Resource: ReplayResult
The result of replaying a single access tuple against a simulated state.

| JSON representation |
|---|
| `{ "name": string, "parent": string, "accessTuple": { object (` |

| Fields | |
|---|---|
| `name` | The resource name of the |
| `parent` | The |
| `accessTuple` | The access tuple that was replayed. This field includes information about the principal, resource, and permission that were involved in the access attempt. |
| `lastSeenDate` | The latest date this access tuple was seen in the logs. |
| Union field `result`. The result of replaying the access tuple. `result` can be only one of the following: | |
| `diff` | The difference between the principal's access under the current (baseline) policies and the principal's access under the proposed (simulated) policies. This field is only included for access tuples that were successfully replayed and had different results under the current policies and the proposed policies. |
| `error` | The error that caused the access tuple replay to fail. This field is only included for access tuples that were not replayed successfully. |
ReplayDiff
The difference between the results of evaluating an access tuple under the current (baseline) policies and under the proposed (simulated) policies. This difference explains how a principal's access could change if the proposed policies were applied.

| JSON representation |
|---|
| `{ "accessDiff": { object (` |

| Fields | |
|---|---|
| `accessDiff` | A summary and comparison of the principal's access under the current (baseline) policies and the proposed (simulated) policies for a single access tuple. The evaluation of the principal's access is reported in the |
AccessStateDiff
A summary and comparison of the principal's access under the current (baseline) policies and the proposed (simulated) policies for a single access tuple.

| JSON representation |
|---|
| `{ "baseline": { object (` |

| Fields | |
|---|---|
| `baseline` | The results of evaluating the access tuple under the current (baseline) policies. If the |
| `simulated` | The results of evaluating the access tuple under the proposed (simulated) policies. If the `AccessState` couldn't be fully evaluated, this field explains why. |
| `accessChange` | How the principal's access, specified in the `AccessState` field, changed between the current (baseline) policies and proposed (simulated) policies. |
ExplainedAccess
Details about how a set of policies, listed in `ExplainedPolicy`, resulted in a certain `AccessState` when replaying an access tuple.

| JSON representation |
|---|
| `{ "accessState": enum (` |

| Fields | |
|---|---|
| `accessState` | Whether the principal in the access tuple has permission to access the resource in the access tuple under the given policies. |
| `policies[]` | If the If the |
| `errors[]` | If the If the |
AccessState
Whether a principal has a permission for a resource.

| Enums | |
|---|---|
| `ACCESS_STATE_UNSPECIFIED` | Default value. This value is unused. |
| `GRANTED` | The principal has the permission. |
| `NOT_GRANTED` | The principal does not have the permission. |
| `UNKNOWN_CONDITIONAL` | The principal has the permission only if a condition expression evaluates to `true`. |
| `UNKNOWN_INFO_DENIED` | The user who created the Replay does not have access to all of the policies that Policy Simulator needs to evaluate. |
ExplainedPolicy
Details about how a specific IAM Policy contributed to the access check.

| JSON representation |
|---|
| `{ "access": enum (` |

| Fields | |
|---|---|
| `access` | Indicates whether this policy provides the specified permission to the specified principal for the specified resource. This field does not indicate whether the principal actually has the permission for the resource. There might be another policy that overrides this policy. To determine whether the principal actually has the permission, use the |
| `fullResourceName` | The full resource name that identifies the resource. For example, If the user who created the For examples of full resource names for Google Cloud services, see https://cloud.google.com/iam/help/troubleshooter/full-resource-names. |
| `policy` | The IAM policy attached to the resource. If the user who created the |
| `bindingExplanations[]` | Details about how each binding in the policy affects the principal's ability, or inability, to use the permission for the resource. If the user who created the |
| `relevance` | The relevance of this policy to the overall determination in the [TroubleshootIamPolicyResponse][IamChecker.TroubleshootIamPolicyResponse]. If the user who created the |
BindingExplanation
Details about how a binding in a policy affects a principal's ability to use a permission.

| JSON representation |
|---|
| `{ "access": enum (` |

| Fields | |
|---|---|
| `access` | Required. Indicates whether this binding provides the specified permission to the specified principal for the specified resource. This field does not indicate whether the principal actually has the permission for the resource. There might be another binding that overrides this binding. To determine whether the principal actually has the permission, use the |
| `role` | The role that this binding grants. For example, For a complete list of predefined IAM roles, as well as the permissions in each role, see https://cloud.google.com/iam/help/roles/reference. |
| `rolePermission` | Indicates whether the role granted by this binding contains the specified permission. |
| `rolePermissionRelevance` | The relevance of the permission's existence, or nonexistence, in the role to the overall determination for the entire policy. |
| `memberships[]` | Indicates whether each principal in the binding includes the principal specified in the request, either directly or indirectly. Each key identifies a principal in the binding, and each value indicates whether the principal in the binding includes the principal in the request. For example, suppose that a binding includes the following principals: The principal in the replayed access tuple is For the first principal in the binding, the key is For the second principal in the binding, the key is An object containing a list of |
| `memberships[].membership` | Indicates whether the binding includes the principal. Valid values of this enum field are: |
| `memberships[].relevance` | The relevance of the principal's status to the overall determination for the binding. |
| `relevance` | The relevance of this binding to the overall determination for the entire policy. |
| `condition` | A condition expression that prevents this binding from granting access unless the expression evaluates to To learn about IAM Conditions, see https://cloud.google.com/iam/docs/conditions-overview. |
RolePermission
Whether a role includes a specific permission.

| Enums | |
|---|---|
| `ROLE_PERMISSION_UNSPECIFIED` | Default value. This value is unused. |
| `ROLE_PERMISSION_INCLUDED` | The permission is included in the role. |
| `ROLE_PERMISSION_NOT_INCLUDED` | The permission is not included in the role. |
| `ROLE_PERMISSION_UNKNOWN_INFO_DENIED` | The user who created the Replay is not allowed to access the binding. |
HeuristicRelevance
The extent to which a single data point, such as the existence of a binding or whether a binding includes a specific principal, contributes to an overall determination.

| Enums | |
|---|---|
| `HEURISTIC_RELEVANCE_UNSPECIFIED` | Default value. This value is unused. |
| `NORMAL` | The data point has a limited effect on the result. Changing the data point is unlikely to affect the overall determination. |
| `HIGH` | The data point has a strong effect on the result. Changing the data point is likely to affect the overall determination. |
AccessChangeType
How the principal's access, specified in the `AccessState` field, changed between the current (baseline) policies and proposed (simulated) policies.

| Enums | |
|---|---|
| `ACCESS_CHANGE_TYPE_UNSPECIFIED` | Default value. This value is unused. |
| `NO_CHANGE` | The principal's access did not change. This includes the case where both baseline and simulated are UNKNOWN, but the unknown information is equivalent. |
| `UNKNOWN_CHANGE` | The principal's access under both the current policies and the proposed policies is UNKNOWN, but the unknown information differs between them. |
| `ACCESS_REVOKED` | The principal had access under the current policies (`GRANTED`), but will no longer have access after the proposed changes (`NOT_GRANTED`). |
| `ACCESS_GAINED` | The principal did not have access under the current policies (`NOT_GRANTED`), but will have access after the proposed changes (`GRANTED`). |
| `ACCESS_MAYBE_REVOKED` | This result can occur for the following reasons: |
| `ACCESS_MAYBE_GAINED` | This result can occur for the following reasons: |
AccessTuple
Information about the principal, resource, and permission to check.

| JSON representation |
|---|
| `{ "principal": string, "fullResourceName": string, "permission": string }` |

| Fields | |
|---|---|
| `principal` | Required. The principal whose access you want to check, in the form of the email address that represents that principal. For example, The principal must be a Google Account or a service account. Other types of principals are not supported. |
| `fullResourceName` | Required. The full resource name that identifies the resource. For example, For examples of full resource names for Google Cloud services, see https://cloud.google.com/iam/help/troubleshooter/full-resource-names. |
| `permission` | Required. The IAM permission to check for the specified principal and resource. For a complete list of IAM permissions, see https://cloud.google.com/iam/help/permissions/reference. For a complete list of predefined IAM roles and the permissions in each role, see https://cloud.google.com/iam/help/roles/reference. |
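As an added example (not code from the Policy Simulator documentation or API), the following Python triages a list of `ReplayResult` objects of the shape the list method returns, using the `result` union field, the `AccessChangeType` values and the `UNKNOWN_INFO_DENIED` state described above. The sample objects, the `REPLAY_ID` segment, principals and resource names are constructed placeholders.

```python
"""Triage Policy Simulator ReplayResult objects for a proposed IAM policy change."""
from collections import Counter

# Constructed sample (not real API output): four ReplayResult objects as the list
# method returns them. Names, principals and resources are placeholders.
PROJECT = "//cloudresourcemanager.googleapis.com/projects/example-project"
BUCKET = "//storage.googleapis.com/projects/_/buckets/example-bucket"
NAME = "projects/example-project/locations/global/replays/REPLAY_ID/results/"

def _tuple(principal, resource, permission):          # AccessTuple
    return {"principal": principal, "fullResourceName": resource, "permission": permission}

def _diff(baseline, simulated, change):               # ReplayDiff -> AccessStateDiff
    return {"accessDiff": {"baseline": {"accessState": baseline},
                           "simulated": {"accessState": simulated}, "accessChange": change}}

SAMPLE_RESULTS = [
    {"name": NAME + "1", "accessTuple": _tuple("alice@example.com", PROJECT, "resourcemanager.projects.setIamPolicy"),
     "diff": _diff("NOT_GRANTED", "GRANTED", "ACCESS_GAINED")},
    {"name": NAME + "2", "accessTuple": _tuple("svc@example-project.iam.gserviceaccount.com", BUCKET, "storage.objects.get"),
     "diff": _diff("GRANTED", "UNKNOWN_INFO_DENIED", "ACCESS_MAYBE_REVOKED")},
    {"name": NAME + "3", "accessTuple": _tuple("bob@example.com", PROJECT, "iam.serviceAccounts.actAs"),
     "error": {"code": 7, "message": "constructed: replay failed"}},
    # Replayed successfully with identical results: neither diff nor error is present.
    {"name": NAME + "4", "accessTuple": _tuple("bob@example.com", PROJECT, "resourcemanager.projects.get")},
]

def triage(results):
    """Return (change_counts, gained, incomplete) for a list of ReplayResult dicts.
    gained: (principal, permission, resource) tuples that newly get the permission.
    incomplete: result names whose replay failed or hit UNKNOWN_INFO_DENIED, i.e. the
    simulator could not read every policy, so that verdict cannot be trusted."""
    counts, gained, incomplete = Counter(), [], []
    for r in results:
        if "error" in r:                      # union field result holds an error, no diff
            incomplete.append(r["name"])
            continue
        if "diff" not in r:                   # success, baseline == simulated
            counts["NO_CHANGE"] += 1
            continue
        d = r["diff"]["accessDiff"]
        change = d.get("accessChange", "ACCESS_CHANGE_TYPE_UNSPECIFIED")
        counts[change] += 1
        if change == "ACCESS_GAINED":
            t = r["accessTuple"]
            gained.append((t["principal"], t["permission"], t["fullResourceName"]))
        if any(d.get(s, {}).get("accessState") == "UNKNOWN_INFO_DENIED"
               for s in ("baseline", "simulated")):
            incomplete.append(r["name"])
    return counts, gained, incomplete
```

`ACCESS_GAINED` rows are the ones to review before applying the proposed policy, and any entry in `incomplete` means the replay should be rerun by a user who can read all of the policies involved.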
| Methods | |
|---|---|
| | Lists the results of running a `Replay`. |