For example, principalSet://goog/group/admins@example.com.

  • deleted:principalSet://goog/group/{group_id}?uid={uid}: A Google group that was deleted recently. For example, deleted:principalSet://goog/group/admins@example.com?uid=1234567890. If the Google group is restored, this identifier reverts to the standard identifier for a Google group.

  • principal://iam.googleapis.com/projects/-/serviceAccounts/{service_account_id}: A Google Cloud service account. For example, principal://iam.googleapis.com/projects/-/serviceAccounts/my-service-account@iam.gserviceaccount.com.

  • deleted:principal://iam.googleapis.com/projects/-/serviceAccounts/{service_account_id}?uid={uid}: A Google Cloud service account that was deleted recently. For example, deleted:principal://iam.googleapis.com/projects/-/serviceAccounts/my-service-account@iam.gserviceaccount.com?uid=1234567890. If the service account is undeleted, this identifier reverts to the standard identifier for a service account.

  • principalSet://goog/cloudIdentityCustomerId/{customer_id}: All of the principals associated with the specified Google Workspace or Cloud Identity customer ID. For example, principalSet://goog/cloudIdentityCustomerId/C01Abc35.

repeated string denied_principals = 1;

Parameter
NameDescription
indexint

The index of the value to return.

Returns
TypeDescription
ByteString

The bytes of the deniedPrincipals at the given index.

getDeniedPrincipalsCount()

public int getDeniedPrincipalsCount()

The identities that are prevented from using one or more permissions on Google Cloud resources. This field can contain the following values:

  • principalSet://goog/public:all: A special identifier that represents any principal that is on the internet, even if they do not have a Google Account or are not logged in.

  • principal://goog/subject/{email_id}: A specific Google Account. Includes Gmail, Cloud Identity, and Google Workspace user accounts. For example, principal://goog/subject/alice@example.com.

  • deleted:principal://goog/subject/{email_id}?uid={uid}: A specific Google Account that was deleted recently. For example, deleted:principal://goog/subject/alice@example.com?uid=1234567890. If the Google Account is recovered, this identifier reverts to the standard identifier for a Google Account.

  • principalSet://goog/group/{group_id}: A Google group. For example, principalSet://goog/group/admins@example.com.

  • deleted:principalSet://goog/group/{group_id}?uid={uid}: A Google group that was deleted recently. For example, deleted:principalSet://goog/group/admins@example.com?uid=1234567890. If the Google group is restored, this identifier reverts to the standard identifier for a Google group.

  • principal://iam.googleapis.com/projects/-/serviceAccounts/{service_account_id}: A Google Cloud service account. For example, principal://iam.googleapis.com/projects/-/serviceAccounts/my-service-account@iam.gserviceaccount.com.

  • deleted:principal://iam.googleapis.com/projects/-/serviceAccounts/{service_account_id}?uid={uid}: A Google Cloud service account that was deleted recently. For example, deleted:principal://iam.googleapis.com/projects/-/serviceAccounts/my-service-account@iam.gserviceaccount.com?uid=1234567890. If the service account is undeleted, this identifier reverts to the standard identifier for a service account.

  • principalSet://goog/cloudIdentityCustomerId/{customer_id}: All of the principals associated with the specified Google Workspace or Cloud Identity customer ID. For example, principalSet://goog/cloudIdentityCustomerId/C01Abc35.

repeated string denied_principals = 1;

Returns
TypeDescription
int

The count of deniedPrincipals.

getDeniedPrincipalsList()

public ProtocolStringList getDeniedPrincipalsList()

The identities that are prevented from using one or more permissions on Google Cloud resources. This field can contain the following values:

  • principalSet://goog/public:all: A special identifier that represents any principal that is on the internet, even if they do not have a Google Account or are not logged in.

  • principal://goog/subject/{email_id}: A specific Google Account. Includes Gmail, Cloud Identity, and Google Workspace user accounts. For example, principal://goog/subject/alice@example.com.

  • deleted:principal://goog/subject/{email_id}?uid={uid}: A specific Google Account that was deleted recently. For example, deleted:principal://goog/subject/alice@example.com?uid=1234567890. If the Google Account is recovered, this identifier reverts to the standard identifier for a Google Account.

  • principalSet://goog/group/{group_id}: A Google group. For example, principalSet://goog/group/admins@example.com.

  • deleted:principalSet://goog/group/{group_id}?uid={uid}: A Google group that was deleted recently. For example, deleted:principalSet://goog/group/admins@example.com?uid=1234567890. If the Google group is restored, this identifier reverts to the standard identifier for a Google group.

  • principal://iam.googleapis.com/projects/-/serviceAccounts/{service_account_id}: A Google Cloud service account. For example, principal://iam.googleapis.com/projects/-/serviceAccounts/my-service-account@iam.gserviceaccount.com.

  • deleted:principal://iam.googleapis.com/projects/-/serviceAccounts/{service_account_id}?uid={uid}: A Google Cloud service account that was deleted recently. For example, deleted:principal://iam.googleapis.com/projects/-/serviceAccounts/my-service-account@iam.gserviceaccount.com?uid=1234567890. If the service account is undeleted, this identifier reverts to the standard identifier for a service account.

  • principalSet://goog/cloudIdentityCustomerId/{customer_id}: All of the principals associated with the specified Google Workspace or Cloud Identity customer ID. For example, principalSet://goog/cloudIdentityCustomerId/C01Abc35.

repeated string denied_principals = 1;

Returns
TypeDescription
ProtocolStringList

A list containing the deniedPrincipals.

getDescriptorForType()

public Descriptors.Descriptor getDescriptorForType()
Returns
TypeDescription
Descriptor
Overrides

getExceptionPermissions(int index)

public String getExceptionPermissions(int index)

Specifies the permissions that this rule excludes from the set of denied permissions given by denied_permissions. If a permission appears in denied_permissions and in exception_permissions then it will not be denied.

The excluded permissions can be specified using the same syntax as denied_permissions.

repeated string exception_permissions = 4;

Parameter
NameDescription
indexint

The index of the element to return.

Returns
TypeDescription
String

The exceptionPermissions at the given index.

getExceptionPermissionsBytes(int index)

public ByteString getExceptionPermissionsBytes(int index)

Specifies the permissions that this rule excludes from the set of denied permissions given by denied_permissions. If a permission appears in denied_permissions and in exception_permissions then it will not be denied.

The excluded permissions can be specified using the same syntax as denied_permissions.

repeated string exception_permissions = 4;

Parameter
NameDescription
indexint

The index of the value to return.

Returns
TypeDescription
ByteString

The bytes of the exceptionPermissions at the given index.

getExceptionPermissionsCount()

public int getExceptionPermissionsCount()

Specifies the permissions that this rule excludes from the set of denied permissions given by denied_permissions. If a permission appears in denied_permissions and in exception_permissions then it will not be denied.

The excluded permissions can be specified using the same syntax as denied_permissions.

repeated string exception_permissions = 4;

Returns
TypeDescription
int

The count of exceptionPermissions.

getExceptionPermissionsList()

public ProtocolStringList getExceptionPermissionsList()

Specifies the permissions that this rule excludes from the set of denied permissions given by denied_permissions. If a permission appears in denied_permissions and in exception_permissions then it will not be denied.

The excluded permissions can be specified using the same syntax as denied_permissions.

repeated string exception_permissions = 4;

Returns
TypeDescription
ProtocolStringList

A list containing the exceptionPermissions.

getExceptionPrincipals(int index)

public String getExceptionPrincipals(int index)

The identities that are excluded from the deny rule, even if they are listed in the denied_principals. For example, you could add a Google group to the denied_principals, then exclude specific users who belong to that group.

This field can contain the same values as the denied_principals field, excluding principalSet://goog/public:all, which represents all users on the internet.

repeated string exception_principals = 2;

Parameter
NameDescription
indexint

The index of the element to return.

Returns
TypeDescription
String

The exceptionPrincipals at the given index.

getExceptionPrincipalsBytes(int index)

public ByteString getExceptionPrincipalsBytes(int index)

The identities that are excluded from the deny rule, even if they are listed in the denied_principals. For example, you could add a Google group to the denied_principals, then exclude specific users who belong to that group.

This field can contain the same values as the denied_principals field, excluding principalSet://goog/public:all, which represents all users on the internet.

repeated string exception_principals = 2;

Parameter
NameDescription
indexint

The index of the value to return.

Returns
TypeDescription
ByteString

The bytes of the exceptionPrincipals at the given index.

getExceptionPrincipalsCount()

public int getExceptionPrincipalsCount()

The identities that are excluded from the deny rule, even if they are listed in the denied_principals. For example, you could add a Google group to the denied_principals, then exclude specific users who belong to that group.

This field can contain the same values as the denied_principals field, excluding principalSet://goog/public:all, which represents all users on the internet.

repeated string exception_principals = 2;

Returns
TypeDescription
int

The count of exceptionPrincipals.

getExceptionPrincipalsList()

public ProtocolStringList getExceptionPrincipalsList()

The identities that are excluded from the deny rule, even if they are listed in the denied_principals. For example, you could add a Google group to the denied_principals, then exclude specific users who belong to that group.

This field can contain the same values as the denied_principals field, excluding principalSet://goog/public:all, which represents all users on the internet.

repeated string exception_principals = 2;

Returns
TypeDescription
ProtocolStringList

A list containing the exceptionPrincipals.

hasDenialCondition()

public boolean hasDenialCondition()

The condition that determines whether this deny rule applies to a request. If the condition expression evaluates to true, then the deny rule is applied; otherwise, the deny rule is not applied.

Each deny rule is evaluated independently. If this deny rule does not apply to a request, other deny rules might still apply.

The condition can use CEL functions that evaluate resource tags. Other functions and operators are not supported.

.google.type.Expr denial_condition = 5;

Returns
TypeDescription
boolean

Whether the denialCondition field is set.

internalGetFieldAccessorTable()

protected GeneratedMessageV3.FieldAccessorTable internalGetFieldAccessorTable()
Returns
TypeDescription
FieldAccessorTable
Overrides

isInitialized()

public final boolean isInitialized()
Returns
TypeDescription
boolean
Overrides

mergeDenialCondition(Expr value)

public DenyRule.Builder mergeDenialCondition(Expr value)

The condition that determines whether this deny rule applies to a request. If the condition expression evaluates to true, then the deny rule is applied; otherwise, the deny rule is not applied.

Each deny rule is evaluated independently. If this deny rule does not apply to a request, other deny rules might still apply.

The condition can use CEL functions that evaluate resource tags. Other functions and operators are not supported.

.google.type.Expr denial_condition = 5;

Parameter
NameDescription
valuecom.google.type.Expr
Returns
TypeDescription
DenyRule.Builder

mergeFrom(DenyRule other)

public DenyRule.Builder mergeFrom(DenyRule other)
Parameter
NameDescription
otherDenyRule
Returns
TypeDescription
DenyRule.Builder

mergeFrom(CodedInputStream input, ExtensionRegistryLite extensionRegistry)

public DenyRule.Builder mergeFrom(CodedInputStream input, ExtensionRegistryLite extensionRegistry)
Parameters
NameDescription
inputCodedInputStream
extensionRegistryExtensionRegistryLite
Returns
TypeDescription
DenyRule.Builder
Overrides
Exceptions
TypeDescription
IOException

mergeFrom(Message other)

public DenyRule.Builder mergeFrom(Message other)
Parameter
NameDescription
otherMessage
Returns
TypeDescription
DenyRule.Builder
Overrides

mergeUnknownFields(UnknownFieldSet unknownFields)

public final DenyRule.Builder mergeUnknownFields(UnknownFieldSet unknownFields)
Parameter
NameDescription
unknownFieldsUnknownFieldSet
Returns
TypeDescription
DenyRule.Builder
Overrides

setDenialCondition(Expr value)

public DenyRule.Builder setDenialCondition(Expr value)

The condition that determines whether this deny rule applies to a request. If the condition expression evaluates to true, then the deny rule is applied; otherwise, the deny rule is not applied.

Each deny rule is evaluated independently. If this deny rule does not apply to a request, other deny rules might still apply.

The condition can use CEL functions that evaluate resource tags. Other functions and operators are not supported.

.google.type.Expr denial_condition = 5;

Parameter
NameDescription
valuecom.google.type.Expr
Returns
TypeDescription
DenyRule.Builder

setDenialCondition(Expr.Builder builderForValue)

public DenyRule.Builder setDenialCondition(Expr.Builder builderForValue)

The condition that determines whether this deny rule applies to a request. If the condition expression evaluates to true, then the deny rule is applied; otherwise, the deny rule is not applied.

Each deny rule is evaluated independently. If this deny rule does not apply to a request, other deny rules might still apply.

The condition can use CEL functions that evaluate resource tags. Other functions and operators are not supported.

.google.type.Expr denial_condition = 5;

Parameter
NameDescription
builderForValuecom.google.type.Expr.Builder
Returns
TypeDescription
DenyRule.Builder

setDeniedPermissions(int index, String value)

public DenyRule.Builder setDeniedPermissions(int index, String value)

The permissions that are explicitly denied by this rule. Each permission uses the format {service_fqdn}/{resource}.{verb}, where {service_fqdn} is the fully qualified domain name for the service. For example, iam.googleapis.com/roles.list.

repeated string denied_permissions = 3;

Parameters
NameDescription
indexint

The index to set the value at.

valueString

The deniedPermissions to set.

Returns
TypeDescription
DenyRule.Builder

This builder for chaining.

setDeniedPrincipals(int index, String value)

public DenyRule.Builder setDeniedPrincipals(int index, String value)

The identities that are prevented from using one or more permissions on Google Cloud resources. This field can contain the following values:

  • principalSet://goog/public:all: A special identifier that represents any principal that is on the internet, even if they do not have a Google Account or are not logged in.

  • principal://goog/subject/{email_id}: A specific Google Account. Includes Gmail, Cloud Identity, and Google Workspace user accounts. For example, principal://goog/subject/alice@example.com.

  • deleted:principal://goog/subject/{email_id}?uid={uid}: A specific Google Account that was deleted recently. For example, deleted:principal://goog/subject/alice@example.com?uid=1234567890. If the Google Account is recovered, this identifier reverts to the standard identifier for a Google Account.

  • principalSet://goog/group/{group_id}: A Google group. For example, principalSet://goog/group/admins@example.com.

  • deleted:principalSet://goog/group/{group_id}?uid={uid}: A Google group that was deleted recently. For example, deleted:principalSet://goog/group/admins@example.com?uid=1234567890. If the Google group is restored, this identifier reverts to the standard identifier for a Google group.

  • principal://iam.googleapis.com/projects/-/serviceAccounts/{service_account_id}: A Google Cloud service account. For example, principal://iam.googleapis.com/projects/-/serviceAccounts/my-service-account@iam.gserviceaccount.com.

  • deleted:principal://iam.googleapis.com/projects/-/serviceAccounts/{service_account_id}?uid={uid}: A Google Cloud service account that was deleted recently. For example, deleted:principal://iam.googleapis.com/projects/-/serviceAccounts/my-service-account@iam.gserviceaccount.com?uid=1234567890. If the service account is undeleted, this identifier reverts to the standard identifier for a service account.

  • principalSet://goog/cloudIdentityCustomerId/{customer_id}: All of the principals associated with the specified Google Workspace or Cloud Identity customer ID. For example, principalSet://goog/cloudIdentityCustomerId/C01Abc35.

repeated string denied_principals = 1;

Parameters
NameDescription
indexint

The index to set the value at.

valueString

The deniedPrincipals to set.

Returns
TypeDescription
DenyRule.Builder

This builder for chaining.

setExceptionPermissions(int index, String value)

public DenyRule.Builder setExceptionPermissions(int index, String value)

Specifies the permissions that this rule excludes from the set of denied permissions given by denied_permissions. If a permission appears in denied_permissions and in exception_permissions then it will not be denied.

The excluded permissions can be specified using the same syntax as denied_permissions.

repeated string exception_permissions = 4;

Parameters
NameDescription
indexint

The index to set the value at.

valueString

The exceptionPermissions to set.

Returns
TypeDescription
DenyRule.Builder

This builder for chaining.

setExceptionPrincipals(int index, String value)

public DenyRule.Builder setExceptionPrincipals(int index, String value)

The identities that are excluded from the deny rule, even if they are listed in the denied_principals. For example, you could add a Google group to the denied_principals, then exclude specific users who belong to that group.

This field can contain the same values as the denied_principals field, excluding principalSet://goog/public:all, which represents all users on the internet.

repeated string exception_principals = 2;

Parameters
NameDescription
indexint

The index to set the value at.

valueString

The exceptionPrincipals to set.

Returns
TypeDescription
DenyRule.Builder

This builder for chaining.

setField(Descriptors.FieldDescriptor field, Object value)

public DenyRule.Builder setField(Descriptors.FieldDescriptor field, Object value)
Parameters
NameDescription
fieldFieldDescriptor
valueObject
Returns
TypeDescription
DenyRule.Builder
Overrides

setRepeatedField(Descriptors.FieldDescriptor field, int index, Object value)

public DenyRule.Builder setRepeatedField(Descriptors.FieldDescriptor field, int index, Object value)
Parameters
NameDescription
fieldFieldDescriptor
indexint
valueObject
Returns
TypeDescription
DenyRule.Builder
Overrides

setUnknownFields(UnknownFieldSet unknownFields)

public final DenyRule.Builder setUnknownFields(UnknownFieldSet unknownFields)
Parameter
NameDescription
unknownFieldsUnknownFieldSet
Returns
TypeDescription
DenyRule.Builder
Overrides