public static final class DenyRule.Builder extends GeneratedMessageV3.Builder<DenyRule.Builder> implements DenyRuleOrBuilder
A deny rule in an IAM deny policy.
Protobuf type google.iam.v2beta.DenyRule
Inheritance
Object > AbstractMessageLite.Builder<MessageType,BuilderType> > AbstractMessage.Builder<BuilderType> > GeneratedMessageV3.Builder > DenyRule.Builder
Implements
DenyRuleOrBuilder
Static Methods
getDescriptor()
public static final Descriptors.Descriptor getDescriptor()
Type | Description |
Descriptor |
Methods
addAllDeniedPermissions(Iterable<String> values)
public DenyRule.Builder addAllDeniedPermissions(Iterable<String> values)
The permissions that are explicitly denied by this rule. Each permission uses the format {service_fqdn}/{resource}.{verb}, where {service_fqdn} is the fully qualified domain name for the service. For example, iam.googleapis.com/roles.list.
repeated string denied_permissions = 3;
Name | Description |
values | Iterable<String> The deniedPermissions to add. |
Type | Description |
DenyRule.Builder | This builder for chaining. |
addAllDeniedPrincipals(Iterable<String> values)
public DenyRule.Builder addAllDeniedPrincipals(Iterable<String> values)
The identities that are prevented from using one or more permissions on Google Cloud resources. This field can contain the following values:
principalSet://goog/public:all: A special identifier that represents any user who is on the internet, even if they do not have a Google Account or are not logged in.
principal://goog/subject/{email_id}: A specific Google Account. Includes Gmail, Cloud Identity, and Google Workspace user accounts. For example, principal://goog/subject/alice@example.com.
deleted:principal://goog/subject/{email_id}?uid={uid}: A specific Google Account that was deleted recently. For example, deleted:principal://goog/subject/alice@example.com?uid=1234567890. If the Google Account is recovered, this identifier reverts to the standard identifier for a Google Account.
principalSet://goog/group/{group_id}: A Google group. For example, principalSet://goog/group/admins@example.com.
deleted:principalSet://goog/group/{group_id}?uid={uid}: A Google group that was deleted recently. For example, deleted:principalSet://goog/group/admins@example.com?uid=1234567890. If the Google group is restored, this identifier reverts to the standard identifier for a Google group.
principal://iam.googleapis.com/projects/-/serviceAccounts/{service_account_id}: A Google Cloud service account. For example, principal://iam.googleapis.com/projects/-/serviceAccounts/my-service-account@iam.gserviceaccount.com.
deleted:principal://iam.googleapis.com/projects/-/serviceAccounts/{service_account_id}?uid={uid}: A Google Cloud service account that was deleted recently. For example, deleted:principal://iam.googleapis.com/projects/-/serviceAccounts/my-service-account@iam.gserviceaccount.com?uid=1234567890. If the service account is undeleted, this identifier reverts to the standard identifier for a service account.
principalSet://goog/cloudIdentityCustomerId/{customer_id}: All of the principals associated with the specified Google Workspace or Cloud Identity customer ID. For example, principalSet://goog/cloudIdentityCustomerId/C01Abc35.
repeated string denied_principals = 1;
Name | Description |
values | Iterable<String> The deniedPrincipals to add. |
Type | Description |
DenyRule.Builder | This builder for chaining. |
addAllExceptionPermissions(Iterable<String> values)
public DenyRule.Builder addAllExceptionPermissions(Iterable<String> values)
Specifies the permissions that this rule excludes from the set of denied permissions given by denied_permissions. If a permission appears in denied_permissions and in exception_permissions then it will not be denied.
The excluded permissions can be specified using the same syntax as denied_permissions.
repeated string exception_permissions = 4;
Name | Description |
values | Iterable<String> The exceptionPermissions to add. |
Type | Description |
DenyRule.Builder | This builder for chaining. |
addAllExceptionPrincipals(Iterable<String> values)
public DenyRule.Builder addAllExceptionPrincipals(Iterable<String> values)
The identities that are excluded from the deny rule, even if they are listed in the denied_principals. For example, you could add a Google group to the denied_principals, then exclude specific users who belong to that group.
This field can contain the same values as the denied_principals field, excluding principalSet://goog/public:all, which represents all users on the internet.
repeated string exception_principals = 2;
Name | Description |
values | Iterable<String> The exceptionPrincipals to add. |
Type | Description |
DenyRule.Builder | This builder for chaining. |
addDeniedPermissions(String value)
public DenyRule.Builder addDeniedPermissions(String value)
The permissions that are explicitly denied by this rule. Each permission uses the format {service_fqdn}/{resource}.{verb}, where {service_fqdn} is the fully qualified domain name for the service. For example, iam.googleapis.com/roles.list.
repeated string denied_permissions = 3;
Name | Description |
value | String The deniedPermissions to add. |
Type | Description |
DenyRule.Builder | This builder for chaining. |
addDeniedPermissionsBytes(ByteString value)
public DenyRule.Builder addDeniedPermissionsBytes(ByteString value)
The permissions that are explicitly denied by this rule. Each permission uses the format {service_fqdn}/{resource}.{verb}, where {service_fqdn} is the fully qualified domain name for the service. For example, iam.googleapis.com/roles.list.
repeated string denied_permissions = 3;
Name | Description |
value | ByteString The bytes of the deniedPermissions to add. |
Type | Description |
DenyRule.Builder | This builder for chaining. |
addDeniedPrincipals(String value)
public DenyRule.Builder addDeniedPrincipals(String value)
The identities that are prevented from using one or more permissions on Google Cloud resources. This field can contain the following values:
principalSet://goog/public:all: A special identifier that represents any user who is on the internet, even if they do not have a Google Account or are not logged in.
principal://goog/subject/{email_id}: A specific Google Account. Includes Gmail, Cloud Identity, and Google Workspace user accounts. For example, principal://goog/subject/alice@example.com.
deleted:principal://goog/subject/{email_id}?uid={uid}: A specific Google Account that was deleted recently. For example, deleted:principal://goog/subject/alice@example.com?uid=1234567890. If the Google Account is recovered, this identifier reverts to the standard identifier for a Google Account.
principalSet://goog/group/{group_id}: A Google group. For example, principalSet://goog/group/admins@example.com.
deleted:principalSet://goog/group/{group_id}?uid={uid}: A Google group that was deleted recently. For example, deleted:principalSet://goog/group/admins@example.com?uid=1234567890. If the Google group is restored, this identifier reverts to the standard identifier for a Google group.
principal://iam.googleapis.com/projects/-/serviceAccounts/{service_account_id}: A Google Cloud service account. For example, principal://iam.googleapis.com/projects/-/serviceAccounts/my-service-account@iam.gserviceaccount.com.
deleted:principal://iam.googleapis.com/projects/-/serviceAccounts/{service_account_id}?uid={uid}: A Google Cloud service account that was deleted recently. For example, deleted:principal://iam.googleapis.com/projects/-/serviceAccounts/my-service-account@iam.gserviceaccount.com?uid=1234567890. If the service account is undeleted, this identifier reverts to the standard identifier for a service account.
principalSet://goog/cloudIdentityCustomerId/{customer_id}: All of the principals associated with the specified Google Workspace or Cloud Identity customer ID. For example, principalSet://goog/cloudIdentityCustomerId/C01Abc35.
repeated string denied_principals = 1;
Name | Description |
value | String The deniedPrincipals to add. |
Type | Description |
DenyRule.Builder | This builder for chaining. |
addDeniedPrincipalsBytes(ByteString value)
public DenyRule.Builder addDeniedPrincipalsBytes(ByteString value)
The identities that are prevented from using one or more permissions on Google Cloud resources. This field can contain the following values:
principalSet://goog/public:all: A special identifier that represents any user who is on the internet, even if they do not have a Google Account or are not logged in.
principal://goog/subject/{email_id}: A specific Google Account. Includes Gmail, Cloud Identity, and Google Workspace user accounts. For example, principal://goog/subject/alice@example.com.
deleted:principal://goog/subject/{email_id}?uid={uid}: A specific Google Account that was deleted recently. For example, deleted:principal://goog/subject/alice@example.com?uid=1234567890. If the Google Account is recovered, this identifier reverts to the standard identifier for a Google Account.
principalSet://goog/group/{group_id}: A Google group. For example, principalSet://goog/group/admins@example.com.
deleted:principalSet://goog/group/{group_id}?uid={uid}: A Google group that was deleted recently. For example, deleted:principalSet://goog/group/admins@example.com?uid=1234567890. If the Google group is restored, this identifier reverts to the standard identifier for a Google group.
principal://iam.googleapis.com/projects/-/serviceAccounts/{service_account_id}: A Google Cloud service account. For example, principal://iam.googleapis.com/projects/-/serviceAccounts/my-service-account@iam.gserviceaccount.com.
deleted:principal://iam.googleapis.com/projects/-/serviceAccounts/{service_account_id}?uid={uid}: A Google Cloud service account that was deleted recently. For example, deleted:principal://iam.googleapis.com/projects/-/serviceAccounts/my-service-account@iam.gserviceaccount.com?uid=1234567890. If the service account is undeleted, this identifier reverts to the standard identifier for a service account.
principalSet://goog/cloudIdentityCustomerId/{customer_id}: All of the principals associated with the specified Google Workspace or Cloud Identity customer ID. For example, principalSet://goog/cloudIdentityCustomerId/C01Abc35.
repeated string denied_principals = 1;
Name | Description |
value | ByteString The bytes of the deniedPrincipals to add. |
Type | Description |
DenyRule.Builder | This builder for chaining. |
addExceptionPermissions(String value)
public DenyRule.Builder addExceptionPermissions(String value)
Specifies the permissions that this rule excludes from the set of denied permissions given by denied_permissions. If a permission appears in denied_permissions and in exception_permissions then it will not be denied.
The excluded permissions can be specified using the same syntax as denied_permissions.
repeated string exception_permissions = 4;
Name | Description |
value | String The exceptionPermissions to add. |
Type | Description |
DenyRule.Builder | This builder for chaining. |
addExceptionPermissionsBytes(ByteString value)
public DenyRule.Builder addExceptionPermissionsBytes(ByteString value)
Specifies the permissions that this rule excludes from the set of denied permissions given by denied_permissions. If a permission appears in denied_permissions and in exception_permissions then it will not be denied.
The excluded permissions can be specified using the same syntax as denied_permissions.
repeated string exception_permissions = 4;
Name | Description |
value | ByteString The bytes of the exceptionPermissions to add. |
Type | Description |
DenyRule.Builder | This builder for chaining. |
addExceptionPrincipals(String value)
public DenyRule.Builder addExceptionPrincipals(String value)
The identities that are excluded from the deny rule, even if they are listed in the denied_principals. For example, you could add a Google group to the denied_principals, then exclude specific users who belong to that group.
This field can contain the same values as the denied_principals field, excluding principalSet://goog/public:all, which represents all users on the internet.
repeated string exception_principals = 2;
Name | Description |
value | String The exceptionPrincipals to add. |
Type | Description |
DenyRule.Builder | This builder for chaining. |
addExceptionPrincipalsBytes(ByteString value)
public DenyRule.Builder addExceptionPrincipalsBytes(ByteString value)
The identities that are excluded from the deny rule, even if they are listed in the denied_principals. For example, you could add a Google group to the denied_principals, then exclude specific users who belong to that group.
This field can contain the same values as the denied_principals field, excluding principalSet://goog/public:all, which represents all users on the internet.
repeated string exception_principals = 2;
Name | Description |
value | ByteString The bytes of the exceptionPrincipals to add. |
Type | Description |
DenyRule.Builder | This builder for chaining. |
addRepeatedField(Descriptors.FieldDescriptor field, Object value)
public DenyRule.Builder addRepeatedField(Descriptors.FieldDescriptor field, Object value)
Name | Description |
field | FieldDescriptor |
value | Object |
Type | Description |
DenyRule.Builder |
build()
public DenyRule build()
Type | Description |
DenyRule |
buildPartial()
public DenyRule buildPartial()
Type | Description |
DenyRule |
clear()
public DenyRule.Builder clear()
Type | Description |
DenyRule.Builder |
clearDenialCondition()
public DenyRule.Builder clearDenialCondition()
The condition that determines whether this deny rule applies to a request. If the condition expression evaluates to true, then the deny rule is applied; otherwise, the deny rule is not applied.
Each deny rule is evaluated independently. If this deny rule does not apply to a request, other deny rules might still apply.
The condition can use CEL functions that evaluate resource tags. Other functions and operators are not supported.
.google.type.Expr denial_condition = 5;
Type | Description |
DenyRule.Builder |
clearDeniedPermissions()
public DenyRule.Builder clearDeniedPermissions()
The permissions that are explicitly denied by this rule. Each permission uses the format {service_fqdn}/{resource}.{verb}, where {service_fqdn} is the fully qualified domain name for the service. For example, iam.googleapis.com/roles.list.
repeated string denied_permissions = 3;
Type | Description |
DenyRule.Builder | This builder for chaining. |
clearDeniedPrincipals()
public DenyRule.Builder clearDeniedPrincipals()
The identities that are prevented from using one or more permissions on Google Cloud resources. This field can contain the following values:
principalSet://goog/public:all: A special identifier that represents any user who is on the internet, even if they do not have a Google Account or are not logged in.
principal://goog/subject/{email_id}: A specific Google Account. Includes Gmail, Cloud Identity, and Google Workspace user accounts. For example, principal://goog/subject/alice@example.com.
deleted:principal://goog/subject/{email_id}?uid={uid}: A specific Google Account that was deleted recently. For example, deleted:principal://goog/subject/alice@example.com?uid=1234567890. If the Google Account is recovered, this identifier reverts to the standard identifier for a Google Account.
principalSet://goog/group/{group_id}: A Google group. For example, principalSet://goog/group/admins@example.com.
deleted:principalSet://goog/group/{group_id}?uid={uid}: A Google group that was deleted recently. For example, deleted:principalSet://goog/group/admins@example.com?uid=1234567890. If the Google group is restored, this identifier reverts to the standard identifier for a Google group.
principal://iam.googleapis.com/projects/-/serviceAccounts/{service_account_id}: A Google Cloud service account. For example, principal://iam.googleapis.com/projects/-/serviceAccounts/my-service-account@iam.gserviceaccount.com.
deleted:principal://iam.googleapis.com/projects/-/serviceAccounts/{service_account_id}?uid={uid}: A Google Cloud service account that was deleted recently. For example, deleted:principal://iam.googleapis.com/projects/-/serviceAccounts/my-service-account@iam.gserviceaccount.com?uid=1234567890. If the service account is undeleted, this identifier reverts to the standard identifier for a service account.
principalSet://goog/cloudIdentityCustomerId/{customer_id}: All of the principals associated with the specified Google Workspace or Cloud Identity customer ID. For example, principalSet://goog/cloudIdentityCustomerId/C01Abc35.
repeated string denied_principals = 1;
Type | Description |
DenyRule.Builder | This builder for chaining. |
clearExceptionPermissions()
public DenyRule.Builder clearExceptionPermissions()
Specifies the permissions that this rule excludes from the set of denied permissions given by denied_permissions. If a permission appears in denied_permissions and in exception_permissions then it will not be denied.
The excluded permissions can be specified using the same syntax as denied_permissions.
repeated string exception_permissions = 4;
Type | Description |
DenyRule.Builder | This builder for chaining. |
clearExceptionPrincipals()
public DenyRule.Builder clearExceptionPrincipals()
The identities that are excluded from the deny rule, even if they are listed in the denied_principals. For example, you could add a Google group to the denied_principals, then exclude specific users who belong to that group.
This field can contain the same values as the denied_principals field, excluding principalSet://goog/public:all, which represents all users on the internet.
repeated string exception_principals = 2;
Type | Description |
DenyRule.Builder | This builder for chaining. |
clearField(Descriptors.FieldDescriptor field)
public DenyRule.Builder clearField(Descriptors.FieldDescriptor field)
Name | Description |
field | FieldDescriptor |
Type | Description |
DenyRule.Builder |
clearOneof(Descriptors.OneofDescriptor oneof)
public DenyRule.Builder clearOneof(Descriptors.OneofDescriptor oneof)
Name | Description |
oneof | OneofDescriptor |
Type | Description |
DenyRule.Builder |
clone()
public DenyRule.Builder clone()
Type | Description |
DenyRule.Builder |
getDefaultInstanceForType()
public DenyRule getDefaultInstanceForType()
Type | Description |
DenyRule |
getDenialCondition()
public Expr getDenialCondition()
The condition that determines whether this deny rule applies to a request. If the condition expression evaluates to true, then the deny rule is applied; otherwise, the deny rule is not applied.
Each deny rule is evaluated independently. If this deny rule does not apply to a request, other deny rules might still apply.
The condition can use CEL functions that evaluate resource tags. Other functions and operators are not supported.
.google.type.Expr denial_condition = 5;
Type | Description |
com.google.type.Expr | The denialCondition. |
getDenialConditionBuilder()
public Expr.Builder getDenialConditionBuilder()
The condition that determines whether this deny rule applies to a request. If the condition expression evaluates to true, then the deny rule is applied; otherwise, the deny rule is not applied.
Each deny rule is evaluated independently. If this deny rule does not apply to a request, other deny rules might still apply.
The condition can use CEL functions that evaluate resource tags. Other functions and operators are not supported.
.google.type.Expr denial_condition = 5;
Type | Description |
com.google.type.Expr.Builder |
getDenialConditionOrBuilder()
public ExprOrBuilder getDenialConditionOrBuilder()
The condition that determines whether this deny rule applies to a request. If the condition expression evaluates to true, then the deny rule is applied; otherwise, the deny rule is not applied.
Each deny rule is evaluated independently. If this deny rule does not apply to a request, other deny rules might still apply.
The condition can use CEL functions that evaluate resource tags. Other functions and operators are not supported.
.google.type.Expr denial_condition = 5;
Type | Description |
com.google.type.ExprOrBuilder |
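The following is an added example, not code from this reference or from the client library: it builds a rule with the builder methods documented here and runs pre-flight checks derived from the field descriptions (principal identifier forms, the permission format, the ban on principalSet://goog/public:all in exception_principals, and exceptions that match no denied permission). DenyRuleLint, lint and isKnownPrincipal are hypothetical names, the permission regex is a strict reading of {service_fqdn}/{resource}.{verb}, the tag key and value in the CEL expression are constructed, and the library providing com.google.iam.v2beta.DenyRule is assumed to be on the classpath.

```java
import com.google.iam.v2beta.DenyRule;
import com.google.iam.v2beta.DenyRuleOrBuilder;
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Pattern;

/** Added example: checks a DenyRule against the field rules documented on this page. */
public final class DenyRuleLint {
  static final String PUBLIC_ALL = "principalSet://goog/public:all";

  // Identifier prefixes listed in the denied_principals description.
  private static final List<String> PRINCIPAL_PREFIXES = List.of(
      "principal://goog/subject/",
      "principalSet://goog/group/",
      "principal://iam.googleapis.com/projects/-/serviceAccounts/",
      "principalSet://goog/cloudIdentityCustomerId/");

  // Assumption: strict reading of {service_fqdn}/{resource}.{verb}.
  private static final Pattern PERMISSION =
      Pattern.compile("^[a-z0-9-]+(\\.[a-z0-9-]+)+/[A-Za-z0-9]+(\\.[A-Za-z0-9]+)+$");

  static boolean isKnownPrincipal(String id) {
    if (id.equals(PUBLIC_ALL)) {
      return true;
    }
    boolean deleted = id.startsWith("deleted:");
    String body = deleted ? id.substring("deleted:".length()) : id;
    // Recently deleted identities carry a ?uid={uid} suffix; live ones do not.
    if (deleted != body.contains("?uid=")) {
      return false;
    }
    for (String prefix : PRINCIPAL_PREFIXES) {
      if (body.startsWith(prefix) && body.length() > prefix.length()) {
        return true;
      }
    }
    return false;
  }

  /** Returns one human-readable finding per problem; an empty list means no findings. */
  static List<String> lint(DenyRuleOrBuilder rule) {
    List<String> findings = new ArrayList<>();
    for (String p : rule.getDeniedPrincipalsList()) {
      if (!isKnownPrincipal(p)) {
        findings.add("denied_principals: unrecognized identifier " + p);
      }
    }
    for (String p : rule.getExceptionPrincipalsList()) {
      if (p.equals(PUBLIC_ALL)) {
        findings.add("exception_principals: " + PUBLIC_ALL + " is not allowed in this field");
      } else if (!isKnownPrincipal(p)) {
        findings.add("exception_principals: unrecognized identifier " + p);
      }
    }
    List<String> denied = rule.getDeniedPermissionsList();
    for (String perm : denied) {
      if (!PERMISSION.matcher(perm).matches()) {
        findings.add("denied_permissions: malformed permission " + perm);
      }
    }
    for (String perm : rule.getExceptionPermissionsList()) {
      if (!PERMISSION.matcher(perm).matches()) {
        findings.add("exception_permissions: malformed permission " + perm);
      } else if (!denied.contains(perm)) {
        // An exception only removes a permission that denied_permissions lists.
        findings.add("exception_permissions: " + perm + " is not denied, so it has no effect");
      }
    }
    return findings;
  }

  public static void main(String[] args) {
    // Constructed sample rule with three deliberate mistakes.
    DenyRule.Builder builder = DenyRule.newBuilder()
        .addDeniedPrincipals("principalSet://goog/group/admins@example.com")
        .addExceptionPrincipals("principal://goog/subject/alice@example.com")
        .addExceptionPrincipals(PUBLIC_ALL)                        // not allowed here
        .addDeniedPermissions("iam.googleapis.com/roles.list")
        .addDeniedPermissions("roles.list")                        // missing service FQDN
        .addExceptionPermissions("iam.googleapis.com/roles.get");  // never denied

    // denial_condition is a google.type.Expr; only resource-tag CEL functions are supported.
    builder.getDenialConditionBuilder()
        .setExpression("resource.matchTag('12345678/env', 'prod')");

    List<String> findings = lint(builder);
    findings.forEach(System.out::println);
    if (findings.isEmpty()) {
      DenyRule rule = builder.build();
      System.out.println("rule is ready: " + rule.getDeniedPermissionsCount() + " permission(s) denied");
    }
  }
}
```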
getDeniedPermissions(int index)
public String getDeniedPermissions(int index)
The permissions that are explicitly denied by this rule. Each permission uses the format {service_fqdn}/{resource}.{verb}, where {service_fqdn} is the fully qualified domain name for the service. For example, iam.googleapis.com/roles.list.
repeated string denied_permissions = 3;
Name | Description |
index | int The index of the element to return. |
Type | Description |
String | The deniedPermissions at the given index. |
getDeniedPermissionsBytes(int index)
public ByteString getDeniedPermissionsBytes(int index)
The permissions that are explicitly denied by this rule. Each permission uses the format {service_fqdn}/{resource}.{verb}, where {service_fqdn} is the fully qualified domain name for the service. For example, iam.googleapis.com/roles.list.
repeated string denied_permissions = 3;
Name | Description |
index | int The index of the value to return. |
Type | Description |
ByteString | The bytes of the deniedPermissions at the given index. |
getDeniedPermissionsCount()
public int getDeniedPermissionsCount()
The permissions that are explicitly denied by this rule. Each permission uses the format {service_fqdn}/{resource}.{verb}, where {service_fqdn} is the fully qualified domain name for the service. For example, iam.googleapis.com/roles.list.
repeated string denied_permissions = 3;
Type | Description |
int | The count of deniedPermissions. |
getDeniedPermissionsList()
public ProtocolStringList getDeniedPermissionsList()
The permissions that are explicitly denied by this rule. Each permission uses the format {service_fqdn}/{resource}.{verb}, where {service_fqdn} is the fully qualified domain name for the service. For example, iam.googleapis.com/roles.list.
repeated string denied_permissions = 3;
Type | Description |
ProtocolStringList | A list containing the deniedPermissions. |
getDeniedPrincipals(int index)
public String getDeniedPrincipals(int index)
The identities that are prevented from using one or more permissions on Google Cloud resources. This field can contain the following values:
principalSet://goog/public:all: A special identifier that represents any user who is on the internet, even if they do not have a Google Account or are not logged in.
principal://goog/subject/{email_id}: A specific Google Account. Includes Gmail, Cloud Identity, and Google Workspace user accounts. For example, principal://goog/subject/alice@example.com.
deleted:principal://goog/subject/{email_id}?uid={uid}: A specific Google Account that was deleted recently. For example, deleted:principal://goog/subject/alice@example.com?uid=1234567890. If the Google Account is recovered, this identifier reverts to the standard identifier for a Google Account.
principalSet://goog/group/{group_id}: A Google group. For example, principalSet://goog/group/admins@example.com.
deleted:principalSet://goog/group/{group_id}?uid={uid}: A Google group that was deleted recently. For example, deleted:principalSet://goog/group/admins@example.com?uid=1234567890. If the Google group is restored, this identifier reverts to the standard identifier for a Google group.
principal://iam.googleapis.com/projects/-/serviceAccounts/{service_account_id}: A Google Cloud service account. For example, principal://iam.googleapis.com/projects/-/serviceAccounts/my-service-account@iam.gserviceaccount.com.
deleted:principal://iam.googleapis.com/projects/-/serviceAccounts/{service_account_id}?uid={uid}: A Google Cloud service account that was deleted recently. For example, deleted:principal://iam.googleapis.com/projects/-/serviceAccounts/my-service-account@iam.gserviceaccount.com?uid=1234567890. If the service account is undeleted, this identifier reverts to the standard identifier for a service account.
principalSet://goog/cloudIdentityCustomerId/{customer_id}: All of the principals associated with the specified Google Workspace or Cloud Identity customer ID. For example, principalSet://goog/cloudIdentityCustomerId/C01Abc35.
repeated string denied_principals = 1;
Name | Description |
index | int The index of the element to return. |
Type | Description |
String | The deniedPrincipals at the given index. |
getDeniedPrincipalsBytes(int index)
public ByteString getDeniedPrincipalsBytes(int index)
The identities that are prevented from using one or more permissions on Google Cloud resources. This field can contain the following values:
principalSet://goog/public:all: A special identifier that represents any user who is on the internet, even if they do not have a Google Account or are not logged in.
principal://goog/subject/{email_id}: A specific Google Account. Includes Gmail, Cloud Identity, and Google Workspace user accounts. For example, principal://goog/subject/alice@example.com.
deleted:principal://goog/subject/{email_id}?uid={uid}: A specific Google Account that was deleted recently. For example, deleted:principal://goog/subject/alice@example.com?uid=1234567890. If the Google Account is recovered, this identifier reverts to the standard identifier for a Google Account.
principalSet://goog/group/{group_id}: A Google group. For example, principalSet://goog/group/admins@example.com.
deleted:principalSet://goog/group/{group_id}?uid={uid}: A Google group that was deleted recently. For example, deleted:principalSet://goog/group/admins@example.com?uid=1234567890. If the Google group is restored, this identifier reverts to the standard identifier for a Google group.
principal://iam.googleapis.com/projects/-/serviceAccounts/{service_account_id}: A Google Cloud service account. For example, principal://iam.googleapis.com/projects/-/serviceAccounts/my-service-account@iam.gserviceaccount.com.
deleted:principal://iam.googleapis.com/projects/-/serviceAccounts/{service_account_id}?uid={uid}: A Google Cloud service account that was deleted recently. For example, deleted:principal://iam.googleapis.com/projects/-/serviceAccounts/my-service-account@iam.gserviceaccount.com?uid=1234567890. If the service account is undeleted, this identifier reverts to the standard identifier for a service account.
principalSet://goog/cloudIdentityCustomerId/{customer_id}: All of the principals associated with the specified Google Workspace or Cloud Identity customer ID. For example, principalSet://goog/cloudIdentityCustomerId/C01Abc35.
repeated string denied_principals = 1;
Name | Description |
index | int The index of the value to return. |
Type | Description |
ByteString | The bytes of the deniedPrincipals at the given index. |
getDeniedPrincipalsCount()
public int getDeniedPrincipalsCount()
The identities that are prevented from using one or more permissions on Google Cloud resources. This field can contain the following values:
principalSet://goog/public:all: A special identifier that represents any user who is on the internet, even if they do not have a Google Account or are not logged in.
principal://goog/subject/{email_id}: A specific Google Account. Includes Gmail, Cloud Identity, and Google Workspace user accounts. For example, principal://goog/subject/alice@example.com.
deleted:principal://goog/subject/{email_id}?uid={uid}: A specific Google Account that was deleted recently. For example, deleted:principal://goog/subject/alice@example.com?uid=1234567890. If the Google Account is recovered, this identifier reverts to the standard identifier for a Google Account.
principalSet://goog/group/{group_id}: A Google group. For example, principalSet://goog/group/admins@example.com.
deleted:principalSet://goog/group/{group_id}?uid={uid}: A Google group that was deleted recently. For example, deleted:principalSet://goog/group/admins@example.com?uid=1234567890. If the Google group is restored, this identifier reverts to the standard identifier for a Google group.
principal://iam.googleapis.com/projects/-/serviceAccounts/{service_account_id}: A Google Cloud service account. For example, principal://iam.googleapis.com/projects/-/serviceAccounts/my-service-account@iam.gserviceaccount.com.
deleted:principal://iam.googleapis.com/projects/-/serviceAccounts/{service_account_id}?uid={uid}: A Google Cloud service account that was deleted recently. For example, deleted:principal://iam.googleapis.com/projects/-/serviceAccounts/my-service-account@iam.gserviceaccount.com?uid=1234567890. If the service account is undeleted, this identifier reverts to the standard identifier for a service account.
principalSet://goog/cloudIdentityCustomerId/{customer_id}: All of the principals associated with the specified Google Workspace or Cloud Identity customer ID. For example, principalSet://goog/cloudIdentityCustomerId/C01Abc35.
repeated string denied_principals = 1;
Type | Description |
int | The count of deniedPrincipals. |
getDeniedPrincipalsList()
public ProtocolStringList getDeniedPrincipalsList()
The identities that are prevented from using one or more permissions on Google Cloud resources. This field can contain the following values:
principalSet://goog/public:all: A special identifier that represents any user who is on the internet, even if they do not have a Google Account or are not logged in.
principal://goog/subject/{email_id}: A specific Google Account. Includes Gmail, Cloud Identity, and Google Workspace user accounts. For example, principal://goog/subject/alice@example.com.
deleted:principal://goog/subject/{email_id}?uid={uid}: A specific Google Account that was deleted recently. For example, deleted:principal://goog/subject/alice@example.com?uid=1234567890. If the Google Account is recovered, this identifier reverts to the standard identifier for a Google Account.
principalSet://goog/group/{group_id}: A Google group. For example, principalSet://goog/group/admins@example.com.
deleted:principalSet://goog/group/{group_id}?uid={uid}: A Google group that was deleted recently. For example, deleted:principalSet://goog/group/admins@example.com?uid=1234567890. If the Google group is restored, this identifier reverts to the standard identifier for a Google group.
principal://iam.googleapis.com/projects/-/serviceAccounts/{service_account_id}: A Google Cloud service account. For example, principal://iam.googleapis.com/projects/-/serviceAccounts/my-service-account@iam.gserviceaccount.com.
deleted:principal://iam.googleapis.com/projects/-/serviceAccounts/{service_account_id}?uid={uid}: A Google Cloud service account that was deleted recently. For example, deleted:principal://iam.googleapis.com/projects/-/serviceAccounts/my-service-account@iam.gserviceaccount.com?uid=1234567890. If the service account is undeleted, this identifier reverts to the standard identifier for a service account.
principalSet://goog/cloudIdentityCustomerId/{customer_id}: All of the principals associated with the specified Google Workspace or Cloud Identity customer ID. For example, principalSet://goog/cloudIdentityCustomerId/C01Abc35.
repeated string denied_principals = 1;
Type | Description |
ProtocolStringList | A list containing the deniedPrincipals. |
getDescriptorForType()
public Descriptors.Descriptor getDescriptorForType()
Type | Description |
Descriptor |
getExceptionPermissions(int index)
public String getExceptionPermissions(int index)
Specifies the permissions that this rule excludes from the set of denied permissions given by denied_permissions. If a permission appears in denied_permissions and in exception_permissions then it will not be denied.
The excluded permissions can be specified using the same syntax as denied_permissions.
repeated string exception_permissions = 4;
Name | Description |
index | int The index of the element to return. |
Type | Description |
String | The exceptionPermissions at the given index. |
getExceptionPermissionsBytes(int index)
public ByteString getExceptionPermissionsBytes(int index)
Specifies the permissions that this rule excludes from the set of denied permissions given by denied_permissions. If a permission appears in denied_permissions and in exception_permissions, then it will not be denied.
The excluded permissions can be specified using the same syntax as denied_permissions.
repeated string exception_permissions = 4;
Name | Description |
index | int The index of the value to return. |
Type | Description |
ByteString | The bytes of the exceptionPermissions at the given index. |
getExceptionPermissionsCount()
public int getExceptionPermissionsCount()
Specifies the permissions that this rule excludes from the set of denied permissions given by denied_permissions. If a permission appears in denied_permissions and in exception_permissions, then it will not be denied.
The excluded permissions can be specified using the same syntax as denied_permissions.
repeated string exception_permissions = 4;
Type | Description |
int | The count of exceptionPermissions. |
getExceptionPermissionsList()
public ProtocolStringList getExceptionPermissionsList()
Specifies the permissions that this rule excludes from the set of denied permissions given by denied_permissions. If a permission appears in denied_permissions and in exception_permissions, then it will not be denied.
The excluded permissions can be specified using the same syntax as denied_permissions.
repeated string exception_permissions = 4;
Type | Description |
ProtocolStringList | A list containing the exceptionPermissions. |
getExceptionPrincipals(int index)
public String getExceptionPrincipals(int index)
The identities that are excluded from the deny rule, even if they are listed in the denied_principals. For example, you could add a Google group to the denied_principals, then exclude specific users who belong to that group.
This field can contain the same values as the denied_principals field, excluding principalSet://goog/public:all, which represents all users on the internet.
repeated string exception_principals = 2;
Name | Description |
index | int The index of the element to return. |
Type | Description |
String | The exceptionPrincipals at the given index. |
getExceptionPrincipalsBytes(int index)
public ByteString getExceptionPrincipalsBytes(int index)
The identities that are excluded from the deny rule, even if they are listed in the denied_principals. For example, you could add a Google group to the denied_principals, then exclude specific users who belong to that group.
This field can contain the same values as the denied_principals field, excluding principalSet://goog/public:all, which represents all users on the internet.
repeated string exception_principals = 2;
Name | Description |
index | int The index of the value to return. |
Type | Description |
ByteString | The bytes of the exceptionPrincipals at the given index. |
getExceptionPrincipalsCount()
public int getExceptionPrincipalsCount()
The identities that are excluded from the deny rule, even if they are listed in the denied_principals. For example, you could add a Google group to the denied_principals, then exclude specific users who belong to that group.
This field can contain the same values as the denied_principals field, excluding principalSet://goog/public:all, which represents all users on the internet.
repeated string exception_principals = 2;
Type | Description |
int | The count of exceptionPrincipals. |
getExceptionPrincipalsList()
public ProtocolStringList getExceptionPrincipalsList()
The identities that are excluded from the deny rule, even if they are listed in the denied_principals. For example, you could add a Google group to the denied_principals, then exclude specific users who belong to that group.
This field can contain the same values as the denied_principals field, excluding principalSet://goog/public:all, which represents all users on the internet.
repeated string exception_principals = 2;
Type | Description |
ProtocolStringList | A list containing the exceptionPrincipals. |
hasDenialCondition()
public boolean hasDenialCondition()
The condition that determines whether this deny rule applies to a request. If the condition expression evaluates to true, then the deny rule is applied; otherwise, the deny rule is not applied.
Each deny rule is evaluated independently. If this deny rule does not apply to a request, other deny rules might still apply.
The condition can use CEL functions that evaluate resource tags. Other functions and operators are not supported.
.google.type.Expr denial_condition = 5;
Type | Description |
boolean | Whether the denialCondition field is set. |
internalGetFieldAccessorTable()
protected GeneratedMessageV3.FieldAccessorTable internalGetFieldAccessorTable()
Type | Description |
FieldAccessorTable |
isInitialized()
public final boolean isInitialized()
Type | Description |
boolean |
mergeDenialCondition(Expr value)
public DenyRule.Builder mergeDenialCondition(Expr value)
The condition that determines whether this deny rule applies to a request. If the condition expression evaluates to true, then the deny rule is applied; otherwise, the deny rule is not applied.
Each deny rule is evaluated independently. If this deny rule does not apply to a request, other deny rules might still apply.
The condition can use CEL functions that evaluate resource tags. Other functions and operators are not supported.
.google.type.Expr denial_condition = 5;
Name | Description |
value | com.google.type.Expr |
Type | Description |
DenyRule.Builder |
mergeFrom(DenyRule other)
public DenyRule.Builder mergeFrom(DenyRule other)
Name | Description |
other | DenyRule |
Type | Description |
DenyRule.Builder |
mergeFrom(CodedInputStream input, ExtensionRegistryLite extensionRegistry)
public DenyRule.Builder mergeFrom(CodedInputStream input, ExtensionRegistryLite extensionRegistry)
Name | Description |
input | CodedInputStream |
extensionRegistry | ExtensionRegistryLite |
Type | Description |
DenyRule.Builder |
Type | Description |
IOException |
mergeFrom(Message other)
public DenyRule.Builder mergeFrom(Message other)
Name | Description |
other | Message |
Type | Description |
DenyRule.Builder |
mergeUnknownFields(UnknownFieldSet unknownFields)
public final DenyRule.Builder mergeUnknownFields(UnknownFieldSet unknownFields)
Name | Description |
unknownFields | UnknownFieldSet |
Type | Description |
DenyRule.Builder |
setDenialCondition(Expr value)
public DenyRule.Builder setDenialCondition(Expr value)
The condition that determines whether this deny rule applies to a request. If the condition expression evaluates to true, then the deny rule is applied; otherwise, the deny rule is not applied.
Each deny rule is evaluated independently. If this deny rule does not apply to a request, other deny rules might still apply.
The condition can use CEL functions that evaluate resource tags. Other functions and operators are not supported.
.google.type.Expr denial_condition = 5;
Name | Description |
value | com.google.type.Expr |
Type | Description |
DenyRule.Builder |
setDenialCondition(Expr.Builder builderForValue)
public DenyRule.Builder setDenialCondition(Expr.Builder builderForValue)
The condition that determines whether this deny rule applies to a request. If the condition expression evaluates to true, then the deny rule is applied; otherwise, the deny rule is not applied.
Each deny rule is evaluated independently. If this deny rule does not apply to a request, other deny rules might still apply.
The condition can use CEL functions that evaluate resource tags. Other functions and operators are not supported.
.google.type.Expr denial_condition = 5;
Name | Description |
builderForValue | com.google.type.Expr.Builder |
Type | Description |
DenyRule.Builder |
setDeniedPermissions(int index, String value)
public DenyRule.Builder setDeniedPermissions(int index, String value)
The permissions that are explicitly denied by this rule. Each permission uses the format {service_fqdn}/{resource}.{verb}, where {service_fqdn} is the fully qualified domain name for the service. For example, iam.googleapis.com/roles.list.
repeated string denied_permissions = 3;
Name | Description |
index | int The index to set the value at. |
value | String The deniedPermissions to set. |
Type | Description |
DenyRule.Builder | This builder for chaining. |
setDeniedPrincipals(int index, String value)
public DenyRule.Builder setDeniedPrincipals(int index, String value)
The identities that are prevented from using one or more permissions on Google Cloud resources. This field can contain the following values:
principalSet://goog/public:all: A special identifier that represents any user who is on the internet, even if they do not have a Google Account or are not logged in.
principal://goog/subject/{email_id}: A specific Google Account. Includes Gmail, Cloud Identity, and Google Workspace user accounts. For example, principal://goog/subject/alice@example.com.
deleted:principal://goog/subject/{email_id}?uid={uid}: A specific Google Account that was deleted recently. For example, deleted:principal://goog/subject/alice@example.com?uid=1234567890. If the Google Account is recovered, this identifier reverts to the standard identifier for a Google Account.
principalSet://goog/group/{group_id}: A Google group. For example, principalSet://goog/group/admins@example.com.
deleted:principalSet://goog/group/{group_id}?uid={uid}: A Google group that was deleted recently. For example, deleted:principalSet://goog/group/admins@example.com?uid=1234567890. If the Google group is restored, this identifier reverts to the standard identifier for a Google group.
principal://iam.googleapis.com/projects/-/serviceAccounts/{service_account_id}: A Google Cloud service account. For example, principal://iam.googleapis.com/projects/-/serviceAccounts/my-service-account@iam.gserviceaccount.com.
deleted:principal://iam.googleapis.com/projects/-/serviceAccounts/{service_account_id}?uid={uid}: A Google Cloud service account that was deleted recently. For example, deleted:principal://iam.googleapis.com/projects/-/serviceAccounts/my-service-account@iam.gserviceaccount.com?uid=1234567890. If the service account is undeleted, this identifier reverts to the standard identifier for a service account.
principalSet://goog/cloudIdentityCustomerId/{customer_id}: All of the principals associated with the specified Google Workspace or Cloud Identity customer ID. For example, principalSet://goog/cloudIdentityCustomerId/C01Abc35.
repeated string denied_principals = 1;
Name | Description |
index | int The index to set the value at. |
value | String The deniedPrincipals to set. |
Type | Description |
DenyRule.Builder | This builder for chaining. |
setExceptionPermissions(int index, String value)
public DenyRule.Builder setExceptionPermissions(int index, String value)
Specifies the permissions that this rule excludes from the set of denied permissions given by denied_permissions. If a permission appears in denied_permissions and in exception_permissions, then it will not be denied.
The excluded permissions can be specified using the same syntax as denied_permissions.
repeated string exception_permissions = 4;
Name | Description |
index | int The index to set the value at. |
value | String The exceptionPermissions to set. |
Type | Description |
DenyRule.Builder | This builder for chaining. |
setExceptionPrincipals(int index, String value)
public DenyRule.Builder setExceptionPrincipals(int index, String value)
The identities that are excluded from the deny rule, even if they are listed in the denied_principals. For example, you could add a Google group to the denied_principals, then exclude specific users who belong to that group.
This field can contain the same values as the denied_principals field, excluding principalSet://goog/public:all, which represents all users on the internet.
repeated string exception_principals = 2;
Name | Description |
index | int The index to set the value at. |
value | String The exceptionPrincipals to set. |
Type | Description |
DenyRule.Builder | This builder for chaining. |
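The field descriptions above imply a few review checks that can run locally before a deny rule is submitted. The following is an added example, not code from the client library or its documentation: the class name DenyRuleLint and its lint method are hypothetical, the principals, permissions and tag value are constructed samples, and it uses the single-value add* builder methods plus a resource.matchTag condition as assumptions about the wider API.

```java
import com.google.iam.v2beta.DenyRule;
import com.google.type.Expr;
import java.util.ArrayList;
import java.util.List;

// Hypothetical helper class, not part of the client library.
public class DenyRuleLint {
  static final String PUBLIC_ALL = "principalSet://goog/public:all";

  // Checks derived from the field descriptions on this page.
  static List<String> lint(DenyRule rule) {
    List<String> findings = new ArrayList<>();
    // exception_principals takes the same values as denied_principals, minus public:all.
    if (rule.getExceptionPrincipalsList().contains(PUBLIC_ALL)) {
      findings.add("exception_principals must not contain " + PUBLIC_ALL);
    }
    for (String p : rule.getExceptionPrincipalsList()) {
      // A deleted: identifier reverts to the standard one if the principal is
      // restored, so a stale exception can start exempting an account again.
      if (p.startsWith("deleted:")) {
        findings.add("exception for deleted principal: " + p);
      }
    }
    for (String perm : rule.getExceptionPermissionsList()) {
      // Listed in both fields means NOT denied; make that visible to reviewers.
      if (rule.getDeniedPermissionsList().contains(perm)) {
        findings.add("not denied (also in exception_permissions): " + perm);
      }
    }
    return findings;
  }

  public static void main(String[] args) {
    // All principals, permissions and the tag below are constructed sample values.
    DenyRule rule = DenyRule.newBuilder()
        .addDeniedPrincipals("principalSet://goog/group/admins@example.com")
        .addExceptionPrincipals("principal://goog/subject/alice@example.com")
        .addExceptionPrincipals("deleted:principal://goog/subject/bob@example.com?uid=1234567890")
        .addDeniedPermissions("iam.googleapis.com/roles.list")
        .addDeniedPermissions("iam.googleapis.com/roles.delete")
        .addExceptionPermissions("iam.googleapis.com/roles.list")
        .setDenialCondition(Expr.newBuilder()
            .setExpression("resource.matchTag('12345678/env', 'prod')").build())
        .build();
    lint(rule).forEach(System.out::println);
  }
}
```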
setField(Descriptors.FieldDescriptor field, Object value)
public DenyRule.Builder setField(Descriptors.FieldDescriptor field, Object value)
Name | Description |
field | FieldDescriptor |
value | Object |
Type | Description |
DenyRule.Builder |
setRepeatedField(Descriptors.FieldDescriptor field, int index, Object value)
public DenyRule.Builder setRepeatedField(Descriptors.FieldDescriptor field, int index, Object value)
Name | Description |
field | FieldDescriptor |
index | int |
value | Object |
Type | Description |
DenyRule.Builder |
setUnknownFields(UnknownFieldSet unknownFields)
public final DenyRule.Builder setUnknownFields(UnknownFieldSet unknownFields)
Name | Description |
unknownFields | UnknownFieldSet |
Type | Description |
DenyRule.Builder |