Namespace Google.Identity.AccessContextManager.V1 (1.4.0)

Classes

AccessContextManager

API for setting [Access Levels] [google.identity.accesscontextmanager.v1.AccessLevel] and [Service Perimeters] [google.identity.accesscontextmanager.v1.ServicePerimeter] for Google Cloud Projects. Each organization has one [AccessPolicy] [google.identity.accesscontextmanager.v1.AccessPolicy] containing the [Access Levels] [google.identity.accesscontextmanager.v1.AccessLevel] and [Service Perimeters] [google.identity.accesscontextmanager.v1.ServicePerimeter]. This [AccessPolicy] [google.identity.accesscontextmanager.v1.AccessPolicy] is applicable to all resources in the organization. AccessPolicies

AccessContextManager.AccessContextManagerBase

Base class for server-side implementations of AccessContextManager

AccessContextManager.AccessContextManagerClient

Client for AccessContextManager

AccessContextManagerClient

AccessContextManager client wrapper, for convenient use.

AccessContextManagerClientBuilder

Builder class for AccessContextManagerClient to provide simple configuration of credentials, endpoint etc.

AccessContextManagerClientImpl

AccessContextManager client wrapper implementation, for convenient use.

AccessContextManagerOperationMetadata

Metadata of Access Context Manager's Long Running Operations.

AccessContextManagerSettings

Settings for AccessContextManagerClient instances.

AccessLevel

An AccessLevel is a label that can be applied to requests to Google Cloud services, along with a list of requirements necessary for the label to be applied.

AccessLevelName

Resource name for the AccessLevel resource.

AccessPolicy

AccessPolicy is a container for AccessLevels (which define the necessary attributes to use Google Cloud services) and ServicePerimeters (which define regions of services able to freely pass data within a perimeter). An access policy is globally visible within an organization, and the restrictions it specifies apply to all projects within an organization.

AccessPolicyName

Resource name for the AccessPolicy resource.

BasicLevel

BasicLevel is an AccessLevel using a set of recommended features.

BasicLevel.Types

Container for nested types declared in the BasicLevel message type.

CommitServicePerimetersRequest

A request to commit dry-run specs in all [Service Perimeters] [google.identity.accesscontextmanager.v1.ServicePerimeter] belonging to an [Access Policy][google.identity.accesscontextmanager.v1.AccessPolicy].

CommitServicePerimetersResponse

A response to CommitServicePerimetersRequest. This will be put inside of Operation.response field.

Condition

A condition necessary for an AccessLevel to be granted. The Condition is an AND over its fields. So a Condition is true if: 1) the request IP is from one of the listed subnetworks AND 2) the originating device complies with the listed device policy AND 3) all listed access levels are granted AND 4) the request was sent at a time allowed by the DateTimeRestriction.

CreateAccessLevelRequest

A request to create an AccessLevel.

CreateGcpUserAccessBindingRequest

Request of [CreateGcpUserAccessBinding] [google.identity.accesscontextmanager.v1.AccessContextManager.CreateGcpUserAccessBinding].

CreateServicePerimeterRequest

A request to create a ServicePerimeter.

CustomLevel

CustomLevel is an AccessLevel using the Cloud Common Expression Language to represent the necessary conditions for the level to apply to a request. See CEL spec at: https://github.com/google/cel-spec

DeleteAccessLevelRequest

A request to delete an AccessLevel.

DeleteAccessPolicyRequest

A request to delete an AccessPolicy.

DeleteGcpUserAccessBindingRequest

Request of [DeleteGcpUserAccessBinding] [google.identity.accesscontextmanager.v1.AccessContextManager.DeleteGcpUserAccessBinding].

DeleteServicePerimeterRequest

A request to delete a ServicePerimeter.

DevicePolicy

DevicePolicy specifies device specific restrictions necessary to acquire a given access level. A DevicePolicy specifies requirements for requests from devices to be granted access levels, it does not do any enforcement on the device. DevicePolicy acts as an AND over all specified fields, and each repeated field is an OR over its elements. Any unset fields are ignored. For example, if the proto is { os_type : DESKTOP_WINDOWS, os_type : DESKTOP_LINUX, encryption_status: ENCRYPTED}, then the DevicePolicy will be true for requests originating from encrypted Linux desktops and encrypted Windows desktops.

GcpUserAccessBinding

Restricts access to Cloud Console and Google Cloud APIs for a set of users using Context-Aware Access.

GcpUserAccessBindingName

Resource name for the GcpUserAccessBinding resource.

GcpUserAccessBindingOperationMetadata

Currently, a completed operation means nothing. In the future, this metadata and a completed operation may indicate that the binding has taken effect and is affecting access decisions for all users.

GetAccessLevelRequest

A request to get a particular AccessLevel.

GetAccessPolicyRequest

A request to get a particular AccessPolicy.

GetGcpUserAccessBindingRequest

Request of [GetGcpUserAccessBinding] [google.identity.accesscontextmanager.v1.AccessContextManager.GetGcpUserAccessBinding].

GetServicePerimeterRequest

A request to get a particular ServicePerimeter.

ListAccessLevelsRequest

A request to list all AccessLevels in an AccessPolicy.

ListAccessLevelsResponse

A response to ListAccessLevelsRequest.

ListAccessPoliciesRequest

A request to list all AccessPolicies for a container.

ListAccessPoliciesResponse

A response to ListAccessPoliciesRequest.

ListGcpUserAccessBindingsRequest

Request of [ListGcpUserAccessBindings] [google.identity.accesscontextmanager.v1.AccessContextManager.ListGcpUserAccessBindings].

ListGcpUserAccessBindingsResponse

Response of [ListGcpUserAccessBindings] [google.identity.accesscontextmanager.v1.AccessContextManager.ListGcpUserAccessBindings].

ListServicePerimetersRequest

A request to list all ServicePerimeters in an AccessPolicy.

ListServicePerimetersResponse

A response to ListServicePerimetersRequest.

OsConstraint

A restriction on the OS type and version of devices making requests.

ReplaceAccessLevelsRequest

A request to replace all existing Access Levels in an Access Policy with the Access Levels provided. This is done atomically.

ReplaceAccessLevelsResponse

A response to ReplaceAccessLevelsRequest. This will be put inside of Operation.response field.

ReplaceServicePerimetersRequest

A request to replace all existing Service Perimeters in an Access Policy with the Service Perimeters provided. This is done atomically.

ReplaceServicePerimetersResponse

A response to ReplaceServicePerimetersRequest. This will be put inside of Operation.response field.

ServicePerimeter

ServicePerimeter describes a set of Google Cloud resources which can freely import and export data amongst themselves, but not export outside of the ServicePerimeter. If a request with a source within this ServicePerimeter has a target outside of the ServicePerimeter, the request will be blocked. Otherwise the request is allowed. There are two types of Service Perimeter - Regular and Bridge. Regular Service Perimeters cannot overlap, a single Google Cloud project can only belong to a single regular Service Perimeter. Service Perimeter Bridges can contain only Google Cloud projects as members, a single Google Cloud project may belong to multiple Service Perimeter Bridges.

ServicePerimeter.Types

Container for nested types declared in the ServicePerimeter message type.

ServicePerimeterConfig

ServicePerimeterConfig specifies a set of Google Cloud resources that describe specific Service Perimeter configuration.

ServicePerimeterConfig.Types

Container for nested types declared in the ServicePerimeterConfig message type.

ServicePerimeterConfig.Types.ApiOperation

Identification for an API Operation.

ServicePerimeterConfig.Types.EgressFrom

Defines the conditions under which an [EgressPolicy] [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressPolicy] matches a request. Conditions based on information about the source of the request. Note that if the destination of the request is also protected by a [ServicePerimeter] [google.identity.accesscontextmanager.v1.ServicePerimeter], then that [ServicePerimeter] [google.identity.accesscontextmanager.v1.ServicePerimeter] must have an [IngressPolicy] [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressPolicy] which allows access in order for this request to succeed.

ServicePerimeterConfig.Types.EgressPolicy

Policy for egress from perimeter.

[EgressPolicies] [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressPolicy] match requests based on egress_from and egress_to stanzas. For an [EgressPolicy] [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressPolicy] to match, both egress_from and egress_to stanzas must be matched. If an [EgressPolicy] [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressPolicy] matches a request, the request is allowed to span the [ServicePerimeter] [google.identity.accesscontextmanager.v1.ServicePerimeter] boundary. For example, an [EgressPolicy] [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressPolicy] can be used to allow VMs on networks within the [ServicePerimeter] [google.identity.accesscontextmanager.v1.ServicePerimeter] to access a defined set of projects outside the perimeter in certain contexts (e.g. to read data from a Cloud Storage bucket or query against a BigQuery dataset).

[EgressPolicies] [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressPolicy] are concerned with the resources that a request relates as well as the API services and API actions being used. They do not related to the direction of data movement. More detailed documentation for this concept can be found in the descriptions of [EgressFrom] [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressFrom] and [EgressTo] [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressTo].

ServicePerimeterConfig.Types.EgressTo

Defines the conditions under which an [EgressPolicy] [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressPolicy] matches a request. Conditions are based on information about the [ApiOperation] [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.ApiOperation] intended to be performed on the resources specified. Note that if the destination of the request is also protected by a [ServicePerimeter] [google.identity.accesscontextmanager.v1.ServicePerimeter], then that [ServicePerimeter] [google.identity.accesscontextmanager.v1.ServicePerimeter] must have an [IngressPolicy] [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressPolicy] which allows access in order for this request to succeed. The request must match operations AND resources fields in order to be allowed egress out of the perimeter.

ServicePerimeterConfig.Types.IngressFrom

Defines the conditions under which an [IngressPolicy] [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressPolicy] matches a request. Conditions are based on information about the source of the request. The request must satisfy what is defined in sources AND identity related fields in order to match.

ServicePerimeterConfig.Types.IngressPolicy

Policy for ingress into [ServicePerimeter] [google.identity.accesscontextmanager.v1.ServicePerimeter].

[IngressPolicies] [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressPolicy] match requests based on ingress_from and ingress_to stanzas. For an ingress policy to match, both the ingress_from and ingress_to stanzas must be matched. If an [IngressPolicy] [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressPolicy] matches a request, the request is allowed through the perimeter boundary from outside the perimeter.

For example, access from the internet can be allowed either based on an [AccessLevel] [google.identity.accesscontextmanager.v1.AccessLevel] or, for traffic hosted on Google Cloud, the project of the source network. For access from private networks, using the project of the hosting network is required.

Individual ingress policies can be limited by restricting which services and/or actions they match using the ingress_to field.

ServicePerimeterConfig.Types.IngressSource

The source that [IngressPolicy] [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressPolicy] authorizes access from.

ServicePerimeterConfig.Types.IngressTo

Defines the conditions under which an [IngressPolicy] [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressPolicy] matches a request. Conditions are based on information about the [ApiOperation] [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.ApiOperation] intended to be performed on the target resource of the request. The request must satisfy what is defined in operations AND resources in order to match.

ServicePerimeterConfig.Types.MethodSelector

An allowed method or permission of a service specified in [ApiOperation] [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.ApiOperation].

ServicePerimeterConfig.Types.VpcAccessibleServices

Specifies how APIs are allowed to communicate within the Service Perimeter.

ServicePerimeterName

Resource name for the ServicePerimeter resource.

UpdateAccessLevelRequest

A request to update an AccessLevel.

UpdateAccessPolicyRequest

A request to update an AccessPolicy.

UpdateGcpUserAccessBindingRequest

Request of [UpdateGcpUserAccessBinding] [google.identity.accesscontextmanager.v1.AccessContextManager.UpdateGcpUserAccessBinding].

UpdateServicePerimeterRequest

A request to update a ServicePerimeter.

Enums

AccessLevel.LevelOneofCase

Enum of possible cases for the "level" oneof.

AccessLevelName.ResourceNameType

The possible contents of AccessLevelName.

AccessPolicyName.ResourceNameType

The possible contents of AccessPolicyName.

BasicLevel.Types.ConditionCombiningFunction

Options for how the conditions list should be combined to determine if this AccessLevel is applied. Default is AND.

GcpUserAccessBindingName.ResourceNameType

The possible contents of GcpUserAccessBindingName.

LevelFormat

The format used in an AccessLevel.

ServicePerimeter.Types.PerimeterType

Specifies the type of the Perimeter. There are two types: regular and bridge. Regular Service Perimeter contains resources, access levels, and restricted services. Every resource can be in at most ONE regular Service Perimeter.

In addition to being in a regular service perimeter, a resource can also be in zero or more perimeter bridges. A perimeter bridge only contains resources. Cross project operations are permitted if all effected resources share some perimeter (whether bridge or regular). Perimeter Bridge does not contain access levels or services: those are governed entirely by the regular perimeter that resource is in.

Perimeter Bridges are typically useful when building more complex toplogies with many independent perimeters that need to share some data with a common perimeter, but should not be able to share data among themselves.

ServicePerimeterConfig.Types.IdentityType

Specifies the types of identities that are allowed access in either [IngressFrom] [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.IngressFrom] or [EgressFrom] [google.identity.accesscontextmanager.v1.ServicePerimeterConfig.EgressFrom] rules.

ServicePerimeterConfig.Types.IngressSource.SourceOneofCase

Enum of possible cases for the "source" oneof.

ServicePerimeterConfig.Types.MethodSelector.KindOneofCase

Enum of possible cases for the "kind" oneof.

ServicePerimeterName.ResourceNameType

The possible contents of ServicePerimeterName.