Module types (1.0.0)

API documentation for dlp_v2.types module.

A task to execute on the completion of a job. See https://cloud.google.com/dlp/docs/concepts-actions to learn more. .. attribute:: save_findings

Save resulting findings in a provided location.

Publish summary to Cloud Security Command Center (Alpha).

Enable email notification for project owners and editors on job’s completion/failure.

Request message for ActivateJobTrigger. .. attribute:: name

Required. Resource name of the trigger to activate, for example projects/dlp-test-project/jobTriggers/53234423.

Result of a risk analysis operation request. .. attribute:: requested_privacy_metric

Privacy metric to compute.

Values associated with this metric.

Categorical stats result

L-divesity result

Delta-presence result

API documentation for dlp_v2.types.Any class.

Message defining a field of a BigQuery table. .. attribute:: table

Source table of the field.

Row key for identifying a record in BigQuery table. .. attribute:: table_reference

Complete BigQuery table reference.

Options defining BigQuery table and row identifiers. .. attribute:: table_reference

Complete BigQuery table reference.

Max number of rows to scan. If the table has more rows than this value, the rest of the rows are omitted. If not set, or if set to 0, all rows will be scanned. Only one of rows_limit and rows_limit_percent can be specified. Cannot be used in conjunction with TimespanConfig.

References to fields excluded from scanning. This allows you to skip inspection of entire columns which you know have no findings.

Message defining the location of a BigQuery table. A table is uniquely identified by its project_id, dataset_id, and table_name. Within a query a table is often referenced with a string in the format of: <project_id>:<dataset_id>.<table_id> or <project_id>.<dataset_id>.<table_id>. .. attribute:: project_id

The Google Cloud Platform project ID of the project containing the table. If omitted, project ID is inferred from the API call.

Name of the table.

Bounding box encompassing detected text within an image. .. attribute:: top

Top coordinate of the bounding box. (0,0) is upper left.

Width of the bounding box in pixels.

Generalization function that buckets values based on ranges. The ranges and replacement values are dynamically provided by the user for custom behavior, such as 1-30 -> LOW 31-65 -> MEDIUM 66-100 -> HIGH This can be used on data of type: number, long, string, timestamp. If the bound Value type differs from the type of data being transformed, we will first attempt converting the type of the data to be transformed to match the type of the bound before comparing. See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more. .. attribute:: buckets

Set of buckets. Ranges must be non-overlapping.

Container for bytes to inspect or redact. .. attribute:: type

The type of data stored in the bytes string. Default will be TEXT_UTF8.

The request message for canceling a DLP job. .. attribute:: name

Required. The name of the DlpJob resource to be cancelled.

Partially mask a string by replacing a given number of characters with a fixed character. Masking can start from the beginning or end of the string. This can be used on data of any type (numbers, longs, and so on) and when de-identifying structured data we’ll attempt to preserve the original data’s type. (This allows you to take a long like 123 and modify it to a string like **3. .. attribute:: masking_character

Character to use to mask the sensitive values—for example, * for an alphabetic string such as a name, or 0 for a numeric string such as ZIP code or credit card number. This string must have a length of 1. If not supplied, this value defaults to * for strings, and 0 for digits.

Mask characters in reverse order. For example, if masking_character is 0, number_to_mask is 14, and reverse_order is false, then the input string 1234-5678-9012-3456 is masked as 00000000000000-3456. If masking_character is *, number_to_mask is 3, and reverse_order is true, then the string 12345 is masked as 12***.

Characters to skip when doing deidentification of a value. These will be left alone and skipped. .. attribute:: characters_to_skip

Characters to not transform when masking.

Message representing a set of files in Cloud Storage. .. attribute:: url

The url, in the format gs://<bucket>/<path>. Trailing wildcard in the path is allowed.

Options defining a file or a set of files within a Google Cloud Storage bucket. .. attribute:: file_set

The set of one or more files to scan.

Max percentage of bytes to scan from a file. The rest are omitted. The number of bytes scanned is rounded down. Must be between 0 and 100, inclusively. Both 0 and 100 means no limit. Defaults to 0. Only one of bytes_limit_per_file and bytes_limit_per_file_percent can be specified.

Limits the number of files to scan to this percentage of the input FileSet. Number of files scanned is rounded down. Must be between 0 and 100, inclusively. Both 0 and 100 means no limit. Defaults to 0.

Message representing a single file or path in Cloud Storage. .. attribute:: path

A url representing a file or path (no wildcards) in Cloud Storage. Example: gs://[BUCKET_NAME]/dictionary.txt

Message representing a set of files in a Cloud Storage bucket. Regular expressions are used to allow fine-grained control over which files in the bucket to include. Included files are those that match at least one item in include_regex and do not match any items in exclude_regex. Note that a file that matches items from both lists will not be included. For a match to occur, the entire file path (i.e., everything in the url after the bucket name) must match the regular expression. For example, given the input {bucket_name: "mybucket", include_regex: ["directory1/.*"], exclude_regex: ["directory1/excluded.*"]}: - gs://mybucket/directory1/myfile will be included - gs://mybucket/directory1/directory2/myfile will be included (.* matches across /) - gs://mybucket/directory0/directory1/myfile will not be included (the full path doesn’t match any items in include_regex) - gs://mybucket/directory1/excludedfile will not be included (the path matches an item in exclude_regex) If include_regex is left empty, it will match all files by default (this is equivalent to setting include_regex: [".*"]). Some other common use cases: - {bucket_name: "mybucket", exclude_regex: [".*\.pdf"]} will include all files in mybucket except for .pdf files - {bucket_name: "mybucket", include_regex: ["directory/[^/]+"]} will include all files directly under gs://mybucket/directory/, without matching across / .. attribute:: bucket_name

The name of a Cloud Storage bucket. Required.

A list of regular expressions matching file paths to exclude. All files in the bucket that match at least one of these regular expressions will be excluded from the scan. Regular expressions use RE2 syntax <https://github.com/google/re2/wiki/Syntax>__; a guide can be found under the google/re2 repository on GitHub.

Represents a color in the RGB color space. .. attribute:: red

The amount of red in the color as a value in the interval [0, 1].

The amount of blue in the color as a value in the interval [0, 1].

Represents a container that may contain DLP findings. Examples of a container include a file, table, or database record. .. attribute:: type

Container type, for example BigQuery or Google Cloud Storage.

A string representation of the full container name. Examples:

• BigQuery: ‘Project:DataSetId.TableId’ - Google Cloud Storage: ‘gs://Bucket/folders/filename.txt’

  The rest of the path after the root. Examples: - For BigQuery table project_id:dataset_id.table_id, the relative path is table_id - Google Cloud Storage file gs://bucket/folder/filename.txt, the relative path is folder/filename.txt

  Findings container version, if available (“generation” for Google Cloud Storage).

Container structure for the content to inspect. .. attribute:: data_item

Data of the item either in the byte array or UTF-8 string form, or table.

Structured content for inspection. See https://cloud.google.com/dlp/docs/inspecting- text#inspecting_a_table to learn more.

Precise location of the finding within a document, record, image, or metadata container. .. attribute:: container_name

Name of the container where the finding is located. The top level name is the source file name or table name. Names of some common storage containers are formatted as follows: - BigQuery tables: {project_id}:{dataset_id}.{table_id} - Cloud Storage files: gs://{bucket}/{path} - Datastore namespace: {namespace} Nested names could be absent if the embedded object has no string identifier (for an example an image contained within a document).

Location within a row or record of a database table.

Location data for document files.

Findings container modification timestamp, if applicable. For Google Cloud Storage contains last file modification timestamp. For BigQuery table contains last_modified_time property. For Datastore - not populated.

Request message for CreateDeidentifyTemplate. .. attribute:: parent

Required. The parent resource name, for example projects/my- project-id or organizations/my-org-id or projects/my-project- id/locations/{location_id}.

The template id can contain uppercase and lowercase letters, numbers, and hyphens; that is, it must match the regular expression: [a-zA-Z\d-_]+. The maximum length is 100 characters. Can be empty to allow the system to generate one.

Request message for CreateDlpJobRequest. Used to initiate long running jobs such as calculating risk metrics or inspecting Google Cloud Storage. .. attribute:: parent

Required. The parent resource name, for example projects/my- project-id or projects/my-project-id/locations/{location_id}.

Set to control what and how to inspect.

The job id can contain uppercase and lowercase letters, numbers, and hyphens; that is, it must match the regular expression: [a-zA-Z\d-_]+. The maximum length is 100 characters. Can be empty to allow the system to generate one.

Request message for CreateInspectTemplate. .. attribute:: parent

Required. The parent resource name, for example projects/my- project-id or organizations/my-org-id or projects/my-project- id/locations/{location-id}.

The template id can contain uppercase and lowercase letters, numbers, and hyphens; that is, it must match the regular expression: [a-zA-Z\d-_]+. The maximum length is 100 characters. Can be empty to allow the system to generate one.

Request message for CreateJobTrigger. .. attribute:: parent

Required. The parent resource name, for example projects/my- project-id or projects/my-project-id/locations/{location_id}.

The trigger id can contain uppercase and lowercase letters, numbers, and hyphens; that is, it must match the regular expression: [a-zA-Z\d-_]+. The maximum length is 100 characters. Can be empty to allow the system to generate one.

Request message for CreateStoredInfoType. .. attribute:: parent

Required. The parent resource name, for example projects/my- project-id or organizations/my-org-id or projects/my-project- id/locations/{location_id}

The storedInfoType ID can contain uppercase and lowercase letters, numbers, and hyphens; that is, it must match the regular expression: [a-zA-Z\d-_]+. The maximum length is 100 characters. Can be empty to allow the system to generate one.

Pseudonymization method that generates deterministic encryption for the given input. Outputs a base64 encoded representation of the encrypted output. Uses AES-SIV based on the RFC https://tools.ietf.org/html/rfc5297. .. attribute:: crypto_key

The key used by the encryption function.

A context may be used for higher security and maintaining referential integrity such that the same identifier in two different contexts will be given a distinct surrogate. The context is appended to plaintext value being encrypted. On decryption the provided context is validated against the value used during encryption. If a context was provided during encryption, same context must be provided during decryption as well. If the context is not set, plaintext would be used as is for encryption. If the context is set but: 1. there is no record present when transforming a given value or 2. the field is not present when transforming a given value, plaintext would be used as is for encryption. Note that case (1) is expected when an InfoTypeTransformation is applied to both structured and non-structured ContentItem\ s.

Pseudonymization method that generates surrogates via cryptographic hashing. Uses SHA-256. The key size must be either 32 or 64 bytes. Outputs a base64 encoded representation of the hashed output (for example, L7k0BHmF1ha5U3NfGykjro4xWi1MPVQPjhMAZbSV9mM=). Currently, only string and integer values can be hashed. See https://cloud.google.com/dlp/docs/pseudonymization to learn more. .. attribute:: crypto_key

The key used by the hash function.

This is a data encryption key (DEK) (as opposed to a key encryption key (KEK) stored by KMS). When using KMS to wrap/unwrap DEKs, be sure to set an appropriate IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot unwrap the data crypto key. .. attribute:: source

Sources of crypto keys.

Unwrapped crypto key

Replaces an identifier with a surrogate using Format Preserving Encryption (FPE) with the FFX mode of operation; however when used in the ReidentifyContent API method, it serves the opposite function by reversing the surrogate back into the original identifier. The identifier must be encoded as ASCII. For a given crypto key and context, the same identifier will be replaced with the same surrogate. Identifiers must be at least two characters long. In the case that the identifier is the empty string, it will be skipped. See https://cloud.google.com/dlp/docs/pseudonymization to learn more. Note: We recommend using CryptoDeterministicConfig for all use cases which do not require preserving the input alphabet space and size, plus warrant referential integrity. .. attribute:: crypto_key

Required. The key used by the encryption algorithm.

Choose an alphabet which the data being transformed will be made up of.

This is supported by mapping these to the alphanumeric characters that the FFX mode natively supports. This happens before/after encryption/decryption. Each character listed must appear only once. Number of characters must be in the range [2, 95]. This must be encoded as ASCII. The order of characters does not matter.

The custom infoType to annotate the surrogate with. This annotation will be applied to the surrogate by prefixing it with the name of the custom infoType followed by the number of characters comprising the surrogate. The following scheme defines the format: info_type_name(surrogate_character_count):surrogate For example, if the name of custom infoType is ‘MY_TOKEN_INFO_TYPE’ and the surrogate is ‘abc’, the full replacement value will be: ‘MY_TOKEN_INFO_TYPE(3):abc’ This annotation identifies the surrogate when inspecting content using the custom infoType `SurrogateType </dlp/docs/reference/rest/v2/InspectConfig#surrogatetype>`__. This facilitates reversal of the surrogate when it occurs in free text. In order for inspection to work properly, the name of this infoType must not occur naturally anywhere in your data; otherwise, inspection may find a surrogate that does not correspond to an actual identifier. Therefore, choose your custom infoType name carefully after considering what your data looks like. One way to select a name that has a high chance of yielding reliable detection is to include one or more unicode characters that are highly improbable to exist in your data. For example, assuming your data is entered from a regular ASCII keyboard, the symbol with the hex code point 29DD might be used like so: ⧝MY_TOKEN_TYPE

Custom information type provided by the user. Used to find domain- specific sensitive information configurable to the data in question. .. attribute:: info_type

CustomInfoType can either be a new infoType, or an extension of built-in infoType, when the name matches one of existing infoTypes and that infoType is specified in InspectContent.info_types field. Specifying the latter adds findings to the one detected by the system. If built-in info type is not specified in InspectContent.info_types list then the name is treated as a custom info type.

A list of phrases to detect as a CustomInfoType.

Message for detecting output from deidentification transformations that support reversing.

Set of detection rules to apply to all findings of this CustomInfoType. Rules are applied in order that they are specified. Not supported for the surrogate_type CustomInfoType.

Record key for a finding in Cloud Datastore. .. attribute:: entity_key

Datastore entity key.

Options defining a data set within Google Cloud Datastore. .. attribute:: partition_id

A partition ID identifies a grouping of entities. The grouping is always by project and namespace, however the namespace ID may be empty.

API documentation for dlp_v2.types.Date class.

Shifts dates by random number of days, with option to be consistent for the same context. See https://cloud.google.com/dlp/docs/concepts- date-shifting to learn more. .. attribute:: upper_bound_days

Required. Range of shift in days. Actual shift will be selected at random within this range (inclusive ends). Negative means shift to earlier in time. Must not be more than 365250 days (1000 years) each direction. For example, 3 means shift date to at most 3 days into the future.

Points to the field that contains the context, for example, an entity id. If set, must also set cryptoKey. If set, shift will be consistent for the given context.

Causes the shift to be computed based on this key and the context. This results in the same shift for the same context and crypto_key. If set, must also set context. Can only be applied to table items.

Message for a date time object. e.g. 2018-01-01, 5th August. .. attribute:: date

One or more of the following must be set. Must be a valid date or time value.

Time of day

The configuration that controls how the data will change. .. attribute:: info_type_transformations

Treat the dataset as free-form text and apply the same free text transformation everywhere.

Mode for handling transformation errors. If left unspecified, the default mode is TransformationErrorHandling.ThrowError.

Request to de-identify a list of items. .. attribute:: parent

The parent resource name, for example projects/my-project-id or projects/my-project-id/locations/{location_id}.

Configuration for the inspector. Items specified here will override the template referenced by the inspect_template_name argument.

Template to use. Any configuration directly specified in inspect_config will override those set in the template. Singular fields that are set in this request will replace their corresponding fields in the template. Repeated fields are appended. Singular sub-messages and groups are recursively merged.

Deprecated. This field has no effect.

Results of de-identifying a ContentItem. .. attribute:: item

The de-identified item.

DeidentifyTemplates contains instructions on how to de-identify content. See https://cloud.google.com/dlp/docs/concepts-templates to learn more. .. attribute:: name

Output only. The template name. The template will have one of the following formats: projects/PROJECT_ID/deidentifyTemplates/TEMPLATE_ID OR o rganizations/ORGANIZATION_ID/deidentifyTemplates/TEMPLATE_ID

Short description (max 256 chars).

Output only. The last update timestamp of an inspectTemplate.

Request message for DeleteDeidentifyTemplate. .. attribute:: name

Required. Resource name of the organization and deidentify template to be deleted, for example organizations/433245324/deidentifyTemplates/432452342 or projects/project-id/deidentifyTemplates/432452342.

The request message for deleting a DLP job. .. attribute:: name

Required. The name of the DlpJob resource to be deleted.

Request message for DeleteInspectTemplate. .. attribute:: name

Required. Resource name of the organization and inspectTemplate to be deleted, for example organizations/433245324/inspectTemplates/432452342 or projects/project-id/inspectTemplates/432452342.

Request message for DeleteJobTrigger. .. attribute:: name

Required. Resource name of the project and the triggeredJob, for example projects/dlp-test- project/jobTriggers/53234423.

Request message for DeleteStoredInfoType. .. attribute:: name

Required. Resource name of the organization and storedInfoType to be deleted, for example organizations/433245324/storedInfoTypes/432452342 or projects/project-id/storedInfoTypes/432452342.

Combines all of the information about a DLP job. .. attribute:: name

The server-assigned name.

State of a job.

Results from inspecting a data source.

Time when the job started.

If created by a job trigger, the resource name of the trigger that instantiated the job.

Location of a finding within a document. .. attribute:: file_offset

Offset of the line, from the beginning of the file, where the finding is located.

API documentation for dlp_v2.types.Duration class.

API documentation for dlp_v2.types.Empty class.

An entity in a dataset is a field or set of fields that correspond to a single person. For example, in medical records the EntityId might be a patient identifier, or for financial records it might be an account identifier. This message is used when generalizations or analysis must take into account that multiple rows correspond to the same entity. .. attribute:: field

Composite key indicating which field contains the entity identifier.

Details information about an error encountered during job execution or the results of an unsuccessful activation of the JobTrigger. .. attribute:: details

Detailed error codes and messages.

List of exclude infoTypes. .. attribute:: info_types

InfoType list in ExclusionRule rule drops a finding when it overlaps or contained within with a finding of an infoType from this list. For example, for InspectionRuleSet.info_types containing “PHONE_NUMBER” and\ exclusion_rule\ containing exclude_info_types.info_types` with “EMAIL_ADDRESS” the phone number findings are dropped if they overlap with EMAIL_ADDRESS finding. That leads to “555-222-2222@example.org” to generate only a single finding, namely email address.

The rule that specifies conditions when findings of infoTypes specified in InspectionRuleSet are removed from results. .. attribute:: type

Exclusion rule types.

Regular expression which defines the rule.

How the rule is applied, see MatchingType documentation for details.

General identifier of a data field in a storage service. .. attribute:: name

Name describing the field.

API documentation for dlp_v2.types.FieldMask class.

The transformation to apply to the field. .. attribute:: fields

Required. Input field(s) to apply the transformation to.

Transformation to apply. [required]

Treat the contents of the field as free text, and selectively transform content that matches an InfoType.

Represents a piece of potentially sensitive content. .. attribute:: name

Resource name in format projects/{project}/locations/{location}/findings/{finding} Populated only when viewing persisted findings.

The type of content that might have been found. Provided if excluded_types is false.

Where the content was found.

Contains data parsed from quotes. Only populated if include_quote was set to true and a supported infoType was requested. Currently supported infoTypes: DATE, DATE_OF_BIRTH and TIME.

Job trigger name, if applicable, for this finding.

Time the job started that produced this finding.

The request message for finishing a DLP hybrid job. .. attribute:: name

Required. The name of the DlpJob resource to be cancelled.

Buckets values based on fixed size ranges. The Bucketing transformation can provide all of this functionality, but requires more configuration. This message is provided as a convenience to the user for simple bucketing strategies. The transformed value will be a hyphenated string of {lower_bound}-{upper_bound}, i.e if lower_bound = 10 and upper_bound = 20 all values that are within this bucket will be replaced with “10-20”. This can be used on data of type: double, long. If the bound Value type differs from the type of data being transformed, we will first attempt converting the type of the data to be transformed to match the type of the bound before comparing. See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more. .. attribute:: lower_bound

Required. Lower bound value of buckets. All values less than lower_bound are grouped together into a single bucket; for example if lower_bound = 10, then all values less than 10 are replaced with the value “-10”.

Required. Size of each bucket (except for minimum and maximum buckets). So if lower_bound = 10, upper_bound = 89, and bucket_size = 10, then the following buckets would be used: -10, 10-20, 20-30, 30-40, 40-50, 50-60, 60-70, 70-80, 80-89, 89+. Precision up to 2 decimals works.

Request message for GetDeidentifyTemplate. .. attribute:: name

Required. Resource name of the organization and deidentify template to be read, for example organizations/433245324/deidentifyTemplates/432452342 or projects/project-id/deidentifyTemplates/432452342.

The request message for [DlpJobs.GetDlpJob][]. .. attribute:: name

Required. The name of the DlpJob resource.

Request message for GetInspectTemplate. .. attribute:: name

Required. Resource name of the organization and inspectTemplate to be read, for example organizations/433245324/inspectTemplates/432452342 or projects/project-id/inspectTemplates/432452342.

Request message for GetJobTrigger. .. attribute:: name

Required. Resource name of the project and the triggeredJob, for example projects/dlp-test- project/jobTriggers/53234423.

Request message for GetStoredInfoType. .. attribute:: name

Required. Resource name of the organization and storedInfoType to be read, for example organizations/433245324/storedInfoTypes/432452342 or projects/project-id/storedInfoTypes/432452342.

An individual hybrid item to inspect. Will be stored temporarily during processing. .. attribute:: item

The item to inspect.

Populate to associate additional data with each finding. .. attribute:: container_details

Details about the container where the content being inspected is from.

Offset of the row for tables. Populate if the row(s) being scanned are part of a bigger dataset and you want to keep track of their absolute position.

Labels to represent user provided metadata about the data being inspected. If configured by the job, some key values may be required. The labels associated with Finding\ ’s produced by hybrid inspection. Label keys must be between 1 and 63 characters long and must conform to the following regular expression: [a-z]([-a-z0-9]*[a-z0-9])?. Label values must be between 0 and 63 characters long and must conform to the regular expression ([a-z]([-a-z0-9]*[a-z0-9])?)?. No more than 10 labels can be associated with a given finding. Examples: * "environment" : "production" * "pipeline" : "etl"

Request to search for potentially sensitive info in a custom location. .. attribute:: name

Required. Resource name of the job to execute a hybrid inspect on, for example projects/dlp-test-project/dlpJob/53234423.

Request to search for potentially sensitive info in a custom location. .. attribute:: name

Required. Resource name of the trigger to execute a hybrid inspect on, for example projects/dlp-test- project/jobTriggers/53234423.

Quota exceeded errors will be thrown once quota has been met.

Statistics related to processing hybrid inspect requests.s .. attribute:: processed_count

The number of hybrid inspection requests processed within this job.

The number of hybrid requests currently being processed. Only populated when called via method getDlpJob. A burst of traffic may cause hybrid inspect requests to be enqueued. Processing will take place as quickly as possible, but resource limitations may impact how long a request is enqueued for.

Configuration to control jobs where the content being inspected is outside of Google Cloud Platform. .. attribute:: description

A short description of where the data is coming from. Will be stored once in the job. 256 max length.

To organize findings, these labels will be added to each finding. Label keys must be between 1 and 63 characters long and must conform to the following regular expression: [a-z]([-a-z0-9]*[a-z0-9])?. Label values must be between 0 and 63 characters long and must conform to the regular expression ([a-z]([-a-z0-9]*[a-z0-9])?)?. No more than 10 labels can be associated with a given finding. Examples: * "environment" : "production" * "pipeline" : "etl"

Location of the finding within an image. .. attribute:: bounding_boxes

Bounding boxes locating the pixels within the image containing the finding.

Type of information detected by the API. .. attribute:: name

Name of the information type. Either a name of your choosing when creating a CustomInfoType, or one of the names listed at https://cloud.google.com/dlp/docs/infotypes-reference when specifying a built-in type. InfoType names should conform to the pattern [a-zA-Z0-9_]{1,64}.

InfoType description. .. attribute:: name

Internal name of the infoType.

Which parts of the API supports this InfoType.

Statistics regarding a specific InfoType. .. attribute:: info_type

The type of finding this stat is for.

A type of transformation that will scan unstructured text and apply various PrimitiveTransformation\ s to each finding, where the transformation is applied to only values that were identified as a specific info_type. .. attribute:: transformations

Required. Transformation for each infoType. Cannot specify more than one for a given infoType.

Configuration description of the scanning process. When used with redactContent only info_types and min_likelihood are currently used. .. attribute:: info_types

Restricts what info_types to look for. The values must correspond to InfoType values returned by ListInfoTypes or listed at https://cloud.google.com/dlp/docs/infotypes- reference. When no InfoTypes or CustomInfoTypes are specified in a request, the system may automatically choose what detectors to run. By default this may be all types, but may change over time as detectors are updated. If you need precise control and predictability as to what detectors are run you should specify specific InfoTypes listed in the reference, otherwise a default list will be used, which may change over time.

Configuration to control the number of findings returned.

When true, excludes type information of the findings.

List of options defining data content to scan. If empty, text, images, and other content will be included.

Request to search for potentially sensitive info in a ContentItem. .. attribute:: parent

The parent resource name, for example projects/my-project-id or projects/my-project-id/locations/{location_id}

The item to inspect.

Deprecated. This field has no effect.

Results of inspecting an item. .. attribute:: result

The findings.

The results of an inspect DataSource job. .. attribute:: requested_options

The configuration used for this job.

Controls what and how to inspect for findings. .. attribute:: storage_config

The data to scan.

If provided, will be used as the default for all values in InspectConfig. inspect_config will be merged into the values persisted as part of the template. actions: Actions to execute at the completion of the job.

All the findings for a single scanned item. .. attribute:: findings

List of findings for an item.

The inspectTemplate contains a configuration (set of types of sensitive data to be detected) to be used anywhere you otherwise would normally specify InspectConfig. See https://cloud.google.com/dlp/docs/concepts-templates to learn more. .. attribute:: name

Output only. The template name. The template will have one of the following formats: projects/PROJECT_ID/inspectTemplates/TEMPLATE_ID OR orga nizations/ORGANIZATION_ID/inspectTemplates/TEMPLATE_ID;

Short description (max 256 chars).

Output only. The last update timestamp of an inspectTemplate.

A single inspection rule to be applied to infoTypes, specified in InspectionRuleSet. .. attribute:: type

Inspection rule types.

Exclusion rule.

Rule set for modifying a set of infoTypes to alter behavior under certain circumstances, depending on the specific details of the rules within the set. .. attribute:: info_types

List of infoTypes this rule set is applied to.

What event needs to occur for a new job to be started. .. attribute:: schedule

Create a job on a repeating basis based on the elapse of time.

Unique resource name for the triggeredJob, assigned by the service when the triggeredJob is created, for example projects/dlp-test-project/jobTriggers/53234423.

User provided description (max 256 chars)

For inspect jobs, a snapshot of the configuration.

Output only. A stream of errors encountered when the trigger was activated. Repeated errors may result in the JobTrigger automatically being paused. Will return the last 100 errors. Whenever the JobTrigger is modified this list will be cleared.

Output only. The last update timestamp of a triggeredJob.

Required. A status for this trigger.

A unique identifier for a Datastore entity. If a key’s partition ID or any of its path kinds or names are reserved/read-only, the key is reserved/read-only. A reserved/read-only key is forbidden in certain documented contexts. .. attribute:: partition_id

Entities are partitioned into subsets, currently identified by a project ID and namespace ID. Queries are scoped to a single partition.

A representation of a Datastore kind. .. attribute:: name

The name of the kind.

Include to use an existing data crypto key wrapped by KMS. The wrapped key must be a 128/192/256 bit key. Authorization requires the following IAM permissions when sending a request to perform a crypto transformation using a kms-wrapped crypto key: dlp.kms.encrypt .. attribute:: wrapped_key

Required. The wrapped data crypto key.

Configuration for a custom dictionary created from a data source of any size up to the maximum size defined in the limits <https://cloud.google.com/dlp/limits>__ page. The artifacts of dictionary creation are stored in the specified Google Cloud Storage location. Consider using CustomInfoType.Dictionary for smaller dictionaries that satisfy the size requirements. .. attribute:: output_path

Location to store dictionary artifacts in Google Cloud Storage. These files will only be accessible by project owners and the DLP API. If any of these artifacts are modified, the dictionary is considered invalid and can no longer be used.

Field in a BigQuery table where each cell represents a dictionary phrase.

Summary statistics of a custom dictionary. .. attribute:: approx_num_phrases

Approximate number of distinct phrases in the dictionary.

Request message for ListDeidentifyTemplates. .. attribute:: parent

Required. The parent resource name, for example projects/my- project-id or organizations/my-org-id or projects/my-project- id/locations/{location_id}.

Size of the page, can be limited by server. If zero server returns a page of max size 100.

Deprecated. This field has no effect.

Response message for ListDeidentifyTemplates. .. attribute:: deidentify_templates

List of deidentify templates, up to page_size in ListDeidentifyTemplatesRequest.

The request message for listing DLP jobs. .. attribute:: parent

Required. The parent resource name, for example projects/my- project-id or projects/my-project-id/locations/{location_id}.

The standard list page size.

The type of job. Defaults to DlpJobType.INSPECT

Deprecated. This field has no effect.

The response message for listing DLP jobs. .. attribute:: jobs

A list of DlpJobs that matches the specified filter in the request.

Request for the list of infoTypes. .. attribute:: parent

The parent resource name, for example locations/{location_id}

filter to only return infoTypes supported by certain parts of the API. Defaults to supported_by=INSPECT.

Response to the ListInfoTypes request. .. attribute:: info_types

Set of sensitive infoTypes.

Request message for ListInspectTemplates. .. attribute:: parent

Required. The parent resource name, for example projects/my- project-id or organizations/my-org-id or projects/my-project- id/locations/{location_id}.

Size of the page, can be limited by server. If zero server returns a page of max size 100.

Deprecated. This field has no effect.

Response message for ListInspectTemplates. .. attribute:: inspect_templates

List of inspectTemplates, up to page_size in ListInspectTemplatesRequest.

Request message for ListJobTriggers. .. attribute:: parent

Required. The parent resource name, for example projects/my- project-id or projects/my-project- id/locations/{location_id}.

Size of the page, can be limited by a server.

Allows filtering. Supported syntax: - Filter expressions are made up of one or more restrictions. - Restrictions can be combined by AND or OR logical operators. A sequence of restrictions implicitly uses AND. - A restriction has the form of {field} {operator} {value}. - Supported fields/values for inspect jobs: - status - HEALTHY|PAUSED|CANCELLED - inspected_storage - DATASTORE|CLOUD_STORAGE|BIGQUERY - ’last_run_time` - RFC 3339 formatted timestamp, surrounded by quotation marks. Nanoseconds are ignored. - ‘error_count’ - Number of errors that have occurred while running. - The operator must be = or != for status and inspected_storage. Examples: - inspected_storage = cloud_storage AND status = HEALTHY - inspected_storage = cloud_storage OR inspected_storage = bigquery - inspected_storage = cloud_storage AND (state = PAUSED OR state = HEALTHY) - last_run_time > "2017-12-12T00:00:00+00:00" The length of this field should be no more than 500 characters.

Response message for ListJobTriggers. .. attribute:: job_triggers

List of triggeredJobs, up to page_size in ListJobTriggersRequest.

Request message for ListStoredInfoTypes. .. attribute:: parent

Required. The parent resource name, for example projects/my- project-id or organizations/my-org-id or projects/my-project- id/locations/{location_id}.

Size of the page, can be limited by server. If zero server returns a page of max size 100.

Deprecated. This field has no effect.

Response message for ListStoredInfoTypes. .. attribute:: stored_info_types

List of storedInfoTypes, up to page_size in ListStoredInfoTypesRequest.

Specifies the location of the finding. .. attribute:: byte_range

Zero-based byte offsets delimiting the finding. These are relative to the finding’s containing element. Note that when the content is not textual, this references the UTF-8 encoded textual representation of the content. Omitted if content is an image.

List of nested objects pointing to the precise location of the finding within the file or record.

Job trigger option for hybrid jobs. Jobs must be manually created and finished.

Metadata Location .. attribute:: type

Type of metadata containing the finding.

Storage metadata.

Cloud repository for storing output. .. attribute:: type

Output storage types.

Schema used for writing the findings for Inspect jobs. This field is only used for Inspect and must be unspecified for Risk jobs. Columns are derived from the Finding object. If appending to an existing table, any columns from the predefined schema that are missing will be added. No columns in the existing table will be deleted. If unspecified, then all available columns will be used for a new table or an (existing) table with no schema, and no changes will be made to an existing table that has a schema. Only for use with external storage.

Datastore partition ID. A partition ID identifies a grouping of entities. The grouping is always by project and namespace, however the namespace ID may be empty. A partition ID contains several dimensions: project ID and namespace ID. .. attribute:: project_id

The ID of the project to which the entities belong.

A rule for transforming a value. .. attribute:: replace_config

Replace

Mask

Fixed size bucketing

Replace with infotype

Crypto

Deterministic Crypto

Privacy metric to compute for reidentification risk analysis. .. attribute:: type

Types of analysis.

Categorical stats

l-diversity

delta-presence

A column with a semantic tag attached. .. attribute:: field

Required. Identifies the column.

A column can be tagged with a InfoType to use the relevant public dataset as a statistical model of population, if available. We currently support US ZIP codes, region codes, ages and genders. To programmatically obtain the list of supported InfoTypes, use ListInfoTypes with the supported_by=RISK_ANALYSIS filter.

If no semantic tag is indicated, we infer the statistical model from the distribution of values in the input data

Message for infoType-dependent details parsed from quote. .. attribute:: parsed_quote

Object representation of the quote.

Generic half-open interval [start, end) .. attribute:: start

Index of the first character of the range (inclusive).

The field type of value and field do not need to match to be considered equal, but not all comparisons are possible. EQUAL_TO and NOT_EQUAL_TO attempt to compare even with incompatible types, but all other comparisons are invalid with incompatible types. A value of type: - string can be compared against all other types - boolean can only be compared against other booleans - integer can be compared against doubles or a string if the string value can be parsed as an integer. - double can be compared against integers or a string if the string can be parsed as a double. - Timestamp can be compared against strings in RFC 3339 date string format. - TimeOfDay can be compared against timestamps and strings in the format of ‘HH:mm:ss’. If we fail to compare do to type mismatch, a warning will be given and the condition will evaluate to false. .. attribute:: field

Required. Field within the record this condition is evaluated against.

Value to compare against. [Mandatory, except for EXISTS tests.]

Message for a unique key indicating a record that contains a finding. .. attribute:: id_values

Values of identifying columns in the given row. Order of values matches the order of identifying_fields specified in the scanning request.

Location of a finding within a row or record. .. attribute:: record_key

Key of the finding.

Location within a ContentItem.Table.

Configuration to suppress records whose suppression conditions evaluate to true. .. attribute:: condition

A condition that when it evaluates to true will result in the record being evaluated to be suppressed from the transformed content.

A type of transformation that is applied over structured data such as a table. .. attribute:: field_transformations

Transform the record by applying various field transformations.

Redact a given value. For example, if used with an InfoTypeTransformation transforming PHONE_NUMBER, and input ‘My phone number is 206-555-0123’, the output would be ‘My phone number is’.

Request to search for potentially sensitive info in an image and redact it by covering it with a colored rectangle. .. attribute:: parent

The parent resource name, for example projects/my-project-id or projects/my-project-id/locations/{location_id}.

Configuration for the inspector.

Whether the response should include findings along with the redacted image.

Results of redacting an image. .. attribute:: redacted_image

The redacted image. The type will be the same as the original image.

The findings. Populated when include_findings in the request is true.

Request to re-identify an item. .. attribute:: parent

Required. The parent resource name.

Configuration for the inspector.

Template to use. Any configuration directly specified in inspect_config will override those set in the template. Singular fields that are set in this request will replace their corresponding fields in the template. Repeated fields are appended. Singular sub-messages and groups are recursively merged.

Deprecated. This field has no effect.

Results of re-identifying a item. .. attribute:: item

The re-identified item.

Replace each input value with a given Value. .. attribute:: new_value

Value to replace it with.

Replace each matching finding with the name of the info_type.

Configuration for a risk analysis job. See https://cloud.google.com/dlp/docs/concepts-risk-analysis to learn more. .. attribute:: privacy_metric

Privacy metric to compute.

Actions to execute at the completion of the job. Are executed in the order provided.

Schedule for triggeredJobs. .. attribute:: recurrence_period_duration

With this option a job is started a regular periodic basis. For example: every day (86400 seconds). A scheduled start time will be skipped if the previous execution has not ended when its scheduled time occurs. This value must be set to a time duration greater than or equal to 1 day and can be no longer than 60 days.

An auxiliary table containing statistical information on the relative frequency of different quasi-identifiers values. It has one or several quasi-identifiers columns, and one column that indicates the relative frequency of each quasi-identifier tuple. If a tuple is present in the data but not in the auxiliary table, the corresponding relative frequency is assumed to be zero (and thus, the tuple is highly reidentifiable). .. attribute:: table

Required. Auxiliary table location.

Required. The relative frequency column must contain a floating-point number between 0 and 1 (inclusive). Null values are assumed to be zero.

API documentation for dlp_v2.types.Status class.

Shared message indicating Cloud storage type. .. attribute:: datastore_options

Google Cloud Datastore options.

BigQuery options.

Storage metadata label to indicate which metadata entry contains findings.

StoredInfoType resource message that contains information about the current version and any pending updates. .. attribute:: name

Resource name.

Pending versions of the stored info type. Empty if no versions are pending.

Configuration for stored infoTypes. All fields and subfield are provided by the user. For more information, see https://cloud.google.com/dlp/docs/creating-custom-infotypes. .. attribute:: display_name

Display name of the StoredInfoType (max 256 characters).

Stored infotype types.

Store dictionary-based CustomInfoType.

Statistics for a StoredInfoType. .. attribute:: type

Stat types

Version of a StoredInfoType, including the configuration used to build it, create timestamp, and current state. .. attribute:: config

StoredInfoType configuration.

Stored info type version state. Read-only, updated by the system during dictionary creation.

Statistics about this storedInfoType version.

A reference to a StoredInfoType to use with scanning. .. attribute:: name

Resource name of the requested StoredInfoType, for example organizations/433245324/storedInfoTypes/432452342 or projects/project-id/storedInfoTypes/432452342.

Structured content to inspect. Up to 50,000 Value\ s per request allowed. See https://cloud.google.com/dlp/docs/inspecting- text#inspecting_a_table to learn more. .. attribute:: headers

Headers of the table.

Location of a finding within a table. .. attribute:: row_index

The zero-based index of the row where the finding is located. Only populated for resources that have a natural ordering, not BigQuery. In BigQuery, to identify the row a finding came from, populate BigQueryOptions.identifying_fields with your primary key column names and when you store the findings the value of those columns will be stored inside of Finding.

Instructions regarding the table content being inspected. .. attribute:: identifying_fields

The columns that are the primary keys for table objects included in ContentItem. A copy of this cell’s value will stored alongside alongside each finding so that the finding can be traced to the specific row it came from. No more than 3 may be provided.

API documentation for dlp_v2.types.TimeOfDay class.

For use with Date, Timestamp, and TimeOfDay, extract or preserve a portion of the value. .. attribute:: part_to_extract

The part of the time to keep.

API documentation for dlp_v2.types.Timestamp class.

How to handle transformation errors during de-identification. A transformation error occurs when the requested transformation is incompatible with the data. For example, trying to de-identify an IP address using a DateShift transformation would result in a transformation error, since date info cannot be extracted from an IP address. Information about any incompatible transformations, and how they were handled, is returned in the response as part of the TransformationOverviews. .. attribute:: mode

How transformation errors should be handled.

Ignore errors

Overview of the modifications that occurred. .. attribute:: transformed_bytes

Total size in bytes that were transformed in some way.

Summary of a single transformation. Only one of ‘transformation’, ‘field_transformation’, or ‘record_suppress’ will be set. .. attribute:: info_type

Set if the transformation was limited to a specific InfoType.

The specific transformation these stats apply to.

The specific suppression option these stats apply to.

Total size in bytes that were transformed in some way.

Use this to have a random data crypto key generated. It will be discarded after the request finishes. .. attribute:: name

Required. Name of the key. This is an arbitrary string used to differentiate different keys. A unique key is generated per name: two separate TransientCryptoKey protos share the same generated key if their names are the same. When the data crypto key is generated, this name is not used in any way (repeating the api call will result in a different key being generated).

Using raw keys is prone to security risks due to accidentally leaking the key. Choose another type of key if possible. .. attribute:: key

Required. A 128/192/256 bit key.

Request message for UpdateDeidentifyTemplate. .. attribute:: name

Required. Resource name of organization and deidentify template to be updated, for example organizations/433245324/deidentifyTemplates/432452342 or projects/project-id/deidentifyTemplates/432452342.

Mask to control which fields get updated.

Request message for UpdateInspectTemplate. .. attribute:: name

Required. Resource name of organization and inspectTemplate to be updated, for example organizations/433245324/inspectTemplates/432452342 or projects/project-id/inspectTemplates/432452342.

Mask to control which fields get updated.

Request message for UpdateJobTrigger. .. attribute:: name

Required. Resource name of the project and the triggeredJob, for example projects/dlp-test- project/jobTriggers/53234423.

Mask to control which fields get updated.

Request message for UpdateStoredInfoType. .. attribute:: name

Required. Resource name of organization and storedInfoType to be updated, for example organizations/433245324/storedInfoTypes/432452342 or projects/project-id/storedInfoTypes/432452342.

Mask to control which fields get updated.

Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a ‘Value’ is based on its representation as a UTF-8 encoded string. For example, if ‘integer_value’ is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data. .. attribute:: type

Value types

float

boolean

time of day

day of week

A value of a field, including its frequency. .. attribute:: value

A value contained in the field in question.