Resource: Policy

Defines a Cloud Organization Policy, which is used to specify Constraints for configurations of Cloud Platform resources.

JSON representation

```json
{
  "name": string,
  "spec": {
    object (PolicySpec)
  }
}
```

Fields

| Field | Description |
|---|---|
| `name` | Immutable. The resource name of the Policy. Must be one of the following forms, where `constraint_name` is the name of the constraint which this Policy configures: `projects/{project_number}/policies/{constraint_name}`, `folders/{folder_id}/policies/{constraint_name}`, or `organizations/{organization_id}/policies/{constraint_name}`. For example, `projects/123/policies/compute.disableSerialPortAccess`. |
| `spec` | Basic information about the Organization Policy (a `PolicySpec`). |
PolicySpec

Defines a Cloud Organization PolicySpec, which is used to specify Constraints for configurations of Cloud Platform resources.

JSON representation

```json
{
  "etag": string,
  "updateTime": string,
  "rules": [
    {
      object (PolicyRule)
    }
  ],
  "inheritFromParent": boolean,
  "reset": boolean
}
```

Fields

| Field | Description |
|---|---|
| `etag` | An opaque tag indicating the current version of the PolicySpec. This field is ignored if used in a create request. |
| `updateTime` | Output only. The time stamp this was previously updated. This represents the last time a create or update call was made for this policy. A timestamp in RFC 3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits, for example `2014-10-02T15:01:23Z`. |
| `rules[]` | Up to 10 PolicyRules are allowed. In Policies for boolean constraints, the following requirements apply: there must be one and only one PolicyRule where `condition` is unset, and BooleanPolicyRules with conditions must set `enforce`. |
| `inheritFromParent` | Determines the inheritance behavior for this PolicySpec. |
| `reset` | Ignores policies set above this resource and restores the constraint's default. |
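The requirements listed for `rules[]` and for the rule body are easy to get wrong by hand, so the following is an added example (not code from the Organization Policy API or its documentation) that checks a `PolicySpec` dict before it is sent. It assumes the caller already knows whether the target constraint is a list or a boolean constraint, and that the policy is held as the plain dict that would become the JSON body; the sample specs and the CEL condition strings are constructed for illustration.

```python
"""Structural checks for an Org Policy PolicySpec (added example, not the API's own code)."""
from __future__ import annotations

MAX_RULES = 10
UNION_FIELDS = ("values", "allowAll", "denyAll", "enforce")
LIST_ONLY_FIELDS = ("values", "allowAll", "denyAll")


def validate_spec(spec: dict, constraint_type: str) -> list[str]:
    """Check a PolicySpec dict against the rules stated in the field reference.

    constraint_type is "list" or "boolean" (assumed to be looked up from the
    Constraint the policy targets). Returns human-readable problems; an empty
    list means the spec passed every check.
    """
    if constraint_type not in ("list", "boolean"):
        raise ValueError("constraint_type must be 'list' or 'boolean'")
    problems: list[str] = []
    rules = spec.get("rules", [])

    # Up to 10 PolicyRules are allowed.
    if len(rules) > MAX_RULES:
        problems.append(f"{len(rules)} rules given; at most {MAX_RULES} are allowed")

    unconditioned = 0
    for i, rule in enumerate(rules):
        # The rule body is a union: exactly one of values/allowAll/denyAll/enforce.
        set_fields = [f for f in UNION_FIELDS if f in rule]
        if len(set_fields) != 1:
            problems.append(f"rule {i}: expected exactly one of {UNION_FIELDS}, got {set_fields}")
        # values/allowAll/denyAll may appear only in policies for list constraints,
        # enforce only in policies for boolean constraints.
        if constraint_type == "boolean" and any(f in rule for f in LIST_ONLY_FIELDS):
            problems.append(f"rule {i}: list-constraint field used in a boolean-constraint policy")
        if constraint_type == "list" and "enforce" in rule:
            problems.append(f"rule {i}: 'enforce' is only valid for boolean constraints")
        cond = rule.get("condition")
        if cond is None:
            unconditioned += 1
        elif not isinstance(cond.get("expression"), str) or not cond["expression"].strip():
            problems.append(f"rule {i}: condition must carry a non-empty CEL 'expression'")
        elif constraint_type == "boolean" and "enforce" not in rule:
            problems.append(f"rule {i}: a conditioned boolean rule must set 'enforce'")

    # Boolean constraints: one and only one rule without a condition.
    if constraint_type == "boolean" and unconditioned != 1:
        problems.append(f"boolean policy needs exactly one unconditioned rule, found {unconditioned}")
    return problems


# Constructed sample specs (not taken from any real project).
GOOD_BOOLEAN_SPEC = {
    "rules": [
        {"enforce": True},
        # constructed condition string; the service decides which CEL functions exist
        {"condition": {"expression": "resource.matchTag('123/env', 'sandbox')"}, "enforce": False},
    ],
}
GOOD_LIST_SPEC = {
    "rules": [{"values": {"allowedValues": ["is:us-east1", "under:folders/123"]}}],
}
BAD_BOOLEAN_SPEC = {
    "rules": [
        {"enforce": True},
        {"enforce": False},                       # second unconditioned rule
        {"allowAll": True, "denyAll": True},      # two union fields, and list-only ones
    ],
}

if __name__ == "__main__":
    for label, spec, kind in (("good-bool", GOOD_BOOLEAN_SPEC, "boolean"),
                              ("good-list", GOOD_LIST_SPEC, "list"),
                              ("bad-bool", BAD_BOOLEAN_SPEC, "boolean")):
        print(label, validate_spec(spec, kind) or "ok")
```

Run as a script it prints `ok` for the two well-formed specs and the list of violations for the third; the checks deliberately cover only requirements the field reference states, so a spec that passes here can still be rejected by the service for reasons outside this page (constraint-specific value formats, quota, permissions).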
PolicyRule

A rule used to express this policy.

JSON representation

```json
{
  "condition": {
    object (Expr)
  },

  // Union field: only one of the following can be set.
  "values": {
    object (StringValues)
  },
  "allowAll": boolean,
  "denyAll": boolean,
  "enforce": boolean
  // End of union field.
}
```

Fields

| Field | Description |
|---|---|
| `condition` | A condition which determines whether this rule is used in the evaluation of the policy. |
| Union field | Only one of `values`, `allowAll`, `denyAll`, or `enforce` can be set in a rule. |
| `values` | List of values to be used for this PolicyRule. This field can be set only in Policies for list constraints. |
| `allowAll` | Setting this to `true` means that all values are allowed. This field can be set only in Policies for list constraints. |
| `denyAll` | Setting this to `true` means that all values are denied. This field can be set only in Policies for list constraints. |
| `enforce` | If `true`, the policy is enforced; if `false`, any configuration is acceptable. This field can be set only in Policies for boolean constraints. |
StringValues

A message that holds specific allowed and denied values. This message can define specific values and subtrees of the Cloud Resource Manager resource hierarchy (Organizations, Folders, Projects) that are allowed or denied. This is achieved by using the `under:` and optional `is:` prefixes. The `under:` prefix is used to denote resource subtree values. The `is:` prefix is used to denote specific values, and is required only if the value contains a ":". Values prefixed with `is:` are treated the same as values with no prefix. Ancestry subtrees must be in one of the following formats:

- `projects/<project-id>`
- `folders/<folder-id>`
- `organizations/<organization-id>`

The `supportsUnder` field of the associated Constraint defines whether ancestry prefixes can be used.

JSON representation

```json
{
  "allowedValues": [
    string
  ],
  "deniedValues": [
    string
  ]
}
```

Fields

| Field | Description |
|---|---|
| `allowedValues[]` | List of values allowed at this resource. |
| `deniedValues[]` | List of values denied at this resource. |
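The prefix rules above (`under:` for subtrees, `is:` optional except when the value itself contains a ":", and `under:` only where the Constraint's `supportsUnder` allows it) are where hand-written policies most often go wrong, so here is an added example, not code from the API or its documentation, that parses and checks `allowedValues`/`deniedValues` entries. It assumes the caller passes the constraint's `supportsUnder` flag, and the three hierarchy collections are the Organizations, Folders and Projects named above; the sample values are constructed.

```python
"""Parse StringValues entries with their under:/is: prefixes (added example)."""
from __future__ import annotations

from dataclasses import dataclass

# Resource hierarchy collections that may appear after "under:".
ANCESTRY_COLLECTIONS = ("projects", "folders", "organizations")


@dataclass(frozen=True)
class PolicyValue:
    raw: str        # entry exactly as written in the policy
    value: str      # entry with any "is:" or "under:" prefix removed
    subtree: bool   # True when the entry denotes a resource subtree (under:)


def parse_value(raw: str, supports_under: bool) -> PolicyValue:
    """Parse one allowedValues/deniedValues entry.

    supports_under mirrors the Constraint's supportsUnder field (assumed to be
    looked up by the caller). Raises ValueError for entries the reference rules out.
    """
    if raw.startswith("under:"):
        if not supports_under:
            raise ValueError(f"{raw!r}: this constraint does not support ancestry (under:) prefixes")
        target = raw[len("under:"):]
        collection, sep, ident = target.partition("/")
        if collection not in ANCESTRY_COLLECTIONS or not sep or not ident or "/" in ident:
            raise ValueError(
                f"{raw!r}: subtree must be projects/<id>, folders/<id> or organizations/<id>")
        return PolicyValue(raw, target, True)
    if raw.startswith("is:"):
        # "is:" values are treated the same as values with no prefix.
        return PolicyValue(raw, raw[len("is:"):], False)
    if ":" in raw:
        # A literal containing ":" must carry an explicit "is:" prefix, otherwise
        # it could be mistaken for a prefixed value.
        raise ValueError(f"{raw!r}: values containing ':' must use the 'is:' prefix")
    return PolicyValue(raw, raw, False)


def parse_string_values(string_values: dict, supports_under: bool) -> dict[str, list[PolicyValue]]:
    """Parse a whole StringValues message into normalised allowed/denied lists."""
    return {
        "allowed": [parse_value(v, supports_under) for v in string_values.get("allowedValues", [])],
        "denied": [parse_value(v, supports_under) for v in string_values.get("deniedValues", [])],
    }


def rejected_entries(string_values: dict, supports_under: bool) -> list[str]:
    """Return the error message for every entry that fails to parse (empty if all are fine)."""
    errors = []
    for key in ("allowedValues", "deniedValues"):
        for v in string_values.get(key, []):
            try:
                parse_value(v, supports_under)
            except ValueError as exc:
                errors.append(str(exc))
    return errors


if __name__ == "__main__":
    # Constructed sample: a list constraint whose constraint supports ancestry prefixes.
    sample = {
        "allowedValues": ["us-east1", "is:europe-west1", "under:folders/123"],
        "deniedValues": ["is:serviceAccount:svc@example.com"],
    }
    for side, entries in parse_string_values(sample, supports_under=True).items():
        for entry in entries:
            print(side, entry.value, "(subtree)" if entry.subtree else "")
    print(rejected_entries({"allowedValues": ["under:teams/9", "a:b"]}, supports_under=False))
```

`parse_value` strips `is:` so that `is:us-east1` and `us-east1` compare equal, matching the statement that the two are treated the same; `rejected_entries` is the form to use when linting a policy file, since it reports every bad entry instead of stopping at the first.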
Expr

Represents a textual expression in the Common Expression Language (CEL) syntax. CEL is a C-like expression language. The syntax and semantics of CEL are documented at https://github.com/google/cel-spec.

Example (Comparison):

```yaml
title: "Summary size limit"
description: "Determines if a summary is less than 100 chars"
expression: "document.summary.size() < 100"
```

Example (Equality):

```yaml
title: "Requestor is owner"
description: "Determines if requestor is the document owner"
expression: "document.owner == request.auth.claims.email"
```

Example (Logic):

```yaml
title: "Public documents"
description: "Determine whether the document should be publicly visible"
expression: "document.type != 'private' && document.type != 'internal'"
```

Example (Data Manipulation):

```yaml
title: "Notification string"
description: "Create a notification string with a timestamp."
expression: "'New message received at ' + string(document.create_time)"
```

The exact variables and functions that may be referenced within an expression are determined by the service that evaluates it. See the service documentation for additional information.

JSON representation

```json
{
  "expression": string,
  "title": string,
  "description": string,
  "location": string
}
```

Fields

| Field | Description |
|---|---|
| `expression` | Textual representation of an expression in Common Expression Language syntax. |
| `title` | Optional. Title for the expression, i.e. a short string describing its purpose. This can be used, for example, in UIs which allow entering the expression. |
| `description` | Optional. Description of the expression. This is a longer text which describes the expression, e.g. when hovered over in a UI. |
| `location` | Optional. String indicating the location of the expression for error reporting, e.g. a file name and a position in the file. |
Methods

- Creates a Policy.
- Deletes a Policy.
- Gets a Policy on a resource.
- Gets the effective Policy on a resource.
- Retrieves all of the Policies that exist on a particular resource.
- Updates a Policy.