Policy Troubleshooter V3 API - Class Google::Iam::V2::DenyRule (v0.3.0)

Reference documentation and code samples for the Policy Troubleshooter V3 API class Google::Iam::V2::DenyRule.

A deny rule in an IAM deny policy.

Inherits

  • Object

Extended By

  • Google::Protobuf::MessageExts::ClassMethods

Includes

  • Google::Protobuf::MessageExts

Methods

#denial_condition

def denial_condition() -> ::Google::Type::Expr
Returns
  • (::Google::Type::Expr) — The condition that determines whether this deny rule applies to a request. If the condition expression evaluates to true, then the deny rule is applied; otherwise, the deny rule is not applied.

    Each deny rule is evaluated independently. If this deny rule does not apply to a request, other deny rules might still apply.

    The condition can use CEL functions that evaluate resource tags. Other functions and operators are not supported.

#denial_condition=

def denial_condition=(value) -> ::Google::Type::Expr
Parameter
  • value (::Google::Type::Expr) — The condition that determines whether this deny rule applies to a request. If the condition expression evaluates to true, then the deny rule is applied; otherwise, the deny rule is not applied.

    Each deny rule is evaluated independently. If this deny rule does not apply to a request, other deny rules might still apply.

    The condition can use CEL functions that evaluate resource tags. Other functions and operators are not supported.

Returns
  • (::Google::Type::Expr) — The condition that determines whether this deny rule applies to a request. If the condition expression evaluates to true, then the deny rule is applied; otherwise, the deny rule is not applied.

    Each deny rule is evaluated independently. If this deny rule does not apply to a request, other deny rules might still apply.

    The condition can use CEL functions that evaluate resource tags. Other functions and operators are not supported.

#denied_permissions

def denied_permissions() -> ::Array<::String>
Returns
  • (::Array<::String>) — The permissions that are explicitly denied by this rule. Each permission uses the format {service_fqdn}/{resource}.{verb}, where {service_fqdn} is the fully qualified domain name for the service. For example, iam.googleapis.com/roles.list.

#denied_permissions=

def denied_permissions=(value) -> ::Array<::String>
Parameter
  • value (::Array<::String>) — The permissions that are explicitly denied by this rule. Each permission uses the format {service_fqdn}/{resource}.{verb}, where {service_fqdn} is the fully qualified domain name for the service. For example, iam.googleapis.com/roles.list.
Returns
  • (::Array<::String>) — The permissions that are explicitly denied by this rule. Each permission uses the format {service_fqdn}/{resource}.{verb}, where {service_fqdn} is the fully qualified domain name for the service. For example, iam.googleapis.com/roles.list.

#denied_principals

def denied_principals() -> ::Array<::String>
Returns
  • (::Array<::String>) —

    The identities that are prevented from using one or more permissions on Google Cloud resources. This field can contain the following values:

    • principalSet://goog/public:all: A special identifier that represents any principal that is on the internet, even if they do not have a Google Account or are not logged in.

    • principal://goog/subject/{email_id}: A specific Google Account. Includes Gmail, Cloud Identity, and Google Workspace user accounts. For example, principal://goog/subject/alice@example.com.

    • deleted:principal://goog/subject/{email_id}?uid={uid}: A specific Google Account that was deleted recently. For example, deleted:principal://goog/subject/alice@example.com?uid=1234567890. If the Google Account is recovered, this identifier reverts to the standard identifier for a Google Account.

    • principalSet://goog/group/{group_id}: A Google group. For example, principalSet://goog/group/admins@example.com.

    • deleted:principalSet://goog/group/{group_id}?uid={uid}: A Google group that was deleted recently. For example, deleted:principalSet://goog/group/admins@example.com?uid=1234567890. If the Google group is restored, this identifier reverts to the standard identifier for a Google group.

    • principal://iam.googleapis.com/projects/-/serviceAccounts/{service_account_id}: A Google Cloud service account. For example, principal://iam.googleapis.com/projects/-/serviceAccounts/my-service-account@iam.gserviceaccount.com.

    • deleted:principal://iam.googleapis.com/projects/-/serviceAccounts/{service_account_id}?uid={uid}: A Google Cloud service account that was deleted recently. For example, deleted:principal://iam.googleapis.com/projects/-/serviceAccounts/my-service-account@iam.gserviceaccount.com?uid=1234567890. If the service account is undeleted, this identifier reverts to the standard identifier for a service account.

    • principalSet://goog/cloudIdentityCustomerId/{customer_id}: All of the principals associated with the specified Google Workspace or Cloud Identity customer ID. For example, principalSet://goog/cloudIdentityCustomerId/C01Abc35.

#denied_principals=

def denied_principals=(value) -> ::Array<::String>
Parameter
  • value (::Array<::String>) —

    The identities that are prevented from using one or more permissions on Google Cloud resources. This field can contain the following values:

    • principalSet://goog/public:all: A special identifier that represents any principal that is on the internet, even if they do not have a Google Account or are not logged in.

    • principal://goog/subject/{email_id}: A specific Google Account. Includes Gmail, Cloud Identity, and Google Workspace user accounts. For example, principal://goog/subject/alice@example.com.

    • deleted:principal://goog/subject/{email_id}?uid={uid}: A specific Google Account that was deleted recently. For example, deleted:principal://goog/subject/alice@example.com?uid=1234567890. If the Google Account is recovered, this identifier reverts to the standard identifier for a Google Account.

    • principalSet://goog/group/{group_id}: A Google group. For example, principalSet://goog/group/admins@example.com.

    • deleted:principalSet://goog/group/{group_id}?uid={uid}: A Google group that was deleted recently. For example, deleted:principalSet://goog/group/admins@example.com?uid=1234567890. If the Google group is restored, this identifier reverts to the standard identifier for a Google group.

    • principal://iam.googleapis.com/projects/-/serviceAccounts/{service_account_id}: A Google Cloud service account. For example, principal://iam.googleapis.com/projects/-/serviceAccounts/my-service-account@iam.gserviceaccount.com.

    • deleted:principal://iam.googleapis.com/projects/-/serviceAccounts/{service_account_id}?uid={uid}: A Google Cloud service account that was deleted recently. For example, deleted:principal://iam.googleapis.com/projects/-/serviceAccounts/my-service-account@iam.gserviceaccount.com?uid=1234567890. If the service account is undeleted, this identifier reverts to the standard identifier for a service account.

    • principalSet://goog/cloudIdentityCustomerId/{customer_id}: All of the principals associated with the specified Google Workspace or Cloud Identity customer ID. For example, principalSet://goog/cloudIdentityCustomerId/C01Abc35.

Returns
  • (::Array<::String>) —

    The identities that are prevented from using one or more permissions on Google Cloud resources. This field can contain the following values:

    • principalSet://goog/public:all: A special identifier that represents any principal that is on the internet, even if they do not have a Google Account or are not logged in.

    • principal://goog/subject/{email_id}: A specific Google Account. Includes Gmail, Cloud Identity, and Google Workspace user accounts. For example, principal://goog/subject/alice@example.com.

    • deleted:principal://goog/subject/{email_id}?uid={uid}: A specific Google Account that was deleted recently. For example, deleted:principal://goog/subject/alice@example.com?uid=1234567890. If the Google Account is recovered, this identifier reverts to the standard identifier for a Google Account.

    • principalSet://goog/group/{group_id}: A Google group. For example, principalSet://goog/group/admins@example.com.

    • deleted:principalSet://goog/group/{group_id}?uid={uid}: A Google group that was deleted recently. For example, deleted:principalSet://goog/group/admins@example.com?uid=1234567890. If the Google group is restored, this identifier reverts to the standard identifier for a Google group.

    • principal://iam.googleapis.com/projects/-/serviceAccounts/{service_account_id}: A Google Cloud service account. For example, principal://iam.googleapis.com/projects/-/serviceAccounts/my-service-account@iam.gserviceaccount.com.

    • deleted:principal://iam.googleapis.com/projects/-/serviceAccounts/{service_account_id}?uid={uid}: A Google Cloud service account that was deleted recently. For example, deleted:principal://iam.googleapis.com/projects/-/serviceAccounts/my-service-account@iam.gserviceaccount.com?uid=1234567890. If the service account is undeleted, this identifier reverts to the standard identifier for a service account.

    • principalSet://goog/cloudIdentityCustomerId/{customer_id}: All of the principals associated with the specified Google Workspace or Cloud Identity customer ID. For example, principalSet://goog/cloudIdentityCustomerId/C01Abc35.

#exception_permissions

def exception_permissions() -> ::Array<::String>
Returns
  • (::Array<::String>) — Specifies the permissions that this rule excludes from the set of denied permissions given by denied_permissions. If a permission appears in denied_permissions and in exception_permissions then it will not be denied.

    The excluded permissions can be specified using the same syntax as denied_permissions.

#exception_permissions=

def exception_permissions=(value) -> ::Array<::String>
Parameter
  • value (::Array<::String>) — Specifies the permissions that this rule excludes from the set of denied permissions given by denied_permissions. If a permission appears in denied_permissions and in exception_permissions then it will not be denied.

    The excluded permissions can be specified using the same syntax as denied_permissions.

Returns
  • (::Array<::String>) — Specifies the permissions that this rule excludes from the set of denied permissions given by denied_permissions. If a permission appears in denied_permissions and in exception_permissions then it will not be denied.

    The excluded permissions can be specified using the same syntax as denied_permissions.

#exception_principals

def exception_principals() -> ::Array<::String>
Returns
  • (::Array<::String>) — The identities that are excluded from the deny rule, even if they are listed in the denied_principals. For example, you could add a Google group to the denied_principals, then exclude specific users who belong to that group.

    This field can contain the same values as the denied_principals field, excluding principalSet://goog/public:all, which represents all users on the internet.

#exception_principals=

def exception_principals=(value) -> ::Array<::String>
Parameter
  • value (::Array<::String>) — The identities that are excluded from the deny rule, even if they are listed in the denied_principals. For example, you could add a Google group to the denied_principals, then exclude specific users who belong to that group.

    This field can contain the same values as the denied_principals field, excluding principalSet://goog/public:all, which represents all users on the internet.

Returns
  • (::Array<::String>) — The identities that are excluded from the deny rule, even if they are listed in the denied_principals. For example, you could add a Google group to the denied_principals, then exclude specific users who belong to that group.

    This field can contain the same values as the denied_principals field, excluding principalSet://goog/public:all, which represents all users on the internet.