Class BindingExplanation (1.7.1)

BindingExplanation(mapping=None, *, ignore_unknown_fields=False, **kwargs)

Details about how a binding in a policy affects a member's ability to use a permission.

Attributes
Name	Description
`access`	`google.cloud.policytroubleshooter_v1.types.AccessState` Required. Indicates whether this binding provides the specified permission to the specified member for the specified resource. This field does not indicate whether the member actually has the permission for the resource. There might be another binding that overrides this binding. To determine whether the member actually has the permission, use the `access` field in the `TroubleshootIamPolicyResponse][IamChecker.TroubleshootIamPolicyResponse]`.
`role`	`str` The role that this binding grants. For example, `roles/compute.serviceAgent`. For a complete list of predefined IAM roles, as well as the permissions in each role, see https://cloud.google.com/iam/help/roles/reference.
`role_permission`	`google.cloud.policytroubleshooter_v1.types.BindingExplanation.RolePermission` Indicates whether the role granted by this binding contains the specified permission.
`role_permission_relevance`	`google.cloud.policytroubleshooter_v1.types.HeuristicRelevance` The relevance of the permission's existence, or nonexistence, in the role to the overall determination for the entire policy.
`memberships`	`MutableMapping[str, google.cloud.policytroubleshooter_v1.types.BindingExplanation.AnnotatedMembership]` Indicates whether each member in the binding includes the member specified in the request, either directly or indirectly. Each key identifies a member in the binding, and each value indicates whether the member in the binding includes the member in the request. For example, suppose that a binding includes the following members: - `user:alice@example.com` - `group:product-eng@example.com` You want to troubleshoot access for `user:bob@example.com`. This user is a member of the group `group:product-eng@example.com`. For the first member in the binding, the key is `user:alice@example.com`, and the `membership` field in the value is set to `MEMBERSHIP_NOT_INCLUDED`. For the second member in the binding, the key is `group:product-eng@example.com`, and the `membership` field in the value is set to `MEMBERSHIP_INCLUDED`.
`relevance`	`google.cloud.policytroubleshooter_v1.types.HeuristicRelevance` The relevance of this binding to the overall determination for the entire policy.
`condition`	`google.type.expr_pb2.Expr` A condition expression that prevents access unless the expression evaluates to `true`. To learn about IAM Conditions, see http://cloud.google.com/iam/help/conditions/overview.

Classes

AnnotatedMembership

AnnotatedMembership(mapping=None, *, ignore_unknown_fields=False, **kwargs)

Details about whether the binding includes the member.

Membership

Membership(value)

Whether the binding includes the member.

Values: MEMBERSHIP_UNSPECIFIED (0): Reserved for future use. MEMBERSHIP_INCLUDED (1): The binding includes the member. The member can be included directly or indirectly. For example:

    -  A member is included directly if that member is listed in
       the binding.
    -  A member is included indirectly if that member is in a
       Google group or G Suite domain that is listed in the
       binding.
MEMBERSHIP_NOT_INCLUDED (2):
    The binding does not include the member.
MEMBERSHIP_UNKNOWN_INFO_DENIED (3):
    The sender of the request is not allowed to
    access the binding.
MEMBERSHIP_UNKNOWN_UNSUPPORTED (4):
    The member is an unsupported type. Only
    Google Accounts and service accounts are
    supported.

MembershipsEntry

MembershipsEntry(mapping=None, *, ignore_unknown_fields=False, **kwargs)

The abstract base class for a message.

Parameters
Name	Description
`kwargs`	`dict` Keys and values corresponding to the fields of the message.
`mapping`	`Union[dict, .Message]` A dictionary or message to be used to determine the values for this message.
`ignore_unknown_fields`	`Optional(bool)` If True, do not raise errors for unknown fields. Only applied if `mapping` is a mapping type or there are keyword parameters.

RolePermission

RolePermission(value)

Whether a role includes a specific permission.

Values: ROLE_PERMISSION_UNSPECIFIED (0): Reserved for future use. ROLE_PERMISSION_INCLUDED (1): The permission is included in the role. ROLE_PERMISSION_NOT_INCLUDED (2): The permission is not included in the role. ROLE_PERMISSION_UNKNOWN_INFO_DENIED (3): The sender of the request is not allowed to access the binding.