Reference documentation and code samples for the Cloud Asset V1 API class Google::Cloud::OrgPolicy::V1::Policy::ListPolicy.
Used in policy_type
to specify how list_policy
behaves at this
resource.
ListPolicy
can define specific values and subtrees of Cloud Resource
Manager resource hierarchy (Organizations
, Folders
, Projects
) that
are allowed or denied by setting the allowed_values
and denied_values
fields. This is achieved by using the under:
and optional is:
prefixes.
The under:
prefix is used to denote resource subtree values.
The is:
prefix is used to denote specific values, and is required only
if the value contains a ":". Values prefixed with "is:" are treated the
same as values with no prefix.
Ancestry subtrees must be in one of the following formats:
- "projects/
- "folders/
- "organizations/
Inherits
- Object
Extended By
- Google::Protobuf::MessageExts::ClassMethods
Includes
- Google::Protobuf::MessageExts
Methods
#all_values
def all_values() -> ::Google::Cloud::OrgPolicy::V1::Policy::ListPolicy::AllValues
- (::Google::Cloud::OrgPolicy::V1::Policy::ListPolicy::AllValues) — The policy all_values state.
#all_values=
def all_values=(value) -> ::Google::Cloud::OrgPolicy::V1::Policy::ListPolicy::AllValues
- value (::Google::Cloud::OrgPolicy::V1::Policy::ListPolicy::AllValues) — The policy all_values state.
- (::Google::Cloud::OrgPolicy::V1::Policy::ListPolicy::AllValues) — The policy all_values state.
#allowed_values
def allowed_values() -> ::Array<::String>
-
(::Array<::String>) — List of values allowed at this resource. Can only be set if
all_values
is set toALL_VALUES_UNSPECIFIED
.
#allowed_values=
def allowed_values=(value) -> ::Array<::String>
-
value (::Array<::String>) — List of values allowed at this resource. Can only be set if
all_values
is set toALL_VALUES_UNSPECIFIED
.
-
(::Array<::String>) — List of values allowed at this resource. Can only be set if
all_values
is set toALL_VALUES_UNSPECIFIED
.
#denied_values
def denied_values() -> ::Array<::String>
-
(::Array<::String>) — List of values denied at this resource. Can only be set if
all_values
is set toALL_VALUES_UNSPECIFIED
.
#denied_values=
def denied_values=(value) -> ::Array<::String>
-
value (::Array<::String>) — List of values denied at this resource. Can only be set if
all_values
is set toALL_VALUES_UNSPECIFIED
.
-
(::Array<::String>) — List of values denied at this resource. Can only be set if
all_values
is set toALL_VALUES_UNSPECIFIED
.
#inherit_from_parent
def inherit_from_parent() -> ::Boolean
-
(::Boolean) — Determines the inheritance behavior for this
Policy
.By default, a
ListPolicy
set at a resource supercedes anyPolicy
set anywhere up the resource hierarchy. However, ifinherit_from_parent
is set totrue
, then the values from the effectivePolicy
of the parent resource are inherited, meaning the values set in thisPolicy
are added to the values inherited up the hierarchy.Setting
Policy
hierarchies that inherit both allowed values and denied values isn't recommended in most circumstances to keep the configuration simple and understandable. However, it is possible to set aPolicy
withallowed_values
set that inherits aPolicy
withdenied_values
set. In this case, the values that are allowed must be inallowed_values
and not present indenied_values
.For example, suppose you have a
Constraint
constraints/serviceuser.services
, which has aconstraint_type
oflist_constraint
, and withconstraint_default
set toALLOW
. Suppose that at the Organization level, aPolicy
is applied that restricts the allowed API activations to {E1
,E2
}. Then, if aPolicy
is applied to a project below the Organization that hasinherit_from_parent
set tofalse
and field all_values set to DENY, then an attempt to activate any API will be denied.The following examples demonstrate different possible layerings for
projects/bar
parented byorganizations/foo
:Example 1 (no inherited values):
organizations/foo
has aPolicy
with values: {allowed_values: "E1" allowed_values:"E2"}projects/bar
hasinherit_from_parent
false
and values: {allowed_values: "E3" allowed_values: "E4"} The accepted values atorganizations/foo
areE1
,E2
. The accepted values atprojects/bar
areE3
, andE4
.Example 2 (inherited values):
organizations/foo
has aPolicy
with values: {allowed_values: "E1" allowed_values:"E2"}projects/bar
has aPolicy
with values: {value: "E3" value: "E4" inherit_from_parent: true} The accepted values atorganizations/foo
areE1
,E2
. The accepted values atprojects/bar
areE1
,E2
,E3
, andE4
.Example 3 (inheriting both allowed and denied values):
organizations/foo
has aPolicy
with values: {allowed_values: "E1" allowed_values: "E2"}projects/bar
has aPolicy
with: {denied_values: "E1"} The accepted values atorganizations/foo
areE1
,E2
. The value accepted atprojects/bar
isE2
.Example 4 (RestoreDefault):
organizations/foo
has aPolicy
with values: {allowed_values: "E1" allowed_values:"E2"}projects/bar
has aPolicy
with values: {RestoreDefault: \{}} The accepted values atorganizations/foo
areE1
,E2
. The accepted values atprojects/bar
are either all or none depending on the value ofconstraint_default
(ifALLOW
, all; ifDENY
, none).Example 5 (no policy inherits parent policy):
organizations/foo
has noPolicy
set.projects/bar
has noPolicy
set. The accepted values at both levels are either all or none depending on the value ofconstraint_default
(ifALLOW
, all; ifDENY
, none).Example 6 (ListConstraint allowing all):
organizations/foo
has aPolicy
with values: {allowed_values: "E1" allowed_values: "E2"}projects/bar
has aPolicy
with: {all: ALLOW} The accepted values atorganizations/foo
areE1
, E2. Any value is accepted at
projects/bar`.Example 7 (ListConstraint allowing none):
organizations/foo
has aPolicy
with values: {allowed_values: "E1" allowed_values: "E2"}projects/bar
has aPolicy
with: {all: DENY} The accepted values atorganizations/foo
areE1
, E2. No value is accepted at
projects/bar`.Example 10 (allowed and denied subtrees of Resource Manager hierarchy): Given the following resource hierarchy O1->{F1, F2}; F1->{P1}; F2->{P2, P3},
organizations/foo
has aPolicy
with values: {allowed_values: "under:organizations/O1"}projects/bar
has aPolicy
with: {allowed_values: "under:projects/P3"} {denied_values: "under:folders/F2"} The accepted values atorganizations/foo
areorganizations/O1
,folders/F1
,folders/F2
,projects/P1
,projects/P2
,projects/P3
. The accepted values atprojects/bar
areorganizations/O1
,folders/F1
,projects/P1
.
#inherit_from_parent=
def inherit_from_parent=(value) -> ::Boolean
-
value (::Boolean) — Determines the inheritance behavior for this
Policy
.By default, a
ListPolicy
set at a resource supercedes anyPolicy
set anywhere up the resource hierarchy. However, ifinherit_from_parent
is set totrue
, then the values from the effectivePolicy
of the parent resource are inherited, meaning the values set in thisPolicy
are added to the values inherited up the hierarchy.Setting
Policy
hierarchies that inherit both allowed values and denied values isn't recommended in most circumstances to keep the configuration simple and understandable. However, it is possible to set aPolicy
withallowed_values
set that inherits aPolicy
withdenied_values
set. In this case, the values that are allowed must be inallowed_values
and not present indenied_values
.For example, suppose you have a
Constraint
constraints/serviceuser.services
, which has aconstraint_type
oflist_constraint
, and withconstraint_default
set toALLOW
. Suppose that at the Organization level, aPolicy
is applied that restricts the allowed API activations to {E1
,E2
}. Then, if aPolicy
is applied to a project below the Organization that hasinherit_from_parent
set tofalse
and field all_values set to DENY, then an attempt to activate any API will be denied.The following examples demonstrate different possible layerings for
projects/bar
parented byorganizations/foo
:Example 1 (no inherited values):
organizations/foo
has aPolicy
with values: {allowed_values: "E1" allowed_values:"E2"}projects/bar
hasinherit_from_parent
false
and values: {allowed_values: "E3" allowed_values: "E4"} The accepted values atorganizations/foo
areE1
,E2
. The accepted values atprojects/bar
areE3
, andE4
.Example 2 (inherited values):
organizations/foo
has aPolicy
with values: {allowed_values: "E1" allowed_values:"E2"}projects/bar
has aPolicy
with values: {value: "E3" value: "E4" inherit_from_parent: true} The accepted values atorganizations/foo
areE1
,E2
. The accepted values atprojects/bar
areE1
,E2
,E3
, andE4
.Example 3 (inheriting both allowed and denied values):
organizations/foo
has aPolicy
with values: {allowed_values: "E1" allowed_values: "E2"}projects/bar
has aPolicy
with: {denied_values: "E1"} The accepted values atorganizations/foo
areE1
,E2
. The value accepted atprojects/bar
isE2
.Example 4 (RestoreDefault):
organizations/foo
has aPolicy
with values: {allowed_values: "E1" allowed_values:"E2"}projects/bar
has aPolicy
with values: {RestoreDefault: \{}} The accepted values atorganizations/foo
areE1
,E2
. The accepted values atprojects/bar
are either all or none depending on the value ofconstraint_default
(ifALLOW
, all; ifDENY
, none).Example 5 (no policy inherits parent policy):
organizations/foo
has noPolicy
set.projects/bar
has noPolicy
set. The accepted values at both levels are either all or none depending on the value ofconstraint_default
(ifALLOW
, all; ifDENY
, none).Example 6 (ListConstraint allowing all):
organizations/foo
has aPolicy
with values: {allowed_values: "E1" allowed_values: "E2"}projects/bar
has aPolicy
with: {all: ALLOW} The accepted values atorganizations/foo
areE1
, E2. Any value is accepted at
projects/bar`.Example 7 (ListConstraint allowing none):
organizations/foo
has aPolicy
with values: {allowed_values: "E1" allowed_values: "E2"}projects/bar
has aPolicy
with: {all: DENY} The accepted values atorganizations/foo
areE1
, E2. No value is accepted at
projects/bar`.Example 10 (allowed and denied subtrees of Resource Manager hierarchy): Given the following resource hierarchy O1->{F1, F2}; F1->{P1}; F2->{P2, P3},
organizations/foo
has aPolicy
with values: {allowed_values: "under:organizations/O1"}projects/bar
has aPolicy
with: {allowed_values: "under:projects/P3"} {denied_values: "under:folders/F2"} The accepted values atorganizations/foo
areorganizations/O1
,folders/F1
,folders/F2
,projects/P1
,projects/P2
,projects/P3
. The accepted values atprojects/bar
areorganizations/O1
,folders/F1
,projects/P1
.
-
(::Boolean) — Determines the inheritance behavior for this
Policy
.By default, a
ListPolicy
set at a resource supercedes anyPolicy
set anywhere up the resource hierarchy. However, ifinherit_from_parent
is set totrue
, then the values from the effectivePolicy
of the parent resource are inherited, meaning the values set in thisPolicy
are added to the values inherited up the hierarchy.Setting
Policy
hierarchies that inherit both allowed values and denied values isn't recommended in most circumstances to keep the configuration simple and understandable. However, it is possible to set aPolicy
withallowed_values
set that inherits aPolicy
withdenied_values
set. In this case, the values that are allowed must be inallowed_values
and not present indenied_values
.For example, suppose you have a
Constraint
constraints/serviceuser.services
, which has aconstraint_type
oflist_constraint
, and withconstraint_default
set toALLOW
. Suppose that at the Organization level, aPolicy
is applied that restricts the allowed API activations to {E1
,E2
}. Then, if aPolicy
is applied to a project below the Organization that hasinherit_from_parent
set tofalse
and field all_values set to DENY, then an attempt to activate any API will be denied.The following examples demonstrate different possible layerings for
projects/bar
parented byorganizations/foo
:Example 1 (no inherited values):
organizations/foo
has aPolicy
with values: {allowed_values: "E1" allowed_values:"E2"}projects/bar
hasinherit_from_parent
false
and values: {allowed_values: "E3" allowed_values: "E4"} The accepted values atorganizations/foo
areE1
,E2
. The accepted values atprojects/bar
areE3
, andE4
.Example 2 (inherited values):
organizations/foo
has aPolicy
with values: {allowed_values: "E1" allowed_values:"E2"}projects/bar
has aPolicy
with values: {value: "E3" value: "E4" inherit_from_parent: true} The accepted values atorganizations/foo
areE1
,E2
. The accepted values atprojects/bar
areE1
,E2
,E3
, andE4
.Example 3 (inheriting both allowed and denied values):
organizations/foo
has aPolicy
with values: {allowed_values: "E1" allowed_values: "E2"}projects/bar
has aPolicy
with: {denied_values: "E1"} The accepted values atorganizations/foo
areE1
,E2
. The value accepted atprojects/bar
isE2
.Example 4 (RestoreDefault):
organizations/foo
has aPolicy
with values: {allowed_values: "E1" allowed_values:"E2"}projects/bar
has aPolicy
with values: {RestoreDefault: \{}} The accepted values atorganizations/foo
areE1
,E2
. The accepted values atprojects/bar
are either all or none depending on the value ofconstraint_default
(ifALLOW
, all; ifDENY
, none).Example 5 (no policy inherits parent policy):
organizations/foo
has noPolicy
set.projects/bar
has noPolicy
set. The accepted values at both levels are either all or none depending on the value ofconstraint_default
(ifALLOW
, all; ifDENY
, none).Example 6 (ListConstraint allowing all):
organizations/foo
has aPolicy
with values: {allowed_values: "E1" allowed_values: "E2"}projects/bar
has aPolicy
with: {all: ALLOW} The accepted values atorganizations/foo
areE1
, E2. Any value is accepted at
projects/bar`.Example 7 (ListConstraint allowing none):
organizations/foo
has aPolicy
with values: {allowed_values: "E1" allowed_values: "E2"}projects/bar
has aPolicy
with: {all: DENY} The accepted values atorganizations/foo
areE1
, E2. No value is accepted at
projects/bar`.Example 10 (allowed and denied subtrees of Resource Manager hierarchy): Given the following resource hierarchy O1->{F1, F2}; F1->{P1}; F2->{P2, P3},
organizations/foo
has aPolicy
with values: {allowed_values: "under:organizations/O1"}projects/bar
has aPolicy
with: {allowed_values: "under:projects/P3"} {denied_values: "under:folders/F2"} The accepted values atorganizations/foo
areorganizations/O1
,folders/F1
,folders/F2
,projects/P1
,projects/P2
,projects/P3
. The accepted values atprojects/bar
areorganizations/O1
,folders/F1
,projects/P1
.
#suggested_value
def suggested_value() -> ::String
-
(::String) — Optional. The Google Cloud Console will try to default to a configuration
that matches the value specified in this
Policy
. Ifsuggested_value
is not set, it will inherit the value specified higher in the hierarchy, unlessinherit_from_parent
isfalse
.
#suggested_value=
def suggested_value=(value) -> ::String
-
value (::String) — Optional. The Google Cloud Console will try to default to a configuration
that matches the value specified in this
Policy
. Ifsuggested_value
is not set, it will inherit the value specified higher in the hierarchy, unlessinherit_from_parent
isfalse
.
-
(::String) — Optional. The Google Cloud Console will try to default to a configuration
that matches the value specified in this
Policy
. Ifsuggested_value
is not set, it will inherit the value specified higher in the hierarchy, unlessinherit_from_parent
isfalse
.