Class: Google::Cloud::PolicySimulator::V1::BindingExplanation

Inherits:
Object
  • Object
show all
Extended by:
Protobuf::MessageExts::ClassMethods
Includes:
Protobuf::MessageExts
Defined in:
proto_docs/google/cloud/policysimulator/v1/explanations.rb

Overview

Details about how a binding in a policy affects a principal's ability to use a permission.

Defined Under Namespace

Modules: Membership, RolePermission Classes: AnnotatedMembership, MembershipsEntry

Instance Attribute Summary collapse

Instance Attribute Details

#access::Google::Cloud::PolicySimulator::V1::AccessState

Returns Required. Indicates whether this binding provides the specified permission to the specified principal for the specified resource.

This field does not indicate whether the principal actually has the permission for the resource. There might be another binding that overrides this binding. To determine whether the principal actually has the permission, use the access field in the [TroubleshootIamPolicyResponse][IamChecker.TroubleshootIamPolicyResponse].

Returns:

  • (::Google::Cloud::PolicySimulator::V1::AccessState)

    Required. Indicates whether this binding provides the specified permission to the specified principal for the specified resource.

    This field does not indicate whether the principal actually has the permission for the resource. There might be another binding that overrides this binding. To determine whether the principal actually has the permission, use the access field in the [TroubleshootIamPolicyResponse][IamChecker.TroubleshootIamPolicyResponse].



167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
# File 'proto_docs/google/cloud/policysimulator/v1/explanations.rb', line 167

class BindingExplanation
  include ::Google::Protobuf::MessageExts
  extend ::Google::Protobuf::MessageExts::ClassMethods

  # Details about whether the binding includes the principal.
  # @!attribute [rw] membership
  #   @return [::Google::Cloud::PolicySimulator::V1::BindingExplanation::Membership]
  #     Indicates whether the binding includes the principal.
  # @!attribute [rw] relevance
  #   @return [::Google::Cloud::PolicySimulator::V1::HeuristicRelevance]
  #     The relevance of the principal's status to the overall determination for
  #     the binding.
  class AnnotatedMembership
    include ::Google::Protobuf::MessageExts
    extend ::Google::Protobuf::MessageExts::ClassMethods
  end

  # @!attribute [rw] key
  #   @return [::String]
  # @!attribute [rw] value
  #   @return [::Google::Cloud::PolicySimulator::V1::BindingExplanation::AnnotatedMembership]
  class MembershipsEntry
    include ::Google::Protobuf::MessageExts
    extend ::Google::Protobuf::MessageExts::ClassMethods
  end

  # Whether a role includes a specific permission.
  module RolePermission
    # Default value. This value is unused.
    ROLE_PERMISSION_UNSPECIFIED = 0

    # The permission is included in the role.
    ROLE_PERMISSION_INCLUDED = 1

    # The permission is not included in the role.
    ROLE_PERMISSION_NOT_INCLUDED = 2

    # The user who created the
    # {::Google::Cloud::PolicySimulator::V1::Replay Replay} is not
    # allowed to access the binding.
    ROLE_PERMISSION_UNKNOWN_INFO_DENIED = 3
  end

  # Whether the binding includes the principal.
  module Membership
    # Default value. This value is unused.
    MEMBERSHIP_UNSPECIFIED = 0

    # The binding includes the principal. The principal can be included
    # directly or indirectly. For example:
    #
    # * A principal is included directly if that principal is listed in the
    #   binding.
    # * A principal is included indirectly if that principal is in a Google
    #   group or Google Workspace domain that is listed in the binding.
    MEMBERSHIP_INCLUDED = 1

    # The binding does not include the principal.
    MEMBERSHIP_NOT_INCLUDED = 2

    # The user who created the
    # {::Google::Cloud::PolicySimulator::V1::Replay Replay} is not
    # allowed to access the binding.
    MEMBERSHIP_UNKNOWN_INFO_DENIED = 3

    # The principal is an unsupported type. Only Google Accounts and service
    # accounts are supported.
    MEMBERSHIP_UNKNOWN_UNSUPPORTED = 4
  end
end

#condition::Google::Type::Expr

Returns A condition expression that prevents this binding from granting access unless the expression evaluates to true.

To learn about IAM Conditions, see https://cloud.google.com/iam/docs/conditions-overview.

Returns:



167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
# File 'proto_docs/google/cloud/policysimulator/v1/explanations.rb', line 167

class BindingExplanation
  include ::Google::Protobuf::MessageExts
  extend ::Google::Protobuf::MessageExts::ClassMethods

  # Details about whether the binding includes the principal.
  # @!attribute [rw] membership
  #   @return [::Google::Cloud::PolicySimulator::V1::BindingExplanation::Membership]
  #     Indicates whether the binding includes the principal.
  # @!attribute [rw] relevance
  #   @return [::Google::Cloud::PolicySimulator::V1::HeuristicRelevance]
  #     The relevance of the principal's status to the overall determination for
  #     the binding.
  class AnnotatedMembership
    include ::Google::Protobuf::MessageExts
    extend ::Google::Protobuf::MessageExts::ClassMethods
  end

  # @!attribute [rw] key
  #   @return [::String]
  # @!attribute [rw] value
  #   @return [::Google::Cloud::PolicySimulator::V1::BindingExplanation::AnnotatedMembership]
  class MembershipsEntry
    include ::Google::Protobuf::MessageExts
    extend ::Google::Protobuf::MessageExts::ClassMethods
  end

  # Whether a role includes a specific permission.
  module RolePermission
    # Default value. This value is unused.
    ROLE_PERMISSION_UNSPECIFIED = 0

    # The permission is included in the role.
    ROLE_PERMISSION_INCLUDED = 1

    # The permission is not included in the role.
    ROLE_PERMISSION_NOT_INCLUDED = 2

    # The user who created the
    # {::Google::Cloud::PolicySimulator::V1::Replay Replay} is not
    # allowed to access the binding.
    ROLE_PERMISSION_UNKNOWN_INFO_DENIED = 3
  end

  # Whether the binding includes the principal.
  module Membership
    # Default value. This value is unused.
    MEMBERSHIP_UNSPECIFIED = 0

    # The binding includes the principal. The principal can be included
    # directly or indirectly. For example:
    #
    # * A principal is included directly if that principal is listed in the
    #   binding.
    # * A principal is included indirectly if that principal is in a Google
    #   group or Google Workspace domain that is listed in the binding.
    MEMBERSHIP_INCLUDED = 1

    # The binding does not include the principal.
    MEMBERSHIP_NOT_INCLUDED = 2

    # The user who created the
    # {::Google::Cloud::PolicySimulator::V1::Replay Replay} is not
    # allowed to access the binding.
    MEMBERSHIP_UNKNOWN_INFO_DENIED = 3

    # The principal is an unsupported type. Only Google Accounts and service
    # accounts are supported.
    MEMBERSHIP_UNKNOWN_UNSUPPORTED = 4
  end
end

#memberships::Google::Protobuf::Map{::String => ::Google::Cloud::PolicySimulator::V1::BindingExplanation::AnnotatedMembership}

Returns Indicates whether each principal in the binding includes the principal specified in the request, either directly or indirectly. Each key identifies a principal in the binding, and each value indicates whether the principal in the binding includes the principal in the request.

For example, suppose that a binding includes the following principals:

The principal in the replayed access tuple is user:[email protected]. This user is a principal of the group group:[email protected].

For the first principal in the binding, the key is user:[email protected], and the membership field in the value is set to MEMBERSHIP_NOT_INCLUDED.

For the second principal in the binding, the key is group:[email protected], and the membership field in the value is set to MEMBERSHIP_INCLUDED.

Returns:

  • (::Google::Protobuf::Map{::String => ::Google::Cloud::PolicySimulator::V1::BindingExplanation::AnnotatedMembership})

    Indicates whether each principal in the binding includes the principal specified in the request, either directly or indirectly. Each key identifies a principal in the binding, and each value indicates whether the principal in the binding includes the principal in the request.

    For example, suppose that a binding includes the following principals:

    The principal in the replayed access tuple is user:[email protected]. This user is a principal of the group group:[email protected].

    For the first principal in the binding, the key is user:[email protected], and the membership field in the value is set to MEMBERSHIP_NOT_INCLUDED.

    For the second principal in the binding, the key is group:[email protected], and the membership field in the value is set to MEMBERSHIP_INCLUDED.



167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
# File 'proto_docs/google/cloud/policysimulator/v1/explanations.rb', line 167

class BindingExplanation
  include ::Google::Protobuf::MessageExts
  extend ::Google::Protobuf::MessageExts::ClassMethods

  # Details about whether the binding includes the principal.
  # @!attribute [rw] membership
  #   @return [::Google::Cloud::PolicySimulator::V1::BindingExplanation::Membership]
  #     Indicates whether the binding includes the principal.
  # @!attribute [rw] relevance
  #   @return [::Google::Cloud::PolicySimulator::V1::HeuristicRelevance]
  #     The relevance of the principal's status to the overall determination for
  #     the binding.
  class AnnotatedMembership
    include ::Google::Protobuf::MessageExts
    extend ::Google::Protobuf::MessageExts::ClassMethods
  end

  # @!attribute [rw] key
  #   @return [::String]
  # @!attribute [rw] value
  #   @return [::Google::Cloud::PolicySimulator::V1::BindingExplanation::AnnotatedMembership]
  class MembershipsEntry
    include ::Google::Protobuf::MessageExts
    extend ::Google::Protobuf::MessageExts::ClassMethods
  end

  # Whether a role includes a specific permission.
  module RolePermission
    # Default value. This value is unused.
    ROLE_PERMISSION_UNSPECIFIED = 0

    # The permission is included in the role.
    ROLE_PERMISSION_INCLUDED = 1

    # The permission is not included in the role.
    ROLE_PERMISSION_NOT_INCLUDED = 2

    # The user who created the
    # {::Google::Cloud::PolicySimulator::V1::Replay Replay} is not
    # allowed to access the binding.
    ROLE_PERMISSION_UNKNOWN_INFO_DENIED = 3
  end

  # Whether the binding includes the principal.
  module Membership
    # Default value. This value is unused.
    MEMBERSHIP_UNSPECIFIED = 0

    # The binding includes the principal. The principal can be included
    # directly or indirectly. For example:
    #
    # * A principal is included directly if that principal is listed in the
    #   binding.
    # * A principal is included indirectly if that principal is in a Google
    #   group or Google Workspace domain that is listed in the binding.
    MEMBERSHIP_INCLUDED = 1

    # The binding does not include the principal.
    MEMBERSHIP_NOT_INCLUDED = 2

    # The user who created the
    # {::Google::Cloud::PolicySimulator::V1::Replay Replay} is not
    # allowed to access the binding.
    MEMBERSHIP_UNKNOWN_INFO_DENIED = 3

    # The principal is an unsupported type. Only Google Accounts and service
    # accounts are supported.
    MEMBERSHIP_UNKNOWN_UNSUPPORTED = 4
  end
end

#relevance::Google::Cloud::PolicySimulator::V1::HeuristicRelevance

Returns The relevance of this binding to the overall determination for the entire policy.

Returns:



167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
# File 'proto_docs/google/cloud/policysimulator/v1/explanations.rb', line 167

class BindingExplanation
  include ::Google::Protobuf::MessageExts
  extend ::Google::Protobuf::MessageExts::ClassMethods

  # Details about whether the binding includes the principal.
  # @!attribute [rw] membership
  #   @return [::Google::Cloud::PolicySimulator::V1::BindingExplanation::Membership]
  #     Indicates whether the binding includes the principal.
  # @!attribute [rw] relevance
  #   @return [::Google::Cloud::PolicySimulator::V1::HeuristicRelevance]
  #     The relevance of the principal's status to the overall determination for
  #     the binding.
  class AnnotatedMembership
    include ::Google::Protobuf::MessageExts
    extend ::Google::Protobuf::MessageExts::ClassMethods
  end

  # @!attribute [rw] key
  #   @return [::String]
  # @!attribute [rw] value
  #   @return [::Google::Cloud::PolicySimulator::V1::BindingExplanation::AnnotatedMembership]
  class MembershipsEntry
    include ::Google::Protobuf::MessageExts
    extend ::Google::Protobuf::MessageExts::ClassMethods
  end

  # Whether a role includes a specific permission.
  module RolePermission
    # Default value. This value is unused.
    ROLE_PERMISSION_UNSPECIFIED = 0

    # The permission is included in the role.
    ROLE_PERMISSION_INCLUDED = 1

    # The permission is not included in the role.
    ROLE_PERMISSION_NOT_INCLUDED = 2

    # The user who created the
    # {::Google::Cloud::PolicySimulator::V1::Replay Replay} is not
    # allowed to access the binding.
    ROLE_PERMISSION_UNKNOWN_INFO_DENIED = 3
  end

  # Whether the binding includes the principal.
  module Membership
    # Default value. This value is unused.
    MEMBERSHIP_UNSPECIFIED = 0

    # The binding includes the principal. The principal can be included
    # directly or indirectly. For example:
    #
    # * A principal is included directly if that principal is listed in the
    #   binding.
    # * A principal is included indirectly if that principal is in a Google
    #   group or Google Workspace domain that is listed in the binding.
    MEMBERSHIP_INCLUDED = 1

    # The binding does not include the principal.
    MEMBERSHIP_NOT_INCLUDED = 2

    # The user who created the
    # {::Google::Cloud::PolicySimulator::V1::Replay Replay} is not
    # allowed to access the binding.
    MEMBERSHIP_UNKNOWN_INFO_DENIED = 3

    # The principal is an unsupported type. Only Google Accounts and service
    # accounts are supported.
    MEMBERSHIP_UNKNOWN_UNSUPPORTED = 4
  end
end

#role::String

Returns The role that this binding grants. For example, roles/compute.serviceAgent.

For a complete list of predefined IAM roles, as well as the permissions in each role, see https://cloud.google.com/iam/help/roles/reference.

Returns:



167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
# File 'proto_docs/google/cloud/policysimulator/v1/explanations.rb', line 167

class BindingExplanation
  include ::Google::Protobuf::MessageExts
  extend ::Google::Protobuf::MessageExts::ClassMethods

  # Details about whether the binding includes the principal.
  # @!attribute [rw] membership
  #   @return [::Google::Cloud::PolicySimulator::V1::BindingExplanation::Membership]
  #     Indicates whether the binding includes the principal.
  # @!attribute [rw] relevance
  #   @return [::Google::Cloud::PolicySimulator::V1::HeuristicRelevance]
  #     The relevance of the principal's status to the overall determination for
  #     the binding.
  class AnnotatedMembership
    include ::Google::Protobuf::MessageExts
    extend ::Google::Protobuf::MessageExts::ClassMethods
  end

  # @!attribute [rw] key
  #   @return [::String]
  # @!attribute [rw] value
  #   @return [::Google::Cloud::PolicySimulator::V1::BindingExplanation::AnnotatedMembership]
  class MembershipsEntry
    include ::Google::Protobuf::MessageExts
    extend ::Google::Protobuf::MessageExts::ClassMethods
  end

  # Whether a role includes a specific permission.
  module RolePermission
    # Default value. This value is unused.
    ROLE_PERMISSION_UNSPECIFIED = 0

    # The permission is included in the role.
    ROLE_PERMISSION_INCLUDED = 1

    # The permission is not included in the role.
    ROLE_PERMISSION_NOT_INCLUDED = 2

    # The user who created the
    # {::Google::Cloud::PolicySimulator::V1::Replay Replay} is not
    # allowed to access the binding.
    ROLE_PERMISSION_UNKNOWN_INFO_DENIED = 3
  end

  # Whether the binding includes the principal.
  module Membership
    # Default value. This value is unused.
    MEMBERSHIP_UNSPECIFIED = 0

    # The binding includes the principal. The principal can be included
    # directly or indirectly. For example:
    #
    # * A principal is included directly if that principal is listed in the
    #   binding.
    # * A principal is included indirectly if that principal is in a Google
    #   group or Google Workspace domain that is listed in the binding.
    MEMBERSHIP_INCLUDED = 1

    # The binding does not include the principal.
    MEMBERSHIP_NOT_INCLUDED = 2

    # The user who created the
    # {::Google::Cloud::PolicySimulator::V1::Replay Replay} is not
    # allowed to access the binding.
    MEMBERSHIP_UNKNOWN_INFO_DENIED = 3

    # The principal is an unsupported type. Only Google Accounts and service
    # accounts are supported.
    MEMBERSHIP_UNKNOWN_UNSUPPORTED = 4
  end
end

#role_permission::Google::Cloud::PolicySimulator::V1::BindingExplanation::RolePermission

Returns Indicates whether the role granted by this binding contains the specified permission.

Returns:



167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
# File 'proto_docs/google/cloud/policysimulator/v1/explanations.rb', line 167

class BindingExplanation
  include ::Google::Protobuf::MessageExts
  extend ::Google::Protobuf::MessageExts::ClassMethods

  # Details about whether the binding includes the principal.
  # @!attribute [rw] membership
  #   @return [::Google::Cloud::PolicySimulator::V1::BindingExplanation::Membership]
  #     Indicates whether the binding includes the principal.
  # @!attribute [rw] relevance
  #   @return [::Google::Cloud::PolicySimulator::V1::HeuristicRelevance]
  #     The relevance of the principal's status to the overall determination for
  #     the binding.
  class AnnotatedMembership
    include ::Google::Protobuf::MessageExts
    extend ::Google::Protobuf::MessageExts::ClassMethods
  end

  # @!attribute [rw] key
  #   @return [::String]
  # @!attribute [rw] value
  #   @return [::Google::Cloud::PolicySimulator::V1::BindingExplanation::AnnotatedMembership]
  class MembershipsEntry
    include ::Google::Protobuf::MessageExts
    extend ::Google::Protobuf::MessageExts::ClassMethods
  end

  # Whether a role includes a specific permission.
  module RolePermission
    # Default value. This value is unused.
    ROLE_PERMISSION_UNSPECIFIED = 0

    # The permission is included in the role.
    ROLE_PERMISSION_INCLUDED = 1

    # The permission is not included in the role.
    ROLE_PERMISSION_NOT_INCLUDED = 2

    # The user who created the
    # {::Google::Cloud::PolicySimulator::V1::Replay Replay} is not
    # allowed to access the binding.
    ROLE_PERMISSION_UNKNOWN_INFO_DENIED = 3
  end

  # Whether the binding includes the principal.
  module Membership
    # Default value. This value is unused.
    MEMBERSHIP_UNSPECIFIED = 0

    # The binding includes the principal. The principal can be included
    # directly or indirectly. For example:
    #
    # * A principal is included directly if that principal is listed in the
    #   binding.
    # * A principal is included indirectly if that principal is in a Google
    #   group or Google Workspace domain that is listed in the binding.
    MEMBERSHIP_INCLUDED = 1

    # The binding does not include the principal.
    MEMBERSHIP_NOT_INCLUDED = 2

    # The user who created the
    # {::Google::Cloud::PolicySimulator::V1::Replay Replay} is not
    # allowed to access the binding.
    MEMBERSHIP_UNKNOWN_INFO_DENIED = 3

    # The principal is an unsupported type. Only Google Accounts and service
    # accounts are supported.
    MEMBERSHIP_UNKNOWN_UNSUPPORTED = 4
  end
end

#role_permission_relevance::Google::Cloud::PolicySimulator::V1::HeuristicRelevance

Returns The relevance of the permission's existence, or nonexistence, in the role to the overall determination for the entire policy.

Returns:



167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
# File 'proto_docs/google/cloud/policysimulator/v1/explanations.rb', line 167

class BindingExplanation
  include ::Google::Protobuf::MessageExts
  extend ::Google::Protobuf::MessageExts::ClassMethods

  # Details about whether the binding includes the principal.
  # @!attribute [rw] membership
  #   @return [::Google::Cloud::PolicySimulator::V1::BindingExplanation::Membership]
  #     Indicates whether the binding includes the principal.
  # @!attribute [rw] relevance
  #   @return [::Google::Cloud::PolicySimulator::V1::HeuristicRelevance]
  #     The relevance of the principal's status to the overall determination for
  #     the binding.
  class AnnotatedMembership
    include ::Google::Protobuf::MessageExts
    extend ::Google::Protobuf::MessageExts::ClassMethods
  end

  # @!attribute [rw] key
  #   @return [::String]
  # @!attribute [rw] value
  #   @return [::Google::Cloud::PolicySimulator::V1::BindingExplanation::AnnotatedMembership]
  class MembershipsEntry
    include ::Google::Protobuf::MessageExts
    extend ::Google::Protobuf::MessageExts::ClassMethods
  end

  # Whether a role includes a specific permission.
  module RolePermission
    # Default value. This value is unused.
    ROLE_PERMISSION_UNSPECIFIED = 0

    # The permission is included in the role.
    ROLE_PERMISSION_INCLUDED = 1

    # The permission is not included in the role.
    ROLE_PERMISSION_NOT_INCLUDED = 2

    # The user who created the
    # {::Google::Cloud::PolicySimulator::V1::Replay Replay} is not
    # allowed to access the binding.
    ROLE_PERMISSION_UNKNOWN_INFO_DENIED = 3
  end

  # Whether the binding includes the principal.
  module Membership
    # Default value. This value is unused.
    MEMBERSHIP_UNSPECIFIED = 0

    # The binding includes the principal. The principal can be included
    # directly or indirectly. For example:
    #
    # * A principal is included directly if that principal is listed in the
    #   binding.
    # * A principal is included indirectly if that principal is in a Google
    #   group or Google Workspace domain that is listed in the binding.
    MEMBERSHIP_INCLUDED = 1

    # The binding does not include the principal.
    MEMBERSHIP_NOT_INCLUDED = 2

    # The user who created the
    # {::Google::Cloud::PolicySimulator::V1::Replay Replay} is not
    # allowed to access the binding.
    MEMBERSHIP_UNKNOWN_INFO_DENIED = 3

    # The principal is an unsupported type. Only Google Accounts and service
    # accounts are supported.
    MEMBERSHIP_UNKNOWN_UNSUPPORTED = 4
  end
end