Reference documentation and code samples for the Google Cloud Iam V2 Client class DenyRule.
A deny rule in an IAM deny policy.
Generated from protobuf message google.iam.v2.DenyRule
Namespace
Google \ Cloud \ Iam \ V2Methods
__construct
Constructor.
Parameters | |
---|---|
Name | Description |
data |
array
Optional. Data for populating the Message object. |
↳ denied_principals |
array
The identities that are prevented from using one or more permissions on Google Cloud resources. This field can contain the following values: * * |
↳ exception_principals |
array
The identities that are excluded from the deny rule, even if they are listed in the |
↳ denied_permissions |
array
The permissions that are explicitly denied by this rule. Each permission uses the format |
↳ exception_permissions |
array
Specifies the permissions that this rule excludes from the set of denied permissions given by |
↳ denial_condition |
Google\Type\Expr
The condition that determines whether this deny rule applies to a request. If the condition expression evaluates to |
getDeniedPrincipals
The identities that are prevented from using one or more permissions on Google Cloud resources. This field can contain the following values:
principalSet://goog/public:all
: A special identifier that represents any principal that is on the internet, even if they do not have a Google Account or are not logged in.principal://goog/subject/{email_id}
: A specific Google Account. Includes Gmail, Cloud Identity, and Google Workspace user accounts. For example,principal://goog/subject/alice@example.com
.deleted:principal://goog/subject/{email_id}?uid={uid}
: A specific Google Account that was deleted recently. For example,deleted:principal://goog/subject/alice@example.com?uid=1234567890
. If the Google Account is recovered, this identifier reverts to the standard identifier for a Google Account.principalSet://goog/group/{group_id}
: A Google group. For example,principalSet://goog/group/admins@example.com
.deleted:principalSet://goog/group/{group_id}?uid={uid}
: A Google group that was deleted recently. For example,deleted:principalSet://goog/group/admins@example.com?uid=1234567890
. If the Google group is restored, this identifier reverts to the standard identifier for a Google group.principal://iam.googleapis.com/projects/-/serviceAccounts/{service_account_id}
: A Google Cloud service account. For example,principal://iam.googleapis.com/projects/-/serviceAccounts/my-service-account@iam.gserviceaccount.com
.deleted:principal://iam.googleapis.com/projects/-/serviceAccounts/{service_account_id}?uid={uid}
: A Google Cloud service account that was deleted recently. For example,deleted:principal://iam.googleapis.com/projects/-/serviceAccounts/my-service-account@iam.gserviceaccount.com?uid=1234567890
. If the service account is undeleted, this identifier reverts to the standard identifier for a service account.principalSet://goog/cloudIdentityCustomerId/{customer_id}
: All of the principals associated with the specified Google Workspace or Cloud Identity customer ID. For example,principalSet://goog/cloudIdentityCustomerId/C01Abc35
.
Returns | |
---|---|
Type | Description |
Google\Protobuf\Internal\RepeatedField |
setDeniedPrincipals
The identities that are prevented from using one or more permissions on Google Cloud resources. This field can contain the following values:
principalSet://goog/public:all
: A special identifier that represents any principal that is on the internet, even if they do not have a Google Account or are not logged in.principal://goog/subject/{email_id}
: A specific Google Account. Includes Gmail, Cloud Identity, and Google Workspace user accounts. For example,principal://goog/subject/alice@example.com
.deleted:principal://goog/subject/{email_id}?uid={uid}
: A specific Google Account that was deleted recently. For example,deleted:principal://goog/subject/alice@example.com?uid=1234567890
. If the Google Account is recovered, this identifier reverts to the standard identifier for a Google Account.principalSet://goog/group/{group_id}
: A Google group. For example,principalSet://goog/group/admins@example.com
.deleted:principalSet://goog/group/{group_id}?uid={uid}
: A Google group that was deleted recently. For example,deleted:principalSet://goog/group/admins@example.com?uid=1234567890
. If the Google group is restored, this identifier reverts to the standard identifier for a Google group.principal://iam.googleapis.com/projects/-/serviceAccounts/{service_account_id}
: A Google Cloud service account. For example,principal://iam.googleapis.com/projects/-/serviceAccounts/my-service-account@iam.gserviceaccount.com
.deleted:principal://iam.googleapis.com/projects/-/serviceAccounts/{service_account_id}?uid={uid}
: A Google Cloud service account that was deleted recently. For example,deleted:principal://iam.googleapis.com/projects/-/serviceAccounts/my-service-account@iam.gserviceaccount.com?uid=1234567890
. If the service account is undeleted, this identifier reverts to the standard identifier for a service account.principalSet://goog/cloudIdentityCustomerId/{customer_id}
: All of the principals associated with the specified Google Workspace or Cloud Identity customer ID. For example,principalSet://goog/cloudIdentityCustomerId/C01Abc35
.
Parameter | |
---|---|
Name | Description |
var |
string[]
|
Returns | |
---|---|
Type | Description |
$this |
getExceptionPrincipals
The identities that are excluded from the deny rule, even if they are
listed in the denied_principals
. For example, you could add a Google
group to the denied_principals
, then exclude specific users who belong to
that group.
This field can contain the same values as the denied_principals
field,
excluding principalSet://goog/public:all
, which represents all users on
the internet.
Returns | |
---|---|
Type | Description |
Google\Protobuf\Internal\RepeatedField |
setExceptionPrincipals
The identities that are excluded from the deny rule, even if they are
listed in the denied_principals
. For example, you could add a Google
group to the denied_principals
, then exclude specific users who belong to
that group.
This field can contain the same values as the denied_principals
field,
excluding principalSet://goog/public:all
, which represents all users on
the internet.
Parameter | |
---|---|
Name | Description |
var |
string[]
|
Returns | |
---|---|
Type | Description |
$this |
getDeniedPermissions
The permissions that are explicitly denied by this rule. Each permission
uses the format {service_fqdn}/{resource}.{verb}
, where {service_fqdn}
is the fully qualified domain name for the service. For example,
iam.googleapis.com/roles.list
.
Returns | |
---|---|
Type | Description |
Google\Protobuf\Internal\RepeatedField |
setDeniedPermissions
The permissions that are explicitly denied by this rule. Each permission
uses the format {service_fqdn}/{resource}.{verb}
, where {service_fqdn}
is the fully qualified domain name for the service. For example,
iam.googleapis.com/roles.list
.
Parameter | |
---|---|
Name | Description |
var |
string[]
|
Returns | |
---|---|
Type | Description |
$this |
getExceptionPermissions
Specifies the permissions that this rule excludes from the set of denied
permissions given by denied_permissions
. If a permission appears in
denied_permissions
and in exception_permissions
then it will not be
denied.
The excluded permissions can be specified using the same syntax as
denied_permissions
.
Returns | |
---|---|
Type | Description |
Google\Protobuf\Internal\RepeatedField |
setExceptionPermissions
Specifies the permissions that this rule excludes from the set of denied
permissions given by denied_permissions
. If a permission appears in
denied_permissions
and in exception_permissions
then it will not be
denied.
The excluded permissions can be specified using the same syntax as
denied_permissions
.
Parameter | |
---|---|
Name | Description |
var |
string[]
|
Returns | |
---|---|
Type | Description |
$this |
getDenialCondition
The condition that determines whether this deny rule applies to a request.
If the condition expression evaluates to true
, then the deny rule is
applied; otherwise, the deny rule is not applied.
Each deny rule is evaluated independently. If this deny rule does not apply
to a request, other deny rules might still apply.
The condition can use CEL functions that evaluate
resource
tags. Other
functions and operators are not supported.
Returns | |
---|---|
Type | Description |
Google\Type\Expr|null |
hasDenialCondition
clearDenialCondition
setDenialCondition
The condition that determines whether this deny rule applies to a request.
If the condition expression evaluates to true
, then the deny rule is
applied; otherwise, the deny rule is not applied.
Each deny rule is evaluated independently. If this deny rule does not apply
to a request, other deny rules might still apply.
The condition can use CEL functions that evaluate
resource
tags. Other
functions and operators are not supported.
Parameter | |
---|---|
Name | Description |
var |
Google\Type\Expr
|
Returns | |
---|---|
Type | Description |
$this |