Class: Google::Cloud::Asset::V1::IamPolicyAnalysisResult

Inherits:

Object

• Object
• Google::Cloud::Asset::V1::IamPolicyAnalysisResult

Extended by:

Protobuf::MessageExts::ClassMethods

Includes:

Protobuf::MessageExts

Defined in:

proto_docs/google/cloud/asset/v1/assets.rb

Overview

IAM Policy analysis result, consisting of one IAM policy binding and derived access control lists.

Defined Under Namespace

Classes: Access, AccessControlList, Edge, Identity, IdentityList, Resource

Instance Attribute Summary

• #access_control_lists ⇒ ::Array<::Google::Cloud::Asset::V1::IamPolicyAnalysisResult::AccessControlList>

  The access control lists derived from the iam_binding that match or potentially match resource and access selectors specified in the request.

• #attached_resource_full_name ⇒ ::String

  The full resource name of the resource to which the iam_binding policy attaches.

• #fully_explored ⇒ ::Boolean

  Represents whether all analyses on the iam_binding have successfully finished.

• #iam_binding ⇒ ::Google::Iam::V1::Binding

  The IAM policy binding under analysis.

• #identity_list ⇒ ::Google::Cloud::Asset::V1::IamPolicyAnalysisResult::IdentityList

  The identity list derived from members of the iam_binding that match or potentially match identity selector specified in the request.

Instance Attribute Details

#access_control_lists ⇒ ::Array<::Google::Cloud::Asset::V1::IamPolicyAnalysisResult::AccessControlList>

Returns The access control lists derived from the iam_binding that match or potentially match resource and access selectors specified in the request.

Returns:

• (::Array<::Google::Cloud::Asset::V1::IamPolicyAnalysisResult::AccessControlList>) —

  The access control lists derived from the iam_binding that match or potentially match resource and access selectors specified in the request.

# File 'proto_docs/google/cloud/asset/v1/assets.rb', line 987

class IamPolicyAnalysisResult
  include ::Google::Protobuf::MessageExts
  extend ::Google::Protobuf::MessageExts::ClassMethods

  # A Google Cloud resource under analysis.
  # @!attribute [rw] full_resource_name
  #   @return [::String]
  #     The [full resource
  #     name](https://cloud.google.com/asset-inventory/docs/resource-name-format)
  # @!attribute [rw] analysis_state
  #   @return [::Google::Cloud::Asset::V1::IamPolicyAnalysisState]
  #     The analysis state of this resource.
  class Resource
    include ::Google::Protobuf::MessageExts
    extend ::Google::Protobuf::MessageExts::ClassMethods
  end

  # An IAM role or permission under analysis.
  # @!attribute [rw] role
  #   @return [::String]
  #     The role.
  # @!attribute [rw] permission
  #   @return [::String]
  #     The permission.
  # @!attribute [rw] analysis_state
  #   @return [::Google::Cloud::Asset::V1::IamPolicyAnalysisState]
  #     The analysis state of this access.
  class Access
    include ::Google::Protobuf::MessageExts
    extend ::Google::Protobuf::MessageExts::ClassMethods
  end

  # An identity under analysis.
  # @!attribute [rw] name
  #   @return [::String]
  #     The identity of members, formatted as appear in an
  #     [IAM policy
  #     binding](https://cloud.google.com/iam/reference/rest/v1/Binding). For
  #     example, they might be formatted like the following:
  #
  #     - user:foo@google.com
  #     - group:group1@google.com
  #     - serviceAccount:s1@prj1.iam.gserviceaccount.com
  #     - projectOwner:some_project_id
  #     - domain:google.com
  #     - allUsers
  # @!attribute [rw] analysis_state
  #   @return [::Google::Cloud::Asset::V1::IamPolicyAnalysisState]
  #     The analysis state of this identity.
  class Identity
    include ::Google::Protobuf::MessageExts
    extend ::Google::Protobuf::MessageExts::ClassMethods
  end

  # A directional edge.
  # @!attribute [rw] source_node
  #   @return [::String]
  #     The source node of the edge. For example, it could be a full resource
  #     name for a resource node or an email of an identity.
  # @!attribute [rw] target_node
  #   @return [::String]
  #     The target node of the edge. For example, it could be a full resource
  #     name for a resource node or an email of an identity.
  class Edge
    include ::Google::Protobuf::MessageExts
    extend ::Google::Protobuf::MessageExts::ClassMethods
  end

  # An access control list, derived from the above IAM policy binding, which
  # contains a set of resources and accesses. May include one
  # item from each set to compose an access control entry.
  #
  # NOTICE that there could be multiple access control lists for one IAM policy
  # binding. The access control lists are created based on resource and access
  # combinations.
  #
  # For example, assume we have the following cases in one IAM policy binding:
  # - Permission P1 and P2 apply to resource R1 and R2;
  # - Permission P3 applies to resource R2 and R3;
  #
  # This will result in the following access control lists:
  # - AccessControlList 1: [R1, R2], [P1, P2]
  # - AccessControlList 2: [R2, R3], [P3]
  # @!attribute [rw] resources
  #   @return [::Array<::Google::Cloud::Asset::V1::IamPolicyAnalysisResult::Resource>]
  #     The resources that match one of the following conditions:
  #     - The resource_selector, if it is specified in request;
  #     - Otherwise, resources reachable from the policy attached resource.
  # @!attribute [rw] accesses
  #   @return [::Array<::Google::Cloud::Asset::V1::IamPolicyAnalysisResult::Access>]
  #     The accesses that match one of the following conditions:
  #     - The access_selector, if it is specified in request;
  #     - Otherwise, access specifiers reachable from the policy binding's role.
  # @!attribute [rw] resource_edges
  #   @return [::Array<::Google::Cloud::Asset::V1::IamPolicyAnalysisResult::Edge>]
  #     Resource edges of the graph starting from the policy attached
  #     resource to any descendant resources. The
  #     {::Google::Cloud::Asset::V1::IamPolicyAnalysisResult::Edge#source_node Edge.source_node}
  #     contains the full resource name of a parent resource and
  #     {::Google::Cloud::Asset::V1::IamPolicyAnalysisResult::Edge#target_node Edge.target_node}
  #     contains the full resource name of a child resource. This field is
  #     present only if the output_resource_edges option is enabled in request.
  # @!attribute [rw] condition_evaluation
  #   @return [::Google::Cloud::Asset::V1::ConditionEvaluation]
  #     Condition evaluation for this AccessControlList, if there is a condition
  #     defined in the above IAM policy binding.
  class AccessControlList
    include ::Google::Protobuf::MessageExts
    extend ::Google::Protobuf::MessageExts::ClassMethods
  end

  # The identities and group edges.
  # @!attribute [rw] identities
  #   @return [::Array<::Google::Cloud::Asset::V1::IamPolicyAnalysisResult::Identity>]
  #     Only the identities that match one of the following conditions will be
  #     presented:
  #     - The identity_selector, if it is specified in request;
  #     - Otherwise, identities reachable from the policy binding's members.
  # @!attribute [rw] group_edges
  #   @return [::Array<::Google::Cloud::Asset::V1::IamPolicyAnalysisResult::Edge>]
  #     Group identity edges of the graph starting from the binding's
  #     group members to any node of the
  #     {::Google::Cloud::Asset::V1::IamPolicyAnalysisResult::IdentityList#identities identities}.
  #     The
  #     {::Google::Cloud::Asset::V1::IamPolicyAnalysisResult::Edge#source_node Edge.source_node}
  #     contains a group, such as `group:parent@google.com`. The
  #     {::Google::Cloud::Asset::V1::IamPolicyAnalysisResult::Edge#target_node Edge.target_node}
  #     contains a member of the group, such as `group:child@google.com` or
  #     `user:foo@google.com`. This field is present only if the
  #     output_group_edges option is enabled in request.
  class IdentityList
    include ::Google::Protobuf::MessageExts
    extend ::Google::Protobuf::MessageExts::ClassMethods
  end
end

#attached_resource_full_name ⇒ ::String

Returns The full resource name of the resource to which the iam_binding policy attaches.

Returns:

• (::String) —

  The full resource name of the resource to which the iam_binding policy attaches.

# File 'proto_docs/google/cloud/asset/v1/assets.rb', line 987

class IamPolicyAnalysisResult
  include ::Google::Protobuf::MessageExts
  extend ::Google::Protobuf::MessageExts::ClassMethods

  # A Google Cloud resource under analysis.
  # @!attribute [rw] full_resource_name
  #   @return [::String]
  #     The [full resource
  #     name](https://cloud.google.com/asset-inventory/docs/resource-name-format)
  # @!attribute [rw] analysis_state
  #   @return [::Google::Cloud::Asset::V1::IamPolicyAnalysisState]
  #     The analysis state of this resource.
  class Resource
    include ::Google::Protobuf::MessageExts
    extend ::Google::Protobuf::MessageExts::ClassMethods
  end

  # An IAM role or permission under analysis.
  # @!attribute [rw] role
  #   @return [::String]
  #     The role.
  # @!attribute [rw] permission
  #   @return [::String]
  #     The permission.
  # @!attribute [rw] analysis_state
  #   @return [::Google::Cloud::Asset::V1::IamPolicyAnalysisState]
  #     The analysis state of this access.
  class Access
    include ::Google::Protobuf::MessageExts
    extend ::Google::Protobuf::MessageExts::ClassMethods
  end

  # An identity under analysis.
  # @!attribute [rw] name
  #   @return [::String]
  #     The identity of members, formatted as appear in an
  #     [IAM policy
  #     binding](https://cloud.google.com/iam/reference/rest/v1/Binding). For
  #     example, they might be formatted like the following:
  #
  #     - user:foo@google.com
  #     - group:group1@google.com
  #     - serviceAccount:s1@prj1.iam.gserviceaccount.com
  #     - projectOwner:some_project_id
  #     - domain:google.com
  #     - allUsers
  # @!attribute [rw] analysis_state
  #   @return [::Google::Cloud::Asset::V1::IamPolicyAnalysisState]
  #     The analysis state of this identity.
  class Identity
    include ::Google::Protobuf::MessageExts
    extend ::Google::Protobuf::MessageExts::ClassMethods
  end

  # A directional edge.
  # @!attribute [rw] source_node
  #   @return [::String]
  #     The source node of the edge. For example, it could be a full resource
  #     name for a resource node or an email of an identity.
  # @!attribute [rw] target_node
  #   @return [::String]
  #     The target node of the edge. For example, it could be a full resource
  #     name for a resource node or an email of an identity.
  class Edge
    include ::Google::Protobuf::MessageExts
    extend ::Google::Protobuf::MessageExts::ClassMethods
  end

  # An access control list, derived from the above IAM policy binding, which
  # contains a set of resources and accesses. May include one
  # item from each set to compose an access control entry.
  #
  # NOTICE that there could be multiple access control lists for one IAM policy
  # binding. The access control lists are created based on resource and access
  # combinations.
  #
  # For example, assume we have the following cases in one IAM policy binding:
  # - Permission P1 and P2 apply to resource R1 and R2;
  # - Permission P3 applies to resource R2 and R3;
  #
  # This will result in the following access control lists:
  # - AccessControlList 1: [R1, R2], [P1, P2]
  # - AccessControlList 2: [R2, R3], [P3]
  # @!attribute [rw] resources
  #   @return [::Array<::Google::Cloud::Asset::V1::IamPolicyAnalysisResult::Resource>]
  #     The resources that match one of the following conditions:
  #     - The resource_selector, if it is specified in request;
  #     - Otherwise, resources reachable from the policy attached resource.
  # @!attribute [rw] accesses
  #   @return [::Array<::Google::Cloud::Asset::V1::IamPolicyAnalysisResult::Access>]
  #     The accesses that match one of the following conditions:
  #     - The access_selector, if it is specified in request;
  #     - Otherwise, access specifiers reachable from the policy binding's role.
  # @!attribute [rw] resource_edges
  #   @return [::Array<::Google::Cloud::Asset::V1::IamPolicyAnalysisResult::Edge>]
  #     Resource edges of the graph starting from the policy attached
  #     resource to any descendant resources. The
  #     {::Google::Cloud::Asset::V1::IamPolicyAnalysisResult::Edge#source_node Edge.source_node}
  #     contains the full resource name of a parent resource and
  #     {::Google::Cloud::Asset::V1::IamPolicyAnalysisResult::Edge#target_node Edge.target_node}
  #     contains the full resource name of a child resource. This field is
  #     present only if the output_resource_edges option is enabled in request.
  # @!attribute [rw] condition_evaluation
  #   @return [::Google::Cloud::Asset::V1::ConditionEvaluation]
  #     Condition evaluation for this AccessControlList, if there is a condition
  #     defined in the above IAM policy binding.
  class AccessControlList
    include ::Google::Protobuf::MessageExts
    extend ::Google::Protobuf::MessageExts::ClassMethods
  end

  # The identities and group edges.
  # @!attribute [rw] identities
  #   @return [::Array<::Google::Cloud::Asset::V1::IamPolicyAnalysisResult::Identity>]
  #     Only the identities that match one of the following conditions will be
  #     presented:
  #     - The identity_selector, if it is specified in request;
  #     - Otherwise, identities reachable from the policy binding's members.
  # @!attribute [rw] group_edges
  #   @return [::Array<::Google::Cloud::Asset::V1::IamPolicyAnalysisResult::Edge>]
  #     Group identity edges of the graph starting from the binding's
  #     group members to any node of the
  #     {::Google::Cloud::Asset::V1::IamPolicyAnalysisResult::IdentityList#identities identities}.
  #     The
  #     {::Google::Cloud::Asset::V1::IamPolicyAnalysisResult::Edge#source_node Edge.source_node}
  #     contains a group, such as `group:parent@google.com`. The
  #     {::Google::Cloud::Asset::V1::IamPolicyAnalysisResult::Edge#target_node Edge.target_node}
  #     contains a member of the group, such as `group:child@google.com` or
  #     `user:foo@google.com`. This field is present only if the
  #     output_group_edges option is enabled in request.
  class IdentityList
    include ::Google::Protobuf::MessageExts
    extend ::Google::Protobuf::MessageExts::ClassMethods
  end
end

#fully_explored ⇒ ::Boolean

Returns Represents whether all analyses on the iam_binding have successfully finished.

Returns:

• (::Boolean) —

  Represents whether all analyses on the iam_binding have successfully finished.

# File 'proto_docs/google/cloud/asset/v1/assets.rb', line 987

class IamPolicyAnalysisResult
  include ::Google::Protobuf::MessageExts
  extend ::Google::Protobuf::MessageExts::ClassMethods

  # A Google Cloud resource under analysis.
  # @!attribute [rw] full_resource_name
  #   @return [::String]
  #     The [full resource
  #     name](https://cloud.google.com/asset-inventory/docs/resource-name-format)
  # @!attribute [rw] analysis_state
  #   @return [::Google::Cloud::Asset::V1::IamPolicyAnalysisState]
  #     The analysis state of this resource.
  class Resource
    include ::Google::Protobuf::MessageExts
    extend ::Google::Protobuf::MessageExts::ClassMethods
  end

  # An IAM role or permission under analysis.
  # @!attribute [rw] role
  #   @return [::String]
  #     The role.
  # @!attribute [rw] permission
  #   @return [::String]
  #     The permission.
  # @!attribute [rw] analysis_state
  #   @return [::Google::Cloud::Asset::V1::IamPolicyAnalysisState]
  #     The analysis state of this access.
  class Access
    include ::Google::Protobuf::MessageExts
    extend ::Google::Protobuf::MessageExts::ClassMethods
  end

  # An identity under analysis.
  # @!attribute [rw] name
  #   @return [::String]
  #     The identity of members, formatted as appear in an
  #     [IAM policy
  #     binding](https://cloud.google.com/iam/reference/rest/v1/Binding). For
  #     example, they might be formatted like the following:
  #
  #     - user:foo@google.com
  #     - group:group1@google.com
  #     - serviceAccount:s1@prj1.iam.gserviceaccount.com
  #     - projectOwner:some_project_id
  #     - domain:google.com
  #     - allUsers
  # @!attribute [rw] analysis_state
  #   @return [::Google::Cloud::Asset::V1::IamPolicyAnalysisState]
  #     The analysis state of this identity.
  class Identity
    include ::Google::Protobuf::MessageExts
    extend ::Google::Protobuf::MessageExts::ClassMethods
  end

  # A directional edge.
  # @!attribute [rw] source_node
  #   @return [::String]
  #     The source node of the edge. For example, it could be a full resource
  #     name for a resource node or an email of an identity.
  # @!attribute [rw] target_node
  #   @return [::String]
  #     The target node of the edge. For example, it could be a full resource
  #     name for a resource node or an email of an identity.
  class Edge
    include ::Google::Protobuf::MessageExts
    extend ::Google::Protobuf::MessageExts::ClassMethods
  end

  # An access control list, derived from the above IAM policy binding, which
  # contains a set of resources and accesses. May include one
  # item from each set to compose an access control entry.
  #
  # NOTICE that there could be multiple access control lists for one IAM policy
  # binding. The access control lists are created based on resource and access
  # combinations.
  #
  # For example, assume we have the following cases in one IAM policy binding:
  # - Permission P1 and P2 apply to resource R1 and R2;
  # - Permission P3 applies to resource R2 and R3;
  #
  # This will result in the following access control lists:
  # - AccessControlList 1: [R1, R2], [P1, P2]
  # - AccessControlList 2: [R2, R3], [P3]
  # @!attribute [rw] resources
  #   @return [::Array<::Google::Cloud::Asset::V1::IamPolicyAnalysisResult::Resource>]
  #     The resources that match one of the following conditions:
  #     - The resource_selector, if it is specified in request;
  #     - Otherwise, resources reachable from the policy attached resource.
  # @!attribute [rw] accesses
  #   @return [::Array<::Google::Cloud::Asset::V1::IamPolicyAnalysisResult::Access>]
  #     The accesses that match one of the following conditions:
  #     - The access_selector, if it is specified in request;
  #     - Otherwise, access specifiers reachable from the policy binding's role.
  # @!attribute [rw] resource_edges
  #   @return [::Array<::Google::Cloud::Asset::V1::IamPolicyAnalysisResult::Edge>]
  #     Resource edges of the graph starting from the policy attached
  #     resource to any descendant resources. The
  #     {::Google::Cloud::Asset::V1::IamPolicyAnalysisResult::Edge#source_node Edge.source_node}
  #     contains the full resource name of a parent resource and
  #     {::Google::Cloud::Asset::V1::IamPolicyAnalysisResult::Edge#target_node Edge.target_node}
  #     contains the full resource name of a child resource. This field is
  #     present only if the output_resource_edges option is enabled in request.
  # @!attribute [rw] condition_evaluation
  #   @return [::Google::Cloud::Asset::V1::ConditionEvaluation]
  #     Condition evaluation for this AccessControlList, if there is a condition
  #     defined in the above IAM policy binding.
  class AccessControlList
    include ::Google::Protobuf::MessageExts
    extend ::Google::Protobuf::MessageExts::ClassMethods
  end

  # The identities and group edges.
  # @!attribute [rw] identities
  #   @return [::Array<::Google::Cloud::Asset::V1::IamPolicyAnalysisResult::Identity>]
  #     Only the identities that match one of the following conditions will be
  #     presented:
  #     - The identity_selector, if it is specified in request;
  #     - Otherwise, identities reachable from the policy binding's members.
  # @!attribute [rw] group_edges
  #   @return [::Array<::Google::Cloud::Asset::V1::IamPolicyAnalysisResult::Edge>]
  #     Group identity edges of the graph starting from the binding's
  #     group members to any node of the
  #     {::Google::Cloud::Asset::V1::IamPolicyAnalysisResult::IdentityList#identities identities}.
  #     The
  #     {::Google::Cloud::Asset::V1::IamPolicyAnalysisResult::Edge#source_node Edge.source_node}
  #     contains a group, such as `group:parent@google.com`. The
  #     {::Google::Cloud::Asset::V1::IamPolicyAnalysisResult::Edge#target_node Edge.target_node}
  #     contains a member of the group, such as `group:child@google.com` or
  #     `user:foo@google.com`. This field is present only if the
  #     output_group_edges option is enabled in request.
  class IdentityList
    include ::Google::Protobuf::MessageExts
    extend ::Google::Protobuf::MessageExts::ClassMethods
  end
end

#iam_binding ⇒ ::Google::Iam::V1::Binding

Returns The IAM policy binding under analysis.

Returns:

• (::Google::Iam::V1::Binding) —

  The IAM policy binding under analysis.

# File 'proto_docs/google/cloud/asset/v1/assets.rb', line 987

class IamPolicyAnalysisResult
  include ::Google::Protobuf::MessageExts
  extend ::Google::Protobuf::MessageExts::ClassMethods

  # A Google Cloud resource under analysis.
  # @!attribute [rw] full_resource_name
  #   @return [::String]
  #     The [full resource
  #     name](https://cloud.google.com/asset-inventory/docs/resource-name-format)
  # @!attribute [rw] analysis_state
  #   @return [::Google::Cloud::Asset::V1::IamPolicyAnalysisState]
  #     The analysis state of this resource.
  class Resource
    include ::Google::Protobuf::MessageExts
    extend ::Google::Protobuf::MessageExts::ClassMethods
  end

  # An IAM role or permission under analysis.
  # @!attribute [rw] role
  #   @return [::String]
  #     The role.
  # @!attribute [rw] permission
  #   @return [::String]
  #     The permission.
  # @!attribute [rw] analysis_state
  #   @return [::Google::Cloud::Asset::V1::IamPolicyAnalysisState]
  #     The analysis state of this access.
  class Access
    include ::Google::Protobuf::MessageExts
    extend ::Google::Protobuf::MessageExts::ClassMethods
  end

  # An identity under analysis.
  # @!attribute [rw] name
  #   @return [::String]
  #     The identity of members, formatted as appear in an
  #     [IAM policy
  #     binding](https://cloud.google.com/iam/reference/rest/v1/Binding). For
  #     example, they might be formatted like the following:
  #
  #     - user:foo@google.com
  #     - group:group1@google.com
  #     - serviceAccount:s1@prj1.iam.gserviceaccount.com
  #     - projectOwner:some_project_id
  #     - domain:google.com
  #     - allUsers
  # @!attribute [rw] analysis_state
  #   @return [::Google::Cloud::Asset::V1::IamPolicyAnalysisState]
  #     The analysis state of this identity.
  class Identity
    include ::Google::Protobuf::MessageExts
    extend ::Google::Protobuf::MessageExts::ClassMethods
  end

  # A directional edge.
  # @!attribute [rw] source_node
  #   @return [::String]
  #     The source node of the edge. For example, it could be a full resource
  #     name for a resource node or an email of an identity.
  # @!attribute [rw] target_node
  #   @return [::String]
  #     The target node of the edge. For example, it could be a full resource
  #     name for a resource node or an email of an identity.
  class Edge
    include ::Google::Protobuf::MessageExts
    extend ::Google::Protobuf::MessageExts::ClassMethods
  end

  # An access control list, derived from the above IAM policy binding, which
  # contains a set of resources and accesses. May include one
  # item from each set to compose an access control entry.
  #
  # NOTICE that there could be multiple access control lists for one IAM policy
  # binding. The access control lists are created based on resource and access
  # combinations.
  #
  # For example, assume we have the following cases in one IAM policy binding:
  # - Permission P1 and P2 apply to resource R1 and R2;
  # - Permission P3 applies to resource R2 and R3;
  #
  # This will result in the following access control lists:
  # - AccessControlList 1: [R1, R2], [P1, P2]
  # - AccessControlList 2: [R2, R3], [P3]
  # @!attribute [rw] resources
  #   @return [::Array<::Google::Cloud::Asset::V1::IamPolicyAnalysisResult::Resource>]
  #     The resources that match one of the following conditions:
  #     - The resource_selector, if it is specified in request;
  #     - Otherwise, resources reachable from the policy attached resource.
  # @!attribute [rw] accesses
  #   @return [::Array<::Google::Cloud::Asset::V1::IamPolicyAnalysisResult::Access>]
  #     The accesses that match one of the following conditions:
  #     - The access_selector, if it is specified in request;
  #     - Otherwise, access specifiers reachable from the policy binding's role.
  # @!attribute [rw] resource_edges
  #   @return [::Array<::Google::Cloud::Asset::V1::IamPolicyAnalysisResult::Edge>]
  #     Resource edges of the graph starting from the policy attached
  #     resource to any descendant resources. The
  #     {::Google::Cloud::Asset::V1::IamPolicyAnalysisResult::Edge#source_node Edge.source_node}
  #     contains the full resource name of a parent resource and
  #     {::Google::Cloud::Asset::V1::IamPolicyAnalysisResult::Edge#target_node Edge.target_node}
  #     contains the full resource name of a child resource. This field is
  #     present only if the output_resource_edges option is enabled in request.
  # @!attribute [rw] condition_evaluation
  #   @return [::Google::Cloud::Asset::V1::ConditionEvaluation]
  #     Condition evaluation for this AccessControlList, if there is a condition
  #     defined in the above IAM policy binding.
  class AccessControlList
    include ::Google::Protobuf::MessageExts
    extend ::Google::Protobuf::MessageExts::ClassMethods
  end

  # The identities and group edges.
  # @!attribute [rw] identities
  #   @return [::Array<::Google::Cloud::Asset::V1::IamPolicyAnalysisResult::Identity>]
  #     Only the identities that match one of the following conditions will be
  #     presented:
  #     - The identity_selector, if it is specified in request;
  #     - Otherwise, identities reachable from the policy binding's members.
  # @!attribute [rw] group_edges
  #   @return [::Array<::Google::Cloud::Asset::V1::IamPolicyAnalysisResult::Edge>]
  #     Group identity edges of the graph starting from the binding's
  #     group members to any node of the
  #     {::Google::Cloud::Asset::V1::IamPolicyAnalysisResult::IdentityList#identities identities}.
  #     The
  #     {::Google::Cloud::Asset::V1::IamPolicyAnalysisResult::Edge#source_node Edge.source_node}
  #     contains a group, such as `group:parent@google.com`. The
  #     {::Google::Cloud::Asset::V1::IamPolicyAnalysisResult::Edge#target_node Edge.target_node}
  #     contains a member of the group, such as `group:child@google.com` or
  #     `user:foo@google.com`. This field is present only if the
  #     output_group_edges option is enabled in request.
  class IdentityList
    include ::Google::Protobuf::MessageExts
    extend ::Google::Protobuf::MessageExts::ClassMethods
  end
end

#identity_list ⇒ ::Google::Cloud::Asset::V1::IamPolicyAnalysisResult::IdentityList

Returns The identity list derived from members of the iam_binding that match or potentially match identity selector specified in the request.

Returns:

• (::Google::Cloud::Asset::V1::IamPolicyAnalysisResult::IdentityList) —

  The identity list derived from members of the iam_binding that match or potentially match identity selector specified in the request.

# File 'proto_docs/google/cloud/asset/v1/assets.rb', line 987

class IamPolicyAnalysisResult
  include ::Google::Protobuf::MessageExts
  extend ::Google::Protobuf::MessageExts::ClassMethods

  # A Google Cloud resource under analysis.
  # @!attribute [rw] full_resource_name
  #   @return [::String]
  #     The [full resource
  #     name](https://cloud.google.com/asset-inventory/docs/resource-name-format)
  # @!attribute [rw] analysis_state
  #   @return [::Google::Cloud::Asset::V1::IamPolicyAnalysisState]
  #     The analysis state of this resource.
  class Resource
    include ::Google::Protobuf::MessageExts
    extend ::Google::Protobuf::MessageExts::ClassMethods
  end

  # An IAM role or permission under analysis.
  # @!attribute [rw] role
  #   @return [::String]
  #     The role.
  # @!attribute [rw] permission
  #   @return [::String]
  #     The permission.
  # @!attribute [rw] analysis_state
  #   @return [::Google::Cloud::Asset::V1::IamPolicyAnalysisState]
  #     The analysis state of this access.
  class Access
    include ::Google::Protobuf::MessageExts
    extend ::Google::Protobuf::MessageExts::ClassMethods
  end

  # An identity under analysis.
  # @!attribute [rw] name
  #   @return [::String]
  #     The identity of members, formatted as appear in an
  #     [IAM policy
  #     binding](https://cloud.google.com/iam/reference/rest/v1/Binding). For
  #     example, they might be formatted like the following:
  #
  #     - user:foo@google.com
  #     - group:group1@google.com
  #     - serviceAccount:s1@prj1.iam.gserviceaccount.com
  #     - projectOwner:some_project_id
  #     - domain:google.com
  #     - allUsers
  # @!attribute [rw] analysis_state
  #   @return [::Google::Cloud::Asset::V1::IamPolicyAnalysisState]
  #     The analysis state of this identity.
  class Identity
    include ::Google::Protobuf::MessageExts
    extend ::Google::Protobuf::MessageExts::ClassMethods
  end

  # A directional edge.
  # @!attribute [rw] source_node
  #   @return [::String]
  #     The source node of the edge. For example, it could be a full resource
  #     name for a resource node or an email of an identity.
  # @!attribute [rw] target_node
  #   @return [::String]
  #     The target node of the edge. For example, it could be a full resource
  #     name for a resource node or an email of an identity.
  class Edge
    include ::Google::Protobuf::MessageExts
    extend ::Google::Protobuf::MessageExts::ClassMethods
  end

  # An access control list, derived from the above IAM policy binding, which
  # contains a set of resources and accesses. May include one
  # item from each set to compose an access control entry.
  #
  # NOTICE that there could be multiple access control lists for one IAM policy
  # binding. The access control lists are created based on resource and access
  # combinations.
  #
  # For example, assume we have the following cases in one IAM policy binding:
  # - Permission P1 and P2 apply to resource R1 and R2;
  # - Permission P3 applies to resource R2 and R3;
  #
  # This will result in the following access control lists:
  # - AccessControlList 1: [R1, R2], [P1, P2]
  # - AccessControlList 2: [R2, R3], [P3]
  # @!attribute [rw] resources
  #   @return [::Array<::Google::Cloud::Asset::V1::IamPolicyAnalysisResult::Resource>]
  #     The resources that match one of the following conditions:
  #     - The resource_selector, if it is specified in request;
  #     - Otherwise, resources reachable from the policy attached resource.
  # @!attribute [rw] accesses
  #   @return [::Array<::Google::Cloud::Asset::V1::IamPolicyAnalysisResult::Access>]
  #     The accesses that match one of the following conditions:
  #     - The access_selector, if it is specified in request;
  #     - Otherwise, access specifiers reachable from the policy binding's role.
  # @!attribute [rw] resource_edges
  #   @return [::Array<::Google::Cloud::Asset::V1::IamPolicyAnalysisResult::Edge>]
  #     Resource edges of the graph starting from the policy attached
  #     resource to any descendant resources. The
  #     {::Google::Cloud::Asset::V1::IamPolicyAnalysisResult::Edge#source_node Edge.source_node}
  #     contains the full resource name of a parent resource and
  #     {::Google::Cloud::Asset::V1::IamPolicyAnalysisResult::Edge#target_node Edge.target_node}
  #     contains the full resource name of a child resource. This field is
  #     present only if the output_resource_edges option is enabled in request.
  # @!attribute [rw] condition_evaluation
  #   @return [::Google::Cloud::Asset::V1::ConditionEvaluation]
  #     Condition evaluation for this AccessControlList, if there is a condition
  #     defined in the above IAM policy binding.
  class AccessControlList
    include ::Google::Protobuf::MessageExts
    extend ::Google::Protobuf::MessageExts::ClassMethods
  end

  # The identities and group edges.
  # @!attribute [rw] identities
  #   @return [::Array<::Google::Cloud::Asset::V1::IamPolicyAnalysisResult::Identity>]
  #     Only the identities that match one of the following conditions will be
  #     presented:
  #     - The identity_selector, if it is specified in request;
  #     - Otherwise, identities reachable from the policy binding's members.
  # @!attribute [rw] group_edges
  #   @return [::Array<::Google::Cloud::Asset::V1::IamPolicyAnalysisResult::Edge>]
  #     Group identity edges of the graph starting from the binding's
  #     group members to any node of the
  #     {::Google::Cloud::Asset::V1::IamPolicyAnalysisResult::IdentityList#identities identities}.
  #     The
  #     {::Google::Cloud::Asset::V1::IamPolicyAnalysisResult::Edge#source_node Edge.source_node}
  #     contains a group, such as `group:parent@google.com`. The
  #     {::Google::Cloud::Asset::V1::IamPolicyAnalysisResult::Edge#target_node Edge.target_node}
  #     contains a member of the group, such as `group:child@google.com` or
  #     `user:foo@google.com`. This field is present only if the
  #     output_group_edges option is enabled in request.
  class IdentityList
    include ::Google::Protobuf::MessageExts
    extend ::Google::Protobuf::MessageExts::ClassMethods
  end
end