Google Git
Sign in
android / platform / external / python / google-api-python-client / refs/heads/android11-dev / . / docs / dyn / accesscontextmanager_v1beta.accessPolicies.accessLevels.html
blob: fd5095a385490191a33c23f9b1667295d3e20dc0 [file] [log] [blame] [edit]
<html><body>
<style>
body, h1, h2, h3, div, span, p, pre, a {
margin: 0;
padding: 0;
border: 0;
font-weight: inherit;
font-style: inherit;
font-size: 100%;
font-family: inherit;
vertical-align: baseline;
}
body {
font-size: 13px;
padding: 1em;
}
h1 {
font-size: 26px;
margin-bottom: 1em;
}
h2 {
font-size: 24px;
margin-bottom: 1em;
}
h3 {
font-size: 20px;
margin-bottom: 1em;
margin-top: 1em;
}
pre, code {
line-height: 1.5;
font-family: Monaco, 'DejaVu Sans Mono', 'Bitstream Vera Sans Mono', 'Lucida Console', monospace;
}
pre {
margin-top: 0.5em;
}
h1, h2, h3, p {
font-family: Arial, sans serif;
}
h1, h2, h3 {
border-bottom: solid #CCC 1px;
}
.toc_element {
margin-top: 0.5em;
}
.firstline {
margin-left: 2 em;
}
.method {
margin-top: 1em;
border: solid 1px #CCC;
padding: 1em;
background: #EEE;
}
.details {
font-weight: bold;
font-size: 14px;
}
</style>
<h1><a href="accesscontextmanager_v1beta.html">Access Context Manager API</a> . <a href="accesscontextmanager_v1beta.accessPolicies.html">accessPolicies</a> . <a href="accesscontextmanager_v1beta.accessPolicies.accessLevels.html">accessLevels</a></h1>
<h2>Instance Methods</h2>
<p class="toc_element">
<code><a href="#create">create(parent, body, x__xgafv=None)</a></code></p>
<p class="firstline">Create an Access Level. The longrunning</p>
<p class="toc_element">
<code><a href="#delete">delete(name, x__xgafv=None)</a></code></p>
<p class="firstline">Delete an Access Level by resource</p>
<p class="toc_element">
<code><a href="#get">get(name, accessLevelFormat=None, x__xgafv=None)</a></code></p>
<p class="firstline">Get an Access Level by resource</p>
<p class="toc_element">
<code><a href="#list">list(parent, accessLevelFormat=None, pageToken=None, x__xgafv=None, pageSize=None)</a></code></p>
<p class="firstline">List all Access Levels for an access</p>
<p class="toc_element">
<code><a href="#list_next">list_next(previous_request, previous_response)</a></code></p>
<p class="firstline">Retrieves the next page of results.</p>
<p class="toc_element">
<code><a href="#patch">patch(name, body, updateMask=None, x__xgafv=None)</a></code></p>
<p class="firstline">Update an Access Level. The longrunning</p>
<h3>Method Details</h3>
<div class="method">
<code class="details" id="create">create(parent, body, x__xgafv=None)</code>
<pre>Create an Access Level. The longrunning
operation from this RPC will have a successful status once the Access
Level has
propagated to long-lasting storage. Access Levels containing
errors will result in an error response for the first error encountered.
Args:
parent: string, Required. Resource name for the access policy which owns this Access
Level.
Format: `accessPolicies/{policy_id}` (required)
body: object, The request body. (required)
The object takes the form of:
{ # An `AccessLevel` is a label that can be applied to requests to GCP services,
# along with a list of requirements necessary for the label to be applied.
"updateTime": "A String", # Output only. Time the `AccessLevel` was updated in UTC.
"description": "A String", # Description of the `AccessLevel` and its use. Does not affect behavior.
"title": "A String", # Human readable title. Must be unique within the Policy.
"basic": { # `BasicLevel` is an `AccessLevel` using a set of recommended features. # A `BasicLevel` composed of `Conditions`.
"combiningFunction": "A String", # How the `conditions` list should be combined to determine if a request is
# granted this `AccessLevel`. If AND is used, each `Condition` in
# `conditions` must be satisfied for the `AccessLevel` to be applied. If OR
# is used, at least one `Condition` in `conditions` must be satisfied for the
# `AccessLevel` to be applied. Default behavior is AND.
"conditions": [ # Required. A list of requirements for the `AccessLevel` to be granted.
{ # A condition necessary for an `AccessLevel` to be granted. The Condition is an
# AND over its fields. So a Condition is true if: 1) the request IP is from one
# of the listed subnetworks AND 2) the originating device complies with the
# listed device policy AND 3) all listed access levels are granted AND 4) the
# request was sent at a time allowed by the DateTimeRestriction.
"requiredAccessLevels": [ # A list of other access levels defined in the same `Policy`, referenced by
# resource name. Referencing an `AccessLevel` which does not exist is an
# error. All access levels listed must be granted for the Condition
# to be true. Example:
# "`accessPolicies/MY_POLICY/accessLevels/LEVEL_NAME"`
"A String",
],
"devicePolicy": { # `DevicePolicy` specifies device specific restrictions necessary to acquire a # Device specific restrictions, all restrictions must hold for the
# Condition to be true. If not specified, all devices are allowed.
# given access level. A `DevicePolicy` specifies requirements for requests from
# devices to be granted access levels, it does not do any enforcement on the
# device. `DevicePolicy` acts as an AND over all specified fields, and each
# repeated field is an OR over its elements. Any unset fields are ignored. For
# example, if the proto is { os_type : DESKTOP_WINDOWS, os_type :
# DESKTOP_LINUX, encryption_status: ENCRYPTED}, then the DevicePolicy will be
# true for requests originating from encrypted Linux desktops and encrypted
# Windows desktops.
"allowedEncryptionStatuses": [ # Allowed encryptions statuses, an empty list allows all statuses.
"A String",
],
"osConstraints": [ # Allowed OS versions, an empty list allows all types and all versions.
{ # A restriction on the OS type and version of devices making requests.
"osType": "A String", # Required. The allowed OS type.
"requireVerifiedChromeOs": True or False, # Only allows requests from devices with a verified Chrome OS.
# Verifications includes requirements that the device is enterprise-managed,
# conformant to Dasher domain policies, and the caller has permission to call
# the API targeted by the request.
"minimumVersion": "A String", # The minimum allowed OS version. If not set, any version of this OS
# satisfies the constraint. Format: `"major.minor.patch"`.
# Examples: `"10.5.301"`, `"9.2.1"`.
},
],
"requireAdminApproval": True or False, # Whether the device needs to be approved by the customer admin.
"requireCorpOwned": True or False, # Whether the device needs to be corp owned.
"allowedDeviceManagementLevels": [ # Allowed device management levels, an empty list allows all management
# levels.
"A String",
],
"requireScreenlock": True or False, # Whether or not screenlock is required for the DevicePolicy to be true.
# Defaults to `false`.
},
"ipSubnetworks": [ # CIDR block IP subnetwork specification. May be IPv4 or IPv6. Note that for
# a CIDR IP address block, the specified IP address portion must be properly
# truncated (i.e. all the host bits must be zero) or the input is considered
# malformed. For example, "192.0.2.0/24" is accepted but "192.0.2.1/24" is
# not. Similarly, for IPv6, "2001:db8::/32" is accepted whereas
# "2001:db8::1/32" is not. The originating IP of a request must be in one of
# the listed subnets in order for this Condition to be true. If empty, all IP
# addresses are allowed.
"A String",
],
"regions": [ # The request must originate from one of the provided countries/regions.
# Must be valid ISO 3166-1 alpha-2 codes.
"A String",
],
"members": [ # The request must be made by one of the provided user or service
# accounts. Groups are not supported.
# Syntax:
# `user:{emailid}`
# `serviceAccount:{emailid}`
# If not specified, a request may come from any user.
"A String",
],
"negate": True or False, # Whether to negate the Condition. If true, the Condition becomes a NAND over
# its non-empty fields, each field must be false for the Condition overall to
# be satisfied. Defaults to false.
},
],
},
"createTime": "A String", # Output only. Time the `AccessLevel` was created in UTC.
"name": "A String", # Required. Resource name for the Access Level. The `short_name` component
# must begin with a letter and only include alphanumeric and '_'. Format:
# `accessPolicies/{policy_id}/accessLevels/{short_name}`
}
x__xgafv: string, V1 error format.
Allowed values
1 - v1 error format
2 - v2 error format
Returns:
An object of the form:
{ # This resource represents a long-running operation that is the result of a
# network API call.
"response": { # The normal response of the operation in case of success. If the original
# method returns no data on success, such as `Delete`, the response is
# `google.protobuf.Empty`. If the original method is standard
# `Get`/`Create`/`Update`, the response should be the resource. For other
# methods, the response should have the type `XxxResponse`, where `Xxx`
# is the original method name. For example, if the original method name
# is `TakeSnapshot()`, the inferred response type is
# `TakeSnapshotResponse`.
"a_key": "", # Properties of the object. Contains field @type with type URL.
},
"metadata": { # Service-specific metadata associated with the operation. It typically
# contains progress information and common metadata such as create time.
# Some services might not provide such metadata. Any method that returns a
# long-running operation should document the metadata type, if any.
"a_key": "", # Properties of the object. Contains field @type with type URL.
},
"done": True or False, # If the value is `false`, it means the operation is still in progress.
# If `true`, the operation is completed, and either `error` or `response` is
# available.
"name": "A String", # The server-assigned name, which is only unique within the same service that
# originally returns it. If you use the default HTTP mapping, the
# `name` should be a resource name ending with `operations/{unique_id}`.
"error": { # The `Status` type defines a logical error model that is suitable for # The error result of the operation in case of failure or cancellation.
# different programming environments, including REST APIs and RPC APIs. It is
# used by [gRPC](https://github.com/grpc). Each `Status` message contains
# three pieces of data: error code, error message, and error details.
#
# You can find out more about this error model and how to work with it in the
# [API Design Guide](https://cloud.google.com/apis/design/errors).
"message": "A String", # A developer-facing error message, which should be in English. Any
# user-facing error message should be localized and sent in the
# google.rpc.Status.details field, or localized by the client.
"code": 42, # The status code, which should be an enum value of google.rpc.Code.
"details": [ # A list of messages that carry the error details. There is a common set of
# message types for APIs to use.
{
"a_key": "", # Properties of the object. Contains field @type with type URL.
},
],
},
}</pre>
</div>
<div class="method">
<code class="details" id="delete">delete(name, x__xgafv=None)</code>
<pre>Delete an Access Level by resource
name. The longrunning operation from this RPC will have a successful status
once the Access Level has been removed
from long-lasting storage.
Args:
name: string, Required. Resource name for the Access Level.
Format:
`accessPolicies/{policy_id}/accessLevels/{access_level_id}` (required)
x__xgafv: string, V1 error format.
Allowed values
1 - v1 error format
2 - v2 error format
Returns:
An object of the form:
{ # This resource represents a long-running operation that is the result of a
# network API call.
"response": { # The normal response of the operation in case of success. If the original
# method returns no data on success, such as `Delete`, the response is
# `google.protobuf.Empty`. If the original method is standard
# `Get`/`Create`/`Update`, the response should be the resource. For other
# methods, the response should have the type `XxxResponse`, where `Xxx`
# is the original method name. For example, if the original method name
# is `TakeSnapshot()`, the inferred response type is
# `TakeSnapshotResponse`.
"a_key": "", # Properties of the object. Contains field @type with type URL.
},
"metadata": { # Service-specific metadata associated with the operation. It typically
# contains progress information and common metadata such as create time.
# Some services might not provide such metadata. Any method that returns a
# long-running operation should document the metadata type, if any.
"a_key": "", # Properties of the object. Contains field @type with type URL.
},
"done": True or False, # If the value is `false`, it means the operation is still in progress.
# If `true`, the operation is completed, and either `error` or `response` is
# available.
"name": "A String", # The server-assigned name, which is only unique within the same service that
# originally returns it. If you use the default HTTP mapping, the
# `name` should be a resource name ending with `operations/{unique_id}`.
"error": { # The `Status` type defines a logical error model that is suitable for # The error result of the operation in case of failure or cancellation.
# different programming environments, including REST APIs and RPC APIs. It is
# used by [gRPC](https://github.com/grpc). Each `Status` message contains
# three pieces of data: error code, error message, and error details.
#
# You can find out more about this error model and how to work with it in the
# [API Design Guide](https://cloud.google.com/apis/design/errors).
"message": "A String", # A developer-facing error message, which should be in English. Any
# user-facing error message should be localized and sent in the
# google.rpc.Status.details field, or localized by the client.
"code": 42, # The status code, which should be an enum value of google.rpc.Code.
"details": [ # A list of messages that carry the error details. There is a common set of
# message types for APIs to use.
{
"a_key": "", # Properties of the object. Contains field @type with type URL.
},
],
},
}</pre>
</div>
<div class="method">
<code class="details" id="get">get(name, accessLevelFormat=None, x__xgafv=None)</code>
<pre>Get an Access Level by resource
name.
Args:
name: string, Required. Resource name for the Access Level.
Format:
`accessPolicies/{policy_id}/accessLevels/{access_level_id}` (required)
accessLevelFormat: string, Whether to return `BasicLevels` in the Cloud Common Expression
Language rather than as `BasicLevels`. Defaults to AS_DEFINED, where
Access Levels
are returned as `BasicLevels` or `CustomLevels` based on how they were
created. If set to CEL, all Access Levels are returned as
`CustomLevels`. In the CEL case, `BasicLevels` are translated to equivalent
`CustomLevels`.
x__xgafv: string, V1 error format.
Allowed values
1 - v1 error format
2 - v2 error format
Returns:
An object of the form:
{ # An `AccessLevel` is a label that can be applied to requests to GCP services,
# along with a list of requirements necessary for the label to be applied.
"updateTime": "A String", # Output only. Time the `AccessLevel` was updated in UTC.
"description": "A String", # Description of the `AccessLevel` and its use. Does not affect behavior.
"title": "A String", # Human readable title. Must be unique within the Policy.
"basic": { # `BasicLevel` is an `AccessLevel` using a set of recommended features. # A `BasicLevel` composed of `Conditions`.
"combiningFunction": "A String", # How the `conditions` list should be combined to determine if a request is
# granted this `AccessLevel`. If AND is used, each `Condition` in
# `conditions` must be satisfied for the `AccessLevel` to be applied. If OR
# is used, at least one `Condition` in `conditions` must be satisfied for the
# `AccessLevel` to be applied. Default behavior is AND.
"conditions": [ # Required. A list of requirements for the `AccessLevel` to be granted.
{ # A condition necessary for an `AccessLevel` to be granted. The Condition is an
# AND over its fields. So a Condition is true if: 1) the request IP is from one
# of the listed subnetworks AND 2) the originating device complies with the
# listed device policy AND 3) all listed access levels are granted AND 4) the
# request was sent at a time allowed by the DateTimeRestriction.
"requiredAccessLevels": [ # A list of other access levels defined in the same `Policy`, referenced by
# resource name. Referencing an `AccessLevel` which does not exist is an
# error. All access levels listed must be granted for the Condition
# to be true. Example:
# "`accessPolicies/MY_POLICY/accessLevels/LEVEL_NAME"`
"A String",
],
"devicePolicy": { # `DevicePolicy` specifies device specific restrictions necessary to acquire a # Device specific restrictions, all restrictions must hold for the
# Condition to be true. If not specified, all devices are allowed.
# given access level. A `DevicePolicy` specifies requirements for requests from
# devices to be granted access levels, it does not do any enforcement on the
# device. `DevicePolicy` acts as an AND over all specified fields, and each
# repeated field is an OR over its elements. Any unset fields are ignored. For
# example, if the proto is { os_type : DESKTOP_WINDOWS, os_type :
# DESKTOP_LINUX, encryption_status: ENCRYPTED}, then the DevicePolicy will be
# true for requests originating from encrypted Linux desktops and encrypted
# Windows desktops.
"allowedEncryptionStatuses": [ # Allowed encryptions statuses, an empty list allows all statuses.
"A String",
],
"osConstraints": [ # Allowed OS versions, an empty list allows all types and all versions.
{ # A restriction on the OS type and version of devices making requests.
"osType": "A String", # Required. The allowed OS type.
"requireVerifiedChromeOs": True or False, # Only allows requests from devices with a verified Chrome OS.
# Verifications includes requirements that the device is enterprise-managed,
# conformant to Dasher domain policies, and the caller has permission to call
# the API targeted by the request.
"minimumVersion": "A String", # The minimum allowed OS version. If not set, any version of this OS
# satisfies the constraint. Format: `"major.minor.patch"`.
# Examples: `"10.5.301"`, `"9.2.1"`.
},
],
"requireAdminApproval": True or False, # Whether the device needs to be approved by the customer admin.
"requireCorpOwned": True or False, # Whether the device needs to be corp owned.
"allowedDeviceManagementLevels": [ # Allowed device management levels, an empty list allows all management
# levels.
"A String",
],
"requireScreenlock": True or False, # Whether or not screenlock is required for the DevicePolicy to be true.
# Defaults to `false`.
},
"ipSubnetworks": [ # CIDR block IP subnetwork specification. May be IPv4 or IPv6. Note that for
# a CIDR IP address block, the specified IP address portion must be properly
# truncated (i.e. all the host bits must be zero) or the input is considered
# malformed. For example, "192.0.2.0/24" is accepted but "192.0.2.1/24" is
# not. Similarly, for IPv6, "2001:db8::/32" is accepted whereas
# "2001:db8::1/32" is not. The originating IP of a request must be in one of
# the listed subnets in order for this Condition to be true. If empty, all IP
# addresses are allowed.
"A String",
],
"regions": [ # The request must originate from one of the provided countries/regions.
# Must be valid ISO 3166-1 alpha-2 codes.
"A String",
],
"members": [ # The request must be made by one of the provided user or service
# accounts. Groups are not supported.
# Syntax:
# `user:{emailid}`
# `serviceAccount:{emailid}`
# If not specified, a request may come from any user.
"A String",
],
"negate": True or False, # Whether to negate the Condition. If true, the Condition becomes a NAND over
# its non-empty fields, each field must be false for the Condition overall to
# be satisfied. Defaults to false.
},
],
},
"createTime": "A String", # Output only. Time the `AccessLevel` was created in UTC.
"name": "A String", # Required. Resource name for the Access Level. The `short_name` component
# must begin with a letter and only include alphanumeric and '_'. Format:
# `accessPolicies/{policy_id}/accessLevels/{short_name}`
}</pre>
</div>
<div class="method">
<code class="details" id="list">list(parent, accessLevelFormat=None, pageToken=None, x__xgafv=None, pageSize=None)</code>
<pre>List all Access Levels for an access
policy.
Args:
parent: string, Required. Resource name for the access policy to list Access Levels from.
Format:
`accessPolicies/{policy_id}` (required)
accessLevelFormat: string, Whether to return `BasicLevels` in the Cloud Common Expression language, as
`CustomLevels`, rather than as `BasicLevels`. Defaults to returning
`AccessLevels` in the format they were defined.
pageToken: string, Next page token for the next batch of Access Level instances.
Defaults to the first page of results.
x__xgafv: string, V1 error format.
Allowed values
1 - v1 error format
2 - v2 error format
pageSize: integer, Number of Access Levels to include in
the list. Default 100.
Returns:
An object of the form:
{ # A response to `ListAccessLevelsRequest`.
"nextPageToken": "A String", # The pagination token to retrieve the next page of results. If the value is
# empty, no further results remain.
"accessLevels": [ # List of the Access Level instances.
{ # An `AccessLevel` is a label that can be applied to requests to GCP services,
# along with a list of requirements necessary for the label to be applied.
"updateTime": "A String", # Output only. Time the `AccessLevel` was updated in UTC.
"description": "A String", # Description of the `AccessLevel` and its use. Does not affect behavior.
"title": "A String", # Human readable title. Must be unique within the Policy.
"basic": { # `BasicLevel` is an `AccessLevel` using a set of recommended features. # A `BasicLevel` composed of `Conditions`.
"combiningFunction": "A String", # How the `conditions` list should be combined to determine if a request is
# granted this `AccessLevel`. If AND is used, each `Condition` in
# `conditions` must be satisfied for the `AccessLevel` to be applied. If OR
# is used, at least one `Condition` in `conditions` must be satisfied for the
# `AccessLevel` to be applied. Default behavior is AND.
"conditions": [ # Required. A list of requirements for the `AccessLevel` to be granted.
{ # A condition necessary for an `AccessLevel` to be granted. The Condition is an
# AND over its fields. So a Condition is true if: 1) the request IP is from one
# of the listed subnetworks AND 2) the originating device complies with the
# listed device policy AND 3) all listed access levels are granted AND 4) the
# request was sent at a time allowed by the DateTimeRestriction.
"requiredAccessLevels": [ # A list of other access levels defined in the same `Policy`, referenced by
# resource name. Referencing an `AccessLevel` which does not exist is an
# error. All access levels listed must be granted for the Condition
# to be true. Example:
# "`accessPolicies/MY_POLICY/accessLevels/LEVEL_NAME"`
"A String",
],
"devicePolicy": { # `DevicePolicy` specifies device specific restrictions necessary to acquire a # Device specific restrictions, all restrictions must hold for the
# Condition to be true. If not specified, all devices are allowed.
# given access level. A `DevicePolicy` specifies requirements for requests from
# devices to be granted access levels, it does not do any enforcement on the
# device. `DevicePolicy` acts as an AND over all specified fields, and each
# repeated field is an OR over its elements. Any unset fields are ignored. For
# example, if the proto is { os_type : DESKTOP_WINDOWS, os_type :
# DESKTOP_LINUX, encryption_status: ENCRYPTED}, then the DevicePolicy will be
# true for requests originating from encrypted Linux desktops and encrypted
# Windows desktops.
"allowedEncryptionStatuses": [ # Allowed encryptions statuses, an empty list allows all statuses.
"A String",
],
"osConstraints": [ # Allowed OS versions, an empty list allows all types and all versions.
{ # A restriction on the OS type and version of devices making requests.
"osType": "A String", # Required. The allowed OS type.
"requireVerifiedChromeOs": True or False, # Only allows requests from devices with a verified Chrome OS.
# Verifications includes requirements that the device is enterprise-managed,
# conformant to Dasher domain policies, and the caller has permission to call
# the API targeted by the request.
"minimumVersion": "A String", # The minimum allowed OS version. If not set, any version of this OS
# satisfies the constraint. Format: `"major.minor.patch"`.
# Examples: `"10.5.301"`, `"9.2.1"`.
},
],
"requireAdminApproval": True or False, # Whether the device needs to be approved by the customer admin.
"requireCorpOwned": True or False, # Whether the device needs to be corp owned.
"allowedDeviceManagementLevels": [ # Allowed device management levels, an empty list allows all management
# levels.
"A String",
],
"requireScreenlock": True or False, # Whether or not screenlock is required for the DevicePolicy to be true.
# Defaults to `false`.
},
"ipSubnetworks": [ # CIDR block IP subnetwork specification. May be IPv4 or IPv6. Note that for
# a CIDR IP address block, the specified IP address portion must be properly
# truncated (i.e. all the host bits must be zero) or the input is considered
# malformed. For example, "192.0.2.0/24" is accepted but "192.0.2.1/24" is
# not. Similarly, for IPv6, "2001:db8::/32" is accepted whereas
# "2001:db8::1/32" is not. The originating IP of a request must be in one of
# the listed subnets in order for this Condition to be true. If empty, all IP
# addresses are allowed.
"A String",
],
"regions": [ # The request must originate from one of the provided countries/regions.
# Must be valid ISO 3166-1 alpha-2 codes.
"A String",
],
"members": [ # The request must be made by one of the provided user or service
# accounts. Groups are not supported.
# Syntax:
# `user:{emailid}`
# `serviceAccount:{emailid}`
# If not specified, a request may come from any user.
"A String",
],
"negate": True or False, # Whether to negate the Condition. If true, the Condition becomes a NAND over
# its non-empty fields, each field must be false for the Condition overall to
# be satisfied. Defaults to false.
},
],
},
"createTime": "A String", # Output only. Time the `AccessLevel` was created in UTC.
"name": "A String", # Required. Resource name for the Access Level. The `short_name` component
# must begin with a letter and only include alphanumeric and '_'. Format:
# `accessPolicies/{policy_id}/accessLevels/{short_name}`
},
],
}</pre>
</div>
<div class="method">
<code class="details" id="list_next">list_next(previous_request, previous_response)</code>
<pre>Retrieves the next page of results.
Args:
previous_request: The request for the previous page. (required)
previous_response: The response from the request for the previous page. (required)
Returns:
A request object that you can call 'execute()' on to request the next
page. Returns None if there are no more items in the collection.
</pre>
</div>
<div class="method">
<code class="details" id="patch">patch(name, body, updateMask=None, x__xgafv=None)</code>
<pre>Update an Access Level. The longrunning
operation from this RPC will have a successful status once the changes to
the Access Level have propagated
to long-lasting storage. Access Levels containing
errors will result in an error response for the first error encountered.
Args:
name: string, Required. Resource name for the Access Level. The `short_name` component
must begin with a letter and only include alphanumeric and '_'. Format:
`accessPolicies/{policy_id}/accessLevels/{short_name}` (required)
body: object, The request body. (required)
The object takes the form of:
{ # An `AccessLevel` is a label that can be applied to requests to GCP services,
# along with a list of requirements necessary for the label to be applied.
"updateTime": "A String", # Output only. Time the `AccessLevel` was updated in UTC.
"description": "A String", # Description of the `AccessLevel` and its use. Does not affect behavior.
"title": "A String", # Human readable title. Must be unique within the Policy.
"basic": { # `BasicLevel` is an `AccessLevel` using a set of recommended features. # A `BasicLevel` composed of `Conditions`.
"combiningFunction": "A String", # How the `conditions` list should be combined to determine if a request is
# granted this `AccessLevel`. If AND is used, each `Condition` in
# `conditions` must be satisfied for the `AccessLevel` to be applied. If OR
# is used, at least one `Condition` in `conditions` must be satisfied for the
# `AccessLevel` to be applied. Default behavior is AND.
"conditions": [ # Required. A list of requirements for the `AccessLevel` to be granted.
{ # A condition necessary for an `AccessLevel` to be granted. The Condition is an
# AND over its fields. So a Condition is true if: 1) the request IP is from one
# of the listed subnetworks AND 2) the originating device complies with the
# listed device policy AND 3) all listed access levels are granted AND 4) the
# request was sent at a time allowed by the DateTimeRestriction.
"requiredAccessLevels": [ # A list of other access levels defined in the same `Policy`, referenced by
# resource name. Referencing an `AccessLevel` which does not exist is an
# error. All access levels listed must be granted for the Condition
# to be true. Example:
# "`accessPolicies/MY_POLICY/accessLevels/LEVEL_NAME"`
"A String",
],
"devicePolicy": { # `DevicePolicy` specifies device specific restrictions necessary to acquire a # Device specific restrictions, all restrictions must hold for the
# Condition to be true. If not specified, all devices are allowed.
# given access level. A `DevicePolicy` specifies requirements for requests from
# devices to be granted access levels, it does not do any enforcement on the
# device. `DevicePolicy` acts as an AND over all specified fields, and each
# repeated field is an OR over its elements. Any unset fields are ignored. For
# example, if the proto is { os_type : DESKTOP_WINDOWS, os_type :
# DESKTOP_LINUX, encryption_status: ENCRYPTED}, then the DevicePolicy will be
# true for requests originating from encrypted Linux desktops and encrypted
# Windows desktops.
"allowedEncryptionStatuses": [ # Allowed encryptions statuses, an empty list allows all statuses.
"A String",
],
"osConstraints": [ # Allowed OS versions, an empty list allows all types and all versions.
{ # A restriction on the OS type and version of devices making requests.
"osType": "A String", # Required. The allowed OS type.
"requireVerifiedChromeOs": True or False, # Only allows requests from devices with a verified Chrome OS.
# Verifications includes requirements that the device is enterprise-managed,
# conformant to Dasher domain policies, and the caller has permission to call
# the API targeted by the request.
"minimumVersion": "A String", # The minimum allowed OS version. If not set, any version of this OS
# satisfies the constraint. Format: `"major.minor.patch"`.
# Examples: `"10.5.301"`, `"9.2.1"`.
},
],
"requireAdminApproval": True or False, # Whether the device needs to be approved by the customer admin.
"requireCorpOwned": True or False, # Whether the device needs to be corp owned.
"allowedDeviceManagementLevels": [ # Allowed device management levels, an empty list allows all management
# levels.
"A String",
],
"requireScreenlock": True or False, # Whether or not screenlock is required for the DevicePolicy to be true.
# Defaults to `false`.
},
"ipSubnetworks": [ # CIDR block IP subnetwork specification. May be IPv4 or IPv6. Note that for
# a CIDR IP address block, the specified IP address portion must be properly
# truncated (i.e. all the host bits must be zero) or the input is considered
# malformed. For example, "192.0.2.0/24" is accepted but "192.0.2.1/24" is
# not. Similarly, for IPv6, "2001:db8::/32" is accepted whereas
# "2001:db8::1/32" is not. The originating IP of a request must be in one of
# the listed subnets in order for this Condition to be true. If empty, all IP
# addresses are allowed.
"A String",
],
"regions": [ # The request must originate from one of the provided countries/regions.
# Must be valid ISO 3166-1 alpha-2 codes.
"A String",
],
"members": [ # The request must be made by one of the provided user or service
# accounts. Groups are not supported.
# Syntax:
# `user:{emailid}`
# `serviceAccount:{emailid}`
# If not specified, a request may come from any user.
"A String",
],
"negate": True or False, # Whether to negate the Condition. If true, the Condition becomes a NAND over
# its non-empty fields, each field must be false for the Condition overall to
# be satisfied. Defaults to false.
},
],
},
"createTime": "A String", # Output only. Time the `AccessLevel` was created in UTC.
"name": "A String", # Required. Resource name for the Access Level. The `short_name` component
# must begin with a letter and only include alphanumeric and '_'. Format:
# `accessPolicies/{policy_id}/accessLevels/{short_name}`
}
updateMask: string, Required. Mask to control which fields get updated. Must be non-empty.
x__xgafv: string, V1 error format.
Allowed values
1 - v1 error format
2 - v2 error format
Returns:
An object of the form:
{ # This resource represents a long-running operation that is the result of a
# network API call.
"response": { # The normal response of the operation in case of success. If the original
# method returns no data on success, such as `Delete`, the response is
# `google.protobuf.Empty`. If the original method is standard
# `Get`/`Create`/`Update`, the response should be the resource. For other
# methods, the response should have the type `XxxResponse`, where `Xxx`
# is the original method name. For example, if the original method name
# is `TakeSnapshot()`, the inferred response type is
# `TakeSnapshotResponse`.
"a_key": "", # Properties of the object. Contains field @type with type URL.
},
"metadata": { # Service-specific metadata associated with the operation. It typically
# contains progress information and common metadata such as create time.
# Some services might not provide such metadata. Any method that returns a
# long-running operation should document the metadata type, if any.
"a_key": "", # Properties of the object. Contains field @type with type URL.
},
"done": True or False, # If the value is `false`, it means the operation is still in progress.
# If `true`, the operation is completed, and either `error` or `response` is
# available.
"name": "A String", # The server-assigned name, which is only unique within the same service that
# originally returns it. If you use the default HTTP mapping, the
# `name` should be a resource name ending with `operations/{unique_id}`.
"error": { # The `Status` type defines a logical error model that is suitable for # The error result of the operation in case of failure or cancellation.
# different programming environments, including REST APIs and RPC APIs. It is
# used by [gRPC](https://github.com/grpc). Each `Status` message contains
# three pieces of data: error code, error message, and error details.
#
# You can find out more about this error model and how to work with it in the
# [API Design Guide](https://cloud.google.com/apis/design/errors).
"message": "A String", # A developer-facing error message, which should be in English. Any
# user-facing error message should be localized and sent in the
# google.rpc.Status.details field, or localized by the client.
"code": 42, # The status code, which should be an enum value of google.rpc.Code.
"details": [ # A list of messages that carry the error details. There is a common set of
# message types for APIs to use.
{
"a_key": "", # Properties of the object. Contains field @type with type URL.
},
],
},
}</pre>
</div>
</body></html>