Class: Google::Apis::CloudassetV1beta1::GoogleCloudOrgpolicyV1ListPolicy
- Inherits:
-
Object
- Object
- Google::Apis::CloudassetV1beta1::GoogleCloudOrgpolicyV1ListPolicy
- Includes:
- Google::Apis::Core::Hashable, Google::Apis::Core::JsonObjectSupport
- Defined in:
- generated/google/apis/cloudasset_v1beta1/classes.rb,
generated/google/apis/cloudasset_v1beta1/representations.rb,
generated/google/apis/cloudasset_v1beta1/representations.rb
Overview
Used in policy_type
to specify how list_policy
behaves at this resource.
ListPolicy
can define specific values and subtrees of Cloud Resource Manager
resource hierarchy (Organizations
, Folders
, Projects
) that are allowed
or denied by setting the allowed_values
and denied_values
fields. This is
achieved by using the under:
and optional is:
prefixes. The under:
prefix is used to denote resource subtree values. The is:
prefix is used to
denote specific values, and is required only if the value contains a ":".
Values prefixed with "is:" are treated the same as values with no prefix.
Ancestry subtrees must be in one of the following formats: - "projects/", e.g.
"projects/tokyo-rain-123" - "folders/", e.g. "folders/1234" - "organizations/",
e.g. "organizations/1234" The supports_under
field of the associated
Constraint
defines whether ancestry prefixes can be used. You can set
allowed_values
and denied_values
in the same Policy
if all_values
is
ALL_VALUES_UNSPECIFIED
. ALLOW
or DENY
are used to allow or deny all
values. If all_values
is set to either ALLOW
or DENY
, allowed_values
and denied_values
must be unset.
Instance Attribute Summary collapse
-
#all_values ⇒ String
The policy all_values state.
-
#allowed_values ⇒ Array<String>
List of values allowed at this resource.
-
#denied_values ⇒ Array<String>
List of values denied at this resource.
-
#inherit_from_parent ⇒ Boolean
(also: #inherit_from_parent?)
Determines the inheritance behavior for this
Policy
. -
#suggested_value ⇒ String
Optional.
Instance Method Summary collapse
-
#initialize(**args) ⇒ GoogleCloudOrgpolicyV1ListPolicy
constructor
A new instance of GoogleCloudOrgpolicyV1ListPolicy.
-
#update!(**args) ⇒ Object
Update properties of this object.
Constructor Details
#initialize(**args) ⇒ GoogleCloudOrgpolicyV1ListPolicy
Returns a new instance of GoogleCloudOrgpolicyV1ListPolicy.
581 582 583 |
# File 'generated/google/apis/cloudasset_v1beta1/classes.rb', line 581 def initialize(**args) update!(**args) end |
Instance Attribute Details
#all_values ⇒ String
The policy all_values state.
Corresponds to the JSON property allValues
498 499 500 |
# File 'generated/google/apis/cloudasset_v1beta1/classes.rb', line 498 def all_values @all_values end |
#allowed_values ⇒ Array<String>
List of values allowed at this resource. Can only be set if all_values
is
set to ALL_VALUES_UNSPECIFIED
.
Corresponds to the JSON property allowedValues
504 505 506 |
# File 'generated/google/apis/cloudasset_v1beta1/classes.rb', line 504 def allowed_values @allowed_values end |
#denied_values ⇒ Array<String>
List of values denied at this resource. Can only be set if all_values
is set
to ALL_VALUES_UNSPECIFIED
.
Corresponds to the JSON property deniedValues
510 511 512 |
# File 'generated/google/apis/cloudasset_v1beta1/classes.rb', line 510 def denied_values @denied_values end |
#inherit_from_parent ⇒ Boolean Also known as: inherit_from_parent?
Determines the inheritance behavior for this Policy
. By default, a
ListPolicy
set at a resource supersedes any Policy
set anywhere up the
resource hierarchy. However, if inherit_from_parent
is set to true
, then
the values from the effective Policy
of the parent resource are inherited,
meaning the values set in this Policy
are added to the values inherited up
the hierarchy. Setting Policy
hierarchies that inherit both allowed values
and denied values isn't recommended in most circumstances to keep the
configuration simple and understandable. However, it is possible to set a
Policy
with allowed_values
set that inherits a Policy
with denied_values
set. In this case, the values that are allowed must be in allowed_values
and not present in denied_values
. For example, suppose you have a
Constraint
constraints/serviceuser.services
, which has a constraint_type
of list_constraint
, and with constraint_default
set to ALLOW
. Suppose
that at the Organization level, a Policy
is applied that restricts the
allowed API activations to E1`, `E2
. Then, if a Policy
is applied to a
project below the Organization that has inherit_from_parent
set to false
and field all_values set to DENY, then an attempt to activate any API will be
denied. The following examples demonstrate different possible layerings for
projects/bar
parented by organizations/foo
: Example 1 (no inherited values):
organizations/foo
has a Policy
with values: allowed_values: "E1"
allowed_values:"E2"
projects/bar
has inherit_from_parent
false
and
values: allowed_values: "E3" allowed_values: "E4"
The accepted values at
organizations/foo
are E1
, E2
. The accepted values at projects/bar
are
E3
, and E4
. Example 2 (inherited values): organizations/foo
has a Policy
with values: allowed_values: "E1" allowed_values:"E2"
projects/bar
has a
Policy
with values: value: "E3" value: "E4" inherit_from_parent: true
The
accepted values at organizations/foo
are E1
, E2
. The accepted values at
projects/bar
are E1
, E2
, E3
, and E4
. Example 3 (inheriting both
allowed and denied values): organizations/foo
has a Policy
with values:
allowed_values: "E1" allowed_values: "E2"
projects/bar
has a Policy
with:
denied_values: "E1"
The accepted values at organizations/foo
are E1
, E2
. The value accepted at projects/bar
is E2
. Example 4 (RestoreDefault):
organizations/foo
has a Policy
with values: allowed_values: "E1"
allowed_values:"E2"
projects/bar
has a Policy
with values:
RestoreDefault:
`The accepted values at
organizations/fooare
E1,
E2.
The accepted values at
projects/barare either all or none depending on the
value of
constraint_default(if
ALLOW, all; if
DENY, none). Example 5 (
no policy inherits parent policy):
organizations/foohas no
Policyset.
projects/barhas no
Policyset. The accepted values at both levels are
either all or none depending on the value of
constraint_default(if
ALLOW,
all; if
DENY, none). Example 6 (ListConstraint allowing all):
organizations/
foohas a
Policywith values:
allowed_values: "E1" allowed_values: "E2"
projects/bar
has a
Policywith:
all: ALLOWThe accepted values at
organizations/fooare
E1, E2
. Any value is accepted at projects/bar
.
Example 7 (ListConstraint allowing none): organizations/foo
has a Policy
with values: allowed_values: "E1" allowed_values: "E2"
projects/bar
has a
Policy
with: all: DENY
The accepted values at organizations/foo
are E1
,
E2. No value is accepted at
projects/bar. Example 10 (allowed and denied
subtrees of Resource Manager hierarchy): Given the following resource
hierarchy O1->
F1, F2; F1->
P1; F2->
P2, P3,
organizations/foohas a
Policywith values:
allowed_values: "under:organizations/O1"projects/bar
has a
Policywith:
allowed_values: "under:projects/P3"denied_values: "
under:folders/F2"
The accepted values at
organizations/fooare
organizations/O1,
folders/F1,
folders/F2,
projects/P1,
projects/P2,
projects/P3. The accepted values at
projects/barare
organizations/O1,
folders/F1,
projects/P1.
Corresponds to the JSON property
inheritFromParent`
570 571 572 |
# File 'generated/google/apis/cloudasset_v1beta1/classes.rb', line 570 def inherit_from_parent @inherit_from_parent end |
#suggested_value ⇒ String
Optional. The Google Cloud Console will try to default to a configuration that
matches the value specified in this Policy
. If suggested_value
is not set,
it will inherit the value specified higher in the hierarchy, unless
inherit_from_parent
is false
.
Corresponds to the JSON property suggestedValue
579 580 581 |
# File 'generated/google/apis/cloudasset_v1beta1/classes.rb', line 579 def suggested_value @suggested_value end |
Instance Method Details
#update!(**args) ⇒ Object
Update properties of this object
586 587 588 589 590 591 592 |
# File 'generated/google/apis/cloudasset_v1beta1/classes.rb', line 586 def update!(**args) @all_values = args[:all_values] if args.key?(:all_values) @allowed_values = args[:allowed_values] if args.key?(:allowed_values) @denied_values = args[:denied_values] if args.key?(:denied_values) @inherit_from_parent = args[:inherit_from_parent] if args.key?(:inherit_from_parent) @suggested_value = args[:suggested_value] if args.key?(:suggested_value) end |