Class DenyRule (1.45.0)

public final class DenyRule extends GeneratedMessageV3 implements DenyRuleOrBuilder

A deny rule in an IAM deny policy.

Protobuf type google.iam.v2.DenyRule

Implements

DenyRuleOrBuilder

Static Fields

DENIAL_CONDITION_FIELD_NUMBER

public static final int DENIAL_CONDITION_FIELD_NUMBER
Field Value
Type Description
int

DENIED_PERMISSIONS_FIELD_NUMBER

public static final int DENIED_PERMISSIONS_FIELD_NUMBER
Field Value
Type Description
int

DENIED_PRINCIPALS_FIELD_NUMBER

public static final int DENIED_PRINCIPALS_FIELD_NUMBER
Field Value
Type Description
int

EXCEPTION_PERMISSIONS_FIELD_NUMBER

public static final int EXCEPTION_PERMISSIONS_FIELD_NUMBER
Field Value
Type Description
int

EXCEPTION_PRINCIPALS_FIELD_NUMBER

public static final int EXCEPTION_PRINCIPALS_FIELD_NUMBER
Field Value
Type Description
int

Static Methods

getDefaultInstance()

public static DenyRule getDefaultInstance()
Returns
Type Description
DenyRule

getDescriptor()

public static final Descriptors.Descriptor getDescriptor()
Returns
Type Description
Descriptor

newBuilder()

public static DenyRule.Builder newBuilder()
Returns
Type Description
DenyRule.Builder

newBuilder(DenyRule prototype)

public static DenyRule.Builder newBuilder(DenyRule prototype)
Parameter
Name Description
prototype DenyRule
Returns
Type Description
DenyRule.Builder

parseDelimitedFrom(InputStream input)

public static DenyRule parseDelimitedFrom(InputStream input)
Parameter
Name Description
input InputStream
Returns
Type Description
DenyRule
Exceptions
Type Description
IOException

parseDelimitedFrom(InputStream input, ExtensionRegistryLite extensionRegistry)

public static DenyRule parseDelimitedFrom(InputStream input, ExtensionRegistryLite extensionRegistry)
Parameters
Name Description
input InputStream
extensionRegistry ExtensionRegistryLite
Returns
Type Description
DenyRule
Exceptions
Type Description
IOException

parseFrom(byte[] data)

public static DenyRule parseFrom(byte[] data)
Parameter
Name Description
data byte[]
Returns
Type Description
DenyRule
Exceptions
Type Description
InvalidProtocolBufferException

parseFrom(byte[] data, ExtensionRegistryLite extensionRegistry)

public static DenyRule parseFrom(byte[] data, ExtensionRegistryLite extensionRegistry)
Parameters
Name Description
data byte[]
extensionRegistry ExtensionRegistryLite
Returns
Type Description
DenyRule
Exceptions
Type Description
InvalidProtocolBufferException

parseFrom(ByteString data)

public static DenyRule parseFrom(ByteString data)
Parameter
Name Description
data ByteString
Returns
Type Description
DenyRule
Exceptions
Type Description
InvalidProtocolBufferException

parseFrom(ByteString data, ExtensionRegistryLite extensionRegistry)

public static DenyRule parseFrom(ByteString data, ExtensionRegistryLite extensionRegistry)
Parameters
Name Description
data ByteString
extensionRegistry ExtensionRegistryLite
Returns
Type Description
DenyRule
Exceptions
Type Description
InvalidProtocolBufferException

parseFrom(CodedInputStream input)

public static DenyRule parseFrom(CodedInputStream input)
Parameter
Name Description
input CodedInputStream
Returns
Type Description
DenyRule
Exceptions
Type Description
IOException

parseFrom(CodedInputStream input, ExtensionRegistryLite extensionRegistry)

public static DenyRule parseFrom(CodedInputStream input, ExtensionRegistryLite extensionRegistry)
Parameters
Name Description
input CodedInputStream
extensionRegistry ExtensionRegistryLite
Returns
Type Description
DenyRule
Exceptions
Type Description
IOException

parseFrom(InputStream input)

public static DenyRule parseFrom(InputStream input)
Parameter
Name Description
input InputStream
Returns
Type Description
DenyRule
Exceptions
Type Description
IOException

parseFrom(InputStream input, ExtensionRegistryLite extensionRegistry)

public static DenyRule parseFrom(InputStream input, ExtensionRegistryLite extensionRegistry)
Parameters
Name Description
input InputStream
extensionRegistry ExtensionRegistryLite
Returns
Type Description
DenyRule
Exceptions
Type Description
IOException

parseFrom(ByteBuffer data)

public static DenyRule parseFrom(ByteBuffer data)
Parameter
Name Description
data ByteBuffer
Returns
Type Description
DenyRule
Exceptions
Type Description
InvalidProtocolBufferException

parseFrom(ByteBuffer data, ExtensionRegistryLite extensionRegistry)

public static DenyRule parseFrom(ByteBuffer data, ExtensionRegistryLite extensionRegistry)
Parameters
Name Description
data ByteBuffer
extensionRegistry ExtensionRegistryLite
Returns
Type Description
DenyRule
Exceptions
Type Description
InvalidProtocolBufferException

parser()

public static Parser<DenyRule> parser()
Returns
Type Description
Parser<DenyRule>

Methods

equals(Object obj)

public boolean equals(Object obj)
Parameter
Name Description
obj Object
Returns
Type Description
boolean
Overrides

getDefaultInstanceForType()

public DenyRule getDefaultInstanceForType()
Returns
Type Description
DenyRule

getDenialCondition()

public Expr getDenialCondition()

The condition that determines whether this deny rule applies to a request. If the condition expression evaluates to true, then the deny rule is applied; otherwise, the deny rule is not applied.

Each deny rule is evaluated independently. If this deny rule does not apply to a request, other deny rules might still apply.

The condition can use CEL functions that evaluate resource tags. Other functions and operators are not supported.

.google.type.Expr denial_condition = 5;

Returns
Type Description
com.google.type.Expr

The denialCondition.

getDenialConditionOrBuilder()

public ExprOrBuilder getDenialConditionOrBuilder()

The condition that determines whether this deny rule applies to a request. If the condition expression evaluates to true, then the deny rule is applied; otherwise, the deny rule is not applied.

Each deny rule is evaluated independently. If this deny rule does not apply to a request, other deny rules might still apply.

The condition can use CEL functions that evaluate resource tags. Other functions and operators are not supported.

.google.type.Expr denial_condition = 5;

Returns
Type Description
com.google.type.ExprOrBuilder

getDeniedPermissions(int index)

public String getDeniedPermissions(int index)

The permissions that are explicitly denied by this rule. Each permission uses the format {service_fqdn}/{resource}.{verb}, where {service_fqdn} is the fully qualified domain name for the service. For example, iam.googleapis.com/roles.list.

repeated string denied_permissions = 3;

Parameter
Name Description
index int

The index of the element to return.

Returns
Type Description
String

The deniedPermissions at the given index.

getDeniedPermissionsBytes(int index)

public ByteString getDeniedPermissionsBytes(int index)

The permissions that are explicitly denied by this rule. Each permission uses the format {service_fqdn}/{resource}.{verb}, where {service_fqdn} is the fully qualified domain name for the service. For example, iam.googleapis.com/roles.list.

repeated string denied_permissions = 3;

Parameter
Name Description
index int

The index of the value to return.

Returns
Type Description
ByteString

The bytes of the deniedPermissions at the given index.

getDeniedPermissionsCount()

public int getDeniedPermissionsCount()

The permissions that are explicitly denied by this rule. Each permission uses the format {service_fqdn}/{resource}.{verb}, where {service_fqdn} is the fully qualified domain name for the service. For example, iam.googleapis.com/roles.list.

repeated string denied_permissions = 3;

Returns
Type Description
int

The count of deniedPermissions.

getDeniedPermissionsList()

public ProtocolStringList getDeniedPermissionsList()

The permissions that are explicitly denied by this rule. Each permission uses the format {service_fqdn}/{resource}.{verb}, where {service_fqdn} is the fully qualified domain name for the service. For example, iam.googleapis.com/roles.list.

repeated string denied_permissions = 3;

Returns
Type Description
ProtocolStringList

A list containing the deniedPermissions.

getDeniedPrincipals(int index)

public String getDeniedPrincipals(int index)

The identities that are prevented from using one or more permissions on Google Cloud resources. This field can contain the following values:

  • principalSet://goog/public:all: A special identifier that represents any principal that is on the internet, even if they do not have a Google Account or are not logged in.

  • principal://goog/subject/{email_id}: A specific Google Account. Includes Gmail, Cloud Identity, and Google Workspace user accounts. For example, principal://goog/subject/alice@example.com.

  • deleted:principal://goog/subject/{email_id}?uid={uid}: A specific Google Account that was deleted recently. For example, deleted:principal://goog/subject/alice@example.com?uid=1234567890. If the Google Account is recovered, this identifier reverts to the standard identifier for a Google Account.

  • principalSet://goog/group/{group_id}: A Google group. For example, principalSet://goog/group/admins@example.com.

  • deleted:principalSet://goog/group/{group_id}?uid={uid}: A Google group that was deleted recently. For example, deleted:principalSet://goog/group/admins@example.com?uid=1234567890. If the Google group is restored, this identifier reverts to the standard identifier for a Google group.

  • principal://iam.googleapis.com/projects/-/serviceAccounts/{service_account_id}: A Google Cloud service account. For example, principal://iam.googleapis.com/projects/-/serviceAccounts/my-service-account@iam.gserviceaccount.com.

  • deleted:principal://iam.googleapis.com/projects/-/serviceAccounts/{service_account_id}?uid={uid}: A Google Cloud service account that was deleted recently. For example, deleted:principal://iam.googleapis.com/projects/-/serviceAccounts/my-service-account@iam.gserviceaccount.com?uid=1234567890. If the service account is undeleted, this identifier reverts to the standard identifier for a service account.

  • principalSet://goog/cloudIdentityCustomerId/{customer_id}: All of the principals associated with the specified Google Workspace or Cloud Identity customer ID. For example, principalSet://goog/cloudIdentityCustomerId/C01Abc35.

repeated string denied_principals = 1;

Parameter
Name Description
index int

The index of the element to return.

Returns
Type Description
String

The deniedPrincipals at the given index.

getDeniedPrincipalsBytes(int index)

public ByteString getDeniedPrincipalsBytes(int index)

The identities that are prevented from using one or more permissions on Google Cloud resources. This field can contain the following values:

  • principalSet://goog/public:all: A special identifier that represents any principal that is on the internet, even if they do not have a Google Account or are not logged in.

  • principal://goog/subject/{email_id}: A specific Google Account. Includes Gmail, Cloud Identity, and Google Workspace user accounts. For example, principal://goog/subject/alice@example.com.

  • deleted:principal://goog/subject/{email_id}?uid={uid}: A specific Google Account that was deleted recently. For example, deleted:principal://goog/subject/alice@example.com?uid=1234567890. If the Google Account is recovered, this identifier reverts to the standard identifier for a Google Account.

  • principalSet://goog/group/{group_id}: A Google group. For example, principalSet://goog/group/admins@example.com.

  • deleted:principalSet://goog/group/{group_id}?uid={uid}: A Google group that was deleted recently. For example, deleted:principalSet://goog/group/admins@example.com?uid=1234567890. If the Google group is restored, this identifier reverts to the standard identifier for a Google group.

  • principal://iam.googleapis.com/projects/-/serviceAccounts/{service_account_id}: A Google Cloud service account. For example, principal://iam.googleapis.com/projects/-/serviceAccounts/my-service-account@iam.gserviceaccount.com.

  • deleted:principal://iam.googleapis.com/projects/-/serviceAccounts/{service_account_id}?uid={uid}: A Google Cloud service account that was deleted recently. For example, deleted:principal://iam.googleapis.com/projects/-/serviceAccounts/my-service-account@iam.gserviceaccount.com?uid=1234567890. If the service account is undeleted, this identifier reverts to the standard identifier for a service account.

  • principalSet://goog/cloudIdentityCustomerId/{customer_id}: All of the principals associated with the specified Google Workspace or Cloud Identity customer ID. For example, principalSet://goog/cloudIdentityCustomerId/C01Abc35.

repeated string denied_principals = 1;

Parameter
Name Description
index int

The index of the value to return.

Returns
Type Description
ByteString

The bytes of the deniedPrincipals at the given index.

getDeniedPrincipalsCount()

public int getDeniedPrincipalsCount()

The identities that are prevented from using one or more permissions on Google Cloud resources. This field can contain the following values:

  • principalSet://goog/public:all: A special identifier that represents any principal that is on the internet, even if they do not have a Google Account or are not logged in.

  • principal://goog/subject/{email_id}: A specific Google Account. Includes Gmail, Cloud Identity, and Google Workspace user accounts. For example, principal://goog/subject/alice@example.com.

  • deleted:principal://goog/subject/{email_id}?uid={uid}: A specific Google Account that was deleted recently. For example, deleted:principal://goog/subject/alice@example.com?uid=1234567890. If the Google Account is recovered, this identifier reverts to the standard identifier for a Google Account.

  • principalSet://goog/group/{group_id}: A Google group. For example, principalSet://goog/group/admins@example.com.

  • deleted:principalSet://goog/group/{group_id}?uid={uid}: A Google group that was deleted recently. For example, deleted:principalSet://goog/group/admins@example.com?uid=1234567890. If the Google group is restored, this identifier reverts to the standard identifier for a Google group.

  • principal://iam.googleapis.com/projects/-/serviceAccounts/{service_account_id}: A Google Cloud service account. For example, principal://iam.googleapis.com/projects/-/serviceAccounts/my-service-account@iam.gserviceaccount.com.

  • deleted:principal://iam.googleapis.com/projects/-/serviceAccounts/{service_account_id}?uid={uid}: A Google Cloud service account that was deleted recently. For example, deleted:principal://iam.googleapis.com/projects/-/serviceAccounts/my-service-account@iam.gserviceaccount.com?uid=1234567890. If the service account is undeleted, this identifier reverts to the standard identifier for a service account.

  • principalSet://goog/cloudIdentityCustomerId/{customer_id}: All of the principals associated with the specified Google Workspace or Cloud Identity customer ID. For example, principalSet://goog/cloudIdentityCustomerId/C01Abc35.

repeated string denied_principals = 1;

Returns
Type Description
int

The count of deniedPrincipals.

getDeniedPrincipalsList()

public ProtocolStringList getDeniedPrincipalsList()

The identities that are prevented from using one or more permissions on Google Cloud resources. This field can contain the following values:

  • principalSet://goog/public:all: A special identifier that represents any principal that is on the internet, even if they do not have a Google Account or are not logged in.

  • principal://goog/subject/{email_id}: A specific Google Account. Includes Gmail, Cloud Identity, and Google Workspace user accounts. For example, principal://goog/subject/alice@example.com.

  • deleted:principal://goog/subject/{email_id}?uid={uid}: A specific Google Account that was deleted recently. For example, deleted:principal://goog/subject/alice@example.com?uid=1234567890. If the Google Account is recovered, this identifier reverts to the standard identifier for a Google Account.

  • principalSet://goog/group/{group_id}: A Google group. For example, principalSet://goog/group/admins@example.com.

  • deleted:principalSet://goog/group/{group_id}?uid={uid}: A Google group that was deleted recently. For example, deleted:principalSet://goog/group/admins@example.com?uid=1234567890. If the Google group is restored, this identifier reverts to the standard identifier for a Google group.

  • principal://iam.googleapis.com/projects/-/serviceAccounts/{service_account_id}: A Google Cloud service account. For example, principal://iam.googleapis.com/projects/-/serviceAccounts/my-service-account@iam.gserviceaccount.com.

  • deleted:principal://iam.googleapis.com/projects/-/serviceAccounts/{service_account_id}?uid={uid}: A Google Cloud service account that was deleted recently. For example, deleted:principal://iam.googleapis.com/projects/-/serviceAccounts/my-service-account@iam.gserviceaccount.com?uid=1234567890. If the service account is undeleted, this identifier reverts to the standard identifier for a service account.

  • principalSet://goog/cloudIdentityCustomerId/{customer_id}: All of the principals associated with the specified Google Workspace or Cloud Identity customer ID. For example, principalSet://goog/cloudIdentityCustomerId/C01Abc35.

repeated string denied_principals = 1;

Returns
Type Description
ProtocolStringList

A list containing the deniedPrincipals.

getExceptionPermissions(int index)

public String getExceptionPermissions(int index)

Specifies the permissions that this rule excludes from the set of denied permissions given by denied_permissions. If a permission appears in denied_permissions and in exception_permissions then it will not be denied.

The excluded permissions can be specified using the same syntax as denied_permissions.

repeated string exception_permissions = 4;

Parameter
Name Description
index int

The index of the element to return.

Returns
Type Description
String

The exceptionPermissions at the given index.

getExceptionPermissionsBytes(int index)

public ByteString getExceptionPermissionsBytes(int index)

Specifies the permissions that this rule excludes from the set of denied permissions given by denied_permissions. If a permission appears in denied_permissions and in exception_permissions then it will not be denied.

The excluded permissions can be specified using the same syntax as denied_permissions.

repeated string exception_permissions = 4;

Parameter
Name Description
index int

The index of the value to return.

Returns
Type Description
ByteString

The bytes of the exceptionPermissions at the given index.

getExceptionPermissionsCount()

public int getExceptionPermissionsCount()

Specifies the permissions that this rule excludes from the set of denied permissions given by denied_permissions. If a permission appears in denied_permissions and in exception_permissions then it will not be denied.

The excluded permissions can be specified using the same syntax as denied_permissions.

repeated string exception_permissions = 4;

Returns
Type Description
int

The count of exceptionPermissions.

getExceptionPermissionsList()

public ProtocolStringList getExceptionPermissionsList()

Specifies the permissions that this rule excludes from the set of denied permissions given by denied_permissions. If a permission appears in denied_permissions and in exception_permissions then it will not be denied.

The excluded permissions can be specified using the same syntax as denied_permissions.

repeated string exception_permissions = 4;

Returns
Type Description
ProtocolStringList

A list containing the exceptionPermissions.

getExceptionPrincipals(int index)

public String getExceptionPrincipals(int index)

The identities that are excluded from the deny rule, even if they are listed in the denied_principals. For example, you could add a Google group to the denied_principals, then exclude specific users who belong to that group.

This field can contain the same values as the denied_principals field, excluding principalSet://goog/public:all, which represents all users on the internet.

repeated string exception_principals = 2;

Parameter
Name Description
index int

The index of the element to return.

Returns
Type Description
String

The exceptionPrincipals at the given index.

getExceptionPrincipalsBytes(int index)

public ByteString getExceptionPrincipalsBytes(int index)

The identities that are excluded from the deny rule, even if they are listed in the denied_principals. For example, you could add a Google group to the denied_principals, then exclude specific users who belong to that group.

This field can contain the same values as the denied_principals field, excluding principalSet://goog/public:all, which represents all users on the internet.

repeated string exception_principals = 2;

Parameter
Name Description
index int

The index of the value to return.

Returns
Type Description
ByteString

The bytes of the exceptionPrincipals at the given index.

getExceptionPrincipalsCount()

public int getExceptionPrincipalsCount()

The identities that are excluded from the deny rule, even if they are listed in the denied_principals. For example, you could add a Google group to the denied_principals, then exclude specific users who belong to that group.

This field can contain the same values as the denied_principals field, excluding principalSet://goog/public:all, which represents all users on the internet.

repeated string exception_principals = 2;

Returns
Type Description
int

The count of exceptionPrincipals.

getExceptionPrincipalsList()

public ProtocolStringList getExceptionPrincipalsList()

The identities that are excluded from the deny rule, even if they are listed in the denied_principals. For example, you could add a Google group to the denied_principals, then exclude specific users who belong to that group.

This field can contain the same values as the denied_principals field, excluding principalSet://goog/public:all, which represents all users on the internet.

repeated string exception_principals = 2;

Returns
Type Description
ProtocolStringList

A list containing the exceptionPrincipals.

getParserForType()

public Parser<DenyRule> getParserForType()
Returns
Type Description
Parser<DenyRule>
Overrides

getSerializedSize()

public int getSerializedSize()
Returns
Type Description
int
Overrides

hasDenialCondition()

public boolean hasDenialCondition()

The condition that determines whether this deny rule applies to a request. If the condition expression evaluates to true, then the deny rule is applied; otherwise, the deny rule is not applied.

Each deny rule is evaluated independently. If this deny rule does not apply to a request, other deny rules might still apply.

The condition can use CEL functions that evaluate resource tags. Other functions and operators are not supported.

.google.type.Expr denial_condition = 5;

Returns
Type Description
boolean

Whether the denialCondition field is set.

hashCode()

public int hashCode()
Returns
Type Description
int
Overrides

internalGetFieldAccessorTable()

protected GeneratedMessageV3.FieldAccessorTable internalGetFieldAccessorTable()
Returns
Type Description
FieldAccessorTable
Overrides

isInitialized()

public final boolean isInitialized()
Returns
Type Description
boolean
Overrides

newBuilderForType()

public DenyRule.Builder newBuilderForType()
Returns
Type Description
DenyRule.Builder

newBuilderForType(GeneratedMessageV3.BuilderParent parent)

protected DenyRule.Builder newBuilderForType(GeneratedMessageV3.BuilderParent parent)
Parameter
Name Description
parent BuilderParent
Returns
Type Description
DenyRule.Builder
Overrides

newInstance(GeneratedMessageV3.UnusedPrivateParameter unused)

protected Object newInstance(GeneratedMessageV3.UnusedPrivateParameter unused)
Parameter
Name Description
unused UnusedPrivateParameter
Returns
Type Description
Object
Overrides

toBuilder()

public DenyRule.Builder toBuilder()
Returns
Type Description
DenyRule.Builder

writeTo(CodedOutputStream output)

public void writeTo(CodedOutputStream output)
Parameter
Name Description
output CodedOutputStream
Overrides
Exceptions
Type Description
IOException