-
Notifications
You must be signed in to change notification settings - Fork 2.2k
/
access_policy.proto
81 lines (69 loc) · 3.56 KB
/
access_policy.proto
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
// Copyright 2022 Google LLC
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
syntax = "proto3";
package google.identity.accesscontextmanager.v1;
import "google/api/resource.proto";
import "google/protobuf/timestamp.proto";
option csharp_namespace = "Google.Identity.AccessContextManager.V1";
option go_package = "cloud.google.com/go/accesscontextmanager/apiv1/accesscontextmanagerpb;accesscontextmanagerpb";
option java_multiple_files = true;
option java_outer_classname = "PolicyProto";
option java_package = "com.google.identity.accesscontextmanager.v1";
option objc_class_prefix = "GACM";
option php_namespace = "Google\\Identity\\AccessContextManager\\V1";
option ruby_package = "Google::Identity::AccessContextManager::V1";
// `AccessPolicy` is a container for `AccessLevels` (which define the necessary
// attributes to use Google Cloud services) and `ServicePerimeters` (which
// define regions of services able to freely pass data within a perimeter). An
// access policy is globally visible within an organization, and the
// restrictions it specifies apply to all projects within an organization.
message AccessPolicy {
option (google.api.resource) = {
type: "accesscontextmanager.googleapis.com/AccessPolicy"
pattern: "accessPolicies/{access_policy}"
};
// Output only. Resource name of the `AccessPolicy`. Format:
// `accessPolicies/{access_policy}`
string name = 1;
// Required. The parent of this `AccessPolicy` in the Cloud Resource
// Hierarchy. Currently immutable once created. Format:
// `organizations/{organization_id}`
string parent = 2;
// Required. Human readable title. Does not affect behavior.
string title = 3;
// The scopes of a policy define which resources an ACM policy can restrict,
// and where ACM resources can be referenced.
// For example, a policy with scopes=["folders/123"] has the following
// behavior:
// - vpcsc perimeters can only restrict projects within folders/123
// - access levels can only be referenced by resources within folders/123.
// If empty, there are no limitations on which resources can be restricted by
// an ACM policy, and there are no limitations on where ACM resources can be
// referenced.
// Only one policy can include a given scope (attempting to create a second
// policy which includes "folders/123" will result in an error).
// Currently, scopes cannot be modified after a policy is created.
// Currently, policies can only have a single scope.
// Format: list of `folders/{folder_number}` or `projects/{project_number}`
repeated string scopes = 7;
// Output only. Time the `AccessPolicy` was created in UTC.
google.protobuf.Timestamp create_time = 4;
// Output only. Time the `AccessPolicy` was updated in UTC.
google.protobuf.Timestamp update_time = 5;
// Output only. An opaque identifier for the current version of the
// `AccessPolicy`. This will always be a strongly validated etag, meaning that
// two Access Polices will be identical if and only if their etags are
// identical. Clients should not expect this to be in any specific format.
string etag = 6;
}