Class IamPolicyAnalysisResult (1.1.0)

IAM Policy analysis result, consisting of one IAM policy binding and derived access control lists.

The Cloud IAM policy binding under analysis.

The identity list derived from members of the [iam_binding][go ogle.cloud.asset.v1p4beta1.IamPolicyAnalysisResult.iam_binding ] that match or potentially match identity selector specified in the request.

Classes

Access

A role or permission that appears in an access control list. .. attribute:: role

The role.

The analysis state of this access node.

AccessControlList

An access control list, derived from the above IAM policy binding, which contains a set of resources and accesses. May include one item from each set to compose an access control entry. NOTICE that there could be multiple access control lists for one IAM policy binding. The access control lists are created based on resource and access combinations. For example, assume we have the following cases in one IAM policy binding: - Permission P1 and P2 apply to resource R1 and R2; - Permission P3 applies to resource R2 and R3; This will result in the following access control lists: - AccessControlList 1: [R1, R2], [P1, P2] - AccessControlList 2: [R2, R3], [P3] .. attribute:: resources

The resources that match one of the following conditions: - The resource_selector, if it is specified in request; - Otherwise, resources reachable from the policy attached resource.

Resource edges of the graph starting from the policy attached resource to any descendant resources. The [Edge.source_node][g oogle.cloud.asset.v1p4beta1.IamPolicyAnalysisResult.Edge.sourc e_node] contains the full resource name of a parent resource and [Edge.target_node][google.cloud.asset.v1p4beta1.IamPolicyA nalysisResult.Edge.target_node] contains the full resource name of a child resource. This field is present only if the output_resource_edges option is enabled in request.

AnalysisState

Represents analysis state of each node in the result graph or non- critical errors in the response. .. attribute:: code

The Google standard error code that best describes the state. For example: - OK means the node has been successfully explored; - PERMISSION_DENIED means an access denied error is encountered; - DEADLINE_EXCEEDED means the node hasn’t been explored in time;

Edge

A directional edge. .. attribute:: source_node

The source node of the edge.

Identity

An identity that appears in an access control list. .. attribute:: name

The identity name in any form of members appear in IAM policy binding <https://cloud.google.com/iam/reference/rest/v1/Binding>__, such as: - user:foo@google.com - group:group1@google.com - serviceAccount:s1@prj1.iam.gserviceaccount.com - projectOwner:some_project_id - domain:google.com - allUsers - etc.

IdentityList

Group identity edges of the graph starting from the binding’s group members to any node of the [identities][google.cloud.ass et.v1p4beta1.IamPolicyAnalysisResult.IdentityList.identities]. The [Edge.source_node][google.cloud.asset.v1p4beta1.IamPolicyA nalysisResult.Edge.source_node] contains a group, such as “group:parent@google.com”. The [Edge.target_node][google.cloud .asset.v1p4beta1.IamPolicyAnalysisResult.Edge.target_node] contains a member of the group, such as “group:child@google.com” or “user:foo@google.com”. This field is present only if the output_group_edges option is enabled in request.

Resource

A GCP resource that appears in an access control list. .. attribute:: full_resource_name

The full resource name <https://aip.dev/122#full-resource- names>__.