Resource: DataAccessScope
A DataAccessScope is a boolean expression of data access labels used to restrict access to data for users.
| JSON representation |
|---|
{ "name": string, "allowedDataAccessLabels": [ { object ( |
| Fields | |
|---|---|
name |
The unique full name of the data access scope. The name should comply with https://google.aip.dev/122 standards. |
allowedDataAccessLabels[] |
Optional. The allowed labels for the scope. Either allowAll or allowedDataAccessLabels needs to be provided. When provided, there has to be at least one label allowed for the scope to be valid. The logical operator for evaluation of the allowed labels is OR. E.g.: A customer with scope with allowed labels A and B will be able to see data with labeled with A or B or (A and B). |
deniedDataAccessLabels[] |
Optional. The denied labels for the scope. The logical operator for evaluation of the denied labels is AND. E.g.: A customer with scope with denied labels A and B won't be able to see data labeled with A and data labeled with B and data with labels A and B. |
displayName |
Output only. The name to be used for display to customers of the data access scope. |
createTime |
Output only. The time at which the data access scope was created. Uses RFC 3339, where generated output will always be Z-normalized and uses 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples: |
updateTime |
Output only. The time at which the data access scope was last updated. Uses RFC 3339, where generated output will always be Z-normalized and uses 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples: |
author |
Output only. The user who created the data access scope. |
lastEditor |
Output only. The user who last updated the data access scope. |
description |
Optional. A description of the data access scope for a human reader. |
allowAll |
Optional. Whether or not the scope allows all labels, allowAll and allowedDataAccessLabels are mutually exclusive and one of them must be present. deniedDataAccessLabels can still be used along with allowAll. When combined with deniedDataAccessLabels, access will be granted to all data that doesn't have labels mentioned in deniedDataAccessLabels. E.g.: A customer with scope with denied labels A and B and allowAll will be able to see all data except data labeled with A and data labeled with B and data with labels A and B. |
DataAccessLabelReference
Reference object to a data access label.
| JSON representation |
|---|
{ "displayName": string, // Union field |
| Fields | |
|---|---|
displayName |
Output only. The display name of the label. Data access label and log types's name will match the display name of the resource. The asset namespace will match the namespace itself. The ingestion key value pair will match the key of the tuple. |
Union field label. The unique identifier for the label. label can be only one of the following: |
|
dataAccessLabel |
The name of the data access label. |
logType |
The name of the log type. |
assetNamespace |
The asset namespace configured in the forwarder of the customer's events. |
ingestionLabel |
The ingestion label configured in the forwarder of the customer's events. |
IngestionLabel
Representation of an ingestion label type.
| JSON representation |
|---|
{ "ingestionLabelKey": string, "ingestionLabelValue": string } |
| Fields | |
|---|---|
ingestionLabelKey |
Required. The key of the ingestion label. Always required. |
ingestionLabelValue |
Optional. The value of the ingestion label. Optional. An object with no provided value and some key provided would match against the given key and ANY value. |
Methods |
|
|---|---|
|
Creates a data access scope. |
|
Deletes a data access scope. |
|
Retrieves an existing data access scope. |
|
Lists all existing data access scopes for the customer. |
|
Updates a data access scope. |