Reference documentation and code samples for the Access Context Manager V1 API class Google::Identity::AccessContextManager::V1::Condition.
A condition necessary for an AccessLevel
to be granted. The Condition is an
AND over its fields. So a Condition is true if: 1) the request IP is from one
of the listed subnetworks AND 2) the originating device complies with the
listed device policy AND 3) all listed access levels are granted AND 4) the
request was sent at a time allowed by the DateTimeRestriction.
Inherits
- Object
Extended By
- Google::Protobuf::MessageExts::ClassMethods
Includes
- Google::Protobuf::MessageExts
Methods
#device_policy
def device_policy() -> ::Google::Identity::AccessContextManager::V1::DevicePolicy
- (::Google::Identity::AccessContextManager::V1::DevicePolicy) — Device specific restrictions, all restrictions must hold for the Condition to be true. If not specified, all devices are allowed.
#device_policy=
def device_policy=(value) -> ::Google::Identity::AccessContextManager::V1::DevicePolicy
- value (::Google::Identity::AccessContextManager::V1::DevicePolicy) — Device specific restrictions, all restrictions must hold for the Condition to be true. If not specified, all devices are allowed.
- (::Google::Identity::AccessContextManager::V1::DevicePolicy) — Device specific restrictions, all restrictions must hold for the Condition to be true. If not specified, all devices are allowed.
#ip_subnetworks
def ip_subnetworks() -> ::Array<::String>
- (::Array<::String>) — CIDR block IP subnetwork specification. May be IPv4 or IPv6. Note that for a CIDR IP address block, the specified IP address portion must be properly truncated (i.e. all the host bits must be zero) or the input is considered malformed. For example, "192.0.2.0/24" is accepted but "192.0.2.1/24" is not. Similarly, for IPv6, "2001:db8::/32" is accepted whereas "2001:db8::1/32" is not. The originating IP of a request must be in one of the listed subnets in order for this Condition to be true. If empty, all IP addresses are allowed.
#ip_subnetworks=
def ip_subnetworks=(value) -> ::Array<::String>
- value (::Array<::String>) — CIDR block IP subnetwork specification. May be IPv4 or IPv6. Note that for a CIDR IP address block, the specified IP address portion must be properly truncated (i.e. all the host bits must be zero) or the input is considered malformed. For example, "192.0.2.0/24" is accepted but "192.0.2.1/24" is not. Similarly, for IPv6, "2001:db8::/32" is accepted whereas "2001:db8::1/32" is not. The originating IP of a request must be in one of the listed subnets in order for this Condition to be true. If empty, all IP addresses are allowed.
- (::Array<::String>) — CIDR block IP subnetwork specification. May be IPv4 or IPv6. Note that for a CIDR IP address block, the specified IP address portion must be properly truncated (i.e. all the host bits must be zero) or the input is considered malformed. For example, "192.0.2.0/24" is accepted but "192.0.2.1/24" is not. Similarly, for IPv6, "2001:db8::/32" is accepted whereas "2001:db8::1/32" is not. The originating IP of a request must be in one of the listed subnets in order for this Condition to be true. If empty, all IP addresses are allowed.
#members
def members() -> ::Array<::String>
-
(::Array<::String>) — The request must be made by one of the provided user or service
accounts. Groups are not supported.
Syntax:
user:{emailid}
serviceAccount:{emailid}
If not specified, a request may come from any user.
#members=
def members=(value) -> ::Array<::String>
-
value (::Array<::String>) — The request must be made by one of the provided user or service
accounts. Groups are not supported.
Syntax:
user:{emailid}
serviceAccount:{emailid}
If not specified, a request may come from any user.
-
(::Array<::String>) — The request must be made by one of the provided user or service
accounts. Groups are not supported.
Syntax:
user:{emailid}
serviceAccount:{emailid}
If not specified, a request may come from any user.
#negate
def negate() -> ::Boolean
- (::Boolean) — Whether to negate the Condition. If true, the Condition becomes a NAND over its non-empty fields, each field must be false for the Condition overall to be satisfied. Defaults to false.
#negate=
def negate=(value) -> ::Boolean
- value (::Boolean) — Whether to negate the Condition. If true, the Condition becomes a NAND over its non-empty fields, each field must be false for the Condition overall to be satisfied. Defaults to false.
- (::Boolean) — Whether to negate the Condition. If true, the Condition becomes a NAND over its non-empty fields, each field must be false for the Condition overall to be satisfied. Defaults to false.
#regions
def regions() -> ::Array<::String>
- (::Array<::String>) — The request must originate from one of the provided countries/regions. Must be valid ISO 3166-1 alpha-2 codes.
#regions=
def regions=(value) -> ::Array<::String>
- value (::Array<::String>) — The request must originate from one of the provided countries/regions. Must be valid ISO 3166-1 alpha-2 codes.
- (::Array<::String>) — The request must originate from one of the provided countries/regions. Must be valid ISO 3166-1 alpha-2 codes.
#required_access_levels
def required_access_levels() -> ::Array<::String>
-
(::Array<::String>) — A list of other access levels defined in the same
Policy
, referenced by resource name. Referencing anAccessLevel
which does not exist is an error. All access levels listed must be granted for the Condition to be true. Example: "accessPolicies/MY_POLICY/accessLevels/LEVEL_NAME"
#required_access_levels=
def required_access_levels=(value) -> ::Array<::String>
-
value (::Array<::String>) — A list of other access levels defined in the same
Policy
, referenced by resource name. Referencing anAccessLevel
which does not exist is an error. All access levels listed must be granted for the Condition to be true. Example: "accessPolicies/MY_POLICY/accessLevels/LEVEL_NAME"
-
(::Array<::String>) — A list of other access levels defined in the same
Policy
, referenced by resource name. Referencing anAccessLevel
which does not exist is an error. All access levels listed must be granted for the Condition to be true. Example: "accessPolicies/MY_POLICY/accessLevels/LEVEL_NAME"