Class IamPolicyAnalysisResult (0.10.0)

IAM Policy analysis result, consisting of one IAM policy binding and derived access control lists.

The Cloud IAM policy binding under analysis.

The identity list derived from members of the [iam_binding][go ogle.cloud.asset.v1p4beta1.IamPolicyAnalysisResult.iam_binding ] that match or potentially match identity selector specified in the request.

Classes

Access

A role or permission that appears in an access control list.

The permission.

AccessControlList

An access control list, derived from the above IAM policy binding, which contains a set of resources and accesses. May include one item from each set to compose an access control entry.

NOTICE that there could be multiple access control lists for one IAM policy binding. The access control lists are created based on resource and access combinations.

For example, assume we have the following cases in one IAM policy binding: - Permission P1 and P2 apply to resource R1 and R2; - Permission P3 applies to resource R2 and R3;

This will result in the following access control lists: - AccessControlList 1: [R1, R2], [P1, P2] - AccessControlList 2: [R2, R3], [P3]

The accesses that match one of the following conditions: - The access_selector, if it is specified in request; - Otherwise, access specifiers reachable from the policy binding’s role.

AnalysisState

Represents analysis state of each node in the result graph or non-critical errors in the response.

The human-readable description of the cause of failure.

Edge

A directional edge.

The target node of the edge.

Identity

An identity that appears in an access control list.

The analysis state of this identity node.

IdentityList

Group identity edges of the graph starting from the binding’s group members to any node of the [identities][google.cloud.ass et.v1p4beta1.IamPolicyAnalysisResult.IdentityList.identities]. The [Edge.source_node][google.cloud.asset.v1p4beta1.IamPolicyA nalysisResult.Edge.source_node] contains a group, such as “group:parent@google.com”. The [Edge.target_node][google.cloud .asset.v1p4beta1.IamPolicyAnalysisResult.Edge.target_node] contains a member of the group, such as “group:child@google.com” or “user:foo@google.com”. This field is present only if the output_group_edges option is enabled in request.

Resource

A GCP resource that appears in an access control list.

The analysis state of this resource node.