Class IamPolicyAnalysisQuery.Options.Builder (3.10.0)

public static final class IamPolicyAnalysisQuery.Options.Builder extends GeneratedMessageV3.Builder<IamPolicyAnalysisQuery.Options.Builder> implements IamPolicyAnalysisQuery.OptionsOrBuilder

Contains query options.

Protobuf type google.cloud.asset.v1.IamPolicyAnalysisQuery.Options

Static Methods

getDescriptor()

public static final Descriptors.Descriptor getDescriptor()
Returns
Type Description
Descriptor

Methods

addRepeatedField(Descriptors.FieldDescriptor field, Object value)

public IamPolicyAnalysisQuery.Options.Builder addRepeatedField(Descriptors.FieldDescriptor field, Object value)
Parameters
Name Description
field FieldDescriptor
value Object
Returns
Type Description
IamPolicyAnalysisQuery.Options.Builder
Overrides

build()

public IamPolicyAnalysisQuery.Options build()
Returns
Type Description
IamPolicyAnalysisQuery.Options

buildPartial()

public IamPolicyAnalysisQuery.Options buildPartial()
Returns
Type Description
IamPolicyAnalysisQuery.Options

clear()

public IamPolicyAnalysisQuery.Options.Builder clear()
Returns
Type Description
IamPolicyAnalysisQuery.Options.Builder
Overrides

clearAnalyzeServiceAccountImpersonation()

public IamPolicyAnalysisQuery.Options.Builder clearAnalyzeServiceAccountImpersonation()

Optional. If true, the response will include access analysis from identities to resources via service account impersonation. This is a very expensive operation, because many derived queries will be executed. We highly recommend you use AssetService.AnalyzeIamPolicyLongrunning rpc instead. For example, if the request analyzes for which resources user A has permission P, and there's an IAM policy states user A has iam.serviceAccounts.getAccessToken permission to a service account SA, and there's another IAM policy states service account SA has permission P to a GCP folder F, then user A potentially has access to the GCP folder F. And those advanced analysis results will be included in AnalyzeIamPolicyResponse.service_account_impersonation_analysis. Another example, if the request analyzes for who has permission P to a GCP folder F, and there's an IAM policy states user A has iam.serviceAccounts.actAs permission to a service account SA, and there's another IAM policy states service account SA has permission P to the GCP folder F, then user A potentially has access to the GCP folder F. And those advanced analysis results will be included in AnalyzeIamPolicyResponse.service_account_impersonation_analysis. Only the following permissions are considered in this analysis:

  • iam.serviceAccounts.actAs
  • iam.serviceAccounts.signBlob
  • iam.serviceAccounts.signJwt
  • iam.serviceAccounts.getAccessToken
  • iam.serviceAccounts.getOpenIdToken
  • iam.serviceAccounts.implicitDelegation Default is false.

bool analyze_service_account_impersonation = 6 [(.google.api.field_behavior) = OPTIONAL];

Returns
Type Description
IamPolicyAnalysisQuery.Options.Builder

This builder for chaining.

clearExpandGroups()

public IamPolicyAnalysisQuery.Options.Builder clearExpandGroups()

Optional. If true, the identities section of the result will expand any Google groups appearing in an IAM policy binding. If IamPolicyAnalysisQuery.identity_selector is specified, the identity in the result will be determined by the selector, and this flag is not allowed to set. If true, the default max expansion per group is 1000 for AssetService.AnalyzeIamPolicy][]. Default is false.

bool expand_groups = 1 [(.google.api.field_behavior) = OPTIONAL];

Returns
Type Description
IamPolicyAnalysisQuery.Options.Builder

This builder for chaining.

clearExpandResources()

public IamPolicyAnalysisQuery.Options.Builder clearExpandResources()

Optional. If true and IamPolicyAnalysisQuery.resource_selector is not specified, the resource section of the result will expand any resource attached to an IAM policy to include resources lower in the resource hierarchy. For example, if the request analyzes for which resources user A has permission P, and the results include an IAM policy with P on a GCP folder, the results will also include resources in that folder with permission P. If true and IamPolicyAnalysisQuery.resource_selector is specified, the resource section of the result will expand the specified resource to include resources lower in the resource hierarchy. Only project or lower resources are supported. Folder and organization resource cannot be used together with this option. For example, if the request analyzes for which users have permission P on a GCP project with this option enabled, the results will include all users who have permission P on that project or any lower resource. If true, the default max expansion per resource is 1000 for AssetService.AnalyzeIamPolicy][] and 100000 for AssetService.AnalyzeIamPolicyLongrunning][]. Default is false.

bool expand_resources = 3 [(.google.api.field_behavior) = OPTIONAL];

Returns
Type Description
IamPolicyAnalysisQuery.Options.Builder

This builder for chaining.

clearExpandRoles()

public IamPolicyAnalysisQuery.Options.Builder clearExpandRoles()

Optional. If true, the access section of result will expand any roles appearing in IAM policy bindings to include their permissions. If IamPolicyAnalysisQuery.access_selector is specified, the access section of the result will be determined by the selector, and this flag is not allowed to set. Default is false.

bool expand_roles = 2 [(.google.api.field_behavior) = OPTIONAL];

Returns
Type Description
IamPolicyAnalysisQuery.Options.Builder

This builder for chaining.

clearField(Descriptors.FieldDescriptor field)

public IamPolicyAnalysisQuery.Options.Builder clearField(Descriptors.FieldDescriptor field)
Parameter
Name Description
field FieldDescriptor
Returns
Type Description
IamPolicyAnalysisQuery.Options.Builder
Overrides

clearOneof(Descriptors.OneofDescriptor oneof)

public IamPolicyAnalysisQuery.Options.Builder clearOneof(Descriptors.OneofDescriptor oneof)
Parameter
Name Description
oneof OneofDescriptor
Returns
Type Description
IamPolicyAnalysisQuery.Options.Builder
Overrides

clearOutputGroupEdges()

public IamPolicyAnalysisQuery.Options.Builder clearOutputGroupEdges()

Optional. If true, the result will output the relevant membership relationships between groups and other groups, and between groups and principals. Default is false.

bool output_group_edges = 5 [(.google.api.field_behavior) = OPTIONAL];

Returns
Type Description
IamPolicyAnalysisQuery.Options.Builder

This builder for chaining.

clearOutputResourceEdges()

public IamPolicyAnalysisQuery.Options.Builder clearOutputResourceEdges()

Optional. If true, the result will output the relevant parent/child relationships between resources. Default is false.

bool output_resource_edges = 4 [(.google.api.field_behavior) = OPTIONAL];

Returns
Type Description
IamPolicyAnalysisQuery.Options.Builder

This builder for chaining.

clone()

public IamPolicyAnalysisQuery.Options.Builder clone()
Returns
Type Description
IamPolicyAnalysisQuery.Options.Builder
Overrides

getAnalyzeServiceAccountImpersonation()

public boolean getAnalyzeServiceAccountImpersonation()

Optional. If true, the response will include access analysis from identities to resources via service account impersonation. This is a very expensive operation, because many derived queries will be executed. We highly recommend you use AssetService.AnalyzeIamPolicyLongrunning rpc instead. For example, if the request analyzes for which resources user A has permission P, and there's an IAM policy states user A has iam.serviceAccounts.getAccessToken permission to a service account SA, and there's another IAM policy states service account SA has permission P to a GCP folder F, then user A potentially has access to the GCP folder F. And those advanced analysis results will be included in AnalyzeIamPolicyResponse.service_account_impersonation_analysis. Another example, if the request analyzes for who has permission P to a GCP folder F, and there's an IAM policy states user A has iam.serviceAccounts.actAs permission to a service account SA, and there's another IAM policy states service account SA has permission P to the GCP folder F, then user A potentially has access to the GCP folder F. And those advanced analysis results will be included in AnalyzeIamPolicyResponse.service_account_impersonation_analysis. Only the following permissions are considered in this analysis:

  • iam.serviceAccounts.actAs
  • iam.serviceAccounts.signBlob
  • iam.serviceAccounts.signJwt
  • iam.serviceAccounts.getAccessToken
  • iam.serviceAccounts.getOpenIdToken
  • iam.serviceAccounts.implicitDelegation Default is false.

bool analyze_service_account_impersonation = 6 [(.google.api.field_behavior) = OPTIONAL];

Returns
Type Description
boolean

The analyzeServiceAccountImpersonation.

getDefaultInstanceForType()

public IamPolicyAnalysisQuery.Options getDefaultInstanceForType()
Returns
Type Description
IamPolicyAnalysisQuery.Options

getDescriptorForType()

public Descriptors.Descriptor getDescriptorForType()
Returns
Type Description
Descriptor
Overrides

getExpandGroups()

public boolean getExpandGroups()

Optional. If true, the identities section of the result will expand any Google groups appearing in an IAM policy binding. If IamPolicyAnalysisQuery.identity_selector is specified, the identity in the result will be determined by the selector, and this flag is not allowed to set. If true, the default max expansion per group is 1000 for AssetService.AnalyzeIamPolicy][]. Default is false.

bool expand_groups = 1 [(.google.api.field_behavior) = OPTIONAL];

Returns
Type Description
boolean

The expandGroups.

getExpandResources()

public boolean getExpandResources()

Optional. If true and IamPolicyAnalysisQuery.resource_selector is not specified, the resource section of the result will expand any resource attached to an IAM policy to include resources lower in the resource hierarchy. For example, if the request analyzes for which resources user A has permission P, and the results include an IAM policy with P on a GCP folder, the results will also include resources in that folder with permission P. If true and IamPolicyAnalysisQuery.resource_selector is specified, the resource section of the result will expand the specified resource to include resources lower in the resource hierarchy. Only project or lower resources are supported. Folder and organization resource cannot be used together with this option. For example, if the request analyzes for which users have permission P on a GCP project with this option enabled, the results will include all users who have permission P on that project or any lower resource. If true, the default max expansion per resource is 1000 for AssetService.AnalyzeIamPolicy][] and 100000 for AssetService.AnalyzeIamPolicyLongrunning][]. Default is false.

bool expand_resources = 3 [(.google.api.field_behavior) = OPTIONAL];

Returns
Type Description
boolean

The expandResources.

getExpandRoles()

public boolean getExpandRoles()

Optional. If true, the access section of result will expand any roles appearing in IAM policy bindings to include their permissions. If IamPolicyAnalysisQuery.access_selector is specified, the access section of the result will be determined by the selector, and this flag is not allowed to set. Default is false.

bool expand_roles = 2 [(.google.api.field_behavior) = OPTIONAL];

Returns
Type Description
boolean

The expandRoles.

getOutputGroupEdges()

public boolean getOutputGroupEdges()

Optional. If true, the result will output the relevant membership relationships between groups and other groups, and between groups and principals. Default is false.

bool output_group_edges = 5 [(.google.api.field_behavior) = OPTIONAL];

Returns
Type Description
boolean

The outputGroupEdges.

getOutputResourceEdges()

public boolean getOutputResourceEdges()

Optional. If true, the result will output the relevant parent/child relationships between resources. Default is false.

bool output_resource_edges = 4 [(.google.api.field_behavior) = OPTIONAL];

Returns
Type Description
boolean

The outputResourceEdges.

internalGetFieldAccessorTable()

protected GeneratedMessageV3.FieldAccessorTable internalGetFieldAccessorTable()
Returns
Type Description
FieldAccessorTable
Overrides

isInitialized()

public final boolean isInitialized()
Returns
Type Description
boolean
Overrides

mergeFrom(IamPolicyAnalysisQuery.Options other)

public IamPolicyAnalysisQuery.Options.Builder mergeFrom(IamPolicyAnalysisQuery.Options other)
Parameter
Name Description
other IamPolicyAnalysisQuery.Options
Returns
Type Description
IamPolicyAnalysisQuery.Options.Builder

mergeFrom(CodedInputStream input, ExtensionRegistryLite extensionRegistry)

public IamPolicyAnalysisQuery.Options.Builder mergeFrom(CodedInputStream input, ExtensionRegistryLite extensionRegistry)
Parameters
Name Description
input CodedInputStream
extensionRegistry ExtensionRegistryLite
Returns
Type Description
IamPolicyAnalysisQuery.Options.Builder
Overrides Exceptions
Type Description
IOException

mergeFrom(Message other)

public IamPolicyAnalysisQuery.Options.Builder mergeFrom(Message other)
Parameter
Name Description
other Message
Returns
Type Description
IamPolicyAnalysisQuery.Options.Builder
Overrides

mergeUnknownFields(UnknownFieldSet unknownFields)

public final IamPolicyAnalysisQuery.Options.Builder mergeUnknownFields(UnknownFieldSet unknownFields)
Parameter
Name Description
unknownFields UnknownFieldSet
Returns
Type Description
IamPolicyAnalysisQuery.Options.Builder
Overrides

setAnalyzeServiceAccountImpersonation(boolean value)

public IamPolicyAnalysisQuery.Options.Builder setAnalyzeServiceAccountImpersonation(boolean value)

Optional. If true, the response will include access analysis from identities to resources via service account impersonation. This is a very expensive operation, because many derived queries will be executed. We highly recommend you use AssetService.AnalyzeIamPolicyLongrunning rpc instead. For example, if the request analyzes for which resources user A has permission P, and there's an IAM policy states user A has iam.serviceAccounts.getAccessToken permission to a service account SA, and there's another IAM policy states service account SA has permission P to a GCP folder F, then user A potentially has access to the GCP folder F. And those advanced analysis results will be included in AnalyzeIamPolicyResponse.service_account_impersonation_analysis. Another example, if the request analyzes for who has permission P to a GCP folder F, and there's an IAM policy states user A has iam.serviceAccounts.actAs permission to a service account SA, and there's another IAM policy states service account SA has permission P to the GCP folder F, then user A potentially has access to the GCP folder F. And those advanced analysis results will be included in AnalyzeIamPolicyResponse.service_account_impersonation_analysis. Only the following permissions are considered in this analysis:

  • iam.serviceAccounts.actAs
  • iam.serviceAccounts.signBlob
  • iam.serviceAccounts.signJwt
  • iam.serviceAccounts.getAccessToken
  • iam.serviceAccounts.getOpenIdToken
  • iam.serviceAccounts.implicitDelegation Default is false.

bool analyze_service_account_impersonation = 6 [(.google.api.field_behavior) = OPTIONAL];

Parameter
Name Description
value boolean

The analyzeServiceAccountImpersonation to set.

Returns
Type Description
IamPolicyAnalysisQuery.Options.Builder

This builder for chaining.

setExpandGroups(boolean value)

public IamPolicyAnalysisQuery.Options.Builder setExpandGroups(boolean value)

Optional. If true, the identities section of the result will expand any Google groups appearing in an IAM policy binding. If IamPolicyAnalysisQuery.identity_selector is specified, the identity in the result will be determined by the selector, and this flag is not allowed to set. If true, the default max expansion per group is 1000 for AssetService.AnalyzeIamPolicy][]. Default is false.

bool expand_groups = 1 [(.google.api.field_behavior) = OPTIONAL];

Parameter
Name Description
value boolean

The expandGroups to set.

Returns
Type Description
IamPolicyAnalysisQuery.Options.Builder

This builder for chaining.

setExpandResources(boolean value)

public IamPolicyAnalysisQuery.Options.Builder setExpandResources(boolean value)

Optional. If true and IamPolicyAnalysisQuery.resource_selector is not specified, the resource section of the result will expand any resource attached to an IAM policy to include resources lower in the resource hierarchy. For example, if the request analyzes for which resources user A has permission P, and the results include an IAM policy with P on a GCP folder, the results will also include resources in that folder with permission P. If true and IamPolicyAnalysisQuery.resource_selector is specified, the resource section of the result will expand the specified resource to include resources lower in the resource hierarchy. Only project or lower resources are supported. Folder and organization resource cannot be used together with this option. For example, if the request analyzes for which users have permission P on a GCP project with this option enabled, the results will include all users who have permission P on that project or any lower resource. If true, the default max expansion per resource is 1000 for AssetService.AnalyzeIamPolicy][] and 100000 for AssetService.AnalyzeIamPolicyLongrunning][]. Default is false.

bool expand_resources = 3 [(.google.api.field_behavior) = OPTIONAL];

Parameter
Name Description
value boolean

The expandResources to set.

Returns
Type Description
IamPolicyAnalysisQuery.Options.Builder

This builder for chaining.

setExpandRoles(boolean value)

public IamPolicyAnalysisQuery.Options.Builder setExpandRoles(boolean value)

Optional. If true, the access section of result will expand any roles appearing in IAM policy bindings to include their permissions. If IamPolicyAnalysisQuery.access_selector is specified, the access section of the result will be determined by the selector, and this flag is not allowed to set. Default is false.

bool expand_roles = 2 [(.google.api.field_behavior) = OPTIONAL];

Parameter
Name Description
value boolean

The expandRoles to set.

Returns
Type Description
IamPolicyAnalysisQuery.Options.Builder

This builder for chaining.

setField(Descriptors.FieldDescriptor field, Object value)

public IamPolicyAnalysisQuery.Options.Builder setField(Descriptors.FieldDescriptor field, Object value)
Parameters
Name Description
field FieldDescriptor
value Object
Returns
Type Description
IamPolicyAnalysisQuery.Options.Builder
Overrides

setOutputGroupEdges(boolean value)

public IamPolicyAnalysisQuery.Options.Builder setOutputGroupEdges(boolean value)

Optional. If true, the result will output the relevant membership relationships between groups and other groups, and between groups and principals. Default is false.

bool output_group_edges = 5 [(.google.api.field_behavior) = OPTIONAL];

Parameter
Name Description
value boolean

The outputGroupEdges to set.

Returns
Type Description
IamPolicyAnalysisQuery.Options.Builder

This builder for chaining.

setOutputResourceEdges(boolean value)

public IamPolicyAnalysisQuery.Options.Builder setOutputResourceEdges(boolean value)

Optional. If true, the result will output the relevant parent/child relationships between resources. Default is false.

bool output_resource_edges = 4 [(.google.api.field_behavior) = OPTIONAL];

Parameter
Name Description
value boolean

The outputResourceEdges to set.

Returns
Type Description
IamPolicyAnalysisQuery.Options.Builder

This builder for chaining.

setRepeatedField(Descriptors.FieldDescriptor field, int index, Object value)

public IamPolicyAnalysisQuery.Options.Builder setRepeatedField(Descriptors.FieldDescriptor field, int index, Object value)
Parameters
Name Description
field FieldDescriptor
index int
value Object
Returns
Type Description
IamPolicyAnalysisQuery.Options.Builder
Overrides

setUnknownFields(UnknownFieldSet unknownFields)

public final IamPolicyAnalysisQuery.Options.Builder setUnknownFields(UnknownFieldSet unknownFields)
Parameter
Name Description
unknownFields UnknownFieldSet
Returns
Type Description
IamPolicyAnalysisQuery.Options.Builder
Overrides