Namespace Google.Apis.Iam.v1

Classes

IamBaseServiceRequest<TResponse>

A base abstract class for Iam requests.

IamPoliciesResource

The "iamPolicies" collection of methods.

IamPoliciesResource.LintPolicyRequest

Lints, or validates, an IAM policy. Currently checks the google.iam.v1.Binding.condition field, which contains a condition expression for a role binding. Successful calls to this method always return an HTTP 200 OK status code, even if the linter detects an issue in the IAM policy.

IamPoliciesResource.QueryAuditableServicesRequest

Returns a list of services that allow you to opt into audit logs that are not generated by default. To learn more about audit logs, see the Logging documentation.

IamService

The Iam Service.

IamService.Scope

Available OAuth 2.0 scopes for use with the Identity and Access Management (IAM) API.

IamService.ScopeConstants

Available OAuth 2.0 scope constants for use with the Identity and Access Management (IAM) API.

LocationsResource

The "locations" collection of methods.

LocationsResource.WorkforcePoolsResource

The "workforcePools" collection of methods.

LocationsResource.WorkforcePoolsResource.CreateRequest

Creates a new WorkforcePool. You cannot reuse the name of a deleted pool until 30 days after deletion.

LocationsResource.WorkforcePoolsResource.DeleteRequest

Deletes a WorkforcePool. You cannot use a deleted WorkforcePool to exchange external credentials for Google Cloud credentials. However, deletion does not revoke credentials that have already been issued. Credentials issued for a deleted pool do not grant access to resources. If the pool is undeleted, and the credentials are not expired, they grant access again. You can undelete a pool for 30 days. After 30 days, deletion is permanent. You cannot update deleted pools. However, you can view and list them.

LocationsResource.WorkforcePoolsResource.GetIamPolicyRequest

Gets IAM policies on a WorkforcePool.

LocationsResource.WorkforcePoolsResource.GetRequest

Gets an individual WorkforcePool.

LocationsResource.WorkforcePoolsResource.ListRequest

Lists all non-deleted WorkforcePools under the specified parent. If show_deleted is set to true, then deleted pools are also listed.

LocationsResource.WorkforcePoolsResource.OperationsResource

The "operations" collection of methods.

LocationsResource.WorkforcePoolsResource.OperationsResource.GetRequest

Gets the latest state of a long-running operation. Clients can use this method to poll the operation result at intervals as recommended by the API service.

LocationsResource.WorkforcePoolsResource.PatchRequest

Updates an existing WorkforcePool.

LocationsResource.WorkforcePoolsResource.ProvidersResource

The "providers" collection of methods.

LocationsResource.WorkforcePoolsResource.ProvidersResource.CreateRequest

Creates a new WorkforcePoolProvider in a WorkforcePool. You cannot reuse the name of a deleted provider until 30 days after deletion.

LocationsResource.WorkforcePoolsResource.ProvidersResource.DeleteRequest

Deletes a WorkforcePoolProvider. Deleting a provider does not revoke credentials that have already been issued; they continue to grant access. You can undelete a provider for 30 days. After 30 days, deletion is permanent. You cannot update deleted providers. However, you can view and list them.

LocationsResource.WorkforcePoolsResource.ProvidersResource.GetRequest

Gets an individual WorkforcePoolProvider.

LocationsResource.WorkforcePoolsResource.ProvidersResource.KeysResource

The "keys" collection of methods.

LocationsResource.WorkforcePoolsResource.ProvidersResource.KeysResource.CreateRequest

Creates a new WorkforcePoolProviderKey in a WorkforcePoolProvider.

LocationsResource.WorkforcePoolsResource.ProvidersResource.KeysResource.DeleteRequest

Deletes a WorkforcePoolProviderKey. You can undelete a key for 30 days. After 30 days, deletion is permanent.

LocationsResource.WorkforcePoolsResource.ProvidersResource.KeysResource.GetRequest

Gets a WorkforcePoolProviderKey.

LocationsResource.WorkforcePoolsResource.ProvidersResource.KeysResource.ListRequest

Lists all non-deleted WorkforcePoolProviderKeys in a WorkforcePoolProvider. If show_deleted is set to true, then deleted keys are also listed.

LocationsResource.WorkforcePoolsResource.ProvidersResource.KeysResource.OperationsResource

The "operations" collection of methods.

LocationsResource.WorkforcePoolsResource.ProvidersResource.KeysResource.OperationsResource.GetRequest

Gets the latest state of a long-running operation. Clients can use this method to poll the operation result at intervals as recommended by the API service.

LocationsResource.WorkforcePoolsResource.ProvidersResource.KeysResource.UndeleteRequest

Undeletes a WorkforcePoolProviderKey, as long as it was deleted fewer than 30 days ago.

LocationsResource.WorkforcePoolsResource.ProvidersResource.ListRequest

Lists all non-deleted WorkforcePoolProviders in a WorkforcePool. If show_deleted is set to true, then deleted providers are also listed.

LocationsResource.WorkforcePoolsResource.ProvidersResource.OperationsResource

The "operations" collection of methods.

LocationsResource.WorkforcePoolsResource.ProvidersResource.OperationsResource.GetRequest

Gets the latest state of a long-running operation. Clients can use this method to poll the operation result at intervals as recommended by the API service.

LocationsResource.WorkforcePoolsResource.ProvidersResource.PatchRequest

Updates an existing WorkforcePoolProvider.

LocationsResource.WorkforcePoolsResource.ProvidersResource.UndeleteRequest

Undeletes a WorkforcePoolProvider, as long as it was deleted fewer than 30 days ago.

LocationsResource.WorkforcePoolsResource.SetIamPolicyRequest

Sets IAM policies on a WorkforcePool.

LocationsResource.WorkforcePoolsResource.SubjectsResource

The "subjects" collection of methods.

LocationsResource.WorkforcePoolsResource.SubjectsResource.DeleteRequest

Deletes a WorkforcePoolSubject. Subject must not already be in a deleted state. A WorkforcePoolSubject is automatically created the first time an external credential is exchanged for a Google Cloud credential using a mapped google.subject attribute. There is no endpoint to manually create a WorkforcePoolSubject. For 30 days after a WorkforcePoolSubject is deleted, using the same google.subject attribute in token exchanges with Google Cloud STS fails. Call UndeleteWorkforcePoolSubject to undelete a WorkforcePoolSubject that has been deleted, within within 30 days of deleting it. After 30 days, the WorkforcePoolSubject is permanently deleted. At this point, a token exchange with Google Cloud STS that uses the same mapped google.subject attribute automatically creates a new WorkforcePoolSubject that is unrelated to the previously deleted WorkforcePoolSubject but has the same google.subject value.

LocationsResource.WorkforcePoolsResource.SubjectsResource.OperationsResource

The "operations" collection of methods.

LocationsResource.WorkforcePoolsResource.SubjectsResource.OperationsResource.GetRequest

Gets the latest state of a long-running operation. Clients can use this method to poll the operation result at intervals as recommended by the API service.

LocationsResource.WorkforcePoolsResource.SubjectsResource.UndeleteRequest

Undeletes a WorkforcePoolSubject, as long as it was deleted fewer than 30 days ago.

LocationsResource.WorkforcePoolsResource.TestIamPermissionsRequest

Returns the caller's permissions on the WorkforcePool. If the pool doesn't exist, this call returns an empty set of permissions. It doesn't return a NOT_FOUND error.

LocationsResource.WorkforcePoolsResource.UndeleteRequest

Undeletes a WorkforcePool, as long as it was deleted fewer than 30 days ago.

OrganizationsResource

The "organizations" collection of methods.

OrganizationsResource.RolesResource

The "roles" collection of methods.

OrganizationsResource.RolesResource.CreateRequest

Creates a new custom Role.

OrganizationsResource.RolesResource.DeleteRequest

Deletes a custom Role. When you delete a custom role, the following changes occur immediately: * You cannot bind a principal to the custom role in an IAM Policy. * Existing bindings to the custom role are not changed, but they have no effect. * By default, the response from ListRoles does not include the custom role. A deleted custom role still counts toward the custom role limit until it is permanently deleted. You have 7 days to undelete the custom role. After 7 days, the following changes occur: * The custom role is permanently deleted and cannot be recovered. * If an IAM policy contains a binding to the custom role, the binding is permanently removed. * The custom role no longer counts toward your custom role limit.

OrganizationsResource.RolesResource.GetRequest

Gets the definition of a Role.

OrganizationsResource.RolesResource.ListRequest

Lists every predefined Role that IAM supports, or every custom role that is defined for an organization or project.

OrganizationsResource.RolesResource.PatchRequest

Updates the definition of a custom Role.

OrganizationsResource.RolesResource.UndeleteRequest

Undeletes a custom Role.

PermissionsResource

The "permissions" collection of methods.

PermissionsResource.QueryTestablePermissionsRequest

Lists every permission that you can test on a resource. A permission is testable if you can check whether a principal has that permission on the resource.

ProjectsResource

The "projects" collection of methods.

ProjectsResource.LocationsResource

The "locations" collection of methods.

ProjectsResource.LocationsResource.OauthClientsResource

The "oauthClients" collection of methods.

ProjectsResource.LocationsResource.OauthClientsResource.CreateRequest

Creates a new OauthClient. You cannot reuse the name of a deleted OauthClient until 30 days after deletion.

ProjectsResource.LocationsResource.OauthClientsResource.CredentialsResource

The "credentials" collection of methods.

ProjectsResource.LocationsResource.OauthClientsResource.CredentialsResource.CreateRequest

Creates a new OauthClientCredential.

ProjectsResource.LocationsResource.OauthClientsResource.CredentialsResource.DeleteRequest

Deletes an OauthClientCredential. Before deleting an OauthClientCredential, it should first be disabled.

ProjectsResource.LocationsResource.OauthClientsResource.CredentialsResource.GetRequest

Gets an individual OauthClientCredential.

ProjectsResource.LocationsResource.OauthClientsResource.CredentialsResource.ListRequest

Lists all OauthClientCredentials in an OauthClient.

ProjectsResource.LocationsResource.OauthClientsResource.CredentialsResource.PatchRequest

Updates an existing OauthClientCredential.

ProjectsResource.LocationsResource.OauthClientsResource.DeleteRequest

Deletes an OauthClient. You cannot use a deleted OauthClient. However, deletion does not revoke access tokens that have already been issued. They continue to grant access. Deletion does revoke refresh tokens that have already been issued. They cannot be used to renew an access token. If the OauthClient is undeleted, and the refresh tokens are not expired, they are valid for token exchange again. You can undelete an OauthClient for 30 days. After 30 days, deletion is permanent. You cannot update deleted OauthClients. However, you can view and list them.

ProjectsResource.LocationsResource.OauthClientsResource.GetRequest

Gets an individual OauthClient.

ProjectsResource.LocationsResource.OauthClientsResource.ListRequest

Lists all non-deleted OauthClients in a project. If show_deleted is set to true, then deleted OauthClients are also listed.

ProjectsResource.LocationsResource.OauthClientsResource.PatchRequest

Updates an existing OauthClient.

ProjectsResource.LocationsResource.OauthClientsResource.UndeleteRequest

Undeletes an OauthClient, as long as it was deleted fewer than 30 days ago.

ProjectsResource.LocationsResource.WorkloadIdentityPoolsResource

The "workloadIdentityPools" collection of methods.

ProjectsResource.LocationsResource.WorkloadIdentityPoolsResource.CreateRequest

Creates a new WorkloadIdentityPool. You cannot reuse the name of a deleted pool until 30 days after deletion.

ProjectsResource.LocationsResource.WorkloadIdentityPoolsResource.DeleteRequest

Deletes a WorkloadIdentityPool. You cannot use a deleted pool to exchange external credentials for Google Cloud credentials. However, deletion does not revoke credentials that have already been issued. Credentials issued for a deleted pool do not grant access to resources. If the pool is undeleted, and the credentials are not expired, they grant access again. You can undelete a pool for 30 days. After 30 days, deletion is permanent. You cannot update deleted pools. However, you can view and list them.

ProjectsResource.LocationsResource.WorkloadIdentityPoolsResource.GetRequest

Gets an individual WorkloadIdentityPool.

ProjectsResource.LocationsResource.WorkloadIdentityPoolsResource.ListRequest

Lists all non-deleted WorkloadIdentityPools in a project. If show_deleted is set to true, then deleted pools are also listed.

ProjectsResource.LocationsResource.WorkloadIdentityPoolsResource.NamespacesResource

The "namespaces" collection of methods.

ProjectsResource.LocationsResource.WorkloadIdentityPoolsResource.NamespacesResource.ManagedIdentitiesResource

The "managedIdentities" collection of methods.

ProjectsResource.LocationsResource.WorkloadIdentityPoolsResource.NamespacesResource.ManagedIdentitiesResource.OperationsResource

The "operations" collection of methods.

ProjectsResource.LocationsResource.WorkloadIdentityPoolsResource.NamespacesResource.ManagedIdentitiesResource.OperationsResource.GetRequest

Gets the latest state of a long-running operation. Clients can use this method to poll the operation result at intervals as recommended by the API service.

ProjectsResource.LocationsResource.WorkloadIdentityPoolsResource.NamespacesResource.ManagedIdentitiesResource.WorkloadSourcesResource

The "workloadSources" collection of methods.

ProjectsResource.LocationsResource.WorkloadIdentityPoolsResource.NamespacesResource.ManagedIdentitiesResource.WorkloadSourcesResource.OperationsResource

The "operations" collection of methods.

ProjectsResource.LocationsResource.WorkloadIdentityPoolsResource.NamespacesResource.ManagedIdentitiesResource.WorkloadSourcesResource.OperationsResource.GetRequest

Gets the latest state of a long-running operation. Clients can use this method to poll the operation result at intervals as recommended by the API service.

ProjectsResource.LocationsResource.WorkloadIdentityPoolsResource.NamespacesResource.OperationsResource

The "operations" collection of methods.

ProjectsResource.LocationsResource.WorkloadIdentityPoolsResource.NamespacesResource.OperationsResource.GetRequest

Gets the latest state of a long-running operation. Clients can use this method to poll the operation result at intervals as recommended by the API service.

ProjectsResource.LocationsResource.WorkloadIdentityPoolsResource.OperationsResource

The "operations" collection of methods.

ProjectsResource.LocationsResource.WorkloadIdentityPoolsResource.OperationsResource.GetRequest

Gets the latest state of a long-running operation. Clients can use this method to poll the operation result at intervals as recommended by the API service.

ProjectsResource.LocationsResource.WorkloadIdentityPoolsResource.PatchRequest

Updates an existing WorkloadIdentityPool.

ProjectsResource.LocationsResource.WorkloadIdentityPoolsResource.ProvidersResource

The "providers" collection of methods.

ProjectsResource.LocationsResource.WorkloadIdentityPoolsResource.ProvidersResource.CreateRequest

Creates a new WorkloadIdentityPoolProvider in a WorkloadIdentityPool. You cannot reuse the name of a deleted provider until 30 days after deletion.

ProjectsResource.LocationsResource.WorkloadIdentityPoolsResource.ProvidersResource.DeleteRequest

Deletes a WorkloadIdentityPoolProvider. Deleting a provider does not revoke credentials that have already been issued; they continue to grant access. You can undelete a provider for 30 days. After 30 days, deletion is permanent. You cannot update deleted providers. However, you can view and list them.

ProjectsResource.LocationsResource.WorkloadIdentityPoolsResource.ProvidersResource.GetRequest

Gets an individual WorkloadIdentityPoolProvider.

ProjectsResource.LocationsResource.WorkloadIdentityPoolsResource.ProvidersResource.KeysResource

The "keys" collection of methods.

ProjectsResource.LocationsResource.WorkloadIdentityPoolsResource.ProvidersResource.KeysResource.CreateRequest

Create a new WorkloadIdentityPoolProviderKey in a WorkloadIdentityPoolProvider.

ProjectsResource.LocationsResource.WorkloadIdentityPoolsResource.ProvidersResource.KeysResource.DeleteRequest

Deletes an WorkloadIdentityPoolProviderKey. You can undelete a key for 30 days. After 30 days, deletion is permanent.

ProjectsResource.LocationsResource.WorkloadIdentityPoolsResource.ProvidersResource.KeysResource.GetRequest

Gets an individual WorkloadIdentityPoolProviderKey.

ProjectsResource.LocationsResource.WorkloadIdentityPoolsResource.ProvidersResource.KeysResource.ListRequest

Lists all non-deleted WorkloadIdentityPoolProviderKeys in a project. If show_deleted is set to true, then deleted pools are also listed.

ProjectsResource.LocationsResource.WorkloadIdentityPoolsResource.ProvidersResource.KeysResource.OperationsResource

The "operations" collection of methods.

ProjectsResource.LocationsResource.WorkloadIdentityPoolsResource.ProvidersResource.KeysResource.OperationsResource.GetRequest

Gets the latest state of a long-running operation. Clients can use this method to poll the operation result at intervals as recommended by the API service.

ProjectsResource.LocationsResource.WorkloadIdentityPoolsResource.ProvidersResource.KeysResource.UndeleteRequest

Undeletes an WorkloadIdentityPoolProviderKey, as long as it was deleted fewer than 30 days ago.

ProjectsResource.LocationsResource.WorkloadIdentityPoolsResource.ProvidersResource.ListRequest

Lists all non-deleted WorkloadIdentityPoolProviders in a WorkloadIdentityPool. If show_deleted is set to true, then deleted providers are also listed.

ProjectsResource.LocationsResource.WorkloadIdentityPoolsResource.ProvidersResource.OperationsResource

The "operations" collection of methods.

ProjectsResource.LocationsResource.WorkloadIdentityPoolsResource.ProvidersResource.OperationsResource.GetRequest

Gets the latest state of a long-running operation. Clients can use this method to poll the operation result at intervals as recommended by the API service.

ProjectsResource.LocationsResource.WorkloadIdentityPoolsResource.ProvidersResource.PatchRequest

Updates an existing WorkloadIdentityPoolProvider.

ProjectsResource.LocationsResource.WorkloadIdentityPoolsResource.ProvidersResource.UndeleteRequest

Undeletes a WorkloadIdentityPoolProvider, as long as it was deleted fewer than 30 days ago.

ProjectsResource.LocationsResource.WorkloadIdentityPoolsResource.UndeleteRequest

Undeletes a WorkloadIdentityPool, as long as it was deleted fewer than 30 days ago.

ProjectsResource.RolesResource

The "roles" collection of methods.

ProjectsResource.RolesResource.CreateRequest

Creates a new custom Role.

ProjectsResource.RolesResource.DeleteRequest

ProjectsResource.RolesResource.GetRequest

Gets the definition of a Role.

ProjectsResource.RolesResource.ListRequest

Lists every predefined Role that IAM supports, or every custom role that is defined for an organization or project.

ProjectsResource.RolesResource.PatchRequest

Updates the definition of a custom Role.

ProjectsResource.RolesResource.UndeleteRequest

Undeletes a custom Role.

ProjectsResource.ServiceAccountsResource

The "serviceAccounts" collection of methods.

ProjectsResource.ServiceAccountsResource.CreateRequest

Creates a ServiceAccount.

ProjectsResource.ServiceAccountsResource.DeleteRequest

Deletes a ServiceAccount. Warning: After you delete a service account, you might not be able to undelete it. If you know that you need to re-enable the service account in the future, use DisableServiceAccount instead. If you delete a service account, IAM permanently removes the service account 30 days later. Google Cloud cannot recover the service account after it is permanently removed, even if you file a support request. To help avoid unplanned outages, we recommend that you disable the service account before you delete it. Use DisableServiceAccount to disable the service account, then wait at least 24 hours and watch for unintended consequences. If there are no unintended consequences, you can delete the service account.

ProjectsResource.ServiceAccountsResource.DisableRequest

Disables a ServiceAccount immediately. If an application uses the service account to authenticate, that application can no longer call Google APIs or access Google Cloud resources. Existing access tokens for the service account are rejected, and requests for new access tokens will fail. To re-enable the service account, use EnableServiceAccount. After you re-enable the service account, its existing access tokens will be accepted, and you can request new access tokens. To help avoid unplanned outages, we recommend that you disable the service account before you delete it. Use this method to disable the service account, then wait at least 24 hours and watch for unintended consequences. If there are no unintended consequences, you can delete the service account with DeleteServiceAccount.

ProjectsResource.ServiceAccountsResource.EnableRequest

Enables a ServiceAccount that was disabled by DisableServiceAccount. If the service account is already enabled, then this method has no effect. If the service account was disabled by other means—for example, if Google disabled the service account because it was compromised—you cannot use this method to enable the service account.

ProjectsResource.ServiceAccountsResource.GetIamPolicyRequest

Gets the IAM policy that is attached to a ServiceAccount. This IAM policy specifies which principals have access to the service account. This method does not tell you whether the service account has been granted any roles on other resources. To check whether a service account has role grants on a resource, use the getIamPolicy method for that resource. For example, to view the role grants for a project, call the Resource Manager API's projects.getIamPolicy method.

ProjectsResource.ServiceAccountsResource.GetRequest

Gets a ServiceAccount.

ProjectsResource.ServiceAccountsResource.KeysResource

The "keys" collection of methods.

ProjectsResource.ServiceAccountsResource.KeysResource.CreateRequest

Creates a ServiceAccountKey.

ProjectsResource.ServiceAccountsResource.KeysResource.DeleteRequest

Deletes a ServiceAccountKey. Deleting a service account key does not revoke short-lived credentials that have been issued based on the service account key.

ProjectsResource.ServiceAccountsResource.KeysResource.DisableRequest

Disable a ServiceAccountKey. A disabled service account key can be re-enabled with EnableServiceAccountKey.

ProjectsResource.ServiceAccountsResource.KeysResource.EnableRequest

Enable a ServiceAccountKey.

ProjectsResource.ServiceAccountsResource.KeysResource.GetRequest

Gets a ServiceAccountKey.

ProjectsResource.ServiceAccountsResource.KeysResource.ListRequest

Lists every ServiceAccountKey for a service account.

ProjectsResource.ServiceAccountsResource.KeysResource.UploadRequest

Uploads the public key portion of a key pair that you manage, and associates the public key with a ServiceAccount. After you upload the public key, you can use the private key from the key pair as a service account key.

ProjectsResource.ServiceAccountsResource.ListRequest

Lists every ServiceAccount that belongs to a specific project.

ProjectsResource.ServiceAccountsResource.PatchRequest

Patches a ServiceAccount.

ProjectsResource.ServiceAccountsResource.SetIamPolicyRequest

Sets the IAM policy that is attached to a ServiceAccount. Use this method to grant or revoke access to the service account. For example, you could grant a principal the ability to impersonate the service account. This method does not enable the service account to access other resources. To grant roles to a service account on a resource, follow these steps: 1. Call the resource's getIamPolicy method to get its current IAM policy. 2. Edit the policy so that it binds the service account to an IAM role for the resource. 3. Call the resource's setIamPolicy method to update its IAM policy. For detailed instructions, see Manage access to project, folders, and organizations or Manage access to other resources.

ProjectsResource.ServiceAccountsResource.SignBlobRequest

Note: This method is deprecated. Use the signBlob method in the IAM Service Account Credentials API instead. If you currently use this method, see the migration guide for instructions. Signs a blob using the system-managed private key for a ServiceAccount.

ProjectsResource.ServiceAccountsResource.SignJwtRequest

Note: This method is deprecated. Use the signJwt method in the IAM Service Account Credentials API instead. If you currently use this method, see the migration guide for instructions. Signs a JSON Web Token (JWT) using the system-managed private key for a ServiceAccount.

ProjectsResource.ServiceAccountsResource.TestIamPermissionsRequest

Tests whether the caller has the specified permissions on a ServiceAccount.

ProjectsResource.ServiceAccountsResource.UndeleteRequest

Restores a deleted ServiceAccount. Important: It is not always possible to restore a deleted service account. Use this method only as a last resort. After you delete a service account, IAM permanently removes the service account 30 days later. There is no way to restore a deleted service account that has been permanently removed.

ProjectsResource.ServiceAccountsResource.UpdateRequest

Note: We are in the process of deprecating this method. Use PatchServiceAccount instead. Updates a ServiceAccount. You can update only the display_name field.

RolesResource

The "roles" collection of methods.

RolesResource.GetRequest

Gets the definition of a Role.

RolesResource.ListRequest

Lists every predefined Role that IAM supports, or every custom role that is defined for an organization or project.

RolesResource.QueryGrantableRolesRequest

Lists roles that can be granted on a Google Cloud resource. A role is grantable if the IAM policy for the resource can contain bindings to the role.

Enums

IamBaseServiceRequest<TResponse>.AltEnum

Data format for response.

IamBaseServiceRequest<TResponse>.XgafvEnum

V1 error format.

OrganizationsResource.RolesResource.ListRequest.ViewEnum

Optional view for the returned Role objects. When FULL is specified, the includedPermissions field is returned, which includes a list of all permissions in the role. The default value is BASIC, which does not return the includedPermissions field.