| <html><body> |
| <style> |
| |
| body, h1, h2, h3, div, span, p, pre, a { |
| margin: 0; |
| padding: 0; |
| border: 0; |
| font-weight: inherit; |
| font-style: inherit; |
| font-size: 100%; |
| font-family: inherit; |
| vertical-align: baseline; |
| } |
| |
| body { |
| font-size: 13px; |
| padding: 1em; |
| } |
| |
| h1 { |
| font-size: 26px; |
| margin-bottom: 1em; |
| } |
| |
| h2 { |
| font-size: 24px; |
| margin-bottom: 1em; |
| } |
| |
| h3 { |
| font-size: 20px; |
| margin-bottom: 1em; |
| margin-top: 1em; |
| } |
| |
| pre, code { |
| line-height: 1.5; |
| font-family: Monaco, 'DejaVu Sans Mono', 'Bitstream Vera Sans Mono', 'Lucida Console', monospace; |
| } |
| |
| pre { |
| margin-top: 0.5em; |
| } |
| |
| h1, h2, h3, p { |
| font-family: Arial, sans serif; |
| } |
| |
| h1, h2, h3 { |
| border-bottom: solid #CCC 1px; |
| } |
| |
| .toc_element { |
| margin-top: 0.5em; |
| } |
| |
| .firstline { |
| margin-left: 2 em; |
| } |
| |
| .method { |
| margin-top: 1em; |
| border: solid 1px #CCC; |
| padding: 1em; |
| background: #EEE; |
| } |
| |
| .details { |
| font-weight: bold; |
| font-size: 14px; |
| } |
| |
| </style> |
| |
| <h1><a href="cloudresourcemanager_v1.html">Cloud Resource Manager API</a> . <a href="cloudresourcemanager_v1.organizations.html">organizations</a></h1> |
| <h2>Instance Methods</h2> |
| <p class="toc_element"> |
| <code><a href="#clearOrgPolicy">clearOrgPolicy(resource, body, x__xgafv=None)</a></code></p> |
| <p class="firstline">Clears a `Policy` from a resource.</p> |
| <p class="toc_element"> |
| <code><a href="#get">get(name, x__xgafv=None)</a></code></p> |
| <p class="firstline">Fetches an Organization resource identified by the specified resource name.</p> |
| <p class="toc_element"> |
| <code><a href="#getEffectiveOrgPolicy">getEffectiveOrgPolicy(resource, body, x__xgafv=None)</a></code></p> |
| <p class="firstline">Gets the effective `Policy` on a resource. This is the result of merging</p> |
| <p class="toc_element"> |
| <code><a href="#getIamPolicy">getIamPolicy(resource, body=None, x__xgafv=None)</a></code></p> |
| <p class="firstline">Gets the access control policy for an Organization resource. May be empty</p> |
| <p class="toc_element"> |
| <code><a href="#getOrgPolicy">getOrgPolicy(resource, body, x__xgafv=None)</a></code></p> |
| <p class="firstline">Gets a `Policy` on a resource.</p> |
| <p class="toc_element"> |
| <code><a href="#listAvailableOrgPolicyConstraints">listAvailableOrgPolicyConstraints(resource, body, x__xgafv=None)</a></code></p> |
| <p class="firstline">Lists `Constraints` that could be applied on the specified resource.</p> |
| <p class="toc_element"> |
| <code><a href="#listAvailableOrgPolicyConstraints_next">listAvailableOrgPolicyConstraints_next(previous_request, previous_response)</a></code></p> |
| <p class="firstline">Retrieves the next page of results.</p> |
| <p class="toc_element"> |
| <code><a href="#listOrgPolicies">listOrgPolicies(resource, body, x__xgafv=None)</a></code></p> |
| <p class="firstline">Lists all the `Policies` set for a particular resource.</p> |
| <p class="toc_element"> |
| <code><a href="#listOrgPolicies_next">listOrgPolicies_next(previous_request, previous_response)</a></code></p> |
| <p class="firstline">Retrieves the next page of results.</p> |
| <p class="toc_element"> |
| <code><a href="#search">search(body, x__xgafv=None)</a></code></p> |
| <p class="firstline">Searches Organization resources that are visible to the user and satisfy</p> |
| <p class="toc_element"> |
| <code><a href="#search_next">search_next(previous_request, previous_response)</a></code></p> |
| <p class="firstline">Retrieves the next page of results.</p> |
| <p class="toc_element"> |
| <code><a href="#setIamPolicy">setIamPolicy(resource, body, x__xgafv=None)</a></code></p> |
| <p class="firstline">Sets the access control policy on an Organization resource. Replaces any</p> |
| <p class="toc_element"> |
| <code><a href="#setOrgPolicy">setOrgPolicy(resource, body, x__xgafv=None)</a></code></p> |
| <p class="firstline">Updates the specified `Policy` on the resource. Creates a new `Policy` for</p> |
| <p class="toc_element"> |
| <code><a href="#testIamPermissions">testIamPermissions(resource, body, x__xgafv=None)</a></code></p> |
| <p class="firstline">Returns permissions that a caller has on the specified Organization.</p> |
| <h3>Method Details</h3> |
| <div class="method"> |
| <code class="details" id="clearOrgPolicy">clearOrgPolicy(resource, body, x__xgafv=None)</code> |
| <pre>Clears a `Policy` from a resource. |
| |
| Args: |
| resource: string, Name of the resource for the `Policy` to clear. (required) |
| body: object, The request body. (required) |
| The object takes the form of: |
| |
| { # The request sent to the ClearOrgPolicy method. |
| "etag": "A String", # The current version, for concurrency control. Not sending an `etag` |
| # will cause the `Policy` to be cleared blindly. |
| "constraint": "A String", # Name of the `Constraint` of the `Policy` to clear. |
| } |
| |
| x__xgafv: string, V1 error format. |
| Allowed values |
| 1 - v1 error format |
| 2 - v2 error format |
| |
| Returns: |
| An object of the form: |
| |
| { # A generic empty message that you can re-use to avoid defining duplicated |
| # empty messages in your APIs. A typical example is to use it as the request |
| # or the response type of an API method. For instance: |
| # |
| # service Foo { |
| # rpc Bar(google.protobuf.Empty) returns (google.protobuf.Empty); |
| # } |
| # |
| # The JSON representation for `Empty` is empty JSON object `{}`. |
| }</pre> |
| </div> |
| |
| <div class="method"> |
| <code class="details" id="get">get(name, x__xgafv=None)</code> |
| <pre>Fetches an Organization resource identified by the specified resource name. |
| |
| Args: |
| name: string, The resource name of the Organization to fetch. This is the organization's |
| relative path in the API, formatted as "organizations/[organizationId]". |
| For example, "organizations/1234". (required) |
| x__xgafv: string, V1 error format. |
| Allowed values |
| 1 - v1 error format |
| 2 - v2 error format |
| |
| Returns: |
| An object of the form: |
| |
| { # The root node in the resource hierarchy to which a particular entity's |
| # (e.g., company) resources belong. |
| "owner": { # The entity that owns an Organization. The lifetime of the Organization and # The owner of this Organization. The owner should be specified on |
| # creation. Once set, it cannot be changed. |
| # This field is required. |
| # all of its descendants are bound to the `OrganizationOwner`. If the |
| # `OrganizationOwner` is deleted, the Organization and all its descendants will |
| # be deleted. |
| "directoryCustomerId": "A String", # The G Suite customer id used in the Directory API. |
| }, |
| "displayName": "A String", # A human-readable string that refers to the Organization in the |
| # GCP Console UI. This string is set by the server and cannot be |
| # changed. The string will be set to the primary domain (for example, |
| # "google.com") of the G Suite customer that owns the organization. |
| # @OutputOnly |
| "creationTime": "A String", # Timestamp when the Organization was created. Assigned by the server. |
| # @OutputOnly |
| "lifecycleState": "A String", # The organization's current lifecycle state. Assigned by the server. |
| # @OutputOnly |
| "name": "A String", # Output Only. The resource name of the organization. This is the |
| # organization's relative path in the API. Its format is |
| # "organizations/[organization_id]". For example, "organizations/1234". |
| }</pre> |
| </div> |
| |
| <div class="method"> |
| <code class="details" id="getEffectiveOrgPolicy">getEffectiveOrgPolicy(resource, body, x__xgafv=None)</code> |
| <pre>Gets the effective `Policy` on a resource. This is the result of merging |
| `Policies` in the resource hierarchy. The returned `Policy` will not have |
| an `etag`set because it is a computed `Policy` across multiple resources. |
| Subtrees of Resource Manager resource hierarchy with 'under:' prefix will |
| not be expanded. |
| |
| Args: |
| resource: string, The name of the resource to start computing the effective `Policy`. (required) |
| body: object, The request body. (required) |
| The object takes the form of: |
| |
| { # The request sent to the GetEffectiveOrgPolicy method. |
| "constraint": "A String", # The name of the `Constraint` to compute the effective `Policy`. |
| } |
| |
| x__xgafv: string, V1 error format. |
| Allowed values |
| 1 - v1 error format |
| 2 - v2 error format |
| |
| Returns: |
| An object of the form: |
| |
| { # Defines a Cloud Organization `Policy` which is used to specify `Constraints` |
| # for configurations of Cloud Platform resources. |
| "updateTime": "A String", # The time stamp the `Policy` was previously updated. This is set by the |
| # server, not specified by the caller, and represents the last time a call to |
| # `SetOrgPolicy` was made for that `Policy`. Any value set by the client will |
| # be ignored. |
| "version": 42, # Version of the `Policy`. Default version is 0; |
| "constraint": "A String", # The name of the `Constraint` the `Policy` is configuring, for example, |
| # `constraints/serviceuser.services`. |
| # |
| # Immutable after creation. |
| "restoreDefault": { # Ignores policies set above this resource and restores the # Restores the default behavior of the constraint; independent of |
| # `Constraint` type. |
| # `constraint_default` enforcement behavior of the specific `Constraint` at |
| # this resource. |
| # |
| # Suppose that `constraint_default` is set to `ALLOW` for the |
| # `Constraint` `constraints/serviceuser.services`. Suppose that organization |
| # foo.com sets a `Policy` at their Organization resource node that restricts |
| # the allowed service activations to deny all service activations. They |
| # could then set a `Policy` with the `policy_type` `restore_default` on |
| # several experimental projects, restoring the `constraint_default` |
| # enforcement of the `Constraint` for only those projects, allowing those |
| # projects to have all services activated. |
| }, |
| "listPolicy": { # Used in `policy_type` to specify how `list_policy` behaves at this # List of values either allowed or disallowed. |
| # resource. |
| # |
| # `ListPolicy` can define specific values and subtrees of Cloud Resource |
| # Manager resource hierarchy (`Organizations`, `Folders`, `Projects`) that |
| # are allowed or denied by setting the `allowed_values` and `denied_values` |
| # fields. This is achieved by using the `under:` and optional `is:` prefixes. |
| # The `under:` prefix is used to denote resource subtree values. |
| # The `is:` prefix is used to denote specific values, and is required only |
| # if the value contains a ":". Values prefixed with "is:" are treated the |
| # same as values with no prefix. |
| # Ancestry subtrees must be in one of the following formats: |
| # - “projects/<project-id>”, e.g. “projects/tokyo-rain-123” |
| # - “folders/<folder-id>”, e.g. “folders/1234” |
| # - “organizations/<organization-id>”, e.g. “organizations/1234” |
| # The `supports_under` field of the associated `Constraint` defines whether |
| # ancestry prefixes can be used. You can set `allowed_values` and |
| # `denied_values` in the same `Policy` if `all_values` is |
| # `ALL_VALUES_UNSPECIFIED`. `ALLOW` or `DENY` are used to allow or deny all |
| # values. If `all_values` is set to either `ALLOW` or `DENY`, |
| # `allowed_values` and `denied_values` must be unset. |
| "allValues": "A String", # The policy all_values state. |
| "allowedValues": [ # List of values allowed at this resource. Can only be set if `all_values` |
| # is set to `ALL_VALUES_UNSPECIFIED`. |
| "A String", |
| ], |
| "inheritFromParent": True or False, # Determines the inheritance behavior for this `Policy`. |
| # |
| # By default, a `ListPolicy` set at a resource supercedes any `Policy` set |
| # anywhere up the resource hierarchy. However, if `inherit_from_parent` is |
| # set to `true`, then the values from the effective `Policy` of the parent |
| # resource are inherited, meaning the values set in this `Policy` are |
| # added to the values inherited up the hierarchy. |
| # |
| # Setting `Policy` hierarchies that inherit both allowed values and denied |
| # values isn't recommended in most circumstances to keep the configuration |
| # simple and understandable. However, it is possible to set a `Policy` with |
| # `allowed_values` set that inherits a `Policy` with `denied_values` set. |
| # In this case, the values that are allowed must be in `allowed_values` and |
| # not present in `denied_values`. |
| # |
| # For example, suppose you have a `Constraint` |
| # `constraints/serviceuser.services`, which has a `constraint_type` of |
| # `list_constraint`, and with `constraint_default` set to `ALLOW`. |
| # Suppose that at the Organization level, a `Policy` is applied that |
| # restricts the allowed API activations to {`E1`, `E2`}. Then, if a |
| # `Policy` is applied to a project below the Organization that has |
| # `inherit_from_parent` set to `false` and field all_values set to DENY, |
| # then an attempt to activate any API will be denied. |
| # |
| # The following examples demonstrate different possible layerings for |
| # `projects/bar` parented by `organizations/foo`: |
| # |
| # Example 1 (no inherited values): |
| # `organizations/foo` has a `Policy` with values: |
| # {allowed_values: “E1” allowed_values:”E2”} |
| # `projects/bar` has `inherit_from_parent` `false` and values: |
| # {allowed_values: "E3" allowed_values: "E4"} |
| # The accepted values at `organizations/foo` are `E1`, `E2`. |
| # The accepted values at `projects/bar` are `E3`, and `E4`. |
| # |
| # Example 2 (inherited values): |
| # `organizations/foo` has a `Policy` with values: |
| # {allowed_values: “E1” allowed_values:”E2”} |
| # `projects/bar` has a `Policy` with values: |
| # {value: “E3” value: ”E4” inherit_from_parent: true} |
| # The accepted values at `organizations/foo` are `E1`, `E2`. |
| # The accepted values at `projects/bar` are `E1`, `E2`, `E3`, and `E4`. |
| # |
| # Example 3 (inheriting both allowed and denied values): |
| # `organizations/foo` has a `Policy` with values: |
| # {allowed_values: "E1" allowed_values: "E2"} |
| # `projects/bar` has a `Policy` with: |
| # {denied_values: "E1"} |
| # The accepted values at `organizations/foo` are `E1`, `E2`. |
| # The value accepted at `projects/bar` is `E2`. |
| # |
| # Example 4 (RestoreDefault): |
| # `organizations/foo` has a `Policy` with values: |
| # {allowed_values: “E1” allowed_values:”E2”} |
| # `projects/bar` has a `Policy` with values: |
| # {RestoreDefault: {}} |
| # The accepted values at `organizations/foo` are `E1`, `E2`. |
| # The accepted values at `projects/bar` are either all or none depending on |
| # the value of `constraint_default` (if `ALLOW`, all; if |
| # `DENY`, none). |
| # |
| # Example 5 (no policy inherits parent policy): |
| # `organizations/foo` has no `Policy` set. |
| # `projects/bar` has no `Policy` set. |
| # The accepted values at both levels are either all or none depending on |
| # the value of `constraint_default` (if `ALLOW`, all; if |
| # `DENY`, none). |
| # |
| # Example 6 (ListConstraint allowing all): |
| # `organizations/foo` has a `Policy` with values: |
| # {allowed_values: “E1” allowed_values: ”E2”} |
| # `projects/bar` has a `Policy` with: |
| # {all: ALLOW} |
| # The accepted values at `organizations/foo` are `E1`, E2`. |
| # Any value is accepted at `projects/bar`. |
| # |
| # Example 7 (ListConstraint allowing none): |
| # `organizations/foo` has a `Policy` with values: |
| # {allowed_values: “E1” allowed_values: ”E2”} |
| # `projects/bar` has a `Policy` with: |
| # {all: DENY} |
| # The accepted values at `organizations/foo` are `E1`, E2`. |
| # No value is accepted at `projects/bar`. |
| # |
| # Example 10 (allowed and denied subtrees of Resource Manager hierarchy): |
| # Given the following resource hierarchy |
| # O1->{F1, F2}; F1->{P1}; F2->{P2, P3}, |
| # `organizations/foo` has a `Policy` with values: |
| # {allowed_values: "under:organizations/O1"} |
| # `projects/bar` has a `Policy` with: |
| # {allowed_values: "under:projects/P3"} |
| # {denied_values: "under:folders/F2"} |
| # The accepted values at `organizations/foo` are `organizations/O1`, |
| # `folders/F1`, `folders/F2`, `projects/P1`, `projects/P2`, |
| # `projects/P3`. |
| # The accepted values at `projects/bar` are `organizations/O1`, |
| # `folders/F1`, `projects/P1`. |
| "suggestedValue": "A String", # Optional. The Google Cloud Console will try to default to a configuration |
| # that matches the value specified in this `Policy`. If `suggested_value` |
| # is not set, it will inherit the value specified higher in the hierarchy, |
| # unless `inherit_from_parent` is `false`. |
| "deniedValues": [ # List of values denied at this resource. Can only be set if `all_values` |
| # is set to `ALL_VALUES_UNSPECIFIED`. |
| "A String", |
| ], |
| }, |
| "booleanPolicy": { # Used in `policy_type` to specify how `boolean_policy` will behave at this # For boolean `Constraints`, whether to enforce the `Constraint` or not. |
| # resource. |
| "enforced": True or False, # If `true`, then the `Policy` is enforced. If `false`, then any |
| # configuration is acceptable. |
| # |
| # Suppose you have a `Constraint` |
| # `constraints/compute.disableSerialPortAccess` with `constraint_default` |
| # set to `ALLOW`. A `Policy` for that `Constraint` exhibits the following |
| # behavior: |
| # - If the `Policy` at this resource has enforced set to `false`, serial |
| # port connection attempts will be allowed. |
| # - If the `Policy` at this resource has enforced set to `true`, serial |
| # port connection attempts will be refused. |
| # - If the `Policy` at this resource is `RestoreDefault`, serial port |
| # connection attempts will be allowed. |
| # - If no `Policy` is set at this resource or anywhere higher in the |
| # resource hierarchy, serial port connection attempts will be allowed. |
| # - If no `Policy` is set at this resource, but one exists higher in the |
| # resource hierarchy, the behavior is as if the`Policy` were set at |
| # this resource. |
| # |
| # The following examples demonstrate the different possible layerings: |
| # |
| # Example 1 (nearest `Constraint` wins): |
| # `organizations/foo` has a `Policy` with: |
| # {enforced: false} |
| # `projects/bar` has no `Policy` set. |
| # The constraint at `projects/bar` and `organizations/foo` will not be |
| # enforced. |
| # |
| # Example 2 (enforcement gets replaced): |
| # `organizations/foo` has a `Policy` with: |
| # {enforced: false} |
| # `projects/bar` has a `Policy` with: |
| # {enforced: true} |
| # The constraint at `organizations/foo` is not enforced. |
| # The constraint at `projects/bar` is enforced. |
| # |
| # Example 3 (RestoreDefault): |
| # `organizations/foo` has a `Policy` with: |
| # {enforced: true} |
| # `projects/bar` has a `Policy` with: |
| # {RestoreDefault: {}} |
| # The constraint at `organizations/foo` is enforced. |
| # The constraint at `projects/bar` is not enforced, because |
| # `constraint_default` for the `Constraint` is `ALLOW`. |
| }, |
| "etag": "A String", # An opaque tag indicating the current version of the `Policy`, used for |
| # concurrency control. |
| # |
| # When the `Policy` is returned from either a `GetPolicy` or a |
| # `ListOrgPolicy` request, this `etag` indicates the version of the current |
| # `Policy` to use when executing a read-modify-write loop. |
| # |
| # When the `Policy` is returned from a `GetEffectivePolicy` request, the |
| # `etag` will be unset. |
| # |
| # When the `Policy` is used in a `SetOrgPolicy` method, use the `etag` value |
| # that was returned from a `GetOrgPolicy` request as part of a |
| # read-modify-write loop for concurrency control. Not setting the `etag`in a |
| # `SetOrgPolicy` request will result in an unconditional write of the |
| # `Policy`. |
| }</pre> |
| </div> |
| |
| <div class="method"> |
| <code class="details" id="getIamPolicy">getIamPolicy(resource, body=None, x__xgafv=None)</code> |
| <pre>Gets the access control policy for an Organization resource. May be empty |
| if no such policy or resource exists. The `resource` field should be the |
| organization's resource name, e.g. "organizations/123". |
| |
| Authorization requires the Google IAM permission |
| `resourcemanager.organizations.getIamPolicy` on the specified organization |
| |
| Args: |
| resource: string, REQUIRED: The resource for which the policy is being requested. |
| See the operation documentation for the appropriate value for this field. (required) |
| body: object, The request body. |
| The object takes the form of: |
| |
| { # Request message for `GetIamPolicy` method. |
| } |
| |
| x__xgafv: string, V1 error format. |
| Allowed values |
| 1 - v1 error format |
| 2 - v2 error format |
| |
| Returns: |
| An object of the form: |
| |
| { # Defines an Identity and Access Management (IAM) policy. It is used to |
| # specify access control policies for Cloud Platform resources. |
| # |
| # |
| # A `Policy` consists of a list of `bindings`. A `binding` binds a list of |
| # `members` to a `role`, where the members can be user accounts, Google groups, |
| # Google domains, and service accounts. A `role` is a named list of permissions |
| # defined by IAM. |
| # |
| # **JSON Example** |
| # |
| # { |
| # "bindings": [ |
| # { |
| # "role": "roles/owner", |
| # "members": [ |
| # "user:[email protected]", |
| # "group:[email protected]", |
| # "domain:google.com", |
| # "serviceAccount:[email protected]" |
| # ] |
| # }, |
| # { |
| # "role": "roles/viewer", |
| # "members": ["user:[email protected]"] |
| # } |
| # ] |
| # } |
| # |
| # **YAML Example** |
| # |
| # bindings: |
| # - members: |
| # - user:[email protected] |
| # - group:[email protected] |
| # - domain:google.com |
| # - serviceAccount:[email protected] |
| # role: roles/owner |
| # - members: |
| # - user:[email protected] |
| # role: roles/viewer |
| # |
| # |
| # For a description of IAM and its features, see the |
| # [IAM developer's guide](https://cloud.google.com/iam/docs). |
| "bindings": [ # Associates a list of `members` to a `role`. |
| # `bindings` with no members will result in an error. |
| { # Associates `members` with a `role`. |
| "role": "A String", # Role that is assigned to `members`. |
| # For example, `roles/viewer`, `roles/editor`, or `roles/owner`. |
| "condition": { # Represents an expression text. Example: # The condition that is associated with this binding. |
| # NOTE: An unsatisfied condition will not allow user access via current |
| # binding. Different bindings, including their conditions, are examined |
| # independently. |
| # |
| # title: "User account presence" |
| # description: "Determines whether the request has a user account" |
| # expression: "size(request.user) > 0" |
| "location": "A String", # An optional string indicating the location of the expression for error |
| # reporting, e.g. a file name and a position in the file. |
| "expression": "A String", # Textual representation of an expression in |
| # Common Expression Language syntax. |
| # |
| # The application context of the containing message determines which |
| # well-known feature set of CEL is supported. |
| "description": "A String", # An optional description of the expression. This is a longer text which |
| # describes the expression, e.g. when hovered over it in a UI. |
| "title": "A String", # An optional title for the expression, i.e. a short string describing |
| # its purpose. This can be used e.g. in UIs which allow to enter the |
| # expression. |
| }, |
| "members": [ # Specifies the identities requesting access for a Cloud Platform resource. |
| # `members` can have the following values: |
| # |
| # * `allUsers`: A special identifier that represents anyone who is |
| # on the internet; with or without a Google account. |
| # |
| # * `allAuthenticatedUsers`: A special identifier that represents anyone |
| # who is authenticated with a Google account or a service account. |
| # |
| # * `user:{emailid}`: An email address that represents a specific Google |
| # account. For example, `[email protected]` . |
| # |
| # |
| # * `serviceAccount:{emailid}`: An email address that represents a service |
| # account. For example, `[email protected]`. |
| # |
| # * `group:{emailid}`: An email address that represents a Google group. |
| # For example, `[email protected]`. |
| # |
| # |
| # * `domain:{domain}`: The G Suite domain (primary) that represents all the |
| # users of that domain. For example, `google.com` or `example.com`. |
| # |
| "A String", |
| ], |
| }, |
| ], |
| "etag": "A String", # `etag` is used for optimistic concurrency control as a way to help |
| # prevent simultaneous updates of a policy from overwriting each other. |
| # It is strongly suggested that systems make use of the `etag` in the |
| # read-modify-write cycle to perform policy updates in order to avoid race |
| # conditions: An `etag` is returned in the response to `getIamPolicy`, and |
| # systems are expected to put that etag in the request to `setIamPolicy` to |
| # ensure that their change will be applied to the same version of the policy. |
| # |
| # If no `etag` is provided in the call to `setIamPolicy`, then the existing |
| # policy is overwritten blindly. |
| "version": 42, # Deprecated. |
| "auditConfigs": [ # Specifies cloud audit logging configuration for this policy. |
| { # Specifies the audit configuration for a service. |
| # The configuration determines which permission types are logged, and what |
| # identities, if any, are exempted from logging. |
| # An AuditConfig must have one or more AuditLogConfigs. |
| # |
| # If there are AuditConfigs for both `allServices` and a specific service, |
| # the union of the two AuditConfigs is used for that service: the log_types |
| # specified in each AuditConfig are enabled, and the exempted_members in each |
| # AuditLogConfig are exempted. |
| # |
| # Example Policy with multiple AuditConfigs: |
| # |
| # { |
| # "audit_configs": [ |
| # { |
| # "service": "allServices" |
| # "audit_log_configs": [ |
| # { |
| # "log_type": "DATA_READ", |
| # "exempted_members": [ |
| # "user:[email protected]" |
| # ] |
| # }, |
| # { |
| # "log_type": "DATA_WRITE", |
| # }, |
| # { |
| # "log_type": "ADMIN_READ", |
| # } |
| # ] |
| # }, |
| # { |
| # "service": "fooservice.googleapis.com" |
| # "audit_log_configs": [ |
| # { |
| # "log_type": "DATA_READ", |
| # }, |
| # { |
| # "log_type": "DATA_WRITE", |
| # "exempted_members": [ |
| # "user:[email protected]" |
| # ] |
| # } |
| # ] |
| # } |
| # ] |
| # } |
| # |
| # For fooservice, this policy enables DATA_READ, DATA_WRITE and ADMIN_READ |
| # logging. It also exempts [email protected] from DATA_READ logging, and |
| # [email protected] from DATA_WRITE logging. |
| "auditLogConfigs": [ # The configuration for logging of each type of permission. |
| { # Provides the configuration for logging a type of permissions. |
| # Example: |
| # |
| # { |
| # "audit_log_configs": [ |
| # { |
| # "log_type": "DATA_READ", |
| # "exempted_members": [ |
| # "user:[email protected]" |
| # ] |
| # }, |
| # { |
| # "log_type": "DATA_WRITE", |
| # } |
| # ] |
| # } |
| # |
| # This enables 'DATA_READ' and 'DATA_WRITE' logging, while exempting |
| # [email protected] from DATA_READ logging. |
| "exemptedMembers": [ # Specifies the identities that do not cause logging for this type of |
| # permission. |
| # Follows the same format of Binding.members. |
| "A String", |
| ], |
| "logType": "A String", # The log type that this config enables. |
| }, |
| ], |
| "service": "A String", # Specifies a service that will be enabled for audit logging. |
| # For example, `storage.googleapis.com`, `cloudsql.googleapis.com`. |
| # `allServices` is a special value that covers all services. |
| }, |
| ], |
| }</pre> |
| </div> |
| |
| <div class="method"> |
| <code class="details" id="getOrgPolicy">getOrgPolicy(resource, body, x__xgafv=None)</code> |
| <pre>Gets a `Policy` on a resource. |
| |
| If no `Policy` is set on the resource, a `Policy` is returned with default |
| values including `POLICY_TYPE_NOT_SET` for the `policy_type oneof`. The |
| `etag` value can be used with `SetOrgPolicy()` to create or update a |
| `Policy` during read-modify-write. |
| |
| Args: |
| resource: string, Name of the resource the `Policy` is set on. (required) |
| body: object, The request body. (required) |
| The object takes the form of: |
| |
| { # The request sent to the GetOrgPolicy method. |
| "constraint": "A String", # Name of the `Constraint` to get the `Policy`. |
| } |
| |
| x__xgafv: string, V1 error format. |
| Allowed values |
| 1 - v1 error format |
| 2 - v2 error format |
| |
| Returns: |
| An object of the form: |
| |
| { # Defines a Cloud Organization `Policy` which is used to specify `Constraints` |
| # for configurations of Cloud Platform resources. |
| "updateTime": "A String", # The time stamp the `Policy` was previously updated. This is set by the |
| # server, not specified by the caller, and represents the last time a call to |
| # `SetOrgPolicy` was made for that `Policy`. Any value set by the client will |
| # be ignored. |
| "version": 42, # Version of the `Policy`. Default version is 0; |
| "constraint": "A String", # The name of the `Constraint` the `Policy` is configuring, for example, |
| # `constraints/serviceuser.services`. |
| # |
| # Immutable after creation. |
| "restoreDefault": { # Ignores policies set above this resource and restores the # Restores the default behavior of the constraint; independent of |
| # `Constraint` type. |
| # `constraint_default` enforcement behavior of the specific `Constraint` at |
| # this resource. |
| # |
| # Suppose that `constraint_default` is set to `ALLOW` for the |
| # `Constraint` `constraints/serviceuser.services`. Suppose that organization |
| # foo.com sets a `Policy` at their Organization resource node that restricts |
| # the allowed service activations to deny all service activations. They |
| # could then set a `Policy` with the `policy_type` `restore_default` on |
| # several experimental projects, restoring the `constraint_default` |
| # enforcement of the `Constraint` for only those projects, allowing those |
| # projects to have all services activated. |
| }, |
| "listPolicy": { # Used in `policy_type` to specify how `list_policy` behaves at this # List of values either allowed or disallowed. |
| # resource. |
| # |
| # `ListPolicy` can define specific values and subtrees of Cloud Resource |
| # Manager resource hierarchy (`Organizations`, `Folders`, `Projects`) that |
| # are allowed or denied by setting the `allowed_values` and `denied_values` |
| # fields. This is achieved by using the `under:` and optional `is:` prefixes. |
| # The `under:` prefix is used to denote resource subtree values. |
| # The `is:` prefix is used to denote specific values, and is required only |
| # if the value contains a ":". Values prefixed with "is:" are treated the |
| # same as values with no prefix. |
| # Ancestry subtrees must be in one of the following formats: |
| # - “projects/<project-id>”, e.g. “projects/tokyo-rain-123” |
| # - “folders/<folder-id>”, e.g. “folders/1234” |
| # - “organizations/<organization-id>”, e.g. “organizations/1234” |
| # The `supports_under` field of the associated `Constraint` defines whether |
| # ancestry prefixes can be used. You can set `allowed_values` and |
| # `denied_values` in the same `Policy` if `all_values` is |
| # `ALL_VALUES_UNSPECIFIED`. `ALLOW` or `DENY` are used to allow or deny all |
| # values. If `all_values` is set to either `ALLOW` or `DENY`, |
| # `allowed_values` and `denied_values` must be unset. |
| "allValues": "A String", # The policy all_values state. |
| "allowedValues": [ # List of values allowed at this resource. Can only be set if `all_values` |
| # is set to `ALL_VALUES_UNSPECIFIED`. |
| "A String", |
| ], |
| "inheritFromParent": True or False, # Determines the inheritance behavior for this `Policy`. |
| # |
| # By default, a `ListPolicy` set at a resource supercedes any `Policy` set |
| # anywhere up the resource hierarchy. However, if `inherit_from_parent` is |
| # set to `true`, then the values from the effective `Policy` of the parent |
| # resource are inherited, meaning the values set in this `Policy` are |
| # added to the values inherited up the hierarchy. |
| # |
| # Setting `Policy` hierarchies that inherit both allowed values and denied |
| # values isn't recommended in most circumstances to keep the configuration |
| # simple and understandable. However, it is possible to set a `Policy` with |
| # `allowed_values` set that inherits a `Policy` with `denied_values` set. |
| # In this case, the values that are allowed must be in `allowed_values` and |
| # not present in `denied_values`. |
| # |
| # For example, suppose you have a `Constraint` |
| # `constraints/serviceuser.services`, which has a `constraint_type` of |
| # `list_constraint`, and with `constraint_default` set to `ALLOW`. |
| # Suppose that at the Organization level, a `Policy` is applied that |
| # restricts the allowed API activations to {`E1`, `E2`}. Then, if a |
| # `Policy` is applied to a project below the Organization that has |
| # `inherit_from_parent` set to `false` and field all_values set to DENY, |
| # then an attempt to activate any API will be denied. |
| # |
| # The following examples demonstrate different possible layerings for |
| # `projects/bar` parented by `organizations/foo`: |
| # |
| # Example 1 (no inherited values): |
| # `organizations/foo` has a `Policy` with values: |
| # {allowed_values: “E1” allowed_values:”E2”} |
| # `projects/bar` has `inherit_from_parent` `false` and values: |
| # {allowed_values: "E3" allowed_values: "E4"} |
| # The accepted values at `organizations/foo` are `E1`, `E2`. |
| # The accepted values at `projects/bar` are `E3`, and `E4`. |
| # |
| # Example 2 (inherited values): |
| # `organizations/foo` has a `Policy` with values: |
| # {allowed_values: “E1” allowed_values:”E2”} |
| # `projects/bar` has a `Policy` with values: |
| # {value: “E3” value: ”E4” inherit_from_parent: true} |
| # The accepted values at `organizations/foo` are `E1`, `E2`. |
| # The accepted values at `projects/bar` are `E1`, `E2`, `E3`, and `E4`. |
| # |
| # Example 3 (inheriting both allowed and denied values): |
| # `organizations/foo` has a `Policy` with values: |
| # {allowed_values: "E1" allowed_values: "E2"} |
| # `projects/bar` has a `Policy` with: |
| # {denied_values: "E1"} |
| # The accepted values at `organizations/foo` are `E1`, `E2`. |
| # The value accepted at `projects/bar` is `E2`. |
| # |
| # Example 4 (RestoreDefault): |
| # `organizations/foo` has a `Policy` with values: |
| # {allowed_values: “E1” allowed_values:”E2”} |
| # `projects/bar` has a `Policy` with values: |
| # {RestoreDefault: {}} |
| # The accepted values at `organizations/foo` are `E1`, `E2`. |
| # The accepted values at `projects/bar` are either all or none depending on |
| # the value of `constraint_default` (if `ALLOW`, all; if |
| # `DENY`, none). |
| # |
| # Example 5 (no policy inherits parent policy): |
| # `organizations/foo` has no `Policy` set. |
| # `projects/bar` has no `Policy` set. |
| # The accepted values at both levels are either all or none depending on |
| # the value of `constraint_default` (if `ALLOW`, all; if |
| # `DENY`, none). |
| # |
| # Example 6 (ListConstraint allowing all): |
| # `organizations/foo` has a `Policy` with values: |
| # {allowed_values: “E1” allowed_values: ”E2”} |
| # `projects/bar` has a `Policy` with: |
| # {all: ALLOW} |
| # The accepted values at `organizations/foo` are `E1`, E2`. |
| # Any value is accepted at `projects/bar`. |
| # |
| # Example 7 (ListConstraint allowing none): |
| # `organizations/foo` has a `Policy` with values: |
| # {allowed_values: “E1” allowed_values: ”E2”} |
| # `projects/bar` has a `Policy` with: |
| # {all: DENY} |
| # The accepted values at `organizations/foo` are `E1`, E2`. |
| # No value is accepted at `projects/bar`. |
| # |
| # Example 10 (allowed and denied subtrees of Resource Manager hierarchy): |
| # Given the following resource hierarchy |
| # O1->{F1, F2}; F1->{P1}; F2->{P2, P3}, |
| # `organizations/foo` has a `Policy` with values: |
| # {allowed_values: "under:organizations/O1"} |
| # `projects/bar` has a `Policy` with: |
| # {allowed_values: "under:projects/P3"} |
| # {denied_values: "under:folders/F2"} |
| # The accepted values at `organizations/foo` are `organizations/O1`, |
| # `folders/F1`, `folders/F2`, `projects/P1`, `projects/P2`, |
| # `projects/P3`. |
| # The accepted values at `projects/bar` are `organizations/O1`, |
| # `folders/F1`, `projects/P1`. |
| "suggestedValue": "A String", # Optional. The Google Cloud Console will try to default to a configuration |
| # that matches the value specified in this `Policy`. If `suggested_value` |
| # is not set, it will inherit the value specified higher in the hierarchy, |
| # unless `inherit_from_parent` is `false`. |
| "deniedValues": [ # List of values denied at this resource. Can only be set if `all_values` |
| # is set to `ALL_VALUES_UNSPECIFIED`. |
| "A String", |
| ], |
| }, |
| "booleanPolicy": { # Used in `policy_type` to specify how `boolean_policy` will behave at this # For boolean `Constraints`, whether to enforce the `Constraint` or not. |
| # resource. |
| "enforced": True or False, # If `true`, then the `Policy` is enforced. If `false`, then any |
| # configuration is acceptable. |
| # |
| # Suppose you have a `Constraint` |
| # `constraints/compute.disableSerialPortAccess` with `constraint_default` |
| # set to `ALLOW`. A `Policy` for that `Constraint` exhibits the following |
| # behavior: |
| # - If the `Policy` at this resource has enforced set to `false`, serial |
| # port connection attempts will be allowed. |
| # - If the `Policy` at this resource has enforced set to `true`, serial |
| # port connection attempts will be refused. |
| # - If the `Policy` at this resource is `RestoreDefault`, serial port |
| # connection attempts will be allowed. |
| # - If no `Policy` is set at this resource or anywhere higher in the |
| # resource hierarchy, serial port connection attempts will be allowed. |
| # - If no `Policy` is set at this resource, but one exists higher in the |
| # resource hierarchy, the behavior is as if the`Policy` were set at |
| # this resource. |
| # |
| # The following examples demonstrate the different possible layerings: |
| # |
| # Example 1 (nearest `Constraint` wins): |
| # `organizations/foo` has a `Policy` with: |
| # {enforced: false} |
| # `projects/bar` has no `Policy` set. |
| # The constraint at `projects/bar` and `organizations/foo` will not be |
| # enforced. |
| # |
| # Example 2 (enforcement gets replaced): |
| # `organizations/foo` has a `Policy` with: |
| # {enforced: false} |
| # `projects/bar` has a `Policy` with: |
| # {enforced: true} |
| # The constraint at `organizations/foo` is not enforced. |
| # The constraint at `projects/bar` is enforced. |
| # |
| # Example 3 (RestoreDefault): |
| # `organizations/foo` has a `Policy` with: |
| # {enforced: true} |
| # `projects/bar` has a `Policy` with: |
| # {RestoreDefault: {}} |
| # The constraint at `organizations/foo` is enforced. |
| # The constraint at `projects/bar` is not enforced, because |
| # `constraint_default` for the `Constraint` is `ALLOW`. |
| }, |
| "etag": "A String", # An opaque tag indicating the current version of the `Policy`, used for |
| # concurrency control. |
| # |
| # When the `Policy` is returned from either a `GetPolicy` or a |
| # `ListOrgPolicy` request, this `etag` indicates the version of the current |
| # `Policy` to use when executing a read-modify-write loop. |
| # |
| # When the `Policy` is returned from a `GetEffectivePolicy` request, the |
| # `etag` will be unset. |
| # |
| # When the `Policy` is used in a `SetOrgPolicy` method, use the `etag` value |
| # that was returned from a `GetOrgPolicy` request as part of a |
| # read-modify-write loop for concurrency control. Not setting the `etag`in a |
| # `SetOrgPolicy` request will result in an unconditional write of the |
| # `Policy`. |
| }</pre> |
| </div> |
| |
| <div class="method"> |
| <code class="details" id="listAvailableOrgPolicyConstraints">listAvailableOrgPolicyConstraints(resource, body, x__xgafv=None)</code> |
| <pre>Lists `Constraints` that could be applied on the specified resource. |
| |
| Args: |
| resource: string, Name of the resource to list `Constraints` for. (required) |
| body: object, The request body. (required) |
| The object takes the form of: |
| |
| { # The request sent to the [ListAvailableOrgPolicyConstraints] |
| # google.cloud.OrgPolicy.v1.ListAvailableOrgPolicyConstraints] method. |
| "pageToken": "A String", # Page token used to retrieve the next page. This is currently unsupported |
| # and will be ignored. The server may at any point start using this field. |
| "pageSize": 42, # Size of the pages to be returned. This is currently unsupported and will |
| # be ignored. The server may at any point start using this field to limit |
| # page size. |
| } |
| |
| x__xgafv: string, V1 error format. |
| Allowed values |
| 1 - v1 error format |
| 2 - v2 error format |
| |
| Returns: |
| An object of the form: |
| |
| { # The response returned from the ListAvailableOrgPolicyConstraints method. |
| # Returns all `Constraints` that could be set at this level of the hierarchy |
| # (contrast with the response from `ListPolicies`, which returns all policies |
| # which are set). |
| "nextPageToken": "A String", # Page token used to retrieve the next page. This is currently not used. |
| "constraints": [ # The collection of constraints that are settable on the request resource. |
| { # A `Constraint` describes a way in which a resource's configuration can be |
| # restricted. For example, it controls which cloud services can be activated |
| # across an organization, or whether a Compute Engine instance can have |
| # serial port connections established. `Constraints` can be configured by the |
| # organization's policy adminstrator to fit the needs of the organzation by |
| # setting Policies for `Constraints` at different locations in the |
| # organization's resource hierarchy. Policies are inherited down the resource |
| # hierarchy from higher levels, but can also be overridden. For details about |
| # the inheritance rules please read about |
| # Policies. |
| # |
| # `Constraints` have a default behavior determined by the `constraint_default` |
| # field, which is the enforcement behavior that is used in the absence of a |
| # `Policy` being defined or inherited for the resource in question. |
| "constraintDefault": "A String", # The evaluation behavior of this constraint in the absense of 'Policy'. |
| "displayName": "A String", # The human readable name. |
| # |
| # Mutable. |
| "name": "A String", # Immutable value, required to globally be unique. For example, |
| # `constraints/serviceuser.services` |
| "booleanConstraint": { # A `Constraint` that is either enforced or not. # Defines this constraint as being a BooleanConstraint. |
| # |
| # For example a constraint `constraints/compute.disableSerialPortAccess`. |
| # If it is enforced on a VM instance, serial port connections will not be |
| # opened to that instance. |
| }, |
| "version": 42, # Version of the `Constraint`. Default version is 0; |
| "listConstraint": { # A `Constraint` that allows or disallows a list of string values, which are # Defines this constraint as being a ListConstraint. |
| # configured by an Organization's policy administrator with a `Policy`. |
| "supportsUnder": True or False, # Indicates whether subtrees of Cloud Resource Manager resource hierarchy |
| # can be used in `Policy.allowed_values` and `Policy.denied_values`. For |
| # example, `"under:folders/123"` would match any resource under the |
| # 'folders/123' folder. |
| "suggestedValue": "A String", # Optional. The Google Cloud Console will try to default to a configuration |
| # that matches the value specified in this `Constraint`. |
| }, |
| "description": "A String", # Detailed description of what this `Constraint` controls as well as how and |
| # where it is enforced. |
| # |
| # Mutable. |
| }, |
| ], |
| }</pre> |
| </div> |
| |
| <div class="method"> |
| <code class="details" id="listAvailableOrgPolicyConstraints_next">listAvailableOrgPolicyConstraints_next(previous_request, previous_response)</code> |
| <pre>Retrieves the next page of results. |
| |
| Args: |
| previous_request: The request for the previous page. (required) |
| previous_response: The response from the request for the previous page. (required) |
| |
| Returns: |
| A request object that you can call 'execute()' on to request the next |
| page. Returns None if there are no more items in the collection. |
| </pre> |
| </div> |
| |
| <div class="method"> |
| <code class="details" id="listOrgPolicies">listOrgPolicies(resource, body, x__xgafv=None)</code> |
| <pre>Lists all the `Policies` set for a particular resource. |
| |
| Args: |
| resource: string, Name of the resource to list Policies for. (required) |
| body: object, The request body. (required) |
| The object takes the form of: |
| |
| { # The request sent to the ListOrgPolicies method. |
| "pageToken": "A String", # Page token used to retrieve the next page. This is currently unsupported |
| # and will be ignored. The server may at any point start using this field. |
| "pageSize": 42, # Size of the pages to be returned. This is currently unsupported and will |
| # be ignored. The server may at any point start using this field to limit |
| # page size. |
| } |
| |
| x__xgafv: string, V1 error format. |
| Allowed values |
| 1 - v1 error format |
| 2 - v2 error format |
| |
| Returns: |
| An object of the form: |
| |
| { # The response returned from the ListOrgPolicies method. It will be empty |
| # if no `Policies` are set on the resource. |
| "nextPageToken": "A String", # Page token used to retrieve the next page. This is currently not used, but |
| # the server may at any point start supplying a valid token. |
| "policies": [ # The `Policies` that are set on the resource. It will be empty if no |
| # `Policies` are set. |
| { # Defines a Cloud Organization `Policy` which is used to specify `Constraints` |
| # for configurations of Cloud Platform resources. |
| "updateTime": "A String", # The time stamp the `Policy` was previously updated. This is set by the |
| # server, not specified by the caller, and represents the last time a call to |
| # `SetOrgPolicy` was made for that `Policy`. Any value set by the client will |
| # be ignored. |
| "version": 42, # Version of the `Policy`. Default version is 0; |
| "constraint": "A String", # The name of the `Constraint` the `Policy` is configuring, for example, |
| # `constraints/serviceuser.services`. |
| # |
| # Immutable after creation. |
| "restoreDefault": { # Ignores policies set above this resource and restores the # Restores the default behavior of the constraint; independent of |
| # `Constraint` type. |
| # `constraint_default` enforcement behavior of the specific `Constraint` at |
| # this resource. |
| # |
| # Suppose that `constraint_default` is set to `ALLOW` for the |
| # `Constraint` `constraints/serviceuser.services`. Suppose that organization |
| # foo.com sets a `Policy` at their Organization resource node that restricts |
| # the allowed service activations to deny all service activations. They |
| # could then set a `Policy` with the `policy_type` `restore_default` on |
| # several experimental projects, restoring the `constraint_default` |
| # enforcement of the `Constraint` for only those projects, allowing those |
| # projects to have all services activated. |
| }, |
| "listPolicy": { # Used in `policy_type` to specify how `list_policy` behaves at this # List of values either allowed or disallowed. |
| # resource. |
| # |
| # `ListPolicy` can define specific values and subtrees of Cloud Resource |
| # Manager resource hierarchy (`Organizations`, `Folders`, `Projects`) that |
| # are allowed or denied by setting the `allowed_values` and `denied_values` |
| # fields. This is achieved by using the `under:` and optional `is:` prefixes. |
| # The `under:` prefix is used to denote resource subtree values. |
| # The `is:` prefix is used to denote specific values, and is required only |
| # if the value contains a ":". Values prefixed with "is:" are treated the |
| # same as values with no prefix. |
| # Ancestry subtrees must be in one of the following formats: |
| # - “projects/<project-id>”, e.g. “projects/tokyo-rain-123” |
| # - “folders/<folder-id>”, e.g. “folders/1234” |
| # - “organizations/<organization-id>”, e.g. “organizations/1234” |
| # The `supports_under` field of the associated `Constraint` defines whether |
| # ancestry prefixes can be used. You can set `allowed_values` and |
| # `denied_values` in the same `Policy` if `all_values` is |
| # `ALL_VALUES_UNSPECIFIED`. `ALLOW` or `DENY` are used to allow or deny all |
| # values. If `all_values` is set to either `ALLOW` or `DENY`, |
| # `allowed_values` and `denied_values` must be unset. |
| "allValues": "A String", # The policy all_values state. |
| "allowedValues": [ # List of values allowed at this resource. Can only be set if `all_values` |
| # is set to `ALL_VALUES_UNSPECIFIED`. |
| "A String", |
| ], |
| "inheritFromParent": True or False, # Determines the inheritance behavior for this `Policy`. |
| # |
| # By default, a `ListPolicy` set at a resource supercedes any `Policy` set |
| # anywhere up the resource hierarchy. However, if `inherit_from_parent` is |
| # set to `true`, then the values from the effective `Policy` of the parent |
| # resource are inherited, meaning the values set in this `Policy` are |
| # added to the values inherited up the hierarchy. |
| # |
| # Setting `Policy` hierarchies that inherit both allowed values and denied |
| # values isn't recommended in most circumstances to keep the configuration |
| # simple and understandable. However, it is possible to set a `Policy` with |
| # `allowed_values` set that inherits a `Policy` with `denied_values` set. |
| # In this case, the values that are allowed must be in `allowed_values` and |
| # not present in `denied_values`. |
| # |
| # For example, suppose you have a `Constraint` |
| # `constraints/serviceuser.services`, which has a `constraint_type` of |
| # `list_constraint`, and with `constraint_default` set to `ALLOW`. |
| # Suppose that at the Organization level, a `Policy` is applied that |
| # restricts the allowed API activations to {`E1`, `E2`}. Then, if a |
| # `Policy` is applied to a project below the Organization that has |
| # `inherit_from_parent` set to `false` and field all_values set to DENY, |
| # then an attempt to activate any API will be denied. |
| # |
| # The following examples demonstrate different possible layerings for |
| # `projects/bar` parented by `organizations/foo`: |
| # |
| # Example 1 (no inherited values): |
| # `organizations/foo` has a `Policy` with values: |
| # {allowed_values: “E1” allowed_values:”E2”} |
| # `projects/bar` has `inherit_from_parent` `false` and values: |
| # {allowed_values: "E3" allowed_values: "E4"} |
| # The accepted values at `organizations/foo` are `E1`, `E2`. |
| # The accepted values at `projects/bar` are `E3`, and `E4`. |
| # |
| # Example 2 (inherited values): |
| # `organizations/foo` has a `Policy` with values: |
| # {allowed_values: “E1” allowed_values:”E2”} |
| # `projects/bar` has a `Policy` with values: |
| # {value: “E3” value: ”E4” inherit_from_parent: true} |
| # The accepted values at `organizations/foo` are `E1`, `E2`. |
| # The accepted values at `projects/bar` are `E1`, `E2`, `E3`, and `E4`. |
| # |
| # Example 3 (inheriting both allowed and denied values): |
| # `organizations/foo` has a `Policy` with values: |
| # {allowed_values: "E1" allowed_values: "E2"} |
| # `projects/bar` has a `Policy` with: |
| # {denied_values: "E1"} |
| # The accepted values at `organizations/foo` are `E1`, `E2`. |
| # The value accepted at `projects/bar` is `E2`. |
| # |
| # Example 4 (RestoreDefault): |
| # `organizations/foo` has a `Policy` with values: |
| # {allowed_values: “E1” allowed_values:”E2”} |
| # `projects/bar` has a `Policy` with values: |
| # {RestoreDefault: {}} |
| # The accepted values at `organizations/foo` are `E1`, `E2`. |
| # The accepted values at `projects/bar` are either all or none depending on |
| # the value of `constraint_default` (if `ALLOW`, all; if |
| # `DENY`, none). |
| # |
| # Example 5 (no policy inherits parent policy): |
| # `organizations/foo` has no `Policy` set. |
| # `projects/bar` has no `Policy` set. |
| # The accepted values at both levels are either all or none depending on |
| # the value of `constraint_default` (if `ALLOW`, all; if |
| # `DENY`, none). |
| # |
| # Example 6 (ListConstraint allowing all): |
| # `organizations/foo` has a `Policy` with values: |
| # {allowed_values: “E1” allowed_values: ”E2”} |
| # `projects/bar` has a `Policy` with: |
| # {all: ALLOW} |
| # The accepted values at `organizations/foo` are `E1`, E2`. |
| # Any value is accepted at `projects/bar`. |
| # |
| # Example 7 (ListConstraint allowing none): |
| # `organizations/foo` has a `Policy` with values: |
| # {allowed_values: “E1” allowed_values: ”E2”} |
| # `projects/bar` has a `Policy` with: |
| # {all: DENY} |
| # The accepted values at `organizations/foo` are `E1`, E2`. |
| # No value is accepted at `projects/bar`. |
| # |
| # Example 10 (allowed and denied subtrees of Resource Manager hierarchy): |
| # Given the following resource hierarchy |
| # O1->{F1, F2}; F1->{P1}; F2->{P2, P3}, |
| # `organizations/foo` has a `Policy` with values: |
| # {allowed_values: "under:organizations/O1"} |
| # `projects/bar` has a `Policy` with: |
| # {allowed_values: "under:projects/P3"} |
| # {denied_values: "under:folders/F2"} |
| # The accepted values at `organizations/foo` are `organizations/O1`, |
| # `folders/F1`, `folders/F2`, `projects/P1`, `projects/P2`, |
| # `projects/P3`. |
| # The accepted values at `projects/bar` are `organizations/O1`, |
| # `folders/F1`, `projects/P1`. |
| "suggestedValue": "A String", # Optional. The Google Cloud Console will try to default to a configuration |
| # that matches the value specified in this `Policy`. If `suggested_value` |
| # is not set, it will inherit the value specified higher in the hierarchy, |
| # unless `inherit_from_parent` is `false`. |
| "deniedValues": [ # List of values denied at this resource. Can only be set if `all_values` |
| # is set to `ALL_VALUES_UNSPECIFIED`. |
| "A String", |
| ], |
| }, |
| "booleanPolicy": { # Used in `policy_type` to specify how `boolean_policy` will behave at this # For boolean `Constraints`, whether to enforce the `Constraint` or not. |
| # resource. |
| "enforced": True or False, # If `true`, then the `Policy` is enforced. If `false`, then any |
| # configuration is acceptable. |
| # |
| # Suppose you have a `Constraint` |
| # `constraints/compute.disableSerialPortAccess` with `constraint_default` |
| # set to `ALLOW`. A `Policy` for that `Constraint` exhibits the following |
| # behavior: |
| # - If the `Policy` at this resource has enforced set to `false`, serial |
| # port connection attempts will be allowed. |
| # - If the `Policy` at this resource has enforced set to `true`, serial |
| # port connection attempts will be refused. |
| # - If the `Policy` at this resource is `RestoreDefault`, serial port |
| # connection attempts will be allowed. |
| # - If no `Policy` is set at this resource or anywhere higher in the |
| # resource hierarchy, serial port connection attempts will be allowed. |
| # - If no `Policy` is set at this resource, but one exists higher in the |
| # resource hierarchy, the behavior is as if the`Policy` were set at |
| # this resource. |
| # |
| # The following examples demonstrate the different possible layerings: |
| # |
| # Example 1 (nearest `Constraint` wins): |
| # `organizations/foo` has a `Policy` with: |
| # {enforced: false} |
| # `projects/bar` has no `Policy` set. |
| # The constraint at `projects/bar` and `organizations/foo` will not be |
| # enforced. |
| # |
| # Example 2 (enforcement gets replaced): |
| # `organizations/foo` has a `Policy` with: |
| # {enforced: false} |
| # `projects/bar` has a `Policy` with: |
| # {enforced: true} |
| # The constraint at `organizations/foo` is not enforced. |
| # The constraint at `projects/bar` is enforced. |
| # |
| # Example 3 (RestoreDefault): |
| # `organizations/foo` has a `Policy` with: |
| # {enforced: true} |
| # `projects/bar` has a `Policy` with: |
| # {RestoreDefault: {}} |
| # The constraint at `organizations/foo` is enforced. |
| # The constraint at `projects/bar` is not enforced, because |
| # `constraint_default` for the `Constraint` is `ALLOW`. |
| }, |
| "etag": "A String", # An opaque tag indicating the current version of the `Policy`, used for |
| # concurrency control. |
| # |
| # When the `Policy` is returned from either a `GetPolicy` or a |
| # `ListOrgPolicy` request, this `etag` indicates the version of the current |
| # `Policy` to use when executing a read-modify-write loop. |
| # |
| # When the `Policy` is returned from a `GetEffectivePolicy` request, the |
| # `etag` will be unset. |
| # |
| # When the `Policy` is used in a `SetOrgPolicy` method, use the `etag` value |
| # that was returned from a `GetOrgPolicy` request as part of a |
| # read-modify-write loop for concurrency control. Not setting the `etag`in a |
| # `SetOrgPolicy` request will result in an unconditional write of the |
| # `Policy`. |
| }, |
| ], |
| }</pre> |
| </div> |
| |
| <div class="method"> |
| <code class="details" id="listOrgPolicies_next">listOrgPolicies_next(previous_request, previous_response)</code> |
| <pre>Retrieves the next page of results. |
| |
| Args: |
| previous_request: The request for the previous page. (required) |
| previous_response: The response from the request for the previous page. (required) |
| |
| Returns: |
| A request object that you can call 'execute()' on to request the next |
| page. Returns None if there are no more items in the collection. |
| </pre> |
| </div> |
| |
| <div class="method"> |
| <code class="details" id="search">search(body, x__xgafv=None)</code> |
| <pre>Searches Organization resources that are visible to the user and satisfy |
| the specified filter. This method returns Organizations in an unspecified |
| order. New Organizations do not necessarily appear at the end of the |
| results. |
| |
| Search will only return organizations on which the user has the permission |
| `resourcemanager.organizations.get` |
| |
| Args: |
| body: object, The request body. (required) |
| The object takes the form of: |
| |
| { # The request sent to the `SearchOrganizations` method. |
| "filter": "A String", # An optional query string used to filter the Organizations to return in |
| # the response. Filter rules are case-insensitive. |
| # |
| # |
| # Organizations may be filtered by `owner.directoryCustomerId` or by |
| # `domain`, where the domain is a G Suite domain, for example: |
| # |
| # clang-format off |
| # | Filter | Description | |
| # |-------------------------------------|----------------------------------| |
| # | owner.directorycustomerid:123456789 | Organizations with `owner.directory_customer_id` equal to `123456789`.| |
| # | domain:google.com | Organizations corresponding to the domain `google.com`.| |
| # clang-format on |
| # |
| # This field is optional. |
| "pageToken": "A String", # A pagination token returned from a previous call to `SearchOrganizations` |
| # that indicates from where listing should continue. |
| # This field is optional. |
| "pageSize": 42, # The maximum number of Organizations to return in the response. |
| # This field is optional. |
| } |
| |
| x__xgafv: string, V1 error format. |
| Allowed values |
| 1 - v1 error format |
| 2 - v2 error format |
| |
| Returns: |
| An object of the form: |
| |
| { # The response returned from the `SearchOrganizations` method. |
| "nextPageToken": "A String", # A pagination token to be used to retrieve the next page of results. If the |
| # result is too large to fit within the page size specified in the request, |
| # this field will be set with a token that can be used to fetch the next page |
| # of results. If this field is empty, it indicates that this response |
| # contains the last page of results. |
| "organizations": [ # The list of Organizations that matched the search query, possibly |
| # paginated. |
| { # The root node in the resource hierarchy to which a particular entity's |
| # (e.g., company) resources belong. |
| "owner": { # The entity that owns an Organization. The lifetime of the Organization and # The owner of this Organization. The owner should be specified on |
| # creation. Once set, it cannot be changed. |
| # This field is required. |
| # all of its descendants are bound to the `OrganizationOwner`. If the |
| # `OrganizationOwner` is deleted, the Organization and all its descendants will |
| # be deleted. |
| "directoryCustomerId": "A String", # The G Suite customer id used in the Directory API. |
| }, |
| "displayName": "A String", # A human-readable string that refers to the Organization in the |
| # GCP Console UI. This string is set by the server and cannot be |
| # changed. The string will be set to the primary domain (for example, |
| # "google.com") of the G Suite customer that owns the organization. |
| # @OutputOnly |
| "creationTime": "A String", # Timestamp when the Organization was created. Assigned by the server. |
| # @OutputOnly |
| "lifecycleState": "A String", # The organization's current lifecycle state. Assigned by the server. |
| # @OutputOnly |
| "name": "A String", # Output Only. The resource name of the organization. This is the |
| # organization's relative path in the API. Its format is |
| # "organizations/[organization_id]". For example, "organizations/1234". |
| }, |
| ], |
| }</pre> |
| </div> |
| |
| <div class="method"> |
| <code class="details" id="search_next">search_next(previous_request, previous_response)</code> |
| <pre>Retrieves the next page of results. |
| |
| Args: |
| previous_request: The request for the previous page. (required) |
| previous_response: The response from the request for the previous page. (required) |
| |
| Returns: |
| A request object that you can call 'execute()' on to request the next |
| page. Returns None if there are no more items in the collection. |
| </pre> |
| </div> |
| |
| <div class="method"> |
| <code class="details" id="setIamPolicy">setIamPolicy(resource, body, x__xgafv=None)</code> |
| <pre>Sets the access control policy on an Organization resource. Replaces any |
| existing policy. The `resource` field should be the organization's resource |
| name, e.g. "organizations/123". |
| |
| Authorization requires the Google IAM permission |
| `resourcemanager.organizations.setIamPolicy` on the specified organization |
| |
| Args: |
| resource: string, REQUIRED: The resource for which the policy is being specified. |
| See the operation documentation for the appropriate value for this field. (required) |
| body: object, The request body. (required) |
| The object takes the form of: |
| |
| { # Request message for `SetIamPolicy` method. |
| "policy": { # Defines an Identity and Access Management (IAM) policy. It is used to # REQUIRED: The complete policy to be applied to the `resource`. The size of |
| # the policy is limited to a few 10s of KB. An empty policy is a |
| # valid policy but certain Cloud Platform services (such as Projects) |
| # might reject them. |
| # specify access control policies for Cloud Platform resources. |
| # |
| # |
| # A `Policy` consists of a list of `bindings`. A `binding` binds a list of |
| # `members` to a `role`, where the members can be user accounts, Google groups, |
| # Google domains, and service accounts. A `role` is a named list of permissions |
| # defined by IAM. |
| # |
| # **JSON Example** |
| # |
| # { |
| # "bindings": [ |
| # { |
| # "role": "roles/owner", |
| # "members": [ |
| # "user:[email protected]", |
| # "group:[email protected]", |
| # "domain:google.com", |
| # "serviceAccount:[email protected]" |
| # ] |
| # }, |
| # { |
| # "role": "roles/viewer", |
| # "members": ["user:[email protected]"] |
| # } |
| # ] |
| # } |
| # |
| # **YAML Example** |
| # |
| # bindings: |
| # - members: |
| # - user:[email protected] |
| # - group:[email protected] |
| # - domain:google.com |
| # - serviceAccount:[email protected] |
| # role: roles/owner |
| # - members: |
| # - user:[email protected] |
| # role: roles/viewer |
| # |
| # |
| # For a description of IAM and its features, see the |
| # [IAM developer's guide](https://cloud.google.com/iam/docs). |
| "bindings": [ # Associates a list of `members` to a `role`. |
| # `bindings` with no members will result in an error. |
| { # Associates `members` with a `role`. |
| "role": "A String", # Role that is assigned to `members`. |
| # For example, `roles/viewer`, `roles/editor`, or `roles/owner`. |
| "condition": { # Represents an expression text. Example: # The condition that is associated with this binding. |
| # NOTE: An unsatisfied condition will not allow user access via current |
| # binding. Different bindings, including their conditions, are examined |
| # independently. |
| # |
| # title: "User account presence" |
| # description: "Determines whether the request has a user account" |
| # expression: "size(request.user) > 0" |
| "location": "A String", # An optional string indicating the location of the expression for error |
| # reporting, e.g. a file name and a position in the file. |
| "expression": "A String", # Textual representation of an expression in |
| # Common Expression Language syntax. |
| # |
| # The application context of the containing message determines which |
| # well-known feature set of CEL is supported. |
| "description": "A String", # An optional description of the expression. This is a longer text which |
| # describes the expression, e.g. when hovered over it in a UI. |
| "title": "A String", # An optional title for the expression, i.e. a short string describing |
| # its purpose. This can be used e.g. in UIs which allow to enter the |
| # expression. |
| }, |
| "members": [ # Specifies the identities requesting access for a Cloud Platform resource. |
| # `members` can have the following values: |
| # |
| # * `allUsers`: A special identifier that represents anyone who is |
| # on the internet; with or without a Google account. |
| # |
| # * `allAuthenticatedUsers`: A special identifier that represents anyone |
| # who is authenticated with a Google account or a service account. |
| # |
| # * `user:{emailid}`: An email address that represents a specific Google |
| # account. For example, `[email protected]` . |
| # |
| # |
| # * `serviceAccount:{emailid}`: An email address that represents a service |
| # account. For example, `[email protected]`. |
| # |
| # * `group:{emailid}`: An email address that represents a Google group. |
| # For example, `[email protected]`. |
| # |
| # |
| # * `domain:{domain}`: The G Suite domain (primary) that represents all the |
| # users of that domain. For example, `google.com` or `example.com`. |
| # |
| "A String", |
| ], |
| }, |
| ], |
| "etag": "A String", # `etag` is used for optimistic concurrency control as a way to help |
| # prevent simultaneous updates of a policy from overwriting each other. |
| # It is strongly suggested that systems make use of the `etag` in the |
| # read-modify-write cycle to perform policy updates in order to avoid race |
| # conditions: An `etag` is returned in the response to `getIamPolicy`, and |
| # systems are expected to put that etag in the request to `setIamPolicy` to |
| # ensure that their change will be applied to the same version of the policy. |
| # |
| # If no `etag` is provided in the call to `setIamPolicy`, then the existing |
| # policy is overwritten blindly. |
| "version": 42, # Deprecated. |
| "auditConfigs": [ # Specifies cloud audit logging configuration for this policy. |
| { # Specifies the audit configuration for a service. |
| # The configuration determines which permission types are logged, and what |
| # identities, if any, are exempted from logging. |
| # An AuditConfig must have one or more AuditLogConfigs. |
| # |
| # If there are AuditConfigs for both `allServices` and a specific service, |
| # the union of the two AuditConfigs is used for that service: the log_types |
| # specified in each AuditConfig are enabled, and the exempted_members in each |
| # AuditLogConfig are exempted. |
| # |
| # Example Policy with multiple AuditConfigs: |
| # |
| # { |
| # "audit_configs": [ |
| # { |
| # "service": "allServices" |
| # "audit_log_configs": [ |
| # { |
| # "log_type": "DATA_READ", |
| # "exempted_members": [ |
| # "user:[email protected]" |
| # ] |
| # }, |
| # { |
| # "log_type": "DATA_WRITE", |
| # }, |
| # { |
| # "log_type": "ADMIN_READ", |
| # } |
| # ] |
| # }, |
| # { |
| # "service": "fooservice.googleapis.com" |
| # "audit_log_configs": [ |
| # { |
| # "log_type": "DATA_READ", |
| # }, |
| # { |
| # "log_type": "DATA_WRITE", |
| # "exempted_members": [ |
| # "user:[email protected]" |
| # ] |
| # } |
| # ] |
| # } |
| # ] |
| # } |
| # |
| # For fooservice, this policy enables DATA_READ, DATA_WRITE and ADMIN_READ |
| # logging. It also exempts [email protected] from DATA_READ logging, and |
| # [email protected] from DATA_WRITE logging. |
| "auditLogConfigs": [ # The configuration for logging of each type of permission. |
| { # Provides the configuration for logging a type of permissions. |
| # Example: |
| # |
| # { |
| # "audit_log_configs": [ |
| # { |
| # "log_type": "DATA_READ", |
| # "exempted_members": [ |
| # "user:[email protected]" |
| # ] |
| # }, |
| # { |
| # "log_type": "DATA_WRITE", |
| # } |
| # ] |
| # } |
| # |
| # This enables 'DATA_READ' and 'DATA_WRITE' logging, while exempting |
| # [email protected] from DATA_READ logging. |
| "exemptedMembers": [ # Specifies the identities that do not cause logging for this type of |
| # permission. |
| # Follows the same format of Binding.members. |
| "A String", |
| ], |
| "logType": "A String", # The log type that this config enables. |
| }, |
| ], |
| "service": "A String", # Specifies a service that will be enabled for audit logging. |
| # For example, `storage.googleapis.com`, `cloudsql.googleapis.com`. |
| # `allServices` is a special value that covers all services. |
| }, |
| ], |
| }, |
| "updateMask": "A String", # OPTIONAL: A FieldMask specifying which fields of the policy to modify. Only |
| # the fields in the mask will be modified. If no mask is provided, the |
| # following default mask is used: |
| # paths: "bindings, etag" |
| # This field is only used by Cloud IAM. |
| } |
| |
| x__xgafv: string, V1 error format. |
| Allowed values |
| 1 - v1 error format |
| 2 - v2 error format |
| |
| Returns: |
| An object of the form: |
| |
| { # Defines an Identity and Access Management (IAM) policy. It is used to |
| # specify access control policies for Cloud Platform resources. |
| # |
| # |
| # A `Policy` consists of a list of `bindings`. A `binding` binds a list of |
| # `members` to a `role`, where the members can be user accounts, Google groups, |
| # Google domains, and service accounts. A `role` is a named list of permissions |
| # defined by IAM. |
| # |
| # **JSON Example** |
| # |
| # { |
| # "bindings": [ |
| # { |
| # "role": "roles/owner", |
| # "members": [ |
| # "user:[email protected]", |
| # "group:[email protected]", |
| # "domain:google.com", |
| # "serviceAccount:[email protected]" |
| # ] |
| # }, |
| # { |
| # "role": "roles/viewer", |
| # "members": ["user:[email protected]"] |
| # } |
| # ] |
| # } |
| # |
| # **YAML Example** |
| # |
| # bindings: |
| # - members: |
| # - user:[email protected] |
| # - group:[email protected] |
| # - domain:google.com |
| # - serviceAccount:[email protected] |
| # role: roles/owner |
| # - members: |
| # - user:[email protected] |
| # role: roles/viewer |
| # |
| # |
| # For a description of IAM and its features, see the |
| # [IAM developer's guide](https://cloud.google.com/iam/docs). |
| "bindings": [ # Associates a list of `members` to a `role`. |
| # `bindings` with no members will result in an error. |
| { # Associates `members` with a `role`. |
| "role": "A String", # Role that is assigned to `members`. |
| # For example, `roles/viewer`, `roles/editor`, or `roles/owner`. |
| "condition": { # Represents an expression text. Example: # The condition that is associated with this binding. |
| # NOTE: An unsatisfied condition will not allow user access via current |
| # binding. Different bindings, including their conditions, are examined |
| # independently. |
| # |
| # title: "User account presence" |
| # description: "Determines whether the request has a user account" |
| # expression: "size(request.user) > 0" |
| "location": "A String", # An optional string indicating the location of the expression for error |
| # reporting, e.g. a file name and a position in the file. |
| "expression": "A String", # Textual representation of an expression in |
| # Common Expression Language syntax. |
| # |
| # The application context of the containing message determines which |
| # well-known feature set of CEL is supported. |
| "description": "A String", # An optional description of the expression. This is a longer text which |
| # describes the expression, e.g. when hovered over it in a UI. |
| "title": "A String", # An optional title for the expression, i.e. a short string describing |
| # its purpose. This can be used e.g. in UIs which allow to enter the |
| # expression. |
| }, |
| "members": [ # Specifies the identities requesting access for a Cloud Platform resource. |
| # `members` can have the following values: |
| # |
| # * `allUsers`: A special identifier that represents anyone who is |
| # on the internet; with or without a Google account. |
| # |
| # * `allAuthenticatedUsers`: A special identifier that represents anyone |
| # who is authenticated with a Google account or a service account. |
| # |
| # * `user:{emailid}`: An email address that represents a specific Google |
| # account. For example, `[email protected]` . |
| # |
| # |
| # * `serviceAccount:{emailid}`: An email address that represents a service |
| # account. For example, `[email protected]`. |
| # |
| # * `group:{emailid}`: An email address that represents a Google group. |
| # For example, `[email protected]`. |
| # |
| # |
| # * `domain:{domain}`: The G Suite domain (primary) that represents all the |
| # users of that domain. For example, `google.com` or `example.com`. |
| # |
| "A String", |
| ], |
| }, |
| ], |
| "etag": "A String", # `etag` is used for optimistic concurrency control as a way to help |
| # prevent simultaneous updates of a policy from overwriting each other. |
| # It is strongly suggested that systems make use of the `etag` in the |
| # read-modify-write cycle to perform policy updates in order to avoid race |
| # conditions: An `etag` is returned in the response to `getIamPolicy`, and |
| # systems are expected to put that etag in the request to `setIamPolicy` to |
| # ensure that their change will be applied to the same version of the policy. |
| # |
| # If no `etag` is provided in the call to `setIamPolicy`, then the existing |
| # policy is overwritten blindly. |
| "version": 42, # Deprecated. |
| "auditConfigs": [ # Specifies cloud audit logging configuration for this policy. |
| { # Specifies the audit configuration for a service. |
| # The configuration determines which permission types are logged, and what |
| # identities, if any, are exempted from logging. |
| # An AuditConfig must have one or more AuditLogConfigs. |
| # |
| # If there are AuditConfigs for both `allServices` and a specific service, |
| # the union of the two AuditConfigs is used for that service: the log_types |
| # specified in each AuditConfig are enabled, and the exempted_members in each |
| # AuditLogConfig are exempted. |
| # |
| # Example Policy with multiple AuditConfigs: |
| # |
| # { |
| # "audit_configs": [ |
| # { |
| # "service": "allServices" |
| # "audit_log_configs": [ |
| # { |
| # "log_type": "DATA_READ", |
| # "exempted_members": [ |
| # "user:[email protected]" |
| # ] |
| # }, |
| # { |
| # "log_type": "DATA_WRITE", |
| # }, |
| # { |
| # "log_type": "ADMIN_READ", |
| # } |
| # ] |
| # }, |
| # { |
| # "service": "fooservice.googleapis.com" |
| # "audit_log_configs": [ |
| # { |
| # "log_type": "DATA_READ", |
| # }, |
| # { |
| # "log_type": "DATA_WRITE", |
| # "exempted_members": [ |
| # "user:[email protected]" |
| # ] |
| # } |
| # ] |
| # } |
| # ] |
| # } |
| # |
| # For fooservice, this policy enables DATA_READ, DATA_WRITE and ADMIN_READ |
| # logging. It also exempts [email protected] from DATA_READ logging, and |
| # [email protected] from DATA_WRITE logging. |
| "auditLogConfigs": [ # The configuration for logging of each type of permission. |
| { # Provides the configuration for logging a type of permissions. |
| # Example: |
| # |
| # { |
| # "audit_log_configs": [ |
| # { |
| # "log_type": "DATA_READ", |
| # "exempted_members": [ |
| # "user:[email protected]" |
| # ] |
| # }, |
| # { |
| # "log_type": "DATA_WRITE", |
| # } |
| # ] |
| # } |
| # |
| # This enables 'DATA_READ' and 'DATA_WRITE' logging, while exempting |
| # [email protected] from DATA_READ logging. |
| "exemptedMembers": [ # Specifies the identities that do not cause logging for this type of |
| # permission. |
| # Follows the same format of Binding.members. |
| "A String", |
| ], |
| "logType": "A String", # The log type that this config enables. |
| }, |
| ], |
| "service": "A String", # Specifies a service that will be enabled for audit logging. |
| # For example, `storage.googleapis.com`, `cloudsql.googleapis.com`. |
| # `allServices` is a special value that covers all services. |
| }, |
| ], |
| }</pre> |
| </div> |
| |
| <div class="method"> |
| <code class="details" id="setOrgPolicy">setOrgPolicy(resource, body, x__xgafv=None)</code> |
| <pre>Updates the specified `Policy` on the resource. Creates a new `Policy` for |
| that `Constraint` on the resource if one does not exist. |
| |
| Not supplying an `etag` on the request `Policy` results in an unconditional |
| write of the `Policy`. |
| |
| Args: |
| resource: string, Resource name of the resource to attach the `Policy`. (required) |
| body: object, The request body. (required) |
| The object takes the form of: |
| |
| { # The request sent to the SetOrgPolicyRequest method. |
| "policy": { # Defines a Cloud Organization `Policy` which is used to specify `Constraints` # `Policy` to set on the resource. |
| # for configurations of Cloud Platform resources. |
| "updateTime": "A String", # The time stamp the `Policy` was previously updated. This is set by the |
| # server, not specified by the caller, and represents the last time a call to |
| # `SetOrgPolicy` was made for that `Policy`. Any value set by the client will |
| # be ignored. |
| "version": 42, # Version of the `Policy`. Default version is 0; |
| "constraint": "A String", # The name of the `Constraint` the `Policy` is configuring, for example, |
| # `constraints/serviceuser.services`. |
| # |
| # Immutable after creation. |
| "restoreDefault": { # Ignores policies set above this resource and restores the # Restores the default behavior of the constraint; independent of |
| # `Constraint` type. |
| # `constraint_default` enforcement behavior of the specific `Constraint` at |
| # this resource. |
| # |
| # Suppose that `constraint_default` is set to `ALLOW` for the |
| # `Constraint` `constraints/serviceuser.services`. Suppose that organization |
| # foo.com sets a `Policy` at their Organization resource node that restricts |
| # the allowed service activations to deny all service activations. They |
| # could then set a `Policy` with the `policy_type` `restore_default` on |
| # several experimental projects, restoring the `constraint_default` |
| # enforcement of the `Constraint` for only those projects, allowing those |
| # projects to have all services activated. |
| }, |
| "listPolicy": { # Used in `policy_type` to specify how `list_policy` behaves at this # List of values either allowed or disallowed. |
| # resource. |
| # |
| # `ListPolicy` can define specific values and subtrees of Cloud Resource |
| # Manager resource hierarchy (`Organizations`, `Folders`, `Projects`) that |
| # are allowed or denied by setting the `allowed_values` and `denied_values` |
| # fields. This is achieved by using the `under:` and optional `is:` prefixes. |
| # The `under:` prefix is used to denote resource subtree values. |
| # The `is:` prefix is used to denote specific values, and is required only |
| # if the value contains a ":". Values prefixed with "is:" are treated the |
| # same as values with no prefix. |
| # Ancestry subtrees must be in one of the following formats: |
| # - “projects/<project-id>”, e.g. “projects/tokyo-rain-123” |
| # - “folders/<folder-id>”, e.g. “folders/1234” |
| # - “organizations/<organization-id>”, e.g. “organizations/1234” |
| # The `supports_under` field of the associated `Constraint` defines whether |
| # ancestry prefixes can be used. You can set `allowed_values` and |
| # `denied_values` in the same `Policy` if `all_values` is |
| # `ALL_VALUES_UNSPECIFIED`. `ALLOW` or `DENY` are used to allow or deny all |
| # values. If `all_values` is set to either `ALLOW` or `DENY`, |
| # `allowed_values` and `denied_values` must be unset. |
| "allValues": "A String", # The policy all_values state. |
| "allowedValues": [ # List of values allowed at this resource. Can only be set if `all_values` |
| # is set to `ALL_VALUES_UNSPECIFIED`. |
| "A String", |
| ], |
| "inheritFromParent": True or False, # Determines the inheritance behavior for this `Policy`. |
| # |
| # By default, a `ListPolicy` set at a resource supercedes any `Policy` set |
| # anywhere up the resource hierarchy. However, if `inherit_from_parent` is |
| # set to `true`, then the values from the effective `Policy` of the parent |
| # resource are inherited, meaning the values set in this `Policy` are |
| # added to the values inherited up the hierarchy. |
| # |
| # Setting `Policy` hierarchies that inherit both allowed values and denied |
| # values isn't recommended in most circumstances to keep the configuration |
| # simple and understandable. However, it is possible to set a `Policy` with |
| # `allowed_values` set that inherits a `Policy` with `denied_values` set. |
| # In this case, the values that are allowed must be in `allowed_values` and |
| # not present in `denied_values`. |
| # |
| # For example, suppose you have a `Constraint` |
| # `constraints/serviceuser.services`, which has a `constraint_type` of |
| # `list_constraint`, and with `constraint_default` set to `ALLOW`. |
| # Suppose that at the Organization level, a `Policy` is applied that |
| # restricts the allowed API activations to {`E1`, `E2`}. Then, if a |
| # `Policy` is applied to a project below the Organization that has |
| # `inherit_from_parent` set to `false` and field all_values set to DENY, |
| # then an attempt to activate any API will be denied. |
| # |
| # The following examples demonstrate different possible layerings for |
| # `projects/bar` parented by `organizations/foo`: |
| # |
| # Example 1 (no inherited values): |
| # `organizations/foo` has a `Policy` with values: |
| # {allowed_values: “E1” allowed_values:”E2”} |
| # `projects/bar` has `inherit_from_parent` `false` and values: |
| # {allowed_values: "E3" allowed_values: "E4"} |
| # The accepted values at `organizations/foo` are `E1`, `E2`. |
| # The accepted values at `projects/bar` are `E3`, and `E4`. |
| # |
| # Example 2 (inherited values): |
| # `organizations/foo` has a `Policy` with values: |
| # {allowed_values: “E1” allowed_values:”E2”} |
| # `projects/bar` has a `Policy` with values: |
| # {value: “E3” value: ”E4” inherit_from_parent: true} |
| # The accepted values at `organizations/foo` are `E1`, `E2`. |
| # The accepted values at `projects/bar` are `E1`, `E2`, `E3`, and `E4`. |
| # |
| # Example 3 (inheriting both allowed and denied values): |
| # `organizations/foo` has a `Policy` with values: |
| # {allowed_values: "E1" allowed_values: "E2"} |
| # `projects/bar` has a `Policy` with: |
| # {denied_values: "E1"} |
| # The accepted values at `organizations/foo` are `E1`, `E2`. |
| # The value accepted at `projects/bar` is `E2`. |
| # |
| # Example 4 (RestoreDefault): |
| # `organizations/foo` has a `Policy` with values: |
| # {allowed_values: “E1” allowed_values:”E2”} |
| # `projects/bar` has a `Policy` with values: |
| # {RestoreDefault: {}} |
| # The accepted values at `organizations/foo` are `E1`, `E2`. |
| # The accepted values at `projects/bar` are either all or none depending on |
| # the value of `constraint_default` (if `ALLOW`, all; if |
| # `DENY`, none). |
| # |
| # Example 5 (no policy inherits parent policy): |
| # `organizations/foo` has no `Policy` set. |
| # `projects/bar` has no `Policy` set. |
| # The accepted values at both levels are either all or none depending on |
| # the value of `constraint_default` (if `ALLOW`, all; if |
| # `DENY`, none). |
| # |
| # Example 6 (ListConstraint allowing all): |
| # `organizations/foo` has a `Policy` with values: |
| # {allowed_values: “E1” allowed_values: ”E2”} |
| # `projects/bar` has a `Policy` with: |
| # {all: ALLOW} |
| # The accepted values at `organizations/foo` are `E1`, E2`. |
| # Any value is accepted at `projects/bar`. |
| # |
| # Example 7 (ListConstraint allowing none): |
| # `organizations/foo` has a `Policy` with values: |
| # {allowed_values: “E1” allowed_values: ”E2”} |
| # `projects/bar` has a `Policy` with: |
| # {all: DENY} |
| # The accepted values at `organizations/foo` are `E1`, E2`. |
| # No value is accepted at `projects/bar`. |
| # |
| # Example 10 (allowed and denied subtrees of Resource Manager hierarchy): |
| # Given the following resource hierarchy |
| # O1->{F1, F2}; F1->{P1}; F2->{P2, P3}, |
| # `organizations/foo` has a `Policy` with values: |
| # {allowed_values: "under:organizations/O1"} |
| # `projects/bar` has a `Policy` with: |
| # {allowed_values: "under:projects/P3"} |
| # {denied_values: "under:folders/F2"} |
| # The accepted values at `organizations/foo` are `organizations/O1`, |
| # `folders/F1`, `folders/F2`, `projects/P1`, `projects/P2`, |
| # `projects/P3`. |
| # The accepted values at `projects/bar` are `organizations/O1`, |
| # `folders/F1`, `projects/P1`. |
| "suggestedValue": "A String", # Optional. The Google Cloud Console will try to default to a configuration |
| # that matches the value specified in this `Policy`. If `suggested_value` |
| # is not set, it will inherit the value specified higher in the hierarchy, |
| # unless `inherit_from_parent` is `false`. |
| "deniedValues": [ # List of values denied at this resource. Can only be set if `all_values` |
| # is set to `ALL_VALUES_UNSPECIFIED`. |
| "A String", |
| ], |
| }, |
| "booleanPolicy": { # Used in `policy_type` to specify how `boolean_policy` will behave at this # For boolean `Constraints`, whether to enforce the `Constraint` or not. |
| # resource. |
| "enforced": True or False, # If `true`, then the `Policy` is enforced. If `false`, then any |
| # configuration is acceptable. |
| # |
| # Suppose you have a `Constraint` |
| # `constraints/compute.disableSerialPortAccess` with `constraint_default` |
| # set to `ALLOW`. A `Policy` for that `Constraint` exhibits the following |
| # behavior: |
| # - If the `Policy` at this resource has enforced set to `false`, serial |
| # port connection attempts will be allowed. |
| # - If the `Policy` at this resource has enforced set to `true`, serial |
| # port connection attempts will be refused. |
| # - If the `Policy` at this resource is `RestoreDefault`, serial port |
| # connection attempts will be allowed. |
| # - If no `Policy` is set at this resource or anywhere higher in the |
| # resource hierarchy, serial port connection attempts will be allowed. |
| # - If no `Policy` is set at this resource, but one exists higher in the |
| # resource hierarchy, the behavior is as if the`Policy` were set at |
| # this resource. |
| # |
| # The following examples demonstrate the different possible layerings: |
| # |
| # Example 1 (nearest `Constraint` wins): |
| # `organizations/foo` has a `Policy` with: |
| # {enforced: false} |
| # `projects/bar` has no `Policy` set. |
| # The constraint at `projects/bar` and `organizations/foo` will not be |
| # enforced. |
| # |
| # Example 2 (enforcement gets replaced): |
| # `organizations/foo` has a `Policy` with: |
| # {enforced: false} |
| # `projects/bar` has a `Policy` with: |
| # {enforced: true} |
| # The constraint at `organizations/foo` is not enforced. |
| # The constraint at `projects/bar` is enforced. |
| # |
| # Example 3 (RestoreDefault): |
| # `organizations/foo` has a `Policy` with: |
| # {enforced: true} |
| # `projects/bar` has a `Policy` with: |
| # {RestoreDefault: {}} |
| # The constraint at `organizations/foo` is enforced. |
| # The constraint at `projects/bar` is not enforced, because |
| # `constraint_default` for the `Constraint` is `ALLOW`. |
| }, |
| "etag": "A String", # An opaque tag indicating the current version of the `Policy`, used for |
| # concurrency control. |
| # |
| # When the `Policy` is returned from either a `GetPolicy` or a |
| # `ListOrgPolicy` request, this `etag` indicates the version of the current |
| # `Policy` to use when executing a read-modify-write loop. |
| # |
| # When the `Policy` is returned from a `GetEffectivePolicy` request, the |
| # `etag` will be unset. |
| # |
| # When the `Policy` is used in a `SetOrgPolicy` method, use the `etag` value |
| # that was returned from a `GetOrgPolicy` request as part of a |
| # read-modify-write loop for concurrency control. Not setting the `etag`in a |
| # `SetOrgPolicy` request will result in an unconditional write of the |
| # `Policy`. |
| }, |
| } |
| |
| x__xgafv: string, V1 error format. |
| Allowed values |
| 1 - v1 error format |
| 2 - v2 error format |
| |
| Returns: |
| An object of the form: |
| |
| { # Defines a Cloud Organization `Policy` which is used to specify `Constraints` |
| # for configurations of Cloud Platform resources. |
| "updateTime": "A String", # The time stamp the `Policy` was previously updated. This is set by the |
| # server, not specified by the caller, and represents the last time a call to |
| # `SetOrgPolicy` was made for that `Policy`. Any value set by the client will |
| # be ignored. |
| "version": 42, # Version of the `Policy`. Default version is 0; |
| "constraint": "A String", # The name of the `Constraint` the `Policy` is configuring, for example, |
| # `constraints/serviceuser.services`. |
| # |
| # Immutable after creation. |
| "restoreDefault": { # Ignores policies set above this resource and restores the # Restores the default behavior of the constraint; independent of |
| # `Constraint` type. |
| # `constraint_default` enforcement behavior of the specific `Constraint` at |
| # this resource. |
| # |
| # Suppose that `constraint_default` is set to `ALLOW` for the |
| # `Constraint` `constraints/serviceuser.services`. Suppose that organization |
| # foo.com sets a `Policy` at their Organization resource node that restricts |
| # the allowed service activations to deny all service activations. They |
| # could then set a `Policy` with the `policy_type` `restore_default` on |
| # several experimental projects, restoring the `constraint_default` |
| # enforcement of the `Constraint` for only those projects, allowing those |
| # projects to have all services activated. |
| }, |
| "listPolicy": { # Used in `policy_type` to specify how `list_policy` behaves at this # List of values either allowed or disallowed. |
| # resource. |
| # |
| # `ListPolicy` can define specific values and subtrees of Cloud Resource |
| # Manager resource hierarchy (`Organizations`, `Folders`, `Projects`) that |
| # are allowed or denied by setting the `allowed_values` and `denied_values` |
| # fields. This is achieved by using the `under:` and optional `is:` prefixes. |
| # The `under:` prefix is used to denote resource subtree values. |
| # The `is:` prefix is used to denote specific values, and is required only |
| # if the value contains a ":". Values prefixed with "is:" are treated the |
| # same as values with no prefix. |
| # Ancestry subtrees must be in one of the following formats: |
| # - “projects/<project-id>”, e.g. “projects/tokyo-rain-123” |
| # - “folders/<folder-id>”, e.g. “folders/1234” |
| # - “organizations/<organization-id>”, e.g. “organizations/1234” |
| # The `supports_under` field of the associated `Constraint` defines whether |
| # ancestry prefixes can be used. You can set `allowed_values` and |
| # `denied_values` in the same `Policy` if `all_values` is |
| # `ALL_VALUES_UNSPECIFIED`. `ALLOW` or `DENY` are used to allow or deny all |
| # values. If `all_values` is set to either `ALLOW` or `DENY`, |
| # `allowed_values` and `denied_values` must be unset. |
| "allValues": "A String", # The policy all_values state. |
| "allowedValues": [ # List of values allowed at this resource. Can only be set if `all_values` |
| # is set to `ALL_VALUES_UNSPECIFIED`. |
| "A String", |
| ], |
| "inheritFromParent": True or False, # Determines the inheritance behavior for this `Policy`. |
| # |
| # By default, a `ListPolicy` set at a resource supercedes any `Policy` set |
| # anywhere up the resource hierarchy. However, if `inherit_from_parent` is |
| # set to `true`, then the values from the effective `Policy` of the parent |
| # resource are inherited, meaning the values set in this `Policy` are |
| # added to the values inherited up the hierarchy. |
| # |
| # Setting `Policy` hierarchies that inherit both allowed values and denied |
| # values isn't recommended in most circumstances to keep the configuration |
| # simple and understandable. However, it is possible to set a `Policy` with |
| # `allowed_values` set that inherits a `Policy` with `denied_values` set. |
| # In this case, the values that are allowed must be in `allowed_values` and |
| # not present in `denied_values`. |
| # |
| # For example, suppose you have a `Constraint` |
| # `constraints/serviceuser.services`, which has a `constraint_type` of |
| # `list_constraint`, and with `constraint_default` set to `ALLOW`. |
| # Suppose that at the Organization level, a `Policy` is applied that |
| # restricts the allowed API activations to {`E1`, `E2`}. Then, if a |
| # `Policy` is applied to a project below the Organization that has |
| # `inherit_from_parent` set to `false` and field all_values set to DENY, |
| # then an attempt to activate any API will be denied. |
| # |
| # The following examples demonstrate different possible layerings for |
| # `projects/bar` parented by `organizations/foo`: |
| # |
| # Example 1 (no inherited values): |
| # `organizations/foo` has a `Policy` with values: |
| # {allowed_values: “E1” allowed_values:”E2”} |
| # `projects/bar` has `inherit_from_parent` `false` and values: |
| # {allowed_values: "E3" allowed_values: "E4"} |
| # The accepted values at `organizations/foo` are `E1`, `E2`. |
| # The accepted values at `projects/bar` are `E3`, and `E4`. |
| # |
| # Example 2 (inherited values): |
| # `organizations/foo` has a `Policy` with values: |
| # {allowed_values: “E1” allowed_values:”E2”} |
| # `projects/bar` has a `Policy` with values: |
| # {value: “E3” value: ”E4” inherit_from_parent: true} |
| # The accepted values at `organizations/foo` are `E1`, `E2`. |
| # The accepted values at `projects/bar` are `E1`, `E2`, `E3`, and `E4`. |
| # |
| # Example 3 (inheriting both allowed and denied values): |
| # `organizations/foo` has a `Policy` with values: |
| # {allowed_values: "E1" allowed_values: "E2"} |
| # `projects/bar` has a `Policy` with: |
| # {denied_values: "E1"} |
| # The accepted values at `organizations/foo` are `E1`, `E2`. |
| # The value accepted at `projects/bar` is `E2`. |
| # |
| # Example 4 (RestoreDefault): |
| # `organizations/foo` has a `Policy` with values: |
| # {allowed_values: “E1” allowed_values:”E2”} |
| # `projects/bar` has a `Policy` with values: |
| # {RestoreDefault: {}} |
| # The accepted values at `organizations/foo` are `E1`, `E2`. |
| # The accepted values at `projects/bar` are either all or none depending on |
| # the value of `constraint_default` (if `ALLOW`, all; if |
| # `DENY`, none). |
| # |
| # Example 5 (no policy inherits parent policy): |
| # `organizations/foo` has no `Policy` set. |
| # `projects/bar` has no `Policy` set. |
| # The accepted values at both levels are either all or none depending on |
| # the value of `constraint_default` (if `ALLOW`, all; if |
| # `DENY`, none). |
| # |
| # Example 6 (ListConstraint allowing all): |
| # `organizations/foo` has a `Policy` with values: |
| # {allowed_values: “E1” allowed_values: ”E2”} |
| # `projects/bar` has a `Policy` with: |
| # {all: ALLOW} |
| # The accepted values at `organizations/foo` are `E1`, E2`. |
| # Any value is accepted at `projects/bar`. |
| # |
| # Example 7 (ListConstraint allowing none): |
| # `organizations/foo` has a `Policy` with values: |
| # {allowed_values: “E1” allowed_values: ”E2”} |
| # `projects/bar` has a `Policy` with: |
| # {all: DENY} |
| # The accepted values at `organizations/foo` are `E1`, E2`. |
| # No value is accepted at `projects/bar`. |
| # |
| # Example 10 (allowed and denied subtrees of Resource Manager hierarchy): |
| # Given the following resource hierarchy |
| # O1->{F1, F2}; F1->{P1}; F2->{P2, P3}, |
| # `organizations/foo` has a `Policy` with values: |
| # {allowed_values: "under:organizations/O1"} |
| # `projects/bar` has a `Policy` with: |
| # {allowed_values: "under:projects/P3"} |
| # {denied_values: "under:folders/F2"} |
| # The accepted values at `organizations/foo` are `organizations/O1`, |
| # `folders/F1`, `folders/F2`, `projects/P1`, `projects/P2`, |
| # `projects/P3`. |
| # The accepted values at `projects/bar` are `organizations/O1`, |
| # `folders/F1`, `projects/P1`. |
| "suggestedValue": "A String", # Optional. The Google Cloud Console will try to default to a configuration |
| # that matches the value specified in this `Policy`. If `suggested_value` |
| # is not set, it will inherit the value specified higher in the hierarchy, |
| # unless `inherit_from_parent` is `false`. |
| "deniedValues": [ # List of values denied at this resource. Can only be set if `all_values` |
| # is set to `ALL_VALUES_UNSPECIFIED`. |
| "A String", |
| ], |
| }, |
| "booleanPolicy": { # Used in `policy_type` to specify how `boolean_policy` will behave at this # For boolean `Constraints`, whether to enforce the `Constraint` or not. |
| # resource. |
| "enforced": True or False, # If `true`, then the `Policy` is enforced. If `false`, then any |
| # configuration is acceptable. |
| # |
| # Suppose you have a `Constraint` |
| # `constraints/compute.disableSerialPortAccess` with `constraint_default` |
| # set to `ALLOW`. A `Policy` for that `Constraint` exhibits the following |
| # behavior: |
| # - If the `Policy` at this resource has enforced set to `false`, serial |
| # port connection attempts will be allowed. |
| # - If the `Policy` at this resource has enforced set to `true`, serial |
| # port connection attempts will be refused. |
| # - If the `Policy` at this resource is `RestoreDefault`, serial port |
| # connection attempts will be allowed. |
| # - If no `Policy` is set at this resource or anywhere higher in the |
| # resource hierarchy, serial port connection attempts will be allowed. |
| # - If no `Policy` is set at this resource, but one exists higher in the |
| # resource hierarchy, the behavior is as if the`Policy` were set at |
| # this resource. |
| # |
| # The following examples demonstrate the different possible layerings: |
| # |
| # Example 1 (nearest `Constraint` wins): |
| # `organizations/foo` has a `Policy` with: |
| # {enforced: false} |
| # `projects/bar` has no `Policy` set. |
| # The constraint at `projects/bar` and `organizations/foo` will not be |
| # enforced. |
| # |
| # Example 2 (enforcement gets replaced): |
| # `organizations/foo` has a `Policy` with: |
| # {enforced: false} |
| # `projects/bar` has a `Policy` with: |
| # {enforced: true} |
| # The constraint at `organizations/foo` is not enforced. |
| # The constraint at `projects/bar` is enforced. |
| # |
| # Example 3 (RestoreDefault): |
| # `organizations/foo` has a `Policy` with: |
| # {enforced: true} |
| # `projects/bar` has a `Policy` with: |
| # {RestoreDefault: {}} |
| # The constraint at `organizations/foo` is enforced. |
| # The constraint at `projects/bar` is not enforced, because |
| # `constraint_default` for the `Constraint` is `ALLOW`. |
| }, |
| "etag": "A String", # An opaque tag indicating the current version of the `Policy`, used for |
| # concurrency control. |
| # |
| # When the `Policy` is returned from either a `GetPolicy` or a |
| # `ListOrgPolicy` request, this `etag` indicates the version of the current |
| # `Policy` to use when executing a read-modify-write loop. |
| # |
| # When the `Policy` is returned from a `GetEffectivePolicy` request, the |
| # `etag` will be unset. |
| # |
| # When the `Policy` is used in a `SetOrgPolicy` method, use the `etag` value |
| # that was returned from a `GetOrgPolicy` request as part of a |
| # read-modify-write loop for concurrency control. Not setting the `etag`in a |
| # `SetOrgPolicy` request will result in an unconditional write of the |
| # `Policy`. |
| }</pre> |
| </div> |
| |
| <div class="method"> |
| <code class="details" id="testIamPermissions">testIamPermissions(resource, body, x__xgafv=None)</code> |
| <pre>Returns permissions that a caller has on the specified Organization. |
| The `resource` field should be the organization's resource name, |
| e.g. "organizations/123". |
| |
| There are no permissions required for making this API call. |
| |
| Args: |
| resource: string, REQUIRED: The resource for which the policy detail is being requested. |
| See the operation documentation for the appropriate value for this field. (required) |
| body: object, The request body. (required) |
| The object takes the form of: |
| |
| { # Request message for `TestIamPermissions` method. |
| "permissions": [ # The set of permissions to check for the `resource`. Permissions with |
| # wildcards (such as '*' or 'storage.*') are not allowed. For more |
| # information see |
| # [IAM Overview](https://cloud.google.com/iam/docs/overview#permissions). |
| "A String", |
| ], |
| } |
| |
| x__xgafv: string, V1 error format. |
| Allowed values |
| 1 - v1 error format |
| 2 - v2 error format |
| |
| Returns: |
| An object of the form: |
| |
| { # Response message for `TestIamPermissions` method. |
| "permissions": [ # A subset of `TestPermissionsRequest.permissions` that the caller is |
| # allowed. |
| "A String", |
| ], |
| }</pre> |
| </div> |
| |
| </body></html> |
