Package Classes (0.1.0)

This API allows customers to manage temporary, request based privileged access to their resources.

It defines the following resource model:

• A collection of Entitlement resources. An entitlement allows configuring (among other things):

  • Some kind of privileged access that users can request.
  • A set of users called requesters who can request this access.
  • A maximum duration for which the access can be requested.
  • An optional approval workflow which must be satisfied before access is granted.

• A collection of Grant resources. A grant is a request by a requester to get the privileged access specified in an entitlement for some duration.

  After the approval workflow as specified in the entitlement is satisfied, the specified access is given to the requester. The access is automatically taken back after the requested duration is over.

This API allows customers to manage temporary, request based privileged access to their resources.

It defines the following resource model:

• A collection of Entitlement resources. An entitlement allows configuring (among other things):

  • Some kind of privileged access that users can request.
  • A set of users called requesters who can request this access.
  • A maximum duration for which the access can be requested.
  • An optional approval workflow which must be satisfied before access is granted.

• A collection of Grant resources. A grant is a request by a requester to get the privileged access specified in an entitlement for some duration.

  After the approval workflow as specified in the entitlement is satisfied, the specified access is given to the requester. The access is automatically taken back after the requested duration is over.

A pager for iterating through list_entitlements requests.

This class thinly wraps an initial ListEntitlementsResponse object, and provides an __aiter__ method to iterate through its entitlements field.

If there are more pages, the __aiter__ method will make additional ListEntitlements requests and continue to iterate through the entitlements field on the corresponding responses.

All the usual ListEntitlementsResponse attributes are available on the pager. If multiple requests are made, only the most recent response is retained, and thus used for attribute lookup.

A pager for iterating through list_entitlements requests.

This class thinly wraps an initial ListEntitlementsResponse object, and provides an __iter__ method to iterate through its entitlements field.

If there are more pages, the __iter__ method will make additional ListEntitlements requests and continue to iterate through the entitlements field on the corresponding responses.

All the usual ListEntitlementsResponse attributes are available on the pager. If multiple requests are made, only the most recent response is retained, and thus used for attribute lookup.

A pager for iterating through list_grants requests.

This class thinly wraps an initial ListGrantsResponse object, and provides an __aiter__ method to iterate through its grants field.

If there are more pages, the __aiter__ method will make additional ListGrants requests and continue to iterate through the grants field on the corresponding responses.

All the usual ListGrantsResponse attributes are available on the pager. If multiple requests are made, only the most recent response is retained, and thus used for attribute lookup.

A pager for iterating through list_grants requests.

This class thinly wraps an initial ListGrantsResponse object, and provides an __iter__ method to iterate through its grants field.

If there are more pages, the __iter__ method will make additional ListGrants requests and continue to iterate through the grants field on the corresponding responses.

All the usual ListGrantsResponse attributes are available on the pager. If multiple requests are made, only the most recent response is retained, and thus used for attribute lookup.

A pager for iterating through search_entitlements requests.

This class thinly wraps an initial SearchEntitlementsResponse object, and provides an __aiter__ method to iterate through its entitlements field.

If there are more pages, the __aiter__ method will make additional SearchEntitlements requests and continue to iterate through the entitlements field on the corresponding responses.

All the usual SearchEntitlementsResponse attributes are available on the pager. If multiple requests are made, only the most recent response is retained, and thus used for attribute lookup.

A pager for iterating through search_entitlements requests.

This class thinly wraps an initial SearchEntitlementsResponse object, and provides an __iter__ method to iterate through its entitlements field.

If there are more pages, the __iter__ method will make additional SearchEntitlements requests and continue to iterate through the entitlements field on the corresponding responses.

All the usual SearchEntitlementsResponse attributes are available on the pager. If multiple requests are made, only the most recent response is retained, and thus used for attribute lookup.

A pager for iterating through search_grants requests.

This class thinly wraps an initial SearchGrantsResponse object, and provides an __aiter__ method to iterate through its grants field.

If there are more pages, the __aiter__ method will make additional SearchGrants requests and continue to iterate through the grants field on the corresponding responses.

All the usual SearchGrantsResponse attributes are available on the pager. If multiple requests are made, only the most recent response is retained, and thus used for attribute lookup.

A pager for iterating through search_grants requests.

This class thinly wraps an initial SearchGrantsResponse object, and provides an __iter__ method to iterate through its grants field.

If there are more pages, the __iter__ method will make additional SearchGrants requests and continue to iterate through the grants field on the corresponding responses.

All the usual SearchGrantsResponse attributes are available on the pager. If multiple requests are made, only the most recent response is retained, and thus used for attribute lookup.

AccessControlEntry is used to control who can do some operation.

Different types of approval workflows that can be used to gate privileged access granting.

.. _oneof: https://proto-plus-python.readthedocs.io/en/stable/fields.html#oneofs-mutually-exclusive-fields

Request message for ApproveGrant method.

Request message for CheckOnboardingStatus method.

Response message for CheckOnboardingStatus method.

Finding represents an issue which prevents PAM from functioning properly for this resource.

.. _oneof: https://proto-plus-python.readthedocs.io/en/stable/fields.html#oneofs-mutually-exclusive-fields

PAM's service account is being denied access by Cloud IAM. This can be fixed by granting a role that contains the missing permissions to the service account or exempting it from deny policies if they are blocking the access.

Message for creating an entitlement.

Message for creating a grant

Message for deleting an entitlement.

Request message for DenyGrant method.

An entitlement defines the eligibility of a set of users to obtain predefined access for some time possibly after going through an approval workflow.

AdditionalNotificationTargets includes email addresses to be notified.

Defines how a requester must provide a justification when requesting access.

This message has oneof_ fields (mutually exclusive fields). For each oneof, at most one member field can be set at the same time. Setting any member of the oneof automatically clears all other members.

.. _oneof: https://proto-plus-python.readthedocs.io/en/stable/fields.html#oneofs-mutually-exclusive-fields

The justification is not mandatory but can be provided in any of the supported formats.

The requester has to provide a justification in the form of a string.

Different states an entitlement can be in.

Message for getting an entitlement.

Message for getting a grant.

This is to ensure that the Grants and ProducerGrants proto are byte compatible. A grant represents a request from a user for obtaining the access specified in an entitlement they are eligible for.

Audit trail for the access provided by this grant.

Different states a grant can be in.

Timeline of a grant describing what happened to it and when.

A single operation on the grant.

This message has oneof_ fields (mutually exclusive fields). For each oneof, at most one member field can be set at the same time. Setting any member of the oneof automatically clears all other members.

.. _oneof: https://proto-plus-python.readthedocs.io/en/stable/fields.html#oneofs-mutually-exclusive-fields

An event representing that the grant was successfully activated.

An event representing that the grant activation failed.

An event representing that the grant was approved.

An event representing that the grant was denied.

An event representing that the grant has ended.

An event representing that the grant was expired.

An event representing that the policy bindings made by this grant were modified externally.

An event representing that a grant was requested.

An event representing that the grant was revoked.

An event representing that the grant has been scheduled to be activated later.

Justification represents a justification for requesting access.

.. _oneof: https://proto-plus-python.readthedocs.io/en/stable/fields.html#oneofs-mutually-exclusive-fields

Message for requesting list of entitlements.

Message for response to listing entitlements.

Message for requesting list of grants.

Message for response to listing grants.

A manual approval workflow where users who are designated as approvers need to call the ApproveGrant/DenyGrant APIs for a grant. The workflow can consist of multiple serial steps where each step defines who can act as approver in that step and how many of those users should approve before the workflow moves to the next step.

This can be used to create approval workflows such as:

• Require an approval from any user in a group G.
• Require an approval from any k number of users from a Group G.
• Require an approval from any user in a group G and then from a user U.

A single user might be part of the approvers ACL for multiple steps in this workflow, but they can only approve once and that approval is only considered to satisfy the approval step at which it was granted.

Step represents a logical step in a manual approval workflow.

Represents the metadata of the long-running operation.

Privileged access that this service can be used to gate.

.. _oneof: https://proto-plus-python.readthedocs.io/en/stable/fields.html#oneofs-mutually-exclusive-fields

GcpIamAccess represents IAM based access control on a Google Cloud resource. Refer to https://cloud.google.com/iam/docs to understand more about IAM.

IAM Role bindings that are created after a successful grant.

Request message for RevokeGrant method.

Request message for SearchEntitlements method.

Different types of access a user can have on the entitlement resource.

Response message for SearchEntitlements method.

Request message for SearchGrants method.

Different types of relationships a user can have with a grant.

Response message for SearchGrants method.

Message for updating an entitlement.

API documentation for privilegedaccessmanager_v1.services.privileged_access_manager.pagers module.