Class: Google::Apis::PolicytroubleshooterV3::GoogleIamV2DenyRule
Inherits: Object
Includes: Core::Hashable, Core::JsonObjectSupport
Defined in: lib/google/apis/policytroubleshooter_v3/classes.rb, lib/google/apis/policytroubleshooter_v3/representations.rb
Overview
A deny rule in an IAM deny policy.
Instance Attribute Summary
- #denial_condition ⇒ Google::Apis::PolicytroubleshooterV3::GoogleTypeExpr
  Represents a textual expression in the Common Expression Language (CEL) syntax.
- #denied_permissions ⇒ Array<String>
  The permissions that are explicitly denied by this rule.
- #denied_principals ⇒ Array<String>
  The identities that are prevented from using one or more permissions on Google Cloud resources.
- #exception_permissions ⇒ Array<String>
  Specifies the permissions that this rule excludes from the set of denied permissions given by denied_permissions.
- #exception_principals ⇒ Array<String>
  The identities that are excluded from the deny rule, even if they are listed in the denied_principals.
Instance Method Summary
- #initialize(**args) ⇒ GoogleIamV2DenyRule (constructor)
  A new instance of GoogleIamV2DenyRule.
- #update!(**args) ⇒ Object
  Update properties of this object.
Constructor Details
#initialize(**args) ⇒ GoogleIamV2DenyRule
Returns a new instance of GoogleIamV2DenyRule.
# File 'lib/google/apis/policytroubleshooter_v3/classes.rb', line 1363
def initialize(**args)
  update!(**args)
end
Instance Attribute Details
#denial_condition ⇒ Google::Apis::PolicytroubleshooterV3::GoogleTypeExpr
Represents a textual expression in the Common Expression Language (CEL) syntax.
CEL is a C-like expression language. The syntax and semantics of CEL are
documented at https://github.com/google/cel-spec.

Example (Comparison):
  title: "Summary size limit"
  description: "Determines if a summary is less than 100 chars"
  expression: "document.summary.size() < 100"

Example (Equality):
  title: "Requestor is owner"
  description: "Determines if requestor is the document owner"
  expression: "document.owner == request.auth.claims.email"

Example (Logic):
  title: "Public documents"
  description: "Determine whether the document should be publicly visible"
  expression: "document.type != 'private' && document.type != 'internal'"

Example (Data Manipulation):
  title: "Notification string"
  description: "Create a notification string with a timestamp."
  expression: "'New message received at ' + string(document.create_time)"

The exact variables and functions that may be referenced within an expression are
determined by the service that evaluates it. See the service documentation for
additional information.
Corresponds to the JSON property denialCondition
# File 'lib/google/apis/policytroubleshooter_v3/classes.rb', line 1274
def denial_condition
  @denial_condition
end
#denied_permissions ⇒ Array<String>
The permissions that are explicitly denied by this rule. Each permission uses
the format `service_fqdn/resource.verb`, where `service_fqdn` is the
fully qualified domain name for the service. For example,
`iam.googleapis.com/roles.list`.
Corresponds to the JSON property deniedPermissions
# File 'lib/google/apis/policytroubleshooter_v3/classes.rb', line 1282
def denied_permissions
  @denied_permissions
end
#denied_principals ⇒ Array<String>
The identities that are prevented from using one or more permissions on
Google Cloud resources. This field can contain the following values:

* `principal://goog/subject/email_id`: A specific Google Account. Includes Gmail, Cloud Identity, and Google Workspace user accounts. For example, `principal://goog/subject/alice@example.com`.
* `principal://iam.googleapis.com/projects/-/serviceAccounts/service_account_id`: A Google Cloud service account. For example, `principal://iam.googleapis.com/projects/-/serviceAccounts/my-service-account@iam.gserviceaccount.com`.
* `principalSet://goog/group/group_id`: A Google group. For example, `principalSet://goog/group/admins@example.com`.
* `principalSet://goog/public:all`: A special identifier that represents any principal that is on the internet, even if they do not have a Google Account or are not logged in.
* `principalSet://goog/cloudIdentityCustomerId/customer_id`: All of the principals associated with the specified Google Workspace or Cloud Identity customer ID. For example, `principalSet://goog/cloudIdentityCustomerId/C01Abc35`.
* `principal://iam.googleapis.com/locations/global/workforcePools/pool_id/subject/subject_attribute_value`: A single identity in a workforce identity pool.
* `principalSet://iam.googleapis.com/locations/global/workforcePools/pool_id/group/group_id`: All workforce identities in a group.
* `principalSet://iam.googleapis.com/locations/global/workforcePools/pool_id/attribute.attribute_name/attribute_value`: All workforce identities with a specific attribute value.
* `principalSet://iam.googleapis.com/locations/global/workforcePools/pool_id/*`: All identities in a workforce identity pool.
* `principal://iam.googleapis.com/projects/project_number/locations/global/workloadIdentityPools/pool_id/subject/subject_attribute_value`: A single identity in a workload identity pool.
* `principalSet://iam.googleapis.com/projects/project_number/locations/global/workloadIdentityPools/pool_id/group/group_id`: A workload identity pool group.
* `principalSet://iam.googleapis.com/projects/project_number/locations/global/workloadIdentityPools/pool_id/attribute.attribute_name/attribute_value`: All identities in a workload identity pool with a certain attribute.
* `principalSet://iam.googleapis.com/projects/project_number/locations/global/workloadIdentityPools/pool_id/*`: All identities in a workload identity pool.
* `principalSet://cloudresourcemanager.googleapis.com/[projects|folders|organizations]/project_number|folder_number|org_number/type/ServiceAccount`: All service accounts grouped under a resource (project, folder, or organization).
* `principalSet://cloudresourcemanager.googleapis.com/[projects|folders|organizations]/project_number|folder_number|org_number/type/ServiceAgent`: All service agents grouped under a resource (project, folder, or organization).
* `deleted:principal://goog/subject/email_id?uid=uid`: A specific Google Account that was deleted recently. For example, `deleted:principal://goog/subject/alice@example.com?uid=1234567890`. If the Google Account is recovered, this identifier reverts to the standard identifier for a Google Account.
* `deleted:principalSet://goog/group/group_id?uid=uid`: A Google group that was deleted recently. For example, `deleted:principalSet://goog/group/admins@example.com?uid=1234567890`. If the Google group is restored, this identifier reverts to the standard identifier for a Google group.
* `deleted:principal://iam.googleapis.com/projects/-/serviceAccounts/service_account_id?uid=uid`: A Google Cloud service account that was deleted recently. For example, `deleted:principal://iam.googleapis.com/projects/-/serviceAccounts/my-service-account@iam.gserviceaccount.com?uid=1234567890`. If the service account is undeleted, this identifier reverts to the standard identifier for a service account.
* `deleted:principal://iam.googleapis.com/locations/global/workforcePools/pool_id/subject/subject_attribute_value`: Deleted single identity in a workforce identity pool. For example, `deleted:principal://iam.googleapis.com/locations/global/workforcePools/my-pool-id/subject/my-subject-attribute-value`.

Corresponds to the JSON property deniedPrincipals
# File 'lib/google/apis/policytroubleshooter_v3/classes.rb', line 1343
def denied_principals
  @denied_principals
end
#exception_permissions ⇒ Array<String>
Specifies the permissions that this rule excludes from the set of denied
permissions given by denied_permissions. If a permission appears in both
denied_permissions and exception_permissions, it is not denied. The excluded
permissions use the same syntax as denied_permissions.
Corresponds to the JSON property exceptionPermissions
# File 'lib/google/apis/policytroubleshooter_v3/classes.rb', line 1352
def exception_permissions
  @exception_permissions
end
#exception_principals ⇒ Array<String>
The identities that are excluded from the deny rule, even if they are listed
in the denied_principals. For example, you could add a Google group to the
denied_principals, then exclude specific users who belong to that group. This
field can contain the same values as the denied_principals field, excluding
principalSet://goog/public:all, which represents all users on the internet.
Corresponds to the JSON property exceptionPrincipals
# File 'lib/google/apis/policytroubleshooter_v3/classes.rb', line 1361
def exception_principals
  @exception_principals
end
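The interaction between denied_permissions, exception_permissions, denied_principals and exception_principals described above, as an added Ruby example that is not part of the gem: DenyRule is a stand-in Struct with the same attribute names as GoogleIamV2DenyRule, the group membership table is constructed, and the CEL denial_condition is omitted.

```ruby
# Added example, not the gem's code: a minimal evaluator for the deny-rule
# semantics documented above. DenyRule is a stand-in Struct with the same
# attribute names as GoogleIamV2DenyRule; denial_condition (CEL) is omitted.
DenyRule = Struct.new(:denied_principals, :denied_permissions,
                      :exception_principals, :exception_permissions,
                      keyword_init: true)

PUBLIC_ALL = "principalSet://goog/public:all".freeze

# Structural check from the docs: public:all may be denied but never excepted.
def valid_deny_rule?(rule)
  !Array(rule.exception_principals).include?(PUBLIC_ALL)
end

# Group expansion is an assumption of this example (the service resolves
# principalSet:// groups itself); this membership table is constructed.
GROUP_MEMBERS = {
  "principalSet://goog/group/admins@example.com" => [
    "principal://goog/subject/alice@example.com",
    "principal://goog/subject/bob@example.com",
  ],
}.freeze

def matches_principal?(entry, principal)
  entry == PUBLIC_ALL || entry == principal ||
    GROUP_MEMBERS.fetch(entry, []).include?(principal)
end

# Denied when the principal is covered by denied_principals (directly or via a
# group) and not by exception_principals, and the permission is listed in
# denied_permissions and not in exception_permissions.
def denied?(rule, principal:, permission:)
  raise ArgumentError, "public:all is not allowed in exception_principals" unless valid_deny_rule?(rule)
  principal_hit = Array(rule.denied_principals).any? { |e| matches_principal?(e, principal) } &&
                  Array(rule.exception_principals).none? { |e| matches_principal?(e, principal) }
  permission_hit = Array(rule.denied_permissions).include?(permission) &&
                   !Array(rule.exception_permissions).include?(permission)
  principal_hit && permission_hit
end

# Constructed sample: deny the admins group roles.list and roles.get, but
# carve out alice (exception_principals) and roles.get (exception_permissions).
SAMPLE_RULE = DenyRule.new(
  denied_principals: ["principalSet://goog/group/admins@example.com"],
  exception_principals: ["principal://goog/subject/alice@example.com"],
  denied_permissions: ["iam.googleapis.com/roles.list", "iam.googleapis.com/roles.get"],
  exception_permissions: ["iam.googleapis.com/roles.get"]
)
```

Note that this evaluator matches permissions by exact string only; it does not implement anything the page does not state.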
Instance Method Details
#update!(**args) ⇒ Object
Update properties of this object.
# File 'lib/google/apis/policytroubleshooter_v3/classes.rb', line 1368
def update!(**args)
  @denial_condition = args[:denial_condition] if args.key?(:denial_condition)
  @denied_permissions = args[:denied_permissions] if args.key?(:denied_permissions)
  @denied_principals = args[:denied_principals] if args.key?(:denied_principals)
  @exception_permissions = args[:exception_permissions] if args.key?(:exception_permissions)
  @exception_principals = args[:exception_principals] if args.key?(:exception_principals)
end