Class: Google::Cloud::Asset::V1::IamPolicyAnalysisQuery
- Inherits: Object
- Extended by: Protobuf::MessageExts::ClassMethods
- Includes: Protobuf::MessageExts
- Defined in: proto_docs/google/cloud/asset/v1/asset_service.rb
Overview
IAM policy analysis query message.
Defined Under Namespace
Classes: AccessSelector, ConditionContext, IdentitySelector, Options, ResourceSelector
Instance Attribute Summary
- #access_selector ⇒ ::Google::Cloud::Asset::V1::IamPolicyAnalysisQuery::AccessSelector (Optional.)
- #condition_context ⇒ ::Google::Cloud::Asset::V1::IamPolicyAnalysisQuery::ConditionContext (Optional.)
- #identity_selector ⇒ ::Google::Cloud::Asset::V1::IamPolicyAnalysisQuery::IdentitySelector (Optional.)
- #options ⇒ ::Google::Cloud::Asset::V1::IamPolicyAnalysisQuery::Options (Optional.)
- #resource_selector ⇒ ::Google::Cloud::Asset::V1::IamPolicyAnalysisQuery::ResourceSelector (Optional.)
- #scope ⇒ ::String (Required.)
Instance Attribute Details
#access_selector ⇒ ::Google::Cloud::Asset::V1::IamPolicyAnalysisQuery::AccessSelector
Returns Optional. Specifies the roles or permissions to analyze.
```ruby
# File 'proto_docs/google/cloud/asset/v1/asset_service.rb', line 964

class IamPolicyAnalysisQuery
  include ::Google::Protobuf::MessageExts
  extend ::Google::Protobuf::MessageExts::ClassMethods

  # Specifies the resource to analyze for access policies, which may be set
  # directly on the resource, or on ancestors such as organizations, folders or
  # projects.
  # @!attribute [rw] full_resource_name
  #   @return [::String]
  #     Required. The [full resource name]
  #     (https://cloud.google.com/asset-inventory/docs/resource-name-format)
  #     of a resource of [supported resource
  #     types](https://cloud.google.com/asset-inventory/docs/supported-asset-types#analyzable_asset_types).
  class ResourceSelector
    include ::Google::Protobuf::MessageExts
    extend ::Google::Protobuf::MessageExts::ClassMethods
  end

  # Specifies an identity for which to determine resource access, based on
  # roles assigned either directly to them or to the groups they belong to,
  # directly or indirectly.
  # @!attribute [rw] identity
  #   @return [::String]
  #     Required. The identity, in the form of a principal in an
  #     [IAM policy
  #     binding](https://cloud.google.com/iam/reference/rest/v1/Binding).
  #
  #     Examples of supported forms:
  #     "user:mike@example.com",
  #     "group:admins@example.com",
  #     "domain:google.com",
  #     "serviceAccount:my-project-id@appspot.gserviceaccount.com".
  #
  #     Notice that wildcard characters (such as * and ?) are not supported.
  #     You must give a specific identity.
  class IdentitySelector
    include ::Google::Protobuf::MessageExts
    extend ::Google::Protobuf::MessageExts::ClassMethods
  end

  # Specifies roles and/or permissions to analyze, to determine both the
  # identities possessing them and the resources they control. If multiple
  # values are specified, results will include roles or permissions matching
  # any of them. The total number of roles and permissions must be less than
  # or equal to 10.
  # @!attribute [rw] roles
  #   @return [::Array<::String>]
  #     Optional. The roles to appear in the result.
  # @!attribute [rw] permissions
  #   @return [::Array<::String>]
  #     Optional. The permissions to appear in the result.
  class AccessSelector
    include ::Google::Protobuf::MessageExts
    extend ::Google::Protobuf::MessageExts::ClassMethods
  end

  # Contains query options.
  # @!attribute [rw] expand_groups
  #   @return [::Boolean]
  #     Optional. If true, the identities section of the result will expand any
  #     Google groups appearing in an IAM policy binding.
  #
  #     If
  #     {::Google::Cloud::Asset::V1::IamPolicyAnalysisQuery#identity_selector IamPolicyAnalysisQuery.identity_selector}
  #     is specified, the identity in the result will be determined by the
  #     selector, and this flag must not be set.
  #
  #     If true, the default max expansion per group is 1000 for
  #     AssetService.AnalyzeIamPolicy.
  #
  #     Default is false.
  # @!attribute [rw] expand_roles
  #   @return [::Boolean]
  #     Optional. If true, the access section of the result will expand any roles
  #     appearing in IAM policy bindings to include their permissions.
  #
  #     If
  #     {::Google::Cloud::Asset::V1::IamPolicyAnalysisQuery#access_selector IamPolicyAnalysisQuery.access_selector}
  #     is specified, the access section of the result will be determined by the
  #     selector, and this flag must not be set.
  #
  #     Default is false.
  # @!attribute [rw] expand_resources
  #   @return [::Boolean]
  #     Optional. If true and
  #     {::Google::Cloud::Asset::V1::IamPolicyAnalysisQuery#resource_selector IamPolicyAnalysisQuery.resource_selector}
  #     is not specified, the resource section of the result will expand any
  #     resource attached to an IAM policy to include resources lower in the
  #     resource hierarchy.
  #
  #     For example, if the request analyzes for which resources user A has
  #     permission P, and the results include an IAM policy with P on a Google
  #     Cloud folder, the results will also include resources in that folder with
  #     permission P.
  #
  #     If true and
  #     {::Google::Cloud::Asset::V1::IamPolicyAnalysisQuery#resource_selector IamPolicyAnalysisQuery.resource_selector}
  #     is specified, the resource section of the result will expand the
  #     specified resource to include resources lower in the resource hierarchy.
  #     Only project or lower resources are supported. Folder and organization
  #     resources cannot be used together with this option.
  #
  #     For example, if the request analyzes for which users have permission P on
  #     a Google Cloud project with this option enabled, the results will include
  #     all users who have permission P on that project or any lower resource.
  #
  #     If true, the default max expansion per resource is 1000 for
  #     AssetService.AnalyzeIamPolicy and 100000 for
  #     AssetService.AnalyzeIamPolicyLongrunning.
  #
  #     Default is false.
  # @!attribute [rw] output_resource_edges
  #   @return [::Boolean]
  #     Optional. If true, the result will output the relevant parent/child
  #     relationships between resources. Default is false.
  # @!attribute [rw] output_group_edges
  #   @return [::Boolean]
  #     Optional. If true, the result will output the relevant membership
  #     relationships between groups and other groups, and between groups and
  #     principals. Default is false.
  # @!attribute [rw] analyze_service_account_impersonation
  #   @return [::Boolean]
  #     Optional. If true, the response will include access analysis from
  #     identities to resources via service account impersonation. This is a very
  #     expensive operation, because many derived queries will be executed. We
  #     highly recommend you use the
  #     {::Google::Cloud::Asset::V1::AssetService::Client#analyze_iam_policy_longrunning AssetService.AnalyzeIamPolicyLongrunning}
  #     RPC instead.
  #
  #     For example, if the request analyzes for which resources user A has
  #     permission P, an IAM policy states that user A has the
  #     iam.serviceAccounts.getAccessToken permission on a service account SA,
  #     and another IAM policy states that service account SA has permission P
  #     on a Google Cloud folder F, then user A potentially has access to the
  #     Google Cloud folder F. Those advanced analysis results will be
  #     included in
  #     {::Google::Cloud::Asset::V1::AnalyzeIamPolicyResponse#service_account_impersonation_analysis AnalyzeIamPolicyResponse.service_account_impersonation_analysis}.
  #
  #     As another example, if the request analyzes who has
  #     permission P on a Google Cloud folder F, an IAM policy states that
  #     user A has the iam.serviceAccounts.actAs permission on a service account SA,
  #     and another IAM policy states that service account SA has permission P
  #     on the Google Cloud folder F, then user A potentially has access to the
  #     Google Cloud folder F. Those advanced analysis results will be
  #     included in
  #     {::Google::Cloud::Asset::V1::AnalyzeIamPolicyResponse#service_account_impersonation_analysis AnalyzeIamPolicyResponse.service_account_impersonation_analysis}.
  #
  #     Only the following permissions are considered in this analysis:
  #
  #     * `iam.serviceAccounts.actAs`
  #     * `iam.serviceAccounts.signBlob`
  #     * `iam.serviceAccounts.signJwt`
  #     * `iam.serviceAccounts.getAccessToken`
  #     * `iam.serviceAccounts.getOpenIdToken`
  #     * `iam.serviceAccounts.implicitDelegation`
  #
  #     Default is false.
  class Options
    include ::Google::Protobuf::MessageExts
    extend ::Google::Protobuf::MessageExts::ClassMethods
  end

  # The IAM conditions context.
  # @!attribute [rw] access_time
  #   @return [::Google::Protobuf::Timestamp]
  #     The hypothetical access timestamp to evaluate IAM conditions. Note that
  #     this value must not be earlier than the current time; otherwise, an
  #     INVALID_ARGUMENT error will be returned.
  class ConditionContext
    include ::Google::Protobuf::MessageExts
    extend ::Google::Protobuf::MessageExts::ClassMethods
  end
end
```
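The listing above documents several constraints that the service enforces only at request time (roles plus permissions capped at 10, no wildcards in the identity, expand_groups/expand_roles incompatible with the matching selector, expand_resources limited to project-or-lower resources when a resource_selector is given, access_time not in the past). The following Ruby is an added example, not part of the generated documentation or of the google-cloud-asset-v1 gem: a pre-flight check that applies those documented rules to a plain hash whose keys mirror the attributes above, so a misconfigured analysis fails locally instead of as an INVALID_ARGUMENT from the API. The sample queries are constructed; the folder/organization resource-name pattern and the use of a Ruby Time in place of Google::Protobuf::Timestamp are assumptions.

```ruby
require "time"

# Documented limit: roles + permissions in an AccessSelector must be <= 10.
MAX_ACCESS_SELECTOR_ENTRIES = 10

# Folder and organization full resource names (assumed Cloud Asset
# resource-name format) cannot be combined with expand_resources when a
# resource_selector is set; projects and anything below them can.
ABOVE_PROJECT_RESOURCE = %r{\A//cloudresourcemanager\.googleapis\.com/(folders|organizations)/}
# Principal forms the page lists for IdentitySelector.identity.
PRINCIPAL_FORM = /\A(user|group|domain|serviceAccount):\S+\z/

# Returns a list of symbolic findings; an empty list means the hash satisfies
# every constraint documented for IamPolicyAnalysisQuery. `now` is injectable
# so the access_time check is deterministic in tests.
def validate_analysis_query(query, now: Time.now)
  findings = []
  findings << :scope_required if query[:scope].to_s.empty?

  identity = query.dig(:identity_selector, :identity)
  if identity
    findings << :identity_wildcard if identity.match?(/[*?]/)
    findings << :identity_form unless identity.match?(PRINCIPAL_FORM)
  end

  access = query[:access_selector] || {}
  total = Array(access[:roles]).size + Array(access[:permissions]).size
  findings << :access_selector_too_many if total > MAX_ACCESS_SELECTOR_ENTRIES

  options = query[:options] || {}
  findings << :expand_groups_with_identity_selector if options[:expand_groups] && query[:identity_selector]
  findings << :expand_roles_with_access_selector if options[:expand_roles] && query[:access_selector]

  resource = query.dig(:resource_selector, :full_resource_name)
  if options[:expand_resources] && resource && resource.match?(ABOVE_PROJECT_RESOURCE)
    findings << :expand_resources_above_project
  end

  # access_time must not be earlier than the current time; a Ruby Time stands
  # in for Google::Protobuf::Timestamp in this offline example.
  access_time = query.dig(:condition_context, :access_time)
  findings << :access_time_in_past if access_time && access_time < now

  findings
end

# Constructed sample: a query that satisfies every documented rule.
GOOD_QUERY = {
  scope: "projects/example-project",
  resource_selector: { full_resource_name: "//cloudresourcemanager.googleapis.com/projects/example-project" },
  access_selector: { permissions: ["iam.serviceAccounts.actAs"] },
  options: { expand_groups: true, expand_resources: true, analyze_service_account_impersonation: true }
}.freeze

# Constructed sample: one query that violates seven of the documented rules.
BAD_QUERY = {
  scope: "",
  identity_selector: { identity: "user:*@example.com" },
  access_selector: { roles: (1..6).map { |i| "roles/custom#{i}" }, permissions: (1..5).map { |i| "perm.#{i}" } },
  resource_selector: { full_resource_name: "//cloudresourcemanager.googleapis.com/folders/123456" },
  options: { expand_groups: true, expand_roles: true, expand_resources: true },
  condition_context: { access_time: Time.now - 3600 }
}.freeze

if $PROGRAM_NAME == __FILE__
  puts "good query findings: #{validate_analysis_query(GOOD_QUERY).inspect}"
  puts "bad query findings:  #{validate_analysis_query(BAD_QUERY).inspect}"
end
```

With the real gem the same hash can be passed to IamPolicyAnalysisQuery.new once it validates; keeping the rules in one function also gives a single place to tighten them (for example, rejecting `domain:` identities in an organization that never wants domain-wide analysis).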
#condition_context ⇒ ::Google::Cloud::Asset::V1::IamPolicyAnalysisQuery::ConditionContext
Returns Optional. The hypothetical context for IAM conditions evaluation.
#identity_selector ⇒ ::Google::Cloud::Asset::V1::IamPolicyAnalysisQuery::IdentitySelector
Returns Optional. Specifies an identity for analysis.
#options ⇒ ::Google::Cloud::Asset::V1::IamPolicyAnalysisQuery::Options
Returns Optional. The query options.
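The Options comment describes the impersonation chains that analyze_service_account_impersonation surfaces (user A holds getAccessToken on SA, SA holds P on folder F, so A potentially reaches F) and the group expansion that expand_groups performs. The Ruby below is an added example, not code from the page or from the google-cloud-asset-v1 gem, that reproduces that reasoning offline over a small constructed set of bindings: a breadth-first walk from the queried principal that follows only the six impersonation permissions the page lists, expands group membership transitively, and reports each reachable resource together with the chain of principals that reaches it. The bindings, group membership and resource names are constructed, and the mapping from a service-account resource name to a `serviceAccount:` principal is an assumption about the resource-name format.

```ruby
# The only permissions the page says are considered in impersonation analysis.
IMPERSONATION_PERMISSIONS = %w[
  iam.serviceAccounts.actAs
  iam.serviceAccounts.signBlob
  iam.serviceAccounts.signJwt
  iam.serviceAccounts.getAccessToken
  iam.serviceAccounts.getOpenIdToken
  iam.serviceAccounts.implicitDelegation
].freeze

# Constructed sample bindings (not from the page), already flattened to
# (member, permission, resource) as expand_roles would produce them.
SAMPLE_BINDINGS = [
  { member: "user:alice@example.com", permission: "iam.serviceAccounts.getAccessToken",
    resource: "//iam.googleapis.com/projects/p/serviceAccounts/deploy@p.iam.gserviceaccount.com" },
  { member: "serviceAccount:deploy@p.iam.gserviceaccount.com", permission: "iam.serviceAccounts.actAs",
    resource: "//iam.googleapis.com/projects/p/serviceAccounts/admin@p.iam.gserviceaccount.com" },
  { member: "serviceAccount:admin@p.iam.gserviceaccount.com", permission: "storage.objects.get",
    resource: "//cloudresourcemanager.googleapis.com/folders/123" },
  { member: "group:auditors@example.com", permission: "storage.objects.get",
    resource: "//storage.googleapis.com/audit-bucket" },
  { member: "user:bob@example.com", permission: "storage.objects.get",
    resource: "//storage.googleapis.com/public-bucket" }
].freeze

# Constructed group membership: group principal => direct members.
SAMPLE_GROUPS = { "group:auditors@example.com" => ["user:alice@example.com"] }.freeze

# A principal acts as itself plus every group it belongs to, transitively
# (what expand_groups does on the identities side of the result).
def expand_identities(principal, groups)
  result = [principal]
  queue = [principal]
  until queue.empty?
    current = queue.shift
    groups.each do |group, members|
      next unless members.include?(current) && !result.include?(group)
      result << group
      queue << group
    end
  end
  result
end

# Assumed mapping from a service-account full resource name to the principal
# form used in bindings; returns nil for any other resource.
def service_account_principal(resource)
  email = resource[%r{/serviceAccounts/([^/]+)\z}, 1]
  email && "serviceAccount:#{email}"
end

# Returns [{resource:, chain:, impersonation:}] for every resource on which
# `principal` holds `permission`, directly or through a chain of service
# accounts it can impersonate. The chain lists the principals traversed.
def analyze_access(bindings, groups, principal, permission)
  findings = []
  visited = {}
  queue = [[principal, [principal]]]
  until queue.empty?
    current, chain = queue.shift
    next if visited[current]
    visited[current] = true
    identities = expand_identities(current, groups)
    bindings.each do |b|
      next unless identities.include?(b[:member])
      if b[:permission] == permission
        findings << { resource: b[:resource], chain: chain, impersonation: chain.size > 1 }
      end
      # Only the listed impersonation permissions create an edge to another principal.
      if IMPERSONATION_PERMISSIONS.include?(b[:permission])
        target = service_account_principal(b[:resource])
        queue << [target, chain + [target]] if target
      end
    end
  end
  findings
end

if $PROGRAM_NAME == __FILE__
  analyze_access(SAMPLE_BINDINGS, SAMPLE_GROUPS, "user:alice@example.com", "storage.objects.get").each do |f|
    puts "#{f[:resource]} via #{f[:chain].join(' -> ')}#{' (impersonation)' if f[:impersonation]}"
  end
end
```

The `visited` set is what keeps the walk finite when two service accounts can impersonate each other; the real service bounds the same explosion with per-group and per-resource expansion limits, which is why the page steers this option toward the long-running RPC.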
964 965 966 967 968 969 970 971 972 973 974 975 976 977 978 979 980 981 982 983 984 985 986 987 988 989 990 991 992 993 994 995 996 997 998 999 1000 1001 1002 1003 1004 1005 1006 1007 1008 1009 1010 1011 1012 1013 1014 1015 1016 1017 1018 1019 1020 1021 1022 1023 1024 1025 1026 1027 1028 1029 1030 1031 1032 1033 1034 1035 1036 1037 1038 1039 1040 1041 1042 1043 1044 1045 1046 1047 1048 1049 1050 1051 1052 1053 1054 1055 1056 1057 1058 1059 1060 1061 1062 1063 1064 1065 1066 1067 1068 1069 1070 1071 1072 1073 1074 1075 1076 1077 1078 1079 1080 1081 1082 1083 1084 1085 1086 1087 1088 1089 1090 1091 1092 1093 1094 1095 1096 1097 1098 1099 1100 1101 1102 1103 1104 1105 1106 1107 1108 1109 1110 1111 1112 1113 1114 1115 1116 1117 1118 1119 1120 1121 1122 1123 1124 1125 1126 1127 1128 1129 1130 1131 1132 1133 1134 1135 1136 |
# File 'proto_docs/google/cloud/asset/v1/asset_service.rb', line 964 class IamPolicyAnalysisQuery include ::Google::Protobuf::MessageExts extend ::Google::Protobuf::MessageExts::ClassMethods # Specifies the resource to analyze for access policies, which may be set # directly on the resource, or on ancestors such as organizations, folders or # projects. # @!attribute [rw] full_resource_name # @return [::String] # Required. The [full resource name] # (https://cloud.google.com/asset-inventory/docs/resource-name-format) # of a resource of [supported resource # types](https://cloud.google.com/asset-inventory/docs/supported-asset-types#analyzable_asset_types). class ResourceSelector include ::Google::Protobuf::MessageExts extend ::Google::Protobuf::MessageExts::ClassMethods end # Specifies an identity for which to determine resource access, based on # roles assigned either directly to them or to the groups they belong to, # directly or indirectly. # @!attribute [rw] identity # @return [::String] # Required. The identity appear in the form of principals in # [IAM policy # binding](https://cloud.google.com/iam/reference/rest/v1/Binding). # # The examples of supported forms are: # "user:mike@example.com", # "group:admins@example.com", # "domain:google.com", # "serviceAccount:my-project-id@appspot.gserviceaccount.com". # # Notice that wildcard characters (such as * and ?) are not supported. # You must give a specific identity. class IdentitySelector include ::Google::Protobuf::MessageExts extend ::Google::Protobuf::MessageExts::ClassMethods end # Specifies roles and/or permissions to analyze, to determine both the # identities possessing them and the resources they control. If multiple # values are specified, results will include roles or permissions matching # any of them. The total number of roles and permissions should be equal or # less than 10. # @!attribute [rw] roles # @return [::Array<::String>] # Optional. The roles to appear in result. 
  # @!attribute [rw] permissions
  #   @return [::Array<::String>]
  #     Optional. The permissions to appear in the result.
  class AccessSelector
    include ::Google::Protobuf::MessageExts
    extend ::Google::Protobuf::MessageExts::ClassMethods
  end

  # Contains query options.
  # @!attribute [rw] expand_groups
  #   @return [::Boolean]
  #     Optional. If true, the identities section of the result will expand any
  #     Google groups appearing in an IAM policy binding.
  #
  #     If
  #     {::Google::Cloud::Asset::V1::IamPolicyAnalysisQuery#identity_selector IamPolicyAnalysisQuery.identity_selector}
  #     is specified, the identity in the result is determined by the
  #     selector, and this flag must not be set.
  #
  #     If true, the default max expansion per group is 1000 for
  #     AssetService.AnalyzeIamPolicy.
  #
  #     Default is false.
  # @!attribute [rw] expand_roles
  #   @return [::Boolean]
  #     Optional. If true, the access section of the result will expand any roles
  #     appearing in IAM policy bindings to include their permissions.
  #
  #     If
  #     {::Google::Cloud::Asset::V1::IamPolicyAnalysisQuery#access_selector IamPolicyAnalysisQuery.access_selector}
  #     is specified, the access section of the result is determined by the
  #     selector, and this flag must not be set.
  #
  #     Default is false.
  # @!attribute [rw] expand_resources
  #   @return [::Boolean]
  #     Optional. If true and
  #     {::Google::Cloud::Asset::V1::IamPolicyAnalysisQuery#resource_selector IamPolicyAnalysisQuery.resource_selector}
  #     is not specified, the resource section of the result will expand any
  #     resource attached to an IAM policy to include resources lower in the
  #     resource hierarchy.
  #
  #     For example, if the request analyzes for which resources user A has
  #     permission P, and the results include an IAM policy with P on a Google
  #     Cloud folder, the results will also include resources in that folder with
  #     permission P.
  #
  #     If true and
  #     {::Google::Cloud::Asset::V1::IamPolicyAnalysisQuery#resource_selector IamPolicyAnalysisQuery.resource_selector}
  #     is specified, the resource section of the result will expand the
  #     specified resource to include resources lower in the resource hierarchy.
  #     Only project or lower resources are supported. Folder and organization
  #     resources cannot be used together with this option.
  #
  #     For example, if the request analyzes which users have permission P on
  #     a Google Cloud project with this option enabled, the results will include
  #     all users who have permission P on that project or any lower resource.
  #
  #     If true, the default max expansion per resource is 1000 for
  #     AssetService.AnalyzeIamPolicy and 100000 for
  #     AssetService.AnalyzeIamPolicyLongrunning.
  #
  #     Default is false.
  # @!attribute [rw] output_resource_edges
  #   @return [::Boolean]
  #     Optional. If true, the result will output the relevant parent/child
  #     relationships between resources. Default is false.
  # @!attribute [rw] output_group_edges
  #   @return [::Boolean]
  #     Optional. If true, the result will output the relevant membership
  #     relationships between groups and other groups, and between groups and
  #     principals. Default is false.
  # @!attribute [rw] analyze_service_account_impersonation
  #   @return [::Boolean]
  #     Optional. If true, the response will include access analysis from
  #     identities to resources via service account impersonation. This is a very
  #     expensive operation, because many derived queries will be executed. We
  #     highly recommend that you use the
  #     {::Google::Cloud::Asset::V1::AssetService::Client#analyze_iam_policy_longrunning AssetService.AnalyzeIamPolicyLongrunning}
  #     RPC instead.
  #
  #     For example, if the request analyzes for which resources user A has
  #     permission P, one IAM policy states that user A has the
  #     iam.serviceAccounts.getAccessToken permission on a service account SA,
  #     and another IAM policy states that service account SA has permission P
  #     on a Google Cloud folder F, then user A potentially has access to the
  #     Google Cloud folder F. Those advanced analysis results will be
  #     included in
  #     {::Google::Cloud::Asset::V1::AnalyzeIamPolicyResponse#service_account_impersonation_analysis AnalyzeIamPolicyResponse.service_account_impersonation_analysis}.
  #
  #     Another example: if the request analyzes who has
  #     permission P on a Google Cloud folder F, one IAM policy states that
  #     user A has the iam.serviceAccounts.actAs permission on a service account SA,
  #     and another IAM policy states that service account SA has permission P
  #     on the Google Cloud folder F, then user A potentially has access to the
  #     Google Cloud folder F. Those advanced analysis results will be
  #     included in
  #     {::Google::Cloud::Asset::V1::AnalyzeIamPolicyResponse#service_account_impersonation_analysis AnalyzeIamPolicyResponse.service_account_impersonation_analysis}.
  #
  #     Only the following permissions are considered in this analysis:
  #
  #     * `iam.serviceAccounts.actAs`
  #     * `iam.serviceAccounts.signBlob`
  #     * `iam.serviceAccounts.signJwt`
  #     * `iam.serviceAccounts.getAccessToken`
  #     * `iam.serviceAccounts.getOpenIdToken`
  #     * `iam.serviceAccounts.implicitDelegation`
  #
  #     Default is false.
  class Options
    include ::Google::Protobuf::MessageExts
    extend ::Google::Protobuf::MessageExts::ClassMethods
  end

  # The IAM conditions context.
  # @!attribute [rw] access_time
  #   @return [::Google::Protobuf::Timestamp]
  #     The hypothetical access timestamp at which to evaluate IAM conditions. Note that
  #     this value must not be earlier than the current time; otherwise, an
  #     INVALID_ARGUMENT error will be returned.
  class ConditionContext
    include ::Google::Protobuf::MessageExts
    extend ::Google::Protobuf::MessageExts::ClassMethods
  end
end
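The impersonation analysis that analyze_service_account_impersonation turns on, as an added example that is not the Asset API's implementation and not code from the google-cloud-asset-v1 gem: a small in-memory walk over constructed IAM bindings that answers "who has permission P on folder F?", following the six service-account permissions listed above back from the folder to the principals that can impersonate each service account. The role-to-permission map, the bindings, the folder and the service account e-mails are all constructed for the example; group expansion, resource-hierarchy expansion and IAM conditions, which the real service also handles, are deliberately left out.

```ruby
# Added example (not the Asset API's implementation): toy reimplementation of
# the impersonation analysis over constructed IAM bindings.

# The six permissions the analysis considers (from the Options documentation).
IMPERSONATION_PERMS = %w[
  iam.serviceAccounts.actAs
  iam.serviceAccounts.signBlob
  iam.serviceAccounts.signJwt
  iam.serviceAccounts.getAccessToken
  iam.serviceAccounts.getOpenIdToken
  iam.serviceAccounts.implicitDelegation
].freeze

# Constructed role -> permission map (stands in for expand_roles; real roles carry more).
ROLES = {
  "roles/iam.serviceAccountTokenCreator" => %w[iam.serviceAccounts.getAccessToken
                                              iam.serviceAccounts.signBlob
                                              iam.serviceAccounts.signJwt],
  "roles/iam.serviceAccountUser"         => %w[iam.serviceAccounts.actAs],
  "roles/storage.objectViewer"           => %w[storage.objects.get storage.objects.list],
}.freeze

# Constructed full resource names.
FOLDER    = "//cloudresourcemanager.googleapis.com/folders/123"
DEPLOY_SA = "//iam.googleapis.com/projects/p1/serviceAccounts/deploy@p1.iam.gserviceaccount.com"
CI_SA     = "//iam.googleapis.com/projects/p1/serviceAccounts/ci@p1.iam.gserviceaccount.com"

# Constructed bindings: [resource full name, role, member].
BINDINGS = [
  [FOLDER,    "roles/storage.objectViewer",           "user:bob@example.com"],
  [FOLDER,    "roles/storage.objectViewer",           "serviceAccount:deploy@p1.iam.gserviceaccount.com"],
  [DEPLOY_SA, "roles/iam.serviceAccountTokenCreator", "user:alice@example.com"],
  [DEPLOY_SA, "roles/iam.serviceAccountUser",         "serviceAccount:ci@p1.iam.gserviceaccount.com"],
  [CI_SA,     "roles/iam.serviceAccountTokenCreator", "group:devs@example.com"],
].freeze

SA_RESOURCE = %r{\A//iam\.googleapis\.com/projects/[^/]+/serviceAccounts/(.+)\z}

# Members holding `permission` directly on `resource` (no hierarchy expansion).
def direct_holders(bindings, resource, permission)
  bindings.select { |res, role, _| res == resource && ROLES.fetch(role, []).include?(permission) }
          .map { |_, _, member| member }.uniq
end

# Members that can impersonate the service account `sa_member` in one hop,
# i.e. hold any of IMPERSONATION_PERMS on the service account resource itself.
def impersonators(bindings, sa_member)
  email = sa_member.delete_prefix("serviceAccount:")
  bindings.filter_map do |res, role, member|
    next unless res[SA_RESOURCE, 1] == email
    next unless (ROLES.fetch(role, []) & IMPERSONATION_PERMS).any?
    member
  end.uniq
end

# Answers "who has `permission` on `resource`?", including access reached by
# impersonating service accounts. Returns { member => chain }, where chain is
# the list of service accounts hopped through, nearest the resource first
# ([] means direct access). Breadth-first, so the shortest chain is kept.
def analyze_access(bindings, resource, permission, max_depth: 3)
  results = {}
  queue = direct_holders(bindings, resource, permission).map { |m| [m, []] }
  until queue.empty?
    member, chain = queue.shift
    next if results.key?(member)
    results[member] = chain
    next unless member.start_with?("serviceAccount:") && chain.size < max_depth
    impersonators(bindings, member).each { |m| queue << [m, chain + [member]] }
  end
  results
end

if $PROGRAM_NAME == __FILE__
  analyze_access(BINDINGS, FOLDER, "storage.objects.get").each do |member, chain|
    puts chain.empty? ? "#{member}: direct" : "#{member}: via #{chain.join(' -> ')}"
  end
end
```

With these bindings, bob and the deploy service account hold the permission directly, alice reaches the folder through one impersonation hop, and the devs group reaches it through two (ci, then deploy). The max_depth argument is the example's own bound on chain length; the real service runs many derived queries for this analysis, which is why the documentation steers you to the long-running RPC.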
#resource_selector ⇒ ::Google::Cloud::Asset::V1::IamPolicyAnalysisQuery::ResourceSelector
Returns Optional. Specifies a resource for analysis.
#scope ⇒ ::String
Returns Required. The relative name of the root asset. Only resources and IAM policies within the scope will be analyzed.
This can only be an organization number (such as "organizations/123"), a folder number (such as "folders/123"), a project ID (such as "projects/my-project-id"), or a project number (such as "projects/12345").
For how to find an organization ID, or a folder or project ID, see the Resource Manager documentation.
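Building a query that respects the constraints documented on this page (scope formats, one concrete identity without wildcards, expand_groups and expand_roles not combined with their selectors, at most 10 roles and permissions, expand_resources only for project-or-lower resources, access_time not in the past), as an added example that is not the google-cloud-asset-v1 gem's own code: the query is a plain Hash, which the gem's client methods accept in place of a message object, so the same Hash can be passed as analysis_query to analyze_iam_policy or analyze_iam_policy_longrunning. The helper name, the error wording and the project-ID pattern are assumptions made for the example; the client-side checks mirror the documented constraints so that a bad request is caught before it costs an RPC and an INVALID_ARGUMENT.

```ruby
# Added example (not the google-cloud-asset-v1 gem's own code): build the
# analysis_query Hash for AssetService::Client#analyze_iam_policy and reject
# requests that would violate the constraints this message documents.

# Scope forms the message accepts: organizations/N, folders/N, projects/ID, projects/N.
# The project-ID pattern (6-30 chars: lowercase letters, digits, hyphens) is an assumption.
SCOPE_RE = %r{\A(organizations/\d+|folders/\d+|projects/[a-z][-a-z0-9]{4,28}[a-z0-9]|projects/\d+)\z}
# One concrete principal; IdentitySelector does not support wildcards.
IDENTITY_RE = /\A(user|group|domain|serviceAccount):[^*?\s]+\z/
# Folder and organization resources cannot be combined with expand_resources.
HIERARCHY_RESOURCE_RE = %r{\A//cloudresourcemanager\.googleapis\.com/(folders|organizations)/}
MAX_ACCESS_ITEMS = 10

# Returns the analysis_query Hash, or raises ArgumentError listing every violated constraint.
def build_analysis_query(scope:, resource: nil, identity: nil, roles: [], permissions: [],
                         access_time: nil, **options)
  errors = []
  errors << "scope must be organizations/N, folders/N, projects/ID or projects/N" unless scope.match?(SCOPE_RE)
  if identity
    errors << "identity must be one principal without wildcards" unless identity.match?(IDENTITY_RE)
    errors << "expand_groups cannot be set together with identity_selector" if options[:expand_groups]
  end
  unless roles.empty? && permissions.empty?
    if roles.size + permissions.size > MAX_ACCESS_ITEMS
      errors << "at most #{MAX_ACCESS_ITEMS} roles and permissions in total"
    end
    errors << "expand_roles cannot be set together with access_selector" if options[:expand_roles]
  end
  if resource && options[:expand_resources] && resource.match?(HIERARCHY_RESOURCE_RE)
    errors << "expand_resources with resource_selector needs a project or lower resource"
  end
  errors << "access_time must not be earlier than now" if access_time && access_time < Time.now
  raise ArgumentError, errors.join("; ") unless errors.empty?

  query = { scope: scope }
  query[:resource_selector] = { full_resource_name: resource } if resource
  query[:identity_selector] = { identity: identity } if identity
  query[:access_selector] = { roles: roles, permissions: permissions } unless roles.empty? && permissions.empty?
  query[:options] = options unless options.empty?
  # Protobuf Timestamp as a Hash; nanos are omitted because the check is second-granular here.
  query[:condition_context] = { access_time: { seconds: access_time.to_i } } if access_time
  query
end

if $PROGRAM_NAME == __FILE__
  # "Which resources can alice reach with storage.objects.get, impersonation included?"
  query = build_analysis_query(scope: "organizations/123", identity: "user:alice@example.com",
                               permissions: ["storage.objects.get"],
                               analyze_service_account_impersonation: true, output_group_edges: true)
  puts query.inspect
  # Sending it is a network call, not run here:
  #   Google::Cloud::Asset::V1::AssetService::Client.new.analyze_iam_policy(analysis_query: query)
end
```

The expand_groups and expand_roles checks are the ones most often tripped in practice: a "who can access X" query wants group expansion, while a "what can alice access" query must not ask for it, because the identity_selector already pins the identity in the result.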