Class BindingExplanation (1.12.0)

BindingExplanation(mapping=None, *, ignore_unknown_fields=False, **kwargs)

Details about how a binding in a policy affects a principal's ability to use a permission.

Attributes

Name Description
access google.cloud.policytroubleshooter_v1.types.AccessState
Required. Indicates whether *this binding* provides the specified permission to the specified principal for the specified resource. This field does *not* indicate whether the principal actually has the permission for the resource. There might be another binding that overrides this binding. To determine whether the principal actually has the permission, use the access field in the TroubleshootIamPolicyResponse][IamChecker.TroubleshootIamPolicyResponse].
role str
The role that this binding grants. For example, roles/compute.serviceAgent. For a complete list of predefined IAM roles, as well as the permissions in each role, see https://cloud.google.com/iam/help/roles/reference.
role_permission google.cloud.policytroubleshooter_v1.types.BindingExplanation.RolePermission
Indicates whether the role granted by this binding contains the specified permission.
role_permission_relevance google.cloud.policytroubleshooter_v1.types.HeuristicRelevance
The relevance of the permission's existence, or nonexistence, in the role to the overall determination for the entire policy.
memberships MutableMapping[str, google.cloud.policytroubleshooter_v1.types.BindingExplanation.AnnotatedMembership]
Indicates whether each principal in the binding includes the principal specified in the request, either directly or indirectly. Each key identifies a principal in the binding, and each value indicates whether the principal in the binding includes the principal in the request. For example, suppose that a binding includes the following principals: - user:alice@example.com - group:product-eng@example.com You want to troubleshoot access for user:bob@example.com. This user is a principal of the group group:product-eng@example.com. For the first principal in the binding, the key is user:alice@example.com, and the membership field in the value is set to MEMBERSHIP_NOT_INCLUDED. For the second principal in the binding, the key is group:product-eng@example.com, and the membership field in the value is set to MEMBERSHIP_INCLUDED.
relevance google.cloud.policytroubleshooter_v1.types.HeuristicRelevance
The relevance of this binding to the overall determination for the entire policy.
condition google.type.expr_pb2.Expr
A condition expression that prevents this binding from granting access unless the expression evaluates to true. To learn about IAM Conditions, see https://cloud.google.com/iam/help/conditions/overview.

Classes

AnnotatedMembership

AnnotatedMembership(mapping=None, *, ignore_unknown_fields=False, **kwargs)

Details about whether the binding includes the principal.

Membership

Membership(value)

Whether the binding includes the principal.

    -  A principal is included directly if that principal is
       listed in the binding.
    -  A principal is included indirectly if that principal is
       in a Google group or Google Workspace domain that is
       listed in the binding.
MEMBERSHIP_NOT_INCLUDED (2):
    The binding does not include the principal.
MEMBERSHIP_UNKNOWN_INFO_DENIED (3):
    The sender of the request is not allowed to
    access the binding.
MEMBERSHIP_UNKNOWN_UNSUPPORTED (4):
    The principal is an unsupported type. Only
    Google Accounts and service accounts are
    supported.

MembershipsEntry

MembershipsEntry(mapping=None, *, ignore_unknown_fields=False, **kwargs)

The abstract base class for a message.

Parameters
Name Description
kwargs dict

Keys and values corresponding to the fields of the message.

mapping Union[dict, .Message]

A dictionary or message to be used to determine the values for this message.

ignore_unknown_fields Optional(bool)

If True, do not raise errors for unknown fields. Only applied if mapping is a mapping type or there are keyword parameters.

RolePermission

RolePermission(value)

Whether a role includes a specific permission.