This API allows customers to manage temporary, request-based privileged access to their resources.
It defines the following resource model:
- A collection of Entitlement resources. An entitlement allows configuring (among other things):
  - Some kind of privileged access that users can request.
  - A set of users called requesters who can request this access.
  - A maximum duration for which the access can be requested.
  - An optional approval workflow which must be satisfied before access is granted.
- A collection of Grant resources. A grant is a request by a requester to get the privileged access specified in an entitlement for some duration. After the approval workflow as specified in the entitlement is satisfied, the specified access is given to the requester. The access is automatically taken back after the requested duration is over.
Equality
Instances of this class created via copy-construction or copy-assignment always compare equal. Instances created with equal std::shared_ptr<*Connection> objects compare equal. Objects that compare equal share the same underlying resources.
Performance
Creating a new instance of this class is a relatively expensive operation; new objects establish new connections to the service. In contrast, copy-construction, move-construction, and the corresponding assignment operations are relatively efficient as the copies share all underlying resources.
Thread Safety
Concurrent access to different instances of this class, even if they compare equal, is guaranteed to work. Two or more threads operating on the same instance of this class are not guaranteed to work. Since copy-construction and move-construction are relatively efficient operations, consider using such a copy when using this class from multiple threads.
Constructors
PrivilegedAccessManagerClient(PrivilegedAccessManagerClient const &)
Copy and move support
Parameter | |
---|---|
Name | Description |
|
PrivilegedAccessManagerClient const &
|
PrivilegedAccessManagerClient(PrivilegedAccessManagerClient &&)
Copy and move support
Parameter | |
---|---|
Name | Description |
|
PrivilegedAccessManagerClient &&
|
PrivilegedAccessManagerClient(std::shared_ptr< PrivilegedAccessManagerConnection >, Options)
Parameters | |
---|---|
Name | Description |
connection |
std::shared_ptr< PrivilegedAccessManagerConnection >
|
opts |
Options
|
Operators
operator=(PrivilegedAccessManagerClient const &)
Copy and move support
Parameter | |
---|---|
Name | Description |
|
PrivilegedAccessManagerClient const &
|
Returns | |
---|---|
Type | Description |
PrivilegedAccessManagerClient & |
operator=(PrivilegedAccessManagerClient &&)
Copy and move support
Parameter | |
---|---|
Name | Description |
|
PrivilegedAccessManagerClient &&
|
Returns | |
---|---|
Type | Description |
PrivilegedAccessManagerClient & |
Functions
CheckOnboardingStatus(google::cloud::privilegedaccessmanager::v1::CheckOnboardingStatusRequest const &, Options)
CheckOnboardingStatus reports the onboarding status for a project/folder/organization.
Any findings reported by this API need to be fixed before PAM can be used on the resource.
Parameters | |
---|---|
Name | Description |
request |
google::cloud::privilegedaccessmanager::v1::CheckOnboardingStatusRequest const &
Unary RPCs, such as the one wrapped by this function, receive a single |
opts |
Options
Optional. Override the class-level options, such as retry and backoff policies. |
Returns | |
---|---|
Type | Description |
StatusOr< google::cloud::privilegedaccessmanager::v1::CheckOnboardingStatusResponse > |
the result of the RPC. The response message type (google.cloud.privilegedaccessmanager.v1.CheckOnboardingStatusResponse) is mapped to a C++ class using the Protobuf mapping rules. If the request fails, the |
ListEntitlements(std::string const &, Options)
Lists entitlements in a given project/folder/organization and location.
Parameters | |
---|---|
Name | Description |
parent |
std::string const &
Required. The parent which owns the entitlement resources. |
opts |
Options
Optional. Override the class-level options, such as retry and backoff policies. |
Returns | |
---|---|
Type | Description |
StreamRange< google::cloud::privilegedaccessmanager::v1::Entitlement > |
a StreamRange to iterate over the results. See the documentation of this type for details. In brief, this class has |
ListEntitlements(google::cloud::privilegedaccessmanager::v1::ListEntitlementsRequest, Options)
Lists entitlements in a given project/folder/organization and location.
Parameters | |
---|---|
Name | Description |
request |
google::cloud::privilegedaccessmanager::v1::ListEntitlementsRequest
Unary RPCs, such as the one wrapped by this function, receive a single |
opts |
Options
Optional. Override the class-level options, such as retry and backoff policies. |
Returns | |
---|---|
Type | Description |
StreamRange< google::cloud::privilegedaccessmanager::v1::Entitlement > |
a StreamRange to iterate over the results. See the documentation of this type for details. In brief, this class has |
SearchEntitlements(google::cloud::privilegedaccessmanager::v1::SearchEntitlementsRequest, Options)
SearchEntitlements returns entitlements on which the caller has the specified access.
Parameters | |
---|---|
Name | Description |
request |
google::cloud::privilegedaccessmanager::v1::SearchEntitlementsRequest
Unary RPCs, such as the one wrapped by this function, receive a single |
opts |
Options
Optional. Override the class-level options, such as retry and backoff policies. |
Returns | |
---|---|
Type | Description |
StreamRange< google::cloud::privilegedaccessmanager::v1::Entitlement > |
a StreamRange to iterate over the results. See the documentation of this type for details. In brief, this class has |
GetEntitlement(std::string const &, Options)
Gets details of a single entitlement.
Parameters | |
---|---|
Name | Description |
name |
std::string const &
Required. Name of the resource. |
opts |
Options
Optional. Override the class-level options, such as retry and backoff policies. |
Returns | |
---|---|
Type | Description |
StatusOr< google::cloud::privilegedaccessmanager::v1::Entitlement > |
the result of the RPC. The response message type (google.cloud.privilegedaccessmanager.v1.Entitlement) is mapped to a C++ class using the Protobuf mapping rules. If the request fails, the |
GetEntitlement(google::cloud::privilegedaccessmanager::v1::GetEntitlementRequest const &, Options)
Gets details of a single entitlement.
Parameters | |
---|---|
Name | Description |
request |
google::cloud::privilegedaccessmanager::v1::GetEntitlementRequest const &
Unary RPCs, such as the one wrapped by this function, receive a single |
opts |
Options
Optional. Override the class-level options, such as retry and backoff policies. |
Returns | |
---|---|
Type | Description |
StatusOr< google::cloud::privilegedaccessmanager::v1::Entitlement > |
the result of the RPC. The response message type (google.cloud.privilegedaccessmanager.v1.Entitlement) is mapped to a C++ class using the Protobuf mapping rules. If the request fails, the |
CreateEntitlement(std::string const &, google::cloud::privilegedaccessmanager::v1::Entitlement const &, std::string const &, Options)
Creates a new entitlement in a given project/folder/organization and location.
Parameters | |
---|---|
Name | Description |
parent |
std::string const &
Required. Name of the parent resource for the entitlement. Possible formats:
|
entitlement |
google::cloud::privilegedaccessmanager::v1::Entitlement const &
Required. The resource being created |
entitlement_id |
std::string const &
Required. The ID to use for this entitlement. This becomes the last part of the resource name. |
opts |
Options
Optional. Override the class-level options, such as retry and backoff policies. |
Returns | |
---|---|
Type | Description |
future< StatusOr< google::cloud::privilegedaccessmanager::v1::Entitlement > > |
A |
CreateEntitlement(NoAwaitTag, std::string const &, google::cloud::privilegedaccessmanager::v1::Entitlement const &, std::string const &, Options)
Creates a new entitlement in a given project/folder/organization and location.
Specifying the NoAwaitTag immediately returns the google::longrunning::Operation that corresponds to the Long Running Operation that has been started. No polling for operation status occurs.
Parameters | |
---|---|
Name | Description |
|
NoAwaitTag
|
parent |
std::string const &
|
entitlement |
google::cloud::privilegedaccessmanager::v1::Entitlement const &
|
entitlement_id |
std::string const &
|
opts |
Options
|
Returns | |
---|---|
Type | Description |
StatusOr< google::longrunning::Operation > |
CreateEntitlement(google::cloud::privilegedaccessmanager::v1::CreateEntitlementRequest const &, Options)
Creates a new entitlement in a given project/folder/organization and location.
Parameters | |
---|---|
Name | Description |
request |
google::cloud::privilegedaccessmanager::v1::CreateEntitlementRequest const &
Unary RPCs, such as the one wrapped by this function, receive a single |
opts |
Options
Optional. Override the class-level options, such as retry and backoff policies. |
Returns | |
---|---|
Type | Description |
future< StatusOr< google::cloud::privilegedaccessmanager::v1::Entitlement > > |
A |
CreateEntitlement(NoAwaitTag, google::cloud::privilegedaccessmanager::v1::CreateEntitlementRequest const &, Options)
Creates a new entitlement in a given project/folder/organization and location.
Specifying the NoAwaitTag immediately returns the google::longrunning::Operation that corresponds to the Long Running Operation that has been started. No polling for operation status occurs.
Parameters | |
---|---|
Name | Description |
|
NoAwaitTag
|
request |
google::cloud::privilegedaccessmanager::v1::CreateEntitlementRequest const &
|
opts |
Options
|
Returns | |
---|---|
Type | Description |
StatusOr< google::longrunning::Operation > |
CreateEntitlement(google::longrunning::Operation const &, Options)
Creates a new entitlement in a given project/folder/organization and location.
This method accepts a google::longrunning::Operation that corresponds to a previously started Long Running Operation (LRO) and polls the status of the LRO in the background.
Parameters | |
---|---|
Name | Description |
operation |
google::longrunning::Operation const &
|
opts |
Options
|
Returns | |
---|---|
Type | Description |
future< StatusOr< google::cloud::privilegedaccessmanager::v1::Entitlement > > |
DeleteEntitlement(std::string const &, Options)
Deletes a single entitlement.
This method can only be called when there are no in-progress (ACTIVE/ACTIVATING/REVOKING) grants under the entitlement.
Parameters | |
---|---|
Name | Description |
name |
std::string const &
Required. Name of the resource. |
opts |
Options
Optional. Override the class-level options, such as retry and backoff policies. |
Returns | |
---|---|
Type | Description |
future< StatusOr< google::cloud::privilegedaccessmanager::v1::Entitlement > > |
A |
DeleteEntitlement(NoAwaitTag, std::string const &, Options)
Deletes a single entitlement.
Specifying the NoAwaitTag immediately returns the google::longrunning::Operation that corresponds to the Long Running Operation that has been started. No polling for operation status occurs.
Parameters | |
---|---|
Name | Description |
|
NoAwaitTag
|
name |
std::string const &
|
opts |
Options
|
Returns | |
---|---|
Type | Description |
StatusOr< google::longrunning::Operation > |
DeleteEntitlement(google::cloud::privilegedaccessmanager::v1::DeleteEntitlementRequest const &, Options)
Deletes a single entitlement.
This method can only be called when there are no in-progress (ACTIVE/ACTIVATING/REVOKING) grants under the entitlement.
Parameters | |
---|---|
Name | Description |
request |
google::cloud::privilegedaccessmanager::v1::DeleteEntitlementRequest const &
Unary RPCs, such as the one wrapped by this function, receive a single |
opts |
Options
Optional. Override the class-level options, such as retry and backoff policies. |
Returns | |
---|---|
Type | Description |
future< StatusOr< google::cloud::privilegedaccessmanager::v1::Entitlement > > |
A |
DeleteEntitlement(NoAwaitTag, google::cloud::privilegedaccessmanager::v1::DeleteEntitlementRequest const &, Options)
Deletes a single entitlement.
Specifying the NoAwaitTag immediately returns the google::longrunning::Operation that corresponds to the Long Running Operation that has been started. No polling for operation status occurs.
Parameters | |
---|---|
Name | Description |
|
NoAwaitTag
|
request |
google::cloud::privilegedaccessmanager::v1::DeleteEntitlementRequest const &
|
opts |
Options
|
Returns | |
---|---|
Type | Description |
StatusOr< google::longrunning::Operation > |
DeleteEntitlement(google::longrunning::Operation const &, Options)
Deletes a single entitlement.
This method accepts a google::longrunning::Operation that corresponds to a previously started Long Running Operation (LRO) and polls the status of the LRO in the background.
Parameters | |
---|---|
Name | Description |
operation |
google::longrunning::Operation const &
|
opts |
Options
|
Returns | |
---|---|
Type | Description |
future< StatusOr< google::cloud::privilegedaccessmanager::v1::Entitlement > > |
UpdateEntitlement(google::cloud::privilegedaccessmanager::v1::Entitlement const &, google::protobuf::FieldMask const &, Options)
Updates the entitlement specified in the request.
Updated fields in the entitlement need to be specified in an update mask. The changes made to an entitlement are applicable only on future grants of the entitlement. However, if new approvers are added or existing approvers are removed from the approval workflow, the changes are effective on existing grants.
The following fields are not supported for updates:
- All immutable fields
- Entitlement name
- Resource name
- Resource type
- Adding an approval workflow in an entitlement which previously had no approval workflow.
- Deleting the approval workflow from an entitlement.
- Adding or deleting a step in the approval workflow (only one step is supported)
Note that updates are allowed on the list of approvers in an approval workflow step.
Parameters | |
---|---|
Name | Description |
entitlement |
google::cloud::privilegedaccessmanager::v1::Entitlement const &
Required. The entitlement resource that is updated. |
update_mask |
google::protobuf::FieldMask const &
Required. The list of fields to update. A field is overwritten if, and only if, it is in the mask. Any immutable fields set in the mask are ignored by the server. Repeated fields and map fields are only allowed in the last position of a |
opts |
Options
Optional. Override the class-level options, such as retry and backoff policies. |
Returns | |
---|---|
Type | Description |
future< StatusOr< google::cloud::privilegedaccessmanager::v1::Entitlement > > |
A |
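An added example, not part of the google-cloud-cpp reference or library: a self-contained pre-flight check that applies the update rules above to a local model of an entitlement before UpdateEntitlement is called. `EntitlementModel`, `Preflight` and the mask paths it matches are assumptions made for illustration.

```cpp
// Added example: client-side pre-flight for an UpdateEntitlement call.
// Local model only; not the generated protobuf types or google-cloud-cpp code.
#include <algorithm>
#include <iostream>
#include <string>
#include <utility>
#include <vector>

// Reduced stand-in for an entitlement (hypothetical struct for this example).
struct EntitlementModel {
  std::string name;
  std::string resource;                // resource the access applies to
  bool has_workflow;
  int workflow_steps;                  // the page: only one step is supported
  std::vector<std::string> approvers;  // approvers of that step
  int max_duration_s;
};

enum class Kind { kUnsupported, kNotInMask, kHitsExistingGrants };

struct Finding {
  Kind kind;
  std::string detail;
};

// True if `mask` names `field` itself or one of its sub-fields. The paths
// passed by Preflight() are assumed field names, not taken from the page.
bool InMask(std::vector<std::string> const& mask, std::string const& field) {
  return std::any_of(mask.begin(), mask.end(), [&](std::string const& p) {
    return p == field || p.compare(0, field.size() + 1, field + ".") == 0;
  });
}

std::vector<Finding> Preflight(EntitlementModel const& cur,
                               EntitlementModel const& want,
                               std::vector<std::string> const& mask) {
  std::vector<Finding> out;
  auto add = [&out](Kind k, std::string d) {
    out.push_back({k, std::move(d)});
  };
  bool workflow_differs = cur.has_workflow != want.has_workflow ||
                          cur.workflow_steps != want.workflow_steps ||
                          cur.approvers != want.approvers;

  // Changes the page lists as not supported for updates.
  if (InMask(mask, "name") && cur.name != want.name)
    add(Kind::kUnsupported, "entitlement name");
  if (InMask(mask, "privileged_access") && cur.resource != want.resource)
    add(Kind::kUnsupported, "resource name or type");
  if (InMask(mask, "approval_workflow")) {
    if (cur.has_workflow != want.has_workflow)
      add(Kind::kUnsupported, "adding or deleting the approval workflow");
    else if (cur.workflow_steps != want.workflow_steps)
      add(Kind::kUnsupported, "adding or deleting a workflow step");
    else if (cur.approvers != want.approvers)  // allowed, but not future-only
      add(Kind::kHitsExistingGrants, "approver list");
  } else if (workflow_differs) {
    add(Kind::kNotInMask, "approval_workflow");
  }
  // A field is overwritten if, and only if, it is in the mask.
  if (cur.max_duration_s != want.max_duration_s &&
      !InMask(mask, "max_request_duration"))
    add(Kind::kNotInMask, "max_request_duration");
  return out;
}

// Constructed sample: swap the approver and raise the duration, but list only
// the workflow in the mask.
std::vector<Finding> SampleFindings() {
  EntitlementModel cur{"example-entitlement", "example-project", true, 1,
                       {"alice@example.com"}, 3600};
  EntitlementModel want = cur;
  want.approvers = {"bob@example.com"};
  want.max_duration_s = 7200;
  return Preflight(cur, want, {"approval_workflow.manual_approvals.steps"});
}

int main() {
  for (auto const& f : SampleFindings())
    std::cout << static_cast<int>(f.kind) << " " << f.detail << "\n";
}
```

The `kHitsExistingGrants` finding marks the one change that, per the text above, takes effect on existing grants rather than only on future ones, which makes it the change to review before sending the update.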
UpdateEntitlement(NoAwaitTag, google::cloud::privilegedaccessmanager::v1::Entitlement const &, google::protobuf::FieldMask const &, Options)
Updates the entitlement specified in the request.
Specifying the NoAwaitTag immediately returns the google::longrunning::Operation that corresponds to the Long Running Operation that has been started. No polling for operation status occurs.
Parameters | |
---|---|
Name | Description |
|
NoAwaitTag
|
entitlement |
google::cloud::privilegedaccessmanager::v1::Entitlement const &
|
update_mask |
google::protobuf::FieldMask const &
|
opts |
Options
|
Returns | |
---|---|
Type | Description |
StatusOr< google::longrunning::Operation > |
UpdateEntitlement(google::cloud::privilegedaccessmanager::v1::UpdateEntitlementRequest const &, Options)
Updates the entitlement specified in the request.
Updated fields in the entitlement need to be specified in an update mask. The changes made to an entitlement are applicable only on future grants of the entitlement. However, if new approvers are added or existing approvers are removed from the approval workflow, the changes are effective on existing grants.
The following fields are not supported for updates:
- All immutable fields
- Entitlement name
- Resource name
- Resource type
- Adding an approval workflow in an entitlement which previously had no approval workflow.
- Deleting the approval workflow from an entitlement.
- Adding or deleting a step in the approval workflow (only one step is supported)
Note that updates are allowed on the list of approvers in an approval workflow step.
Parameters | |
---|---|
Name | Description |
request |
google::cloud::privilegedaccessmanager::v1::UpdateEntitlementRequest const &
Unary RPCs, such as the one wrapped by this function, receive a single |
opts |
Options
Optional. Override the class-level options, such as retry and backoff policies. |
Returns | |
---|---|
Type | Description |
future< StatusOr< google::cloud::privilegedaccessmanager::v1::Entitlement > > |
A |
UpdateEntitlement(NoAwaitTag, google::cloud::privilegedaccessmanager::v1::UpdateEntitlementRequest const &, Options)
Updates the entitlement specified in the request.
Specifying the NoAwaitTag immediately returns the google::longrunning::Operation that corresponds to the Long Running Operation that has been started. No polling for operation status occurs.
Parameters | |
---|---|
Name | Description |
|
NoAwaitTag
|
request |
google::cloud::privilegedaccessmanager::v1::UpdateEntitlementRequest const &
|
opts |
Options
|
Returns | |
---|---|
Type | Description |
StatusOr< google::longrunning::Operation > |
UpdateEntitlement(google::longrunning::Operation const &, Options)
Updates the entitlement specified in the request.
This method accepts a google::longrunning::Operation that corresponds to a previously started Long Running Operation (LRO) and polls the status of the LRO in the background.
Parameters | |
---|---|
Name | Description |
operation |
google::longrunning::Operation const &
|
opts |
Options
|
Returns | |
---|---|
Type | Description |
future< StatusOr< google::cloud::privilegedaccessmanager::v1::Entitlement > > |
ListGrants(std::string const &, Options)
Lists grants for a given entitlement.
Parameters | |
---|---|
Name | Description |
parent |
std::string const &
Required. The parent resource which owns the grants. |
opts |
Options
Optional. Override the class-level options, such as retry and backoff policies. |
Returns | |
---|---|
Type | Description |
StreamRange< google::cloud::privilegedaccessmanager::v1::Grant > |
a StreamRange to iterate over the results. See the documentation of this type for details. In brief, this class has |
ListGrants(google::cloud::privilegedaccessmanager::v1::ListGrantsRequest, Options)
Lists grants for a given entitlement.
Parameters | |
---|---|
Name | Description |
request |
google::cloud::privilegedaccessmanager::v1::ListGrantsRequest
Unary RPCs, such as the one wrapped by this function, receive a single |
opts |
Options
Optional. Override the class-level options, such as retry and backoff policies. |
Returns | |
---|---|
Type | Description |
StreamRange< google::cloud::privilegedaccessmanager::v1::Grant > |
a StreamRange to iterate over the results. See the documentation of this type for details. In brief, this class has |
SearchGrants(google::cloud::privilegedaccessmanager::v1::SearchGrantsRequest, Options)
SearchGrants returns grants that are related to the calling user in the specified way.
Parameters | |
---|---|
Name | Description |
request |
google::cloud::privilegedaccessmanager::v1::SearchGrantsRequest
Unary RPCs, such as the one wrapped by this function, receive a single |
opts |
Options
Optional. Override the class-level options, such as retry and backoff policies. |
Returns | |
---|---|
Type | Description |
StreamRange< google::cloud::privilegedaccessmanager::v1::Grant > |
a StreamRange to iterate over the results. See the documentation of this type for details. In brief, this class has |
GetGrant(std::string const &, Options)
Get details of a single grant.
Parameters | |
---|---|
Name | Description |
name |
std::string const &
Required. Name of the resource. |
opts |
Options
Optional. Override the class-level options, such as retry and backoff policies. |
Returns | |
---|---|
Type | Description |
StatusOr< google::cloud::privilegedaccessmanager::v1::Grant > |
the result of the RPC. The response message type (google.cloud.privilegedaccessmanager.v1.Grant) is mapped to a C++ class using the Protobuf mapping rules. If the request fails, the |
GetGrant(google::cloud::privilegedaccessmanager::v1::GetGrantRequest const &, Options)
Get details of a single grant.
Parameters | |
---|---|
Name | Description |
request |
google::cloud::privilegedaccessmanager::v1::GetGrantRequest const &
Unary RPCs, such as the one wrapped by this function, receive a single |
opts |
Options
Optional. Override the class-level options, such as retry and backoff policies. |
Returns | |
---|---|
Type | Description |
StatusOr< google::cloud::privilegedaccessmanager::v1::Grant > |
the result of the RPC. The response message type (google.cloud.privilegedaccessmanager.v1.Grant) is mapped to a C++ class using the Protobuf mapping rules. If the request fails, the |
CreateGrant(std::string const &, google::cloud::privilegedaccessmanager::v1::Grant const &, Options)
Creates a new grant in a given project and location.
Parameters | |
---|---|
Name | Description |
parent |
std::string const &
Required. Name of the parent entitlement for which this grant is being requested. |
grant |
google::cloud::privilegedaccessmanager::v1::Grant const &
Required. The resource being created. |
opts |
Options
Optional. Override the class-level options, such as retry and backoff policies. |
Returns | |
---|---|
Type | Description |
StatusOr< google::cloud::privilegedaccessmanager::v1::Grant > |
the result of the RPC. The response message type (google.cloud.privilegedaccessmanager.v1.Grant) is mapped to a C++ class using the Protobuf mapping rules. If the request fails, the |
CreateGrant(google::cloud::privilegedaccessmanager::v1::CreateGrantRequest const &, Options)
Creates a new grant in a given project and location.
Parameters | |
---|---|
Name | Description |
request |
google::cloud::privilegedaccessmanager::v1::CreateGrantRequest const &
Unary RPCs, such as the one wrapped by this function, receive a single |
opts |
Options
Optional. Override the class-level options, such as retry and backoff policies. |
Returns | |
---|---|
Type | Description |
StatusOr< google::cloud::privilegedaccessmanager::v1::Grant > |
the result of the RPC. The response message type (google.cloud.privilegedaccessmanager.v1.Grant) is mapped to a C++ class using the Protobuf mapping rules. If the request fails, the |
ApproveGrant(google::cloud::privilegedaccessmanager::v1::ApproveGrantRequest const &, Options)
ApproveGrant is used to approve a grant.
This method can only be called on a grant when it's in the APPROVAL_AWAITED state. This operation can't be undone.
Parameters | |
---|---|
Name | Description |
request |
google::cloud::privilegedaccessmanager::v1::ApproveGrantRequest const &
Unary RPCs, such as the one wrapped by this function, receive a single |
opts |
Options
Optional. Override the class-level options, such as retry and backoff policies. |
Returns | |
---|---|
Type | Description |
StatusOr< google::cloud::privilegedaccessmanager::v1::Grant > |
the result of the RPC. The response message type (google.cloud.privilegedaccessmanager.v1.Grant) is mapped to a C++ class using the Protobuf mapping rules. If the request fails, the |
DenyGrant(google::cloud::privilegedaccessmanager::v1::DenyGrantRequest const &, Options)
DenyGrant is used to deny a grant.
This method can only be called on a grant when it's in the APPROVAL_AWAITED state. This operation can't be undone.
Parameters | |
---|---|
Name | Description |
request |
google::cloud::privilegedaccessmanager::v1::DenyGrantRequest const &
Unary RPCs, such as the one wrapped by this function, receive a single |
opts |
Options
Optional. Override the class-level options, such as retry and backoff policies. |
Returns | |
---|---|
Type | Description |
StatusOr< google::cloud::privilegedaccessmanager::v1::Grant > |
the result of the RPC. The response message type (google.cloud.privilegedaccessmanager.v1.Grant) is mapped to a C++ class using the Protobuf mapping rules. If the request fails, the |
RevokeGrant(google::cloud::privilegedaccessmanager::v1::RevokeGrantRequest const &, Options)
RevokeGrant is used to immediately revoke access for a grant.
This method can be called when the grant is in a non-terminal state.
Parameters | |
---|---|
Name | Description |
request |
google::cloud::privilegedaccessmanager::v1::RevokeGrantRequest const &
Unary RPCs, such as the one wrapped by this function, receive a single |
opts |
Options
Optional. Override the class-level options, such as retry and backoff policies. |
Returns | |
---|---|
Type | Description |
future< StatusOr< google::cloud::privilegedaccessmanager::v1::Grant > > |
A |
RevokeGrant(NoAwaitTag, google::cloud::privilegedaccessmanager::v1::RevokeGrantRequest const &, Options)
RevokeGrant is used to immediately revoke access for a grant.
Specifying the NoAwaitTag immediately returns the google::longrunning::Operation that corresponds to the Long Running Operation that has been started. No polling for operation status occurs.
Parameters | |
---|---|
Name | Description |
|
NoAwaitTag
|
request |
google::cloud::privilegedaccessmanager::v1::RevokeGrantRequest const &
|
opts |
Options
|
Returns | |
---|---|
Type | Description |
StatusOr< google::longrunning::Operation > |
RevokeGrant(google::longrunning::Operation const &, Options)
RevokeGrant is used to immediately revoke access for a grant.
This method accepts a google::longrunning::Operation that corresponds to a previously started Long Running Operation (LRO) and polls the status of the LRO in the background.
Parameters | |
---|---|
Name | Description |
operation |
google::longrunning::Operation const &
|
opts |
Options
|
Returns | |
---|---|
Type | Description |
future< StatusOr< google::cloud::privilegedaccessmanager::v1::Grant > > |
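An added example, not code from the library: the state preconditions stated above for ApproveGrant, DenyGrant, RevokeGrant and DeleteEntitlement, modelled locally to plan the retirement of an entitlement. The terminal states and all type and function names are assumptions; only APPROVAL_AWAITED, ACTIVATING, ACTIVE and REVOKING are named on this page.

```cpp
// Added example: the grant-state preconditions from this page as a local model.
// Not google-cloud-cpp code; every type and function here is hypothetical.
#include <iostream>
#include <string>
#include <vector>

// APPROVAL_AWAITED, ACTIVATING, ACTIVE and REVOKING are named on this page.
// kDenied, kRevoked and kEnded are assumed stand-ins for terminal states.
enum class GrantState {
  kApprovalAwaited, kActivating, kActive, kRevoking, kDenied, kRevoked, kEnded
};

enum class Action { kDeny, kRevoke, kWaitForRevoke, kNone };

struct GrantInfo {
  std::string name;  // constructed identifier, not a real resource name
  GrantState state;
};

struct PlanStep {
  std::string grant;
  Action action;
};

bool IsTerminal(GrantState s) {  // assumption, see the enum comment
  return s == GrantState::kDenied || s == GrantState::kRevoked ||
         s == GrantState::kEnded;
}

// ApproveGrant and DenyGrant: only in APPROVAL_AWAITED, and not undoable.
bool CanApproveOrDeny(GrantState s) { return s == GrantState::kApprovalAwaited; }

// RevokeGrant: any non-terminal state.
bool CanRevoke(GrantState s) { return !IsTerminal(s); }

// DeleteEntitlement: refused while any grant is ACTIVE/ACTIVATING/REVOKING.
bool CanDeleteEntitlement(std::vector<GrantInfo> const& grants) {
  for (auto const& g : grants) {
    if (g.state == GrantState::kActive || g.state == GrantState::kActivating ||
        g.state == GrantState::kRevoking) return false;
  }
  return true;
}

Action NextAction(GrantState s) {
  if (CanApproveOrDeny(s)) return Action::kDeny;
  if (s == GrantState::kRevoking) return Action::kWaitForRevoke;
  return CanRevoke(s) ? Action::kRevoke : Action::kNone;
}

// Orders the work so pending requests are denied before access is revoked;
// otherwise a late approval could activate a grant and block the delete again.
// The ordering is this example's choice, not something the page prescribes.
std::vector<PlanStep> PlanDecommission(std::vector<GrantInfo> const& grants) {
  std::vector<PlanStep> plan;
  for (Action pass : {Action::kDeny, Action::kRevoke, Action::kWaitForRevoke}) {
    for (auto const& g : grants) {
      if (NextAction(g.state) == pass) plan.push_back({g.name, pass});
    }
  }
  return plan;
}

std::vector<GrantInfo> SampleGrants() {  // constructed sample data
  return {{"grant-a", GrantState::kActive},
          {"grant-b", GrantState::kApprovalAwaited},
          {"grant-c", GrantState::kEnded},
          {"grant-d", GrantState::kRevoking}};
}

int main() {
  char const* const names[] = {"DenyGrant", "RevokeGrant", "wait for revoke"};
  for (auto const& s : PlanDecommission(SampleGrants()))
    std::cout << s.grant << ": " << names[static_cast<int>(s.action)] << "\n";
  std::cout << "delete allowed now: " << std::boolalpha
            << CanDeleteEntitlement(SampleGrants()) << "\n";
}
```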