Class: Google::Cloud::PrivilegedAccessManager::V1::Grant

Inherits:

Object

• Object
• Google::Cloud::PrivilegedAccessManager::V1::Grant

Extended by:

Protobuf::MessageExts::ClassMethods

Includes:

Protobuf::MessageExts

Defined in:

proto_docs/google/cloud/privilegedaccessmanager/v1/privilegedaccessmanager.rb

Overview

A grant represents a request from a user for obtaining the access specified in an entitlement they are eligible for.

Defined Under Namespace

Modules: State Classes: AuditTrail, Timeline

Instance Attribute Summary

• #additional_email_recipients ⇒ ::Array<::String>

  Optional.

• #audit_trail ⇒ ::Google::Cloud::PrivilegedAccessManager::V1::Grant::AuditTrail readonly

  Output only.

• #create_time ⇒ ::Google::Protobuf::Timestamp readonly

  Output only.

• #externally_modified ⇒ ::Boolean readonly

  Output only.

• #justification ⇒ ::Google::Cloud::PrivilegedAccessManager::V1::Justification

  Optional.

• #name ⇒ ::String

  Identifier.

• #privileged_access ⇒ ::Google::Cloud::PrivilegedAccessManager::V1::PrivilegedAccess readonly

  Output only.

• #requested_duration ⇒ ::Google::Protobuf::Duration

  Required.

• #requester ⇒ ::String readonly

  Output only.

• #state ⇒ ::Google::Cloud::PrivilegedAccessManager::V1::Grant::State readonly

  Output only.

• #timeline ⇒ ::Google::Cloud::PrivilegedAccessManager::V1::Grant::Timeline readonly

  Output only.

• #update_time ⇒ ::Google::Protobuf::Timestamp readonly

  Output only.

Instance Attribute Details

#additional_email_recipients ⇒ ::Array<::String>

Returns Optional. Additional email addresses to notify for all the actions performed on the grant.

Returns:

• (::Array<::String>) —

  Optional. Additional email addresses to notify for all the actions performed on the grant.

# File 'proto_docs/google/cloud/privilegedaccessmanager/v1/privilegedaccessmanager.rb', line 551

class Grant
  include ::Google::Protobuf::MessageExts
  extend ::Google::Protobuf::MessageExts::ClassMethods

  # Timeline of a grant describing what happened to it and when.
  # @!attribute [r] events
  #   @return [::Array<::Google::Cloud::PrivilegedAccessManager::V1::Grant::Timeline::Event>]
  #     Output only. The events that have occurred on this grant. This list
  #     contains entries in the same order as they occurred. The first entry is
  #     always be of type `Requested` and there is always at least one entry in
  #     this array.
  class Timeline
    include ::Google::Protobuf::MessageExts
    extend ::Google::Protobuf::MessageExts::ClassMethods

    # A single operation on the grant.
    # @!attribute [rw] requested
    #   @return [::Google::Cloud::PrivilegedAccessManager::V1::Grant::Timeline::Event::Requested]
    #     The grant was requested.
    #
    #     Note: The following fields are mutually exclusive: `requested`, `approved`, `denied`, `revoked`, `scheduled`, `activated`, `activation_failed`, `expired`, `ended`, `externally_modified`, `withdrawn`. If a field in that set is populated, all other fields in the set will automatically be cleared.
    # @!attribute [rw] approved
    #   @return [::Google::Cloud::PrivilegedAccessManager::V1::Grant::Timeline::Event::Approved]
    #     The grant was approved.
    #
    #     Note: The following fields are mutually exclusive: `approved`, `requested`, `denied`, `revoked`, `scheduled`, `activated`, `activation_failed`, `expired`, `ended`, `externally_modified`, `withdrawn`. If a field in that set is populated, all other fields in the set will automatically be cleared.
    # @!attribute [rw] denied
    #   @return [::Google::Cloud::PrivilegedAccessManager::V1::Grant::Timeline::Event::Denied]
    #     The grant was denied.
    #
    #     Note: The following fields are mutually exclusive: `denied`, `requested`, `approved`, `revoked`, `scheduled`, `activated`, `activation_failed`, `expired`, `ended`, `externally_modified`, `withdrawn`. If a field in that set is populated, all other fields in the set will automatically be cleared.
    # @!attribute [rw] revoked
    #   @return [::Google::Cloud::PrivilegedAccessManager::V1::Grant::Timeline::Event::Revoked]
    #     The grant was revoked.
    #
    #     Note: The following fields are mutually exclusive: `revoked`, `requested`, `approved`, `denied`, `scheduled`, `activated`, `activation_failed`, `expired`, `ended`, `externally_modified`, `withdrawn`. If a field in that set is populated, all other fields in the set will automatically be cleared.
    # @!attribute [rw] scheduled
    #   @return [::Google::Cloud::PrivilegedAccessManager::V1::Grant::Timeline::Event::Scheduled]
    #     The grant has been scheduled to give access.
    #
    #     Note: The following fields are mutually exclusive: `scheduled`, `requested`, `approved`, `denied`, `revoked`, `activated`, `activation_failed`, `expired`, `ended`, `externally_modified`, `withdrawn`. If a field in that set is populated, all other fields in the set will automatically be cleared.
    # @!attribute [rw] activated
    #   @return [::Google::Cloud::PrivilegedAccessManager::V1::Grant::Timeline::Event::Activated]
    #     The grant was successfully activated to give access.
    #
    #     Note: The following fields are mutually exclusive: `activated`, `requested`, `approved`, `denied`, `revoked`, `scheduled`, `activation_failed`, `expired`, `ended`, `externally_modified`, `withdrawn`. If a field in that set is populated, all other fields in the set will automatically be cleared.
    # @!attribute [rw] activation_failed
    #   @return [::Google::Cloud::PrivilegedAccessManager::V1::Grant::Timeline::Event::ActivationFailed]
    #     There was a non-retriable error while trying to give access.
    #
    #     Note: The following fields are mutually exclusive: `activation_failed`, `requested`, `approved`, `denied`, `revoked`, `scheduled`, `activated`, `expired`, `ended`, `externally_modified`, `withdrawn`. If a field in that set is populated, all other fields in the set will automatically be cleared.
    # @!attribute [rw] expired
    #   @return [::Google::Cloud::PrivilegedAccessManager::V1::Grant::Timeline::Event::Expired]
    #     The approval workflow did not complete in the necessary duration,
    #     and so the grant is expired.
    #
    #     Note: The following fields are mutually exclusive: `expired`, `requested`, `approved`, `denied`, `revoked`, `scheduled`, `activated`, `activation_failed`, `ended`, `externally_modified`, `withdrawn`. If a field in that set is populated, all other fields in the set will automatically be cleared.
    # @!attribute [rw] ended
    #   @return [::Google::Cloud::PrivilegedAccessManager::V1::Grant::Timeline::Event::Ended]
    #     Access given by the grant ended automatically as the approved
    #     duration was over.
    #
    #     Note: The following fields are mutually exclusive: `ended`, `requested`, `approved`, `denied`, `revoked`, `scheduled`, `activated`, `activation_failed`, `expired`, `externally_modified`, `withdrawn`. If a field in that set is populated, all other fields in the set will automatically be cleared.
    # @!attribute [rw] externally_modified
    #   @return [::Google::Cloud::PrivilegedAccessManager::V1::Grant::Timeline::Event::ExternallyModified]
    #     The policy bindings made by grant have been modified outside of PAM.
    #
    #     Note: The following fields are mutually exclusive: `externally_modified`, `requested`, `approved`, `denied`, `revoked`, `scheduled`, `activated`, `activation_failed`, `expired`, `ended`, `withdrawn`. If a field in that set is populated, all other fields in the set will automatically be cleared.
    # @!attribute [rw] withdrawn
    #   @return [::Google::Cloud::PrivilegedAccessManager::V1::Grant::Timeline::Event::Withdrawn]
    #     The grant was withdrawn.
    #
    #     Note: The following fields are mutually exclusive: `withdrawn`, `requested`, `approved`, `denied`, `revoked`, `scheduled`, `activated`, `activation_failed`, `expired`, `ended`, `externally_modified`. If a field in that set is populated, all other fields in the set will automatically be cleared.
    # @!attribute [r] event_time
    #   @return [::Google::Protobuf::Timestamp]
    #     Output only. The time (as recorded at server) when this event occurred.
    class Event
      include ::Google::Protobuf::MessageExts
      extend ::Google::Protobuf::MessageExts::ClassMethods

      # An event representing that a grant was requested.
      # @!attribute [r] expire_time
      #   @return [::Google::Protobuf::Timestamp]
      #     Output only. The time at which this grant expires unless the approval
      #     workflow completes. If omitted, then the request never expires.
      class Requested
        include ::Google::Protobuf::MessageExts
        extend ::Google::Protobuf::MessageExts::ClassMethods
      end

      # An event representing that the grant was approved.
      # @!attribute [r] reason
      #   @return [::String]
      #     Output only. The reason provided by the approver for approving the
      #     grant.
      # @!attribute [r] actor
      #   @return [::String]
      #     Output only. Username of the user who approved the grant.
      class Approved
        include ::Google::Protobuf::MessageExts
        extend ::Google::Protobuf::MessageExts::ClassMethods
      end

      # An event representing that the grant was denied.
      # @!attribute [r] reason
      #   @return [::String]
      #     Output only. The reason provided by the approver for denying the
      #     grant.
      # @!attribute [r] actor
      #   @return [::String]
      #     Output only. Username of the user who denied the grant.
      class Denied
        include ::Google::Protobuf::MessageExts
        extend ::Google::Protobuf::MessageExts::ClassMethods
      end

      # An event representing that the grant was revoked.
      # @!attribute [r] reason
      #   @return [::String]
      #     Output only. The reason provided by the user for revoking the grant.
      # @!attribute [r] actor
      #   @return [::String]
      #     Output only. Username of the user who revoked the grant.
      class Revoked
        include ::Google::Protobuf::MessageExts
        extend ::Google::Protobuf::MessageExts::ClassMethods
      end

      # An event representing that the grant was withdrawn.
      class Withdrawn
        include ::Google::Protobuf::MessageExts
        extend ::Google::Protobuf::MessageExts::ClassMethods
      end

      # An event representing that the grant has been scheduled to be
      # activated later.
      # @!attribute [r] scheduled_activation_time
      #   @return [::Google::Protobuf::Timestamp]
      #     Output only. The time at which the access is granted.
      class Scheduled
        include ::Google::Protobuf::MessageExts
        extend ::Google::Protobuf::MessageExts::ClassMethods
      end

      # An event representing that the grant was successfully
      # activated.
      class Activated
        include ::Google::Protobuf::MessageExts
        extend ::Google::Protobuf::MessageExts::ClassMethods
      end

      # An event representing that the grant activation failed.
      # @!attribute [r] error
      #   @return [::Google::Rpc::Status]
      #     Output only. The error that occurred while activating the grant.
      class ActivationFailed
        include ::Google::Protobuf::MessageExts
        extend ::Google::Protobuf::MessageExts::ClassMethods
      end

      # An event representing that the grant was expired.
      class Expired
        include ::Google::Protobuf::MessageExts
        extend ::Google::Protobuf::MessageExts::ClassMethods
      end

      # An event representing that the grant has ended.
      class Ended
        include ::Google::Protobuf::MessageExts
        extend ::Google::Protobuf::MessageExts::ClassMethods
      end

      # An event representing that the policy bindings made by this grant were
      # modified externally.
      class ExternallyModified
        include ::Google::Protobuf::MessageExts
        extend ::Google::Protobuf::MessageExts::ClassMethods
      end
    end
  end

  # Audit trail for the access provided by this grant.
  # @!attribute [r] access_grant_time
  #   @return [::Google::Protobuf::Timestamp]
  #     Output only. The time at which access was given.
  # @!attribute [r] access_remove_time
  #   @return [::Google::Protobuf::Timestamp]
  #     Output only. The time at which the system removed access. This could be
  #     because of an automatic expiry or because of a revocation.
  #
  #     If unspecified, then access hasn't been removed yet.
  class AuditTrail
    include ::Google::Protobuf::MessageExts
    extend ::Google::Protobuf::MessageExts::ClassMethods
  end

  # Different states a grant can be in.
  module State
    # Unspecified state. This value is never returned by the server.
    STATE_UNSPECIFIED = 0

    # The entitlement had an approval workflow configured and this grant is
    # waiting for the workflow to complete.
    APPROVAL_AWAITED = 1

    # The approval workflow completed with a denied result. No access is
    # granted for this grant. This is a terminal state.
    DENIED = 3

    # The approval workflow completed successfully with an approved result or
    # none was configured. Access is provided at an appropriate time.
    SCHEDULED = 4

    # Access is being given.
    ACTIVATING = 5

    # Access was successfully given and is currently active.
    ACTIVE = 6

    # The system could not give access due to a non-retriable error. This is a
    # terminal state.
    ACTIVATION_FAILED = 7

    # Expired after waiting for the approval workflow to complete. This is a
    # terminal state.
    EXPIRED = 8

    # Access is being revoked.
    REVOKING = 9

    # Access was revoked by a user. This is a terminal state.
    REVOKED = 10

    # System took back access as the requested duration was over. This is a
    # terminal state.
    ENDED = 11

    # Access is being withdrawn.
    WITHDRAWING = 12

    # Grant was withdrawn by the grant owner. This is a terminal state.
    WITHDRAWN = 13
  end
end

#audit_trail ⇒ ::Google::Cloud::PrivilegedAccessManager::V1::Grant::AuditTrail (readonly)

Returns Output only. Audit trail of access provided by this grant. If unspecified then access was never granted.

Returns:

• (::Google::Cloud::PrivilegedAccessManager::V1::Grant::AuditTrail) —

  Output only. Audit trail of access provided by this grant. If unspecified then access was never granted.

# File 'proto_docs/google/cloud/privilegedaccessmanager/v1/privilegedaccessmanager.rb', line 551

class Grant
  include ::Google::Protobuf::MessageExts
  extend ::Google::Protobuf::MessageExts::ClassMethods

  # Timeline of a grant describing what happened to it and when.
  # @!attribute [r] events
  #   @return [::Array<::Google::Cloud::PrivilegedAccessManager::V1::Grant::Timeline::Event>]
  #     Output only. The events that have occurred on this grant. This list
  #     contains entries in the same order as they occurred. The first entry is
  #     always be of type `Requested` and there is always at least one entry in
  #     this array.
  class Timeline
    include ::Google::Protobuf::MessageExts
    extend ::Google::Protobuf::MessageExts::ClassMethods

    # A single operation on the grant.
    # @!attribute [rw] requested
    #   @return [::Google::Cloud::PrivilegedAccessManager::V1::Grant::Timeline::Event::Requested]
    #     The grant was requested.
    #
    #     Note: The following fields are mutually exclusive: `requested`, `approved`, `denied`, `revoked`, `scheduled`, `activated`, `activation_failed`, `expired`, `ended`, `externally_modified`, `withdrawn`. If a field in that set is populated, all other fields in the set will automatically be cleared.
    # @!attribute [rw] approved
    #   @return [::Google::Cloud::PrivilegedAccessManager::V1::Grant::Timeline::Event::Approved]
    #     The grant was approved.
    #
    #     Note: The following fields are mutually exclusive: `approved`, `requested`, `denied`, `revoked`, `scheduled`, `activated`, `activation_failed`, `expired`, `ended`, `externally_modified`, `withdrawn`. If a field in that set is populated, all other fields in the set will automatically be cleared.
    # @!attribute [rw] denied
    #   @return [::Google::Cloud::PrivilegedAccessManager::V1::Grant::Timeline::Event::Denied]
    #     The grant was denied.
    #
    #     Note: The following fields are mutually exclusive: `denied`, `requested`, `approved`, `revoked`, `scheduled`, `activated`, `activation_failed`, `expired`, `ended`, `externally_modified`, `withdrawn`. If a field in that set is populated, all other fields in the set will automatically be cleared.
    # @!attribute [rw] revoked
    #   @return [::Google::Cloud::PrivilegedAccessManager::V1::Grant::Timeline::Event::Revoked]
    #     The grant was revoked.
    #
    #     Note: The following fields are mutually exclusive: `revoked`, `requested`, `approved`, `denied`, `scheduled`, `activated`, `activation_failed`, `expired`, `ended`, `externally_modified`, `withdrawn`. If a field in that set is populated, all other fields in the set will automatically be cleared.
    # @!attribute [rw] scheduled
    #   @return [::Google::Cloud::PrivilegedAccessManager::V1::Grant::Timeline::Event::Scheduled]
    #     The grant has been scheduled to give access.
    #
    #     Note: The following fields are mutually exclusive: `scheduled`, `requested`, `approved`, `denied`, `revoked`, `activated`, `activation_failed`, `expired`, `ended`, `externally_modified`, `withdrawn`. If a field in that set is populated, all other fields in the set will automatically be cleared.
    # @!attribute [rw] activated
    #   @return [::Google::Cloud::PrivilegedAccessManager::V1::Grant::Timeline::Event::Activated]
    #     The grant was successfully activated to give access.
    #
    #     Note: The following fields are mutually exclusive: `activated`, `requested`, `approved`, `denied`, `revoked`, `scheduled`, `activation_failed`, `expired`, `ended`, `externally_modified`, `withdrawn`. If a field in that set is populated, all other fields in the set will automatically be cleared.
    # @!attribute [rw] activation_failed
    #   @return [::Google::Cloud::PrivilegedAccessManager::V1::Grant::Timeline::Event::ActivationFailed]
    #     There was a non-retriable error while trying to give access.
    #
    #     Note: The following fields are mutually exclusive: `activation_failed`, `requested`, `approved`, `denied`, `revoked`, `scheduled`, `activated`, `expired`, `ended`, `externally_modified`, `withdrawn`. If a field in that set is populated, all other fields in the set will automatically be cleared.
    # @!attribute [rw] expired
    #   @return [::Google::Cloud::PrivilegedAccessManager::V1::Grant::Timeline::Event::Expired]
    #     The approval workflow did not complete in the necessary duration,
    #     and so the grant is expired.
    #
    #     Note: The following fields are mutually exclusive: `expired`, `requested`, `approved`, `denied`, `revoked`, `scheduled`, `activated`, `activation_failed`, `ended`, `externally_modified`, `withdrawn`. If a field in that set is populated, all other fields in the set will automatically be cleared.
    # @!attribute [rw] ended
    #   @return [::Google::Cloud::PrivilegedAccessManager::V1::Grant::Timeline::Event::Ended]
    #     Access given by the grant ended automatically as the approved
    #     duration was over.
    #
    #     Note: The following fields are mutually exclusive: `ended`, `requested`, `approved`, `denied`, `revoked`, `scheduled`, `activated`, `activation_failed`, `expired`, `externally_modified`, `withdrawn`. If a field in that set is populated, all other fields in the set will automatically be cleared.
    # @!attribute [rw] externally_modified
    #   @return [::Google::Cloud::PrivilegedAccessManager::V1::Grant::Timeline::Event::ExternallyModified]
    #     The policy bindings made by grant have been modified outside of PAM.
    #
    #     Note: The following fields are mutually exclusive: `externally_modified`, `requested`, `approved`, `denied`, `revoked`, `scheduled`, `activated`, `activation_failed`, `expired`, `ended`, `withdrawn`. If a field in that set is populated, all other fields in the set will automatically be cleared.
    # @!attribute [rw] withdrawn
    #   @return [::Google::Cloud::PrivilegedAccessManager::V1::Grant::Timeline::Event::Withdrawn]
    #     The grant was withdrawn.
    #
    #     Note: The following fields are mutually exclusive: `withdrawn`, `requested`, `approved`, `denied`, `revoked`, `scheduled`, `activated`, `activation_failed`, `expired`, `ended`, `externally_modified`. If a field in that set is populated, all other fields in the set will automatically be cleared.
    # @!attribute [r] event_time
    #   @return [::Google::Protobuf::Timestamp]
    #     Output only. The time (as recorded at server) when this event occurred.
    class Event
      include ::Google::Protobuf::MessageExts
      extend ::Google::Protobuf::MessageExts::ClassMethods

      # An event representing that a grant was requested.
      # @!attribute [r] expire_time
      #   @return [::Google::Protobuf::Timestamp]
      #     Output only. The time at which this grant expires unless the approval
      #     workflow completes. If omitted, then the request never expires.
      class Requested
        include ::Google::Protobuf::MessageExts
        extend ::Google::Protobuf::MessageExts::ClassMethods
      end

      # An event representing that the grant was approved.
      # @!attribute [r] reason
      #   @return [::String]
      #     Output only. The reason provided by the approver for approving the
      #     grant.
      # @!attribute [r] actor
      #   @return [::String]
      #     Output only. Username of the user who approved the grant.
      class Approved
        include ::Google::Protobuf::MessageExts
        extend ::Google::Protobuf::MessageExts::ClassMethods
      end

      # An event representing that the grant was denied.
      # @!attribute [r] reason
      #   @return [::String]
      #     Output only. The reason provided by the approver for denying the
      #     grant.
      # @!attribute [r] actor
      #   @return [::String]
      #     Output only. Username of the user who denied the grant.
      class Denied
        include ::Google::Protobuf::MessageExts
        extend ::Google::Protobuf::MessageExts::ClassMethods
      end

      # An event representing that the grant was revoked.
      # @!attribute [r] reason
      #   @return [::String]
      #     Output only. The reason provided by the user for revoking the grant.
      # @!attribute [r] actor
      #   @return [::String]
      #     Output only. Username of the user who revoked the grant.
      class Revoked
        include ::Google::Protobuf::MessageExts
        extend ::Google::Protobuf::MessageExts::ClassMethods
      end

      # An event representing that the grant was withdrawn.
      class Withdrawn
        include ::Google::Protobuf::MessageExts
        extend ::Google::Protobuf::MessageExts::ClassMethods
      end

      # An event representing that the grant has been scheduled to be
      # activated later.
      # @!attribute [r] scheduled_activation_time
      #   @return [::Google::Protobuf::Timestamp]
      #     Output only. The time at which the access is granted.
      class Scheduled
        include ::Google::Protobuf::MessageExts
        extend ::Google::Protobuf::MessageExts::ClassMethods
      end

      # An event representing that the grant was successfully
      # activated.
      class Activated
        include ::Google::Protobuf::MessageExts
        extend ::Google::Protobuf::MessageExts::ClassMethods
      end

      # An event representing that the grant activation failed.
      # @!attribute [r] error
      #   @return [::Google::Rpc::Status]
      #     Output only. The error that occurred while activating the grant.
      class ActivationFailed
        include ::Google::Protobuf::MessageExts
        extend ::Google::Protobuf::MessageExts::ClassMethods
      end

      # An event representing that the grant was expired.
      class Expired
        include ::Google::Protobuf::MessageExts
        extend ::Google::Protobuf::MessageExts::ClassMethods
      end

      # An event representing that the grant has ended.
      class Ended
        include ::Google::Protobuf::MessageExts
        extend ::Google::Protobuf::MessageExts::ClassMethods
      end

      # An event representing that the policy bindings made by this grant were
      # modified externally.
      class ExternallyModified
        include ::Google::Protobuf::MessageExts
        extend ::Google::Protobuf::MessageExts::ClassMethods
      end
    end
  end

  # Audit trail for the access provided by this grant.
  # @!attribute [r] access_grant_time
  #   @return [::Google::Protobuf::Timestamp]
  #     Output only. The time at which access was given.
  # @!attribute [r] access_remove_time
  #   @return [::Google::Protobuf::Timestamp]
  #     Output only. The time at which the system removed access. This could be
  #     because of an automatic expiry or because of a revocation.
  #
  #     If unspecified, then access hasn't been removed yet.
  class AuditTrail
    include ::Google::Protobuf::MessageExts
    extend ::Google::Protobuf::MessageExts::ClassMethods
  end

  # Different states a grant can be in.
  module State
    # Unspecified state. This value is never returned by the server.
    STATE_UNSPECIFIED = 0

    # The entitlement had an approval workflow configured and this grant is
    # waiting for the workflow to complete.
    APPROVAL_AWAITED = 1

    # The approval workflow completed with a denied result. No access is
    # granted for this grant. This is a terminal state.
    DENIED = 3

    # The approval workflow completed successfully with an approved result or
    # none was configured. Access is provided at an appropriate time.
    SCHEDULED = 4

    # Access is being given.
    ACTIVATING = 5

    # Access was successfully given and is currently active.
    ACTIVE = 6

    # The system could not give access due to a non-retriable error. This is a
    # terminal state.
    ACTIVATION_FAILED = 7

    # Expired after waiting for the approval workflow to complete. This is a
    # terminal state.
    EXPIRED = 8

    # Access is being revoked.
    REVOKING = 9

    # Access was revoked by a user. This is a terminal state.
    REVOKED = 10

    # System took back access as the requested duration was over. This is a
    # terminal state.
    ENDED = 11

    # Access is being withdrawn.
    WITHDRAWING = 12

    # Grant was withdrawn by the grant owner. This is a terminal state.
    WITHDRAWN = 13
  end
end

#create_time ⇒ ::Google::Protobuf::Timestamp (readonly)

Returns Output only. Create time stamp.

Returns:

• (::Google::Protobuf::Timestamp) —

  Output only. Create time stamp.

# File 'proto_docs/google/cloud/privilegedaccessmanager/v1/privilegedaccessmanager.rb', line 551

class Grant
  include ::Google::Protobuf::MessageExts
  extend ::Google::Protobuf::MessageExts::ClassMethods

  # Timeline of a grant describing what happened to it and when.
  # @!attribute [r] events
  #   @return [::Array<::Google::Cloud::PrivilegedAccessManager::V1::Grant::Timeline::Event>]
  #     Output only. The events that have occurred on this grant. This list
  #     contains entries in the same order as they occurred. The first entry is
  #     always be of type `Requested` and there is always at least one entry in
  #     this array.
  class Timeline
    include ::Google::Protobuf::MessageExts
    extend ::Google::Protobuf::MessageExts::ClassMethods

    # A single operation on the grant.
    # @!attribute [rw] requested
    #   @return [::Google::Cloud::PrivilegedAccessManager::V1::Grant::Timeline::Event::Requested]
    #     The grant was requested.
    #
    #     Note: The following fields are mutually exclusive: `requested`, `approved`, `denied`, `revoked`, `scheduled`, `activated`, `activation_failed`, `expired`, `ended`, `externally_modified`, `withdrawn`. If a field in that set is populated, all other fields in the set will automatically be cleared.
    # @!attribute [rw] approved
    #   @return [::Google::Cloud::PrivilegedAccessManager::V1::Grant::Timeline::Event::Approved]
    #     The grant was approved.
    #
    #     Note: The following fields are mutually exclusive: `approved`, `requested`, `denied`, `revoked`, `scheduled`, `activated`, `activation_failed`, `expired`, `ended`, `externally_modified`, `withdrawn`. If a field in that set is populated, all other fields in the set will automatically be cleared.
    # @!attribute [rw] denied
    #   @return [::Google::Cloud::PrivilegedAccessManager::V1::Grant::Timeline::Event::Denied]
    #     The grant was denied.
    #
    #     Note: The following fields are mutually exclusive: `denied`, `requested`, `approved`, `revoked`, `scheduled`, `activated`, `activation_failed`, `expired`, `ended`, `externally_modified`, `withdrawn`. If a field in that set is populated, all other fields in the set will automatically be cleared.
    # @!attribute [rw] revoked
    #   @return [::Google::Cloud::PrivilegedAccessManager::V1::Grant::Timeline::Event::Revoked]
    #     The grant was revoked.
    #
    #     Note: The following fields are mutually exclusive: `revoked`, `requested`, `approved`, `denied`, `scheduled`, `activated`, `activation_failed`, `expired`, `ended`, `externally_modified`, `withdrawn`. If a field in that set is populated, all other fields in the set will automatically be cleared.
    # @!attribute [rw] scheduled
    #   @return [::Google::Cloud::PrivilegedAccessManager::V1::Grant::Timeline::Event::Scheduled]
    #     The grant has been scheduled to give access.
    #
    #     Note: The following fields are mutually exclusive: `scheduled`, `requested`, `approved`, `denied`, `revoked`, `activated`, `activation_failed`, `expired`, `ended`, `externally_modified`, `withdrawn`. If a field in that set is populated, all other fields in the set will automatically be cleared.
    # @!attribute [rw] activated
    #   @return [::Google::Cloud::PrivilegedAccessManager::V1::Grant::Timeline::Event::Activated]
    #     The grant was successfully activated to give access.
    #
    #     Note: The following fields are mutually exclusive: `activated`, `requested`, `approved`, `denied`, `revoked`, `scheduled`, `activation_failed`, `expired`, `ended`, `externally_modified`, `withdrawn`. If a field in that set is populated, all other fields in the set will automatically be cleared.
    # @!attribute [rw] activation_failed
    #   @return [::Google::Cloud::PrivilegedAccessManager::V1::Grant::Timeline::Event::ActivationFailed]
    #     There was a non-retriable error while trying to give access.
    #
    #     Note: The following fields are mutually exclusive: `activation_failed`, `requested`, `approved`, `denied`, `revoked`, `scheduled`, `activated`, `expired`, `ended`, `externally_modified`, `withdrawn`. If a field in that set is populated, all other fields in the set will automatically be cleared.
    # @!attribute [rw] expired
    #   @return [::Google::Cloud::PrivilegedAccessManager::V1::Grant::Timeline::Event::Expired]
    #     The approval workflow did not complete in the necessary duration,
    #     and so the grant is expired.
    #
    #     Note: The following fields are mutually exclusive: `expired`, `requested`, `approved`, `denied`, `revoked`, `scheduled`, `activated`, `activation_failed`, `ended`, `externally_modified`, `withdrawn`. If a field in that set is populated, all other fields in the set will automatically be cleared.
    # @!attribute [rw] ended
    #   @return [::Google::Cloud::PrivilegedAccessManager::V1::Grant::Timeline::Event::Ended]
    #     Access given by the grant ended automatically as the approved
    #     duration was over.
    #
    #     Note: The following fields are mutually exclusive: `ended`, `requested`, `approved`, `denied`, `revoked`, `scheduled`, `activated`, `activation_failed`, `expired`, `externally_modified`, `withdrawn`. If a field in that set is populated, all other fields in the set will automatically be cleared.
    # @!attribute [rw] externally_modified
    #   @return [::Google::Cloud::PrivilegedAccessManager::V1::Grant::Timeline::Event::ExternallyModified]
    #     The policy bindings made by grant have been modified outside of PAM.
    #
    #     Note: The following fields are mutually exclusive: `externally_modified`, `requested`, `approved`, `denied`, `revoked`, `scheduled`, `activated`, `activation_failed`, `expired`, `ended`, `withdrawn`. If a field in that set is populated, all other fields in the set will automatically be cleared.
    # @!attribute [rw] withdrawn
    #   @return [::Google::Cloud::PrivilegedAccessManager::V1::Grant::Timeline::Event::Withdrawn]
    #     The grant was withdrawn.
    #
    #     Note: The following fields are mutually exclusive: `withdrawn`, `requested`, `approved`, `denied`, `revoked`, `scheduled`, `activated`, `activation_failed`, `expired`, `ended`, `externally_modified`. If a field in that set is populated, all other fields in the set will automatically be cleared.
    # @!attribute [r] event_time
    #   @return [::Google::Protobuf::Timestamp]
    #     Output only. The time (as recorded at server) when this event occurred.
    class Event
      include ::Google::Protobuf::MessageExts
      extend ::Google::Protobuf::MessageExts::ClassMethods

      # An event representing that a grant was requested.
      # @!attribute [r] expire_time
      #   @return [::Google::Protobuf::Timestamp]
      #     Output only. The time at which this grant expires unless the approval
      #     workflow completes. If omitted, then the request never expires.
      class Requested
        include ::Google::Protobuf::MessageExts
        extend ::Google::Protobuf::MessageExts::ClassMethods
      end

      # An event representing that the grant was approved.
      # @!attribute [r] reason
      #   @return [::String]
      #     Output only. The reason provided by the approver for approving the
      #     grant.
      # @!attribute [r] actor
      #   @return [::String]
      #     Output only. Username of the user who approved the grant.
      class Approved
        include ::Google::Protobuf::MessageExts
        extend ::Google::Protobuf::MessageExts::ClassMethods
      end

      # An event representing that the grant was denied.
      # @!attribute [r] reason
      #   @return [::String]
      #     Output only. The reason provided by the approver for denying the
      #     grant.
      # @!attribute [r] actor
      #   @return [::String]
      #     Output only. Username of the user who denied the grant.
      class Denied
        include ::Google::Protobuf::MessageExts
        extend ::Google::Protobuf::MessageExts::ClassMethods
      end

      # An event representing that the grant was revoked.
      # @!attribute [r] reason
      #   @return [::String]
      #     Output only. The reason provided by the user for revoking the grant.
      # @!attribute [r] actor
      #   @return [::String]
      #     Output only. Username of the user who revoked the grant.
      class Revoked
        include ::Google::Protobuf::MessageExts
        extend ::Google::Protobuf::MessageExts::ClassMethods
      end

      # An event representing that the grant was withdrawn.
      class Withdrawn
        include ::Google::Protobuf::MessageExts
        extend ::Google::Protobuf::MessageExts::ClassMethods
      end

      # An event representing that the grant has been scheduled to be
      # activated later.
      # @!attribute [r] scheduled_activation_time
      #   @return [::Google::Protobuf::Timestamp]
      #     Output only. The time at which the access is granted.
      class Scheduled
        include ::Google::Protobuf::MessageExts
        extend ::Google::Protobuf::MessageExts::ClassMethods
      end

      # An event representing that the grant was successfully
      # activated.
      class Activated
        include ::Google::Protobuf::MessageExts
        extend ::Google::Protobuf::MessageExts::ClassMethods
      end

      # An event representing that the grant activation failed.
      # @!attribute [r] error
      #   @return [::Google::Rpc::Status]
      #     Output only. The error that occurred while activating the grant.
      class ActivationFailed
        include ::Google::Protobuf::MessageExts
        extend ::Google::Protobuf::MessageExts::ClassMethods
      end

      # An event representing that the grant was expired.
      class Expired
        include ::Google::Protobuf::MessageExts
        extend ::Google::Protobuf::MessageExts::ClassMethods
      end

      # An event representing that the grant has ended.
      class Ended
        include ::Google::Protobuf::MessageExts
        extend ::Google::Protobuf::MessageExts::ClassMethods
      end

      # An event representing that the policy bindings made by this grant were
      # modified externally.
      class ExternallyModified
        include ::Google::Protobuf::MessageExts
        extend ::Google::Protobuf::MessageExts::ClassMethods
      end
    end
  end

  # Audit trail for the access provided by this grant.
  # @!attribute [r] access_grant_time
  #   @return [::Google::Protobuf::Timestamp]
  #     Output only. The time at which access was given.
  # @!attribute [r] access_remove_time
  #   @return [::Google::Protobuf::Timestamp]
  #     Output only. The time at which the system removed access. This could be
  #     because of an automatic expiry or because of a revocation.
  #
  #     If unspecified, then access hasn't been removed yet.
  class AuditTrail
    include ::Google::Protobuf::MessageExts
    extend ::Google::Protobuf::MessageExts::ClassMethods
  end

  # Different states a grant can be in.
  module State
    # Unspecified state. This value is never returned by the server.
    STATE_UNSPECIFIED = 0

    # The entitlement had an approval workflow configured and this grant is
    # waiting for the workflow to complete.
    APPROVAL_AWAITED = 1

    # The approval workflow completed with a denied result. No access is
    # granted for this grant. This is a terminal state.
    DENIED = 3

    # The approval workflow completed successfully with an approved result or
    # none was configured. Access is provided at an appropriate time.
    SCHEDULED = 4

    # Access is being given.
    ACTIVATING = 5

    # Access was successfully given and is currently active.
    ACTIVE = 6

    # The system could not give access due to a non-retriable error. This is a
    # terminal state.
    ACTIVATION_FAILED = 7

    # Expired after waiting for the approval workflow to complete. This is a
    # terminal state.
    EXPIRED = 8

    # Access is being revoked.
    REVOKING = 9

    # Access was revoked by a user. This is a terminal state.
    REVOKED = 10

    # System took back access as the requested duration was over. This is a
    # terminal state.
    ENDED = 11

    # Access is being withdrawn.
    WITHDRAWING = 12

    # Grant was withdrawn by the grant owner. This is a terminal state.
    WITHDRAWN = 13
  end
end

#externally_modified ⇒ ::Boolean (readonly)

Returns Output only. Flag set by the PAM system to indicate that policy bindings made by this grant have been modified from outside PAM.

After it is set, this flag remains set forever irrespective of the grant state. A true value here indicates that PAM no longer has any certainty on the access a user has because of this grant.

Returns:

• (::Boolean) —

  Output only. Flag set by the PAM system to indicate that policy bindings made by this grant have been modified from outside PAM.

  After it is set, this flag remains set forever irrespective of the grant state. A true value here indicates that PAM no longer has any certainty on the access a user has because of this grant.

# File 'proto_docs/google/cloud/privilegedaccessmanager/v1/privilegedaccessmanager.rb', line 551

class Grant
  include ::Google::Protobuf::MessageExts
  extend ::Google::Protobuf::MessageExts::ClassMethods

  # Timeline of a grant describing what happened to it and when.
  # @!attribute [r] events
  #   @return [::Array<::Google::Cloud::PrivilegedAccessManager::V1::Grant::Timeline::Event>]
  #     Output only. The events that have occurred on this grant. This list
  #     contains entries in the same order as they occurred. The first entry is
  #     always be of type `Requested` and there is always at least one entry in
  #     this array.
  class Timeline
    include ::Google::Protobuf::MessageExts
    extend ::Google::Protobuf::MessageExts::ClassMethods

    # A single operation on the grant.
    # @!attribute [rw] requested
    #   @return [::Google::Cloud::PrivilegedAccessManager::V1::Grant::Timeline::Event::Requested]
    #     The grant was requested.
    #
    #     Note: The following fields are mutually exclusive: `requested`, `approved`, `denied`, `revoked`, `scheduled`, `activated`, `activation_failed`, `expired`, `ended`, `externally_modified`, `withdrawn`. If a field in that set is populated, all other fields in the set will automatically be cleared.
    # @!attribute [rw] approved
    #   @return [::Google::Cloud::PrivilegedAccessManager::V1::Grant::Timeline::Event::Approved]
    #     The grant was approved.
    #
    #     Note: The following fields are mutually exclusive: `approved`, `requested`, `denied`, `revoked`, `scheduled`, `activated`, `activation_failed`, `expired`, `ended`, `externally_modified`, `withdrawn`. If a field in that set is populated, all other fields in the set will automatically be cleared.
    # @!attribute [rw] denied
    #   @return [::Google::Cloud::PrivilegedAccessManager::V1::Grant::Timeline::Event::Denied]
    #     The grant was denied.
    #
    #     Note: The following fields are mutually exclusive: `denied`, `requested`, `approved`, `revoked`, `scheduled`, `activated`, `activation_failed`, `expired`, `ended`, `externally_modified`, `withdrawn`. If a field in that set is populated, all other fields in the set will automatically be cleared.
    # @!attribute [rw] revoked
    #   @return [::Google::Cloud::PrivilegedAccessManager::V1::Grant::Timeline::Event::Revoked]
    #     The grant was revoked.
    #
    #     Note: The following fields are mutually exclusive: `revoked`, `requested`, `approved`, `denied`, `scheduled`, `activated`, `activation_failed`, `expired`, `ended`, `externally_modified`, `withdrawn`. If a field in that set is populated, all other fields in the set will automatically be cleared.
    # @!attribute [rw] scheduled
    #   @return [::Google::Cloud::PrivilegedAccessManager::V1::Grant::Timeline::Event::Scheduled]
    #     The grant has been scheduled to give access.
    #
    #     Note: The following fields are mutually exclusive: `scheduled`, `requested`, `approved`, `denied`, `revoked`, `activated`, `activation_failed`, `expired`, `ended`, `externally_modified`, `withdrawn`. If a field in that set is populated, all other fields in the set will automatically be cleared.
    # @!attribute [rw] activated
    #   @return [::Google::Cloud::PrivilegedAccessManager::V1::Grant::Timeline::Event::Activated]
    #     The grant was successfully activated to give access.
    #
    #     Note: The following fields are mutually exclusive: `activated`, `requested`, `approved`, `denied`, `revoked`, `scheduled`, `activation_failed`, `expired`, `ended`, `externally_modified`, `withdrawn`. If a field in that set is populated, all other fields in the set will automatically be cleared.
    # @!attribute [rw] activation_failed
    #   @return [::Google::Cloud::PrivilegedAccessManager::V1::Grant::Timeline::Event::ActivationFailed]
    #     There was a non-retriable error while trying to give access.
    #
    #     Note: The following fields are mutually exclusive: `activation_failed`, `requested`, `approved`, `denied`, `revoked`, `scheduled`, `activated`, `expired`, `ended`, `externally_modified`, `withdrawn`. If a field in that set is populated, all other fields in the set will automatically be cleared.
    # @!attribute [rw] expired
    #   @return [::Google::Cloud::PrivilegedAccessManager::V1::Grant::Timeline::Event::Expired]
    #     The approval workflow did not complete in the necessary duration,
    #     and so the grant is expired.
    #
    #     Note: The following fields are mutually exclusive: `expired`, `requested`, `approved`, `denied`, `revoked`, `scheduled`, `activated`, `activation_failed`, `ended`, `externally_modified`, `withdrawn`. If a field in that set is populated, all other fields in the set will automatically be cleared.
    # @!attribute [rw] ended
    #   @return [::Google::Cloud::PrivilegedAccessManager::V1::Grant::Timeline::Event::Ended]
    #     Access given by the grant ended automatically as the approved
    #     duration was over.
    #
    #     Note: The following fields are mutually exclusive: `ended`, `requested`, `approved`, `denied`, `revoked`, `scheduled`, `activated`, `activation_failed`, `expired`, `externally_modified`, `withdrawn`. If a field in that set is populated, all other fields in the set will automatically be cleared.
    # @!attribute [rw] externally_modified
    #   @return [::Google::Cloud::PrivilegedAccessManager::V1::Grant::Timeline::Event::ExternallyModified]
    #     The policy bindings made by grant have been modified outside of PAM.
    #
    #     Note: The following fields are mutually exclusive: `externally_modified`, `requested`, `approved`, `denied`, `revoked`, `scheduled`, `activated`, `activation_failed`, `expired`, `ended`, `withdrawn`. If a field in that set is populated, all other fields in the set will automatically be cleared.
    # @!attribute [rw] withdrawn
    #   @return [::Google::Cloud::PrivilegedAccessManager::V1::Grant::Timeline::Event::Withdrawn]
    #     The grant was withdrawn.
    #
    #     Note: The following fields are mutually exclusive: `withdrawn`, `requested`, `approved`, `denied`, `revoked`, `scheduled`, `activated`, `activation_failed`, `expired`, `ended`, `externally_modified`. If a field in that set is populated, all other fields in the set will automatically be cleared.
    # @!attribute [r] event_time
    #   @return [::Google::Protobuf::Timestamp]
    #     Output only. The time (as recorded at server) when this event occurred.
    class Event
      include ::Google::Protobuf::MessageExts
      extend ::Google::Protobuf::MessageExts::ClassMethods

      # An event representing that a grant was requested.
      # @!attribute [r] expire_time
      #   @return [::Google::Protobuf::Timestamp]
      #     Output only. The time at which this grant expires unless the approval
      #     workflow completes. If omitted, then the request never expires.
      class Requested
        include ::Google::Protobuf::MessageExts
        extend ::Google::Protobuf::MessageExts::ClassMethods
      end

      # An event representing that the grant was approved.
      # @!attribute [r] reason
      #   @return [::String]
      #     Output only. The reason provided by the approver for approving the
      #     grant.
      # @!attribute [r] actor
      #   @return [::String]
      #     Output only. Username of the user who approved the grant.
      class Approved
        include ::Google::Protobuf::MessageExts
        extend ::Google::Protobuf::MessageExts::ClassMethods
      end

      # An event representing that the grant was denied.
      # @!attribute [r] reason
      #   @return [::String]
      #     Output only. The reason provided by the approver for denying the
      #     grant.
      # @!attribute [r] actor
      #   @return [::String]
      #     Output only. Username of the user who denied the grant.
      class Denied
        include ::Google::Protobuf::MessageExts
        extend ::Google::Protobuf::MessageExts::ClassMethods
      end

      # An event representing that the grant was revoked.
      # @!attribute [r] reason
      #   @return [::String]
      #     Output only. The reason provided by the user for revoking the grant.
      # @!attribute [r] actor
      #   @return [::String]
      #     Output only. Username of the user who revoked the grant.
      class Revoked
        include ::Google::Protobuf::MessageExts
        extend ::Google::Protobuf::MessageExts::ClassMethods
      end

      # An event representing that the grant was withdrawn.
      class Withdrawn
        include ::Google::Protobuf::MessageExts
        extend ::Google::Protobuf::MessageExts::ClassMethods
      end

      # An event representing that the grant has been scheduled to be
      # activated later.
      # @!attribute [r] scheduled_activation_time
      #   @return [::Google::Protobuf::Timestamp]
      #     Output only. The time at which the access is granted.
      class Scheduled
        include ::Google::Protobuf::MessageExts
        extend ::Google::Protobuf::MessageExts::ClassMethods
      end

      # An event representing that the grant was successfully
      # activated.
      class Activated
        include ::Google::Protobuf::MessageExts
        extend ::Google::Protobuf::MessageExts::ClassMethods
      end

      # An event representing that the grant activation failed.
      # @!attribute [r] error
      #   @return [::Google::Rpc::Status]
      #     Output only. The error that occurred while activating the grant.
      class ActivationFailed
        include ::Google::Protobuf::MessageExts
        extend ::Google::Protobuf::MessageExts::ClassMethods
      end

      # An event representing that the grant was expired.
      class Expired
        include ::Google::Protobuf::MessageExts
        extend ::Google::Protobuf::MessageExts::ClassMethods
      end

      # An event representing that the grant has ended.
      class Ended
        include ::Google::Protobuf::MessageExts
        extend ::Google::Protobuf::MessageExts::ClassMethods
      end

      # An event representing that the policy bindings made by this grant were
      # modified externally.
      class ExternallyModified
        include ::Google::Protobuf::MessageExts
        extend ::Google::Protobuf::MessageExts::ClassMethods
      end
    end
  end

  # Audit trail for the access provided by this grant.
  # @!attribute [r] access_grant_time
  #   @return [::Google::Protobuf::Timestamp]
  #     Output only. The time at which access was given.
  # @!attribute [r] access_remove_time
  #   @return [::Google::Protobuf::Timestamp]
  #     Output only. The time at which the system removed access. This could be
  #     because of an automatic expiry or because of a revocation.
  #
  #     If unspecified, then access hasn't been removed yet.
  class AuditTrail
    include ::Google::Protobuf::MessageExts
    extend ::Google::Protobuf::MessageExts::ClassMethods
  end

  # Different states a grant can be in.
  module State
    # Unspecified state. This value is never returned by the server.
    STATE_UNSPECIFIED = 0

    # The entitlement had an approval workflow configured and this grant is
    # waiting for the workflow to complete.
    APPROVAL_AWAITED = 1

    # The approval workflow completed with a denied result. No access is
    # granted for this grant. This is a terminal state.
    DENIED = 3

    # The approval workflow completed successfully with an approved result or
    # none was configured. Access is provided at an appropriate time.
    SCHEDULED = 4

    # Access is being given.
    ACTIVATING = 5

    # Access was successfully given and is currently active.
    ACTIVE = 6

    # The system could not give access due to a non-retriable error. This is a
    # terminal state.
    ACTIVATION_FAILED = 7

    # Expired after waiting for the approval workflow to complete. This is a
    # terminal state.
    EXPIRED = 8

    # Access is being revoked.
    REVOKING = 9

    # Access was revoked by a user. This is a terminal state.
    REVOKED = 10

    # System took back access as the requested duration was over. This is a
    # terminal state.
    ENDED = 11

    # Access is being withdrawn.
    WITHDRAWING = 12

    # Grant was withdrawn by the grant owner. This is a terminal state.
    WITHDRAWN = 13
  end
end

#justification ⇒ ::Google::Cloud::PrivilegedAccessManager::V1::Justification

Returns Optional. Justification of why this access is needed.

Returns:

• (::Google::Cloud::PrivilegedAccessManager::V1::Justification) —

  Optional. Justification of why this access is needed.

# File 'proto_docs/google/cloud/privilegedaccessmanager/v1/privilegedaccessmanager.rb', line 551

class Grant
  include ::Google::Protobuf::MessageExts
  extend ::Google::Protobuf::MessageExts::ClassMethods

  # Timeline of a grant describing what happened to it and when.
  # @!attribute [r] events
  #   @return [::Array<::Google::Cloud::PrivilegedAccessManager::V1::Grant::Timeline::Event>]
  #     Output only. The events that have occurred on this grant. This list
  #     contains entries in the same order as they occurred. The first entry is
  #     always be of type `Requested` and there is always at least one entry in
  #     this array.
  class Timeline
    include ::Google::Protobuf::MessageExts
    extend ::Google::Protobuf::MessageExts::ClassMethods

    # A single operation on the grant.
    # @!attribute [rw] requested
    #   @return [::Google::Cloud::PrivilegedAccessManager::V1::Grant::Timeline::Event::Requested]
    #     The grant was requested.
    #
    #     Note: The following fields are mutually exclusive: `requested`, `approved`, `denied`, `revoked`, `scheduled`, `activated`, `activation_failed`, `expired`, `ended`, `externally_modified`, `withdrawn`. If a field in that set is populated, all other fields in the set will automatically be cleared.
    # @!attribute [rw] approved
    #   @return [::Google::Cloud::PrivilegedAccessManager::V1::Grant::Timeline::Event::Approved]
    #     The grant was approved.
    #
    #     Note: The following fields are mutually exclusive: `approved`, `requested`, `denied`, `revoked`, `scheduled`, `activated`, `activation_failed`, `expired`, `ended`, `externally_modified`, `withdrawn`. If a field in that set is populated, all other fields in the set will automatically be cleared.
    # @!attribute [rw] denied
    #   @return [::Google::Cloud::PrivilegedAccessManager::V1::Grant::Timeline::Event::Denied]
    #     The grant was denied.
    #
    #     Note: The following fields are mutually exclusive: `denied`, `requested`, `approved`, `revoked`, `scheduled`, `activated`, `activation_failed`, `expired`, `ended`, `externally_modified`, `withdrawn`. If a field in that set is populated, all other fields in the set will automatically be cleared.
    # @!attribute [rw] revoked
    #   @return [::Google::Cloud::PrivilegedAccessManager::V1::Grant::Timeline::Event::Revoked]
    #     The grant was revoked.
    #
    #     Note: The following fields are mutually exclusive: `revoked`, `requested`, `approved`, `denied`, `scheduled`, `activated`, `activation_failed`, `expired`, `ended`, `externally_modified`, `withdrawn`. If a field in that set is populated, all other fields in the set will automatically be cleared.
    # @!attribute [rw] scheduled
    #   @return [::Google::Cloud::PrivilegedAccessManager::V1::Grant::Timeline::Event::Scheduled]
    #     The grant has been scheduled to give access.
    #
    #     Note: The following fields are mutually exclusive: `scheduled`, `requested`, `approved`, `denied`, `revoked`, `activated`, `activation_failed`, `expired`, `ended`, `externally_modified`, `withdrawn`. If a field in that set is populated, all other fields in the set will automatically be cleared.
    # @!attribute [rw] activated
    #   @return [::Google::Cloud::PrivilegedAccessManager::V1::Grant::Timeline::Event::Activated]
    #     The grant was successfully activated to give access.
    #
    #     Note: The following fields are mutually exclusive: `activated`, `requested`, `approved`, `denied`, `revoked`, `scheduled`, `activation_failed`, `expired`, `ended`, `externally_modified`, `withdrawn`. If a field in that set is populated, all other fields in the set will automatically be cleared.
    # @!attribute [rw] activation_failed
    #   @return [::Google::Cloud::PrivilegedAccessManager::V1::Grant::Timeline::Event::ActivationFailed]
    #     There was a non-retriable error while trying to give access.
    #
    #     Note: The following fields are mutually exclusive: `activation_failed`, `requested`, `approved`, `denied`, `revoked`, `scheduled`, `activated`, `expired`, `ended`, `externally_modified`, `withdrawn`. If a field in that set is populated, all other fields in the set will automatically be cleared.
    # @!attribute [rw] expired
    #   @return [::Google::Cloud::PrivilegedAccessManager::V1::Grant::Timeline::Event::Expired]
    #     The approval workflow did not complete in the necessary duration,
    #     and so the grant is expired.
    #
    #     Note: The following fields are mutually exclusive: `expired`, `requested`, `approved`, `denied`, `revoked`, `scheduled`, `activated`, `activation_failed`, `ended`, `externally_modified`, `withdrawn`. If a field in that set is populated, all other fields in the set will automatically be cleared.
    # @!attribute [rw] ended
    #   @return [::Google::Cloud::PrivilegedAccessManager::V1::Grant::Timeline::Event::Ended]
    #     Access given by the grant ended automatically as the approved
    #     duration was over.
    #
    #     Note: The following fields are mutually exclusive: `ended`, `requested`, `approved`, `denied`, `revoked`, `scheduled`, `activated`, `activation_failed`, `expired`, `externally_modified`, `withdrawn`. If a field in that set is populated, all other fields in the set will automatically be cleared.
    # @!attribute [rw] externally_modified
    #   @return [::Google::Cloud::PrivilegedAccessManager::V1::Grant::Timeline::Event::ExternallyModified]
    #     The policy bindings made by grant have been modified outside of PAM.
    #
    #     Note: The following fields are mutually exclusive: `externally_modified`, `requested`, `approved`, `denied`, `revoked`, `scheduled`, `activated`, `activation_failed`, `expired`, `ended`, `withdrawn`. If a field in that set is populated, all other fields in the set will automatically be cleared.
    # @!attribute [rw] withdrawn
    #   @return [::Google::Cloud::PrivilegedAccessManager::V1::Grant::Timeline::Event::Withdrawn]
    #     The grant was withdrawn.
    #
    #     Note: The following fields are mutually exclusive: `withdrawn`, `requested`, `approved`, `denied`, `revoked`, `scheduled`, `activated`, `activation_failed`, `expired`, `ended`, `externally_modified`. If a field in that set is populated, all other fields in the set will automatically be cleared.
    # @!attribute [r] event_time
    #   @return [::Google::Protobuf::Timestamp]
    #     Output only. The time (as recorded at server) when this event occurred.
    class Event
      include ::Google::Protobuf::MessageExts
      extend ::Google::Protobuf::MessageExts::ClassMethods

      # An event representing that a grant was requested.
      # @!attribute [r] expire_time
      #   @return [::Google::Protobuf::Timestamp]
      #     Output only. The time at which this grant expires unless the approval
      #     workflow completes. If omitted, then the request never expires.
      class Requested
        include ::Google::Protobuf::MessageExts
        extend ::Google::Protobuf::MessageExts::ClassMethods
      end

      # An event representing that the grant was approved.
      # @!attribute [r] reason
      #   @return [::String]
      #     Output only. The reason provided by the approver for approving the
      #     grant.
      # @!attribute [r] actor
      #   @return [::String]
      #     Output only. Username of the user who approved the grant.
      class Approved
        include ::Google::Protobuf::MessageExts
        extend ::Google::Protobuf::MessageExts::ClassMethods
      end

      # An event representing that the grant was denied.
      # @!attribute [r] reason
      #   @return [::String]
      #     Output only. The reason provided by the approver for denying the
      #     grant.
      # @!attribute [r] actor
      #   @return [::String]
      #     Output only. Username of the user who denied the grant.
      class Denied
        include ::Google::Protobuf::MessageExts
        extend ::Google::Protobuf::MessageExts::ClassMethods
      end

      # An event representing that the grant was revoked.
      # @!attribute [r] reason
      #   @return [::String]
      #     Output only. The reason provided by the user for revoking the grant.
      # @!attribute [r] actor
      #   @return [::String]
      #     Output only. Username of the user who revoked the grant.
      class Revoked
        include ::Google::Protobuf::MessageExts
        extend ::Google::Protobuf::MessageExts::ClassMethods
      end

      # An event representing that the grant was withdrawn.
      class Withdrawn
        include ::Google::Protobuf::MessageExts
        extend ::Google::Protobuf::MessageExts::ClassMethods
      end

      # An event representing that the grant has been scheduled to be
      # activated later.
      # @!attribute [r] scheduled_activation_time
      #   @return [::Google::Protobuf::Timestamp]
      #     Output only. The time at which the access is granted.
      class Scheduled
        include ::Google::Protobuf::MessageExts
        extend ::Google::Protobuf::MessageExts::ClassMethods
      end

      # An event representing that the grant was successfully
      # activated.
      class Activated
        include ::Google::Protobuf::MessageExts
        extend ::Google::Protobuf::MessageExts::ClassMethods
      end

      # An event representing that the grant activation failed.
      # @!attribute [r] error
      #   @return [::Google::Rpc::Status]
      #     Output only. The error that occurred while activating the grant.
      class ActivationFailed
        include ::Google::Protobuf::MessageExts
        extend ::Google::Protobuf::MessageExts::ClassMethods
      end

      # An event representing that the grant was expired.
      class Expired
        include ::Google::Protobuf::MessageExts
        extend ::Google::Protobuf::MessageExts::ClassMethods
      end

      # An event representing that the grant has ended.
      class Ended
        include ::Google::Protobuf::MessageExts
        extend ::Google::Protobuf::MessageExts::ClassMethods
      end

      # An event representing that the policy bindings made by this grant were
      # modified externally.
      class ExternallyModified
        include ::Google::Protobuf::MessageExts
        extend ::Google::Protobuf::MessageExts::ClassMethods
      end
    end
  end

  # Audit trail for the access provided by this grant.
  # @!attribute [r] access_grant_time
  #   @return [::Google::Protobuf::Timestamp]
  #     Output only. The time at which access was given.
  # @!attribute [r] access_remove_time
  #   @return [::Google::Protobuf::Timestamp]
  #     Output only. The time at which the system removed access. This could be
  #     because of an automatic expiry or because of a revocation.
  #
  #     If unspecified, then access hasn't been removed yet.
  class AuditTrail
    include ::Google::Protobuf::MessageExts
    extend ::Google::Protobuf::MessageExts::ClassMethods
  end

  # Different states a grant can be in.
  module State
    # Unspecified state. This value is never returned by the server.
    STATE_UNSPECIFIED = 0

    # The entitlement had an approval workflow configured and this grant is
    # waiting for the workflow to complete.
    APPROVAL_AWAITED = 1

    # The approval workflow completed with a denied result. No access is
    # granted for this grant. This is a terminal state.
    DENIED = 3

    # The approval workflow completed successfully with an approved result or
    # none was configured. Access is provided at an appropriate time.
    SCHEDULED = 4

    # Access is being given.
    ACTIVATING = 5

    # Access was successfully given and is currently active.
    ACTIVE = 6

    # The system could not give access due to a non-retriable error. This is a
    # terminal state.
    ACTIVATION_FAILED = 7

    # Expired after waiting for the approval workflow to complete. This is a
    # terminal state.
    EXPIRED = 8

    # Access is being revoked.
    REVOKING = 9

    # Access was revoked by a user. This is a terminal state.
    REVOKED = 10

    # System took back access as the requested duration was over. This is a
    # terminal state.
    ENDED = 11

    # Access is being withdrawn.
    WITHDRAWING = 12

    # Grant was withdrawn by the grant owner. This is a terminal state.
    WITHDRAWN = 13
  end
end

#name ⇒ ::String

Returns Identifier. Name of this grant. Possible formats:

• organizations/{organization-number}/locations/{region}/entitlements/{entitlement-id}/grants/{grant-id}
• folders/{folder-number}/locations/{region}/entitlements/{entitlement-id}/grants/{grant-id}
• projects/{project-id|project-number}/locations/{region}/entitlements/{entitlement-id}/grants/{grant-id}

The last segment of this name ({grant-id}) is autogenerated.

Returns:

• (::String) —

  Identifier. Name of this grant. Possible formats:

  • organizations/{organization-number}/locations/{region}/entitlements/{entitlement-id}/grants/{grant-id}
  • folders/{folder-number}/locations/{region}/entitlements/{entitlement-id}/grants/{grant-id}
  • projects/{project-id|project-number}/locations/{region}/entitlements/{entitlement-id}/grants/{grant-id}

  The last segment of this name ({grant-id}) is autogenerated.

# File 'proto_docs/google/cloud/privilegedaccessmanager/v1/privilegedaccessmanager.rb', line 551

class Grant
  include ::Google::Protobuf::MessageExts
  extend ::Google::Protobuf::MessageExts::ClassMethods

  # Timeline of a grant describing what happened to it and when.
  # @!attribute [r] events
  #   @return [::Array<::Google::Cloud::PrivilegedAccessManager::V1::Grant::Timeline::Event>]
  #     Output only. The events that have occurred on this grant. This list
  #     contains entries in the same order as they occurred. The first entry is
  #     always be of type `Requested` and there is always at least one entry in
  #     this array.
  class Timeline
    include ::Google::Protobuf::MessageExts
    extend ::Google::Protobuf::MessageExts::ClassMethods

    # A single operation on the grant.
    # @!attribute [rw] requested
    #   @return [::Google::Cloud::PrivilegedAccessManager::V1::Grant::Timeline::Event::Requested]
    #     The grant was requested.
    #
    #     Note: The following fields are mutually exclusive: `requested`, `approved`, `denied`, `revoked`, `scheduled`, `activated`, `activation_failed`, `expired`, `ended`, `externally_modified`, `withdrawn`. If a field in that set is populated, all other fields in the set will automatically be cleared.
    # @!attribute [rw] approved
    #   @return [::Google::Cloud::PrivilegedAccessManager::V1::Grant::Timeline::Event::Approved]
    #     The grant was approved.
    #
    #     Note: The following fields are mutually exclusive: `approved`, `requested`, `denied`, `revoked`, `scheduled`, `activated`, `activation_failed`, `expired`, `ended`, `externally_modified`, `withdrawn`. If a field in that set is populated, all other fields in the set will automatically be cleared.
    # @!attribute [rw] denied
    #   @return [::Google::Cloud::PrivilegedAccessManager::V1::Grant::Timeline::Event::Denied]
    #     The grant was denied.
    #
    #     Note: The following fields are mutually exclusive: `denied`, `requested`, `approved`, `revoked`, `scheduled`, `activated`, `activation_failed`, `expired`, `ended`, `externally_modified`, `withdrawn`. If a field in that set is populated, all other fields in the set will automatically be cleared.
    # @!attribute [rw] revoked
    #   @return [::Google::Cloud::PrivilegedAccessManager::V1::Grant::Timeline::Event::Revoked]
    #     The grant was revoked.
    #
    #     Note: The following fields are mutually exclusive: `revoked`, `requested`, `approved`, `denied`, `scheduled`, `activated`, `activation_failed`, `expired`, `ended`, `externally_modified`, `withdrawn`. If a field in that set is populated, all other fields in the set will automatically be cleared.
    # @!attribute [rw] scheduled
    #   @return [::Google::Cloud::PrivilegedAccessManager::V1::Grant::Timeline::Event::Scheduled]
    #     The grant has been scheduled to give access.
    #
    #     Note: The following fields are mutually exclusive: `scheduled`, `requested`, `approved`, `denied`, `revoked`, `activated`, `activation_failed`, `expired`, `ended`, `externally_modified`, `withdrawn`. If a field in that set is populated, all other fields in the set will automatically be cleared.
    # @!attribute [rw] activated
    #   @return [::Google::Cloud::PrivilegedAccessManager::V1::Grant::Timeline::Event::Activated]
    #     The grant was successfully activated to give access.
    #
    #     Note: The following fields are mutually exclusive: `activated`, `requested`, `approved`, `denied`, `revoked`, `scheduled`, `activation_failed`, `expired`, `ended`, `externally_modified`, `withdrawn`. If a field in that set is populated, all other fields in the set will automatically be cleared.
    # @!attribute [rw] activation_failed
    #   @return [::Google::Cloud::PrivilegedAccessManager::V1::Grant::Timeline::Event::ActivationFailed]
    #     There was a non-retriable error while trying to give access.
    #
    #     Note: The following fields are mutually exclusive: `activation_failed`, `requested`, `approved`, `denied`, `revoked`, `scheduled`, `activated`, `expired`, `ended`, `externally_modified`, `withdrawn`. If a field in that set is populated, all other fields in the set will automatically be cleared.
    # @!attribute [rw] expired
    #   @return [::Google::Cloud::PrivilegedAccessManager::V1::Grant::Timeline::Event::Expired]
    #     The approval workflow did not complete in the necessary duration,
    #     and so the grant is expired.
    #
    #     Note: The following fields are mutually exclusive: `expired`, `requested`, `approved`, `denied`, `revoked`, `scheduled`, `activated`, `activation_failed`, `ended`, `externally_modified`, `withdrawn`. If a field in that set is populated, all other fields in the set will automatically be cleared.
    # @!attribute [rw] ended
    #   @return [::Google::Cloud::PrivilegedAccessManager::V1::Grant::Timeline::Event::Ended]
    #     Access given by the grant ended automatically as the approved
    #     duration was over.
    #
    #     Note: The following fields are mutually exclusive: `ended`, `requested`, `approved`, `denied`, `revoked`, `scheduled`, `activated`, `activation_failed`, `expired`, `externally_modified`, `withdrawn`. If a field in that set is populated, all other fields in the set will automatically be cleared.
    # @!attribute [rw] externally_modified
    #   @return [::Google::Cloud::PrivilegedAccessManager::V1::Grant::Timeline::Event::ExternallyModified]
    #     The policy bindings made by grant have been modified outside of PAM.
    #
    #     Note: The following fields are mutually exclusive: `externally_modified`, `requested`, `approved`, `denied`, `revoked`, `scheduled`, `activated`, `activation_failed`, `expired`, `ended`, `withdrawn`. If a field in that set is populated, all other fields in the set will automatically be cleared.
    # @!attribute [rw] withdrawn
    #   @return [::Google::Cloud::PrivilegedAccessManager::V1::Grant::Timeline::Event::Withdrawn]
    #     The grant was withdrawn.
    #
    #     Note: The following fields are mutually exclusive: `withdrawn`, `requested`, `approved`, `denied`, `revoked`, `scheduled`, `activated`, `activation_failed`, `expired`, `ended`, `externally_modified`. If a field in that set is populated, all other fields in the set will automatically be cleared.
    # @!attribute [r] event_time
    #   @return [::Google::Protobuf::Timestamp]
    #     Output only. The time (as recorded at server) when this event occurred.
    class Event
      include ::Google::Protobuf::MessageExts
      extend ::Google::Protobuf::MessageExts::ClassMethods

      # An event representing that a grant was requested.
      # @!attribute [r] expire_time
      #   @return [::Google::Protobuf::Timestamp]
      #     Output only. The time at which this grant expires unless the approval
      #     workflow completes. If omitted, then the request never expires.
      class Requested
        include ::Google::Protobuf::MessageExts
        extend ::Google::Protobuf::MessageExts::ClassMethods
      end

      # An event representing that the grant was approved.
      # @!attribute [r] reason
      #   @return [::String]
      #     Output only. The reason provided by the approver for approving the
      #     grant.
      # @!attribute [r] actor
      #   @return [::String]
      #     Output only. Username of the user who approved the grant.
      class Approved
        include ::Google::Protobuf::MessageExts
        extend ::Google::Protobuf::MessageExts::ClassMethods
      end

      # An event representing that the grant was denied.
      # @!attribute [r] reason
      #   @return [::String]
      #     Output only. The reason provided by the approver for denying the
      #     grant.
      # @!attribute [r] actor
      #   @return [::String]
      #     Output only. Username of the user who denied the grant.
      class Denied
        include ::Google::Protobuf::MessageExts
        extend ::Google::Protobuf::MessageExts::ClassMethods
      end

      # An event representing that the grant was revoked.
      # @!attribute [r] reason
      #   @return [::String]
      #     Output only. The reason provided by the user for revoking the grant.
      # @!attribute [r] actor
      #   @return [::String]
      #     Output only. Username of the user who revoked the grant.
      class Revoked
        include ::Google::Protobuf::MessageExts
        extend ::Google::Protobuf::MessageExts::ClassMethods
      end

      # An event representing that the grant was withdrawn.
      class Withdrawn
        include ::Google::Protobuf::MessageExts
        extend ::Google::Protobuf::MessageExts::ClassMethods
      end

      # An event representing that the grant has been scheduled to be
      # activated later.
      # @!attribute [r] scheduled_activation_time
      #   @return [::Google::Protobuf::Timestamp]
      #     Output only. The time at which the access is granted.
      class Scheduled
        include ::Google::Protobuf::MessageExts
        extend ::Google::Protobuf::MessageExts::ClassMethods
      end

      # An event representing that the grant was successfully
      # activated.
      class Activated
        include ::Google::Protobuf::MessageExts
        extend ::Google::Protobuf::MessageExts::ClassMethods
      end

      # An event representing that the grant activation failed.
      # @!attribute [r] error
      #   @return [::Google::Rpc::Status]
      #     Output only. The error that occurred while activating the grant.
      class ActivationFailed
        include ::Google::Protobuf::MessageExts
        extend ::Google::Protobuf::MessageExts::ClassMethods
      end

      # An event representing that the grant was expired.
      class Expired
        include ::Google::Protobuf::MessageExts
        extend ::Google::Protobuf::MessageExts::ClassMethods
      end

      # An event representing that the grant has ended.
      class Ended
        include ::Google::Protobuf::MessageExts
        extend ::Google::Protobuf::MessageExts::ClassMethods
      end

      # An event representing that the policy bindings made by this grant were
      # modified externally.
      class ExternallyModified
        include ::Google::Protobuf::MessageExts
        extend ::Google::Protobuf::MessageExts::ClassMethods
      end
    end
  end

  # Audit trail for the access provided by this grant.
  # @!attribute [r] access_grant_time
  #   @return [::Google::Protobuf::Timestamp]
  #     Output only. The time at which access was given.
  # @!attribute [r] access_remove_time
  #   @return [::Google::Protobuf::Timestamp]
  #     Output only. The time at which the system removed access. This could be
  #     because of an automatic expiry or because of a revocation.
  #
  #     If unspecified, then access hasn't been removed yet.
  class AuditTrail
    include ::Google::Protobuf::MessageExts
    extend ::Google::Protobuf::MessageExts::ClassMethods
  end

  # Different states a grant can be in.
  module State
    # Unspecified state. This value is never returned by the server.
    STATE_UNSPECIFIED = 0

    # The entitlement had an approval workflow configured and this grant is
    # waiting for the workflow to complete.
    APPROVAL_AWAITED = 1

    # The approval workflow completed with a denied result. No access is
    # granted for this grant. This is a terminal state.
    DENIED = 3

    # The approval workflow completed successfully with an approved result or
    # none was configured. Access is provided at an appropriate time.
    SCHEDULED = 4

    # Access is being given.
    ACTIVATING = 5

    # Access was successfully given and is currently active.
    ACTIVE = 6

    # The system could not give access due to a non-retriable error. This is a
    # terminal state.
    ACTIVATION_FAILED = 7

    # Expired after waiting for the approval workflow to complete. This is a
    # terminal state.
    EXPIRED = 8

    # Access is being revoked.
    REVOKING = 9

    # Access was revoked by a user. This is a terminal state.
    REVOKED = 10

    # System took back access as the requested duration was over. This is a
    # terminal state.
    ENDED = 11

    # Access is being withdrawn.
    WITHDRAWING = 12

    # Grant was withdrawn by the grant owner. This is a terminal state.
    WITHDRAWN = 13
  end
end

#privileged_access ⇒ ::Google::Cloud::PrivilegedAccessManager::V1::PrivilegedAccess (readonly)

Returns Output only. The access that would be granted by this grant.

Returns:

• (::Google::Cloud::PrivilegedAccessManager::V1::PrivilegedAccess) —

  Output only. The access that would be granted by this grant.

# File 'proto_docs/google/cloud/privilegedaccessmanager/v1/privilegedaccessmanager.rb', line 551

class Grant
  include ::Google::Protobuf::MessageExts
  extend ::Google::Protobuf::MessageExts::ClassMethods

  # Timeline of a grant describing what happened to it and when.
  # @!attribute [r] events
  #   @return [::Array<::Google::Cloud::PrivilegedAccessManager::V1::Grant::Timeline::Event>]
  #     Output only. The events that have occurred on this grant. This list
  #     contains entries in the same order as they occurred. The first entry is
  #     always be of type `Requested` and there is always at least one entry in
  #     this array.
  class Timeline
    include ::Google::Protobuf::MessageExts
    extend ::Google::Protobuf::MessageExts::ClassMethods

    # A single operation on the grant.
    # @!attribute [rw] requested
    #   @return [::Google::Cloud::PrivilegedAccessManager::V1::Grant::Timeline::Event::Requested]
    #     The grant was requested.
    #
    #     Note: The following fields are mutually exclusive: `requested`, `approved`, `denied`, `revoked`, `scheduled`, `activated`, `activation_failed`, `expired`, `ended`, `externally_modified`, `withdrawn`. If a field in that set is populated, all other fields in the set will automatically be cleared.
    # @!attribute [rw] approved
    #   @return [::Google::Cloud::PrivilegedAccessManager::V1::Grant::Timeline::Event::Approved]
    #     The grant was approved.
    #
    #     Note: The following fields are mutually exclusive: `approved`, `requested`, `denied`, `revoked`, `scheduled`, `activated`, `activation_failed`, `expired`, `ended`, `externally_modified`, `withdrawn`. If a field in that set is populated, all other fields in the set will automatically be cleared.
    # @!attribute [rw] denied
    #   @return [::Google::Cloud::PrivilegedAccessManager::V1::Grant::Timeline::Event::Denied]
    #     The grant was denied.
    #
    #     Note: The following fields are mutually exclusive: `denied`, `requested`, `approved`, `revoked`, `scheduled`, `activated`, `activation_failed`, `expired`, `ended`, `externally_modified`, `withdrawn`. If a field in that set is populated, all other fields in the set will automatically be cleared.
    # @!attribute [rw] revoked
    #   @return [::Google::Cloud::PrivilegedAccessManager::V1::Grant::Timeline::Event::Revoked]
    #     The grant was revoked.
    #
    #     Note: The following fields are mutually exclusive: `revoked`, `requested`, `approved`, `denied`, `scheduled`, `activated`, `activation_failed`, `expired`, `ended`, `externally_modified`, `withdrawn`. If a field in that set is populated, all other fields in the set will automatically be cleared.
    # @!attribute [rw] scheduled
    #   @return [::Google::Cloud::PrivilegedAccessManager::V1::Grant::Timeline::Event::Scheduled]
    #     The grant has been scheduled to give access.
    #
    #     Note: The following fields are mutually exclusive: `scheduled`, `requested`, `approved`, `denied`, `revoked`, `activated`, `activation_failed`, `expired`, `ended`, `externally_modified`, `withdrawn`. If a field in that set is populated, all other fields in the set will automatically be cleared.
    # @!attribute [rw] activated
    #   @return [::Google::Cloud::PrivilegedAccessManager::V1::Grant::Timeline::Event::Activated]
    #     The grant was successfully activated to give access.
    #
    #     Note: The following fields are mutually exclusive: `activated`, `requested`, `approved`, `denied`, `revoked`, `scheduled`, `activation_failed`, `expired`, `ended`, `externally_modified`, `withdrawn`. If a field in that set is populated, all other fields in the set will automatically be cleared.
    # @!attribute [rw] activation_failed
    #   @return [::Google::Cloud::PrivilegedAccessManager::V1::Grant::Timeline::Event::ActivationFailed]
    #     There was a non-retriable error while trying to give access.
    #
    #     Note: The following fields are mutually exclusive: `activation_failed`, `requested`, `approved`, `denied`, `revoked`, `scheduled`, `activated`, `expired`, `ended`, `externally_modified`, `withdrawn`. If a field in that set is populated, all other fields in the set will automatically be cleared.
    # @!attribute [rw] expired
    #   @return [::Google::Cloud::PrivilegedAccessManager::V1::Grant::Timeline::Event::Expired]
    #     The approval workflow did not complete in the necessary duration,
    #     and so the grant is expired.
    #
    #     Note: The following fields are mutually exclusive: `expired`, `requested`, `approved`, `denied`, `revoked`, `scheduled`, `activated`, `activation_failed`, `ended`, `externally_modified`, `withdrawn`. If a field in that set is populated, all other fields in the set will automatically be cleared.
    # @!attribute [rw] ended
    #   @return [::Google::Cloud::PrivilegedAccessManager::V1::Grant::Timeline::Event::Ended]
    #     Access given by the grant ended automatically as the approved
    #     duration was over.
    #
    #     Note: The following fields are mutually exclusive: `ended`, `requested`, `approved`, `denied`, `revoked`, `scheduled`, `activated`, `activation_failed`, `expired`, `externally_modified`, `withdrawn`. If a field in that set is populated, all other fields in the set will automatically be cleared.
    # @!attribute [rw] externally_modified
    #   @return [::Google::Cloud::PrivilegedAccessManager::V1::Grant::Timeline::Event::ExternallyModified]
    #     The policy bindings made by grant have been modified outside of PAM.
    #
    #     Note: The following fields are mutually exclusive: `externally_modified`, `requested`, `approved`, `denied`, `revoked`, `scheduled`, `activated`, `activation_failed`, `expired`, `ended`, `withdrawn`. If a field in that set is populated, all other fields in the set will automatically be cleared.
    # @!attribute [rw] withdrawn
    #   @return [::Google::Cloud::PrivilegedAccessManager::V1::Grant::Timeline::Event::Withdrawn]
    #     The grant was withdrawn.
    #
    #     Note: The following fields are mutually exclusive: `withdrawn`, `requested`, `approved`, `denied`, `revoked`, `scheduled`, `activated`, `activation_failed`, `expired`, `ended`, `externally_modified`. If a field in that set is populated, all other fields in the set will automatically be cleared.
    # @!attribute [r] event_time
    #   @return [::Google::Protobuf::Timestamp]
    #     Output only. The time (as recorded at server) when this event occurred.
    class Event
      include ::Google::Protobuf::MessageExts
      extend ::Google::Protobuf::MessageExts::ClassMethods

      # An event representing that a grant was requested.
      # @!attribute [r] expire_time
      #   @return [::Google::Protobuf::Timestamp]
      #     Output only. The time at which this grant expires unless the approval
      #     workflow completes. If omitted, then the request never expires.
      class Requested
        include ::Google::Protobuf::MessageExts
        extend ::Google::Protobuf::MessageExts::ClassMethods
      end

      # An event representing that the grant was approved.
      # @!attribute [r] reason
      #   @return [::String]
      #     Output only. The reason provided by the approver for approving the
      #     grant.
      # @!attribute [r] actor
      #   @return [::String]
      #     Output only. Username of the user who approved the grant.
      class Approved
        include ::Google::Protobuf::MessageExts
        extend ::Google::Protobuf::MessageExts::ClassMethods
      end

      # An event representing that the grant was denied.
      # @!attribute [r] reason
      #   @return [::String]
      #     Output only. The reason provided by the approver for denying the
      #     grant.
      # @!attribute [r] actor
      #   @return [::String]
      #     Output only. Username of the user who denied the grant.
      class Denied
        include ::Google::Protobuf::MessageExts
        extend ::Google::Protobuf::MessageExts::ClassMethods
      end

      # An event representing that the grant was revoked.
      # @!attribute [r] reason
      #   @return [::String]
      #     Output only. The reason provided by the user for revoking the grant.
      # @!attribute [r] actor
      #   @return [::String]
      #     Output only. Username of the user who revoked the grant.
      class Revoked
        include ::Google::Protobuf::MessageExts
        extend ::Google::Protobuf::MessageExts::ClassMethods
      end

      # An event representing that the grant was withdrawn.
      class Withdrawn
        include ::Google::Protobuf::MessageExts
        extend ::Google::Protobuf::MessageExts::ClassMethods
      end

      # An event representing that the grant has been scheduled to be
      # activated later.
      # @!attribute [r] scheduled_activation_time
      #   @return [::Google::Protobuf::Timestamp]
      #     Output only. The time at which the access is granted.
      class Scheduled
        include ::Google::Protobuf::MessageExts
        extend ::Google::Protobuf::MessageExts::ClassMethods
      end

      # An event representing that the grant was successfully
      # activated.
      class Activated
        include ::Google::Protobuf::MessageExts
        extend ::Google::Protobuf::MessageExts::ClassMethods
      end

      # An event representing that the grant activation failed.
      # @!attribute [r] error
      #   @return [::Google::Rpc::Status]
      #     Output only. The error that occurred while activating the grant.
      class ActivationFailed
        include ::Google::Protobuf::MessageExts
        extend ::Google::Protobuf::MessageExts::ClassMethods
      end

      # An event representing that the grant was expired.
      class Expired
        include ::Google::Protobuf::MessageExts
        extend ::Google::Protobuf::MessageExts::ClassMethods
      end

      # An event representing that the grant has ended.
      class Ended
        include ::Google::Protobuf::MessageExts
        extend ::Google::Protobuf::MessageExts::ClassMethods
      end

      # An event representing that the policy bindings made by this grant were
      # modified externally.
      class ExternallyModified
        include ::Google::Protobuf::MessageExts
        extend ::Google::Protobuf::MessageExts::ClassMethods
      end
    end
  end

  # Audit trail for the access provided by this grant.
  # @!attribute [r] access_grant_time
  #   @return [::Google::Protobuf::Timestamp]
  #     Output only. The time at which access was given.
  # @!attribute [r] access_remove_time
  #   @return [::Google::Protobuf::Timestamp]
  #     Output only. The time at which the system removed access. This could be
  #     because of an automatic expiry or because of a revocation.
  #
  #     If unspecified, then access hasn't been removed yet.
  class AuditTrail
    include ::Google::Protobuf::MessageExts
    extend ::Google::Protobuf::MessageExts::ClassMethods
  end

  # Different states a grant can be in.
  module State
    # Unspecified state. This value is never returned by the server.
    STATE_UNSPECIFIED = 0

    # The entitlement had an approval workflow configured and this grant is
    # waiting for the workflow to complete.
    APPROVAL_AWAITED = 1

    # The approval workflow completed with a denied result. No access is
    # granted for this grant. This is a terminal state.
    DENIED = 3

    # The approval workflow completed successfully with an approved result or
    # none was configured. Access is provided at an appropriate time.
    SCHEDULED = 4

    # Access is being given.
    ACTIVATING = 5

    # Access was successfully given and is currently active.
    ACTIVE = 6

    # The system could not give access due to a non-retriable error. This is a
    # terminal state.
    ACTIVATION_FAILED = 7

    # Expired after waiting for the approval workflow to complete. This is a
    # terminal state.
    EXPIRED = 8

    # Access is being revoked.
    REVOKING = 9

    # Access was revoked by a user. This is a terminal state.
    REVOKED = 10

    # System took back access as the requested duration was over. This is a
    # terminal state.
    ENDED = 11

    # Access is being withdrawn.
    WITHDRAWING = 12

    # Grant was withdrawn by the grant owner. This is a terminal state.
    WITHDRAWN = 13
  end
end

#requested_duration ⇒ ::Google::Protobuf::Duration

Returns Required. The amount of time access is needed for. This value should be less than the max_request_duration value of the entitlement.

Returns:

• (::Google::Protobuf::Duration) —

  Required. The amount of time access is needed for. This value should be less than the max_request_duration value of the entitlement.

# File 'proto_docs/google/cloud/privilegedaccessmanager/v1/privilegedaccessmanager.rb', line 551

class Grant
  include ::Google::Protobuf::MessageExts
  extend ::Google::Protobuf::MessageExts::ClassMethods

  # Timeline of a grant describing what happened to it and when.
  # @!attribute [r] events
  #   @return [::Array<::Google::Cloud::PrivilegedAccessManager::V1::Grant::Timeline::Event>]
  #     Output only. The events that have occurred on this grant. This list
  #     contains entries in the same order as they occurred. The first entry is
  #     always be of type `Requested` and there is always at least one entry in
  #     this array.
  class Timeline
    include ::Google::Protobuf::MessageExts
    extend ::Google::Protobuf::MessageExts::ClassMethods

    # A single operation on the grant.
    # @!attribute [rw] requested
    #   @return [::Google::Cloud::PrivilegedAccessManager::V1::Grant::Timeline::Event::Requested]
    #     The grant was requested.
    #
    #     Note: The following fields are mutually exclusive: `requested`, `approved`, `denied`, `revoked`, `scheduled`, `activated`, `activation_failed`, `expired`, `ended`, `externally_modified`, `withdrawn`. If a field in that set is populated, all other fields in the set will automatically be cleared.
    # @!attribute [rw] approved
    #   @return [::Google::Cloud::PrivilegedAccessManager::V1::Grant::Timeline::Event::Approved]
    #     The grant was approved.
    #
    #     Note: The following fields are mutually exclusive: `approved`, `requested`, `denied`, `revoked`, `scheduled`, `activated`, `activation_failed`, `expired`, `ended`, `externally_modified`, `withdrawn`. If a field in that set is populated, all other fields in the set will automatically be cleared.
    # @!attribute [rw] denied
    #   @return [::Google::Cloud::PrivilegedAccessManager::V1::Grant::Timeline::Event::Denied]
    #     The grant was denied.
    #
    #     Note: The following fields are mutually exclusive: `denied`, `requested`, `approved`, `revoked`, `scheduled`, `activated`, `activation_failed`, `expired`, `ended`, `externally_modified`, `withdrawn`. If a field in that set is populated, all other fields in the set will automatically be cleared.
    # @!attribute [rw] revoked
    #   @return [::Google::Cloud::PrivilegedAccessManager::V1::Grant::Timeline::Event::Revoked]
    #     The grant was revoked.
    #
    #     Note: The following fields are mutually exclusive: `revoked`, `requested`, `approved`, `denied`, `scheduled`, `activated`, `activation_failed`, `expired`, `ended`, `externally_modified`, `withdrawn`. If a field in that set is populated, all other fields in the set will automatically be cleared.
    # @!attribute [rw] scheduled
    #   @return [::Google::Cloud::PrivilegedAccessManager::V1::Grant::Timeline::Event::Scheduled]
    #     The grant has been scheduled to give access.
    #
    #     Note: The following fields are mutually exclusive: `scheduled`, `requested`, `approved`, `denied`, `revoked`, `activated`, `activation_failed`, `expired`, `ended`, `externally_modified`, `withdrawn`. If a field in that set is populated, all other fields in the set will automatically be cleared.
    # @!attribute [rw] activated
    #   @return [::Google::Cloud::PrivilegedAccessManager::V1::Grant::Timeline::Event::Activated]
    #     The grant was successfully activated to give access.
    #
    #     Note: The following fields are mutually exclusive: `activated`, `requested`, `approved`, `denied`, `revoked`, `scheduled`, `activation_failed`, `expired`, `ended`, `externally_modified`, `withdrawn`. If a field in that set is populated, all other fields in the set will automatically be cleared.
    # @!attribute [rw] activation_failed
    #   @return [::Google::Cloud::PrivilegedAccessManager::V1::Grant::Timeline::Event::ActivationFailed]
    #     There was a non-retriable error while trying to give access.
    #
    #     Note: The following fields are mutually exclusive: `activation_failed`, `requested`, `approved`, `denied`, `revoked`, `scheduled`, `activated`, `expired`, `ended`, `externally_modified`, `withdrawn`. If a field in that set is populated, all other fields in the set will automatically be cleared.
    # @!attribute [rw] expired
    #   @return [::Google::Cloud::PrivilegedAccessManager::V1::Grant::Timeline::Event::Expired]
    #     The approval workflow did not complete in the necessary duration,
    #     and so the grant is expired.
    #
    #     Note: The following fields are mutually exclusive: `expired`, `requested`, `approved`, `denied`, `revoked`, `scheduled`, `activated`, `activation_failed`, `ended`, `externally_modified`, `withdrawn`. If a field in that set is populated, all other fields in the set will automatically be cleared.
    # @!attribute [rw] ended
    #   @return [::Google::Cloud::PrivilegedAccessManager::V1::Grant::Timeline::Event::Ended]
    #     Access given by the grant ended automatically as the approved
    #     duration was over.
    #
    #     Note: The following fields are mutually exclusive: `ended`, `requested`, `approved`, `denied`, `revoked`, `scheduled`, `activated`, `activation_failed`, `expired`, `externally_modified`, `withdrawn`. If a field in that set is populated, all other fields in the set will automatically be cleared.
    # @!attribute [rw] externally_modified
    #   @return [::Google::Cloud::PrivilegedAccessManager::V1::Grant::Timeline::Event::ExternallyModified]
    #     The policy bindings made by grant have been modified outside of PAM.
    #
    #     Note: The following fields are mutually exclusive: `externally_modified`, `requested`, `approved`, `denied`, `revoked`, `scheduled`, `activated`, `activation_failed`, `expired`, `ended`, `withdrawn`. If a field in that set is populated, all other fields in the set will automatically be cleared.
    # @!attribute [rw] withdrawn
    #   @return [::Google::Cloud::PrivilegedAccessManager::V1::Grant::Timeline::Event::Withdrawn]
    #     The grant was withdrawn.
    #
    #     Note: The following fields are mutually exclusive: `withdrawn`, `requested`, `approved`, `denied`, `revoked`, `scheduled`, `activated`, `activation_failed`, `expired`, `ended`, `externally_modified`. If a field in that set is populated, all other fields in the set will automatically be cleared.
    # @!attribute [r] event_time
    #   @return [::Google::Protobuf::Timestamp]
    #     Output only. The time (as recorded at server) when this event occurred.
    class Event
      include ::Google::Protobuf::MessageExts
      extend ::Google::Protobuf::MessageExts::ClassMethods

      # An event representing that a grant was requested.
      # @!attribute [r] expire_time
      #   @return [::Google::Protobuf::Timestamp]
      #     Output only. The time at which this grant expires unless the approval
      #     workflow completes. If omitted, then the request never expires.
      class Requested
        include ::Google::Protobuf::MessageExts
        extend ::Google::Protobuf::MessageExts::ClassMethods
      end

      # An event representing that the grant was approved.
      # @!attribute [r] reason
      #   @return [::String]
      #     Output only. The reason provided by the approver for approving the
      #     grant.
      # @!attribute [r] actor
      #   @return [::String]
      #     Output only. Username of the user who approved the grant.
      class Approved
        include ::Google::Protobuf::MessageExts
        extend ::Google::Protobuf::MessageExts::ClassMethods
      end

      # An event representing that the grant was denied.
      # @!attribute [r] reason
      #   @return [::String]
      #     Output only. The reason provided by the approver for denying the
      #     grant.
      # @!attribute [r] actor
      #   @return [::String]
      #     Output only. Username of the user who denied the grant.
      class Denied
        include ::Google::Protobuf::MessageExts
        extend ::Google::Protobuf::MessageExts::ClassMethods
      end

      # An event representing that the grant was revoked.
      # @!attribute [r] reason
      #   @return [::String]
      #     Output only. The reason provided by the user for revoking the grant.
      # @!attribute [r] actor
      #   @return [::String]
      #     Output only. Username of the user who revoked the grant.
      class Revoked
        include ::Google::Protobuf::MessageExts
        extend ::Google::Protobuf::MessageExts::ClassMethods
      end

      # An event representing that the grant was withdrawn.
      class Withdrawn
        include ::Google::Protobuf::MessageExts
        extend ::Google::Protobuf::MessageExts::ClassMethods
      end

      # An event representing that the grant has been scheduled to be
      # activated later.
      # @!attribute [r] scheduled_activation_time
      #   @return [::Google::Protobuf::Timestamp]
      #     Output only. The time at which the access is granted.
      class Scheduled
        include ::Google::Protobuf::MessageExts
        extend ::Google::Protobuf::MessageExts::ClassMethods
      end

      # An event representing that the grant was successfully
      # activated.
      class Activated
        include ::Google::Protobuf::MessageExts
        extend ::Google::Protobuf::MessageExts::ClassMethods
      end

      # An event representing that the grant activation failed.
      # @!attribute [r] error
      #   @return [::Google::Rpc::Status]
      #     Output only. The error that occurred while activating the grant.
      class ActivationFailed
        include ::Google::Protobuf::MessageExts
        extend ::Google::Protobuf::MessageExts::ClassMethods
      end

      # An event representing that the grant was expired.
      class Expired
        include ::Google::Protobuf::MessageExts
        extend ::Google::Protobuf::MessageExts::ClassMethods
      end

      # An event representing that the grant has ended.
      class Ended
        include ::Google::Protobuf::MessageExts
        extend ::Google::Protobuf::MessageExts::ClassMethods
      end

      # An event representing that the policy bindings made by this grant were
      # modified externally.
      class ExternallyModified
        include ::Google::Protobuf::MessageExts
        extend ::Google::Protobuf::MessageExts::ClassMethods
      end
    end
  end

  # Audit trail for the access provided by this grant.
  # @!attribute [r] access_grant_time
  #   @return [::Google::Protobuf::Timestamp]
  #     Output only. The time at which access was given.
  # @!attribute [r] access_remove_time
  #   @return [::Google::Protobuf::Timestamp]
  #     Output only. The time at which the system removed access. This could be
  #     because of an automatic expiry or because of a revocation.
  #
  #     If unspecified, then access hasn't been removed yet.
  class AuditTrail
    include ::Google::Protobuf::MessageExts
    extend ::Google::Protobuf::MessageExts::ClassMethods
  end

  # Different states a grant can be in.
  module State
    # Unspecified state. This value is never returned by the server.
    STATE_UNSPECIFIED = 0

    # The entitlement had an approval workflow configured and this grant is
    # waiting for the workflow to complete.
    APPROVAL_AWAITED = 1

    # The approval workflow completed with a denied result. No access is
    # granted for this grant. This is a terminal state.
    DENIED = 3

    # The approval workflow completed successfully with an approved result or
    # none was configured. Access is provided at an appropriate time.
    SCHEDULED = 4

    # Access is being given.
    ACTIVATING = 5

    # Access was successfully given and is currently active.
    ACTIVE = 6

    # The system could not give access due to a non-retriable error. This is a
    # terminal state.
    ACTIVATION_FAILED = 7

    # Expired after waiting for the approval workflow to complete. This is a
    # terminal state.
    EXPIRED = 8

    # Access is being revoked.
    REVOKING = 9

    # Access was revoked by a user. This is a terminal state.
    REVOKED = 10

    # System took back access as the requested duration was over. This is a
    # terminal state.
    ENDED = 11

    # Access is being withdrawn.
    WITHDRAWING = 12

    # Grant was withdrawn by the grant owner. This is a terminal state.
    WITHDRAWN = 13
  end
end

#requester ⇒ ::String (readonly)

Returns Output only. Username of the user who created this grant.

Returns:

• (::String) —

  Output only. Username of the user who created this grant.

# File 'proto_docs/google/cloud/privilegedaccessmanager/v1/privilegedaccessmanager.rb', line 551

class Grant
  include ::Google::Protobuf::MessageExts
  extend ::Google::Protobuf::MessageExts::ClassMethods

  # Timeline of a grant describing what happened to it and when.
  # @!attribute [r] events
  #   @return [::Array<::Google::Cloud::PrivilegedAccessManager::V1::Grant::Timeline::Event>]
  #     Output only. The events that have occurred on this grant. This list
  #     contains entries in the same order as they occurred. The first entry is
  #     always be of type `Requested` and there is always at least one entry in
  #     this array.
  class Timeline
    include ::Google::Protobuf::MessageExts
    extend ::Google::Protobuf::MessageExts::ClassMethods

    # A single operation on the grant.
    # @!attribute [rw] requested
    #   @return [::Google::Cloud::PrivilegedAccessManager::V1::Grant::Timeline::Event::Requested]
    #     The grant was requested.
    #
    #     Note: The following fields are mutually exclusive: `requested`, `approved`, `denied`, `revoked`, `scheduled`, `activated`, `activation_failed`, `expired`, `ended`, `externally_modified`, `withdrawn`. If a field in that set is populated, all other fields in the set will automatically be cleared.
    # @!attribute [rw] approved
    #   @return [::Google::Cloud::PrivilegedAccessManager::V1::Grant::Timeline::Event::Approved]
    #     The grant was approved.
    #
    #     Note: The following fields are mutually exclusive: `approved`, `requested`, `denied`, `revoked`, `scheduled`, `activated`, `activation_failed`, `expired`, `ended`, `externally_modified`, `withdrawn`. If a field in that set is populated, all other fields in the set will automatically be cleared.
    # @!attribute [rw] denied
    #   @return [::Google::Cloud::PrivilegedAccessManager::V1::Grant::Timeline::Event::Denied]
    #     The grant was denied.
    #
    #     Note: The following fields are mutually exclusive: `denied`, `requested`, `approved`, `revoked`, `scheduled`, `activated`, `activation_failed`, `expired`, `ended`, `externally_modified`, `withdrawn`. If a field in that set is populated, all other fields in the set will automatically be cleared.
    # @!attribute [rw] revoked
    #   @return [::Google::Cloud::PrivilegedAccessManager::V1::Grant::Timeline::Event::Revoked]
    #     The grant was revoked.
    #
    #     Note: The following fields are mutually exclusive: `revoked`, `requested`, `approved`, `denied`, `scheduled`, `activated`, `activation_failed`, `expired`, `ended`, `externally_modified`, `withdrawn`. If a field in that set is populated, all other fields in the set will automatically be cleared.
    # @!attribute [rw] scheduled
    #   @return [::Google::Cloud::PrivilegedAccessManager::V1::Grant::Timeline::Event::Scheduled]
    #     The grant has been scheduled to give access.
    #
    #     Note: The following fields are mutually exclusive: `scheduled`, `requested`, `approved`, `denied`, `revoked`, `activated`, `activation_failed`, `expired`, `ended`, `externally_modified`, `withdrawn`. If a field in that set is populated, all other fields in the set will automatically be cleared.
    # @!attribute [rw] activated
    #   @return [::Google::Cloud::PrivilegedAccessManager::V1::Grant::Timeline::Event::Activated]
    #     The grant was successfully activated to give access.
    #
    #     Note: The following fields are mutually exclusive: `activated`, `requested`, `approved`, `denied`, `revoked`, `scheduled`, `activation_failed`, `expired`, `ended`, `externally_modified`, `withdrawn`. If a field in that set is populated, all other fields in the set will automatically be cleared.
    # @!attribute [rw] activation_failed
    #   @return [::Google::Cloud::PrivilegedAccessManager::V1::Grant::Timeline::Event::ActivationFailed]
    #     There was a non-retriable error while trying to give access.
    #
    #     Note: The following fields are mutually exclusive: `activation_failed`, `requested`, `approved`, `denied`, `revoked`, `scheduled`, `activated`, `expired`, `ended`, `externally_modified`, `withdrawn`. If a field in that set is populated, all other fields in the set will automatically be cleared.
    # @!attribute [rw] expired
    #   @return [::Google::Cloud::PrivilegedAccessManager::V1::Grant::Timeline::Event::Expired]
    #     The approval workflow did not complete in the necessary duration,
    #     and so the grant is expired.
    #
    #     Note: The following fields are mutually exclusive: `expired`, `requested`, `approved`, `denied`, `revoked`, `scheduled`, `activated`, `activation_failed`, `ended`, `externally_modified`, `withdrawn`. If a field in that set is populated, all other fields in the set will automatically be cleared.
    # @!attribute [rw] ended
    #   @return [::Google::Cloud::PrivilegedAccessManager::V1::Grant::Timeline::Event::Ended]
    #     Access given by the grant ended automatically as the approved
    #     duration was over.
    #
    #     Note: The following fields are mutually exclusive: `ended`, `requested`, `approved`, `denied`, `revoked`, `scheduled`, `activated`, `activation_failed`, `expired`, `externally_modified`, `withdrawn`. If a field in that set is populated, all other fields in the set will automatically be cleared.
    # @!attribute [rw] externally_modified
    #   @return [::Google::Cloud::PrivilegedAccessManager::V1::Grant::Timeline::Event::ExternallyModified]
    #     The policy bindings made by grant have been modified outside of PAM.
    #
    #     Note: The following fields are mutually exclusive: `externally_modified`, `requested`, `approved`, `denied`, `revoked`, `scheduled`, `activated`, `activation_failed`, `expired`, `ended`, `withdrawn`. If a field in that set is populated, all other fields in the set will automatically be cleared.
    # @!attribute [rw] withdrawn
    #   @return [::Google::Cloud::PrivilegedAccessManager::V1::Grant::Timeline::Event::Withdrawn]
    #     The grant was withdrawn.
    #
    #     Note: The following fields are mutually exclusive: `withdrawn`, `requested`, `approved`, `denied`, `revoked`, `scheduled`, `activated`, `activation_failed`, `expired`, `ended`, `externally_modified`. If a field in that set is populated, all other fields in the set will automatically be cleared.
    # @!attribute [r] event_time
    #   @return [::Google::Protobuf::Timestamp]
    #     Output only. The time (as recorded at server) when this event occurred.
    class Event
      include ::Google::Protobuf::MessageExts
      extend ::Google::Protobuf::MessageExts::ClassMethods

      # An event representing that a grant was requested.
      # @!attribute [r] expire_time
      #   @return [::Google::Protobuf::Timestamp]
      #     Output only. The time at which this grant expires unless the approval
      #     workflow completes. If omitted, then the request never expires.
      class Requested
        include ::Google::Protobuf::MessageExts
        extend ::Google::Protobuf::MessageExts::ClassMethods
      end

      # An event representing that the grant was approved.
      # @!attribute [r] reason
      #   @return [::String]
      #     Output only. The reason provided by the approver for approving the
      #     grant.
      # @!attribute [r] actor
      #   @return [::String]
      #     Output only. Username of the user who approved the grant.
      class Approved
        include ::Google::Protobuf::MessageExts
        extend ::Google::Protobuf::MessageExts::ClassMethods
      end

      # An event representing that the grant was denied.
      # @!attribute [r] reason
      #   @return [::String]
      #     Output only. The reason provided by the approver for denying the
      #     grant.
      # @!attribute [r] actor
      #   @return [::String]
      #     Output only. Username of the user who denied the grant.
      class Denied
        include ::Google::Protobuf::MessageExts
        extend ::Google::Protobuf::MessageExts::ClassMethods
      end

      # An event representing that the grant was revoked.
      # @!attribute [r] reason
      #   @return [::String]
      #     Output only. The reason provided by the user for revoking the grant.
      # @!attribute [r] actor
      #   @return [::String]
      #     Output only. Username of the user who revoked the grant.
      class Revoked
        include ::Google::Protobuf::MessageExts
        extend ::Google::Protobuf::MessageExts::ClassMethods
      end

      # An event representing that the grant was withdrawn.
      class Withdrawn
        include ::Google::Protobuf::MessageExts
        extend ::Google::Protobuf::MessageExts::ClassMethods
      end

      # An event representing that the grant has been scheduled to be
      # activated later.
      # @!attribute [r] scheduled_activation_time
      #   @return [::Google::Protobuf::Timestamp]
      #     Output only. The time at which the access is granted.
      class Scheduled
        include ::Google::Protobuf::MessageExts
        extend ::Google::Protobuf::MessageExts::ClassMethods
      end

      # An event representing that the grant was successfully
      # activated.
      class Activated
        include ::Google::Protobuf::MessageExts
        extend ::Google::Protobuf::MessageExts::ClassMethods
      end

      # An event representing that the grant activation failed.
      # @!attribute [r] error
      #   @return [::Google::Rpc::Status]
      #     Output only. The error that occurred while activating the grant.
      class ActivationFailed
        include ::Google::Protobuf::MessageExts
        extend ::Google::Protobuf::MessageExts::ClassMethods
      end

      # An event representing that the grant was expired.
      class Expired
        include ::Google::Protobuf::MessageExts
        extend ::Google::Protobuf::MessageExts::ClassMethods
      end

      # An event representing that the grant has ended.
      class Ended
        include ::Google::Protobuf::MessageExts
        extend ::Google::Protobuf::MessageExts::ClassMethods
      end

      # An event representing that the policy bindings made by this grant were
      # modified externally.
      class ExternallyModified
        include ::Google::Protobuf::MessageExts
        extend ::Google::Protobuf::MessageExts::ClassMethods
      end
    end
  end

  # Audit trail for the access provided by this grant.
  # @!attribute [r] access_grant_time
  #   @return [::Google::Protobuf::Timestamp]
  #     Output only. The time at which access was given.
  # @!attribute [r] access_remove_time
  #   @return [::Google::Protobuf::Timestamp]
  #     Output only. The time at which the system removed access. This could be
  #     because of an automatic expiry or because of a revocation.
  #
  #     If unspecified, then access hasn't been removed yet.
  class AuditTrail
    include ::Google::Protobuf::MessageExts
    extend ::Google::Protobuf::MessageExts::ClassMethods
  end

  # Different states a grant can be in.
  module State
    # Unspecified state. This value is never returned by the server.
    STATE_UNSPECIFIED = 0

    # The entitlement had an approval workflow configured and this grant is
    # waiting for the workflow to complete.
    APPROVAL_AWAITED = 1

    # The approval workflow completed with a denied result. No access is
    # granted for this grant. This is a terminal state.
    DENIED = 3

    # The approval workflow completed successfully with an approved result or
    # none was configured. Access is provided at an appropriate time.
    SCHEDULED = 4

    # Access is being given.
    ACTIVATING = 5

    # Access was successfully given and is currently active.
    ACTIVE = 6

    # The system could not give access due to a non-retriable error. This is a
    # terminal state.
    ACTIVATION_FAILED = 7

    # Expired after waiting for the approval workflow to complete. This is a
    # terminal state.
    EXPIRED = 8

    # Access is being revoked.
    REVOKING = 9

    # Access was revoked by a user. This is a terminal state.
    REVOKED = 10

    # System took back access as the requested duration was over. This is a
    # terminal state.
    ENDED = 11

    # Access is being withdrawn.
    WITHDRAWING = 12

    # Grant was withdrawn by the grant owner. This is a terminal state.
    WITHDRAWN = 13
  end
end

#state ⇒ ::Google::Cloud::PrivilegedAccessManager::V1::Grant::State (readonly)

Returns Output only. Current state of this grant.

Returns:

• (::Google::Cloud::PrivilegedAccessManager::V1::Grant::State) —

  Output only. Current state of this grant.

# File 'proto_docs/google/cloud/privilegedaccessmanager/v1/privilegedaccessmanager.rb', line 551

class Grant
  include ::Google::Protobuf::MessageExts
  extend ::Google::Protobuf::MessageExts::ClassMethods

  # Timeline of a grant describing what happened to it and when.
  # @!attribute [r] events
  #   @return [::Array<::Google::Cloud::PrivilegedAccessManager::V1::Grant::Timeline::Event>]
  #     Output only. The events that have occurred on this grant. This list
  #     contains entries in the same order as they occurred. The first entry is
  #     always be of type `Requested` and there is always at least one entry in
  #     this array.
  class Timeline
    include ::Google::Protobuf::MessageExts
    extend ::Google::Protobuf::MessageExts::ClassMethods

    # A single operation on the grant.
    # @!attribute [rw] requested
    #   @return [::Google::Cloud::PrivilegedAccessManager::V1::Grant::Timeline::Event::Requested]
    #     The grant was requested.
    #
    #     Note: The following fields are mutually exclusive: `requested`, `approved`, `denied`, `revoked`, `scheduled`, `activated`, `activation_failed`, `expired`, `ended`, `externally_modified`, `withdrawn`. If a field in that set is populated, all other fields in the set will automatically be cleared.
    # @!attribute [rw] approved
    #   @return [::Google::Cloud::PrivilegedAccessManager::V1::Grant::Timeline::Event::Approved]
    #     The grant was approved.
    #
    #     Note: The following fields are mutually exclusive: `approved`, `requested`, `denied`, `revoked`, `scheduled`, `activated`, `activation_failed`, `expired`, `ended`, `externally_modified`, `withdrawn`. If a field in that set is populated, all other fields in the set will automatically be cleared.
    # @!attribute [rw] denied
    #   @return [::Google::Cloud::PrivilegedAccessManager::V1::Grant::Timeline::Event::Denied]
    #     The grant was denied.
    #
    #     Note: The following fields are mutually exclusive: `denied`, `requested`, `approved`, `revoked`, `scheduled`, `activated`, `activation_failed`, `expired`, `ended`, `externally_modified`, `withdrawn`. If a field in that set is populated, all other fields in the set will automatically be cleared.
    # @!attribute [rw] revoked
    #   @return [::Google::Cloud::PrivilegedAccessManager::V1::Grant::Timeline::Event::Revoked]
    #     The grant was revoked.
    #
    #     Note: The following fields are mutually exclusive: `revoked`, `requested`, `approved`, `denied`, `scheduled`, `activated`, `activation_failed`, `expired`, `ended`, `externally_modified`, `withdrawn`. If a field in that set is populated, all other fields in the set will automatically be cleared.
    # @!attribute [rw] scheduled
    #   @return [::Google::Cloud::PrivilegedAccessManager::V1::Grant::Timeline::Event::Scheduled]
    #     The grant has been scheduled to give access.
    #
    #     Note: The following fields are mutually exclusive: `scheduled`, `requested`, `approved`, `denied`, `revoked`, `activated`, `activation_failed`, `expired`, `ended`, `externally_modified`, `withdrawn`. If a field in that set is populated, all other fields in the set will automatically be cleared.
    # @!attribute [rw] activated
    #   @return [::Google::Cloud::PrivilegedAccessManager::V1::Grant::Timeline::Event::Activated]
    #     The grant was successfully activated to give access.
    #
    #     Note: The following fields are mutually exclusive: `activated`, `requested`, `approved`, `denied`, `revoked`, `scheduled`, `activation_failed`, `expired`, `ended`, `externally_modified`, `withdrawn`. If a field in that set is populated, all other fields in the set will automatically be cleared.
    # @!attribute [rw] activation_failed
    #   @return [::Google::Cloud::PrivilegedAccessManager::V1::Grant::Timeline::Event::ActivationFailed]
    #     There was a non-retriable error while trying to give access.
    #
    #     Note: The following fields are mutually exclusive: `activation_failed`, `requested`, `approved`, `denied`, `revoked`, `scheduled`, `activated`, `expired`, `ended`, `externally_modified`, `withdrawn`. If a field in that set is populated, all other fields in the set will automatically be cleared.
    # @!attribute [rw] expired
    #   @return [::Google::Cloud::PrivilegedAccessManager::V1::Grant::Timeline::Event::Expired]
    #     The approval workflow did not complete in the necessary duration,
    #     and so the grant is expired.
    #
    #     Note: The following fields are mutually exclusive: `expired`, `requested`, `approved`, `denied`, `revoked`, `scheduled`, `activated`, `activation_failed`, `ended`, `externally_modified`, `withdrawn`. If a field in that set is populated, all other fields in the set will automatically be cleared.
    # @!attribute [rw] ended
    #   @return [::Google::Cloud::PrivilegedAccessManager::V1::Grant::Timeline::Event::Ended]
    #     Access given by the grant ended automatically as the approved
    #     duration was over.
    #
    #     Note: The following fields are mutually exclusive: `ended`, `requested`, `approved`, `denied`, `revoked`, `scheduled`, `activated`, `activation_failed`, `expired`, `externally_modified`, `withdrawn`. If a field in that set is populated, all other fields in the set will automatically be cleared.
    # @!attribute [rw] externally_modified
    #   @return [::Google::Cloud::PrivilegedAccessManager::V1::Grant::Timeline::Event::ExternallyModified]
    #     The policy bindings made by grant have been modified outside of PAM.
    #
    #     Note: The following fields are mutually exclusive: `externally_modified`, `requested`, `approved`, `denied`, `revoked`, `scheduled`, `activated`, `activation_failed`, `expired`, `ended`, `withdrawn`. If a field in that set is populated, all other fields in the set will automatically be cleared.
    # @!attribute [rw] withdrawn
    #   @return [::Google::Cloud::PrivilegedAccessManager::V1::Grant::Timeline::Event::Withdrawn]
    #     The grant was withdrawn.
    #
    #     Note: The following fields are mutually exclusive: `withdrawn`, `requested`, `approved`, `denied`, `revoked`, `scheduled`, `activated`, `activation_failed`, `expired`, `ended`, `externally_modified`. If a field in that set is populated, all other fields in the set will automatically be cleared.
    # @!attribute [r] event_time
    #   @return [::Google::Protobuf::Timestamp]
    #     Output only. The time (as recorded at server) when this event occurred.
    class Event
      include ::Google::Protobuf::MessageExts
      extend ::Google::Protobuf::MessageExts::ClassMethods

      # An event representing that a grant was requested.
      # @!attribute [r] expire_time
      #   @return [::Google::Protobuf::Timestamp]
      #     Output only. The time at which this grant expires unless the approval
      #     workflow completes. If omitted, then the request never expires.
      class Requested
        include ::Google::Protobuf::MessageExts
        extend ::Google::Protobuf::MessageExts::ClassMethods
      end

      # An event representing that the grant was approved.
      # @!attribute [r] reason
      #   @return [::String]
      #     Output only. The reason provided by the approver for approving the
      #     grant.
      # @!attribute [r] actor
      #   @return [::String]
      #     Output only. Username of the user who approved the grant.
      class Approved
        include ::Google::Protobuf::MessageExts
        extend ::Google::Protobuf::MessageExts::ClassMethods
      end

      # An event representing that the grant was denied.
      # @!attribute [r] reason
      #   @return [::String]
      #     Output only. The reason provided by the approver for denying the
      #     grant.
      # @!attribute [r] actor
      #   @return [::String]
      #     Output only. Username of the user who denied the grant.
      class Denied
        include ::Google::Protobuf::MessageExts
        extend ::Google::Protobuf::MessageExts::ClassMethods
      end

      # An event representing that the grant was revoked.
      # @!attribute [r] reason
      #   @return [::String]
      #     Output only. The reason provided by the user for revoking the grant.
      # @!attribute [r] actor
      #   @return [::String]
      #     Output only. Username of the user who revoked the grant.
      class Revoked
        include ::Google::Protobuf::MessageExts
        extend ::Google::Protobuf::MessageExts::ClassMethods
      end

      # An event representing that the grant was withdrawn.
      class Withdrawn
        include ::Google::Protobuf::MessageExts
        extend ::Google::Protobuf::MessageExts::ClassMethods
      end

      # An event representing that the grant has been scheduled to be
      # activated later.
      # @!attribute [r] scheduled_activation_time
      #   @return [::Google::Protobuf::Timestamp]
      #     Output only. The time at which the access is granted.
      class Scheduled
        include ::Google::Protobuf::MessageExts
        extend ::Google::Protobuf::MessageExts::ClassMethods
      end

      # An event representing that the grant was successfully
      # activated.
      class Activated
        include ::Google::Protobuf::MessageExts
        extend ::Google::Protobuf::MessageExts::ClassMethods
      end

      # An event representing that the grant activation failed.
      # @!attribute [r] error
      #   @return [::Google::Rpc::Status]
      #     Output only. The error that occurred while activating the grant.
      class ActivationFailed
        include ::Google::Protobuf::MessageExts
        extend ::Google::Protobuf::MessageExts::ClassMethods
      end

      # An event representing that the grant was expired.
      class Expired
        include ::Google::Protobuf::MessageExts
        extend ::Google::Protobuf::MessageExts::ClassMethods
      end

      # An event representing that the grant has ended.
      class Ended
        include ::Google::Protobuf::MessageExts
        extend ::Google::Protobuf::MessageExts::ClassMethods
      end

      # An event representing that the policy bindings made by this grant were
      # modified externally.
      class ExternallyModified
        include ::Google::Protobuf::MessageExts
        extend ::Google::Protobuf::MessageExts::ClassMethods
      end
    end
  end

  # Audit trail for the access provided by this grant.
  # @!attribute [r] access_grant_time
  #   @return [::Google::Protobuf::Timestamp]
  #     Output only. The time at which access was given.
  # @!attribute [r] access_remove_time
  #   @return [::Google::Protobuf::Timestamp]
  #     Output only. The time at which the system removed access. This could be
  #     because of an automatic expiry or because of a revocation.
  #
  #     If unspecified, then access hasn't been removed yet.
  class AuditTrail
    include ::Google::Protobuf::MessageExts
    extend ::Google::Protobuf::MessageExts::ClassMethods
  end

  # Different states a grant can be in.
  module State
    # Unspecified state. This value is never returned by the server.
    STATE_UNSPECIFIED = 0

    # The entitlement had an approval workflow configured and this grant is
    # waiting for the workflow to complete.
    APPROVAL_AWAITED = 1

    # The approval workflow completed with a denied result. No access is
    # granted for this grant. This is a terminal state.
    DENIED = 3

    # The approval workflow completed successfully with an approved result or
    # none was configured. Access is provided at an appropriate time.
    SCHEDULED = 4

    # Access is being given.
    ACTIVATING = 5

    # Access was successfully given and is currently active.
    ACTIVE = 6

    # The system could not give access due to a non-retriable error. This is a
    # terminal state.
    ACTIVATION_FAILED = 7

    # Expired after waiting for the approval workflow to complete. This is a
    # terminal state.
    EXPIRED = 8

    # Access is being revoked.
    REVOKING = 9

    # Access was revoked by a user. This is a terminal state.
    REVOKED = 10

    # System took back access as the requested duration was over. This is a
    # terminal state.
    ENDED = 11

    # Access is being withdrawn.
    WITHDRAWING = 12

    # Grant was withdrawn by the grant owner. This is a terminal state.
    WITHDRAWN = 13
  end
end

#timeline ⇒ ::Google::Cloud::PrivilegedAccessManager::V1::Grant::Timeline (readonly)

Returns Output only. Timeline of this grant.

Returns:

• (::Google::Cloud::PrivilegedAccessManager::V1::Grant::Timeline) —

  Output only. Timeline of this grant.

# File 'proto_docs/google/cloud/privilegedaccessmanager/v1/privilegedaccessmanager.rb', line 551

class Grant
  include ::Google::Protobuf::MessageExts
  extend ::Google::Protobuf::MessageExts::ClassMethods

  # Timeline of a grant describing what happened to it and when.
  # @!attribute [r] events
  #   @return [::Array<::Google::Cloud::PrivilegedAccessManager::V1::Grant::Timeline::Event>]
  #     Output only. The events that have occurred on this grant. This list
  #     contains entries in the same order as they occurred. The first entry is
  #     always be of type `Requested` and there is always at least one entry in
  #     this array.
  class Timeline
    include ::Google::Protobuf::MessageExts
    extend ::Google::Protobuf::MessageExts::ClassMethods

    # A single operation on the grant.
    # @!attribute [rw] requested
    #   @return [::Google::Cloud::PrivilegedAccessManager::V1::Grant::Timeline::Event::Requested]
    #     The grant was requested.
    #
    #     Note: The following fields are mutually exclusive: `requested`, `approved`, `denied`, `revoked`, `scheduled`, `activated`, `activation_failed`, `expired`, `ended`, `externally_modified`, `withdrawn`. If a field in that set is populated, all other fields in the set will automatically be cleared.
    # @!attribute [rw] approved
    #   @return [::Google::Cloud::PrivilegedAccessManager::V1::Grant::Timeline::Event::Approved]
    #     The grant was approved.
    #
    #     Note: The following fields are mutually exclusive: `approved`, `requested`, `denied`, `revoked`, `scheduled`, `activated`, `activation_failed`, `expired`, `ended`, `externally_modified`, `withdrawn`. If a field in that set is populated, all other fields in the set will automatically be cleared.
    # @!attribute [rw] denied
    #   @return [::Google::Cloud::PrivilegedAccessManager::V1::Grant::Timeline::Event::Denied]
    #     The grant was denied.
    #
    #     Note: The following fields are mutually exclusive: `denied`, `requested`, `approved`, `revoked`, `scheduled`, `activated`, `activation_failed`, `expired`, `ended`, `externally_modified`, `withdrawn`. If a field in that set is populated, all other fields in the set will automatically be cleared.
    # @!attribute [rw] revoked
    #   @return [::Google::Cloud::PrivilegedAccessManager::V1::Grant::Timeline::Event::Revoked]
    #     The grant was revoked.
    #
    #     Note: The following fields are mutually exclusive: `revoked`, `requested`, `approved`, `denied`, `scheduled`, `activated`, `activation_failed`, `expired`, `ended`, `externally_modified`, `withdrawn`. If a field in that set is populated, all other fields in the set will automatically be cleared.
    # @!attribute [rw] scheduled
    #   @return [::Google::Cloud::PrivilegedAccessManager::V1::Grant::Timeline::Event::Scheduled]
    #     The grant has been scheduled to give access.
    #
    #     Note: The following fields are mutually exclusive: `scheduled`, `requested`, `approved`, `denied`, `revoked`, `activated`, `activation_failed`, `expired`, `ended`, `externally_modified`, `withdrawn`. If a field in that set is populated, all other fields in the set will automatically be cleared.
    # @!attribute [rw] activated
    #   @return [::Google::Cloud::PrivilegedAccessManager::V1::Grant::Timeline::Event::Activated]
    #     The grant was successfully activated to give access.
    #
    #     Note: The following fields are mutually exclusive: `activated`, `requested`, `approved`, `denied`, `revoked`, `scheduled`, `activation_failed`, `expired`, `ended`, `externally_modified`, `withdrawn`. If a field in that set is populated, all other fields in the set will automatically be cleared.
    # @!attribute [rw] activation_failed
    #   @return [::Google::Cloud::PrivilegedAccessManager::V1::Grant::Timeline::Event::ActivationFailed]
    #     There was a non-retriable error while trying to give access.
    #
    #     Note: The following fields are mutually exclusive: `activation_failed`, `requested`, `approved`, `denied`, `revoked`, `scheduled`, `activated`, `expired`, `ended`, `externally_modified`, `withdrawn`. If a field in that set is populated, all other fields in the set will automatically be cleared.
    # @!attribute [rw] expired
    #   @return [::Google::Cloud::PrivilegedAccessManager::V1::Grant::Timeline::Event::Expired]
    #     The approval workflow did not complete in the necessary duration,
    #     and so the grant is expired.
    #
    #     Note: The following fields are mutually exclusive: `expired`, `requested`, `approved`, `denied`, `revoked`, `scheduled`, `activated`, `activation_failed`, `ended`, `externally_modified`, `withdrawn`. If a field in that set is populated, all other fields in the set will automatically be cleared.
    # @!attribute [rw] ended
    #   @return [::Google::Cloud::PrivilegedAccessManager::V1::Grant::Timeline::Event::Ended]
    #     Access given by the grant ended automatically as the approved
    #     duration was over.
    #
    #     Note: The following fields are mutually exclusive: `ended`, `requested`, `approved`, `denied`, `revoked`, `scheduled`, `activated`, `activation_failed`, `expired`, `externally_modified`, `withdrawn`. If a field in that set is populated, all other fields in the set will automatically be cleared.
    # @!attribute [rw] externally_modified
    #   @return [::Google::Cloud::PrivilegedAccessManager::V1::Grant::Timeline::Event::ExternallyModified]
    #     The policy bindings made by grant have been modified outside of PAM.
    #
    #     Note: The following fields are mutually exclusive: `externally_modified`, `requested`, `approved`, `denied`, `revoked`, `scheduled`, `activated`, `activation_failed`, `expired`, `ended`, `withdrawn`. If a field in that set is populated, all other fields in the set will automatically be cleared.
    # @!attribute [rw] withdrawn
    #   @return [::Google::Cloud::PrivilegedAccessManager::V1::Grant::Timeline::Event::Withdrawn]
    #     The grant was withdrawn.
    #
    #     Note: The following fields are mutually exclusive: `withdrawn`, `requested`, `approved`, `denied`, `revoked`, `scheduled`, `activated`, `activation_failed`, `expired`, `ended`, `externally_modified`. If a field in that set is populated, all other fields in the set will automatically be cleared.
    # @!attribute [r] event_time
    #   @return [::Google::Protobuf::Timestamp]
    #     Output only. The time (as recorded at server) when this event occurred.
    class Event
      include ::Google::Protobuf::MessageExts
      extend ::Google::Protobuf::MessageExts::ClassMethods

      # An event representing that a grant was requested.
      # @!attribute [r] expire_time
      #   @return [::Google::Protobuf::Timestamp]
      #     Output only. The time at which this grant expires unless the approval
      #     workflow completes. If omitted, then the request never expires.
      class Requested
        include ::Google::Protobuf::MessageExts
        extend ::Google::Protobuf::MessageExts::ClassMethods
      end

      # An event representing that the grant was approved.
      # @!attribute [r] reason
      #   @return [::String]
      #     Output only. The reason provided by the approver for approving the
      #     grant.
      # @!attribute [r] actor
      #   @return [::String]
      #     Output only. Username of the user who approved the grant.
      class Approved
        include ::Google::Protobuf::MessageExts
        extend ::Google::Protobuf::MessageExts::ClassMethods
      end

      # An event representing that the grant was denied.
      # @!attribute [r] reason
      #   @return [::String]
      #     Output only. The reason provided by the approver for denying the
      #     grant.
      # @!attribute [r] actor
      #   @return [::String]
      #     Output only. Username of the user who denied the grant.
      class Denied
        include ::Google::Protobuf::MessageExts
        extend ::Google::Protobuf::MessageExts::ClassMethods
      end

      # An event representing that the grant was revoked.
      # @!attribute [r] reason
      #   @return [::String]
      #     Output only. The reason provided by the user for revoking the grant.
      # @!attribute [r] actor
      #   @return [::String]
      #     Output only. Username of the user who revoked the grant.
      class Revoked
        include ::Google::Protobuf::MessageExts
        extend ::Google::Protobuf::MessageExts::ClassMethods
      end

      # An event representing that the grant was withdrawn.
      class Withdrawn
        include ::Google::Protobuf::MessageExts
        extend ::Google::Protobuf::MessageExts::ClassMethods
      end

      # An event representing that the grant has been scheduled to be
      # activated later.
      # @!attribute [r] scheduled_activation_time
      #   @return [::Google::Protobuf::Timestamp]
      #     Output only. The time at which the access is granted.
      class Scheduled
        include ::Google::Protobuf::MessageExts
        extend ::Google::Protobuf::MessageExts::ClassMethods
      end

      # An event representing that the grant was successfully
      # activated.
      class Activated
        include ::Google::Protobuf::MessageExts
        extend ::Google::Protobuf::MessageExts::ClassMethods
      end

      # An event representing that the grant activation failed.
      # @!attribute [r] error
      #   @return [::Google::Rpc::Status]
      #     Output only. The error that occurred while activating the grant.
      class ActivationFailed
        include ::Google::Protobuf::MessageExts
        extend ::Google::Protobuf::MessageExts::ClassMethods
      end

      # An event representing that the grant was expired.
      class Expired
        include ::Google::Protobuf::MessageExts
        extend ::Google::Protobuf::MessageExts::ClassMethods
      end

      # An event representing that the grant has ended.
      class Ended
        include ::Google::Protobuf::MessageExts
        extend ::Google::Protobuf::MessageExts::ClassMethods
      end

      # An event representing that the policy bindings made by this grant were
      # modified externally.
      class ExternallyModified
        include ::Google::Protobuf::MessageExts
        extend ::Google::Protobuf::MessageExts::ClassMethods
      end
    end
  end

  # Audit trail for the access provided by this grant.
  # @!attribute [r] access_grant_time
  #   @return [::Google::Protobuf::Timestamp]
  #     Output only. The time at which access was given.
  # @!attribute [r] access_remove_time
  #   @return [::Google::Protobuf::Timestamp]
  #     Output only. The time at which the system removed access. This could be
  #     because of an automatic expiry or because of a revocation.
  #
  #     If unspecified, then access hasn't been removed yet.
  class AuditTrail
    include ::Google::Protobuf::MessageExts
    extend ::Google::Protobuf::MessageExts::ClassMethods
  end

  # Different states a grant can be in.
  module State
    # Unspecified state. This value is never returned by the server.
    STATE_UNSPECIFIED = 0

    # The entitlement had an approval workflow configured and this grant is
    # waiting for the workflow to complete.
    APPROVAL_AWAITED = 1

    # The approval workflow completed with a denied result. No access is
    # granted for this grant. This is a terminal state.
    DENIED = 3

    # The approval workflow completed successfully with an approved result or
    # none was configured. Access is provided at an appropriate time.
    SCHEDULED = 4

    # Access is being given.
    ACTIVATING = 5

    # Access was successfully given and is currently active.
    ACTIVE = 6

    # The system could not give access due to a non-retriable error. This is a
    # terminal state.
    ACTIVATION_FAILED = 7

    # Expired after waiting for the approval workflow to complete. This is a
    # terminal state.
    EXPIRED = 8

    # Access is being revoked.
    REVOKING = 9

    # Access was revoked by a user. This is a terminal state.
    REVOKED = 10

    # System took back access as the requested duration was over. This is a
    # terminal state.
    ENDED = 11

    # Access is being withdrawn.
    WITHDRAWING = 12

    # Grant was withdrawn by the grant owner. This is a terminal state.
    WITHDRAWN = 13
  end
end

#update_time ⇒ ::Google::Protobuf::Timestamp (readonly)

Returns Output only. Update time stamp.

Returns:

• (::Google::Protobuf::Timestamp) —

  Output only. Update time stamp.

# File 'proto_docs/google/cloud/privilegedaccessmanager/v1/privilegedaccessmanager.rb', line 551

class Grant
  include ::Google::Protobuf::MessageExts
  extend ::Google::Protobuf::MessageExts::ClassMethods

  # Timeline of a grant describing what happened to it and when.
  # @!attribute [r] events
  #   @return [::Array<::Google::Cloud::PrivilegedAccessManager::V1::Grant::Timeline::Event>]
  #     Output only. The events that have occurred on this grant. This list
  #     contains entries in the same order as they occurred. The first entry is
  #     always be of type `Requested` and there is always at least one entry in
  #     this array.
  class Timeline
    include ::Google::Protobuf::MessageExts
    extend ::Google::Protobuf::MessageExts::ClassMethods

    # A single operation on the grant.
    # @!attribute [rw] requested
    #   @return [::Google::Cloud::PrivilegedAccessManager::V1::Grant::Timeline::Event::Requested]
    #     The grant was requested.
    #
    #     Note: The following fields are mutually exclusive: `requested`, `approved`, `denied`, `revoked`, `scheduled`, `activated`, `activation_failed`, `expired`, `ended`, `externally_modified`, `withdrawn`. If a field in that set is populated, all other fields in the set will automatically be cleared.
    # @!attribute [rw] approved
    #   @return [::Google::Cloud::PrivilegedAccessManager::V1::Grant::Timeline::Event::Approved]
    #     The grant was approved.
    #
    #     Note: The following fields are mutually exclusive: `approved`, `requested`, `denied`, `revoked`, `scheduled`, `activated`, `activation_failed`, `expired`, `ended`, `externally_modified`, `withdrawn`. If a field in that set is populated, all other fields in the set will automatically be cleared.
    # @!attribute [rw] denied
    #   @return [::Google::Cloud::PrivilegedAccessManager::V1::Grant::Timeline::Event::Denied]
    #     The grant was denied.
    #
    #     Note: The following fields are mutually exclusive: `denied`, `requested`, `approved`, `revoked`, `scheduled`, `activated`, `activation_failed`, `expired`, `ended`, `externally_modified`, `withdrawn`. If a field in that set is populated, all other fields in the set will automatically be cleared.
    # @!attribute [rw] revoked
    #   @return [::Google::Cloud::PrivilegedAccessManager::V1::Grant::Timeline::Event::Revoked]
    #     The grant was revoked.
    #
    #     Note: The following fields are mutually exclusive: `revoked`, `requested`, `approved`, `denied`, `scheduled`, `activated`, `activation_failed`, `expired`, `ended`, `externally_modified`, `withdrawn`. If a field in that set is populated, all other fields in the set will automatically be cleared.
    # @!attribute [rw] scheduled
    #   @return [::Google::Cloud::PrivilegedAccessManager::V1::Grant::Timeline::Event::Scheduled]
    #     The grant has been scheduled to give access.
    #
    #     Note: The following fields are mutually exclusive: `scheduled`, `requested`, `approved`, `denied`, `revoked`, `activated`, `activation_failed`, `expired`, `ended`, `externally_modified`, `withdrawn`. If a field in that set is populated, all other fields in the set will automatically be cleared.
    # @!attribute [rw] activated
    #   @return [::Google::Cloud::PrivilegedAccessManager::V1::Grant::Timeline::Event::Activated]
    #     The grant was successfully activated to give access.
    #
    #     Note: The following fields are mutually exclusive: `activated`, `requested`, `approved`, `denied`, `revoked`, `scheduled`, `activation_failed`, `expired`, `ended`, `externally_modified`, `withdrawn`. If a field in that set is populated, all other fields in the set will automatically be cleared.
    # @!attribute [rw] activation_failed
    #   @return [::Google::Cloud::PrivilegedAccessManager::V1::Grant::Timeline::Event::ActivationFailed]
    #     There was a non-retriable error while trying to give access.
    #
    #     Note: The following fields are mutually exclusive: `activation_failed`, `requested`, `approved`, `denied`, `revoked`, `scheduled`, `activated`, `expired`, `ended`, `externally_modified`, `withdrawn`. If a field in that set is populated, all other fields in the set will automatically be cleared.
    # @!attribute [rw] expired
    #   @return [::Google::Cloud::PrivilegedAccessManager::V1::Grant::Timeline::Event::Expired]
    #     The approval workflow did not complete in the necessary duration,
    #     and so the grant is expired.
    #
    #     Note: The following fields are mutually exclusive: `expired`, `requested`, `approved`, `denied`, `revoked`, `scheduled`, `activated`, `activation_failed`, `ended`, `externally_modified`, `withdrawn`. If a field in that set is populated, all other fields in the set will automatically be cleared.
    # @!attribute [rw] ended
    #   @return [::Google::Cloud::PrivilegedAccessManager::V1::Grant::Timeline::Event::Ended]
    #     Access given by the grant ended automatically as the approved
    #     duration was over.
    #
    #     Note: The following fields are mutually exclusive: `ended`, `requested`, `approved`, `denied`, `revoked`, `scheduled`, `activated`, `activation_failed`, `expired`, `externally_modified`, `withdrawn`. If a field in that set is populated, all other fields in the set will automatically be cleared.
    # @!attribute [rw] externally_modified
    #   @return [::Google::Cloud::PrivilegedAccessManager::V1::Grant::Timeline::Event::ExternallyModified]
    #     The policy bindings made by grant have been modified outside of PAM.
    #
    #     Note: The following fields are mutually exclusive: `externally_modified`, `requested`, `approved`, `denied`, `revoked`, `scheduled`, `activated`, `activation_failed`, `expired`, `ended`, `withdrawn`. If a field in that set is populated, all other fields in the set will automatically be cleared.
    # @!attribute [rw] withdrawn
    #   @return [::Google::Cloud::PrivilegedAccessManager::V1::Grant::Timeline::Event::Withdrawn]
    #     The grant was withdrawn.
    #
    #     Note: The following fields are mutually exclusive: `withdrawn`, `requested`, `approved`, `denied`, `revoked`, `scheduled`, `activated`, `activation_failed`, `expired`, `ended`, `externally_modified`. If a field in that set is populated, all other fields in the set will automatically be cleared.
    # @!attribute [r] event_time
    #   @return [::Google::Protobuf::Timestamp]
    #     Output only. The time (as recorded at server) when this event occurred.
    class Event
      include ::Google::Protobuf::MessageExts
      extend ::Google::Protobuf::MessageExts::ClassMethods

      # An event representing that a grant was requested.
      # @!attribute [r] expire_time
      #   @return [::Google::Protobuf::Timestamp]
      #     Output only. The time at which this grant expires unless the approval
      #     workflow completes. If omitted, then the request never expires.
      class Requested
        include ::Google::Protobuf::MessageExts
        extend ::Google::Protobuf::MessageExts::ClassMethods
      end

      # An event representing that the grant was approved.
      # @!attribute [r] reason
      #   @return [::String]
      #     Output only. The reason provided by the approver for approving the
      #     grant.
      # @!attribute [r] actor
      #   @return [::String]
      #     Output only. Username of the user who approved the grant.
      class Approved
        include ::Google::Protobuf::MessageExts
        extend ::Google::Protobuf::MessageExts::ClassMethods
      end

      # An event representing that the grant was denied.
      # @!attribute [r] reason
      #   @return [::String]
      #     Output only. The reason provided by the approver for denying the
      #     grant.
      # @!attribute [r] actor
      #   @return [::String]
      #     Output only. Username of the user who denied the grant.
      class Denied
        include ::Google::Protobuf::MessageExts
        extend ::Google::Protobuf::MessageExts::ClassMethods
      end

      # An event representing that the grant was revoked.
      # @!attribute [r] reason
      #   @return [::String]
      #     Output only. The reason provided by the user for revoking the grant.
      # @!attribute [r] actor
      #   @return [::String]
      #     Output only. Username of the user who revoked the grant.
      class Revoked
        include ::Google::Protobuf::MessageExts
        extend ::Google::Protobuf::MessageExts::ClassMethods
      end

      # An event representing that the grant was withdrawn.
      class Withdrawn
        include ::Google::Protobuf::MessageExts
        extend ::Google::Protobuf::MessageExts::ClassMethods
      end

      # An event representing that the grant has been scheduled to be
      # activated later.
      # @!attribute [r] scheduled_activation_time
      #   @return [::Google::Protobuf::Timestamp]
      #     Output only. The time at which the access is granted.
      class Scheduled
        include ::Google::Protobuf::MessageExts
        extend ::Google::Protobuf::MessageExts::ClassMethods
      end

      # An event representing that the grant was successfully
      # activated.
      class Activated
        include ::Google::Protobuf::MessageExts
        extend ::Google::Protobuf::MessageExts::ClassMethods
      end

      # An event representing that the grant activation failed.
      # @!attribute [r] error
      #   @return [::Google::Rpc::Status]
      #     Output only. The error that occurred while activating the grant.
      class ActivationFailed
        include ::Google::Protobuf::MessageExts
        extend ::Google::Protobuf::MessageExts::ClassMethods
      end

      # An event representing that the grant was expired.
      class Expired
        include ::Google::Protobuf::MessageExts
        extend ::Google::Protobuf::MessageExts::ClassMethods
      end

      # An event representing that the grant has ended.
      class Ended
        include ::Google::Protobuf::MessageExts
        extend ::Google::Protobuf::MessageExts::ClassMethods
      end

      # An event representing that the policy bindings made by this grant were
      # modified externally.
      class ExternallyModified
        include ::Google::Protobuf::MessageExts
        extend ::Google::Protobuf::MessageExts::ClassMethods
      end
    end
  end

  # Audit trail for the access provided by this grant.
  # @!attribute [r] access_grant_time
  #   @return [::Google::Protobuf::Timestamp]
  #     Output only. The time at which access was given.
  # @!attribute [r] access_remove_time
  #   @return [::Google::Protobuf::Timestamp]
  #     Output only. The time at which the system removed access. This could be
  #     because of an automatic expiry or because of a revocation.
  #
  #     If unspecified, then access hasn't been removed yet.
  class AuditTrail
    include ::Google::Protobuf::MessageExts
    extend ::Google::Protobuf::MessageExts::ClassMethods
  end

  # Different states a grant can be in.
  module State
    # Unspecified state. This value is never returned by the server.
    STATE_UNSPECIFIED = 0

    # The entitlement had an approval workflow configured and this grant is
    # waiting for the workflow to complete.
    APPROVAL_AWAITED = 1

    # The approval workflow completed with a denied result. No access is
    # granted for this grant. This is a terminal state.
    DENIED = 3

    # The approval workflow completed successfully with an approved result or
    # none was configured. Access is provided at an appropriate time.
    SCHEDULED = 4

    # Access is being given.
    ACTIVATING = 5

    # Access was successfully given and is currently active.
    ACTIVE = 6

    # The system could not give access due to a non-retriable error. This is a
    # terminal state.
    ACTIVATION_FAILED = 7

    # Expired after waiting for the approval workflow to complete. This is a
    # terminal state.
    EXPIRED = 8

    # Access is being revoked.
    REVOKING = 9

    # Access was revoked by a user. This is a terminal state.
    REVOKED = 10

    # System took back access as the requested duration was over. This is a
    # terminal state.
    ENDED = 11

    # Access is being withdrawn.
    WITHDRAWING = 12

    # Grant was withdrawn by the grant owner. This is a terminal state.
    WITHDRAWN = 13
  end
end