API documentation for policytroubleshooter_iam_v3.types package.
Classes
AccessTuple
Information about the principal, resource, and permission to check.
AllowAccessState
Whether IAM allow policies give the principal the permission.
Values:
ALLOW_ACCESS_STATE_UNSPECIFIED (0):
Not specified.
ALLOW_ACCESS_STATE_GRANTED (1):
The allow policy gives the principal the permission.
ALLOW_ACCESS_STATE_NOT_GRANTED (2):
The allow policy doesn't give the principal the permission.
ALLOW_ACCESS_STATE_UNKNOWN_CONDITIONAL (3):
The allow policy gives the principal the permission if a condition expression evaluates to true. However, the sender of the request didn't provide enough context for Policy Troubleshooter to evaluate the condition expression.
ALLOW_ACCESS_STATE_UNKNOWN_INFO (4):
The sender of the request doesn't have access to all of the allow policies that Policy Troubleshooter needs to evaluate the principal's access.
AllowBindingExplanation
Details about how a role binding in an allow policy affects a principal's ability to use a permission.
AllowPolicyExplanation
Details about how the relevant IAM allow policies affect the final access state.
ConditionContext
Additional context for troubleshooting conditional role bindings and deny rules.
ConditionExplanation
Explanation for how a condition affects a principal's access.
DenyAccessState
Whether IAM deny policies deny the principal the permission.
Values:
DENY_ACCESS_STATE_UNSPECIFIED (0):
Not specified.
DENY_ACCESS_STATE_DENIED (1):
The deny policy denies the principal the permission.
DENY_ACCESS_STATE_NOT_DENIED (2):
The deny policy doesn't deny the principal the permission.
DENY_ACCESS_STATE_UNKNOWN_CONDITIONAL (3):
The deny policy denies the principal the permission if a condition expression evaluates to true. However, the sender of the request didn't provide enough context for Policy Troubleshooter to evaluate the condition expression.
DENY_ACCESS_STATE_UNKNOWN_INFO (4):
The sender of the request does not have access to all of the deny policies that Policy Troubleshooter needs to evaluate the principal's access.
DenyPolicyExplanation
Details about how the relevant IAM deny policies affect the final access state.
DenyRuleExplanation
Details about how a deny rule in a deny policy affects a principal's ability to use a permission.
ExplainedAllowPolicy
Details about how a specific IAM allow policy contributed to the final access state.
ExplainedDenyPolicy
Details about how a specific IAM deny policy [Policy][google.iam.v2.Policy] contributed to the access check.
ExplainedDenyResource
Details about how a specific resource contributed to the deny policy evaluation.
HeuristicRelevance
The extent to which a single data point contributes to an overall determination.
Values:
HEURISTIC_RELEVANCE_UNSPECIFIED (0):
Not specified.
HEURISTIC_RELEVANCE_NORMAL (1):
The data point has a limited effect on the result. Changing the data point is unlikely to affect the overall determination.
HEURISTIC_RELEVANCE_HIGH (2):
The data point has a strong effect on the result. Changing the data point is likely to affect the overall determination.
MembershipMatchingState
Whether the principal in the request matches the principal in the policy.
Values:
MEMBERSHIP_MATCHING_STATE_UNSPECIFIED (0):
Not specified.
MEMBERSHIP_MATCHED (1):
The principal in the request matches the principal in the policy. The principal can be included directly or indirectly:
- A principal is included directly if that principal is listed in the role binding.
- A principal is included indirectly if that principal is in a Google group, Google Workspace account, or Cloud Identity domain that is listed in the policy.
MEMBERSHIP_NOT_MATCHED (2):
The principal in the request doesn't match the principal in the policy.
MEMBERSHIP_UNKNOWN_INFO (3):
The principal in the policy is a group or domain, and the sender of the request doesn't have permission to view whether the principal in the request is a member of the group or domain.
MEMBERSHIP_UNKNOWN_UNSUPPORTED (4):
The principal is an unsupported type.
PermissionPatternMatchingState
Whether the permission in the request matches the permission in the policy.
Values:
PERMISSION_PATTERN_MATCHING_STATE_UNSPECIFIED (0):
Not specified.
PERMISSION_PATTERN_MATCHED (1):
The permission in the request matches the permission in the policy.
PERMISSION_PATTERN_NOT_MATCHED (2):
The permission in the request doesn't match the permission in the policy.
RolePermissionInclusionState
Whether a role includes a specific permission.
Values:
ROLE_PERMISSION_INCLUSION_STATE_UNSPECIFIED (0):
Not specified.
ROLE_PERMISSION_INCLUDED (1):
The permission is included in the role.
ROLE_PERMISSION_NOT_INCLUDED (2):
The permission is not included in the role.
ROLE_PERMISSION_UNKNOWN_INFO (3):
The sender of the request is not allowed to access the role definition.
TroubleshootIamPolicyRequest
Request for TroubleshootIamPolicy.
TroubleshootIamPolicyResponse
Response for TroubleshootIamPolicy.